author | Mark H Weaver <[email protected]> | 2016-02-04 02:02:20 -0500 |
---|---|---|
committer | Mark H Weaver <[email protected]> | 2016-02-10 10:41:11 -0500 |
commit | 16114c3494026b908b116bf93b9eee5d871860ef (patch) | |
tree | efca01aac6efa9edfd3f2ec3bed86859a91b66af /gnu/packages/patches/mit-krb5-CVE-2015-2697.patch | |
parent | 42395bf5143b39a7b79520a94e825be472692482 (diff) |
gnu: mit-krb5: Update to 1.13.3; add fixes for CVE-2015-{8629,8630,8631}.
* gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch,
gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch,
gnu/packages/patches/mit-krb5-CVE-2015-2696.patch,
gnu/packages/patches/mit-krb5-CVE-2015-2697.patch,
gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch,
gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch: Delete files.
* gnu/packages/patches/mit-krb5-CVE-2015-8629.patch,
gnu/packages/patches/mit-krb5-CVE-2015-8630.patch,
gnu/packages/patches/mit-krb5-CVE-2015-8631.patch,
gnu/packages/patches/mit-krb5-init-context-null-spnego.patch: New files.
* gnu-system.am (dist_patch_DATA): Adjust accordingly.
* gnu/packages/mit-krb5.scm (mit-krb5): Update to 1.13.3.
[source]: Update URI to download conventional .tar.gz file. Add patches.
[native-inputs]: Remove old patches-as-inputs.
[arguments]: Remove hacks needed to cope with the older unconventional
tarball that contained an inner source tarball and signature: Remove
#:modules argument, and the custom 'unpack' and 'apply-patches' phases.
Diffstat (limited to 'gnu/packages/patches/mit-krb5-CVE-2015-2697.patch')
-rw-r--r-- | gnu/packages/patches/mit-krb5-CVE-2015-2697.patch | 55 |
1 files changed, 0 insertions, 55 deletions
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2697.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2697.patch deleted file mode 100644 index f65ce39623..0000000000 --- a/gnu/packages/patches/mit-krb5-CVE-2015-2697.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -Copied from Debian. - -From fcafb522a0509bfd6f4f6b57e4a1e93c0092eeb0 Mon Sep 17 00:00:00 2001 -From: Greg Hudson <[email protected]> -Date: Fri, 25 Sep 2015 12:51:47 -0400 -Subject: Fix build_principal memory bug [CVE-2015-2697] - -In build_principal_va(), use k5memdup0() instead of strdup() to make a -copy of the realm, to ensure that we allocate the correct number of -bytes and do not read past the end of the input string. This bug -affects krb5_build_principal(), krb5_build_principal_va(), and -krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not -affected. - -CVE-2015-2697: - -In MIT krb5 1.7 and later, an authenticated attacker may be able to -cause a KDC to crash using a TGS request with a large realm field -beginning with a null byte. If the KDC attempts to find a referral to -answer the request, it constructs a principal name for lookup using -krb5_build_principal() with the requested realm. Due to a bug in this -function, the null byte causes only one byte be allocated for the -realm field of the constructed principal, far less than its length. -Subsequent operations on the lookup principal may cause a read beyond -the end of the mapped memory region, causing the KDC process to crash. 
- -CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C - -ticket: 8252 (new) -target_version: 1.14 -tags: pullup - -(cherry picked from commit f0c094a1b745d91ef2f9a4eae2149aac026a5789) -Patch-Category: upstream ---- - src/lib/krb5/krb/bld_princ.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c -index ab6fed8..8604268 100644 ---- a/src/lib/krb5/krb/bld_princ.c -+++ b/src/lib/krb5/krb/bld_princ.c -@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ, - data = malloc(size * sizeof(krb5_data)); - if (!data) { retval = ENOMEM; } - -- if (!retval) { -- r = strdup(realm); -- if (!r) { retval = ENOMEM; } -- } -+ if (!retval) -+ r = k5memdup0(realm, rlen, &retval); - - while (!retval && (component = va_arg(ap, char *))) { - if (count == size) { |
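Review bot: this hunk deletes the entire CVE-2015-2697 patch (the k5memdup0() replacement for strdup() in build_principal_va()), but neither the hunk nor the commit message says why the fix is no longer needed; the message only lists the file under "Delete files". Since the deleted patch was cherry-picked from an upstream commit with target_version 1.14, the commit message should state that the 1.13.3 tarball already contains these fixes (for example "...: Delete files, now included upstream in 1.13.3"), and the update should be checked by confirming that src/lib/krb5/krb/bld_princ.c in the new source reads `r = k5memdup0(realm, rlen, &retval);` rather than the old `r = strdup(realm);`, so that the KDC crash on a TGS request whose realm begins with a null byte is not silently reintroduced by the version bump.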