Accepting request 157530 from network
- fix PKINIT null pointer deref in pkinit_check_kdc_pkid() CVE-2012-1016 (bnc#807556) bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif - fix PKINIT null pointer deref CVE-2013-1415 (bnc#806715) bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif - package missing file (bnc#794784) - revert the -p usage in %postun to fix SLE build - fix PKINIT null pointer deref in pkinit_check_kdc_pkid() CVE-2012-1016 (bnc#807556) bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif - fix PKINIT null pointer deref CVE-2013-1415 (bnc#806715) bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif OBS-URL: https://build.opensuse.org/request/show/157530 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=89
This commit is contained in:
commit
b220ddde11
45
bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
Normal file
45
bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
Normal file
@ -0,0 +1,45 @@
|
||||
commit c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed
|
||||
Author: Xi Wang <xi.wang@gmail.com>
|
||||
Date: Thu Feb 14 18:17:40 2013 -0500
|
||||
|
||||
PKINIT null pointer deref [CVE-2013-1415]
|
||||
|
||||
Don't dereference a null pointer when cleaning up.
|
||||
|
||||
The KDC plugin for PKINIT can dereference a null pointer when a
|
||||
malformed packet causes processing to terminate early, leading to
|
||||
a crash of the KDC process. An attacker would need to have a valid
|
||||
PKINIT certificate or have observed a successful PKINIT authentication,
|
||||
or an unauthenticated attacker could execute the attack if anonymous
|
||||
PKINIT is enabled.
|
||||
|
||||
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C
|
||||
|
||||
This is a minimal commit for pullup; style fixes in a followup.
|
||||
[kaduk@mit.edu: reformat and edit commit message]
|
||||
|
||||
ticket: 7570 (new)
|
||||
target_version: 1.11.1
|
||||
tags: pullup
|
||||
|
||||
Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -3242,7 +3242,7 @@ pkinit_check_kdc_pkid(krb5_context conte
|
||||
pkiDebug("found kdcPkId in AS REQ\n");
|
||||
is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len);
|
||||
if (is == NULL)
|
||||
- goto cleanup;
|
||||
+ return retval;
|
||||
|
||||
status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer);
|
||||
if (!status) {
|
||||
@@ -3252,7 +3252,6 @@ pkinit_check_kdc_pkid(krb5_context conte
|
||||
}
|
||||
|
||||
retval = 0;
|
||||
-cleanup:
|
||||
X509_NAME_free(is->issuer);
|
||||
ASN1_INTEGER_free(is->serial);
|
||||
free(is);
|
40
bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
Normal file
40
bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
Normal file
@ -0,0 +1,40 @@
|
||||
commit cd5ff932c9d1439c961b0cf9ccff979356686aff
|
||||
Author: Nalin Dahyabhai <nalin@redhat.com>
|
||||
Date: Thu Dec 13 14:26:07 2012 -0500
|
||||
|
||||
PKINIT (draft9) null ptr deref [CVE-2012-1016]
|
||||
|
||||
Don't check for an agility KDF identifier in the non-draft9 reply
|
||||
structure when we're building a draft9 reply, because it'll be NULL.
|
||||
|
||||
The KDC plugin for PKINIT can dereference a null pointer when handling
|
||||
a draft9 request, leading to a crash of the KDC process. An attacker
|
||||
would need to have a valid PKINIT certificate, or an unauthenticated
|
||||
attacker could execute the attack if anonymous PKINIT is enabled.
|
||||
|
||||
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
|
||||
|
||||
[tlyu@mit.edu: reformat comment and edit log message]
|
||||
|
||||
ticket: 7506 (new)
|
||||
target_version: 1.11
|
||||
tags: pullup
|
||||
|
||||
Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
+++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
@@ -1016,9 +1016,10 @@ pkinit_server_return_padata(krb5_context
|
||||
rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
|
||||
(rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
|
||||
|
||||
- /* If mutually supported KDFs were found, use the alg agility KDF */
|
||||
- if (rep->u.dh_Info.kdfID) {
|
||||
- secret.data = server_key;
|
||||
+ /* If we're not doing draft 9, and mutually supported KDFs were found,
|
||||
+ * use the algorithm agility KDF. */
|
||||
+ if (rep != NULL && rep->u.dh_Info.kdfID) {
|
||||
+ secret.data = (char *)server_key;
|
||||
secret.length = server_key_len;
|
||||
|
||||
retval = pkinit_alg_agility_kdf(context, &secret,
|
@ -1,9 +1,33 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 6 12:01:32 CET 2013 - mc@suse.de
|
||||
|
||||
- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
|
||||
CVE-2012-1016 (bnc#807556)
|
||||
bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Mar 4 11:23:10 CET 2013 - mc@suse.de
|
||||
|
||||
- fix PKINIT null pointer deref
|
||||
CVE-2013-1415 (bnc#806715)
|
||||
bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jan 25 15:29:37 CET 2013 - mc@suse.de
|
||||
|
||||
- package missing file (bnc#794784)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 22 13:55:52 UTC 2013 - lchiquitto@suse.com
|
||||
|
||||
- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc
|
||||
(bnc#793336)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 16 19:35:47 UTC 2012 - coolo@suse.com
|
||||
|
||||
- revert the -p usage in %postun to fix SLE build
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 16 12:05:00 UTC 2012 - coolo@suse.com
