Fixed out-of-bounds read in the SPA authenticator
Resolves: CVE-2020-12783
This commit is contained in:
Jaroslav Škarvada
parent
ca3eadd65f
commit
759ca87ef8
|
|
@ -0,0 +1,200 @@
|
|||
diff --git a/src/auths/auth-spa.c b/src/auths/auth-spa.c
|
||||
index fc363df..44c99e9 100644
|
||||
--- a/src/auths/auth-spa.c
|
||||
+++ b/src/auths/auth-spa.c
|
||||
@@ -374,27 +374,27 @@ void
|
||||
spa_bits_to_base64 (uschar *out, const uschar *in, int inlen)
|
||||
/* raw bytes in quasi-big-endian order to base 64 string (NUL-terminated) */
|
||||
{
|
||||
- for (; inlen >= 3; inlen -= 3)
|
||||
- {
|
||||
- *out++ = base64digits[in[0] >> 2];
|
||||
- *out++ = base64digits[((in[0] << 4) & 0x30) | (in[1] >> 4)];
|
||||
- *out++ = base64digits[((in[1] << 2) & 0x3c) | (in[2] >> 6)];
|
||||
- *out++ = base64digits[in[2] & 0x3f];
|
||||
- in += 3;
|
||||
- }
|
||||
- if (inlen > 0)
|
||||
- {
|
||||
- uschar fragment;
|
||||
-
|
||||
- *out++ = base64digits[in[0] >> 2];
|
||||
- fragment = (in[0] << 4) & 0x30;
|
||||
- if (inlen > 1)
|
||||
- fragment |= in[1] >> 4;
|
||||
- *out++ = base64digits[fragment];
|
||||
- *out++ = (inlen < 2) ? '=' : base64digits[(in[1] << 2) & 0x3c];
|
||||
- *out++ = '=';
|
||||
- }
|
||||
- *out = '\0';
|
||||
+for (; inlen >= 3; inlen -= 3)
|
||||
+ {
|
||||
+ *out++ = base64digits[in[0] >> 2];
|
||||
+ *out++ = base64digits[((in[0] << 4) & 0x30) | (in[1] >> 4)];
|
||||
+ *out++ = base64digits[((in[1] << 2) & 0x3c) | (in[2] >> 6)];
|
||||
+ *out++ = base64digits[in[2] & 0x3f];
|
||||
+ in += 3;
|
||||
+ }
|
||||
+if (inlen > 0)
|
||||
+ {
|
||||
+ uschar fragment;
|
||||
+
|
||||
+ *out++ = base64digits[in[0] >> 2];
|
||||
+ fragment = (in[0] << 4) & 0x30;
|
||||
+ if (inlen > 1)
|
||||
+ fragment |= in[1] >> 4;
|
||||
+ *out++ = base64digits[fragment];
|
||||
+ *out++ = (inlen < 2) ? '=' : base64digits[(in[1] << 2) & 0x3c];
|
||||
+ *out++ = '=';
|
||||
+ }
|
||||
+*out = '\0';
|
||||
}
|
||||
|
||||
|
||||
@@ -404,52 +404,52 @@ int
|
||||
spa_base64_to_bits (char *out, int outlength, const char *in)
|
||||
/* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
|
||||
{
|
||||
- int len = 0;
|
||||
- register uschar digit1, digit2, digit3, digit4;
|
||||
+int len = 0;
|
||||
+uschar digit1, digit2, digit3, digit4;
|
||||
|
||||
- if (in[0] == '+' && in[1] == ' ')
|
||||
- in += 2;
|
||||
- if (*in == '\r')
|
||||
- return (0);
|
||||
+if (in[0] == '+' && in[1] == ' ')
|
||||
+ in += 2;
|
||||
+if (*in == '\r')
|
||||
+ return (0);
|
||||
|
||||
- do
|
||||
+do
|
||||
+ {
|
||||
+ if (len >= outlength) /* Added by PH */
|
||||
+ return -1; /* Added by PH */
|
||||
+ digit1 = in[0];
|
||||
+ if (DECODE64 (digit1) == BAD)
|
||||
+ return -1;
|
||||
+ digit2 = in[1];
|
||||
+ if (DECODE64 (digit2) == BAD)
|
||||
+ return -1;
|
||||
+ digit3 = in[2];
|
||||
+ if (digit3 != '=' && DECODE64 (digit3) == BAD)
|
||||
+ return -1;
|
||||
+ digit4 = in[3];
|
||||
+ if (digit4 != '=' && DECODE64 (digit4) == BAD)
|
||||
+ return -1;
|
||||
+ in += 4;
|
||||
+ *out++ = (DECODE64 (digit1) << 2) | (DECODE64 (digit2) >> 4);
|
||||
+ ++len;
|
||||
+ if (digit3 != '=')
|
||||
{
|
||||
+ if (len >= outlength) /* Added by PH */
|
||||
+ return -1; /* Added by PH */
|
||||
+ *out++ =
|
||||
+ ((DECODE64 (digit2) << 4) & 0xf0) | (DECODE64 (digit3) >> 2);
|
||||
+ ++len;
|
||||
+ if (digit4 != '=')
|
||||
+ {
|
||||
if (len >= outlength) /* Added by PH */
|
||||
- return (-1); /* Added by PH */
|
||||
- digit1 = in[0];
|
||||
- if (DECODE64 (digit1) == BAD)
|
||||
- return (-1);
|
||||
- digit2 = in[1];
|
||||
- if (DECODE64 (digit2) == BAD)
|
||||
- return (-1);
|
||||
- digit3 = in[2];
|
||||
- if (digit3 != '=' && DECODE64 (digit3) == BAD)
|
||||
- return (-1);
|
||||
- digit4 = in[3];
|
||||
- if (digit4 != '=' && DECODE64 (digit4) == BAD)
|
||||
- return (-1);
|
||||
- in += 4;
|
||||
- *out++ = (DECODE64 (digit1) << 2) | (DECODE64 (digit2) >> 4);
|
||||
+ return -1; /* Added by PH */
|
||||
