OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=24

2007-09-13 16:47:35 +00:00 · 2007-09-13 16:47:35 +00:00 · c1c1df81b9
commit c1c1df81b9
parent 47047c041c
7 changed files with 372 additions and 8 deletions
--- a/krb5-1.6.2-post.dif
+++ b/krb5-1.6.2-post.dif
@ -1,7 +1,184 @@
 Index: src/clients/kvno/kvno.M
 ===================================================================
 --- src/clients/kvno/kvno.M	(.../tags/krb5-1-6-2-final)	(Revision 19931)
 +++ src/clients/kvno/kvno.M	(.../branches/krb5-1-6)	(Revision 19931)
@@ -55,6 +55,15 @@
 specifies that Kerberos version 4 tickets should be acquired and
 described.  This option is only available if Kerberos 4 support was
 enabled at compilation time.
 +.TP
 +.B \-S sname
 +specifies that krb5_sname_to_principal() will be used to build
 +principal names.  If this flag is specified, the
 +.B service1 service2 ...
 +arguments are interpreted as hostnames (rather than principal names),
 +and
 +.B sname
 +is interpreted as the service name.
 .SH ENVIRONMENT
 .B Kvno
 uses the following environment variable:
 Index: src/clients/kvno/kvno.c
 ===================================================================
 --- src/clients/kvno/kvno.c	(.../tags/krb5-1-6-2-final)	(Revision 19931)
 +++ src/clients/kvno/kvno.c	(.../branches/krb5-1-6)	(Revision 19931)
@@ -41,10 +41,10 @@
 {
 #ifdef KRB5_KRB4_COMPAT
     fprintf(stderr, 
 -            "usage: %s [-4 | [-c ccache] [-e etype] [-k keytab]] service1 service2 ...\n", 
 +            "usage: %s [-4 | [-c ccache] [-e etype] [-k keytab] [-S sname]] service1 service2 ...\n", 
             prog);
 #else
 -    fprintf(stderr, "usage: %s [-c ccache] [-e etype] [-k keytab] service1 service2 ...\n",
 +    fprintf(stderr, "usage: %s [-c ccache] [-e etype] [-k keytab] [-S sname] service1 service2 ...\n",
             prog);
 #endif
     exit(1);
@@ -54,7 +54,8 @@
 static void do_v4_kvno (int argc, char *argv[]);
 static void do_v5_kvno (int argc, char *argv[], 
 -                        char *ccachestr, char *etypestr, char *keytab_name);
 +                        char *ccachestr, char *etypestr, char *keytab_name,
 +			char *sname);
 #include <com_err.h>
 static void extended_com_err_fn (const char *, errcode_t, const char *,
@@ -64,6 +65,7 @@
 {
     int option;
     char *etypestr = NULL, *ccachestr = NULL, *keytab_name = NULL;
 +    char *sname = NULL;
     int v4 = 0;
     set_com_err_hook (extended_com_err_fn);
@@ -71,7 +73,7 @@
     prog = strrchr(argv[0], '/');
     prog = prog ? (prog + 1) : argv[0];
 -    while ((option = getopt(argc, argv, "c:e:hk:q4")) != -1) {
 +    while ((option = getopt(argc, argv, "c:e:hk:q4S:")) != -1) {
 	switch (option) {
 	case 'c':
 	    ccachestr = optarg;
@@ -91,6 +93,9 @@
 	case '4':
 	    v4 = 1;
 	    break;
 +	case 'S':
 +	    sname = optarg;
 +	    break;
 	default:
 	    xusage();
 	    break;
@@ -103,10 +108,14 @@
