Fix CVE-2017-15088 (Buffer overflow in get_matching_data())
This commit is contained in:
Robbie Harwood
parent
6e83fb6a5e
commit
23141c22b1
103
Fix-PKINIT-cert-matching-data-construction.patch
Normal file
103
Fix-PKINIT-cert-matching-data-construction.patch
Normal file
@ -0,0 +1,103 @@
|
||||
From 82854302309e2a513908cf85ed9321113ef26a08 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 24 Oct 2017 15:09:57 -0400
|
||||
Subject: [PATCH] Fix PKINIT cert matching data construction
|
||||
|
||||
Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
|
||||
allocation and to perform proper error checking.
|
||||
|
||||
(cherry picked from commit 5a2faf2802480548ff6a7261552ee17efaed7be1)
|
||||
---
|
||||
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 61 +++++++---------------
|
||||
1 file changed, 19 insertions(+), 42 deletions(-)
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
index f7640baf1..9fa20a8b2 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -5002,33 +5002,23 @@ out:
|
||||
return retval;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * Return a string format of an X509_NAME in buf where
|
||||
- * size is an in/out parameter. On input it is the size
|
||||
- * of the buffer, and on output it is the actual length
|
||||
- * of the name.
|
||||
- * If buf is NULL, returns the length req'd to hold name
|
||||
- */
|
||||
-static char *
|
||||
-X509_NAME_oneline_ex(X509_NAME * a,
|
||||
- char *buf,
|
||||
- unsigned int *size,
|
||||
- unsigned long flag)
|
||||
+static krb5_error_code
|
||||
+rfc2253_name(X509_NAME *name, char **str_out)
|
||||
{
|
||||
- BIO *out = NULL;
|
||||
+ BIO *b = NULL;
|
||||
+ char *str;
|
||||
|
||||
- out = BIO_new(BIO_s_mem ());
|
||||
- if (X509_NAME_print_ex(out, a, 0, flag) > 0) {
|
||||
- if (buf != NULL && (*size) > (unsigned int) BIO_number_written(out)) {
|
||||
- memset(buf, 0, *size);
|
||||
- BIO_read(out, buf, (int) BIO_number_written(out));
|
||||
- }
|
||||
- else {
|
||||
- *size = BIO_number_written(out);
|
||||
- }
|
||||
- }
|
||||
- BIO_free(out);
|
||||
- return (buf);
|
||||
+ *str_out = NULL;
|
||||
+ b = BIO_new(BIO_s_mem());
|
||||
+ if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)
|
||||
+ return ENOMEM;
|
||||
+ str = calloc(BIO_number_written(b) + 1, 1);
|
||||
+ if (str == NULL)
|
||||
+ return ENOMEM;
|
||||
+ BIO_read(b, str, BIO_number_written(b));
|
||||
+ BIO_free(b);
|
||||
+ *str_out = str;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -5094,8 +5084,6 @@ get_matching_data(krb5_context context,
|
||||
pkinit_cert_matching_data *md = NULL;
|
||||
krb5_principal *pkinit_sans = NULL, *upn_sans = NULL;
|
||||
size_t i, j;
|
||||
- char buf[DN_BUF_LEN];
|
||||
- unsigned int bufsize = sizeof(buf);
|
||||
|
||||
*md_out = NULL;
|
||||
|
||||
@@ -5103,23 +5091,12 @@ get_matching_data(krb5_context context,
|
||||
if (md == NULL)
|
||||
goto cleanup;
|
||||
|
||||
- /* Get the subject name (in rfc2253 format). */
|
||||
- X509_NAME_oneline_ex(X509_get_subject_name(cert), buf, &bufsize,
|
||||
- XN_FLAG_SEP_COMMA_PLUS);
|
||||
- md->subject_dn = strdup(buf);
|
||||
- if (md->subject_dn == NULL) {
|
||||
- ret = ENOMEM;
|
||||
+ ret = rfc2253_name(X509_get_subject_name(cert), &md->subject_dn);
|
||||
+ if (ret)
|
||||
goto cleanup;
|
||||
- }
|
||||
-
|
||||
- /* Get the issuer name (in rfc2253 format). */
|
||||
- X509_NAME_oneline_ex(X509_get_issuer_name(cert), buf, &bufsize,
|
||||
- XN_FLAG_SEP_COMMA_PLUS);
|
||||
- md->issuer_dn = strdup(buf);
|
||||
- if (md->issuer_dn == NULL) {
|
||||
- ret = ENOMEM;
|
||||
+ ret = rfc2253_name(X509_get_issuer_name(cert), &md->issuer_dn);
|
||||
+ if (ret)
|
||||
goto cleanup;
|
||||
- }
|
||||
|
||||
/* Get the SAN data. */
|
||||
ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx,
|
||||
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.16
|
||||
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
||||
Release: 0.beta1.3%{?dist}
|
||||
Release: 0.beta1.4%{?dist}
|
||||
|
||||
# lookaside-cached sources; two downloads and a build artifact
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
|
||||
@ -61,6 +61,7 @@ Patch34: krb5-1.9-debuginfo.patch
|
||||
Patch35: krb5-1.11-run_user_0.patch
|
||||
Patch36: krb5-1.11-kpasswdtest.patch
|
||||
Patch43: Use-GSSAPI-fallback-skiptest.patch
|
||||
Patch44: Fix-PKINIT-cert-matching-data-construction.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -713,6 +714,9 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Tue Oct 24 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-0.beta1.4
|
||||
- Fix CVE-2017-15088 (Buffer overflow in get_matching_data())
|
||||
|
||||
* Mon Oct 23 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-0.beta1.3
|
||||
- Drop dependency on python2-pyrad (dead upstream, broken with new python)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user