From 2b46d13d4117d5eb70e5742cfe588863ed96e1095c5913fee356048537238a30 Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Wed, 4 Jul 2007 23:08:36 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=20
---
 krb5-1.6.1-post.dif | 347 +++++++++++++++++++++++++++++++++++++++++--
 krb5-doc.spec | 2 +-
 krb5-plugins.changes | 13 ++
 krb5-plugins.spec | 12 +-
 krb5.changes | 13 ++
 krb5.spec | 12 +-
 6 files changed, 386 insertions(+), 13 deletions(-)
diff --git a/krb5-1.6.1-post.dif b/krb5-1.6.1-post.dif
index 30f3697..245d56c 100644
--- a/krb5-1.6.1-post.dif
+++ b/krb5-1.6.1-post.dif
@@ -1,7 +1,7 @@
 Index: src/include/k5-int.h
 ===================================================================
---- src/include/k5-int.h (.../tags/krb5-1-6-1-final) (Revision 19540)
-+++ src/include/k5-int.h (.../branches/krb5-1-6) (Revision 19540)
+--- src/include/k5-int.h (.../tags/krb5-1-6-1-final) (Revision 19657)
++++ src/include/k5-int.h (.../branches/krb5-1-6) (Revision 19657)
 @@ -1048,9 +1048,9 @@
 #define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000
@@ -16,8 +16,8 @@ Index: src/include/k5-int.h
 typedef struct _krb5_gic_opt_private {
 Index: src/appl/gssftp/ftp/cmds.c
 ===================================================================
---- src/appl/gssftp/ftp/cmds.c (.../tags/krb5-1-6-1-final) (Revision 19540)
-+++ src/appl/gssftp/ftp/cmds.c (.../branches/krb5-1-6) (Revision 19540)
+--- src/appl/gssftp/ftp/cmds.c (.../tags/krb5-1-6-1-final) (Revision 19657)
++++ src/appl/gssftp/ftp/cmds.c (.../branches/krb5-1-6) (Revision 19657)
 @@ -168,9 +168,7 @@
 }
 port = htons(iport);
@@ -65,10 +65,337 @@ Index: src/appl/gssftp/ftp/cmds.c
 overbose = verbose;
 if (debug == 0)
 verbose = -1;
+Index: src/kadmin/server/server_stubs.c
+===================================================================
+--- src/kadmin/server/server_stubs.c (.../tags/krb5-1-6-1-final) (Revision 19657)
++++ src/kadmin/server/server_stubs.c (.../branches/krb5-1-6) (Revision 19657)
+@@ -545,13 +545,14 @@
+ static generic_ret ret;
+ char *prime_arg1,
+ *prime_arg2;
+- char prime_arg[BUFSIZ];
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+ char *errmsg;
++ size_t tlen1, tlen2, clen, slen;
++ char *tdots1, *tdots2, *cdots, *sdots;
+ 
+ xdr_free(xdr_generic_ret, &ret);
+ 
+@@ -572,7 +573,14 @@
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
+ }
+- sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
++ tlen1 = strlen(prime_arg1);
++ trunc_name(&tlen1, &tdots1);
++ tlen2 = strlen(prime_arg2);
++ trunc_name(&tlen2, &tdots2);
++ clen = client_name.length;
++ trunc_name(&clen, &cdots);
++ slen = service_name.length;
++ trunc_name(&slen, &sdots);
+ 
+ ret.code = KADM5_OK;
+ if (! CHANGEPW_SERVICE(rqstp)) {
+@@ -590,8 +598,15 @@
+ }
+ } else
+ ret.code = KADM5_AUTH_INSUFFICIENT;
+ if (ret.code != KADM5_OK) {
+- log_unauth("kadm5_rename_principal", prime_arg,
+- &client_name, &service_name, rqstp);
++ krb5_klog_syslog(LOG_NOTICE,
++ "Unauthorized request: kadm5_rename_principal, "
++ "%.*s%s to %.*s%s, "
++ "client=%.*s%s, service=%.*s%s, addr=%s",
++ tlen1, prime_arg1, tdots1,
++ tlen2, prime_arg2, tdots2,
++ clen, client_name.value, cdots,
++ slen, service_name.value, sdots,
++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ } else {
+ ret.code = kadm5_rename_principal((void *)handle, arg->src,
+ arg->dest);
+@@ -600,8 +615,15 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+- log_done("kadm5_rename_principal", prime_arg, errmsg,
+- &client_name, &service_name, rqstp);
++ krb5_klog_syslog(LOG_NOTICE,
++ "Request: kadm5_rename_principal, "
++ "%.*s%s to %.*s%s, %s, "
++ "client=%.*s%s, service=%.*s%s, addr=%s",
++ tlen1, prime_arg1, tdots1,
++ tlen2, prime_arg2, tdots2, errmsg,
++ clen, client_name.value, cdots,
++ slen, service_name.value, sdots,
++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ }
+ free_server_handle(handle);
+ free(prime_arg1);
+Index: src/lib/rpc/svc_auth_unix.c
+===================================================================
+--- src/lib/rpc/svc_auth_unix.c (.../tags/krb5-1-6-1-final) (Revision 19657)
++++ src/lib/rpc/svc_auth_unix.c (.../branches/krb5-1-6) (Revision 19657)
+@@ -64,8 +64,7 @@
+ char area_machname[MAX_MACHINE_NAME+1];
+ int area_gids[NGRPS];
+ } *area;
+- u_int auth_len;
+- int str_len, gid_len;
++ u_int auth_len, str_len, gid_len;
+ register int i;
+ 
+ rqst->rq_xprt->xp_auth = &svc_auth_none;
+@@ -74,7 +73,9 @@
+ aup = &area->area_aup;
+ aup->aup_machname = area->area_machname;
+ aup->aup_gids = area->area_gids;
+- auth_len = (u_int)msg->rm_call.cb_cred.oa_length;
++ auth_len = msg->rm_call.cb_cred.oa_length;
++ if (auth_len > INT_MAX)
++ return AUTH_BADCRED;
+ xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE);
+ buf = XDR_INLINE(&xdrs, (int)auth_len);
+ if (buf != NULL) {
+@@ -84,7 +85,7 @@
+ stat = AUTH_BADCRED;
+ goto done;
+ }
+- memmove(aup->aup_machname, (caddr_t)buf, (u_int)str_len);
++ memmove(aup->aup_machname, buf, str_len);
+ aup->aup_machname[str_len] = 0;
+ str_len = RNDUP(str_len);
+ buf += str_len / BYTES_PER_XDR_UNIT;
+@@ -104,7 +105,7 @@
+ * timestamp, hostname len (0), uid, gid, and gids len (0).
+ */
+ if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) {
+- (void) printf("bad auth_len gid %d str %d auth %d\n",
++ (void) printf("bad auth_len gid %u str %u auth %u\n",
+ gid_len, str_len, auth_len);
+ stat = AUTH_BADCRED;
+ goto done;
+Index: src/lib/rpc/svc_auth_gssapi.c
+===================================================================
+--- src/lib/rpc/svc_auth_gssapi.c (.../tags/krb5-1-6-1-final) (Revision 19657)
++++ src/lib/rpc/svc_auth_gssapi.c (.../branches/krb5-1-6) (Revision 19657)
+@@ -149,6 +149,8 @@
+ rqst->rq_xprt->xp_auth = &svc_auth_none;
+ 
+ memset((char *) &call_res, 0, sizeof(call_res));
++ creds.client_handle.length = 0;
++ creds.client_handle.value = NULL;
+ 
+ cred = &msg->rm_call.cb_cred;
+ verf = &msg->rm_call.cb_verf;
+Index: src/lib/krb5/krb/rd_req_dec.c
+===================================================================
+--- src/lib/krb5/krb/rd_req_dec.c (.../tags/krb5-1-6-1-final) (Revision 19657)
++++ src/lib/krb5/krb/rd_req_dec.c (.../branches/krb5-1-6) (Revision 19657)
+@@ -87,14 +87,39 @@
+ }
+ 
+ static krb5_error_code
+-krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket, int check_valid_flag)
++krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
++ const krb5_ap_req *req, krb5_const_principal server,
++ krb5_keytab keytab, krb5_flags *ap_req_options,
++ krb5_ticket **ticket, int check_valid_flag)
+ {
+ krb5_error_code retval = 0;
+ krb5_timestamp currenttime;
++ krb5_principal_data princ_data;
++
++ req->ticket->enc_part2 == NULL;
++ if (server && krb5_is_referral_realm(&server->realm)) {
++ char *realm;
++ princ_data = *server;
++ server = &princ_data;
++ retval = krb5_get_default_realm(context, &realm);
++ if (retval)
++ return retval;
++ princ_data.realm.data = realm;
++ princ_data.realm.length = strlen(realm);
++ }
++ if (server && !krb5_principal_compare(context, server, req->ticket->server)) {
++ char *found_name = 0, *wanted_name = 0;
++ if (krb5_unparse_name(context, server, &wanted_name) == 0
++ && krb5_unparse_name(context, req->ticket->server, &found_name) == 0)
++ krb5_set_error_message(context, KRB5KRB_AP_WRONG_PRINC,
++ "Wrong principal in request (found %s, wanted %s)",
++ found_name, wanted_name);
++ krb5_free_unparsed_name(context, wanted_name);
++ krb5_free_unparsed_name(context, found_name);
++ retval = KRB5KRB_AP_WRONG_PRINC;
++ goto cleanup;
++ }
+ 
+- if (server && !krb5_principal_compare(context, server, req->ticket->server))
+- return KRB5KRB_AP_WRONG_PRINC;
+-
+ /* if (req->ap_options & AP_OPTS_USE_SESSION_KEY)
+ do we need special processing here ? */
+ 
+@@ -102,12 +127,12 @@
+ if ((*auth_context)->keyblock) { /* User to User authentication */
+ if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock,
+ req->ticket)))
+- return retval;
++goto cleanup;
+ krb5_free_keyblock(context, (*auth_context)->keyblock);
+ (*auth_context)->keyblock = NULL;
+ } else {
+ if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, keytab)))
+- return retval;
++ goto cleanup;
+ }
+ 
+ /* XXX this is an evil hack. check_valid_flag is set iff the call
+@@ -241,15 +266,21 @@
+ if ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_PERMIT_ALL) {
+ /* no etype check needed */;
+ } else if ((*auth_context)->permitted_etypes == NULL) {
++ int etype;
+ /* check against the default set */
+ if ((!krb5_is_permitted_enctype(context,
+- req->ticket->enc_part.enctype)) ||
++ etype = req->ticket->enc_part.enctype)) ||
+ (!krb5_is_permitted_enctype(context,
+- req->ticket->enc_part2->session->enctype)) ||
++ etype = req->ticket->enc_part2->session->enctype)) ||
+ (((*auth_context)->authentp->subkey) &&
+ !krb5_is_permitted_enctype(context,
+- (*auth_context)->authentp->subkey->enctype))) {
++ etype = (*auth_context)->authentp->subkey->enctype))) {
++ char enctype_name[30];
+ retval = KRB5_NOPERM_ETYPE;
++ if (krb5_enctype_to_string(etype, enctype_name, sizeof(enctype_name)) == 0)
++ krb5_set_error_message(context, retval,
++ "Encryption type %s not permitted",
++ enctype_name);
+ goto cleanup;
+ }
+ } else {
+@@ -261,7 +292,13 @@
+ req->ticket->enc_part.enctype)
+ break;
+ if (!(*auth_context)->permitted_etypes[i]) {
++ char enctype_name[30];
+ retval = KRB5_NOPERM_ETYPE;
++ if (krb5_enctype_to_string(req->ticket->enc_part.enctype,
++ enctype_name, sizeof(enctype_name)) == 0)
++ krb5_set_error_message(context, retval,
++ "Encryption type %s not permitted",
++ enctype_name);
+ goto cleanup;
+ }
+ 
+@@ -270,7 +307,13 @@
+ req->ticket->enc_part2->session->enctype)
+ break;
+ if (!(*auth_context)->permitted_etypes[i]) {
++ char enctype_name[30];
+ retval = KRB5_NOPERM_ETYPE;
++ if (krb5_enctype_to_string(req->ticket->enc_part2->session->enctype,
++ enctype_name, sizeof(enctype_name)) == 0)
++ krb5_set_error_message(context, retval,
++ "Encryption type %s not permitted",
++ enctype_name);
+ goto cleanup;
+ }
+ 
+@@ -280,7 +323,14 @@
+ (*auth_context)->authentp->subkey->enctype)
+ break;
+ if (!(*auth_context)->permitted_etypes[i]) {
++ char enctype_name[30];
+ retval = KRB5_NOPERM_ETYPE;
++ if (krb5_enctype_to_string((*auth_context)->authentp->subkey->enctype,
++ enctype_name,
++ sizeof(enctype_name)) == 0)
++ krb5_set_error_message(context, retval,
++ "Encryption type %s not permitted",
++ enctype_name);
+ goto cleanup;
+ }
+ }
+@@ -327,17 +377,23 @@
+ retval = 0;
+ 
+ cleanup:
++ if (server == &princ_data)
++ krb5_free_default_realm(context, princ_data.realm.data);
+ if (retval) {
+ /* only free if we're erroring out...otherwise some
+ applications will need the output. */
+- krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
++ if (req->ticket->enc_part2)
++ krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
+ req->ticket->enc_part2 = NULL;
+ }
+ return retval;
+ }
+ 
+ krb5_error_code
+-krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket)
++krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context,
++ const krb5_ap_req *req, krb5_const_principal server,
++ krb5_keytab keytab, krb5_flags *ap_req_options,
++ krb5_ticket **ticket)
+ {
+ krb5_error_code retval;
+ retval = krb5_rd_req_decoded_opt(context, auth_context,
+@@ -348,7 +404,11 @@
+ }
+ 
+ krb5_error_code
+-krb5_rd_req_decoded_anyflag(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket)
++krb5_rd_req_decoded_anyflag(krb5_context context,
++ krb5_auth_context *auth_context,
++ const krb5_ap_req *req,
++ krb5_const_principal server, krb5_keytab keytab,
++ krb5_flags *ap_req_options, krb5_ticket **ticket)
+ {
+ krb5_error_code retval;
+ retval = krb5_rd_req_decoded_opt(context, auth_context,
+@@ -359,7 +419,8 @@
+ }
+ 
+ static krb5_error_code
+-decrypt_authenticator(krb5_context context, const krb5_ap_req *request, krb5_authenticator **authpp, int is_ap_req)
++decrypt_authenticator(krb5_context context, const krb5_ap_req *request,
++ krb5_authenticator **authpp, int is_ap_req)
+ {
+ krb5_authenticator *local_auth;
+ krb5_error_code retval;
+@@ -390,4 +451,3 @@
+ clean_scratch();
+ return retval;
+ }
+-
+Index: src/lib/krb5/krb/walk_rtree.c
+===================================================================
+--- src/lib/krb5/krb/walk_rtree.c (.../tags/krb5-1-6-1-final) (Revision 19657)
++++ src/lib/krb5/krb/walk_rtree.c (.../branches/krb5-1-6) (Revision 19657)
+@@ -167,6 +167,9 @@
+ links++;
+ }
+ }
++ if (cap_nodes[links] != NULL)
++ krb5_xfree(cap_nodes[links]);
++
+ cap_nodes[links] = cap_server; /* put server on end of list */
+ /* this simplifies the code later and make */
+ /* cleanup eaiser as well */
 Index: src/lib/krb5/krb/gc_frm_kdc.c
 ===================================================================
---- src/lib/krb5/krb/gc_frm_kdc.c (.../tags/krb5-1-6-1-final) (Revision 19540)
-+++ src/lib/krb5/krb/gc_frm_kdc.c (.../branches/krb5-1-6) (Revision 19540)
+--- src/lib/krb5/krb/gc_frm_kdc.c (.../tags/krb5-1-6-1-final) (Revision 19657)
++++ src/lib/krb5/krb/gc_frm_kdc.c (.../branches/krb5-1-6) (Revision 19657)
 @@ -1043,6 +1043,7 @@
 krb5_free_creds(context, (*tgts)[i]);
 }
@@ -79,8 +406,8 @@ Index: src/lib/krb5/krb/gc_frm_kdc.c
 retval = krb5_cc_retrieve_cred(context, ccache, RETR_FLAGS,
 Index: src/lib/krb5/krb/gic_opt.c
 ===================================================================
---- src/lib/krb5/krb/gic_opt.c (.../tags/krb5-1-6-1-final) (Revision 19540)
-+++ src/lib/krb5/krb/gic_opt.c (.../branches/krb5-1-6) (Revision 19540)
+--- src/lib/krb5/krb/gic_opt.c (.../tags/krb5-1-6-1-final) (Revision 19657)
++++ src/lib/krb5/krb/gic_opt.c (.../branches/krb5-1-6) (Revision 19657)
 @@ -206,8 +206,18 @@
 oe = krb5int_gic_opte_alloc(context);
 if (NULL == oe)
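Review bot: In the rd_req_dec.c part of this hunk the added line `req->ticket->enc_part2 == NULL;` at the top of krb5_rd_req_decoded_opt is a comparison whose result is discarded, so it has no effect. That matters because the same hunk reroutes the wrong-principal exit through `goto cleanup`, where the new `if (req->ticket->enc_part2) krb5_free_enc_tkt_part(...)` now runs on a path that previously returned before any decryption; if the intent was to guarantee a NULL there the line should read `req->ticket->enc_part2 = NULL;`, and if the decoder already leaves it NULL (not visible here) the line should simply be dropped. Separately, in the server_stubs.c part the `%.*s` precisions are passed `tlen1`, `tlen2`, `clen` and `slen`, which the hunk declares as `size_t`, while `%.*s` consumes an `int`; assuming trunc_name() bounds them (its body is not in the hunk), pass `(int) tlen1, prime_arg1, tdots1,` and likewise for the other three in both krb5_klog_syslog calls. Both functions extend beyond the inner hunks shown here.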
@@ -104,8 +431,8 @@ Index: src/lib/krb5/krb/gic_opt.c
 Index: src/util/profile/prof_parse.c
 ===================================================================
---- src/util/profile/prof_parse.c (.../tags/krb5-1-6-1-final) (Revision 19540)
-+++ src/util/profile/prof_parse.c (.../branches/krb5-1-6) (Revision 19540)
+--- src/util/profile/prof_parse.c (.../tags/krb5-1-6-1-final) (Revision 19657)
++++ src/util/profile/prof_parse.c (.../branches/krb5-1-6) (Revision 19657)
 @@ -306,8 +306,10 @@
 */
 static int need_double_quotes(char *str)
diff --git a/krb5-doc.spec b/krb5-doc.spec
index ac1b721..566fbc1 100644
--- a/krb5-doc.spec
+++ b/krb5-doc.spec
@@ -13,7 +13,7 @@ Name: krb5-doc
 BuildRequires: ghostscript-library latex2html texlive
 Version: 1.6.1
-Release: 29
+Release: 31
 %define srcRoot krb5-1.6.1
 Summary: MIT Kerberos5 Implementation--Documentation
 License: X11/MIT
diff --git a/krb5-plugins.changes b/krb5-plugins.changes
index f365841..cd53339 100644
--- a/krb5-plugins.changes
+++ b/krb5-plugins.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Mon Jul 2 11:39:54 CEST 2007 - mc@suse.de
+
+- update krb5-1.6.1-post.dif
+ * fix leak in krb5_walk_realm_tree
+ * rd_req_decoded needs to deal with referral realms
+ * fix buffer overflow in kadmind
+ (MITKRB5-SA-2007-005 - CVE-2007-2798)
+ [#278689]
+ * fix kadmind code execution bug
+ (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
+ [#271191]
+
 -------------------------------------------------------------------
 Wed May 9 15:31:08 CEST 2007 - mc@suse.de
diff --git a/krb5-plugins.spec b/krb5-plugins.spec
index 9d14272..9fb7fba 100644
--- a/krb5-plugins.spec
+++ b/krb5-plugins.spec
@@ -13,7 +13,7 @@ Name: krb5-plugins
 Version: 1.6.1
-Release: 7
+Release: 8
 BuildRequires: bison krb5-devel ncurses-devel openldap2-devel
 %define srcRoot krb5-1.6.1
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
@@ -207,6 +207,16 @@ rm -rf %{buildroot}
 %{_mandir}/man8/*
 %changelog
+* Mon Jul 02 2007 - mc@suse.de
+- update krb5-1.6.1-post.dif
+ * fix leak in krb5_walk_realm_tree
+ * rd_req_decoded needs to deal with referral realms
+ * fix buffer overflow in kadmind
+ (MITKRB5-SA-2007-005 - CVE-2007-2798)
+ [#278689]
+ * fix kadmind code execution bug
+ (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
+ [#271191]
 * Wed May 09 2007 - mc@suse.de
 - fix uninitialized salt length
 - add extra check for keytab file
diff --git a/krb5.changes b/krb5.changes
index e640263..5965111 100644
--- a/krb5.changes
+++ b/krb5.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de
+
+- update krb5-1.6.1-post.dif
+ * fix leak in krb5_walk_realm_tree
+ * rd_req_decoded needs to deal with referral realms
+ * fix buffer overflow in kadmind
+ (MITKRB5-SA-2007-005 - CVE-2007-2798)
+ [#278689]
+ * fix kadmind code execution bug
+ (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
+ [#271191]
+
 -------------------------------------------------------------------
 Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de
diff --git a/krb5.spec b/krb5.spec
index 90ea9d6..7285d9f 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -12,7 +12,7 @@ Name: krb5
 Version: 1.6.1
-Release: 24
+Release: 26
 BuildRequires: bison libcom_err ncurses-devel
 %if %{suse_version} > 1010
 BuildRequires: keyutils keyutils-devel
@@ -511,6 +511,16 @@ rm -rf %{buildroot}
 %{_mandir}/man1/krb5-config.1*
 %changelog
+* Mon Jul 02 2007 - mc@suse.de
+- update krb5-1.6.1-post.dif
+ * fix leak in krb5_walk_realm_tree
+ * rd_req_decoded needs to deal with referral realms
+ * fix buffer overflow in kadmind
+ (MITKRB5-SA-2007-005 - CVE-2007-2798)
+ [#278689]
+ * fix kadmind code execution bug
+ (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
+ [#271191]
 * Thu Jun 14 2007 - mc@suse.de
 - fix unstripped-binary-or-object rpmlint warning
 * Mon Jun 11 2007 - sschober@suse.de