OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=20

krb5-1.6.1-post.dif

@@ -1,7 +1,7 @@
 Index: src/include/k5-int.h
 ===================================================================
---- src/include/k5-int.h	(.../tags/krb5-1-6-1-final)	(Revision 19540)
+--- src/include/k5-int.h	(.../tags/krb5-1-6-1-final)	(Revision 19657)
-+++ src/include/k5-int.h	(.../branches/krb5-1-6)	(Revision 19540)
++++ src/include/k5-int.h	(.../branches/krb5-1-6)	(Revision 19657)
 @@ -1048,9 +1048,9 @@
  #define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000
  
@@ -16,8 +16,8 @@ Index: src/include/k5-int.h
  typedef struct _krb5_gic_opt_private {
 Index: src/appl/gssftp/ftp/cmds.c
 ===================================================================
---- src/appl/gssftp/ftp/cmds.c	(.../tags/krb5-1-6-1-final)	(Revision 19540)
+--- src/appl/gssftp/ftp/cmds.c	(.../tags/krb5-1-6-1-final)	(Revision 19657)
-+++ src/appl/gssftp/ftp/cmds.c	(.../branches/krb5-1-6)	(Revision 19540)
++++ src/appl/gssftp/ftp/cmds.c	(.../branches/krb5-1-6)	(Revision 19657)
 @@ -168,9 +168,7 @@
  		}
  		port = htons(iport);
@@ -65,10 +65,337 @@ Index: src/appl/gssftp/ftp/cmds.c
  		overbose = verbose;
  		if (debug == 0)
  			verbose = -1;
+Index: src/kadmin/server/server_stubs.c
+===================================================================
+--- src/kadmin/server/server_stubs.c	(.../tags/krb5-1-6-1-final)	(Revision 19657)
++++ src/kadmin/server/server_stubs.c	(.../branches/krb5-1-6)	(Revision 19657)
+@@ -545,13 +545,14 @@
+     static generic_ret		ret;
+     char			*prime_arg1,
+ 				*prime_arg2;
+-    char			prime_arg[BUFSIZ];
+     gss_buffer_desc		client_name,
+ 				service_name;
+     OM_uint32			minor_stat;
+     kadm5_server_handle_t	handle;
+     restriction_t		*rp;
+     char                        *errmsg;
++    size_t			tlen1, tlen2, clen, slen;
++    char			*tdots1, *tdots2, *cdots, *sdots;
+ 
+     xdr_free(xdr_generic_ret, &ret);
+ 
+@@ -572,7 +573,14 @@
+ 	 ret.code = KADM5_BAD_PRINCIPAL;
+ 	 goto exit_func;
+     }
+-    sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
++    tlen1 = strlen(prime_arg1);
++    trunc_name(&tlen1, &tdots1);
++    tlen2 = strlen(prime_arg2);
++    trunc_name(&tlen2, &tdots2);
++    clen = client_name.length;
++    trunc_name(&clen, &cdots);
++    slen = service_name.length;
++    trunc_name(&slen, &sdots);
+ 
+     ret.code = KADM5_OK;
+     if (! CHANGEPW_SERVICE(rqstp)) {
+@@ -590,8 +598,15 @@
+     } else
+ 	 ret.code = KADM5_AUTH_INSUFFICIENT;
+     if (ret.code != KADM5_OK) {
+-	 log_unauth("kadm5_rename_principal", prime_arg,
+-		    &client_name, &service_name, rqstp);
++	 krb5_klog_syslog(LOG_NOTICE,
++			  "Unauthorized request: kadm5_rename_principal, "
++			  "%.*s%s to %.*s%s, "
++			  "client=%.*s%s, service=%.*s%s, addr=%s",
++			  tlen1, prime_arg1, tdots1,
++			  tlen2, prime_arg2, tdots2,
++			  clen, client_name.value, cdots,
++			  slen, service_name.value, sdots,
++			  inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+     } else {
+ 	 ret.code = kadm5_rename_principal((void *)handle, arg->src,
+ 						arg->dest);
+@@ -600,8 +615,15 @@
+ 	 else
+ 	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	 log_done("kadm5_rename_principal", prime_arg, errmsg,
+-		  &client_name, &service_name, rqstp);
++	 krb5_klog_syslog(LOG_NOTICE,
++			  "Request: kadm5_rename_principal, "
++			  "%.*s%s to %.*s%s, %s, "
++			  "client=%.*s%s, service=%.*s%s, addr=%s",
++			  tlen1, prime_arg1, tdots1,
++			  tlen2, prime_arg2, tdots2, errmsg,
++			  clen, client_name.value, cdots,
