- Fix kpropd denial of service

(MITKRB5-SA-2011-001, bnc#662665) CVE-2010-4022 - Fix KDC denial of service attacks with LDAP back end (MITKRB5-SA-2011-002, bnc#663619) CVE-2011-0281, CVE-2011-0282 - Fix kpropd denial of service (MITKRB5-SA-2011-001, bnc#662665) CVE-2010-4022 - Fix KDC denial of service attacks with LDAP back end (MITKRB5-SA-2011-002, bnc#663619) CVE-2011-0281, CVE-2011-0282 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=39
2011-02-09 09:12:27 +00:00 · 2011-02-09 09:12:27 +00:00 · 1e4178c989
commit 1e4178c989
parent daa4016226
6 changed files with 161 additions and 1 deletions
--- a/krb5-1.8-MITKRB5-SA-2011-001.dif
+++ b/krb5-1.8-MITKRB5-SA-2011-001.dif
@ -0,0 +1,20 @@
+Index: krb5-1.8.1/src/slave/kpropd.c
+===================================================================
+--- krb5-1.8.1.orig/src/slave/kpropd.c
+++ krb5-1.8.1/src/slave/kpropd.c
+@@ -404,11 +404,12 @@ retry:
+             }
+ 
+             close(s);
+-            if (iproprole == IPROP_SLAVE)
+            if (iproprole == IPROP_SLAVE) {
+                 close(finet);
+ 
+-            if ((ret = WEXITSTATUS(status)) != 0)
+-                return (ret);
+                if ((ret = WEXITSTATUS(status)) != 0)
+                    return (ret);
+            }
+         }
+         if (iproprole == IPROP_SLAVE)
+             break;
--- a/krb5-1.8-MITKRB5-SA-2011-002.dif
+++ b/krb5-1.8-MITKRB5-SA-2011-002.dif
@ -0,0 +1,112 @@
+Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+===================================================================
+--- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c.orig
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -103,10 +103,10 @@ krb5_ldap_get_principal(krb5_context con
+                         unsigned int flags, krb5_db_entry *entries,
+                         int *nentries, krb5_boolean *more)
+ {
+-    char                        *user=NULL, *filter=NULL, **subtree=NULL;
+    char                        *user=NULL, *filter=NULL, *filtuser=NULL;
+     unsigned int                tree=0, ntrees=1, princlen=0;
+     krb5_error_code             tempst=0, st=0;
+-    char                        **values=NULL, *cname=NULL;
+    char                        **values=NULL, **subtree=NULL, *cname=NULL;
+     LDAP                        *ld=NULL;
+     LDAPMessage                 *result=NULL, *ent=NULL;
+     krb5_ldap_context           *ldap_context=NULL;
+@@ -142,12 +142,18 @@ krb5_ldap_get_principal(krb5_context con
+     if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
+         goto cleanup;
+ 
+-    princlen = strlen(FILTER) + strlen(user) + 2 + 1;      /* 2 for closing brackets */
+    filtuser = ldap_filter_correct(user);
+    if (filtuser == NULL) {
+        st = ENOMEM;
+        goto cleanup;
+    }
+
+    princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1;  /* 2 for closing brackets */
+     if ((filter = malloc(princlen)) == NULL) {
+         st = ENOMEM;
+         goto cleanup;
+     }
+-    snprintf(filter, princlen, FILTER"%s))", user);
+    snprintf(filter, princlen, FILTER"%s))", filtuser);
+ 
+     if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
+         goto cleanup;
+@@ -231,6 +237,9 @@ cleanup:
+     if (user)
+         free(user);
+ 
+    if (filtuser)
+        free(filtuser);
+
+     if (cname)
+         free(cname);
+ 
+Index: src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+===================================================================
+--- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h.orig
+++ src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_contex
+ #define LDAP_SEARCH(base, scope, filter, attrs)   LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
+ 
+ #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check)         \
+-    do {                                                                \
+-        st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
+-        if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
+-            tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
+-            if (ldap_server_handle)                                     \
+-                ld = ldap_server_handle->ldap_handle;                   \
+-        }                                                               \
+-    }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
+    tempst = 0;                                                         \
+    st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL,     \
+                           NULL, &timelimit, LDAP_NO_LIMIT, &result);   \
+    if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
+        tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle);   \
+        if (ldap_server_handle)                                         \
+            ld = ldap_server_handle->ldap_handle;                       \
+        if (tempst == 0)                                                \
+            st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0,   \
+                                   NULL, NULL, &timelimit,              \
+                                   LDAP_NO_LIMIT, &result);             \
+    }                                                                   \
+                                                                         \
+     if (status_check != IGNORE_STATUS) {                                \
+         if (tempst != 0) {                                              \
+Index: src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+===================================================================
+--- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c.orig
+++ src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap
+ {
+     krb5_ldap_server_handle     *handle = *ldap_server_handle;
+ 
+    ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
+     if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
+         || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
+         return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
+Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+===================================================================
+--- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.orig
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+@@ -446,12 +446,11 @@ is_principal_in_realm(krb5_ldap_context
+      * portion, then the first portion of the principal name SHOULD be
+      * "krbtgt".  All this check is done in the immediate block.
+      */
+-    if (searchfor->length == 2)
+-        if ((strncasecmp(searchfor->data[0].data, "krbtgt",
+-                         FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
+-            (strncasecmp(searchfor->data[1].data, defrealm,
+-                         FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
+    if (searchfor->length == 2) {
+        if (data_eq_string(searchfor->data[0], "krbtgt") &&
+            data_eq_string(searchfor->data[1], defrealm))
+             return 0;
+    }
+ 
+     /* first check the length, if they are not equal, then they are not same */
+     if (strlen(defrealm) != searchfor->realm.length)
--- a/krb5-mini.changes
+++ b/krb5-mini.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Jan 19 14:42:27 CET 2011 - mc@suse.de
+
+- Fix kpropd denial of service
+  (MITKRB5-SA-2011-001, bnc#662665)
+  CVE-2010-4022
+- Fix KDC denial of service attacks with LDAP back end
+  (MITKRB5-SA-2011-002, bnc#663619)
+  CVE-2011-0281, CVE-2011-0282 
+
 -------------------------------------------------------------------
 Wed Dec  1 11:44:15 CET 2010 - mc@suse.de

