rpm/krb5
SHA256
1
0
Fork 0
forked from pool/krb5
Code Pull Requests Activity

- Upgrade from 1.14 to 1.14.1:

Browse Source 
* Remove expired patches:
    0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
    0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
    0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
    krbdev.mit.edu-8301.patch
  * Replace source archives:
    krb5-1.14.tar.gz ->
    krb5-1.14.1.tar.gz
    krb5-1.14.tar.gz.asc ->
    krb5-1.14.1.tar.gz.asc
  * Adjust line numbers in:
    krb5-fix_interposer.patch

- Upgrade from 1.14 to 1.14.1:
  * Remove expired patches:
    0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
    0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
    0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
    krbdev.mit.edu-8301.patch
  * Replace source archives:
    krb5-1.14.tar.gz ->
    krb5-1.14.1.tar.gz
    krb5-1.14.tar.gz.asc ->
    krb5-1.14.1.tar.gz.asc
  * Adjust line numbers in:
    krb5-fix_interposer.patch

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=165
This commit is contained in:
Howard Guo 2016-04-01 07:50:43 +00:00 committed by Git OBS Bridge
parent fcaedabd68
commit 9f56699b06
13 changed files with 64 additions and 747 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
View File

@ -1,45 +0,0 @@
From df17a1224a3406f57477bcd372c61e04c0e5a5bb Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 8 Jan 2016 12:45:25 -0500
Subject: [PATCH] Verify decoded kadmin C strings [CVE-2015-8629]
In xdr_nullstring(), check that the decoded string is terminated with
a zero byte and does not contain any internal zero bytes.
CVE-2015-8629:
In all versions of MIT krb5, an authenticated attacker can cause
kadmind to read beyond the end of allocated memory by sending a string
without a terminating zero byte. Information leakage may be possible
for an attacker with permission to modify the database.
CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
ticket: 8341 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
index 2bef858..ba67084 100644
--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp)
return FALSE;
}
}
- return (xdr_opaque(xdrs, *objp, size));
+ if (!xdr_opaque(xdrs, *objp, size))
+ return FALSE;
+ /* Check that the unmarshalled bytes are a C string. */
+ if ((*objp)[size - 1] != '\0')
+ return FALSE;
+ if (memchr(*objp, '\0', size - 1) != NULL)
+ return FALSE;
+ return TRUE;
case XDR_ENCODE:
if (size != 0)
--
2.7.0

