This commit is contained in:
OBS User unknown
Git OBS Bridge
parent
6cfd0dc01d
commit
3cf16e937d
253
bug-425861_pam_krb5-2.3.1-ccacheperms.patch
Normal file
253
bug-425861_pam_krb5-2.3.1-ccacheperms.patch
Normal file
@ -0,0 +1,253 @@
|
||||
Index: pam_krb5-2.3.1-1/src/Makefile.am
|
||||
===================================================================
|
||||
--- pam_krb5-2.3.1-1.orig/src/Makefile.am
|
||||
+++ pam_krb5-2.3.1-1/src/Makefile.am
|
||||
@@ -37,6 +37,8 @@ libpam_krb5_la_SOURCES = \
|
||||
kuserok.c \
|
||||
kuserok.h \
|
||||
minikafs.h \
|
||||
+ perms.c \
|
||||
+ perms.h \
|
||||
prompter.c \
|
||||
prompter.h \
|
||||
shmem.c \
|
||||
@@ -112,6 +114,7 @@ harness_LDADD = \
|
||||
map.lo \
|
||||
initopts.lo \
|
||||
options.lo \
|
||||
+ perms.lo \
|
||||
userinfo.lo \
|
||||
sly.lo \
|
||||
v4.lo \
|
||||
@@ -125,6 +128,7 @@ harness_newpag_LDADD = \
|
||||
pam_newpag.lo \
|
||||
logstdio.lo \
|
||||
options.lo \
|
||||
+ perms.lo \
|
||||
v4.lo \
|
||||
v5.lo
|
||||
harness_newpag_LDADD += libpam_krb5.la @PAM_LIBS@ @KRB5_LIBS@ @KRB4_LIBS@ @KEYUTILS_LIBS@
|
||||
Index: pam_krb5-2.3.1-1/src/perms.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ pam_krb5-2.3.1-1/src/perms.c
|
||||
@@ -0,0 +1,89 @@
|
||||
+/*
|
||||
+ * Copyright 2008 Red Hat, Inc.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of the
|
||||
+ * GNU Lesser General Public License, in which case the provisions of the
|
||||
+ * LGPL are required INSTEAD OF the above restrictions.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
|
||||
+ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
|
||||
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
|
||||
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#include "../config.h"
|
||||
+
|
||||
+#include <sys/types.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <unistd.h>
|
||||
+#include "perms.h"
|
||||
+
|
||||
+struct _pam_krb5_perms {
|
||||
+ uid_t ruid, euid;
|
||||
+ gid_t rgid, egid;
|
||||
+};
|
||||
+
|
||||
+struct _pam_krb5_perms *
|
||||
+_pam_krb5_switch_perms(void)
|
||||
+{
|
||||
+ struct _pam_krb5_perms *ret;
|
||||
+ ret = malloc(sizeof(*ret));
|
||||
+ if (ret != NULL) {
|
||||
+ ret->ruid = getuid();
|
||||
+ ret->euid = geteuid();
|
||||
+ ret->rgid = getgid();
|
||||
+ ret->egid = getegid();
|
||||
+ if (ret->ruid == ret->euid) {
|
||||
+ ret->ruid = -1;
|
||||
+ ret->euid = -1;
|
||||
+ }
|
||||
+ if (ret->rgid == ret->egid) {
|
||||
+ ret->rgid = -1;
|
||||
+ ret->egid = -1;
|
||||
+ }
|
||||
+ if (setregid(ret->egid, ret->rgid) == -1) {
|
||||
+ free(ret);
|
||||
+ ret = NULL;
|
||||
+ } else {
|
||||
+ if (setreuid(ret->euid, ret->ruid) == -1) {
|
||||
+ setregid(ret->rgid, ret->egid);
|
||||
+ free(ret);
|
||||
+ ret = NULL;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+_pam_krb5_restore_perms(struct _pam_krb5_perms *saved)
|
||||
+{
|
||||
+ int ret = -1;
|
||||
+ if (saved != NULL) {
|
||||
+ if ((setreuid(saved->ruid, saved->euid) == 0) &&
|
||||
+ (setregid(saved->rgid, saved->egid) == 0)) {
|
||||
+ ret = 0;
|
||||
+ }
|
||||
+ free(saved);
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
Index: pam_krb5-2.3.1-1/src/perms.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ pam_krb5-2.3.1-1/src/perms.h
|
||||
@@ -0,0 +1,40 @@
|
||||
+/*
|
||||
+ * Copyright 2008 Red Hat, Inc.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of the
|
||||
+ * GNU Lesser General Public License, in which case the provisions of the
|
||||
+ * LGPL are required INSTEAD OF the above restrictions.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
|
||||
+ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
|
||||
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
|
||||
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#ifndef pam_krb5_perms_h
|
||||
+#define pam_krb5_perms_h
|
||||
+
|
||||
+struct _pam_krb5_perms;
|
||||
+struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
|
||||
+int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);
|
||||
+
|
||||
+#endif
|
||||
Index: pam_krb5-2.3.1-1/src/v5.c
|
||||
===================================================================
|
||||
--- pam_krb5-2.3.1-1.orig/src/v5.c
|
||||
+++ pam_krb5-2.3.1-1/src/v5.c
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright 2003,2004,2005,2006,2007,2008 Red Hat, Inc.
