[krb5/f19] Incorporate fix for CVE-2013-1417

Nalin Dahyabhai nalin at fedoraproject.org
Fri Nov 15 16:23:25 UTC 2013


commit 69b6689948070b021cf0d022d84c73a710ed6cb6
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Fri Nov 15 11:22:40 2013 -0500

    Incorporate fix for CVE-2013-1417
    
    - incorporate fix for a KDC NULL pointer dereference while handling
      referrals (CVE-2013-1417, #1030744)

 krb5-CVE-2013-1417.patch |   68 ++++++++++++++++++++++++++++++++++++++++++++++
 krb5.spec                |    8 +++++-
 2 files changed, 75 insertions(+), 1 deletions(-)
---
diff --git a/krb5-CVE-2013-1417.patch b/krb5-CVE-2013-1417.patch
new file mode 100644
index 0000000..9b1d0b6
--- /dev/null
+++ b/krb5-CVE-2013-1417.patch
@@ -0,0 +1,68 @@
+commit 4c023ba43c16396f0d199e2df1cfa59b88b62acc
+Author: Tom Yu <tlyu at mit.edu>
+Date:   Fri Jun 21 17:58:25 2013 -0400
+
+    KDC null deref due to referrals [CVE-2013-1417]
+    
+    An authenticated remote client can cause a KDC to crash by making a
+    valid TGS-REQ to a KDC serving a realm with a single-component name.
+    The process_tgs_req() function dereferences a null pointer because an
+    unusual failure condition causes a helper function to return success.
+    
+    While attempting to provide cross-realm referrals for host-based
+    service principals, the find_referral_tgs() function could return a
+    TGS principal for a zero-length realm name (indicating that the
+    hostname in the service principal has no known realm associated with
+    it).
+    
+    Subsequently, the find_alternate_tgs() function would attempt to
+    construct a path to this empty-string realm, and return success along
+    with a null pointer in its output parameter.  This happens because
+    krb5_walk_realm_tree() returns a list of length one when it attempts
+    to construct a transit path between a single-component realm and the
+    empty-string realm.  This list causes a loop in find_alternate_tgs()
+    to iterate over zero elements, resulting in the unexpected output of a
+    null pointer, which process_tgs_req() proceeds to dereference because
+    there is no error condition.
+    
+    Add an error condition to find_referral_tgs() when
+    krb5_get_host_realm() returns an empty realm name.  Also add an error
+    condition to find_alternate_tgs() to handle the length-one output from
+    krb5_walk_realm_tree().
+    
+    The vulnerable configuration is not likely to arise in practice.
+    (Realm names that have a single component are likely to be test
+    realms.)  Releases prior to krb5-1.11 are not vulnerable.
+    
+    Thanks to Sol Jerome for reporting this problem.
+    
+    CVSSv2: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
+    
+    (cherry picked from commit 3c7f1c21ffaaf6c90f1045f0f5440303c766acc0)
+    
+    ticket: 7668
+    version_fixed: 1.11.4
+    status: resolved
+
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index d41bc5d..745a48e 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -1057,6 +1057,8 @@ find_alternate_tgs(kdc_realm_t *kdc_active_realm, krb5_principal princ,
+         goto cleanup;
+     }
+ cleanup:
++    if (retval == 0 && server_ptr == NULL)
++        retval = KRB5_KDB_NOENTRY;
+     if (retval != 0)
+         *status = "UNKNOWN_SERVER";
+ 
+@@ -1149,7 +1151,7 @@ find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request,
+         goto cleanup;
+     }
+     /* Don't return a referral to the empty realm or the service realm. */
+-    if (realms == NULL || realms[0] == '\0' ||
++    if (realms == NULL || realms[0] == NULL || *realms[0] == '\0' ||
+         data_eq_string(srealm, realms[0])) {
+         retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+         goto cleanup;
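Review bot: the second inner hunk (find_referral_tgs) is the real correctness fix here, and it is worth stating why in the review: the old condition `realms[0] == '\0'` compares the `char *` element `realms[0]` against the NUL character, so it only ever caught a NULL first entry and never an empty realm string, which is exactly the case the comment above it claims to exclude; the replacement `realms[0] == NULL || *realms[0] == '\0'` checks both. For the first inner hunk (find_alternate_tgs), the new guard at `cleanup:` turns a success-with-NULL return into `KRB5_KDB_NOENTRY`, but it is only sound if `server_ptr` is NULL on every path that reaches the label with `retval == 0` (including the zero-iteration loop the commit message describes); that initialization is outside the visible context, so confirm it at function entry rather than relying on the loop never assigning it.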
diff --git a/krb5.spec b/krb5.spec
index fed9572..0a94f14 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -32,7 +32,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.3
-Release: 11%{?dist}
+Release: 12%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -101,6 +101,7 @@ Patch136: krb5-1.11.3-prompter1.patch
 Patch137: krb5-1.11.3-prompter2.patch
 Patch138: krb5-1.11.3-gss-ccache-import.patch
 Patch139: krb5-CVE-2013-1418.patch
+Patch140: krb5-CVE-2013-1417.patch
 
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
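Review bot: `Patch140: krb5-CVE-2013-1417.patch` is added without a comment recording where the patch comes from; the provenance (upstream commit 4c023ba43c16396f0d199e2df1cfa59b88b62acc, RT ticket 7668, fixed in 1.11.4) currently lives only inside the patch file's own header. A one-line `# CVE-2013-1417, upstream 4c023ba (RT#7668)` next to the Patch140 line would make the spec self-describing when the patch is later dropped or rebased.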
@@ -335,6 +336,7 @@ ln -s NOTICE LICENSE
 %patch137 -p1 -b .prompter2
 %patch138 -p1 -b .gss-ccache-import
 %patch139 -p1 -b .CVE-2013-1418
+%patch140 -p1 -b .CVE-2013-1417
 
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@@ -928,6 +930,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Fri Nov 15 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-12
+- incorporate fix for a KDC NULL pointer dereference while handling referrals
+  (CVE-2013-1417, #1030744)
+
 * Tue Nov  5 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-11
 - incorporate upstream patch for remote crash of KDCs which serve multiple
   realms simultaneously (RT#7756, CVE-2013-1418)

