File CVE-2018-14780.patch of Package yubico-piv-tool.8570
From 80d47c82f019d6676e8cc5392a31d7478af8015e Mon Sep 17 00:00:00 2001
From: Klas Lindfors <klas@yubico.com>
Date: Tue, 22 May 2018 13:31:50 +0200
Subject: [PATCH] lib: in _ykpiv_fetch_object() handle bogus length by
returning
otherwise we might memmove() too much data
Thanks to Eric Sesterhenn of x41 D-Sec for reporting this issue to us.
---
lib/ykpiv.c | 6 ++++++
1 file changed, 6 insertions(+)
Index: yubico-piv-tool-1.5.0/lib/ykpiv.c
===================================================================
--- yubico-piv-tool-1.5.0.orig/lib/ykpiv.c
+++ yubico-piv-tool-1.5.0/lib/ykpiv.c
@@ -1250,6 +1250,12 @@ ykpiv_rc _ykpiv_fetch_object(ykpiv_state
if(offs == 0) {
return YKPIV_SIZE_ERROR;
}
+ if(outlen > offs + 1 + *len) {
+ if(state->verbose) {
+ fprintf(stderr, "Invalid length indicated in object, total objlen is %lu, indicated length is %lu.", *len, outlen);
+ }
+ return YKPIV_SIZE_ERROR;
+ }
memmove(data, data + 1 + offs, outlen);
*len = outlen;
return YKPIV_OK;
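Review bot: The added guard `if(outlen > offs + 1 + *len)` bounds the wrong side for the memmove() that follows: the copy reads `outlen` bytes starting at `data + 1 + offs`, so it stays within the first `*len` bytes only when `outlen <= *len - offs - 1`, yet the check as written still accepts an `outlen` of up to `*len + offs + 1`. Assuming `*len` holds the number of bytes actually received into `data` (the log text calls it the total object length; its assignment is outside the hunk), the condition should be `if(*len < (unsigned long)offs + 1 || outlen > *len - offs - 1)`, which also avoids wrap-around when the indicated length is very large. The verbose message lacks a trailing `\n`, and `%lu` should be confirmed against the declared type of `outlen`, which is not visible here. The body of _ykpiv_fetch_object() starts and ends outside this hunk.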