update to 1.11.3

- update to 1.11.3 - drop patch for RT#7605, fixed in this release - drop patch for CVE-2002-2443, fixed in this release - drop patch for RT#7369, fixed in this release - pull upstream fix for breaking t_skew.py by adding the patch for #961221
2013-06-04 11:07:24 -04:00 · 2013-06-04 11:07:24 -04:00 · 7b66f600ef
commit 7b66f600ef
parent ff0ee94342
6 changed files with 43 additions and 185 deletions
--- a/krb5-1.11.2-gss_transited.patch
+++ b/krb5-1.11.2-gss_transited.patch
@ -1,81 +0,0 @@
-Should fix #959685.
-
-commit b4d2d74082d239e3024254ab8ffb55c9dd087ff7
-Author: Greg Hudson <ghudson@mit.edu>
-Date:   Mon May 20 11:03:04 2013 -0400
-
-    Fix transited handling for GSSAPI acceptors
-    
-    The Acceptor Names project (#6855) extended krb5_rd_req so that it can
-    accept a "matching principal" in the server parameter.  If the
-    matching principal has an empty realm, rd_req_decoded_opt attempted to
-    do transited checking with an empty server realm.
-    
-    To fix this, always reset server to req->ticket->server for future
-    processing steps if we decrypt the ticket using a keytab.
-    decrypt_ticket replaces req->ticket->server with the principal name
-    from the keytab entry, so we know this name is correct.
-    
-    Based on a bug report and patch from nalin@redhat.com.
-    
-    (cherry picked from commit 57acee11b5c6682a7f4f036e35d8b2fc9292875e)
-    
-    ticket: 7639
-    version_fixed: 1.11.3
-    status: resolved
-
-diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
-index 6495bae..6dacb35 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
-+++ b/src/lib/krb5/krb/rd_req_dec.c
-@@ -277,11 +277,16 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
-         }
-         krb5_k_free_key(context, (*auth_context)->key);
-         (*auth_context)->key = NULL;
-+        if (server == NULL)
-+            server = req->ticket->server;
-     } else {
-         retval = decrypt_ticket(context, req, server, keytab,
-                                 check_valid_flag ? &decrypt_key : NULL);
-         if (retval)
-             goto cleanup;
-+        /* decrypt_ticket placed the principal of the keytab key in
-+         * req->ticket->server; always use this for later steps. */
-+        server = req->ticket->server;
-     }
-     TRACE_RD_REQ_TICKET(context, req->ticket->enc_part2->client,
-                         req->ticket->server, req->ticket->enc_part2->session);
-@@ -308,9 +313,6 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
-         goto cleanup;
-     }
- 
-    if (!server) {
-        server = req->ticket->server;
-    }
-     /* Get an rcache if necessary. */
-     if (((*auth_context)->rcache == NULL)
-         && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
-diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
-index e453b71..cafbea1 100755
--- a/src/tests/gssapi/t_gssapi.py
-+++ b/src/tests/gssapi/t_gssapi.py
-@@ -117,6 +117,19 @@ if 'host/-nomatch-' not in output:
- 
- realm.stop()
- 
-+# Make sure a GSSAPI acceptor can handle cross-realm tickets with a
-+# transited field.  (Regression test for #7639.)
-+r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
-+                          create_user=False, create_host=False,
-+                          args=[{'realm': 'A.X', 'create_user': True},
-+                                {'realm': 'X'},
-+                                {'realm': 'B.X', 'create_host': True}])
-+os.rename(r3.keytab, r1.keytab)
-+r1.run_as_client(['./t_accname', 'p:' + r3.host_princ, 'h:host'])
-+r1.stop()
-+r2.stop()
-+r3.stop()
-+
- ### Test gss_inquire_cred behavior.
- 
- realm = K5Realm()
--- a/krb5-1.11.2-kpasswd_pingpong.patch
+++ b/krb5-1.11.2-kpasswd_pingpong.patch
@ -1,64 +0,0 @@
-commit cf1a0c411b2668c57c41e9c4efd15ba17b6b322c
-Author: Tom Yu <tlyu@mit.edu>
-Date:   Fri May 3 16:26:46 2013 -0400
-
-    Fix kpasswd UDP ping-pong [CVE-2002-2443]
-    
-    The kpasswd service provided by kadmind was vulnerable to a UDP
-    "ping-pong" attack [CVE-2002-2443].  Don't respond to packets unless
-    they pass some basic validation, and don't respond to our own error
-    packets.
-    
-    Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
