diff --git a/krb5-1.6.2-post.dif b/krb5-1.6.2-post.dif index b764654..3e4cd9b 100644 --- a/krb5-1.6.2-post.dif +++ b/krb5-1.6.2-post.dif @@ -1,7 +1,184 @@ +Index: src/clients/kvno/kvno.M +=================================================================== +--- src/clients/kvno/kvno.M (.../tags/krb5-1-6-2-final) (Revision 19931) ++++ src/clients/kvno/kvno.M (.../branches/krb5-1-6) (Revision 19931) +@@ -55,6 +55,15 @@ + specifies that Kerberos version 4 tickets should be acquired and + described. This option is only available if Kerberos 4 support was + enabled at compilation time. ++.TP ++.B \-S sname ++specifies that krb5_sname_to_principal() will be used to build ++principal names. If this flag is specified, the ++.B service1 service2 ... ++arguments are interpreted as hostnames (rather than principal names), ++and ++.B sname ++is interpreted as the service name. + .SH ENVIRONMENT + .B Kvno + uses the following environment variable: +Index: src/clients/kvno/kvno.c +=================================================================== +--- src/clients/kvno/kvno.c (.../tags/krb5-1-6-2-final) (Revision 19931) ++++ src/clients/kvno/kvno.c (.../branches/krb5-1-6) (Revision 19931) +@@ -41,10 +41,10 @@ + { + #ifdef KRB5_KRB4_COMPAT + fprintf(stderr, +- "usage: %s [-4 | [-c ccache] [-e etype] [-k keytab]] service1 service2 ...\n", ++ "usage: %s [-4 | [-c ccache] [-e etype] [-k keytab] [-S sname]] service1 service2 ...\n", + prog); + #else +- fprintf(stderr, "usage: %s [-c ccache] [-e etype] [-k keytab] service1 service2 ...\n", ++ fprintf(stderr, "usage: %s [-c ccache] [-e etype] [-k keytab] [-S sname] service1 service2 ...\n", + prog); + #endif + exit(1); +@@ -54,7 +54,8 @@ + + static void do_v4_kvno (int argc, char *argv[]); + static void do_v5_kvno (int argc, char *argv[], +- char *ccachestr, char *etypestr, char *keytab_name); ++ char *ccachestr, char *etypestr, char *keytab_name, ++ char *sname); + + #include + static void extended_com_err_fn (const char *, errcode_t, const char *, +@@ -64,6 +65,7 @@ + { + int option; + char *etypestr = NULL, *ccachestr = NULL, *keytab_name = NULL; ++ char *sname = NULL; + int v4 = 0; + + set_com_err_hook (extended_com_err_fn); +@@ -71,7 +73,7 @@ + prog = strrchr(argv[0], '/'); + prog = prog ? (prog + 1) : argv[0]; + +- while ((option = getopt(argc, argv, "c:e:hk:q4")) != -1) { ++ while ((option = getopt(argc, argv, "c:e:hk:q4S:")) != -1) { + switch (option) { + case 'c': + ccachestr = optarg; +@@ -91,6 +93,9 @@ + case '4': + v4 = 1; + break; ++ case 'S': ++ sname = optarg; ++ break; + default: + xusage(); + break; +@@ -103,10 +108,14 @@ + if ((ccachestr != NULL || etypestr != NULL || keytab_name != NULL) && v4) + xusage(); + ++ if (sname != NULL && v4) ++ xusage(); ++ + if (v4) + do_v4_kvno(argc - optind, argv + optind); + else +- do_v5_kvno(argc - optind, argv + optind, ccachestr, etypestr, keytab_name); ++ do_v5_kvno(argc - optind, argv + optind, ++ ccachestr, etypestr, keytab_name, sname); + return 0; + } + +@@ -172,7 +181,8 @@ + } + + static void do_v5_kvno (int count, char *names[], +- char * ccachestr, char *etypestr, char *keytab_name) ++ char * ccachestr, char *etypestr, char *keytab_name, ++ char *sname) + { + krb5_error_code ret; + int i, errors; +@@ -230,7 +240,13 @@ + + in_creds.client = me; + +- ret = krb5_parse_name(context, names[i], &in_creds.server); ++ if (sname != NULL) { ++ ret = krb5_sname_to_principal(context, names[i], ++ sname, KRB5_NT_SRV_HST, ++ &in_creds.server); ++ } else { ++ ret = krb5_parse_name(context, names[i], &in_creds.server); ++ } + if (ret) { + if (!quiet) + com_err(prog, ret, "while parsing principal name %s", names[i]); +Index: src/lib/crypto/prng.c +=================================================================== +--- src/lib/crypto/prng.c (.../tags/krb5-1-6-2-final) (Revision 19931) ++++ src/lib/crypto/prng.c (.../branches/krb5-1-6) (Revision 19931) +@@ -162,7 +162,7 @@ + krb5_data data; + struct stat sb; + int fd; +- unsigned char buf[YARROW_SLOW_THRESH/8]; ++ unsigned char buf[YARROW_SLOW_THRESH/8], *bp; + int left; + fd = open (device, O_RDONLY); + if (fd == -1) +@@ -173,14 +173,16 @@ + close(fd); + return 0; + } +- for (left = sizeof (buf); left > 0;) { ++ ++ for (bp = &buf, left = sizeof (buf); left > 0;) { + ssize_t count; +- count = read (fd, &buf, (unsigned) left); ++ count = read (fd, bp, (unsigned) left); + if (count <= 0) { + close(fd); + return 0; + } + left -= count; ++ bp += count; + } + close (fd); + data.length = sizeof (buf); +@@ -199,7 +201,7 @@ + int unused; + int *oursuccess = success?success:&unused; + *oursuccess = 0; +- /* If we are getting strong data then try that first. We aare ++ /* If we are getting strong data then try that first. We are + guaranteed to cause a reseed of some kind if strong is true and + we have both /dev/random and /dev/urandom. We want the strong + data included in the reseed so we get it first.*/ +Index: src/lib/gssapi/spnego/spnego_mech.c +=================================================================== +--- src/lib/gssapi/spnego/spnego_mech.c (.../tags/krb5-1-6-2-final) (Revision 19931) ++++ src/lib/gssapi/spnego/spnego_mech.c (.../branches/krb5-1-6) (Revision 19931) +@@ -61,7 +61,7 @@ + /* private routines for spnego_mechanism */ + static spnego_token_t make_spnego_token(char *); + static gss_buffer_desc make_err_msg(char *); +-static int g_token_size(gss_OID_const, OM_uint32); ++static int g_token_size(gss_OID_const, unsigned int); + static int g_make_token_header(gss_OID_const, unsigned int, + unsigned char **, unsigned int); + static int g_verify_token_header(gss_OID_const, unsigned int *, +@@ -835,6 +835,7 @@ + ret = GSS_S_FAILURE; + } + } ++ gss_release_buffer(&tmpmin, &mechtok_out); + if (ret == GSS_S_COMPLETE) { + /* + * Now, switch the output context to refer to the Index: src/lib/krb5/ccache/cc_file.c =================================================================== ---- src/lib/krb5/ccache/cc_file.c (.../tags/krb5-1-6-2-final) (Revision 19755) -+++ src/lib/krb5/ccache/cc_file.c (.../branches/krb5-1-6) (Revision 19755) +--- src/lib/krb5/ccache/cc_file.c (.../tags/krb5-1-6-2-final) (Revision 19931) ++++ src/lib/krb5/ccache/cc_file.c (.../branches/krb5-1-6) (Revision 19931) @@ -1954,6 +1954,9 @@ char scratch[sizeof(TKT_ROOT)+6+1]; /* +6 for the scratch part, +1 for NUL */ @@ -143,10 +320,79 @@ Index: src/lib/krb5/ccache/cc_file.c err_out: krb5_xfree(((krb5_fcc_data *) lid->data)->filename); +Index: src/lib/krb5/ccache/ccfns.c +=================================================================== +--- src/lib/krb5/ccache/ccfns.c (.../tags/krb5-1-6-2-final) (Revision 19931) ++++ src/lib/krb5/ccache/ccfns.c (.../branches/krb5-1-6) (Revision 19931) +@@ -1,7 +1,7 @@ + /* + * lib/krb5/ccache/ccfns.c + * +- * Copyright 2000 by the Massachusetts Institute of Technology. ++ * Copyright 2000, 2007 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may +@@ -65,7 +65,29 @@ + krb5_cc_store_cred (krb5_context context, krb5_ccache cache, + krb5_creds *creds) + { +- return cache->ops->store(context, cache, creds); ++ krb5_error_code ret; ++ krb5_ticket *tkt; ++ krb5_principal s1, s2; ++ ++ ret = cache->ops->store(context, cache, creds); ++ if (ret) return ret; ++ ++ /* ++ * If creds->server and the server in the decoded ticket differ, ++ * store both principals. ++ */ ++ s1 = creds->server; ++ ret = decode_krb5_ticket(&creds->ticket, &tkt); ++ /* Bail out on errors in case someone is storing a non-ticket. */ ++ if (ret) return 0; ++ s2 = tkt->server; ++ if (!krb5_principal_compare(context, s1, s2)) { ++ creds->server = s2; ++ ret = cache->ops->store(context, cache, creds); ++ creds->server = s1; ++ } ++ krb5_free_ticket(context, tkt); ++ return ret; + } + + krb5_error_code KRB5_CALLCONV +@@ -73,7 +95,23 @@ + krb5_flags flags, krb5_creds *mcreds, + krb5_creds *creds) + { +- return cache->ops->retrieve(context, cache, flags, mcreds, creds); ++ krb5_error_code ret; ++ krb5_data tmprealm; ++ ++ ret = cache->ops->retrieve(context, cache, flags, mcreds, creds); ++ if (ret != KRB5_CC_NOTFOUND) ++ return ret; ++ if (!krb5_is_referral_realm(&mcreds->server->realm)) ++ return ret; ++ ++ /* ++ * Retry using client's realm if service has referral realm. ++ */ ++ tmprealm = mcreds->server->realm; ++ mcreds->server->realm = mcreds->client->realm; ++ ret = cache->ops->retrieve(context, cache, flags, mcreds, creds); ++ mcreds->server->realm = tmprealm; ++ return ret; + } + + krb5_error_code KRB5_CALLCONV Index: src/lib/krb5/krb/gc_frm_kdc.c =================================================================== ---- src/lib/krb5/krb/gc_frm_kdc.c (.../tags/krb5-1-6-2-final) (Revision 19755) -+++ src/lib/krb5/krb/gc_frm_kdc.c (.../branches/krb5-1-6) (Revision 19755) +--- src/lib/krb5/krb/gc_frm_kdc.c (.../tags/krb5-1-6-2-final) (Revision 19931) ++++ src/lib/krb5/krb/gc_frm_kdc.c (.../branches/krb5-1-6) (Revision 19931) @@ -906,7 +906,6 @@ /* Whether or not that succeeded, we're done. */ goto cleanup; @@ -204,4 +450,3 @@ Index: src/lib/krb5/krb/gc_frm_kdc.c } } - diff --git a/krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif b/krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif new file mode 100644 index 0000000..23eb00e --- /dev/null +++ b/krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif @@ -0,0 +1,41 @@ +--- src/lib/kadm5/srv/svr_policy.c ++++ src/lib/kadm5/srv/svr_policy.c 2007/08/24 14:32:34 +@@ -211,8 +211,9 @@ + if((mask & KADM5_POLICY)) + return KADM5_BAD_MASK; + +- ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt); +- if( ret && (cnt==0) ) ++ if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt))) ++ return ret; ++ if (cnt != 1) + return KADM5_UNK_POLICY; + + if ((mask & KADM5_PW_MAX_LIFE)) + +--- src/lib/rpc/svc_auth_gss.c ++++ src/lib/rpc/svc_auth_gss.c 2007/09/06 08:32:37 +@@ -355,6 +355,15 @@ + memset(rpchdr, 0, sizeof(rpchdr)); + + /* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */ ++ oa = &msg->rm_call.cb_cred; ++ if (oa->oa_length > MAX_AUTH_BYTES) ++ return (FALSE); ++ ++ /* 8 XDR units from the IXDR macro calls. */ ++ if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT + ++ RNDUP(oa->oa_length))) ++ return (FALSE); ++ + buf = (int32_t *)(void *)rpchdr; + IXDR_PUT_LONG(buf, msg->rm_xid); + IXDR_PUT_ENUM(buf, msg->rm_direction); +@@ -362,7 +371,6 @@ + IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); + IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); + IXDR_PUT_LONG(buf, msg->rm_call.cb_proc); +- oa = &msg->rm_call.cb_cred; + IXDR_PUT_ENUM(buf, oa->oa_flavor); + IXDR_PUT_LONG(buf, oa->oa_length); + if (oa->oa_length) { diff --git a/krb5-doc.spec b/krb5-doc.spec index 6e5e188..f0f7dff 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -13,7 +13,7 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive Version: 1.6.2 -Release: 12 +Release: 28 %define srcRoot krb5-1.6.2 Summary: MIT Kerberos5 Implementation--Documentation License: X11/MIT diff --git a/krb5-plugins.changes b/krb5-plugins.changes index 5218979..49c999f 100644 --- a/krb5-plugins.changes +++ b/krb5-plugins.changes @@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Tue Sep 11 15:11:34 CEST 2007 - mc@suse.de + +- update krb5-1.6.2-post.dif + * new -S sname option for kvno + * read_entropy_from_device on partial read will not fill buffer + * Bail out if encoded "ticket" doesn't decode correctly. + * patch for referrals loop + +------------------------------------------------------------------- +Thu Sep 6 10:43:50 CEST 2007 - mc@suse.de + +- fix a problem with the originally published patch + for MITKRB5-SA-2007-006 - CVE-2007-3999 + [#302377] + +------------------------------------------------------------------- +Wed Sep 5 12:18:38 CEST 2007 - mc@suse.de + +- fix