|
||||
|
||||
|
@ -66,6 +66,8 @@ Patch19: krb5-1.9-ksu-path.patch
|
||||
Patch20: krb5-1.10-gcc47.patch
|
||||
Patch21: krb5-1.10-selinux-label.patch
|
||||
Patch22: krb5-1.10-spin-loop.patch
|
||||
Patch23: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
|
||||
Patch24: bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
PreReq: mktemp, grep, /bin/touch, coreutils
|
||||
PreReq: %insserv_prereq %fillup_prereq
|
||||
@ -161,6 +163,8 @@ Include Files for Development
|
||||
%patch19 -p1
|
||||
%patch20
|
||||
%patch22 -p1
|
||||
%patch23 -p1
|
||||
%patch24 -p1
|
||||
# Rename the man pages so that they'll get generated correctly.
|
||||
pushd src
|
||||
cat %{SOURCE10} | while read manpage ; do
|
||||
@ -275,16 +279,16 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos
|
||||
# cleanup
|
||||
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
|
||||
rm -f /usr/share/man/man1/tmac.doc*
|
||||
rm -rf /usr/lib/mit/share
|
||||
rm -rf %{buildroot}/usr/lib/mit/share
|
||||
|
||||
rm -rf %{buildroot}/usr/lib/mit/share/examples
|
||||
rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
#####################################################
|
||||
# krb5(-mini) pre/post/postun
|
||||
#####################################################
|
||||
|
||||
%post -p /sbin/ldconfig
|
||||
|
||||
%postun -p /sbin/ldconfig
|
||||
%postun
|
||||
/sbin/ldconfig
|
||||
|
||||
%if ! %{build_mini}
|
||||
|
||||
@ -326,7 +330,8 @@ rm -rf %{buildroot}/usr/lib/mit/share
|
||||
|
||||
%post plugin-kdb-ldap -p /sbin/ldconfig
|
||||
|
||||
%postun plugin-kdb-ldap -p /sbin/ldconfig
|
||||
%postun plugin-kdb-ldap
|
||||
/sbin/ldconfig
|
||||
|
||||
%endif
|
||||
|
||||
@ -339,6 +344,7 @@ rm -rf %{buildroot}/usr/lib/mit/share
|
||||
%dir /usr/lib/mit
|
||||
%dir /usr/lib/mit/bin
|
||||
%dir /usr/lib/mit/sbin
|
||||
%dir /usr/lib/mit/share
|
||||
%dir %{_datadir}/aclocal
|
||||
%{_libdir}/libgssrpc.so
|
||||
%{_libdir}/libk5crypto.so
|
||||
@ -354,6 +360,7 @@ rm -rf %{buildroot}/usr/lib/mit/share
|
||||
%{_includedir}/*
|
||||
/usr/lib/mit/bin/krb5-config
|
||||
/usr/lib/mit/sbin/krb5-send-pr
|
||||
/usr/lib/mit/share/gnats
|
||||
%{_mandir}/man1/krb5-send-pr.1*
|
||||
%{_mandir}/man1/krb5-config.1*
|
||||
%{_datadir}/aclocal/ac_check_krb5.m4
|
||||
|
14
krb5.changes
14
krb5.changes
@ -1,3 +1,17 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 6 12:01:32 CET 2013 - mc@suse.de
|
||||
|
||||
- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
|
||||
CVE-2012-1016 (bnc#807556)
|
||||
bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Mar 4 11:23:10 CET 2013 - mc@suse.de
|
||||
|
||||
- fix PKINIT null pointer deref
|
||||
CVE-2013-1415 (bnc#806715)
|
||||
bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jan 25 15:29:37 CET 2013 - mc@suse.de
|
||||
|
||||
|
@ -66,6 +66,8 @@ Patch19: krb5-1.9-ksu-path.patch
|
||||
Patch20: krb5-1.10-gcc47.patch
|
||||
Patch21: krb5-1.10-selinux-label.patch
|
||||
Patch22: krb5-1.10-spin-loop.patch
|
||||
Patch23: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
|
||||
Patch24: bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
PreReq: mktemp, grep, /bin/touch, coreutils
|
||||
PreReq: %insserv_prereq %fillup_prereq
|
||||
@ -161,6 +163,8 @@ Include Files for Development
|
||||
%patch19 -p1
|
||||
%patch20
|
||||
%patch22 -p1
|
||||
%patch23 -p1
|
||||
%patch24 -p1
|
||||
# Rename the man pages so that they'll get generated correctly.
|
||||
pushd src
|
||||
cat %{SOURCE10} | while read manpage ; do
|
||||
|
Loading…
Reference in New Issue
Block a user