Accepting request 910457 from server:mail

- Add libesmtp-fix-cve-2019-19977.patch: Fix stack-based buffer over-read in ntlm/ntlmstruct.c (bsc#1160462 bsc#1189097). (forwarded request 910456 from yfjiang) OBS-URL: https://build.opensuse.org/request/show/910457 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libesmtp?expand=0&rev=22
2021-08-11 09:47:04 +00:00 · 2021-08-11 09:47:04 +00:00 · c1eec4e8f2
commit c1eec4e8f2
parent 4d0a20d267 aa877c7d61
3 changed files with 188 additions and 0 deletions
--- a/libesmtp-fix-cve-2019-19977.patch
+++ b/libesmtp-fix-cve-2019-19977.patch
@ -0,0 +1,179 @@
+From 8c85278d28ff4da32106714a1420371fe37ef349 Mon Sep 17 00:00:00 2001
+From: Brian Stafford <contact@brianstafford.info>
+Date: Mon, 24 Aug 2020 16:11:13 +0100
+Subject: [PATCH] CVE-2019-19977 avoid stach overrwrite #6
+
+---
+ ntlm/ntlm.h       |  2 +-
+ ntlm/ntlmdes.c    |  9 ++++--
+ ntlm/ntlmstruct.c | 76 ++++++++++++++---------------------------------
+ 3 files changed, 30 insertions(+), 57 deletions(-)
+
+Index: libesmtp-1.0.6/ntlm/ntlm.h
+===================================================================
+--- libesmtp-1.0.6.orig/ntlm/ntlm.h
+++ libesmtp-1.0.6/ntlm/ntlm.h
+@@ -24,7 +24,7 @@
+  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+  */
+ 
+-char *lm_uccpy (char *dst, size_t dstlen, const char *src);
+int lm_uccpy (char *dst, size_t dstlen, const char *src);
+ unsigned char *nt_unicode (const char *string, size_t len);
+ 
+ void lm_hash_password (unsigned char *hash, const char *pass);
+Index: libesmtp-1.0.6/ntlm/ntlmdes.c
+===================================================================
+--- libesmtp-1.0.6.orig/ntlm/ntlmdes.c
+++ libesmtp-1.0.6/ntlm/ntlmdes.c
+@@ -66,19 +66,19 @@ lm_deshash (void *result, const_des_cblo
+ 
+ /* Copy and convert to upper case.  If supplied string is shorter than the
+    destination, zero pad the remainder. */
+-char *
+int
+ lm_uccpy (char *dst, size_t dstlen, const char *src)
+ {
+   char *p;
+   size_t len;
+ 
+-  if ((len = strlen (src)) > dstlen)
+  if ((len = src != NULL ? strlen (src) : 0) > dstlen)
+     len = dstlen;
+   for (p = dst; len > 0; p++, src++, len--)
+     *p = toupper (*src);
+   if (p < dst + dstlen)
+     memset (p, 0, dst + dstlen - p);
+-  return dst;
+  return len;
+ }
+ 
+ /* create LanManager hashed password */
+@@ -101,6 +101,9 @@ nt_unicode (const char *string, size_t l
+ {
+   unsigned char *uni, *pp;
+ 
+  if (len == 0)
+    return NULL;
+
+   uni = malloc (len * 2);
+   if ((pp = uni) != NULL)
+     while (len-- > 0)
+Index: libesmtp-1.0.6/ntlm/ntlmstruct.c
+===================================================================
+--- libesmtp-1.0.6.orig/ntlm/ntlmstruct.c
+++ libesmtp-1.0.6/ntlm/ntlmstruct.c
+@@ -187,7 +187,6 @@ ntlm_build_type_1 (char *buf, size_t buf
+ {
+   size_t offset = T1SIZE;
+   size_t len;
+-  unsigned char *up;
+   char string[256];
+ 
+   if (buflen < offset)
+@@ -195,25 +194,13 @@ ntlm_build_type_1 (char *buf, size_t buf
+   memcpy (buf, NTLMSSP, 8);
+   write_uint32 (buf, MSGTYPE, 1);
+   write_uint32 (buf, T1FLAGS, flags);
+-  up = NULL;
+-  len = 0;
+-  if (domain != NULL)
+-    {
+-      len = strlen (domain);
+-      if (offset + len > buflen)
+-	return 0;
+-      lm_uccpy (string, len, domain);
+-    }
+  len = lm_uccpy (string, sizeof string, domain);
+  if (offset + len > buflen)
+    return 0;
+   write_string (buf, T1DOMAIN, &offset, string, len);
+-  up = NULL;
+-  len = 0;
+-  if (workstation != NULL)
+-    {
+-      len = strlen (workstation);
+-      if (offset + len > buflen)
+-	return 0;
+-      lm_uccpy (string, len, workstation);
