authorNalin Dahyabhai <nalin@dahyabhai.net>2011-04-13 15:38:22 -0400
committerNalin Dahyabhai <nalin@dahyabhai.net>2011-04-13 15:38:22 -0400
commit301c9d3ae2fe3dbddf21212a6880a0d8e9767597 (patch)
tree7f055ae75a50fe51b35211cc0abff63a36418ffa
parent5ad8efcad5bb2b49bf858257c1ef2ca75604f0b5 (diff)
- kadmind: add upstream patch to fix free() on an invalid pointer (MITKRB5-SA-2011-004, CVE-2011-0285) [tag: krb5-1.9-9.fc16]
-rw-r--r--2011-004-patch.txt39
-rw-r--r--krb5.spec8
2 files changed, 46 insertions, 1 deletions
diff --git a/2011-004-patch.txt b/2011-004-patch.txt
new file mode 100644
index 0000000..6103911
--- /dev/null
+++ b/2011-004-patch.txt
@@ -0,0 +1,39 @@
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index 1124445..0056885 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -52,6 +52,7 @@ process_chpw_request(context, server_handle, realm, keytab,
+
+ ret = 0;
+ rep->length = 0;
++ rep->data = NULL;
+
+ auth_context = NULL;
+ changepw = NULL;
+@@ -76,8 +77,13 @@ process_chpw_request(context, server_handle, realm, keytab,
+ plen = (*ptr++ & 0xff);
+ plen = (plen<<8) | (*ptr++ & 0xff);
+
+- if (plen != req->length)
+- return(KRB5KRB_AP_ERR_MODIFIED);
++ if (plen != req->length) {
++ ret = KRB5KRB_AP_ERR_MODIFIED;
++ numresult = KRB5_KPASSWD_MALFORMED;
++ strlcpy(strresult, "Request length was inconsistent",
++ sizeof(strresult));
++ goto chpwfail;
++ }
+
+ /* verify version number */
+
+@@ -531,6 +537,10 @@ cleanup:
+ if (local_kaddrs != NULL)
+ krb5_free_addresses(server_handle->context, local_kaddrs);
+
++ if ((*response)->data == NULL) {
++ free(*response);
++ *response = NULL;
++ }
+ krb5_kt_close(server_handle->context, kt);
+
+ return ret;
diff --git a/krb5.spec b/krb5.spec
index 3feb849..cdb874a 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -6,7 +6,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.9
-Release: 8%{?dist}
+Release: 9%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -55,6 +55,7 @@ Patch75: krb5-pkinit-debug.patch
Patch76: http://web.mit.edu/kerberos/advisories/2011-003-patch.txt
Patch77: krb5-1.9-paren.patch
Patch78: krb5-trunk-chpw-err.patch
+Patch79: http://web.mit.edu/kerberos/advisories/2011-004-patch.txt
License: MIT
URL: http://web.mit.edu/kerberos/www/
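Review bot: Patch79 on the added line is declared by a plain-http URL to web.mit.edu, while the copy that is actually applied is the 2011-004-patch.txt committed alongside this spec, and nothing in the spec records how that copy was checked against what MIT published. Because this is the fix for CVE-2011-0285, a one-line spec comment recording the verification would help the next packager, e.g. `# 2011-004-patch.txt checked against the MIT advisory text (and its signature, if published) on 2011-04-13`. As far as I can tell from the hunk, Patch76 uses the same unverified-URL pattern, but it is outside this change.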
@@ -201,6 +202,7 @@ ln -s NOTICE LICENSE
%patch76 -p1 -b .2011-003
%patch77 -p1 -b .paren
%patch78 -p0 -b .chpw-err
+%patch79 -p1 -b .2011-004
gzip doc/*.ps
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -659,6 +661,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Wed Apr 13 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-9
+- kadmind: add upstream patch to fix free() on an invalid pointer
+ (MITKRB5-SA-2011-004, CVE-2011-0285)
+
* Mon Apr 4 2011 Nalin Dahyabhai <nalin@redhat.com>
- don't discard the error code from an error message received in response
to a change-password request (#658871, RT#6893)