Another Evolution-Data-Server freeze break

This is for CVE-2009-0582.  I'm hereby making it public.

Camel's NTLM SASL authentication mechanism does not properly validate
server's challenge packets (NTLM authentication type 2 packets, [1]).
In the ntlm_challenge() in camel/camel-sasl-ntlm.c, length of the domain
string that was copied from type 2 to type 3 packet (client's reply to
server's challenge) was not properly validated against the rest of the
data received from the server.

127     ntlm_set_string (ret, NTLM_RESPONSE_DOMAIN_OFFSET,
128              token->data + NTLM_CHALLENGE_DOMAIN_OFFSET,
129              atoi (token->data + NTLM_CHALLENGE_DOMAIN_LEN_OFFSET));

Server could specify larger length than the actual data sent in the
packet, causing the client to disclose portion of its memory, or crash.

Note: length value was not properly extracted from the packet too, as it
is not passed as string, rather as 16-bit LE value.

Red Hat security verified the patch for this and it was sent to other
vendors on March 4.  I would like to get this committed before 2.26.0


Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]