|
||||
+ * Copyright 2003,2004,2005,2006,2007 Red Hat, Inc.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -66,6 +66,7 @@
|
||||
|
||||
#include "conv.h"
|
||||
#include "log.h"
|
||||
+#include "perms.h"
|
||||
#include "prompter.h"
|
||||
#include "stash.h"
|
||||
#include "userinfo.h"
|
||||
@@ -833,6 +834,7 @@ v5_get_creds(krb5_context ctx,
|
||||
const char *realm;
|
||||
struct pam_message message;
|
||||
struct _pam_krb5_prompter_data prompter_data;
|
||||
+ struct _pam_krb5_perms *saved_perms;
|
||||
krb5_principal service_principal;
|
||||
krb5_creds tmpcreds;
|
||||
krb5_ccache ccache;
|
||||
@@ -884,28 +886,46 @@ v5_get_creds(krb5_context ctx,
|
||||
"from %s", krb5_cc_default_name(ctx));
|
||||
}
|
||||
memset(&ccache, 0, sizeof(ccache));
|
||||
- if (krb5_cc_default(ctx, &ccache) == 0) {
|
||||
+ /* In case we're setuid/setgid, switch to the caller's
|
||||
+ * permissions. */
|
||||
+ saved_perms = _pam_krb5_switch_perms();
|
||||
+ if ((saved_perms != NULL) &&
|
||||
+ (krb5_cc_default(ctx, &ccache) == 0)) {
|
||||
tmpcreds.client = userinfo->principal_name;
|
||||
tmpcreds.server = service_principal;
|
||||
i = krb5_cc_retrieve_cred(ctx, ccache, 0,
|
||||
&tmpcreds, creds);
|
||||
+ /* FIXME: check if the creds are expired?
|
||||
+ * What's the right error code if we check, and
|
||||
+ * they are? */
|
||||
memset(&tmpcreds, 0, sizeof(tmpcreds));
|
||||
krb5_cc_close(ctx, ccache);
|
||||
- switch (v5_validate(ctx, creds, options)) {
|
||||
- case 0:
|
||||
- /* we're fine */
|
||||
- break;
|
||||
- default:
|
||||
- /* something (anything) went wrong --
|
||||
- * discard them */
|
||||
- krb5_free_cred_contents(ctx, creds);
|
||||
- i = KRB5KRB_ERR_GENERIC;
|
||||
- break;
|
||||
+ /* In case we're setuid/setgid, restore the
|
||||
+ * previous permissions. */
|
||||
+ if (saved_perms != NULL) {
|
||||
+ if (_pam_krb5_restore_perms(saved_perms) != 0) {
|
||||
+ krb5_free_cred_contents(ctx, creds);
|
||||
+ memset(creds, 0, sizeof(*creds));
|
||||
+ krb5_free_principal(ctx, service_principal);
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+ saved_perms = NULL;
|
||||
}
|
||||
} else {
|
||||
warn("error opening default ccache");
|
||||
i = KRB5_CC_NOTFOUND;
|
||||
}
|
||||
+ /* In case we're setuid/setgid, switch back to the
|
||||
+ * previous permissions if we didn't already. */
|
||||
+ if (saved_perms != NULL) {
|
||||
+ if (_pam_krb5_restore_perms(saved_perms) != 0) {
|
||||
+ krb5_free_cred_contents(ctx, creds);
|
||||
+ memset(creds, 0, sizeof(*creds));
|
||||
+ krb5_free_principal(ctx, service_principal);
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+ saved_perms = NULL;
|
||||
+ }
|
||||
krb5_free_principal(ctx, service_principal);
|
||||
} else {
|
||||
warn("error parsing TGT principal name (%s) "
|
||||
@ -1,3 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 6 16:34:48 CEST 2008 - mc@suse.de
|
||||
|
||||
- fixing pam_krb5 existing_ticket permission flaw (CVE-2008-3825)
|
||||
(bnc#425861)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 4 10:21:53 CEST 2008 - mc@suse.de
|
||||
|
||||
|
||||
@ -21,12 +21,12 @@
|
||||
Name: pam_krb5
|
||||
BuildRequires: krb5-client krb5-devel krb5-server openssl-devel pam-devel
|
||||
%define PAM_RELEASE 1
|
||||
License: GPL v2 or later
|
||||
License: BSD 3-Clause; LGPL v2.0 or later
|
||||
Group: Productivity/Networking/Security
|
||||
Provides: pam_krb
|
||||
AutoReqProv: on
|
||||
Version: 2.3.1
|
||||
Release: 30
|
||||
Release: 37
|
||||
Summary: PAM Module for Kerberos Authentication
|
||||
Url: http://sourceforge.net/projects/pam-krb5/
|
||||
Source: pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2
|
||||
@ -37,6 +37,7 @@ Patch3: pam_krb5-2.3.1-log-choise.dif
|
||||
Patch4: pam_krb5-po-Makevars.dif
|
||||
Patch5: pam_krb5-LINGUAS.dif
|
||||
Patch6: pam_krb5-2.3.1-post.dif
|
||||
Patch7: bug-425861_pam_krb5-2.3.1-ccacheperms.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
|
||||
%description
|
||||
@ -59,6 +60,7 @@ Authors:
|
||||
%patch4 -p1
|
||||
%patch5
|
||||
%patch6
|
||||
%patch7 -p1
|
||||
|
||||
%build
|
||||
%{suse_update_config -f}
|
||||
@ -93,6 +95,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%attr(755,root,root) /usr/bin/afs5log
|
||||
|
||||
%changelog
|
||||
* Mon Oct 06 2008 mc@suse.de
|
||||
- fixing pam_krb5 existing_ticket permission flaw (CVE-2008-3825)
|
||||
(bnc#425861)
|
||||
* Thu Sep 04 2008 mc@suse.de
|
||||
- if the realm name given to us is NULL, don't bother consulting
|
||||
the appdefaults
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user