++			  slen, service_name.value, sdots,
++			  inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+     }
+     free_server_handle(handle);
+     free(prime_arg1);
+Index: src/lib/rpc/svc_auth_unix.c
+===================================================================
+--- src/lib/rpc/svc_auth_unix.c	(.../tags/krb5-1-6-1-final)	(Revision 19657)
++++ src/lib/rpc/svc_auth_unix.c	(.../branches/krb5-1-6)	(Revision 19657)
+@@ -64,8 +64,7 @@
+ 		char area_machname[MAX_MACHINE_NAME+1];
+ 		int area_gids[NGRPS];
+ 	} *area;
+-	u_int auth_len;
+-	int str_len, gid_len;
++	u_int auth_len, str_len, gid_len;
+ 	register int i;
+ 
+ 	rqst->rq_xprt->xp_auth = &svc_auth_none;
+@@ -74,7 +73,9 @@
+ 	aup = &area->area_aup;
+ 	aup->aup_machname = area->area_machname;
+ 	aup->aup_gids = area->area_gids;
+-	auth_len = (u_int)msg->rm_call.cb_cred.oa_length;
++	auth_len = msg->rm_call.cb_cred.oa_length;
++	if (auth_len > INT_MAX)
++		return AUTH_BADCRED;
+ 	xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE);
+ 	buf = XDR_INLINE(&xdrs, (int)auth_len);
+ 	if (buf != NULL) {
+@@ -84,7 +85,7 @@
+ 			stat = AUTH_BADCRED;
+ 			goto done;
+ 		}
+-		memmove(aup->aup_machname, (caddr_t)buf, (u_int)str_len);
++		memmove(aup->aup_machname, buf, str_len);
+ 		aup->aup_machname[str_len] = 0;
+ 		str_len = RNDUP(str_len);
+ 		buf += str_len / BYTES_PER_XDR_UNIT;
+@@ -104,7 +105,7 @@
+ 		 * timestamp, hostname len (0), uid, gid, and gids len (0).
+ 		 */
+ 		if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) {
+-			(void) printf("bad auth_len gid %d str %d auth %d\n",
++			(void) printf("bad auth_len gid %u str %u auth %u\n",
+ 			    gid_len, str_len, auth_len);
+ 			stat = AUTH_BADCRED;
+ 			goto done;
+Index: src/lib/rpc/svc_auth_gssapi.c
+===================================================================
+--- src/lib/rpc/svc_auth_gssapi.c	(.../tags/krb5-1-6-1-final)	(Revision 19657)
++++ src/lib/rpc/svc_auth_gssapi.c	(.../branches/krb5-1-6)	(Revision 19657)
+@@ -149,6 +149,8 @@
+      rqst->rq_xprt->xp_auth = &svc_auth_none;
+      
+      memset((char *) &call_res, 0, sizeof(call_res));
++     creds.client_handle.length = 0;
++     creds.client_handle.value = NULL;
+      
+      cred = &msg->rm_call.cb_cred;
+      verf = &msg->rm_call.cb_verf;
+Index: src/lib/krb5/krb/rd_req_dec.c
+===================================================================
+--- src/lib/krb5/krb/rd_req_dec.c	(.../tags/krb5-1-6-1-final)	(Revision 19657)
++++ src/lib/krb5/krb/rd_req_dec.c	(.../branches/krb5-1-6)	(Revision 19657)
+@@ -87,14 +87,39 @@
+ }
+ 
+ static krb5_error_code
+-krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket, int check_valid_flag)
++krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
++			const krb5_ap_req *req, krb5_const_principal server,
++			krb5_keytab keytab, krb5_flags *ap_req_options,
++			krb5_ticket **ticket, int check_valid_flag)
+ {
+     krb5_error_code 	  retval = 0;
+     krb5_timestamp 	  currenttime;
++    krb5_principal_data princ_data;
++    
++    req->ticket->enc_part2 == NULL;
++    if (server && krb5_is_referral_realm(&server->realm)) {
++	char *realm;
++	princ_data = *server;
++	server = &princ_data;
++	retval = krb5_get_default_realm(context, &realm);
++	if (retval)
++	    return retval;
++	princ_data.realm.data = realm;
++	princ_data.realm.length = strlen(realm);
++    }
++    if (server && !krb5_principal_compare(context, server, req->ticket->server)) {
++	char *found_name = 0, *wanted_name = 0;
++	if (krb5_unparse_name(context, server, &wanted_name) == 0
