author: Nalin Dahyabhai <nalin@redhat.com> 2014-07-21 18:07:02 -0400
committer: Nalin Dahyabhai <nalin@redhat.com> 2014-07-21 18:07:02 -0400
commit: 30a6cd9b758cd3309ca5e41e523460c2358de89b (patch)
tree: 8372f4d49a2281db762e2ff621c0605d3c70dc6c
parent: ae0ed2d09a13792fabe2260e85f1f1baf40fbf4e (diff)
Add patch for CVE-2014-4344
- gssapi: pull in upstream fix for a possible NULL dereference in spnego (CVE-2014-4344)
-rw-r--r-- krb5-gssapi-spnego-deref.patch | 44
-rw-r--r-- krb5.spec | 8
2 files changed, 51 insertions, 1 deletions
diff --git a/krb5-gssapi-spnego-deref.patch b/krb5-gssapi-spnego-deref.patch
new file mode 100644
index 0000000..b529d03
--- /dev/null
+++ b/krb5-gssapi-spnego-deref.patch
@@ -0,0 +1,44 @@
+commit 524688ce87a15fc75f87efc8c039ba4c7d5c197b
+Author: Greg Hudson <ghudson@mit.edu>
+Date: Tue Jul 15 12:56:01 2014 -0400
+
+ Fix null deref in SPNEGO acceptor [CVE-2014-4344]
+
+ When processing a continuation token, acc_ctx_cont was dereferencing
+ the initial byte of the token without checking the length. This could
+ result in a null dereference.
+
+ CVE-2014-4344:
+
+ In MIT krb5 1.5 and newer, an unauthenticated or partially
+ authenticated remote attacker can cause a NULL dereference and
+ application crash during a SPNEGO negotiation by sending an empty
+ token as the second or later context token from initiator to acceptor.
+ The attacker must provide at least one valid context token in the
+ security context negotiation before sending the empty token. This can
+ be done by an unauthenticated attacker by forcing SPNEGO to
+ renegotiate the underlying mechanism, or by using IAKERB to wrap an
+ unauthenticated AS-REQ as the first token.
+
+ CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+ [kaduk@mit.edu: CVE summary, CVSSv2 vector]
+
+ ticket: 7970 (new)
+ subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
+ target_version: 1.12.2
+ tags: pullup
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 8f829d8..2aa6810 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat,
+
+ ptr = bufstart = buf->value;
+ #define REMAIN (buf->length - (ptr - bufstart))
+- if (REMAIN > INT_MAX)
++ if (REMAIN == 0 || REMAIN > INT_MAX)
+ return GSS_S_DEFECTIVE_TOKEN;
+
+ /*
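Review bot: the single changed line, `if (REMAIN == 0 || REMAIN > INT_MAX)`, is the entire fix, and it is placed correctly: at this point `ptr == bufstart`, so `REMAIN` evaluates to `buf->length`, and a zero-length continuation token (whose `value` may well be NULL) is now rejected with GSS_S_DEFECTIVE_TOKEN before any byte of the token is read. Two things worth confirming before merging: the embedded diff uses `a/src/lib/gssapi/spnego/spnego_mech.c` paths, so `-p1` is the right strip level for this spec, and the hunk header `@@ -1468,7 +1468,7 @@` comes from the upstream tree targeting 1.12.2, so check that it applies without fuzz against the 1.12.1 sources this package builds from.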
diff --git a/krb5.spec b/krb5.spec
index 09e914e..d44eebb 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -41,7 +41,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.12.1
-Release: 12%{?dist}
+Release: 13%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.1-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -107,6 +107,7 @@ Patch145: krb5-master-mechd.patch
Patch146: krb5-1.12-CVE-2014-4341_4342.patch
Patch147: krb5-1.12-CVE-2014-4341_4342-tests.patch
Patch148: krb5-gssapi-mech-doublefree.patch
+Patch149: krb5-gssapi-spnego-deref.patch
Patch201: 0001-Don-t-try-to-stat-not-on-disk-ccache-residuals.patch
Patch202: 0002-Use-an-in-memory-cache-until-we-need-the-target-s.patch
Patch203: 0003-Learn-to-destroy-the-ccache-we-re-copying-from.patch
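Review bot: the new `Patch149: krb5-gssapi-spnego-deref.patch` line does not follow the naming used for the neighbouring CVE backports (`krb5-1.12-CVE-2014-4341_4342.patch`, `krb5-1.12-CVE-2014-4341_4342-tests.patch`); naming it `krb5-1.12-CVE-2014-4344.patch` would keep the CVE identifier visible in the spec and make the file easy to find when auditing which CVEs a given release carries. The sequential number 149 after Patch148 is fine.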
@@ -362,6 +363,7 @@ ln -s NOTICE LICENSE
%patch146 -p1 -b .CVE-2014-4341_4342
%patch147 -p1 -b .CVE-2014-4341_4342
%patch148 -p1 -b .gssapi-mech-doublefree
+%patch149 -p1 -b .gssapi-spnego-deref
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -1038,6 +1040,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Mon Jul 21 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-13
+- gssapi: pull in upstream fix for a possible NULL dereference
+ in spnego (CVE-2014-4344)
+
* Wed Jul 16 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-12
- gssapi: pull in proposed fix for a double free in initiators (David
Woodhouse, #1117963)
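Review bot: the changelog entry is consistent with the Release bump to 1.12.1-13 and the Mon Jul 21 2014 author date, and it names the CVE; for traceability it would help to also cite the upstream commit id (524688ce87a15fc75f87efc8c039ba4c7d5c197b) or upstream ticket 7970 from the embedded patch header, matching how the previous entry references its bug number (#1117963).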