SHA256
1
0
forked from pool/krb5

Accepting request 35620 from network

checked in (request 35620)

OBS-URL: https://build.opensuse.org/request/show/35620
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=15
This commit is contained in:
OBS User autobuild 2010-03-25 23:13:30 +00:00 committed by Git OBS Bridge
parent 28dc0dd056
commit 2c72bcf882
8 changed files with 1 additions and 447 deletions

View File

@ -1,71 +0,0 @@
Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c.orig
+++ src/lib/gssapi/spnego/spnego_mech.c
@@ -1576,7 +1576,7 @@ spnego_gss_accept_sec_context(
spnego_gss_ctx_id_t sc = NULL;
spnego_gss_cred_id_t spcred = NULL;
OM_uint32 mechstat = GSS_S_FAILURE;
- int sendTokenInit = 0;
+ int sendTokenInit = 0, tmpret;
mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER;
@@ -1609,7 +1609,6 @@ spnego_gss_accept_sec_context(
if (delegated_cred_handle != NULL)
*delegated_cred_handle = GSS_C_NO_CREDENTIAL;
if (input_token->length == 0) {
- sendTokenInit = 1;
ret = acc_ctx_hints(minor_status,
context_handle, spcred,
&mic_out,
@@ -1617,6 +1616,7 @@ spnego_gss_accept_sec_context(
&return_token);
if (ret != GSS_S_COMPLETE)
goto cleanup;
+ sendTokenInit = 1;
ret = GSS_S_CONTINUE_NEEDED;
} else {
/* Can set negState to REQUEST_MIC */
@@ -1664,27 +1664,21 @@ spnego_gss_accept_sec_context(
&negState, &return_token);
}
cleanup:
- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
- /* For acceptor-sends-first send a tokenInit */
- int tmpret;
-
+ if (return_token == INIT_TOKEN_SEND && sendTokenInit) {
assert(sc != NULL);
-
- if (sendTokenInit) {
- tmpret = make_spnego_tokenInit_msg(sc,
- 1,
- mic_out,
- 0,
- GSS_C_NO_BUFFER,
- return_token,
- output_token);
- } else {
- tmpret = make_spnego_tokenTarg_msg(negState,
- sc ? sc->internal_mech : GSS_C_NO_OID,
- &mechtok_out, mic_out,
- return_token,
- output_token);
- }
+ tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0,
+ GSS_C_NO_BUFFER,
+ return_token, output_token);
+ if (tmpret < 0)
+ ret = GSS_S_FAILURE;
+ } else if (return_token != NO_TOKEN_SEND &&
+ return_token != CHECK_MIC) {
+ tmpret = make_spnego_tokenTarg_msg(negState,
+ sc ? sc->internal_mech :
+ GSS_C_NO_OID,
+ &mechtok_out, mic_out,
+ return_token,
+ output_token);
if (tmpret < 0)
ret = GSS_S_FAILURE;
}