570
0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
View File

@ -1,570 +0,0 @@
From 83ed75feba32e46f736fcce0d96a0445f29b96c2 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 8 Jan 2016 13:16:54 -0500
Subject: [PATCH] Fix leaks in kadmin server stubs [CVE-2015-8631]
In each kadmind server stub, initialize the client_name and
server_name variables, and release them in the cleanup handler. Many
of the stubs will otherwise leak the client and server name if
krb5_unparse_name() fails. Also make sure to free the prime_arg
variables in rename_principal_2_svc(), or we can leak the first one if
unparsing the second one fails. Discovered by Simo Sorce.
CVE-2015-8631:
In all versions of MIT krb5, an authenticated attacker can cause
kadmind to leak memory by supplying a null principal name in a request
which uses one. Repeating these requests will eventually cause
kadmind to exhaust all available memory.
CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
ticket: 8343 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index 1879dc6..6ac797e 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -334,7 +334,8 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name, service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
@@ -382,10 +383,10 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
- gss_release_buffer(&minor_stat, &client_name);
- gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
free_server_handle(handle);
return &ret;
}
@@ -395,7 +396,8 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name, service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
@@ -444,10 +446,10 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
- gss_release_buffer(&minor_stat, &client_name);
- gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
free_server_handle(handle);
return &ret;
}
@@ -457,8 +459,8 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -501,10 +503,10 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp)
}
free(prime_arg);
- gss_release_buffer(&minor_stat, &client_name);
- gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
free_server_handle(handle);
return &ret;
}
@@ -514,8 +516,8 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
@@ -559,9 +561,9 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -570,10 +572,9 @@ generic_ret *
rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
- char *prime_arg1,
- *prime_arg2;
- gss_buffer_desc client_name,
- service_name;
+ char *prime_arg1 = NULL, *prime_arg2 = NULL;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
@@ -655,11 +656,11 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
+exit_func:
free(prime_arg1);
free(prime_arg2);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -669,8 +670,8 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
{
static gprinc_ret ret;
char *prime_arg, *funcname;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -719,9 +720,9 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -731,8 +732,8 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
{
static gprincs_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -777,9 +778,9 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -789,8 +790,8 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -840,9 +841,9 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp)
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -852,8 +853,8 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -909,9 +910,9 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp)
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -921,8 +922,8 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -969,9 +970,9 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp)
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -981,8 +982,8 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1029,9 +1030,9 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp)
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1041,8 +1042,8 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1092,9 +1093,9 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp)
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1106,8 +1107,8 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
krb5_keyblock *k;
int nkeys;
char *prime_arg, *funcname;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1164,9 +1165,9 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1178,8 +1179,8 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
krb5_keyblock *k;
int nkeys;
char *prime_arg, *funcname;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1241,9 +1242,9 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1253,8 +1254,8 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1295,9 +1296,9 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp)
if (errmsg != NULL)
krb5_free_error_message(handle->context, errmsg);
}
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1307,8 +1308,8 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1347,9 +1348,9 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp)
if (errmsg != NULL)
krb5_free_error_message(handle->context, errmsg);
}
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1359,8 +1360,8 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1400,9 +1401,9 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp)
if (errmsg != NULL)
krb5_free_error_message(handle->context, errmsg);
}
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1413,8 +1414,8 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
static gpol_ret ret;
kadm5_ret_t ret2;
char *prime_arg, *funcname;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_principal_ent_rec caller_ent;
kadm5_server_handle_t handle;
@@ -1475,9 +1476,9 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
log_unauth(funcname, prime_arg,
&client_name, &service_name, rqstp);
}
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
@@ -1488,8 +1489,8 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp)
{
static gpols_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1531,9 +1532,9 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp)
if (errmsg != NULL)
krb5_free_error_message(handle->context, errmsg);
}
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1541,7 +1542,8 @@ exit_func:
getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
{
static getprivs_ret ret;
- gss_buffer_desc client_name, service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1571,9 +1573,9 @@ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
if (errmsg != NULL)
krb5_free_error_message(handle->context, errmsg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1583,7 +1585,8 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg, *funcname;
- gss_buffer_desc client_name, service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
@@ -1629,9 +1632,9 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1641,8 +1644,8 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
{
static gstrings_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1688,9 +1691,9 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1700,8 +1703,8 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1744,9 +1747,9 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1754,8 +1757,8 @@ exit_func:
generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
{
static generic_ret ret;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
kadm5_server_handle_t handle;
OM_uint32 minor_stat;
const char *errmsg = NULL;
@@ -1797,10 +1800,10 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
rqstp->rq_cred.oa_flavor);
if (errmsg != NULL)
krb5_free_error_message(NULL, errmsg);
- gss_release_buffer(&minor_stat, &client_name);
- gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
return(&ret);
}
--
2.7.0

75
0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
View File

@ -1,75 +0,0 @@
From b863de7fbf080b15e347a736fdda0a82d42f4f6b Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 8 Jan 2016 12:52:28 -0500
Subject: [PATCH] Check for null kadm5 policy name [CVE-2015-8630]
In kadm5_create_principal_3() and kadm5_modify_principal(), check for
entry->policy being null when KADM5_POLICY is included in the mask.
CVE-2015-8630:
In MIT krb5 1.12 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying a null policy value but including KADM5_POLICY in
the mask.
CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
ticket: 8342 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 5b95fa3..1d4365c 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle,
/*
* Argument sanity checking, and opening up the DB
*/
+ if (entry == NULL)
+ return EINVAL;
if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) ||
(mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) ||
(mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
@@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle,
return KADM5_BAD_MASK;
if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0)
return KADM5_BAD_MASK;
+ if((mask & KADM5_POLICY) && entry->policy == NULL)
+ return KADM5_BAD_MASK;
if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
return KADM5_BAD_MASK;
if((mask & ~ALL_PRINC_MASK))
return KADM5_BAD_MASK;
- if (entry == NULL)
- return EINVAL;
/*
* Check to see if the principal exists
@@ -643,6 +645,8 @@ kadm5_modify_principal(void *server_handle,
krb5_clear_error_message(handle->context);
+ if(entry == NULL)
+ return EINVAL;
if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) ||
(mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) ||
(mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
@@ -651,10 +655,10 @@ kadm5_modify_principal(void *server_handle,
return KADM5_BAD_MASK;
if((mask & ~ALL_PRINC_MASK))
return KADM5_BAD_MASK;
+ if((mask & KADM5_POLICY) && entry->policy == NULL)
+ return KADM5_BAD_MASK;
if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
return KADM5_BAD_MASK;
- if(entry == (kadm5_principal_ent_t) NULL)
- return EINVAL;
if (mask & KADM5_TL_DATA) {
tl_data_orig = entry->tl_data;
while (tl_data_orig) {
--
2.7.0

