OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam_krb5?expand=0&rev=21

bug-425861_pam_krb5-2.3.1-ccacheperms.patch

@@ -0,0 +1,253 @@
+Index: pam_krb5-2.3.1-1/src/Makefile.am
+===================================================================
+--- pam_krb5-2.3.1-1.orig/src/Makefile.am
++++ pam_krb5-2.3.1-1/src/Makefile.am
+@@ -37,6 +37,8 @@ libpam_krb5_la_SOURCES = \
+ 	kuserok.c \
+ 	kuserok.h \
+ 	minikafs.h \
++	perms.c \
++	perms.h \
+ 	prompter.c \
+ 	prompter.h \
+ 	shmem.c \
+@@ -112,6 +114,7 @@ harness_LDADD = \
+ 	map.lo \
+ 	initopts.lo \
+ 	options.lo \
++	perms.lo \
+ 	userinfo.lo \
+ 	sly.lo \
+ 	v4.lo \
+@@ -125,6 +128,7 @@ harness_newpag_LDADD = \
+ 	pam_newpag.lo \
+ 	logstdio.lo \
+ 	options.lo \
++	perms.lo \
+ 	v4.lo \
+ 	v5.lo
+ harness_newpag_LDADD += libpam_krb5.la @PAM_LIBS@ @KRB5_LIBS@ @KRB4_LIBS@ @KEYUTILS_LIBS@
+Index: pam_krb5-2.3.1-1/src/perms.c
+===================================================================
+--- /dev/null
++++ pam_krb5-2.3.1-1/src/perms.c
+@@ -0,0 +1,89 @@
++/*
++ * Copyright 2008 Red Hat, Inc.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, and the entire permission notice in its entirety,
++ *    including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ *    products derived from this software without specific prior
++ *    written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of the
++ * GNU Lesser General Public License, in which case the provisions of the
++ * LGPL are required INSTEAD OF the above restrictions.
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
++ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
++ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
++ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "../config.h"
++
++#include <sys/types.h>
++#include <stdlib.h>
++#include <unistd.h>
++#include "perms.h"
++
++struct _pam_krb5_perms {
++	uid_t ruid, euid;
++	gid_t rgid, egid;
++};
++
++struct _pam_krb5_perms *
++_pam_krb5_switch_perms(void)
++{
++	struct _pam_krb5_perms *ret;
++	ret = malloc(sizeof(*ret));
++	if (ret != NULL) {
++		ret->ruid = getuid();
++		ret->euid = geteuid();
++		ret->rgid = getgid();
++		ret->egid = getegid();
++		if (ret->ruid == ret->euid) {
++			ret->ruid = -1;
++			ret->euid = -1;
++		}
++		if (ret->rgid == ret->egid) {
++			ret->rgid = -1;
++			ret->egid = -1;
++		}
++		if (setregid(ret->egid, ret->rgid) == -1) {
++			free(ret);
++			ret = NULL;
++		} else {
++			if (setreuid(ret->euid, ret->ruid) == -1) {
++				setregid(ret->rgid, ret->egid);
++				free(ret);
++				ret = NULL;
++			}
++		}
++	}
++	return ret;
++}
++
++int
++_pam_krb5_restore_perms(struct _pam_krb5_perms *saved)
++{
++	int ret = -1;
++	if (saved != NULL) {
++		if ((setreuid(saved->ruid, saved->euid) == 0) &&
++		    (setregid(saved->rgid, saved->egid) == 0)) {
++			ret = 0;
++		}
++		free(saved);
++	}
++	return ret;
++}
+Index: pam_krb5-2.3.1-1/src/perms.h
+===================================================================
+--- /dev/null
++++ pam_krb5-2.3.1-1/src/perms.h
+@@ -0,0 +1,40 @@
++/*
++ * Copyright 2008 Red Hat, Inc.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, and the entire permission notice in its entirety,
++ *    including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ *    products derived from this software without specific prior
++ *    written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of the
++ * GNU Lesser General Public License, in which case the provisions of the
++ * LGPL are required INSTEAD OF the above restrictions.
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
++ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
++ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
++ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#ifndef pam_krb5_perms_h
++#define pam_krb5_perms_h
++
++struct _pam_krb5_perms;
++struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
++int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);
++
++#endif
+Index: pam_krb5-2.3.1-1/src/v5.c
+===================================================================
+--- pam_krb5-2.3.1-1.orig/src/v5.c
++++ pam_krb5-2.3.1-1/src/v5.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2003,2004,2005,2006,2007,2008 Red Hat, Inc.
++ * Copyright 2003,2004,2005,2006,2007 Red Hat, Inc.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
+@@ -66,6 +66,7 @@
+ 
+ #include "conv.h"
+ #include "log.h"
++#include "perms.h"
+ #include "prompter.h"
+ #include "stash.h"
+ #include "userinfo.h"
+@@ -833,6 +834,7 @@ v5_get_creds(krb5_context ctx,
+ 	const char *realm;
+ 	struct pam_message message;
+ 	struct _pam_krb5_prompter_data prompter_data;
++	struct _pam_krb5_perms *saved_perms;
+ 	krb5_principal service_principal;
+ 	krb5_creds tmpcreds;
+ 	krb5_ccache ccache;
+@@ -884,28 +886,46 @@ v5_get_creds(krb5_context ctx,
+ 				      "from %s", krb5_cc_default_name(ctx));
+ 			}
+ 			memset(&ccache, 0, sizeof(ccache));
+-			if (krb5_cc_default(ctx, &ccache) == 0) {
++			/* In case we're setuid/setgid, switch to the caller's
++			 * permissions. */
++			saved_perms = _pam_krb5_switch_perms();
++			if ((saved_perms != NULL) &&
++				(krb5_cc_default(ctx, &ccache) == 0)) {
+ 				tmpcreds.client = userinfo->principal_name;
+ 				tmpcreds.server = service_principal;
+ 				i = krb5_cc_retrieve_cred(ctx, ccache, 0,
+ 							  &tmpcreds, creds);
++				/* FIXME: check if the creds are expired?
++				 * What's the right error code if we check, and
++				 * they are? */
+ 				memset(&tmpcreds, 0, sizeof(tmpcreds));
+ 				krb5_cc_close(ctx, ccache);
+-				switch (v5_validate(ctx, creds, options)) {
+-				case 0:
+-				       /* we're fine */
+-				       break;
+-				default:
+-				       /* something (anything) went wrong --
+-				        * discard them */
+-				       krb5_free_cred_contents(ctx, creds);
+-				       i = KRB5KRB_ERR_GENERIC;
+-				       break;
++				/* In case we're setuid/setgid, restore the
++				 * previous permissions. */
++				if (saved_perms != NULL) {
++					if (_pam_krb5_restore_perms(saved_perms) != 0) {
++						krb5_free_cred_contents(ctx, creds);
++						memset(creds, 0, sizeof(*creds));
++						krb5_free_principal(ctx, service_principal);
++						return PAM_SYSTEM_ERR;
++					}
++					saved_perms = NULL;
+ 				}
+ 			} else {
+ 				warn("error opening default ccache");
+ 				i = KRB5_CC_NOTFOUND;
+ 			}
++			/* In case we're setuid/setgid, switch back to the
++			 * previous permissions if we didn't already. */
++			if (saved_perms != NULL) {
++				if (_pam_krb5_restore_perms(saved_perms) != 0) {
++					krb5_free_cred_contents(ctx, creds);
++					memset(creds, 0, sizeof(*creds));
++					krb5_free_principal(ctx, service_principal);
++					return PAM_SYSTEM_ERR;
++				}
++				saved_perms = NULL;
++			}
+ 			krb5_free_principal(ctx, service_principal);
+ 		} else {
+ 			warn("error parsing TGT principal name (%s) "