View File

@ -1,315 +0,0 @@
Index: doc/admin.texinfo
===================================================================
--- doc/admin.texinfo.orig
+++ doc/admin.texinfo
@@ -516,13 +516,6 @@ DCE do not support the default cache as
Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on
DCE 1.1 systems. The default value is @value{DefaultCcacheType}.
-@ignore
-@itemx tkt_lifetime
-The default lifetime of a ticket. The default is
-@value{DefaultTktLifetime}. This is currently not supported by the
-code.
-@end ignore
-
@itemx dns_lookup_kdc
Indicate whether DNS SRV records should be used to locate the KDCs and
other servers for a realm, if they are not listed in the information for
@@ -583,6 +576,11 @@ If this flag is set, then an attempt to
fail if the client machine does not have a keytab. The default for the
flag is @value{DefaultVerifyApReqNofail}.
+@itemx ticket_lifetime
+The value of this tag is the default lifetime for
+initial tickets. The default value for the tag is
+@value{DefaultTktLifetime}.
+
@itemx renew_lifetime
The value of this tag is the default renewable lifetime for
initial tickets. The default value for the tag is
Index: src/include/krb5/krb5.hin
===================================================================
--- src/include/krb5/krb5.hin.orig
+++ src/include/krb5/krb5.hin
@@ -1066,7 +1066,7 @@ krb5_verify_checksum(krb5_context contex
#define KRB5_AUTHDATA_SESAME 65
#define KRB5_AUTHDATA_WIN2K_PAC 128
#define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */
-#define KRB5_AUTHDATA_SIGNTICKET 142
+#define KRB5_AUTHDATA_SIGNTICKET 512 /* formerly 142 in krb5 1.8 */
#define KRB5_AUTHDATA_FX_ARMOR 71
/* password change constants */
@@ -1184,6 +1184,19 @@ typedef struct _krb5_pa_data {
krb5_octet *contents;
} krb5_pa_data;
+/* typed data */
+/*
+ * The FAST error handling logic currently assumes that this structure and
+ * krb5_pa_data * can be safely cast to each other if this structure changes,
+ * that code needs to be updated to copy.
+ */
+typedef struct _krb5_typed_data {
+ krb5_magic magic;
+ krb5_int32 type;
+ unsigned int length;
+ krb5_octet *data;
+} krb5_typed_data;
+
typedef struct _krb5_kdc_req {
krb5_magic magic;
krb5_msgtype msg_type; /* AS_REQ or TGS_REQ? */
Index: src/include/k5-int-pkinit.h
===================================================================
--- src/include/k5-int-pkinit.h.orig
+++ src/include/k5-int-pkinit.h
@@ -101,17 +101,6 @@ typedef struct _krb5_trusted_ca {
} u;
} krb5_trusted_ca;
-/* typed data */
-/* The FAST error handling logic currently assumes that this structure and krb5_pa_data * can be safely cast to each other
- * if this structure changes, that code needs to be updated to copy.
- */
-typedef struct _krb5_typed_data {
- krb5_magic magic;
- krb5_int32 type;
- unsigned int length;
- krb5_octet *data;
-} krb5_typed_data;
-
/* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */
typedef struct _krb5_pa_pk_as_req_draft9 {
krb5_octet_data signedAuthPack;
Index: src/kdc/kdc_authdata.c
===================================================================
--- src/kdc/kdc_authdata.c.orig
+++ src/kdc/kdc_authdata.c
@@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context contex
enc_sp.length = sp_authdata[0]->length;
code = decode_krb5_ad_signedpath(&enc_sp, &sp);
- if (code != 0)
+ if (code != 0) {
+ /* Treat an invalid signedpath authdata element as a missing one, since
+ * we believe MS is using the same number for something else. */
+ code = 0;
goto cleanup;
+ }
code = verify_ad_signedpath_checksum(context,
krbtgt,
Index: src/kdc/do_tgs_req.c
===================================================================
--- src/kdc/do_tgs_req.c.orig
+++ src/kdc/do_tgs_req.c
@@ -1215,6 +1215,7 @@ prep_reprocess_req(krb5_kdc_req *request
strlcpy(comp1_str,comp1->data,comp1->length+1);
if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
+ krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST ||
(krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN &&
kdc_active_realm->realm_host_based_services != NULL &&
(krb5_match_config_pattern(kdc_active_realm->realm_host_based_services,
Index: src/clients/kpasswd/kpasswd.c
===================================================================
--- src/clients/kpasswd/kpasswd.c.orig
+++ src/clients/kpasswd/kpasswd.c
@@ -47,7 +47,7 @@ int main(int argc, char *argv[])
{
krb5_error_code ret;
krb5_context context;
- krb5_principal princ;
+ krb5_principal princ = NULL;
char *pname;
krb5_ccache ccache;
krb5_get_init_creds_opt *opts = NULL;
@@ -84,23 +84,27 @@ int main(int argc, char *argv[])
com_err(argv[0], ret, "parsing client name");
exit(1);
}
- } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) {
- if (ret) {
+ } else {
+ ret = krb5_cc_default(context, &ccache);
+ if (ret != 0) {
com_err(argv[0], ret, "opening default ccache");
exit(1);
}
- if ((ret = krb5_cc_get_principal(context, ccache, &princ))) {
+ ret = krb5_cc_get_principal(context, ccache, &princ);
+ if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) {
com_err(argv[0], ret, "getting principal from ccache");
exit(1);
}
- if ((ret = krb5_cc_close(context, ccache))) {
+ ret = krb5_cc_close(context, ccache);
+ if (ret != 0) {
com_err(argv[0], ret, "closing ccache");
exit(1);
}
- } else {
- get_name_from_passwd_file(argv[0], context, &princ);
+
+ if (princ == NULL)
+ get_name_from_passwd_file(argv[0], context, &princ);
}
if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) {
