diff --git a/2006-001-patch_1.5.txt b/2006-001-patch_1.5.txt new file mode 100644 index 0000000..cc7dca8 --- /dev/null +++ b/2006-001-patch_1.5.txt @@ -0,0 +1,269 @@ +Index: appl/gssftp/ftpd/ftpd.c +=================================================================== +*** appl/gssftp/ftpd/ftpd.c (revision 18419) +--- appl/gssftp/ftpd/ftpd.c (working copy) +*************** +*** 1367,1373 **** + goto bad; + sleep(tries); + } +! (void) krb5_seteuid((uid_t)pw->pw_uid); + #ifdef IP_TOS + #ifdef IPTOS_THROUGHPUT + on = IPTOS_THROUGHPUT; +--- 1367,1375 ---- + goto bad; + sleep(tries); + } +! if (krb5_seteuid((uid_t)pw->pw_uid)) { +! fatal("seteuid user"); +! } + #ifdef IP_TOS + #ifdef IPTOS_THROUGHPUT + on = IPTOS_THROUGHPUT; +*************** +*** 1377,1383 **** + #endif + return (fdopen(s, fmode)); + bad: +! (void) krb5_seteuid((uid_t)pw->pw_uid); + (void) close(s); + return (NULL); + } +--- 1379,1387 ---- + #endif + return (fdopen(s, fmode)); + bad: +! if (krb5_seteuid((uid_t)pw->pw_uid)) { +! fatal("seteuid user"); +! } + (void) close(s); + return (NULL); + } +*************** +*** 2186,2192 **** + (void) krb5_seteuid((uid_t)pw->pw_uid); + goto pasv_error; + } +! (void) krb5_seteuid((uid_t)pw->pw_uid); + len = sizeof(pasv_addr); + if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0) + goto pasv_error; +--- 2190,2198 ---- + (void) krb5_seteuid((uid_t)pw->pw_uid); + goto pasv_error; + } +! if (krb5_seteuid((uid_t)pw->pw_uid)) { +! fatal("seteuid user"); +! } + len = sizeof(pasv_addr); + if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0) + goto pasv_error; +Index: appl/bsd/v4rcp.c +=================================================================== +*** appl/bsd/v4rcp.c (revision 18419) +--- appl/bsd/v4rcp.c (working copy) +*************** +*** 436,442 **** + kstream_set_buffer_mode (krem, 0); + #endif /* KERBEROS && !NOENCRYPTION */ + (void) response(); +! (void) setuid(userid); + source(--argc, ++argv); + exit(errs); + +--- 436,445 ---- + kstream_set_buffer_mode (krem, 0); + #endif /* KERBEROS && !NOENCRYPTION */ + (void) response(); +! if (setuid(userid)) { +! error("rcp: can't setuid(user)\n"); +! exit(1); +! } + source(--argc, ++argv); + exit(errs); + +*************** +*** 452,458 **** + krem = kstream_create_from_fd (rem, 0, 0); + kstream_set_buffer_mode (krem, 0); + #endif /* KERBEROS && !NOENCRYPTION */ +! (void) setuid(userid); + sink(--argc, ++argv); + exit(errs); + +--- 455,464 ---- + krem = kstream_create_from_fd (rem, 0, 0); + kstream_set_buffer_mode (krem, 0); + #endif /* KERBEROS && !NOENCRYPTION */ +! if (setuid(userid)) { +! error("rcp: can't setuid(user)\n"); +! exit(1); +! } + sink(--argc, ++argv); + exit(errs); + +Index: appl/bsd/krcp.c +=================================================================== +*** appl/bsd/krcp.c (revision 18419) +--- appl/bsd/krcp.c (working copy) +*************** +*** 620,626 **** + + euid = geteuid(); + if (euid == 0) { +! (void) setuid(0); + if(krb5_seteuid(userid)) { + perror("rcp seteuid user"); errs++; exit(errs); + } +--- 620,628 ---- + + euid = geteuid(); + if (euid == 0) { +! if (setuid(0)) { +! perror("rcp setuid 0"); errs++; exit(errs); +! } + if(krb5_seteuid(userid)) { + perror("rcp seteuid user"); errs++; exit(errs); + } +*************** +*** 638,648 **** + continue; + rcmd_stream_init_normal(); + #ifdef HAVE_SETREUID +! (void) setreuid(0, userid); + sink(1, argv+argc-1); +! (void) setreuid(userid, 0); + #else +! (void) setuid(0); + if(seteuid(userid)) { + perror("rcp seteuid user"); errs++; exit(errs); + } +--- 640,656 ---- + continue; + rcmd_stream_init_normal(); + #ifdef HAVE_SETREUID +! if (setreuid(0, userid)) { +! perror("rcp setreuid 0,user"); errs++; exit(errs); +! } + sink(1, argv+argc-1); +! if (setreuid(userid, 0)) { +! perror("rcp setreuid user,0"); errs++; exit(errs); +! } + #else +! if (setuid(0)) { +! perror("rcp setuid 0"); errs++; exit(errs); +! } + if(seteuid(userid)) { + perror("rcp seteuid user"); errs++; exit(errs); + } +Index: appl/bsd/login.c +=================================================================== +*** appl/bsd/login.c (revision 18419) +--- appl/bsd/login.c (working copy) +*************** +*** 1648,1654 **** + } + #endif /* HAVE_SETLUID */ + #ifdef _IBMR2 +! setuidx(ID_LOGIN, pwd->pw_uid); + #endif + + /* This call MUST succeed */ +--- 1648,1657 ---- + } + #endif /* HAVE_SETLUID */ + #ifdef _IBMR2 +! if (setuidx(ID_LOGIN, pwd->pw_uid) < 0) { +! perror("setuidx"); +! sleepexit(1); +! }; + #endif + + /* This call MUST succeed */ +Index: appl/bsd/krshd.c +=================================================================== +*** appl/bsd/krshd.c (revision 18419) +--- appl/bsd/krshd.c (working copy) +*************** +*** 1403,1411 **** + * If we're on a system which keeps track of login uids, then + * set the login uid. + */ +! setluid((uid_t) pwd->pw_uid); + #endif /* HAVE_SETLUID */ +! (void) setuid((uid_t)pwd->pw_uid); + /* if TZ is set in the parent, drag it in */ + { + char **findtz = environ; +--- 1403,1417 ---- + * If we're on a system which keeps track of login uids, then + * set the login uid. + */ +! if (setluid((uid_t) pwd->pw_uid) < 0) { +! perror("setluid"); +! _exit(1); +! } + #endif /* HAVE_SETLUID */ +! if (setuid((uid_t)pwd->pw_uid) < 0) { +! perror("setuid"); +! _exit(1); +! } + /* if TZ is set in the parent, drag it in */ + { + char **findtz = environ; +Index: clients/ksu/main.c +=================================================================== +*** clients/ksu/main.c (revision 18419) +--- clients/ksu/main.c (working copy) +*************** +*** 892,900 **** + const char * cc_name; + struct stat st_temp; + +! krb5_seteuid(0); +! krb5_seteuid(target_uid); +! + cc_name = krb5_cc_get_name(context, cc); + if ( ! stat(cc_name, &st_temp)){ + if ((retval = krb5_cc_destroy(context, cc))){ +--- 892,903 ---- + const char * cc_name; + struct stat st_temp; + +! if (krb5_seteuid(0) < 0 || krb5_seteuid(target_uid) < 0) { +! com_err(prog_name, errno, +! "while returning to source uid for destroying ccache"); +! exit(1); +! } +! + cc_name = krb5_cc_get_name(context, cc); + if ( ! stat(cc_name, &st_temp)){ + if ((retval = krb5_cc_destroy(context, cc))){ +Index: lib/krb4/kuserok.c +=================================================================== +*** lib/krb4/kuserok.c (revision 18419) +--- lib/krb4/kuserok.c (working copy) +*************** +*** 159,167 **** + */ + if(getuid() == 0) { + uid_t old_euid = geteuid(); +! seteuid(pwd->pw_uid); + fp = fopen(pbuf, "r"); +! seteuid(old_euid); + if ((fp) == NULL) { + return(NOTOK); + } +--- 159,169 ---- + */ + if(getuid() == 0) { + uid_t old_euid = geteuid(); +! if (seteuid(pwd->pw_uid) < 0) +! return NOTOK; + fp = fopen(pbuf, "r"); +! if (seteuid(old_euid) < 0) +! return NOTOK; + if ((fp) == NULL) { + return(NOTOK); + } diff --git a/krb5.spec b/krb5.spec index d36643b..4cc7c3a 100644 --- a/krb5.spec +++ b/krb5.spec @@ -10,7 +10,7 @@ Summary: The Kerberos network authentication system. Name: krb5 Version: 1.5 -Release: 4 +Release: 5 # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.5/krb5-1.5-signed.tar Source0: krb5-%{version}.tar.gz @@ -66,6 +66,7 @@ Patch40: krb5-1.4.1-telnet-environ.patch Patch41: krb5-1.2.7-login-lpass.patch Patch44: krb5-1.4.3-enospc.patch Patch45: krb5-1.5-gssinit.patch +Patch46: http://web.mit.edu/kerberos/advisories/2006-001-patch_1.5.txt License: MIT, freely distributable. URL: http://web.mit.edu/kerberos/www/ @@ -131,6 +132,9 @@ network uses Kerberos, this package should be installed on every workstation. %changelog +* Tue Aug 8 2006 Nalin Dahyabhai - 1.5-5 +- apply patch to address MITKRB-SA-2006-001 (CVE-2006-3084) + * Mon Aug 7 2006 Nalin Dahyabhai - 1.5-4 - ensure that the gssapi library's been initialized before walking the internal mechanism list in gss_release_oid(), needed if called from @@ -937,6 +941,9 @@ workstation. %patch41 -p1 -b .login-lpass %patch44 -p1 -b .enospc %patch45 -p1 -b .gssinit +pushd src +%patch46 -p0 -b .2006-001 +popd cp src/krb524/README README.krb524 gzip doc/*.ps cd src