Release 1.14-beta2

This commit is contained in:
Robbie Harwood (frozencemetery) 2015-11-16 18:00:06 +00:00
parent b81fddfea1
commit 806928902d
9 changed files with 11 additions and 1691 deletions

3
.gitignore vendored
View File

@ -124,3 +124,6 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.14-beta1.tar.gz
/krb5-1.14-beta1.tar.gz.asc
/krb5-1.14-beta1-pdfs.tar
/krb5-1.14-beta2.tar.gz.asc
/krb5-1.14-beta2.tar.gz
/krb5-1.14-beta2-pdfs.tar

View File

@ -1,75 +0,0 @@
diff --git a/src/lib/krad/Makefile.in b/src/lib/krad/Makefile.in
index 75431a0..6764d90 100644
--- a/src/lib/krad/Makefile.in
+++ b/src/lib/krad/Makefile.in
@@ -33,12 +33,18 @@ install-unix:: install-libs
clean-unix:: clean-liblinks clean-libs clean-libobjs
check-unix:: t_attr t_attrset t_code t_packet t_remote t_client
- $(RUN_SETUP) $(VALGRIND) ./t_attr
- $(RUN_SETUP) $(VALGRIND) ./t_attrset
- $(RUN_SETUP) $(VALGRIND) ./t_code
- $(RUN_SETUP) $(VALGRIND) ./t_packet $(PYTHON) $(srcdir)/t_daemon.py
- $(RUN_SETUP) $(VALGRIND) ./t_remote $(PYTHON) $(srcdir)/t_daemon.py
- $(RUN_SETUP) $(VALGRIND) ./t_client $(PYTHON) $(srcdir)/t_daemon.py
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
+ $(RUN_SETUP) $(VALGRIND) ./t_attr
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
+ $(RUN_SETUP) $(VALGRIND) ./t_attrset
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
+ $(RUN_SETUP) $(VALGRIND) ./t_code
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
+ $(RUN_SETUP) $(VALGRIND) ./t_packet $(PYTHON) $(srcdir)/t_daemon.py
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
+ $(RUN_SETUP) $(VALGRIND) ./t_remote $(PYTHON) $(srcdir)/t_daemon.py
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
+ $(RUN_SETUP) $(VALGRIND) ./t_client $(PYTHON) $(srcdir)/t_daemon.py
TESTDEPS=t_test.o $(KRB5_BASE_DEPLIBS)
TESTLIBS=t_test.o $(KRB5_BASE_LIBS)
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
index 62f0b90..ba5f761 100644
--- a/src/lib/krb5/krb/Makefile.in
+++ b/src/lib/krb5/krb/Makefile.in
@@ -464,16 +464,22 @@ check-unix:: $(TEST_PROGS)
$(RM) test.out
KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
$(RUN_SETUP) $(VALGRIND) ./t_ser
- $(RUN_SETUP) $(VALGRIND) ./t_deltat
- $(RUN_SETUP) $(VALGRIND) sh $(srcdir)/transit-tests
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
+ $(RUN_SETUP) $(VALGRIND) ./t_deltat
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
+ $(RUN_SETUP) $(VALGRIND) sh $(srcdir)/transit-tests
KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
$(RUN_SETUP) $(VALGRIND) sh $(srcdir)/walktree-tests
KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
- $(RUN_SETUP) $(VALGRIND) ./t_authdata
- $(RUN_SETUP) $(VALGRIND) ./t_pac
- $(RUN_SETUP) $(VALGRIND) ./t_princ
- $(RUN_SETUP) $(VALGRIND) ./t_etypes
- $(RUN_SETUP) $(VALGRIND) ./t_response_items
+ $(RUN_SETUP) $(VALGRIND) ./t_authdata
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
+ $(RUN_SETUP) $(VALGRIND) ./t_pac
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
+ $(RUN_SETUP) $(VALGRIND) ./t_princ
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
+ $(RUN_SETUP) $(VALGRIND) ./t_etypes
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
+ $(RUN_SETUP) $(VALGRIND) ./t_response_items
KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
$(RUN_SETUP) $(VALGRIND) ./t_copy_context
diff --git a/src/lib/krb5/os/Makefile.in b/src/lib/krb5/os/Makefile.in
index 1bd8573..b87e7f9 100644
--- a/src/lib/krb5/os/Makefile.in
+++ b/src/lib/krb5/os/Makefile.in
@@ -233,6 +233,7 @@ check-unix-locate:: t_locate_kdc
check-unix-trace:: t_trace
rm -f t_trace.out
KRB5_TRACE=t_trace.out ; export KRB5_TRACE ; \
+ KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
$(RUN_SETUP) $(VALGRIND) ./t_trace
sed -e 's/^[^:]*: //' t_trace.out | cmp - $(srcdir)/t_trace.ref
rm -f t_trace.out

