[krb5/f15/master] - add revised upstream patch to fix double-free in KDC while returning typed-data with errors (CVE

Nalin Dahyabhai nalin at fedoraproject.org
Tue Mar 15 18:18:13 UTC 2011


commit 8d6d671baaf53d4f4579b6094254ab0c62d02b28
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Tue Mar 15 14:17:57 2011 -0400

    - add revised upstream patch to fix double-free in KDC while returning
      typed-data with errors (CVE-2011-0284, #674325)

 2011-003-patch.txt |   13 +++++++++++++
 krb5.spec          |    8 +++++++-
 2 files changed, 20 insertions(+), 1 deletions(-)
---
diff --git a/2011-003-patch.txt b/2011-003-patch.txt
new file mode 100644
index 0000000..c977275
--- /dev/null
+++ b/2011-003-patch.txt
@@ -0,0 +1,13 @@
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 46b5fa1..464cb6e 100644
+--- a/src/kdc/do_as_req.c
++++ b/src/kdc/do_as_req.c
+@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
+                     pad->contents = td[size]->data;
+                     pad->length = td[size]->length;
+                     pa[size] = pad;
++                    td[size]->data = NULL;
++                    td[size]->length = 0;
+                 }
+             krb5_free_typed_data(kdc_context, td);
+         }
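Review bot: the whole fix is the two added lines `td[size]->data = NULL;` and `td[size]->length = 0;` placed right after `pa[size] = pad;`, so that the `krb5_free_typed_data(kdc_context, td)` call visible at the bottom of the hunk no longer frees the buffer that `pad->contents` still references. Nothing in the hunk records that ownership of the buffer moved from `td[size]` to `pa[size]`; a one-line comment above the two assignments would protect the change from a later cleanup that "simplifies" it away, though since this file is a verbatim copy of the upstream advisory patch that comment belongs upstream rather than in the local copy.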
diff --git a/krb5.spec b/krb5.spec
index 5d63110..1275285 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -6,7 +6,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.9
-Release: 5%{?dist}
+Release: 6%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -51,6 +51,7 @@ Patch71: krb5-1.9-dirsrv-accountlock.patch
 Patch72: krb5-pkinit-cms2.patch
 Patch73: http://web.mit.edu/kerberos/advisories/2011-001-patch.txt
 Patch74: http://web.mit.edu/kerberos/advisories/2011-002-patch.txt
+Patch75: http://web.mit.edu/kerberos/advisories/2011-003-patch.txt
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
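Review bot: `Patch75` is declared by its advisory URL, but the build applies the local `2011-003-patch.txt` added in this same commit, and the commit message calls it a "revised" upstream patch. Since rpmbuild only uses the basename and does not check the file against the URL, add a comment next to `Patch75` stating which revision of the advisory patch was copied (date or checksum), so the local file can be verified against `http://web.mit.edu/kerberos/advisories/2011-003-patch.txt` later.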
@@ -190,6 +191,7 @@ ln -s NOTICE LICENSE
 %patch72 -p1 -b .pkinit_cms2
 %patch73 -p1 -b .2011-001
 %patch74 -p1 -b .2011-002
+%patch75 -p1 -b .2011-003
 gzip doc/*.ps
 
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -648,6 +650,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Tue Mar 15 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9-6
+- add revised upstream patch to fix double-free in KDC while returning
+  typed-data with errors (CVE-2011-0284, #674325)
+
 * Wed Feb  9 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9-5
 - krb5kdc init script: prototype some changes to do a quick spot-check
   of the TGS and kadmind keys and warn if there aren't any non-weak keys