merge fixes for MITKRB5-SA-2005-002 and MITKRB5-SA-2005-003

2005-07-12 18:09:21 +00:00 · 2005-07-12 18:09:21 +00:00 · 80238a2fd8
commit 80238a2fd8
parent 73316152b6
3 changed files with 219 additions and 3 deletions
--- a/krb5-1.4.1-api.patch
+++ b/krb5-1.4.1-api.patch
@ -0,0 +1,30 @@
+Reference docs don't define what happens if you call krb5_realm_compare() with
+malformed krb5_principal structures.  Define a behavior which keeps it from
+crashing if applications don't check ahead of time.
+
+--- krb5-1.4.1/src/lib/krb5/krb/princ_comp.c	2002-09-02 21:13:46.000000000 -0400
+++ krb5-1.4.1/src/lib/krb5/krb/princ_comp.c	2005-06-29 13:56:55.000000000 -0400
+@@ -33,6 +33,13 @@
+ krb5_boolean KRB5_CALLCONV
+ krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)
+ {
+    if ((princ1 == NULL) || (princ2 == NULL))
+	return FALSE;
+
+    if ((krb5_princ_realm(context, princ1) == NULL) ||
+        (krb5_princ_realm(context, princ2) == NULL))
+	return FALSE;
+
+     if (krb5_princ_realm(context, princ1)->length != 
+ 	krb5_princ_realm(context, princ2)->length ||
+ 	memcmp (krb5_princ_realm(context, princ1)->data, 
+@@ -49,6 +56,9 @@
+     register int i;
+     krb5_int32 nelem;
+ 
+    if ((princ1 == NULL) || (princ2 == NULL))
+	return FALSE;
+
+     nelem = krb5_princ_size(context, princ1);
+     if (nelem != krb5_princ_size(context, princ2))
+ 	return FALSE;
--- a/krb5-1.4.1-telnet-environ.patch
+++ b/krb5-1.4.1-telnet-environ.patch
@ -0,0 +1,164 @@
+Port of fixes originally made to the NetKit telnet client.
+
+Previous behavior:
+  Well-defined or exported variables are sent to the server on initial connect.
+  The "environ list" command prints "*" before these variable names.
+  Other variables are sent to the server if it requests them.
+  The "environ list" command prints " " before these variable names.
+New behavior:
+  Well-defined variables are sent to the server on initial connect.
+  The "environ list" command prints "*" before these variable names.
+  Exported variables are sent to the server on initial connect.
+  The "environ list" command prints "+" before these variable names.
+  Other variables are NOT sent to the server.
+  The "environ list" command prints " " before these variable names.
+
+diff -uNr krb5-1.4.1/src/appl/telnet/telnet/authenc.c krb5-1.4.1/src/appl/telnet/telnet/authenc.c
+--- krb5-1.4.1/src/appl/telnet/telnet/authenc.c	2002-11-15 15:21:34.000000000 -0500
+++ krb5-1.4.1/src/appl/telnet/telnet/authenc.c	2005-06-29 21:06:39.000000000 -0400
+@@ -83,13 +83,6 @@
+ }
+ 
+ 	char *
+-telnet_getenv(val)
+-	char *val;
+-{
+-	return((char *)env_getvalue((unsigned char *)val));
+-}
+-
+-	char *
+ telnet_gets(tprompt, result, length, echo)
+ 	char *tprompt;
+ 	char *result;
+diff -uNr krb5-1.4.1/src/appl/telnet/telnet/commands.c krb5-1.4.1/src/appl/telnet/telnet/commands.c
+--- krb5-1.4.1/src/appl/telnet/telnet/commands.c	2005-04-07 17:17:26.000000000 -0400
+++ krb5-1.4.1/src/appl/telnet/telnet/commands.c	2005-06-29 21:11:34.000000000 -0400
+@@ -1889,8 +1889,9 @@
+ 	register struct env_lst *ep;
+ 
+ 	for (ep = envlisthead.next; ep; ep = ep->next) {
+-		printf("%c %-20s %s\r\n", ep->export ? '*' : ' ',
+-					ep->var, ep->value);
+		printf("%c %-20s %s\r\n",
+		       " +*"[(ep->welldefined ? 2 : (ep->export > 0))],
