Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.427 (Entity 5.427) From: tlyu@mit.edu Subject: git commit X-RT-Original-Encoding: iso-8859-1 Content-Length: 1666 Fix IAKERB context export/import [CVE-2015-2698] The patches for CVE-2015-2696 contained a regression in the newly added IAKERB iakerb_gss_export_sec_context() function, which could cause it to corrupt memory. Fix the regression by properly dereferencing the context_handle pointer before casting it. Also, the patches did not implement an IAKERB gss_import_sec_context() function, under the erroneous belief that an exported IAKERB context would be tagged as a krb5 context. Implement it now to allow IAKERB contexts to be successfully exported and imported after establishment. CVE-2015-2698: In any MIT krb5 release with the patches for CVE-2015-2696 applied, an application which calls gss_export_sec_context() may experience memory corruption if the context was established using the IAKERB mechanism. Historically, some vulnerabilities of this nature can be translated into remote code execution, though the necessary exploits must be tailored to the individual application and are usually quite complicated. CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C (cherry picked from commit 3db8dfec1ef50ddd78d6ba9503185995876a39fd) (cherry picked from commit 54222de30a89bfac0247dfbc1759556dc9fd2983) https://github.com/krb5/krb5/commit/9ffff96c98a93bd9bc3846ac044a34cb1566aae7 Author: Greg Hudson Committer: Tom Yu Commit: 9ffff96c98a93bd9bc3846ac044a34cb1566aae7 Branch: krb5-1.13 src/lib/gssapi/krb5/gssapiP_krb5.h | 5 ++++ src/lib/gssapi/krb5/gssapi_krb5.c | 2 +- src/lib/gssapi/krb5/iakerb.c | 42 ++++++++++++++++++++++++++++++------ 3 files changed, 41 insertions(+), 8 deletions(-)