author | Nalin Dahyabhai <nalin@redhat.com> | 2013-03-05 13:08:02 -0500 |
committer | Nalin Dahyabhai <nalin@redhat.com> | 2013-03-05 13:08:02 -0500 |
commit | df771824e212771bb9251d75d804339275dc427c (patch) | |
tree | 5ee2fda1e7845ca5ec508269484af8bfd0357f6d | |
parent | 7a5767895baad9e875781ddd02992ab623f32c80 (diff) | |
add patch for CVE-2012-1016krb5-1.10.2-9.fc17
- add patch to avoid dereferencing a NULL pointer in the KDC when handling a
draft9 PKINIT request (#917841, CVE-2012-1016)
-rw-r--r-- | krb5-1.10-pkinit-agility.patch | 42 | ||||
-rw-r--r-- | krb5.spec | 8 |
2 files changed, 49 insertions, 1 deletions
diff --git a/krb5-1.10-pkinit-agility.patch b/krb5-1.10-pkinit-agility.patch
new file mode 100644
index 0000000..7245edc
--- /dev/null
+++ b/krb5-1.10-pkinit-agility.patch
@@ -0,0 +1,42 @@
+commit db64ca25d661a47b996b4e2645998b5d7f0eb52c
+Author: Nalin Dahyabhai <nalin@redhat.com>
+Date: Thu Dec 13 14:26:07 2012 -0500
+
+ PKINIT (draft9) null ptr deref [CVE-2012-1016]
+
+ Don't check for an agility KDF identifier in the non-draft9 reply
+ structure when we're building a draft9 reply, because it'll be NULL.
+
+ The KDC plugin for PKINIT can dereference a null pointer when handling
+ a draft9 request, leading to a crash of the KDC process. An attacker
+ would need to have a valid PKINIT certificate, or an unauthenticated
+ attacker could execute the attack if anonymous PKINIT is enabled.
+
+ CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
+
+ [tlyu@mit.edu: reformat comment and edit log message]
+
+ (back ported from commit cd5ff932c9d1439c961b0cf9ccff979356686aff)
+
+ ticket: 7527 (new)
+ version_fixed: 1.10.4
+ status: resolved
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
+index 3322310..c271bf9 100644
+--- a/src/plugins/preauth/pkinit/pkinit_srv.c
++++ b/src/plugins/preauth/pkinit/pkinit_srv.c
+@@ -1016,9 +1016,10 @@ pkinit_server_return_padata(krb5_context context,
+ rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
+ (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
+
+- /* If mutually supported KDFs were found, use the alg agility KDF */
+- if (rep->u.dh_Info.kdfID) {
+- secret.data = server_key;
++ /* If we're not doing draft 9, and mutually supported KDFs were found,
++ * use the algorithm agility KDF. */
++ if (rep != NULL && rep->u.dh_Info.kdfID) {
++ secret.data = (char *)server_key;
+ secret.length = server_key_len;
+
+ retval = pkinit_alg_agility_kdf(context, &secret,
@@ -20,7 +20,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.10.2
-Release: 8%{?dist}
+Release: 9%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -72,6 +72,7 @@ Patch107: krb5-trunk-pkinit-anchorsign.patch
Patch108: http://web.mit.edu/kerberos/advisories/2012-001-patch.txt
Patch109: krb5-1.10-pkinit-null.patch
Patch110: krb5-lookup_etypes-leak.patch
+Patch111: krb5-1.10-pkinit-agility.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -253,6 +254,7 @@ ln -s NOTICE LICENSE
%patch108 -p1 -b .2012-001
%patch109 -p1 -b .pkinit-null
%patch110 -p1 -b .lookup_etypes-leak
+%patch111 -p1 -b .pkinit-agility
rm src/lib/krb5/krb/deltat.c
gzip doc/*.ps
@@ -772,6 +774,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Tue Mar 5 2013 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-9
+- add patch to avoid dereferencing a NULL pointer in the KDC when handling a
+ draft9 PKINIT request (#917841, CVE-2012-1016)
+
* Thu Feb 28 2013 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-8
- fix a memory leak when acquiring credentials using a keytab (RT#7586, #911110)