From b06750d1e31bedb8145bf7288cf5913c545aea182ee3127c737dbf9c4730ee31 Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Mon, 4 Mar 2013 10:24:33 +0000 Subject: [PATCH] - fix PKINIT null pointer deref CVE-2013-1415 (bnc#806715) - package missing file (bnc#794784) - revert the -p usage in %postun to fix SLE build - fix PKINIT null pointer deref CVE-2013-1415 (bnc#806715) OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=87 --- ...013-1415-fix-PKINIT-null-pointer-deref.dif | 45 +++++++++++++++++++ krb5-mini.changes | 16 +++++++ krb5-mini.spec | 15 ++++--- krb5.changes | 6 +++ krb5.spec | 2 + 5 files changed, 79 insertions(+), 5 deletions(-) create mode 100644 bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif diff --git a/bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif b/bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif new file mode 100644 index 0000000..9b13e87 --- /dev/null +++ b/bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif @@ -0,0 +1,45 @@ +commit c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed +Author: Xi Wang +Date: Thu Feb 14 18:17:40 2013 -0500 + + PKINIT null pointer deref [CVE-2013-1415] + + Don't dereference a null pointer when cleaning up. + + The KDC plugin for PKINIT can dereference a null pointer when a + malformed packet causes processing to terminate early, leading to + a crash of the KDC process. An attacker would need to have a valid + PKINIT certificate or have observed a successful PKINIT authentication, + or an unauthenticated attacker could execute the attack if anonymous + PKINIT is enabled. + + CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C + + This is a minimal commit for pullup; style fixes in a followup. + [kaduk@mit.edu: reformat and edit commit message] + + ticket: 7570 (new) + target_version: 1.11.1 + tags: pullup + +Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +=================================================================== +--- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -3242,7 +3242,7 @@ pkinit_check_kdc_pkid(krb5_context conte + pkiDebug("found kdcPkId in AS REQ\n"); + is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len); + if (is == NULL) +- goto cleanup; ++ return retval; + + status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer); + if (!status) { +@@ -3252,7 +3252,6 @@ pkinit_check_kdc_pkid(krb5_context conte + } + + retval = 0; +-cleanup: + X509_NAME_free(is->issuer); + ASN1_INTEGER_free(is->serial); + free(is); diff --git a/krb5-mini.changes b/krb5-mini.changes index 6c1e5bb..38b446a 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,9 +1,25 @@ +------------------------------------------------------------------- +Mon Mar 4 11:23:10 CET 2013 - mc@suse.de + +- fix PKINIT null pointer deref + CVE-2013-1415 (bnc#806715) + +------------------------------------------------------------------- +Fri Jan 25 15:29:37 CET 2013 - mc@suse.de + +- package missing file (bnc#794784) + ------------------------------------------------------------------- Tue Jan 22 13:55:52 UTC 2013 - lchiquitto@suse.com - krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc (bnc#793336) +------------------------------------------------------------------- +Tue Oct 16 19:35:47 UTC 2012 - coolo@suse.com + +- revert the -p usage in %postun to fix SLE build + ------------------------------------------------------------------- Tue Oct 16 12:05:00 UTC 2012 - coolo@suse.com diff --git a/krb5-mini.spec b/krb5-mini.spec index f8ed2a2..7569226 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -66,6 +66,7 @@ Patch19: krb5-1.9-ksu-path.patch Patch20: krb5-1.10-gcc47.patch Patch21: krb5-1.10-selinux-label.patch Patch22: krb5-1.10-spin-loop.patch +Patch23: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -161,6 +162,7 @@ Include Files for Development %patch19 -p1 %patch20 %patch22 -p1 +%patch23 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do @@ -275,16 +277,16 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos # cleanup rm -f %{buildroot}/usr/share/man/man1/tmac.doc* rm -f /usr/share/man/man1/tmac.doc* -rm -rf /usr/lib/mit/share -rm -rf %{buildroot}/usr/lib/mit/share - +rm -rf %{buildroot}/usr/lib/mit/share/examples +rm -rf %{buildroot}/usr/lib/mit/share/locale ##################################################### # krb5(-mini) pre/post/postun ##################################################### %post -p /sbin/ldconfig -%postun -p /sbin/ldconfig +%postun +/sbin/ldconfig %if ! %{build_mini} @@ -326,7 +328,8 @@ rm -rf %{buildroot}/usr/lib/mit/share %post plugin-kdb-ldap -p /sbin/ldconfig -%postun plugin-kdb-ldap -p /sbin/ldconfig +%postun plugin-kdb-ldap +/sbin/ldconfig %endif @@ -339,6 +342,7 @@ rm -rf %{buildroot}/usr/lib/mit/share %dir /usr/lib/mit %dir /usr/lib/mit/bin %dir /usr/lib/mit/sbin +%dir /usr/lib/mit/share %dir %{_datadir}/aclocal %{_libdir}/libgssrpc.so %{_libdir}/libk5crypto.so @@ -354,6 +358,7 @@ rm -rf %{buildroot}/usr/lib/mit/share %{_includedir}/* /usr/lib/mit/bin/krb5-config /usr/lib/mit/sbin/krb5-send-pr +/usr/lib/mit/share/gnats %{_mandir}/man1/krb5-send-pr.1* %{_mandir}/man1/krb5-config.1* %{_datadir}/aclocal/ac_check_krb5.m4 diff --git a/krb5.changes b/krb5.changes index 592a17c..38b446a 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Mar 4 11:23:10 CET 2013 - mc@suse.de + +- fix PKINIT null pointer deref + CVE-2013-1415 (bnc#806715) + ------------------------------------------------------------------- Fri Jan 25 15:29:37 CET 2013 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index afbe246..2145156 100644 --- a/krb5.spec +++ b/krb5.spec @@ -66,6 +66,7 @@ Patch19: krb5-1.9-ksu-path.patch Patch20: krb5-1.10-gcc47.patch Patch21: krb5-1.10-selinux-label.patch Patch22: krb5-1.10-spin-loop.patch +Patch23: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -161,6 +162,7 @@ Include Files for Development %patch19 -p1 %patch20 %patch22 -p1 +%patch23 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do