+		       ep->var, ep->value);
+ 	}
+ }
+ 
+@@ -1914,13 +1915,15 @@
+ }
+ 
+ 	unsigned char *
+-env_getvalue(var)
+env_getvalue(var, export_only)
+ 	unsigned char *var;
+	int export_only;
+ {
+ 	register struct env_lst *ep;
+ 
+ 	if ((ep = env_find(var)))
+-		return(ep->value);
+		if (ep->export || !export_only)
+			return(ep->value);
+ 	return(NULL);
+ }
+ 
+diff -uNr krb5-1.4.1/src/appl/telnet/telnet/externs.h krb5-1.4.1/src/appl/telnet/telnet/externs.h
+--- krb5-1.4.1/src/appl/telnet/telnet/externs.h	2003-04-23 23:27:56.000000000 -0400
+++ krb5-1.4.1/src/appl/telnet/telnet/externs.h	2005-06-29 21:05:16.000000000 -0400
+@@ -347,7 +347,7 @@
+ 
+ extern unsigned char
+     *env_default (int, int),
+-    *env_getvalue (unsigned char *);
+    *env_getvalue (unsigned char *, int);
+ 
+ extern int
+     env_is_exported (unsigned char *);
+diff -uNr krb5-1.4.1/src/appl/telnet/telnet/telnet.c krb5-1.4.1/src/appl/telnet/telnet/telnet.c
+--- krb5-1.4.1/src/appl/telnet/telnet/telnet.c	2005-06-29 21:13:29.000000000 -0400
+++ krb5-1.4.1/src/appl/telnet/telnet/telnet.c	2005-06-29 21:09:13.000000000 -0400
+@@ -552,7 +552,7 @@
+ #endif
+ 
+ 	    case TELOPT_XDISPLOC:	/* X Display location */
+-		if (env_getvalue((unsigned char *)"DISPLAY") &&
+		if (env_getvalue((unsigned char *)"DISPLAY", 0) &&
+ 		    env_is_exported((unsigned char *)"DISPLAY"))
+ 		    new_state_ok = 1;
+ 		break;
+@@ -813,7 +813,7 @@
+ 		resettermname = 0;
+ 		if (tnamep && tnamep != unknown)
+ 			free(tnamep);
+-		if ((tname = (char *)env_getvalue((unsigned char *)"TERM")) &&
+		if ((tname = (char *)env_getvalue((unsigned char *)"TERM", 0)) &&
+ 				(setupterm(tname, 1, &err) == 0)) {
+ 			tnamep = mklist(termbuf, tname);
+ 		} else {
+@@ -988,7 +988,7 @@
+ 	    unsigned char temp[50], *dp;
+ 	    int len;
+ 
+-	    if (((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL) ||
+	    if (((dp = env_getvalue((unsigned char *)"DISPLAY", 0)) == NULL) ||
+ 		(! env_is_exported((unsigned char *)"DISPLAY"))) {
+ 		/*
+ 		 * Something happened, we no longer have a DISPLAY
+@@ -1669,7 +1669,7 @@
+ 			env_opt_add(ep);
+ 		return;
+ 	}
+-	vp = env_getvalue(ep);
+	vp = env_getvalue(ep, 1);
+ 	elen = 2 * (vp ? strlen((char *)vp) : 0) +
+ 		2 * strlen((char *)ep) + 6;
+ 	if ((opt_replyend - opt_replyp) < elen)
+@@ -2327,7 +2327,7 @@
+ 	send_will(TELOPT_LINEMODE, 1);
+ 	send_will(TELOPT_NEW_ENVIRON, 1);
+ 	send_do(TELOPT_STATUS, 1);
+-	if (env_getvalue((unsigned char *)"DISPLAY") &&
+	if (env_getvalue((unsigned char *)"DISPLAY", 0) &&
+ 	    env_is_exported((unsigned char *)"DISPLAY"))
+ 	    send_will(TELOPT_XDISPLOC, 1);
+ 	if (eight)
+--- krb5-1.4.1/src/appl/telnet/telnetd/authenc.c	2005-06-29 21:25:09.000000000 -0400
+++ krb5-1.4.1/src/appl/telnet/telnetd/authenc.c	2005-06-29 21:25:13.000000000 -0400
+@@ -67,14 +67,6 @@
+ }
+ 
+ 	char *
+-telnet_getenv(val)
+-	char *val;
+-{
+-	extern char *getenv();
+-	return(getenv(val));
+-}
+-
+-	char *
+ telnet_gets(prompt, result, length, echo)
+ 	char *prompt;
+ 	char *result;
+--- krb5-1.4.1/src/appl/telnet/telnet/telnet.1	2005-06-29 21:26:55.000000000 -0400
+++ krb5-1.4.1/src/appl/telnet/telnet/telnet.1	2005-06-29 21:29:05.000000000 -0400
+@@ -401,7 +401,7 @@
+ .I variable
+ to have a value of
+ .IR value .
