Patch CVE-2015-2698
This commit is contained in:
parent
def8c582bb
commit
b81fddfea1
148
krb5-CVE-2015-2698-fix_iakerb_spnego.patch
Normal file
148
krb5-CVE-2015-2698-fix_iakerb_spnego.patch
Normal file
@ -0,0 +1,148 @@
|
||||
Modified version of the patch to 1.14 that are missing test suite
|
||||
pieces. Also backports a random comment fixup we needed from master.
|
||||
|
||||
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||
index 05dc321..ac53662 100644
|
||||
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||
@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV
|
||||
iakerb_gss_export_sec_context(OM_uint32 *minor_status,
|
||||
gss_ctx_id_t *context_handle,
|
||||
gss_buffer_t interprocess_token);
|
||||
+
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
|
||||
+ const gss_buffer_t interprocess_token,
|
||||
+ gss_ctx_id_t *context_handle);
|
||||
#endif /* LEAN_CLIENT */
|
||||
|
||||
OM_uint32 KRB5_CALLCONV
|
||||
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
|
||||
index 9a23656..d7ba279 100644
|
||||
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
|
||||
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
|
||||
@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = {
|
||||
NULL,
|
||||
#else
|
||||
iakerb_gss_export_sec_context,
|
||||
- NULL,
|
||||
+ iakerb_gss_import_sec_context,
|
||||
#endif
|
||||
krb5_gss_inquire_cred_by_mech,
|
||||
krb5_gss_inquire_names_for_mech,
|
||||
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
|
||||
index 4662bd9..32a341e 100644
|
||||
--- a/src/lib/gssapi/krb5/iakerb.c
|
||||
+++ b/src/lib/gssapi/krb5/iakerb.c
|
||||
@@ -727,10 +727,6 @@ cleanup:
|
||||
return code;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * Delete an IAKERB context. This can also accept Kerberos context
|
||||
- * handles. The heuristic is similar to SPNEGO's delete_sec_context.
|
||||
- */
|
||||
OM_uint32 KRB5_CALLCONV
|
||||
iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
|
||||
gss_ctx_id_t *context_handle,
|
||||
@@ -1061,7 +1057,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
|
||||
gss_buffer_t interprocess_token)
|
||||
{
|
||||
OM_uint32 maj;
|
||||
- iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
|
||||
+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
|
||||
|
||||
/* We don't currently support exporting partially established contexts. */
|
||||
if (!ctx->established)
|
||||
@@ -1076,13 +1072,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
|
||||
return maj;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * Until we implement partial context exports, there are no SPNEGO exported
|
||||
- * context tokens, only tokens for the underlying krb5 context. So we do not
|
||||
- * need to implement an iakerb_gss_import_sec_context() yet; it would be
|
||||
- * unreachable except via a manually constructed token.
|
||||
- */
|
||||
+OM_uint32 KRB5_CALLCONV
|
||||
+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
|
||||
+ gss_buffer_t interprocess_token,
|
||||
+ gss_ctx_id_t *context_handle)
|
||||
+{
|
||||
+ OM_uint32 maj, tmpmin;
|
||||
+ krb5_error_code code;
|
||||
+ gss_ctx_id_t gssc;
|
||||
+ krb5_gss_ctx_id_t kctx;
|
||||
+ iakerb_ctx_id_t ctx;
|
||||
|
||||
+ maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc);
|
||||
+ if (maj != GSS_S_COMPLETE)
|
||||
+ return maj;
|
||||
+ kctx = (krb5_gss_ctx_id_t)gssc;
|
||||
+
|
||||
+ if (!kctx->established) {
|
||||
+ /* We don't currently support importing partially established
|
||||
+ * contexts. */
|
||||
+ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
|
||||
+ return GSS_S_FAILURE;
|
||||
+ }
|
||||
+
|
||||
+ code = iakerb_alloc_context(&ctx, kctx->initiate);
|
||||
+ if (code != 0) {
|
||||
+ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
|
||||
+ *minor_status = code;
|
||||
+ return GSS_S_FAILURE;
|
||||
+ }
|
||||
+
|
||||
+ ctx->gssc = gssc;
|
||||
+ ctx->established = 1;
|
||||
+ *context_handle = (gss_ctx_id_t)ctx;
|
||||
+ return GSS_S_COMPLETE;
|
||||
+}
|
||||
#endif /* LEAN_CLIENT */
|
||||
|
||||
OM_uint32 KRB5_CALLCONV
|
||||
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
index 3423f22..ec38eea 100644
|
||||
--- a/src/lib/gssapi/spnego/spnego_mech.c
|
||||
+++ b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
@@ -2253,12 +2253,33 @@ spnego_gss_import_sec_context(
|
||||
const gss_buffer_t interprocess_token,
|
||||
gss_ctx_id_t *context_handle)
|
||||
{
|
||||
- /*
|
||||
- * Until we implement partial context exports, there are no SPNEGO
|
||||
- * exported context tokens, only tokens for underlying mechs. So just
|
||||
- * return an error for now.