++	    && krb5_unparse_name(context, req->ticket->server, &found_name) == 0)
++	    krb5_set_error_message(context, KRB5KRB_AP_WRONG_PRINC,
++				   "Wrong principal in request (found %s, wanted %s)",
++				   found_name, wanted_name);
++	krb5_free_unparsed_name(context, wanted_name);
++	krb5_free_unparsed_name(context, found_name);
++	retval =  KRB5KRB_AP_WRONG_PRINC;
++	goto cleanup;
++    }
+ 
+-    if (server && !krb5_principal_compare(context, server, req->ticket->server))
+-	return KRB5KRB_AP_WRONG_PRINC;
+-
+     /* if (req->ap_options & AP_OPTS_USE_SESSION_KEY)
+        do we need special processing here ?	*/
+ 
+@@ -102,12 +127,12 @@
+     if ((*auth_context)->keyblock) { /* User to User authentication */
+     	if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock,
+ 					    req->ticket)))
+-	    return retval;
++goto cleanup;
+ 	krb5_free_keyblock(context, (*auth_context)->keyblock);
+ 	(*auth_context)->keyblock = NULL;
+     } else {
+     	if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, keytab)))
+-	    return retval;
++	    goto cleanup;
+     }
+ 
+     /* XXX this is an evil hack.  check_valid_flag is set iff the call
+@@ -241,15 +266,21 @@
+     if ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_PERMIT_ALL) {
+ 	/* no etype check needed */;
+     } else if ((*auth_context)->permitted_etypes == NULL) {
++	int etype;
+ 	/* check against the default set */
+ 	if ((!krb5_is_permitted_enctype(context,
+-					req->ticket->enc_part.enctype)) ||
++					etype = req->ticket->enc_part.enctype)) ||
+ 	    (!krb5_is_permitted_enctype(context,
+-					req->ticket->enc_part2->session->enctype)) ||
++					etype = req->ticket->enc_part2->session->enctype)) ||
+ 	    (((*auth_context)->authentp->subkey) &&
+ 	     !krb5_is_permitted_enctype(context,
+-					(*auth_context)->authentp->subkey->enctype))) {
++					etype = (*auth_context)->authentp->subkey->enctype))) {
++	    char enctype_name[30];
+ 	    retval = KRB5_NOPERM_ETYPE;
++	    if (krb5_enctype_to_string(etype, enctype_name, sizeof(enctype_name)) == 0)
++		krb5_set_error_message(context, retval,
++				       "Encryption type %s not permitted",
++				       enctype_name);
+ 	    goto cleanup;
+ 	}
+     } else {
+@@ -261,7 +292,13 @@
+ 		req->ticket->enc_part.enctype)
+ 		break;
+ 	if (!(*auth_context)->permitted_etypes[i]) {
++	    char enctype_name[30];
+ 	    retval = KRB5_NOPERM_ETYPE;
++	    if (krb5_enctype_to_string(req->ticket->enc_part.enctype,
++				       enctype_name, sizeof(enctype_name)) == 0)
++		krb5_set_error_message(context, retval,
++				       "Encryption type %s not permitted",
++				       enctype_name);
+ 	    goto cleanup;
+ 	}
+ 	
+@@ -270,7 +307,13 @@
+ 		req->ticket->enc_part2->session->enctype)
+ 		break;
+ 	if (!(*auth_context)->permitted_etypes[i]) {
++	    char enctype_name[30];
+ 	    retval = KRB5_NOPERM_ETYPE;
++	    if (krb5_enctype_to_string(req->ticket->enc_part2->session->enctype,
++				       enctype_name, sizeof(enctype_name)) == 0)
++		krb5_set_error_message(context, retval,
++				       "Encryption type %s not permitted",
++				       enctype_name);
+ 	    goto cleanup;
+ 	}
+ 	
+@@ -280,7 +323,14 @@
+ 		    (*auth_context)->authentp->subkey->enctype)
+ 		    break;
+ 	    if (!(*auth_context)->permitted_etypes[i]) {
++		char enctype_name[30];
+ 		retval = KRB5_NOPERM_ETYPE;
++		if (krb5_enctype_to_string((*auth_context)->authentp->subkey->enctype,
++					   enctype_name,
++					   sizeof(enctype_name)) == 0)
++		    krb5_set_error_message(context, retval,
++					   "Encryption type %s not permitted",
