- update to 1.10.1

- drop the KDC crash fix
  - drop the KDC lookaside cache fix
  - drop the fix for kadmind RPC ACLs (CVE-2012-1012)
Nalin Dahyabhai 2012-03-09 18:37:47 -05:00
parent df8a03bc2b
commit 70240d81c8
5 changed files with 9 additions and 213 deletions


@ -1,39 +0,0 @@
RT #7081
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 5e69653..4651b72 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -102,6 +102,7 @@ struct as_req_state {
loop_respond_fn respond;
void *arg;
+ krb5_principal_data client_princ;
krb5_enc_tkt_part enc_tkt_reply;
krb5_enc_kdc_rep_part reply_encpart;
krb5_ticket ticket_reply;
@@ -458,7 +459,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
krb5_error_code errcode;
krb5_timestamp rtime;
unsigned int s_flags = 0;
- krb5_principal_data client_princ;
krb5_data encoded_req_body;
krb5_enctype useenctype;
struct as_req_state *state;
@@ -680,13 +680,13 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
state->enc_tkt_reply.session = &state->session_key;
if (isflagset(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
- client_princ = *(state->client->princ);
+ state->client_princ = *(state->client->princ);
} else {
- client_princ = *(state->request->client);
+ state->client_princ = *(state->request->client);
/* The realm is always canonicalized */
- client_princ.realm = state->client->princ->realm;
+ state->client_princ.realm = state->client->princ->realm;
}
- state->enc_tkt_reply.client = &client_princ;
+ state->enc_tkt_reply.client = &state->client_princ;
state->enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
state->enc_tkt_reply.transited.tr_contents = empty_string;


@ -1,101 +0,0 @@
From 4b9eb1f3dc538f7b29e50b6852983f5b4ddc7536 Mon Sep 17 00:00:00 2001
From: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Thu, 26 Jan 2012 21:56:16 +0000
Subject: [PATCH 1/3] ticket: 7082 subject: Various lookaside cache fixes
target_version: 1.10 tags: pullup
Don't touch the lookaside cache if we're responding with a lookaside
cache entry. Also, leave the null entry behind if we're deliberately
dropping a request (a rare case) so that we don't have to process it
again. Fixes several lookaside problems in 1.10:
* When dropping a request because it was already being processed, we
were erroneously removing the null entry, causing us to process the
request again upon a second retransmit.
* When responding to a finished request with a lookaside entry, we
were removing and re-adding the entry to the cache, resetting its
time and performing unnecessary work.
* We were not caching responses we couldn't deliver because they were
too big for UDP, causing us to re-process the request when it came
in again via TCP instead of simply delivering the cached response.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25660 dc483132-0cff-0310-8789-dd5450dbe970
---
src/kdc/dispatch.c | 40 ++++++++++++++++++++++------------------
1 files changed, 22 insertions(+), 18 deletions(-)
diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
index b4c02f3..efe7098 100644
--- a/src/kdc/dispatch.c
+++ b/src/kdc/dispatch.c
@@ -44,20 +44,11 @@ struct dispatch_state {
};
static void
-finish_dispatch(void *arg, krb5_error_code code, krb5_data *response)
+finish_dispatch(struct dispatch_state *state, krb5_error_code code,
+ krb5_data *response)
{
- struct dispatch_state *state = arg;
- loop_respond_fn oldrespond;
- void *oldarg;
-
- assert(state);
- oldrespond = state->respond;
- oldarg = state->arg;
-
-#ifndef NOCACHE
- /* Remove our NULL cache entry to indicate request completion. */
- kdc_remove_lookaside(kdc_context, state->request);
-#endif
+ loop_respond_fn oldrespond = state->respond;
+ void *oldarg = state->arg;
if (state->is_tcp == 0 && response &&
response->length > max_dgram_reply_size) {
@@ -70,14 +61,27 @@ finish_dispatch(void *arg, krb5_error_code code, krb5_data *response)
error_message(code));
}
+ free(state);
+ (*oldrespond)(oldarg, code, response);
+}
+
+static void
+finish_dispatch_cache(void *arg, krb5_error_code code, krb5_data *response)
+{
+ struct dispatch_state *state = arg;
+
#ifndef NOCACHE
- /* put the response into the lookaside buffer */
- else if (!code && response)
+ /* Remove the null cache entry unless we actually want to discard this
+ * request. */
+ if (code != KRB5KDC_ERR_DISCARD)
+ kdc_remove_lookaside(kdc_context, state->request);
+
+ /* Put the response into the lookaside buffer (if we produced one). */
+ if (code == 0 && response != NULL)
kdc_insert_lookaside(state->request, response);
#endif
- free(state);
- (*oldrespond)(oldarg, code, response);
+ finish_dispatch(state, code, response);
}
void
@@ -167,7 +171,7 @@ dispatch(void *cb, struct sockaddr *local_saddr,
* process_as_req frees the request if it is called
*/
if (!(retval = setup_server_realm(as_req->server))) {
- process_as_req(as_req, pkt, from, vctx, finish_dispatch,
+ process_as_req(as_req, pkt, from, vctx, finish_dispatch_cache,
state);
return;
}
--
1.7.7.5


@ -1,61 +0,0 @@
From 725b97bfba7067907a5fc534c21349c0d28bf6b8 Mon Sep 17 00:00:00 2001
From: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue, 21 Feb 2012 19:14:47 +0000
Subject: [PATCH] ticket: 7093 subject: Access controls for string RPCs
[CVE-2012-1012] target_version: 1.10.1 tags: pullup
In the kadmin protocol, make the access controls for
get_strings/set_string mirror those of get_principal/modify_principal.
Previously, anyone with global list privileges could get or modify
string attributes on any principal. The impact of this depends on how
generous the kadmind acl is with list permission and whether string
attributes are used in a deployment (nothing in the core code uses
them yet).
CVSSv2 vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:O/RC:C
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25704 dc483132-0cff-0310-8789-dd5450dbe970
---
src/kadmin/server/server_stubs.c | 19 +++++++++++--------
1 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index 8dbe756..0de627f 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -1634,10 +1634,13 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
goto exit_func;
}
- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
- rqst2name(rqstp),
- ACL_LIST, NULL, NULL)) {
- ret.code = KADM5_AUTH_LIST;
+ if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) &&
+ (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ rqst2name(rqstp),
+ ACL_INQUIRE,
+ arg->princ,
+ NULL))) {
+ ret.code = KADM5_AUTH_GET;
log_unauth("kadm5_get_strings", prime_arg,
&client_name, &service_name, rqstp);
} else {
@@ -1690,10 +1693,10 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
goto exit_func;
}
- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
- rqst2name(rqstp),
- ACL_LIST, NULL, NULL)) {
- ret.code = KADM5_AUTH_LIST;
+ if (CHANGEPW_SERVICE(rqstp)
+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
+ arg->princ, NULL)) {
+ ret.code = KADM5_AUTH_MODIFY;
log_unauth("kadm5_mod_strings", prime_arg,
&client_name, &service_name, rqstp);
} else {
--
1.7.7.6


@ -14,10 +14,10 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.10
Release: 5%{?dist}
Version: 1.10.1
Release: 1%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-signed.tar
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.1-signed.tar
Source0: krb5-%{version}.tar.gz
Source1: krb5-%{version}.tar.gz.asc
Source2: kprop.service
@ -61,10 +61,7 @@ Patch100: krb5-trunk-7046.patch
Patch101: krb5-trunk-7047.patch
Patch102: krb5-trunk-7048.patch
Patch103: krb5-1.10-gcc47.patch
Patch104: krb5-1.10-crashfix.patch
Patch105: krb5-kvno-230379.patch
Patch106: krb5-1.10-lookaside.patch
Patch107: krb5-1.10-string-rpc-acl-fix.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -234,10 +231,7 @@ ln -s NOTICE LICENSE
%patch101 -p1 -b .7047
%patch102 -p1 -b .7048
%patch103 -p0 -b .gcc47
%patch104 -p1 -b .crashfix
%patch105 -p1 -b .kvno
%patch106 -p1 -b .7082
%patch107 -p1 -b .7093
rm src/lib/krb5/krb/deltat.c
gzip doc/*.ps
@ -749,6 +743,12 @@ exit 0
%{_sbindir}/uuserver
%changelog
* Fri Mar 9 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.1-1
- update to 1.10.1
- drop the KDC crash fix
- drop the KDC lookaside cache fix
- drop the fix for kadmind RPC ACLs (CVE-2012-1012)
* Wed Mar 7 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10-5
- when removing -workstation, remove our files from the info index while
the file is still there, in %%preun, rather than %%postun, and use the
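Review bot: Source0 and Source1 now expand to krb5-1.10.1.tar.gz and its .asc, but the `sources` file in this commit only loses its three krb5-1.10 checksum lines and gains none (the diffstat's 9 additions are all in the spec), so the 1.10.1 tarball and signature have no lookaside checksum entry as committed and the package cannot be fetched or integrity-checked from this revision; presumably a follow-up commit adds the new `sources` lines, but the bump and the checksum update belong in the same commit. The dropped Patch104/106/107 correspond to upstream tickets 7081, 7082 and 7093 (CVE-2012-1012); only the deleted 7093 patch header names target_version 1.10.1, 7082 names 1.10 and 7081 carries no header here, so the changelog would be clearer if it recorded that all three are upstream in 1.10.1, e.g. `- drop the KDC crash fix, lookaside cache fix and kadmind RPC ACL fix (CVE-2012-1012), all included upstream in 1.10.1`.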


@ -1,3 +0,0 @@
ff442dfc34c58ad6f601cc8aec6b84e2 krb5-1.10.tar.gz
24dab4f2d8506eb64e364dc1527ba03c krb5-1.10.tar.gz.asc
54ac50d94320c754b3a9553159c6351f krb5-1.10-pdf.tar.xz