From cd3f50fb192d53695158289673cfc98bdf0aae73 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Wed, 27 Jun 2007 06:08:01 +0000 Subject: [PATCH] - incorporate fixes for MITKRB5-SA-2007-004 and MITKRB5-SA-2007-005 --- 2007-004-patch.txt | 86 ++++++++++++++++++++++++++++++++++++ 2007-005-patch.txt | 108 +++++++++++++++++++++++++++++++++++++++++++++ krb5.spec | 43 +++++++++++++++++- 3 files changed, 236 insertions(+), 1 deletion(-) create mode 100644 2007-004-patch.txt create mode 100644 2007-005-patch.txt diff --git a/2007-004-patch.txt b/2007-004-patch.txt new file mode 100644 index 0000000..8adc386 --- /dev/null +++ b/2007-004-patch.txt @@ -0,0 +1,86 @@ +*** src/lib/rpc/svc_auth_gssapi.c (revision 20015) +--- src/lib/rpc/svc_auth_gssapi.c (local) +*************** +*** 149,154 **** +--- 149,156 ---- + rqst->rq_xprt->xp_auth = &svc_auth_none; + + memset((char *) &call_res, 0, sizeof(call_res)); ++ creds.client_handle.length = 0; ++ creds.client_handle.value = NULL; + + cred = &msg->rm_call.cb_cred; + verf = &msg->rm_call.cb_verf; +*** src/lib/rpc/svc_auth_unix.c (revision 20015) +--- src/lib/rpc/svc_auth_unix.c (local) +*************** +*** 64,71 **** + char area_machname[MAX_MACHINE_NAME+1]; + int area_gids[NGRPS]; + } *area; +! u_int auth_len; +! int str_len, gid_len; + register int i; + + rqst->rq_xprt->xp_auth = &svc_auth_none; +--- 64,70 ---- + char area_machname[MAX_MACHINE_NAME+1]; + int area_gids[NGRPS]; + } *area; +! u_int auth_len, str_len, gid_len; + register int i; + + rqst->rq_xprt->xp_auth = &svc_auth_none; +*************** +*** 74,80 **** + aup = &area->area_aup; + aup->aup_machname = area->area_machname; + aup->aup_gids = area->area_gids; +! auth_len = (u_int)msg->rm_call.cb_cred.oa_length; + xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE); + buf = XDR_INLINE(&xdrs, (int)auth_len); + if (buf != NULL) { +--- 73,81 ---- + aup = &area->area_aup; + aup->aup_machname = area->area_machname; + aup->aup_gids = area->area_gids; +! auth_len = msg->rm_call.cb_cred.oa_length; +! if (auth_len > INT_MAX) +! return AUTH_BADCRED; + xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE); + buf = XDR_INLINE(&xdrs, (int)auth_len); + if (buf != NULL) { +*************** +*** 84,90 **** + stat = AUTH_BADCRED; + goto done; + } +! memmove(aup->aup_machname, (caddr_t)buf, (u_int)str_len); + aup->aup_machname[str_len] = 0; + str_len = RNDUP(str_len); + buf += str_len / BYTES_PER_XDR_UNIT; +--- 85,91 ---- + stat = AUTH_BADCRED; + goto done; + } +! memmove(aup->aup_machname, buf, str_len); + aup->aup_machname[str_len] = 0; + str_len = RNDUP(str_len); + buf += str_len / BYTES_PER_XDR_UNIT; +*************** +*** 104,110 **** + * timestamp, hostname len (0), uid, gid, and gids len (0). + */ + if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) { +! (void) printf("bad auth_len gid %d str %d auth %d\n", + gid_len, str_len, auth_len); + stat = AUTH_BADCRED; + goto done; +--- 105,111 ---- + * timestamp, hostname len (0), uid, gid, and gids len (0). + */ + if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) { +! (void) printf("bad auth_len gid %u str %u auth %u\n", + gid_len, str_len, auth_len); + stat = AUTH_BADCRED; + goto done; diff --git a/2007-005-patch.txt b/2007-005-patch.txt new file mode 100644 index 0000000..5c369c1 --- /dev/null +++ b/2007-005-patch.txt @@ -0,0 +1,108 @@ +*** src/kadmin/server/server_stubs.c (revision 20024) +--- src/kadmin/server/server_stubs.c (local) +*************** +*** 545,557 **** + static generic_ret ret; + char *prime_arg1, + *prime_arg2; +- char prime_arg[BUFSIZ]; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + restriction_t *rp; + char *errmsg; + + xdr_free(xdr_generic_ret, &ret); + +--- 545,558 ---- + static generic_ret ret; + char *prime_arg1, + *prime_arg2; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + restriction_t *rp; + char *errmsg; ++ size_t tlen1, tlen2, clen, slen; ++ char *tdots1, *tdots2, *cdots, *sdots; + + xdr_free(xdr_generic_ret, &ret); + +*************** +*** 572,578 **** + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; + } +! sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2); + + ret.code = KADM5_OK; + if (! CHANGEPW_SERVICE(rqstp)) { +--- 573,586 ---- + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; + } +! tlen1 = strlen(prime_arg1); +! trunc_name(&tlen1, &tdots1); +! tlen2 = strlen(prime_arg2); +! trunc_name(&tlen2, &tdots2); +! clen = client_name.length; +! trunc_name(&clen, &cdots); +! slen = service_name.length; +! trunc_name(&slen, &sdots); + + ret.code = KADM5_OK; + if (! CHANGEPW_SERVICE(rqstp)) { +*************** +*** 590,597 **** + } else + ret.code = KADM5_AUTH_INSUFFICIENT; + if (ret.code != KADM5_OK) { +! log_unauth("kadm5_rename_principal", prime_arg, +! &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_rename_principal((void *)handle, arg->src, + arg->dest); +--- 598,612 ---- + } else + ret.code = KADM5_AUTH_INSUFFICIENT; + if (ret.code != KADM5_OK) { +! krb5_klog_syslog(LOG_NOTICE, +! "Unauthorized request: kadm5_rename_principal, " +! "%.