-    attack or UDP ping-pong attacks in general, but there is discussion
-    leading toward narrowing the definition of CVE-1999-0103 to the echo,
-    chargen, or other similar built-in inetd services.
-    
-    Thanks to Vincent Danen for alerting us to this issue.
-    
-    CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
-    
-    ticket: 7637 (new)
-    target_version: 1.11.3
-    tags: pullup
-
-diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
-index 15b0ab5..7f455d8 100644
--- a/src/kadmin/server/schpw.c
-+++ b/src/kadmin/server/schpw.c
-@@ -52,7 +52,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
-         ret = KRB5KRB_AP_ERR_MODIFIED;
-         numresult = KRB5_KPASSWD_MALFORMED;
-         strlcpy(strresult, "Request was truncated", sizeof(strresult));
-        goto chpwfail;
-+        goto bailout;
-     }
- 
-     ptr = req->data;
-@@ -67,7 +67,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
-         numresult = KRB5_KPASSWD_MALFORMED;
-         strlcpy(strresult, "Request length was inconsistent",
-                 sizeof(strresult));
-        goto chpwfail;
-+        goto bailout;
-     }
- 
-     /* verify version number */
-@@ -80,7 +80,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
-         numresult = KRB5_KPASSWD_BAD_VERSION;
-         snprintf(strresult, sizeof(strresult),
-                  "Request contained unknown protocol version number %d", vno);
-        goto chpwfail;
-+        goto bailout;
-     }
- 
-     /* read, check ap-req length */
-@@ -93,7 +93,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
-         numresult = KRB5_KPASSWD_MALFORMED;
-         strlcpy(strresult, "Request was truncated in AP-REQ",
-                 sizeof(strresult));
-        goto chpwfail;
-+        goto bailout;
-     }
- 
-     /* verify ap_req */
--- a/krb5-1.11.3-skew3.patch
+++ b/krb5-1.11.3-skew3.patch
@ -0,0 +1,28 @@
+commit 3b1b31a57cd932eda928932e67f5f2857929f429
+Author: Greg Hudson <ghudson@mit.edu>
+Date:   Sun Jun 2 15:36:40 2013 -0400
+
+    Fix spurious clock skew caused by preauth delay
+    
+    Commit 37b0e55e21926c7875b7176e24e13005920915a6 (#7063) prevented
+    clock skew caused by preauth delay by recording the time of the
+    initial request.  However, it failed to take into account delay
+    between requests due to prompting during preauthentication.  Fix this
+    by recording the request time for each request.
+    
+    ticket: 7656 (new)
+
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index ff455d3..0dd497e 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -1256,6 +1256,9 @@ init_creds_step_request(krb5_context context,
+         }
+     }
+ 
+    /* Remember when we sent this request (after any preauth delay). */
+    ctx->request_time = time(NULL);
+
+     if (ctx->encoded_previous_request != NULL) {
+         krb5_free_data(context, ctx->encoded_previous_request);
+         ctx->encoded_previous_request = NULL;
--- a/krb5-fast-msg_type.patch
+++ b/krb5-fast-msg_type.patch
@ -1,28 +0,0 @@
-commit 3fbdcd0965180b46c545187e7784350340ae88ee
-Author: Greg Hudson <ghudson@mit.edu>
-Date:   Fri Apr 12 16:28:14 2013 -0400
-
-    Set msg_type when decoding FAST requests
-    
-    An RFC 6113 KrbFastReq contains a padata sequence and a KDC-REQ-BODY,
-    neither of which contain the msg-type field found in a KDC-REQ.  So
-    when we decode the FAST request, the resulting krb5_kdc_req structure
-    has a msg_type of 0.  Copy msg_type from the outer body, since we make
-    use of it in further KDC processing.
-    
-    ticket: 7605 (new)
-    target_version: 1.11.3
-    tags: pullup
-
-diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
-index 40c5783..4fa36c6 100644
--- a/src/kdc/fast_util.c
-+++ b/src/kdc/fast_util.c
-@@ -239,6 +239,7 @@ kdc_find_fast(krb5_kdc_req **requestptr,
-                                                  KRB5_PADATA_FX_COOKIE);
-         if (retval == 0) {
-             state->fast_options = fast_req->fast_options;
-+            fast_req->req_body->msg_type = request->msg_type;
-             krb5_free_kdc_req( kdc_context, request);
-             *requestptr = fast_req->req_body;
-             fast_req->req_body = NULL;
--- a/krb5.spec
+++ b/krb5.spec
@ -29,10 +29,10 @@

