author: Tobias Klauser <tklauser@distanz.ch> 2009-05-23 16:00:01 +0200
committer: Tobias Klauser <tklauser@distanz.ch> 2009-05-24 12:05:26 +0200
commit: 29dd244ddd53b8acf4a2b9abe3fd62bf44575bbd
tree: e43f66bafe897a2882209865b52b4edbdeff8c77 /debian/patches/00list
parent: b37e0da0b7dc72ddfa513e319ca71b5f5b8aeb7d
Security fix for cscope 15.6-2 in etch (CVE 2009-0148)
15.6-2+etch1 oldstable-security
Diffstat (limited to 'debian/patches/00list')
-rw-r--r-- debian/patches/00list 1
1 files changed, 1 insertions, 0 deletions
diff --git a/debian/patches/00list b/debian/patches/00list
index 759b17a..0eaa22f 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1 +1,2 @@
01-fix-resize-crash-inside-vim
+04-cve-2009-0148
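Review bot: The added entry `04-cve-2009-0148` jumps from `01-fix-resize-crash-inside-vim` straight to 04, leaving 02 and 03 unused in this list. If the number is kept to match the patch's numbering elsewhere, say so in the commit message; otherwise renumber it so the series reads contiguously. This view is limited to `debian/patches/00list`, so also confirm that the same commit ships the patch file this entry names, because the list line on its own does not carry the fix. The commit subject writes the identifier as "CVE 2009-0148"; the hyphenated form CVE-2009-0148 is easier to match when searching trackers and logs.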
ublic_key_verify_signature+0x3a7/0x5e0
 [<ffffffff81830cb0>] ? public_key_describe+0x80/0x80
 [<ffffffff817830f0>] ? keyring_search_aux+0x150/0x150
 [<ffffffff818334a4>] ? x509_request_asymmetric_key+0x114/0x370
 [<ffffffff814b83f0>] ? kfree+0x220/0x370
 [<ffffffff818312c2>] public_key_verify_signature_2+0x32/0x50
 [<ffffffff81830b5c>] verify_signature+0x7c/0xb0
 [<ffffffff81835d0c>] pkcs7_validate_trust+0x42c/0x5f0
 [<ffffffff813c391a>] system_verify_data+0xca/0x170
 [<ffffffff813c3850>] ? top_trace_array+0x9b/0x9b
 [<ffffffff81510b29>] ? __vfs_read+0x279/0x3d0
 [<ffffffff8129372f>] mod_verify_sig+0x1ff/0x290
 [...]

The exact purpose of the len extension isn't clear to me, but due to its form, I suspect that it's a leftover somehow accounting for leading zero bytes within the most significant output limb.

Note however that without that len adjustment, the total number of bytes ever processed by the inner loop equals nbytes and thus, the last output limb gets written at this point.

Thus the net effect of the len adjustment cited above is just to keep the inner loop running for some more iterations, namely < BYTES_PER_MPI_LIMB ones, reading some extra bytes from beyond the last SGE's buffer and discarding them afterwards.

Fix this issue by purging the extension of len beyond the last input SGE's buffer length.

Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers")
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'lib/mpi/mpicoder.c')