diff options
author | Nalin Dahyabhai <nalin@redhat.com> | 2014-08-22 09:54:26 -0400 |
---|---|---|
committer | Nalin Dahyabhai <nalin@redhat.com> | 2014-08-22 09:54:26 -0400 |
commit | ee2694e92716e4435688396138f977b1fa90b9c4 (patch) | |
tree | fd2bed8b0f574f91758812d4a5577531869ef80d | |
parent | b883d575b9cac81039e9f4c224c3faeccdce18eb (diff) | |
download | krb5-1.12.2-3.fc21.tar.gz krb5-1.12.2-3.fc21.tar.xz krb5-1.12.2-3.fc21.zip |
Drop obsolete patchkrb5-1.12.2-3.fc21
-rw-r--r-- | krb5-gssapi-mech-doublefree.patch | 61 | ||||
-rw-r--r-- | krb5-gssapi-spnego-deref.patch | 44 |
2 files changed, 0 insertions, 105 deletions
diff --git a/krb5-gssapi-mech-doublefree.patch b/krb5-gssapi-mech-doublefree.patch deleted file mode 100644 index a52d541..0000000 --- a/krb5-gssapi-mech-doublefree.patch +++ /dev/null @@ -1,61 +0,0 @@ -commit f18ddf5d82de0ab7591a36e465bc24225776940f -Author: David Woodhouse <David.Woodhouse@intel.com> -Date: Tue Jul 15 12:54:15 2014 -0400 - - Fix double-free in SPNEGO [CVE-2014-4343] - - In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the - pointer sc->internal_mech became an alias into sc->mech_set->elements, - which should be considered constant for the duration of the SPNEGO - context. So don't free it. - - CVE-2014-4343: - - In MIT krb5 releases 1.10 and newer, an unauthenticated remote - attacker with the ability to spoof packets appearing to be from a - GSSAPI acceptor can cause a double-free condition in GSSAPI initiators - (clients) which are using the SPNEGO mechanism, by returning a - different underlying mechanism than was proposed by the initiator. At - this stage of the negotiation, the acceptor is unauthenticated, and - the acceptor's response could be spoofed by an attacker with the - ability to inject traffic to the initiator. - - Historically, some double-free vulnerabilities can be translated into - remote code execution, though the necessary exploits must be tailored - to the individual application and are usually quite - complicated. Double-frees can also be exploited to cause an - application crash, for a denial of service. However, most GSSAPI - client applications are not vulnerable, as the SPNEGO mechanism is not - used by default (when GSS_C_NO_OID is passed as the mech_type argument - to gss_init_sec_context()). The most common use of SPNEGO is for - HTTP-Negotiate, used in web browsers and other web clients. Most such - clients are believed to not offer HTTP-Negotiate by default, instead - requiring a whitelist of sites for which it may be used to be - configured. If the whitelist is configured to only allow - HTTP-Negotiate over TLS connections ("https://"), a successful - attacker must also spoof the web server's SSL certificate, due to the - way the WWW-Authenticate header is sent in a 401 (Unauthorized) - response message. Unfortunately, many instructions for enabling - HTTP-Negotiate in common web browsers do not include a TLS - requirement. - - CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C - - [kaduk@mit.edu: CVE summary and CVSSv2 vector] - - ticket: 7969 (new) - target_version: 1.12.2 - tags: pullup - -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 173c6d2..8f829d8 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc, - OM_uint32 tmpmin; - size_t i; - -- generic_gss_release_oid(&tmpmin, &sc->internal_mech); - gss_delete_sec_context(&tmpmin, &sc->ctx_handle, - GSS_C_NO_BUFFER); - diff --git a/krb5-gssapi-spnego-deref.patch b/krb5-gssapi-spnego-deref.patch deleted file mode 100644 index b529d03..0000000 --- a/krb5-gssapi-spnego-deref.patch +++ /dev/null @@ -1,44 +0,0 @@ -commit 524688ce87a15fc75f87efc8c039ba4c7d5c197b -Author: Greg Hudson <ghudson@mit.edu> -Date: Tue Jul 15 12:56:01 2014 -0400 - - Fix null deref in SPNEGO acceptor [CVE-2014-4344] - - When processing a continuation token, acc_ctx_cont was dereferencing - the initial byte of the token without checking the length. This could - result in a null dereference. - - CVE-2014-4344: - - In MIT krb5 1.5 and newer, an unauthenticated or partially - authenticated remote attacker can cause a NULL dereference and - application crash during a SPNEGO negotiation by sending an empty - token as the second or later context token from initiator to acceptor. - The attacker must provide at least one valid context token in the - security context negotiation before sending the empty token. This can - be done by an unauthenticated attacker by forcing SPNEGO to - renegotiate the underlying mechanism, or by using IAKERB to wrap an - unauthenticated AS-REQ as the first token. - - CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C - - [kaduk@mit.edu: CVE summary, CVSSv2 vector] - - ticket: 7970 (new) - subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344] - target_version: 1.12.2 - tags: pullup - -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 8f829d8..2aa6810 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat, - - ptr = bufstart = buf->value; - #define REMAIN (buf->length - (ptr - bufstart)) -- if (REMAIN > INT_MAX) -+ if (REMAIN == 0 || REMAIN > INT_MAX) - return GSS_S_DEFECTIVE_TOKEN; - - /* |