From: tlyu@mit.edu
Subject: git commit

Fix gss_process_context_token() [CVE-2014-5352] [MITKRB5-SA-2015-001]

The krb5 gss_process_context_token() should not actually delete the context; that leaves the caller with a dangling pointer and no way to know that it is invalid. Instead, mark the context as terminated, and check for terminated contexts in the GSS functions which expect established contexts. Also add checks in export_sec_context and pseudo_random, and adjust t_prf.c for the pseudo_random check.

(backported from commit 82dc33da50338ac84c7b4102dc6513d897d0506a)

https://github.com/krb5/krb5/commit/e76dbd8d163e235d821011ed9ea3baa5376da854
Author: Tom Yu
Commit: e76dbd8d163e235d821011ed9ea3baa5376da854
Branch: krb5-1.12

 src/lib/gssapi/krb5/context_time.c          |  2 +-
 src/lib/gssapi/krb5/export_sec_context.c    |  5 +++++
 src/lib/gssapi/krb5/gssapiP_krb5.h          |  1 +
 src/lib/gssapi/krb5/gssapi_krb5.c           |  2 +-
 src/lib/gssapi/krb5/inq_context.c           |  2 +-
 src/lib/gssapi/krb5/k5seal.c                |  2 +-
 src/lib/gssapi/krb5/k5sealiov.c             |  2 +-
 src/lib/gssapi/krb5/k5unseal.c              |  2 +-
 src/lib/gssapi/krb5/k5unsealiov.c           |  2 +-
 src/lib/gssapi/krb5/lucid_context.c         |  5 +++++
 src/lib/gssapi/krb5/prf.c                   |  4 ++++
 src/lib/gssapi/krb5/process_context_token.c | 17 ++++++++++++-----
 src/lib/gssapi/krb5/wrap_size_limit.c       |  2 +-
 13 files changed, 35 insertions(+), 13 deletions(-)
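The fix strategy the commit message describes, modelled in a small added C example that is not krb5 code: a context handle is never freed on the library's behalf when a delete token arrives; it is flagged as terminated, and every call that needs an established context rejects it until the caller releases the handle. All names (ctx_t, ctx_process_token, ctx_wrap, ctx_delete) and the one-byte token format are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

enum { OK = 0, ERR_NO_CONTEXT = 1, ERR_BAD_TOKEN = 2, ERR_TOO_SMALL = 3 };

/* Hypothetical context handle; a real GSS context holds far more. */
typedef struct {
    int established;        /* negotiation completed */
    int terminated;         /* peer sent a delete token; memory still caller-owned */
    unsigned char key[16];  /* constructed stand-in for session key material */
} ctx_t;

ctx_t *ctx_new_established(void) {
    ctx_t *c = calloc(1, sizeof *c);
    if (c != NULL) { c->established = 1; memset(c->key, 0x42, sizeof c->key); }
    return c;
}

/* Shared check used by every function that expects an established context. */
static int require_live(const ctx_t *ctx) {
    if (ctx == NULL || !ctx->established || ctx->terminated)
        return ERR_NO_CONTEXT;
    return OK;
}

/* Constructed token format: a single byte 0x01 means "delete context". */
static int is_delete_token(const unsigned char *tok, size_t len) {
    return len == 1 && tok[0] == 0x01;
}

/* The pre-fix behaviour would free(ctx) here, leaving the caller's pointer
 * dangling. Instead, wipe the key and mark the context terminated. */
int ctx_process_token(ctx_t *ctx, const unsigned char *tok, size_t len) {
    int rc = require_live(ctx);
    if (rc != OK) return rc;
    if (!is_delete_token(tok, len)) return ERR_BAD_TOKEN;
    memset(ctx->key, 0, sizeof ctx->key);
    ctx->terminated = 1;
    return OK;
}

/* Stand-in for a per-message call (wrap/unwrap): refuses terminated contexts. */
int ctx_wrap(const ctx_t *ctx, const char *msg, char *out, size_t outlen) {
    int rc = require_live(ctx);
    if (rc != OK) return rc;
    if (strlen(msg) + 1 > outlen) return ERR_TOO_SMALL;
    strcpy(out, msg);
    return OK;
}

/* Releasing the handle stays the caller's job, and happens exactly once. */
void ctx_delete(ctx_t **pctx) { free(*pctx); *pctx = NULL; }
```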