     if ((ccachestr != NULL || etypestr != NULL || keytab_name != NULL) && v4)
 	xusage();
 +    if (sname != NULL && v4)
 +	xusage();
 +
     if (v4)
 	do_v4_kvno(argc - optind, argv + optind);
     else
 -	do_v5_kvno(argc - optind, argv + optind, ccachestr, etypestr, keytab_name);
 +	do_v5_kvno(argc - optind, argv + optind,
 +		   ccachestr, etypestr, keytab_name, sname);
     return 0;
 }
@@ -172,7 +181,8 @@
 }
 static void do_v5_kvno (int count, char *names[], 
 -                        char * ccachestr, char *etypestr, char *keytab_name)
 +                        char * ccachestr, char *etypestr, char *keytab_name,
 +			char *sname)
 {
     krb5_error_code ret;
     int i, errors;
@@ -230,7 +240,13 @@
 	in_creds.client = me;
 -	ret = krb5_parse_name(context, names[i], &in_creds.server);
 +	if (sname != NULL) {
 +	    ret = krb5_sname_to_principal(context, names[i],
 +					  sname, KRB5_NT_SRV_HST,
 +					  &in_creds.server);
 +	} else {
 +	    ret = krb5_parse_name(context, names[i], &in_creds.server);
 +	}
 	if (ret) {
 	    if (!quiet)
 		com_err(prog, ret, "while parsing principal name %s", names[i]);
 Index: src/lib/crypto/prng.c
 ===================================================================
 --- src/lib/crypto/prng.c	(.../tags/krb5-1-6-2-final)	(Revision 19931)
 +++ src/lib/crypto/prng.c	(.../branches/krb5-1-6)	(Revision 19931)
@@ -162,7 +162,7 @@
   krb5_data data;
   struct stat sb;
   int fd;
 -  unsigned char buf[YARROW_SLOW_THRESH/8];
 +  unsigned char buf[YARROW_SLOW_THRESH/8], *bp;
   int left;
   fd = open (device, O_RDONLY);
   if (fd == -1)
@@ -173,14 +173,16 @@
     close(fd);
     return 0;
   }
 -  for (left = sizeof (buf); left > 0;) {
 +
 +  for (bp = &buf, left = sizeof (buf); left > 0;) {
     ssize_t count;
 -    count = read (fd, &buf, (unsigned) left);
 +    count = read (fd, bp, (unsigned) left);
     if (count <= 0) {
       close(fd);
       return 0;
     }
     left -= count;
 +    bp += count;
   }
   close (fd);
   data.length = sizeof (buf);
@@ -199,7 +201,7 @@
   int unused;
   int *oursuccess = success?success:&unused;
   *oursuccess = 0;
 -  /* If we are getting strong data then try that first.  We aare
 +  /* If we are getting strong data then try that first.  We are
      guaranteed to cause a reseed of some kind if strong is true and
      we have both /dev/random and /dev/urandom.  We want the strong
      data included in the reseed so we get it first.*/
 Index: src/lib/gssapi/spnego/spnego_mech.c
 ===================================================================
 --- src/lib/gssapi/spnego/spnego_mech.c	(.../tags/krb5-1-6-2-final)	(Revision 19931)
 +++ src/lib/gssapi/spnego/spnego_mech.c	(.../branches/krb5-1-6)	(Revision 19931)
@@ -61,7 +61,7 @@
 /* private routines for spnego_mechanism */
 static spnego_token_t make_spnego_token(char *);
 static gss_buffer_desc make_err_msg(char *);
 -static int g_token_size(gss_OID_const, OM_uint32);
