Update to upstream patch
Update to the as-committed version of this patch, which affects the comments it includes.
This commit is contained in:
Nalin Dahyabhai
parent
9594be4f3a
commit
24f7f1a446
@ -1,32 +1,51 @@
|
||||
From: David Woodhouse <David.Woodhouse@intel.com>
|
||||
commit f18ddf5d82de0ab7591a36e465bc24225776940f
|
||||
Author: David Woodhouse <David.Woodhouse@intel.com>
|
||||
Date: Tue Jul 15 12:54:15 2014 -0400
|
||||
|
||||
Fix double-free in SPNEGO [CVE-2014-4343]
|
||||
|
||||
In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
|
||||
pointer sc->internal_mech became an alias into sc->mech_set->elements[],
|
||||
pointer sc->internal_mech became an alias into sc->mech_set->elements,
|
||||
which should be considered constant for the duration of the SPNEGO
|
||||
context.
|
||||
context. So don't free it.
|
||||
|
||||
So don't free it.
|
||||
CVE-2014-4343:
|
||||
|
||||
This led to the obvious crashes in the allocator, and also to strange
|
||||
behaviour with Firefox failing to fall back to alternative mechanisms
|
||||
when it should have done.
|
||||
In MIT krb5 releases 1.10 and newer, an unauthenticated remote
|
||||
attacker with the ability to spoof packets appearing to be from a
|
||||
GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
|
||||
(clients) which are using the SPNEGO mechanism, by returning a
|
||||
different underlying mechanism than was proposed by the initiator. At
|
||||
this stage of the negotiation, the acceptor is unauthenticated, and
|
||||
the acceptor's response could be spoofed by an attacker with the
|
||||
ability to inject traffic to the initiator.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1117963
|
||||
Historically, some double-free vulnerabilities can be translated into
|
||||
remote code execution, though the necessary exploits must be tailored
|
||||
to the individual application and are usually quite
|
||||
complicated. Double-frees can also be exploited to cause an
|
||||
application crash, for a denial of service. However, most GSSAPI
|
||||
client applications are not vulnerable, as the SPNEGO mechanism is not
|
||||
used by default (when GSS_C_NO_OID is passed as the mech_type argument
|
||||
to gss_init_sec_context()). The most common use of SPNEGO is for
|
||||
HTTP-Negotiate, used in web browsers and other web clients. Most such
|
||||
clients are believed to not offer HTTP-Negotiate by default, instead
|
||||
requiring a whitelist of sites for which it may be used to be
|
||||
configured. If the whitelist is configured to only allow
|
||||
HTTP-Negotiate over TLS connections ("https://"), a successful
|
||||
attacker must also spoof the web server's SSL certificate, due to the
|
||||
way the WWW-Authenticate header is sent in a 401 (Unauthorized)
|
||||
response message. Unfortunately, many instructions for enabling
|
||||
HTTP-Negotiate in common web browsers do not include a TLS
|
||||
requirement.
|
||||
|
||||
==31436== Invalid free() / delete / delete[] / realloc()
|
||||
==31436== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
|
||||
==31436== by 0x3AE900D6B9: generic_gss_release_oid_set (gssapi_alloc.h:93)
|
||||
==31436== by 0x3AE903775F: release_spnego_ctx (spnego_mech.c:2895)
|
||||
==31436== by 0x3AE9037830: spnego_gss_delete_sec_context (spnego_mech.c:2164)
|
||||
==31436== by 0x3AE9012292: gss_delete_sec_context (g_delete_sec_context.c:90)
|
||||
==31436== Address 0x4fb5510 is 0 bytes inside a block of size 80 free'd
|
||||
==31436== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
|
||||
==31436== by 0x3AE900C88E: generic_gss_release_oid (oid_ops.c:103)
|
||||
==31436== by 0x3AE903BE85: spnego_gss_init_sec_context (spnego_mech.c:792)
|
||||
==31436== by 0x3AE90154CA: gss_init_sec_context (g_init_sec_context.c:210)
|
||||
---
|
||||
src/lib/gssapi/spnego/spnego_mech.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
|
||||
|
||||
[kaduk@mit.edu: CVE summary and CVSSv2 vector]
|
||||
|
||||
ticket: 7969 (new)
|
||||
target_version: 1.12.2
|
||||
tags: pullup
|
||||
|
||||
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
index 173c6d2..8f829d8 100644
|
||||
@ -40,10 +59,3 @@ index 173c6d2..8f829d8 100644
|
||||
gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
|
||||
GSS_C_NO_BUFFER);
|
||||
|
||||
--
|
||||
1.9.3
|
||||
|
||||
|
||||
--
|
||||
David Woodhouse Open Source Technology Centre
|
||||
David.Woodhouse@intel.com Intel Corporation
|
||||
|
||||
@ -1040,7 +1040,7 @@ exit 0
|
||||
%changelog
|
||||
* Wed Jul 16 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-12
|
||||
- gssapi: pull in proposed fix for a double free in initiators (David
|
||||
Woodhouse, #1117963)
|
||||
Woodhouse, CVE-2014-4343, #1117963)
|
||||
|
||||
* Sat Jul 12 2014 Tom Callaway <spot@fedoraproject.org> - 1.12.1-11
|
||||
- fix license handling
|
||||
|
||||
Loading…
Reference in New Issue
Block a user