1e4178c989
(MITKRB5-SA-2011-001, bnc#662665) CVE-2010-4022 - Fix KDC denial of service attacks with LDAP back end (MITKRB5-SA-2011-002, bnc#663619) CVE-2011-0281, CVE-2011-0282 - Fix kpropd denial of service (MITKRB5-SA-2011-001, bnc#662665) CVE-2010-4022 - Fix KDC denial of service attacks with LDAP back end (MITKRB5-SA-2011-002, bnc#663619) CVE-2011-0281, CVE-2011-0282 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=39
113 lines
5.8 KiB
Plaintext
113 lines
5.8 KiB
Plaintext
Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
|
===================================================================
|
|
--- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c.orig
|
|
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
|
@@ -103,10 +103,10 @@ krb5_ldap_get_principal(krb5_context con
|
|
unsigned int flags, krb5_db_entry *entries,
|
|
int *nentries, krb5_boolean *more)
|
|
{
|
|
- char *user=NULL, *filter=NULL, **subtree=NULL;
|
|
+ char *user=NULL, *filter=NULL, *filtuser=NULL;
|
|
unsigned int tree=0, ntrees=1, princlen=0;
|
|
krb5_error_code tempst=0, st=0;
|
|
- char **values=NULL, *cname=NULL;
|
|
+ char **values=NULL, **subtree=NULL, *cname=NULL;
|
|
LDAP *ld=NULL;
|
|
LDAPMessage *result=NULL, *ent=NULL;
|
|
krb5_ldap_context *ldap_context=NULL;
|
|
@@ -142,12 +142,18 @@ krb5_ldap_get_principal(krb5_context con
|
|
if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
|
|
goto cleanup;
|
|
|
|
- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
|
|
+ filtuser = ldap_filter_correct(user);
|
|
+ if (filtuser == NULL) {
|
|
+ st = ENOMEM;
|
|
+ goto cleanup;
|
|
+ }
|
|
+
|
|
+ princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */
|
|
if ((filter = malloc(princlen)) == NULL) {
|
|
st = ENOMEM;
|
|
goto cleanup;
|
|
}
|
|
- snprintf(filter, princlen, FILTER"%s))", user);
|
|
+ snprintf(filter, princlen, FILTER"%s))", filtuser);
|
|
|
|
if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
|
|
goto cleanup;
|
|
@@ -231,6 +237,9 @@ cleanup:
|
|
if (user)
|
|
free(user);
|
|
|
|
+ if (filtuser)
|
|
+ free(filtuser);
|
|
+
|
|
if (cname)
|
|
free(cname);
|
|
|
|
Index: src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
|
|
===================================================================
|
|
--- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h.orig
|
|
+++ src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
|
|
@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_contex
|
|
#define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
|
|
|
|
#define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \
|
|
- do { \
|
|
- st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
|
|
- if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
|
|
- tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
|
|
- if (ldap_server_handle) \
|
|
- ld = ldap_server_handle->ldap_handle; \
|
|
- } \
|
|
- }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
|
|
+ tempst = 0; \
|
|
+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, \
|
|
+ NULL, &timelimit, LDAP_NO_LIMIT, &result); \
|
|
+ if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
|
|
+ tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
|
|
+ if (ldap_server_handle) \
|
|
+ ld = ldap_server_handle->ldap_handle; \
|
|
+ if (tempst == 0) \
|
|
+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, \
|
|
+ NULL, NULL, &timelimit, \
|
|
+ LDAP_NO_LIMIT, &result); \
|
|
+ } \
|
|
\
|
|
if (status_check != IGNORE_STATUS) { \
|
|
if (tempst != 0) { \
|
|
Index: src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
|
|
===================================================================
|
|
--- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c.orig
|
|
+++ src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
|
|
@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap
|
|
{
|
|
krb5_ldap_server_handle *handle = *ldap_server_handle;
|
|
|
|
+ ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
|
|
if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
|
|
|| (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
|
|
return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
|
|
Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
|
|
===================================================================
|
|
--- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.orig
|
|
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
|
|
@@ -446,12 +446,11 @@ is_principal_in_realm(krb5_ldap_context
|
|
* portion, then the first portion of the principal name SHOULD be
|
|
* "krbtgt". All this check is done in the immediate block.
|
|
*/
|
|
- if (searchfor->length == 2)
|
|
- if ((strncasecmp(searchfor->data[0].data, "krbtgt",
|
|
- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
|
|
- (strncasecmp(searchfor->data[1].data, defrealm,
|
|
- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
|
|
+ if (searchfor->length == 2) {
|
|
+ if (data_eq_string(searchfor->data[0], "krbtgt") &&
|
|
+ data_eq_string(searchfor->data[1], defrealm))
|
|
return 0;
|
|
+ }
|
|
|
|
/* first check the length, if they are not equal, then they are not same */
|
|
if (strlen(defrealm) != searchfor->realm.length)
|