- incorporate fixes for MITKRB5-SA-2007-004 and MITKRB5-SA-2007-005
This commit is contained in:
parent
196ea67f06
commit
cd3f50fb19
86
2007-004-patch.txt
Normal file
86
2007-004-patch.txt
Normal file
@ -0,0 +1,86 @@
|
||||
*** src/lib/rpc/svc_auth_gssapi.c (revision 20015)
|
||||
--- src/lib/rpc/svc_auth_gssapi.c (local)
|
||||
***************
|
||||
*** 149,154 ****
|
||||
--- 149,156 ----
|
||||
rqst->rq_xprt->xp_auth = &svc_auth_none;
|
||||
|
||||
memset((char *) &call_res, 0, sizeof(call_res));
|
||||
+ creds.client_handle.length = 0;
|
||||
+ creds.client_handle.value = NULL;
|
||||
|
||||
cred = &msg->rm_call.cb_cred;
|
||||
verf = &msg->rm_call.cb_verf;
|
||||
*** src/lib/rpc/svc_auth_unix.c (revision 20015)
|
||||
--- src/lib/rpc/svc_auth_unix.c (local)
|
||||
***************
|
||||
*** 64,71 ****
|
||||
char area_machname[MAX_MACHINE_NAME+1];
|
||||
int area_gids[NGRPS];
|
||||
} *area;
|
||||
! u_int auth_len;
|
||||
! int str_len, gid_len;
|
||||
register int i;
|
||||
|
||||
rqst->rq_xprt->xp_auth = &svc_auth_none;
|
||||
--- 64,70 ----
|
||||
char area_machname[MAX_MACHINE_NAME+1];
|
||||
int area_gids[NGRPS];
|
||||
} *area;
|
||||
! u_int auth_len, str_len, gid_len;
|
||||
register int i;
|
||||
|
||||
rqst->rq_xprt->xp_auth = &svc_auth_none;
|
||||
***************
|
||||
*** 74,80 ****
|
||||
aup = &area->area_aup;
|
||||
aup->aup_machname = area->area_machname;
|
||||
aup->aup_gids = area->area_gids;
|
||||
! auth_len = (u_int)msg->rm_call.cb_cred.oa_length;
|
||||
xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE);
|
||||
buf = XDR_INLINE(&xdrs, (int)auth_len);
|
||||
if (buf != NULL) {
|
||||
--- 73,81 ----
|
||||
aup = &area->area_aup;
|
||||
aup->aup_machname = area->area_machname;
|
||||
aup->aup_gids = area->area_gids;
|
||||
! auth_len = msg->rm_call.cb_cred.oa_length;
|
||||
! if (auth_len > INT_MAX)
|
||||
! return AUTH_BADCRED;
|
||||
xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE);
|
||||
buf = XDR_INLINE(&xdrs, (int)auth_len);
|
||||
if (buf != NULL) {
|
||||
***************
|
||||
*** 84,90 ****
|
||||
stat = AUTH_BADCRED;
|
||||
goto done;
|
||||
}
|
||||
! memmove(aup->aup_machname, (caddr_t)buf, (u_int)str_len);
|
||||
aup->aup_machname[str_len] = 0;
|
||||
str_len = RNDUP(str_len);
|
||||
buf += str_len / BYTES_PER_XDR_UNIT;
|
||||
--- 85,91 ----
|
||||
stat = AUTH_BADCRED;
|
||||
goto done;
|
||||
}
|
||||
! memmove(aup->aup_machname, buf, str_len);
|
||||
aup->aup_machname[str_len] = 0;
|
||||
str_len = RNDUP(str_len);
|
||||
buf += str_len / BYTES_PER_XDR_UNIT;
|
||||
***************
|
||||
*** 104,110 ****
|
||||
* timestamp, hostname len (0), uid, gid, and gids len (0).
|
||||
*/
|
||||
if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) {
|
||||
! (void) printf("bad auth_len gid %d str %d auth %d\n",
|
||||
gid_len, str_len, auth_len);
|
||||
stat = AUTH_BADCRED;
|
||||
goto done;
|
||||
--- 105,111 ----
|
||||
* timestamp, hostname len (0), uid, gid, and gids len (0).
