authorcy <cy@FreeBSD.org>2011-12-27 05:38:58 +0800
committercy <cy@FreeBSD.org>2011-12-27 05:38:58 +0800
commita6e8413f514bd1e7f61fa26ba9176378f61d9d16 (patch)
tree57a57c4a67e1ec6c24c850f98ac9896bae700864 /security/krb5-appl
parent956ced21a0d0e434de7b40604b2c13c370f96750 (diff)
Fix the case where an encryption key is supplied via the TELNET protocol and its length
is not validated before the key is copied into a fixed-size buffer.

Security: FreeBSD-SA-11:08.telnetd, CVE-2011-4862
Feature safe: yes
Diffstat (limited to 'security/krb5-appl')
-rw-r--r--security/krb5-appl/Makefile1
-rw-r--r--security/krb5-appl/files/patch-telnet-libtelnet-encrypt.c12
2 files changed, 13 insertions, 0 deletions
diff --git a/security/krb5-appl/Makefile b/security/krb5-appl/Makefile
index 064f262c7579..ffaeb9770d0b 100644
--- a/security/krb5-appl/Makefile
+++ b/security/krb5-appl/Makefile
@@ -7,6 +7,7 @@
PORTNAME= krb5-appl
PORTVERSION= 1.0.2
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
# PATCH_SITES= http://web.mit.edu/kerberos/advisories/
diff --git a/security/krb5-appl/files/patch-telnet-libtelnet-encrypt.c b/security/krb5-appl/files/patch-telnet-libtelnet-encrypt.c
new file mode 100644
index 000000000000..20fbba7351a4
--- /dev/null
+++ b/security/krb5-appl/files/patch-telnet-libtelnet-encrypt.c
@@ -0,0 +1,12 @@
+--- telnet/libtelnet/encrypt.c.orig 2009-11-05 12:15:06.000000000 -0800
++++ telnet/libtelnet/encrypt.c 2011-12-26 12:59:08.261571642 -0800
+@@ -757,6 +757,9 @@
+ int dir = kp->dir;
+ register int ret = 0;
+
++ if (len > MAXKEYLEN)
++ len = MAXKEYLEN;
++
+ if (!(ep = (*kp->getcrypt)(*kp->modep))) {
+ if (len == 0)
+ return;
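Review bot: The added guard `if (len > MAXKEYLEN)` bounds only the upper side, and the declaration of `len` lies outside the hunk; if it is a signed type, a negative value passes the check unchanged and reaches whatever copy follows. Consider `if (len < 0 || len > MAXKEYLEN)`, or confirm that no caller can pass a negative length derived from the suboption size. The clamp also truncates an oversize key id silently rather than rejecting it, so a short comment above it such as `/* CVE-2011-4862: bound len before the key id is copied into the fixed-size buffer */` would tell later readers why the truncation exists. The enclosing function starts and ends outside the hunk, so the copy itself is not visible here.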