~hartmans/ubuntu/trusty/krb5/gss-infinite-loop

Viewing changes to debian/patches/CVE-2014-4345.patch

Committer: Sam Hartman
Date: 2014-08-12 11:31:13 UTC
mfrom: (59.1.1 krb5)
Revision ID: hartmans@debian.org-20140812113113-wxcusslnf8u2pjhc

* SECURITY UPDATE: denial of service via invalid tokens
  - debian/patches/CVE-2014-4341-4342.patch: handle invalid tokens in
    src/lib/gssapi/krb5/k5unseal.c, src/lib/gssapi/krb5/k5unsealiov.c.
  - CVE-2014-4341
  - CVE-2014-4342
* SECURITY UPDATE: denial of service via double-free in SPNEGO
  - debian/patches/CVE-2014-4343.patch: fix double-free in
    src/lib/gssapi/spnego/spnego_mech.c.
  - CVE-2014-4343
* SECURITY UPDATE: denial of service via null deref in SPNEGO acceptor
  - debian/patches/CVE-2014-4344.patch: validate REMAIN in
    src/lib/gssapi/spnego/spnego_mech.c.
  - CVE-2014-4344
* SECURITY UPDATE: denial of service and possible code execution in
  kadmind with LDAP backend
  - debian/patches/CVE-2014-4345.patch: fix off-by-one in
    src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
  - CVE-2014-4345

files added:
.pc/CVE-2014-4341-4342.patch

.pc/CVE-2014-4341-4342.patch/src

.pc/CVE-2014-4341-4342.patch/src/lib

.pc/CVE-2014-4341-4342.patch/src/lib/gssapi

.pc/CVE-2014-4341-4342.patch/src/lib/gssapi/krb5

.pc/CVE-2014-4341-4342.patch/src/lib/gssapi/krb5/k5unseal.c

.pc/CVE-2014-4341-4342.patch/src/lib/gssapi/krb5/k5unsealiov.c

.pc/CVE-2014-4343.patch

.pc/CVE-2014-4343.patch/src

.pc/CVE-2014-4343.patch/src/lib

.pc/CVE-2014-4343.patch/src/lib/gssapi

.pc/CVE-2014-4343.patch/src/lib/gssapi/spnego

.pc/CVE-2014-4343.patch/src/lib/gssapi/spnego/spnego_mech.c

.pc/CVE-2014-4344.patch

.pc/CVE-2014-4344.patch/src

.pc/CVE-2014-4344.patch/src/lib

.pc/CVE-2014-4344.patch/src/lib/gssapi

.pc/CVE-2014-4344.patch/src/lib/gssapi/spnego

.pc/CVE-2014-4344.patch/src/lib/gssapi/spnego/spnego_mech.c

.pc/CVE-2014-4345.patch

.pc/CVE-2014-4345.patch/src

.pc/CVE-2014-4345.patch/src/plugins

.pc/CVE-2014-4345.patch/src/plugins/kdb

.pc/CVE-2014-4345.patch/src/plugins/kdb/ldap

.pc/CVE-2014-4345.patch/src/plugins/kdb/ldap/libkdb_ldap

.pc/CVE-2014-4345.patch/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c

debian/patches/CVE-2014-4341-4342.patch

debian/patches/CVE-2014-4343.patch

debian/patches/CVE-2014-4344.patch

debian/patches/CVE-2014-4345.patch

files removed:
.pc/Use-TAILQ-macros-instead-of-CIRCLEQ-in-libdb2.patch/.timestamp

.pc/avoid_mechglue_recursive_calls_new_symbols/.timestamp

files modified:
.pc/applied-patches

debian/changelog

debian/patches/series

src/lib/gssapi/krb5/k5unseal.c

src/lib/gssapi/krb5/k5unsealiov.c

src/lib/gssapi/spnego/spnego_mech.c

src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c

Show diffs side-by-side

added added

removed removed

debian/patches/CVE-2014-4345.patch

From 81c332e29f10887c6b9deb065f81ba259f4c7e03 Mon Sep 17 00:00:00 2001

From: Tomas Kuthan <tkuthan@gmail.com>

Date: Fri, 1 Aug 2014 15:25:50 +0200

Subject: [PATCH] Fix LDAP key data segmentation [CVE-2014-4345]

For principal entries having keys with multiple kvnos (due to use of

-keepold), the LDAP KDB module makes an attempt to store all the keys

having the same kvno into a single krbPrincipalKey attribute value.

There is a fencepost error in the loop, causing currkvno to be set to

the just-processed value instead of the next kvno. As a result, the

second and all following groups of multiple keys by kvno are each

stored in two krbPrincipalKey attribute values. Fix the loop to use

the correct kvno value.

CVE-2014-4345:

In MIT krb5, when kadmind is configured to use LDAP for the KDC

database, an authenticated remote attacker can cause it to perform an

out-of-bounds write (buffer overrun) by performing multiple cpw

-keepold operations. An off-by-one error while copying key

information to the new database entry results in keys sharing a common

kvno being written to different array buckets, in an array whose size

is determined by the number of kvnos present. After sufficient

iterations, the extra writes extend past the end of the

(NULL-terminated) array. The NULL terminator is always written after

the end of the loop, so no out-of-bounds data is read, it is only

written.

Historically, it has been possible to convert an out-of-bounds write

into remote code execution in some cases, though the necessary

exploits must be tailored to the individual application and are

usually quite complicated. Depending on the allocated length of the

array, an out-of-bounds write may also cause a segmentation fault

and/or application crash.

CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

[ghudson@mit.edu: clarified commit message]

[kaduk@mit.edu: CVE summary, CVSSv2 vector]

ticket: 7980 (new)

target_version: 1.12.2

tags: pullup

---

src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 ++-

1 file changed, 2 insertions(+), 1 deletion(-)

Index: krb5-1.12+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c

===================================================================

--- krb5-1.12+dfsg.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2014-08-08 14:58:43.701796377 -0400

+++ krb5-1.12+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2014-08-08 14:58:43.693796376 -0400

@@ -443,7 +443,8 @@

j++;

last = i + 1;

- currkvno = key_data[i].key_data_kvno;

+ if (i < n_key_data - 1)

+ currkvno = key_data[i + 1].key_data_kvno;

}

ret[num_versions] = NULL;

Older »