[krb5/f14/master] - kadmind: add upstream patch to fix free() on an invalid pointer (MITKRB5-SA-2011-004, CVE-2011-0285)
Nalin Dahyabhai
nalin at fedoraproject.org
Wed Apr 13 18:51:30 UTC 2011
commit 22137954a641cbd0e5eedf30a295e5876d0fe445
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Wed Apr 13 14:46:20 2011 -0400
- kadmind: add upstream patch to fix free() on an invalid pointer (MITKRB5-SA-2011-004, CVE-2011-0285)
2011-004-patch-r18.txt | 35 +++++++++++++++++++++++++++++++++++
krb5.spec | 8 +++++++-
2 files changed, 42 insertions(+), 1 deletions(-)
---
diff --git a/2011-004-patch-r18.txt b/2011-004-patch-r18.txt
new file mode 100644
index 0000000..43daa9b
--- /dev/null
+++ b/2011-004-patch-r18.txt
@@ -0,0 +1,35 @@
+diff --git a/src/kadmin/server/network.c b/src/kadmin/server/network.c
+index c8ce4f1..bb911ff 100644
+--- a/src/kadmin/server/network.c
++++ b/src/kadmin/server/network.c
+@@ -1384,6 +1384,10 @@ cleanup:
+ if (local_kaddrs != NULL)
+ krb5_free_addresses(server_handle->context, local_kaddrs);
+
++ if ((*response)->data == NULL) {
++ free(*response);
++ *response = NULL;
++ }
+ krb5_kt_close(server_handle->context, kt);
+
+ return ret;
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index c1b2217..992b55f 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -74,8 +74,13 @@ process_chpw_request(context, server_handle, realm, keytab,
+ plen = (*ptr++ & 0xff);
+ plen = (plen<<8) | (*ptr++ & 0xff);
+
+- if (plen != req->length)
+- return(KRB5KRB_AP_ERR_MODIFIED);
++ if (plen != req->length) {
++ ret = KRB5KRB_AP_ERR_MODIFIED;
++ numresult = KRB5_KPASSWD_MALFORMED;
++ strlcpy(strresult, "Request length was inconsistent",
++ sizeof(strresult));
++ goto chpwfail;
++ }
+
+ /* verify version number */
+
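Review bot: The cleanup added in the network.c hunk dereferences `*response` before testing its `data` member, so it assumes `*response` is always non-NULL once `cleanup:` is reached; if any earlier failure path jumps to `cleanup` before the response object is allocated, this becomes a NULL dereference. A guard such as `if (*response != NULL && (*response)->data == NULL) {` is cheaper than auditing every `goto cleanup` in the function, whose body lies outside the hunk. The new check also only does its job if the allocation site sets `(*response)->data` to NULL up front — with a plain `malloc` the member is indeterminate and the free-on-invalid-pointer this patch targets would survive — and that allocation is not visible here, so it should be confirmed. In the schpw.c hunk the new `goto chpwfail` jumps from near the top of process_chpw_request to its shared failure path, so every local that path releases must already be initialized at the point of the length check; both the rest of the function and the `chpwfail:` label are outside the hunk.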
diff --git a/krb5.spec b/krb5.spec
index fdb817b..26af8a7 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -5,7 +5,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.8.2
-Release: 9%{?dist}
+Release: 10%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.8/krb5-1.8.2-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -61,6 +61,7 @@ Patch82: http://web.mit.edu/kerberos/advisories/2011-001-patch.txt
Patch83: http://web.mit.edu/kerberos/advisories/2011-002-patch.txt
Patch84: http://web.mit.edu/kerberos/advisories/2011-003-patch.txt
Patch85: krb5-1.9-paren.patch
+Patch86: http://web.mit.edu/kerberos/advisories/2011-004-patch-r18.txt
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -212,6 +213,7 @@ ln -s NOTICE LICENSE
%patch83 -p1 -b .2011-002
%patch84 -p1 -b .2011-003
%patch85 -p1 -b .paren
+%patch86 -p1 -b .2011-004
gzip doc/*.ps
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -663,6 +665,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Wed Apr 13 2011 Nalin Dahyabhai <nalin at redhat.com> 1.8.2-10
+- kadmind: add upstream patch to fix free() on an invalid pointer
+ (MITKRB5-SA-2011-004, CVE-2011-0285)
+
* Fri Mar 18 2011 Nalin Dahyabhai <nalin at redhat.com>
- backport change from SVN to fix a computed-value-not-used warning in
kpropd (#684065)
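Review bot: `Patch86` points at the advisory file over plain http:// while the build consumes the copy committed in this change as `2011-004-patch-r18.txt`, and nothing in the spec records that the two are meant to be the same bytes. A comment above the Patch86 line, e.g. `# local copy of the upstream MITKRB5-SA-2011-004 patch (r18); keep identical to the advisory file`, tells future maintainers where the file came from and what to re-check if the advisory is revised. The `-p1` strip in `%patch86` matches the `a/src/...` prefixes in the committed patch and is consistent with the sibling advisory patches above it.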