- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)

krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
  Fix null deref in SPNEGO acceptor [CVE-2014-4344]
  krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=124

krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch

@@ -0,0 +1,66 @@
+From f18ddf5d82de0ab7591a36e465bc24225776940f Mon Sep 17 00:00:00 2001
+From: David Woodhouse <David.Woodhouse@intel.com>
+Date: Tue, 15 Jul 2014 12:54:15 -0400
+Subject: [PATCH] Fix double-free in SPNEGO [CVE-2014-4343]
+
+In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
+pointer sc->internal_mech became an alias into sc->mech_set->elements,
+which should be considered constant for the duration of the SPNEGO
+context.  So don't free it.
+
+CVE-2014-4343:
+
+In MIT krb5 releases 1.10 and newer, an unauthenticated remote
+attacker with the ability to spoof packets appearing to be from a
+GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
+(clients) which are using the SPNEGO mechanism, by returning a
+different underlying mechanism than was proposed by the initiator.  At
+this stage of the negotiation, the acceptor is unauthenticated, and
+the acceptor's response could be spoofed by an attacker with the
+ability to inject traffic to the initiator.
+
+Historically, some double-free vulnerabilities can be translated into
+remote code execution, though the necessary exploits must be tailored
+to the individual application and are usually quite
+complicated. Double-frees can also be exploited to cause an
+application crash, for a denial of service.  However, most GSSAPI
+client applications are not vulnerable, as the SPNEGO mechanism is not
+used by default (when GSS_C_NO_OID is passed as the mech_type argument
+to gss_init_sec_context()).  The most common use of SPNEGO is for
+HTTP-Negotiate, used in web browsers and other web clients.  Most such
+clients are believed to not offer HTTP-Negotiate by default, instead
+requiring a whitelist of sites for which it may be used to be
+configured.  If the whitelist is configured to only allow
+HTTP-Negotiate over TLS connections ("https://"), a successful
+attacker must also spoof the web server's SSL certificate, due to the
+way the WWW-Authenticate header is sent in a 401 (Unauthorized)
+response message.  Unfortunately, many instructions for enabling
+HTTP-Negotiate in common web browsers do not include a TLS
+requirement.
+
+    CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
+
+[kaduk@mit.edu: CVE summary and CVSSv2 vector]
+
+ticket: 7969 (new)
+target_version: 1.12.2
+tags: pullup
+---
+ src/lib/gssapi/spnego/spnego_mech.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 173c6d2..8f829d8 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ 	OM_uint32 tmpmin;
+ 	size_t i;
+ 
+-	generic_gss_release_oid(&tmpmin, &sc->internal_mech);
+ 	gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
+ 			       GSS_C_NO_BUFFER);
+ 
+-- 
+1.9.3
+

krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch

@@ -0,0 +1,49 @@
+From 524688ce87a15fc75f87efc8c039ba4c7d5c197b Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 15 Jul 2014 12:56:01 -0400
+Subject: [PATCH] Fix null deref in SPNEGO acceptor [CVE-2014-4344]
+
+When processing a continuation token, acc_ctx_cont was dereferencing
+the initial byte of the token without checking the length.  This could
+result in a null dereference.
+
+CVE-2014-4344:
+
+In MIT krb5 1.5 and newer, an unauthenticated or partially
+authenticated remote attacker can cause a NULL dereference and
+application crash during a SPNEGO negotiation by sending an empty
+token as the second or later context token from initiator to acceptor.
+The attacker must provide at least one valid context token in the
+security context negotiation before sending the empty token.  This can
+be done by an unauthenticated attacker by forcing SPNEGO to
+renegotiate the underlying mechanism, or by using IAKERB to wrap an
+unauthenticated AS-REQ as the first token.
+
+    CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+[kaduk@mit.edu: CVE summary, CVSSv2 vector]
+
+ticket: 7970 (new)
+subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
+target_version: 1.12.2
+tags: pullup
+---
+ src/lib/gssapi/spnego/spnego_mech.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 8f829d8..2aa6810 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat,
+ 
+ 	ptr = bufstart = buf->value;
+ #define REMAIN (buf->length - (ptr - bufstart))
+-	if (REMAIN > INT_MAX)
++	if (REMAIN == 0 || REMAIN > INT_MAX)
+ 		return GSS_S_DEFECTIVE_TOKEN;
+ 
+ 	/*
+-- 
+1.9.3
+

krb5-mini.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com
+
+- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)
+  krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
+  Fix null deref in SPNEGO acceptor [CVE-2014-4344]
+  krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
+
 -------------------------------------------------------------------
 Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com
 

krb5-mini.spec

@@ -49,7 +49,7 @@ BuildRequires:  python-lxml
 BuildRequires:  pkgconfig(systemd)
 %{?systemd_requires}
 %else
-PreReq:         %insserv_prereq
+PreReq:         %insserv_prereq 
 %endif
 # bug437293
 %ifarch ppc64
@@ -84,6 +84,8 @@ Patch13:        krb5-1.9-debuginfo.patch
 Patch14:        krb5-kvno-230379.patch
 Patch15:        krb5-master-keyring-kdcsync.patch
 Patch16:        krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+Patch17:        krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
+Patch18:        krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@@ -205,6 +207,8 @@ Include Files for Development
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
+%patch18 -p1
 
 %build
 # needs to be re-generated

krb5.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com
+
+- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)
+  krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
+  Fix null deref in SPNEGO acceptor [CVE-2014-4344]
+  krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
+
 -------------------------------------------------------------------
 Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com
 

krb5.spec

@@ -84,6 +84,8 @@ Patch13:        krb5-1.9-debuginfo.patch
 Patch14:        krb5-kvno-230379.patch
 Patch15:        krb5-master-keyring-kdcsync.patch
 Patch16:        krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+Patch17:        krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
+Patch18:        krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@@ -205,6 +207,8 @@ Include Files for Development
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
+%patch18 -p1
 
 %build
 # needs to be re-generated