[krb5/f19] Add patch for CVE-2014-4344

Nalin Dahyabhai nalin at fedoraproject.org
Mon Jul 21 22:09:35 UTC 2014


commit e600d5d58e394670d8e6b8cdd5cde88e4cbdfaf4
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Mon Jul 21 18:07:32 2014 -0400

    Add patch for CVE-2014-4344
    
    - gssapi: pull in upstream fix for a possible NULL dereference in spnego
      (CVE-2014-4344)

 krb5-gssapi-spnego-deref.patch |   44 ++++++++++++++++++++++++++++++++++++++++
 krb5.spec                      |    8 ++++++-
 2 files changed, 51 insertions(+), 1 deletions(-)
---
diff --git a/krb5-gssapi-spnego-deref.patch b/krb5-gssapi-spnego-deref.patch
new file mode 100644
index 0000000..b529d03
--- /dev/null
+++ b/krb5-gssapi-spnego-deref.patch
@@ -0,0 +1,44 @@
+commit 524688ce87a15fc75f87efc8c039ba4c7d5c197b
+Author: Greg Hudson <ghudson at mit.edu>
+Date:   Tue Jul 15 12:56:01 2014 -0400
+
+    Fix null deref in SPNEGO acceptor [CVE-2014-4344]
+    
+    When processing a continuation token, acc_ctx_cont was dereferencing
+    the initial byte of the token without checking the length.  This could
+    result in a null dereference.
+    
+    CVE-2014-4344:
+    
+    In MIT krb5 1.5 and newer, an unauthenticated or partially
+    authenticated remote attacker can cause a NULL dereference and
+    application crash during a SPNEGO negotiation by sending an empty
+    token as the second or later context token from initiator to acceptor.
+    The attacker must provide at least one valid context token in the
+    security context negotiation before sending the empty token.  This can
+    be done by an unauthenticated attacker by forcing SPNEGO to
+    renegotiate the underlying mechanism, or by using IAKERB to wrap an
+    unauthenticated AS-REQ as the first token.
+    
+        CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+    
+    [kaduk at mit.edu: CVE summary, CVSSv2 vector]
+    
+    ticket: 7970 (new)
+    subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
+    target_version: 1.12.2
+    tags: pullup
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 8f829d8..2aa6810 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat,
+ 
+ 	ptr = bufstart = buf->value;
+ #define REMAIN (buf->length - (ptr - bufstart))
+-	if (REMAIN > INT_MAX)
++	if (REMAIN == 0 || REMAIN > INT_MAX)
+ 		return GSS_S_DEFECTIVE_TOKEN;
+ 
+ 	/*
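Review bot: the `REMAIN == 0` guard added in the `spnego_mech.c` hunk sits at the right point, since `ptr = bufstart = buf->value;` on the line above is only an assignment and the read of the token's first byte that the commit message describes comes after this check; with a zero-length token `buf->value` may be NULL, so the old `REMAIN > INT_MAX` test alone let that read through. Two things worth confirming before merging: the upstream commit's `target_version` is 1.12.2 while this package is 1.11.3, so check that the hunk at `acc_ctx_cont` (line 1468 upstream) applies to the 1.11.3 `spnego_mech.c` cleanly rather than with fuzz, and consider carrying a regression test that feeds the acceptor an empty second context token and expects `GSS_S_DEFECTIVE_TOKEN`, as Patch160 does for CVE-2014-4341_4342.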
diff --git a/krb5.spec b/krb5.spec
index 8c5ec8d..02ed459 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -32,7 +32,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.3
-Release: 23%{?dist}
+Release: 24%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -124,6 +124,7 @@ Patch159: krb5-1.12-CVE-2014-4341_4342.patch
 Patch160: krb5-1.11-CVE-2014-4341_4342-tests.patch
 
 Patch161: krb5-gssapi-mech-doublefree.patch
+Patch162: krb5-gssapi-spnego-deref.patch
 
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
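Review bot: `Patch162: krb5-gssapi-spnego-deref.patch` is named by symptom while the neighbouring CVE fixes (`Patch159: krb5-1.12-CVE-2014-4341_4342.patch`) carry the CVE id in the file name; naming this one `krb5-1.12-CVE-2014-4344.patch` (with the matching `-b .CVE-2014-4344` backup suffix in the `%patch162` line) would keep the CVE greppable in the spec and make the upstream version it was taken from explicit.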
@@ -402,6 +403,7 @@ ln -s NOTICE LICENSE
 %patch160 -p1 -b .CVE-2014-4341_4342-tests
 
 %patch161 -p1 -b .gssapi-mech-doublefree
+%patch162 -p1 -b .gssapi-spnego-deref
 
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@@ -996,6 +998,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Mon Jul 21 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-24
+- gssapi: pull in upstream fix for a possible NULL dereference
+  in spnego (CVE-2014-4344)
+
 * Wed Jul 16 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-23
 - gssapi: pull in proposed fix for a double free in initiators (David
   Woodhouse, #1117963)
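Review bot: the new changelog entry for 1.11.3-24 cites the CVE but no Bugzilla tracking bug, whereas the preceding 1.11.3-23 entry references `#1117963`; if a tracking bug exists for CVE-2014-4344 in this branch, add its number to the entry so the update tooling can link the build to the bug.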