Fix CVE-2016-3120

Resolves: #1361051

2 files changed, 64 insertions, 1 deletions

diff --git a/krb5-1.14.4-CVE-2016-3120.patch b/krb5-1.14.4-CVE-2016-3120.patch
new file mode 100644
index 0000000..fa412aa
--- /dev/null
+++ b/krb5-1.14.4-CVE-2016-3120.patch
@@ -0,0 +1,57 @@
+From 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 19 Jul 2016 11:00:28 -0400
+Subject: [PATCH] Fix S4U2Self KDC crash when anon is restricted
+
+In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
+use client.princ instead of request->client; the latter is NULL when
+validating S4U2Self requests.
+
+CVE-2016-3120:
+
+In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
+to dereference a null pointer if the restrict_anonymous_to_tgt option
+is set to true, by making an S4U2Self request.
+
+  CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
+
+ticket: 8458 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+---
+ src/kdc/kdc_util.c    | 2 +-
+ src/tests/t_pkinit.py | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 776e130..29f9dbb 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -739,7 +739,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
+         return(KDC_ERR_MUST_USE_USER2USER);
+     }
+ 
+-    if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
++    if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
+         *status = "ANONYMOUS NOT ALLOWED";
+         return(KDC_ERR_POLICY);
+     }
+diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
+index b66c458..f0214b6 100755
+--- a/src/tests/t_pkinit.py
++++ b/src/tests/t_pkinit.py
+@@ -93,6 +93,11 @@ out = realm.run([kvno, realm.host_princ], expected_code=1)
+ if 'KDC policy rejects request' not in out:
+     fail('Wrong error for restricted anonymous PKINIT')
+ 
++# Regression test for #8458: S4U2Self requests crash the KDC if
++# anonymous is restricted.
++realm.kinit(realm.host_princ, flags=['-k'])
++realm.run([kvno, '-U', 'user', realm.host_princ])
++
+ # Go back to a normal KDC and disable anonymous PKINIT.
+ realm.stop_kdc()
+ realm.start_kdc()
+-- 
+2.8.1
+
diff --git a/krb5.spec b/krb5.spec
index f85c1d2..b6ab77e 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -13,7 +13,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.14.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -73,6 +73,7 @@ Patch165: krb5-1.15-kdc_hooks_test.patch
 
 Patch166: krb5-1.14.3-fix_otp_as_key.patch
 Patch167: krb5-1.14.3-krad-recv.patch
+Patch168: krb5-1.14.4-CVE-2016-3120.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -273,6 +274,7 @@ ln NOTICE LICENSE
 
 %patch166 -p1 -b .fix_otp_as_key
 %patch167 -p1 -b .krad-recv
+%patch168 -p1 -b .CVE-2016-3120
 
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -803,6 +805,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Thu Jul 28 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-9
+- Fix CVE-2016-3120
+- Resolves: #1361051
+
 * Wed Jun 22 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-8
 - Fix incorrect recv() size calculation in libkrad