View File

@ -1,567 +0,0 @@
From b51b33f2bc5d1497ddf5bd107f791c101695000d Mon Sep 17 00:00:00 2001
From: Nicolas Williams <nico@twosigma.com>
Date: Mon, 14 Sep 2015 12:27:52 -0400
Subject: [PATCH] Fix SPNEGO context aliasing bugs [CVE-2015-2695]
The SPNEGO mechanism currently replaces its context handle with the
mechanism context handle upon establishment, under the assumption that
most GSS functions are only called after context establishment. This
assumption is incorrect, and can lead to aliasing violations for some
programs. Maintain the SPNEGO context structure after context
establishment and refer to it in all GSS methods. Add initiate and
opened flags to the SPNEGO context structure for use in
gss_inquire_context() prior to context establishment.
CVE-2015-2695:
In MIT krb5 1.5 and later, applications which call
gss_inquire_context() on a partially-established SPNEGO context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash. This bug may go unnoticed, because
the most common SPNEGO authentication scenario establishes the context
after just one call to gss_accept_sec_context(). Java server
applications using the native JGSS provider are vulnerable to this
bug. A carefully crafted SPNEGO packet might allow the
gss_inquire_context() call to succeed with attacker-determined
results, but applications should not make access control decisions
based on gss_inquire_context() results prior to context establishment.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
[ghudson@mit.edu: several bugfixes, style changes, and edge-case
behavior changes; commit message and CVE description]
ticket: 8244
target_version: 1.14
tags: pullup
---
src/lib/gssapi/spnego/gssapiP_spnego.h | 2 +
src/lib/gssapi/spnego/spnego_mech.c | 254 ++++++++++++++++++++++++---------
2 files changed, 192 insertions(+), 64 deletions(-)
diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h
index 57372de..5c82764 100644
--- a/src/lib/gssapi/spnego/gssapiP_spnego.h
+++ b/src/lib/gssapi/spnego/gssapiP_spnego.h
@@ -103,6 +103,8 @@ typedef struct {
int firstpass;
int mech_complete;
int nego_done;
+ int initiate;
+ int opened;
OM_uint32 ctx_flags;
gss_name_t internal_name;
gss_OID actual_mech;
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index ef76e1f..7849c85 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -102,7 +102,7 @@ static OM_uint32 get_negotiable_mechs(OM_uint32 *, spnego_gss_cred_id_t,
gss_cred_usage_t, gss_OID_set *);
static void release_spnego_ctx(spnego_gss_ctx_id_t *);
static void check_spnego_options(spnego_gss_ctx_id_t);
-static spnego_gss_ctx_id_t create_spnego_ctx(void);
+static spnego_gss_ctx_id_t create_spnego_ctx(int);
static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf);
static int put_input_token(unsigned char **, gss_buffer_t, unsigned int);
static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int);
@@ -454,7 +454,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx)
}
static spnego_gss_ctx_id_t
-create_spnego_ctx(void)
+create_spnego_ctx(int initiate)
{
spnego_gss_ctx_id_t spnego_ctx = NULL;
spnego_ctx = (spnego_gss_ctx_id_t)
@@ -477,6 +477,8 @@ create_spnego_ctx(void)
spnego_ctx->mic_rcvd = 0;
spnego_ctx->mech_complete = 0;
spnego_ctx->nego_done = 0;
+ spnego_ctx->opened = 0;
+ spnego_ctx->initiate = initiate;
spnego_ctx->internal_name = GSS_C_NO_NAME;
spnego_ctx->actual_mech = GSS_C_NO_OID;
@@ -642,7 +644,7 @@ init_ctx_new(OM_uint32 *minor_status,
OM_uint32 ret;
spnego_gss_ctx_id_t sc = NULL;
- sc = create_spnego_ctx();
+ sc = create_spnego_ctx(1);
if (sc == NULL)
return GSS_S_FAILURE;
@@ -659,10 +661,7 @@ init_ctx_new(OM_uint32 *minor_status,
ret = GSS_S_FAILURE;
goto cleanup;
}
- /*
- * The actual context is not yet determined, set the output
- * context handle to refer to the spnego context itself.
- */
+
sc->ctx_handle = GSS_C_NO_CONTEXT;
*ctx = (gss_ctx_id_t)sc;
sc = NULL;
@@ -1108,16 +1107,11 @@ cleanup:
}
gss_release_buffer(&tmpmin, &mechtok_out);
if (ret == GSS_S_COMPLETE) {
- /*
- * Now, switch the output context to refer to the
- * negotiated mechanism's context.
- */
- *context_handle = (gss_ctx_id_t)spnego_ctx->ctx_handle;
+ spnego_ctx->opened = 1;
if (actual_mech != NULL)
*actual_mech = spnego_ctx->actual_mech;
if (ret_flags != NULL)
*ret_flags = spnego_ctx->ctx_flags;
- release_spnego_ctx(&spnego_ctx);
} else if (ret != GSS_S_CONTINUE_NEEDED) {
if (spnego_ctx != NULL) {
gss_delete_sec_context(&tmpmin,
@@ -1285,7 +1279,7 @@ acc_ctx_hints(OM_uint32 *minor_status,
if (ret != GSS_S_COMPLETE)
goto cleanup;
- sc = create_spnego_ctx();
+ sc = create_spnego_ctx(0);
if (sc == NULL) {
ret = GSS_S_FAILURE;
goto cleanup;
@@ -1367,7 +1361,7 @@ acc_ctx_new(OM_uint32 *minor_status,
gss_release_buffer(&tmpmin, &sc->DER_mechTypes);
assert(mech_wanted != GSS_C_NO_OID);
} else
- sc = create_spnego_ctx();
+ sc = create_spnego_ctx(0);
if (sc == NULL) {
ret = GSS_S_FAILURE;
*return_token = NO_TOKEN_SEND;
@@ -1750,13 +1744,12 @@ cleanup:
ret = GSS_S_FAILURE;
}
if (ret == GSS_S_COMPLETE) {
- *context_handle = (gss_ctx_id_t)sc->ctx_handle;
+ sc->opened = 1;
if (sc->internal_name != GSS_C_NO_NAME &&
src_name != NULL) {
*src_name = sc->internal_name;
sc->internal_name = GSS_C_NO_NAME;
}
- release_spnego_ctx(&sc);
} else if (ret != GSS_S_CONTINUE_NEEDED) {
if (sc != NULL) {
gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
@@ -2069,8 +2062,13 @@ spnego_gss_unwrap(
gss_qop_t *qop_state)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
+
ret = gss_unwrap(minor_status,
- context_handle,
+ sc->ctx_handle,
input_message_buffer,
output_message_buffer,
conf_state,
@@ -2090,8 +2088,13 @@ spnego_gss_wrap(
gss_buffer_t output_message_buffer)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
+
ret = gss_wrap(minor_status,
- context_handle,
+ sc->ctx_handle,
conf_req_flag,
qop_req,
input_message_buffer,
@@ -2108,8 +2111,14 @@ spnego_gss_process_context_token(
const gss_buffer_t token_buffer)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ /* SPNEGO doesn't have its own context tokens. */
+ if (!sc->opened)
+ return (GSS_S_DEFECTIVE_TOKEN);
+
ret = gss_process_context_token(minor_status,
- context_handle,
+ sc->ctx_handle,
token_buffer);
return (ret);
@@ -2133,19 +2142,9 @@ spnego_gss_delete_sec_context(
if (*ctx == NULL)
return (GSS_S_COMPLETE);
- /*
- * If this is still an SPNEGO mech, release it locally.
- */
- if ((*ctx)->magic_num == SPNEGO_MAGIC_ID) {
- (void) gss_delete_sec_context(minor_status,
- &(*ctx)->ctx_handle,
- output_token);
- (void) release_spnego_ctx(ctx);
- } else {
- ret = gss_delete_sec_context(minor_status,
- context_handle,
- output_token);
- }
+ (void) gss_delete_sec_context(minor_status, &(*ctx)->ctx_handle,
+ output_token);
+ (void) release_spnego_ctx(ctx);
return (ret);
}
@@ -2157,8 +2156,13 @@ spnego_gss_context_time(
OM_uint32 *time_rec)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
+
ret = gss_context_time(minor_status,
- context_handle,
+ sc->ctx_handle,
time_rec);
return (ret);
}
@@ -2170,9 +2174,20 @@ spnego_gss_export_sec_context(