++					   enctype_name);
+ 		goto cleanup;
+ 	    }
+ 	}
+@@ -327,17 +377,23 @@
+     retval = 0;
+     
+ cleanup:
++    if (server == &princ_data)
++	krb5_free_default_realm(context, princ_data.realm.data);
+     if (retval) {
+ 	/* only free if we're erroring out...otherwise some
+ 	   applications will need the output. */
+-        krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
++	if (req->ticket->enc_part2)
++	    krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
+ 	req->ticket->enc_part2 = NULL;
+     }
+     return retval;
+ }
+ 
+ krb5_error_code
+-krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket)
++krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context,
++		    const krb5_ap_req *req, krb5_const_principal server,
++		    krb5_keytab keytab, krb5_flags *ap_req_options,
++		    krb5_ticket **ticket)
+ {
+   krb5_error_code retval;
+   retval = krb5_rd_req_decoded_opt(context, auth_context,
+@@ -348,7 +404,11 @@
+ }
+ 
+ krb5_error_code
+-krb5_rd_req_decoded_anyflag(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket)
++krb5_rd_req_decoded_anyflag(krb5_context context,
++			    krb5_auth_context *auth_context,
++			    const krb5_ap_req *req,
++			    krb5_const_principal server, krb5_keytab keytab,
++			    krb5_flags *ap_req_options, krb5_ticket **ticket)
+ {
+   krb5_error_code retval;
+   retval = krb5_rd_req_decoded_opt(context, auth_context,
+@@ -359,7 +419,8 @@
+ }
+ 
+ static krb5_error_code
+-decrypt_authenticator(krb5_context context, const krb5_ap_req *request, krb5_authenticator **authpp, int is_ap_req)
++decrypt_authenticator(krb5_context context, const krb5_ap_req *request,
++		      krb5_authenticator **authpp, int is_ap_req)
+ {
+     krb5_authenticator *local_auth;
+     krb5_error_code retval;
+@@ -390,4 +451,3 @@
+     clean_scratch();
+     return retval;
+ }
+-
+Index: src/lib/krb5/krb/walk_rtree.c
+===================================================================
+--- src/lib/krb5/krb/walk_rtree.c	(.../tags/krb5-1-6-1-final)	(Revision 19657)
++++ src/lib/krb5/krb/walk_rtree.c	(.../branches/krb5-1-6)	(Revision 19657)
+@@ -167,6 +167,9 @@
+ 		links++;
+ 	    }
+ 	}
++	if (cap_nodes[links] != NULL)
++	    krb5_xfree(cap_nodes[links]);
++
+ 	cap_nodes[links] = cap_server; /* put server on end of list */
+ 	/* this simplifies the code later and make */
+ 	/* cleanup eaiser as well */
 Index: src/lib/krb5/krb/gc_frm_kdc.c
 ===================================================================
---- src/lib/krb5/krb/gc_frm_kdc.c	(.../tags/krb5-1-6-1-final)	(Revision 19540)
+--- src/lib/krb5/krb/gc_frm_kdc.c	(.../tags/krb5-1-6-1-final)	(Revision 19657)
-+++ src/lib/krb5/krb/gc_frm_kdc.c	(.../branches/krb5-1-6)	(Revision 19540)
++++ src/lib/krb5/krb/gc_frm_kdc.c	(.../branches/krb5-1-6)	(Revision 19657)
 @@ -1043,6 +1043,7 @@
  	    krb5_free_creds(context, (*tgts)[i]);
  	}
@@ -79,8 +406,8 @@ Index: src/lib/krb5/krb/gc_frm_kdc.c
      retval = krb5_cc_retrieve_cred(context, ccache, RETR_FLAGS,
 Index: src/lib/krb5/krb/gic_opt.c
 ===================================================================
---- src/lib/krb5/krb/gic_opt.c	(.../tags/krb5-1-6-1-final)	(Revision 19540)
+--- src/lib/krb5/krb/gic_opt.c	(.../tags/krb5-1-6-1-final)	(Revision 19657)
-+++ src/lib/krb5/krb/gic_opt.c	(.../branches/krb5-1-6)	(Revision 19540)
++++ src/lib/krb5/krb/gic_opt.c	(.../branches/krb5-1-6)	(Revision 19657)
 @@ -206,8 +206,18 @@
      oe = krb5int_gic_opte_alloc(context);
      if (NULL == oe)
@@ -104,8 +431,8 @@ Index: src/lib/krb5/krb/gic_opt.c
  
