1 files changed, 36 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch
new file mode 100644
index 000000000..67fefed89
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch
@@ -0,0 +1,36 @@
+Subject: kerb: Fix LDAP null deref on empty arg [CVE-2016-3119]
+From: Greg Hudson
+In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
+if there is an empty string in the db_args array.  Check for this case
+and avoid dereferencing a null pointer.
+CVE-2016-3119:
+In MIT krb5 1.6 and later, an authenticated attacker with permission
+to modify a principal entry can cause kadmind to dereference a null
+pointer by supplying an empty DB argument to the modify_principal
+command, if kadmind is configured to use the LDAP KDB module.
+    CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
+ticket: 8383 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+Index: krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+===================================================================
+--- krb5-1.13.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-05-09 07:27:02.000000000 +0800
+++ krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c      2016-04-11 15:17:12.874140518 +0800
+@@ -267,6 +267,7 @@
+     if (db_args) {
+         for (i=0; db_args[i]; ++i) {
+             arg = strtok_r(db_args[i], "=", &arg_val);
+            arg = (arg != NULL) ? arg : "";
+             if (strcmp(arg, TKTPOLICY_ARG) == 0) {
+                 dptr = &xargs->tktpolicydn;
+             } else {

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch new file mode 100644 index 000000000..67fefed89 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch
@@ -0,0 +1,36 @@
	1	Subject: kerb: Fix LDAP null deref on empty arg [CVE-2016-3119]
	2	From: Greg Hudson
	3
	4	In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
	5	if there is an empty string in the db_args array. Check for this case
	6	and avoid dereferencing a null pointer.
	7
	8	CVE-2016-3119:
	9
	10	In MIT krb5 1.6 and later, an authenticated attacker with permission
	11	to modify a principal entry can cause kadmind to dereference a null
	12	pointer by supplying an empty DB argument to the modify_principal
	13	command, if kadmind is configured to use the LDAP KDB module.
	14
	15	CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
	16
	17	ticket: 8383 (new)
	18	target_version: 1.14-next
	19	target_version: 1.13-next
	20	tags: pullup
	21
	22	Upstream-Status: Backport
	23
	24	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
	25	Index: krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
	26	===================================================================
	27	--- krb5-1.13.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-05-09 07:27:02.000000000 +0800
	28	+++ krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-04-11 15:17:12.874140518 +0800
	29	@@ -267,6 +267,7 @@
	30	if (db_args) {
	31	for (i=0; db_args[i]; ++i) {
	32	arg = strtok_r(db_args[i], "=", &arg_val);
	33	+ arg = (arg != NULL) ? arg : "";
	34	if (strcmp(arg, TKTPOLICY_ARG) == 0) {
	35	dptr = &xargs->tktpolicydn;
	36	} else {