Hello community,

here is the log from the commit of package krb5 for openSUSE:Factory checked in 
at 2016-03-29 09:53:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
 and      /work/SRC/openSUSE:Factory/.krb5.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "krb5"

Changes:
--------
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes        2016-02-25 
21:52:26.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes   2016-03-29 
09:53:26.000000000 +0200
@@ -1,0 +2,7 @@
+Wed Mar 23 13:02:48 UTC 2016 - [email protected]
+
+- Introduce patch
+  0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+  to fix CVE-2016-3119 (bsc#971942)
+
+-------------------------------------------------------------------

New:
----
  0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ krb5.spec ++++++
--- /var/tmp/diff_new_pack.QoJbbI/_old  2016-03-29 09:53:28.000000000 +0200
+++ /var/tmp/diff_new_pack.QoJbbI/_new  2016-03-29 09:53:28.000000000 +0200
@@ -75,6 +75,7 @@
 Patch104:       0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
 Patch105:       0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
 Patch106:       0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
+Patch107:       0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@@ -188,6 +189,7 @@
 %patch104 -p1
 %patch105 -p1
 %patch106 -p1
+%patch107 -p1
 
 %build
 # needs to be re-generated

++++++ 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch ++++++
>From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001
From: Greg Hudson <[email protected]>
Date: Mon, 14 Mar 2016 17:26:34 -0400
Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119]

In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
if there is an empty string in the db_args array.  Check for this case
and avoid dereferencing a null pointer.

CVE-2016-3119:

In MIT krb5 1.6 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying an empty DB argument to the modify_principal
command, if kadmind is configured to use the LDAP KDB module.

    CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND

ticket: 8383 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup

Line numbers are slightly adjusted by Howard Guo <[email protected]> to fit into 
this older version of Kerberos.

diff -rupN krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 
krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
--- krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c        
2016-03-23 14:00:44.669126353 +0100
+++ krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c        
2016-03-23 14:01:45.993680720 +0100
@@ -267,6 +267,7 @@ process_db_args(krb5_context context, ch
     if (db_args) {
         for (i=0; db_args[i]; ++i) {
             arg = strtok_r(db_args[i], "=", &arg_val);
+            arg = (arg != NULL) ? arg : "";
             if (strcmp(arg, TKTPOLICY_ARG) == 0) {
                 dptr = &xargs->tktpolicydn;
             } else {
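
Review bot: the fallback on the added line, `arg = (arg != NULL) ? arg : "";`, makes the `strcmp(arg, TKTPOLICY_ARG)` call safe but leaves `arg_val` unchecked, and nothing in this hunk shows that the `else` branch treats an empty argument as an error. strtok_r() returns NULL both for an empty string and for one made up only of "=" delimiters, so in both cases the code now falls through the comparison chain with `arg` set to "". Please confirm that the code after the `else` rejects the argument, or at least does not dereference `arg_val`, in that case. A short comment on the new line naming the input it guards against would also help, since the ternary alone does not explain itself.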


