From d41ac48ab625ad397c54e131dbb52eeaa07b125717722d85366c64217d3dcab4 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Fri, 21 Mar 2008 00:47:13 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=30 --- krb5-1.6-MITKRB5-SA-2008-001.dif | 336 +++++++++++++++++++++++++++++++ krb5-1.6-MITKRB5-SA-2008-002.dif | 76 +++++++ krb5-doc.spec | 3 +- krb5-plugins.spec | 7 +- krb5.changes | 11 + krb5.spec | 15 +- vendor-files.tar.bz2 | 4 +- 7 files changed, 447 insertions(+), 5 deletions(-) create mode 100644 krb5-1.6-MITKRB5-SA-2008-001.dif create mode 100644 krb5-1.6-MITKRB5-SA-2008-002.dif diff --git a/krb5-1.6-MITKRB5-SA-2008-001.dif b/krb5-1.6-MITKRB5-SA-2008-001.dif new file mode 100644 index 0000000..a26c178 --- /dev/null +++ b/krb5-1.6-MITKRB5-SA-2008-001.dif 
@@ -0,0 +1,336 @@ +Index: krb5-1.6.2/src/kdc/dispatch.c +=================================================================== +--- krb5-1.6.2.orig/src/kdc/dispatch.c ++++ krb5-1.6.2/src/kdc/dispatch.c +@@ -1,7 +1,7 @@ + /* + * kdc/dispatch.c + * +- * Copyright 1990 by the Massachusetts Institute of Technology. ++ * Copyright 1990, 2007 by the Massachusetts Institute of Technology. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. +@@ -107,7 +107,7 @@ dispatch(krb5_data *pkt, const krb5_full + retval = KRB5KRB_AP_ERR_MSG_TYPE; + #ifndef NOCACHE + /* put the response into the lookaside buffer */ +- if (!retval) ++ if (!retval && *response != NULL) + kdc_insert_lookaside(pkt, *response); + #endif + +Index: krb5-1.6.2/src/kdc/kerberos_v4.c +=================================================================== +--- krb5-1.6.2.orig/src/kdc/kerberos_v4.c ++++ krb5-1.6.2/src/kdc/kerberos_v4.c +@@ -1,7 +1,7 @@ + /* + * kdc/kerberos_v4.c + * +- * Copyright 1985, 1986, 1987, 1988,1991 by the Massachusetts Institute ++ * Copyright 1985, 1986, 1987, 1988,1991,2007 by the Massachusetts Institute + * of Technology. + * All Rights Reserved. 
+ * +@@ -87,11 +87,6 @@ extern int krbONE; + #define MSB_FIRST 0 /* 68000, IBM RT/PC */ + #define LSB_FIRST 1 /* Vax, PC8086 */ + +-int f; +- +-/* XXX several files in libkdb know about this */ +-char *progname; +- + #ifndef BACKWARD_COMPAT + static Key_schedule master_key_schedule; + static C_Block master_key; +@@ -143,10 +138,8 @@ static void hang(void); + #include "com_err.h" + #include "extern.h" /* to pick up master_princ */ + +-static krb5_data *response; +- +-void kerberos_v4 (struct sockaddr_in *, KTEXT); +-void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); ++static krb5_data *kerberos_v4 (struct sockaddr_in *, KTEXT); ++static krb5_data *kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); + static int set_tgtkey (char *, krb5_kvno, krb5_boolean); + + /* Attributes converted from V5 to V4 - internal representation */ +@@ -262,12 +255,12 @@ process_v4(const krb5_data *pkt, const k + (void) klog(L_KRB_PERR, "V4 request too long."); + return KRB5KRB_ERR_FIELD_TOOLONG; + } ++ memset( &v4_pkt, 0, sizeof(v4_pkt)); + v4_pkt.length = pkt->length; + v4_pkt.mbz = 0; + memcpy( v4_pkt.dat, pkt->data, pkt->length); + +- kerberos_v4( &client_sockaddr, &v4_pkt); +- *resp = response; ++ *resp = kerberos_v4( &client_sockaddr, &v4_pkt); + return(retval); + } + +@@ -300,19 +293,20 @@ char * v4_klog( int type, const char *fo + } + + static +-int krb4_sendto(int s, const char *msg, int len, int flags, +- const struct sockaddr *to, int to_len) ++krb5_data *make_response(const char *msg, int len) + { ++ krb5_data *response; ++ + if ( !(response = (krb5_data *) malloc( sizeof *response))) { +- return ENOMEM; ++ return 0; + } + if ( !(response->data = (char *) malloc( len))) { + krb5_free_data(kdc_context, response); +- return ENOMEM; ++ return 0; + } + response->length = len; + memcpy( response->data, msg, len); +- return( 0); ++ return response; + } + static void + hang(void) +@@ -586,7 +580,7 @@ static void str_length_check(char *str, + *cp = 0; + } + 
+-void ++static krb5_data * + kerberos_v4(struct sockaddr_in *client, KTEXT pkt) + { + static KTEXT_ST rpkt_st; +@@ -599,7 +593,7 @@ kerberos_v4(struct sockaddr_in *client, + KTEXT auth = &auth_st; + AUTH_DAT ad_st; + AUTH_DAT *ad = &ad_st; +- ++ krb5_data *response = 0; + + static struct in_addr client_host; + static int msg_byte_order; +@@ -637,8 +631,7 @@ kerberos_v4(struct sockaddr_in *client, + inet_ntoa(client_host)); + /* send an error reply */ + req_name_ptr = req_inst_ptr = req_realm_ptr = ""; +- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); +- return; ++ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); + } + + /* check packet version */ +@@ -648,8 +641,7 @@ kerberos_v4(struct sockaddr_in *client, + KRB_PROT_VERSION, req_version, 0); + /* send an error reply */ + req_name_ptr = req_inst_ptr = req_realm_ptr = ""; +- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); +- return; ++ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); + } + msg_byte_order = req_msg_type & 1; + +@@ -707,10 +699,10 @@ kerberos_v4(struct sockaddr_in *client, + + if ((i = check_princ(req_name_ptr, req_inst_ptr, 0, + &a_name_data, &k5key, 0, &ck5life))) { +- kerb_err_reply(client, pkt, i, "check_princ failed"); ++ response = kerb_err_reply(client, pkt, i, "check_princ failed"); + a_name_data.key_low = a_name_data.key_high = 0; + krb5_free_keyblock_contents(kdc_context, &k5key); +- return; ++ return response; + } + /* don't use k5key for client */ + krb5_free_keyblock_contents(kdc_context, &k5key); +@@ -722,11 +714,11 @@ kerberos_v4(struct sockaddr_in *client, + /* this does all the checking */ + if ((i = check_princ(service, instance, lifetime, + &s_name_data, &k5key, 1, &sk5life))) { +- kerb_err_reply(client, pkt, i, "check_princ failed"); ++ response = kerb_err_reply(client, pkt, i, "check_princ failed"); + a_name_data.key_high = a_name_data.key_low = 0; + s_name_data.key_high = s_name_data.key_low = 0; + krb5_free_keyblock_contents(kdc_context, &k5key); +- 
return; ++ return response; + } + /* Bound requested lifetime with service and user */ + v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life); +@@ -797,8 +789,7 @@ kerberos_v4(struct sockaddr_in *client, + rpkt = create_auth_reply(req_name_ptr, req_inst_ptr, + req_realm_ptr, req_time_ws, 0, a_name_data.exp_date, + a_name_data.key_version, ciph); +- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, +- (struct sockaddr *) client, sizeof (struct sockaddr_in)); ++ response = make_response((char *) rpkt->dat, rpkt->length); + memset(&a_name_data, 0, sizeof(a_name_data)); + memset(&s_name_data, 0, sizeof(s_name_data)); + break; +@@ -824,9 +815,8 @@ kerberos_v4(struct sockaddr_in *client, + lt = klog(L_KRB_PERR, + "APPL request with realm length too long from %s", + inet_ntoa(client_host)); +- kerb_err_reply(client, pkt, RD_AP_INCON, +- "realm length too long"); +- return; ++ return kerb_err_reply(client, pkt, RD_AP_INCON, ++ "realm length too long"); + } + + auth->length += (int) *(pkt->dat + auth->length) + +@@ -835,9 +825,8 @@ kerberos_v4(struct sockaddr_in *client, + lt = klog(L_KRB_PERR, + "APPL request with funky tkt or req_id length from %s", + inet_ntoa(client_host)); +- kerb_err_reply(client, pkt, RD_AP_INCON, +- "funky tkt or req_id length"); +- return; ++ return kerb_err_reply(client, pkt, RD_AP_INCON, ++ "funky tkt or req_id length"); + } + + memcpy(auth->dat, pkt->dat, auth->length); +@@ -848,18 +837,16 @@ kerberos_v4(struct sockaddr_in *client, + if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) { + lt = klog(L_ERR_UNK, + "Cross realm ticket from %s denied by policy,", tktrlm); +- kerb_err_reply(client, pkt, +- KERB_ERR_PRINCIPAL_UNKNOWN, lt); +- return; ++ return kerb_err_reply(client, pkt, ++ KERB_ERR_PRINCIPAL_UNKNOWN, lt); + } + if (set_tgtkey(tktrlm, kvno, 0)) { +- lt = klog(L_ERR_UNK, ++ lt = klog(L_ERR_UNK, + "FAILED set_tgtkey realm %s, kvno %d. 
Host: %s ", + tktrlm, kvno, inet_ntoa(client_host)); + /* no better error code */ +- kerb_err_reply(client, pkt, +- KERB_ERR_PRINCIPAL_UNKNOWN, lt); +- return; ++ return kerb_err_reply(client, pkt, ++ KERB_ERR_PRINCIPAL_UNKNOWN, lt); + } + kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, + ad, 0); +@@ -869,9 +856,8 @@ kerberos_v4(struct sockaddr_in *client, + "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ", + tktrlm, kvno, inet_ntoa(client_host)); + /* no better error code */ +- kerb_err_reply(client, pkt, +- KERB_ERR_PRINCIPAL_UNKNOWN, lt); +- return; ++ return kerb_err_reply(client, pkt, ++ KERB_ERR_PRINCIPAL_UNKNOWN, lt); + } + kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, + ad, 0); +@@ -881,8 +867,7 @@ kerberos_v4(struct sockaddr_in *client, + klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s", + inet_ntoa(client_host), krb_get_err_text(kerno)); + req_name_ptr = req_inst_ptr = req_realm_ptr = ""; +- kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); +- return; ++ return kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); + } + ptr = (char *) pkt->dat + auth->length; + +@@ -904,22 +889,21 @@ kerberos_v4(struct sockaddr_in *client, + req_realm_ptr = ad->prealm; + + if (strcmp(ad->prealm, tktrlm)) { +- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, +- "Can't hop realms"); +- return; ++ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, ++ "Can't hop realms"); + } + if (!strcmp(service, "changepw")) { +- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, +- "Can't authorize password changed based on TGT"); +- return; ++ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, ++ "Can't authorize password changed based on TGT"); + } + kerno = check_princ(service, instance, req_life, + &s_name_data, &k5key, 1, &sk5life); + if (kerno) { +- kerb_err_reply(client, pkt, kerno, "check_princ failed"); ++ response = kerb_err_reply(client, pkt, kerno, ++ "check_princ failed"); + s_name_data.key_high 
= s_name_data.key_low = 0; + krb5_free_keyblock_contents(kdc_context, &k5key); +- return; ++ return response; + } + /* Bound requested lifetime with service and user */ + v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life); +@@ -975,8 +959,7 @@ kerberos_v4(struct sockaddr_in *client, + rpkt = create_auth_reply(ad->pname, ad->pinst, + ad->prealm, time_ws, + 0, 0, 0, ciph); +- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, +- (struct sockaddr *) client, sizeof (struct sockaddr_in)); ++ response = make_response((char *) rpkt->dat, rpkt->length); + memset(&s_name_data, 0, sizeof(s_name_data)); + break; + } +@@ -1001,6 +984,7 @@ kerberos_v4(struct sockaddr_in *client, + break; + } + } ++ return response; + } + + +@@ -1010,7 +994,7 @@ kerberos_v4(struct sockaddr_in *client, + * client. + */ + +-void ++static krb5_data * + kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string) + { + static KTEXT_ST e_pkt_st; +@@ -1021,9 +1005,7 @@ kerb_err_reply(struct sockaddr_in *clien + strncat(e_msg, string, sizeof(e_msg) - 1 - 19); + cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, + req_time_ws, err, e_msg); +- krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0, +- (struct sockaddr *) client, sizeof (struct sockaddr_in)); +- ++ return make_response((char *) e_pkt->dat, e_pkt->length); + } + + static int +Index: krb5-1.6.2/src/kdc/network.c +=================================================================== +--- krb5-1.6.2.orig/src/kdc/network.c ++++ krb5-1.6.2/src/kdc/network.c +@@ -1,7 +1,7 @@ + /* + * kdc/network.c + * +- * Copyright 1990,2000 by the Massachusetts Institute of Technology. ++ * Copyright 1990,2000,2007 by the Massachusetts Institute of Technology. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. 
+@@ -747,6 +747,8 @@ static void process_packet(struct connec + com_err(prog, retval, "while dispatching (udp)"); + return; + } ++ if (response == NULL) ++ return; + cc = sendto(port_fd, response->data, (socklen_t) response->length, 0, + (struct sockaddr *)&saddr, saddr_len); + if (cc == -1) { diff --git a/krb5-1.6-MITKRB5-SA-2008-002.dif b/krb5-1.6-MITKRB5-SA-2008-002.dif new file mode 100644 index 0000000..1d62388 --- /dev/null +++ b/krb5-1.6-MITKRB5-SA-2008-002.dif 
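Review bot: The `if (response == NULL) return;` guard at the end of the hunk covers only the UDP path in network.c (process_packet, whose body starts outside the hunk), while the patch changes the contract of dispatch() so that *response can be NULL with a zero return: make_response() now returns 0 when either malloc fails and process_v4() returns retval regardless of what kerberos_v4() produced. Any other caller of dispatch() that dereferences the response without checking retval alone, such as the TCP connection handler in the same file if this tree has one, needs the same NULL check; it is not visible here and is worth confirming before the patch is applied. A one-line comment at the new guard, `/* dispatch() succeeded but produced no reply (e.g. allocation failure): nothing to send */`, would record why a silent return is acceptable at that point.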
@@ -0,0 +1,76 @@ +=== src/lib/rpc/svc.c +================================================================== +Index: src/lib/rpc/svc.c +=================================================================== +--- src/lib/rpc/svc.c.orig ++++ src/lib/rpc/svc.c +@@ -109,15 +109,17 @@ xprt_register(SVCXPRT *xprt) + if (sock < FD_SETSIZE) { + xports[sock] = xprt; + FD_SET(sock, &svc_fdset); ++ if (sock > svc_maxfd) ++ svc_maxfd = sock; + } + #else + if (sock < NOFILE) { + xports[sock] = xprt; + svc_fds |= (1 << sock); ++ if (sock > svc_maxfd) ++ svc_maxfd = sock; + } + #endif /* def FD_SETSIZE */ +- if (sock > svc_maxfd) +- svc_maxfd = sock; + } + + /* +Index: src/lib/rpc/svc_tcp.c +=================================================================== +--- src/lib/rpc/svc_tcp.c.orig ++++ src/lib/rpc/svc_tcp.c +@@ -53,6 +53,14 @@ static char sccsid[] = "@(#)svc_tcp.c 1. + extern errno; + */ + ++#ifndef FD_SETSIZE ++#ifdef NBBY ++#define NOFILE (sizeof(int) * NBBY) ++#else ++#define NOFILE (sizeof(int) * 8) ++#endif ++#endif ++ + /* + * Ops vector for TCP/IP based rpc service handle + */ +@@ -213,6 +221,19 @@ makefd_xprt( + register SVCXPRT *xprt; + register struct tcp_conn *cd; + ++#ifdef FD_SETSIZE ++ if (fd >= FD_SETSIZE) { ++ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n"); ++ xprt = NULL; ++ goto done; ++ } ++#else ++ if (fd >= NOFILE) { ++ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n"); ++ xprt = NULL; ++ goto done; ++ } ++#endif + xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT)); + if (xprt == (SVCXPRT *)NULL) { + (void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n"); +@@ -268,6 +289,10 @@ rendezvous_request( + * make a new transporter (re-uses xprt) + */ + xprt = makefd_xprt(sock, r->sendsize, r->recvsize); ++ if (xprt == NULL) { ++ close(sock); ++ return (FALSE); ++ } + xprt->xp_raddr = addr; + xprt->xp_addrlen = len; + xprt->xp_laddr = laddr; diff --git a/krb5-doc.spec b/krb5-doc.spec index e6e58e9..622b4e6 100644 --- a/krb5-doc.spec 
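Review bot: The new bound in makefd_xprt() is the only place an out-of-range descriptor is rejected; xprt_register() in the svc.c hunk still silently skips `xports[sock] = xprt` and the FD_SET when sock is not below FD_SETSIZE (or NOFILE), so any other transport that registers a descriptor through it gets no error and an xprt that is never reachable from svc_fdset. Either xprt_register() should report that case to its caller, or it should carry a comment such as `/* descriptors >= FD_SETSIZE are rejected in makefd_xprt(); other callers must bound-check before registering */` so the reliance is explicit. As a point of style, the two identical `#ifdef FD_SETSIZE` / `#else` blocks in makefd_xprt() could be collapsed into a single `fd >= limit` check by defining one limit macro, since the hunk already defines NOFILE for the non-FD_SETSIZE case. makefd_xprt()'s signature lies before the hunk.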
+++ b/krb5-doc.spec @@ -10,10 +10,11 @@ # norootforbuild + Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive Version: 1.6.3 -Release: 30 +Release: 55 %define srcRoot krb5-1.6.3 Summary: MIT Kerberos5 Implementation--Documentation License: X11/MIT diff --git a/krb5-plugins.spec b/krb5-plugins.spec index 33c6bd8..ef2df08 100644 --- a/krb5-plugins.spec +++ b/krb5-plugins.spec @@ -11,9 +11,10 @@ # norootforbuild # nodebuginfo + Name: krb5-plugins Version: 1.6.3 -Release: 4 +Release: 5 BuildRequires: bison krb5-devel ncurses-devel openldap2-devel %define srcRoot krb5-1.6.3 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ @@ -52,6 +53,8 @@ Patch35: krb5-1.6-fix-CVE-2007-5894.dif Patch36: krb5-1.6-fix-CVE-2007-5902.dif Patch37: krb5-1.6-fix-CVE-2007-5971.dif Patch38: krb5-1.6-fix-CVE-2007-5972.dif +Patch39: krb5-1.6-MITKRB5-SA-2008-001.dif +Patch40: krb5-1.6-MITKRB5-SA-2008-002.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -142,6 +145,8 @@ fi %patch36 %patch37 %patch38 +%patch39 -p1 +%patch40 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c # Rename the man pages so that they'll get generated correctly. pushd src diff --git a/krb5.changes b/krb5.changes index 1918697..8399298 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Fri Mar 14 11:27:55 CET 2008 - mc@suse.de + +- fix two security bugs: + * MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063) + fix double free [bnc#361373] + * MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948) + Memory corruption while too many open file descriptors + [bnc#363151] +- change default config file. Comment out the examples. + ------------------------------------------------------------------- Fri Dec 14 10:48:52 CET 2007 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index 595de15..f5d7b94 100644 --- a/krb5.spec +++ b/krb5.spec 
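Review bot: `%patch39 -p1` applies krb5-1.6-MITKRB5-SA-2008-001.dif, whose headers name krb5-1.6.2 paths (`--- krb5-1.6.2.orig/src/kdc/dispatch.c`), to a 1.6.3 tree; -p1 strips that prefix so it applies, but its hunk offsets were taken against 1.6.2, so the build log should be checked for fuzz or offset on the three files it touches. The differing strip levels are correct as written (the 002 headers are `src/...` relative, hence plain `%patch40`), but a short comment above the two %patch lines recording why they differ would save the next packager a look into the .dif files. krb5.spec adds the same Patch39/Patch40 declarations and %patch lines and the same applies there.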
@@ -10,9 +10,10 @@ # norootforbuild + Name: krb5 Version: 1.6.3 -Release: 20 +Release: 34 BuildRequires: bison libcom_err-devel ncurses-devel %if %{suse_version} > 1010 BuildRequires: keyutils keyutils-devel @@ -56,6 +57,8 @@ Patch35: krb5-1.6-fix-CVE-2007-5894.dif Patch36: krb5-1.6-fix-CVE-2007-5902.dif Patch37: krb5-1.6-fix-CVE-2007-5971.dif Patch38: krb5-1.6-fix-CVE-2007-5972.dif +Patch39: krb5-1.6-MITKRB5-SA-2008-001.dif +Patch40: krb5-1.6-MITKRB5-SA-2008-002.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils @@ -214,6 +217,8 @@ fi %patch36 %patch37 %patch38 +%patch39 -p1 +%patch40 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c # Rename the man pages so that they'll get generated correctly. pushd src @@ -530,6 +535,14 @@ rm -rf %{buildroot} %{_mandir}/man1/krb5-config.1* %changelog +* Fri Mar 14 2008 mc@suse.de +- fix two security bugs: + * MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063) + fix double free [bnc#361373] + * MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948) + Memory corruption while too many open file descriptors + [bnc#363151] +- change default config file. Comment out the examples. * Fri Dec 14 2007 mc@suse.de - fix several security bugs: * CVE-2007-5894 apparent uninit length diff --git a/vendor-files.tar.bz2 b/vendor-files.tar.bz2 index 45da0d3..c227499 100644 --- a/vendor-files.tar.bz2 +++ b/vendor-files.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:7ccfa471ed0c7e2646316277ef0dd77463263faeb3febed2e3292048dd3f79e4 -size 186569 +oid sha256:b66c043ae361cc470893ac3f3dba5e653e836c8b130ba428c64d211f6c51ecfe +size 186668