On Tue, 16 Apr 2013, Benjamin Kaduk wrote:
Having seen the reproducer, I am of the opinion that this bug should get
fixed in stable.
I am planning to prepare a candidate stable upload (which may include another
bugfix if it seems appropriate) later this week for consideration.
The attached handles CVE-2013-1416 (this bug) and CVE-2013-1415 (no Debian
bug number? Fixed in testing), as well as #704647 (rdns=false is broken).
The last is not exactly a security fix, so the patch is targeted for
stable-proposed-updates. A patch without that change could be targeted
for stable-security, but we see the #704647 issue crop up regularly on the
kerberos mailing lists and it would be very nice to get it fixed as well.
-Ben
diff -u krb5-1.8.3+dfsg/src/lib/krb5/os/sn2princ.c
krb5-1.8.3+dfsg/src/lib/krb5/os/sn2princ.c
--- krb5-1.8.3+dfsg/src/lib/krb5/os/sn2princ.c
+++ krb5-1.8.3+dfsg/src/lib/krb5/os/sn2princ.c
@@ -111,19 +111,12 @@
hostnames associated. */
memset(&hints, 0, sizeof(hints));
- hints.ai_family = AF_INET;
hints.ai_flags = AI_CANONNAME;
- try_getaddrinfo_again:
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {
#ifdef DEBUG_REFERRALS
printf("sname_to_princ: probably punting due to bad hostname
of %s\n",hostname);
#endif
- if (hints.ai_family == AF_INET) {
- /* Just in case it's an IPv6-only name. */
- hints.ai_family = 0;
- goto try_getaddrinfo_again;
- }
return KRB5_ERR_BAD_HOSTNAME;
}
remote_host = strdup(ai->ai_canonname ? ai->ai_canonname :
hostname);
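Review bot: Nothing in the hunk records why getaddrinfo() is now called with the zeroed ai_family (AF_UNSPEC) and no AF_INET-first attempt, so a later reader may well reintroduce the retry that this hunk removes. The changelog in this same patch calls it upstream's workaround for a getaddrinfo bug (#704647), so I would add a comment above the `hints.ai_flags = AI_CANONNAME;` line: `/* ai_family is left AF_UNSPEC (from the memset): requesting AF_INET together with AI_CANONNAME trips a getaddrinfo bug, see #704647. */`. The enclosing function starts before and continues after the hunk, so whether the strdup() result on the last context line is checked and where `ai` is released cannot be confirmed from here.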
diff -u krb5-1.8.3+dfsg/debian/changelog krb5-1.8.3+dfsg/debian/changelog
--- krb5-1.8.3+dfsg/debian/changelog
+++ krb5-1.8.3+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+krb5 (1.8.3+dfsg-4squeeze7) stable-proposed-updates; urgency=high
+
+ * CVE-2013-1416 TGS-REQ null pointer dereference in KDC, Closes: #704775
+ * CVE-2013-1415 KDC null pointer dereference with PKINIT
+ * Import upstream's workaround for a getaddrinfo bug, Closes: #704647
+
+ -- Benjamin Kaduk <ka...@mit.edu> Sun, 21 Apr 2013 15:49:14 -0400
+
krb5 (1.8.3+dfsg-4squeeze6) stable-security; urgency=high
* MITKRB5-SA-2012-001 CVE-2012-1015: KDC frees uninitialized pointer
only in patch2:
unchanged:
--- krb5-1.8.3+dfsg.orig/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ krb5-1.8.3+dfsg/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2879,7 +2879,7 @@
pkiDebug("found kdcPkId in AS REQ\n");
is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len);
if (is == NULL)
- goto cleanup;
+ return retval;
status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer);
if (!status) {
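Review bot: `return retval;` on the d2i_PKCS7_ISSUER_AND_SERIAL() failure path only reports a failure if `retval` was initialised to a non-zero error code before this hunk, and that initialisation is outside the hunk; if it started at 0, a malformed kdcPkId would be reported to the caller as success. Please confirm the initial value, or make the intent self-evident with `return KRB5KDC_ERR_PREAUTH_FAILED;` (or whichever code this function's callers expect). A one-line comment on the new early return would also help, since the second hunk in this file removes the `cleanup:` label and the reason is not obvious from the code: `/* Return directly: the cleanup below dereferences is, which is NULL here. */`. The enclosing function starts before and ends after the hunk.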
@@ -2889,7 +2889,6 @@
}
retval = 0;
-cleanup:
X509_NAME_free(is->issuer);
ASN1_INTEGER_free(is->serial);
free(is);
only in patch2:
unchanged:
--- krb5-1.8.3+dfsg.orig/src/kdc/do_tgs_req.c
+++ krb5-1.8.3+dfsg/src/kdc/do_tgs_req.c
@@ -1216,7 +1216,8 @@
retval = ENOMEM;
goto cleanup;
}
- strlcpy(comp1_str,comp1->data,comp1->length+1);
+ if (comp1->data != NULL)
+ memcpy(comp1_str, comp1->data, comp1->length);
if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST
||
krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST
||
@@ -1239,7 +1240,8 @@
retval = ENOMEM;
goto cleanup;
}
- strlcpy(temp_buf, comp2->data,comp2->length+1);
+ if (comp2->data != NULL)
+ memcpy(temp_buf, comp2->data, comp2->length);
retval = krb5int_get_domain_realm_mapping(kdc_context, temp_buf,
&realms);
free(temp_buf);
if (retval) {
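Review bot: NUL termination of `temp_buf` is no longer provided by the copy: memcpy copies exactly `comp2->length` bytes, so the terminator must come from the allocation being zero-filled, and the allocation site is outside the hunk; the `comp1_str` copy in the previous hunk of this file has the same dependency. If those buffers are malloc'd rather than calloc'd, krb5int_get_domain_realm_mapping() and the later uses of comp1_str would read past the copied bytes, so either confirm calloc or terminate explicitly after each memcpy, e.g. `temp_buf[comp2->length] = '\0';`. A short comment on the new NULL checks would also record why they exist, presumably because an empty component carries a NULL data pointer with length 0: `/* data may be NULL for an empty component (length 0); nothing to copy then. */`. The enclosing function starts before the first hunk and ends after this one.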