Accepting request 915042 from home:scabrero:branches:network

- Fix KDC null pointer dereference via a FAST inner body that
  lacks a server field; (CVE-2021-37750); (bsc#1189929);
- Added patches:
  * 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch

OBS-URL: https://build.opensuse.org/request/show/915042
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=253

0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch

@@ -0,0 +1,48 @@
+From 74444508aa249bf8d34865e25413c6432e7583b4 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 3 Aug 2021 01:15:27 -0400
+Subject: [PATCH] Fix KDC null deref on TGS inner body null server
+
+After the KDC decodes a FAST inner body, it does not check for a null
+server.  Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
+would typically result in an error from krb5_unparse_name(), but with
+the addition of get_local_tgt() it results in a null dereference.  Add
+a null check.
+
+Reported by Joseph Sutton of Catalyst.
+
+CVE-2021-37750:
+
+In MIT krb5 releases 1.14 and later, an authenticated attacker can
+cause a null dereference in the KDC by sending a FAST TGS request with
+no server field.
+
+ticket: 9008 (new)
+tags: pullup
+target_version: 1.19-next
+target_version: 1.18-next
+
+(cherry picked from commit d775c95af7606a51bf79547a94fa52ddd1cb7f49)
+---
+ src/kdc/do_tgs_req.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index 6d244ffd4..39a504ca1 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -207,6 +207,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
+         status = "FIND_FAST";
+         goto cleanup;
+     }
++    if (sprinc == NULL) {
++        status = "NULL_SERVER";
++        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
++        goto cleanup;
++    }
+ 
+     errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
+                             &local_tgt, &local_tgt_storage, &local_tgt_key);
+-- 
+2.33.0
+

krb5-mini.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Aug 30 12:45:25 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
+
+- Fix KDC null pointer dereference via a FAST inner body that
+  lacks a server field; (CVE-2021-37750); (bsc#1189929);
+- Added patches:
+  * 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
+
 -------------------------------------------------------------------
 Mon Aug  2 08:39:31 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
 

krb5-mini.spec

@@ -44,6 +44,7 @@ Patch5:         0005-krb5-1.6.3-ktutil-manpage.patch
 Patch6:         0006-krb5-1.12-api.patch
 Patch7:         0007-SELinux-integration.patch
 Patch8:         0008-krb5-1.9-debuginfo.patch
+Patch9:         0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
 BuildRequires:  autoconf
 BuildRequires:  bison
 BuildRequires:  keyutils

krb5.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Aug 30 12:45:25 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
+
+- Fix KDC null pointer dereference via a FAST inner body that
+  lacks a server field; (CVE-2021-37750); (bsc#1189929);
+- Added patches:
+  * 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
+
 -------------------------------------------------------------------
 Mon Aug  2 08:39:31 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
 

krb5.spec

@@ -42,6 +42,7 @@ Patch5:         0005-krb5-1.6.3-ktutil-manpage.patch
 Patch6:         0006-krb5-1.12-api.patch
 Patch7:         0007-SELinux-integration.patch
 Patch8:         0008-krb5-1.9-debuginfo.patch
+Patch9:         0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
 BuildRequires:  autoconf
 BuildRequires:  bison
 BuildRequires:  cyrus-sasl-devel