|
||||
*/
|
||||
if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) {
|
||||
! (void) printf("bad auth_len gid %u str %u auth %u\n",
|
||||
gid_len, str_len, auth_len);
|
||||
stat = AUTH_BADCRED;
|
||||
goto done;
|
108
2007-005-patch.txt
Normal file
108
2007-005-patch.txt
Normal file
@ -0,0 +1,108 @@
|
||||
*** src/kadmin/server/server_stubs.c (revision 20024)
|
||||
--- src/kadmin/server/server_stubs.c (local)
|
||||
***************
|
||||
*** 545,557 ****
|
||||
static generic_ret ret;
|
||||
char *prime_arg1,
|
||||
*prime_arg2;
|
||||
- char prime_arg[BUFSIZ];
|
||||
gss_buffer_desc client_name,
|
||||
service_name;
|
||||
OM_uint32 minor_stat;
|
||||
kadm5_server_handle_t handle;
|
||||
restriction_t *rp;
|
||||
char *errmsg;
|
||||
|
||||
xdr_free(xdr_generic_ret, &ret);
|
||||
|
||||
--- 545,558 ----
|
||||
static generic_ret ret;
|
||||
char *prime_arg1,
|
||||
*prime_arg2;
|
||||
gss_buffer_desc client_name,
|
||||
service_name;
|
||||
OM_uint32 minor_stat;
|
||||
kadm5_server_handle_t handle;
|
||||
restriction_t *rp;
|
||||
char *errmsg;
|
||||
+ size_t tlen1, tlen2, clen, slen;
|
||||
+ char *tdots1, *tdots2, *cdots, *sdots;
|
||||
|
||||
xdr_free(xdr_generic_ret, &ret);
|
||||
|
||||
***************
|
||||
*** 572,578 ****
|
||||
ret.code = KADM5_BAD_PRINCIPAL;
|
||||
goto exit_func;
|
||||
}
|
||||
! sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
|
||||
|
||||
ret.code = KADM5_OK;
|
||||
if (! CHANGEPW_SERVICE(rqstp)) {
|
||||
--- 573,586 ----
|
||||
ret.code = KADM5_BAD_PRINCIPAL;
|
||||
goto exit_func;
|
||||
}
|
||||
! tlen1 = strlen(prime_arg1);
|
||||
! trunc_name(&tlen1, &tdots1);
|
||||
! tlen2 = strlen(prime_arg2);
|
||||
! trunc_name(&tlen2, &tdots2);
|
||||
! clen = client_name.length;
|
||||
! trunc_name(&clen, &cdots);
|
||||
! slen = service_name.length;
|
||||
! trunc_name(&slen, &sdots);
|
||||
|
||||
ret.code = KADM5_OK;
|
||||
if (! CHANGEPW_SERVICE(rqstp)) {
|
||||
***************
|
||||
*** 590,597 ****
|
||||
} else
|
||||
ret.code = KADM5_AUTH_INSUFFICIENT;
|
||||
if (ret.code != KADM5_OK) {
|
||||
! log_unauth("kadm5_rename_principal", prime_arg,
|
||||
! &client_name, &service_name, rqstp);
|
||||
} else {
|
||||
ret.code = kadm5_rename_principal((void *)handle, arg->src,
|
||||
arg->dest);
|
||||
--- 598,612 ----
|
||||
} else
|
||||
ret.code = KADM5_AUTH_INSUFFICIENT;
|
||||
if (ret.code != KADM5_OK) {
|
||||
! krb5_klog_syslog(LOG_NOTICE,
|
||||
! "Unauthorized request: kadm5_rename_principal, "
|
||||
! "%.*s%s to %.*s%s, "
|
||||
! "client=%.*s%s, service=%.*s%s, addr=%s",
|
||||
! tlen1, prime_arg1, tdots1,
|
||||
! tlen2, prime_arg2, tdots2,
|
||||
! clen, client_name.value, cdots,
|
||||
! slen, service_name.value, sdots,
|
||||
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
||||
} else {
|
||||
ret.code = kadm5_rename_principal((void *)handle, arg->src,
|
||||
arg->dest);
|
||||
***************
|
||||
*** 600,607 ****
|
||||
else
|
||||
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
||||
|
||||
! log_done("kadm5_rename_principal", prime_arg, errmsg,
|
||||
! &client_name, &service_name, rqstp);
|
||||
}
|
||||
free_server_handle(handle);
|
||||
free(prime_arg1);
|
||||
--- 615,629 ----
|
||||
else
|
||||
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
||||
|
||||
! krb5_klog_syslog(LOG_NOTICE,
|
||||
! "Request: kadm5_rename_principal, "
|
||||
! "%.*s%s to %.*s%s, %s, "
|
||||
! "client=%.*s%s, service=%.*s%s, addr=%s",
|
||||
! tlen1, prime_arg1, tdots1,
|
||||
! tlen2, prime_arg2, tdots2, errmsg,
|
||||
! clen, client_name.value, cdots,
|
||||
! slen, service_name.value, sdots,
|
||||
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
||||
}
|
||||
free_server_handle(handle);
|
||||
free(prime_arg1);
|
43
krb5.spec
43
krb5.spec
@ -14,7 +14,7 @@
|
||||
Summary: The Kerberos network authentication system.
|
||||
Name: krb5
|
||||
Version: 1.6.1
|
||||
Release: 5
|
||||
Release: 8%{?dist}
|
||||
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||
# http://web.mit.edu/kerberos/dist/krb5/1.5/krb5-1.5-signed.tar
|
||||
Source0: krb5-%{version}.tar.gz
|
||||
@ -88,6 +88,9 @@ Patch61: krb5-trunk-manpaths.patch
|
||||
Patch62: krb5-any-fixup-patch.txt
|
||||
Patch63: krb5-1.6.1-selinux-label.patch
|
||||
|
||||
Patch70: http://web.mit.edu/kerberos/advisories/2007-004-patch.txt
|
||||
Patch71: http://web.mit.edu/kerberos/advisories/2007-005-patch.txt
|
||||
|
||||
License: MIT, freely distributable.
