Fix CVE-2017-15088 (Buffer overflow in get_matching_data())
This commit is contained in:
parent
6e83fb6a5e
commit
23141c22b1
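--- a/Fix-PKINIT-cert-matching-data-construction.patch
+++ b/Fix-PKINIT-cert-matching-data-construction.patch
@@ -0,0 +1,103 @@
+From 82854302309e2a513908cf85ed9321113ef26a08 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 24 Oct 2017 15:09:57 -0400
+Subject: [PATCH] Fix PKINIT cert matching data construction
+
+Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
+allocation and to perform proper error checking.
+
+(cherry picked from commit 5a2faf2802480548ff6a7261552ee17efaed7be1)
+---
+src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 61 +++++++---------------
+1 file changed, 19 insertions(+), 42 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index f7640baf1..9fa20a8b2 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -5002,33 +5002,23 @@ out:
+return retval;
+}
+
+-/*
+- * Return a string format of an X509_NAME in buf where
+- * size is an in/out parameter. On input it is the size
+- * of the buffer, and on output it is the actual length
+- * of the name.
+- * If buf is NULL, returns the length req'd to hold name
+- */
+-static char *
+-X509_NAME_oneline_ex(X509_NAME * a,
+- char *buf,
+- unsigned int *size,
+- unsigned long flag)
++static krb5_error_code
++rfc2253_name(X509_NAME *name, char **str_out)
+{
+- BIO *out = NULL;
++ BIO *b = NULL;
++ char *str;
+
+- out = BIO_new(BIO_s_mem ());
+- if (X509_NAME_print_ex(out, a, 0, flag) > 0) {
+- if (buf != NULL && (*size) > (unsigned int) BIO_number_written(out)) {
+- memset(buf, 0, *size);
+- BIO_read(out, buf, (int) BIO_number_written(out));
+- }
+- else {
+- *size = BIO_number_written(out);
+- }
+- }
+- BIO_free(out);
+- return (buf);
++ *str_out = NULL;
++ b = BIO_new(BIO_s_mem());
++ if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)
++ return ENOMEM;
++ str = calloc(BIO_number_written(b) + 1, 1);
++ if (str == NULL)
++ return ENOMEM;
++ BIO_read(b, str, BIO_number_written(b));
++ BIO_free(b);
++ *str_out = str;
++ return 0;
+}
+
+/*
+@@ -5094,8 +5084,6 @@ get_matching_data(krb5_context context,
+pkinit_cert_matching_data *md = NULL;
+krb5_principal *pkinit_sans = NULL, *upn_sans = NULL;
+size_t i, j;
+- char buf[DN_BUF_LEN];
+- unsigned int bufsize = sizeof(buf);
+
+*md_out = NULL;
+
+@@ -5103,23 +5091,12 @@ get_matching_data(krb5_context context,
+if (md == NULL)
+goto cleanup;
+
+- /* Get the subject name (in rfc2253 format). */
+- X509_NAME_oneline_ex(X509_get_subject_name(cert), buf, &bufsize,
+- XN_FLAG_SEP_COMMA_PLUS);
+- md->subject_dn = strdup(buf);
+- if (md->subject_dn == NULL) {
+- ret = ENOMEM;
++ ret = rfc2253_name(X509_get_subject_name(cert), &md->subject_dn);
++ if (ret)
+goto cleanup;
+- }
+-
+- /* Get the issuer name (in rfc2253 format). */
+- X509_NAME_oneline_ex(X509_get_issuer_name(cert), buf, &bufsize,
+- XN_FLAG_SEP_COMMA_PLUS);
+- md->issuer_dn = strdup(buf);
+- if (md->issuer_dn == NULL) {
+- ret = ENOMEM;
++ ret = rfc2253_name(X509_get_issuer_name(cert), &md->issuer_dn);
++ if (ret)
+goto cleanup;
+- }
+
+/* Get the SAN data. */
+ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx,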
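Review bot: In the new rfc2253_name() (hunk `@@ -5002,33 +5002,23 @@`), the result of `b = BIO_new(BIO_s_mem())` is never checked before it is handed to X509_NAME_print_ex(), and the two `return ENOMEM;` paths that follow — after the X509_NAME_print_ex() failure and after the calloc() failure — return without releasing `b`, so BIO_free(b) is only reached on the success path. The leak is only hit on an allocation or print failure, so it is low impact, but the routine now runs twice per certificate in get_matching_data() and the missing NULL check turns an allocation failure into a NULL BIO being passed to OpenSSL. I would test the BIO_new() result and route both failures through one error label so the BIO is freed on every path, as below. The two call-site hunks in get_matching_data() are fine as written; this applies to the helper only.
```c
static krb5_error_code
rfc2253_name(X509_NAME *name, char **str_out)
{
    BIO *b = NULL;
    char *str;

    *str_out = NULL;
    b = BIO_new(BIO_s_mem());
    if (b == NULL)
        return ENOMEM;
    if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)
        goto error;
    str = calloc(BIO_number_written(b) + 1, 1);
    if (str == NULL)
        goto error;
    BIO_read(b, str, BIO_number_written(b));
    BIO_free(b);
    *str_out = str;
    return 0;

error:
    /* Every failure path releases the memory BIO before reporting ENOMEM. */
    BIO_free(b);
    return ENOMEM;
}
```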
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
|
|||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.16
|
Version: 1.16
|
||||||
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
||||||
Release: 0.beta1.3%{?dist}
|
Release: 0.beta1.4%{?dist}
|
||||||
|
|
||||||
# lookaside-cached sources; two downloads and a build artifact
|
# lookaside-cached sources; two downloads and a build artifact
|
||||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
|
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
|
||||||
@ -61,6 +61,7 @@ Patch34: krb5-1.9-debuginfo.patch
|
|||||||
Patch35: krb5-1.11-run_user_0.patch
|
Patch35: krb5-1.11-run_user_0.patch
|
||||||
Patch36: krb5-1.11-kpasswdtest.patch
|
Patch36: krb5-1.11-kpasswdtest.patch
|
||||||
Patch43: Use-GSSAPI-fallback-skiptest.patch
|
Patch43: Use-GSSAPI-fallback-skiptest.patch
|
||||||
|
Patch44: Fix-PKINIT-cert-matching-data-construction.patch
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://web.mit.edu/kerberos/www/
|
URL: http://web.mit.edu/kerberos/www/
|
||||||
@ -713,6 +714,9 @@ exit 0
|
|||||||
%{_libdir}/libkadm5srv_mit.so.*
|
%{_libdir}/libkadm5srv_mit.so.*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Oct 24 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-0.beta1.4
|
||||||
|
- Fix CVE-2017-15088 (Buffer overflow in get_matching_data())
|
||||||
|
|
||||||
* Mon Oct 23 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-0.beta1.3
|
* Mon Oct 23 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-0.beta1.3
|
||||||
- Drop dependency on python2-pyrad (dead upstream, broken with new python)
|
- Drop dependency on python2-pyrad (dead upstream, broken with new python)
|
||||||
|
|
||||||
|