Add proposed fix for a double-free in gss clients

- gssapi: pull in proposed fix for a double free in initiators (David Woodhouse, #1117963)
2014-07-16 15:14:38 -04:00 · 2014-07-16 15:14:38 -04:00 · 9594be4f3a
commit 9594be4f3a
parent 79897b3c5d
2 changed files with 56 additions and 1 deletions
--- a/krb5-gssapi-mech-doublefree.patch
+++ b/krb5-gssapi-mech-doublefree.patch
@ -0,0 +1,49 @@
 From: David Woodhouse <David.Woodhouse@intel.com>
 In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
 pointer sc->internal_mech became an alias into sc->mech_set->elements[],
 which should be considered constant for the duration of the SPNEGO
 context.
 So don't free it.
 This led to the obvious crashes in the allocator, and also to strange
 behaviour with Firefox failing to fall back to alternative mechanisms
 when it should have done.
 https://bugzilla.redhat.com/show_bug.cgi?id=1117963
 ==31436== Invalid free() / delete / delete[] / realloc()
 ==31436==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==31436==    by 0x3AE900D6B9: generic_gss_release_oid_set (gssapi_alloc.h:93)
 ==31436==    by 0x3AE903775F: release_spnego_ctx (spnego_mech.c:2895)
 ==31436==    by 0x3AE9037830: spnego_gss_delete_sec_context (spnego_mech.c:2164)
 ==31436==    by 0x3AE9012292: gss_delete_sec_context (g_delete_sec_context.c:90)
 ==31436==  Address 0x4fb5510 is 0 bytes inside a block of size 80 free'd
 ==31436==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==31436==    by 0x3AE900C88E: generic_gss_release_oid (oid_ops.c:103)
 ==31436==    by 0x3AE903BE85: spnego_gss_init_sec_context (spnego_mech.c:792)
 ==31436==    by 0x3AE90154CA: gss_init_sec_context (g_init_sec_context.c:210)
 ---
 src/lib/gssapi/spnego/spnego_mech.c | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
 index 173c6d2..8f829d8 100644
 --- a/src/lib/gssapi/spnego/spnego_mech.c
 +++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
 	OM_uint32 tmpmin;
 	size_t i;
 -	generic_gss_release_oid(&tmpmin, &sc->internal_mech);
 	gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
 			       GSS_C_NO_BUFFER);
 -- 
 1.9.3
 -- 
 David Woodhouse                            Open Source Technology Centre
 David.Woodhouse@intel.com                              Intel Corporation
--- a/krb5.spec
+++ b/krb5.spec
@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.12.1
-Release: 11%{?dist}
+Release: 12%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -106,6 +106,7 @@ Patch144: krb5-1.12-tcl86.patch
 Patch145: krb5-master-mechd.patch
 Patch146: krb5-1.12-CVE-2014-4341_4342.patch
 Patch147: krb5-1.12-CVE-2014-4341_4342-tests.patch
 Patch148: krb5-gssapi-mech-doublefree.patch
 Patch201: 0001-Don-t-try-to-stat-not-on-disk-ccache-residuals.patch
 Patch202: 0002-Use-an-in-memory-cache-until-we-need-the-target-s.patch
 Patch203: 0003-Learn-to-destroy-the-ccache-we-re-copying-from.patch
@ -360,6 +361,7 @@ ln -s NOTICE LICENSE
 %patch145 -p1 -b .master-mechd
 %patch146 -p1 -b .CVE-2014-4341_4342
 %patch147 -p1 -b .CVE-2014-4341_4342
 %patch148 -p1 -b .gssapi-mech-doublefree
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -1036,6 +1038,10 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
 * Wed Jul 16 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-12
 - gssapi: pull in proposed fix for a double free in initiators (David
  Woodhouse, #1117963)
 * Sat Jul 12 2014 Tom Callaway <spot@fedoraproject.org> - 1.12.1-11
 - fix license handling