execute arbitrary code + (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000) + [#302377] + ------------------------------------------------------------------- Tue Aug 7 11:59:05 CEST 2007 - mc@suse.de diff --git a/krb5-plugins.spec b/krb5-plugins.spec index c89678d..8a32f69 100644 --- a/krb5-plugins.spec +++ b/krb5-plugins.spec @@ -13,7 +13,7 @@ Name: krb5-plugins Version: 1.6.2 -Release: 2 +Release: 3 BuildRequires: bison krb5-devel ncurses-devel openldap2-devel %define srcRoot krb5-1.6.2 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ @@ -45,6 +45,7 @@ Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif Patch24: krb5-1.5.1-fix-strncat-warning.dif Patch25: krb5-1.6.1-init-salt-length.dif Patch26: krb5-1.4.3-extra-check-kt_file.c.dif +Patch27: krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -110,6 +111,7 @@ fi %patch24 %patch25 %patch26 +%patch27 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c %build @@ -207,6 +209,20 @@ rm -rf %{buildroot} %{_mandir}/man8/* %changelog +* Tue Sep 11 2007 - mc@suse.de +- update krb5-1.6.2-post.dif + * new -S sname option for kvno + * read_entropy_from_device on partial read will not fill buffer + * Bail out if encoded "ticket" doesn't decode correctly. + * patch for referrals loop +* Thu Sep 06 2007 - mc@suse.de +- fix a problem with the originally published patch + for MITKRB5-SA-2007-006 - CVE-2007-3999 + [#302377] +* Wed Sep 05 2007 - mc@suse.de +- fix execute arbitrary code + (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000) + [#302377] * Tue Aug 07 2007 - mc@suse.de - add krb5-1.6.2-post.dif * during the referrals loop, check to see if the diff --git a/krb5.changes b/krb5.changes index de6feff..af52eac 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de + +- update krb5-1.6.2-post.dif + * new -S sname option for kvno + * read_entropy_from_device on partial read will not fill buffer + * Bail out if encoded "ticket" doesn't decode correctly. + * patch for referrals loop + +------------------------------------------------------------------- +Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de + +- fix a problem with the originally published patch + for MITKRB5-SA-2007-006 - CVE-2007-3999 + [#302377] + +------------------------------------------------------------------- +Wed Sep 5 12:18:21 CEST 2007 - mc@suse.de + +- fix execute arbitrary code + (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000) + [#302377] + ------------------------------------------------------------------- Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index f53a7c9..b7a89e8 100644 --- a/krb5.spec +++ b/krb5.spec @@ -12,7 +12,7 @@ Name: krb5 Version: 1.6.2 -Release: 9 +Release: 18 BuildRequires: bison libcom_err-devel ncurses-devel %if %{suse_version} > 1010 BuildRequires: keyutils keyutils-devel @@ -49,6 +49,7 @@ Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif Patch24: krb5-1.5.1-fix-strncat-warning.dif Patch25: krb5-1.6.1-init-salt-length.dif Patch26: krb5-1.4.3-extra-check-kt_file.c.dif +Patch27: krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch @@ -201,6 +202,7 @@ fi %patch24 %patch25 %patch26 +%patch27 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c %build @@ -511,6 +513,20 @@ rm -rf %{buildroot} %{_mandir}/man1/krb5-config.1* %changelog +* Tue Sep 11 2007 - mc@suse.de +- update krb5-1.6.2-post.dif + * new -S sname option for kvno + * read_entropy_from_device on partial read will not fill buffer + * Bail out if encoded "ticket" doesn't decode correctly. + * patch for referrals loop +* Thu Sep 06 2007 - mc@suse.de +- fix a problem with the originally published patch + for MITKRB5-SA-2007-006 - CVE-2007-3999 + [#302377] +* Wed Sep 05 2007 - mc@suse.de +- fix execute arbitrary code + (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000) + [#302377] * Tue Aug 07 2007 - mc@suse.de - add krb5-1.6.2-post.dif * during the referrals loop, check to see if the