gss_buffer_t interprocess_token)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = *(spnego_gss_ctx_id_t *)context_handle;
+
+ /* We don't currently support exporting partially established
+ * contexts. */
+ if (!sc->opened)
+ return GSS_S_UNAVAILABLE;
+
ret = gss_export_sec_context(minor_status,
- context_handle,
+ &sc->ctx_handle,
interprocess_token);
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) {
+ release_spnego_ctx(&sc);
+ *context_handle = GSS_C_NO_CONTEXT;
+ }
return (ret);
}
@@ -2182,11 +2197,12 @@ spnego_gss_import_sec_context(
const gss_buffer_t interprocess_token,
gss_ctx_id_t *context_handle)
{
- OM_uint32 ret;
- ret = gss_import_sec_context(minor_status,
- interprocess_token,
- context_handle);
- return (ret);
+ /*
+ * Until we implement partial context exports, there are no SPNEGO
+ * exported context tokens, only tokens for underlying mechs. So just
+ * return an error for now.
+ */
+ return GSS_S_UNAVAILABLE;
}
#endif /* LEAN_CLIENT */
@@ -2203,16 +2219,48 @@ spnego_gss_inquire_context(
int *opened)
{
OM_uint32 ret = GSS_S_COMPLETE;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
- ret = gss_inquire_context(minor_status,
- context_handle,
- src_name,
- targ_name,
- lifetime_rec,
- mech_type,
- ctx_flags,
- locally_initiated,
- opened);
+ if (src_name != NULL)
+ *src_name = GSS_C_NO_NAME;
+ if (targ_name != NULL)
+ *targ_name = GSS_C_NO_NAME;
+ if (lifetime_rec != NULL)
+ *lifetime_rec = 0;
+ if (mech_type != NULL)
+ *mech_type = (gss_OID)gss_mech_spnego;
+ if (ctx_flags != NULL)
+ *ctx_flags = 0;
+ if (locally_initiated != NULL)
+ *locally_initiated = sc->initiate;
+ if (opened != NULL)
+ *opened = sc->opened;
+
+ if (sc->ctx_handle != GSS_C_NO_CONTEXT) {
+ ret = gss_inquire_context(minor_status, sc->ctx_handle,
+ src_name, targ_name, lifetime_rec,
+ mech_type, ctx_flags, NULL, NULL);
+ }
+
+ if (!sc->opened) {
+ /*
+ * We are still doing SPNEGO negotiation, so report SPNEGO as
+ * the OID. After negotiation is complete we will report the
+ * underlying mechanism OID.
+ */
+ if (mech_type != NULL)
+ *mech_type = (gss_OID)gss_mech_spnego;
+
+ /*
+ * Remove flags we don't support with partially-established
+ * contexts. (Change this to keep GSS_C_TRANS_FLAG if we add
+ * support for exporting partial SPNEGO contexts.)
+ */
+ if (ctx_flags != NULL) {
+ *ctx_flags &= ~GSS_C_PROT_READY_FLAG;
+ *ctx_flags &= ~GSS_C_TRANS_FLAG;
+ }
+ }
return (ret);
}
@@ -2227,8 +2275,13 @@ spnego_gss_wrap_size_limit(
OM_uint32 *max_input_size)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
+
ret = gss_wrap_size_limit(minor_status,
- context_handle,
+ sc->ctx_handle,
conf_req_flag,
qop_req,
req_output_size,
@@ -2245,8 +2298,13 @@ spnego_gss_get_mic(
gss_buffer_t message_token)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
+
ret = gss_get_mic(minor_status,
- context_handle,
+ sc->ctx_handle,
qop_req,
message_buffer,
message_token);
@@ -2262,8 +2320,13 @@ spnego_gss_verify_mic(
gss_qop_t *qop_state)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
+
ret = gss_verify_mic(minor_status,
- context_handle,
+ sc->ctx_handle,
msg_buffer,
token_buffer,
qop_state);
@@ -2278,8 +2341,14 @@ spnego_gss_inquire_sec_context_by_oid(
gss_buffer_set_t *data_set)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ /* There are no SPNEGO-specific OIDs for this function. */
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_UNAVAILABLE);
+
ret = gss_inquire_sec_context_by_oid(minor_status,
- context_handle,
+ sc->ctx_handle,
desired_object,
data_set);
return (ret);
@@ -2359,8 +2428,15 @@ spnego_gss_set_sec_context_option(
const gss_buffer_t value)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)*context_handle;
+
+ /* There are no SPNEGO-specific OIDs for this function, and we cannot
+ * construct an empty SPNEGO context with it. */
+ if (sc == NULL || sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_UNAVAILABLE);
+
ret = gss_set_sec_context_option(minor_status,
- context_handle,
+ &sc->ctx_handle,
desired_object,
value);
return (ret);
@@ -2377,8 +2453,13 @@ spnego_gss_wrap_aead(OM_uint32 *minor_status,
gss_buffer_t output_message_buffer)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
+
ret = gss_wrap_aead(minor_status,
- context_handle,
+ sc->ctx_handle,
conf_req_flag,
qop_req,
input_assoc_buffer,
@@ -2399,8 +2480,13 @@ spnego_gss_unwrap_aead(OM_uint32 *minor_status,
gss_qop_t *qop_state)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
+
ret = gss_unwrap_aead(minor_status,
- context_handle,
+ sc->ctx_handle,
input_message_buffer,
input_assoc_buffer,
output_payload_buffer,
@@ -2419,8 +2505,13 @@ spnego_gss_wrap_iov(OM_uint32 *minor_status,
int iov_count)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
+
ret = gss_wrap_iov(minor_status,
- context_handle,
+ sc->ctx_handle,
conf_req_flag,
qop_req,
conf_state,
@@ -2438,8 +2529,13 @@ spnego_gss_unwrap_iov(OM_uint32 *minor_status,
int iov_count)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
+
ret = gss_unwrap_iov(minor_status,
- context_handle,
+ sc->ctx_handle,
conf_state,
qop_state,
iov,
@@ -2457,8 +2553,13 @@ spnego_gss_wrap_iov_length(OM_uint32 *minor_status,
int iov_count)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
+
ret = gss_wrap_iov_length(minor_status,
- context_handle,
+ sc->ctx_handle,
conf_req_flag,
qop_req,
conf_state,
@@ -2475,8 +2576,13 @@ spnego_gss_complete_auth_token(
gss_buffer_t input_message_buffer)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_UNAVAILABLE);
+
ret = gss_complete_auth_token(minor_status,
- context_handle,
+ sc->ctx_handle,
input_message_buffer);
return (ret);
}
@@ -2721,8 +2827,13 @@ spnego_gss_pseudo_random(OM_uint32 *minor_status,
gss_buffer_t prf_out)
{
OM_uint32 ret;
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context;
+
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
+
ret = gss_pseudo_random(minor_status,
- context,
+ sc->ctx_handle,
prf_key,
prf_in,
desired_output_len,
@@ -2863,7 +2974,12 @@ spnego_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
gss_qop_t qop_req, gss_iov_buffer_desc *iov,
int iov_count)
{
- return gss_get_mic_iov(minor_status, context_handle, qop_req, iov,
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
+
+ return gss_get_mic_iov(minor_status, sc->ctx_handle, qop_req, iov,
iov_count);
}
@@ -2872,7 +2988,12 @@ spnego_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
int iov_count)
{
- return gss_verify_mic_iov(minor_status, context_handle, qop_state, iov,
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
+
+ return gss_verify_mic_iov(minor_status, sc->ctx_handle, qop_state, iov,
iov_count);
}
@@ -2881,7 +3002,12 @@ spnego_gss_get_mic_iov_length(OM_uint32 *minor_status,
gss_ctx_id_t context_handle, gss_qop_t qop_req,
gss_iov_buffer_desc *iov, int iov_count)
{
- return gss_get_mic_iov_length(minor_status, context_handle, qop_req, iov,
+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
+
+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
+
+ return gss_get_mic_iov_length(minor_status, sc->ctx_handle, qop_req, iov,
iov_count);
}
--
2.6.1

