[krb5] Incorporate patch for RT#7755 (CVE-2013-1418)

Nalin Dahyabhai nalin at fedoraproject.org
Tue Nov 5 18:11:29 UTC 2013 

commit a244d8f93c578960ecdd15a172e6f45963f22462
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Mon Nov 4 15:47:55 2013 -0500

    Incorporate patch for RT#7755 (CVE-2013-1418)
    
    - incorporate upstream patch for remote crash of KDCs which serve multiple
      realms simultaneously (RT#7755, CVE-2013-1418)

 krb5-CVE-2013-1418.patch |   35 +++++++++++++++++++++++++++++++++++
 krb5.spec                |    8 +++++++-
 2 files changed, 42 insertions(+), 1 deletions(-)
---
diff --git a/krb5-CVE-2013-1418.patch b/krb5-CVE-2013-1418.patch
new file mode 100644
index 0000000..593c02c
--- /dev/null
+++ b/krb5-CVE-2013-1418.patch
@@ -0,0 +1,35 @@
+Adjusted to apply to 1.11.3.
+
+commit 5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf
+Author: Tom Yu <tlyu at mit.edu>
+Date:   Mon Nov 4 13:44:29 2013 -0500
+
+    Multi-realm KDC null deref [CVE-2013-1418]
+    
+    If a KDC serves multiple realms, certain requests can cause
+    setup_server_realm() to dereference a null pointer, crashing the KDC.
+    
+    CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
+    
+    A related but more minor vulnerability requires authentication to
+    exploit, and is only present if a third-party KDC database module can
+    dereference a null pointer under certain conditions.
+    
+    ticket: 7755 (new)
+    target_version: 1.12
+    tags: pullup
+
+diff --git a/src/kdc/main.c b/src/kdc/main.c
+index 0f5961a..a7ffe63 100644
+--- a/src/kdc/main.c
++++ b/src/kdc/main.c
+@@ -124,6 +124,9 @@ setup_server_realm(struct server_handle *handle, krb5_principal sprinc)
+     kdc_realm_t **kdc_realmlist = handle->kdc_realmlist;
+     int kdc_numrealms = handle->kdc_numrealms;
+ 
++    if (sprinc == NULL)
++        return NULL;
++
+     kret = 0;
+     if (kdc_numrealms > 1) {
+         if (!(newrealm = find_realm_data(handle, sprinc->realm.data,
diff --git a/krb5.spec b/krb5.spec
index bbb1a38..fca997e 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.3
-Release: 28%{?dist}
+Release: 29%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -108,6 +108,7 @@ Patch135: krb5-1.11-check_transited.patch
 Patch136: krb5-1.11.3-prompter1.patch
 Patch137: krb5-1.11.3-prompter2.patch
 Patch138: krb5-1.11.3-gss-ccache-import.patch
+Patch139: krb5-CVE-2013-1418.patch
 
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
@@ -353,6 +354,7 @@ ln -s NOTICE LICENSE
 %patch136 -p1 -b .prompter1
 %patch137 -p1 -b .prompter2
 %patch138 -p1 -b .gss-ccache-import
+%patch139 -p1 -b .CVE-2013-1418
 
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@@ -1004,6 +1006,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Mon Nov  4 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-29
+- incorporate upstream patch for remote crash of KDCs which serve multiple
+  realms simultaneously (RT#7755, CVE-2013-1418)
+
 * Mon Nov  4 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-28
 - drop patch to add additional access() checks to ksu - they add to breakage
   when non-FILE: caches are in use (#1026099), shouldn't be resulting in any

More information about the scm-commits mailing list