From 83e7befa8430cb355243542728f485a0459028980fa56d59ea15865544500ea9 Mon Sep 17 00:00:00 2001
From: Howard Guo <null@suse.de>
Date: Wed, 23 Mar 2016 13:16:38 +0000
Subject: [PATCH 1/2] Accepting request 378678 from
 home:guohouzuo:branches:network

- Introduce patch
  0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
  to fix CVE-2016-3119 (bsc#971942)

OBS-URL: https://build.opensuse.org/request/show/378678
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=162
---
 ...x-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch | 11 +++++++++++
 krb5.changes                                          |  7 +++++++
 krb5.spec                                             |  2 ++
 3 files changed, 20 insertions(+)
 create mode 100644 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch

diff --git a/0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch b/0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
new file mode 100644
index 0000000..4905493
--- /dev/null
+++ b/0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
@@ -0,0 +1,11 @@
+diff -rupN krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+--- krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2016-03-23 14:00:44.669126353 +0100
++++ krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2016-03-23 14:01:45.993680720 +0100
+@@ -267,6 +267,7 @@ process_db_args(krb5_context context, ch
+     if (db_args) {
+         for (i=0; db_args[i]; ++i) {
+             arg = strtok_r(db_args[i], "=", &arg_val);
++            arg = (arg != NULL) ? arg : "";
+             if (strcmp(arg, TKTPOLICY_ARG) == 0) {
+                 dptr = &xargs->tktpolicydn;
+             } else {
diff --git a/krb5.changes b/krb5.changes
index 5bbbf23..22b01b2 100644
--- a/krb5.changes
+++ b/krb5.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Mar 23 13:02:48 UTC 2016 - hguo@suse.com
+
+- Introduce patch
+  0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+  to fix CVE-2016-3119 (bsc#971942)
+
 -------------------------------------------------------------------
 Thu Feb 11 15:06:31 UTC 2016 - hguo@suse.com
 
diff --git a/krb5.spec b/krb5.spec
index ddb0217..d606767 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -75,6 +75,7 @@ Patch16:        krb5-mechglue_inqure_attrs.patch
 Patch104:       0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
 Patch105:       0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
 Patch106:       0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
+Patch107:       0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@@ -188,6 +189,7 @@ Include Files for Development
 %patch104 -p1
 %patch105 -p1
 %patch106 -p1
+%patch107 -p1
 
 %build
 # needs to be re-generated

From fcaedabd68bb81d85b8561439d4324de766ca141236a60cf54766b4484d33914 Mon Sep 17 00:00:00 2001
From: Howard Guo <null@suse.de>
Date: Wed, 23 Mar 2016 13:33:17 +0000
Subject: [PATCH 2/2] add credits to patch

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=163
---
 ...ull-deref-on-empty-arg-CVE-2016-3119.patch | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch b/0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
index 4905493..28af68b 100644
--- a/0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+++ b/0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
@@ -1,3 +1,28 @@
+From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 14 Mar 2016 17:26:34 -0400
+Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119]
+
+In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
+if there is an empty string in the db_args array.  Check for this case
+and avoid dereferencing a null pointer.
+
+CVE-2016-3119:
+
+In MIT krb5 1.6 and later, an authenticated attacker with permission
+to modify a principal entry can cause kadmind to dereference a null
+pointer by supplying an empty DB argument to the modify_principal
+command, if kadmind is configured to use the LDAP KDB module.
+
+    CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
+
+ticket: 8383 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+
+Line numbers are slightly adjusted by Howard Guo <hguo@suse.com> to fit into this older version of Kerberos.
+
 diff -rupN krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
 --- krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2016-03-23 14:00:44.669126353 +0100
 +++ krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2016-03-23 14:01:45.993680720 +0100