View File

@ -1,734 +0,0 @@
From e04f0283516e80d2f93366e0d479d13c9b5c8c2a Mon Sep 17 00:00:00 2001
From: Nicolas Williams <nico@twosigma.com>
Date: Mon, 14 Sep 2015 12:28:36 -0400
Subject: [PATCH] Fix IAKERB context aliasing bugs [CVE-2015-2696]
The IAKERB mechanism currently replaces its context handle with the
krb5 mechanism handle upon establishment, under the assumption that
most GSS functions are only called after context establishment. This
assumption is incorrect, and can lead to aliasing violations for some
programs. Maintain the IAKERB context structure after context
establishment and add new IAKERB entry points to refer to it with that
type. Add initiate and established flags to the IAKERB context
structure for use in gss_inquire_context() prior to context
establishment.
CVE-2015-2696:
In MIT krb5 1.9 and later, applications which call
gss_inquire_context() on a partially-established IAKERB context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash. Java server applications using the
native JGSS provider are vulnerable to this bug. A carefully crafted
IAKERB packet might allow the gss_inquire_context() call to succeed
with attacker-determined results, but applications should not make
access control decisions based on gss_inquire_context() results prior
to context establishment.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
[ghudson@mit.edu: several bugfixes, style changes, and edge-case
behavior changes; commit message and CVE description]
ticket: 8244
target_version: 1.14
tags: pullup
---
src/lib/gssapi/krb5/gssapiP_krb5.h | 114 ++++++++++++
src/lib/gssapi/krb5/gssapi_krb5.c | 105 +++++++++--
src/lib/gssapi/krb5/iakerb.c | 351 +++++++++++++++++++++++++++++++++----
3 files changed, 529 insertions(+), 41 deletions(-)
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 9aae12a..97e090d 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -621,6 +621,21 @@ OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext
);
#endif /* LEAN_CLIENT */
+OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid
+(OM_uint32*, /* minor_status */
+ const gss_ctx_id_t,
+ /* context_handle */
+ const gss_OID, /* desired_object */
+ gss_buffer_set_t* /* data_set */
+);
+
+OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option
+(OM_uint32*, /* minor_status */
+ gss_ctx_id_t*, /* context_handle */
+ const gss_OID, /* desired_object */
+ const gss_buffer_t/* value */
+);
+
OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token
(OM_uint32*, /* minor_status */
gss_ctx_id_t, /* context_handle */
@@ -1302,6 +1317,105 @@ OM_uint32 KRB5_CALLCONV
krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token,
gss_cred_id_t *cred_handle);
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_process_context_token(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t token_buffer);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ OM_uint32 *time_rec);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_inquire_context(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle, gss_name_t *src_name,
+ gss_name_t *targ_name, OM_uint32 *lifetime_rec,
+ gss_OID *mech_type, OM_uint32 *ctx_flags,
+ int *locally_initiated, int *opened);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ gss_qop_t qop_req, gss_buffer_t message_buffer,
+ gss_buffer_t message_token);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ gss_qop_t qop_req, gss_iov_buffer_desc *iov,
+ int iov_count);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle, gss_qop_t qop_req,
+ gss_iov_buffer_desc *iov, int iov_count);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
+ gss_qop_t *qop_state);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
+ int iov_count);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ int conf_req_flag, gss_qop_t qop_req,
+ gss_buffer_t input_message_buffer, int *conf_state,
+ gss_buffer_t output_message_buffer);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ int conf_req_flag, gss_qop_t qop_req, int *conf_state,
+ gss_iov_buffer_desc *iov, int iov_count);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle, int conf_req_flag,
+ gss_qop_t qop_req, int *conf_state,
+ gss_iov_buffer_desc *iov, int iov_count);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ gss_buffer_t input_message_buffer,
+ gss_buffer_t output_message_buffer, int *conf_state,
+ gss_qop_t *qop_state);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ int *conf_state, gss_qop_t *qop_state,
+ gss_iov_buffer_desc *iov, int iov_count);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle, int conf_req_flag,
+ gss_qop_t qop_req, OM_uint32 req_output_size,
+ OM_uint32 *max_input_size);
+
+#ifndef LEAN_CLIENT
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ gss_buffer_t interprocess_token);
+#endif /* LEAN_CLIENT */
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ const gss_OID desired_object,
+ const gss_buffer_t value);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ int prf_key, const gss_buffer_t prf_in,
+ ssize_t desired_output_len, gss_buffer_t prf_out);
+
/* Magic string to identify exported krb5 GSS credentials. Increment this if
* the format changes. */
#define CRED_EXPORT_MAGIC "K5C1"
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index 0be92e4..c4dfdd6 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -351,7 +351,7 @@ static struct {
}
};
-static OM_uint32 KRB5_CALLCONV
+OM_uint32 KRB5_CALLCONV
krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_OID desired_object,
@@ -465,7 +465,7 @@ static struct {
};
#endif
-static OM_uint32 KRB5_CALLCONV
+OM_uint32 KRB5_CALLCONV
krb5_gss_set_sec_context_option (OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
const gss_OID desired_object,
@@ -929,20 +929,103 @@ static struct gss_config krb5_mechanism = {
krb5_gss_get_mic_iov_length,
};
+/* Functions which use security contexts or acquire creds are IAKERB-specific;
+ * other functions can borrow from the krb5 mech. */
+static struct gss_config iakerb_mechanism = {
+ { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID },
+ NULL,
+ iakerb_gss_acquire_cred,
+ krb5_gss_release_cred,
+ iakerb_gss_init_sec_context,
+#ifdef LEAN_CLIENT
+ NULL,
+#else
+ iakerb_gss_accept_sec_context,
+#endif
+ iakerb_gss_process_context_token,
