rpms/krb5
6
0
Fork 0
Code Issues Pull Requests Releases Activity

- apply upstream patch to fix a null pointer dereference when processing TGS requests (CVE-2011-1530, #753748)

Browse Source
This commit is contained in:
Nalin Dahyabhai 2011-12-06 14:12:15 -05:00
parent 4584a88e40
commit 03e76d7832
2 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
2011-007-patch.txt Normal file
View File

@ -0,0 +1,40 @@
diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index f46cad3..102fbaa 100644
--- a/src/kdc/Makefile.in
+++ b/src/kdc/Makefile.in
@@ -67,6 +67,7 @@ check-unix:: rtest
check-pytests::
$(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
install::
$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c169c54..840a2ef 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -243,7 +243,8 @@ tgt_again:
if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
errcode = find_alternate_tgs(request, &server);
firstpass = 0;
- goto tgt_again;
+ if (errcode == 0)
+ goto tgt_again;
}
}
status = "UNKNOWN_SERVER";
diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
new file mode 100644
index 0000000..1760bcd
--- /dev/null
+++ b/src/kdc/t_emptytgt.py
@@ -0,0 +1,8 @@
+#!/usr/bin/python
+from k5test import *
+
+realm = K5Realm(start_kadmind=False, create_host=False)
+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
+if 'not found in Kerberos database' not in output:
+ fail('TGT lookup for empty realm failed in unexpected way')
+success('Empty tgt lookup.')

8
krb5.spec
View File

@ -15,7 +15,7 @@
Summary: The Kerberos network authentication system Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.10 Version: 1.10
Release: 0%{?dist}.alpha1.1 Release: 0%{?dist}.alpha1.2
# Maybe we should explode from the now-available-to-everybody tarball instead? # Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-alpha1-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-alpha1-signed.tar
Source0: krb5-%{version}-alpha1.tar.gz Source0: krb5-%{version}-alpha1.tar.gz
@ -58,6 +58,7 @@ Patch71: krb5-1.9-dirsrv-accountlock.patch
Patch75: krb5-pkinit-debug.patch Patch75: krb5-pkinit-debug.patch
Patch86: krb5-1.9-debuginfo.patch Patch86: krb5-1.9-debuginfo.patch
Patch92: krb5-1.10-alpha1-uninit.patch Patch92: krb5-1.10-alpha1-uninit.patch
Patch93: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
@ -223,6 +224,7 @@ ln -s NOTICE LICENSE
%patch71 -p1 -b .dirsrv-accountlock %patch71 -p1 -b .dirsrv-accountlock
#%patch75 -p1 -b .pkinit-debug #%patch75 -p1 -b .pkinit-debug
%patch86 -p0 -b .debuginfo %patch86 -p0 -b .debuginfo
%patch93 -p1 -b .2011-007
# XXX Temporary, backported from trunk. # XXX Temporary, backported from trunk.
%patch92 -p1 -b .uninit %patch92 -p1 -b .uninit
# XXX Temporary, fixed properly in trunk. # XXX Temporary, fixed properly in trunk.
@ -737,6 +739,10 @@ exit 0
%{_sbindir}/uuserver %{_sbindir}/uuserver
%changelog %changelog
* Tue Dec 6 2011 Nalin Dahyabhai <nalin@redhat.com> 1.10-0.alpha1.2
- apply upstream patch to fix a null pointer dereference when processing
TGS requests (CVE-2011-1530, #753748)
* Wed Nov 30 2011 Nalin Dahyabhai <nalin@redhat.com> 1.10-0.alpha1.1 * Wed Nov 30 2011 Nalin Dahyabhai <nalin@redhat.com> 1.10-0.alpha1.1
- correct a bug in the fix for #754001 so that the file creation context is - correct a bug in the fix for #754001 so that the file creation context is
consistently reset consistently reset