diff options
Diffstat (limited to 'meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch')
-rw-r--r-- | meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch | 63 |
1 files changed, 0 insertions, 63 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch deleted file mode 100644 index dbc46bb79d..0000000000 --- a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 5b9b82d0696f1ffd4e693c1f8eafc0915b15e85b Mon Sep 17 00:00:00 2001 -From: Greg Hudson <ghudson@mit.edu> -Date: Tue, 19 Jul 2016 11:00:28 -0400 -Subject: [PATCH] Fix S4U2Self KDC crash when anon is restricted - -cherry-picked from 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 upstream - -In validate_as_request(), when enforcing restrict_anonymous_to_tgt, -use client.princ instead of request->client; the latter is NULL when -validating S4U2Self requests. - -CVE-2016-3120: - -In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc -to dereference a null pointer if the restrict_anonymous_to_tgt option -is set to true, by making an S4U2Self request. - - CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C - -ticket: 8458 (new) -target_version: 1.14-next -target_version: 1.13-next - -Upstream-Status: Backport - -Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com> ---- - src/kdc/kdc_util.c | 2 +- - src/tests/t_pkinit.py | 5 +++++ - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index 48be1ae..10daec4 100644 ---- a/src/kdc/kdc_util.c -+++ b/src/kdc/kdc_util.c -@@ -700,7 +700,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm, - return(KDC_ERR_MUST_USE_USER2USER); - } - -- if (check_anon(kdc_active_realm, request->client, request->server) != 0) { -+ if (check_anon(kdc_active_realm, client.princ, request->server) != 0) { - *status = "ANONYMOUS NOT ALLOWED"; - return(KDC_ERR_POLICY); - } -diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py -index 762e322..d27d05b 100644 ---- a/src/tests/t_pkinit.py -+++ b/src/tests/t_pkinit.py -@@ -94,6 +94,11 @@ out = realm.run([kvno, realm.host_princ], expected_code=1) - if 'KDC policy rejects request' not in out: - fail('Wrong error for restricted anonymous PKINIT') - -+# Regression test for #8458: S4U2Self requests crash the KDC if -+# anonymous is restricted. -+realm.kinit(realm.host_princ, flags=['-k']) -+realm.run([kvno, '-U', 'user', realm.host_princ]) -+ - # Go back to a normal KDC and disable anonymous PKINIT. - realm.stop_kdc() - realm.start_kdc() --- -2.5.0 - |