Fix string RPC ACLs (RT#7093); CVE-2012-1012
This commit is contained in:
parent
1b8eb90a4f
commit
b44189a932
61
krb5-1.10-string-rpc-acl-fix.patch
Normal file
61
krb5-1.10-string-rpc-acl-fix.patch
Normal file
@ -0,0 +1,61 @@
|
||||
From 725b97bfba7067907a5fc534c21349c0d28bf6b8 Mon Sep 17 00:00:00 2001
|
||||
From: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
|
||||
Date: Tue, 21 Feb 2012 19:14:47 +0000
|
||||
Subject: [PATCH] ticket: 7093 subject: Access controls for string RPCs
|
||||
[CVE-2012-1012] target_version: 1.10.1 tags: pullup
|
||||
|
||||
In the kadmin protocol, make the access controls for
|
||||
get_strings/set_string mirror those of get_principal/modify_principal.
|
||||
Previously, anyone with global list privileges could get or modify
|
||||
string attributes on any principal. The impact of this depends on how
|
||||
generous the kadmind acl is with list permission and whether string
|
||||
attributes are used in a deployment (nothing in the core code uses
|
||||
them yet).
|
||||
|
||||
CVSSv2 vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:O/RC:C
|
||||
|
||||
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25704 dc483132-0cff-0310-8789-dd5450dbe970
|
||||
---
|
||||
src/kadmin/server/server_stubs.c | 19 +++++++++++--------
|
||||
1 files changed, 11 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
|
||||
index 8dbe756..0de627f 100644
|
||||
--- a/src/kadmin/server/server_stubs.c
|
||||
+++ b/src/kadmin/server/server_stubs.c
|
||||
@@ -1634,10 +1634,13 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
|
||||
goto exit_func;
|
||||
}
|
||||
|
||||
- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
|
||||
- rqst2name(rqstp),
|
||||
- ACL_LIST, NULL, NULL)) {
|
||||
- ret.code = KADM5_AUTH_LIST;
|
||||
+ if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) &&
|
||||
+ (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
|
||||
+ rqst2name(rqstp),
|
||||
+ ACL_INQUIRE,
|
||||
+ arg->princ,
|
||||
+ NULL))) {
|
||||
+ ret.code = KADM5_AUTH_GET;
|
||||
log_unauth("kadm5_get_strings", prime_arg,
|
||||
&client_name, &service_name, rqstp);
|
||||
} else {
|
||||
@@ -1690,10 +1693,10 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
|
||||
goto exit_func;
|
||||
}
|
||||
|
||||
- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
|
||||
- rqst2name(rqstp),
|
||||
- ACL_LIST, NULL, NULL)) {
|
||||
- ret.code = KADM5_AUTH_LIST;
|
||||
+ if (CHANGEPW_SERVICE(rqstp)
|
||||
+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
|
||||
+ arg->princ, NULL)) {
|
||||
+ ret.code = KADM5_AUTH_MODIFY;
|
||||
log_unauth("kadm5_mod_strings", prime_arg,
|
||||
&client_name, &service_name, rqstp);
|
||||
} else {
|
||||
--
|
||||
1.7.7.6
|
||||
|
@ -15,7 +15,7 @@
|
||||
Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.10
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-signed.tar
|
||||
Source0: krb5-%{version}.tar.gz
|
||||
@ -64,6 +64,7 @@ Patch103: krb5-1.10-gcc47.patch
|
||||
Patch104: krb5-1.10-crashfix.patch
|
||||
Patch105: krb5-kvno-230379.patch
|
||||
Patch106: krb5-1.10-lookaside.patch
|
||||
Patch107: krb5-1.10-string-rpc-acl-fix.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -236,6 +237,7 @@ ln -s NOTICE LICENSE
|
||||
%patch104 -p1 -b .crashfix
|
||||
%patch105 -p1 -b .kvno
|
||||
%patch106 -p1 -b .7082
|
||||
%patch107 -p1 -b .7093
|
||||
rm src/lib/krb5/krb/deltat.c
|
||||
|
||||
gzip doc/*.ps
|
||||
@ -747,6 +749,9 @@ exit 0
|
||||
%{_sbindir}/uuserver
|
||||
|
||||
%changelog
|
||||
* Tue Feb 21 2012 Nathaniel McCallum <nathaniel@natemccallum.com> - 1.10-4
|
||||
- Fix string RPC ACLs (RT#7093); CVE-2012-1012
|
||||
|
||||
* Tue Jan 31 2012 Nathaniel McCallum <nathaniel@natemccallum.com> - 1.10-3
|
||||
- Add upstream lookaside cache behavior fix (RT#7082)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user