diff --git a/krb5-1.9-MITKRB5-SA-2011-007.dif b/krb5-1.9-MITKRB5-SA-2011-007.dif new file mode 100644 index 0000000..9435410 --- /dev/null +++ b/krb5-1.9-MITKRB5-SA-2011-007.dif @@ -0,0 +1,42 @@ +diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in +index f46cad3..102fbaa 100644 +--- a/src/kdc/Makefile.in ++++ b/src/kdc/Makefile.in +@@ -67,6 +67,7 @@ check-unix:: rtest + + check-pytests:: + $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS) ++ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS) + + install:: + $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc +diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c +index c169c54..840a2ef 100644 +--- a/src/kdc/do_tgs_req.c ++++ b/src/kdc/do_tgs_req.c +@@ -243,7 +243,8 @@ tgt_again: + if (!tgs_1 || !data_eq(*server_1, *tgs_1)) { + errcode = find_alternate_tgs(request, &server); + firstpass = 0; +- goto tgt_again; ++ if (errcode == 0) ++ goto tgt_again; + } + } + status = "UNKNOWN_SERVER"; +diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py +new file mode 100644 +index 0000000..1760bcd +--- /dev/null ++++ b/src/kdc/t_emptytgt.py +@@ -0,0 +1,8 @@ ++#!/usr/bin/python ++from k5test import * ++ ++realm = K5Realm(start_kadmind=False, create_host=False) ++output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1) ++if 'not found in Kerberos database' not in output: ++ fail('TGT lookup for empty realm failed in unexpected way') ++success('Empty tgt lookup.') + + diff --git a/krb5-1.9-gss_display_status-iakerb.patch b/krb5-1.9-gss_display_status-iakerb.patch new file mode 100644 index 0000000..9fa917a --- /dev/null +++ b/krb5-1.9-gss_display_status-iakerb.patch @@ -0,0 +1,14 @@ +Index: krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c +=================================================================== +--- krb5-1.9.1.orig/src/lib/gssapi/krb5/disp_status.c ++++ krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c +@@ -167,7 +167,8 @@ krb5_gss_display_status(minor_status, st + + if ((mech_type != GSS_C_NULL_OID) && + !g_OID_equal(gss_mech_krb5, mech_type) && +- !g_OID_equal(gss_mech_krb5_old, mech_type)) { ++ !g_OID_equal(gss_mech_krb5_old, mech_type) && ++ !g_OID_equal(gss_mech_iakerb, mech_type)) { + *minor_status = 0; + return(GSS_S_BAD_MECH); + } diff --git a/krb5-1.9.1-sendto_poll2.patch b/krb5-1.9.1-sendto_poll2.patch new file mode 100644 index 0000000..5a323d7 --- /dev/null +++ b/krb5-1.9.1-sendto_poll2.patch @@ -0,0 +1,22 @@ +RT#6951 +Index: krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c +=================================================================== +--- krb5-1.9.1.orig/src/lib/krb5/os/sendto_kdc.c ++++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c +@@ -895,12 +895,12 @@ maybe_send(krb5_context context, struct + static void + kill_conn(struct conn_state *conn, struct select_state *selstate, int err) + { ++ dprint("abandoning connection %d: %m\n", conn->fd, err); ++ cm_remove_fd(selstate, conn->fd); ++ closesocket(conn->fd); ++ conn->fd = INVALID_SOCKET; + conn->state = FAILED; + conn->err = err; +- shutdown(conn->fd, SHUTDOWN_BOTH); +- cm_remove_fd(selstate, conn->fd); +- dprint("abandoning connection %d: %m\n", conn->fd, err); +- /* Fix up max fd for next select call. */ + } + + /* Check socket for error. */ diff --git a/krb5-1.9.1-sendto_poll3.patch b/krb5-1.9.1-sendto_poll3.patch new file mode 100644 index 0000000..60f966d --- /dev/null +++ b/krb5-1.9.1-sendto_poll3.patch @@ -0,0 +1,18 @@ +If we exit the transmit loop cleanly, don't overestimate the size of the +connections array. This bug appears to have been removed upstream when +this function was rewritten in trunk, and the select()-based implementation +is still what's in 1.9, so this patch has nowhere to go. +--- krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:20.560811664 -0400 ++++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:11.396812292 -0400 +@@ -1317,7 +1319,10 @@ krb5int_sendto (krb5_context context, co + call with the last one from the above loop, if the loop + actually calls select. */ + sel_state->end_time.tv_sec += delay_this_pass; +- e = service_fds(context, sel_state, conns, host+1, &winning_conn, ++ i = host+1; ++ if (i > n_conns) ++ i = n_conns; ++ e = service_fds(context, sel_state, conns, i, &winning_conn, + sel_state+1, msg_handler, msg_handler_data); + if (e) + break; diff --git a/krb5-mini.changes b/krb5-mini.changes index 416c4a5..2fa37a8 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Mon Nov 21 11:24:12 CET 2011 - mc@suse.de + +- fix KDC null pointer dereference in TGS handling + (MITKRB5-SA-2011-007, bnc#730393) + CVE-2011-1530 + +------------------------------------------------------------------- +Mon Nov 21 11:11:54 CET 2011 - mc@suse.de + +- fix KDC HA feature introduced with implementing KDC poll + (RT#6951) + +------------------------------------------------------------------- +Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de + +- fix minor error messages for the IAKERB GSSAPI mechanism + (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020) + ------------------------------------------------------------------- Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index 85dc3aa..bb4eed3 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -72,6 +72,10 @@ Patch24: krb5-trunk-chpw-err.patch Patch25: krb5-trunk-gss_delete_sec.patch Patch26: krb5-trunk-kadmin-oldproto.patch Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif +Patch31: krb5-1.9-gss_display_status-iakerb.patch +Patch32: krb5-1.9.1-sendto_poll2.patch +Patch33: krb5-1.9.1-sendto_poll3.patch +Patch34: krb5-1.9-MITKRB5-SA-2011-007.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -234,6 +238,10 @@ Authors: %patch25 -p1 %patch26 %patch30 -p1 +%patch31 -p1 +%patch32 -p1 +%patch33 -p1 +%patch34 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do diff --git a/krb5.changes b/krb5.changes index 416c4a5..0be899d 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Mon Nov 21 11:24:12 CET 2011 - mc@suse.de + +- fix KDC null pointer dereference in TGS handling + (MITKRB5-SA-2011-007, bnc#730393) + CVE-2011-1530 + +------------------------------------------------------------------- +Mon Nov 21 11:11:54 CET 2011 - mc@suse.de + +- fix KDC HA feature introduced with implementing KDC poll + (RT#6951, bnc#731648) + +------------------------------------------------------------------- +Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de + +- fix minor error messages for the IAKERB GSSAPI mechanism + (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020) + ------------------------------------------------------------------- Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index 08b9c75..e1ab109 100644 --- a/krb5.spec +++ b/krb5.spec @@ -72,6 +72,10 @@ Patch24: krb5-trunk-chpw-err.patch Patch25: krb5-trunk-gss_delete_sec.patch Patch26: krb5-trunk-kadmin-oldproto.patch Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif +Patch31: krb5-1.9-gss_display_status-iakerb.patch +Patch32: krb5-1.9.1-sendto_poll2.patch +Patch33: krb5-1.9.1-sendto_poll3.patch +Patch34: krb5-1.9-MITKRB5-SA-2011-007.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -234,6 +238,10 @@ Authors: %patch25 -p1 %patch26 %patch30 -p1 +%patch31 -p1 +%patch32 -p1 +%patch33 -p1 +%patch34 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do