From 6e6175d4bc19f0e15599756f51b64722c8456067492a90e26a3342df74ae47ae Mon Sep 17 00:00:00 2001
From: Michael Calmer <mc@suse.com>
Date: Wed, 7 Dec 2011 08:41:31 +0000
Subject: [PATCH] - fix KDC null pointer dereference in TGS handling  
 (MITKRB5-SA-2011-007, bnc#730393)   CVE-2011-1530

- fix KDC null pointer dereference in TGS handling
  (MITKRB5-SA-2011-007, bnc#730393)
  CVE-2011-1530
  (RT#6951, bnc#731648)

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=56
---
 krb5-1.9-MITKRB5-SA-2011-007.dif | 42 ++++++++++++++++++++++++++++++++
 krb5-mini.changes                |  7 ++++++
 krb5-mini.spec                   |  2 ++
 krb5.changes                     |  9 ++++++-
 krb5.spec                        |  2 ++
 5 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 krb5-1.9-MITKRB5-SA-2011-007.dif

diff --git a/krb5-1.9-MITKRB5-SA-2011-007.dif b/krb5-1.9-MITKRB5-SA-2011-007.dif
new file mode 100644
index 0000000..9435410
--- /dev/null
+++ b/krb5-1.9-MITKRB5-SA-2011-007.dif
@@ -0,0 +1,42 @@
+diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
+index f46cad3..102fbaa 100644
+--- a/src/kdc/Makefile.in
++++ b/src/kdc/Makefile.in
+@@ -67,6 +67,7 @@ check-unix:: rtest
+ 
+ check-pytests::
+ 	$(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
++	$(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
+ 
+ install::
+ 	$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index c169c54..840a2ef 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -243,7 +243,8 @@ tgt_again:
+                     if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
+                         errcode = find_alternate_tgs(request, &server);
+                         firstpass = 0;
+-                        goto tgt_again;
++                        if (errcode == 0)
++                            goto tgt_again;
+                     }
+                 }
+                 status = "UNKNOWN_SERVER";
+diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
+new file mode 100644
+index 0000000..1760bcd
+--- /dev/null
++++ b/src/kdc/t_emptytgt.py
+@@ -0,0 +1,8 @@
++#!/usr/bin/python
++from k5test import *
++
++realm = K5Realm(start_kadmind=False, create_host=False)
++output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
++if 'not found in Kerberos database' not in output:
++    fail('TGT lookup for empty realm failed in unexpected way')
++success('Empty tgt lookup.')
+
+
diff --git a/krb5-mini.changes b/krb5-mini.changes
index 1735131..2fa37a8 100644
--- a/krb5-mini.changes
+++ b/krb5-mini.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Nov 21 11:24:12 CET 2011 - mc@suse.de
+
+- fix KDC null pointer dereference in TGS handling
+  (MITKRB5-SA-2011-007, bnc#730393)
+  CVE-2011-1530
+
 -------------------------------------------------------------------
 Mon Nov 21 11:11:54 CET 2011 - mc@suse.de
 
diff --git a/krb5-mini.spec b/krb5-mini.spec
index 3a09d9a..bb4eed3 100644
--- a/krb5-mini.spec
+++ b/krb5-mini.spec
@@ -75,6 +75,7 @@ Patch30:        krb5-1.9-MITKRB5-SA-2011-006.dif
 Patch31:        krb5-1.9-gss_display_status-iakerb.patch
 Patch32:        krb5-1.9.1-sendto_poll2.patch
 Patch33:        krb5-1.9.1-sendto_poll3.patch
+Patch34:        krb5-1.9-MITKRB5-SA-2011-007.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %insserv_prereq %fillup_prereq 
@@ -240,6 +241,7 @@ Authors:
 %patch31 -p1
 %patch32 -p1
 %patch33 -p1
+%patch34 -p1
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do
diff --git a/krb5.changes b/krb5.changes
index 1735131..0be899d 100644
--- a/krb5.changes
+++ b/krb5.changes
@@ -1,8 +1,15 @@
+-------------------------------------------------------------------
+Mon Nov 21 11:24:12 CET 2011 - mc@suse.de
+
+- fix KDC null pointer dereference in TGS handling
+  (MITKRB5-SA-2011-007, bnc#730393)
+  CVE-2011-1530
+
 -------------------------------------------------------------------
 Mon Nov 21 11:11:54 CET 2011 - mc@suse.de
 
 - fix KDC HA feature introduced with implementing KDC poll
-  (RT#6951)
+  (RT#6951, bnc#731648)
 
 -------------------------------------------------------------------
 Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de
diff --git a/krb5.spec b/krb5.spec
index 9dbd734..e1ab109 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -75,6 +75,7 @@ Patch30:        krb5-1.9-MITKRB5-SA-2011-006.dif
 Patch31:        krb5-1.9-gss_display_status-iakerb.patch
 Patch32:        krb5-1.9.1-sendto_poll2.patch
 Patch33:        krb5-1.9.1-sendto_poll3.patch
+Patch34:        krb5-1.9-MITKRB5-SA-2011-007.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %insserv_prereq %fillup_prereq 
@@ -240,6 +241,7 @@ Authors:
 %patch31 -p1
 %patch32 -p1
 %patch33 -p1
+%patch34 -p1
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do