diff options
Diffstat (limited to 'meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch')
-rw-r--r-- | meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch new file mode 100644 index 000000000..67fefed89 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | Subject: kerb: Fix LDAP null deref on empty arg [CVE-2016-3119] | ||
2 | From: Greg Hudson | ||
3 | |||
4 | In the LDAP KDB module's process_db_args(), strtok_r() may return NULL | ||
5 | if there is an empty string in the db_args array. Check for this case | ||
6 | and avoid dereferencing a null pointer. | ||
7 | |||
8 | CVE-2016-3119: | ||
9 | |||
10 | In MIT krb5 1.6 and later, an authenticated attacker with permission | ||
11 | to modify a principal entry can cause kadmind to dereference a null | ||
12 | pointer by supplying an empty DB argument to the modify_principal | ||
13 | command, if kadmind is configured to use the LDAP KDB module. | ||
14 | |||
15 | CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND | ||
16 | |||
17 | ticket: 8383 (new) | ||
18 | target_version: 1.14-next | ||
19 | target_version: 1.13-next | ||
20 | tags: pullup | ||
21 | |||
22 | Upstream-Status: Backport | ||
23 | |||
24 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> | ||
25 | Index: krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | ||
26 | =================================================================== | ||
27 | --- krb5-1.13.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-05-09 07:27:02.000000000 +0800 | ||
28 | +++ krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-04-11 15:17:12.874140518 +0800 | ||
29 | @@ -267,6 +267,7 @@ | ||
30 | if (db_args) { | ||
31 | for (i=0; db_args[i]; ++i) { | ||
32 | arg = strtok_r(db_args[i], "=", &arg_val); | ||
33 | + arg = (arg != NULL) ? arg : ""; | ||
34 | if (strcmp(arg, TKTPOLICY_ARG) == 0) { | ||
35 | dptr = &xargs->tktpolicydn; | ||
36 | } else { | ||