rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

merge fixes for MITKRB5-SA-2005-002 and MITKRB5-SA-2005-003

Browse Source
This commit is contained in:
Nalin Dahyabhai 2005-07-12 18:09:21 +00:00
parent 73316152b6
commit 80238a2fd8
3 changed files with 219 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
krb5-1.4.1-api.patch Normal file
View File

@ -0,0 +1,30 @@
Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time.
--- krb5-1.4.1/src/lib/krb5/krb/princ_comp.c 2002-09-02 21:13:46.000000000 -0400
+++ krb5-1.4.1/src/lib/krb5/krb/princ_comp.c 2005-06-29 13:56:55.000000000 -0400
@@ -33,6 +33,13 @@
krb5_boolean KRB5_CALLCONV
krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)
{
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+
+ if ((krb5_princ_realm(context, princ1) == NULL) ||
+ (krb5_princ_realm(context, princ2) == NULL))
+ return FALSE;
+
if (krb5_princ_realm(context, princ1)->length !=
krb5_princ_realm(context, princ2)->length ||
memcmp (krb5_princ_realm(context, princ1)->data,
@@ -49,6 +56,9 @@
register int i;
krb5_int32 nelem;
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+
nelem = krb5_princ_size(context, princ1);
if (nelem != krb5_princ_size(context, princ2))
return FALSE;

