[krb5/f17] add patch for CVE-2013-1416 (#949984/#949987)
Nalin Dahyabhai
nalin at fedoraproject.org
Tue Apr 9 16:24:39 UTC 2013
commit 57b592e88663b6575be28ad7afa4d4497e2279af
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Tue Apr 9 11:59:43 2013 -0400
add patch for CVE-2013-1416 (#949984/#949987)
- incorporate upstream patch to fix a NULL pointer dereference while
processing certain TGS requests (CVE-2013-1416, #949984/#949987)
krb5-1.10-CVE-2013-1416.patch | 50 +++++++++++++++++++++++++++++++++++++++++
krb5.spec | 8 +++++-
2 files changed, 57 insertions(+), 1 deletions(-)
---
diff --git a/krb5-1.10-CVE-2013-1416.patch b/krb5-1.10-CVE-2013-1416.patch
new file mode 100644
index 0000000..f2c4a48
--- /dev/null
+++ b/krb5-1.10-CVE-2013-1416.patch
@@ -0,0 +1,50 @@
+commit 8ee70ec63931d1e38567905387ab9b1d45734d81
+Author: Tom Yu <tlyu at mit.edu>
+Date: Fri Mar 29 19:27:33 2013 -0400
+
+ KDC TGS-REQ null deref [CVE-2013-1416]
+
+ By sending an unusual but valid TGS-REQ, an authenticated remote
+ attacker can cause the KDC process to crash by dereferencing a null
+ pointer.
+
+ prep_reprocess_req() can cause a null pointer dereference when
+ processing a service principal name. Code in this function can
+ inappropriately pass a null pointer to strlcpy(). Unmodified client
+ software can trivially trigger this vulnerability, but the attacker
+ must have already authenticated and received a valid Kerberos ticket.
+
+ The vulnerable code was introduced by the implementation of new
+ service principal realm referral functionality in krb5-1.7, but was
+ corrected as a side effect of the KDC refactoring in krb5-1.11.
+
+ CVSSv2 vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:H/RL:O/RC:C
+
+ ticket: 7600 (new)
+ version_fixed: 1.10.5
+ status: resolved
+
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index 9ff80cf..86496e9 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -1141,7 +1141,8 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
+ retval = ENOMEM;
+ goto cleanup;
+ }
+- strlcpy(comp1_str,comp1->data,comp1->length+1);
++ if (comp1->data != NULL)
++ memcpy(comp1_str, comp1->data, comp1->length);
+
+ if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
+ krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST ||
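Review bot: the memcpy that replaces strlcpy at line 1141 no longer writes a terminating NUL, so comp1_str is a valid C string only if the allocation just above the hunk (the one guarded by the ENOMEM check) zero-fills comp1->length+1 bytes; that allocation is outside the visible context, so either confirm it is a calloc or add `comp1_str[comp1->length] = '\0';` after the copy. The `if (comp1->data != NULL)` guard is the actual CVE-2013-1416 fix: per the commit message, strlcpy was being handed a NULL source and dereferenced it, whereas the guard now leaves comp1_str empty for a NULL component. Using memcpy with the explicit comp1->length is also the right primitive here, since a krb5_data component carries a length and is not guaranteed to be NUL-terminated.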
+@@ -1164,7 +1165,8 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
+ retval = ENOMEM;
+ goto cleanup;
+ }
+- strlcpy(temp_buf, comp2->data,comp2->length+1);
++ if (comp2->data != NULL)
++ memcpy(temp_buf, comp2->data, comp2->length);
+ retval = krb5int_get_domain_realm_mapping(kdc_context, temp_buf, &realms);
+ free(temp_buf);
+ if (retval) {
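Review bot: the same NUL-termination caveat applies to temp_buf at line 1164: memcpy copies comp2->length bytes without a terminator, so the string handed to krb5int_get_domain_realm_mapping() on the next line is only terminated if the allocation above the hunk zero-fills the buffer; otherwise add `temp_buf[comp2->length] = '\0';` before the call. Note also the behaviour when comp2->data is NULL: the guarded copy is skipped and an empty domain string is passed to krb5int_get_domain_realm_mapping() instead of the KDC crashing, so a one-line comment stating that an empty component is intentionally looked up as "" rather than rejected would help the next reader.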
diff --git a/krb5.spec b/krb5.spec
index feaa2c2..e18e509 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -20,7 +20,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.10.2
-Release: 9%{?dist}
+Release: 10%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -73,6 +73,7 @@ Patch108: http://web.mit.edu/kerberos/advisories/2012-001-patch.txt
Patch109: krb5-1.10-pkinit-null.patch
Patch110: krb5-lookup_etypes-leak.patch
Patch111: krb5-1.10-pkinit-agility.patch
+Patch112: krb5-1.10-CVE-2013-1416.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
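Review bot: Patch112 is listed by local filename only, while Patch108 at the top of this hunk carries the upstream advisory URL; since the embedded patch is upstream commit 8ee70ec63931d1e38567905387ab9b1d45734d81 (ticket 7600, version_fixed 1.10.5), add a `# upstream commit 8ee70ec63931d1e38567905387ab9b1d45734d81, CVE-2013-1416` comment above the Patch112 line, in the same `#` comment style used a few lines above for the tarball note, so the provenance is visible in the spec without opening the patch file.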
@@ -255,6 +256,7 @@ ln -s NOTICE LICENSE
%patch109 -p1 -b .pkinit-null
%patch110 -p1 -b .lookup_etypes-leak
%patch111 -p1 -b .pkinit-agility
+%patch112 -p1 -b .CVE-2013-1416
rm src/lib/krb5/krb/deltat.c
gzip doc/*.ps
@@ -774,6 +776,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Tue Apr 9 2013 Nalin Dahyabhai <nalin at redhat.com> 1.10.2-10
+- incorporate upstream patch to fix a NULL pointer dereference while processing
+ certain TGS requests (CVE-2013-1416, #949984/#949987)
+
* Tue Mar 5 2013 Nalin Dahyabhai <nalin at redhat.com> 1.10.2-9
- add patch to avoid dereferencing a NULL pointer in the KDC when handling a
draft9 PKINIT request (#917841, CVE-2012-1016)