rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

drop patch for CVE-2014-4343, included in 1.12.2

Browse Source
This commit is contained in:
Nalin Dahyabhai 2014-08-15 15:01:01 -04:00
parent 56235f0463
commit b234a3d334
2 changed files with 1 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
krb5-gssapi-mech-doublefree.patch
View File

@ -1,61 +0,0 @@
commit f18ddf5d82de0ab7591a36e465bc24225776940f
Author: David Woodhouse <David.Woodhouse@intel.com>
Date: Tue Jul 15 12:54:15 2014 -0400
Fix double-free in SPNEGO [CVE-2014-4343]
In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
pointer sc->internal_mech became an alias into sc->mech_set->elements,
which should be considered constant for the duration of the SPNEGO
context. So don't free it.
CVE-2014-4343:
In MIT krb5 releases 1.10 and newer, an unauthenticated remote
attacker with the ability to spoof packets appearing to be from a
GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
(clients) which are using the SPNEGO mechanism, by returning a
different underlying mechanism than was proposed by the initiator. At
this stage of the negotiation, the acceptor is unauthenticated, and
the acceptor's response could be spoofed by an attacker with the
ability to inject traffic to the initiator.
Historically, some double-free vulnerabilities can be translated into
remote code execution, though the necessary exploits must be tailored
to the individual application and are usually quite
complicated. Double-frees can also be exploited to cause an
application crash, for a denial of service. However, most GSSAPI
client applications are not vulnerable, as the SPNEGO mechanism is not
used by default (when GSS_C_NO_OID is passed as the mech_type argument
to gss_init_sec_context()). The most common use of SPNEGO is for
HTTP-Negotiate, used in web browsers and other web clients. Most such
clients are believed to not offer HTTP-Negotiate by default, instead
requiring a whitelist of sites for which it may be used to be
configured. If the whitelist is configured to only allow
HTTP-Negotiate over TLS connections ("https://"), a successful
attacker must also spoof the web server's SSL certificate, due to the
way the WWW-Authenticate header is sent in a 401 (Unauthorized)
response message. Unfortunately, many instructions for enabling
HTTP-Negotiate in common web browsers do not include a TLS
requirement.
CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
[kaduk@mit.edu: CVE summary and CVSSv2 vector]
ticket: 7969 (new)
target_version: 1.12.2
tags: pullup
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 173c6d2..8f829d8 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
OM_uint32 tmpmin;
size_t i;
- generic_gss_release_oid(&tmpmin, &sc->internal_mech);
gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
GSS_C_NO_BUFFER);

3
krb5.spec
View File

@ -98,7 +98,6 @@ Patch139: krb5-master-rcache-acquirecred-source.patch
Patch141: krb5-master-rcache-acquirecred-test.patch
Patch142: krb5-master-move-otp-sockets.patch
Patch145: krb5-master-mechd.patch
Patch148: krb5-gssapi-mech-doublefree.patch
Patch149: krb5-gssapi-spnego-deref.patch
Patch150: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt
Patch151: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt.asc
@ -349,7 +348,6 @@ ln -s NOTICE LICENSE
%patch141 -p1 -b .rcache-acquirecred-test
%patch142 -p1 -b .move-otp-sockets
%patch145 -p1 -b .master-mechd
%patch148 -p1 -b .gssapi-mech-doublefree
%patch149 -p1 -b .gssapi-spnego-deref
%patch150 -p1 -b .2014-001
@ -1038,6 +1036,7 @@ exit 0
- drop patch for RT#7924, fixed in 1.12.2
- drop patch for RT#7926, fixed in 1.12.2
- drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2
- drop patch for CVE-2014-4343, included in 1.12.2
- replace older proposed changes for ksu with backports of the changes
after review and merging upstream (#1015559, #1026099, #1118347)