[krb5/f15] add patch to fix CVE-2012-1013 (#827598)
Nalin Dahyabhai
nalin at fedoraproject.org
Fri Jun 1 22:02:03 UTC 2012
commit 05e616fc6afc8983ca4c29d60549c7d47ea8eb2b
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Fri Jun 1 18:01:01 2012 -0400
add patch to fix CVE-2012-1013 (#827598)
- pull up the patch to correct a possible NULL pointer dereference in
kadmind (CVE-2012-1013, #827598)
krb5-kadmind-null-password.patch | 33 +++++++++++++++++++++++++++++++++
krb5.spec | 8 +++++++-
2 files changed, 40 insertions(+), 1 deletions(-)
---
diff --git a/krb5-kadmind-null-password.patch b/krb5-kadmind-null-password.patch
new file mode 100644
index 0000000..b64f43f
--- /dev/null
+++ b/krb5-kadmind-null-password.patch
@@ -0,0 +1,33 @@
+commit c5be6209311d4a8f10fda37d0d3f876c1b33b77b
+Author: Richard Basch <basch at alum.mit.edu>
+Date: Tue May 29 14:07:03 2012 -0400
+
+ Null pointer deref in kadmind [CVE-2012-1013]
+
+ The fix for #6626 could cause kadmind to dereference a null pointer if
+ a create-principal request contains no password but does contain the
+ KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
+ name"). Only clients authorized to create principals can trigger the
+ bug. Fix the bug by testing for a null password in check_1_6_dummy.
+
+ CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
+
+ [ghudson at mit.edu: Minor style change and commit message]
+
+ ticket: 7152
+ target_version: 1.10.2
+ tags: pullup
+
+diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
+index a0b110d..f5ea005 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
++++ b/src/lib/kadm5/srv/svr_principal.c
+@@ -186,7 +186,7 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
+ char *password = *passptr;
+
+ /* Old-style randkey operations disallowed tickets to start. */
+- if (!(mask & KADM5_ATTRIBUTES) ||
++ if (password == NULL || !(mask & KADM5_ATTRIBUTES) ||
+ !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX))
+ return;
+
diff --git a/krb5.spec b/krb5.spec
index 2cc65a4..c77c0e6 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -6,7 +6,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.9.3
-Release: 1%{?dist}
+Release: 2%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.3-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -63,6 +63,7 @@ Patch100: krb5-1.9-7046.patch
Patch101: krb5-trunk-7047.patch
Patch102: krb5-1.9-7048.patch
Patch103: krb5-kvno-230379.patch
+Patch104: krb5-kadmind-null-password.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -219,6 +220,7 @@ ln -s NOTICE LICENSE
%patch101 -p1 -b .7047
%patch102 -p1 -b .7048
%patch103 -p1 -b .kvno
+%patch104 -p1 -b .kadmind-null-password
gzip doc/*.ps
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -680,6 +682,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Fri Jun 1 2012 Nalin Dahyabhai <nalin at redhat.com> 1.9.3-2
+- pull up the patch to correct a possible NULL pointer dereference in
+ kadmind (CVE-2012-1013, #827598)
+
* Thu Mar 8 2012 Nalin Dahyabhai <nalin at redhat.com> 1.9.3-1
- update to 1.9.3
- drop patch for CVE-2011-1530, incorporated upstream
More information about the scm-commits
mailing list