diff --git a/krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch b/krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch new file mode 100644 index 0000000..fb68383 --- /dev/null +++ b/krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch @@ -0,0 +1,66 @@ +From f18ddf5d82de0ab7591a36e465bc24225776940f Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Tue, 15 Jul 2014 12:54:15 -0400 +Subject: [PATCH] Fix double-free in SPNEGO [CVE-2014-4343] + +In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the +pointer sc->internal_mech became an alias into sc->mech_set->elements, +which should be considered constant for the duration of the SPNEGO +context. So don't free it. + +CVE-2014-4343: + +In MIT krb5 releases 1.10 and newer, an unauthenticated remote +attacker with the ability to spoof packets appearing to be from a +GSSAPI acceptor can cause a double-free condition in GSSAPI initiators +(clients) which are using the SPNEGO mechanism, by returning a +different underlying mechanism than was proposed by the initiator. At +this stage of the negotiation, the acceptor is unauthenticated, and +the acceptor's response could be spoofed by an attacker with the +ability to inject traffic to the initiator. + +Historically, some double-free vulnerabilities can be translated into +remote code execution, though the necessary exploits must be tailored +to the individual application and are usually quite +complicated. Double-frees can also be exploited to cause an +application crash, for a denial of service. However, most GSSAPI +client applications are not vulnerable, as the SPNEGO mechanism is not +used by default (when GSS_C_NO_OID is passed as the mech_type argument +to gss_init_sec_context()). The most common use of SPNEGO is for +HTTP-Negotiate, used in web browsers and other web clients. Most such +clients are believed to not offer HTTP-Negotiate by default, instead +requiring a whitelist of sites for which it may be used to be +configured. If the whitelist is configured to only allow +HTTP-Negotiate over TLS connections ("https://"), a successful +attacker must also spoof the web server's SSL certificate, due to the +way the WWW-Authenticate header is sent in a 401 (Unauthorized) +response message. Unfortunately, many instructions for enabling +HTTP-Negotiate in common web browsers do not include a TLS +requirement. + + CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C + +[kaduk@mit.edu: CVE summary and CVSSv2 vector] + +ticket: 7969 (new) +target_version: 1.12.2 +tags: pullup +--- + src/lib/gssapi/spnego/spnego_mech.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index 173c6d2..8f829d8 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc, + OM_uint32 tmpmin; + size_t i; + +- generic_gss_release_oid(&tmpmin, &sc->internal_mech); + gss_delete_sec_context(&tmpmin, &sc->ctx_handle, + GSS_C_NO_BUFFER); + +-- +1.9.3 + diff --git a/krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch b/krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch new file mode 100644 index 0000000..272ae59 --- /dev/null +++ b/krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch @@ -0,0 +1,49 @@ +From 524688ce87a15fc75f87efc8c039ba4c7d5c197b Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 15 Jul 2014 12:56:01 -0400 +Subject: [PATCH] Fix null deref in SPNEGO acceptor [CVE-2014-4344] + +When processing a continuation token, acc_ctx_cont was dereferencing +the initial byte of the token without checking the length. This could +result in a null dereference. + +CVE-2014-4344: + +In MIT krb5 1.5 and newer, an unauthenticated or partially +authenticated remote attacker can cause a NULL dereference and +application crash during a SPNEGO negotiation by sending an empty +token as the second or later context token from initiator to acceptor. +The attacker must provide at least one valid context token in the +security context negotiation before sending the empty token. This can +be done by an unauthenticated attacker by forcing SPNEGO to +renegotiate the underlying mechanism, or by using IAKERB to wrap an +unauthenticated AS-REQ as the first token. + + CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C + +[kaduk@mit.edu: CVE summary, CVSSv2 vector] + +ticket: 7970 (new) +subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344] +target_version: 1.12.2 +tags: pullup +--- + src/lib/gssapi/spnego/spnego_mech.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index 8f829d8..2aa6810 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat, + + ptr = bufstart = buf->value; + #define REMAIN (buf->length - (ptr - bufstart)) +- if (REMAIN > INT_MAX) ++ if (REMAIN == 0 || REMAIN > INT_MAX) + return GSS_S_DEFECTIVE_TOKEN; + + /* +-- +1.9.3 + diff --git a/krb5-mini.changes b/krb5-mini.changes index 55a7c4d..7512d1c 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com + +- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697) + krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch + Fix null deref in SPNEGO acceptor [CVE-2014-4344] + krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch + ------------------------------------------------------------------- Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com diff --git a/krb5-mini.spec b/krb5-mini.spec index 5d50fb1..83c5f9b 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -49,7 +49,7 @@ BuildRequires: python-lxml BuildRequires: pkgconfig(systemd) %{?systemd_requires} %else -PreReq: %insserv_prereq +PreReq: %insserv_prereq %endif # bug437293 %ifarch ppc64 @@ -84,6 +84,8 @@ Patch13: krb5-1.9-debuginfo.patch Patch14: krb5-kvno-230379.patch Patch15: krb5-master-keyring-kdcsync.patch Patch16: krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch +Patch17: krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch +Patch18: krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %fillup_prereq @@ -205,6 +207,8 @@ Include Files for Development %patch14 -p1 %patch15 -p1 %patch16 -p1 +%patch17 -p1 +%patch18 -p1 %build # needs to be re-generated diff --git a/krb5.changes b/krb5.changes index 55a7c4d..7512d1c 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com + +- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697) + krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch + Fix null deref in SPNEGO acceptor [CVE-2014-4344] + krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch + ------------------------------------------------------------------- Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com diff --git a/krb5.spec b/krb5.spec index aeaad28..5162e60 100644 --- a/krb5.spec +++ b/krb5.spec @@ -84,6 +84,8 @@ Patch13: krb5-1.9-debuginfo.patch Patch14: krb5-kvno-230379.patch Patch15: krb5-master-keyring-kdcsync.patch Patch16: krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch +Patch17: krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch +Patch18: krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %fillup_prereq @@ -205,6 +207,8 @@ Include Files for Development %patch14 -p1 %patch15 -p1 %patch16 -p1 +%patch17 -p1 +%patch18 -p1 %build # needs to be re-generated