 Summary: The Kerberos network authentication system
 Name: krb5
-Version: 1.11.2
-Release: 10%{?dist}
+Version: 1.11.3
+Release: 1%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
-# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.2-signed.tar
+# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
 Source0: krb5-%{version}.tar.gz
 Source1: krb5-%{version}.tar.gz.asc
 # Use a dummy krb5-%{version}-pdf.tar.xz the first time through, then
@ -75,10 +75,7 @@ Patch105: krb5-kvno-230379.patch
 Patch113: krb5-1.11-alpha1-init.patch
 Patch116: http://ausil.fedorapeople.org/aarch64/krb5/krb5-aarch64.patch
 Patch117: krb5-1.11-gss-client-keytab.patch
-Patch119: krb5-fast-msg_type.patch
-Patch120: krb5-1.11.2-kpasswd_pingpong.patch
 Patch121: krb5-cccol-primary.patch
-Patch122: krb5-1.11.2-gss_transited.patch
 Patch123: krb5-1.11.2-empty_passwords.patch
 Patch124: krb5-1.11.2-arcfour_short.patch
 Patch125: krb5-1.11.2-skew1.patch
@ -86,6 +83,7 @@ Patch126: krb5-1.11.2-skew2.patch
 Patch127: krb5-master-test_gss_no_udp.patch
 Patch128: krb5-master-test_no_pmap.patch 
 Patch130: krb5-master-init_referral.patch
+Patch131: krb5-1.11.3-skew3.patch

 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
@ -303,10 +301,7 @@ ln -s NOTICE LICENSE
 %patch113 -p1 -b .init
 %patch116 -p1 -b .aarch64
 %patch117 -p1 -b .gss-client-keytab
-%patch119 -p1 -b .fast-msg_type
-%patch120 -p1 -b .kpasswd_pingpong
 %patch121 -p1 -b .cccol-primary
-%patch122 -p1 -b .gss_transited
 %patch123 -p1 -b .empty_passwords
 %patch124 -p1 -b .arcfour_short
 %patch125 -p1 -b .skew1
@ -314,6 +309,7 @@ ln -s NOTICE LICENSE
 %patch127 -p1 -b .test_gss_no_udp
 %patch128 -p1 -b .test_no_pmap
 %patch130 -p1 -b .init_referral
+%patch131 -p1 -b .skew3

 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@ -839,6 +835,13 @@ exit 0
 %{_sbindir}/uuserver

 %changelog
+* Tue Jun  4 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.3-1
+- update to 1.11.3
+  - drop patch for RT#7605, fixed in this release
+  - drop patch for CVE-2002-2443, fixed in this release
+  - drop patch for RT#7369, fixed in this release
+- pull upstream fix for breaking t_skew.py by adding the patch for #961221
+
 * Fri May 31 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-10
 - respin with updated version of patch for RT#7650 (#969331)

--- a/6
+++ b/6
@ -1,3 +1,3 @@
-7db8ba98dcc1503fe6925aea2238b896  krb5-1.11.2.tar.gz
-10b368a774933177f64e154b12976820  krb5-1.11.2.tar.gz.asc
-d5c8774506d7f67fb096e0b3ac7cb03d  krb5-1.11.2-pdf.tar.xz
+017285971f1038a32261b15c128502f0  krb5-1.11.3.tar.gz
+a9dc7e280af5ac23833d0c951fe44036  krb5-1.11.3.tar.gz.asc
+731b6fa7c98b88920fc8f5b934a6187a  krb5-1.11.3-pdf.tar.xz