[krb5/f16] fixes from MITKRB5-SA-2012-001
Nalin Dahyabhai
nalin at fedoraproject.org
Tue Jul 31 18:21:01 UTC 2012
commit 08a67fb9413bfc07ef141a4042d9af071c501ba0
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Tue Jul 31 14:20:15 2012 -0400
fixes from MITKRB5-SA-2012-001
- add upstream patch to fix freeing an uninitialized pointer in the KDC
(MITKRB5-SA-2012-001, CVE-2012-1015, #838012)
2012-001-1.9-patch.txt | 43 +++++++++++++++++++++++++++++++++++++++++++
krb5.spec | 8 +++++++-
2 files changed, 50 insertions(+), 1 deletions(-)
---
diff --git a/2012-001-1.9-patch.txt b/2012-001-1.9-patch.txt
new file mode 100644
index 0000000..ad48fae
--- /dev/null
+++ b/2012-001-1.9-patch.txt
@@ -0,0 +1,43 @@
+This is http://web.mit.edu/kerberos/advisories/2012-001-patch.txt, minus the
+bits about do_as_req.c.
+
+diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
+index 9d8cb34..d4ece3f 100644
+--- a/src/kdc/kdc_preauth.c
++++ b/src/kdc/kdc_preauth.c
+@@ -1438,7 +1438,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
+ continue;
+
+ }
+- if (request_contains_enctype(context, request, db_etype)) {
++ if (krb5_is_permitted_enctype(context, db_etype) &&
++ request_contains_enctype(context, request, db_etype)) {
+ retval = _make_etype_info_entry(context, client->princ,
+ client_key, db_etype,
+ &entry[i], etype_info2);
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index a43b291..94dad3a 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -2461,6 +2461,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request,
+ return 0;
+ pa.magic = KV5M_PA_DATA;
+ pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
++ memset(&checksum, 0, sizeof(checksum));
+ retval = krb5_c_make_checksum(kdc_context,0, reply_key,
+ KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
+ if (retval != 0)
+diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
+index c4bf92e..367c894 100644
+--- a/src/lib/kdb/kdb_default.c
++++ b/src/lib/kdb/kdb_default.c
+@@ -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
+ krb5_boolean saw_non_permitted = FALSE;
+
+ ret = 0;
++ if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
++ return KRB5_KDB_NO_PERMITTED_KEY;
++
+ if (kvno == -1 && stype == -1 && ktype == -1)
+ kvno = 0;
+
diff --git a/krb5.spec b/krb5.spec
index 94f68f8..13a240a 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -6,7 +6,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.9.4
-Release: 1%{?dist}
+Release: 2%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.4-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -63,6 +63,7 @@ Patch101: krb5-trunk-7047.patch
Patch102: krb5-1.9-7048.patch
Patch103: krb5-kvno-230379.patch
Patch105: krb5-1.9-pkinit-anchorsign.patch
+Patch106: 2012-001-1.9-patch.txt
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -223,6 +224,7 @@ ln -s NOTICE LICENSE
%patch102 -p1 -b .7048
%patch103 -p1 -b .kvno
%patch105 -p1 -b .pkinit-anchorsign
+%patch106 -p1 -b .2012-001
gzip doc/*.ps
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -696,6 +698,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Tue Jul 31 2012 Nalin Dahyabhai <nalin at redhat.com> 1.9.4-2
+- add upstream patch to fix freeing an uninitialized pointer in the KDC
+ (MITKRB5-SA-2012-001, CVE-2012-1015, #838012)
+
* Fri Jun 22 2012 Nalin Dahyabhai <nalin at redhat.com> 1.9.4-1
- rebase to 1.9.4
- drop the backport patch for CVE-2012-1013, no longer needed
More information about the scm-commits
mailing list