Subversion Repositories libspf2

Compare Revisions

Ignore whitespace Rev 38 → Rev 39

/branches/lenny/debian/changelog
2,8 → 2,12
 
* 51_actually-keep-track-of-max_var_len.dpatch: Fix possible DoS with
long sender addresses. Thanks to Hannah Schroeter.
* 52_compile_bufoverflow.dpatch: Prevent buffer overflows in SPF_compile
from mechanisms with huge domainspecs. Workaround suggested by
upstream. Limits the size of mechanisms and modifiers, but that
shouldn't be a problem in practice.
 
-- Magnus Holmgren <holmgren@debian.org> Tue, 04 Nov 2008 21:56:56 +0100
-- Magnus Holmgren <holmgren@debian.org> Wed, 05 Nov 2008 10:34:13 +0100
 
libspf2 (1.2.5.dfsg-5+lenny1) testing-security; urgency=high
 
/branches/lenny/debian/patches/52_compile_bufoverflow.dpatch
0,0 → 1,30
#! /bin/sh /usr/share/dpatch/dpatch-run
## 52_compile_bufoverflow.dpatch by Magnus Holmgren <holmgren@debian.org>
##
## DP: Prevent buffer overflows from mechanisms with huge domainspecs.
## DP: As suggested by upstream.
 
@DPATCH@
diff -urNad lenny~/src/libspf2/spf_compile.c lenny/src/libspf2/spf_compile.c
--- lenny~/src/libspf2/spf_compile.c 2008-11-04 21:51:22.000000000 +0100
+++ lenny/src/libspf2/spf_compile.c 2008-11-04 21:53:22.000000000 +0100
@@ -711,6 +711,9 @@
SPF_errcode_t err;
+ if (strlen(*mech_value) > (sizeof(buf) >> 1))
+ return SPF_E_BIG_MECH;
+
memset(buf, 'B', sizeof(buf)); /* Poison the buffer. */
memset(spf_mechanism, 0, sizeof(SPF_mech_t));
@@ -858,6 +861,9 @@
SPF_errcode_t err;
+ if (strlen(*mod_value) > (sizeof(buf) >> 1))
+ return SPF_E_BIG_MOD;
+
memset(buf, 'A', sizeof(buf));
memset(spf_modifier, 0, sizeof(SPF_mod_t));
Property changes:
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property