- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()

CVE-2012-1016 (bnc#807556) bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif - fix PKINIT null pointer deref in pkinit_check_kdc_pkid() CVE-2012-1016 (bnc#807556) bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=88
2013-03-06 11:03:13 +00:00 · 2013-03-06 11:03:13 +00:00 · 66ced8b26b
commit 66ced8b26b
parent b06750d1e3
5 changed files with 60 additions and 0 deletions
--- a/bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
+++ b/bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
@ -0,0 +1,40 @@
 commit cd5ff932c9d1439c961b0cf9ccff979356686aff
 Author: Nalin Dahyabhai <nalin@redhat.com>
 Date:   Thu Dec 13 14:26:07 2012 -0500
    PKINIT (draft9) null ptr deref [CVE-2012-1016]
    Don't check for an agility KDF identifier in the non-draft9 reply
    structure when we're building a draft9 reply, because it'll be NULL.
    The KDC plugin for PKINIT can dereference a null pointer when handling
    a draft9 request, leading to a crash of the KDC process.  An attacker
    would need to have a valid PKINIT certificate, or an unauthenticated
    attacker could execute the attack if anonymous PKINIT is enabled.
    CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
    [tlyu@mit.edu: reformat comment and edit log message]
    ticket: 7506 (new)
    target_version: 1.11
    tags: pullup
 Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c
 ===================================================================
 --- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_srv.c
 +++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1016,9 +1016,10 @@ pkinit_server_return_padata(krb5_context
          rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
         (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
 -        /* If mutually supported KDFs were found, use the alg agility KDF */
 -        if (rep->u.dh_Info.kdfID) {
 -            secret.data = server_key;
 +	/* If we're not doing draft 9, and mutually supported KDFs were found,
 +	 * use the algorithm agility KDF. */
 +        if (rep != NULL && rep->u.dh_Info.kdfID) {
 +            secret.data = (char *)server_key;
             secret.length = server_key_len;
             retval = pkinit_alg_agility_kdf(context, &secret,
--- a/krb5-mini.changes
+++ b/krb5-mini.changes
@ -1,8 +1,16 @@
 -------------------------------------------------------------------
 Wed Mar  6 12:01:32 CET 2013 - mc@suse.de
 - fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
  CVE-2012-1016 (bnc#807556)
  bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
 -------------------------------------------------------------------
 Mon Mar  4 11:23:10 CET 2013 - mc@suse.de
 - fix PKINIT null pointer deref
  CVE-2013-1415 (bnc#806715)
  bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
 -------------------------------------------------------------------
 Fri Jan 25 15:29:37 CET 2013 - mc@suse.de
--- a/krb5-mini.spec
+++ b/krb5-mini.spec
@ -67,6 +67,7 @@ Patch20:        krb5-1.10-gcc47.patch
 Patch21:        krb5-1.10-selinux-label.patch
 Patch22:        krb5-1.10-spin-loop.patch
 Patch23:        bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
 Patch24:        bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %insserv_prereq %fillup_prereq 
@ -163,6 +164,7 @@ Include Files for Development
 %patch20
 %patch22 -p1
 %patch23 -p1
 %patch24 -p1
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do
--- a/krb5.changes
+++ b/krb5.changes
@ -1,8 +1,16 @@
 -------------------------------------------------------------------
 Wed Mar  6 12:01:32 CET 2013 - mc@suse.de
 - fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
  CVE-2012-1016 (bnc#807556)
  bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
 -------------------------------------------------------------------
 Mon Mar  4 11:23:10 CET 2013 - mc@suse.de
 - fix PKINIT null pointer deref
  CVE-2013-1415 (bnc#806715)
  bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
 -------------------------------------------------------------------
 Fri Jan 25 15:29:37 CET 2013 - mc@suse.de
--- a/krb5.spec
+++ b/krb5.spec
@ -67,6 +67,7 @@ Patch20:        krb5-1.10-gcc47.patch
 Patch21:        krb5-1.10-selinux-label.patch
 Patch22:        krb5-1.10-spin-loop.patch
 Patch23:        bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
 Patch24:        bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %insserv_prereq %fillup_prereq 
@ -163,6 +164,7 @@ Include Files for Development
 %patch20
 %patch22 -p1
 %patch23 -p1
 %patch24 -p1
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do