|
||||
- */
|
||||
- return GSS_S_UNAVAILABLE;
|
||||
+ OM_uint32 ret, tmpmin;
|
||||
+ gss_ctx_id_t mctx;
|
||||
+ spnego_gss_ctx_id_t sc;
|
||||
+ int initiate, opened;
|
||||
+
|
||||
+ ret = gss_import_sec_context(minor_status, interprocess_token, &mctx);
|
||||
+ if (ret != GSS_S_COMPLETE)
|
||||
+ return ret;
|
||||
+
|
||||
+ ret = gss_inquire_context(&tmpmin, mctx, NULL, NULL, NULL, NULL, NULL,
|
||||
+ &initiate, &opened);
|
||||
+ if (ret != GSS_S_COMPLETE || !opened) {
|
||||
+ /* We don't currently support importing partially established
|
||||
+ * contexts. */
|
||||
+ (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
|
||||
+ return GSS_S_FAILURE;
|
||||
+ }
|
||||
+
|
||||
+ sc = create_spnego_ctx(initiate);
|
||||
+ if (sc == NULL) {
|
||||
+ (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
|
||||
+ return GSS_S_FAILURE;
|
||||
+ }
|
||||
+ sc->ctx_handle = mctx;
|
||||
+ sc->opened = 1;
|
||||
+ *context_handle = (gss_ctx_id_t)sc;
|
||||
+ return GSS_S_COMPLETE;
|
||||
}
|
||||
#endif /* LEAN_CLIENT */
|
||||
|
@ -43,7 +43,7 @@
|
||||
Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.14
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
|
||||
# - The sources below are stored in a lookaside cache. Upload with
|
||||
@ -93,6 +93,7 @@ Patch149: krb5-1.14-pwsize_initialize.patch
|
||||
Patch150: krb5-CVE-2015-2695-SPNEGO_aliasing.patch
|
||||
Patch151: krb5-CVE-2015-2696-IAKERB_aliasing.patch
|
||||
Patch152: krb5-CVE-2015-2697-build_principal_memory.patch
|
||||
Patch153: krb5-CVE-2015-2698-fix_iakerb_spnego.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -283,6 +284,7 @@ ln NOTICE LICENSE
|
||||
%patch150 -p1 -b .CVE-2015-2695-SPNEGO_aliasing
|
||||
%patch151 -p1 -b .CVE-2015-2696-IAKERB_aliasing
|
||||
%patch152 -p1 -b .CVE-2015-2697-build_principal_memory
|
||||
%patch153 -p1 -b .CVE-2015-2698-fix_iakerb_spnego
|
||||
|
||||
# Take the execute bit off of documentation.
|
||||
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
|
||||
@ -898,6 +900,9 @@ exit 0
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Nov 04 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-beta1-7
|
||||
- Patch CVE-2015-2698
|
||||
|
||||
* Tue Oct 27 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-beta1-6
|
||||
- Patch CVE-2015-2697, CVE-2015-2696, CVE-2015-2695
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user