rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

update to 1.11.3

Browse Source 
- update to 1.11.3
  - drop patch for RT#7605, fixed in this release
  - drop patch for CVE-2002-2443, fixed in this release
  - drop patch for RT#7369, fixed in this release
- pull upstream fix for breaking t_skew.py by adding the patch for #961221
This commit is contained in:
Nalin Dahyabhai 2013-06-04 11:07:24 -04:00
parent ff0ee94342
commit 7b66f600ef
6 changed files with 43 additions and 185 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
krb5-1.11.2-gss_transited.patch
View File

@ -1,81 +0,0 @@
Should fix #959685.
commit b4d2d74082d239e3024254ab8ffb55c9dd087ff7
Author: Greg Hudson <ghudson@mit.edu>
Date: Mon May 20 11:03:04 2013 -0400
Fix transited handling for GSSAPI acceptors
The Acceptor Names project (#6855) extended krb5_rd_req so that it can
accept a "matching principal" in the server parameter. If the
matching principal has an empty realm, rd_req_decoded_opt attempted to
do transited checking with an empty server realm.
To fix this, always reset server to req->ticket->server for future
processing steps if we decrypt the ticket using a keytab.
decrypt_ticket replaces req->ticket->server with the principal name
from the keytab entry, so we know this name is correct.
Based on a bug report and patch from nalin@redhat.com.
(cherry picked from commit 57acee11b5c6682a7f4f036e35d8b2fc9292875e)
ticket: 7639
version_fixed: 1.11.3
status: resolved
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 6495bae..6dacb35 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -277,11 +277,16 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
}
krb5_k_free_key(context, (*auth_context)->key);
(*auth_context)->key = NULL;
+ if (server == NULL)
+ server = req->ticket->server;
} else {
retval = decrypt_ticket(context, req, server, keytab,
check_valid_flag ? &decrypt_key : NULL);
if (retval)
goto cleanup;
+ /* decrypt_ticket placed the principal of the keytab key in
+ * req->ticket->server; always use this for later steps. */
+ server = req->ticket->server;
}
TRACE_RD_REQ_TICKET(context, req->ticket->enc_part2->client,
req->ticket->server, req->ticket->enc_part2->session);
@@ -308,9 +313,6 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
goto cleanup;
}
- if (!server) {
- server = req->ticket->server;
- }
/* Get an rcache if necessary. */
if (((*auth_context)->rcache == NULL)
&& ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index e453b71..cafbea1 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -117,6 +117,19 @@ if 'host/-nomatch-' not in output:
realm.stop()
+# Make sure a GSSAPI acceptor can handle cross-realm tickets with a
+# transited field. (Regression test for #7639.)
+r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
+ create_user=False, create_host=False,
+ args=[{'realm': 'A.X', 'create_user': True},
+ {'realm': 'X'},
+ {'realm': 'B.X', 'create_host': True}])
+os.rename(r3.keytab, r1.keytab)
+r1.run_as_client(['./t_accname', 'p:' + r3.host_princ, 'h:host'])
+r1.stop()
+r2.stop()
+r3.stop()
+
### Test gss_inquire_cred behavior.
realm = K5Realm()

64
krb5-1.11.2-kpasswd_pingpong.patch
View File

@ -1,64 +0,0 @@
commit cf1a0c411b2668c57c41e9c4efd15ba17b6b322c
Author: Tom Yu <tlyu@mit.edu>
Date: Fri May 3 16:26:46 2013 -0400
Fix kpasswd UDP ping-pong [CVE-2002-2443]
The kpasswd service provided by kadmind was vulnerable to a UDP
"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
they pass some basic validation, and don't respond to our own error
packets.
Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
attack or UDP ping-pong attacks in general, but there is discussion
leading toward narrowing the definition of CVE-1999-0103 to the echo,
chargen, or other similar built-in inetd services.
Thanks to Vincent Danen for alerting us to this issue.
CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
ticket: 7637 (new)
target_version: 1.11.3
tags: pullup
diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
index 15b0ab5..7f455d8 100644
--- a/src/kadmin/server/schpw.c
+++ b/src/kadmin/server/schpw.c
@@ -52,7 +52,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
ret = KRB5KRB_AP_ERR_MODIFIED;
numresult = KRB5_KPASSWD_MALFORMED;
strlcpy(strresult, "Request was truncated", sizeof(strresult));
- goto chpwfail;
+ goto bailout;
}
ptr = req->data;
@@ -67,7 +67,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
numresult = KRB5_KPASSWD_MALFORMED;
strlcpy(strresult, "Request length was inconsistent",
sizeof(strresult));
- goto chpwfail;
+ goto bailout;
}
/* verify version number */
@@ -80,7 +80,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
numresult = KRB5_KPASSWD_BAD_VERSION;
snprintf(strresult, sizeof(strresult),
"Request contained unknown protocol version number %d", vno);
- goto chpwfail;
+ goto bailout;
}
/* read, check ap-req length */
@@ -93,7 +93,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
numresult = KRB5_KPASSWD_MALFORMED;
strlcpy(strresult, "Request was truncated in AP-REQ",
sizeof(strresult));
- goto chpwfail;
+ goto bailout;
}
/* verify ap_req */

28
krb5-1.11.3-skew3.patch Normal file
View File

@ -0,0 +1,28 @@
commit 3b1b31a57cd932eda928932e67f5f2857929f429
Author: Greg Hudson <ghudson@mit.edu>
Date: Sun Jun 2 15:36:40 2013 -0400
Fix spurious clock skew caused by preauth delay
Commit 37b0e55e21926c7875b7176e24e13005920915a6 (#7063) prevented
clock skew caused by preauth delay by recording the time of the
initial request. However, it failed to take into account delay
between requests due to prompting during preauthentication. Fix this
by recording the request time for each request.
ticket: 7656 (new)
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index ff455d3..0dd497e 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1256,6 +1256,9 @@ init_creds_step_request(krb5_context context,
}
}
+ /* Remember when we sent this request (after any preauth delay). */
+ ctx->request_time = time(NULL);
+
if (ctx->encoded_previous_request != NULL) {
krb5_free_data(context, ctx->encoded_previous_request);
ctx->encoded_previous_request = NULL;

28
krb5-fast-msg_type.patch
View File

@ -1,28 +0,0 @@
commit 3fbdcd0965180b46c545187e7784350340ae88ee
Author: Greg Hudson <ghudson@mit.edu>
Date: Fri Apr 12 16:28:14 2013 -0400
Set msg_type when decoding FAST requests
An RFC 6113 KrbFastReq contains a padata sequence and a KDC-REQ-BODY,
neither of which contain the msg-type field found in a KDC-REQ. So
when we decode the FAST request, the resulting krb5_kdc_req structure
has a msg_type of 0. Copy msg_type from the outer body, since we make
use of it in further KDC processing.
ticket: 7605 (new)
target_version: 1.11.3
tags: pullup
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index 40c5783..4fa36c6 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -239,6 +239,7 @@ kdc_find_fast(krb5_kdc_req **requestptr,
KRB5_PADATA_FX_COOKIE);
if (retval == 0) {
state->fast_options = fast_req->fast_options;
+ fast_req->req_body->msg_type = request->msg_type;
krb5_free_kdc_req( kdc_context, request);
*requestptr = fast_req->req_body;
fast_req->req_body = NULL;

