- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)

krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch Fix null deref in SPNEGO acceptor [CVE-2014-4344] krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=124
2014-07-28 09:58:41 +00:00 · 2014-07-28 09:58:41 +00:00 · f2e853070c
commit f2e853070c
parent 3ac7b19a80
6 changed files with 140 additions and 1 deletions
--- a/krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
+++ b/krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
@ -0,0 +1,66 @@
 From f18ddf5d82de0ab7591a36e465bc24225776940f Mon Sep 17 00:00:00 2001
 From: David Woodhouse <David.Woodhouse@intel.com>
 Date: Tue, 15 Jul 2014 12:54:15 -0400
 Subject: [PATCH] Fix double-free in SPNEGO [CVE-2014-4343]
 In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
 pointer sc->internal_mech became an alias into sc->mech_set->elements,
 which should be considered constant for the duration of the SPNEGO
 context.  So don't free it.
 CVE-2014-4343:
 In MIT krb5 releases 1.10 and newer, an unauthenticated remote
 attacker with the ability to spoof packets appearing to be from a
 GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
 (clients) which are using the SPNEGO mechanism, by returning a
 different underlying mechanism than was proposed by the initiator.  At
 this stage of the negotiation, the acceptor is unauthenticated, and
 the acceptor's response could be spoofed by an attacker with the
 ability to inject traffic to the initiator.
 Historically, some double-free vulnerabilities can be translated into
 remote code execution, though the necessary exploits must be tailored
 to the individual application and are usually quite
 complicated. Double-frees can also be exploited to cause an
 application crash, for a denial of service.  However, most GSSAPI
 client applications are not vulnerable, as the SPNEGO mechanism is not
 used by default (when GSS_C_NO_OID is passed as the mech_type argument
 to gss_init_sec_context()).  The most common use of SPNEGO is for
 HTTP-Negotiate, used in web browsers and other web clients.  Most such
 clients are believed to not offer HTTP-Negotiate by default, instead
 requiring a whitelist of sites for which it may be used to be
 configured.  If the whitelist is configured to only allow
 HTTP-Negotiate over TLS connections ("https://"), a successful
 attacker must also spoof the web server's SSL certificate, due to the
 way the WWW-Authenticate header is sent in a 401 (Unauthorized)
 response message.  Unfortunately, many instructions for enabling
 HTTP-Negotiate in common web browsers do not include a TLS
 requirement.
    CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
 [kaduk@mit.edu: CVE summary and CVSSv2 vector]
 ticket: 7969 (new)
 target_version: 1.12.2
 tags: pullup
 ---
 src/lib/gssapi/spnego/spnego_mech.c | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
 index 173c6d2..8f829d8 100644
 --- a/src/lib/gssapi/spnego/spnego_mech.c
 +++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
 	OM_uint32 tmpmin;
 	size_t i;
 -	generic_gss_release_oid(&tmpmin, &sc->internal_mech);
 	gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
 			       GSS_C_NO_BUFFER);
 -- 
 1.9.3
--- a/krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
+++ b/krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
@ -0,0 +1,49 @@
 From 524688ce87a15fc75f87efc8c039ba4c7d5c197b Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 15 Jul 2014 12:56:01 -0400
 Subject: [PATCH] Fix null deref in SPNEGO acceptor [CVE-2014-4344]
 When processing a continuation token, acc_ctx_cont was dereferencing
 the initial byte of the token without checking the length.  This could
 result in a null dereference.
 CVE-2014-4344:
 In MIT krb5 1.5 and newer, an unauthenticated or partially
 authenticated remote attacker can cause a NULL dereference and
 application crash during a SPNEGO negotiation by sending an empty
 token as the second or later context token from initiator to acceptor.
 The attacker must provide at least one valid context token in the
 security context negotiation before sending the empty token.  This can
 be done by an unauthenticated attacker by forcing SPNEGO to
 renegotiate the underlying mechanism, or by using IAKERB to wrap an
 unauthenticated AS-REQ as the first token.
    CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
 [kaduk@mit.edu: CVE summary, CVSSv2 vector]
 ticket: 7970 (new)
 subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
 target_version: 1.12.2
 tags: pullup
 ---
 src/lib/gssapi/spnego/spnego_mech.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
 index 8f829d8..2aa6810 100644
 --- a/src/lib/gssapi/spnego/spnego_mech.c
 +++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat,
 	ptr = bufstart = buf->value;
 #define REMAIN (buf->length - (ptr - bufstart))
 -	if (REMAIN > INT_MAX)
 +	if (REMAIN == 0 || REMAIN > INT_MAX)
 		return GSS_S_DEFECTIVE_TOKEN;
 	/*
 -- 
 1.9.3
--- a/krb5-mini.changes
+++ b/krb5-mini.changes
@ -1,3 +1,11 @@
 -------------------------------------------------------------------
 Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com
 - Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)
  krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
  Fix null deref in SPNEGO acceptor [CVE-2014-4344]
  krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
 -------------------------------------------------------------------
 Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com
--- a/krb5-mini.spec
+++ b/krb5-mini.spec
@ -49,7 +49,7 @@ BuildRequires:  python-lxml
 BuildRequires:  pkgconfig(systemd)
 %{?systemd_requires}
 %else
-PreReq:         %insserv_prereq
+PreReq:         %insserv_prereq 
 %endif
 # bug437293
 %ifarch ppc64
@ -84,6 +84,8 @@ Patch13:        krb5-1.9-debuginfo.patch
 Patch14:        krb5-kvno-230379.patch
 Patch15:        krb5-master-keyring-kdcsync.patch
 Patch16:        krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
 Patch17:        krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
 Patch18:        krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@ -205,6 +207,8 @@ Include Files for Development
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
 %patch18 -p1
 %build
 # needs to be re-generated
--- a/krb5.changes
+++ b/krb5.changes
@ -1,3 +1,11 @@
 -------------------------------------------------------------------
 Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com
 - Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)
  krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
  Fix null deref in SPNEGO acceptor [CVE-2014-4344]
  krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
 -------------------------------------------------------------------
 Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com
--- a/krb5.spec
+++ b/krb5.spec
@ -84,6 +84,8 @@ Patch13:        krb5-1.9-debuginfo.patch
 Patch14:        krb5-kvno-230379.patch
 Patch15:        krb5-master-keyring-kdcsync.patch
 Patch16:        krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
 Patch17:        krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
 Patch18:        krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@ -205,6 +207,8 @@ Include Files for Development
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
 %patch18 -p1
 %build
 # needs to be re-generated