3
krb5-1.14.1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c8faa44574246f5bd0ce5a3dedc48c32db48a74cc4323949bf70f0ac2d6f1a99
size 12259025

14
krb5-1.14.1.tar.gz.asc Normal file
View File

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAABAgAGBQJW1KZzAAoJEKMvF/0AVcMF9cQMAKZNlrtrB6ZS6CLFqGpRPfG2
T6WbhJ5GEYl4kmdINbJ/RQUMk2APwxMSmsl7q8VNM1JIxQVAL7cBZTu+7cfs3mZE
z9eCMmQsKdhZ3bnF52KB5LM2JfNUMidGEqzvOwK7mUgMXaPihiqYA0f2P10paOZl
cW1as0bvTbjWrnAO+jpW3AuW50h7zOpicX4F8gmD0gaqzcKZO9uZA3p6bjIgVRsO
XzofLkv0NxKWqcdLWocsVb2s4gezsQuRNIWmvpnR7ZFS2tfTuqrmdRNTm9t/yWMV
5YmTBKE0/R9JRRmqLm/IglIqrq7G/ZYRHSYpT5oSu72iZRrf5pKQ/jwB0jpFMN00
7xORKTWNwiGmAvIBBZqH+3emyIrcIdIw/3MN+HEZaLisJ1K/4bWJLB+0ju9dEcU/
naNhagonxFbVfE7SrlW/WflZpun2PVZ4c9WTG6z1OWPXZkXMLqdv+mNSoCHcvpOt
Z2+3HnWWanFncCn81oSLo/Zp3/0k7XBXtjp2Pb18CQ==
=Py+v
-----END PGP SIGNATURE-----

3
krb5-1.14.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cedb07fad8331e3ff2983d26e977a2ddba622f379c2b19bfea85bd695930f9e9
size 12255176

14
krb5-1.14.tar.gz.asc
View File

@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAABAgAGBQJWT4hUAAoJEKMvF/0AVcMFE44L/iuBH47TzpEn9RudgxMvxp7L
rREaBF/sIdMg0I8aUONtxw7nvh091s8SXus8UZiRYqPO+trB2pB52P1iQ4G9TBPX
IOkAEtxu/Sojfp2BxRd6NCBw+n90axNQDWogSN8U6XmK1szpiQz2KdaxfNTv5Lzm
Jtx/6p39DM7M72gkrFl8ZDEi2xKqyA1+fcCti3Q/Wdwx73HqWctHYNcjUtJH5bvN
GlTQq1PynPoHf8LqxVz6jquhuBgb2d2z8Q4hhQKlJF8x131vppeiWuDv3ExkcWKP
cvssUz8C1Ty7LF0ax0fwzQo22yEeTIHayvpbVidSiW8RUGUEiMzhaHcD3BTsQ5WF
X+l+xKqvZniB9Vs6KtbP4ErM6Rj+tNQJy8iMzEyDFTIuEFjK0497XGgBIp9FpgOl
6Rh9EXY66GUuU5FTnmGpmm3HxnhYWFDdj/vxj8DKTr5EmxAoc4j0fUp/ze4ZMZ02
P14WS5B4DSfqZO+vaOKHmtmZH0J/ZS/8x7JIuz4cQA==
=xlir
-----END PGP SIGNATURE-----

