[krb5/f17] add patch to fix CVE-2012-1013 (#827598)
Nalin Dahyabhai
nalin at fedoraproject.org
Fri Jun 1 22:11:30 UTC 2012
commit 1d265fd9dd678ec9e136d8d59c0765300500b7db
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Fri Jun 1 18:01:13 2012 -0400
add patch to fix CVE-2012-1013 (#827598)
- pull up the patch to correct a possible NULL pointer dereference in
kadmind (CVE-2012-1013, #827598)
krb5-kadmind-null-password.patch | 33 +++++++++++++++++++++++++++++++++
krb5.spec | 8 +++++++-
2 files changed, 40 insertions(+), 1 deletions(-)
---
diff --git a/krb5-kadmind-null-password.patch b/krb5-kadmind-null-password.patch
new file mode 100644
index 0000000..b64f43f
--- /dev/null
+++ b/krb5-kadmind-null-password.patch
@@ -0,0 +1,33 @@
+commit c5be6209311d4a8f10fda37d0d3f876c1b33b77b
+Author: Richard Basch <basch at alum.mit.edu>
+Date: Tue May 29 14:07:03 2012 -0400
+
+ Null pointer deref in kadmind [CVE-2012-1013]
+
+ The fix for #6626 could cause kadmind to dereference a null pointer if
+ a create-principal request contains no password but does contain the
+ KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
+ name"). Only clients authorized to create principals can trigger the
+ bug. Fix the bug by testing for a null password in check_1_6_dummy.
+
+ CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
+
+ [ghudson at mit.edu: Minor style change and commit message]
+
+ ticket: 7152
+ target_version: 1.10.2
+ tags: pullup
+
+diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
+index a0b110d..f5ea005 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
++++ b/src/lib/kadm5/srv/svr_principal.c
+@@ -186,7 +186,7 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
+ char *password = *passptr;
+
+ /* Old-style randkey operations disallowed tickets to start. */
+- if (!(mask & KADM5_ATTRIBUTES) ||
++ if (password == NULL || !(mask & KADM5_ATTRIBUTES) ||
+ !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX))
+ return;
+
diff --git a/krb5.spec b/krb5.spec
index 816d601..e2e94d6 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -15,7 +15,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.10
-Release: 6%{?dist}
+Release: 7%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -65,6 +65,7 @@ Patch104: krb5-1.10-crashfix.patch
Patch105: krb5-kvno-230379.patch
Patch106: krb5-1.10-lookaside.patch
Patch107: krb5-1.10-string-rpc-acl-fix.patch
+Patch108: krb5-kadmind-null-password.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -238,6 +239,7 @@ ln -s NOTICE LICENSE
%patch105 -p1 -b .kvno
%patch106 -p1 -b .7082
%patch107 -p1 -b .7093
+%patch108 -p1 -b .kadmind-null-password
rm src/lib/krb5/krb/deltat.c
gzip doc/*.ps
@@ -749,6 +751,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Fri Jun 1 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10-7
+- pull up the patch to correct a possible NULL pointer dereference in
+ kadmind (CVE-2012-1013, #827598)
+
* Mon May 7 2012 Nalin Dahyabhai <nalin at redhat.com>
- skip the setfscreatecon() if fopen() is passed "rb" as the open mode (part
of #819115)
More information about the scm-commits
mailing list