author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2011-04-13 15:38:22 -0400 |
committer | Nalin Dahyabhai <nalin@dahyabhai.net> | 2011-04-13 15:38:22 -0400 |
commit | 301c9d3ae2fe3dbddf21212a6880a0d8e9767597 (patch) | |
tree | 7f055ae75a50fe51b35211cc0abff63a36418ffa | |
parent | 5ad8efcad5bb2b49bf858257c1ef2ca75604f0b5 (diff) | |
- kadmind: add upstream patch to fix free() on an invalid pointer (MITKRB5-SA-2011-004, CVE-2011-0285)krb5-1.9-9.fc16
-rw-r--r-- | 2011-004-patch.txt | 39 | ||||
-rw-r--r-- | krb5.spec | 8 |
2 files changed, 46 insertions, 1 deletions
diff --git a/2011-004-patch.txt b/2011-004-patch.txt
new file mode 100644
index 0000000..6103911
--- /dev/null
+++ b/2011-004-patch.txt
@@ -0,0 +1,39 @@
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index 1124445..0056885 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -52,6 +52,7 @@ process_chpw_request(context, server_handle, realm, keytab,
+ 
+     ret = 0;
+     rep->length = 0;
++    rep->data = NULL;
+ 
+     auth_context = NULL;
+     changepw = NULL;
+@@ -76,8 +77,13 @@ process_chpw_request(context, server_handle, realm, keytab,
+     plen = (*ptr++ & 0xff);
+     plen = (plen<<8) | (*ptr++ & 0xff);
+ 
+-    if (plen != req->length)
+-        return(KRB5KRB_AP_ERR_MODIFIED);
++    if (plen != req->length) {
++        ret = KRB5KRB_AP_ERR_MODIFIED;
++        numresult = KRB5_KPASSWD_MALFORMED;
++        strlcpy(strresult, "Request length was inconsistent",
++                sizeof(strresult));
++        goto chpwfail;
++    }
+ 
+     /* verify version number */
+ 
+@@ -531,6 +537,10 @@ cleanup:
+     if (local_kaddrs != NULL)
+         krb5_free_addresses(server_handle->context, local_kaddrs);
+ 
++    if ((*response)->data == NULL) {
++        free(*response);
++        *response = NULL;
++    }
+     krb5_kt_close(server_handle->context, kt);
+ 
+     return ret;
@@ -6,7 +6,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.9
-Release: 8%{?dist}
+Release: 9%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -55,6 +55,7 @@ Patch75: krb5-pkinit-debug.patch
 Patch76: http://web.mit.edu/kerberos/advisories/2011-003-patch.txt
 Patch77: krb5-1.9-paren.patch
 Patch78: krb5-trunk-chpw-err.patch
+Patch79: http://web.mit.edu/kerberos/advisories/2011-004-patch.txt
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
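Review bot: The new cleanup block in the third hunk dereferences `*response` before checking it, so if any `goto cleanup` can be reached before `*response` has been assigned (the allocation and the `chpwfail:` path are both outside this hunk), `(*response)->data` reads through a NULL pointer instead of preventing the invalid free it targets. If the allocation always precedes the first possible jump to `cleanup` this is harmless, but a guard that holds regardless costs nothing: `if (*response != NULL && (*response)->data == NULL) {`. The block also deserves a why-comment tied to the `rep->data = NULL` initialization in the first hunk, e.g. `/* No reply was built (data is still NULL from its initialization); drop the response so the caller never frees an unset pointer. */`. Note that the second hunk changes behavior on a length mismatch from a silent early return to a KRB5_KPASSWD_MALFORMED error reply to an unauthenticated peer, which looks fine for a fixed string but is worth stating in the changelog entry. process_chpw_request starts and ends outside the hunk.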
@@ -201,6 +202,7 @@ ln -s NOTICE LICENSE
 %patch76 -p1 -b .2011-003
 %patch77 -p1 -b .paren
 %patch78 -p0 -b .chpw-err
+%patch79 -p1 -b .2011-004
 
 gzip doc/*.ps
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -659,6 +661,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Wed Apr 13 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-9
+- kadmind: add upstream patch to fix free() on an invalid pointer
+  (MITKRB5-SA-2011-004, CVE-2011-0285)
+
 * Mon Apr 4 2011 Nalin Dahyabhai <nalin@redhat.com>
 - don't discard the error code from an error message received in response to a
   change-password request (#658871, RT#6893)