From 2bc5a13d2a0da935e029a2b182be0884c5ed5abd Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 8 Aug 2006 22:43:10 +0000
Subject: [PATCH] - apply patch to address MITKRB-SA-2006-001 (CVE-2006-3084)
---
2006-001-patch_1.5.txt | 269 +++++++++++++++++++++++++++++++++++++++++
krb5.spec | 9 +-
2 files changed, 277 insertions(+), 1 deletion(-)
create mode 100644 2006-001-patch_1.5.txt
diff --git a/2006-001-patch_1.5.txt b/2006-001-patch_1.5.txt
new file mode 100644
index 0000000..cc7dca8
--- /dev/null
+++ b/2006-001-patch_1.5.txt
@@ -0,0 +1,269 @@
+Index: appl/gssftp/ftpd/ftpd.c
+===================================================================
+*** appl/gssftp/ftpd/ftpd.c (revision 18419)
+--- appl/gssftp/ftpd/ftpd.c (working copy)
+***************
+*** 1367,1373 ****
+ goto bad;
+ sleep(tries);
+ }
+! (void) krb5_seteuid((uid_t)pw->pw_uid);
+ #ifdef IP_TOS
+ #ifdef IPTOS_THROUGHPUT
+ on = IPTOS_THROUGHPUT;
+--- 1367,1375 ----
+ goto bad;
+ sleep(tries);
+ }
+! if (krb5_seteuid((uid_t)pw->pw_uid)) {
+! fatal("seteuid user");
+! }
+ #ifdef IP_TOS
+ #ifdef IPTOS_THROUGHPUT
+ on = IPTOS_THROUGHPUT;
+***************
+*** 1377,1383 ****
+ #endif
+ return (fdopen(s, fmode));
+ bad:
+! (void) krb5_seteuid((uid_t)pw->pw_uid);
+ (void) close(s);
+ return (NULL);
+ }
+--- 1379,1387 ----
+ #endif
+ return (fdopen(s, fmode));
+ bad:
+! if (krb5_seteuid((uid_t)pw->pw_uid)) {
+! fatal("seteuid user");
+! }
+ (void) close(s);
+ return (NULL);
+ }
+***************
+*** 2186,2192 ****
+ (void) krb5_seteuid((uid_t)pw->pw_uid);
+ goto pasv_error;
+ }
+! (void) krb5_seteuid((uid_t)pw->pw_uid);
+ len = sizeof(pasv_addr);
+ if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0)
+ goto pasv_error;
+--- 2190,2198 ----
+ (void) krb5_seteuid((uid_t)pw->pw_uid);
+ goto pasv_error;
+ }
+! if (krb5_seteuid((uid_t)pw->pw_uid)) {
+! fatal("seteuid user");
+! }
+ len = sizeof(pasv_addr);
+ if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0)
+ goto pasv_error;
+Index: appl/bsd/v4rcp.c
+===================================================================
+*** appl/bsd/v4rcp.c (revision 18419)
+--- appl/bsd/v4rcp.c (working copy)
+***************
+*** 436,442 ****
+ kstream_set_buffer_mode (krem, 0);
+ #endif /* KERBEROS && !NOENCRYPTION */
+ (void) response();
+! (void) setuid(userid);
+ source(--argc, ++argv);
+ exit(errs);
+ 
+--- 436,445 ----
+ kstream_set_buffer_mode (krem, 0);
+ #endif /* KERBEROS && !NOENCRYPTION */
+ (void) response();
+! if (setuid(userid)) {
+! 
error("rcp: can't setuid(user)\n");
+! exit(1);
+! }
+ source(--argc, ++argv);
+ exit(errs);
+ 
+***************
+*** 452,458 ****
+ krem = kstream_create_from_fd (rem, 0, 0);
+ kstream_set_buffer_mode (krem, 0);
+ #endif /* KERBEROS && !NOENCRYPTION */
+! (void) setuid(userid);
+ sink(--argc, ++argv);
+ exit(errs);
+ 
+--- 455,464 ----
+ krem = kstream_create_from_fd (rem, 0, 0);
+ kstream_set_buffer_mode (krem, 0);
+ #endif /* KERBEROS && !NOENCRYPTION */
+! if (setuid(userid)) {
+! error("rcp: can't setuid(user)\n");
+! exit(1);
+! }
+ sink(--argc, ++argv);
+ exit(errs);
+ 
+Index: appl/bsd/krcp.c
+===================================================================
+*** appl/bsd/krcp.c (revision 18419)
+--- appl/bsd/krcp.c (working copy)
+***************
+*** 620,626 ****
+ 
+ euid = geteuid();
+ if (euid == 0) {
+! (void) setuid(0);
+ if(krb5_seteuid(userid)) {
+ perror("rcp seteuid user"); errs++; exit(errs);
+ }
+--- 620,628 ----
+ 
+ euid = geteuid();
+ if (euid == 0) {
+! if (setuid(0)) {
+! perror("rcp setuid 0"); errs++; exit(errs);
+! }
+ if(krb5_seteuid(userid)) {
+ perror("rcp seteuid user"); errs++; exit(errs);
+ }
+***************
+*** 638,648 ****
+ continue;
+ rcmd_stream_init_normal();
+ #ifdef HAVE_SETREUID
+! (void) setreuid(0, userid);
+ sink(1, argv+argc-1);
+! (void) setreuid(userid, 0);
+ #else
+! (void) setuid(0);
+ if(seteuid(userid)) {
+ perror("rcp seteuid user"); errs++; exit(errs);
+ }
+--- 640,656 ----
+ continue;
+ rcmd_stream_init_normal();
+ #ifdef HAVE_SETREUID
+! if (setreuid(0, userid)) {
+! perror("rcp setreuid 0,user"); errs++; exit(errs);
+! }
+ sink(1, argv+argc-1);
+! if (setreuid(userid, 0)) {
+! perror("rcp setreuid user,0"); errs++; exit(errs);
+! }
+ #else
+! if (setuid(0)) {
+! perror("rcp setuid 0"); errs++; exit(errs);
+! 
}
+ if(seteuid(userid)) {
+ perror("rcp seteuid user"); errs++; exit(errs);
+ }
+Index: appl/bsd/login.c
+===================================================================
+*** appl/bsd/login.c (revision 18419)
+--- appl/bsd/login.c (working copy)
+***************
+*** 1648,1654 ****
+ }
+ #endif /* HAVE_SETLUID */
+ #ifdef _IBMR2
+! setuidx(ID_LOGIN, pwd->pw_uid);
+ #endif
+ 
+ /* This call MUST succeed */
+--- 1648,1657 ----
+ }
+ #endif /* HAVE_SETLUID */
+ #ifdef _IBMR2
+! if (setuidx(ID_LOGIN, pwd->pw_uid) < 0) {
+! perror("setuidx");
+! sleepexit(1);
+! };
+ #endif
+ 
+ /* This call MUST succeed */
+Index: appl/bsd/krshd.c
+===================================================================
+*** appl/bsd/krshd.c (revision 18419)
+--- appl/bsd/krshd.c (working copy)
+***************
+*** 1403,1411 ****
+ * If we're on a system which keeps track of login uids, then
+ * set the login uid.
+ */
+! setluid((uid_t) pwd->pw_uid);
+ #endif /* HAVE_SETLUID */
+! (void) setuid((uid_t)pwd->pw_uid);
+ /* if TZ is set in the parent, drag it in */
+ {
+ char **findtz = environ;
+--- 1403,1417 ----
+ * If we're on a system which keeps track of login uids, then
+ * set the login uid.
+ */
+! if (setluid((uid_t) pwd->pw_uid) < 0) {
+! perror("setluid");
+! _exit(1);
+! }
+ #endif /* HAVE_SETLUID */
+! if (setuid((uid_t)pwd->pw_uid) < 0) {
+! perror("setuid");
+! _exit(1);
+! }
+ /* if TZ is set in the parent, drag it in */
+ {
+ char **findtz = environ;
+Index: clients/ksu/main.c
+===================================================================
+*** clients/ksu/main.c (revision 18419)
+--- clients/ksu/main.c (working copy)
+***************
+*** 892,900 ****
+ const char * cc_name;
+ struct stat st_temp;
+ 
+! krb5_seteuid(0);
+! krb5_seteuid(target_uid);
+! 
+ cc_name = krb5_cc_get_name(context, cc);
+ if ( ! stat(cc_name, &st_temp)){
+ if ((retval = krb5_cc_destroy(context, cc))){
+--- 892,903 ----
+ const char * cc_name;
+ struct stat st_temp;
+ 
+! 
if (krb5_seteuid(0) < 0 || krb5_seteuid(target_uid) < 0) {
+! com_err(prog_name, errno,
+! "while returning to source uid for destroying ccache");
+! exit(1);
+! }
+! 
+ cc_name = krb5_cc_get_name(context, cc);
+ if ( ! stat(cc_name, &st_temp)){
+ if ((retval = krb5_cc_destroy(context, cc))){
+Index: lib/krb4/kuserok.c
+===================================================================
+*** lib/krb4/kuserok.c (revision 18419)
+--- lib/krb4/kuserok.c (working copy)
+***************
+*** 159,167 ****
+ */
+ if(getuid() == 0) {
+ uid_t old_euid = geteuid();
+! seteuid(pwd->pw_uid);
+ fp = fopen(pbuf, "r");
+! seteuid(old_euid);
+ if ((fp) == NULL) {
+ return(NOTOK);
+ }
+--- 159,169 ----
+ */
+ if(getuid() == 0) {
+ uid_t old_euid = geteuid();
+! if (seteuid(pwd->pw_uid) < 0)
+! return NOTOK;
+ fp = fopen(pbuf, "r");
+! if (seteuid(old_euid) < 0)
+! return NOTOK;
+ if ((fp) == NULL) {
+ return(NOTOK);
+ }
diff --git a/krb5.spec b/krb5.spec
index d36643b..4cc7c3a 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -10,7 +10,7 @@ Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.5
-Release: 4
+Release: 5
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.5/krb5-1.5-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -66,6 +66,7 @@ Patch40: krb5-1.4.1-telnet-environ.patch
 Patch41: krb5-1.2.7-login-lpass.patch
 Patch44: krb5-1.4.3-enospc.patch
 Patch45: krb5-1.5-gssinit.patch
+Patch46: http://web.mit.edu/kerberos/advisories/2006-001-patch_1.5.txt
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
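Review bot: In the lib/krb4/kuserok.c part of this file, the new guard `if (seteuid(old_euid) < 0) return NOTOK;` sits after `fp = fopen(pbuf, "r");` and returns without closing a stream that may already be open, so a failed restore of the effective uid leaks the FILE (and leaves the process with the target user's euid; returning NOTOK at least fails closed). Close it before bailing: `if (seteuid(old_euid) < 0) { if (fp) fclose(fp); return NOTOK; }`. In appl/bsd/login.c the new `_IBMR2` block ends with `};`, a stray empty statement after the closing brace; drop the semicolon. The context of the appl/gssftp/ftpd/ftpd.c PASV hunk still shows an unchecked `(void) krb5_seteuid((uid_t)pw->pw_uid);` right before `goto pasv_error;`, which this advisory patch does not touch and which deserves the same `fatal("seteuid user")` treatment as the three calls it does change. The enclosing functions in every touched file start and end outside the hunk.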
@@ -131,6 +132,9 @@ network uses Kerberos, this package should be installed on every workstation.
 %changelog
+* Tue Aug 8 2006 Nalin Dahyabhai - 1.5-5
+- apply patch to address MITKRB-SA-2006-001 (CVE-2006-3084)
+
 * Mon Aug 7 2006 Nalin Dahyabhai - 1.5-4
 - ensure that the gssapi library's been initialized before walking the internal mechanism list in gss_release_oid(), needed if called from
@@ -937,6 +941,9 @@ workstation.
 %patch41 -p1 -b .login-lpass
 %patch44 -p1 -b .enospc
 %patch45 -p1 -b .gssinit
+pushd src
+%patch46 -p0 -b .2006-001
+popd
 cp src/krb524/README README.krb524
 gzip doc/*.ps
 cd src
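Review bot: The `%prep` hunk applies `%patch46` with `-p0` inside a `pushd src` / `popd` pair, unlike every neighbouring `%patch` line, which uses `-p1` from the top-level directory, and nothing says why. The reason is visible in the committed advisory file, whose `Index:` paths such as `appl/gssftp/ftpd/ftpd.c` are relative to `src/`, so a one-line comment would spare the next maintainer a guess: `# the MIT advisory patch is rooted at src/ and carries no leading path component`. The `-b .2006-001` backup suffix also leaves `*.2006-001` copies under `src/`; worth confirming the build does not pick them up.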