Accepting request 378714 from network

- Introduce patch 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch to fix CVE-2016-3119 (bsc#971942) OBS-URL: https://build.opensuse.org/request/show/378714 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=117
2016-03-29 07:53:21 +00:00 · 2016-03-29 07:53:21 +00:00 · 1a837358cb
commit 1a837358cb
parent 9edf221a87 fcaedabd68
3 changed files with 45 additions and 0 deletions
--- a/0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+++ b/0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
@ -0,0 +1,36 @@
+From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 14 Mar 2016 17:26:34 -0400
+Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119]
+
+In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
+if there is an empty string in the db_args array.  Check for this case
+and avoid dereferencing a null pointer.
+
+CVE-2016-3119:
+
+In MIT krb5 1.6 and later, an authenticated attacker with permission
+to modify a principal entry can cause kadmind to dereference a null
+pointer by supplying an empty DB argument to the modify_principal
+command, if kadmind is configured to use the LDAP KDB module.
+
+    CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
+
+ticket: 8383 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+
+Line numbers are slightly adjusted by Howard Guo <hguo@suse.com> to fit into this older version of Kerberos.
+
+diff -rupN krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+--- krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2016-03-23 14:00:44.669126353 +0100
+++ krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2016-03-23 14:01:45.993680720 +0100
+@@ -267,6 +267,7 @@ process_db_args(krb5_context context, ch
+     if (db_args) {
+         for (i=0; db_args[i]; ++i) {
+             arg = strtok_r(db_args[i], "=", &arg_val);
+            arg = (arg != NULL) ? arg : "";
+             if (strcmp(arg, TKTPOLICY_ARG) == 0) {
+                 dptr = &xargs->tktpolicydn;
+             } else {
--- a/krb5.changes
+++ b/krb5.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Mar 23 13:02:48 UTC 2016 - hguo@suse.com
+
+- Introduce patch
+  0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+  to fix CVE-2016-3119 (bsc#971942)
+
 -------------------------------------------------------------------
 Thu Feb 11 15:06:31 UTC 2016 - hguo@suse.com

--- a/krb5.spec
+++ b/krb5.spec
@ -75,6 +75,7 @@ Patch16:        krb5-mechglue_inqure_attrs.patch
 Patch104:       0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
 Patch105:       0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
 Patch106:       0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
+Patch107:       0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@ -188,6 +189,7 @@ Include Files for Development
 %patch104 -p1
 %patch105 -p1
 %patch106 -p1
+%patch107 -p1

 %build
 # needs to be re-generated