- obsolete by 1.6.1 release

Nalin Dahyabhai 2007-05-23 21:48:08 +00:00
parent c0edd9e442
commit 15a4beabc5
4 changed files with 0 additions and 1464 deletions


@ -1,88 +0,0 @@
FIXES
=====
* a future release of MIT krb5 will contain a fix for this
vulnerability
prior to that release you may:
* disable telnetd
or
* apply the following (preliminary) patch:
*** src/appl/telnet/telnetd/state.c (revision 19480)
--- src/appl/telnet/telnetd/state.c (local)
***************
*** 1665,1671 ****
strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
strcmp(varp, "NLSPATH") && /* locale stuff */
strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
! strcmp(varp, "IFS")) {
return 1;
} else {
syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
--- 1665,1672 ----
strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
strcmp(varp, "NLSPATH") && /* locale stuff */
strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
! strcmp(varp, "IFS") &&
! !strchr(varp, '-')) {
return 1;
} else {
syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
*** src/appl/telnet/telnetd/sys_term.c (revision 19480)
--- src/appl/telnet/telnetd/sys_term.c (local)
***************
*** 1287,1292 ****
--- 1287,1302 ----
#endif
#if defined (AUTHENTICATION)
if (auth_level >= 0 && autologin == AUTH_VALID) {
+ if (name[0] == '-') {
+ /* Authenticated and authorized to log in to an
+ account starting with '-'? Even if that
+ unlikely case comes to pass, the current login
+ program will not parse the resulting command
+ line properly. */
+ syslog(LOG_ERR, "user name cannot start with '-'");
+ fatal(net, "user name cannot start with '-'");
+ exit(1);
+ }
# if !defined(NO_LOGIN_F)
#if defined(LOGIN_CAP_F)
argv = addarg(argv, "-F");
***************
*** 1377,1387 ****
} else
#endif
if (getenv("USER")) {
! argv = addarg(argv, getenv("USER"));
#if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
{
register char **cpp;
for (cpp = environ; *cpp; cpp++)
argv = addarg(argv, *cpp);
}
#endif
--- 1387,1405 ----
} else
#endif
if (getenv("USER")) {
! char *user = getenv("USER");
! if (user[0] == '-') {
! /* "telnet -l-x ..." */
! syslog(LOG_ERR, "user name cannot start with '-'");
! fatal(net, "user name cannot start with '-'");
! exit(1);
! }
! argv = addarg(argv, user);
#if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
{
register char **cpp;
for (cpp = environ; *cpp; cpp++)
+ if ((*cpp)[0] != '-')
argv = addarg(argv, *cpp);
}
#endif



@ -1,80 +0,0 @@
*** src/lib/gssapi/krb5/k5unseal.c (revision 19510)
--- src/lib/gssapi/krb5/k5unseal.c (revision 19511)
***************
*** 457,464 ****
if ((ctx->initiate && direction != 0xff) ||
(!ctx->initiate && direction != 0)) {
! if (toktype == KG_TOK_SEAL_MSG)
xfree(token.value);
*minor_status = G_BAD_DIRECTION;
return(GSS_S_BAD_SIG);
}
--- 457,467 ----
if ((ctx->initiate && direction != 0xff) ||
(!ctx->initiate && direction != 0)) {
! if (toktype == KG_TOK_SEAL_MSG) {
xfree(token.value);
+ message_buffer->value = NULL;
+ message_buffer->length = 0;
+ }
*minor_status = G_BAD_DIRECTION;
return(GSS_S_BAD_SIG);
}
REFERENCES
==========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVE: CVE-2007-1216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1216
ACKNOWLEDGMENTS
===============
This bug was found while exercising the GSS-API library using the
GSSTEST test program provided by SAP AG.
DETAILS
=======
The kg_unseal_v1() function in src/lib/gssapi/krb5/k5unseal.c frees
memory allocated for the "message_buffer" gss_buffer_t when it detects
an invalid direction encoding on the message. It does not set the
pointer to NULL, nor does it set the length to zero. An application
subsequently calling gss_release_buffer() on this gss_buffer_t will
cause memory to be freed twice.
Much code provided with MIT krb5 does not attempt to call
gss_release_buffer() when gss_unseal() or gss_unwrap() fails, even
though the GSS-API C-bindings specification permits it to do so. The
RPCSEC_GSS authentication flavor for the RPC library, introduced in
krb5-1.4, does call gss_release_buffer() when gss_unwrap() fails.
This allows an authenticated attacker to trigger a double-free
situation.
Third-party applications calling the RPC library provided with MIT
krb5 and using the RPCSEC_GSS authentication flavor are vulnerable.
Third-party applications calling the MIT GSS-API library are
vulnerable if they call gss_release_buffer() when they experience
errors from gss_unseal() or gss_unwrap().
REVISION HISTORY
================
2007-mm-dd original release
Copyright (C) 2007 Massachusetts Institute of Technology


@ -1,22 +0,0 @@
Michael Calmer's fix for a crash bug, RT #5394.
--- src/lib/krb5/os/sendto_kdc.c
+++ src/lib/krb5/os/sendto_kdc.c 2007/01/17 14:17:10
@@ -1100,7 +1100,7 @@
struct sockaddr *remoteaddr, socklen_t *remoteaddrlen,
int *addr_used)
{
- int i, pass;
+ int i = 0, pass;
int delay_this_pass = 2;
krb5_error_code retval;
struct conn_state *conns;
@@ -1135,7 +1135,7 @@
return ENOMEM;
}
- memset(conns, 0, n_conns * sizeof(callback_data[i]));
+ memset(callback_data, 0, n_conns * sizeof(callback_data[i]));
}
for (i = 0; i < n_conns; i++) {