summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'gnome-extra/evolution-data-server/files/evolution-data-server-CVE-2009-0582.patch')
-rw-r--r--gnome-extra/evolution-data-server/files/evolution-data-server-CVE-2009-0582.patch144
1 files changed, 0 insertions, 144 deletions
diff --git a/gnome-extra/evolution-data-server/files/evolution-data-server-CVE-2009-0582.patch b/gnome-extra/evolution-data-server/files/evolution-data-server-CVE-2009-0582.patch
deleted file mode 100644
index 46231c0c0c39..000000000000
--- a/gnome-extra/evolution-data-server/files/evolution-data-server-CVE-2009-0582.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-Index: camel/camel-sasl-ntlm.c
-===================================================================
---- camel/camel-sasl-ntlm.c (revision 10105)
-+++ camel/camel-sasl-ntlm.c (working copy)
-@@ -74,9 +74,8 @@ camel_sasl_ntlm_get_type (void)
-
- #define NTLM_REQUEST "NTLMSSP\x00\x01\x00\x00\x00\x06\x82\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x30\x00\x00\x00"
-
--#define NTLM_CHALLENGE_NONCE_OFFSET 24
--#define NTLM_CHALLENGE_DOMAIN_OFFSET 48
--#define NTLM_CHALLENGE_DOMAIN_LEN_OFFSET 44
-+#define NTLM_CHALLENGE_DOMAIN_OFFSET 12
-+#define NTLM_CHALLENGE_NONCE_OFFSET 24
-
- #define NTLM_RESPONSE_HEADER "NTLMSSP\x00\x03\x00\x00\x00"
- #define NTLM_RESPONSE_FLAGS "\x82\x01"
-@@ -93,22 +92,60 @@ static void ntlm_calc_response (const
- guchar results[24]);
- static void ntlm_lanmanager_hash (const char *password, char hash[21]);
- static void ntlm_nt_hash (const char *password, char hash[21]);
--static void ntlm_set_string (GByteArray *ba, int offset,
-- const char *data, int len);
-+
-+typedef struct {
-+ guint16 length;
-+ guint16 allocated;
-+ guint32 offset;
-+} SecurityBuffer;
-+
-+static GString *
-+ntlm_get_string (GByteArray *ba, int offset)
-+{
-+ SecurityBuffer *secbuf;
-+ GString *string;
-+ gchar *buf_string;
-+ guint16 buf_length;
-+ guint32 buf_offset;
-+
-+ secbuf = (SecurityBuffer *) &ba->data[offset];
-+ buf_length = GUINT16_FROM_LE (secbuf->length);
-+ buf_offset = GUINT32_FROM_LE (secbuf->offset);
-+
-+ if (ba->len < buf_offset + buf_length)
-+ return NULL;
-+
-+ string = g_string_sized_new (buf_length);
-+ buf_string = (gchar *) &ba->data[buf_offset];
-+ g_string_append_len (string, buf_string, buf_length);
-+
-+ return string;
-+}
-+
-+static void
-+ntlm_set_string (GByteArray *ba, int offset, const char *data, int len)
-+{
-+ SecurityBuffer *secbuf;
-+
-+ secbuf = (SecurityBuffer *) &ba->data[offset];
-+ secbuf->length = GUINT16_TO_LE (len);
-+ secbuf->offset = GUINT32_TO_LE (ba->len);
-+ secbuf->allocated = secbuf->length;
-+
-+ g_byte_array_append (ba, (guint8 *) data, len);
-+}
-
- static GByteArray *
- ntlm_challenge (CamelSasl *sasl, GByteArray *token, CamelException *ex)
- {
- GByteArray *ret;
- guchar nonce[8], hash[21], lm_resp[24], nt_resp[24];
-+ GString *domain;
-
- ret = g_byte_array_new ();
-
-- if (!token || !token->len) {
-- g_byte_array_append (ret, (guint8 *) NTLM_REQUEST,
-- sizeof (NTLM_REQUEST) - 1);
-- return ret;
-- }
-+ if (!token || token->len < NTLM_CHALLENGE_NONCE_OFFSET + 8)
-+ goto fail;
-
- memcpy (nonce, token->data + NTLM_CHALLENGE_NONCE_OFFSET, 8);
- ntlm_lanmanager_hash (sasl->service->url->passwd, (char *) hash);
-@@ -116,7 +153,11 @@ ntlm_challenge (CamelSasl *sasl, GByteAr
- ntlm_nt_hash (sasl->service->url->passwd, (char *) hash);
- ntlm_calc_response (hash, nonce, nt_resp);
-
-- ret = g_byte_array_new ();
-+ domain = ntlm_get_string (token, NTLM_CHALLENGE_DOMAIN_OFFSET);
-+ if (domain == NULL)
-+ goto fail;
-+
-+ /* Don't jump to 'fail' label after this point. */
- g_byte_array_set_size (ret, NTLM_RESPONSE_BASE_SIZE);
- memset (ret->data, 0, NTLM_RESPONSE_BASE_SIZE);
- memcpy (ret->data, NTLM_RESPONSE_HEADER,
-@@ -125,8 +166,7 @@ ntlm_challenge (CamelSasl *sasl, GByteAr
- NTLM_RESPONSE_FLAGS, sizeof (NTLM_RESPONSE_FLAGS) - 1);
-
- ntlm_set_string (ret, NTLM_RESPONSE_DOMAIN_OFFSET,
-- (const char *) token->data + NTLM_CHALLENGE_DOMAIN_OFFSET,
-- atoi ((char *) token->data + NTLM_CHALLENGE_DOMAIN_LEN_OFFSET));
-+ domain->str, domain->len);
- ntlm_set_string (ret, NTLM_RESPONSE_USER_OFFSET,
- sasl->service->url->user,
- strlen (sasl->service->url->user));
-@@ -138,6 +178,18 @@ ntlm_challenge (CamelSasl *sasl, GByteAr
- (const char *) nt_resp, sizeof (nt_resp));
-
- sasl->authenticated = TRUE;
-+
-+ g_string_free (domain, TRUE);
-+
-+ goto exit;
-+
-+fail:
-+ /* If the challenge is malformed, restart authentication.
-+ * XXX A malicious server could make this loop indefinitely. */
-+ g_byte_array_append (ret, (guint8 *) NTLM_REQUEST,
-+ sizeof (NTLM_REQUEST) - 1);
-+
-+exit:
- return ret;
- }
-
-@@ -201,17 +253,6 @@ ntlm_nt_hash (const char *password, char
- g_free (buf);
- }
-
--static void
--ntlm_set_string (GByteArray *ba, int offset, const char *data, int len)
--{
-- ba->data[offset ] = ba->data[offset + 2] = len & 0xFF;
-- ba->data[offset + 1] = ba->data[offset + 3] = (len >> 8) & 0xFF;
-- ba->data[offset + 4] = ba->len & 0xFF;
-- ba->data[offset + 5] = (ba->len >> 8) & 0xFF;
-- g_byte_array_append (ba, (guint8 *) data, len);
--}
--
--
- #define KEYBITS(k,s) \
- (((k[(s)/8] << ((s)%8)) & 0xFF) | (k[(s)/8+1] >> (8-(s)%8)))
-