From 3cf16e937ddb8ac7d3364a8cf29235a1223acfed8a89df3cc7c0b3579ac5122f Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Mon, 6 Oct 2008 15:19:48 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam_krb5?expand=0&rev=21
---
 bug-425861_pam_krb5-2.3.1-ccacheperms.patch | 253 ++++++++++++++++++++
 pam_krb5.changes | 6 +
 pam_krb5.spec | 9 +-
 3 files changed, 266 insertions(+), 2 deletions(-)
 create mode 100644 bug-425861_pam_krb5-2.3.1-ccacheperms.patch
diff --git a/bug-425861_pam_krb5-2.3.1-ccacheperms.patch b/bug-425861_pam_krb5-2.3.1-ccacheperms.patch
new file mode 100644
index 0000000..b65733b
--- /dev/null
+++ b/bug-425861_pam_krb5-2.3.1-ccacheperms.patch
@@ -0,0 +1,253 @@
+Index: pam_krb5-2.3.1-1/src/Makefile.am
+===================================================================
+--- pam_krb5-2.3.1-1.orig/src/Makefile.am
++++ pam_krb5-2.3.1-1/src/Makefile.am
+@@ -37,6 +37,8 @@ libpam_krb5_la_SOURCES = \
+ kuserok.c \
+ kuserok.h \
+ minikafs.h \
++ perms.c \
++ perms.h \
+ prompter.c \
+ prompter.h \
+ shmem.c \
+@@ -112,6 +114,7 @@ harness_LDADD = \
+ map.lo \
+ initopts.lo \
+ options.lo \
++ perms.lo \
+ userinfo.lo \
+ sly.lo \
+ v4.lo \
+@@ -125,6 +128,7 @@ harness_newpag_LDADD = \
+ pam_newpag.lo \
+ logstdio.lo \
+ options.lo \
++ perms.lo \
+ v4.lo \
+ v5.lo
+ harness_newpag_LDADD += libpam_krb5.la @PAM_LIBS@ @KRB5_LIBS@ @KRB4_LIBS@ @KEYUTILS_LIBS@
+Index: pam_krb5-2.3.1-1/src/perms.c
+===================================================================
+--- /dev/null
++++ pam_krb5-2.3.1-1/src/perms.c
+@@ -0,0 +1,89 @@
++/*
++ * Copyright 2008 Red Hat, Inc.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, and the entire permission notice in its entirety,
++ * including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ * products derived from this software without specific prior
++ * written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of the
++ * GNU Lesser General Public License, in which case the provisions of the
++ * LGPL are required INSTEAD OF the above restrictions.
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
++ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
++ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
++ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "../config.h"
++
++#include
++#include
++#include
++#include "perms.h"
++
++struct _pam_krb5_perms {
++ uid_t ruid, euid;
++ gid_t rgid, egid;
++};
++
++struct _pam_krb5_perms *
++_pam_krb5_switch_perms(void)
++{
++ struct _pam_krb5_perms *ret;
++ ret = malloc(sizeof(*ret));
++ if (ret != NULL) {
++ ret->ruid = getuid();
++ ret->euid = geteuid();
++ ret->rgid = getgid();
++ ret->egid = getegid();
++ if (ret->ruid == ret->euid) {
++ ret->ruid = -1;
++ ret->euid = -1;
++ }
++ if (ret->rgid == ret->egid) {
++ ret->rgid = -1;
++ ret->egid = -1;
++ }
++ if (setregid(ret->egid, ret->rgid) == -1) {
++ free(ret);
++ ret = NULL;
++ } else {
++ if (setreuid(ret->euid, ret->ruid) == -1) {
++ setregid(ret->rgid, ret->egid);
++ free(ret);
++ ret = NULL;
++ }
++ }
++ }
++ return ret;
++}
++
++int
++_pam_krb5_restore_perms(struct _pam_krb5_perms *saved)
++{
++ int ret = -1;
++ if (saved != NULL) {
++ if ((setreuid(saved->ruid, saved->euid) == 0) &&
++ (setregid(saved->rgid, saved->egid) == 0)) {
++ ret = 0;
++ }
++ free(saved);
++ }
++ return ret;
++}
+Index: pam_krb5-2.3.1-1/src/perms.h
+===================================================================
+--- /dev/null
++++ pam_krb5-2.3.1-1/src/perms.h
+@@ -0,0 +1,40 @@
++/*
++
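Review bot: `_pam_krb5_switch_perms()` swaps the real and effective IDs with `setregid(ret->egid, ret->rgid)` / `setreuid(ret->euid, ret->ruid)`, so for the whole window `getuid()` reports the privileged uid (0 under su/sudo) rather than the caller's, and anything in that window that derives a path from the real uid — MIT krb5's Unix fallback for the default cache name is built from getuid() when KRB5CCNAME is unset, as far as I know — would then look at the wrong user's cache. Moving only the effective IDs with `setegid()`/`seteuid()` keeps getuid()/getgid() honest and can still be undone through the saved set-IDs even when the effective uid is not root; the `-1` folding has to go with that, since glibc rejects `seteuid((uid_t)-1)` with EINVAL, and a no-op `seteuid(ret->ruid)` when the two already match is legal anyway. The matching change in `_pam_krb5_restore_perms()` is the one line `if ((seteuid(saved->euid) == 0) && (setegid(saved->egid) == 0)) {`, keeping uid-before-gid on the way back as the hunk already does. Independently of that, neither function says why the gid is moved first on the way down and the uid first on the way back, which is the one ordering a future editor is likely to break; a comment such as `/* gid first: once the effective uid is unprivileged we may not be allowed to change it */` belongs on the first set*gid call. Both functions lie entirely inside the hunk.

```c
struct _pam_krb5_perms *
_pam_krb5_switch_perms(void)
{
	struct _pam_krb5_perms *ret;

	ret = malloc(sizeof(*ret));
	if (ret == NULL) {
		return NULL;
	}
	ret->ruid = getuid();
	ret->euid = geteuid();
	ret->rgid = getgid();
	ret->egid = getegid();
	/* Touch only the effective IDs: getuid()/getgid() keep reporting
	 * the caller, and the saved set-IDs still let us come back even
	 * when the effective uid is not root.  gid first: once the
	 * effective uid is unprivileged we may not be allowed to change it. */
	if (setegid(ret->rgid) == -1) {
		free(ret);
		return NULL;
	}
	if (seteuid(ret->ruid) == -1) {
		/* Best effort: put the gid back before reporting failure. */
		(void) setegid(ret->egid);
		free(ret);
		return NULL;
	}
	return ret;
}
/* … _pam_krb5_restore_perms(): seteuid(saved->euid) first, then setegid(saved->egid) … */
```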
* Copyright 2008 Red Hat, Inc.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, and the entire permission notice in its entirety,
++ * including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ * products derived from this software without specific prior
++ * written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of the
++ * GNU Lesser General Public License, in which case the provisions of the
++ * LGPL are required INSTEAD OF the above restrictions.
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
++ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
++ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
++ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#ifndef pam_krb5_perms_h
++#define pam_krb5_perms_h
++
++struct _pam_krb5_perms;
++struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
++int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);
++
++#endif
+Index: pam_krb5-2.3.1-1/src/v5.c
+===================================================================
+--- pam_krb5-2.3.1-1.orig/src/v5.c
++++ pam_krb5-2.3.1-1/src/v5.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2003,2004,2005,2006,2007,2008 Red Hat, Inc.
++ * Copyright 2003,2004,2005,2006,2007 Red Hat, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+@@ -66,6 +66,7 @@
+
+ #include "conv.h"
+ #include "log.h"
++#include "perms.h"
+ #include "prompter.h"
+ #include "stash.h"
+ #include "userinfo.h"
+@@ -833,6 +834,7 @@ v5_get_creds(krb5_context ctx,
+ const char *realm;
+ struct pam_message message;
+ struct _pam_krb5_prompter_data prompter_data;
++ struct _pam_krb5_perms *saved_perms;
+ krb5_principal service_principal;
+ krb5_creds tmpcreds;
+ krb5_ccache ccache;
+@@ -884,28 +886,46 @@ v5_get_creds(krb5_context ctx,
+ "from %s", krb5_cc_default_name(ctx));
+ }
+ memset(&ccache, 0, sizeof(ccache));
+- if (krb5_cc_default(ctx, &ccache) == 0) {
++ /* In case we're setuid/setgid, switch to the caller's
++ * permissions. */
++ saved_perms = _pam_krb5_switch_perms();
++ if ((saved_perms != NULL) &&
++ (krb5_cc_default(ctx, &ccache) == 0)) {
+ tmpcreds.client = userinfo->principal_name;
+ tmpcreds.server = service_principal;
+ i = krb5_cc_retrieve_cred(ctx, ccache, 0,
+ &tmpcreds, creds);
++ /* FIXME: check if the creds are expired?
++ * What's the right error code if we check, and
++ * they are?
*/
+ memset(&tmpcreds, 0, sizeof(tmpcreds));
+ krb5_cc_close(ctx, ccache);
+- switch (v5_validate(ctx, creds, options)) {
+- case 0:
+- /* we're fine */
+- break;
+- default:
+- /* something (anything) went wrong --
+- * discard them */
+- krb5_free_cred_contents(ctx, creds);
+- i = KRB5KRB_ERR_GENERIC;
+- break;
++ /* In case we're setuid/setgid, restore the
++ * previous permissions. */
++ if (saved_perms != NULL) {
++ if (_pam_krb5_restore_perms(saved_perms) != 0) {
++ krb5_free_cred_contents(ctx, creds);
++ memset(creds, 0, sizeof(*creds));
++ krb5_free_principal(ctx, service_principal);
++ return PAM_SYSTEM_ERR;
++ }
++ saved_perms = NULL;
+ }
+ } else {
+ warn("error opening default ccache");
+ i = KRB5_CC_NOTFOUND;
+ }
++ /* In case we're setuid/setgid, switch back to the
++ * previous permissions if we didn't already. */
++ if (saved_perms != NULL) {
++ if (_pam_krb5_restore_perms(saved_perms) != 0) {
++ krb5_free_cred_contents(ctx, creds);
++ memset(creds, 0, sizeof(*creds));
++ krb5_free_principal(ctx, service_principal);
++ return PAM_SYSTEM_ERR;
++ }
++ saved_perms = NULL;
++ }
+ krb5_free_principal(ctx, service_principal);
+ } else {
+ warn("error parsing TGT principal name (%s) "
diff --git a/pam_krb5.changes b/pam_krb5.changes
index 1dc13c6..48f10aa 100644
--- a/pam_krb5.changes
+++ b/pam_krb5.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Oct 6 16:34:48 CEST 2008 - mc@suse.de
+
+- fixing pam_krb5 existing_ticket permission flaw (CVE-2008-3825)
+ (bnc#425861)
+
 -------------------------------------------------------------------
 Thu Sep 4 10:21:53 CEST 2008 - mc@suse.de
diff --git a/pam_krb5.spec b/pam_krb5.spec
index 93d2966..3d679bc 100644
--- a/pam_krb5.spec
+++ b/pam_krb5.spec
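Review bot: The success branch of the existing-ticket path no longer validates what it pulled out of the cache — the removed `switch (v5_validate(ctx, creds, options))` used to discard credentials that failed, and nothing in the new lines replaces it beyond a FIXME about expiry, so a ticket from a caller-supplied ccache is now accepted as-is; together with the copyright line going from 2008 back to 2007 this looks like a patch generated against a base that lacks the earlier local changes rather than a deliberate removal, so please confirm. If `v5_validate()` needs the host keytab (as checking a TGT against a service key would), it has to run after `_pam_krb5_restore_perms()` has handed the privileges back, which is where the sketch below puts it. Two smaller points: the inner `if (saved_perms != NULL)` is always true inside a branch whose condition already required it, and when `_pam_krb5_switch_perms()` returns NULL the else branch reports `error opening default ccache`, which hides the actual cause — a separate `warn("error switching to the caller's permissions: %s", strerror(errno))` before attempting the open would be more honest. v5_get_creds() begins before and continues after this hunk.

```c
			/* … unchanged: krb5_cc_retrieve_cred, memset(&tmpcreds, …), krb5_cc_close … */
			/* In case we're setuid/setgid, restore the previous
			 * permissions before doing anything that needs them. */
			if (_pam_krb5_restore_perms(saved_perms) != 0) {
				/* … unchanged: free creds and principal, return PAM_SYSTEM_ERR … */
			}
			saved_perms = NULL;
			/* Validate with our own privileges back; discard anything
			 * we can't vouch for, as the pre-patch code did. */
			switch (v5_validate(ctx, creds, options)) {
			case 0:
				break;
			default:
				krb5_free_cred_contents(ctx, creds);
				memset(creds, 0, sizeof(*creds));
				i = KRB5KRB_ERR_GENERIC;
				break;
			}
```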
@@ -21,12 +21,12 @@ Name: pam_krb5
 BuildRequires: krb5-client krb5-devel krb5-server openssl-devel pam-devel
 %define PAM_RELEASE 1
-License: GPL v2 or later
+License: BSD 3-Clause; LGPL v2.0 or later
 Group: Productivity/Networking/Security
 Provides: pam_krb
 AutoReqProv: on
 Version: 2.3.1
-Release: 30
+Release: 37
 Summary: PAM Module for Kerberos Authentication
 Url: http://sourceforge.net/projects/pam-krb5/
 Source: pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2
@@ -37,6 +37,7 @@ Patch3: pam_krb5-2.3.1-log-choise.dif
 Patch4: pam_krb5-po-Makevars.dif
 Patch5: pam_krb5-LINGUAS.dif
 Patch6: pam_krb5-2.3.1-post.dif
+Patch7: bug-425861_pam_krb5-2.3.1-ccacheperms.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
@@ -59,6 +60,7 @@ Authors:
 %patch4 -p1
 %patch5
 %patch6
+%patch7 -p1
 %build
 %{suse_update_config -f}
@@ -93,6 +95,9 @@ rm -rf $RPM_BUILD_ROOT
 %attr(755,root,root) /usr/bin/afs5log
 %changelog
+* Mon Oct 06 2008 mc@suse.de
+- fixing pam_krb5 existing_ticket permission flaw (CVE-2008-3825)
+ (bnc#425861)
 * Thu Sep 04 2008 mc@suse.de
 - if the realm name given to us is NULL, don't bother consulting
 the appdefaults