diff options
Diffstat (limited to 'krb5-gssapi-spnego-deref.patch')
-rw-r--r-- | krb5-gssapi-spnego-deref.patch | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/krb5-gssapi-spnego-deref.patch b/krb5-gssapi-spnego-deref.patch new file mode 100644 index 0000000..b529d03 --- /dev/null +++ b/krb5-gssapi-spnego-deref.patch @@ -0,0 +1,44 @@ +commit 524688ce87a15fc75f87efc8c039ba4c7d5c197b +Author: Greg Hudson <ghudson@mit.edu> +Date: Tue Jul 15 12:56:01 2014 -0400 + + Fix null deref in SPNEGO acceptor [CVE-2014-4344] + + When processing a continuation token, acc_ctx_cont was dereferencing + the initial byte of the token without checking the length. This could + result in a null dereference. + + CVE-2014-4344: + + In MIT krb5 1.5 and newer, an unauthenticated or partially + authenticated remote attacker can cause a NULL dereference and + application crash during a SPNEGO negotiation by sending an empty + token as the second or later context token from initiator to acceptor. + The attacker must provide at least one valid context token in the + security context negotiation before sending the empty token. This can + be done by an unauthenticated attacker by forcing SPNEGO to + renegotiate the underlying mechanism, or by using IAKERB to wrap an + unauthenticated AS-REQ as the first token. + + CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C + + [kaduk@mit.edu: CVE summary, CVSSv2 vector] + + ticket: 7970 (new) + subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344] + target_version: 1.12.2 + tags: pullup + +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index 8f829d8..2aa6810 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat, + + ptr = bufstart = buf->value; + #define REMAIN (buf->length - (ptr - bufstart)) +- if (REMAIN > INT_MAX) ++ if (REMAIN == 0 || REMAIN > INT_MAX) + return GSS_S_DEFECTIVE_TOKEN; + + /* |