+ iakerb_gss_delete_sec_context,
+ iakerb_gss_context_time,
+ iakerb_gss_get_mic,
+ iakerb_gss_verify_mic,
+#if defined(IOV_SHIM_EXERCISE_WRAP) || defined(IOV_SHIM_EXERCISE)
+ NULL,
+#else
+ iakerb_gss_wrap,
+#endif
+#if defined(IOV_SHIM_EXERCISE_UNWRAP) || defined(IOV_SHIM_EXERCISE)
+ NULL,
+#else
+ iakerb_gss_unwrap,
+#endif
+ krb5_gss_display_status,
+ krb5_gss_indicate_mechs,
+ krb5_gss_compare_name,
+ krb5_gss_display_name,
+ krb5_gss_import_name,
+ krb5_gss_release_name,
+ krb5_gss_inquire_cred,
+ NULL, /* add_cred */
+#ifdef LEAN_CLIENT
+ NULL,
+ NULL,
+#else
+ iakerb_gss_export_sec_context,
+ NULL,
+#endif
+ krb5_gss_inquire_cred_by_mech,
+ krb5_gss_inquire_names_for_mech,
+ iakerb_gss_inquire_context,
+ krb5_gss_internal_release_oid,
+ iakerb_gss_wrap_size_limit,
+ krb5_gss_localname,
+ krb5_gss_authorize_localname,
+ krb5_gss_export_name,
+ krb5_gss_duplicate_name,
+ krb5_gss_store_cred,
+ iakerb_gss_inquire_sec_context_by_oid,
+ krb5_gss_inquire_cred_by_oid,
+ iakerb_gss_set_sec_context_option,
+ krb5_gssspi_set_cred_option,
+ krb5_gssspi_mech_invoke,
+ NULL, /* wrap_aead */
+ NULL, /* unwrap_aead */
+ iakerb_gss_wrap_iov,
+ iakerb_gss_unwrap_iov,
+ iakerb_gss_wrap_iov_length,
+ NULL, /* complete_auth_token */
+ NULL, /* acquire_cred_impersonate_name */
+ NULL, /* add_cred_impersonate_name */
+ NULL, /* display_name_ext */
+ krb5_gss_inquire_name,
+ krb5_gss_get_name_attribute,
+ krb5_gss_set_name_attribute,
+ krb5_gss_delete_name_attribute,
+ krb5_gss_export_name_composite,
+ krb5_gss_map_name_to_any,
+ krb5_gss_release_any_name_mapping,
+ iakerb_gss_pseudo_random,
+ NULL, /* set_neg_mechs */
+ krb5_gss_inquire_saslname_for_mech,
+ krb5_gss_inquire_mech_for_saslname,
+ krb5_gss_inquire_attrs_for_mech,
+ krb5_gss_acquire_cred_from,
+ krb5_gss_store_cred_into,
+ iakerb_gss_acquire_cred_with_password,
+ krb5_gss_export_cred,
+ krb5_gss_import_cred,
+ NULL, /* import_sec_context_by_mech */
+ NULL, /* import_name_by_mech */
+ NULL, /* import_cred_by_mech */
+ iakerb_gss_get_mic_iov,
+ iakerb_gss_verify_mic_iov,
+ iakerb_gss_get_mic_iov_length,
+};
+
#ifdef _GSS_STATIC_LINK
#include "mglueP.h"
static int gss_iakerbmechglue_init(void)
{
struct gss_mech_config mech_iakerb;
- struct gss_config iakerb_mechanism = krb5_mechanism;
-
- /* IAKERB mechanism mirrors krb5, but with different context SPIs */
- iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context;
- iakerb_mechanism.gss_init_sec_context = iakerb_gss_init_sec_context;
- iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context;
- iakerb_mechanism.gss_acquire_cred = iakerb_gss_acquire_cred;
- iakerb_mechanism.gssspi_acquire_cred_with_password
- = iakerb_gss_acquire_cred_with_password;
memset(&mech_iakerb, 0, sizeof(mech_iakerb));
mech_iakerb.mech = &iakerb_mechanism;
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index f30de32..4662bd9 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -47,6 +47,8 @@ struct _iakerb_ctx_id_rec {
gss_ctx_id_t gssc;
krb5_data conv; /* conversation for checksumming */
unsigned int count; /* number of round trips */
+ int initiate;
+ int established;
krb5_get_init_creds_opt *gic_opts;
};
@@ -695,7 +697,7 @@ cleanup:
* Allocate and initialise an IAKERB context
*/
static krb5_error_code
-iakerb_alloc_context(iakerb_ctx_id_t *pctx)
+iakerb_alloc_context(iakerb_ctx_id_t *pctx, int initiate)
{
iakerb_ctx_id_t ctx;
krb5_error_code code;
@@ -709,6 +711,8 @@ iakerb_alloc_context(iakerb_ctx_id_t *pctx)
ctx->magic = KG_IAKERB_CONTEXT;
ctx->state = IAKERB_AS_REQ;
ctx->count = 0;
+ ctx->initiate = initiate;
+ ctx->established = 0;
code = krb5_gss_init_context(&ctx->k5c);
if (code != 0)
@@ -732,7 +736,7 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t output_token)
{
- OM_uint32 major_status = GSS_S_COMPLETE;
+ iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle;
if (output_token != GSS_C_NO_BUFFER) {
output_token->length = 0;
@@ -740,23 +744,10 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
}
*minor_status = 0;
+ *context_handle = GSS_C_NO_CONTEXT;
+ iakerb_release_context(iakerb_ctx);
- if (*context_handle != GSS_C_NO_CONTEXT) {
- iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle;
-
- if (iakerb_ctx->magic == KG_IAKERB_CONTEXT) {
- iakerb_release_context(iakerb_ctx);
- *context_handle = GSS_C_NO_CONTEXT;
- } else {
- assert(iakerb_ctx->magic == KG_CONTEXT);
-
- major_status = krb5_gss_delete_sec_context(minor_status,
- context_handle,
- output_token);
- }
- }
-
- return major_status;
+ return GSS_S_COMPLETE;
}
static krb5_boolean
@@ -802,7 +793,7 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
if (initialContextToken) {
- code = iakerb_alloc_context(&ctx);
+ code = iakerb_alloc_context(&ctx, 0);
if (code != 0)
goto cleanup;
@@ -854,11 +845,8 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
time_rec,
delegated_cred_handle,
&exts);
- if (major_status == GSS_S_COMPLETE) {
- *context_handle = ctx->gssc;
- ctx->gssc = NULL;
- iakerb_release_context(ctx);
- }
+ if (major_status == GSS_S_COMPLETE)
+ ctx->established = 1;
if (mech_type != NULL)
*mech_type = (gss_OID)gss_mech_krb5;
}
@@ -897,7 +885,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
if (initialContextToken) {
- code = iakerb_alloc_context(&ctx);
+ code = iakerb_alloc_context(&ctx, 1);
if (code != 0) {
*minor_status = code;
goto cleanup;
@@ -983,11 +971,8 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
ret_flags,
time_rec,
&exts);
- if (major_status == GSS_S_COMPLETE) {
- *context_handle = ctx->gssc;
- ctx->gssc = GSS_C_NO_CONTEXT;
- iakerb_release_context(ctx);
- }
+ if (major_status == GSS_S_COMPLETE)
+ ctx->established = 1;
if (actual_mech_type != NULL)
*actual_mech_type = (gss_OID)gss_mech_krb5;
} else {
@@ -1010,3 +995,309 @@ cleanup:
return major_status;
}
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ gss_buffer_t input_message_buffer,
+ gss_buffer_t output_message_buffer, int *conf_state,
+ gss_qop_t *qop_state)
+{
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
+
+ return krb5_gss_unwrap(minor_status, ctx->gssc, input_message_buffer,
+ output_message_buffer, conf_state, qop_state);
+}
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ int conf_req_flag, gss_qop_t qop_req,
+ gss_buffer_t input_message_buffer, int *conf_state,
