Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2013-03-08 10:50:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/krb5 (Old) and /work/SRC/openSUSE:Factory/.krb5.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "krb5", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2013-01-24 10:17:04.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2013-03-08 10:50:15.000000000 +0100 @@ -1,0 +2,19 @@ +Wed Mar 6 12:01:32 CET 2013 - [email protected] + +- fix PKINIT null pointer deref in pkinit_check_kdc_pkid() + CVE-2012-1016 (bnc#807556) + bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif + +------------------------------------------------------------------- +Mon Mar 4 11:23:10 CET 2013 - [email protected] + +- fix PKINIT null pointer deref + CVE-2013-1415 (bnc#806715) + bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif + +------------------------------------------------------------------- +Fri Jan 25 15:29:37 CET 2013 - [email protected] + +- package missing file (bnc#794784) + +------------------------------------------------------------------- @@ -5,0 +25,5 @@ + +------------------------------------------------------------------- +Tue Oct 16 19:35:47 UTC 2012 - [email protected] + +- revert the -p usage in %postun to fix SLE build --- /work/SRC/openSUSE:Factory/krb5/krb5.changes 2013-01-29 14:11:44.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2013-03-08 10:50:15.000000000 +0100 @@ -1,0 +2,14 @@ +Wed Mar 6 12:01:32 CET 2013 - [email protected] + +- fix PKINIT null pointer deref in pkinit_check_kdc_pkid() + CVE-2012-1016 (bnc#807556) + bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif + +------------------------------------------------------------------- +Mon Mar 4 11:23:10 CET 2013 - [email protected] + +- fix PKINIT null pointer deref + CVE-2013-1415 (bnc#806715) + bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif + +------------------------------------------------------------------- New: ---- bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ krb5-mini.spec ++++++ --- /var/tmp/diff_new_pack.20oXSN/_old 2013-03-08 10:50:18.000000000 +0100 +++ /var/tmp/diff_new_pack.20oXSN/_new 2013-03-08 10:50:18.000000000 +0100 @@ -66,6 +66,8 @@ Patch20: krb5-1.10-gcc47.patch Patch21: krb5-1.10-selinux-label.patch Patch22: krb5-1.10-spin-loop.patch +Patch23: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif +Patch24: bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -161,6 +163,8 @@ %patch19 -p1 %patch20 %patch22 -p1 +%patch23 -p1 +%patch24 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do @@ -275,16 +279,16 @@ # cleanup rm -f %{buildroot}/usr/share/man/man1/tmac.doc* rm -f /usr/share/man/man1/tmac.doc* -rm -rf /usr/lib/mit/share -rm -rf %{buildroot}/usr/lib/mit/share - +rm -rf %{buildroot}/usr/lib/mit/share/examples +rm -rf %{buildroot}/usr/lib/mit/share/locale ##################################################### # krb5(-mini) pre/post/postun ##################################################### %post -p /sbin/ldconfig -%postun -p /sbin/ldconfig +%postun +/sbin/ldconfig %if ! %{build_mini} @@ -326,7 +330,8 @@ %post plugin-kdb-ldap -p /sbin/ldconfig -%postun plugin-kdb-ldap -p /sbin/ldconfig +%postun plugin-kdb-ldap +/sbin/ldconfig %endif @@ -339,6 +344,7 @@ %dir /usr/lib/mit %dir /usr/lib/mit/bin %dir /usr/lib/mit/sbin +%dir /usr/lib/mit/share %dir %{_datadir}/aclocal %{_libdir}/libgssrpc.so %{_libdir}/libk5crypto.so @@ -354,6 +360,7 @@ %{_includedir}/* /usr/lib/mit/bin/krb5-config /usr/lib/mit/sbin/krb5-send-pr +/usr/lib/mit/share/gnats %{_mandir}/man1/krb5-send-pr.1* %{_mandir}/man1/krb5-config.1* %{_datadir}/aclocal/ac_check_krb5.m4 ++++++ krb5.spec ++++++ --- /var/tmp/diff_new_pack.20oXSN/_old 2013-03-08 10:50:18.000000000 +0100 +++ /var/tmp/diff_new_pack.20oXSN/_new 2013-03-08 10:50:18.000000000 +0100 @@ -66,6 +66,8 @@ Patch20: krb5-1.10-gcc47.patch Patch21: krb5-1.10-selinux-label.patch Patch22: krb5-1.10-spin-loop.patch +Patch23: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif +Patch24: bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -161,6 +163,8 @@ %patch19 -p1 %patch20 %patch22 -p1 +%patch23 -p1 +%patch24 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do ++++++ bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif ++++++ commit c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed Author: Xi Wang <[email protected]> Date: Thu Feb 14 18:17:40 2013 -0500 PKINIT null pointer deref [CVE-2013-1415] Don't dereference a null pointer when cleaning up. The KDC plugin for PKINIT can dereference a null pointer when a malformed packet causes processing to terminate early, leading to a crash of the KDC process. An attacker would need to have a valid PKINIT certificate or have observed a successful PKINIT authentication, or an unauthenticated attacker could execute the attack if anonymous PKINIT is enabled. CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C This is a minimal commit for pullup; style fixes in a followup. [[email protected]: reformat and edit commit message] ticket: 7570 (new) target_version: 1.11.1 tags: pullup Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c =================================================================== --- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -3242,7 +3242,7 @@ pkinit_check_kdc_pkid(krb5_context conte pkiDebug("found kdcPkId in AS REQ\n"); is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len); if (is == NULL) - goto cleanup; + return retval; status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer); if (!status) { @@ -3252,7 +3252,6 @@ pkinit_check_kdc_pkid(krb5_context conte } retval = 0; -cleanup: X509_NAME_free(is->issuer); ASN1_INTEGER_free(is->serial); free(is); ++++++ bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif ++++++ commit cd5ff932c9d1439c961b0cf9ccff979356686aff Author: Nalin Dahyabhai <[email protected]> Date: Thu Dec 13 14:26:07 2012 -0500 PKINIT (draft9) null ptr deref [CVE-2012-1016] Don't check for an agility KDF identifier in the non-draft9 reply structure when we're building a draft9 reply, because it'll be NULL. The KDC plugin for PKINIT can dereference a null pointer when handling a draft9 request, leading to a crash of the KDC process. An attacker would need to have a valid PKINIT certificate, or an unauthenticated attacker could execute the attack if anonymous PKINIT is enabled. CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C [[email protected]: reformat comment and edit log message] ticket: 7506 (new) target_version: 1.11 tags: pullup Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c =================================================================== --- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_srv.c +++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c @@ -1016,9 +1016,10 @@ pkinit_server_return_padata(krb5_context rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) || (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) { - /* If mutually supported KDFs were found, use the alg agility KDF */ - if (rep->u.dh_Info.kdfID) { - secret.data = server_key; + /* If we're not doing draft 9, and mutually supported KDFs were found, + * use the algorithm agility KDF. */ + if (rep != NULL && rep->u.dh_Info.kdfID) { + secret.data = (char *)server_key; secret.length = server_key_len; retval = pkinit_alg_agility_kdf(context, &secret, -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
