From 2091f2939975551a5bfbe8b53ee5d74fa588f03e Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Tue, 4 Aug 2020 14:24:08 -0400
Subject: [PATCH] Fix leak in KERB_AP_OPTIONS_CBT server support
---
 ...n-KERB_AP_OPTIONS_CBT-server-support.patch | 59 +++++++++++++++++++
 krb5.spec | 6 +-
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
diff --git a/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch b/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
new file mode 100644
index 0000000..54f2550
--- /dev/null
+++ b/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
@@ -0,0 +1,59 @@
+From 044e2209586fd1935d9a637df76d52f48c4f3e6e Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Fri, 24 Jul 2020 16:05:24 -0400
+Subject: [PATCH] Fix leak in KERB_AP_OPTIONS_CBT server support
+
+In check_cbt(), use a local variable to hold the retrieved authdata
+list, and free it before returning.
+
+ticket: 8900
+(cherry picked from commit bf2ddff13c178e0c291f8fb382b040080d159e4f)
+---
+ src/lib/gssapi/krb5/accept_sec_context.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
+index 175a24c4e..3d5b84b15 100644
+--- a/src/lib/gssapi/krb5/accept_sec_context.c
++++ b/src/lib/gssapi/krb5/accept_sec_context.c
+@@ -433,27 +433,30 @@ static const uint8_t null_cb[CB_MD5_LEN];
+ /* Look for AP_OPTIONS in authdata. If present and the options include
+ * KERB_AP_OPTIONS_CBT, set *cbt_out to true. */
+ static krb5_error_code
+-check_cbt(krb5_context context, krb5_authdata **authdata,
++check_cbt(krb5_context context, krb5_authdata *const *authdata,
+ krb5_boolean *cbt_out)
+ {
+ krb5_error_code code;
++ krb5_authdata **ad;
+ uint32_t ad_ap_options;
+ const uint32_t KERB_AP_OPTIONS_CBT = 0x4000;
+
+ *cbt_out = FALSE;
+
+ code = krb5_find_authdata(context, NULL, authdata,
+- KRB5_AUTHDATA_AP_OPTIONS, &authdata);
+- if (code || authdata == NULL)
++ KRB5_AUTHDATA_AP_OPTIONS, &ad);
++ if (code || ad == NULL)
+ return code;
+- if (authdata[1] != NULL || authdata[0]->length != 4)
+- return KRB5KRB_AP_ERR_MSG_TYPE;
++ if (ad[1] != NULL || ad[0]->length != 4) {
++ code = KRB5KRB_AP_ERR_MSG_TYPE;
++ } else {
++ ad_ap_options = load_32_le(ad[0]->contents);
++ if (ad_ap_options & KERB_AP_OPTIONS_CBT)
++ *cbt_out = TRUE;
++ }
+
+- ad_ap_options = load_32_le(authdata[0]->contents);
+- if (ad_ap_options & KERB_AP_OPTIONS_CBT)
+- *cbt_out = TRUE;
+-
+- return 0;
++ krb5_free_authdata(context, ad);
++ return code;
+ }
+
+ /*
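Review bot: The early `return code` right after `krb5_find_authdata()` neither initializes nor frees `ad`, so that path is leak-free only if krb5_find_authdata() never stores a non-NULL list in `*results` before failing — a contract this hunk does not show. Initializing `krb5_authdata **ad = NULL;` and freeing on that path as well, `if (code || ad == NULL) { krb5_free_authdata(context, ad); return code; }`, makes the function correct regardless of that contract, provided krb5_free_authdata() accepts NULL like the other krb5_free_* helpers (confirm before relying on it). The shape check that follows — exactly one AP_OPTIONS element of exactly 4 bytes, otherwise KRB5KRB_AP_ERR_MSG_TYPE with *cbt_out left FALSE — is the right fail-closed posture for a client-asserted flag and deserves a one-line why-comment such as `/* A malformed AP_OPTIONS element is an error, not something to ignore. */`, though whether the caller treats that error as fatal is outside this hunk. check_cbt() itself begins and ends inside the hunk.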
diff --git a/krb5.spec b/krb5.spec
index 4a61316..7199f35 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18.2
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 17%{?dist}
+Release: 18%{?dist}
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -70,6 +70,7 @@ Patch31: Add-channel-bindings-tests.patch
 Patch32: Use-two-queues-for-concurrent-t_otp.py-daemons.patch
 Patch33: Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch
 Patch34: Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
+Patch35: Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -631,6 +632,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Tue Aug 04 2020 Robbie Harwood - 1.18.2-18
+- Fix leak in KERB_AP_OPTIONS_CBT server support
+
 * Mon Aug 03 2020 Robbie Harwood - 1.18.2-17
 - Revert qualify_shortname removal