pam_krb5.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Oct  6 16:34:48 CEST 2008 - mc@suse.de
+
+- fixing pam_krb5 existing_ticket permission flaw (CVE-2008-3825)
+  (bnc#425861)
+
 -------------------------------------------------------------------
 Thu Sep  4 10:21:53 CEST 2008 - mc@suse.de
 

pam_krb5.spec

@@ -21,12 +21,12 @@
 Name:           pam_krb5
 BuildRequires:  krb5-client krb5-devel krb5-server openssl-devel pam-devel
 %define       PAM_RELEASE 1
-License:        GPL v2 or later
+License:        BSD 3-Clause; LGPL v2.0 or later
 Group:          Productivity/Networking/Security
 Provides:       pam_krb
 AutoReqProv:    on
 Version:        2.3.1
-Release:        30
+Release:        37
 Summary:        PAM Module for Kerberos Authentication
 Url:            http://sourceforge.net/projects/pam-krb5/
 Source:         pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2
@@ -37,6 +37,7 @@ Patch3:         pam_krb5-2.3.1-log-choise.dif
 Patch4:         pam_krb5-po-Makevars.dif
 Patch5:         pam_krb5-LINGUAS.dif
 Patch6:         pam_krb5-2.3.1-post.dif
+Patch7:         bug-425861_pam_krb5-2.3.1-ccacheperms.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -59,6 +60,7 @@ Authors:
 %patch4 -p1
 %patch5
 %patch6
+%patch7 -p1
 
 %build
 %{suse_update_config -f}
@@ -93,6 +95,9 @@ rm -rf $RPM_BUILD_ROOT
 %attr(755,root,root) /usr/bin/afs5log
 
 %changelog
+* Mon Oct 06 2008 mc@suse.de
+- fixing pam_krb5 existing_ticket permission flaw (CVE-2008-3825)
+  (bnc#425861)
 * Thu Sep 04 2008 mc@suse.de
 - if the realm name given to us is NULL, don't bother consulting
   the appdefaults