+ *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4);
|
||||
++len;
|
||||
- if (digit3 != '=')
|
||||
- {
|
||||
- if (len >= outlength) /* Added by PH */
|
||||
- return (-1); /* Added by PH */
|
||||
- *out++ =
|
||||
- ((DECODE64 (digit2) << 4) & 0xf0) | (DECODE64 (digit3) >> 2);
|
||||
- ++len;
|
||||
- if (digit4 != '=')
|
||||
- {
|
||||
- if (len >= outlength) /* Added by PH */
|
||||
- return (-1); /* Added by PH */
|
||||
- *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4);
|
||||
- ++len;
|
||||
- }
|
||||
- }
|
||||
+ }
|
||||
}
|
||||
- while (*in && *in != '\r' && digit4 != '=');
|
||||
+ }
|
||||
+while (*in && *in != '\r' && digit4 != '=');
|
||||
|
||||
- return (len);
|
||||
+return len;
|
||||
}
|
||||
|
||||
|
||||
diff --git a/src/auths/spa.c b/src/auths/spa.c
|
||||
index 97e3b10..5bffdfb 100644
|
||||
--- a/src/auths/spa.c
|
||||
+++ b/src/auths/spa.c
|
||||
@@ -139,7 +139,8 @@ SPAAuthChallenge challenge;
|
||||
SPAAuthResponse response;
|
||||
SPAAuthResponse *responseptr = &response;
|
||||
uschar msgbuf[2048];
|
||||
-uschar *clearpass;
|
||||
+uschar *clearpass, *s;
|
||||
+unsigned off;
|
||||
|
||||
/* send a 334, MS Exchange style, and grab the client's request,
|
||||
unless we already have it via an initial response. */
|
||||
@@ -194,9 +195,19 @@ that causes failure if the size of msgbuf is exceeded. ****/
|
||||
|
||||
{
|
||||
int i;
|
||||
- char *p = ((char*)responseptr) + IVAL(&responseptr->uUser.offset,0);
|
||||
+ char * p;
|
||||
int len = SVAL(&responseptr->uUser.len,0)/2;
|
||||
|
||||
+ if ( (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
|
||||
+ || len >= sizeof(responseptr->buffer)/2
|
||||
+ || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
|
||||
+ )
|
||||
+ {
|
||||
+ DEBUG(D_auth)
|
||||
+ debug_printf("auth_spa_server(): bad uUser spec in response\n");
|
||||
+ return FAIL;
|
||||
+ }
|
||||
+
|
||||
if (len + 1 >= sizeof(msgbuf)) return FAIL;
|
||||
for (i = 0; i < len; ++i)
|
||||
{
|
||||
@@ -245,9 +256,16 @@ spa_smb_nt_encrypt (clearpass, challenge.challengeData, ntRespData);
|
||||
|
||||
/* compare NT hash (LM may not be available) */
|
||||
|
||||
-if (memcmp(ntRespData,
|
||||
- ((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0),
|
||||
- 24) == 0)
|
||||
+off = IVAL(&responseptr->ntResponse.offset,0);
|
||||
+if (off >= sizeof(SPAAuthResponse) - 24)
|
||||
+ {
|
||||
+ DEBUG(D_auth)
|
||||
+ debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
|
||||
+ return FAIL;
|
||||
+ }
|
||||
+s = (US responseptr) + off;
|
||||
+
|
||||
+if (memcmp(ntRespData, s, 24) == 0)
|
||||
/* success. we have a winner. */
|
||||
{
|
||||
return auth_check_serv_cond(ablock);
|
||||
|
|
@ -12,7 +12,7 @@
|
|||
Summary: The exim mail transfer agent
|
||||
Name: exim
|
||||
Version: 4.93
|
||||
Release: 7%{?dist}
|
||||
Release: 8%{?dist}
|
||||
License: GPLv2+
|
||||
Url: https://www.exim.org/
|
||||
|
||||
|
|
@ -46,6 +46,7 @@ Patch0: exim-4.93-config.patch
|
|||
Patch1: exim-4.93-libdir.patch
|
||||
Patch2: exim-4.93-dlopen-localscan.patch
|
||||
Patch3: exim-4.85-pic.patch
|
||||
Patch4: exim-4.93-CVE-2020-12783.patch
|
||||
|
||||
Requires: /etc/pki/tls/certs /etc/pki/tls/private
|
||||
Requires: /etc/aliases
|
||||
|
|
@ -159,6 +160,7 @@ greylisting unconditional.
|
|||
%patch1 -p1 -b .libdir
|
||||
%patch2 -p1 -b .dl
|
||||
%patch3 -p1 -b .fpic
|
||||
%patch4 -p1 -b .CVE-2020-12783
|
||||
|
||||
cp src/EDITME Local/Makefile
|
||||
sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
|
||||
|
|
@ -479,6 +481,10 @@ fi
|
|||
%{_sysconfdir}/cron.daily/greylist-tidy.sh
|
||||
|
||||
%changelog
|
||||
* Fri May 15 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.93-8
|
||||
- Fixed out-of-bounds read in the SPA authenticator
|
||||
Resolves: CVE-2020-12783
|
||||
|
||||
* Wed Apr 29 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.93-7
|
||||
- Improved the spec file not to override LDFLAGS
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue