diff options
author | Wenzong Fan <wenzong.fan@windriver.com> | 2015-11-14 05:22:28 -0500 |
---|---|---|
committer | Martin Jansa <Martin.Jansa@gmail.com> | 2015-12-18 12:28:24 +0100 |
commit | c533d4506eb983daf7884ba41bb910c0b1133a3d (patch) | |
tree | 0e732b88f44a92cbd356707db36e9fd7a3d08eff | |
parent | 88368a58260e7e18f6f85901f80759599051bd51 (diff) | |
download | meta-openembedded-contrib-c533d4506eb983daf7884ba41bb910c0b1133a3d.tar.gz |
krb5: fix CVE-2015-2697
The build_principal_va function in lib/krb5/krb/bld_princ.c in MIT
Kerberos 5 (aka krb5) before 1.14 allows remote authenticated users
to cause a denial of service (out-of-bounds read and KDC crash) via
an initial '\0' character in a long realm field within a TGS request.
Backport upstream commit to fix it:
https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
-rw-r--r-- | meta-oe/recipes-connectivity/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch | 58 | ||||
-rw-r--r-- | meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb | 1 |
2 files changed, 59 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch b/meta-oe/recipes-connectivity/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch new file mode 100644 index 0000000000..9b0c18b75f --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch @@ -0,0 +1,58 @@ +From 9cb63711e63042f22da914ba039c4537b22e8fb0 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Fri, 25 Sep 2015 12:51:47 -0400 +Subject: [PATCH 3/4] Fix build_principal memory bug [CVE-2015-2697] + +In build_principal_va(), use k5memdup0() instead of strdup() to make a +copy of the realm, to ensure that we allocate the correct number of +bytes and do not read past the end of the input string. This bug +affects krb5_build_principal(), krb5_build_principal_va(), and +krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not +affected. + +CVE-2015-2697: + +In MIT krb5 1.7 and later, an authenticated attacker may be able to +cause a KDC to crash using a TGS request with a large realm field +beginning with a null byte. If the KDC attempts to find a referral to +answer the request, it constructs a principal name for lookup using +krb5_build_principal() with the requested realm. Due to a bug in this +function, the null byte causes only one byte be allocated for the +realm field of the constructed principal, far less than its length. +Subsequent operations on the lookup principal may cause a read beyond +the end of the mapped memory region, causing the KDC process to crash. + +CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C + +ticket: 8252 (new) +target_version: 1.14 +tags: pullup + +Backport upstream commit: +https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789 + +Upstream-Status: Backport +--- + src/lib/krb5/krb/bld_princ.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c +index ab6fed8..8604268 100644 +--- a/src/lib/krb5/krb/bld_princ.c ++++ b/src/lib/krb5/krb/bld_princ.c +@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ, + data = malloc(size * sizeof(krb5_data)); + if (!data) { retval = ENOMEM; } + +- if (!retval) { +- r = strdup(realm); +- if (!r) { retval = ENOMEM; } +- } ++ if (!retval) ++ r = k5memdup0(realm, rlen, &retval); + + while (!retval && (component = va_arg(ap, char *))) { + if (count == size) { +-- +1.9.1 + diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb index 6c25d825dd..c6b873a3a1 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb @@ -25,6 +25,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \ file://Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch;striplevel=2 \ file://Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch;striplevel=2 \ + file://Fix-build_principal-memory-bug-CVE-2015-2697.patch;striplevel=2 \ file://crosscompile_nm.patch \ file://etc/init.d/krb5-kdc \ file://etc/init.d/krb5-admin-server \ |