Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
No build reason found for OBS_Deps:aarch64
SUSE:SLE-12-SP1:GA
krb5.5523
krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEG...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch of Package krb5.5523
From 524688ce87a15fc75f87efc8c039ba4c7d5c197b Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Tue, 15 Jul 2014 12:56:01 -0400 Subject: [PATCH] Fix null deref in SPNEGO acceptor [CVE-2014-4344] When processing a continuation token, acc_ctx_cont was dereferencing the initial byte of the token without checking the length. This could result in a null dereference. CVE-2014-4344: In MIT krb5 1.5 and newer, an unauthenticated or partially authenticated remote attacker can cause a NULL dereference and application crash during a SPNEGO negotiation by sending an empty token as the second or later context token from initiator to acceptor. The attacker must provide at least one valid context token in the security context negotiation before sending the empty token. This can be done by an unauthenticated attacker by forcing SPNEGO to renegotiate the underlying mechanism, or by using IAKERB to wrap an unauthenticated AS-REQ as the first token. CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C [kaduk@mit.edu: CVE summary, CVSSv2 vector] ticket: 7970 (new) subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344] target_version: 1.12.2 tags: pullup --- src/lib/gssapi/spnego/spnego_mech.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c index 8f829d8..2aa6810 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c @@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat, ptr = bufstart = buf->value; #define REMAIN (buf->length - (ptr - bufstart)) - if (REMAIN > INT_MAX) + if (REMAIN == 0 || REMAIN > INT_MAX) return GSS_S_DEFECTIVE_TOKEN; /* -- 1.9.3
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor