summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--krb5-lookup_etypes-leak.patch42
-rw-r--r--krb5.spec7
2 files changed, 48 insertions, 1 deletions
diff --git a/krb5-lookup_etypes-leak.patch b/krb5-lookup_etypes-leak.patch
new file mode 100644
index 0000000..9c7e082
--- /dev/null
+++ b/krb5-lookup_etypes-leak.patch
@@ -0,0 +1,42 @@
+Petr Spacek notes that when we walk the keytab in lookup_etypes_for_keytab(),
+we don't free entries when we're finished examining them. Ensure that when
+krb5_kt_next_entry() succeeds, we make sure to free the entry storage before we
+exit the current loop iteration. (RT#7586)
+
+--- a/src/lib/krb5/krb/gic_keytab.c
++++ b/src/lib/krb5/krb/gic_keytab.c
+@@ -110,9 +110,9 @@ lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab,
+ goto cleanup;
+
+ if (!krb5_c_valid_enctype(entry.key.enctype))
+- continue;
++ goto next_entry;
+ if (!krb5_principal_compare(context, entry.principal, client))
+- continue;
++ goto next_entry;
+ /* Make sure our list is for the highest kvno found for client. */
+ if (entry.vno > max_kvno) {
+ free(etypes);
+@@ -120,11 +120,12 @@ lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab,
+ count = 0;
+ max_kvno = entry.vno;
+ } else if (entry.vno != max_kvno)
+- continue;
++ goto next_entry;
+
+ /* Leave room for the terminator and possibly a second entry. */
+ p = realloc(etypes, (count + 3) * sizeof(*etypes));
+ if (p == NULL) {
++ krb5_free_keytab_entry_contents(context, &entry);
+ ret = ENOMEM;
+ goto cleanup;
+ }
+@@ -136,6 +137,8 @@ lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab,
+ entry.key.enctype == ENCTYPE_DES_CBC_MD4)
+ etypes[count++] = ENCTYPE_DES_CBC_CRC;
+ etypes[count] = 0;
++next_entry:
++ krb5_free_keytab_entry_contents(context, &entry);
+ }
+
+ ret = 0;
diff --git a/krb5.spec b/krb5.spec
index 3fdaa22..40864b3 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -20,7 +20,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.10.2
-Release: 7%{?dist}
+Release: 8%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -71,6 +71,7 @@ Patch106: krb5-1.10.2-keytab-etype.patch
Patch107: krb5-trunk-pkinit-anchorsign.patch
Patch108: http://web.mit.edu/kerberos/advisories/2012-001-patch.txt
Patch109: krb5-1.10-pkinit-null.patch
+Patch110: krb5-lookup_etypes-leak.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -251,6 +252,7 @@ ln -s NOTICE LICENSE
%patch107 -p1 -b .pkinit-anchorsign
%patch108 -p1 -b .2012-001
%patch109 -p1 -b .pkinit-null
+%patch110 -p1 -b .lookup_etypes-leak
rm src/lib/krb5/krb/deltat.c
gzip doc/*.ps
@@ -770,6 +772,9 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Thu Feb 28 2013 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-8
+- fix a memory leak when acquiring credentials using a keytab (RT#7586, #911110)
+
* Mon Feb 25 2013 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-7
- incorporate upstream patch to fix a NULL pointer dereference when the client
supplies an otherwise-normal-looking PKINIT request (CVE-2013-1415, #914756)
generated by cgit (git 2.34.1) at 2024-05-18 12:23:58 +0000