From 28dc0dd05689ad57b31db9b315e720e40d1cca57940c3399e6b7825df6b54a99 Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Wed, 24 Mar 2010 09:00:53 +0000 Subject: [PATCH] Accepting request 35618 from home:mcalmer:branches:network Copy from home:mcalmer:branches:network/krb5 via accept of submit request 35618 revision 2. Request was accepted with message: OBS-URL: https://build.opensuse.org/request/show/35618 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=14 --- krb5-1.7-MITKRB5-SA-2010-002.dif | 71 ++++++++++++++++++++++++++++++++ krb5-1.8-POST.dif | 4 +- krb5-mini.changes | 8 ++++ krb5-mini.spec | 2 + krb5.changes | 8 ++++ krb5.spec | 2 + 6 files changed, 93 insertions(+), 2 deletions(-) create mode 100644 krb5-1.7-MITKRB5-SA-2010-002.dif diff --git a/krb5-1.7-MITKRB5-SA-2010-002.dif b/krb5-1.7-MITKRB5-SA-2010-002.dif new file mode 100644 index 0000000..79c4e81 --- /dev/null +++ b/krb5-1.7-MITKRB5-SA-2010-002.dif 
@@ -0,0 +1,71 @@
+Index: src/lib/gssapi/spnego/spnego_mech.c
+===================================================================
+--- src/lib/gssapi/spnego/spnego_mech.c.orig
++++ src/lib/gssapi/spnego/spnego_mech.c
+@@ -1576,7 +1576,7 @@ spnego_gss_accept_sec_context(
+ spnego_gss_ctx_id_t sc = NULL;
+ spnego_gss_cred_id_t spcred = NULL;
+ OM_uint32 mechstat = GSS_S_FAILURE;
+- int sendTokenInit = 0;
++ int sendTokenInit = 0, tmpret;
+
+ mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER;
+
+@@ -1609,7 +1609,6 @@ spnego_gss_accept_sec_context(
+ if (delegated_cred_handle != NULL)
+ *delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+ if (input_token->length == 0) {
+- sendTokenInit = 1;
+ ret = acc_ctx_hints(minor_status,
+ context_handle, spcred,
+ &mic_out,
+@@ -1617,6 +1616,7 @@ spnego_gss_accept_sec_context(
+ &return_token);
+ if (ret != GSS_S_COMPLETE)
+ goto cleanup;
++ sendTokenInit = 1;
+ ret = GSS_S_CONTINUE_NEEDED;
+ } else {
+ /* Can set negState to REQUEST_MIC */
+@@ -1664,27 +1664,21 @@ spnego_gss_accept_sec_context(
+ &negState, &return_token);
+ }
+ cleanup:
+- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
+- /* For acceptor-sends-first send a tokenInit */
+- int tmpret;
+-
++ if (return_token == INIT_TOKEN_SEND && sendTokenInit) {
+ assert(sc != NULL);
+-
+- if (sendTokenInit) {
+- tmpret = make_spnego_tokenInit_msg(sc,
+- 1,
+- mic_out,
+- 0,
+- GSS_C_NO_BUFFER,
+- return_token,
+- output_token);
+- } else {
+- tmpret = make_spnego_tokenTarg_msg(negState,
+- sc ? sc->internal_mech : GSS_C_NO_OID,
+- &mechtok_out, mic_out,
+- return_token,
+- output_token);
+- }
++ tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0,
++ GSS_C_NO_BUFFER,
++ return_token, output_token);
++ if (tmpret < 0)
++ ret = GSS_S_FAILURE;
++ } else if (return_token != NO_TOKEN_SEND &&
++ return_token != CHECK_MIC) {
++ tmpret = make_spnego_tokenTarg_msg(negState,
++ sc ? 
sc->internal_mech : ++ GSS_C_NO_OID, ++ &mechtok_out, mic_out, ++ return_token, ++ output_token); + if (tmpret < 0) + ret = GSS_S_FAILURE; + } diff --git a/krb5-1.8-POST.dif b/krb5-1.8-POST.dif index 0db3bf7..14ccdf3 100644 --- a/krb5-1.8-POST.dif +++ b/krb5-1.8-POST.dif @@ -179,7 +179,7 @@ Index: src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- src/lib/gssapi/spnego/spnego_mech.c.orig +++ src/lib/gssapi/spnego/spnego_mech.c -@@ -1693,6 +1693,7 @@ cleanup: +@@ -1687,6 +1687,7 @@ cleanup: if (sc->internal_name != GSS_C_NO_NAME && src_name != NULL) { *src_name = sc->internal_name; @@ -187,7 +187,7 @@ Index: src/lib/gssapi/spnego/spnego_mech.c } release_spnego_ctx(&sc); } else if (ret != GSS_S_CONTINUE_NEEDED) { -@@ -2578,6 +2579,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t * +@@ -2572,6 +2573,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t * (void) generic_gss_release_oid(&minor_stat, &context->internal_mech); diff --git a/krb5-mini.changes b/krb5-mini.changes index bf323bc..c00c208 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Mar 23 14:32:41 CET 2010 - mc@suse.de + +- fix a bug where an unauthenticated remote attacker could cause + a GSS-API application including the Kerberos administration + daemon (kadmind) to crash. + CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) + ------------------------------------------------------------------- Tue Mar 23 12:33:26 CET 2010 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index b4867f2..771f35f 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec 
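Review bot: The `assert(sc != NULL);` kept in the rewritten cleanup block (inner hunk `@@ -1664,27 +1664,21 @@`) is still the only guard on `sc` before `make_spnego_tokenInit_msg(sc, ...)`, in a function that processes tokens from an unauthenticated peer. The patch keeps the assert from firing on the failure path by setting `sendTokenInit = 1` only after `acc_ctx_hints` returns `GSS_S_COMPLETE`, but that relies on acc_ctx_hints always leaving a usable context on success, which is not visible here; a build with NDEBUG would hand a NULL `sc` to the token builder, and a build without it would abort the process if the invariant ever breaks. I would replace the assert with a runtime check, `if (sc == NULL) ret = GSS_S_FAILURE;` with the token build in the `else`, and add a comment on the moved assignment such as `/* set only after acc_ctx_hints succeeded, so cleanup never builds a tokenInit without a context */`. spnego_gss_accept_sec_context starts and ends outside the hunk, so where `sc` is assigned cannot be confirmed from this patch.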
@@ -55,6 +55,7 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif +Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils @@ -203,6 +204,7 @@ Authors: %patch41 %patch44 -p1 %patch46 -p1 +%patch47 %patch50 # Rename the man pages so that they'll get generated correctly. pushd src diff --git a/krb5.changes b/krb5.changes index bf323bc..c00c208 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Mar 23 14:32:41 CET 2010 - mc@suse.de + +- fix a bug where an unauthenticated remote attacker could cause + a GSS-API application including the Kerberos administration + daemon (kadmind) to crash. + CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) + ------------------------------------------------------------------- Tue Mar 23 12:33:26 CET 2010 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index 68c13d9..1f59bb2 100644 --- a/krb5.spec +++ b/krb5.spec @@ -55,6 +55,7 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif +Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils @@ -203,6 +204,7 @@ Authors: %patch41 %patch44 -p1 %patch46 -p1 +%patch47 %patch50 # Rename the man pages so that they'll get generated correctly. pushd src