add credits to patch

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=163
2016-03-23 13:33:17 +00:00 · 2016-03-23 13:33:17 +00:00 · fcaedabd68
commit fcaedabd68
parent 83e7befa84
1 changed files with 25 additions and 0 deletions
--- a/0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+++ b/0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
@ -1,3 +1,28 @@
+From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 14 Mar 2016 17:26:34 -0400
+Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119]
+
+In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
+if there is an empty string in the db_args array.  Check for this case
+and avoid dereferencing a null pointer.
+
+CVE-2016-3119:
+
+In MIT krb5 1.6 and later, an authenticated attacker with permission
+to modify a principal entry can cause kadmind to dereference a null
+pointer by supplying an empty DB argument to the modify_principal
+command, if kadmind is configured to use the LDAP KDB module.
+
+    CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
+
+ticket: 8383 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+
+Line numbers are slightly adjusted by Howard Guo <hguo@suse.com> to fit into this older version of Kerberos.
+
 diff -rupN krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
 --- krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2016-03-23 14:00:44.669126353 +0100
 +++ krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2016-03-23 14:01:45.993680720 +0100