-------------------------------------------------------------------
Tue May 2 12:37:22 IST 2006 - smanojna@novell.com - Description: CASAManager GUI shall now support a maximum of 512 characters in length. User will not be able to create secrets and key-value pairs of lenght more than 512 characters from within CASAManager GUI. This check is essential to protect CASA from possible buffer overflow attacks. Modified files: casa.glade -------------------------------------------------------------------
This commit is contained in:
smanojna
parent
243d49616a
commit
0df6145a35
132
CASA.changes
132
CASA.changes
@ -1,69 +1,81 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue May 2 12:37:22 IST 2006 - smanojna@novell.com
|
||||
- Description:
|
||||
CASAManager GUI shall now support a maximum of 512 characters in
|
||||
length. User will not be able to create secrets and key-value pairs
|
||||
of lenght more than 512 characters from within CASAManager GUI.
|
||||
This check is essential to protect CASA from possible buffer
|
||||
overflow attacks.
|
||||
|
||||
Modified files:
|
||||
casa.glade
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 26 16:17:00 MST 2006 - jnorman@novell.com
|
||||
- Bug 165283. Remove reference to Mac OS from help file.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 26 15:50:00 MST 2006 - jnorman@novell.com
|
||||
- Security Audit Recap:
|
||||
- Item 4.1, File: c_micasad/lss/Rfc2898DeriveBytes.c
|
||||
1. This item is awaiting licensing on a portable random number
|
||||
generator received through a contribution to the the project.
|
||||
- Item 4.2 File: c_micasad/cache/KeyValue.c
|
||||
1. Fix is in line 202 of the file. We improved XOR algorithm by
|
||||
increasing the size of the key to equate the value.
|
||||
- Item 4.3 File: c_micasad/lss/LocalStorage.cs
|
||||
1. Now files are checked for ownership before being removed.
|
||||
New methods added and there are changes through out the file to support this.
|
||||
- Item 4.4 File: c_micasad/lss/CASACrypto.cs
|
||||
1. IV fix will be checked in as soon as the item No. 1 above is approved.
|
||||
2. For this item now we testing the file to make sure it is not a
|
||||
symbolic link. (line 454, 455 in the file.)
|
||||
3. This was a low priority item and we are investigating this.
|
||||
4. This function was not used hence removed.
|
||||
5. The default behavior of the file creation was modified to set the
|
||||
rights at creation time.
|
||||
- Item 5.1 File: c_micasad/communication/UnixCommunication
|
||||
1. This was fixed by checking to see if the root was not the owner
|
||||
of the socket to remove the file.
|
||||
- Item 5.2 File: c_micasad/lib/communication/UnixIPCClientChannel.cs
|
||||
1. This was fixed by validating the owner of the socket before use.
|
||||
- Item 5.3 File: c_micasad/lib/communication/UnixIPCClientChannel.cs
|
||||
1. This was fixed by validating the buffer size before allocation of memory.
|
||||
- Item 5.4 File: c_micasad/lss/CASACrypto.cs
|
||||
1. This was fixed by checking for minimum length.
|
||||
2. We can't check for upper limit for memory for maximum file size because
|
||||
we don't know how big the file can get. System will swap the pages out
|
||||
of the cache if it gets big and those pages are fragments of the encrypted
|
||||
cache. The original decrypted cache will be subject to garbage collection
|
||||
by Mono or .Net. We have added the forced garbage collection after
|
||||
finishing the decryption operation.
|
||||
- Item 5.5 File: c_micasad/verbs/ObjectSerializtion.cs
|
||||
1. The memory size checks have been added to the code for validation.
|
||||
- Item 5.6 File: c_micasad/verbs/OpenSecretStore.cs
|
||||
1. The buffer size validation is added.
|
||||
2. MsgId 0x1001 is not correct.
|
||||
- Item 5.7 File: c_micasad/verbs/SetMasterPasscode.cs
|
||||
1. The buffer size validation is added.
|
||||
- Item 5.8 File: c_micasad/common/SessionManager.cs
|
||||
1. We are running as root so $PATH is root's $PATH.
|
||||
2. We can go through he while loop twice that is the reason we used the loop.
|
||||
- Item 5.9 File: c_micasad/sscs_ndk.c
|
||||
1. All of the instances of strcpy, strcmp, strcat, strlen, were replaced
|
||||
with strncpy, strncmp, strncat and strlen was eliminated.
|
||||
2. TheUtf8 macros were modified to force a null at the end of the string
|
||||
buffer where the length was declared.
|
||||
3. All of the buffer lengths for upper bounds are being validated before use.
|
||||
4. sscsshs_ChkEscapeString was fixed.
|
||||
- Item 5.10 File: auth_token/kbr5_token/linux/get.c
|
||||
1. This file is not build as a part of CASA 1.6 yet and is supposed to be
|
||||
completed and shipped in CASA 1.7. The fix will be applied later.