16
krb5-fix_interposer.patch
View File

@ -1,4 +1,4 @@
From b3901af6970fb7bde88eb16d51c8d05db6f37746 Mon Sep 17 00:00:00 2001
From a6b7ccabf383f1f667c5d2b549909dfd59df12f6 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 13 Nov 2015 14:54:11 -0500
Subject: [PATCH] Fix impersonate_name to work with interposers
@ -12,10 +12,6 @@ spnego_gss_acquire_cred_impersonate_name() since it is released in the
cleanup handler]
ticket: 8280 (new)
---
src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c | 58 +++++++++++++++--------
src/lib/gssapi/spnego/spnego_mech.c | 35 +++++++-------
2 files changed, 54 insertions(+), 39 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
index 0dd4f87..9eab25e 100644
@ -43,7 +39,7 @@ index 0dd4f87..9eab25e 100644
+ mech = gssint_get_mechanism(selected_mech);
if (!mech)
return GSS_S_BAD_MECH;
else if (!mech->gss_acquire_cred)
else if (!mech->gss_acquire_cred_impersonate_name)
@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
internal_name = GSS_C_NO_NAME;
} else {
@ -154,10 +150,10 @@ index 0dd4f87..9eab25e 100644
if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred)
free(union_cred);
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index e6703eb..28fb9b1 100644
index 5f1ca33..bb754d9 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -2619,10 +2619,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
@@ -2620,10 +2620,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
@ -170,7 +166,7 @@ index e6703eb..28fb9b1 100644
dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n");
@@ -2634,31 +2634,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
@@ -2635,31 +2635,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle;
imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL;
@ -218,5 +214,5 @@ index e6703eb..28fb9b1 100644
return (status);
}
--
2.6.2
2.7.4

17
krb5-mini.changes
View File

@ -1,3 +1,20 @@
-------------------------------------------------------------------
Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com
- Upgrade from 1.14 to 1.14.1:
* Remove expired patches:
0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
krbdev.mit.edu-8301.patch
* Replace source archives:
krb5-1.14.tar.gz ->
krb5-1.14.1.tar.gz
krb5-1.14.tar.gz.asc ->
krb5-1.14.1.tar.gz.asc
* Adjust line numbers in:
krb5-fix_interposer.patch
-------------------------------------------------------------------
Thu Feb 11 15:07:26 UTC 2016 - hguo@suse.com

7
krb5-mini.spec
View File

@ -16,7 +16,7 @@
#
%define srcRoot krb5-1.14
%define srcRoot krb5-1.14.1
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -29,7 +29,7 @@ BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.14
Version: 1.14.1
Release: 0
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
License: MIT
@ -64,8 +64,6 @@ Patch8: krb5-1.12-api.patch
Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301
Patch14: krbdev.mit.edu-8301.patch
Patch15: krb5-fix_interposer.patch
Patch16: krb5-mechglue_inqure_attrs.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -112,7 +110,6 @@ Include Files for Development
%patch11 -p1
%patch12 -p1
%patch13 -p0
%patch14 -p1
%patch15 -p1
%patch16 -p1

17
krb5.changes
View File

@ -1,3 +1,20 @@
-------------------------------------------------------------------
Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com
- Upgrade from 1.14 to 1.14.1:
* Remove expired patches:
0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
krbdev.mit.edu-8301.patch
* Replace source archives:
krb5-1.14.tar.gz ->
krb5-1.14.1.tar.gz
krb5-1.14.tar.gz.asc ->
krb5-1.14.1.tar.gz.asc
* Adjust line numbers in:
krb5-fix_interposer.patch
-------------------------------------------------------------------
Wed Mar 23 13:02:48 UTC 2016 - hguo@suse.com

19
krb5.spec
View File

@ -16,10 +16,6 @@
#
%define srcRoot krb5-1.14
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
Name: krb5
Url: http://web.mit.edu/kerberos/www/
BuildRequires: autoconf
@ -29,7 +25,7 @@ BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.14
Version: 1.14.1
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
@ -68,13 +64,8 @@ Patch8: krb5-1.12-api.patch
Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301
Patch14: krbdev.mit.edu-8301.patch
Patch15: krb5-fix_interposer.patch
Patch16: krb5-mechglue_inqure_attrs.patch
Patch104: 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
Patch105: 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
Patch106: 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
Patch107: 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
@ -170,6 +161,10 @@ which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes Libraries and
Include Files for Development
%define srcRoot krb5-%{version}
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
%prep
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
@ -183,12 +178,8 @@ Include Files for Development
%patch11 -p1
%patch12 -p1
%patch13 -p0
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch104 -p1
%patch105 -p1
%patch106 -p1
%patch107 -p1
%build

11
krbdev.mit.edu-8301.patch
View File

@ -1,11 +0,0 @@
--- krb5-1.14.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-11-20 21:28:42.000000000 +0100
+++ krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-12-09 20:17:00.465765527 +0100
@@ -684,7 +684,7 @@
if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
int ost = st;
st = EINVAL;
- k5_prependmsg(context, ost, st, _("'%s' not found"),
+ k5_wrapmsg(context, ost, st, _("'%s' not found"),
xargs.containerdn);
}
goto cleanup;