From 9594be4f3aa19c5c1d8868cfe13163e93782bef5 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Wed, 16 Jul 2014 15:14:38 -0400 Subject: [PATCH] Add proposed fix for a double-free in gss clients - gssapi: pull in proposed fix for a double free in initiators (David Woodhouse, #1117963) --- krb5-gssapi-mech-doublefree.patch | 49 +++++++++++++++++++++++++++++++ krb5.spec | 8 ++++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 krb5-gssapi-mech-doublefree.patch diff --git a/krb5-gssapi-mech-doublefree.patch b/krb5-gssapi-mech-doublefree.patch new file mode 100644 index 0000000..c020fca --- /dev/null +++ b/krb5-gssapi-mech-doublefree.patch @@ -0,0 +1,49 @@ +From: David Woodhouse + +In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the +pointer sc->internal_mech became an alias into sc->mech_set->elements[], +which should be considered constant for the duration of the SPNEGO +context. + +So don't free it. + +This led to the obvious crashes in the allocator, and also to strange +behaviour with Firefox failing to fall back to alternative mechanisms +when it should have done. + +https://bugzilla.redhat.com/show_bug.cgi?id=1117963 + +==31436== Invalid free() / delete / delete[] / realloc() +==31436== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) +==31436== by 0x3AE900D6B9: generic_gss_release_oid_set (gssapi_alloc.h:93) +==31436== by 0x3AE903775F: release_spnego_ctx (spnego_mech.c:2895) +==31436== by 0x3AE9037830: spnego_gss_delete_sec_context (spnego_mech.c:2164) +==31436== by 0x3AE9012292: gss_delete_sec_context (g_delete_sec_context.c:90) +==31436== Address 0x4fb5510 is 0 bytes inside a block of size 80 free'd +==31436== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) +==31436== by 0x3AE900C88E: generic_gss_release_oid (oid_ops.c:103) +==31436== by 0x3AE903BE85: spnego_gss_init_sec_context (spnego_mech.c:792) +==31436== by 0x3AE90154CA: gss_init_sec_context (g_init_sec_context.c:210) +--- + src/lib/gssapi/spnego/spnego_mech.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index 173c6d2..8f829d8 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc, + OM_uint32 tmpmin; + size_t i; + +- generic_gss_release_oid(&tmpmin, &sc->internal_mech); + gss_delete_sec_context(&tmpmin, &sc->ctx_handle, + GSS_C_NO_BUFFER); + +-- +1.9.3 + + +-- +David Woodhouse Open Source Technology Centre +David.Woodhouse@intel.com Intel Corporation diff --git a/krb5.spec b/krb5.spec index 778d4fa..09e914e 100644 --- a/krb5.spec +++ b/krb5.spec @@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.12.1 -Release: 11%{?dist} +Release: 12%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.1-signed.tar Source0: krb5-%{version}.tar.gz @@ -106,6 +106,7 @@ Patch144: krb5-1.12-tcl86.patch Patch145: krb5-master-mechd.patch Patch146: krb5-1.12-CVE-2014-4341_4342.patch Patch147: krb5-1.12-CVE-2014-4341_4342-tests.patch +Patch148: krb5-gssapi-mech-doublefree.patch Patch201: 0001-Don-t-try-to-stat-not-on-disk-ccache-residuals.patch Patch202: 0002-Use-an-in-memory-cache-until-we-need-the-target-s.patch Patch203: 0003-Learn-to-destroy-the-ccache-we-re-copying-from.patch @@ -360,6 +361,7 @@ ln -s NOTICE LICENSE %patch145 -p1 -b .master-mechd %patch146 -p1 -b .CVE-2014-4341_4342 %patch147 -p1 -b .CVE-2014-4341_4342 +%patch148 -p1 -b .gssapi-mech-doublefree # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -1036,6 +1038,10 @@ exit 0 %{_sbindir}/uuserver %changelog +* Wed Jul 16 2014 Nalin Dahyabhai - 1.12.1-12 +- gssapi: pull in proposed fix for a double free in initiators (David + Woodhouse, #1117963) + * Sat Jul 12 2014 Tom Callaway - 1.12.1-11 - fix license handling