| author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2011-12-06 14:09:54 -0500 |
|---|---|---|
| committer | Nalin Dahyabhai <nalin@dahyabhai.net> | 2011-12-06 14:09:54 -0500 |
| commit | 4a26f2bc03352f47bcc316e6731d199cdd668d45 (patch) | |
| tree | 82ddb3f6358a69f452c5b33129a69548ab1849c0 | |
| parent | d161b26c4183f46f10e84965511fc930a28caa56 (diff) | |
- apply upstream patch to fix a null pointer dereference when processing TGS requests (CVE-2011-1530, #753748)krb5-1.9.2-4.fc16
| -rw-r--r-- | 2011-007-patch.txt | 40 | ||||
| -rw-r--r-- | krb5.spec | 8 |
2 files changed, 47 insertions, 1 deletions
diff --git a/2011-007-patch.txt b/2011-007-patch.txt
new file mode 100644
index 0000000..336a4ad
--- /dev/null
+++ b/2011-007-patch.txt
@@ -0,0 +1,40 @@
+diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
+index f46cad3..102fbaa 100644
+--- a/src/kdc/Makefile.in
++++ b/src/kdc/Makefile.in
+@@ -67,6 +67,7 @@ check-unix:: rtest
+
+ check-pytests::
+ $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
++ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
+
+ install::
+ $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index c169c54..840a2ef 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -243,7 +243,8 @@ tgt_again:
+ if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
+ errcode = find_alternate_tgs(request, &server);
+ firstpass = 0;
+- goto tgt_again;
++ if (errcode == 0)
++ goto tgt_again;
+ }
+ }
+ status = "UNKNOWN_SERVER";
+diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
+new file mode 100644
+index 0000000..1760bcd
+--- /dev/null
++++ b/src/kdc/t_emptytgt.py
+@@ -0,0 +1,8 @@
++#!/usr/bin/python
++from k5test import *
++
++realm = K5Realm(start_kadmind=False, create_host=False)
++output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
++if 'not found in Kerberos database' not in output:
++ fail('TGT lookup for empty realm failed in unexpected way')
++success('Empty tgt lookup.')
@@ -6,7 +6,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.9.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
 Source0: krb5-%{version}.tar.gz
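Review bot: In the do_tgs_req.c part of the added 2011-007-patch.txt, the new `if (errcode == 0)` guard carries no comment saying why a failed find_alternate_tgs() must not jump back to `tgt_again`, although that is the whole point of the fix. Judging from the commit message, retrying after a failed lookup is what led to the null pointer dereference; with the guard, a failure now falls through to `status = "UNKNOWN_SERVER";`. A one-line comment above the guard would record this, e.g. `/* retry only if an alternate TGS was found; on failure fall through to UNKNOWN_SERVER */`, best raised upstream since this file is a copy of the advisory patch. The enclosing function starts and ends outside the hunk, so what becomes of errcode after the status assignment is not visible here.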
@@ -60,6 +60,7 @@ Patch86: krb5-1.9-debuginfo.patch Patch87: krb5-1.9.1-sendto_poll2.patch Patch89: krb5-1.9.1-sendto_poll3.patch Patch90: krb5-1.9-aes-hmac.patch +Patch91: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -217,6 +218,7 @@ ln -s NOTICE LICENSE %patch87 -p1 -b .sendto_poll2 %patch89 -p1 -b .sendto_poll3 %patch90 -p1 -b .aes-hmac +%patch91 -p1 -b .2011-007 gzip doc/*.ps sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex @@ -695,6 +697,10 @@ exit 0 %{_sbindir}/uuserver %changelog +* Tue Dec 6 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.2-4 +- apply upstream patch to fix a null pointer dereference when processing + TGS requests (CVE-2011-1530, #753748) + * Wed Nov 30 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.2-3 - correct a bug in the fix for #754001 so that the file creation context is consistently reset |
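Review bot: The `Patch91:` line in the `@@ -60,6 +60,7 @@` hunk names a plain-http URL for a security fix, while the neighbouring `Patch87`–`Patch90` entries use local file names, and nothing in the spec records how the committed copy of 2011-007-patch.txt was checked against upstream. The build applies the file from the repository (`%patch91 -p1 -b .2011-007`), so the URL is presumably informational, but anyone refreshing the patch from that address would fetch it without transport integrity. A comment above the line would document the provenance, e.g. `# upstream advisory patch for CVE-2011-1530; committed copy compared against upstream before import`, and if upstream publishes a signature for the patch, verifying it is worth noting there too.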
