path: root/main/samba/0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch
Diffstat (limited to 'main/samba/0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch')
-rw-r--r--main/samba/0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch41
1 files changed, 41 insertions, 0 deletions
diff --git a/main/samba/0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch b/main/samba/0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch
new file mode 100644
index 0000000000..32dab1e0ea
--- /dev/null
+++ b/main/samba/0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch
@@ -0,0 +1,41 @@
+From e1026a1685b5838f2ca67965025b2381751c35cb Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 23 Oct 2018 17:33:46 +1300
+Subject: [PATCH] CVE-2018-16841 heimdal: Fix segfault on PKINIT with
+ mis-matching principal
+
+In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free
+mem_ctx.
+
+This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the
+MIT KDC effort.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
+---
+ source4/kdc/db-glue.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
+index 9ac5a1d38f0..4d7ac333fcc 100644
+--- a/source4/kdc/db-glue.c
++++ b/source4/kdc/db-glue.c
+@@ -2578,10 +2578,10 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
+ * comparison */
+ if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
+ talloc_free(mem_ctx);
+-#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH /* Heimdal */
+- return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+-#elif defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
++#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
+ return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
++#else /* Heimdal (where this is an enum) */
++ return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+ #endif
+ }
+
+--
+2.18.1
+
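Review bot: The new `#else /* Heimdal (where this is an enum) */` branch at the inner hunk now makes the Heimdal enum the unconditional fallback, so a build whose Kerberos library provides neither `KRB5KDC_ERR_CLIENT_NAME_MISMATCH` nor `KRB5_KDC_ERR_CLIENT_NAME_MISMATCH` fails at compile time instead of, as before, silently falling through past the early return after `talloc_free(mem_ctx)` and reaching the second free the commit message describes. That is the intended failure mode, but the file does not say so, and the `#ifdef`/`#elif` shape looks natural enough that a later cleanup could reintroduce it; a comment on the `#else` line, `/* #else, not #elif: an unknown library must be a build error, never a fall-through past the free */`, would pin the reasoning. The enclosing function `samba_kdc_check_pkinit_ms_upn_match` starts and ends outside the hunk, so the later use of `mem_ctx` that the message refers to cannot be confirmed from here. The outer file is an Alpine packaging patch carrying the upstream commit; the note applies to the backported source, not to the packaging change itself.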