Merge pull request #8845 from rycee/fix/dtach-CVE-2012-3368
dtach: fix CVE-2012-3368
commit
0861cb2c7d
2 changed files with 51 additions and 0 deletions
|
@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
|
|||
sha256 = "16614ebddf8ab2811d3dc0e7f329c7de88929ac6a9632d4cb4aef7fe11b8f2a9";
|
||||
};
|
||||
|
||||
patches = [ ./fix-CVE-2012-3368.patch ];
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out/bin
|
||||
cp dtach $out/bin/dtach
|
||||
|
|
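--- a/pkgs/tools/misc/dtach/fix-CVE-2012-3368.patch
+++ b/pkgs/tools/misc/dtach/fix-CVE-2012-3368.patch
@@ -0,0 +1,49 @@
+Fix error handling for read from stdin in attach.c
+
+attach.c did not correctly handle a read from stdin when read returned
+an error. The code assigned the return value of read to pkt.len (an
+unsigned char) before checking the value. This prevented the error check
+from working correctly, since an unsigned integer can never be < 0.
+
+A packet with an invalid length was then sent to the master, which then
+sent 255 bytes of garbage to the program.
+
+Fix the bug in attach.c and the unchecked packet length bug in master.c.
+
+Report and initial patch by Enrico Scholz.
+
+--- a/master.c 2012/07/01 21:26:10 1.14
++++ b/master.c 2012/07/01 21:44:34 1.15
+@@ -351,7 +351,10 @@
+
+/* Push out data to the program. */
+if (pkt.type == MSG_PUSH)
+- write(the_pty.fd, pkt.u.buf, pkt.len);
++ {
++ if (pkt.len <= sizeof(pkt.u.buf))
++ write(the_pty.fd, pkt.u.buf, pkt.len);
++ }
+
+/* Attach or detach from the program. */
+else if (pkt.type == MSG_ATTACH)
+--- a/attach.c 2012/07/01 21:26:10 1.12
++++ b/attach.c 2012/07/01 21:44:34 1.13
+@@ -237,12 +237,16 @@
+/* stdin activity */
+if (n > 0 && FD_ISSET(0, &readfds))
+{
++ ssize_t len;
++
+pkt.type = MSG_PUSH;
+memset(pkt.u.buf, 0, sizeof(pkt.u.buf));
+- pkt.len = read(0, pkt.u.buf, sizeof(pkt.u.buf));
++ len = read(0, pkt.u.buf, sizeof(pkt.u.buf));
+
+- if (pkt.len <= 0)
++ if (len <= 0)
+exit(1);
++
++ pkt.len = len;
+process_kbd(s, &pkt);
+n--;
+}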
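Review bot: In the master.c hunk the new `pkt.len <= sizeof(pkt.u.buf)` guard is the only validation of a length field that arrives from the attaching client, yet nothing in the code says so, and an oversized MSG_PUSH packet is dropped silently. A comment above the check, such as `/* pkt.len is supplied by the client; never write past pkt.u.buf */`, would keep the bound from being removed as redundant later. In the attach.c hunk, `pkt.len = len;` narrows an ssize_t into what the patch description calls an unsigned char; that is lossless only while sizeof(pkt.u.buf) is at most 255, which the hunk does not show, so `pkt.len = (unsigned char)len;` with a note on that assumption would make the intent explicit. The return value of write() is still ignored on the new side, so a short or failed write to the pty goes unnoticed. Both enclosing functions start and end outside the hunks.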