- kadmind: add upstream patch to fix free() on an invalid pointer (MITKRB5-SA-2011-004, CVE-2011-0285)

2011-04-13 15:38:22 -04:00 · 2011-04-13 15:38:22 -04:00 · 301c9d3ae2
commit 301c9d3ae2
parent 5ad8efcad5
2 changed files with 46 additions and 1 deletions
--- a/2011-004-patch.txt
+++ b/2011-004-patch.txt
@ -0,0 +1,39 @@
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index 1124445..0056885 100644
+--- a/src/kadmin/server/schpw.c
+++ b/src/kadmin/server/schpw.c
+@@ -52,6 +52,7 @@ process_chpw_request(context, server_handle, realm, keytab,
+ 
+     ret = 0;
+     rep->length = 0;
+    rep->data = NULL;
+ 
+     auth_context = NULL;
+     changepw = NULL;
+@@ -76,8 +77,13 @@ process_chpw_request(context, server_handle, realm, keytab,
+     plen = (*ptr++ & 0xff);
+     plen = (plen<<8) | (*ptr++ & 0xff);
+ 
+-    if (plen != req->length)
+-        return(KRB5KRB_AP_ERR_MODIFIED);
+    if (plen != req->length) {
+        ret = KRB5KRB_AP_ERR_MODIFIED;
+        numresult = KRB5_KPASSWD_MALFORMED;
+        strlcpy(strresult, "Request length was inconsistent",
+                sizeof(strresult));
+        goto chpwfail;
+    }
+ 
+     /* verify version number */
+ 
+@@ -531,6 +537,10 @@ cleanup:
+     if (local_kaddrs != NULL)
+         krb5_free_addresses(server_handle->context, local_kaddrs);
+ 
+    if ((*response)->data == NULL) {
+        free(*response);
+        *response = NULL;
+    }
+     krb5_kt_close(server_handle->context, kt);
+ 
+     return ret;
--- a/krb5.spec
+++ b/krb5.spec
@ -6,7 +6,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.9
-Release: 8%{?dist}
+Release: 9%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -55,6 +55,7 @@ Patch75: krb5-pkinit-debug.patch
 Patch76: http://web.mit.edu/kerberos/advisories/2011-003-patch.txt
 Patch77: krb5-1.9-paren.patch
 Patch78: krb5-trunk-chpw-err.patch
+Patch79: http://web.mit.edu/kerberos/advisories/2011-004-patch.txt

 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -201,6 +202,7 @@ ln -s NOTICE LICENSE
 %patch76 -p1 -b .2011-003
 %patch77 -p1 -b .paren
 %patch78 -p0 -b .chpw-err
+%patch79 -p1 -b .2011-004
 gzip doc/*.ps

 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@ -659,6 +661,10 @@ exit 0
 %{_sbindir}/uuserver

 %changelog
+* Wed Apr 13 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-9
+- kadmind: add upstream patch to fix free() on an invalid pointer
+  (MITKRB5-SA-2011-004, CVE-2011-0285)
+
 * Mon Apr  4 2011 Nalin Dahyabhai <nalin@redhat.com>
 - don't discard the error code from an error message received in response
  to a change-password request (#658871, RT#6893)