!91 fix CVE-2023-39975
From: @xuraoqing Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee
This commit is contained in:
openeuler-ci-bot
Gitee
commit
cefde919cd
@ -0,0 +1,46 @@
|
|||||||
|
From 88a1701b423c13991a8064feeb26952d3641d840 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Fri, 4 Aug 2023 09:54:06 +0200
|
||||||
|
Subject: [PATCH] Fix double-free in KDC TGS processing
|
||||||
|
|
||||||
|
When issuing a ticket for a TGS renew or validate request, copy only
|
||||||
|
the server field from the outer part of the header ticket to the new
|
||||||
|
ticket. Copying the whole structure causes the enc_part pointer to be
|
||||||
|
aliased to the header ticket until krb5_encrypt_tkt_part() is called,
|
||||||
|
resulting in a double-free if handle_authdata() fails.
|
||||||
|
|
||||||
|
[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
|
||||||
|
than check for aliasing before freeing; rewrote commit message]
|
||||||
|
|
||||||
|
CVE-2023-39975:
|
||||||
|
|
||||||
|
In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
|
||||||
|
free the same pointer twice if it can induce a failure in
|
||||||
|
authorization data handling.
|
||||||
|
|
||||||
|
ticket: 9101 (new)
|
||||||
|
tags: pullup
|
||||||
|
target_version: 1.21-next
|
||||||
|
---
|
||||||
|
src/kdc/do_tgs_req.c | 5 +++--
|
||||||
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
|
||||||
|
index 6e4c8fa9f..0acc45850 100644
|
||||||
|
--- a/src/kdc/do_tgs_req.c
|
||||||
|
+++ b/src/kdc/do_tgs_req.c
|
||||||
|
@@ -1010,8 +1010,9 @@ tgs_issue_ticket(kdc_realm_t *realm, struct tgs_req_info *t,
|
||||||
|
}
|
||||||
|
|
||||||
|
if (t->req->kdc_options & (KDC_OPT_VALIDATE | KDC_OPT_RENEW)) {
|
||||||
|
- /* Copy the whole header ticket except for authorization data. */
|
||||||
|
- ticket_reply = *t->header_tkt;
|
||||||
|
+ /* Copy the header ticket server and all enc-part fields except for
|
||||||
|
+ * authorization data. */
|
||||||
|
+ ticket_reply.server = t->header_tkt->server;
|
||||||
|
enc_tkt_reply = *t->header_tkt->enc_part2;
|
||||||
|
enc_tkt_reply.authorization_data = NULL;
|
||||||
|
} else {
|
||||||
|
--
|
||||||
|
2.33.0
|
||||||
|
|
||||||
@ -26,6 +26,7 @@ Patch2: Adjust-build-configuration.patch
|
|||||||
Patch3: netlib-and-dns.patch
|
Patch3: netlib-and-dns.patch
|
||||||
Patch4: fix-debuginfo-with-y.tab.c.patch
|
Patch4: fix-debuginfo-with-y.tab.c.patch
|
||||||
Patch5: Remove-3des-support.patch
|
Patch5: Remove-3des-support.patch
|
||||||
|
Patch6: fix-CVE-2023-39975-Fix-double-free-in-KDC-TGS-processing.patch
|
||||||
|
|
||||||
BuildRequires: gettext
|
BuildRequires: gettext
|
||||||
BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
|
BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
|
||||||
@ -324,6 +325,9 @@ make -C src check || :
|
|||||||
%{_mandir}/man8/*
|
%{_mandir}/man8/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 29 2023 wangyunjia <yunjia.wang@huawei.com> - 1.21.1-2
|
||||||
|
- fix CVE-2023-39975
|
||||||
|
|
||||||
* Sat Jul 22 2023 wangyunjia <yunjia.wang@huawei.com> - 1.21.1-1
|
* Sat Jul 22 2023 wangyunjia <yunjia.wang@huawei.com> - 1.21.1-1
|
||||||
- Update to 1.21.1
|
- Update to 1.21.1
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user