rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Catch more strtol() failures when using KEYRINGs

Browse Source 
- check more thorougly for errors when resolving KEYRING ccache names of type
  "persistent", which should only have a numeric UID as the next part of the
  name (#1029110)
This commit is contained in:
Nalin Dahyabhai 2013-11-11 14:11:29 -05:00
parent bfdc4351bf
commit 49c8edfa6b
2 changed files with 43 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
krb5-keyring-strtol.patch Normal file
View File

@ -0,0 +1,35 @@
commit ffbb8f2fdd54c9d458dc84b544ac29eb3272bd2d
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Mon Nov 11 13:10:08 2013 -0500
Catch more strtol() failures when using KEYRINGs
When parsing what should be a UID while resolving a KEYRING ccache name,
don't just depend on strtol() to set errno when the residual that we
pass to it can't be parsed as a number. In addition to checking errno,
pass in and check the value of an "endptr".
diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
index 795ccd6..b1fc397 100644
--- a/src/lib/krb5/ccache/cc_keyring.c
+++ b/src/lib/krb5/ccache/cc_keyring.c
@@ -593,7 +593,7 @@ get_collection(const char *anchor_name, const char *collection_name,
{
krb5_error_code ret;
key_serial_t persistent_id, anchor_id, possess_id = 0;
- char *ckname;
+ char *ckname, *cnend = NULL;
long uidnum;
*collection_id_out = 0;
@@ -607,8 +607,8 @@ get_collection(const char *anchor_name, const char *collection_name,
*/
if (*collection_name != '\0') {
errno = 0;
- uidnum = strtol(collection_name, NULL, 10);
- if (errno)
+ uidnum = strtol(collection_name, &cnend, 10);
+ if (errno || cnend == NULL || *cnend != '\0')
return KRB5_KCC_INVALID_UID;
} else {
uidnum = geteuid();

9
krb5.spec
View File

@ -41,7 +41,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.11.3
Release: 29%{?dist}
Release: 30%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
Source0: krb5-%{version}.tar.gz
@ -117,6 +117,7 @@ Patch202: krb5-1.11.2-otp.patch
# Patches for kernel-persistent-keyring support (backport)
Patch301: persistent_keyring.patch
Patch302: krb5-master-kinit-cccol.patch
Patch303: krb5-keyring-strtol.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -313,6 +314,7 @@ ln -s NOTICE LICENSE
%patch301 -p1 -b .persistent-keyring
%patch302 -p1 -b .kinit-cccol
%patch303 -p1 -b .keyring-strtol
%patch60 -p1 -b .pam
@ -1006,6 +1008,11 @@ exit 0
%{_sbindir}/uuserver
%changelog
* Mon Nov 11 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-30
- check more thorougly for errors when resolving KEYRING ccache names of type
"persistent", which should only have a numeric UID as the next part of the
name (#1029110)
* Tue Nov 5 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-29
- incorporate upstream patch for remote crash of KDCs which serve multiple
realms simultaneously (RT#7756, CVE-2013-1418)