56 lines
2 KiB
Diff
56 lines
2 KiB
Diff
|
Copied from Debian.
|
||
|
|
||
|
From fcafb522a0509bfd6f4f6b57e4a1e93c0092eeb0 Mon Sep 17 00:00:00 2001
|
||
|
From: Greg Hudson <ghudson@mit.edu>
|
||
|
Date: Fri, 25 Sep 2015 12:51:47 -0400
|
||
|
Subject: Fix build_principal memory bug [CVE-2015-2697]
|
||
|
|
||
|
In build_principal_va(), use k5memdup0() instead of strdup() to make a
|
||
|
copy of the realm, to ensure that we allocate the correct number of
|
||
|
bytes and do not read past the end of the input string. This bug
|
||
|
affects krb5_build_principal(), krb5_build_principal_va(), and
|
||
|
krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
|
||
|
affected.
|
||
|
|
||
|
CVE-2015-2697:
|
||
|
|
||
|
In MIT krb5 1.7 and later, an authenticated attacker may be able to
|
||
|
cause a KDC to crash using a TGS request with a large realm field
|
||
|
beginning with a null byte. If the KDC attempts to find a referral to
|
||
|
answer the request, it constructs a principal name for lookup using
|
||
|
krb5_build_principal() with the requested realm. Due to a bug in this
|
||
|
function, the null byte causes only one byte be allocated for the
|
||
|
realm field of the constructed principal, far less than its length.
|
||
|
Subsequent operations on the lookup principal may cause a read beyond
|
||
|
the end of the mapped memory region, causing the KDC process to crash.
|
||
|
|
||
|
CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
|
||
|
|
||
|
ticket: 8252 (new)
|
||
|
target_version: 1.14
|
||
|
tags: pullup
|
||
|
|
||
|
(cherry picked from commit f0c094a1b745d91ef2f9a4eae2149aac026a5789)
|
||
|
Patch-Category: upstream
|
||
|
---
|
||
|
src/lib/krb5/krb/bld_princ.c | 6 ++----
|
||
|
1 file changed, 2 insertions(+), 4 deletions(-)
|
||
|
|
||
|
diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
|
||
|
index ab6fed8..8604268 100644
|
||
|
--- a/src/lib/krb5/krb/bld_princ.c
|
||
|
+++ b/src/lib/krb5/krb/bld_princ.c
|
||
|
@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
|
||
|
data = malloc(size * sizeof(krb5_data));
|
||
|
if (!data) { retval = ENOMEM; }
|
||
|
|
||
|
- if (!retval) {
|
||
|
- r = strdup(realm);
|
||
|
- if (!r) { retval = ENOMEM; }
|
||
|
- }
|
||
|
+ if (!retval)
|
||
|
+ r = k5memdup0(realm, rlen, &retval);
|
||
|
|
||
|
while (!retval && (component = va_arg(ap, char *))) {
|
||
|
if (count == size) {
|