Index: src/config-files/krb5.conf.M
===================================================================
--- src/config-files/krb5.conf.M.orig
+++ src/config-files/krb5.conf.M
@@ -220,6 +220,10 @@ If this flag is set, then an attempt to
fail if the client machine does not have a keytab. The default for the
flag is false.
+.IP ticket_lifetime
+The value of this tag is the default lifetime for initial tickets. The
+default value for the tag is 1 day (1d).
+
.IP renew_lifetime
The value of this tag is the default renewable lifetime for initial
tickets. The default value for the tag is 0.
Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c.orig
+++ src/lib/gssapi/spnego/spnego_mech.c
@@ -1687,6 +1687,7 @@ cleanup:
if (sc->internal_name != GSS_C_NO_NAME &&
src_name != NULL) {
*src_name = sc->internal_name;
+ sc->internal_name = GSS_C_NO_NAME;
}
release_spnego_ctx(&sc);
} else if (ret != GSS_S_CONTINUE_NEEDED) {
@@ -2572,6 +2573,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t *
(void) generic_gss_release_oid(&minor_stat,
&context->internal_mech);
+ (void) gss_release_name(&minor_stat, &context->internal_name);
+
if (context->optionStr != NULL) {
free(context->optionStr);
context->optionStr = NULL;
Index: src/lib/kadm5/srv/svr_principal.c
===================================================================
--- src/lib/kadm5/srv/svr_principal.c.orig
+++ src/lib/kadm5/srv/svr_principal.c
@@ -858,8 +858,8 @@ kadm5_get_principal(void *server_handle,
if (! (mask & KADM5_MOD_TIME))
entry->mod_date = 0;
if (! (mask & KADM5_MOD_NAME)) {
- krb5_free_principal(handle->context, entry->principal);
- entry->principal = NULL;
+ krb5_free_principal(handle->context, entry->mod_name);
+ entry->mod_name = NULL;
}
}
@@ -871,10 +871,12 @@ kadm5_get_principal(void *server_handle,
if (kdb.key_data[i].key_data_kvno > entry->kvno)
entry->kvno = kdb.key_data[i].key_data_kvno;
- ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist,
- &entry->mkvno);
- if (ret)
- goto done;
+ if (mask & KADM5_MKVNO) {
+ ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist,
+ &entry->mkvno);
+ if (ret)
+ goto done;
+ }
if (mask & KADM5_MAX_RLIFE)
entry->max_renewable_life = kdb.max_renewable_life;
Index: src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c.orig
+++ src/lib/krb5/os/changepw.c
@@ -65,20 +65,23 @@ locate_kpasswd(krb5_context context, con
int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM);
code = krb5int_locate_server (context, realm, addrlist,
- locate_service_kpasswd, sockType, AF_INET);
+ locate_service_kpasswd, sockType, AF_UNSPEC);
if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) {
code = krb5int_locate_server (context, realm, addrlist,
locate_service_kadmin, SOCK_STREAM,
- AF_INET);
+ AF_UNSPEC);
if (!code) {
/* Success with admin_server but now we need to change the
port number to use DEFAULT_KPASSWD_PORT and the socktype. */
size_t i;
for (i=0; i<addrlist->naddrs; i++) {
struct addrinfo *a = addrlist->addrs[i].ai;
+ krb5_ui_2 kpasswd_port = htons(DEFAULT_KPASSWD_PORT);
if (a->ai_family == AF_INET)
- sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT);
+ sa2sin (a->ai_addr)->sin_port = kpasswd_port;
+ if (a->ai_family == AF_INET6)
+ sa2sin6 (a->ai_addr)->sin6_port = kpasswd_port;
if (sockType != SOCK_STREAM)
a->ai_socktype = sockType;
}
@@ -131,10 +134,16 @@ kpasswd_sendto_msg_callback(struct conn_
/* some brain-dead OS's don't return useful information from
* the getsockname call. Namely, windows and solaris. */
- if (ss2sin(&local_addr)->sin_addr.s_addr != 0) {
+ if (local_addr.ss_family == AF_INET &&
+ ss2sin(&local_addr)->sin_addr.s_addr != 0) {
local_kaddr.addrtype = ADDRTYPE_INET;
local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr);
local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr;
+ } else if (local_addr.ss_family == AF_INET6 &&
+ ss2sin6(&local_addr)->sin6_addr.s6_addr != 0) {
+ local_kaddr.addrtype = ADDRTYPE_INET6;
+ local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr);
+ local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr;
} else {
krb5_address **addrs;
@@ -290,9 +299,19 @@ change_set_password(krb5_context context
break;
}
- remote_kaddr.addrtype = ADDRTYPE_INET;
- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
- remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
+ if (remote_addr.ss_family == AF_INET) {
+ remote_kaddr.addrtype = ADDRTYPE_INET;
+ remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
+ remote_kaddr.contents =
+ (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
+ } else if (remote_addr.ss_family == AF_INET6) {
+ remote_kaddr.addrtype = ADDRTYPE_INET6;
+ remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr);
+ remote_kaddr.contents =
+ (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr;
+ } else {
+ break;
+ }
if ((code = krb5_auth_con_setaddrs(callback_ctx.context,
callback_ctx.auth_context,
Index: src/lib/krb5/krb/gic_pwd.c
===================================================================
--- src/lib/krb5/krb/gic_pwd.c.orig
+++ src/lib/krb5/krb/gic_pwd.c
@@ -218,7 +218,7 @@ krb5_get_init_creds_password(krb5_contex
* to prompt. Prompting is only disabled if the option has been set
* and the value has been set to false.
*/
- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
+ if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
goto cleanup;
/* ok, we have an expired password. Give the user a few chances

