diff --git a/bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif b/bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif new file mode 100644 index 0000000..ad7638e --- /dev/null +++ b/bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif @@ -0,0 +1,40 @@ +commit cd5ff932c9d1439c961b0cf9ccff979356686aff +Author: Nalin Dahyabhai +Date: Thu Dec 13 14:26:07 2012 -0500 + + PKINIT (draft9) null ptr deref [CVE-2012-1016] + + Don't check for an agility KDF identifier in the non-draft9 reply + structure when we're building a draft9 reply, because it'll be NULL. + + The KDC plugin for PKINIT can dereference a null pointer when handling + a draft9 request, leading to a crash of the KDC process. An attacker + would need to have a valid PKINIT certificate, or an unauthenticated + attacker could execute the attack if anonymous PKINIT is enabled. + + CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C + + [tlyu@mit.edu: reformat comment and edit log message] + + ticket: 7506 (new) + target_version: 1.11 + tags: pullup + +Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c +=================================================================== +--- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_srv.c ++++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c +@@ -1016,9 +1016,10 @@ pkinit_server_return_padata(krb5_context + rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) || + (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) { + +- /* If mutually supported KDFs were found, use the alg agility KDF */ +- if (rep->u.dh_Info.kdfID) { +- secret.data = server_key; ++ /* If we're not doing draft 9, and mutually supported KDFs were found, ++ * use the algorithm agility KDF. */ ++ if (rep != NULL && rep->u.dh_Info.kdfID) { ++ secret.data = (char *)server_key; + secret.length = server_key_len; + + retval = pkinit_alg_agility_kdf(context, &secret, diff --git a/krb5-mini.changes b/krb5-mini.changes index 38b446a..0bc981d 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,8 +1,16 @@ +------------------------------------------------------------------- +Wed Mar 6 12:01:32 CET 2013 - mc@suse.de + +- fix PKINIT null pointer deref in pkinit_check_kdc_pkid() + CVE-2012-1016 (bnc#807556) + bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif + ------------------------------------------------------------------- Mon Mar 4 11:23:10 CET 2013 - mc@suse.de - fix PKINIT null pointer deref CVE-2013-1415 (bnc#806715) + bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif ------------------------------------------------------------------- Fri Jan 25 15:29:37 CET 2013 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index 7569226..a39612c 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -67,6 +67,7 @@ Patch20: krb5-1.10-gcc47.patch Patch21: krb5-1.10-selinux-label.patch Patch22: krb5-1.10-spin-loop.patch Patch23: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif +Patch24: bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -163,6 +164,7 @@ Include Files for Development %patch20 %patch22 -p1 %patch23 -p1 +%patch24 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do diff --git a/krb5.changes b/krb5.changes index 38b446a..0bc981d 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,8 +1,16 @@ +------------------------------------------------------------------- +Wed Mar 6 12:01:32 CET 2013 - mc@suse.de + +- fix PKINIT null pointer deref in pkinit_check_kdc_pkid() + CVE-2012-1016 (bnc#807556) + bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif + ------------------------------------------------------------------- Mon Mar 4 11:23:10 CET 2013 - mc@suse.de - fix PKINIT null pointer deref CVE-2013-1415 (bnc#806715) + bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif ------------------------------------------------------------------- Fri Jan 25 15:29:37 CET 2013 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index 2145156..c525292 100644 --- a/krb5.spec +++ b/krb5.spec @@ -67,6 +67,7 @@ Patch20: krb5-1.10-gcc47.patch Patch21: krb5-1.10-selinux-label.patch Patch22: krb5-1.10-spin-loop.patch Patch23: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif +Patch24: bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -163,6 +164,7 @@ Include Files for Development %patch20 %patch22 -p1 %patch23 -p1 +%patch24 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do