Security fix (CVE-2016-3119). Fixes #5453

1 files changed, 38 insertions, 0 deletions

diff --git a/main/krb5/CVE-2016-3119.patch b/main/krb5/CVE-2016-3119.patch
new file mode 100644
index 0000000000..4e94534e98
--- /dev/null
+++ b/main/krb5/CVE-2016-3119.patch
@@ -0,0 +1,38 @@
+From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 14 Mar 2016 17:26:34 -0400
+Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119]
+
+In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
+if there is an empty string in the db_args array.  Check for this case
+and avoid dereferencing a null pointer.
+
+CVE-2016-3119:
+
+In MIT krb5 1.6 and later, an authenticated attacker with permission
+to modify a principal entry can cause kadmind to dereference a null
+pointer by supplying an empty DB argument to the modify_principal
+command, if kadmind is configured to use the LDAP KDB module.
+
+    CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
+
+ticket: 8383 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+---
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index 6e591e1..79c4cf0 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -296,6 +296,7 @@ process_db_args(krb5_context context, char **db_args, xargs_t *xargs,
+     if (db_args) {
+         for (i=0; db_args[i]; ++i) {
+             arg = strtok_r(db_args[i], "=", &arg_val);
++            arg = (arg != NULL) ? arg : "";
+             if (strcmp(arg, TKTPOLICY_ARG) == 0) {
+                 dptr = &xargs->tktpolicydn;
+             } else {