1 files changed, 75 insertions, 0 deletions

diff --git a/main/krb5/CVE-2015-8630.patch b/main/krb5/CVE-2015-8630.patch
new file mode 100644
index 0000000000..72fefeb896
--- /dev/null
+++ b/main/krb5/CVE-2015-8630.patch
@@ -0,0 +1,75 @@
+From b863de7fbf080b15e347a736fdda0a82d42f4f6b Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 8 Jan 2016 12:52:28 -0500
+Subject: [PATCH] Check for null kadm5 policy name [CVE-2015-8630]
+
+In kadm5_create_principal_3() and kadm5_modify_principal(), check for
+entry->policy being null when KADM5_POLICY is included in the mask.
+
+CVE-2015-8630:
+
+In MIT krb5 1.12 and later, an authenticated attacker with permission
+to modify a principal entry can cause kadmind to dereference a null
+pointer by supplying a null policy value but including KADM5_POLICY in
+the mask.
+
+    CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+ticket: 8342 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+---
+ src/lib/kadm5/srv/svr_principal.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
+index 5b95fa3..1d4365c 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
++++ b/src/lib/kadm5/srv/svr_principal.c
+@@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle,
+     /*
+      * Argument sanity checking, and opening up the DB
+      */
++    if (entry == NULL)
++        return EINVAL;
+     if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) ||
+        (mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) ||
+        (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
+@@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle,
+         return KADM5_BAD_MASK;
+     if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0)
+         return KADM5_BAD_MASK;
++    if((mask & KADM5_POLICY) && entry->policy == NULL)
++        return KADM5_BAD_MASK;
+     if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
+         return KADM5_BAD_MASK;
+     if((mask & ~ALL_PRINC_MASK))
+         return KADM5_BAD_MASK;
+-    if (entry == NULL)
+-        return EINVAL;
+ 
+     /*
+      * Check to see if the principal exists
+@@ -643,6 +645,8 @@ kadm5_modify_principal(void *server_handle,
+ 
+     krb5_clear_error_message(handle->context);
+ 
++    if(entry == NULL)
++        return EINVAL;
+     if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) ||
+        (mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) ||
+        (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
+@@ -651,10 +655,10 @@ kadm5_modify_principal(void *server_handle,
+         return KADM5_BAD_MASK;
+     if((mask & ~ALL_PRINC_MASK))
+         return KADM5_BAD_MASK;
++    if((mask & KADM5_POLICY) && entry->policy == NULL)
++        return KADM5_BAD_MASK;
+     if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
+         return KADM5_BAD_MASK;
+-    if(entry == (kadm5_principal_ent_t) NULL)
+-        return EINVAL;
+     if (mask & KADM5_TL_DATA) {
+         tl_data_orig = entry->tl_data;
+         while (tl_data_orig) {