*s%s to %.*s%s, " +! "client=%.*s%s, service=%.*s%s, addr=%s", +! tlen1, prime_arg1, tdots1, +! tlen2, prime_arg2, tdots2, +! clen, client_name.value, cdots, +! slen, service_name.value, sdots, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + ret.code = kadm5_rename_principal((void *)handle, arg->src, + arg->dest); +*************** +*** 600,607 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_rename_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + free(prime_arg1); +--- 615,629 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, +! "Request: kadm5_rename_principal, " +! "%.*s%s to %.*s%s, %s, " +! "client=%.*s%s, service=%.*s%s, addr=%s", +! tlen1, prime_arg1, tdots1, +! tlen2, prime_arg2, tdots2, errmsg, +! clen, client_name.value, cdots, +! slen, service_name.value, sdots, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + free(prime_arg1); diff --git a/krb5.spec b/krb5.spec index 0472f56..10052f9 100644 --- a/krb5.spec +++ b/krb5.spec @@ -14,7 +14,7 @@ Summary: The Kerberos network authentication system. Name: krb5 Version: 1.6.1 -Release: 5 +Release: 8%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.5/krb5-1.5-signed.tar Source0: krb5-%{version}.tar.gz @@ -88,6 +88,9 @@ Patch61: krb5-trunk-manpaths.patch Patch62: krb5-any-fixup-patch.txt Patch63: krb5-1.6.1-selinux-label.patch +Patch70: http://web.mit.edu/kerberos/advisories/2007-004-patch.txt +Patch71: http://web.mit.edu/kerberos/advisories/2007-005-patch.txt + License: MIT, freely distributable. URL: http://web.mit.edu/kerberos/www/ Group: System Environment/Libraries @@ -203,6 +206,18 @@ installed on systems which are meant provide these services. %endif %changelog +* Wed Jun 27 2007 Nalin Dahyabhai 1.6.1-8 +- incorporate fixes for MITKRB5-SA-2007-004 and MITKRB5-SA-2007-005 + +* Mon Jun 25 2007 Nalin Dahyabhai 1.6.1-7 +- reintroduce missing %%postun for the non-split_workstation case + +* Mon Jun 25 2007 Nalin Dahyabhai 1.6.1-6 +- rebuild + +* Mon Jun 25 2007 Nalin Dahyabhai 1.6.1-5.1 +- rebuild + * Sun Jun 24 2007 Nalin Dahyabhai 1.6.1-5 - add missing pam-devel build requirement, force selinux-or-fail build @@ -264,6 +279,9 @@ installed on systems which are meant provide these services. the part of the default/example kdc.conf where they'll actually have an effect (#236417) +* Thu Apr 5 2007 Nalin Dahyabhai 1.5-24 +- merge security fixes from RHSA-2007:0095 + * Tue Apr 3 2007 Nalin Dahyabhai 1.6-3 - add patch to correct unauthorized access via krb5-aware telnet daemon (#229782, CVE-2007-0956) @@ -278,10 +296,24 @@ installed on systems which are meant provide these services. - add buildrequires: on keyutils-libs-devel to enable use of keyring ccaches, dragging keyutils-libs in as a dependency +* Mon Mar 19 2007 Nalin Dahyabhai 1.5-23 +- fix bug ID in changelog + +* Thu Mar 15 2007 Nalin Dahyabhai 1.5-22 + +* Thu Mar 15 2007 Nalin Dahyabhai 1.5-21 +- add preliminary patch to fix buffer overflow in krb5kdc and kadmind + (#231528, CVE-2007-0957) +- add preliminary patch to fix double-free in kadmind (#231537, CVE-2007-1216) + * Wed Feb 28 2007 Nalin Dahyabhai - add patch to build semi-useful static libraries, but don't apply it unless we need them +* Tue Feb 27 2007 Nalin Dahyabhai - 1.5-20 +- temporarily back out %%post changes, fix for #143289 for security update +- add preliminary patch to correct unauthorized access via krb5-aware telnet + * Mon Feb 19 2007 Nalin Dahyabhai - make profile.d scriptlets mode 644 instead of 755 (part of #225974) @@ -1164,6 +1196,8 @@ popd #%patch55 -p1 -b .empty %patch56 -p0 -b .get_opt_fixup %patch57 -p1 -b .ftp-nospew +%patch70 -p0 -b .2007-004 +%patch71 -p0 -b .2007-005 cp src/krb524/README README.krb524 gzip doc/*.ps @@ -1375,13 +1409,20 @@ if [ "$1" -ge 1 ] ; then /sbin/service krb524 condrestart > /dev/null 2>&1 || : /sbin/service kprop condrestart > /dev/null 2>&1 || : fi +exit 0 %if %{split_workstation} %post workstation-servers /sbin/service xinetd reload > /dev/null 2>&1 || : +exit 0 %postun workstation-servers /sbin/service xinetd reload > /dev/null 2>&1 || : +exit 0 +%else +%postun workstation +/sbin/service xinetd reload > /dev/null 2>&1 || : +exit 0 %endif %post workstation