aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch')
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch132
1 files changed, 0 insertions, 132 deletions
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch
deleted file mode 100644
index 8725cd4eed..0000000000
--- a/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-Copied from Debian.
-
-From 4b330d5be1f8048be4d079ac3cb38d60c0e99e69 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Wed, 4 Nov 2015 21:28:28 -0500
-Subject: Fix IAKERB context export/import [CVE-2015-2698]
-
-The patches for CVE-2015-2696 contained a regression in the newly
-added IAKERB iakerb_gss_export_sec_context() function, which could
-cause it to corrupt memory. Fix the regression by properly
-dereferencing the context_handle pointer before casting it.
-
-Also, the patches did not implement an IAKERB gss_import_sec_context()
-function, under the erroneous belief than an exported IAKERB context
-would be tagged as a krb5 context. Implement it now to allow IAKERB
-contexts to be successfully exported and imported after establishment.
-
-CVE-2015-2698:
-
-In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
-application which calls gss_export_sec_context() may experience memory
-corruption if the context was established using the IAKERB mechanism.
-Historically, some vulnerabilities of this nature can be translated
-into remote code execution, though the necessary exploits must be
-tailored to the individual application and are usually quite
-complicated.
-
- CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
-
-ticket: 8273 (new)
-target_version: 1.14
-tags: pullup
-
-(cherry picked from commit d8b31c874c7d1039be7649362ef11c89f4e14c27)
-
-Patch-Category: upstream
----
- src/lib/gssapi/krb5/gssapiP_krb5.h | 5 +++++
- src/lib/gssapi/krb5/gssapi_krb5.c | 2 +-
- src/lib/gssapi/krb5/iakerb.c | 42 +++++++++++++++++++++++++++++++-------
- 3 files changed, 41 insertions(+), 8 deletions(-)
-
-diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
-index 05dc321..ac53662 100644
---- a/src/lib/gssapi/krb5/gssapiP_krb5.h
-+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
-@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV
- iakerb_gss_export_sec_context(OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- gss_buffer_t interprocess_token);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
-+ const gss_buffer_t interprocess_token,
-+ gss_ctx_id_t *context_handle);
- #endif /* LEAN_CLIENT */
-
- OM_uint32 KRB5_CALLCONV
-diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
-index 9a23656..d7ba279 100644
---- a/src/lib/gssapi/krb5/gssapi_krb5.c
-+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
-@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = {
- NULL,
- #else
- iakerb_gss_export_sec_context,
-- NULL,
-+ iakerb_gss_import_sec_context,
- #endif
- krb5_gss_inquire_cred_by_mech,
- krb5_gss_inquire_names_for_mech,
-diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
-index e25862d..32a341e 100644
---- a/src/lib/gssapi/krb5/iakerb.c
-+++ b/src/lib/gssapi/krb5/iakerb.c
-@@ -1057,7 +1057,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
- gss_buffer_t interprocess_token)
- {
- OM_uint32 maj;
-- iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
-
- /* We don't currently support exporting partially established contexts. */
- if (!ctx->established)
-@@ -1072,13 +1072,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
- return maj;
- }
-
--/*
-- * Until we implement partial context exports, there are no IAKERB exported
-- * context tokens, only tokens for the underlying krb5 context. So we do not
-- * need to implement an iakerb_gss_import_sec_context() yet; it would be
-- * unreachable except via a manually constructed token.
-- */
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
-+ gss_buffer_t interprocess_token,
-+ gss_ctx_id_t *context_handle)
-+{
-+ OM_uint32 maj, tmpmin;
-+ krb5_error_code code;
-+ gss_ctx_id_t gssc;
-+ krb5_gss_ctx_id_t kctx;
-+ iakerb_ctx_id_t ctx;
-+
-+ maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc);
-+ if (maj != GSS_S_COMPLETE)
-+ return maj;
-+ kctx = (krb5_gss_ctx_id_t)gssc;
-+
-+ if (!kctx->established) {
-+ /* We don't currently support importing partially established
-+ * contexts. */
-+ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
-+ return GSS_S_FAILURE;
-+ }
-
-+ code = iakerb_alloc_context(&ctx, kctx->initiate);
-+ if (code != 0) {
-+ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
-+ *minor_status = code;
-+ return GSS_S_FAILURE;
-+ }
-+
-+ ctx->gssc = gssc;
-+ ctx->established = 1;
-+ *context_handle = (gss_ctx_id_t)ctx;
-+ return GSS_S_COMPLETE;
-+}
- #endif /* LEAN_CLIENT */
-
- OM_uint32 KRB5_CALLCONV
generated by cgit v1.2.3 (git 2.45.0) at 2024-11-25 13:19:55 +0000