 +static int g_token_size(gss_OID_const, unsigned int);
 static int g_make_token_header(gss_OID_const, unsigned int,
 			       unsigned char **, unsigned int);
 static int g_verify_token_header(gss_OID_const, unsigned int *,
@@ -835,6 +835,7 @@
 			ret = GSS_S_FAILURE;
 		}
 	}
 +	gss_release_buffer(&tmpmin, &mechtok_out);
 	if (ret == GSS_S_COMPLETE) {
 		/*
 		 * Now, switch the output context to refer to the
 Index: src/lib/krb5/ccache/cc_file.c
 ===================================================================
--- src/lib/krb5/ccache/cc_file.c	(.../tags/krb5-1-6-2-final)	(Revision 19755)
+--- src/lib/krb5/ccache/cc_file.c	(.../tags/krb5-1-6-2-final)	(Revision 19931)
-+++ src/lib/krb5/ccache/cc_file.c	(.../branches/krb5-1-6)	(Revision 19755)
+++ src/lib/krb5/ccache/cc_file.c	(.../branches/krb5-1-6)	(Revision 19931)
@@ -1954,6 +1954,9 @@
      char scratch[sizeof(TKT_ROOT)+6+1]; /* +6 for the scratch part, +1 for
 					    NUL */
@ -143,10 +320,79 @@ Index: src/lib/krb5/ccache/cc_file.c
 err_out:
      krb5_xfree(((krb5_fcc_data *) lid->data)->filename);
 Index: src/lib/krb5/ccache/ccfns.c
 ===================================================================
 --- src/lib/krb5/ccache/ccfns.c	(.../tags/krb5-1-6-2-final)	(Revision 19931)
 +++ src/lib/krb5/ccache/ccfns.c	(.../branches/krb5-1-6)	(Revision 19931)
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/ccache/ccfns.c
  *
 - * Copyright 2000 by the Massachusetts Institute of Technology.
 + * Copyright 2000, 2007 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -65,7 +65,29 @@
 krb5_cc_store_cred (krb5_context context, krb5_ccache cache,
 		    krb5_creds *creds)
 {
 -    return cache->ops->store(context, cache, creds);
 +    krb5_error_code ret;
 +    krb5_ticket *tkt;
 +    krb5_principal s1, s2;
 +
 +    ret = cache->ops->store(context, cache, creds);
 +    if (ret) return ret;
 +
 +    /*
 +     * If creds->server and the server in the decoded ticket differ,
 +     * store both principals.
 +     */
 +    s1 = creds->server;
 +    ret = decode_krb5_ticket(&creds->ticket, &tkt);
 +    /* Bail out on errors in case someone is storing a non-ticket. */
 +    if (ret) return 0;
 +    s2 = tkt->server;
 +    if (!krb5_principal_compare(context, s1, s2)) {
 +	creds->server = s2;
 +	ret = cache->ops->store(context, cache, creds);
 +	creds->server = s1;
 +    }
 +    krb5_free_ticket(context, tkt);
 +    return ret;
 }
 krb5_error_code KRB5_CALLCONV
@@ -73,7 +95,23 @@
 		       krb5_flags flags, krb5_creds *mcreds,
 		       krb5_creds *creds)
 {
 -    return cache->ops->retrieve(context, cache, flags, mcreds, creds);
 +    krb5_error_code ret;
 +    krb5_data tmprealm;
 +
 +    ret = cache->ops->retrieve(context, cache, flags, mcreds, creds);
 +    if (ret != KRB5_CC_NOTFOUND)
 +	return ret;
 +    if (!krb5_is_referral_realm(&mcreds->server->realm))
 +	return ret;
 +
 +    /*
 +     * Retry using client's realm if service has referral realm.
