From 7880fca0ad3fe45d262f8caf211f13716ed2870a Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Fri, 15 Aug 2014 15:02:04 -0400
Subject: [PATCH] drop patch for CVE-2014-4344, included in 1.12.2
---
 krb5-gssapi-spnego-deref.patch | 44 ----------------------------------
 krb5.spec | 3 +--
 2 files changed, 1 insertion(+), 46 deletions(-)
 delete mode 100644 krb5-gssapi-spnego-deref.patch
diff --git a/krb5-gssapi-spnego-deref.patch b/krb5-gssapi-spnego-deref.patch
deleted file mode 100644
index b529d03..0000000
--- a/krb5-gssapi-spnego-deref.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-commit 524688ce87a15fc75f87efc8c039ba4c7d5c197b
-Author: Greg Hudson
-Date: Tue Jul 15 12:56:01 2014 -0400
-
- Fix null deref in SPNEGO acceptor [CVE-2014-4344]
-
- When processing a continuation token, acc_ctx_cont was dereferencing
- the initial byte of the token without checking the length. This could
- result in a null dereference.
-
- CVE-2014-4344:
-
- In MIT krb5 1.5 and newer, an unauthenticated or partially
- authenticated remote attacker can cause a NULL dereference and
- application crash during a SPNEGO negotiation by sending an empty
- token as the second or later context token from initiator to acceptor.
- The attacker must provide at least one valid context token in the
- security context negotiation before sending the empty token. This can
- be done by an unauthenticated attacker by forcing SPNEGO to
- renegotiate the underlying mechanism, or by using IAKERB to wrap an
- unauthenticated AS-REQ as the first token.
-
- CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
-
- [kaduk@mit.edu: CVE summary, CVSSv2 vector]
-
- ticket: 7970 (new)
- subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
- target_version: 1.12.2
- tags: pullup
-
-diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
-index 8f829d8..2aa6810 100644
---- a/src/lib/gssapi/spnego/spnego_mech.c
-+++ b/src/lib/gssapi/spnego/spnego_mech.c
-@@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat,
-
- ptr = bufstart = buf->value;
- #define REMAIN (buf->length - (ptr - bufstart))
-- if (REMAIN > INT_MAX)
-+ if (REMAIN == 0 || REMAIN > INT_MAX)
- return GSS_S_DEFECTIVE_TOKEN;
-
- /*
diff --git a/krb5.spec b/krb5.spec
index 5734700..0e7c740 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -98,7 +98,6 @@ Patch139: krb5-master-rcache-acquirecred-source.patch
 Patch141: krb5-master-rcache-acquirecred-test.patch
 Patch142: krb5-master-move-otp-sockets.patch
 Patch145: krb5-master-mechd.patch
-Patch149: krb5-gssapi-spnego-deref.patch
 Patch150: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt
 Patch151: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt.asc
 Patch201: 0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch
@@ -348,7 +347,6 @@ ln -s NOTICE LICENSE
 %patch141 -p1 -b .rcache-acquirecred-test
 %patch142 -p1 -b .move-otp-sockets
 %patch145 -p1 -b .master-mechd
-%patch149 -p1 -b .gssapi-spnego-deref
 %patch150 -p1 -b .2014-001
 # Take the execute bit off of documentation.
@@ -1037,6 +1035,7 @@ exit 0
 - drop patch for RT#7926, fixed in 1.12.2
 - drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2
 - drop patch for CVE-2014-4343, included in 1.12.2
+ - drop patch for CVE-2014-4344, included in 1.12.2
 - replace older proposed changes for ksu with backports of the changes after review and merging upstream (#1015559, #1026099, #1118347)
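Review bot: Dropping `Patch149: krb5-gssapi-spnego-deref.patch` here (and `%patch149 -p1 -b .gssapi-spnego-deref` in the next hunk) is only sound if the source tarball this spec builds is already 1.12.2 or later, the release the commit says carries the CVE-2014-4344 fix; the `Version:`/`Source` lines that would establish that are outside these hunks, so confirm they were bumped in this commit or an earlier one. If the version had not moved, the acceptor-side `REMAIN == 0` check would simply no longer be applied and rpmbuild would give no indication, since no patch fails to apply. The changelog entry added in the third hunk records the rationale; it would be more traceable if it also named the upstream commit that was carried in the removed file, `524688ce87a15fc75f87efc8c039ba4c7d5c197b`, since the local copy of that patch is gone.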