Fix CVE-2016-3119 (NULL deref in LDAP module)
This commit is contained in:
Robbie Harwood
parent
7b4e88e425
commit
f0b5fc56f2
41
krb5-CVE-2016-3119.patch
Normal file
41
krb5-CVE-2016-3119.patch
Normal file
@ -0,0 +1,41 @@
|
||||
From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 14 Mar 2016 17:26:34 -0400
|
||||
Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119]
|
||||
|
||||
In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
|
||||
if there is an empty string in the db_args array. Check for this case
|
||||
and avoid dereferencing a null pointer.
|
||||
|
||||
CVE-2016-3119:
|
||||
|
||||
In MIT krb5 1.6 and later, an authenticated attacker with permission
|
||||
to modify a principal entry can cause kadmind to dereference a null
|
||||
pointer by supplying an empty DB argument to the modify_principal
|
||||
command, if kadmind is configured to use the LDAP KDB module.
|
||||
|
||||
CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
|
||||
|
||||
ticket: 8383 (new)
|
||||
target_version: 1.14-next
|
||||
target_version: 1.13-next
|
||||
tags: pullup
|
||||
---
|
||||
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
||||
index 6e591e1..79c4cf0 100644
|
||||
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
||||
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
||||
@@ -296,6 +296,7 @@ process_db_args(krb5_context context, char **db_args, xargs_t *xargs,
|
||||
if (db_args) {
|
||||
for (i=0; db_args[i]; ++i) {
|
||||
arg = strtok_r(db_args[i], "=", &arg_val);
|
||||
+ arg = (arg != NULL) ? arg : "";
|
||||
if (strcmp(arg, TKTPOLICY_ARG) == 0) {
|
||||
dptr = &xargs->tktpolicydn;
|
||||
} else {
|
||||
--
|
||||
2.7.0
|
||||
|
||||
@ -13,7 +13,7 @@
|
||||
Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.14.1
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
|
||||
# - The sources below are stored in a lookaside cache. Upload with
|
||||
@ -66,6 +66,8 @@ Patch160: krb5-1.14.1-interpose-inquire_saslname_for_mech.patch
|
||||
Patch161: krb5-1.14.1-interpose-public_oid_fixups.patch
|
||||
Patch162: krb5-1.14.2-Revisit-inquire_attrs_for_mech-on-old-mechs.patch
|
||||
|
||||
Patch163: krb5-CVE-2016-3119.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
Group: System Environment/Libraries
|
||||
@ -247,6 +249,8 @@ ln NOTICE LICENSE
|
||||
%patch161 -p1 -b .interpose-public_oid_fixups
|
||||
%patch162 -p1 -b .inquire_attrs_for_mech-on-old-mechs
|
||||
|
||||
%patch163 -p1 -b .CVE-2016-3119
|
||||
|
||||
# Take the execute bit off of documentation.
|
||||
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
|
||||
|
||||
@ -768,6 +772,9 @@ exit 0
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Mar 18 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-3
|
||||
- Fix CVE-2016-3119 (NULL deref in LDAP module)
|
||||
|
||||
* Thu Mar 17 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-2
|
||||
- Backport OID mech fix
|
||||
- Resolves: #1317609
|
||||
|
||||
Loading…
Reference in New Issue
Block a user