summary refs log tree commit diff
path: root/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch')
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch132
1 files changed, 0 insertions, 132 deletions
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch
deleted file mode 100644
index 8725cd4eed..0000000000
--- a/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-Copied from Debian.
-
-From 4b330d5be1f8048be4d079ac3cb38d60c0e99e69 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Wed, 4 Nov 2015 21:28:28 -0500
-Subject: Fix IAKERB context export/import [CVE-2015-2698]
-
-The patches for CVE-2015-2696 contained a regression in the newly
-added IAKERB iakerb_gss_export_sec_context() function, which could
-cause it to corrupt memory.  Fix the regression by properly
-dereferencing the context_handle pointer before casting it.
-
-Also, the patches did not implement an IAKERB gss_import_sec_context()
-function, under the erroneous belief than an exported IAKERB context
-would be tagged as a krb5 context.  Implement it now to allow IAKERB
-contexts to be successfully exported and imported after establishment.
-
-CVE-2015-2698:
-
-In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
-application which calls gss_export_sec_context() may experience memory
-corruption if the context was established using the IAKERB mechanism.
-Historically, some vulnerabilities of this nature can be translated
-into remote code execution, though the necessary exploits must be
-tailored to the individual application and are usually quite
-complicated.
-
-    CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
-
-ticket: 8273 (new)
-target_version: 1.14
-tags: pullup
-
-(cherry picked from commit d8b31c874c7d1039be7649362ef11c89f4e14c27)
-
-Patch-Category: upstream
----
- src/lib/gssapi/krb5/gssapiP_krb5.h |  5 +++++
- src/lib/gssapi/krb5/gssapi_krb5.c  |  2 +-
- src/lib/gssapi/krb5/iakerb.c       | 42 +++++++++++++++++++++++++++++++-------
- 3 files changed, 41 insertions(+), 8 deletions(-)
-
-diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
-index 05dc321..ac53662 100644
---- a/src/lib/gssapi/krb5/gssapiP_krb5.h
-+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
-@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV
- iakerb_gss_export_sec_context(OM_uint32 *minor_status,
-                               gss_ctx_id_t *context_handle,
-                               gss_buffer_t interprocess_token);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
-+                              const gss_buffer_t interprocess_token,
-+                              gss_ctx_id_t *context_handle);
- #endif /* LEAN_CLIENT */
- 
- OM_uint32 KRB5_CALLCONV
-diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
-index 9a23656..d7ba279 100644
---- a/src/lib/gssapi/krb5/gssapi_krb5.c
-+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
-@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = {
-     NULL,
- #else
-     iakerb_gss_export_sec_context,
--    NULL,
-+    iakerb_gss_import_sec_context,
- #endif
-     krb5_gss_inquire_cred_by_mech,
-     krb5_gss_inquire_names_for_mech,
-diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
-index e25862d..32a341e 100644
---- a/src/lib/gssapi/krb5/iakerb.c
-+++ b/src/lib/gssapi/krb5/iakerb.c
-@@ -1057,7 +1057,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
-                               gss_buffer_t interprocess_token)
- {
-     OM_uint32 maj;
--    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
- 
-     /* We don't currently support exporting partially established contexts. */
-     if (!ctx->established)
-@@ -1072,13 +1072,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
-     return maj;
- }
- 
--/*
-- * Until we implement partial context exports, there are no IAKERB exported
-- * context tokens, only tokens for the underlying krb5 context.  So we do not
-- * need to implement an iakerb_gss_import_sec_context() yet; it would be
-- * unreachable except via a manually constructed token.
-- */
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
-+                              gss_buffer_t interprocess_token,
-+                              gss_ctx_id_t *context_handle)
-+{
-+    OM_uint32 maj, tmpmin;
-+    krb5_error_code code;
-+    gss_ctx_id_t gssc;
-+    krb5_gss_ctx_id_t kctx;
-+    iakerb_ctx_id_t ctx;
-+
-+    maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc);
-+    if (maj != GSS_S_COMPLETE)
-+        return maj;
-+    kctx = (krb5_gss_ctx_id_t)gssc;
-+
-+    if (!kctx->established) {
-+        /* We don't currently support importing partially established
-+         * contexts. */
-+        krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
-+        return GSS_S_FAILURE;
-+    }
- 
-+    code = iakerb_alloc_context(&ctx, kctx->initiate);
-+    if (code != 0) {
-+        krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
-+        *minor_status = code;
-+        return GSS_S_FAILURE;
-+    }
-+
-+    ctx->gssc = gssc;
-+    ctx->established = 1;
-+    *context_handle = (gss_ctx_id_t)ctx;
-+    return GSS_S_COMPLETE;
-+}
- #endif /* LEAN_CLIENT */
- 
- OM_uint32 KRB5_CALLCONV