aboutsummaryrefslogtreecommitdiffstats
path: root/main/krb5/CVE-2002-2443.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/krb5/CVE-2002-2443.patch')
-rw-r--r--main/krb5/CVE-2002-2443.patch69
1 files changed, 69 insertions, 0 deletions
diff --git a/main/krb5/CVE-2002-2443.patch b/main/krb5/CVE-2002-2443.patch
new file mode 100644
index 0000000000..3ef88155c5
--- /dev/null
+++ b/main/krb5/CVE-2002-2443.patch
@@ -0,0 +1,69 @@
+From cf1a0c411b2668c57c41e9c4efd15ba17b6b322c Mon Sep 17 00:00:00 2001
+From: Tom Yu <tlyu@mit.edu>
+Date: Fri, 3 May 2013 16:26:46 -0400
+Subject: [PATCH] Fix kpasswd UDP ping-pong [CVE-2002-2443]
+
+The kpasswd service provided by kadmind was vulnerable to a UDP
+"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
+they pass some basic validation, and don't respond to our own error
+packets.
+
+Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
+attack or UDP ping-pong attacks in general, but there is discussion
+leading toward narrowing the definition of CVE-1999-0103 to the echo,
+chargen, or other similar built-in inetd services.
+
+Thanks to Vincent Danen for alerting us to this issue.
+
+CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
+
+ticket: 7637 (new)
+target_version: 1.11.3
+tags: pullup
+---
+ src/kadmin/server/schpw.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index 15b0ab5..7f455d8 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -52,7 +52,7 @@
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated", sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ ptr = req->data;
+@@ -67,7 +67,7 @@
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request length was inconsistent",
+ sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* verify version number */
+@@ -80,7 +80,7 @@
+ numresult = KRB5_KPASSWD_BAD_VERSION;
+ snprintf(strresult, sizeof(strresult),
+ "Request contained unknown protocol version number %d", vno);
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* read, check ap-req length */
+@@ -93,7 +93,7 @@
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated in AP-REQ",
+ sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* verify ap_req */
+--
+1.8.1.6
+