From 091dcbf7942abf94b8423482bd268e3661f8880d Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Mon, 2 Apr 2018 12:37:37 -0400
Subject: [PATCH] Zap data when freeing krb5_spake_factor
---
Zap-data-when-freeing-krb5_spake_factor.patch | 29 +++++++++++++++++++
krb5.spec | 6 +++-
2 files changed, 34 insertions(+), 1 deletion(-)
create mode 100644 Zap-data-when-freeing-krb5_spake_factor.patch
diff --git a/Zap-data-when-freeing-krb5_spake_factor.patch b/Zap-data-when-freeing-krb5_spake_factor.patch
new file mode 100644
index 0000000..18192c9
--- /dev/null
+++ b/Zap-data-when-freeing-krb5_spake_factor.patch
@@ -0,0 +1,29 @@
+From 19ed715d39bdf8415f69156d6cef19225cf6355a Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Tue, 27 Mar 2018 15:42:28 -0400
+Subject: [PATCH] Zap data when freeing krb5_spake_factor
+
+krb5_spake_factor structures will sometimes hold sensitive data when
+second-factor SPAKE is implemented, so should be zapped when freed.
+
+ticket: 8647
+(cherry picked from commit 9cc94a3f1ce06a4430f684300a747ec079102403)
+---
+ src/lib/krb5/krb/kfree.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c
+index e1ea1494a..71e7fcad0 100644
+--- a/src/lib/krb5/krb/kfree.c
++++ b/src/lib/krb5/krb/kfree.c
+@@ -897,7 +897,9 @@ k5_free_spake_factor(krb5_context context, krb5_spake_factor *val)
+ {
+ if (val == NULL)
+ return;
+- krb5_free_data(context, val->data);
++ if (val->data != NULL)
++ zapfree(val->data->data, val->data->length);
++ free(val->data);
+ free(val);
+ }
+
diff --git a/krb5.spec b/krb5.spec
index bd92e64..f0df09b 100644
--- a/krb5.spec
+++ b/krb5.spec
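Review bot: The three lines that replace `krb5_free_data()` in `k5_free_spake_factor` (the kfree.c hunk embedded in the new patch file) carry no comment saying why the generic helper is avoided, so a later cleanup could fold them back into `krb5_free_data(context, val->data)` and silently lose the zeroization. I would add `/* Factor data may hold second-factor secrets; zap the contents rather than calling krb5_free_data(). */` above the `if (val->data != NULL)` line. `zapfree` is defined outside this page; presumably it tolerates a NULL `val->data->data` with zero length, which is worth confirming since an empty factor looks plausible. The `context` argument is no longer used in the body shown, which is harmless for the interface but may trip unused-parameter warnings.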
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.16 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 18%{?dist} +Release: 19%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz @@ -87,6 +87,7 @@ Patch60: Add-SPAKE-preauth-support.patch Patch61: Add-doc-index-entries-for-SPAKE-constants.patch Patch62: Fix-SPAKE-memory-leak.patch Patch63: Continue-after-KRB5_CC_END-in-KCM-cache-iteration.patch +Patch64: Zap-data-when-freeing-krb5_spake_factor.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -737,6 +738,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Mon Apr 02 2018 Robbie Harwood - 1.16-19 +- Zap data when freeing krb5_spake_factor + * Thu Mar 29 2018 Robbie Harwood - 1.16-18 - Continue after KRB5_CC_END in KCM cache iteration