+ gss_buffer_t output_message_buffer)
+{
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
+
+ return krb5_gss_wrap(minor_status, ctx->gssc, conf_req_flag, qop_req,
+ input_message_buffer, conf_state,
+ output_message_buffer);
+}
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_process_context_token(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t token_buffer)
+{
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_DEFECTIVE_TOKEN;
+
+ return krb5_gss_process_context_token(minor_status, ctx->gssc,
+ token_buffer);
+}
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ OM_uint32 *time_rec)
+{
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
+
+ return krb5_gss_context_time(minor_status, ctx->gssc, time_rec);
+}
+
+#ifndef LEAN_CLIENT
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ gss_buffer_t interprocess_token)
+{
+ OM_uint32 maj;
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ /* We don't currently support exporting partially established contexts. */
+ if (!ctx->established)
+ return GSS_S_UNAVAILABLE;
+
+ maj = krb5_gss_export_sec_context(minor_status, &ctx->gssc,
+ interprocess_token);
+ if (ctx->gssc == GSS_C_NO_CONTEXT) {
+ iakerb_release_context(ctx);
+ *context_handle = GSS_C_NO_CONTEXT;
+ }
+ return maj;
+}
+
+/*
+ * Until we implement partial context exports, there are no SPNEGO exported
+ * context tokens, only tokens for the underlying krb5 context. So we do not
+ * need to implement an iakerb_gss_import_sec_context() yet; it would be
+ * unreachable except via a manually constructed token.
+ */
+
+#endif /* LEAN_CLIENT */
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_inquire_context(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle, gss_name_t *src_name,
+ gss_name_t *targ_name, OM_uint32 *lifetime_rec,
+ gss_OID *mech_type, OM_uint32 *ctx_flags,
+ int *initiate, int *opened)
+{
+ OM_uint32 ret;
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ if (src_name != NULL)
+ *src_name = GSS_C_NO_NAME;
+ if (targ_name != NULL)
+ *targ_name = GSS_C_NO_NAME;
+ if (lifetime_rec != NULL)
+ *lifetime_rec = 0;
+ if (mech_type != NULL)
+ *mech_type = (gss_OID)gss_mech_iakerb;
+ if (ctx_flags != NULL)
+ *ctx_flags = 0;
+ if (initiate != NULL)
+ *initiate = ctx->initiate;
+ if (opened != NULL)
+ *opened = ctx->established;
+
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_COMPLETE;
+
+ ret = krb5_gss_inquire_context(minor_status, ctx->gssc, src_name,
+ targ_name, lifetime_rec, mech_type,
+ ctx_flags, initiate, opened);
+
+ if (!ctx->established) {
+ /* Report IAKERB as the mech OID until the context is established. */
+ if (mech_type != NULL)
+ *mech_type = (gss_OID)gss_mech_iakerb;
+
+ /* We don't support exporting partially-established contexts. */
+ if (ctx_flags != NULL)
+ *ctx_flags &= ~GSS_C_TRANS_FLAG;
+ }
+
+ return ret;
+}
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle, int conf_req_flag,
+ gss_qop_t qop_req, OM_uint32 req_output_size,
+ OM_uint32 *max_input_size)
+{
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
+
+ return krb5_gss_wrap_size_limit(minor_status, ctx->gssc, conf_req_flag,
+ qop_req, req_output_size, max_input_size);
+}
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ gss_qop_t qop_req, gss_buffer_t message_buffer,
+ gss_buffer_t message_token)
+{
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
+
+ return krb5_gss_get_mic(minor_status, ctx->gssc, qop_req, message_buffer,
+ message_token);
+}
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
+ gss_qop_t *qop_state)
+{
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
+
+ return krb5_gss_verify_mic(minor_status, ctx->gssc, msg_buffer,
+ token_buffer, qop_state);
+}
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set)
+{
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_UNAVAILABLE;
+
+ return krb5_gss_inquire_sec_context_by_oid(minor_status, ctx->gssc,
+ desired_object, data_set);
+}
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ const gss_OID desired_object,
+ const gss_buffer_t value)
+{
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
+
+ if (ctx == NULL || ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_UNAVAILABLE;
+
+ return krb5_gss_set_sec_context_option(minor_status, &ctx->gssc,
+ desired_object, value);
+}
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ int conf_req_flag, gss_qop_t qop_req, int *conf_state,
+ gss_iov_buffer_desc *iov, int iov_count)
+{
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
+
+ return krb5_gss_wrap_iov(minor_status, ctx->gssc, conf_req_flag, qop_req,
+ conf_state, iov, iov_count);
+}
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ int *conf_state, gss_qop_t *qop_state,
+ gss_iov_buffer_desc *iov, int iov_count)
+{
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
+
+ return krb5_gss_unwrap_iov(minor_status, ctx->gssc, conf_state, qop_state,
+ iov, iov_count);
+}
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle, int conf_req_flag,
+ gss_qop_t qop_req, int *conf_state,
+ gss_iov_buffer_desc *iov, int iov_count)
+{
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
+
+ return krb5_gss_wrap_iov_length(minor_status, ctx->gssc, conf_req_flag,
+ qop_req, conf_state, iov, iov_count);
+}
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ int prf_key, const gss_buffer_t prf_in,
+ ssize_t desired_output_len, gss_buffer_t prf_out)
+{
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
+
+ return krb5_gss_pseudo_random(minor_status, ctx->gssc, prf_key, prf_in,
+ desired_output_len, prf_out);
+}
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ gss_qop_t qop_req, gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
+
+ return krb5_gss_get_mic_iov(minor_status, ctx->gssc, qop_req, iov,
+ iov_count);
+}
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
+
+ return krb5_gss_verify_mic_iov(minor_status, ctx->gssc, qop_state, iov,
+ iov_count);
+}
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle, gss_qop_t qop_req,
+ gss_iov_buffer_desc *iov, int iov_count)
+{
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+
+ if (ctx->gssc == GSS_C_NO_CONTEXT)
+ return GSS_S_NO_CONTEXT;
+
+ return krb5_gss_get_mic_iov_length(minor_status, ctx->gssc, qop_req, iov,
+ iov_count);
+}
--
2.6.1

