authorNalin Dahyabhai <nalin@fedoraproject.org>2009-04-07 18:15:12 +0000
committerNalin Dahyabhai <nalin@fedoraproject.org>2009-04-07 18:15:12 +0000
commitff6e692aa0aff2034f4a956703a3112bd2047410 (patch)
treed7958cf8e434b3701709c94ed35e30a33525b8eb
parente96b2fa56463a7227ca02e66c1647d5e55ff13fa (diff)
- add patch for attempt to free uninitialized pointer in libkrb5
(CVE-2009-0846)
-rw-r--r--krb5-CVE-2009-0846.patch39
1 files changed, 39 insertions, 0 deletions
diff --git a/krb5-CVE-2009-0846.patch b/krb5-CVE-2009-0846.patch
new file mode 100644
index 0000000..a2dc1fa
--- /dev/null
+++ b/krb5-CVE-2009-0846.patch
@@ -0,0 +1,39 @@
+diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c
+index aa4be32..5f7461d 100644
+--- a/src/lib/krb5/asn.1/asn1_decode.c
++++ b/src/lib/krb5/asn.1/asn1_decode.c
+@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)
+
+ if(length != 15) return ASN1_BAD_LENGTH;
+ retval = asn1buf_remove_charstring(buf,15,&s);
++ if (retval) return retval;
+ /* Time encoding: YYYYMMDDhhmmssZ */
+ if(s[14] != 'Z') {
+ free(s);
+diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
+index 0ff9343..1c427d1 100644
+--- a/src/tests/asn.1/krb5_decode_test.c
++++ b/src/tests/asn.1/krb5_decode_test.c
+@@ -485,6 +485,22 @@ int main(argc, argv)
+ ktest_destroy_keyblock(&(ref.subkey));
+ ref.seq_number = 0;
+ decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
++
++ retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
++ if (retval) {
++ com_err("krb5_decode_test", retval, "while parsing");
++ exit(1);
++ }
++ retval = decode_krb5_ap_rep_enc_part(&code, &var);
++ if (retval != ASN1_OVERRUN) {
++ printf("ERROR: ");
++ } else {
++ printf("OK: ");
++ }
++ printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
++ krb5_free_data_contents(test_context, &code);
++ if (var) krb5_free_ap_rep_enc_part(test_context, var);
++
+ ktest_empty_ap_rep_enc_part(&ref);
+ }
+
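Review bot: In the test case added to krb5_decode_test.c, `var` is handed to `decode_krb5_ap_rep_enc_part` and then checked with `if (var)` without being reset first, so if the decoder fails without writing its output pointer, the cleanup frees whatever the preceding `decode_run` left there. That macro is not visible here, but it receives `krb5_free_ap_rep_enc_part` and presumably releases `var` already, which would make this a double free in the very test meant to exercise an error path; adding `var = NULL;` before the decode call removes the dependency on the decoder's failure behaviour. The new case also only prints `ERROR: ` when the result is not `ASN1_OVERRUN`; if the other cases record failures in a shared counter (not shown, since `main` starts outside the hunk), this one should update it too so a regression fails the run. In asn1_decode.c the added `if (retval) return retval;` stops `s` from being read and freed after a failed `asn1buf_remove_charstring`; the declaration of `s` lies outside the hunk, and initialising it to `NULL` there would be inexpensive defence in depth.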