fixes for MITKRB5-SA-2012-001 and .so symlinks

- add upstream patch to fix freeing an uninitialized pointer and dereferencing another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014 and CVE-2012-1015, #838012) - fix a thinko in whether or not we mess around with devel .so symlinks on systems without a separate /usr (sbose)
2012-07-31 14:14:12 -04:00 · 2012-07-31 14:14:12 -04:00 · 718a1573e1
commit 718a1573e1
parent a020fb0304
2 changed files with 85 additions and 4 deletions
--- a/2012-001-patch.txt
+++ b/2012-001-patch.txt
@ -0,0 +1,61 @@
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 23623fe..8ada9d0 100644
+--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
+@@ -463,7 +463,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
+     krb5_enctype useenctype;
+     struct as_req_state *state;
+ 
+-    state = malloc(sizeof(*state));
+    state = calloc(sizeof(*state), 1);
+     if (!state) {
+         (*respond)(arg, ENOMEM, NULL);
+         return;
+@@ -486,6 +486,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
+     state->authtime = 0;
+     state->c_flags = 0;
+     state->req_pkt = req_pkt;
+    state->inner_body = NULL;
+     state->rstate = NULL;
+     state->sname = 0;
+     state->cname = 0;
+diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
+index 9d8cb34..d4ece3f 100644
+--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
+@@ -1438,7 +1438,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
+                 continue;
+ 
+             }
+-            if (request_contains_enctype(context, request, db_etype)) {
+            if (krb5_is_permitted_enctype(context, db_etype) &&
+                request_contains_enctype(context, request, db_etype)) {
+                 retval = _make_etype_info_entry(context, client->princ,
+                                                 client_key, db_etype,
+                                                 &entry[i], etype_info2);
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index a43b291..94dad3a 100644
+--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
+@@ -2461,6 +2461,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request,
+         return 0;
+     pa.magic = KV5M_PA_DATA;
+     pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
+    memset(&checksum, 0, sizeof(checksum));
+     retval = krb5_c_make_checksum(kdc_context,0, reply_key,
+                                   KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
+     if (retval != 0)
+diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
+index c4bf92e..367c894 100644
+--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
+@@ -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
+     krb5_boolean        saw_non_permitted = FALSE;
+ 
+     ret = 0;
+    if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
+        return KRB5_KDB_NO_PERMITTED_KEY;
+
+     if (kvno == -1 && stype == -1 && ktype == -1)
+         kvno = 0;
+ 
--- a/krb5.spec
+++ b/krb5.spec
@ -11,16 +11,16 @@
 %global WITH_SYSVERTO 0
 %endif
 %if 0%{?fedora} >= 17 || 0%{?rhel} > 6
-%global no_separate_usr 1
+%global separate_usr 0
 %else
-%global no_separate_usr 0
+%global separate_usr 1
 %endif
 %global gettext_domain mit-krb5

 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.10.2
-Release: 4%{?dist}
+Release: 5%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -69,6 +69,7 @@ Patch103: krb5-1.10-gcc47.patch
 Patch105: krb5-kvno-230379.patch
 Patch106: krb5-1.10.2-keytab-etype.patch
 Patch107: krb5-trunk-pkinit-anchorsign.patch
+Patch108: http://web.mit.edu/kerberos/advisories/2012-001-patch.txt

 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -247,6 +248,7 @@ ln -s NOTICE LICENSE
 %patch105 -p1 -b .kvno
 %patch106 -p1 -b .keytab-etype
 %patch107 -p1 -b .pkinit-anchorsign
+%patch108 -p1 -b .2012-001
 rm src/lib/krb5/krb/deltat.c

 gzip doc/*.ps
@ -441,7 +443,7 @@ make -C src DESTDIR=$RPM_BUILD_ROOT EXAMPLEDIR=%{_docdir}/krb5-libs-%{version}/e
 # list of link flags, and it helps prevent file conflicts on multilib systems.
 sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT%{_bindir}/krb5-config

-%if %{no_separate_usr}
+%if %{separate_usr}
 # Move specific libraries from %{_libdir} to /%{_lib}, and fixup the symlinks.
 touch $RPM_BUILD_ROOT/rootfile
 rellibdir=..
@ -684,14 +686,25 @@ exit 0
 /%{_mandir}/man5/k5identity.5*
 /%{_mandir}/man5/k5login.5*
 /%{_mandir}/man5/krb5.conf.5*
+%if %{separate_usr}
 /%{_lib}/libgssapi_krb5.so.*
 /%{_lib}/libgssrpc.so.*
 /%{_lib}/libk5crypto.so.*
+%else
+%{_libdir}/libgssapi_krb5.so.*
+%{_libdir}/libgssrpc.so.*
+%{_libdir}/libk5crypto.so.*
+%endif
 %{_libdir}/libkadm5clnt_mit.so.*
 %{_libdir}/libkadm5srv_mit.so.*
 %{_libdir}/libkdb5.so.*
+%if %{separate_usr}
 /%{_lib}/libkrb5.so.*
 /%{_lib}/libkrb5support.so.*
+%else
+%{_libdir}/libkrb5.so.*
+%{_libdir}/libkrb5support.so.*
+%endif
 %dir %{_libdir}/krb5
 %dir %{_libdir}/krb5/plugins
 %dir %{_libdir}/krb5/plugins/*
@ -755,6 +768,13 @@ exit 0
 %{_sbindir}/uuserver

 %changelog
+* Tue Jul 31 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-5
+- add upstream patch to fix freeing an uninitialized pointer and dereferencing
+  another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014
+  and CVE-2012-1015, #838012)
+- fix a thinko in whether or not we mess around with devel .so symlinks on
+  systems without a separate /usr (sbose)
+
 * Fri Jul 27 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.10.2-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild