b06750d1e3
CVE-2013-1415 (bnc#806715) - package missing file (bnc#794784) - revert the -p usage in %postun to fix SLE build - fix PKINIT null pointer deref CVE-2013-1415 (bnc#806715) OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=87
46 lines
1.6 KiB
Plaintext
46 lines
1.6 KiB
Plaintext
commit c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed
|
|
Author: Xi Wang <xi.wang@gmail.com>
|
|
Date: Thu Feb 14 18:17:40 2013 -0500
|
|
|
|
PKINIT null pointer deref [CVE-2013-1415]
|
|
|
|
Don't dereference a null pointer when cleaning up.
|
|
|
|
The KDC plugin for PKINIT can dereference a null pointer when a
|
|
malformed packet causes processing to terminate early, leading to
|
|
a crash of the KDC process. An attacker would need to have a valid
|
|
PKINIT certificate or have observed a successful PKINIT authentication,
|
|
or an unauthenticated attacker could execute the attack if anonymous
|
|
PKINIT is enabled.
|
|
|
|
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C
|
|
|
|
This is a minimal commit for pullup; style fixes in a followup.
|
|
[kaduk@mit.edu: reformat and edit commit message]
|
|
|
|
ticket: 7570 (new)
|
|
target_version: 1.11.1
|
|
tags: pullup
|
|
|
|
Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
===================================================================
|
|
--- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
+++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
@@ -3242,7 +3242,7 @@ pkinit_check_kdc_pkid(krb5_context conte
|
|
pkiDebug("found kdcPkId in AS REQ\n");
|
|
is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len);
|
|
if (is == NULL)
|
|
- goto cleanup;
|
|
+ return retval;
|
|
|
|
status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer);
|
|
if (!status) {
|
|
@@ -3252,7 +3252,6 @@ pkinit_check_kdc_pkid(krb5_context conte
|
|
}
|
|
|
|
retval = 0;
|
|
-cleanup:
|
|
X509_NAME_free(is->issuer);
|
|
ASN1_INTEGER_free(is->serial);
|
|
free(is);
|