Accepting request 343479 from home:guohouzuo:branches:network

- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch to fix a memory corruption regression introduced by resolution of CVE-2015-2698. bsc#954204 OBS-URL: https://build.opensuse.org/request/show/343479 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=150
2015-11-10 16:57:00 +00:00
parent aa93054403
commit ea14ad7c34
3 changed files with 129 additions and 0 deletions
--- a/0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+++ b/0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
@@ -0,0 +1,120 @@
 From 3db8dfec1ef50ddd78d6ba9503185995876a39fd Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Sun, 1 Nov 2015 22:45:21 -0500
 Subject: [PATCH] Fix IAKERB context export/import [CVE-2015-2698]
 The patches for CVE-2015-2696 contained a regression in the newly
 added IAKERB iakerb_gss_export_sec_context() function, which could
 cause it to corrupt memory.  Fix the regression by properly
 dereferencing the context_handle pointer before casting it.
 Also, the patches did not implement an IAKERB gss_import_sec_context()
 function, under the erroneous belief that an exported IAKERB context
 would be tagged as a krb5 context.  Implement it now to allow IAKERB
 contexts to be successfully exported and imported after establishment.
 CVE-2015-2698:
 In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
 application which calls gss_export_sec_context() may experience memory
 corruption if the context was established using the IAKERB mechanism.
 Historically, some vulnerabilities of this nature can be translated
 into remote code execution, though the necessary exploits must be
 tailored to the individual application and are usually quite
 complicated.
    CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
 ticket: 8273 (new)
 target_version: 1.14
 tags: pullup
 Line numbers are slightly adjusted by Howard Guo <hguo@suse.com>.
 diff -rupN krb5-1.12.1/src/lib/gssapi/krb5/gssapi_krb5.c krb5-1.12.1-patched/src/lib/gssapi/krb5/gssapi_krb5.c
 --- krb5-1.12.1/src/lib/gssapi/krb5/gssapi_krb5.c	2015-11-10 15:37:32.209657599 +0100
 +++ krb5-1.12.1-patched/src/lib/gssapi/krb5/gssapi_krb5.c	2015-11-10 15:38:52.106323672 +0100
@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanis
     NULL,
 #else
     iakerb_gss_export_sec_context,
 -    NULL,
 +    iakerb_gss_import_sec_context,
 #endif
     krb5_gss_inquire_cred_by_mech,
     krb5_gss_inquire_names_for_mech,
 diff -rupN krb5-1.12.1/src/lib/gssapi/krb5/gssapiP_krb5.h krb5-1.12.1-patched/src/lib/gssapi/krb5/gssapiP_krb5.h
 --- krb5-1.12.1/src/lib/gssapi/krb5/gssapiP_krb5.h	2015-11-10 15:37:32.209657599 +0100
 +++ krb5-1.12.1-patched/src/lib/gssapi/krb5/gssapiP_krb5.h	2015-11-10 15:38:52.106323672 +0100
@@ -1393,6 +1393,11 @@ OM_uint32 KRB5_CALLCONV
 iakerb_gss_export_sec_context(OM_uint32 *minor_status,
                               gss_ctx_id_t *context_handle,
                               gss_buffer_t interprocess_token);
 +
 +OM_uint32 KRB5_CALLCONV
 +iakerb_gss_import_sec_context(OM_uint32 *minor_status,
 +                              const gss_buffer_t interprocess_token,
 +                              gss_ctx_id_t *context_handle);
 #endif /* LEAN_CLIENT */
 OM_uint32 KRB5_CALLCONV
 diff -rupN krb5-1.12.1/src/lib/gssapi/krb5/iakerb.c krb5-1.12.1-patched/src/lib/gssapi/krb5/iakerb.c
 --- krb5-1.12.1/src/lib/gssapi/krb5/iakerb.c	2015-11-10 15:37:32.209657599 +0100
 +++ krb5-1.12.1-patched/src/lib/gssapi/krb5/iakerb.c	2015-11-10 15:41:43.431752632 +0100
@@ -1061,7 +1061,7 @@ iakerb_gss_export_sec_context(OM_uint32
                               gss_buffer_t interprocess_token)
 {
     OM_uint32 maj;
 -    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
 +    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
     /* We don't currently support exporting partially established contexts. */
     if (!ctx->established)
@@ -1076,12 +1076,41 @@ iakerb_gss_export_sec_context(OM_uint32
     return maj;
 }
 -/*
 - * Until we implement partial context exports, there are no SPNEGO exported
 - * context tokens, only tokens for the underlying krb5 context.  So we do not
 - * need to implement an iakerb_gss_import_sec_context() yet; it would be
 - * unreachable except via a manually constructed token.
 - */
 +OM_uint32 KRB5_CALLCONV
 +iakerb_gss_import_sec_context(OM_uint32 *minor_status,
 +                              gss_buffer_t interprocess_token,
 +                              gss_ctx_id_t *context_handle)
 +{
 +    OM_uint32 maj, tmpmin;
 +    krb5_error_code code;
 +    gss_ctx_id_t gssc;
 +    krb5_gss_ctx_id_t kctx;
 +    iakerb_ctx_id_t ctx;
 +
 +    maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc);
 +    if (maj != GSS_S_COMPLETE)
 +        return maj;
 +    kctx = (krb5_gss_ctx_id_t)gssc;
 +
 +    if (!kctx->established) {
 +        /* We don't currently support importing partially established
 +         * contexts. */
 +        krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
 +        return GSS_S_FAILURE;
 +    }
 +
 +    code = iakerb_alloc_context(&ctx, kctx->initiate);
 +    if (code != 0) {
 +        krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
 +        *minor_status = code;
 +        return GSS_S_FAILURE;
 +    }
 +
 +    ctx->gssc = gssc;
 +    ctx->established = 1;
 +    *context_handle = (gss_ctx_id_t)ctx;
 +    return GSS_S_COMPLETE;
 +}
 #endif /* LEAN_CLIENT */
--- a/krb5.changes
+++ b/krb5.changes
@@ -1,3 +1,10 @@
 -------------------------------------------------------------------
 Tue Nov 10 14:57:01 UTC 2015 - hguo@suse.com
 - Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
  to fix a memory corruption regression introduced by resolution of
  CVE-2015-2698. bsc#954204
 -------------------------------------------------------------------
 Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com
--- a/krb5.spec
+++ b/krb5.spec
@@ -86,6 +86,7 @@ Patch14:        krb5-kvno-230379.patch
 Patch100:       0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
 Patch101:       0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
 Patch102:       0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
 Patch103:       0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@@ -207,6 +208,7 @@ Include Files for Development
 %patch100 -p1
 %patch101 -p1
 %patch102 -p1
 %patch103 -p1
 %build
 # needs to be re-generated