--- a/krb5-mini.spec
+++ b/krb5-mini.spec
@ -1,5 +1,5 @@
 #
-# spec file for package krb5-mini (Version 1.8.3)
+# spec file for package krb5 (Version 1.8.3)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@ -57,6 +57,8 @@ Patch7:         krb5-1.6.3-ktutil-manpage.dif
 Patch8:         krb5-1.6.3-fix-ipv6-query.dif
 Patch12:        krb5-1.8-MITKRB5-SA-2010-006.dif
 Patch13:        MITKRB5-SA-2010-007-1.8.dif
+Patch14:        krb5-1.8-MITKRB5-SA-2011-001.dif
+Patch15:        krb5-1.8-MITKRB5-SA-2011-002.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %insserv_prereq %fillup_prereq 
@ -206,6 +208,8 @@ Authors:
 %patch8 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
+%patch15 -p0
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do
--- a/krb5.changes
+++ b/krb5.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Jan 19 14:42:27 CET 2011 - mc@suse.de
+
+- Fix kpropd denial of service
+  (MITKRB5-SA-2011-001, bnc#662665)
+  CVE-2010-4022
+- Fix KDC denial of service attacks with LDAP back end
+  (MITKRB5-SA-2011-002, bnc#663619)
+  CVE-2011-0281, CVE-2011-0282 
+
 -------------------------------------------------------------------
 Wed Dec  1 11:44:15 CET 2010 - mc@suse.de

--- a/krb5.spec
+++ b/krb5.spec
@ -57,6 +57,8 @@ Patch7:         krb5-1.6.3-ktutil-manpage.dif
 Patch8:         krb5-1.6.3-fix-ipv6-query.dif
 Patch12:        krb5-1.8-MITKRB5-SA-2010-006.dif
 Patch13:        MITKRB5-SA-2010-007-1.8.dif
+Patch14:        krb5-1.8-MITKRB5-SA-2011-001.dif
+Patch15:        krb5-1.8-MITKRB5-SA-2011-002.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %insserv_prereq %fillup_prereq 
@ -206,6 +208,8 @@ Authors:
 %patch8 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
+%patch15 -p0
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do