Blame - import-layers/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch - openbmc/openbmc

blob: 9b0c18b75f65e0af66884b35a18c4a9d6628a5cd [file] [log] [blame]

Patrick Williams	b48b7b4	2016-08-17 15:04:38 -0500	[diff] [blame^]	1	From 9cb63711e63042f22da914ba039c4537b22e8fb0 Mon Sep 17 00:00:00 2001
				2	From: Greg Hudson <ghudson@mit.edu>
				3	Date: Fri, 25 Sep 2015 12:51:47 -0400
				4	Subject: [PATCH 3/4] Fix build_principal memory bug [CVE-2015-2697]
				5
				6	In build_principal_va(), use k5memdup0() instead of strdup() to make a
				7	copy of the realm, to ensure that we allocate the correct number of
				8	bytes and do not read past the end of the input string. This bug
				9	affects krb5_build_principal(), krb5_build_principal_va(), and
				10	krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
				11	affected.
				12
				13	CVE-2015-2697:
				14
				15	In MIT krb5 1.7 and later, an authenticated attacker may be able to
				16	cause a KDC to crash using a TGS request with a large realm field
				17	beginning with a null byte. If the KDC attempts to find a referral to
				18	answer the request, it constructs a principal name for lookup using
				19	krb5_build_principal() with the requested realm. Due to a bug in this
				20	function, the null byte causes only one byte be allocated for the
				21	realm field of the constructed principal, far less than its length.
				22	Subsequent operations on the lookup principal may cause a read beyond
				23	the end of the mapped memory region, causing the KDC process to crash.
				24
				25	CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
				26
				27	ticket: 8252 (new)
				28	target_version: 1.14
				29	tags: pullup
				30
				31	Backport upstream commit:
				32	https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789
				33
				34	Upstream-Status: Backport
				35	---
				36	src/lib/krb5/krb/bld_princ.c \| 6 ++----
				37	1 file changed, 2 insertions(+), 4 deletions(-)
				38
				39	diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
				40	index ab6fed8..8604268 100644
				41	--- a/src/lib/krb5/krb/bld_princ.c
				42	+++ b/src/lib/krb5/krb/bld_princ.c
				43	@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
				44	data = malloc(size * sizeof(krb5_data));
				45	if (!data) { retval = ENOMEM; }
				46
				47	- if (!retval) {
				48	- r = strdup(realm);
				49	- if (!r) { retval = ENOMEM; }
				50	- }
				51	+ if (!retval)
				52	+ r = k5memdup0(realm, rlen, &retval);
				53
				54	while (!retval && (component = va_arg(ap, char *))) {
				55	if (count == size) {
				56	--
				57	1.9.1
				58