diff options
| author | Robbie Harwood <rharwood@redhat.com> | 2016-03-18 21:02:11 +0000 |
|---|---|---|
| committer | Robbie Harwood <rharwood@redhat.com> | 2016-03-18 21:02:15 +0000 |
| commit | f0b5fc56f2cfcee3c8880e557661a2477a0e8c32 (patch) | |
| tree | a9ca0b0fb9960d4f25616141d3d8a20eec4a0f16 | |
| parent | 7b4e88e425b05ac9c7ab88447f6797117916f62a (diff) | |
| download | krb5-f0b5fc56f2cfcee3c8880e557661a2477a0e8c32.tar.gz krb5-f0b5fc56f2cfcee3c8880e557661a2477a0e8c32.tar.xz krb5-f0b5fc56f2cfcee3c8880e557661a2477a0e8c32.zip | |
Fix CVE-2016-3119 (NULL deref in LDAP module)
| -rw-r--r-- | krb5-CVE-2016-3119.patch | 41 | ||||
| -rw-r--r-- | krb5.spec | 9 |
2 files changed, 49 insertions, 1 deletions
diff --git a/krb5-CVE-2016-3119.patch b/krb5-CVE-2016-3119.patch new file mode 100644 index 0000000..15f2528 --- /dev/null +++ b/krb5-CVE-2016-3119.patch @@ -0,0 +1,41 @@ +From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Mon, 14 Mar 2016 17:26:34 -0400 +Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119] + +In the LDAP KDB module's process_db_args(), strtok_r() may return NULL +if there is an empty string in the db_args array. Check for this case +and avoid dereferencing a null pointer. + +CVE-2016-3119: + +In MIT krb5 1.6 and later, an authenticated attacker with permission +to modify a principal entry can cause kadmind to dereference a null +pointer by supplying an empty DB argument to the modify_principal +command, if kadmind is configured to use the LDAP KDB module. + + CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND + +ticket: 8383 (new) +target_version: 1.14-next +target_version: 1.13-next +tags: pullup +--- + src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +index 6e591e1..79c4cf0 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c ++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +@@ -296,6 +296,7 @@ process_db_args(krb5_context context, char **db_args, xargs_t *xargs, + if (db_args) { + for (i=0; db_args[i]; ++i) { + arg = strtok_r(db_args[i], "=", &arg_val); ++ arg = (arg != NULL) ? arg : ""; + if (strcmp(arg, TKTPOLICY_ARG) == 0) { + dptr = &xargs->tktpolicydn; + } else { +-- +2.7.0 + @@ -13,7 +13,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.14.1 -Release: 2%{?dist} +Release: 3%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # - The sources below are stored in a lookaside cache. Upload with @@ -66,6 +66,8 @@ Patch160: krb5-1.14.1-interpose-inquire_saslname_for_mech.patch Patch161: krb5-1.14.1-interpose-public_oid_fixups.patch Patch162: krb5-1.14.2-Revisit-inquire_attrs_for_mech-on-old-mechs.patch +Patch163: krb5-CVE-2016-3119.patch + License: MIT URL: http://web.mit.edu/kerberos/www/ Group: System Environment/Libraries @@ -247,6 +249,8 @@ ln NOTICE LICENSE %patch161 -p1 -b .interpose-public_oid_fixups %patch162 -p1 -b .inquire_attrs_for_mech-on-old-mechs +%patch163 -p1 -b .CVE-2016-3119 + # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -768,6 +772,9 @@ exit 0 %changelog +* Fri Mar 18 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-3 +- Fix CVE-2016-3119 (NULL deref in LDAP module) + * Thu Mar 17 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-2 - Backport OID mech fix - Resolves: #1317609 |