164
krb5-1.4.1-telnet-environ.patch Normal file
View File

@ -0,0 +1,164 @@
Port of fixes originally made to the NetKit telnet client.
Previous behavior:
Well-defined or exported variables are sent to the server on initial connect.
The "environ list" command prints "*" before these variable names.
Other variables are sent to the server if it requests them.
The "environ list" command prints " " before these variable names.
New behavior:
Well-defined variables are sent to the server on initial connect.
The "environ list" command prints "*" before these variable names.
Exported variables are sent to the server on initial connect.
The "environ list" command prints "+" before these variable names.
Other variables are NOT sent to the server.
The "environ list" command prints " " before these variable names.
diff -uNr krb5-1.4.1/src/appl/telnet/telnet/authenc.c krb5-1.4.1/src/appl/telnet/telnet/authenc.c
--- krb5-1.4.1/src/appl/telnet/telnet/authenc.c 2002-11-15 15:21:34.000000000 -0500
+++ krb5-1.4.1/src/appl/telnet/telnet/authenc.c 2005-06-29 21:06:39.000000000 -0400
@@ -83,13 +83,6 @@
}
char *
-telnet_getenv(val)
- char *val;
-{
- return((char *)env_getvalue((unsigned char *)val));
-}
-
- char *
telnet_gets(tprompt, result, length, echo)
char *tprompt;
char *result;
diff -uNr krb5-1.4.1/src/appl/telnet/telnet/commands.c krb5-1.4.1/src/appl/telnet/telnet/commands.c
--- krb5-1.4.1/src/appl/telnet/telnet/commands.c 2005-04-07 17:17:26.000000000 -0400
+++ krb5-1.4.1/src/appl/telnet/telnet/commands.c 2005-06-29 21:11:34.000000000 -0400
@@ -1889,8 +1889,9 @@
register struct env_lst *ep;
for (ep = envlisthead.next; ep; ep = ep->next) {
- printf("%c %-20s %s\r\n", ep->export ? '*' : ' ',
- ep->var, ep->value);
+ printf("%c %-20s %s\r\n",
+ " +*"[(ep->welldefined ? 2 : (ep->export > 0))],
+ ep->var, ep->value);
}
}
@@ -1914,13 +1915,15 @@
}
unsigned char *
-env_getvalue(var)
+env_getvalue(var, export_only)
unsigned char *var;
+ int export_only;
{
register struct env_lst *ep;
if ((ep = env_find(var)))
- return(ep->value);
+ if (ep->export || !export_only)
+ return(ep->value);
return(NULL);
}
diff -uNr krb5-1.4.1/src/appl/telnet/telnet/externs.h krb5-1.4.1/src/appl/telnet/telnet/externs.h
--- krb5-1.4.1/src/appl/telnet/telnet/externs.h 2003-04-23 23:27:56.000000000 -0400
+++ krb5-1.4.1/src/appl/telnet/telnet/externs.h 2005-06-29 21:05:16.000000000 -0400
@@ -347,7 +347,7 @@
extern unsigned char
*env_default (int, int),
- *env_getvalue (unsigned char *);
+ *env_getvalue (unsigned char *, int);
extern int
env_is_exported (unsigned char *);
diff -uNr krb5-1.4.1/src/appl/telnet/telnet/telnet.c krb5-1.4.1/src/appl/telnet/telnet/telnet.c
--- krb5-1.4.1/src/appl/telnet/telnet/telnet.c 2005-06-29 21:13:29.000000000 -0400
+++ krb5-1.4.1/src/appl/telnet/telnet/telnet.c 2005-06-29 21:09:13.000000000 -0400
@@ -552,7 +552,7 @@
#endif
case TELOPT_XDISPLOC: /* X Display location */
- if (env_getvalue((unsigned char *)"DISPLAY") &&
+ if (env_getvalue((unsigned char *)"DISPLAY", 0) &&
env_is_exported((unsigned char *)"DISPLAY"))
new_state_ok = 1;
break;
@@ -813,7 +813,7 @@
resettermname = 0;
if (tnamep && tnamep != unknown)
free(tnamep);
- if ((tname = (char *)env_getvalue((unsigned char *)"TERM")) &&
+ if ((tname = (char *)env_getvalue((unsigned char *)"TERM", 0)) &&
(setupterm(tname, 1, &err) == 0)) {
tnamep = mklist(termbuf, tname);
} else {
@@ -988,7 +988,7 @@
unsigned char temp[50], *dp;
int len;
- if (((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL) ||
+ if (((dp = env_getvalue((unsigned char *)"DISPLAY", 0)) == NULL) ||
(! env_is_exported((unsigned char *)"DISPLAY"))) {
/*
* Something happened, we no longer have a DISPLAY
@@ -1669,7 +1669,7 @@
env_opt_add(ep);
return;
}
- vp = env_getvalue(ep);
+ vp = env_getvalue(ep, 1);
elen = 2 * (vp ? strlen((char *)vp) : 0) +
2 * strlen((char *)ep) + 6;
if ((opt_replyend - opt_replyp) < elen)
@@ -2327,7 +2327,7 @@
send_will(TELOPT_LINEMODE, 1);
send_will(TELOPT_NEW_ENVIRON, 1);
send_do(TELOPT_STATUS, 1);
- if (env_getvalue((unsigned char *)"DISPLAY") &&
+ if (env_getvalue((unsigned char *)"DISPLAY", 0) &&
env_is_exported((unsigned char *)"DISPLAY"))
send_will(TELOPT_XDISPLOC, 1);
if (eight)
--- krb5-1.4.1/src/appl/telnet/telnetd/authenc.c 2005-06-29 21:25:09.000000000 -0400
+++ krb5-1.4.1/src/appl/telnet/telnetd/authenc.c 2005-06-29 21:25:13.000000000 -0400
@@ -67,14 +67,6 @@
}
char *
-telnet_getenv(val)
- char *val;
-{
- extern char *getenv();
- return(getenv(val));
-}
-
- char *
telnet_gets(prompt, result, length, echo)
char *prompt;
char *result;
--- krb5-1.4.1/src/appl/telnet/telnet/telnet.1 2005-06-29 21:26:55.000000000 -0400
+++ krb5-1.4.1/src/appl/telnet/telnet/telnet.1 2005-06-29 21:29:05.000000000 -0400
@@ -401,7 +401,7 @@
.I variable
to have a value of
.IR value .
-Any variables defined by this command are automatically exported. The
+Variables defined by this command are not automatically exported. The
.I value
may be enclosed in single or double quotes so that tabs and spaces may
be included.
@@ -423,8 +423,8 @@
.TP
.B list
List the current set of environment variables. Those marked with a \&*
-will be sent automatically; other variables will only be sent if
-explicitly requested.
+will be sent automatically; those marked with a \&+ will be sent if the
+other end requests their values, and other variables will not be sent.
.TP
.B \&?
Prints out help information for the

28
krb5.spec
View File

@ -7,7 +7,7 @@
Summary: The Kerberos network authentication system. Summary: The Kerberos network authentication system.
Name: krb5 Name: krb5
Version: 1.4.1 Version: 1.4.1
Release: 5 Release: 6
# Maybe we should explode from the now-available-to-everybody tarball instead? # Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.4/krb5-1.4.1-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.4/krb5-1.4.1-signed.tar
Source0: krb5-%{version}.tar.gz Source0: krb5-%{version}.tar.gz
@ -64,6 +64,10 @@ Patch33: krb5-1.3.4-deadlock.patch
Patch34: krb5-krshd-lehman.patch Patch34: krb5-krshd-lehman.patch
Patch35: krb5-1.4.1-fclose.patch Patch35: krb5-1.4.1-fclose.patch
Patch36: krb5-1.3.3-rcp-markus.patch Patch36: krb5-1.3.3-rcp-markus.patch
Patch37: krb5-1.4-MITKRB5-SA-2005-002.patch
Patch38: krb5-1.4-MITKRB5-SA-2005-003.patch
Patch39: krb5-1.4.1-api.patch
Patch40: krb5-1.4.1-telnet-environ.patch
License: MIT, freely distributable. License: MIT, freely distributable.
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
Group: System Environment/Libraries Group: System Environment/Libraries
@ -128,12 +132,24 @@ network uses Kerberos, this package should be installed on every
workstation. workstation.
%changelog %changelog
* Fri Jun 24 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-5 * Wed Jun 29 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-6
- rebuild - rebuild
* Wed Jun 29 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-5
- fix telnet client environment variable disclosure the same way NetKit's
telnet client did (CAN-2005-0488) (#159305)
- keep apps which call krb5_principal_compare() or krb5_realm_compare() with
malformed or NULL principal structures from crashing outright (Thomas Biege)
(#161475)
* Tue Jun 28 2005 Nalin Dahyabhai <nalin@redhat.com>
- apply fixes from draft of MIT-KRB5-SA-2005-002 (CAN-2005-1174,CAN-2005-1175)
(#157104)
- apply fixes from draft of MIT-KRB5-SA-2005-003 (CAN-2005-1689) (#159755)
* Fri Jun 24 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-4 * Fri Jun 24 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-4
- fix double-close in keytab handling - fix double-close in keytab handling
- add port of fixes for CAN-2004-0175 to krb5-aware rcp - add port of fixes for CAN-2004-0175 to krb5-aware rcp (#151612)
* Fri May 13 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-3 * Fri May 13 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-3
- prevent spurious EBADF in krshd when stdin is closed by the client while - prevent spurious EBADF in krshd when stdin is closed by the client while
@ -840,6 +856,12 @@ workstation.
%patch34 -p0 -b .krshd-lehman %patch34 -p0 -b .krshd-lehman
%patch35 -p1 -b .fclose %patch35 -p1 -b .fclose
%patch36 -p1 -b .rcp-markus %patch36 -p1 -b .rcp-markus
pushd src
%patch37 -p0 -b .MIT-KRB5-SA-2005-002
%patch38 -p0 -b .MIT-KRB5-SA-2005-003
popd
%patch39 -p1 -b .api
%patch40 -p1 -b .telnet-environ
cp src/krb524/README README.krb524 cp src/krb524/README README.krb524
find . -type f -name "*.info-dir" -exec rm -fv "{}" ";" find . -type f -name "*.info-dir" -exec rm -fv "{}" ";"
gzip doc/*.ps gzip doc/*.ps