[krb5/f15] add patch to fix CVE-2012-1013 (#827598)

Nalin Dahyabhai nalin at fedoraproject.org
Fri Jun 1 22:02:03 UTC 2012 

commit 05e616fc6afc8983ca4c29d60549c7d47ea8eb2b
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Fri Jun 1 18:01:01 2012 -0400

    add patch to fix CVE-2012-1013 (#827598)
    
    - pull up the patch to correct a possible NULL pointer dereference in
      kadmind (CVE-2012-1013, #827598)

 krb5-kadmind-null-password.patch |   33 +++++++++++++++++++++++++++++++++
 krb5.spec                        |    8 +++++++-
 2 files changed, 40 insertions(+), 1 deletions(-)
---
diff --git a/krb5-kadmind-null-password.patch b/krb5-kadmind-null-password.patch
new file mode 100644
index 0000000..b64f43f
--- /dev/null
+++ b/krb5-kadmind-null-password.patch
@@ -0,0 +1,33 @@
+commit c5be6209311d4a8f10fda37d0d3f876c1b33b77b
+Author: Richard Basch <basch at alum.mit.edu>
+Date:   Tue May 29 14:07:03 2012 -0400
+
+    Null pointer deref in kadmind [CVE-2012-1013]
+    
+    The fix for #6626 could cause kadmind to dereference a null pointer if
+    a create-principal request contains no password but does contain the
+    KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
+    name").  Only clients authorized to create principals can trigger the
+    bug.  Fix the bug by testing for a null password in check_1_6_dummy.
+    
+    CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
+    
+    [ghudson at mit.edu: Minor style change and commit message]
+    
+    ticket: 7152
+    target_version: 1.10.2
+    tags: pullup
+
+diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
+index a0b110d..f5ea005 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
++++ b/src/lib/kadm5/srv/svr_principal.c
+@@ -186,7 +186,7 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
+     char *password = *passptr;
+ 
+     /* Old-style randkey operations disallowed tickets to start. */
+-    if (!(mask & KADM5_ATTRIBUTES) ||
++    if (password == NULL || !(mask & KADM5_ATTRIBUTES) ||
+         !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX))
+         return;
+ 
diff --git a/krb5.spec b/krb5.spec
index 2cc65a4..c77c0e6 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -6,7 +6,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.9.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -63,6 +63,7 @@ Patch100: krb5-1.9-7046.patch
 Patch101: krb5-trunk-7047.patch
 Patch102: krb5-1.9-7048.patch
 Patch103: krb5-kvno-230379.patch
+Patch104: krb5-kadmind-null-password.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -219,6 +220,7 @@ ln -s NOTICE LICENSE
 %patch101 -p1 -b .7047
 %patch102 -p1 -b .7048
 %patch103 -p1 -b .kvno
+%patch104 -p1 -b .kadmind-null-password
 gzip doc/*.ps
 
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -680,6 +682,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Fri Jun  1 2012 Nalin Dahyabhai <nalin at redhat.com> 1.9.3-2
+- pull up the patch to correct a possible NULL pointer dereference in
+  kadmind (CVE-2012-1013, #827598)
+
 * Thu Mar  8 2012 Nalin Dahyabhai <nalin at redhat.com> 1.9.3-1
 - update to 1.9.3
   - drop patch for CVE-2011-1530, incorporated upstream

More information about the scm-commits mailing list