View File

@ -1,53 +0,0 @@
From f0c094a1b745d91ef2f9a4eae2149aac026a5789 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 25 Sep 2015 12:51:47 -0400
Subject: [PATCH] Fix build_principal memory bug [CVE-2015-2697]
In build_principal_va(), use k5memdup0() instead of strdup() to make a
copy of the realm, to ensure that we allocate the correct number of
bytes and do not read past the end of the input string. This bug
affects krb5_build_principal(), krb5_build_principal_va(), and
krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
affected.
CVE-2015-2697:
In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte. If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm. Due to a bug in this
function, the null byte causes only one byte be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash.
CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
ticket: 8252 (new)
target_version: 1.14
tags: pullup
---
src/lib/krb5/krb/bld_princ.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
index ab6fed8..8604268 100644
--- a/src/lib/krb5/krb/bld_princ.c
+++ b/src/lib/krb5/krb/bld_princ.c
@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
data = malloc(size * sizeof(krb5_data));
if (!data) { retval = ENOMEM; }
- if (!retval) {
- r = strdup(realm);
- if (!r) { retval = ENOMEM; }
- }
+ if (!retval)
+ r = k5memdup0(realm, rlen, &retval);
while (!retval && (component = va_arg(ap, char *))) {
if (count == size) {
--
2.6.1

View File

@ -1,148 +0,0 @@
Modified version of the patch to 1.14 that are missing test suite
pieces. Also backports a random comment fixup we needed from master.
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 05dc321..ac53662 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV
iakerb_gss_export_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t interprocess_token);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
+ const gss_buffer_t interprocess_token,
+ gss_ctx_id_t *context_handle);
#endif /* LEAN_CLIENT */
OM_uint32 KRB5_CALLCONV
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index 9a23656..d7ba279 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = {
NULL,
#else
iakerb_gss_export_sec_context,
- NULL,
+ iakerb_gss_import_sec_context,
#endif
krb5_gss_inquire_cred_by_mech,
krb5_gss_inquire_names_for_mech,
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index 4662bd9..32a341e 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -727,10 +727,6 @@ cleanup:
return code;
}
-/*
- * Delete an IAKERB context. This can also accept Kerberos context
- * handles. The heuristic is similar to SPNEGO's delete_sec_context.
- */
OM_uint32 KRB5_CALLCONV
iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
@@ -1061,7 +1057,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
gss_buffer_t interprocess_token)
{
OM_uint32 maj;
- iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
/* We don't currently support exporting partially established contexts. */
if (!ctx->established)
@@ -1076,13 +1072,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
return maj;
}
-/*
- * Until we implement partial context exports, there are no SPNEGO exported
- * context tokens, only tokens for the underlying krb5 context. So we do not
- * need to implement an iakerb_gss_import_sec_context() yet; it would be
- * unreachable except via a manually constructed token.
- */
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
+ gss_buffer_t interprocess_token,
+ gss_ctx_id_t *context_handle)
+{
+ OM_uint32 maj, tmpmin;
+ krb5_error_code code;
+ gss_ctx_id_t gssc;
+ krb5_gss_ctx_id_t kctx;
+ iakerb_ctx_id_t ctx;
+ maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc);
+ if (maj != GSS_S_COMPLETE)
+ return maj;
+ kctx = (krb5_gss_ctx_id_t)gssc;
+
+ if (!kctx->established) {
+ /* We don't currently support importing partially established
+ * contexts. */
+ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
+ return GSS_S_FAILURE;
+ }
+
+ code = iakerb_alloc_context(&ctx, kctx->initiate);
+ if (code != 0) {
+ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+
+ ctx->gssc = gssc;
+ ctx->established = 1;
+ *context_handle = (gss_ctx_id_t)ctx;
+ return GSS_S_COMPLETE;
+}
#endif /* LEAN_CLIENT */
OM_uint32 KRB5_CALLCONV
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 3423f22..ec38eea 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -2253,12 +2253,33 @@ spnego_gss_import_sec_context(
const gss_buffer_t interprocess_token,
gss_ctx_id_t *context_handle)
{
- /*
- * Until we implement partial context exports, there are no SPNEGO
- * exported context tokens, only tokens for underlying mechs. So just
- * return an error for now.
- */
- return GSS_S_UNAVAILABLE;
+ OM_uint32 ret, tmpmin;
+ gss_ctx_id_t mctx;
+ spnego_gss_ctx_id_t sc;
+ int initiate, opened;
+
+ ret = gss_import_sec_context(minor_status, interprocess_token, &mctx);
+ if (ret != GSS_S_COMPLETE)
+ return ret;
+
+ ret = gss_inquire_context(&tmpmin, mctx, NULL, NULL, NULL, NULL, NULL,
+ &initiate, &opened);
+ if (ret != GSS_S_COMPLETE || !opened) {
+ /* We don't currently support importing partially established
+ * contexts. */
+ (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
+ return GSS_S_FAILURE;
+ }
+
+ sc = create_spnego_ctx(initiate);
+ if (sc == NULL) {
+ (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
+ return GSS_S_FAILURE;
+ }
+ sc->ctx_handle = mctx;
+ sc->opened = 1;
+ *context_handle = (gss_ctx_id_t)sc;
+ return GSS_S_COMPLETE;
}
#endif /* LEAN_CLIENT */

