From 46ef3c181c5b99c14e330b0702c6017f8b75b3b7c2333b159c22d18d084ff1f9 Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Mon, 21 Nov 2011 09:54:25 +0000 Subject: [PATCH 1/3] Accepting request 92055 from home:rhafer:branches:network fix minor error messages for the IAKERB GSSAPI mechanism (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020) OBS-URL: https://build.opensuse.org/request/show/92055 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=54 --- krb5-1.9-gss_display_status-iakerb.patch | 14 ++++++++++++++ krb5-mini.changes | 6 ++++++ krb5-mini.spec | 2 ++ krb5.changes | 6 ++++++ krb5.spec | 2 ++ 5 files changed, 30 insertions(+) create mode 100644 krb5-1.9-gss_display_status-iakerb.patch diff --git a/krb5-1.9-gss_display_status-iakerb.patch b/krb5-1.9-gss_display_status-iakerb.patch new file mode 100644 index 0000000..9fa917a --- /dev/null +++ b/krb5-1.9-gss_display_status-iakerb.patch @@ -0,0 +1,14 @@ +Index: krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c +=================================================================== +--- krb5-1.9.1.orig/src/lib/gssapi/krb5/disp_status.c ++++ krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c +@@ -167,7 +167,8 @@ krb5_gss_display_status(minor_status, st + + if ((mech_type != GSS_C_NULL_OID) && + !g_OID_equal(gss_mech_krb5, mech_type) && +- !g_OID_equal(gss_mech_krb5_old, mech_type)) { ++ !g_OID_equal(gss_mech_krb5_old, mech_type) && ++ !g_OID_equal(gss_mech_iakerb, mech_type)) { + *minor_status = 0; + return(GSS_S_BAD_MECH); + } diff --git a/krb5-mini.changes b/krb5-mini.changes index 416c4a5..530f8a5 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de + +- fix minor error messages for the IAKERB GSSAPI mechanism + (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020) + ------------------------------------------------------------------- Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index 85dc3aa..1630ab5 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -72,6 +72,7 @@ Patch24: krb5-trunk-chpw-err.patch Patch25: krb5-trunk-gss_delete_sec.patch Patch26: krb5-trunk-kadmin-oldproto.patch Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif +Patch31: krb5-1.9-gss_display_status-iakerb.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -234,6 +235,7 @@ Authors: %patch25 -p1 %patch26 %patch30 -p1 +%patch31 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do diff --git a/krb5.changes b/krb5.changes index 416c4a5..530f8a5 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de + +- fix minor error messages for the IAKERB GSSAPI mechanism + (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020) + ------------------------------------------------------------------- Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index 08b9c75..0b2146b 100644 --- a/krb5.spec +++ b/krb5.spec @@ -72,6 +72,7 @@ Patch24: krb5-trunk-chpw-err.patch Patch25: krb5-trunk-gss_delete_sec.patch Patch26: krb5-trunk-kadmin-oldproto.patch Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif +Patch31: krb5-1.9-gss_display_status-iakerb.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -234,6 +235,7 @@ Authors: %patch25 -p1 %patch26 %patch30 -p1 +%patch31 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do From f4d30b42a28bc6d42ba6f4b9b17b6d71468973bd0d744f31c368c5c0e06ca12d Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Mon, 21 Nov 2011 10:17:08 +0000 Subject: [PATCH 2/3] - fix KDC HA feature introduced with implementing KDC poll (RT#6951) - fix KDC HA feature introduced with implementing KDC poll (RT#6951) OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=55 --- krb5-1.9.1-sendto_poll2.patch | 22 ++++++++++++++++++++++ krb5-1.9.1-sendto_poll3.patch | 18 ++++++++++++++++++ krb5-mini.changes | 6 ++++++ krb5-mini.spec | 4 ++++ krb5.changes | 6 ++++++ krb5.spec | 4 ++++ 6 files changed, 60 insertions(+) create mode 100644 krb5-1.9.1-sendto_poll2.patch create mode 100644 krb5-1.9.1-sendto_poll3.patch diff --git a/krb5-1.9.1-sendto_poll2.patch b/krb5-1.9.1-sendto_poll2.patch new file mode 100644 index 