pool/krb5
SHA256
11
0
Fork 1
Code Issues Pull Requests Activity

Accepting request 378714 from network

Browse Source 
- Introduce patch
  0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
  to fix CVE-2016-3119 (bsc#971942)

OBS-URL: https://build.opensuse.org/request/show/378714
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=117
This commit is contained in:
Dominique Leuenberger
2016-03-29 07:53:21 +00:00
committed by Git OBS Bridge
parent 9edf221a87 fcaedabd68
commit 1a837358cb
3 changed files with 45 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch Normal file
View File

@@ -0,0 +1,36 @@
From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 14 Mar 2016 17:26:34 -0400
Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119]
In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
if there is an empty string in the db_args array. Check for this case
and avoid dereferencing a null pointer.
CVE-2016-3119:
In MIT krb5 1.6 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying an empty DB argument to the modify_principal
command, if kadmind is configured to use the LDAP KDB module.
CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
ticket: 8383 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
Line numbers are slightly adjusted by Howard Guo <hguo@suse.com> to fit into this older version of Kerberos.
diff -rupN krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
--- krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-03-23 14:00:44.669126353 +0100
+++ krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-03-23 14:01:45.993680720 +0100
@@ -267,6 +267,7 @@ process_db_args(krb5_context context, ch
if (db_args) {
for (i=0; db_args[i]; ++i) {
arg = strtok_r(db_args[i], "=", &arg_val);
+ arg = (arg != NULL) ? arg : "";
if (strcmp(arg, TKTPOLICY_ARG) == 0) {
dptr = &xargs->tktpolicydn;
} else {

7
krb5.changes
View File

@@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Mar 23 13:02:48 UTC 2016 - hguo@suse.com
- Introduce patch
0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
to fix CVE-2016-3119 (bsc#971942)
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Feb 11 15:06:31 UTC 2016 - hguo@suse.com Thu Feb 11 15:06:31 UTC 2016 - hguo@suse.com

2
krb5.spec
View File

@@ -75,6 +75,7 @@ Patch16: krb5-mechglue_inqure_attrs.patch
Patch104: 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch Patch104: 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
Patch105: 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch Patch105: 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
Patch106: 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch Patch106: 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
Patch107: 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq PreReq: %fillup_prereq
@@ -188,6 +189,7 @@ Include Files for Development
%patch104 -p1 %patch104 -p1
%patch105 -p1 %patch105 -p1
%patch106 -p1 %patch106 -p1
%patch107 -p1
%build %build
# needs to be re-generated # needs to be re-generated