Fix CVE-2020-10595:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10595

Patch copied from upstream advisory:

https://seclists.org/oss-sec/2020/q1/128

diff --git a/prompting.c b/prompting.c
index e985d95..d81054f 100644
--- a/prompting.c
+++ b/prompting.c
@@ -314,26 +314,27 @@ pamk5_prompter_krb5(krb5_context context UNUSED, void *data, const char *name,
     /*
      * Reuse pam_prompts as a starting index and copy the data into the reply
      * area of the krb5_prompt structs.
      */
     pam_prompts = 0;
     if (name != NULL && !args->silent)
         pam_prompts++;
     if (banner != NULL && !args->silent)
         pam_prompts++;
     for (i = 0; i < num_prompts; i++, pam_prompts++) {
-        size_t len;
+        size_t len, allowed;

         if (resp[pam_prompts].resp == NULL)
             goto cleanup;
         len = strlen(resp[pam_prompts].resp);
-        if (len > prompts[i].reply->length)
+        allowed = prompts[i].reply->length;
+        if (allowed == 0 || len > allowed - 1)
             goto cleanup;

         /*
          * The trailing nul is not included in length, but other applications
          * expect it to be there.  Therefore, we copy one more byte than the
          * actual length of the password, but set length to just the length of
          * the password.
          */
         memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len + 1);
         prompts[i].reply->length = (unsigned int) len;
cm?id=7c06b0abfc0453c361aafaeaf1dda1678b2b744f'>diff</a></td><td class='form'><form class='right' method='get' action='/guix/log/gnu/packages/busybox.scm'>
<input type='hidden' name='id' value='7c06b0abfc0453c361aafaeaf1dda1678b2b744f'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=7c06b0abfc0453c361aafaeaf1dda1678b2b744f'>root</a>/<a href='/guix/log/gnu?id=7c06b0abfc0453c361aafaeaf1dda1678b2b744f'>gnu</a>/<a href='/guix/log/gnu/packages?id=7c06b0abfc0453c361aafaeaf1dda1678b2b744f'>packages</a>/<a href='/guix/log/gnu/packages/busybox.scm?id=7c06b0abfc0453c361aafaeaf1dda1678b2b744f'>busybox.scm</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/gnu/packages/busybox.scm?id=7c06b0abfc0453c361aafaeaf1dda1678b2b744f&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2023-05-30 18:04:18 +0800'>2023-05-30</span></td><td><a href='/guix/commit/gnu/packages/busybox.scm?id=52fed8fbd75737a38d5200c80d31aea2c0c853f6'>gnu: busybox: Update to 1.36.1.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/busybox.scm (busybox): Update to 1.36.1.

Signed-off-by: 宋文武 &lt;iyzsong@member.fsf.org&gt;
</span></span></td><td>Hilton Chain</td></tr>
<tr><td><span title='2023-02-02 18:52:07 +0200'>2023-02-02</span></td><td><a href='/guix/commit/gnu/packages/busybox.scm?id=301f12832601eef6b130f3946d9d597ae43a514a'>gnu: busybox: Update to 1.36.0.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/busybox.scm (busybox): Update to 1.36.0.
</span></span></td><td>Efraim Flashner</td></tr>
<tr><td><span title='2022-11-06 15:18:43 +0100'>2022-11-06</span></td><td><a href='/guix/commit/gnu/packages/busybox.scm?id=f1380352271b1407b08823c31aedc13d70008ae9'>gnu: busybox: Update to 1.35.0.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/busybox.scm (busybox): Update to 1.35.0.

Signed-off-by: Christopher Baines &lt;mail@cbaines.net&gt;
</span></span></td><td>Hilton Chain</td></tr>
<tr><td><span title='2022-09-26 23:29:38 +0200'>2022-09-26</span></td><td><a href='/guix/commit/gnu/packages/busybox.scm?id=e5fc55493d85f01e8c6036401c73cdb73d2ec30a'>gnu: busybox: Fix cross-compilation.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/busybox.scm (busybox)[arguments]: Switch to gexps.
Honor #:tests? in 'check' phase.  Add #:make-flags.

Signed-off-by: Ludovic Courtès &lt;ludo@gnu.org&gt;
</span></span></td><td>Lu Hui</td></tr>

Age	Commit message (Expand)	Author
2023-05-30	gnu: busybox: Update to 1.36.1....* gnu/packages/busybox.scm (busybox): Update to 1.36.1. Signed-off-by: 宋文武 <iyzsong@member.fsf.org>	Hilton Chain
2023-02-02	gnu: busybox: Update to 1.36.0....* gnu/packages/busybox.scm (busybox): Update to 1.36.0.	Efraim Flashner
2022-11-06	gnu: busybox: Update to 1.35.0....* gnu/packages/busybox.scm (busybox): Update to 1.35.0. Signed-off-by: Christopher Baines <mail@cbaines.net>	Hilton Chain
2022-09-26	gnu: busybox: Fix cross-compilation....* gnu/packages/busybox.scm (busybox)[arguments]: Switch to gexps. Honor #:tests? in 'check' phase. Add #:make-flags. Signed-off-by: Ludovic Courtès <ludo@gnu.org>	Lu Hui