From 23141c22b16d8a7248bc50c6c56dc1836de8d086 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Tue, 24 Oct 2017 15:18:59 -0400
Subject: [PATCH] Fix CVE-2017-15088 (Buffer overflow in get_matching_data())
---
...INIT-cert-matching-data-construction.patch | 103 ++++++++++++++++++
krb5.spec | 6 +-
2 files changed, 108 insertions(+), 1 deletion(-)
create mode 100644 Fix-PKINIT-cert-matching-data-construction.patch
diff --git a/Fix-PKINIT-cert-matching-data-construction.patch b/Fix-PKINIT-cert-matching-data-construction.patch
new file mode 100644
index 0000000..577db58
--- /dev/null
+++ b/Fix-PKINIT-cert-matching-data-construction.patch
@@ -0,0 +1,103 @@
+From 82854302309e2a513908cf85ed9321113ef26a08 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Tue, 24 Oct 2017 15:09:57 -0400
+Subject: [PATCH] Fix PKINIT cert matching data construction
+
+Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
+allocation and to perform proper error checking.
+
+(cherry picked from commit 5a2faf2802480548ff6a7261552ee17efaed7be1)
+---
+ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 61 +++++++---------------
+ 1 file changed, 19 insertions(+), 42 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index f7640baf1..9fa20a8b2 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -5002,33 +5002,23 @@ out:
+ return retval;
+ }
+
+-/*
+- * Return a string format of an X509_NAME in buf where
+- * size is an in/out parameter. On input it is the size
+- * of the buffer, and on output it is the actual length
+- * of the name.
+- * If buf is NULL, returns the length req'd to hold name
+- */
+-static char *
+-X509_NAME_oneline_ex(X509_NAME * a,
+- char *buf,
+- unsigned int *size,
+- unsigned long flag)
++static krb5_error_code
++rfc2253_name(X509_NAME *name, char **str_out)
+ {
+- BIO *out = NULL;
++ BIO *b = NULL;
++ char *str;
+
+- out = BIO_new(BIO_s_mem ());
+- if (X509_NAME_print_ex(out, a, 0, flag) > 0) {
+- if (buf != NULL && (*size) > (unsigned int) BIO_number_written(out)) {
+- memset(buf, 0, *size);
+- BIO_read(out, buf, (int) BIO_number_written(out));
+- }
+- else {
+- *size = BIO_number_written(out);
+- }
+- }
+- BIO_free(out);
+- return (buf);
++ *str_out = NULL;
++ b = BIO_new(BIO_s_mem());
++ if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)
++ return ENOMEM;
++ str = calloc(BIO_number_written(b) + 1, 1);
++ if (str == NULL)
++ return ENOMEM;
++ BIO_read(b, str, BIO_number_written(b));
++ BIO_free(b);
++ *str_out = str;
++ return 0;
+ }
+
+ /*
+@@ -5094,8 +5084,6 @@ get_matching_data(krb5_context context,
+ pkinit_cert_matching_data *md = NULL;
+ krb5_principal *pkinit_sans = NULL, *upn_sans = NULL;
+ size_t i, j;
+- char buf[DN_BUF_LEN];
+- unsigned int bufsize = sizeof(buf);
+
+ *md_out = NULL;
+
+@@ -5103,23 +5091,12 @@ get_matching_data(krb5_context context,
+ if (md == NULL)
+ goto cleanup;
+
+- /* Get the subject name (in rfc2253 format). */
+- X509_NAME_oneline_ex(X509_get_subject_name(cert), buf, &bufsize,
+- XN_FLAG_SEP_COMMA_PLUS);
+- md->subject_dn = strdup(buf);
+- if (md->subject_dn == NULL) {
+- ret = ENOMEM;
++ ret = rfc2253_name(X509_get_subject_name(cert), &md->subject_dn);
++ if (ret)
+ goto cleanup;
+- }
+-
+- /* Get the issuer name (in rfc2253 format). 
*/
+- X509_NAME_oneline_ex(X509_get_issuer_name(cert), buf, &bufsize,
+- XN_FLAG_SEP_COMMA_PLUS);
+- md->issuer_dn = strdup(buf);
+- if (md->issuer_dn == NULL) {
+- ret = ENOMEM;
++ ret = rfc2253_name(X509_get_issuer_name(cert), &md->issuer_dn);
++ if (ret)
+ goto cleanup;
+- }
+
+ /* Get the SAN data. */
+ ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx,
diff --git a/krb5.spec b/krb5.spec
index c390007..cf24c0a 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.16
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 0.beta1.3%{?dist}
+Release: 0.beta1.4%{?dist}
 
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@@ -61,6 +61,7 @@ Patch34: krb5-1.9-debuginfo.patch
 Patch35: krb5-1.11-run_user_0.patch
 Patch36: krb5-1.11-kpasswdtest.patch
 Patch43: Use-GSSAPI-fallback-skiptest.patch
+Patch44: Fix-PKINIT-cert-matching-data-construction.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -713,6 +714,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Tue Oct 24 2017 Robbie Harwood - 1.16-0.beta1.4
+- Fix CVE-2017-15088 (Buffer overflow in get_matching_data())
+
 * Mon Oct 23 2017 Robbie Harwood - 1.16-0.beta1.3
 - Drop dependency on python2-pyrad (dead upstream, broken with new python)
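Review bot: In the new rfc2253_name() the BIO returned by BIO_new() is never checked for NULL, and both early `return ENOMEM;` paths (after X509_NAME_print_ex() and after calloc()) return without freeing the BIO — it is released only on the success path. A NULL b is passed straight into X509_NAME_print_ex(), and whether that is caught depends on the OpenSSL version, so it should be checked explicitly; the two error returns leak one BIO per certificate that fails here, and get_matching_data() is run for every client certificate examined, so the leak is reachable repeatedly under memory pressure. BIO_read() also takes an int length while BIO_number_written() returns an unsigned long, so a cast or bound check would make the assumption that the rendered name fits visible, as the removed code did with `(int) BIO_number_written(out)`. The cleanest shape is to check BIO_new() up front and route both failures through one label that frees b before returning. The spec hunks (release bump, Patch44 line, changelog) need nothing further.

```c
    *str_out = NULL;
    b = BIO_new(BIO_s_mem());
    if (b == NULL)
        return ENOMEM;
    if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)
        goto error;
    str = calloc(BIO_number_written(b) + 1, 1);
    if (str == NULL)
        goto error;
    /* … unchanged: BIO_read, BIO_free, *str_out = str, return 0 … */

error:
    BIO_free(b);
    return ENOMEM;
```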