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
Group: System Environment/Libraries
|
||||
@ -203,6 +206,18 @@ installed on systems which are meant provide these services.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jun 27 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.1-8
|
||||
- incorporate fixes for MITKRB5-SA-2007-004 and MITKRB5-SA-2007-005
|
||||
|
||||
* Mon Jun 25 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.1-7
|
||||
- reintroduce missing %%postun for the non-split_workstation case
|
||||
|
||||
* Mon Jun 25 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.1-6
|
||||
- rebuild
|
||||
|
||||
* Mon Jun 25 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.1-5.1
|
||||
- rebuild
|
||||
|
||||
* Sun Jun 24 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.1-5
|
||||
- add missing pam-devel build requirement, force selinux-or-fail build
|
||||
|
||||
@ -264,6 +279,9 @@ installed on systems which are meant provide these services.
|
||||
the part of the default/example kdc.conf where they'll actually have
|
||||
an effect (#236417)
|
||||
|
||||
* Thu Apr 5 2007 Nalin Dahyabhai <nalin@redhat.com> 1.5-24
|
||||
- merge security fixes from RHSA-2007:0095
|
||||
|
||||
* Tue Apr 3 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6-3
|
||||
- add patch to correct unauthorized access via krb5-aware telnet
|
||||
daemon (#229782, CVE-2007-0956)
|
||||
@ -278,10 +296,24 @@ installed on systems which are meant provide these services.
|
||||
- add buildrequires: on keyutils-libs-devel to enable use of keyring ccaches,
|
||||
dragging keyutils-libs in as a dependency
|
||||
|
||||
* Mon Mar 19 2007 Nalin Dahyabhai <nalin@redhat.com> 1.5-23
|
||||
- fix bug ID in changelog
|
||||
|
||||
* Thu Mar 15 2007 Nalin Dahyabhai <nalin@redhat.com> 1.5-22
|
||||
|
||||
* Thu Mar 15 2007 Nalin Dahyabhai <nalin@redhat.com> 1.5-21
|
||||
- add preliminary patch to fix buffer overflow in krb5kdc and kadmind
|
||||
(#231528, CVE-2007-0957)
|
||||
- add preliminary patch to fix double-free in kadmind (#231537, CVE-2007-1216)
|
||||
|
||||
* Wed Feb 28 2007 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- add patch to build semi-useful static libraries, but don't apply it unless
|
||||
we need them
|
||||
|
||||
* Tue Feb 27 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.5-20
|
||||
- temporarily back out %%post changes, fix for #143289 for security update
|
||||
- add preliminary patch to correct unauthorized access via krb5-aware telnet
|
||||
|
||||
* Mon Feb 19 2007 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- make profile.d scriptlets mode 644 instead of 755 (part of #225974)
|
||||
|
||||
@ -1164,6 +1196,8 @@ popd
|
||||
#%patch55 -p1 -b .empty
|
||||
%patch56 -p0 -b .get_opt_fixup
|
||||
%patch57 -p1 -b .ftp-nospew
|
||||
%patch70 -p0 -b .2007-004
|
||||
%patch71 -p0 -b .2007-005
|
||||
cp src/krb524/README README.krb524
|
||||
gzip doc/*.ps
|
||||
|
||||
@ -1375,13 +1409,20 @@ if [ "$1" -ge 1 ] ; then
|
||||
/sbin/service krb524 condrestart > /dev/null 2>&1 || :
|
||||
/sbin/service kprop condrestart > /dev/null 2>&1 || :
|
||||
fi
|
||||
exit 0
|
||||
|
||||
%if %{split_workstation}
|
||||
%post workstation-servers
|
||||
/sbin/service xinetd reload > /dev/null 2>&1 || :
|
||||
exit 0
|
||||
|
||||
%postun workstation-servers
|
||||
/sbin/service xinetd reload > /dev/null 2>&1 || :
|
||||
exit 0
|
||||
%else
|
||||
%postun workstation
|
||||
/sbin/service xinetd reload > /dev/null 2>&1 || :
|
||||
exit 0
|
||||
%endif
|
||||
|
||||
%post workstation
|
||||
|
Loading…
Reference in New Issue
Block a user