21
krb5.spec
View File

@ -29,10 +29,10 @@
Summary: The Kerberos network authentication system Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.11.2 Version: 1.11.3
Release: 10%{?dist} Release: 1%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead? # Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.2-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
Source0: krb5-%{version}.tar.gz Source0: krb5-%{version}.tar.gz
Source1: krb5-%{version}.tar.gz.asc Source1: krb5-%{version}.tar.gz.asc
# Use a dummy krb5-%{version}-pdf.tar.xz the first time through, then # Use a dummy krb5-%{version}-pdf.tar.xz the first time through, then
@ -75,10 +75,7 @@ Patch105: krb5-kvno-230379.patch
Patch113: krb5-1.11-alpha1-init.patch Patch113: krb5-1.11-alpha1-init.patch
Patch116: http://ausil.fedorapeople.org/aarch64/krb5/krb5-aarch64.patch Patch116: http://ausil.fedorapeople.org/aarch64/krb5/krb5-aarch64.patch
Patch117: krb5-1.11-gss-client-keytab.patch Patch117: krb5-1.11-gss-client-keytab.patch
Patch119: krb5-fast-msg_type.patch
Patch120: krb5-1.11.2-kpasswd_pingpong.patch
Patch121: krb5-cccol-primary.patch Patch121: krb5-cccol-primary.patch
Patch122: krb5-1.11.2-gss_transited.patch
Patch123: krb5-1.11.2-empty_passwords.patch Patch123: krb5-1.11.2-empty_passwords.patch
Patch124: krb5-1.11.2-arcfour_short.patch Patch124: krb5-1.11.2-arcfour_short.patch
Patch125: krb5-1.11.2-skew1.patch Patch125: krb5-1.11.2-skew1.patch
@ -86,6 +83,7 @@ Patch126: krb5-1.11.2-skew2.patch
Patch127: krb5-master-test_gss_no_udp.patch Patch127: krb5-master-test_gss_no_udp.patch
Patch128: krb5-master-test_no_pmap.patch Patch128: krb5-master-test_no_pmap.patch
Patch130: krb5-master-init_referral.patch Patch130: krb5-master-init_referral.patch
Patch131: krb5-1.11.3-skew3.patch
# Patches for otp plugin backport # Patches for otp plugin backport
Patch201: krb5-1.11.2-keycheck.patch Patch201: krb5-1.11.2-keycheck.patch
@ -303,10 +301,7 @@ ln -s NOTICE LICENSE
%patch113 -p1 -b .init %patch113 -p1 -b .init
%patch116 -p1 -b .aarch64 %patch116 -p1 -b .aarch64
%patch117 -p1 -b .gss-client-keytab %patch117 -p1 -b .gss-client-keytab
%patch119 -p1 -b .fast-msg_type
%patch120 -p1 -b .kpasswd_pingpong
%patch121 -p1 -b .cccol-primary %patch121 -p1 -b .cccol-primary
%patch122 -p1 -b .gss_transited
%patch123 -p1 -b .empty_passwords %patch123 -p1 -b .empty_passwords
%patch124 -p1 -b .arcfour_short %patch124 -p1 -b .arcfour_short
%patch125 -p1 -b .skew1 %patch125 -p1 -b .skew1
@ -314,6 +309,7 @@ ln -s NOTICE LICENSE
%patch127 -p1 -b .test_gss_no_udp %patch127 -p1 -b .test_gss_no_udp
%patch128 -p1 -b .test_no_pmap %patch128 -p1 -b .test_no_pmap
%patch130 -p1 -b .init_referral %patch130 -p1 -b .init_referral
%patch131 -p1 -b .skew3
%patch201 -p1 -b .keycheck %patch201 -p1 -b .keycheck
%patch202 -p1 -b .otp %patch202 -p1 -b .otp
@ -839,6 +835,13 @@ exit 0
%{_sbindir}/uuserver %{_sbindir}/uuserver
%changelog %changelog
* Tue Jun 4 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.3-1
- update to 1.11.3
- drop patch for RT#7605, fixed in this release
- drop patch for CVE-2002-2443, fixed in this release
- drop patch for RT#7369, fixed in this release
- pull upstream fix for breaking t_skew.py by adding the patch for #961221
* Fri May 31 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-10 * Fri May 31 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-10
- respin with updated version of patch for RT#7650 (#969331) - respin with updated version of patch for RT#7650 (#969331)

6
sources
View File

@ -1,3 +1,3 @@
7db8ba98dcc1503fe6925aea2238b896 krb5-1.11.2.tar.gz 017285971f1038a32261b15c128502f0 krb5-1.11.3.tar.gz
10b368a774933177f64e154b12976820 krb5-1.11.2.tar.gz.asc a9dc7e280af5ac23833d0c951fe44036 krb5-1.11.3.tar.gz.asc
d5c8774506d7f67fb096e0b3ac7cb03d krb5-1.11.2-pdf.tar.xz 731b6fa7c98b88920fc8f5b934a6187a krb5-1.11.3-pdf.tar.xz