rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to upstream patch

Browse Source 
Update to the as-committed version of this patch, which affects the
comments it includes.
This commit is contained in:
Nalin Dahyabhai 2014-07-21 17:18:33 -04:00
parent 9594be4f3a
commit 24f7f1a446
2 changed files with 48 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
krb5-gssapi-mech-doublefree.patch
View File

@ -1,32 +1,51 @@
From: David Woodhouse <David.Woodhouse@intel.com> commit f18ddf5d82de0ab7591a36e465bc24225776940f
Author: David Woodhouse <David.Woodhouse@intel.com>
Date: Tue Jul 15 12:54:15 2014 -0400
In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the Fix double-free in SPNEGO [CVE-2014-4343]
pointer sc->internal_mech became an alias into sc->mech_set->elements[],
which should be considered constant for the duration of the SPNEGO
context.
So don't free it. In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
pointer sc->internal_mech became an alias into sc->mech_set->elements,
which should be considered constant for the duration of the SPNEGO
context. So don't free it.
This led to the obvious crashes in the allocator, and also to strange CVE-2014-4343:
behaviour with Firefox failing to fall back to alternative mechanisms
when it should have done.
https://bugzilla.redhat.com/show_bug.cgi?id=1117963 In MIT krb5 releases 1.10 and newer, an unauthenticated remote
attacker with the ability to spoof packets appearing to be from a
GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
(clients) which are using the SPNEGO mechanism, by returning a
different underlying mechanism than was proposed by the initiator. At
this stage of the negotiation, the acceptor is unauthenticated, and
the acceptor's response could be spoofed by an attacker with the
ability to inject traffic to the initiator.
==31436== Invalid free() / delete / delete[] / realloc() Historically, some double-free vulnerabilities can be translated into
==31436== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) remote code execution, though the necessary exploits must be tailored
==31436== by 0x3AE900D6B9: generic_gss_release_oid_set (gssapi_alloc.h:93) to the individual application and are usually quite
==31436== by 0x3AE903775F: release_spnego_ctx (spnego_mech.c:2895) complicated. Double-frees can also be exploited to cause an
==31436== by 0x3AE9037830: spnego_gss_delete_sec_context (spnego_mech.c:2164) application crash, for a denial of service. However, most GSSAPI
==31436== by 0x3AE9012292: gss_delete_sec_context (g_delete_sec_context.c:90) client applications are not vulnerable, as the SPNEGO mechanism is not
==31436== Address 0x4fb5510 is 0 bytes inside a block of size 80 free'd used by default (when GSS_C_NO_OID is passed as the mech_type argument
==31436== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) to gss_init_sec_context()). The most common use of SPNEGO is for
==31436== by 0x3AE900C88E: generic_gss_release_oid (oid_ops.c:103) HTTP-Negotiate, used in web browsers and other web clients. Most such
==31436== by 0x3AE903BE85: spnego_gss_init_sec_context (spnego_mech.c:792) clients are believed to not offer HTTP-Negotiate by default, instead
==31436== by 0x3AE90154CA: gss_init_sec_context (g_init_sec_context.c:210) requiring a whitelist of sites for which it may be used to be
--- configured. If the whitelist is configured to only allow
src/lib/gssapi/spnego/spnego_mech.c | 1 - HTTP-Negotiate over TLS connections ("https://"), a successful
1 file changed, 1 deletion(-) attacker must also spoof the web server's SSL certificate, due to the
way the WWW-Authenticate header is sent in a 401 (Unauthorized)
response message. Unfortunately, many instructions for enabling
HTTP-Negotiate in common web browsers do not include a TLS
requirement.
CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
[kaduk@mit.edu: CVE summary and CVSSv2 vector]
ticket: 7969 (new)
target_version: 1.12.2
tags: pullup
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 173c6d2..8f829d8 100644 index 173c6d2..8f829d8 100644
@ -40,10 +59,3 @@ index 173c6d2..8f829d8 100644
gss_delete_sec_context(&tmpmin, &sc->ctx_handle, gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
GSS_C_NO_BUFFER); GSS_C_NO_BUFFER);
--
1.9.3
--
David Woodhouse Open Source Technology Centre
David.Woodhouse@intel.com Intel Corporation

2
krb5.spec
View File

@ -1040,7 +1040,7 @@ exit 0
%changelog %changelog
* Wed Jul 16 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-12 * Wed Jul 16 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-12
- gssapi: pull in proposed fix for a double free in initiators (David - gssapi: pull in proposed fix for a double free in initiators (David
Woodhouse, #1117963) Woodhouse, CVE-2014-4343, #1117963)
* Sat Jul 12 2014 Tom Callaway <spot@fedoraproject.org> - 1.12.1-11 * Sat Jul 12 2014 Tom Callaway <spot@fedoraproject.org> - 1.12.1-11
- fix license handling - fix license handling