[krb5/f13/master] - add revised upstream patch to fix double-free in KDC while returning typed-data with errors (CVE

Nalin Dahyabhai nalin at fedoraproject.org
Tue Mar 15 18:23:16 UTC 2011


commit dded32e20c86921913431de22b53be856d7e029f
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Tue Mar 15 14:23:32 2011 -0400

    - add revised upstream patch to fix double-free in KDC while returning
      typed-data with errors (CVE-2011-0284, #674325)

 2011-003-patch.txt |   15 +++++++++++++++
 krb5.spec          |    8 +++++++-
 2 files changed, 22 insertions(+), 1 deletions(-)
---
diff --git a/2011-003-patch.txt b/2011-003-patch.txt
new file mode 100644
index 0000000..affaf97
--- /dev/null
+++ b/2011-003-patch.txt
@@ -0,0 +1,15 @@
+Upstream patch, whitespace altered to apply.
+
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 46b5fa1..464cb6e 100644
+--- a/src/kdc/do_as_req.c
++++ b/src/kdc/do_as_req.c
+@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
+ 		pad->contents = td[size]->data;
+ 		pad->length = td[size]->length;
+ 		pa[size] = pad;
++		td[size]->data = NULL;
++		td[size]->length = 0;
+ 	    }
+ 	    krb5_free_typed_data(kdc_context, td);
+ 	}
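Review bot: The ownership handoff in this hunk is the right fix: after `pad->contents` takes the `td[size]->data` pointer, clearing `td[size]->data` and `td[size]->length` keeps the subsequent `krb5_free_typed_data(kdc_context, td)` from releasing a buffer that `pa[size]` now owns, which is the double-free being closed. Because the wrapper text says the upstream hunk was "whitespace altered to apply", confirm that the tab/space mix in the context lines (e.g. `+ 		pa[size] = pad;`) matches the 1.7.1 `do_as_req.c` exactly, otherwise the hunk will be rejected at build time rather than silently misapplied.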
diff --git a/krb5.spec b/krb5.spec
index d8f1b37..2b6aa5c 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -10,7 +10,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.7.1
-Release: 17%{?dist}
+Release: 18%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -94,6 +94,7 @@ Patch104: krb5-1.7.1-explife.patch
 Patch105: http://web.mit.edu/kerberos/advisories/2010-007-patch-r17.txt
 Patch106: http://web.mit.edu/kerberos/advisories/2011-001-patch.txt
 Patch107: http://web.mit.edu/kerberos/advisories/2011-002-patch.txt
+Patch108: http://web.mit.edu/kerberos/advisories/2011-003-patch.txt
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
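Review bot: Patch108 points at the upstream advisory URL, but the file actually shipped in this commit is a locally modified copy (its header states the whitespace was altered), so the URL no longer identifies the bytes rpmbuild will apply. Consider adding a comment next to the `Patch108:` line noting that the local `2011-003-patch.txt` differs from the upstream download, so that a later refresh from the URL does not reintroduce a hunk that fails to apply.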
@@ -232,6 +233,10 @@ to obtain initial credentials from a KDC using a private key and a
 certificate.
 
 %changelog
+* Tue Mar 15 2011 Nalin Dahyabhai <nalin at redhat.com> 1.7.1-18
+- add revised upstream patch to fix double-free in KDC while returning
+  typed-data with errors (CVE-2011-0284, #674325)
+
 * Tue Feb  8 2011 Nalin Dahyabhai <nalin at redhat.com> 1.7.1-17
 - add upstream patches to fix standalone kpropd exiting if the per-client
   child process exits with an error (MITKRB5-SA-2011-001), and a hang or
@@ -1678,6 +1683,7 @@ popd
 %patch105 -p1 -b .2010-007
 %patch106 -p1 -b .2011-001
 %patch107 -p1 -b .2011-002
+%patch108 -p1 -b .2011-003
 gzip doc/*.ps
 
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
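Review bot: `%patch108 -p1 -b .2011-003` follows the numbering and backup-suffix convention of the preceding `%patch105`..`%patch107` lines, and `-p1` is correct for the nested diff's `a/src/kdc/do_as_req.c` paths; the only thing to check is that the patch is applied after any earlier patch touching `do_as_req.c`, since the new hunk's context (`prepare_error_as`) must match the already-patched source, not the pristine tarball.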

