krb5-CVE-2016-3119.patch

Backport <commit 08c642c09c38a9c6454ab43a9b53b2a89b9eef99> from krb5 upstream <https://github.com/krb5/krb5> to fix CVE-2016-3119 avoid remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal. Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Zhixiong Chi <zhixiong.chi@windriver.com> 2016-04-25 17:34:56 +0800
committer: Armin Kuster <akuster808@gmail.com> 2016-04-28 12:30:46 -0700
commit: 41ccc871ae8b00435195aafecf365298ee685fbc (patch)
tree: 566be4fdb6541ca70f529fbb5df355e1bddef3a9
parent: 3f95cc9086dd3ca0f77f2ee8b50b039ecdacc29c (diff)
download: meta-openembedded-41ccc871ae8b00435195aafecf365298ee685fbc.tar.gz
2 files changed, 37 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch
new file mode 100644
index 000000000..67fefed89
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch
@@ -0,0 +1,36 @@
+Subject: kerb: Fix LDAP null deref on empty arg [CVE-2016-3119]
+From: Greg Hudson
+In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
+if there is an empty string in the db_args array.  Check for this case
+and avoid dereferencing a null pointer.
+CVE-2016-3119:
+In MIT krb5 1.6 and later, an authenticated attacker with permission
+to modify a principal entry can cause kadmind to dereference a null
+pointer by supplying an empty DB argument to the modify_principal
+command, if kadmind is configured to use the LDAP KDB module.
+    CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
+ticket: 8383 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+Index: krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+===================================================================
+--- krb5-1.13.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-05-09 07:27:02.000000000 +0800
+++ krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c      2016-04-11 15:17:12.874140518 +0800
+@@ -267,6 +267,7 @@
+     if (db_args) {
+         for (i=0; db_args[i]; ++i) {
+             arg = strtok_r(db_args[i], "=", &arg_val);
+            arg = (arg != NULL) ? arg : "";
+             if (strcmp(arg, TKTPOLICY_ARG) == 0) {
+                 dptr = &xargs->tktpolicydn;
+             } else {
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
index ecb4edac2..d4ecae41d 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
           file://etc/init.d/krb5-admin-server \
           file://etc/default/krb5-kdc \
           file://etc/default/krb5-admin-server \
+           file://krb5-CVE-2016-3119.patch;striplevel=2 \
 "
 SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189"
 SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1"
author	Zhixiong Chi <zhixiong.chi@windriver.com>	2016-04-25 17:34:56 +0800
committer	Armin Kuster <akuster808@gmail.com>	2016-04-28 12:30:46 -0700
commit	41ccc871ae8b00435195aafecf365298ee685fbc (patch)
tree	566be4fdb6541ca70f529fbb5df355e1bddef3a9
parent	3f95cc9086dd3ca0f77f2ee8b50b039ecdacc29c (diff)
download	meta-openembedded-41ccc871ae8b00435195aafecf365298ee685fbc.tar.gz

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch new file mode 100644 index 000000000..67fefed89 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch
@@ -0,0 +1,36 @@
		1	Subject: kerb: Fix LDAP null deref on empty arg [CVE-2016-3119]
		2	From: Greg Hudson
		3
		4	In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
		5	if there is an empty string in the db_args array. Check for this case
		6	and avoid dereferencing a null pointer.
		7
		8	CVE-2016-3119:
		9
		10	In MIT krb5 1.6 and later, an authenticated attacker with permission
		11	to modify a principal entry can cause kadmind to dereference a null
		12	pointer by supplying an empty DB argument to the modify_principal
		13	command, if kadmind is configured to use the LDAP KDB module.
		14
		15	CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
		16
		17	ticket: 8383 (new)
		18	target_version: 1.14-next
		19	target_version: 1.13-next
		20	tags: pullup
		21
		22	Upstream-Status: Backport
		23
		24	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
		25	Index: krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
		26	===================================================================
		27	--- krb5-1.13.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-05-09 07:27:02.000000000 +0800
		28	+++ krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-04-11 15:17:12.874140518 +0800
		29	@@ -267,6 +267,7 @@
		30	if (db_args) {
		31	for (i=0; db_args[i]; ++i) {
		32	arg = strtok_r(db_args[i], "=", &arg_val);
		33	+ arg = (arg != NULL) ? arg : "";
		34	if (strcmp(arg, TKTPOLICY_ARG) == 0) {
		35	dptr = &xargs->tktpolicydn;
		36	} else {


diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb index ecb4edac2..d4ecae41d 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
32	file://etc/init.d/krb5-admin-server \	32	file://etc/init.d/krb5-admin-server \
33	file://etc/default/krb5-kdc \	33	file://etc/default/krb5-kdc \
34	file://etc/default/krb5-admin-server \	34	file://etc/default/krb5-admin-server \
		35	file://krb5-CVE-2016-3119.patch;striplevel=2 \
35	"	36	"
36	SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189"	37	SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189"
37	SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1"	38	SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1"