 +     */
 +    tmprealm = mcreds->server->realm;
 +    mcreds->server->realm = mcreds->client->realm;
 +    ret = cache->ops->retrieve(context, cache, flags, mcreds, creds);
 +    mcreds->server->realm = tmprealm;
 +    return ret;
 }
 krb5_error_code KRB5_CALLCONV
 Index: src/lib/krb5/krb/gc_frm_kdc.c
 ===================================================================
--- src/lib/krb5/krb/gc_frm_kdc.c	(.../tags/krb5-1-6-2-final)	(Revision 19755)
+--- src/lib/krb5/krb/gc_frm_kdc.c	(.../tags/krb5-1-6-2-final)	(Revision 19931)
-+++ src/lib/krb5/krb/gc_frm_kdc.c	(.../branches/krb5-1-6)	(Revision 19755)
+++ src/lib/krb5/krb/gc_frm_kdc.c	(.../branches/krb5-1-6)	(Revision 19931)
@@ -906,7 +906,6 @@
 	    /* Whether or not that succeeded, we're done. */
 	    goto cleanup;
@ -204,4 +450,3 @@ Index: src/lib/krb5/krb/gc_frm_kdc.c
 	}
     }
--- a/krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif
+++ b/krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif
@ -0,0 +1,41 @@
 --- src/lib/kadm5/srv/svr_policy.c
 +++ src/lib/kadm5/srv/svr_policy.c	2007/08/24 14:32:34
@@ -211,8 +211,9 @@
     if((mask & KADM5_POLICY))
 	return KADM5_BAD_MASK;
 -    ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt);
 -    if( ret && (cnt==0) )
 +    if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt)))
 + 	return ret;
 +    if (cnt != 1)
 	return KADM5_UNK_POLICY;
     if ((mask & KADM5_PW_MAX_LIFE))
 --- src/lib/rpc/svc_auth_gss.c
 +++ src/lib/rpc/svc_auth_gss.c	2007/09/06 08:32:37
@@ -355,6 +355,15 @@
 	memset(rpchdr, 0, sizeof(rpchdr));
 	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
 +	oa = &msg->rm_call.cb_cred;
 +	if (oa->oa_length > MAX_AUTH_BYTES)
 +	     return (FALSE);
 +
 +	/* 8 XDR units from the IXDR macro calls. */
 +	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT + 
 +				RNDUP(oa->oa_length)))
 +             return (FALSE);
 +
 	buf = (int32_t *)(void *)rpchdr;
 	IXDR_PUT_LONG(buf, msg->rm_xid);
 	IXDR_PUT_ENUM(buf, msg->rm_direction);
@@ -362,7 +371,6 @@
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
 -	oa = &msg->rm_call.cb_cred;
 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
 	IXDR_PUT_LONG(buf, oa->oa_length);
 	if (oa->oa_length) {
--- a/krb5-doc.spec
+++ b/krb5-doc.spec
@ -13,7 +13,7 @@
 Name:           krb5-doc
 BuildRequires:  ghostscript-library latex2html texlive
 Version:        1.6.2
-Release:        12
+Release:        28
 %define srcRoot krb5-1.6.2
 Summary:        MIT Kerberos5 Implementation--Documentation
 License:        X11/MIT
--- a/krb5-plugins.changes
+++ b/krb5-plugins.changes
@ -1,3 +1,26 @@
 -------------------------------------------------------------------
 Tue Sep 11 15:11:34 CEST 2007 - mc@suse.de
 - update krb5-1.6.2-post.dif
  * new -S sname option for kvno
  * read_entropy_from_device on partial read will not fill buffer
  * Bail out if encoded "ticket" doesn't decode correctly.
  * patch for referrals loop
 -------------------------------------------------------------------
 Thu Sep  6 10:43:50 CEST 2007 - mc@suse.de
 - fix a problem with the originally published patch
  for MITKRB5-SA-2007-006 - CVE-2007-3999
  [#302377]
 -------------------------------------------------------------------
 Wed Sep  5 12:18:38 CEST 2007 - mc@suse.de
 - fix execute arbitrary code
  (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)
  [#302377]
 -------------------------------------------------------------------
 Tue Aug  7 11:59:05 CEST 2007 - mc@suse.de
--- a/krb5-plugins.spec
+++ b/krb5-plugins.spec
@ -13,7 +13,7 @@
 Name:           krb5-plugins
 Version:        1.6.2
-Release:        2
+Release:        3
 BuildRequires:  bison krb5-devel ncurses-devel openldap2-devel
 %define srcRoot krb5-1.6.2 
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
@ -45,6 +45,7 @@ Patch22:        krb5-1.5.1-fix-ftp-var-used-uninitialized.dif
 Patch24:        krb5-1.5.1-fix-strncat-warning.dif
 Patch25:        krb5-1.6.1-init-salt-length.dif
 Patch26:        krb5-1.4.3-extra-check-kt_file.c.dif
 Patch27:        krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %description
@ -110,6 +111,7 @@ fi
 %patch24
 %patch25
 %patch26
 %patch27
 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c
 %build
@ -207,6 +209,20 @@ rm -rf %{buildroot}
 %{_mandir}/man8/*
 %changelog
 * Tue Sep 11 2007 - mc@suse.de
 - update krb5-1.6.2-post.dif
  * new -S sname option for kvno
  * read_entropy_from_device on partial read will not fill buffer
  * Bail out if encoded "ticket" doesn't decode correctly.