+-Any variables defined by this command are automatically exported.  The
+Variables defined by this command are not automatically exported.  The
+ .I value
+ may be enclosed in single or double quotes so that tabs and spaces may
+ be included.
+@@ -423,8 +423,8 @@
+ .TP
+ .B list
+ List the current set of environment variables.  Those marked with a \&*
+-will be sent automatically; other variables will only be sent if
+-explicitly requested.
+will be sent automatically; those marked with a \&+ will be sent if the
+other end requests their values, and other variables will not be sent.
+ .TP
+ .B \&?
+ Prints out help information for the
--- a/krb5.spec
+++ b/krb5.spec
@ -7,7 +7,7 @@
 Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.4.1
-Release: 5
+Release: 6
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.4/krb5-1.4.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -64,6 +64,10 @@ Patch33: krb5-1.3.4-deadlock.patch
 Patch34: krb5-krshd-lehman.patch
 Patch35: krb5-1.4.1-fclose.patch
 Patch36: krb5-1.3.3-rcp-markus.patch
+Patch37: krb5-1.4-MITKRB5-SA-2005-002.patch
+Patch38: krb5-1.4-MITKRB5-SA-2005-003.patch
+Patch39: krb5-1.4.1-api.patch
+Patch40: krb5-1.4.1-telnet-environ.patch
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@ -128,12 +132,24 @@ network uses Kerberos, this package should be installed on every
 workstation.

 %changelog
-* Fri Jun 24 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-5
+* Wed Jun 29 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-6
 - rebuild

+* Wed Jun 29 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-5
+- fix telnet client environment variable disclosure the same way NetKit's
+  telnet client did (CAN-2005-0488) (#159305)
+- keep apps which call krb5_principal_compare() or krb5_realm_compare() with
+  malformed or NULL principal structures from crashing outright (Thomas Biege)
+  (#161475)
+
+* Tue Jun 28 2005 Nalin Dahyabhai <nalin@redhat.com>
+- apply fixes from draft of MIT-KRB5-SA-2005-002 (CAN-2005-1174,CAN-2005-1175)
+  (#157104)
+- apply fixes from draft of MIT-KRB5-SA-2005-003 (CAN-2005-1689) (#159755)
+
 * Fri Jun 24 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-4
 - fix double-close in keytab handling
- add port of fixes for CAN-2004-0175 to krb5-aware rcp
+- add port of fixes for CAN-2004-0175 to krb5-aware rcp (#151612)

 * Fri May 13 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-3
 - prevent spurious EBADF in krshd when stdin is closed by the client while
@ -840,6 +856,12 @@ workstation.
 %patch34 -p0 -b .krshd-lehman
 %patch35 -p1 -b .fclose
 %patch36 -p1 -b .rcp-markus
+pushd src
+%patch37 -p0 -b .MIT-KRB5-SA-2005-002
+%patch38 -p0 -b .MIT-KRB5-SA-2005-003
+popd
+%patch39 -p1 -b .api
+%patch40 -p1 -b .telnet-environ
 cp src/krb524/README README.krb524
 find . -type f -name "*.info-dir" -exec rm -fv "{}" ";"
 gzip doc/*.ps