From 49c8edfa6b6f76c91d1b144f0778e16450a3c1b4 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Mon, 11 Nov 2013 14:11:29 -0500
Subject: [PATCH] Catch more strtol() failures when using KEYRINGs
- check more thorougly for errors when resolving KEYRING ccache names of type "persistent", which should only have a numeric UID as the next part of the name (#1029110)
---
krb5-keyring-strtol.patch | 35 +++++++++++++++++++++++++++++++++++
krb5.spec | 9 ++++++++-
2 files changed, 43 insertions(+), 1 deletion(-)
create mode 100644 krb5-keyring-strtol.patch
diff --git a/krb5-keyring-strtol.patch b/krb5-keyring-strtol.patch
new file mode 100644
index 0000000..8d6d047
--- /dev/null
+++ b/krb5-keyring-strtol.patch
@@ -0,0 +1,35 @@
+commit ffbb8f2fdd54c9d458dc84b544ac29eb3272bd2d
+Author: Nalin Dahyabhai
+Date: Mon Nov 11 13:10:08 2013 -0500
+
+ Catch more strtol() failures when using KEYRINGs
+
+ When parsing what should be a UID while resolving a KEYRING ccache name,
+ don't just depend on strtol() to set errno when the residual that we
+ pass to it can't be parsed as a number. In addition to checking errno,
+ pass in and check the value of an "endptr".
+
+diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
+index 795ccd6..b1fc397 100644
+--- a/src/lib/krb5/ccache/cc_keyring.c
++++ b/src/lib/krb5/ccache/cc_keyring.c
+@@ -593,7 +593,7 @@ get_collection(const char *anchor_name, const char *collection_name,
+ {
+ krb5_error_code ret;
+ key_serial_t persistent_id, anchor_id, possess_id = 0;
+- char *ckname;
++ char *ckname, *cnend = NULL;
+ long uidnum;
+
+ *collection_id_out = 0;
+@@ -607,8 +607,8 @@ get_collection(const char *anchor_name, const char *collection_name,
+ */
+ if (*collection_name != '\0') {
+ errno = 0;
+- uidnum = strtol(collection_name, NULL, 10);
+- if (errno)
++ uidnum = strtol(collection_name, &cnend, 10);
++ if (errno || cnend == NULL || *cnend != '\0')
+ return KRB5_KCC_INVALID_UID;
+ } else {
+ uidnum = geteuid();
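Review bot: The new condition in get_collection(), `if (errno || cnend == NULL || *cnend != '\0')`, rejects trailing garbage but still accepts any value that fits in a `long`, including negative numbers and, where `long` is 64-bit, numbers too large for `uid_t`. How `uidnum` is used lies outside the hunk, but if it is later narrowed to `uid_t`, such a name would be mapped to a UID other than the one written instead of failing with KRB5_KCC_INVALID_UID. A range test in the same condition would close that, e.g. `if (errno || *cnend != '\0' || uidnum < 0 || (long)(uid_t)uidnum != uidnum)`. The `cnend == NULL` test cannot be true once `&cnend` is passed to strtol() and could be dropped. get_collection()'s body starts and ends outside the hunk.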
diff --git a/krb5.spec b/krb5.spec index b4bc2c8..4928714 100644 --- a/krb5.spec +++ b/krb5.spec @@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.11.3 -Release: 29%{?dist} +Release: 30%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar Source0: krb5-%{version}.tar.gz @@ -117,6 +117,7 @@ Patch202: krb5-1.11.2-otp.patch # Patches for kernel-persistent-keyring support (backport) Patch301: persistent_keyring.patch Patch302: krb5-master-kinit-cccol.patch +Patch303: krb5-keyring-strtol.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -313,6 +314,7 @@ ln -s NOTICE LICENSE %patch301 -p1 -b .persistent-keyring %patch302 -p1 -b .kinit-cccol +%patch303 -p1 -b .keyring-strtol %patch60 -p1 -b .pam @@ -1006,6 +1008,11 @@ exit 0 %{_sbindir}/uuserver %changelog +* Mon Nov 11 2013 Nalin Dahyabhai - 1.11.3-30 +- check more thorougly for errors when resolving KEYRING ccache names of type + "persistent", which should only have a numeric UID as the next part of the + name (#1029110) + * Tue Nov 5 2013 Nalin Dahyabhai - 1.11.3-29 - incorporate upstream patch for remote crash of KDCs which serve multiple realms simultaneously (RT#7756, CVE-2013-1418)