Accepting request 95686 from network

- fix KDC null pointer dereference in TGS handling
  (MITKRB5-SA-2011-007, bnc#730393)
  CVE-2011-1530

- fix KDC HA feature introduced with implementing KDC poll
  (RT#6951)

- fix minor error messages for the IAKERB GSSAPI mechanism
  (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)

- fix KDC null pointer dereference in TGS handling
  (MITKRB5-SA-2011-007, bnc#730393)
  CVE-2011-1530

- fix KDC HA feature introduced with implementing KDC poll
  (RT#6951, bnc#731648)

- fix minor error messages for the IAKERB GSSAPI mechanism
  (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)

OBS-URL: https://build.opensuse.org/request/show/95686
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=75
Stephan Kulow 2011-12-12 15:57:09 +00:00 committed by Git OBS Bridge
commit ad7256d1c7
8 changed files with 150 additions and 0 deletions


@ -0,0 +1,42 @@
diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index f46cad3..102fbaa 100644
--- a/src/kdc/Makefile.in
+++ b/src/kdc/Makefile.in
@@ -67,6 +67,7 @@ check-unix:: rtest
check-pytests::
$(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
install::
$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c169c54..840a2ef 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -243,7 +243,8 @@ tgt_again:
if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
errcode = find_alternate_tgs(request, &server);
firstpass = 0;
- goto tgt_again;
+ if (errcode == 0)
+ goto tgt_again;
}
}
status = "UNKNOWN_SERVER";
diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
new file mode 100644
index 0000000..1760bcd
--- /dev/null
+++ b/src/kdc/t_emptytgt.py
@@ -0,0 +1,8 @@
+#!/usr/bin/python
+from k5test import *
+
+realm = K5Realm(start_kadmind=False, create_host=False)
+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
+if 'not found in Kerberos database' not in output:
+ fail('TGT lookup for empty realm failed in unexpected way')
+success('Empty tgt lookup.')
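Review bot: The do_tgs_req.c hunk gives no in-code reason for the new conditional: when find_alternate_tgs() returns non-zero, control now falls out of the braces into `status = "UNKNOWN_SERVER";`, and nothing at the `if (errcode == 0)` says that this fallback is intended rather than a forgotten branch. A comment above the new line would settle it, e.g. `/* Retry only when an alternate TGS was found; otherwise fall through to UNKNOWN_SERVER below. */`. The status string then describes the fallback rather than why find_alternate_tgs() failed, so consider logging errcode before the lines following the hunk presumably overwrite it. The enclosing function starts before the hunk and continues after it, and the accompanying t_emptytgt.py only pins the 'not found in Kerberos database' message for an empty realm, not other failure modes of find_alternate_tgs().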


@ -0,0 +1,14 @@
Index: krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c
===================================================================
--- krb5-1.9.1.orig/src/lib/gssapi/krb5/disp_status.c
+++ krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c
@@ -167,7 +167,8 @@ krb5_gss_display_status(minor_status, st
if ((mech_type != GSS_C_NULL_OID) &&
!g_OID_equal(gss_mech_krb5, mech_type) &&
- !g_OID_equal(gss_mech_krb5_old, mech_type)) {
+ !g_OID_equal(gss_mech_krb5_old, mech_type) &&
+ !g_OID_equal(gss_mech_iakerb, mech_type)) {
*minor_status = 0;
return(GSS_S_BAD_MECH);
}


@ -0,0 +1,22 @@
RT#6951
Index: krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c
===================================================================
--- krb5-1.9.1.orig/src/lib/krb5/os/sendto_kdc.c
+++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c
@@ -895,12 +895,12 @@ maybe_send(krb5_context context, struct
static void
kill_conn(struct conn_state *conn, struct select_state *selstate, int err)
{
+ dprint("abandoning connection %d: %m\n", conn->fd, err);
+ cm_remove_fd(selstate, conn->fd);
+ closesocket(conn->fd);
+ conn->fd = INVALID_SOCKET;
conn->state = FAILED;
conn->err = err;
- shutdown(conn->fd, SHUTDOWN_BOTH);
- cm_remove_fd(selstate, conn->fd);
- dprint("abandoning connection %d: %m\n", conn->fd, err);
- /* Fix up max fd for next select call. */
}
/* Check socket for error. */
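Review bot: kill_conn() now calls closesocket() on conn->fd and resets it to INVALID_SOCKET, but nothing rejects a conn whose fd is already INVALID_SOCKET; if the function can be reached twice for the same connection (the reset suggests the conn_state outlives its socket), the second call would close an invalid descriptor and hand it to cm_remove_fd(). If double invocation is possible, add a guard at the top, `if (conn->fd == INVALID_SOCKET) return;`, so a stale fd number is never closed after the kernel may have reused it for another open. The dropped `/* Fix up max fd for next select call. */` comment referred to work that is not visible in this hunk; confirm that cm_remove_fd() covers it and record that, e.g. `/* cm_remove_fd() is expected to fix up the max fd for the next select call -- confirm. */`. The trailing context line belongs to the next function.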


@ -0,0 +1,18 @@
If we exit the transmit loop cleanly, don't overestimate the size of the
connections array. This bug appears to have been removed upstream when
this function was rewritten in trunk, and the select()-based implementation
is still what's in 1.9, so this patch has nowhere to go.
--- krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:20.560811664 -0400
+++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:11.396812292 -0400
@@ -1317,7 +1319,10 @@ krb5int_sendto (krb5_context context, co
call with the last one from the above loop, if the loop
actually calls select. */
sel_state->end_time.tv_sec += delay_this_pass;
- e = service_fds(context, sel_state, conns, host+1, &winning_conn,
+ i = host+1;
+ if (i > n_conns)
+ i = n_conns;
+ e = service_fds(context, sel_state, conns, i, &winning_conn,
sel_state+1, msg_handler, msg_handler_data);
if (e)
break;
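Review bot: The reason for clamping `host+1` to n_conns is stated only in the patch preamble ("don't overestimate the size of the connections array"), not in the code, so a reader of sendto_kdc.c sees a bare min() with no motivation. Put it on the new lines, e.g. `/* host may be past the last connection after a clean loop exit; never tell service_fds() about more than n_conns entries. */` above `i = host+1;`. The clamp also reuses `i` as scratch, which is presumably the index of the loop the context comment refers to; a dedicated local (e.g. `n_active`) would avoid a reader assuming `i` still holds its loop value afterwards. krb5int_sendto() begins and ends outside the hunk.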


@ -1,3 +1,22 @@
-------------------------------------------------------------------
Mon Nov 21 11:24:12 CET 2011 - mc@suse.de
- fix KDC null pointer dereference in TGS handling
(MITKRB5-SA-2011-007, bnc#730393)
CVE-2011-1530
-------------------------------------------------------------------
Mon Nov 21 11:11:54 CET 2011 - mc@suse.de
- fix KDC HA feature introduced with implementing KDC poll
(RT#6951)
-------------------------------------------------------------------
Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de
- fix minor error messages for the IAKERB GSSAPI mechanism
(see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de


@ -72,6 +72,10 @@ Patch24: krb5-trunk-chpw-err.patch
Patch25: krb5-trunk-gss_delete_sec.patch Patch25: krb5-trunk-gss_delete_sec.patch
Patch26: krb5-trunk-kadmin-oldproto.patch Patch26: krb5-trunk-kadmin-oldproto.patch
Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif
Patch31: krb5-1.9-gss_display_status-iakerb.patch
Patch32: krb5-1.9.1-sendto_poll2.patch
Patch33: krb5-1.9.1-sendto_poll3.patch
Patch34: krb5-1.9-MITKRB5-SA-2011-007.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq PreReq: %insserv_prereq %fillup_prereq
@ -234,6 +238,10 @@ Authors:
%patch25 -p1 %patch25 -p1
%patch26 %patch26
%patch30 -p1 %patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
# Rename the man pages so that they'll get generated correctly. # Rename the man pages so that they'll get generated correctly.
pushd src pushd src
cat %{SOURCE10} | while read manpage ; do cat %{SOURCE10} | while read manpage ; do


@ -1,3 +1,22 @@
-------------------------------------------------------------------
Mon Nov 21 11:24:12 CET 2011 - mc@suse.de
- fix KDC null pointer dereference in TGS handling
(MITKRB5-SA-2011-007, bnc#730393)
CVE-2011-1530
-------------------------------------------------------------------
Mon Nov 21 11:11:54 CET 2011 - mc@suse.de
- fix KDC HA feature introduced with implementing KDC poll
(RT#6951, bnc#731648)
-------------------------------------------------------------------
Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de
- fix minor error messages for the IAKERB GSSAPI mechanism
(see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de


@ -72,6 +72,10 @@ Patch24: krb5-trunk-chpw-err.patch
Patch25: krb5-trunk-gss_delete_sec.patch Patch25: krb5-trunk-gss_delete_sec.patch
Patch26: krb5-trunk-kadmin-oldproto.patch Patch26: krb5-trunk-kadmin-oldproto.patch
Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif
Patch31: krb5-1.9-gss_display_status-iakerb.patch
Patch32: krb5-1.9.1-sendto_poll2.patch
Patch33: krb5-1.9.1-sendto_poll3.patch
Patch34: krb5-1.9-MITKRB5-SA-2011-007.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq PreReq: %insserv_prereq %fillup_prereq
@ -234,6 +238,10 @@ Authors:
%patch25 -p1 %patch25 -p1
%patch26 %patch26
%patch30 -p1 %patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
# Rename the man pages so that they'll get generated correctly. # Rename the man pages so that they'll get generated correctly.
pushd src pushd src
cat %{SOURCE10} | while read manpage ; do cat %{SOURCE10} | while read manpage ; do