[krb5/f19] Incorporate fix for CVE-2013-1417
Nalin Dahyabhai
nalin at fedoraproject.org
Fri Nov 15 16:23:25 UTC 2013
commit 69b6689948070b021cf0d022d84c73a710ed6cb6
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Fri Nov 15 11:22:40 2013 -0500
Incorporate fix for CVE-2013-1417
- incorporate fix for a KDC NULL pointer dereference while handling
referrals (CVE-2013-1417, #1030744)
krb5-CVE-2013-1417.patch | 68 ++++++++++++++++++++++++++++++++++++++++++++++
krb5.spec | 8 +++++-
2 files changed, 75 insertions(+), 1 deletions(-)
---
diff --git a/krb5-CVE-2013-1417.patch b/krb5-CVE-2013-1417.patch
new file mode 100644
index 0000000..9b1d0b6
--- /dev/null
+++ b/krb5-CVE-2013-1417.patch
@@ -0,0 +1,68 @@
+commit 4c023ba43c16396f0d199e2df1cfa59b88b62acc
+Author: Tom Yu <tlyu at mit.edu>
+Date: Fri Jun 21 17:58:25 2013 -0400
+
+ KDC null deref due to referrals [CVE-2013-1417]
+
+ An authenticated remote client can cause a KDC to crash by making a
+ valid TGS-REQ to a KDC serving a realm with a single-component name.
+ The process_tgs_req() function dereferences a null pointer because an
+ unusual failure condition causes a helper function to return success.
+
+ While attempting to provide cross-realm referrals for host-based
+ service principals, the find_referral_tgs() function could return a
+ TGS principal for a zero-length realm name (indicating that the
+ hostname in the service principal has no known realm associated with
+ it).
+
+ Subsequently, the find_alternate_tgs() function would attempt to
+ construct a path to this empty-string realm, and return success along
+ with a null pointer in its output parameter. This happens because
+ krb5_walk_realm_tree() returns a list of length one when it attempts
+ to construct a transit path between a single-component realm and the
+ empty-string realm. This list causes a loop in find_alternate_tgs()
+ to iterate over zero elements, resulting in the unexpected output of a
+ null pointer, which process_tgs_req() proceeds to dereference because
+ there is no error condition.
+
+ Add an error condition to find_referral_tgs() when
+ krb5_get_host_realm() returns an empty realm name. Also add an error
+ condition to find_alternate_tgs() to handle the length-one output from
+ krb5_walk_realm_tree().
+
+ The vulnerable configuration is not likely to arise in practice.
+ (Realm names that have a single component are likely to be test
+ realms.) Releases prior to krb5-1.11 are not vulnerable.
+
+ Thanks to Sol Jerome for reporting this problem.
+
+ CVSSv2: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
+
+ (cherry picked from commit 3c7f1c21ffaaf6c90f1045f0f5440303c766acc0)
+
+ ticket: 7668
+ version_fixed: 1.11.4
+ status: resolved
+
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index d41bc5d..745a48e 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -1057,6 +1057,8 @@ find_alternate_tgs(kdc_realm_t *kdc_active_realm, krb5_principal princ,
+ goto cleanup;
+ }
+ cleanup:
++ if (retval == 0 && server_ptr == NULL)
++ retval = KRB5_KDB_NOENTRY;
+ if (retval != 0)
+ *status = "UNKNOWN_SERVER";
+
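Review bot: the new guard at `cleanup:` only works if `server_ptr` is reliably NULL on every path that reaches cleanup with `retval == 0`; the hunk's context does not show the declaration, so confirm it is initialised to NULL before the realm-tree loop rather than left to whatever the lookup helper writes. The commit message describes this as handling the length-one output of krb5_walk_realm_tree(), but the code is a generic "success with no result" test, not a check on the list length; a one-line comment above `if (retval == 0 && server_ptr == NULL)` saying that an empty walk (no realm other than our own in the path) leaves `server_ptr` unset would spare the next reader a trip to ticket 7668. The generic form is the right choice, since it also covers any future path that falls through the loop.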
+@@ -1149,7 +1151,7 @@ find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request,
+ goto cleanup;
+ }
+ /* Don't return a referral to the empty realm or the service realm. */
+- if (realms == NULL || realms[0] == '\0' ||
++ if (realms == NULL || realms[0] == NULL || *realms[0] == '\0' ||
+ data_eq_string(srealm, realms[0])) {
+ retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ goto cleanup;
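Review bot: the removed line compared `realms[0]`, a `char *`, with the character constant `'\0'`, which the compiler accepts as a null pointer constant, so the old test could only ever catch a NULL entry and let an empty realm string through to find_alternate_tgs() unnoticed; the replacement `realms[0] == NULL || *realms[0] == '\0'` tests the pointer and then the first character, which is what the comment on the line above always intended. Worth a sentence in the patch description that the original compiled without complaint precisely because `'\0'` is 0, so this class of mistake is invisible to the build; the error code kept here, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, matches the "no known realm" condition the commit message describes.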
diff --git a/krb5.spec b/krb5.spec
index fed9572..0a94f14 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -32,7 +32,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.11.3
-Release: 11%{?dist}
+Release: 12%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -101,6 +101,7 @@ Patch136: krb5-1.11.3-prompter1.patch
Patch137: krb5-1.11.3-prompter2.patch
Patch138: krb5-1.11.3-gss-ccache-import.patch
Patch139: krb5-CVE-2013-1418.patch
+Patch140: krb5-CVE-2013-1417.patch
# Patches for otp plugin backport
Patch201: krb5-1.11.2-keycheck.patch
@@ -335,6 +336,7 @@ ln -s NOTICE LICENSE
%patch137 -p1 -b .prompter2
%patch138 -p1 -b .gss-ccache-import
%patch139 -p1 -b .CVE-2013-1418
+%patch140 -p1 -b .CVE-2013-1417
%patch201 -p1 -b .keycheck
%patch202 -p1 -b .otp
@@ -928,6 +930,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Fri Nov 15 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-12
+- incorporate fix for a KDC NULL pointer dereference while handling referrals
+ (CVE-2013-1417, #1030744)
+
* Tue Nov 5 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-11
- incorporate upstream patch for remote crash of KDCs which serve multiple
realms simultaneously (RT#7756, CVE-2013-1418)
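Review bot: the changelog entry cites the Bugzilla number and the CVE but not the upstream ticket (7668) or fixed version (1.11.4) recorded in the embedded patch header, whereas the preceding 1.11.3-11 entry cites RT#7756 for CVE-2013-1418; adding `RT#7668` to the new entry keeps the two consistent and makes the backport traceable without opening the patch file.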
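The two defects the embedded patch corrects, modelled as an added C example (this is not krb5 code: `model_walk_realm_tree`, `find_alternate_tgs_vuln`, `find_alternate_tgs_fixed`, `caller_would_deref_null`, `empty_realm_check_old`/`empty_realm_check_new` and `MODEL_KDB_NOENTRY` are simplified stand-ins, and the realm names are constructed inputs). It reproduces the single property of krb5_walk_realm_tree() that the upstream commit message relies on, a length-one path between a single-component realm and the empty realm, shows the find_alternate_tgs()-shaped loop iterating zero times and returning 0 with a NULL output that a process_tgs_req()-style caller would trust, and puts the original `realms[0] == '\0'` test beside the patched one:

```c
/* Added illustration of the CVE-2013-1417 failure mode. This is not krb5
 * source: every function and constant below is a simplified stand-in for
 * the real find_alternate_tgs(), krb5_walk_realm_tree() and the realm check
 * in find_referral_tgs(), reduced to the two defects the fix addresses. */
#include <stddef.h>
#include <string.h>

#define MODEL_KDB_NOENTRY 1  /* stand-in for KRB5_KDB_NOENTRY (assumed value) */
#define MODEL_PATH_MAX    4

/* Stand-in for krb5_walk_realm_tree(): build a NULL-terminated transit path
 * from `from` to `to`. The model keeps only the property the commit message
 * relies on: between a single-component realm and the empty realm the path
 * has length one, containing just the starting realm. */
static size_t
model_walk_realm_tree(const char *from, const char *to,
                      const char *path[MODEL_PATH_MAX])
{
    size_t n = 0;
    path[n++] = from;
    if (to[0] != '\0' && strcmp(from, to) != 0)
        path[n++] = to;
    path[n] = NULL;
    return n;
}

/* Vulnerable shape: walk the path from the far end back toward the local
 * realm (skipping element 0, the local realm itself) and hand back the first
 * realm for which a cross-realm TGS entry "exists". With a length-one path
 * the loop body never runs, retval stays 0 and the output pointer stays
 * NULL: success with no result. */
static int
find_alternate_tgs_vuln(const char *local_realm, const char *target_realm,
                        const char **server_out)
{
    const char *path[MODEL_PATH_MAX];
    size_t n = model_walk_realm_tree(local_realm, target_realm, path);
    int retval = 0;
    size_t i;

    *server_out = NULL;
    for (i = n; i-- > 1; ) {
        if (path[i][0] != '\0') {   /* model lookup: any non-empty realm exists */
            *server_out = path[i];
            goto cleanup;
        }
    }
cleanup:
    return retval;
}

/* Fixed shape: the same walk plus the check the upstream patch adds at the
 * cleanup label, so a NULL result can never be reported as success. */
static int
find_alternate_tgs_fixed(const char *local_realm, const char *target_realm,
                         const char **server_out)
{
    int retval = find_alternate_tgs_vuln(local_realm, target_realm, server_out);
    if (retval == 0 && *server_out == NULL)
        retval = MODEL_KDB_NOENTRY;
    return retval;
}

/* Model of the caller in process_tgs_req(): on retval == 0 it trusts the
 * output pointer. Returns 1 if it would dereference NULL, otherwise 0, so
 * the vulnerable path is observable without crashing the program. */
static int
caller_would_deref_null(int (*lookup)(const char *, const char *, const char **),
                        const char *local_realm, const char *target_realm)
{
    const char *server = NULL;
    int retval = lookup(local_realm, target_realm, &server);
    if (retval != 0)
        return 0;              /* error path: caller reports UNKNOWN_SERVER */
    return server == NULL;     /* success path: the caller would use `server` */
}

/* Original empty-realm check in find_referral_tgs(): `realms` is a
 * NULL-terminated list of strings (char **), so `realms[0] == '\0'` compares
 * a pointer with the integer 0, i.e. it is only a NULL test. An empty string
 * at realms[0] passes through unnoticed. */
static int
empty_realm_check_old(char **realms)
{
    return realms == NULL || realms[0] == '\0';
}

/* Patched check: test the pointer, then the first character it points to. */
static int
empty_realm_check_new(char **realms)
{
    return realms == NULL || realms[0] == NULL || *realms[0] == '\0';
}
```

Both `find_alternate_tgs_*` functions share the loop deliberately: the upstream hunk changes nothing inside the loop and only adds the post-condition at `cleanup:`, so the fixed model wraps the vulnerable one with exactly that test.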