- add patch for MITKRB5-SA-2007-003

2007-04-03 18:14:37 +00:00 · 2007-04-03 18:14:37 +00:00 · 1dc23da208
commit 1dc23da208
parent aece600301
1 changed files with 80 additions and 0 deletions
--- a/krb5-1.6-CVE-2007-1216-prelim.patch
+++ b/krb5-1.6-CVE-2007-1216-prelim.patch
@ -0,0 +1,80 @@
+*** src/lib/gssapi/krb5/k5unseal.c      (revision 19510)
+--- src/lib/gssapi/krb5/k5unseal.c      (revision 19511)
+***************
+*** 457,464 ****
+
+      if ((ctx->initiate && direction != 0xff) ||
+  	(!ctx->initiate && direction != 0)) {
+! 	if (toktype == KG_TOK_SEAL_MSG)
+  	    xfree(token.value);
+  	*minor_status = G_BAD_DIRECTION;
+  	return(GSS_S_BAD_SIG);
+      }
+--- 457,467 ----
+
+      if ((ctx->initiate && direction != 0xff) ||
+  	(!ctx->initiate && direction != 0)) {
+! 	if (toktype == KG_TOK_SEAL_MSG) {
+  	    xfree(token.value);
+ 	    message_buffer->value = NULL;
+ 	    message_buffer->length = 0;
+ 	}
+  	*minor_status = G_BAD_DIRECTION;
+  	return(GSS_S_BAD_SIG);
+      }
+
+REFERENCES
+==========
+
+This announcement is posted at:
+
+  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt
+
+This announcement and related security advisories may be found on the
+MIT Kerberos security advisory page at:
+
+        http://web.mit.edu/kerberos/advisories/index.html
+
+The main MIT Kerberos web page is at:
+
+        http://web.mit.edu/kerberos/index.html
+
+CVE: CVE-2007-1216
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1216
+
+ACKNOWLEDGMENTS
+===============
+
+This bug was found while exercising the GSS-API library using the
+GSSTEST test program provided by SAP AG.
+
+DETAILS
+=======
+
+The kg_unseal_v1() function in src/lib/gssapi/krb5/k5unseal.c frees
+memory allocated for the "message_buffer" gss_buffer_t when it detects
+an invalid direction encoding on the message.  It does not set the
+pointer to NULL, nor does it set the length to zero.  An application
+subsequently calling gss_release_buffer() on this gss_buffer_t will
+cause memory to be freed twice.
+
+Much code provided with MIT krb5 does not attempt to call
+gss_release_buffer() when gss_unseal() or gss_unwrap() fails, even
+though the GSS-API C-bindings specification permits it to do so.  The
+RPCSEC_GSS authentication flavor for the RPC library, introduced in
+krb5-1.4, does call gss_release_buffer() when gss_unwrap() fails.
+This allows an authenticated attacker to trigger a double-free
+situation.
+
+Third-party applications calling the RPC library provided with MIT
+krb5 and using the RPCSEC_GSS authentication flavor are vulnerable.
+Third-party applications calling the MIT GSS-API library are
+vulnerable if they call gss_release_buffer() when they experience
+errors from gss_unseal() or gss_unwrap().
+
+REVISION HISTORY
+================
+
+2007-mm-dd      original release
+
+Copyright (C) 2007 Massachusetts Institute of Technology