View File

@ -1,9 +1,3 @@
-------------------------------------------------------------------
Tue Mar 23 12:38:29 CET 2010 - mc@suse.de
- add post 1.8 fixes
* Document the ticket_lifetime libdefaults setting
-------------------------------------------------------------------
Thu Mar 4 11:45:22 CET 2010 - mc@suse.de

View File

@ -31,7 +31,6 @@ Source: krb5-1.8.tar.bz2
Source3: %{name}-%{version}-rpmlintrc
Patch0: krb5-1.3.5-perlfix.dif
Patch1: krb5-1.6.3-texi2dvi-fix.dif
Patch2: krb5-1.8-POST.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
@ -54,7 +53,6 @@ Authors:
%setup -n %{srcRoot}
%patch0
%patch1
%patch2
%build

View File

@ -1,25 +1,3 @@
-------------------------------------------------------------------
Tue Mar 23 14:32:41 CET 2010 - mc@suse.de
- fix a bug where an unauthenticated remote attacker could cause
a GSS-API application including the Kerberos administration
daemon (kadmind) to crash.
CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)
-------------------------------------------------------------------
Tue Mar 23 12:33:26 CET 2010 - mc@suse.de
- add post 1.8 fixes
* Add IPv6 support to changepw.c
* fix two problems in kadm5_get_principal mask handling
* Ignore improperly encoded signedpath AD elements
* handle NT_SRV_INST in service principal referrals
* dereference options while checking
KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
* Fix the kpasswd fallback from the ccache principal name
* Document the ticket_lifetime libdefaults setting
* Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
-------------------------------------------------------------------
Thu Mar 4 10:42:29 CET 2010 - mc@suse.de

View File

@ -1,5 +1,5 @@
#
# spec file for package krb5 (Version 1.8)
# spec file for package krb5-mini (Version 1.8)
#
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@ -55,8 +55,6 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch41: krb5-1.6.3-kpasswd_tcp.patch
Patch44: krb5-1.6.3-ktutil-manpage.dif
Patch46: krb5-1.6.3-fix-ipv6-query.dif
Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif
Patch50: krb5-1.8-POST.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -204,8 +202,6 @@ Authors:
%patch41
%patch44 -p1
%patch46 -p1
%patch47
%patch50
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do

View File

@ -1,25 +1,3 @@
-------------------------------------------------------------------
Tue Mar 23 14:32:41 CET 2010 - mc@suse.de
- fix a bug where an unauthenticated remote attacker could cause
a GSS-API application including the Kerberos administration
daemon (kadmind) to crash.
CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)
-------------------------------------------------------------------
Tue Mar 23 12:33:26 CET 2010 - mc@suse.de
- add post 1.8 fixes
* Add IPv6 support to changepw.c
* fix two problems in kadm5_get_principal mask handling
* Ignore improperly encoded signedpath AD elements
* handle NT_SRV_INST in service principal referrals
* dereference options while checking
KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
* Fix the kpasswd fallback from the ccache principal name
* Document the ticket_lifetime libdefaults setting
* Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
-------------------------------------------------------------------
Thu Mar 4 10:42:29 CET 2010 - mc@suse.de

View File

@ -55,8 +55,6 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch41: krb5-1.6.3-kpasswd_tcp.patch
Patch44: krb5-1.6.3-ktutil-manpage.dif
Patch46: krb5-1.6.3-fix-ipv6-query.dif
Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif
Patch50: krb5-1.8-POST.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -204,8 +202,6 @@ Authors:
%patch41
%patch44 -p1
%patch46 -p1
%patch47
%patch50
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do