diff --git a/krb5-1.8-MITKRB5-SA-2011-004.dif b/krb5-1.8-MITKRB5-SA-2011-004.dif
new file mode 100644
index 0000000..2b03e85
--- /dev/null
+++ b/krb5-1.8-MITKRB5-SA-2011-004.dif
@@ -0,0 +1,35 @@
+diff --git a/src/kadmin/server/network.c b/src/kadmin/server/network.c
+index c8ce4f1..bb911ff 100644
+--- a/src/kadmin/server/network.c
++++ b/src/kadmin/server/network.c
+@@ -1384,6 +1384,10 @@ cleanup:
+ if (local_kaddrs != NULL)
+ krb5_free_addresses(server_handle->context, local_kaddrs);
+ 
++ if ((*response)->data == NULL) {
++ free(*response);
++ *response = NULL;
++ }
+ krb5_kt_close(server_handle->context, kt);
+ 
+ return ret;
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index c1b2217..992b55f 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -74,8 +74,13 @@ process_chpw_request(context, server_handle, realm, keytab,
+ plen = (*ptr++ & 0xff);
+ plen = (plen<<8) | (*ptr++ & 0xff);
+ 
+- if (plen != req->length)
+- return(KRB5KRB_AP_ERR_MODIFIED);
++ if (plen != req->length) {
++ ret = KRB5KRB_AP_ERR_MODIFIED;
++ numresult = KRB5_KPASSWD_MALFORMED;
++ strlcpy(strresult, "Request length was inconsistent",
++ sizeof(strresult));
++ goto chpwfail;
++ }
+ 
+ /* verify version number */
+ 
diff --git a/krb5-mini.changes b/krb5-mini.changes
index d830641..82252d7 100644
--- a/krb5-mini.changes
+++ b/krb5-mini.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de
+
+- fix kadmind invalid pointer free()
+ (MITKRB5-SA-2011-004, bnc#687469)
+ CVE-2011-0285
+
 -------------------------------------------------------------------
 Tue Mar 1 12:43:22 CET 2011 - mc@suse.de
 
diff --git a/krb5-mini.spec b/krb5-mini.spec
index dbcace2..a05bdaa 100644
--- a/krb5-mini.spec
+++ b/krb5-mini.spec
@@ -1,5 +1,5 @@
 #
-# spec file for package krb5-mini
+# spec file for package krb5
 #
 # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
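Review bot: The cleanup block added in the network.c part of the embedded patch reads `(*response)->data` without first checking that `*response` itself is non-NULL; if any path in this function reaches `cleanup:` before the response buffer is allocated, that read is a null dereference rather than the invalid free() the patch is meant to remove. A defensive form is `if (*response != NULL && (*response)->data == NULL) {`. The enclosing function starts and ends outside the hunk, so whether such a path exists cannot be confirmed from here. The schpw.c part is consistent with this intent: routing the length mismatch through `chpwfail` presumably lets the normal response construction run, so the network.c guard becomes a fallback for any remaining early exits rather than the primary fix.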
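Review bot: The header comment in krb5-mini.spec now reads `# spec file for package krb5`, which no longer matches the file's own package name; this looks like an artifact of syncing the header from krb5.spec rather than an intended change. If the mini spec is generated from krb5.spec by a checkin script, the comment is harmless but misleading, and keeping `# spec file for package krb5-mini` avoids the confusion.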
@@ -28,7 +28,7 @@ Url: http://web.mit.edu/kerberos/www/
 BuildRequires: bison libcom_err-devel ncurses-devel
 BuildRequires: keyutils keyutils-devel
 Version: 1.8.3
-Release: 5
+Release: 18
 %if ! 0%{?build_mini}
 BuildRequires: libopenssl-devel openldap2-devel
 # bug437293
@@ -60,6 +60,7 @@ Patch13: MITKRB5-SA-2010-007-1.8.dif
 Patch14: krb5-1.8-MITKRB5-SA-2011-001.dif
 Patch15: krb5-1.8-MITKRB5-SA-2011-002.dif
 Patch16: krb5-1.8-MITKRB5-SA-2011-003.dif
+Patch17: krb5-1.8-MITKRB5-SA-2011-004.dif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: mktemp, grep, /bin/touch, coreutils
 PreReq: %insserv_prereq %fillup_prereq
@@ -212,6 +213,7 @@ Authors:
 %patch14 -p1
 %patch15 -p0
 %patch16 -p1
+%patch17 -p1
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do
diff --git a/krb5.changes b/krb5.changes
index d830641..82252d7 100644
--- a/krb5.changes
+++ b/krb5.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de
+
+- fix kadmind invalid pointer free()
+ (MITKRB5-SA-2011-004, bnc#687469)
+ CVE-2011-0285
+
 -------------------------------------------------------------------
 Tue Mar 1 12:43:22 CET 2011 - mc@suse.de
 
diff --git a/krb5.spec b/krb5.spec
index 6b052ea..f04c672 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -60,6 +60,7 @@ Patch13: MITKRB5-SA-2010-007-1.8.dif
 Patch14: krb5-1.8-MITKRB5-SA-2011-001.dif
 Patch15: krb5-1.8-MITKRB5-SA-2011-002.dif
 Patch16: krb5-1.8-MITKRB5-SA-2011-003.dif
+Patch17: krb5-1.8-MITKRB5-SA-2011-004.dif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: mktemp, grep, /bin/touch, coreutils
 PreReq: %insserv_prereq %fillup_prereq
@@ -212,6 +213,7 @@ Authors:
 %patch14 -p1
 %patch15 -p0
 %patch16 -p1
+%patch17 -p1
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do