Fix off-by-one bug in ISC SPNEGO implementation (#1929965)
Because of other failures in rebase, doing just security patch this time.
This commit is contained in:
Petr Menšík
parent
9bba50dd4a
commit
71c1a9ec1e
45
bind-9.16-CVE-2020-8625.patch
Normal file
45
bind-9.16-CVE-2020-8625.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From b04cb88462863d762093760ffcfe1946200e30f5 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||
Date: Thu, 7 Jan 2021 10:44:46 +0100
|
||||
Subject: [PATCH] Fix off-by-one bug in ISC SPNEGO implementation
|
||||
|
||||
The ISC SPNEGO implementation is based on mod_auth_kerb code. When
|
||||
CVE-2006-5989 was disclosed, the relevant fix was not applied to the
|
||||
BIND 9 codebase, making the latter vulnerable to the aforementioned flaw
|
||||
when "tkey-gssapi-keytab" or "tkey-gssapi-credential" is set in
|
||||
named.conf.
|
||||
|
||||
The original description of CVE-2006-5989 was:
|
||||
|
||||
Off-by-one error in the der_get_oid function in mod_auth_kerb 5.0
|
||||
allows remote attackers to cause a denial of service (crash) via a
|
||||
crafted Kerberos message that triggers a heap-based buffer overflow
|
||||
in the component array.
|
||||
|
||||
Later research revealed that this flaw also theoretically enables remote
|
||||
code execution, though achieving the latter in real-world conditions is
|
||||
currently deemed very difficult.
|
||||
|
||||
This vulnerability was responsibly reported as ZDI-CAN-12302 ("ISC BIND
|
||||
TKEY Query Heap-based Buffer Overflow Remote Code Execution
|
||||
Vulnerability") by Trend Micro Zero Day Initiative.
|
||||
---
|
||||
lib/dns/spnego.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
|
||||
index e61d1c600f..753dc8049f 100644
|
||||
--- a/lib/dns/spnego.c
|
||||
+++ b/lib/dns/spnego.c
|
||||
@@ -848,7 +848,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
|
||||
return (ASN1_OVERRUN);
|
||||
}
|
||||
|
||||
- data->components = malloc(len * sizeof(*data->components));
|
||||
+ data->components = malloc((len + 1) * sizeof(*data->components));
|
||||
if (data->components == NULL) {
|
||||
return (ENOMEM);
|
||||
}
|
||||
--
|
||||
2.26.2
|
||||
|
||||
@ -66,7 +66,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
|
||||
Name: bind
|
||||
License: MPLv2.0
|
||||
Version: 9.16.11
|
||||
Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
|
||||
Release: 4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
|
||||
Epoch: 32
|
||||
Url: https://www.isc.org/downloads/bind/
|
||||
#
|
||||
@ -120,6 +120,8 @@ Patch170:bind-9.11-feature-test-named.patch
|
||||
Patch171:bind-9.11-tests-variants.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4582
|
||||
Patch172:bind-9.16-unit-tests-multicore.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/commit/b04cb88462863d762093760ffcfe1946200e30f5
|
||||
Patch173:bind-9.16-CVE-2020-8625.patch
|
||||
|
||||
Requires(post): systemd
|
||||
Requires(preun): systemd
|
||||
@ -434,6 +436,7 @@ in HTML and PDF format.
|
||||
%patch170 -p1 -b .featuretest-named
|
||||
%patch171 -p1 -b .test-variant
|
||||
%patch172 -p1 -b .multicore
|
||||
%patch173 -p1 -b .CVE-2020-8625
|
||||
|
||||
%if %{with PKCS11}
|
||||
%patch135 -p1 -b .config-pkcs11
|
||||
@ -1164,6 +1167,9 @@ fi;
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Feb 22 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.11-4
|
||||
- Fix off-by-one bug in ISC SPNEGO implementation (#1929965)
|
||||
|
||||
* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 32:9.16.11-3
|
||||
- rebuild for libpq ABI fix rhbz#1908268
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user