diff options
author | Nalin Dahyabhai <nalin@redhat.com> | 2013-04-09 11:59:43 -0400 |
---|---|---|
committer | Nalin Dahyabhai <nalin@redhat.com> | 2013-04-09 11:59:43 -0400 |
commit | 57b592e88663b6575be28ad7afa4d4497e2279af (patch) | |
tree | f3fca5e9a36832e6d1eb1355d57e542dd51ea371 | |
parent | df771824e212771bb9251d75d804339275dc427c (diff) | |
download | krb5-57b592e88663b6575be28ad7afa4d4497e2279af.tar.gz krb5-57b592e88663b6575be28ad7afa4d4497e2279af.tar.xz krb5-57b592e88663b6575be28ad7afa4d4497e2279af.zip |
add patch for CVE-2013-1416 (#949984/#949987)krb5-1.10.2-10.fc17
- incorporate upstream patch to fix a NULL pointer dereference while
processing certain TGS requests (CVE-2013-1416, #949984/#949987)
-rw-r--r-- | krb5-1.10-CVE-2013-1416.patch | 50 | ||||
-rw-r--r-- | krb5.spec | 8 |
2 files changed, 57 insertions, 1 deletions
diff --git a/krb5-1.10-CVE-2013-1416.patch b/krb5-1.10-CVE-2013-1416.patch new file mode 100644 index 0000000..f2c4a48 --- /dev/null +++ b/krb5-1.10-CVE-2013-1416.patch @@ -0,0 +1,50 @@ +commit 8ee70ec63931d1e38567905387ab9b1d45734d81 +Author: Tom Yu <tlyu@mit.edu> +Date: Fri Mar 29 19:27:33 2013 -0400 + + KDC TGS-REQ null deref [CVE-2013-1416] + + By sending an unusual but valid TGS-REQ, an authenticated remote + attacker can cause the KDC process to crash by dereferencing a null + pointer. + + prep_reprocess_req() can cause a null pointer dereference when + processing a service principal name. Code in this function can + inappropriately pass a null pointer to strlcpy(). Unmodified client + software can trivially trigger this vulnerability, but the attacker + must have already authenticated and received a valid Kerberos ticket. + + The vulnerable code was introduced by the implementation of new + service principal realm referral functionality in krb5-1.7, but was + corrected as a side effect of the KDC refactoring in krb5-1.11. + + CVSSv2 vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:H/RL:O/RC:C + + ticket: 7600 (new) + version_fixed: 1.10.5 + status: resolved + +diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c +index 9ff80cf..86496e9 100644 +--- a/src/kdc/do_tgs_req.c ++++ b/src/kdc/do_tgs_req.c +@@ -1141,7 +1141,8 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) + retval = ENOMEM; + goto cleanup; + } +- strlcpy(comp1_str,comp1->data,comp1->length+1); ++ if (comp1->data != NULL) ++ memcpy(comp1_str, comp1->data, comp1->length); + + if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST || + krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST || +@@ -1164,7 +1165,8 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) + retval = ENOMEM; + goto cleanup; + } +- strlcpy(temp_buf, comp2->data,comp2->length+1); ++ if (comp2->data != NULL) ++ memcpy(temp_buf, comp2->data, comp2->length); + retval = krb5int_get_domain_realm_mapping(kdc_context, temp_buf, &realms); + free(temp_buf); + if (retval) { @@ -20,7 +20,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.10.2 -Release: 9%{?dist} +Release: 10%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar Source0: krb5-%{version}.tar.gz @@ -73,6 +73,7 @@ Patch108: http://web.mit.edu/kerberos/advisories/2012-001-patch.txt Patch109: krb5-1.10-pkinit-null.patch Patch110: krb5-lookup_etypes-leak.patch Patch111: krb5-1.10-pkinit-agility.patch +Patch112: krb5-1.10-CVE-2013-1416.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -255,6 +256,7 @@ ln -s NOTICE LICENSE %patch109 -p1 -b .pkinit-null %patch110 -p1 -b .lookup_etypes-leak %patch111 -p1 -b .pkinit-agility +%patch112 -p1 -b .CVE-2013-1416 rm src/lib/krb5/krb/deltat.c gzip doc/*.ps @@ -774,6 +776,10 @@ exit 0 %{_sbindir}/uuserver %changelog +* Tue Apr 9 2013 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-10 +- incorporate upstream patch to fix a NULL pointer dereference while processing + certain TGS requests (CVE-2013-1416, #949984/#949987) + * Tue Mar 5 2013 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-9 - add patch to avoid dereferencing a NULL pointer in the KDC when handling a draft9 PKINIT request (#917841, CVE-2012-1016) |