From 41ccc871ae8b00435195aafecf365298ee685fbc Mon Sep 17 00:00:00 2001 From: Zhixiong Chi Date: Mon, 25 Apr 2016 17:34:56 +0800 Subject: krb5-CVE-2016-3119.patch Backport from krb5 upstream to fix CVE-2016-3119 avoid remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal. Signed-off-by: Zhixiong Chi Signed-off-by: Martin Jansa Signed-off-by: Armin Kuster --- .../krb5/krb5/krb5-CVE-2016-3119.patch | 36 ++++++++++++++++++++++ meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch new file mode 100644 index 0000000000..67fefed898 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch @@ -0,0 +1,36 @@ +Subject: kerb: Fix LDAP null deref on empty arg [CVE-2016-3119] +From: Greg Hudson + +In the LDAP KDB module's process_db_args(), strtok_r() may return NULL +if there is an empty string in the db_args array. Check for this case +and avoid dereferencing a null pointer. + +CVE-2016-3119: + +In MIT krb5 1.6 and later, an authenticated attacker with permission +to modify a principal entry can cause kadmind to dereference a null +pointer by supplying an empty DB argument to the modify_principal +command, if kadmind is configured to use the LDAP KDB module. + + CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND + +ticket: 8383 (new) +target_version: 1.14-next +target_version: 1.13-next +tags: pullup + +Upstream-Status: Backport + +Signed-off-by: Zhixiong Chi +Index: krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +=================================================================== +--- krb5-1.13.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-05-09 07:27:02.000000000 +0800 ++++ krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-04-11 15:17:12.874140518 +0800 +@@ -267,6 +267,7 @@ + if (db_args) { + for (i=0; db_args[i]; ++i) { + arg = strtok_r(db_args[i], "=", &arg_val); ++ arg = (arg != NULL) ? arg : ""; + if (strcmp(arg, TKTPOLICY_ARG) == 0) { + dptr = &xargs->tktpolicydn; + } else { diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb index ecb4edac28..d4ecae41d6 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb @@ -32,6 +32,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar file://etc/init.d/krb5-admin-server \ file://etc/default/krb5-kdc \ file://etc/default/krb5-admin-server \ + file://krb5-CVE-2016-3119.patch;striplevel=2 \ " SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189" SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1" -- cgit 1.2.3-korg