- fix PKINIT null pointer deref

CVE-2013-1415 (bnc#806715)

- package missing file (bnc#794784)

- revert the -p usage in %postun to fix SLE build

- fix PKINIT null pointer deref
  CVE-2013-1415 (bnc#806715)

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=87

bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif

@@ -0,0 +1,45 @@
+commit c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed
+Author: Xi Wang <xi.wang@gmail.com>
+Date:   Thu Feb 14 18:17:40 2013 -0500
+
+    PKINIT null pointer deref [CVE-2013-1415]
+    
+    Don't dereference a null pointer when cleaning up.
+    
+    The KDC plugin for PKINIT can dereference a null pointer when a
+    malformed packet causes processing to terminate early, leading to
+    a crash of the KDC process.  An attacker would need to have a valid
+    PKINIT certificate or have observed a successful PKINIT authentication,
+    or an unauthenticated attacker could execute the attack if anonymous
+    PKINIT is enabled.
+    
+    CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C
+    
+    This is a minimal commit for pullup; style fixes in a followup.
+    [kaduk@mit.edu: reformat and edit commit message]
+    
+    ticket: 7570 (new)
+    target_version: 1.11.1
+    tags: pullup
+
+Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+===================================================================
+--- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -3242,7 +3242,7 @@ pkinit_check_kdc_pkid(krb5_context conte
+     pkiDebug("found kdcPkId in AS REQ\n");
+     is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len);
+     if (is == NULL)
+-        goto cleanup;
++        return retval;
+ 
+     status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer);
+     if (!status) {
+@@ -3252,7 +3252,6 @@ pkinit_check_kdc_pkid(krb5_context conte
+     }
+ 
+     retval = 0;
+-cleanup:
+     X509_NAME_free(is->issuer);
+     ASN1_INTEGER_free(is->serial);
+     free(is);

krb5-mini.changes

@@ -1,9 +1,25 @@
+-------------------------------------------------------------------
+Mon Mar  4 11:23:10 CET 2013 - mc@suse.de
+
+- fix PKINIT null pointer deref
+  CVE-2013-1415 (bnc#806715)
+
+-------------------------------------------------------------------
+Fri Jan 25 15:29:37 CET 2013 - mc@suse.de
+
+- package missing file (bnc#794784)
+
 -------------------------------------------------------------------
 Tue Jan 22 13:55:52 UTC 2013 - lchiquitto@suse.com
 
 - krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc
   (bnc#793336)
 
+-------------------------------------------------------------------
+Tue Oct 16 19:35:47 UTC 2012 - coolo@suse.com
+
+- revert the -p usage in %postun to fix SLE build
+
 -------------------------------------------------------------------
 Tue Oct 16 12:05:00 UTC 2012 - coolo@suse.com
 

krb5-mini.spec

@@ -66,6 +66,7 @@ Patch19:        krb5-1.9-ksu-path.patch
 Patch20:        krb5-1.10-gcc47.patch
 Patch21:        krb5-1.10-selinux-label.patch
 Patch22:        krb5-1.10-spin-loop.patch
+Patch23:        bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %insserv_prereq %fillup_prereq 
@@ -161,6 +162,7 @@ Include Files for Development
 %patch19 -p1
 %patch20
 %patch22 -p1
+%patch23 -p1
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do
@@ -275,16 +277,16 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos
 # cleanup
 rm -f  %{buildroot}/usr/share/man/man1/tmac.doc*
 rm -f  /usr/share/man/man1/tmac.doc*
-rm -rf /usr/lib/mit/share
-rm -rf %{buildroot}/usr/lib/mit/share
-
+rm -rf %{buildroot}/usr/lib/mit/share/examples
+rm -rf %{buildroot}/usr/lib/mit/share/locale
 #####################################################
 # krb5(-mini) pre/post/postun
 #####################################################
 
 %post -p /sbin/ldconfig
 
-%postun -p /sbin/ldconfig
+%postun
+/sbin/ldconfig
 
 %if ! %{build_mini}
 
@@ -326,7 +328,8 @@ rm -rf %{buildroot}/usr/lib/mit/share
 
 %post plugin-kdb-ldap -p /sbin/ldconfig
 
-%postun plugin-kdb-ldap -p /sbin/ldconfig
+%postun plugin-kdb-ldap
+/sbin/ldconfig
 
 %endif
 
@@ -339,6 +342,7 @@ rm -rf %{buildroot}/usr/lib/mit/share
 %dir /usr/lib/mit
 %dir /usr/lib/mit/bin
 %dir /usr/lib/mit/sbin
+%dir /usr/lib/mit/share
 %dir %{_datadir}/aclocal
 %{_libdir}/libgssrpc.so
 %{_libdir}/libk5crypto.so
@@ -354,6 +358,7 @@ rm -rf %{buildroot}/usr/lib/mit/share
 %{_includedir}/*
 /usr/lib/mit/bin/krb5-config
 /usr/lib/mit/sbin/krb5-send-pr
+/usr/lib/mit/share/gnats
 %{_mandir}/man1/krb5-send-pr.1*
 %{_mandir}/man1/krb5-config.1*
 %{_datadir}/aclocal/ac_check_krb5.m4

krb5.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Mar  4 11:23:10 CET 2013 - mc@suse.de
+
+- fix PKINIT null pointer deref
+  CVE-2013-1415 (bnc#806715)
+
 -------------------------------------------------------------------
 Fri Jan 25 15:29:37 CET 2013 - mc@suse.de
 

krb5.spec

@@ -66,6 +66,7 @@ Patch19:        krb5-1.9-ksu-path.patch
 Patch20:        krb5-1.10-gcc47.patch
 Patch21:        krb5-1.10-selinux-label.patch
 Patch22:        krb5-1.10-spin-loop.patch
+Patch23:        bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %insserv_prereq %fillup_prereq 
@@ -161,6 +162,7 @@ Include Files for Development
 %patch19 -p1
 %patch20
 %patch22 -p1
+%patch23 -p1
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do