From a244d8f93c578960ecdd15a172e6f45963f22462 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Mon, 4 Nov 2013 15:47:55 -0500 Subject: [PATCH] Incorporate patch for RT#7755 (CVE-2013-1418) - incorporate upstream patch for remote crash of KDCs which serve multiple realms simultaneously (RT#7755, CVE-2013-1418) --- krb5-CVE-2013-1418.patch | 35 +++++++++++++++++++++++++++++++++++ krb5.spec | 8 +++++++- 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 krb5-CVE-2013-1418.patch diff --git a/krb5-CVE-2013-1418.patch b/krb5-CVE-2013-1418.patch new file mode 100644 index 0000000..593c02c --- /dev/null +++ b/krb5-CVE-2013-1418.patch @@ -0,0 +1,35 @@ +Adjusted to apply to 1.11.3. + +commit 5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf +Author: Tom Yu +Date: Mon Nov 4 13:44:29 2013 -0500 + + Multi-realm KDC null deref [CVE-2013-1418] + + If a KDC serves multiple realms, certain requests can cause + setup_server_realm() to dereference a null pointer, crashing the KDC. + + CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C + + A related but more minor vulnerability requires authentication to + exploit, and is only present if a third-party KDC database module can + dereference a null pointer under certain conditions. + + ticket: 7755 (new) + target_version: 1.12 + tags: pullup + +diff --git a/src/kdc/main.c b/src/kdc/main.c +index 0f5961a..a7ffe63 100644 +--- a/src/kdc/main.c ++++ b/src/kdc/main.c +@@ -124,6 +124,9 @@ setup_server_realm(struct server_handle *handle, krb5_principal sprinc) + kdc_realm_t **kdc_realmlist = handle->kdc_realmlist; + int kdc_numrealms = handle->kdc_numrealms; + ++ if (sprinc == NULL) ++ return NULL; ++ + kret = 0; + if (kdc_numrealms > 1) { + if (!(newrealm = find_realm_data(handle, sprinc->realm.data, diff --git a/krb5.spec b/krb5.spec index bbb1a38..fca997e 100644 --- a/krb5.spec +++ b/krb5.spec @@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.11.3 -Release: 28%{?dist} +Release: 29%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar Source0: krb5-%{version}.tar.gz @@ -108,6 +108,7 @@ Patch135: krb5-1.11-check_transited.patch Patch136: krb5-1.11.3-prompter1.patch Patch137: krb5-1.11.3-prompter2.patch Patch138: krb5-1.11.3-gss-ccache-import.patch +Patch139: krb5-CVE-2013-1418.patch # Patches for otp plugin backport Patch201: krb5-1.11.2-keycheck.patch @@ -353,6 +354,7 @@ ln -s NOTICE LICENSE %patch136 -p1 -b .prompter1 %patch137 -p1 -b .prompter2 %patch138 -p1 -b .gss-ccache-import +%patch139 -p1 -b .CVE-2013-1418 %patch201 -p1 -b .keycheck %patch202 -p1 -b .otp @@ -1004,6 +1006,10 @@ exit 0 %{_sbindir}/uuserver %changelog +* Mon Nov 4 2013 Nalin Dahyabhai - 1.11.3-29 +- incorporate upstream patch for remote crash of KDCs which serve multiple + realms simultaneously (RT#7755, CVE-2013-1418) + * Mon Nov 4 2013 Nalin Dahyabhai - 1.11.3-28 - drop patch to add additional access() checks to ksu - they add to breakage when non-FILE: caches are in use (#1026099), shouldn't be resulting in any