From 80238a2fd873c91b4d494b158329b32af226fbf3 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 12 Jul 2005 18:09:21 +0000
Subject: [PATCH] merge fixes for MITKRB5-SA-2005-002 and MITKRB5-SA-2005-003
---
 krb5-1.4.1-api.patch | 30 ++++++
 krb5-1.4.1-telnet-environ.patch | 164 ++++++++++++++++++++++++++++++++
 krb5.spec | 28 +++++-
 3 files changed, 219 insertions(+), 3 deletions(-)
 create mode 100644 krb5-1.4.1-api.patch
 create mode 100644 krb5-1.4.1-telnet-environ.patch
diff --git a/krb5-1.4.1-api.patch b/krb5-1.4.1-api.patch
new file mode 100644
index 0000000..d795f54
--- /dev/null
+++ b/krb5-1.4.1-api.patch
@@ -0,0 +1,30 @@
+Reference docs don't define what happens if you call krb5_realm_compare() with
+malformed krb5_principal structures. Define a behavior which keeps it from
+crashing if applications don't check ahead of time.
+
+--- krb5-1.4.1/src/lib/krb5/krb/princ_comp.c 2002-09-02 21:13:46.000000000 -0400
++++ krb5-1.4.1/src/lib/krb5/krb/princ_comp.c 2005-06-29 13:56:55.000000000 -0400
+@@ -33,6 +33,13 @@
+ krb5_boolean KRB5_CALLCONV
+ krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)
+ {
++ if ((princ1 == NULL) || (princ2 == NULL))
++ return FALSE;
++
++ if ((krb5_princ_realm(context, princ1) == NULL) ||
++ (krb5_princ_realm(context, princ2) == NULL))
++ return FALSE;
++
+ if (krb5_princ_realm(context, princ1)->length !=
+ krb5_princ_realm(context, princ2)->length ||
+ memcmp (krb5_princ_realm(context, princ1)->data,
+@@ -49,6 +56,9 @@
+ register int i;
+ krb5_int32 nelem;
+
++ if ((princ1 == NULL) || (princ2 == NULL))
++ return FALSE;
++
+ nelem = krb5_princ_size(context, princ1);
+ if (nelem != krb5_princ_size(context, princ2))
+ return FALSE;
diff --git a/krb5-1.4.1-telnet-environ.patch b/krb5-1.4.1-telnet-environ.patch
new file mode 100644
index 0000000..05da88b
--- /dev/null
+++ b/krb5-1.4.1-telnet-environ.patch
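Review bot: The two new NULL tests on krb5_princ_realm() in the first hunk of krb5-1.4.1-api.patch cannot fire: as defined in krb5.h, krb5_princ_realm(context, princ) expands to `&(princ)->realm`, the address of a member embedded in the principal, which is never NULL once princ itself has been checked, so the only crash this hunk prevents is the NULL-principal one. A malformed principal whose realm has a non-zero length but a NULL data pointer still reaches the memcmp() on the following lines; a guard that matches the stated intent would be `if (krb5_princ_realm(context, princ1)->length != 0 && (krb5_princ_realm(context, princ1)->data == NULL || krb5_princ_realm(context, princ2)->data == NULL)) return FALSE;` in place of the pointer comparison. The per-component memcmp() in krb5_principal_compare() has the same exposure, but its body, like that of krb5_realm_compare(), continues outside the hunks shown here.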
@@ -0,0 +1,164 @@ +Port of fixes originally made to the NetKit telnet client. + +Previous behavior: + Well-defined or exported variables are sent to the server on initial connect. + The "environ list" command prints "*" before these variable names. + Other variables are sent to the server if it requests them. + The "environ list" command prints " " before these variable names. +New behavior: + Well-defined variables are sent to the server on initial connect. + The "environ list" command prints "*" before these variable names. + Exported variables are sent to the server on initial connect. + The "environ list" command prints "+" before these variable names. + Other variables are NOT sent to the server. + The "environ list" command prints " " before these variable names. + +diff -uNr krb5-1.4.1/src/appl/telnet/telnet/authenc.c krb5-1.4.1/src/appl/telnet/telnet/authenc.c +--- krb5-1.4.1/src/appl/telnet/telnet/authenc.c 2002-11-15 15:21:34.000000000 -0500 ++++ krb5-1.4.1/src/appl/telnet/telnet/authenc.c 2005-06-29 21:06:39.000000000 -0400 +@@ -83,13 +83,6 @@ + } + + char * +-telnet_getenv(val) +- char *val; +-{ +- return((char *)env_getvalue((unsigned char *)val)); +-} +- +- char * + telnet_gets(tprompt, result, length, echo) + char *tprompt; + char *result; +diff -uNr krb5-1.4.1/src/appl/telnet/telnet/commands.c krb5-1.4.1/src/appl/telnet/telnet/commands.c +--- krb5-1.4.1/src/appl/telnet/telnet/commands.c 2005-04-07 17:17:26.000000000 -0400 ++++ krb5-1.4.1/src/appl/telnet/telnet/commands.c 2005-06-29 21:11:34.000000000 -0400 +@@ -1889,8 +1889,9 @@ + register struct env_lst *ep; + + for (ep = envlisthead.next; ep; ep = ep->next) { +- printf("%c %-20s %s\r\n", ep->export ? '*' : ' ', +- ep->var, ep->value); ++ printf("%c %-20s %s\r\n", ++ " +*"[(ep->welldefined ? 
2 : (ep->export > 0))], ++ ep->var, ep->value); + } + } + +@@ -1914,13 +1915,15 @@ + } + + unsigned char * +-env_getvalue(var) ++env_getvalue(var, export_only) + unsigned char *var; ++ int export_only; + { + register struct env_lst *ep; + + if ((ep = env_find(var))) +- return(ep->value); ++ if (ep->export || !export_only) ++ return(ep->value); + return(NULL); + } + +diff -uNr krb5-1.4.1/src/appl/telnet/telnet/externs.h krb5-1.4.1/src/appl/telnet/telnet/externs.h +--- krb5-1.4.1/src/appl/telnet/telnet/externs.h 2003-04-23 23:27:56.000000000 -0400 ++++ krb5-1.4.1/src/appl/telnet/telnet/externs.h 2005-06-29 21:05:16.000000000 -0400 +@@ -347,7 +347,7 @@ + + extern unsigned char + *env_default (int, int), +- *env_getvalue (unsigned char *); ++ *env_getvalue (unsigned char *, int); + + extern int + env_is_exported (unsigned char *); +diff -uNr krb5-1.4.1/src/appl/telnet/telnet/telnet.c krb5-1.4.1/src/appl/telnet/telnet/telnet.c +--- krb5-1.4.1/src/appl/telnet/telnet/telnet.c 2005-06-29 21:13:29.000000000 -0400 ++++ krb5-1.4.1/src/appl/telnet/telnet/telnet.c 2005-06-29 21:09:13.000000000 -0400 +@@ -552,7 +552,7 @@ + #endif + + case TELOPT_XDISPLOC: /* X Display location */ +- if (env_getvalue((unsigned char *)"DISPLAY") && ++ if (env_getvalue((unsigned char *)"DISPLAY", 0) && + env_is_exported((unsigned char *)"DISPLAY")) + new_state_ok = 1; + break; +@@ -813,7 +813,7 @@ + resettermname = 0; + if (tnamep && tnamep != unknown) + free(tnamep); +- if ((tname = (char *)env_getvalue((unsigned char *)"TERM")) && ++ if ((tname = (char *)env_getvalue((unsigned char *)"TERM", 0)) && + (setupterm(tname, 1, &err) == 0)) { + tnamep = mklist(termbuf, tname); + } else { +@@ -988,7 +988,7 @@ + unsigned char temp[50], *dp; + int len; + +- if (((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL) || ++ if (((dp = env_getvalue((unsigned char *)"DISPLAY", 0)) == NULL) || + (! 
env_is_exported((unsigned char *)"DISPLAY"))) { + /* + * Something happened, we no longer have a DISPLAY +@@ -1669,7 +1669,7 @@ + env_opt_add(ep); + return; + } +- vp = env_getvalue(ep); ++ vp = env_getvalue(ep, 1); + elen = 2 * (vp ? strlen((char *)vp) : 0) + + 2 * strlen((char *)ep) + 6; + if ((opt_replyend - opt_replyp) < elen) +@@ -2327,7 +2327,7 @@ + send_will(TELOPT_LINEMODE, 1); + send_will(TELOPT_NEW_ENVIRON, 1); + send_do(TELOPT_STATUS, 1); +- if (env_getvalue((unsigned char *)"DISPLAY") && ++ if (env_getvalue((unsigned char *)"DISPLAY", 0) && + env_is_exported((unsigned char *)"DISPLAY")) + send_will(TELOPT_XDISPLOC, 1); + if (eight) +--- krb5-1.4.1/src/appl/telnet/telnetd/authenc.c 2005-06-29 21:25:09.000000000 -0400 ++++ krb5-1.4.1/src/appl/telnet/telnetd/authenc.c 2005-06-29 21:25:13.000000000 -0400 +@@ -67,14 +67,6 @@ + } + + char * +-telnet_getenv(val) +- char *val; +-{ +- extern char *getenv(); +- return(getenv(val)); +-} +- +- char * + telnet_gets(prompt, result, length, echo) + char *prompt; + char *result; +--- krb5-1.4.1/src/appl/telnet/telnet/telnet.1 2005-06-29 21:26:55.000000000 -0400 ++++ krb5-1.4.1/src/appl/telnet/telnet/telnet.1 2005-06-29 21:29:05.000000000 -0400 +@@ -401,7 +401,7 @@ + .I variable + to have a value of + .IR value . +-Any variables defined by this command are automatically exported. The ++Variables defined by this command are not automatically exported. The + .I value + may be enclosed in single or double quotes so that tabs and spaces may + be included. +@@ -423,8 +423,8 @@ + .TP + .B list + List the current set of environment variables. Those marked with a \&* +-will be sent automatically; other variables will only be sent if +-explicitly requested. ++will be sent automatically; those marked with a \&+ will be sent if the ++other end requests their values, and other variables will not be sent. + .TP + .B \&? + Prints out help information for the diff --git a/krb5.spec b/krb5.spec index edf433f..676c3a9 100644 
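Review bot: The authenc.c hunks for both the telnet client and telnetd remove telnet_getenv() entirely, yet no hunk in this patch updates a caller, so any remaining reference under libtelnet would fail at link time; this presumably relies on the MITKRB5-SA-2005-003 patch applied just before it in the spec having dropped those references, which is worth confirming before depending on the build. The new export_only parameter of env_getvalue() in commands.c is undocumented; a comment on the definition such as `/* export_only != 0: return the value only if the variable is marked for export; the telnet.c caller around line 1669 passes 1 so that a server-initiated SEND cannot pull unexported variables */` would record why the six call sites differ. The `" +*"[...]` index expression in the environ list printf is compact but cryptic; one comment line naming the three markers (well-defined, exported, other) would save the next reader from deriving it from the header text of the patch.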
--- a/krb5.spec
+++ b/krb5.spec
@@ -7,7 +7,7 @@ Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.4.1
-Release: 5
+Release: 6
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.4/krb5-1.4.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -64,6 +64,10 @@ Patch33: krb5-1.3.4-deadlock.patch
 Patch34: krb5-krshd-lehman.patch
 Patch35: krb5-1.4.1-fclose.patch
 Patch36: krb5-1.3.3-rcp-markus.patch
+Patch37: krb5-1.4-MITKRB5-SA-2005-002.patch
+Patch38: krb5-1.4-MITKRB5-SA-2005-003.patch
+Patch39: krb5-1.4.1-api.patch
+Patch40: krb5-1.4.1-telnet-environ.patch
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@@ -128,12 +132,24 @@ network uses Kerberos, this package should be installed on every
 workstation.
 %changelog
-* Fri Jun 24 2005 Nalin Dahyabhai 1.4.1-5
+* Wed Jun 29 2005 Nalin Dahyabhai 1.4.1-6
 - rebuild
+* Wed Jun 29 2005 Nalin Dahyabhai 1.4.1-5
+- fix telnet client environment variable disclosure the same way NetKit's
+ telnet client did (CAN-2005-0488) (#159305)
+- keep apps which call krb5_principal_compare() or krb5_realm_compare() with
+ malformed or NULL principal structures from crashing outright (Thomas Biege)
+ (#161475)
+
+* Tue Jun 28 2005 Nalin Dahyabhai
+- apply fixes from draft of MIT-KRB5-SA-2005-002 (CAN-2005-1174,CAN-2005-1175)
+ (#157104)
+- apply fixes from draft of MIT-KRB5-SA-2005-003 (CAN-2005-1689) (#159755)
+
 * Fri Jun 24 2005 Nalin Dahyabhai 1.4.1-4
 - fix double-close in keytab handling
-- add port of fixes for CAN-2004-0175 to krb5-aware rcp
+- add port of fixes for CAN-2004-0175 to krb5-aware rcp (#151612)
 * Fri May 13 2005 Nalin Dahyabhai 1.4.1-3
 - prevent spurious EBADF in krshd when stdin is closed by the client while
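Review bot: Patch37 and Patch38 declare krb5-1.4-MITKRB5-SA-2005-002.patch and krb5-1.4-MITKRB5-SA-2005-003.patch, and the hunk at @@ -840 applies them with %patch37/%patch38 under pushd src, but neither file is among the three files this commit adds, so rpmbuild stops in %prep with a missing-source error unless they are already in the tree or arrive in a separate commit; worth checking before tagging 1.4.1-6. The advisory is also spelled three ways — MITKRB5-SA in the patch file names, MIT-KRB5-SA in the %patch backup suffixes and the %changelog — which rpm does not care about but which makes grepping the package history for the advisory awkward; one spelling throughout would help. The %changelog hunk additionally re-dates the existing 1.4.1-5 "rebuild" entry as 1.4.1-6 and inserts a new Jun 29 entry for 1.4.1-5 carrying the security fixes, so the recorded history of -5 no longer matches what that entry said before; a short remark in the -6 entry that the fixes were merged from the security branch would make the rewrite self-explanatory.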
@@ -840,6 +856,12 @@ workstation.
 %patch34 -p0 -b .krshd-lehman
 %patch35 -p1 -b .fclose
 %patch36 -p1 -b .rcp-markus
+pushd src
+%patch37 -p0 -b .MIT-KRB5-SA-2005-002
+%patch38 -p0 -b .MIT-KRB5-SA-2005-003
+popd
+%patch39 -p1 -b .api
+%patch40 -p1 -b .telnet-environ
 cp src/krb524/README README.krb524
 find . -type f -name "*.info-dir" -exec rm -fv "{}" ";"
 gzip doc/*.ps