drop patch for CVE-2014-4343, included in 1.12.2
This commit is contained in:
parent
56235f0463
commit
b234a3d334
@ -1,61 +0,0 @@
|
||||
commit f18ddf5d82de0ab7591a36e465bc24225776940f
|
||||
Author: David Woodhouse <David.Woodhouse@intel.com>
|
||||
Date: Tue Jul 15 12:54:15 2014 -0400
|
||||
|
||||
Fix double-free in SPNEGO [CVE-2014-4343]
|
||||
|
||||
In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
|
||||
pointer sc->internal_mech became an alias into sc->mech_set->elements,
|
||||
which should be considered constant for the duration of the SPNEGO
|
||||
context. So don't free it.
|
||||
|
||||
CVE-2014-4343:
|
||||
|
||||
In MIT krb5 releases 1.10 and newer, an unauthenticated remote
|
||||
attacker with the ability to spoof packets appearing to be from a
|
||||
GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
|
||||
(clients) which are using the SPNEGO mechanism, by returning a
|
||||
different underlying mechanism than was proposed by the initiator. At
|
||||
this stage of the negotiation, the acceptor is unauthenticated, and
|
||||
the acceptor's response could be spoofed by an attacker with the
|
||||
ability to inject traffic to the initiator.
|
||||
|
||||
Historically, some double-free vulnerabilities can be translated into
|
||||
remote code execution, though the necessary exploits must be tailored
|
||||
to the individual application and are usually quite
|
||||
complicated. Double-frees can also be exploited to cause an
|
||||
application crash, for a denial of service. However, most GSSAPI
|
||||
client applications are not vulnerable, as the SPNEGO mechanism is not
|
||||
used by default (when GSS_C_NO_OID is passed as the mech_type argument
|
||||
to gss_init_sec_context()). The most common use of SPNEGO is for
|
||||
HTTP-Negotiate, used in web browsers and other web clients. Most such
|
||||
clients are believed to not offer HTTP-Negotiate by default, instead
|
||||
requiring a whitelist of sites for which it may be used to be
|
||||
configured. If the whitelist is configured to only allow
|
||||
HTTP-Negotiate over TLS connections ("https://"), a successful
|
||||
attacker must also spoof the web server's SSL certificate, due to the
|
||||
way the WWW-Authenticate header is sent in a 401 (Unauthorized)
|
||||
response message. Unfortunately, many instructions for enabling
|
||||
HTTP-Negotiate in common web browsers do not include a TLS
|
||||
requirement.
|
||||
|
||||
CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
|
||||
|
||||
[kaduk@mit.edu: CVE summary and CVSSv2 vector]
|
||||
|
||||
ticket: 7969 (new)
|
||||
target_version: 1.12.2
|
||||
tags: pullup
|
||||
|
||||
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
index 173c6d2..8f829d8 100644
|
||||
--- a/src/lib/gssapi/spnego/spnego_mech.c
|
||||
+++ b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
|
||||
OM_uint32 tmpmin;
|
||||
size_t i;
|
||||
|
||||
- generic_gss_release_oid(&tmpmin, &sc->internal_mech);
|
||||
gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
|
||||
GSS_C_NO_BUFFER);
|
||||
|
@ -98,7 +98,6 @@ Patch139: krb5-master-rcache-acquirecred-source.patch
|
||||
Patch141: krb5-master-rcache-acquirecred-test.patch
|
||||
Patch142: krb5-master-move-otp-sockets.patch
|
||||
Patch145: krb5-master-mechd.patch
|
||||
Patch148: krb5-gssapi-mech-doublefree.patch
|
||||
Patch149: krb5-gssapi-spnego-deref.patch
|
||||
Patch150: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt
|
||||
Patch151: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt.asc
|
||||
@ -349,7 +348,6 @@ ln -s NOTICE LICENSE
|
||||
%patch141 -p1 -b .rcache-acquirecred-test
|
||||
%patch142 -p1 -b .move-otp-sockets
|
||||
%patch145 -p1 -b .master-mechd
|
||||
%patch148 -p1 -b .gssapi-mech-doublefree
|
||||
%patch149 -p1 -b .gssapi-spnego-deref
|
||||
%patch150 -p1 -b .2014-001
|
||||
|
||||
@ -1038,6 +1036,7 @@ exit 0
|
||||
- drop patch for RT#7924, fixed in 1.12.2
|
||||
- drop patch for RT#7926, fixed in 1.12.2
|
||||
- drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2
|
||||
- drop patch for CVE-2014-4343, included in 1.12.2
|
||||
- replace older proposed changes for ksu with backports of the changes
|
||||
after review and merging upstream (#1015559, #1026099, #1118347)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user