[krb5/f17] add patch to fix CVE-2012-1013 (#827598)

Nalin Dahyabhai nalin at fedoraproject.org
Fri Jun 1 22:11:30 UTC 2012 

commit 1d265fd9dd678ec9e136d8d59c0765300500b7db
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Fri Jun 1 18:01:13 2012 -0400

    add patch to fix CVE-2012-1013 (#827598)
    
    - pull up the patch to correct a possible NULL pointer dereference in
      kadmind (CVE-2012-1013, #827598)

 krb5-kadmind-null-password.patch |   33 +++++++++++++++++++++++++++++++++
 krb5.spec                        |    8 +++++++-
 2 files changed, 40 insertions(+), 1 deletions(-)
---
diff --git a/krb5-kadmind-null-password.patch b/krb5-kadmind-null-password.patch
new file mode 100644
index 0000000..b64f43f
--- /dev/null
+++ b/krb5-kadmind-null-password.patch
@@ -0,0 +1,33 @@
+commit c5be6209311d4a8f10fda37d0d3f876c1b33b77b
+Author: Richard Basch <basch at alum.mit.edu>
+Date:   Tue May 29 14:07:03 2012 -0400
+
+    Null pointer deref in kadmind [CVE-2012-1013]
+    
+    The fix for #6626 could cause kadmind to dereference a null pointer if
+    a create-principal request contains no password but does contain the
+    KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
+    name").  Only clients authorized to create principals can trigger the
+    bug.  Fix the bug by testing for a null password in check_1_6_dummy.
+    
+    CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
+    
+    [ghudson at mit.edu: Minor style change and commit message]
+    
+    ticket: 7152
+    target_version: 1.10.2
+    tags: pullup
+
+diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
+index a0b110d..f5ea005 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
++++ b/src/lib/kadm5/srv/svr_principal.c
+@@ -186,7 +186,7 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
+     char *password = *passptr;
+ 
+     /* Old-style randkey operations disallowed tickets to start. */
+-    if (!(mask & KADM5_ATTRIBUTES) ||
++    if (password == NULL || !(mask & KADM5_ATTRIBUTES) ||
+         !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX))
+         return;
+ 
diff --git a/krb5.spec b/krb5.spec
index 816d601..e2e94d6 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -15,7 +15,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.10
-Release: 6%{?dist}
+Release: 7%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -65,6 +65,7 @@ Patch104: krb5-1.10-crashfix.patch
 Patch105: krb5-kvno-230379.patch
 Patch106: krb5-1.10-lookaside.patch
 Patch107: krb5-1.10-string-rpc-acl-fix.patch
+Patch108: krb5-kadmind-null-password.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -238,6 +239,7 @@ ln -s NOTICE LICENSE
 %patch105 -p1 -b .kvno
 %patch106 -p1 -b .7082
 %patch107 -p1 -b .7093
+%patch108 -p1 -b .kadmind-null-password
 rm src/lib/krb5/krb/deltat.c
 
 gzip doc/*.ps
@@ -749,6 +751,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Fri Jun  1 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10-7
+- pull up the patch to correct a possible NULL pointer dereference in
+  kadmind (CVE-2012-1013, #827598)
+
 * Mon May  7 2012 Nalin Dahyabhai <nalin at redhat.com>
 - skip the setfscreatecon() if fopen() is passed "rb" as the open mode (part
   of #819115)

More information about the scm-commits mailing list