+-    }
+  len = lm_uccpy (string, sizeof string, workstation);
+  if (offset + len > buflen)
+    return 0;
+   write_string (buf, T1WKSTN, &offset, string, len);
+   return offset;
+ }
+@@ -232,16 +219,11 @@ ntlm_build_type_2 (char *buf, size_t buf
+     return 0;
+   memcpy (buf, NTLMSSP, 8);
+   write_uint32 (buf, MSGTYPE, 2);
+-  up = NULL;
+-  len = 0;
+-  if (domain != NULL)
+-    {
+-      len = strlen (domain);
+-      if (offset + 2 * len > buflen)
+-	return 0;
+-      up = nt_unicode (lm_uccpy (string, len, domain), 2 * len);
+-    }
+-  write_string (buf, T2AUTHTARGET, &offset, up, len);
+  len = lm_uccpy (string, sizeof string, domain);
+  if (offset + 2 * len > buflen)
+    return 0;
+  up = nt_unicode (string, len);
+  write_string (buf, T2AUTHTARGET, &offset, up, 2 * len);
+   if (up != NULL)
+     free (up);
+   write_uint32 (buf, T2FLAGS, flags);
+@@ -267,39 +249,24 @@ ntlm_build_type_3 (char *buf, size_t buf
+   write_uint32 (buf, MSGTYPE, 3);
+   write_string (buf, T3LMRESPONSE, &offset, lm_resp, 24);
+   write_string (buf, T3NTRESPONSE, &offset, nt_resp, 24);
+-  up = NULL;
+-  len = 0;
+-  if (domain != NULL)
+-    {
+-      len = strlen (domain);
+-      if (offset + 2 * len > buflen)
+-	return 0;
+-      up = nt_unicode (lm_uccpy (string, len, domain), 2 * len);
+-    }
+  len = lm_uccpy (string, sizeof string, domain);
+  if (offset + 2 * len > buflen)
+    return 0;
+  up = nt_unicode (string, len);
+   write_string (buf, T3DOMAIN, &offset, up, 2 * len);
+   if (up != NULL)
+     free (up);
+-  up = NULL;
+-  len = 0;
+-  if (user != NULL)
+-    {
+-      len = strlen (user);
+-      if (offset + 2 * len > buflen)
+-	return 0;
+-      up = nt_unicode (lm_uccpy (string, len, user), 2 * len);
+-    }
+  len = lm_uccpy (string, sizeof string, user);
+  if (offset + 2 * len > buflen)
+    return 0;
+  up = nt_unicode (string, len);
+   write_string (buf, T3USER, &offset, up, 2 * len);
+   if (up != NULL)
+     free (up);
+-  up = NULL;
+-  len = 0;
+-  if (workstation != NULL)
+-    {
+-      len = strlen (workstation);
+-      if (offset + 2 * len > buflen)
+-	return 0;
+-      up = nt_unicode (lm_uccpy (string, len, workstation), 2 * len);
+-    }
+  len = lm_uccpy (string, sizeof string, workstation);
+  if (offset + 2 * len > buflen)
+    return 0;
+  up = nt_unicode (string, len);
+   write_string (buf, T3WKSTN, &offset, up, 2 * len);
+   if (up != NULL)
+     free (up);
--- a/libesmtp.changes
+++ b/libesmtp.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Aug  6 09:16:53 UTC 2021 - Yifan Jiang <yfjiang@suse.com>
+
+- Add libesmtp-fix-cve-2019-19977.patch: Fix stack-based buffer
+  over-read in ntlm/ntlmstruct.c (bsc#1160462 bsc#1189097).
+
 -------------------------------------------------------------------
 Mon Jan 14 14:50:46 CET 2019 - kukuk@suse.de

--- a/libesmtp.spec
+++ b/libesmtp.spec
@ -32,6 +32,8 @@ Patch1:         libesmtp-1.0.4-bloat.patch
 # PATCH-FIX-UPSTREAM libesmtp-tlsv12.patch crrodriguez@opensuse.org -- All TLS clients must support and use the highest TLS version available
 Patch2:         libesmtp-tlsv12.patch
 Patch3:         libesmtp-openssl11.patch
+# PATCH-FIX-UPSTREAM libesmtp-fix-cve-2019-19977.patch yfjiang@suse.com bsc#1189097 bsc#1160462 - Fix stack-based buffer over-read in ntlm/ntlmstruct.c.
+Patch4:         libesmtp-fix-cve-2019-19977.patch
 BuildRequires:  openssl-devel
 BuildRequires:  libtool
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -71,6 +73,7 @@ This subpackage contains the API definition files.
 %patch1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1

 %build
 autoreconf -fiv