This is for CVE-2009-0582. I'm hereby making it public.

Camel's NTLM SASL authentication mechanism does not properly validate the server's challenge packets (NTLM authentication type 2 packets, [1]). In ntlm_challenge() in camel/camel-sasl-ntlm.c (lines 127-129), the length of the domain string copied from the type 2 packet into the type 3 packet (the client's reply to the server's challenge) was not validated against the rest of the data received from the server:

    ntlm_set_string (ret, NTLM_RESPONSE_DOMAIN_OFFSET,
                     token->data + NTLM_CHALLENGE_DOMAIN_OFFSET,
                     atoi (token->data + NTLM_CHALLENGE_DOMAIN_LEN_OFFSET));

A server could specify a length larger than the data actually sent in the packet, causing the client to disclose a portion of its memory or to crash.

Note: the length value was also not extracted correctly, since it is not sent as a string but as a 16-bit little-endian value.

Red Hat security verified the patch for this and it was sent to other vendors on March 4. I would like to get this committed before 2.26.0 is released.

[1] http://curl.haxx.se/rfc/ntlm.html#theType2Message
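As an added illustration (not Camel's code and not the patch referred to above), the C below shows the two defects side by side with a bounds-checked reading of the same field: the target-name length read as text with atoi versus decoded as a 16-bit LE value, and the offset/length pair checked against the number of bytes actually received. The type 2 field offsets follow the layout in [1], and the sample packet is constructed here, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Fixed fields of an NTLM type 2 (challenge) message, per the layout in [1].
 * These offsets are taken from that document, not from Camel's own #defines. */
#define NTLM_TYPE_OFFSET     8
#define NTLM_TARGET_NAME_SB  12  /* security buffer: len(2) maxlen(2) offset(4), all LE */
#define NTLM_TYPE2_MIN_LEN   32

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Mirrors the defect: the 16-bit LE length is read as if it were a decimal
 * ASCII string, and nothing is compared against the packet size. */
int target_name_len_unchecked(const uint8_t *buf)
{
    return atoi((const char *)buf + NTLM_TARGET_NAME_SB);
}

/* Hardened: decode length and offset as LE integers and refuse the packet
 * unless the whole target name lies inside the bytes actually received.
 * Returns a pointer into buf and sets *len, or NULL for a malformed packet. */
const uint8_t *target_name_checked(const uint8_t *buf, size_t buflen, size_t *len)
{
    if (buflen < NTLM_TYPE2_MIN_LEN || memcmp(buf, "NTLMSSP", 8) != 0)
        return NULL;
    if (get_le32(buf + NTLM_TYPE_OFFSET) != 2)
        return NULL;
    uint16_t slen = get_le16(buf + NTLM_TARGET_NAME_SB);
    uint32_t off  = get_le32(buf + NTLM_TARGET_NAME_SB + 4);
    if (off > buflen || slen > buflen - off)   /* the check the original code lacked */
        return NULL;
    *len = slen;
    return buf + off;
}

/* Constructed sample: a minimal type 2 message whose target name "DOMAIN"
 * (UTF-16LE, 12 bytes) is placed directly after the 32-byte fixed header. */
const uint8_t sample_type2[44] = {
    'N','T','L','M','S','S','P',0,       /* signature */
    2,0,0,0,                             /* message type 2 */
    12,0, 12,0, 32,0,0,0,                /* target name: len 12, maxlen 12, offset 32 */
    0x01,0x02,0x00,0x00,                 /* flags (arbitrary for this sample) */
    1,2,3,4,5,6,7,8,                     /* server challenge */
    'D',0,'O',0,'M',0,'A',0,'I',0,'N',0  /* target name */
};
```

On the sample, the atoi reading yields 0 because the length byte 0x0c is treated as whitespace, while the checked reader returns the 12-byte name; raising the length field or truncating the buffer makes the checked reader return NULL instead of reading past the packet.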