diff options
-rw-r--r-- | krb5-lookup_etypes-leak.patch | 42 | ||||
-rw-r--r-- | krb5.spec | 7 |
2 files changed, 48 insertions, 1 deletions
diff --git a/krb5-lookup_etypes-leak.patch b/krb5-lookup_etypes-leak.patch new file mode 100644 index 0000000..9c7e082 --- /dev/null +++ b/krb5-lookup_etypes-leak.patch @@ -0,0 +1,42 @@ +Petr Spacek notes that when we walk the keytab in lookup_etypes_for_keytab(), +we don't free entries when we're finished examining them. Ensure that when +krb5_kt_next_entry() succeeds, we make sure to free the entry storage before we +exit the current loop iteration. (RT#7586) + +--- a/src/lib/krb5/krb/gic_keytab.c ++++ b/src/lib/krb5/krb/gic_keytab.c +@@ -110,9 +110,9 @@ lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab, + goto cleanup; + + if (!krb5_c_valid_enctype(entry.key.enctype)) +- continue; ++ goto next_entry; + if (!krb5_principal_compare(context, entry.principal, client)) +- continue; ++ goto next_entry; + /* Make sure our list is for the highest kvno found for client. */ + if (entry.vno > max_kvno) { + free(etypes); +@@ -120,11 +120,12 @@ lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab, + count = 0; + max_kvno = entry.vno; + } else if (entry.vno != max_kvno) +- continue; ++ goto next_entry; + + /* Leave room for the terminator and possibly a second entry. */ + p = realloc(etypes, (count + 3) * sizeof(*etypes)); + if (p == NULL) { ++ krb5_free_keytab_entry_contents(context, &entry); + ret = ENOMEM; + goto cleanup; + } +@@ -136,6 +137,8 @@ lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab, + entry.key.enctype == ENCTYPE_DES_CBC_MD4) + etypes[count++] = ENCTYPE_DES_CBC_CRC; + etypes[count] = 0; ++next_entry: ++ krb5_free_keytab_entry_contents(context, &entry); + } + + ret = 0; @@ -20,7 +20,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.10.2 -Release: 7%{?dist} +Release: 8%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar Source0: krb5-%{version}.tar.gz @@ -71,6 +71,7 @@ Patch106: krb5-1.10.2-keytab-etype.patch Patch107: krb5-trunk-pkinit-anchorsign.patch Patch108: http://web.mit.edu/kerberos/advisories/2012-001-patch.txt Patch109: krb5-1.10-pkinit-null.patch +Patch110: krb5-lookup_etypes-leak.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -251,6 +252,7 @@ ln -s NOTICE LICENSE %patch107 -p1 -b .pkinit-anchorsign %patch108 -p1 -b .2012-001 %patch109 -p1 -b .pkinit-null +%patch110 -p1 -b .lookup_etypes-leak rm src/lib/krb5/krb/deltat.c gzip doc/*.ps @@ -770,6 +772,9 @@ exit 0 %{_sbindir}/uuserver %changelog +* Thu Feb 28 2013 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-8 +- fix a memory leak when acquiring credentials using a keytab (RT#7586, #911110) + * Mon Feb 25 2013 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-7 - incorporate upstream patch to fix a NULL pointer dereference when the client supplies an otherwise-normal-looking PKINIT request (CVE-2013-1415, #914756) |