samba/CVE-2018-16841-1.patch

From b38900c353ca92365f144734c99d156cc39611d4 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 23 Oct 2018 17:33:46 +1300
Subject: [PATCH 3/5] CVE-2018-16841 heimdal: Fix segfault on PKINIT with
 mis-matching principal

In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free
mem_ctx.

This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the
MIT KDC effort.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
---
 source4/kdc/db-glue.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 8ccc34cd665..519060a5641 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -2606,10 +2606,10 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
 	 * comparison */
 	if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
 		talloc_free(mem_ctx);
-#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH /* Heimdal */
-		return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
-#elif defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
+#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
 		return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
+#else /* Heimdal (where this is an enum) */
+		return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
 #endif
 	}
 
-- 
2.11.0
Package init 2019-09-30 11:16:38 -04:00			`From b38900c353ca92365f144734c99d156cc39611d4 Mon Sep 17 00:00:00 2001`
			`From: Andrew Bartlett <abartlet@samba.org>`
			`Date: Tue, 23 Oct 2018 17:33:46 +1300`
			`Subject: [PATCH 3/5] CVE-2018-16841 heimdal: Fix segfault on PKINIT with`
			`mis-matching principal`

			`In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free`
			`mem_ctx.`

			`This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the`
			`MIT KDC effort.`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628`

			`Signed-off-by: Andrew Bartlett <abartlet@samba.org>`
			`Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>`
			`---`
			`source4/kdc/db-glue.c \| 6 +++---`
			`1 file changed, 3 insertions(+), 3 deletions(-)`

			`diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c`
			`index 8ccc34cd665..519060a5641 100644`
			`--- a/source4/kdc/db-glue.c`
			`+++ b/source4/kdc/db-glue.c`
			`@@ -2606,10 +2606,10 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,`
			`* comparison */`
			`if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {`
			`talloc_free(mem_ctx);`
			`-#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH /* Heimdal */`
			`- return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;`
			`-#elif defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */`
			`+#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */`
			`return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;`
			`+#else /* Heimdal (where this is an enum) */`
			`+ return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;`
			`#endif`
			`}`

			`--`
			`2.11.0`