aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch')
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch132
1 files changed, 132 insertions, 0 deletions
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch
new file mode 100644
index 0000000000..8725cd4eed
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch
@@ -0,0 +1,132 @@
+Copied from Debian.
+
+From 4b330d5be1f8048be4d079ac3cb38d60c0e99e69 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 4 Nov 2015 21:28:28 -0500
+Subject: Fix IAKERB context export/import [CVE-2015-2698]
+
+The patches for CVE-2015-2696 contained a regression in the newly
+added IAKERB iakerb_gss_export_sec_context() function, which could
+cause it to corrupt memory. Fix the regression by properly
+dereferencing the context_handle pointer before casting it.
+
+Also, the patches did not implement an IAKERB gss_import_sec_context()
+function, under the erroneous belief than an exported IAKERB context
+would be tagged as a krb5 context. Implement it now to allow IAKERB
+contexts to be successfully exported and imported after establishment.
+
+CVE-2015-2698:
+
+In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
+application which calls gss_export_sec_context() may experience memory
+corruption if the context was established using the IAKERB mechanism.
+Historically, some vulnerabilities of this nature can be translated
+into remote code execution, though the necessary exploits must be
+tailored to the individual application and are usually quite
+complicated.
+
+ CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
+
+ticket: 8273 (new)
+target_version: 1.14
+tags: pullup
+
+(cherry picked from commit d8b31c874c7d1039be7649362ef11c89f4e14c27)
+
+Patch-Category: upstream
+---
+ src/lib/gssapi/krb5/gssapiP_krb5.h | 5 +++++
+ src/lib/gssapi/krb5/gssapi_krb5.c | 2 +-
+ src/lib/gssapi/krb5/iakerb.c | 42 +++++++++++++++++++++++++++++++-------
+ 3 files changed, 41 insertions(+), 8 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
+index 05dc321..ac53662 100644
+--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
+@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV
+ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ gss_buffer_t interprocess_token);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_import_sec_context(OM_uint32 *minor_status,
++ const gss_buffer_t interprocess_token,
++ gss_ctx_id_t *context_handle);
+ #endif /* LEAN_CLIENT */
+
+ OM_uint32 KRB5_CALLCONV
+diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
+index 9a23656..d7ba279 100644
+--- a/src/lib/gssapi/krb5/gssapi_krb5.c
++++ b/src/lib/gssapi/krb5/gssapi_krb5.c
+@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = {
+ NULL,
+ #else
+ iakerb_gss_export_sec_context,
+- NULL,
++ iakerb_gss_import_sec_context,
+ #endif
+ krb5_gss_inquire_cred_by_mech,
+ krb5_gss_inquire_names_for_mech,
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+index e25862d..32a341e 100644
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -1057,7 +1057,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ gss_buffer_t interprocess_token)
+ {
+ OM_uint32 maj;
+- iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
+
+ /* We don't currently support exporting partially established contexts. */
+ if (!ctx->established)
+@@ -1072,13 +1072,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ return maj;
+ }
+
+-/*
+- * Until we implement partial context exports, there are no IAKERB exported
+- * context tokens, only tokens for the underlying krb5 context. So we do not
+- * need to implement an iakerb_gss_import_sec_context() yet; it would be
+- * unreachable except via a manually constructed token.
+- */
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_import_sec_context(OM_uint32 *minor_status,
++ gss_buffer_t interprocess_token,
++ gss_ctx_id_t *context_handle)
++{
++ OM_uint32 maj, tmpmin;
++ krb5_error_code code;
++ gss_ctx_id_t gssc;
++ krb5_gss_ctx_id_t kctx;
++ iakerb_ctx_id_t ctx;
++
++ maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc);
++ if (maj != GSS_S_COMPLETE)
++ return maj;
++ kctx = (krb5_gss_ctx_id_t)gssc;
++
++ if (!kctx->established) {
++ /* We don't currently support importing partially established
++ * contexts. */
++ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
++ return GSS_S_FAILURE;
++ }
+
++ code = iakerb_alloc_context(&ctx, kctx->initiate);
++ if (code != 0) {
++ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
++ *minor_status = code;
++ return GSS_S_FAILURE;
++ }
++
++ ctx->gssc = gssc;
++ ctx->established = 1;
++ *context_handle = (gss_ctx_id_t)ctx;
++ return GSS_S_COMPLETE;
++}
+ #endif /* LEAN_CLIENT */
+
+ OM_uint32 KRB5_CALLCONV
generated by cgit v1.2.3 (git 2.45.0) at 2024-11-16 14:42:38 +0000