OBS User unknown 2007-07-04 23:08:36 +00:00 committed by Git OBS Bridge
parent 8254c4844e
commit 2b46d13d41
6 changed files with 386 additions and 13 deletions


@ -1,7 +1,7 @@
Index: src/include/k5-int.h
===================================================================
--- src/include/k5-int.h (.../tags/krb5-1-6-1-final) (Revision 19540)
+++ src/include/k5-int.h (.../branches/krb5-1-6) (Revision 19540)
--- src/include/k5-int.h (.../tags/krb5-1-6-1-final) (Revision 19657)
+++ src/include/k5-int.h (.../branches/krb5-1-6) (Revision 19657)
@@ -1048,9 +1048,9 @@
#define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000
@ -16,8 +16,8 @@ Index: src/include/k5-int.h
typedef struct _krb5_gic_opt_private {
Index: src/appl/gssftp/ftp/cmds.c
===================================================================
--- src/appl/gssftp/ftp/cmds.c (.../tags/krb5-1-6-1-final) (Revision 19540)
+++ src/appl/gssftp/ftp/cmds.c (.../branches/krb5-1-6) (Revision 19540)
--- src/appl/gssftp/ftp/cmds.c (.../tags/krb5-1-6-1-final) (Revision 19657)
+++ src/appl/gssftp/ftp/cmds.c (.../branches/krb5-1-6) (Revision 19657)
@@ -168,9 +168,7 @@
}
port = htons(iport);
@ -65,10 +65,337 @@ Index: src/appl/gssftp/ftp/cmds.c
overbose = verbose;
if (debug == 0)
verbose = -1;
Index: src/kadmin/server/server_stubs.c
===================================================================
--- src/kadmin/server/server_stubs.c (.../tags/krb5-1-6-1-final) (Revision 19657)
+++ src/kadmin/server/server_stubs.c (.../branches/krb5-1-6) (Revision 19657)
@@ -545,13 +545,14 @@
static generic_ret ret;
char *prime_arg1,
*prime_arg2;
- char prime_arg[BUFSIZ];
gss_buffer_desc client_name,
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
char *errmsg;
+ size_t tlen1, tlen2, clen, slen;
+ char *tdots1, *tdots2, *cdots, *sdots;
xdr_free(xdr_generic_ret, &ret);
@@ -572,7 +573,14 @@
ret.code = KADM5_BAD_PRINCIPAL;
goto exit_func;
}
- sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
+ tlen1 = strlen(prime_arg1);
+ trunc_name(&tlen1, &tdots1);
+ tlen2 = strlen(prime_arg2);
+ trunc_name(&tlen2, &tdots2);
+ clen = client_name.length;
+ trunc_name(&clen, &cdots);
+ slen = service_name.length;
+ trunc_name(&slen, &sdots);
ret.code = KADM5_OK;
if (! CHANGEPW_SERVICE(rqstp)) {
@@ -590,8 +598,15 @@
} else
ret.code = KADM5_AUTH_INSUFFICIENT;
if (ret.code != KADM5_OK) {
- log_unauth("kadm5_rename_principal", prime_arg,
- &client_name, &service_name, rqstp);
+ krb5_klog_syslog(LOG_NOTICE,
+ "Unauthorized request: kadm5_rename_principal, "
+ "%.*s%s to %.*s%s, "
+ "client=%.*s%s, service=%.*s%s, addr=%s",
+ tlen1, prime_arg1, tdots1,
+ tlen2, prime_arg2, tdots2,
+ clen, client_name.value, cdots,
+ slen, service_name.value, sdots,
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
} else {
ret.code = kadm5_rename_principal((void *)handle, arg->src,
arg->dest);
@@ -600,8 +615,15 @@
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
- log_done("kadm5_rename_principal", prime_arg, errmsg,
- &client_name, &service_name, rqstp);
+ krb5_klog_syslog(LOG_NOTICE,
+ "Request: kadm5_rename_principal, "
+ "%.*s%s to %.*s%s, %s, "
+ "client=%.*s%s, service=%.*s%s, addr=%s",
+ tlen1, prime_arg1, tdots1,
+ tlen2, prime_arg2, tdots2, errmsg,
+ clen, client_name.value, cdots,
+ slen, service_name.value, sdots,
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
free(prime_arg1);
Index: src/lib/rpc/svc_auth_unix.c
===================================================================
--- src/lib/rpc/svc_auth_unix.c (.../tags/krb5-1-6-1-final) (Revision 19657)
+++ src/lib/rpc/svc_auth_unix.c (.../branches/krb5-1-6) (Revision 19657)
@@ -64,8 +64,7 @@
char area_machname[MAX_MACHINE_NAME+1];
int area_gids[NGRPS];
} *area;
- u_int auth_len;
- int str_len, gid_len;
+ u_int auth_len, str_len, gid_len;
register int i;
rqst->rq_xprt->xp_auth = &svc_auth_none;
@@ -74,7 +73,9 @@
aup = &area->area_aup;
aup->aup_machname = area->area_machname;
aup->aup_gids = area->area_gids;
- auth_len = (u_int)msg->rm_call.cb_cred.oa_length;
+ auth_len = msg->rm_call.cb_cred.oa_length;
+ if (auth_len > INT_MAX)
+ return AUTH_BADCRED;
xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE);
buf = XDR_INLINE(&xdrs, (int)auth_len);
if (buf != NULL) {
@@ -84,7 +85,7 @@
stat = AUTH_BADCRED;
goto done;
}
- memmove(aup->aup_machname, (caddr_t)buf, (u_int)str_len);
+ memmove(aup->aup_machname, buf, str_len);
aup->aup_machname[str_len] = 0;
str_len = RNDUP(str_len);
buf += str_len / BYTES_PER_XDR_UNIT;
@@ -104,7 +105,7 @@
* timestamp, hostname len (0), uid, gid, and gids len (0).
*/
if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) {
- (void) printf("bad auth_len gid %d str %d auth %d\n",
+ (void) printf("bad auth_len gid %u str %u auth %u\n",
gid_len, str_len, auth_len);
stat = AUTH_BADCRED;
goto done;
Index: src/lib/rpc/svc_auth_gssapi.c
===================================================================
--- src/lib/rpc/svc_auth_gssapi.c (.../tags/krb5-1-6-1-final) (Revision 19657)
+++ src/lib/rpc/svc_auth_gssapi.c (.../branches/krb5-1-6) (Revision 19657)
@@ -149,6 +149,8 @@
rqst->rq_xprt->xp_auth = &svc_auth_none;
memset((char *) &call_res, 0, sizeof(call_res));
+ creds.client_handle.length = 0;
+ creds.client_handle.value = NULL;
cred = &msg->rm_call.cb_cred;
verf = &msg->rm_call.cb_verf;
Index: src/lib/krb5/krb/rd_req_dec.c
===================================================================
--- src/lib/krb5/krb/rd_req_dec.c (.../tags/krb5-1-6-1-final) (Revision 19657)
+++ src/lib/krb5/krb/rd_req_dec.c (.../branches/krb5-1-6) (Revision 19657)
@@ -87,14 +87,39 @@
}
static krb5_error_code
-krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket, int check_valid_flag)
+krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
+ const krb5_ap_req *req, krb5_const_principal server,
+ krb5_keytab keytab, krb5_flags *ap_req_options,
+ krb5_ticket **ticket, int check_valid_flag)
{
krb5_error_code retval = 0;
krb5_timestamp currenttime;
+ krb5_principal_data princ_data;
+
+ req->ticket->enc_part2 == NULL;
+ if (server && krb5_is_referral_realm(&server->realm)) {
+ char *realm;
+ princ_data = *server;
+ server = &princ_data;
+ retval = krb5_get_default_realm(context, &realm);
+ if (retval)
+ return retval;
+ princ_data.realm.data = realm;
+ princ_data.realm.length = strlen(realm);
+ }
+ if (server && !krb5_principal_compare(context, server, req->ticket->server)) {
+ char *found_name = 0, *wanted_name = 0;
+ if (krb5_unparse_name(context, server, &wanted_name) == 0
+ && krb5_unparse_name(context, req->ticket->server, &found_name) == 0)
+ krb5_set_error_message(context, KRB5KRB_AP_WRONG_PRINC,
+ "Wrong principal in request (found %s, wanted %s)",
+ found_name, wanted_name);
+ krb5_free_unparsed_name(context, wanted_name);
+ krb5_free_unparsed_name(context, found_name);
+ retval = KRB5KRB_AP_WRONG_PRINC;
+ goto cleanup;
+ }
- if (server && !krb5_principal_compare(context, server, req->ticket->server))
- return KRB5KRB_AP_WRONG_PRINC;
-
/* if (req->ap_options & AP_OPTS_USE_SESSION_KEY)
do we need special processing here ? */
@@ -102,12 +127,12 @@
if ((*auth_context)->keyblock) { /* User to User authentication */
if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock,
req->ticket)))
- return retval;
+goto cleanup;
krb5_free_keyblock(context, (*auth_context)->keyblock);
(*auth_context)->keyblock = NULL;
} else {
if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, keytab)))
- return retval;
+ goto cleanup;
}
/* XXX this is an evil hack. check_valid_flag is set iff the call
@@ -241,15 +266,21 @@
if ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_PERMIT_ALL) {
/* no etype check needed */;
} else if ((*auth_context)->permitted_etypes == NULL) {
+ int etype;
/* check against the default set */
if ((!krb5_is_permitted_enctype(context,
- req->ticket->enc_part.enctype)) ||
+ etype = req->ticket->enc_part.enctype)) ||
(!krb5_is_permitted_enctype(context,
- req->ticket->enc_part2->session->enctype)) ||
+ etype = req->ticket->enc_part2->session->enctype)) ||
(((*auth_context)->authentp->subkey) &&
!krb5_is_permitted_enctype(context,
- (*auth_context)->authentp->subkey->enctype))) {
+ etype = (*auth_context)->authentp->subkey->enctype))) {
+ char enctype_name[30];
retval = KRB5_NOPERM_ETYPE;
+ if (krb5_enctype_to_string(etype, enctype_name, sizeof(enctype_name)) == 0)
+ krb5_set_error_message(context, retval,
+ "Encryption type %s not permitted",
+ enctype_name);
goto cleanup;
}
} else {
@@ -261,7 +292,13 @@
req->ticket->enc_part.enctype)
break;
if (!(*auth_context)->permitted_etypes[i]) {
+ char enctype_name[30];
retval = KRB5_NOPERM_ETYPE;
+ if (krb5_enctype_to_string(req->ticket->enc_part.enctype,
+ enctype_name, sizeof(enctype_name)) == 0)
+ krb5_set_error_message(context, retval,
+ "Encryption type %s not permitted",
+ enctype_name);
goto cleanup;
}
@@ -270,7 +307,13 @@
req->ticket->enc_part2->session->enctype)
break;
if (!(*auth_context)->permitted_etypes[i]) {
+ char enctype_name[30];
retval = KRB5_NOPERM_ETYPE;
+ if (krb5_enctype_to_string(req->ticket->enc_part2->session->enctype,
+ enctype_name, sizeof(enctype_name)) == 0)
+ krb5_set_error_message(context, retval,
+ "Encryption type %s not permitted",
+ enctype_name);
goto cleanup;
}
@@ -280,7 +323,14 @@
(*auth_context)->authentp->subkey->enctype)
break;
if (!(*auth_context)->permitted_etypes[i]) {
+ char enctype_name[30];
retval = KRB5_NOPERM_ETYPE;
+ if (krb5_enctype_to_string((*auth_context)->authentp->subkey->enctype,
+ enctype_name,
+ sizeof(enctype_name)) == 0)
+ krb5_set_error_message(context, retval,
+ "Encryption type %s not permitted",
+ enctype_name);
goto cleanup;
}
}
@@ -327,17 +377,23 @@
retval = 0;
cleanup:
+ if (server == &princ_data)
+ krb5_free_default_realm(context, princ_data.realm.data);
if (retval) {
/* only free if we're erroring out...otherwise some
applications will need the output. */
- krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
+ if (req->ticket->enc_part2)
+ krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
req->ticket->enc_part2 = NULL;
}
return retval;
}
krb5_error_code
-krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket)
+krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context,
+ const krb5_ap_req *req, krb5_const_principal server,
+ krb5_keytab keytab, krb5_flags *ap_req_options,
+ krb5_ticket **ticket)
{
krb5_error_code retval;
retval = krb5_rd_req_decoded_opt(context, auth_context,
@@ -348,7 +404,11 @@
}
krb5_error_code
-krb5_rd_req_decoded_anyflag(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket)
+krb5_rd_req_decoded_anyflag(krb5_context context,
+ krb5_auth_context *auth_context,
+ const krb5_ap_req *req,
+ krb5_const_principal server, krb5_keytab keytab,
+ krb5_flags *ap_req_options, krb5_ticket **ticket)
{
krb5_error_code retval;
retval = krb5_rd_req_decoded_opt(context, auth_context,
@@ -359,7 +419,8 @@
}
static krb5_error_code
-decrypt_authenticator(krb5_context context, const krb5_ap_req *request, krb5_authenticator **authpp, int is_ap_req)
+decrypt_authenticator(krb5_context context, const krb5_ap_req *request,
+ krb5_authenticator **authpp, int is_ap_req)
{
krb5_authenticator *local_auth;
krb5_error_code retval;
@@ -390,4 +451,3 @@
clean_scratch();
return retval;
}
-
Index: src/lib/krb5/krb/walk_rtree.c
===================================================================
--- src/lib/krb5/krb/walk_rtree.c (.../tags/krb5-1-6-1-final) (Revision 19657)
+++ src/lib/krb5/krb/walk_rtree.c (.../branches/krb5-1-6) (Revision 19657)
@@ -167,6 +167,9 @@
links++;
}
}
+ if (cap_nodes[links] != NULL)
+ krb5_xfree(cap_nodes[links]);
+
cap_nodes[links] = cap_server; /* put server on end of list */
/* this simplifies the code later and make */
/* cleanup eaiser as well */
Index: src/lib/krb5/krb/gc_frm_kdc.c
===================================================================
--- src/lib/krb5/krb/gc_frm_kdc.c (.../tags/krb5-1-6-1-final) (Revision 19540)
+++ src/lib/krb5/krb/gc_frm_kdc.c (.../branches/krb5-1-6) (Revision 19540)
--- src/lib/krb5/krb/gc_frm_kdc.c (.../tags/krb5-1-6-1-final) (Revision 19657)
+++ src/lib/krb5/krb/gc_frm_kdc.c (.../branches/krb5-1-6) (Revision 19657)
@@ -1043,6 +1043,7 @@
krb5_free_creds(context, (*tgts)[i]);
}
@ -79,8 +406,8 @@ Index: src/lib/krb5/krb/gc_frm_kdc.c
retval = krb5_cc_retrieve_cred(context, ccache, RETR_FLAGS,
Index: src/lib/krb5/krb/gic_opt.c
===================================================================
--- src/lib/krb5/krb/gic_opt.c (.../tags/krb5-1-6-1-final) (Revision 19540)
+++ src/lib/krb5/krb/gic_opt.c (.../branches/krb5-1-6) (Revision 19540)
--- src/lib/krb5/krb/gic_opt.c (.../tags/krb5-1-6-1-final) (Revision 19657)
+++ src/lib/krb5/krb/gic_opt.c (.../branches/krb5-1-6) (Revision 19657)
@@ -206,8 +206,18 @@
oe = krb5int_gic_opte_alloc(context);
if (NULL == oe)
@ -104,8 +431,8 @@ Index: src/lib/krb5/krb/gic_opt.c
Index: src/util/profile/prof_parse.c
===================================================================
--- src/util/profile/prof_parse.c (.../tags/krb5-1-6-1-final) (Revision 19540)
+++ src/util/profile/prof_parse.c (.../branches/krb5-1-6) (Revision 19540)
--- src/util/profile/prof_parse.c (.../tags/krb5-1-6-1-final) (Revision 19657)
+++ src/util/profile/prof_parse.c (.../branches/krb5-1-6) (Revision 19657)
@@ -306,8 +306,10 @@
*/
static int need_double_quotes(char *str)
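Review bot: In the src/lib/krb5/krb/rd_req_dec.c part of this patch, the statement added at the top of krb5_rd_req_decoded_opt, `req->ticket->enc_part2 == NULL;`, is a comparison whose result is discarded, not an assignment. The new `goto cleanup` on a principal mismatch then reaches `if (req->ticket->enc_part2) krb5_free_enc_tkt_part(...)` with whatever value the caller left in that field, so a stale pointer there would presumably be freed; the line should read `req->ticket->enc_part2 = NULL;`. Separately, in the server_stubs.c part the `size_t` values `tlen1`, `tlen2`, `clen` and `slen` are passed as the `%.*s` precision, which must be an `int`; trunc_name is not shown but presumably bounds them, so a cast such as `(int)tlen1` at each call site would make the argument types match. Both function bodies continue outside the hunks shown.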


@ -13,7 +13,7 @@
Name: krb5-doc
BuildRequires: ghostscript-library latex2html texlive
Version: 1.6.1
Release: 29
Release: 31
%define srcRoot krb5-1.6.1
Summary: MIT Kerberos5 Implementation--Documentation
License: X11/MIT


@ -1,3 +1,16 @@
-------------------------------------------------------------------
Mon Jul 2 11:39:54 CEST 2007 - mc@suse.de
- update krb5-1.6.1-post.dif
* fix leak in krb5_walk_realm_tree
* rd_req_decoded needs to deal with referral realms
* fix buffer overflow in kadmind
(MITKRB5-SA-2007-005 - CVE-2007-2798)
[#278689]
* fix kadmind code execution bug
(MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
[#271191]
-------------------------------------------------------------------
Wed May 9 15:31:08 CEST 2007 - mc@suse.de


@ -13,7 +13,7 @@
Name: krb5-plugins
Version: 1.6.1
Release: 7
Release: 8
BuildRequires: bison krb5-devel ncurses-devel openldap2-devel
%define srcRoot krb5-1.6.1
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
@ -207,6 +207,16 @@ rm -rf %{buildroot}
%{_mandir}/man8/*
%changelog
* Mon Jul 02 2007 - mc@suse.de
- update krb5-1.6.1-post.dif
* fix leak in krb5_walk_realm_tree
* rd_req_decoded needs to deal with referral realms
* fix buffer overflow in kadmind
(MITKRB5-SA-2007-005 - CVE-2007-2798)
[#278689]
* fix kadmind code execution bug
(MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
[#271191]
* Wed May 09 2007 - mc@suse.de
- fix uninitialized salt length
- add extra check for keytab file


@ -1,3 +1,16 @@
-------------------------------------------------------------------
Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de
- update krb5-1.6.1-post.dif
* fix leak in krb5_walk_realm_tree
* rd_req_decoded needs to deal with referral realms
* fix buffer overflow in kadmind
(MITKRB5-SA-2007-005 - CVE-2007-2798)
[#278689]
* fix kadmind code execution bug
(MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
[#271191]
-------------------------------------------------------------------
Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de


@ -12,7 +12,7 @@
Name: krb5
Version: 1.6.1
Release: 24
Release: 26
BuildRequires: bison libcom_err ncurses-devel
%if %{suse_version} > 1010
BuildRequires: keyutils keyutils-devel
@ -511,6 +511,16 @@ rm -rf %{buildroot}
%{_mandir}/man1/krb5-config.1*
%changelog
* Mon Jul 02 2007 - mc@suse.de
- update krb5-1.6.1-post.dif
* fix leak in krb5_walk_realm_tree
* rd_req_decoded needs to deal with referral realms
* fix buffer overflow in kadmind
(MITKRB5-SA-2007-005 - CVE-2007-2798)
[#278689]
* fix kadmind code execution bug
(MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
[#271191]
* Thu Jun 14 2007 - mc@suse.de
- fix unstripped-binary-or-object rpmlint warning
* Mon Jun 11 2007 - sschober@suse.de