drop patch for CVE-2014-4343, included in 1.12.2
This commit is contained in:
Nalin Dahyabhai
parent
56235f0463
commit
b234a3d334
@ -1,61 +0,0 @@
|
|||||||
commit f18ddf5d82de0ab7591a36e465bc24225776940f
|
|
||||||
Author: David Woodhouse <David.Woodhouse@intel.com>
|
|
||||||
Date: Tue Jul 15 12:54:15 2014 -0400
|
|
||||||
|
|
||||||
Fix double-free in SPNEGO [CVE-2014-4343]
|
|
||||||
|
|
||||||
In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
|
|
||||||
pointer sc->internal_mech became an alias into sc->mech_set->elements,
|
|
||||||
which should be considered constant for the duration of the SPNEGO
|
|
||||||
context. So don't free it.
|
|
||||||
|
|
||||||
CVE-2014-4343:
|
|
||||||
|
|
||||||
In MIT krb5 releases 1.10 and newer, an unauthenticated remote
|
|
||||||
attacker with the ability to spoof packets appearing to be from a
|
|
||||||
GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
|
|
||||||
(clients) which are using the SPNEGO mechanism, by returning a
|
|
||||||
different underlying mechanism than was proposed by the initiator. At
|
|
||||||
this stage of the negotiation, the acceptor is unauthenticated, and
|
|
||||||
the acceptor's response could be spoofed by an attacker with the
|
|
||||||
ability to inject traffic to the initiator.
|
|
||||||
|
|
||||||
Historically, some double-free vulnerabilities can be translated into
|
|
||||||
remote code execution, though the necessary exploits must be tailored
|
|
||||||
to the individual application and are usually quite
|
|
||||||
complicated. Double-frees can also be exploited to cause an
|
|
||||||
application crash, for a denial of service. However, most GSSAPI
|
|
||||||
client applications are not vulnerable, as the SPNEGO mechanism is not
|
|
||||||
used by default (when GSS_C_NO_OID is passed as the mech_type argument
|
|
||||||
to gss_init_sec_context()). The most common use of SPNEGO is for
|
|
||||||
HTTP-Negotiate, used in web browsers and other web clients. Most such
|
|
||||||
clients are believed to not offer HTTP-Negotiate by default, instead
|
|
||||||
requiring a whitelist of sites for which it may be used to be
|
|
||||||
configured. If the whitelist is configured to only allow
|
|
||||||
HTTP-Negotiate over TLS connections ("https://"), a successful
|
|
||||||
attacker must also spoof the web server's SSL certificate, due to the
|
|
||||||
way the WWW-Authenticate header is sent in a 401 (Unauthorized)
|
|
||||||
response message. Unfortunately, many instructions for enabling
|
|
||||||
HTTP-Negotiate in common web browsers do not include a TLS
|
|
||||||
requirement.
|
|
||||||
|
|
||||||
CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
|
|
||||||
|
|
||||||
[kaduk@mit.edu: CVE summary and CVSSv2 vector]
|
|
||||||
|
|
||||||
ticket: 7969 (new)
|
|
||||||
target_version: 1.12.2
|
|
||||||
tags: pullup
|
|
||||||
|
|
||||||
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
|
||||||
index 173c6d2..8f829d8 100644
|
|
||||||
--- a/src/lib/gssapi/spnego/spnego_mech.c
|
|
||||||
+++ b/src/lib/gssapi/spnego/spnego_mech.c
|
|
||||||
@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
|
|
||||||
OM_uint32 tmpmin;
|
|
||||||
size_t i;
|
|
||||||
|
|
||||||
- generic_gss_release_oid(&tmpmin, &sc->internal_mech);
|
|
||||||
gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
|
|
||||||
GSS_C_NO_BUFFER);
|
|
||||||
|
|
||||||
@ -98,7 +98,6 @@ Patch139: krb5-master-rcache-acquirecred-source.patch
|
|||||||
Patch141: krb5-master-rcache-acquirecred-test.patch
|
Patch141: krb5-master-rcache-acquirecred-test.patch
|
||||||
Patch142: krb5-master-move-otp-sockets.patch
|
Patch142: krb5-master-move-otp-sockets.patch
|
||||||
Patch145: krb5-master-mechd.patch
|
Patch145: krb5-master-mechd.patch
|
||||||
Patch148: krb5-gssapi-mech-doublefree.patch
|
|
||||||
Patch149: krb5-gssapi-spnego-deref.patch
|
Patch149: krb5-gssapi-spnego-deref.patch
|
||||||
Patch150: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt
|
Patch150: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt
|
||||||
Patch151: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt.asc
|
Patch151: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt.asc
|
||||||
@ -349,7 +348,6 @@ ln -s NOTICE LICENSE
|
|||||||
%patch141 -p1 -b .rcache-acquirecred-test
|
%patch141 -p1 -b .rcache-acquirecred-test
|
||||||
%patch142 -p1 -b .move-otp-sockets
|
%patch142 -p1 -b .move-otp-sockets
|
||||||
%patch145 -p1 -b .master-mechd
|
%patch145 -p1 -b .master-mechd
|
||||||
%patch148 -p1 -b .gssapi-mech-doublefree
|
|
||||||
%patch149 -p1 -b .gssapi-spnego-deref
|
%patch149 -p1 -b .gssapi-spnego-deref
|
||||||
%patch150 -p1 -b .2014-001
|
%patch150 -p1 -b .2014-001
|
||||||
|
|
||||||
@ -1038,6 +1036,7 @@ exit 0
|
|||||||
- drop patch for RT#7924, fixed in 1.12.2
|
- drop patch for RT#7924, fixed in 1.12.2
|
||||||
- drop patch for RT#7926, fixed in 1.12.2
|
- drop patch for RT#7926, fixed in 1.12.2
|
||||||
- drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2
|
- drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2
|
||||||
|
- drop patch for CVE-2014-4343, included in 1.12.2
|
||||||
- replace older proposed changes for ksu with backports of the changes
|
- replace older proposed changes for ksu with backports of the changes
|
||||||
after review and merging upstream (#1015559, #1026099, #1118347)
|
after review and merging upstream (#1015559, #1026099, #1118347)
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user