rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

drop patch for CVE-2014-4344, included in 1.12.2

Browse Source
This commit is contained in:
Nalin Dahyabhai 2014-08-15 15:02:04 -04:00
parent b234a3d334
commit 7880fca0ad
2 changed files with 1 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
krb5-gssapi-spnego-deref.patch
View File

@ -1,44 +0,0 @@
commit 524688ce87a15fc75f87efc8c039ba4c7d5c197b
Author: Greg Hudson <ghudson@mit.edu>
Date: Tue Jul 15 12:56:01 2014 -0400
Fix null deref in SPNEGO acceptor [CVE-2014-4344]
When processing a continuation token, acc_ctx_cont was dereferencing
the initial byte of the token without checking the length. This could
result in a null dereference.
CVE-2014-4344:
In MIT krb5 1.5 and newer, an unauthenticated or partially
authenticated remote attacker can cause a NULL dereference and
application crash during a SPNEGO negotiation by sending an empty
token as the second or later context token from initiator to acceptor.
The attacker must provide at least one valid context token in the
security context negotiation before sending the empty token. This can
be done by an unauthenticated attacker by forcing SPNEGO to
renegotiate the underlying mechanism, or by using IAKERB to wrap an
unauthenticated AS-REQ as the first token.
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
[kaduk@mit.edu: CVE summary, CVSSv2 vector]
ticket: 7970 (new)
subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
target_version: 1.12.2
tags: pullup
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 8f829d8..2aa6810 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat,
ptr = bufstart = buf->value;
#define REMAIN (buf->length - (ptr - bufstart))
- if (REMAIN > INT_MAX)
+ if (REMAIN == 0 || REMAIN > INT_MAX)
return GSS_S_DEFECTIVE_TOKEN;
/*

3
krb5.spec
View File

@ -98,7 +98,6 @@ Patch139: krb5-master-rcache-acquirecred-source.patch
Patch141: krb5-master-rcache-acquirecred-test.patch Patch141: krb5-master-rcache-acquirecred-test.patch
Patch142: krb5-master-move-otp-sockets.patch Patch142: krb5-master-move-otp-sockets.patch
Patch145: krb5-master-mechd.patch Patch145: krb5-master-mechd.patch
Patch149: krb5-gssapi-spnego-deref.patch
Patch150: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt Patch150: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt
Patch151: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt.asc Patch151: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt.asc
Patch201: 0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch Patch201: 0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch
@ -348,7 +347,6 @@ ln -s NOTICE LICENSE
%patch141 -p1 -b .rcache-acquirecred-test %patch141 -p1 -b .rcache-acquirecred-test
%patch142 -p1 -b .move-otp-sockets %patch142 -p1 -b .move-otp-sockets
%patch145 -p1 -b .master-mechd %patch145 -p1 -b .master-mechd
%patch149 -p1 -b .gssapi-spnego-deref
%patch150 -p1 -b .2014-001 %patch150 -p1 -b .2014-001
# Take the execute bit off of documentation. # Take the execute bit off of documentation.
@ -1037,6 +1035,7 @@ exit 0
- drop patch for RT#7926, fixed in 1.12.2 - drop patch for RT#7926, fixed in 1.12.2
- drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2 - drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2
- drop patch for CVE-2014-4343, included in 1.12.2 - drop patch for CVE-2014-4343, included in 1.12.2
- drop patch for CVE-2014-4344, included in 1.12.2
- replace older proposed changes for ksu with backports of the changes - replace older proposed changes for ksu with backports of the changes
after review and merging upstream (#1015559, #1026099, #1118347) after review and merging upstream (#1015559, #1026099, #1118347)