0000000..5a323d7 --- /dev/null +++ b/krb5-1.9.1-sendto_poll2.patch @@ -0,0 +1,22 @@ +RT#6951 +Index: krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c +=================================================================== +--- krb5-1.9.1.orig/src/lib/krb5/os/sendto_kdc.c ++++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c +@@ -895,12 +895,12 @@ maybe_send(krb5_context context, struct + static void + kill_conn(struct conn_state *conn, struct select_state *selstate, int err) + { ++ dprint("abandoning connection %d: %m\n", conn->fd, err); ++ cm_remove_fd(selstate, conn->fd); ++ closesocket(conn->fd); ++ conn->fd = INVALID_SOCKET; + conn->state = FAILED; + conn->err = err; +- shutdown(conn->fd, SHUTDOWN_BOTH); +- cm_remove_fd(selstate, conn->fd); +- dprint("abandoning connection %d: %m\n", conn->fd, err); +- /* Fix up max fd for next select call. */ + } + + /* Check socket for error. */ diff --git a/krb5-1.9.1-sendto_poll3.patch b/krb5-1.9.1-sendto_poll3.patch new file mode 100644 index 0000000..60f966d --- /dev/null +++ b/krb5-1.9.1-sendto_poll3.patch @@ -0,0 +1,18 @@ +If we exit the transmit loop cleanly, don't overestimate the size of the +connections array. This bug appears to have been removed upstream when +this function was rewritten in trunk, and the select()-based implementation +is still what's in 1.9, so this patch has nowhere to go. +--- krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:20.560811664 -0400 ++++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:11.396812292 -0400 +@@ -1317,7 +1319,10 @@ krb5int_sendto (krb5_context context, co + call with the last one from the above loop, if the loop + actually calls select. */ + sel_state->end_time.tv_sec += delay_this_pass; +- e = service_fds(context, sel_state, conns, host+1, &winning_conn, ++ i = host+1; ++ if (i > n_conns) ++ i = n_conns; ++ e = service_fds(context, sel_state, conns, i, &winning_conn, + sel_state+1, msg_handler, msg_handler_data); + if (e) + break; diff --git a/krb5-mini.changes b/krb5-mini.changes index 530f8a5..1735131 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Nov 21 11:11:54 CET 2011 - mc@suse.de + +- fix KDC HA feature introduced with implementing KDC poll + (RT#6951) + ------------------------------------------------------------------- Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index 1630ab5..3a09d9a 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -73,6 +73,8 @@ Patch25: krb5-trunk-gss_delete_sec.patch Patch26: krb5-trunk-kadmin-oldproto.patch Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif Patch31: krb5-1.9-gss_display_status-iakerb.patch +Patch32: krb5-1.9.1-sendto_poll2.patch +Patch33: krb5-1.9.1-sendto_poll3.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -236,6 +238,8 @@ Authors: %patch26 %patch30 -p1 %patch31 -p1 +%patch32 -p1 +%patch33 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do diff --git a/krb5.changes b/krb5.changes index 530f8a5..1735131 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Nov 21 11:11:54 CET 2011 - mc@suse.de + +- fix KDC HA feature introduced with implementing KDC poll + (RT#6951) + ------------------------------------------------------------------- Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de diff --git a/krb5.spec b/krb5.spec index 0b2146b..9dbd734 100644 --- a/krb5.spec +++ b/krb5.spec @@ -73,6 +73,8 @@ Patch25: krb5-trunk-gss_delete_sec.patch Patch26: krb5-trunk-kadmin-oldproto.patch Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif Patch31: krb5-1.9-gss_display_status-iakerb.patch +Patch32: krb5-1.9.1-sendto_poll2.patch +Patch33: krb5-1.9.1-sendto_poll3.