rpm/krb5
SHA256
1
0
Fork 0
forked from pool/krb5
Code Pull Requests Activity

- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()

Browse Source 
CVE-2012-1016 (bnc#807556)
  bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
  bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif

- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
  CVE-2012-1016 (bnc#807556)
  bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
  bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=88
This commit is contained in:
Michael Calmer 2013-03-06 11:03:13 +00:00 committed by Git OBS Bridge
parent b06750d1e3
commit 66ced8b26b
5 changed files with 60 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif Normal file
View File

@ -0,0 +1,40 @@
commit cd5ff932c9d1439c961b0cf9ccff979356686aff
Author: Nalin Dahyabhai <nalin@redhat.com>
Date: Thu Dec 13 14:26:07 2012 -0500
PKINIT (draft9) null ptr deref [CVE-2012-1016]
Don't check for an agility KDF identifier in the non-draft9 reply
structure when we're building a draft9 reply, because it'll be NULL.
The KDC plugin for PKINIT can dereference a null pointer when handling
a draft9 request, leading to a crash of the KDC process. An attacker
would need to have a valid PKINIT certificate, or an unauthenticated
attacker could execute the attack if anonymous PKINIT is enabled.
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
[tlyu@mit.edu: reformat comment and edit log message]
ticket: 7506 (new)
target_version: 1.11
tags: pullup
Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_srv.c
+++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1016,9 +1016,10 @@ pkinit_server_return_padata(krb5_context
rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
(rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
- /* If mutually supported KDFs were found, use the alg agility KDF */
- if (rep->u.dh_Info.kdfID) {
- secret.data = server_key;
+ /* If we're not doing draft 9, and mutually supported KDFs were found,
+ * use the algorithm agility KDF. */
+ if (rep != NULL && rep->u.dh_Info.kdfID) {
+ secret.data = (char *)server_key;
secret.length = server_key_len;
retval = pkinit_alg_agility_kdf(context, &secret,

8
krb5-mini.changes
View File

@ -1,8 +1,16 @@
-------------------------------------------------------------------
Wed Mar 6 12:01:32 CET 2013 - mc@suse.de
- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
CVE-2012-1016 (bnc#807556)
bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
-------------------------------------------------------------------
Mon Mar 4 11:23:10 CET 2013 - mc@suse.de
- fix PKINIT null pointer deref
CVE-2013-1415 (bnc#806715)
bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
-------------------------------------------------------------------
Fri Jan 25 15:29:37 CET 2013 - mc@suse.de

2
krb5-mini.spec
View File

@ -67,6 +67,7 @@ Patch20: krb5-1.10-gcc47.patch
Patch21: krb5-1.10-selinux-label.patch
Patch22: krb5-1.10-spin-loop.patch
Patch23: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
Patch24: bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -163,6 +164,7 @@ Include Files for Development
%patch20
%patch22 -p1
%patch23 -p1
%patch24 -p1
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do

8
krb5.changes
View File

@ -1,8 +1,16 @@
-------------------------------------------------------------------
Wed Mar 6 12:01:32 CET 2013 - mc@suse.de
- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
CVE-2012-1016 (bnc#807556)
bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
-------------------------------------------------------------------
Mon Mar 4 11:23:10 CET 2013 - mc@suse.de
- fix PKINIT null pointer deref
CVE-2013-1415 (bnc#806715)
bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
-------------------------------------------------------------------
Fri Jan 25 15:29:37 CET 2013 - mc@suse.de

2
krb5.spec
View File

@ -67,6 +67,7 @@ Patch20: krb5-1.10-gcc47.patch
Patch21: krb5-1.10-selinux-label.patch
Patch22: krb5-1.10-spin-loop.patch
Patch23: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
Patch24: bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -163,6 +164,7 @@ Include Files for Development
%patch20
%patch22 -p1
%patch23 -p1
%patch24 -p1
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do