Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/app-crypt/mit-krb5/files/CVE-2015-2697.patch
diff options
context:
space:
mode:
Diffstat (limited to 'app-crypt/mit-krb5/files/CVE-2015-2697.patch')
-rw-r--r--app-crypt/mit-krb5/files/CVE-2015-2697.patch50
1 files changed, 0 insertions, 50 deletions
diff --git a/app-crypt/mit-krb5/files/CVE-2015-2697.patch b/app-crypt/mit-krb5/files/CVE-2015-2697.patch
deleted file mode 100644
index af2f42a3ab46..000000000000
--- a/app-crypt/mit-krb5/files/CVE-2015-2697.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From f0c094a1b745d91ef2f9a4eae2149aac026a5789 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Fri, 25 Sep 2015 12:51:47 -0400
-Subject: [PATCH] Fix build_principal memory bug [CVE-2015-2697]
-
-In build_principal_va(), use k5memdup0() instead of strdup() to make a
-copy of the realm, to ensure that we allocate the correct number of
-bytes and do not read past the end of the input string. This bug
-affects krb5_build_principal(), krb5_build_principal_va(), and
-krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
-affected.
-
-CVE-2015-2697:
-
-In MIT krb5 1.7 and later, an authenticated attacker may be able to
-cause a KDC to crash using a TGS request with a large realm field
-beginning with a null byte. If the KDC attempts to find a referral to
-answer the request, it constructs a principal name for lookup using
-krb5_build_principal() with the requested realm. Due to a bug in this
-function, the null byte causes only one byte be allocated for the
-realm field of the constructed principal, far less than its length.
-Subsequent operations on the lookup principal may cause a read beyond
-the end of the mapped memory region, causing the KDC process to crash.
-
-CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
-
-ticket: 8252 (new)
-target_version: 1.14
-tags: pullup
----
- src/lib/krb5/krb/bld_princ.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
-index ab6fed8..8604268 100644
---- a/src/lib/krb5/krb/bld_princ.c
-+++ b/src/lib/krb5/krb/bld_princ.c
-@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
- data = malloc(size * sizeof(krb5_data));
- if (!data) { retval = ENOMEM; }
-
-- if (!retval) {
-- r = strdup(realm);
-- if (!r) { retval = ENOMEM; }
-- }
-+ if (!retval)
-+ r = k5memdup0(realm, rlen, &retval);
-
- while (!retval && (component = va_arg(ap, char *))) {
- if (count == size) {