[krb5/f16] - apply upstream patch to fix a null pointer dereference when processing TGS requests (CVE-2011-1530
Nalin Dahyabhai
nalin at fedoraproject.org
Tue Dec 6 19:10:33 UTC 2011
commit 4a26f2bc03352f47bcc316e6731d199cdd668d45
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Tue Dec 6 14:09:54 2011 -0500
- apply upstream patch to fix a null pointer dereference when processing TGS requests (CVE-2011-1530, #753748)
2011-007-patch.txt | 40 ++++++++++++++++++++++++++++++++++++++++
krb5.spec | 8 +++++++-
2 files changed, 47 insertions(+), 1 deletions(-)
---
diff --git a/2011-007-patch.txt b/2011-007-patch.txt
new file mode 100644
index 0000000..336a4ad
--- /dev/null
+++ b/2011-007-patch.txt
@@ -0,0 +1,40 @@
+diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
+index f46cad3..102fbaa 100644
+--- a/src/kdc/Makefile.in
++++ b/src/kdc/Makefile.in
+@@ -67,6 +67,7 @@ check-unix:: rtest
+
+ check-pytests::
+ $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
++ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
+
+ install::
+ $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index c169c54..840a2ef 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -243,7 +243,8 @@ tgt_again:
+ if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
+ errcode = find_alternate_tgs(request, &server);
+ firstpass = 0;
+- goto tgt_again;
++ if (errcode == 0)
++ goto tgt_again;
+ }
+ }
+ status = "UNKNOWN_SERVER";
+diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
+new file mode 100644
+index 0000000..1760bcd
+--- /dev/null
++++ b/src/kdc/t_emptytgt.py
+@@ -0,0 +1,8 @@
++#!/usr/bin/python
++from k5test import *
++
++realm = K5Realm(start_kadmind=False, create_host=False)
++output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
++if 'not found in Kerberos database' not in output:
++ fail('TGT lookup for empty realm failed in unexpected way')
++success('Empty tgt lookup.')
diff --git a/krb5.spec b/krb5.spec
index e2a0333..b0c6ed3 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -6,7 +6,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.9.2
-Release: 3%{?dist}
+Release: 4%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -60,6 +60,7 @@ Patch86: krb5-1.9-debuginfo.patch
Patch87: krb5-1.9.1-sendto_poll2.patch
Patch89: krb5-1.9.1-sendto_poll3.patch
Patch90: krb5-1.9-aes-hmac.patch
+Patch91: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -217,6 +218,7 @@ ln -s NOTICE LICENSE
%patch87 -p1 -b .sendto_poll2
%patch89 -p1 -b .sendto_poll3
%patch90 -p1 -b .aes-hmac
+%patch91 -p1 -b .2011-007
gzip doc/*.ps
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -695,6 +697,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Tue Dec 6 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.2-4
+- apply upstream patch to fix a null pointer dereference when processing
+ TGS requests (CVE-2011-1530, #753748)
+
* Wed Nov 30 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.2-3
- correct a bug in the fix for #754001 so that the file creation context is
consistently reset
More information about the scm-commits
mailing list