From ea14ad7c342029585be6044b711582e941375405c21d18d348052e3a71c3c73a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ismail=20D=C3=B6nmez?=
Date: Tue, 10 Nov 2015 16:57:00 +0000
Subject: [PATCH] Accepting request 343479 from home:guohouzuo:branches:network

- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch to fix a memory corruption regression introduced by resolution of CVE-2015-2698. bsc#954204

OBS-URL: https://build.opensuse.org/request/show/343479
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=150
---
 ...-context-export-import-CVE-2015-2698.patch | 120 ++++++++++++++++++
 krb5.changes | 7 +
 krb5.spec | 2 +
 3 files changed, 129 insertions(+)
 create mode 100644 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch

diff --git a/0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch b/0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
new file mode 100644
index 0000000..011a972
--- /dev/null
+++ b/0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
@@ -0,0 +1,120 @@
+From 3db8dfec1ef50ddd78d6ba9503185995876a39fd Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Sun, 1 Nov 2015 22:45:21 -0500
+Subject: [PATCH] Fix IAKERB context export/import [CVE-2015-2698]
+
+The patches for CVE-2015-2696 contained a regression in the newly
+added IAKERB iakerb_gss_export_sec_context() function, which could
+cause it to corrupt memory. Fix the regression by properly
+dereferencing the context_handle pointer before casting it.
+
+Also, the patches did not implement an IAKERB gss_import_sec_context()
+function, under the erroneous belief that an exported IAKERB context
+would be tagged as a krb5 context. Implement it now to allow IAKERB
+contexts to be successfully exported and imported after establishment.
+
+CVE-2015-2698:
+
+In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
+application which calls gss_export_sec_context() may experience memory
+corruption if the context was established using the IAKERB mechanism.
+Historically, some vulnerabilities of this nature can be translated
+into remote code execution, though the necessary exploits must be
+tailored to the individual application and are usually quite
+complicated.
+
+ CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
+
+ticket: 8273 (new)
+target_version: 1.14
+tags: pullup
+
+Line numbers are slightly adjusted by Howard Guo .
+
+diff -rupN krb5-1.12.1/src/lib/gssapi/krb5/gssapi_krb5.c krb5-1.12.1-patched/src/lib/gssapi/krb5/gssapi_krb5.c
+--- krb5-1.12.1/src/lib/gssapi/krb5/gssapi_krb5.c 2015-11-10 15:37:32.209657599 +0100
++++ krb5-1.12.1-patched/src/lib/gssapi/krb5/gssapi_krb5.c 2015-11-10 15:38:52.106323672 +0100
+@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanis
+ NULL,
+ #else
+ iakerb_gss_export_sec_context,
+- NULL,
++ iakerb_gss_import_sec_context,
+ #endif
+ krb5_gss_inquire_cred_by_mech,
+ krb5_gss_inquire_names_for_mech,
+diff -rupN krb5-1.12.1/src/lib/gssapi/krb5/gssapiP_krb5.h krb5-1.12.1-patched/src/lib/gssapi/krb5/gssapiP_krb5.h
+--- krb5-1.12.1/src/lib/gssapi/krb5/gssapiP_krb5.h 2015-11-10 15:37:32.209657599 +0100
++++ krb5-1.12.1-patched/src/lib/gssapi/krb5/gssapiP_krb5.h 2015-11-10 15:38:52.106323672 +0100
+@@ -1393,6 +1393,11 @@ OM_uint32 KRB5_CALLCONV
+ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ gss_buffer_t interprocess_token);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_import_sec_context(OM_uint32 *minor_status,
++ const gss_buffer_t interprocess_token,
++ gss_ctx_id_t *context_handle);
+ #endif /* LEAN_CLIENT */
+ 
+ OM_uint32 KRB5_CALLCONV
+diff -rupN krb5-1.12.1/src/lib/gssapi/krb5/iakerb.c krb5-1.12.1-patched/src/lib/gssapi/krb5/iakerb.c
+--- krb5-1.12.1/src/lib/gssapi/krb5/iakerb.c 2015-11-10 15:37:32.209657599 +0100
++++ krb5-1.12.1-patched/src/lib/gssapi/krb5/iakerb.c 2015-11-10 15:41:43.431752632 +0100
+@@ -1061,7 +1061,7 @@ iakerb_gss_export_sec_context(OM_uint32
+ gss_buffer_t interprocess_token)
+ {
+ OM_uint32 maj;
+- iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
+ 
+ /* We don't currently support exporting partially established contexts. */
+ if (!ctx->established)
+@@ -1076,12 +1076,41 @@ iakerb_gss_export_sec_context(OM_uint32
+ return maj;
+ }
+ 
+-/*
+- * Until we implement partial context exports, there are no SPNEGO exported
+- * context tokens, only tokens for the underlying krb5 context. So we do not
+- * need to implement an iakerb_gss_import_sec_context() yet; it would be
+- * unreachable except via a manually constructed token.
+- */
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_import_sec_context(OM_uint32 *minor_status,
++ gss_buffer_t interprocess_token,
++ gss_ctx_id_t *context_handle)
++{
++ OM_uint32 maj, tmpmin;
++ krb5_error_code code;
++ gss_ctx_id_t gssc;
++ krb5_gss_ctx_id_t kctx;
++ iakerb_ctx_id_t ctx;
++
++ maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc);
++ if (maj != GSS_S_COMPLETE)
++ return maj;
++ kctx = (krb5_gss_ctx_id_t)gssc;
++
++ if (!kctx->established) {
++ /* We don't currently support importing partially established
++ * contexts. */
++ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
++ return GSS_S_FAILURE;
++ }
++
++ code = iakerb_alloc_context(&ctx, kctx->initiate);
++ if (code != 0) {
++ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
++ *minor_status = code;
++ return GSS_S_FAILURE;
++ }
++
++ ctx->gssc = gssc;
++ ctx->established = 1;
++ *context_handle = (gss_ctx_id_t)ctx;
++ return GSS_S_COMPLETE;
++}
+ 
+ #endif /* LEAN_CLIENT */
+ 
diff --git a/krb5.changes b/krb5.changes
index 1cc012c..df8312f 100644
--- a/krb5.changes
+++ b/krb5.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Nov 10 14:57:01 UTC 2015 - hguo@suse.com
+
+- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+ to fix a memory corruption regression introduced by resolution of
+ CVE-2015-2698. bsc#954204
+
 -------------------------------------------------------------------
 Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com
 
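Review bot: In the new `iakerb_gss_import_sec_context()` (embedded iakerb.c hunk at -1076), the `!kctx->established` branch returns `GSS_S_FAILURE` without assigning `*minor_status`, unlike the `iakerb_alloc_context()` failure branch right below it, so the caller is handed a major failure together with whatever minor code the preceding successful `krb5_gss_import_sec_context()` left behind (presumably 0). An explicit minor code before that return, e.g. `*minor_status = KG_CTX_INCOMPLETE;`, keeps the two failure paths consistent and gives callers something to display. Separately, the gssapiP_krb5.h hunk declares the second parameter as `const gss_buffer_t interprocess_token` while the iakerb.c definition uses plain `gss_buffer_t`; this is compatible because top-level qualifiers on parameters do not affect function type compatibility, but the two should be written the same. Note also that this commit's description and the krb5.changes entry say the regression was "introduced by resolution of CVE-2015-2698", whereas the embedded upstream header attributes the regression to the CVE-2015-2696 patches and uses CVE-2015-2698 as the identifier for the regression itself, so the changelog wording is worth correcting before release. The -1061 hunk cuts through `iakerb_gss_export_sec_context()`, whose body continues outside it.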
diff --git a/krb5.spec b/krb5.spec
index a9731db..b66ff79 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -86,6 +86,7 @@ Patch14: krb5-kvno-230379.patch
 Patch100: 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
 Patch101: 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
 Patch102: 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+Patch103: 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: mktemp, grep, /bin/touch, coreutils
 PreReq: %fillup_prereq
@@ -207,6 +208,7 @@ Include Files for Development
 %patch100 -p1
 %patch101 -p1
 %patch102 -p1
+%patch103 -p1
 
 %build
 # needs to be re-generated