[krb5/f20] Add proposed fix for a double-free in gss clients
Nalin Dahyabhai
nalin at fedoraproject.org
Wed Jul 16 19:14:38 UTC 2014
commit c42f43ea1ddb1bccddfa56d03740e02a34be57b2
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Wed Jul 16 15:13:24 2014 -0400
Add proposed fix for a double-free in gss clients
- gssapi: pull in proposed fix for a double free in initiators (David
Woodhouse, #1117963)
krb5-gssapi-mech-doublefree.patch | 49 +++++++++++++++++++++++++++++++++++++
krb5.spec | 10 +++++++-
2 files changed, 58 insertions(+), 1 deletions(-)
---
diff --git a/krb5-gssapi-mech-doublefree.patch b/krb5-gssapi-mech-doublefree.patch
new file mode 100644
index 0000000..c020fca
--- /dev/null
+++ b/krb5-gssapi-mech-doublefree.patch
@@ -0,0 +1,49 @@
+From: David Woodhouse <David.Woodhouse at intel.com>
+
+In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
+pointer sc->internal_mech became an alias into sc->mech_set->elements[],
+which should be considered constant for the duration of the SPNEGO
+context.
+
+So don't free it.
+
+This led to the obvious crashes in the allocator, and also to strange
+behaviour with Firefox failing to fall back to alternative mechanisms
+when it should have done.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1117963
+
+==31436== Invalid free() / delete / delete[] / realloc()
+==31436== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
+==31436== by 0x3AE900D6B9: generic_gss_release_oid_set (gssapi_alloc.h:93)
+==31436== by 0x3AE903775F: release_spnego_ctx (spnego_mech.c:2895)
+==31436== by 0x3AE9037830: spnego_gss_delete_sec_context (spnego_mech.c:2164)
+==31436== by 0x3AE9012292: gss_delete_sec_context (g_delete_sec_context.c:90)
+==31436== Address 0x4fb5510 is 0 bytes inside a block of size 80 free'd
+==31436== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
+==31436== by 0x3AE900C88E: generic_gss_release_oid (oid_ops.c:103)
+==31436== by 0x3AE903BE85: spnego_gss_init_sec_context (spnego_mech.c:792)
+==31436== by 0x3AE90154CA: gss_init_sec_context (g_init_sec_context.c:210)
+---
+ src/lib/gssapi/spnego/spnego_mech.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 173c6d2..8f829d8 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ OM_uint32 tmpmin;
+ size_t i;
+
+- generic_gss_release_oid(&tmpmin, &sc->internal_mech);
+ gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
+ GSS_C_NO_BUFFER);
+
+--
+1.9.3
+
+
+--
+David Woodhouse Open Source Technology Centre
+David.Woodhouse at intel.com Intel Corporation
diff --git a/krb5.spec b/krb5.spec
index 66d9689..1aabc09 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -41,7 +41,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.11.5
-Release: 8%{?dist}
+Release: 9%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.5-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -127,6 +127,8 @@ Patch161: krb5-1.11-mechd.patch
Patch162: krb5-1.12-CVE-2014-4341_4342.patch
Patch163: krb5-1.11-CVE-2014-4341_4342-tests.patch
+Patch164: krb5-gssapi-mech-doublefree.patch
+
# Patches for otp plugin backport
Patch201: krb5-1.11.2-keycheck.patch
Patch202: krb5-1.11.2-otp.patch
@@ -413,6 +415,8 @@ ln -s NOTICE LICENSE
%patch162 -p1 -b .CVE-2014-4341_4342
%patch163 -p1 -b .CVE-2014-4341_4342-tests
+%patch164 -p1 -b .gssapi-mech-doublefree
+
%patch201 -p1 -b .keycheck
%patch202 -p1 -b .otp
%patch203 -p1 -b .otp2
@@ -1085,6 +1089,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Wed Jul 16 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-9
+- gssapi: pull in proposed fix for a double free in initiators (David
+ Woodhouse, #1117963)
+
* Mon Jul 7 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-8
- pull in fix for denial of service by injection of malformed GSSAPI tokens
(CVE-2014-4341, CVE-2014-4342, #1116181)
More information about the scm-commits
mailing list