 Index: src/util/profile/prof_parse.c
 ===================================================================
---- src/util/profile/prof_parse.c	(.../tags/krb5-1-6-1-final)	(Revision 19540)
+--- src/util/profile/prof_parse.c	(.../tags/krb5-1-6-1-final)	(Revision 19657)
-+++ src/util/profile/prof_parse.c	(.../branches/krb5-1-6)	(Revision 19540)
++++ src/util/profile/prof_parse.c	(.../branches/krb5-1-6)	(Revision 19657)
 @@ -306,8 +306,10 @@
   */
  static int need_double_quotes(char *str)

krb5-doc.spec

@@ -13,7 +13,7 @@
 Name:           krb5-doc
 BuildRequires:  ghostscript-library latex2html texlive
 Version:        1.6.1
-Release:        29
+Release:        31
 %define srcRoot krb5-1.6.1
 Summary:        MIT Kerberos5 Implementation--Documentation
 License:        X11/MIT

krb5-plugins.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Mon Jul  2 11:39:54 CEST 2007 - mc@suse.de
+
+- update krb5-1.6.1-post.dif
+  * fix leak in krb5_walk_realm_tree
+  * rd_req_decoded needs to deal with referral realms
+  * fix buffer overflow in kadmind
+    (MITKRB5-SA-2007-005 - CVE-2007-2798)
+    [#278689]
+  * fix kadmind code execution bug
+    (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
+    [#271191]
+
 -------------------------------------------------------------------
 Wed May  9 15:31:08 CEST 2007 - mc@suse.de
 

krb5-plugins.spec

@@ -13,7 +13,7 @@
 
 Name:           krb5-plugins
 Version:        1.6.1
-Release:        7
+Release:        8
 BuildRequires:  bison krb5-devel ncurses-devel openldap2-devel
 %define srcRoot krb5-1.6.1 
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
@@ -207,6 +207,16 @@ rm -rf %{buildroot}
 %{_mandir}/man8/*
 
 %changelog
+* Mon Jul 02 2007 - mc@suse.de
+- update krb5-1.6.1-post.dif
+  * fix leak in krb5_walk_realm_tree
+  * rd_req_decoded needs to deal with referral realms
+  * fix buffer overflow in kadmind
+  (MITKRB5-SA-2007-005 - CVE-2007-2798)
+  [#278689]
+  * fix kadmind code execution bug
+  (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
+  [#271191]
 * Wed May 09 2007 - mc@suse.de
 - fix uninitialized salt length
 - add extra check for keytab file

krb5.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Mon Jul  2 11:26:47 CEST 2007 - mc@suse.de
+
+- update krb5-1.6.1-post.dif
+  * fix leak in krb5_walk_realm_tree
+  * rd_req_decoded needs to deal with referral realms 
+  * fix buffer overflow in kadmind
+    (MITKRB5-SA-2007-005 - CVE-2007-2798)
+    [#278689]
+  * fix kadmind code execution bug
+    (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
+    [#271191]
+
 -------------------------------------------------------------------
 Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de
 

krb5.spec

@@ -12,7 +12,7 @@
 
 Name:           krb5
 Version:        1.6.1
-Release:        24
+Release:        26
 BuildRequires:  bison libcom_err ncurses-devel
 %if %{suse_version} > 1010
 BuildRequires:  keyutils keyutils-devel
@@ -511,6 +511,16 @@ rm -rf %{buildroot}
 %{_mandir}/man1/krb5-config.1*
 
 %changelog
+* Mon Jul 02 2007 - mc@suse.de
+- update krb5-1.6.1-post.dif
+  * fix leak in krb5_walk_realm_tree
+  * rd_req_decoded needs to deal with referral realms
+  * fix buffer overflow in kadmind
+  (MITKRB5-SA-2007-005 - CVE-2007-2798)
+  [#278689]
+  * fix kadmind code execution bug
+  (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
+  [#271191]
 * Thu Jun 14 2007 - mc@suse.de
 - fix unstripped-binary-or-object rpmlint warning
 * Mon Jun 11 2007 - sschober@suse.de