  * patch for referrals loop
 * Thu Sep 06 2007 - mc@suse.de
 - fix a problem with the originally published patch
  for MITKRB5-SA-2007-006 - CVE-2007-3999
  [#302377]
 * Wed Sep 05 2007 - mc@suse.de
 - fix execute arbitrary code
  (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)
  [#302377]
 * Tue Aug 07 2007 - mc@suse.de
 - add krb5-1.6.2-post.dif
  * during the referrals loop, check to see if the
--- a/krb5.changes
+++ b/krb5.changes
@ -1,3 +1,26 @@
 -------------------------------------------------------------------
 Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de
 - update krb5-1.6.2-post.dif
  * new -S sname option for kvno
  * read_entropy_from_device on partial read will not fill buffer
  * Bail out if encoded "ticket" doesn't decode correctly.
  * patch for referrals loop 
 -------------------------------------------------------------------
 Thu Sep  6 10:43:39 CEST 2007 - mc@suse.de
 - fix a problem with the originally published patch
  for MITKRB5-SA-2007-006 - CVE-2007-3999
  [#302377]
 -------------------------------------------------------------------
 Wed Sep  5 12:18:21 CEST 2007 - mc@suse.de
 - fix execute arbitrary code
  (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)
  [#302377]
 -------------------------------------------------------------------
 Tue Aug  7 11:56:41 CEST 2007 - mc@suse.de
--- a/krb5.spec
+++ b/krb5.spec
@ -12,7 +12,7 @@
 Name:           krb5
 Version:        1.6.2
-Release:        9
+Release:        18
 BuildRequires:  bison libcom_err-devel ncurses-devel
 %if %{suse_version} > 1010
 BuildRequires:  keyutils keyutils-devel
@ -49,6 +49,7 @@ Patch22:        krb5-1.5.1-fix-ftp-var-used-uninitialized.dif
 Patch24:        krb5-1.5.1-fix-strncat-warning.dif
 Patch25:        krb5-1.6.1-init-salt-length.dif
 Patch26:        krb5-1.4.3-extra-check-kt_file.c.dif
 Patch27:        krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch 
@ -201,6 +202,7 @@ fi
 %patch24
 %patch25
 %patch26
 %patch27
 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c
 %build
@ -511,6 +513,20 @@ rm -rf %{buildroot}
 %{_mandir}/man1/krb5-config.1*
 %changelog
 * Tue Sep 11 2007 - mc@suse.de
 - update krb5-1.6.2-post.dif
  * new -S sname option for kvno
  * read_entropy_from_device on partial read will not fill buffer
  * Bail out if encoded "ticket" doesn't decode correctly.
  * patch for referrals loop
 * Thu Sep 06 2007 - mc@suse.de
 - fix a problem with the originally published patch
  for MITKRB5-SA-2007-006 - CVE-2007-3999
  [#302377]
 * Wed Sep 05 2007 - mc@suse.de
 - fix execute arbitrary code
  (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)
  [#302377]
 * Tue Aug 07 2007 - mc@suse.de
 - add krb5-1.6.2-post.dif
  * during the referrals loop, check to see if the