From 30a6cd9b758cd3309ca5e41e523460c2358de89b Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Mon, 21 Jul 2014 18:07:02 -0400
Subject: Add patch for CVE-2014-4344 - gssapi: pull in upstream fix for a possible NULL dereference in spnego (CVE-2014-4344)
---
krb5-gssapi-spnego-deref.patch | 44 ++++++++++++++++++++++++++++++++++++++++++
krb5.spec | 8 +++++++-
2 files changed, 51 insertions(+), 1 deletion(-)
create mode 100644 krb5-gssapi-spnego-deref.patch
diff --git a/krb5-gssapi-spnego-deref.patch b/krb5-gssapi-spnego-deref.patch
new file mode 100644
index 0000000..b529d03
--- /dev/null
+++ b/krb5-gssapi-spnego-deref.patch
@@ -0,0 +1,44 @@
+commit 524688ce87a15fc75f87efc8c039ba4c7d5c197b
+Author: Greg Hudson
+Date: Tue Jul 15 12:56:01 2014 -0400
+
+ Fix null deref in SPNEGO acceptor [CVE-2014-4344]
+
+ When processing a continuation token, acc_ctx_cont was dereferencing
+ the initial byte of the token without checking the length. This could
+ result in a null dereference.
+
+ CVE-2014-4344:
+
+ In MIT krb5 1.5 and newer, an unauthenticated or partially
+ authenticated remote attacker can cause a NULL dereference and
+ application crash during a SPNEGO negotiation by sending an empty
+ token as the second or later context token from initiator to acceptor.
+ The attacker must provide at least one valid context token in the
+ security context negotiation before sending the empty token. This can
+ be done by an unauthenticated attacker by forcing SPNEGO to
+ renegotiate the underlying mechanism, or by using IAKERB to wrap an
+ unauthenticated AS-REQ as the first token.
+
+ CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+ [kaduk@mit.edu: CVE summary, CVSSv2 vector]
+
+ ticket: 7970 (new)
+ subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
+ target_version: 1.12.2
+ tags: pullup
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 8f829d8..2aa6810 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat,
+
+ ptr = bufstart = buf->value;
+#define REMAIN (buf->length - (ptr - bufstart))
+- if (REMAIN > INT_MAX)
++ if (REMAIN == 0 || REMAIN > INT_MAX)
+ return GSS_S_DEFECTIVE_TOKEN;
+
+ /*
diff --git a/krb5.spec b/krb5.spec
index 09e914e..d44eebb 100644
--- a/krb5.spec
+++ b/krb5.spec
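Review bot: The new `REMAIN == 0` guard in acc_ctx_cont carries no comment saying why an empty continuation token has to be rejected before the token's first byte is inspected, which makes it easy for a future rebase to fold it back into the INT_MAX check as "redundant"; a one-line comment above the `if`, such as `/* An empty token has no first byte to inspect; reject it before parsing. */`, would preserve the intent. The backport also brings no regression test, although the package already carries a separate tests patch for the previous SPNEGO CVEs (Patch147 in krb5.spec), so a test that presents an empty second context token to the acceptor and expects GSS_S_DEFECTIVE_TOKEN would pin this fix at package level. acc_ctx_cont begins and continues outside the hunk, so whether code after the `/*` still assumes a non-empty buffer cannot be checked from here; the CVE text scopes the defect to the acceptor path only.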
@@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.12.1 -Release: 12%{?dist} +Release: 13%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.1-signed.tar Source0: krb5-%{version}.tar.gz @@ -107,6 +107,7 @@ Patch145: krb5-master-mechd.patch Patch146: krb5-1.12-CVE-2014-4341_4342.patch Patch147: krb5-1.12-CVE-2014-4341_4342-tests.patch Patch148: krb5-gssapi-mech-doublefree.patch +Patch149: krb5-gssapi-spnego-deref.patch Patch201: 0001-Don-t-try-to-stat-not-on-disk-ccache-residuals.patch Patch202: 0002-Use-an-in-memory-cache-until-we-need-the-target-s.patch Patch203: 0003-Learn-to-destroy-the-ccache-we-re-copying-from.patch @@ -362,6 +363,7 @@ ln -s NOTICE LICENSE %patch146 -p1 -b .CVE-2014-4341_4342 %patch147 -p1 -b .CVE-2014-4341_4342 %patch148 -p1 -b .gssapi-mech-doublefree +%patch149 -p1 -b .gssapi-spnego-deref # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -1038,6 +1040,10 @@ exit 0 %{_sbindir}/uuserver %changelog +* Mon Jul 21 2014 Nalin Dahyabhai - 1.12.1-13 +- gssapi: pull in upstream fix for a possible NULL dereference + in spnego (CVE-2014-4344) + * Wed Jul 16 2014 Nalin Dahyabhai - 1.12.1-12 - gssapi: pull in proposed fix for a double free in initiators (David Woodhouse, #1117963) -- cgit