aboutsummaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch')
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch63
1 files changed, 0 insertions, 63 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch
deleted file mode 100644
index dbc46bb79d..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 5b9b82d0696f1ffd4e693c1f8eafc0915b15e85b Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Tue, 19 Jul 2016 11:00:28 -0400
-Subject: [PATCH] Fix S4U2Self KDC crash when anon is restricted
-
-cherry-picked from 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 upstream
-
-In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
-use client.princ instead of request->client; the latter is NULL when
-validating S4U2Self requests.
-
-CVE-2016-3120:
-
-In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
-to dereference a null pointer if the restrict_anonymous_to_tgt option
-is set to true, by making an S4U2Self request.
-
- CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
-
-ticket: 8458 (new)
-target_version: 1.14-next
-target_version: 1.13-next
-
-Upstream-Status: Backport
-
-Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
----
- src/kdc/kdc_util.c | 2 +-
- src/tests/t_pkinit.py | 5 +++++
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
-index 48be1ae..10daec4 100644
---- a/src/kdc/kdc_util.c
-+++ b/src/kdc/kdc_util.c
-@@ -700,7 +700,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
- return(KDC_ERR_MUST_USE_USER2USER);
- }
-
-- if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
-+ if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
- *status = "ANONYMOUS NOT ALLOWED";
- return(KDC_ERR_POLICY);
- }
-diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
-index 762e322..d27d05b 100644
---- a/src/tests/t_pkinit.py
-+++ b/src/tests/t_pkinit.py
-@@ -94,6 +94,11 @@ out = realm.run([kvno, realm.host_princ], expected_code=1)
- if 'KDC policy rejects request' not in out:
- fail('Wrong error for restricted anonymous PKINIT')
-
-+# Regression test for #8458: S4U2Self requests crash the KDC if
-+# anonymous is restricted.
-+realm.kinit(realm.host_princ, flags=['-k'])
-+realm.run([kvno, '-U', 'user', realm.host_princ])
-+
- # Go back to a normal KDC and disable anonymous PKINIT.
- realm.stop_kdc()
- realm.start_kdc()
---
-2.5.0
-