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -236,6 +238,8 @@ Authors: %patch26 %patch30 -p1 %patch31 -p1 +%patch32 -p1 +%patch33 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do From 6e6175d4bc19f0e15599756f51b64722c8456067492a90e26a3342df74ae47ae Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Wed, 7 Dec 2011 08:41:31 +0000 Subject: [PATCH 3/3] - fix KDC null pointer dereference in TGS handling (MITKRB5-SA-2011-007, bnc#730393) CVE-2011-1530 - fix KDC null pointer dereference in TGS handling (MITKRB5-SA-2011-007, bnc#730393) CVE-2011-1530 (RT#6951, bnc#731648) OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=56 --- krb5-1.9-MITKRB5-SA-2011-007.dif | 42 ++++++++++++++++++++++++++++++++ krb5-mini.changes | 7 ++++++ krb5-mini.spec | 2 ++ krb5.changes | 9 ++++++- krb5.spec | 2 ++ 5 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 krb5-1.9-MITKRB5-SA-2011-007.dif diff --git a/krb5-1.9-MITKRB5-SA-2011-007.dif b/krb5-1.9-MITKRB5-SA-2011-007.dif new file mode 100644 index 0000000..9435410 --- /dev/null +++ b/krb5-1.9-MITKRB5-SA-2011-007.dif @@ -0,0 +1,42 @@ +diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in +index f46cad3..102fbaa 100644 +--- a/src/kdc/Makefile.in ++++ b/src/kdc/Makefile.in +@@ -67,6 +67,7 @@ check-unix:: rtest + + check-pytests:: + $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS) ++ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS) + + install:: + $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc +diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c +index c169c54..840a2ef 100644 +--- a/src/kdc/do_tgs_req.c ++++ b/src/kdc/do_tgs_req.c +@@ -243,7 +243,8 @@ tgt_again: + if (!tgs_1 || !data_eq(*server_1, *tgs_1)) { + errcode = find_alternate_tgs(request, &server); + firstpass = 0; +- goto tgt_again; ++ if (errcode == 0) ++ goto tgt_again; + } + } + status = "UNKNOWN_SERVER"; +diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py +new file mode 100644 +index 0000000..1760bcd +--- /dev/null ++++ b/src/kdc/t_emptytgt.py +@@ -0,0 +1,8 @@ ++#!/usr/bin/python ++from k5test import * ++ ++realm = K5Realm(start_kadmind=False, create_host=False) ++output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1) ++if 'not found in Kerberos database' not in output: ++ fail('TGT lookup for empty realm failed in unexpected way') ++success('Empty tgt lookup.') + + diff --git a/krb5-mini.changes b/krb5-mini.changes index 1735131..2fa37a8 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Nov 21 11:24:12 CET 2011 - mc@suse.de + +- fix KDC null pointer dereference in TGS handling + (MITKRB5-SA-2011-007, bnc#730393) + CVE-2011-1530 + ------------------------------------------------------------------- Mon Nov 21 11:11:54 CET 2011 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index 3a09d9a..bb4eed3 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -75,6 +75,7 @@ Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif Patch31: krb5-1.9-gss_display_status-iakerb.patch Patch32: krb5-1.9.1-sendto_poll2.patch Patch33: krb5-1.9.1-sendto_poll3.patch +Patch34: krb5-1.9-MITKRB5-SA-2011-007.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -240,6 +241,7 @@ Authors: %patch31 -p1 %patch32 -p1 %patch33 -p1 +%patch34 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do diff --git a/krb5.changes b/krb5.changes index 1735131..0be899d 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,8 +1,15 @@ +------------------------------------------------------------------- +Mon Nov 21 11:24:12 CET 2011 - mc@suse.de + +- fix KDC null pointer dereference in TGS handling + (MITKRB5-SA-2011-007, bnc#730393) + CVE-2011-1530 + ------------------------------------------------------------------- Mon Nov 21 11:11:54 CET 2011 - mc@suse.de - fix KDC HA feature introduced with implementing KDC poll - (RT#6951) + (RT#6951, bnc#731648) ------------------------------------------------------------------- Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de diff --git a/krb5.spec b/krb5.spec index 9dbd734..e1ab109 100644 --- a/krb5.spec +++ b/krb5.spec @@ -75,6 +75,7 @@ Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif Patch31: krb5-1.9-gss_display_status-iakerb.patch Patch32: krb5-1.9.1-sendto_poll2.patch Patch33: krb5-1.9.1-sendto_poll3.patch +Patch34: krb5-1.9-MITKRB5-SA-2011-007.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -240,6 +241,7 @@ Authors: %patch31 -p1 %patch32 -p1 %patch33 -p1 +%patch34 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do