From a6185d31c7c58cfcfc5f85a355be752af33cd32d Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Mon, 21 Jul 2014 18:08:29 -0400 Subject: Update to upstream patch Update to the as-committed version of this patch, which affects the comments it includes. --- krb5-gssapi-mech-doublefree.patch | 84 ++++++++++++++++++++++----------------- krb5.spec | 2 +- 2 files changed, 49 insertions(+), 37 deletions(-) diff --git a/krb5-gssapi-mech-doublefree.patch b/krb5-gssapi-mech-doublefree.patch index c020fca..a52d541 100644 --- a/krb5-gssapi-mech-doublefree.patch +++ b/krb5-gssapi-mech-doublefree.patch 
@@ -1,32 +1,51 @@ -From: David Woodhouse - -In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the -pointer sc->internal_mech became an alias into sc->mech_set->elements[], -which should be considered constant for the duration of the SPNEGO -context. - -So don't free it. - -This led to the obvious crashes in the allocator, and also to strange -behaviour with Firefox failing to fall back to alternative mechanisms -when it should have done. - -https://bugzilla.redhat.com/show_bug.cgi?id=1117963 - -==31436== Invalid free() / delete / delete[] / realloc() -==31436== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) -==31436== by 0x3AE900D6B9: generic_gss_release_oid_set (gssapi_alloc.h:93) -==31436== by 0x3AE903775F: release_spnego_ctx (spnego_mech.c:2895) -==31436== by 0x3AE9037830: spnego_gss_delete_sec_context (spnego_mech.c:2164) -==31436== by 0x3AE9012292: gss_delete_sec_context (g_delete_sec_context.c:90) -==31436== Address 0x4fb5510 is 0 bytes inside a block of size 80 free'd -==31436== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) -==31436== by 0x3AE900C88E: generic_gss_release_oid (oid_ops.c:103) -==31436== by 0x3AE903BE85: spnego_gss_init_sec_context (spnego_mech.c:792) -==31436== by 0x3AE90154CA: gss_init_sec_context (g_init_sec_context.c:210) ---- - src/lib/gssapi/spnego/spnego_mech.c | 1 - - 1 file changed, 1 deletion(-) +commit f18ddf5d82de0ab7591a36e465bc24225776940f +Author: David Woodhouse +Date: Tue Jul 15 12:54:15 2014 -0400 + + Fix double-free in SPNEGO [CVE-2014-4343] + + In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the + pointer sc->internal_mech became an alias into sc->mech_set->elements, + which should be considered constant for the duration of the SPNEGO + context. So don't free it. 
+ + CVE-2014-4343: + + In MIT krb5 releases 1.10 and newer, an unauthenticated remote + attacker with the ability to spoof packets appearing to be from a + GSSAPI acceptor can cause a double-free condition in GSSAPI initiators + (clients) which are using the SPNEGO mechanism, by returning a + different underlying mechanism than was proposed by the initiator. At + this stage of the negotiation, the acceptor is unauthenticated, and + the acceptor's response could be spoofed by an attacker with the + ability to inject traffic to the initiator. + + Historically, some double-free vulnerabilities can be translated into + remote code execution, though the necessary exploits must be tailored + to the individual application and are usually quite + complicated. Double-frees can also be exploited to cause an + application crash, for a denial of service. However, most GSSAPI + client applications are not vulnerable, as the SPNEGO mechanism is not + used by default (when GSS_C_NO_OID is passed as the mech_type argument + to gss_init_sec_context()). The most common use of SPNEGO is for + HTTP-Negotiate, used in web browsers and other web clients. Most such + clients are believed to not offer HTTP-Negotiate by default, instead + requiring a whitelist of sites for which it may be used to be + configured. If the whitelist is configured to only allow + HTTP-Negotiate over TLS connections ("https://"), a successful + attacker must also spoof the web server's SSL certificate, due to the + way the WWW-Authenticate header is sent in a 401 (Unauthorized) + response message. Unfortunately, many instructions for enabling + HTTP-Negotiate in common web browsers do not include a TLS + requirement. + + CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C + + [kaduk@mit.edu: CVE summary and CVSSv2 vector] + + ticket: 7969 (new) + target_version: 1.12.2 + tags: pullup diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c index 173c6d2..8f829d8 100644 
@@ -40,10 +59,3 @@ index 173c6d2..8f829d8 100644 gss_delete_sec_context(&tmpmin, &sc->ctx_handle, GSS_C_NO_BUFFER); --- -1.9.3 - - --- -David Woodhouse Open Source Technology Centre -David.Woodhouse@intel.com Intel Corporation diff --git a/krb5.spec b/krb5.spec index d44eebb..5bb72db 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1046,7 +1046,7 @@ exit 0 * Wed Jul 16 2014 Nalin Dahyabhai - 1.12.1-12 - gssapi: pull in proposed fix for a double free in initiators (David - Woodhouse, #1117963) + Woodhouse, CVE-2014-4343, #1117963) * Sat Jul 12 2014 Tom Callaway - 1.12.1-11 - fix license handling -- cgit
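Review bot: in the first hunk of krb5-gssapi-mech-doublefree.patch (`@@ -1,32 +1,51 @@`) the rewritten header drops the valgrind backtrace and the https://bugzilla.redhat.com/show_bug.cgi?id=1117963 link that the previous header carried, so the downstream reproduction evidence for the invalid free in release_spnego_ctx now survives only in git history; consider keeping the bugzilla URL as one extra line beneath the upstream `ticket: 7969 (new)` / `tags: pullup` trailer so the patch file itself still points at the Red Hat tracker. The added text is otherwise the verbatim message of upstream commit f18ddf5d82de0ab7591a36e465bc24225776940f, including the CVE-2014-4343 impact summary and CVSSv2 vector, which is the version worth carrying now that the identifier is public.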
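Review bot: in the second hunk (`@@ -40,10 +59,3 @@`) the only lines removed are the `1.9.3` git-format-patch version trailer and the David Woodhouse / Intel signature block that followed the `gss_delete_sec_context(&tmpmin, &sc->ctx_handle, GSS_C_NO_BUFFER);` context line, and the inner `index 173c6d2..8f829d8` header is untouched, so the one-line deletion in src/lib/gssapi/spnego/spnego_mech.c is identical to the previous version of the patch; that matches the commit message's claim that only the comments changed, and the shift from line 40 to 59 is just the 19 lines the header grew by in the first hunk. A quick `rpmbuild -bp` of the spec to confirm the patch still applies cleanly after the trailer trim would close this out.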
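Review bot: the krb5.spec hunk (`@@ -1046,7 +1046,7 @@`) edits the existing `Wed Jul 16 2014 ... 1.12.1-12` changelog entry in place to add CVE-2014-4343, and the stat line `krb5.spec | 2 +-` confirms Release is not bumped, so a package built from this commit has the same NVR as the earlier 1.12.1-12 build that carried the pre-commit version of the patch and the two cannot be told apart by version alone; consider bumping Release to 1.12.1-13 with a fresh changelog entry (for example "- gssapi: update the CVE-2014-4343 fix to the version committed upstream") rather than rewriting the published 1.12.1-12 entry.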