|
||||
- Item 5.11 File: c_micasacache/sscs_ipc
|
||||
1. Handling of the end files has been added to the code.
|
||||
- Item 5.12 File: c_micasacache/sscs_unx_ipc_client.c
|
||||
1. Tokenize function has been fixed.
|
||||
2. Validation of the buflen is added where applicable.
|
||||
- Item 5.13 File: c_adlib/ad_gk/native.c
|
||||
1. The validation of the buffer length has been added to the code.
|
||||
- Security Audit Recap:
|
||||
- Item 4.1, File: c_micasad/lss/Rfc2898DeriveBytes.c
|
||||
1. This item is awaiting licensing on a portable random number
|
||||
generator received through a contribution to the the project.
|
||||
- Item 4.2 File: c_micasad/cache/KeyValue.c
|
||||
1. Fix is in line 202 of the file. We improved XOR algorithm by
|
||||
increasing the size of the key to equate the value.
|
||||
- Item 4.3 File: c_micasad/lss/LocalStorage.cs
|
||||
1. Now files are checked for ownership before being removed.
|
||||
New methods added and there are changes through out the file to support this.
|
||||
- Item 4.4 File: c_micasad/lss/CASACrypto.cs
|
||||
1. IV fix will be checked in as soon as the item No. 1 above is approved.
|
||||
2. For this item now we testing the file to make sure it is not a
|
||||
symbolic link. (line 454, 455 in the file.)
|
||||
3. This was a low priority item and we are investigating this.
|
||||
4. This function was not used hence removed.
|
||||
5. The default behavior of the file creation was modified to set the
|
||||
rights at creation time.
|
||||
- Item 5.1 File: c_micasad/communication/UnixCommunication
|
||||
1. This was fixed by checking to see if the root was not the owner
|
||||
of the socket to remove the file.
|
||||
- Item 5.2 File: c_micasad/lib/communication/UnixIPCClientChannel.cs
|
||||
1. This was fixed by validating the owner of the socket before use.
|
||||
- Item 5.3 File: c_micasad/lib/communication/UnixIPCClientChannel.cs
|
||||
1. This was fixed by validating the buffer size before allocation of memory.
|
||||
- Item 5.4 File: c_micasad/lss/CASACrypto.cs
|
||||
1. This was fixed by checking for minimum length.
|
||||
2. We can't check for upper limit for memory for maximum file size because
|
||||
we don't know how big the file can get. System will swap the pages out
|
||||
of the cache if it gets big and those pages are fragments of the encrypted
|
||||
cache. The original decrypted cache will be subject to garbage collection
|
||||
by Mono or .Net. We have added the forced garbage collection after
|
||||
finishing the decryption operation.
|
||||
- Item 5.5 File: c_micasad/verbs/ObjectSerializtion.cs
|
||||
1. The memory size checks have been added to the code for validation.
|
||||
- Item 5.6 File: c_micasad/verbs/OpenSecretStore.cs
|
||||
1. The buffer size validation is added.
|
||||
2. MsgId 0x1001 is not correct.
|
||||
- Item 5.7 File: c_micasad/verbs/SetMasterPasscode.cs
|
||||
1. The buffer size validation is added.
|
||||
- Item 5.8 File: c_micasad/common/SessionManager.cs
|
||||
1. We are running as root so $PATH is root's $PATH.
|
||||
2. We can go through he while loop twice that is the reason we used the loop.
|
||||
- Item 5.9 File: c_micasad/sscs_ndk.c
|
||||
1. All of the instances of strcpy, strcmp, strcat, strlen, were replaced
|
||||
with strncpy, strncmp, strncat and strlen was eliminated.
|
||||
2. TheUtf8 macros were modified to force a null at the end of the string
|
||||
buffer where the length was declared.
|
||||
3. All of the buffer lengths for upper bounds are being validated before use.
|
||||
4. sscsshs_ChkEscapeString was fixed.
|
||||
- Item 5.10 File: auth_token/kbr5_token/linux/get.c
|
||||
1. This file is not build as a part of CASA 1.6 yet and is supposed to be
|
||||
completed and shipped in CASA 1.7. The fix will be applied later.
|
||||
- Item 5.11 File: c_micasacache/sscs_ipc
|
||||
1. Handling of the end files has been added to the code.
|
||||
- Item 5.12 File: c_micasacache/sscs_unx_ipc_client.c
|
||||
1. Tokenize function has been fixed.
|
||||
2. Validation of the buflen is added where applicable.
|
||||
- Item 5.13 File: c_adlib/ad_gk/native.c
|
||||
1. The validation of the buffer length has been added to the code.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 26 15:39:00 MST 2006 - jnorman@novell.com
|
||||
|
||||
21646
c_gui/images/casa.glade
21646
c_gui/images/casa.glade
File diff suppressed because it is too large
Load Diff
@ -1,9 +1,9 @@
|
||||
<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
||||
<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
|
||||
|
||||
<glade-project>
|
||||
<name>Casa</name>
|
||||
<program_name>casa</program_name>
|
||||
<pixmaps_directory></pixmaps_directory>
|
||||
<gnome_support>FALSE</gnome_support>
|
||||
</glade-project>
|
||||
<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
||||
<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
|
||||
|
||||
<glade-project>
|
||||
<name>Casa</name>
|
||||
<program_name>casa</program_name>
|
||||
<pixmaps_directory></pixmaps_directory>
|
||||
<gnome_support>FALSE</gnome_support>
|
||||
</glade-project>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user