From 23141c22b16d8a7248bc50c6c56dc1836de8d086 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 24 Oct 2017 15:18:59 -0400
Subject: [PATCH] Fix CVE-2017-15088 (Buffer overflow in get_matching_data())

---
 ...INIT-cert-matching-data-construction.patch | 103 ++++++++++++++++++
 krb5.spec                                     |   6 +-
 2 files changed, 108 insertions(+), 1 deletion(-)
 create mode 100644 Fix-PKINIT-cert-matching-data-construction.patch

diff --git a/Fix-PKINIT-cert-matching-data-construction.patch b/Fix-PKINIT-cert-matching-data-construction.patch
new file mode 100644
index 0000000..577db58
--- /dev/null
+++ b/Fix-PKINIT-cert-matching-data-construction.patch
@@ -0,0 +1,103 @@
+From 82854302309e2a513908cf85ed9321113ef26a08 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 24 Oct 2017 15:09:57 -0400
+Subject: [PATCH] Fix PKINIT cert matching data construction
+
+Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
+allocation and to perform proper error checking.
+
+(cherry picked from commit 5a2faf2802480548ff6a7261552ee17efaed7be1)
+---
+ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 61 +++++++---------------
+ 1 file changed, 19 insertions(+), 42 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index f7640baf1..9fa20a8b2 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -5002,33 +5002,23 @@ out:
+     return retval;
+ }
+ 
+-/*
+- * Return a string format of an X509_NAME in buf where
+- * size is an in/out parameter.  On input it is the size
+- * of the buffer, and on output it is the actual length
+- * of the name.
+- * If buf is NULL, returns the length req'd to hold name
+- */
+-static char *
+-X509_NAME_oneline_ex(X509_NAME * a,
+-                     char *buf,
+-                     unsigned int *size,
+-                     unsigned long flag)
++static krb5_error_code
++rfc2253_name(X509_NAME *name, char **str_out)
+ {
+-    BIO *out = NULL;
++    BIO *b = NULL;
++    char *str;
+ 
+-    out = BIO_new(BIO_s_mem ());
+-    if (X509_NAME_print_ex(out, a, 0, flag) > 0) {
+-        if (buf != NULL && (*size) >  (unsigned int) BIO_number_written(out)) {
+-            memset(buf, 0, *size);
+-            BIO_read(out, buf, (int) BIO_number_written(out));
+-        }
+-        else {
+-            *size = BIO_number_written(out);
+-        }
+-    }
+-    BIO_free(out);
+-    return (buf);
++    *str_out = NULL;
++    b = BIO_new(BIO_s_mem());
++    if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)
++        return ENOMEM;
++    str = calloc(BIO_number_written(b) + 1, 1);
++    if (str == NULL)
++        return ENOMEM;
++    BIO_read(b, str, BIO_number_written(b));
++    BIO_free(b);
++    *str_out = str;
++    return 0;
+ }
+ 
+ /*
+@@ -5094,8 +5084,6 @@ get_matching_data(krb5_context context,
+     pkinit_cert_matching_data *md = NULL;
+     krb5_principal *pkinit_sans = NULL, *upn_sans = NULL;
+     size_t i, j;
+-    char buf[DN_BUF_LEN];
+-    unsigned int bufsize = sizeof(buf);
+ 
+     *md_out = NULL;
+ 
+@@ -5103,23 +5091,12 @@ get_matching_data(krb5_context context,
+     if (md == NULL)
+         goto cleanup;
+ 
+-    /* Get the subject name (in rfc2253 format). */
+-    X509_NAME_oneline_ex(X509_get_subject_name(cert), buf, &bufsize,
+-                         XN_FLAG_SEP_COMMA_PLUS);
+-    md->subject_dn = strdup(buf);
+-    if (md->subject_dn == NULL) {
+-        ret = ENOMEM;
++    ret = rfc2253_name(X509_get_subject_name(cert), &md->subject_dn);
++    if (ret)
+         goto cleanup;
+-    }
+-
+-    /* Get the issuer name (in rfc2253 format). */
+-    X509_NAME_oneline_ex(X509_get_issuer_name(cert), buf, &bufsize,
+-                         XN_FLAG_SEP_COMMA_PLUS);
+-    md->issuer_dn = strdup(buf);
+-    if (md->issuer_dn == NULL) {
+-        ret = ENOMEM;
++    ret = rfc2253_name(X509_get_issuer_name(cert), &md->issuer_dn);
++    if (ret)
+         goto cleanup;
+-    }
+ 
+     /* Get the SAN data. */
+     ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx,
diff --git a/krb5.spec b/krb5.spec
index c390007..cf24c0a 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.16
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 0.beta1.3%{?dist}
+Release: 0.beta1.4%{?dist}
 
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@@ -61,6 +61,7 @@ Patch34: krb5-1.9-debuginfo.patch
 Patch35: krb5-1.11-run_user_0.patch
 Patch36: krb5-1.11-kpasswdtest.patch
 Patch43: Use-GSSAPI-fallback-skiptest.patch
+Patch44: Fix-PKINIT-cert-matching-data-construction.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -713,6 +714,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Tue Oct 24 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-0.beta1.4
+- Fix CVE-2017-15088 (Buffer overflow in get_matching_data())
+
 * Mon Oct 23 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-0.beta1.3
 - Drop dependency on python2-pyrad (dead upstream, broken with new python)