author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-02-25 16:15:21 -0500 |
---|---|---|
committer | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-02-25 16:15:21 -0500 |
commit | 91ed2ceaea60f24bcd750ef2e2362a412338fc1f (patch) | |
tree | 1e421de9a4b995e1a5ff27d4e95765efcdf6ed2d | |
parent | 7aa88f168e34e897af844737b719bc4949e6c4f9 (diff) | |
incorporate upstream fix for CVE-2013-1415/#914756
- incorporate upstream patch to fix a NULL pointer dereference in the KDC's PKINIT plugin when the client
supplies an otherwise-normal-looking PKINIT request whose kdcPkId fails to parse (CVE-2013-1415, #914756)
-rw-r--r-- | krb5-1.10-pkinit-null.patch | 47 | ||||
-rw-r--r-- | krb5.spec | 8 |
2 files changed, 54 insertions, 1 deletions
diff --git a/krb5-1.10-pkinit-null.patch b/krb5-1.10-pkinit-null.patch
new file mode 100644
index 0000000..cbd02bf
--- /dev/null
+++ b/krb5-1.10-pkinit-null.patch
@@ -0,0 +1,47 @@
+commit dfa3dbb2f5c6d7d32d97c179f6c34e0dbb554111
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Thu Feb 14 18:17:40 2013 -0500
+ 
+ PKINIT null pointer deref [CVE-2013-1415]
+ 
+ Don't dereference a null pointer when cleaning up.
+ 
+ The KDC plugin for PKINIT can dereference a null pointer when a
+ malformed packet causes processing to terminate early, leading to
+ a crash of the KDC process. An attacker would need to have a valid
+ PKINIT certificate or have observed a successful PKINIT authentication,
+ or an unauthenticated attacker could execute the attack if anonymous
+ PKINIT is enabled.
+ 
+ CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C
+ 
+ This is a minimal commit for pullup; style fixes in a followup.
+ [kaduk@mit.edu: reformat and edit commit message]
+ 
+ (cherry picked from commit c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed)
+ 
+ ticket: 7577 (new)
+ version_fixed: 1.10.4
+ status: resolved
+ 
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 41847a1..7021ff6 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -3249,7 +3249,7 @@ pkinit_check_kdc_pkid(krb5_context context,
+ pkiDebug("found kdcPkId in AS REQ\n");
+ is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len);
+ if (is == NULL)
+- goto cleanup;
++ return retval;
+ 
+ status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer);
+ if (!status) {
+@@ -3259,7 +3259,6 @@ pkinit_check_kdc_pkid(krb5_context context,
+ }
+ 
+ retval = 0;
+-cleanup:
+ X509_NAME_free(is->issuer);
+ ASN1_INTEGER_free(is->serial);
+ free(is);
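Review bot: The new early exit `return retval;` after the `d2i_PKCS7_ISSUER_AND_SERIAL` NULL check depends on `retval` having been initialized to a non-zero error code at the top of `pkinit_check_kdc_pkid`, which lies outside this hunk; the hunk itself only shows `retval = 0;` being assigned on the success path, so if the initializer were ever changed to 0 an unparseable kdcPkId from the client would be reported as a successful check rather than a failure. Since this is attacker-supplied AS-REQ data, it is worth making that dependency visible at the return site, e.g. `return retval;  /* nothing allocated yet; retval must still hold its initial (error) value here */`, or returning the failure code explicitly so the result does not hinge on a distant initializer. Removing the `cleanup:` label is fine because the remaining teardown (`X509_NAME_free(is->issuer)` etc.) is now only reachable with `is != NULL`, but any future `goto`-style exit added between the parse and the frees would need to avoid that tail again. The function starts and ends outside this hunk, so the initializer and the final return could not be confirmed here.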
@@ -20,7 +20,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.10.2 -Release: 6%{?dist} +Release: 7%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar Source0: krb5-%{version}.tar.gz @@ -70,6 +70,7 @@ Patch105: krb5-kvno-230379.patch Patch106: krb5-1.10.2-keytab-etype.patch Patch107: krb5-trunk-pkinit-anchorsign.patch Patch108: http://web.mit.edu/kerberos/advisories/2012-001-patch.txt +Patch109: krb5-1.10-pkinit-null.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -249,6 +250,7 @@ ln -s NOTICE LICENSE %patch106 -p1 -b .keytab-etype %patch107 -p1 -b .pkinit-anchorsign %patch108 -p1 -b .2012-001 +%patch109 -p1 -b .pkinit-null rm src/lib/krb5/krb/deltat.c gzip doc/*.ps @@ -768,6 +770,10 @@ exit 0 %{_sbindir}/uuserver %changelog +* Mon Feb 25 2013 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-7 +- incorporate upstream patch to fix a NULL pointer dereference when the client + supplies an otherwise-normal-looking PKINIT request (CVE-2013-1415, #914756) + * Tue Jul 31 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-6 - go back to not messing with library file paths on Fedora 17: it breaks file path dependencies in other packages, and since Fedora 17 is already |