View File

@ -1,96 +0,0 @@
#
# krb5-tests_use_libs_from_build.patch - patch to ensure the tests
# in the upstream sources use the libraries from the local tree
# and not those from the underlying build system.
3
# Originally repoted as RedHat Bug #1164304 ("Upstream unit tests loads
# the installed shared libraries instead the ones from the build")
#
#
# Description of problem:
# krb5-1.12.2/src/lib/kadm5/unit-test fails (segfaults) when
# krb5-pkinit is installed on the sysytem.
# Monitoring via audit showed that unit tests from this directory
# loads pkinit.so from the installed package and not the one that
# was built.
# On top of that, monitoring showed that libs from the installed
# krb5-libs (whatever version installed) are loaded too.
# This questions the effectiveness of upstream testing.
#
# Version-Release number of selected component (if applicable):
# krb5-libs-1.12.2-8.el7
#
# How reproducible:
# always
#
# Steps to Reproduce:
#
# # rpm -qa krb5\*
# krb5-devel-1.11.3-49.el7.ppc64
# krb5-libs-1.11.3-49.el7.ppc64
# krb5-pkinit-1.11.3-49.el7.ppc64
# #
# # rpm -ivh krb5-1.12.2-8.el7.src.rpm
# ... snip ...
# # rpmbuild -bc ~/rpmbuild/SPECS/krb5.spec
# ... snip ...
# #
# # cd ~/rpmbuild/BUILD/krb5-1.12.2/src/
# # make runenv.py
# LD_LIBRARY_PATH=`echo -L./lib | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH; \
# for i in LD_LIBRARY_PATH; do \
# eval echo 'env['\\\'$i\\\''] = '\\\'\$$i\\\'; \
# done > pyrunenv.vals
# echo "proxy_tls_impl = 'openssl'" >> pyrunenv.vals
# echo 'env = {}' > runenv.py
# cat pyrunenv.vals >> runenv.py
# # cd lib/kadm5/unit-test/
# # make check
# .. snip ...
# KINIT=../../../clients/kinit/kinit \
# KDESTROY=../../../clients/kdestroy/kdestroy \
# KADMIN_LOCAL=../../../kadmin/cli/kadmin.local \
# PRIOCNTL_HACK=0 VALGRIND="" \
#
# WARNING: Couldn't find the global config file.
# WARNING: Couldn't find tool init file
# Test Run By root on Fri Nov 14 10:30:35 2014
# Native configuration is powerpc64-redhat-linux-gnu
#
# === api tests ===
#
# Schedule of variations:
# unix
#
# Running target unix
# Using /usr/share/dejagnu/baseboards/unix.exp as board description file for target.
# Using /usr/share/dejagnu/config/unix.exp as generic interface file for target.
# Using ./config/unix.exp as tool-and-target-specific interface file.
# Running ./api.2/crte-policy.exp ...
# FAIL: create-policy 1: eof
# ERROR: create-policy 1: unexpected failure in init
# ERROR: create-policy 2: unexpected failure in init
# ERROR: create-policy 3: unexpected failure in init
#
diff -ur krb5/src/kadmin/testing/proto/krb5.conf.proto krb5/src/kadmin/testing/proto/krb5.conf.proto
--- krb5/src/kadmin/testing/proto/krb5.conf.proto 2014-11-14 10:16:22.106948323 -0500
+++ krb5/src/kadmin/testing/proto/krb5.conf.proto 2014-11-14 10:14:16.955948323 -0500
@@ -2,6 +2,7 @@
default_realm = __REALM__
default_keytab_name = FILE:__K5ROOT__/v5srvtab
dns_fallback = no
+ plugin_base_dir = __PLUGIN_DIR__
[realms]
__REALM__ = {
diff -ur krb5/src/kadmin/testing/scripts/start_servers krb5/src/kadmin/testing/scripts/start_servers
--- krb5/src/kadmin/testing/scripts/start_servers 2014-08-11 18:46:27.000000000 -0400
+++ krb5/src/kadmin/testing/scripts/start_servers 2014-11-14 10:14:56.409948323 -0500
@@ -40,6 +40,7 @@
-e "s/__KDCHOST__/$hostname/g" \
-e "s/__LOCALHOST__/$localname/g" \
-e "s#__MODDIR__#$TOP/../plugins/kdb#g"\
+ -e "s#__PLUGIN_DIR__#$TOP/../plugins#g"\
< $STESTDIR/proto/krb5.conf.proto > $K5ROOT/krb5.conf
# Using /usr/ucb/rsh and getting rid of "-k $REALM" until we get

View File

@ -38,12 +38,12 @@
%global configured_default_ccache_name KEYRING:persistent:%%{uid}
%endif
%global prerelease -beta1
%global prerelease -beta2
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.14
Release: 7%{?dist}
Release: 8%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@ -86,14 +86,8 @@ Patch71: krb5-1.13-dirsrv-accountlock.patch
Patch86: krb5-1.9-debuginfo.patch
Patch129: krb5-1.11-run_user_0.patch
Patch134: krb5-1.11-kpasswdtest.patch
Patch143: krb5-tests_use_libs_from_build.patch
Patch146: krb5-1.14-no_system_krb5_conf.patch
Patch148: krb5-disable_ofd_locks.patch
Patch149: krb5-1.14-pwsize_initialize.patch
Patch150: krb5-CVE-2015-2695-SPNEGO_aliasing.patch
Patch151: krb5-CVE-2015-2696-IAKERB_aliasing.patch
Patch152: krb5-CVE-2015-2697-build_principal_memory.patch
Patch153: krb5-CVE-2015-2698-fix_iakerb_spnego.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -276,16 +270,9 @@ ln NOTICE LICENSE
%patch134 -p1 -b .kpasswdtest
%patch143 -p1 -b .krb5-tests_use_libs_from_build
%patch146 -p1 -b .no_system_krb5_conf
%patch148 -p1 -b .disable_ofd_locks
%patch149 -p1 -b .pwsize_initialize
%patch150 -p1 -b .CVE-2015-2695-SPNEGO_aliasing
%patch151 -p1 -b .CVE-2015-2696-IAKERB_aliasing
%patch152 -p1 -b .CVE-2015-2697-build_principal_memory
%patch153 -p1 -b .CVE-2015-2698-fix_iakerb_spnego
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -900,6 +887,9 @@ exit 0
%changelog
* Mon Nov 16 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-beta2-8
- New upstream beta version
* Wed Nov 04 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-beta1-7
- Patch CVE-2015-2698

View File

@ -1,3 +1,3 @@
59b5f990857356285a869060f13b904b krb5-1.14-beta1-pdfs.tar
17d4fd5136ca39579f54860d4e21eeea krb5-1.14-beta1.tar.gz
be9d1d40f589a1a2afcb1a285a030c73 krb5-1.14-beta1.tar.gz.asc
8c0876e0d034341b73947771a468ea97 krb5-1.14-beta2.tar.gz.asc
85b27f3ebb0e4c24959a7b67e3c5bb51 krb5-1.14-beta2.tar.gz
b51379533c1d0b1bf008c3c1f082872e krb5-1.14-beta2-pdfs.tar