authorRobbie Harwood (frozencemetery) <rharwood@redhat.com>2015-11-04 19:11:33 +0000
committerRobbie Harwood (frozencemetery) <rharwood@redhat.com>2015-11-04 20:26:21 +0000
commitb81fddfea1ce7bbc6d051952bf200e604bd0234c (patch)
tree774c9aee6eb36f27cb2003bde083192c2fbe12d3
parentdef8c582bbedf7938a8b5b0e90cc50ee1be1b720 (diff)
Patch CVE-2015-2698
-rw-r--r--krb5-CVE-2015-2698-fix_iakerb_spnego.patch148
-rw-r--r--krb5.spec7
2 files changed, 154 insertions, 1 deletions
diff --git a/krb5-CVE-2015-2698-fix_iakerb_spnego.patch b/krb5-CVE-2015-2698-fix_iakerb_spnego.patch
new file mode 100644
index 0000000..12a86b3
--- /dev/null
+++ b/krb5-CVE-2015-2698-fix_iakerb_spnego.patch
@@ -0,0 +1,148 @@
+Modified version of the patch to 1.14 that are missing test suite
+pieces. Also backports a random comment fixup we needed from master.
+
+diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
+index 05dc321..ac53662 100644
+--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
+@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV
+ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ gss_buffer_t interprocess_token);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_import_sec_context(OM_uint32 *minor_status,
++ const gss_buffer_t interprocess_token,
++ gss_ctx_id_t *context_handle);
+ #endif /* LEAN_CLIENT */
+
+ OM_uint32 KRB5_CALLCONV
+diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
+index 9a23656..d7ba279 100644
+--- a/src/lib/gssapi/krb5/gssapi_krb5.c
++++ b/src/lib/gssapi/krb5/gssapi_krb5.c
+@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = {
+ NULL,
+ #else
+ iakerb_gss_export_sec_context,
+- NULL,
++ iakerb_gss_import_sec_context,
+ #endif
+ krb5_gss_inquire_cred_by_mech,
+ krb5_gss_inquire_names_for_mech,
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+index 4662bd9..32a341e 100644
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -727,10 +727,6 @@ cleanup:
+ return code;
+ }
+
+-/*
+- * Delete an IAKERB context. This can also accept Kerberos context
+- * handles. The heuristic is similar to SPNEGO's delete_sec_context.
+- */
+ OM_uint32 KRB5_CALLCONV
+ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+@@ -1061,7 +1057,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ gss_buffer_t interprocess_token)
+ {
+ OM_uint32 maj;
+- iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
+
+ /* We don't currently support exporting partially established contexts. */
+ if (!ctx->established)
+@@ -1076,13 +1072,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ return maj;
+ }
+
+-/*
+- * Until we implement partial context exports, there are no SPNEGO exported
+- * context tokens, only tokens for the underlying krb5 context. So we do not
+- * need to implement an iakerb_gss_import_sec_context() yet; it would be
+- * unreachable except via a manually constructed token.
+- */
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_import_sec_context(OM_uint32 *minor_status,
++ gss_buffer_t interprocess_token,
++ gss_ctx_id_t *context_handle)
++{
++ OM_uint32 maj, tmpmin;
++ krb5_error_code code;
++ gss_ctx_id_t gssc;
++ krb5_gss_ctx_id_t kctx;
++ iakerb_ctx_id_t ctx;
+
++ maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc);
++ if (maj != GSS_S_COMPLETE)
++ return maj;
++ kctx = (krb5_gss_ctx_id_t)gssc;
++
++ if (!kctx->established) {
++ /* We don't currently support importing partially established
++ * contexts. */
++ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
++ return GSS_S_FAILURE;
++ }
++
++ code = iakerb_alloc_context(&ctx, kctx->initiate);
++ if (code != 0) {
++ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
++ *minor_status = code;
++ return GSS_S_FAILURE;
++ }
++
++ ctx->gssc = gssc;
++ ctx->established = 1;
++ *context_handle = (gss_ctx_id_t)ctx;
++ return GSS_S_COMPLETE;
++}
+ #endif /* LEAN_CLIENT */
+
+ OM_uint32 KRB5_CALLCONV
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 3423f22..ec38eea 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -2253,12 +2253,33 @@ spnego_gss_import_sec_context(
+ const gss_buffer_t interprocess_token,
+ gss_ctx_id_t *context_handle)
+ {
+- /*
+- * Until we implement partial context exports, there are no SPNEGO
+- * exported context tokens, only tokens for underlying mechs. So just
+- * return an error for now.
+- */
+- return GSS_S_UNAVAILABLE;
++ OM_uint32 ret, tmpmin;
++ gss_ctx_id_t mctx;
++ spnego_gss_ctx_id_t sc;
++ int initiate, opened;
++
++ ret = gss_import_sec_context(minor_status, interprocess_token, &mctx);
++ if (ret != GSS_S_COMPLETE)
++ return ret;
++
++ ret = gss_inquire_context(&tmpmin, mctx, NULL, NULL, NULL, NULL, NULL,
++ &initiate, &opened);
++ if (ret != GSS_S_COMPLETE || !opened) {
++ /* We don't currently support importing partially established
++ * contexts. */
++ (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
++ return GSS_S_FAILURE;
++ }
++
++ sc = create_spnego_ctx(initiate);
++ if (sc == NULL) {
++ (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
++ return GSS_S_FAILURE;
++ }
++ sc->ctx_handle = mctx;
++ sc->opened = 1;
++ *context_handle = (gss_ctx_id_t)sc;
++ return GSS_S_COMPLETE;
+ }
+ #endif /* LEAN_CLIENT */
+
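Review bot: The prototype added to gssapiP_krb5.h declares the token parameter as `const gss_buffer_t interprocess_token`, but the definition of iakerb_gss_import_sec_context in iakerb.c drops the qualifier (`gss_buffer_t interprocess_token`); because gss_buffer_t is a pointer typedef the top-level const does not alter the function type, yet the two should agree the way spnego_gss_import_sec_context's declaration does, so change the definition line to `const gss_buffer_t interprocess_token,`. Separately, the not-established path in iakerb_gss_import_sec_context returns GSS_S_FAILURE without assigning *minor_status, and the matching path in spnego_gss_import_sec_context does the same; the caller then sees whatever minor code the preceding successful import call left behind (presumably 0), so an explicit `*minor_status = 0;` before that return, or a dedicated error code if the project has one, would make the failure contract clear. The IAKERB error paths also omit the `(void)` cast on the krb5_gss_delete_sec_context return value that the SPNEGO hunk uses on gss_delete_sec_context; one form should be used in both. Note that spnego_gss_import_sec_context's signature begins before the quoted context lines of its hunk.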
diff --git a/krb5.spec b/krb5.spec
index 74087c6..b296788 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -43,7 +43,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.14
-Release: 6%{?dist}
+Release: 7%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@@ -93,6 +93,7 @@ Patch149: krb5-1.14-pwsize_initialize.patch
Patch150: krb5-CVE-2015-2695-SPNEGO_aliasing.patch
Patch151: krb5-CVE-2015-2696-IAKERB_aliasing.patch
Patch152: krb5-CVE-2015-2697-build_principal_memory.patch
+Patch153: krb5-CVE-2015-2698-fix_iakerb_spnego.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -283,6 +284,7 @@ ln NOTICE LICENSE
%patch150 -p1 -b .CVE-2015-2695-SPNEGO_aliasing
%patch151 -p1 -b .CVE-2015-2696-IAKERB_aliasing
%patch152 -p1 -b .CVE-2015-2697-build_principal_memory
+%patch153 -p1 -b .CVE-2015-2698-fix_iakerb_spnego
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -898,6 +900,9 @@ exit 0
%changelog
+* Wed Nov 04 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-beta1-7
+- Patch CVE-2015-2698
+
* Tue Oct 27 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-beta1-6
- Patch CVE-2015-2697, CVE-2015-2696, CVE-2015-2695