Add proposed fix for a double-free in gss clients
- gssapi: pull in proposed fix for a double free in initiators (David Woodhouse, #1117963)
parent
79897b3c5d
commit
9594be4f3a
49
krb5-gssapi-mech-doublefree.patch
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
From: David Woodhouse <David.Woodhouse@intel.com>
|
||||||
|
|
||||||
|
In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
|
||||||
|
pointer sc->internal_mech became an alias into sc->mech_set->elements[],
|
||||||
|
which should be considered constant for the duration of the SPNEGO
|
||||||
|
context.
|
||||||
|
|
||||||
|
So don't free it.
|
||||||
|
|
||||||
|
This led to the obvious crashes in the allocator, and also to strange
|
||||||
|
behaviour with Firefox failing to fall back to alternative mechanisms
|
||||||
|
when it should have done.
|
||||||
|
|
||||||
|
https://bugzilla.redhat.com/show_bug.cgi?id=1117963
|
||||||
|
|
||||||
|
==31436== Invalid free() / delete / delete[] / realloc()
|
||||||
|
==31436== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
|
||||||
|
==31436== by 0x3AE900D6B9: generic_gss_release_oid_set (gssapi_alloc.h:93)
|
||||||
|
==31436== by 0x3AE903775F: release_spnego_ctx (spnego_mech.c:2895)
|
||||||
|
==31436== by 0x3AE9037830: spnego_gss_delete_sec_context (spnego_mech.c:2164)
|
||||||
|
==31436== by 0x3AE9012292: gss_delete_sec_context (g_delete_sec_context.c:90)
|
||||||
|
==31436== Address 0x4fb5510 is 0 bytes inside a block of size 80 free'd
|
||||||
|
==31436== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
|
||||||
|
==31436== by 0x3AE900C88E: generic_gss_release_oid (oid_ops.c:103)
|
||||||
|
==31436== by 0x3AE903BE85: spnego_gss_init_sec_context (spnego_mech.c:792)
|
||||||
|
==31436== by 0x3AE90154CA: gss_init_sec_context (g_init_sec_context.c:210)
|
||||||
|
---
|
||||||
|
src/lib/gssapi/spnego/spnego_mech.c | 1 -
|
||||||
|
1 file changed, 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
||||||
|
index 173c6d2..8f829d8 100644
|
||||||
|
--- a/src/lib/gssapi/spnego/spnego_mech.c
|
||||||
|
+++ b/src/lib/gssapi/spnego/spnego_mech.c
|
||||||
|
@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
|
||||||
|
OM_uint32 tmpmin;
|
||||||
|
size_t i;
|
||||||
|
|
||||||
|
- generic_gss_release_oid(&tmpmin, &sc->internal_mech);
|
||||||
|
gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
|
||||||
|
GSS_C_NO_BUFFER);
|
||||||
|
|
||||||
|
--
|
||||||
|
1.9.3
|
||||||
|
|
||||||
|
|
||||||
|
--
|
||||||
|
David Woodhouse Open Source Technology Centre
|
||||||
|
David.Woodhouse@intel.com Intel Corporation
|
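Review bot: In init_ctx_reselect, dropping the generic_gss_release_oid(&tmpmin, &sc->internal_mech) call leaves nothing at that spot to say why sc->internal_mech is not released before gss_delete_sec_context. The patch description explains that since cd7d6b08 the pointer aliases sc->mech_set->elements[], and the valgrind trace shows the set being released later via release_spnego_ctx, so a one-line comment here stating that internal_mech is borrowed from sc->mech_set and must not be freed would keep the call from being reintroduced. The hunk touches only this one function; it is worth confirming that no other path still releases sc->internal_mech directly, since any such call would produce the same invalid free.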
@ -41,7 +41,7 @@
|
|||||||
Summary: The Kerberos network authentication system
|
Summary: The Kerberos network authentication system
|
||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.12.1
|
Version: 1.12.1
|
||||||
Release: 11%{?dist}
|
Release: 12%{?dist}
|
||||||
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||||
# http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.1-signed.tar
|
# http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.1-signed.tar
|
||||||
Source0: krb5-%{version}.tar.gz
|
Source0: krb5-%{version}.tar.gz
|
||||||
@ -106,6 +106,7 @@ Patch144: krb5-1.12-tcl86.patch
|
|||||||
Patch145: krb5-master-mechd.patch
|
Patch145: krb5-master-mechd.patch
|
||||||
Patch146: krb5-1.12-CVE-2014-4341_4342.patch
|
Patch146: krb5-1.12-CVE-2014-4341_4342.patch
|
||||||
Patch147: krb5-1.12-CVE-2014-4341_4342-tests.patch
|
Patch147: krb5-1.12-CVE-2014-4341_4342-tests.patch
|
||||||
|
Patch148: krb5-gssapi-mech-doublefree.patch
|
||||||
Patch201: 0001-Don-t-try-to-stat-not-on-disk-ccache-residuals.patch
|
Patch201: 0001-Don-t-try-to-stat-not-on-disk-ccache-residuals.patch
|
||||||
Patch202: 0002-Use-an-in-memory-cache-until-we-need-the-target-s.patch
|
Patch202: 0002-Use-an-in-memory-cache-until-we-need-the-target-s.patch
|
||||||
Patch203: 0003-Learn-to-destroy-the-ccache-we-re-copying-from.patch
|
Patch203: 0003-Learn-to-destroy-the-ccache-we-re-copying-from.patch
|
||||||
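Review bot: The added Patch148 line has no comment saying where the patch came from or what its upstream status is, and unlike its neighbours (krb5-1.12-..., krb5-master-...) the file name does not indicate which base it was made against. Since the changelog describes it as a proposed fix, a comment line above Patch148 pointing at https://bugzilla.redhat.com/show_bug.cgi?id=1117963 and recording its upstream status would tell whoever rebases the package when it can be dropped.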
@ -360,6 +361,7 @@ ln -s NOTICE LICENSE
|
|||||||
%patch145 -p1 -b .master-mechd
|
%patch145 -p1 -b .master-mechd
|
||||||
%patch146 -p1 -b .CVE-2014-4341_4342
|
%patch146 -p1 -b .CVE-2014-4341_4342
|
||||||
%patch147 -p1 -b .CVE-2014-4341_4342
|
%patch147 -p1 -b .CVE-2014-4341_4342
|
||||||
|
%patch148 -p1 -b .gssapi-mech-doublefree
|
||||||
|
|
||||||
# Take the execute bit off of documentation.
|
# Take the execute bit off of documentation.
|
||||||
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
|
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
|
||||||
@ -1036,6 +1038,10 @@ exit 0
|
|||||||
%{_sbindir}/uuserver
|
%{_sbindir}/uuserver
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 16 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-12
|
||||||
|
- gssapi: pull in proposed fix for a double free in initiators (David
|
||||||
|
Woodhouse, #1117963)
|
||||||
|
|
||||||
* Sat Jul 12 2014 Tom Callaway <spot@fedoraproject.org> - 1.12.1-11
|
* Sat Jul 12 2014 Tom Callaway <spot@fedoraproject.org> - 1.12.1-11
|
||||||
- fix license handling
|
- fix license handling
|
||||||
|
|
||||||
|