author    Nalin Dahyabhai <nalin@redhat.com>  2014-07-21 17:18:33 -0400
committer Nalin Dahyabhai <nalin@redhat.com>  2014-07-21 17:19:42 -0400
commit    24f7f1a446d6ce08196f0796e6a343c85cf94799 (patch)
tree      839e15793b99a590ccbf572f1ecb5e3305eb5ea6
parent    9594be4f3aa19c5c1d8868cfe13163e93782bef5 (diff)
Update to upstream patch
Update to the as-committed version of this patch, which affects the comments it includes.
-rw-r--r--  krb5-gssapi-mech-doublefree.patch | 84
-rw-r--r--  krb5.spec                         |  2
2 files changed, 49 insertions, 37 deletions
diff --git a/krb5-gssapi-mech-doublefree.patch b/krb5-gssapi-mech-doublefree.patch
index c020fca..a52d541 100644
--- a/krb5-gssapi-mech-doublefree.patch
+++ b/krb5-gssapi-mech-doublefree.patch
@@ -1,32 +1,51 @@
-From: David Woodhouse <David.Woodhouse@intel.com>
-
-In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
-pointer sc->internal_mech became an alias into sc->mech_set->elements[],
-which should be considered constant for the duration of the SPNEGO
-context.
-
-So don't free it.
-
-This led to the obvious crashes in the allocator, and also to strange
-behaviour with Firefox failing to fall back to alternative mechanisms
-when it should have done.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1117963
-
-==31436== Invalid free() / delete / delete[] / realloc()
-==31436== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
-==31436== by 0x3AE900D6B9: generic_gss_release_oid_set (gssapi_alloc.h:93)
-==31436== by 0x3AE903775F: release_spnego_ctx (spnego_mech.c:2895)
-==31436== by 0x3AE9037830: spnego_gss_delete_sec_context (spnego_mech.c:2164)
-==31436== by 0x3AE9012292: gss_delete_sec_context (g_delete_sec_context.c:90)
-==31436== Address 0x4fb5510 is 0 bytes inside a block of size 80 free'd
-==31436== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
-==31436== by 0x3AE900C88E: generic_gss_release_oid (oid_ops.c:103)
-==31436== by 0x3AE903BE85: spnego_gss_init_sec_context (spnego_mech.c:792)
-==31436== by 0x3AE90154CA: gss_init_sec_context (g_init_sec_context.c:210)
----
- src/lib/gssapi/spnego/spnego_mech.c | 1 -
- 1 file changed, 1 deletion(-)
+commit f18ddf5d82de0ab7591a36e465bc24225776940f
+Author: David Woodhouse <David.Woodhouse@intel.com>
+Date: Tue Jul 15 12:54:15 2014 -0400
+
+ Fix double-free in SPNEGO [CVE-2014-4343]
+
+ In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
+ pointer sc->internal_mech became an alias into sc->mech_set->elements,
+ which should be considered constant for the duration of the SPNEGO
+ context. So don't free it.
+
+ CVE-2014-4343:
+
+ In MIT krb5 releases 1.10 and newer, an unauthenticated remote
+ attacker with the ability to spoof packets appearing to be from a
+ GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
+ (clients) which are using the SPNEGO mechanism, by returning a
+ different underlying mechanism than was proposed by the initiator. At
+ this stage of the negotiation, the acceptor is unauthenticated, and
+ the acceptor's response could be spoofed by an attacker with the
+ ability to inject traffic to the initiator.
+
+ Historically, some double-free vulnerabilities can be translated into
+ remote code execution, though the necessary exploits must be tailored
+ to the individual application and are usually quite
+ complicated. Double-frees can also be exploited to cause an
+ application crash, for a denial of service. However, most GSSAPI
+ client applications are not vulnerable, as the SPNEGO mechanism is not
+ used by default (when GSS_C_NO_OID is passed as the mech_type argument
+ to gss_init_sec_context()). The most common use of SPNEGO is for
+ HTTP-Negotiate, used in web browsers and other web clients. Most such
+ clients are believed to not offer HTTP-Negotiate by default, instead
+ requiring a whitelist of sites for which it may be used to be
+ configured. If the whitelist is configured to only allow
+ HTTP-Negotiate over TLS connections ("https://"), a successful
+ attacker must also spoof the web server's SSL certificate, due to the
+ way the WWW-Authenticate header is sent in a 401 (Unauthorized)
+ response message. Unfortunately, many instructions for enabling
+ HTTP-Negotiate in common web browsers do not include a TLS
+ requirement.
+
+ CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
+
+ [kaduk@mit.edu: CVE summary and CVSSv2 vector]
+
+ ticket: 7969 (new)
+ target_version: 1.12.2
+ tags: pullup
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 173c6d2..8f829d8 100644
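Review bot: the rewritten header drops the Bugzilla URL (https://bugzilla.redhat.com/show_bug.cgi?id=1117963) and the valgrind trace that showed the invalid free() in release_spnego_ctx following the earlier generic_gss_release_oid in spnego_gss_init_sec_context; the bug number now survives only in the spec changelog, so consider keeping the URL as one extra line below `ticket: 7969 (new)` so the patch file stays self-describing. The upstream metadata that replaces it (commit f18ddf5d82de0ab7591a36e465bc24225776940f, the CVE-2014-4343 summary, the CVSSv2 vector, and the statement that the acceptor is still unauthenticated at this stage of the negotiation) is the right thing to carry, and the stated mitigation of only allowing HTTP-Negotiate over "https://" is worth repeating in the package's own documentation. Note also that the new preamble has no `---` separator before the `diff --git` line; `patch -p1` ignores that, but it matters if the file is ever applied with `git am`.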
@@ -40,10 +59,3 @@ index 173c6d2..8f829d8 100644
gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
GSS_C_NO_BUFFER);
---
-1.9.3
-
-
---
-David Woodhouse Open Source Technology Centre
-David.Woodhouse@intel.com Intel Corporation
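Review bot: this hunk only strips the `1.9.3` format-patch footer and the author's mail signature after the final context lines `gss_delete_sec_context(&tmpmin, &sc->ctx_handle,` / `GSS_C_NO_BUFFER);`, and the hunk ranges (`@@ -1,32 +1,51 @@` then `@@ -40,10 +59,3 @@`) show that old lines 33 to 39, the inner code hunk for spnego_mech.c, are untouched, which matches the commit message's claim that only the comments change. It is still worth confirming with `interdiff`, or a diff of the two patch files restricted to their `+`/`-` lines, that the one-line deletion in spnego_mech.c is byte-identical to the upstream commit, since a header-only refresh is exactly where an unnoticed body change would slip through.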
diff --git a/krb5.spec b/krb5.spec
index 09e914e..bd22908 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -1040,7 +1040,7 @@ exit 0
%changelog
* Wed Jul 16 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-12
- gssapi: pull in proposed fix for a double free in initiators (David
- Woodhouse, #1117963)
+ Woodhouse, CVE-2014-4343, #1117963)
* Sat Jul 12 2014 Tom Callaway <spot@fedoraproject.org> - 1.12.1-11
- fix license handling
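Review bot: the changelog entry for 1.12.1-12 (Wed Jul 16 2014) is amended in place to add CVE-2014-4343, with no new entry and no Release bump for this commit; that is fine only if 1.12.1-12 has not been built and pushed yet, otherwise a new entry is expected. Also, the unchanged first line `- gssapi: pull in proposed fix for a double free in initiators (David` still says "proposed", while the commit message states the patch is now the as-committed upstream version, so consider changing it to "upstream fix" within the same hunk.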