- incorporate fixes for MITKRB5-SA-2007-004 and MITKRB5-SA-2007-005

2007-06-27 06:08:01 +00:00 · 2007-06-27 06:08:01 +00:00 · cd3f50fb19
commit cd3f50fb19
parent 196ea67f06
3 changed files with 236 additions and 1 deletions
--- a/2007-004-patch.txt
+++ b/2007-004-patch.txt
@ -0,0 +1,86 @@
+*** src/lib/rpc/svc_auth_gssapi.c	(revision 20015)
+--- src/lib/rpc/svc_auth_gssapi.c	(local)
+***************
+*** 149,154 ****
+--- 149,156 ----
+       rqst->rq_xprt->xp_auth = &svc_auth_none;
+       
+       memset((char *) &call_res, 0, sizeof(call_res));
+      creds.client_handle.length = 0;
+      creds.client_handle.value = NULL;
+       
+       cred = &msg->rm_call.cb_cred;
+       verf = &msg->rm_call.cb_verf;
+*** src/lib/rpc/svc_auth_unix.c	(revision 20015)
+--- src/lib/rpc/svc_auth_unix.c	(local)
+***************
+*** 64,71 ****
+  		char area_machname[MAX_MACHINE_NAME+1];
+  		int area_gids[NGRPS];
+  	} *area;
+! 	u_int auth_len;
+! 	int str_len, gid_len;
+  	register int i;
+  
+  	rqst->rq_xprt->xp_auth = &svc_auth_none;
+--- 64,70 ----
+  		char area_machname[MAX_MACHINE_NAME+1];
+  		int area_gids[NGRPS];
+  	} *area;
+! 	u_int auth_len, str_len, gid_len;
+  	register int i;
+  
+  	rqst->rq_xprt->xp_auth = &svc_auth_none;
+***************
+*** 74,80 ****
+  	aup = &area->area_aup;
+  	aup->aup_machname = area->area_machname;
+  	aup->aup_gids = area->area_gids;
+! 	auth_len = (u_int)msg->rm_call.cb_cred.oa_length;
+  	xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE);
+  	buf = XDR_INLINE(&xdrs, (int)auth_len);
+  	if (buf != NULL) {
+--- 73,81 ----
+  	aup = &area->area_aup;
+  	aup->aup_machname = area->area_machname;
+  	aup->aup_gids = area->area_gids;
+! 	auth_len = msg->rm_call.cb_cred.oa_length;
+! 	if (auth_len > INT_MAX)
+! 		return AUTH_BADCRED;
+  	xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE);
+  	buf = XDR_INLINE(&xdrs, (int)auth_len);
+  	if (buf != NULL) {
+***************
+*** 84,90 ****
+  			stat = AUTH_BADCRED;
+  			goto done;
+  		}
+! 		memmove(aup->aup_machname, (caddr_t)buf, (u_int)str_len);
+  		aup->aup_machname[str_len] = 0;
+  		str_len = RNDUP(str_len);
+  		buf += str_len / BYTES_PER_XDR_UNIT;
+--- 85,91 ----
+  			stat = AUTH_BADCRED;
+  			goto done;
+  		}
+! 		memmove(aup->aup_machname, buf, str_len);
+  		aup->aup_machname[str_len] = 0;
+  		str_len = RNDUP(str_len);
+  		buf += str_len / BYTES_PER_XDR_UNIT;
+***************
+*** 104,110 ****
+  		 * timestamp, hostname len (0), uid, gid, and gids len (0).
+  		 */
+  		if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) {
+! 			(void) printf("bad auth_len gid %d str %d auth %d\n",
+  			    gid_len, str_len, auth_len);
+  			stat = AUTH_BADCRED;
+  			goto done;
+--- 105,111 ----
+  		 * timestamp, hostname len (0), uid, gid, and gids len (0).
+  		 */
+  		if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) {
+! 			(void) printf("bad auth_len gid %u str %u auth %u\n",
+  			    gid_len, str_len, auth_len);
+  			stat = AUTH_BADCRED;
+  			goto done;
--- a/2007-005-patch.txt
+++ b/2007-005-patch.txt
@ -0,0 +1,108 @@
+*** src/kadmin/server/server_stubs.c	(revision 20024)
+--- src/kadmin/server/server_stubs.c	(local)
+***************
+*** 545,557 ****
+      static generic_ret		ret;
+      char			*prime_arg1,
+  				*prime_arg2;
+-     char			prime_arg[BUFSIZ];
+      gss_buffer_desc		client_name,
+  				service_name;
+      OM_uint32			minor_stat;
+      kadm5_server_handle_t	handle;
+      restriction_t		*rp;
+      char                        *errmsg;
+  
+      xdr_free(xdr_generic_ret, &ret);
+  
+--- 545,558 ----
+      static generic_ret		ret;
+      char			*prime_arg1,
+  				*prime_arg2;
+      gss_buffer_desc		client_name,
+  				service_name;
+      OM_uint32			minor_stat;
+      kadm5_server_handle_t	handle;
+      restriction_t		*rp;
+      char                        *errmsg;
+     size_t			tlen1, tlen2, clen, slen;
+     char			*tdots1, *tdots2, *cdots, *sdots;
+  
+      xdr_free(xdr_generic_ret, &ret);
+  
+***************
+*** 572,578 ****
+  	 ret.code = KADM5_BAD_PRINCIPAL;
+  	 goto exit_func;
+      }
+!     sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
+  
+      ret.code = KADM5_OK;
+      if (! CHANGEPW_SERVICE(rqstp)) {
+--- 573,586 ----
+  	 ret.code = KADM5_BAD_PRINCIPAL;
+  	 goto exit_func;
+      }
+!     tlen1 = strlen(prime_arg1);
+!     trunc_name(&tlen1, &tdots1);
+!     tlen2 = strlen(prime_arg2);
+!     trunc_name(&tlen2, &tdots2);
+!     clen = client_name.length;
+!     trunc_name(&clen, &cdots);
+!     slen = service_name.length;
+!     trunc_name(&slen, &sdots);
+  
+      ret.code = KADM5_OK;
+      if (! CHANGEPW_SERVICE(rqstp)) {
+***************
+*** 590,597 ****
+      } else
+  	 ret.code = KADM5_AUTH_INSUFFICIENT;
+      if (ret.code != KADM5_OK) {
+! 	 log_unauth("kadm5_rename_principal", prime_arg,
+! 		    &client_name, &service_name, rqstp);
+      } else {
+  	 ret.code = kadm5_rename_principal((void *)handle, arg->src,
+  						arg->dest);
+--- 598,612 ----
+      } else
+  	 ret.code = KADM5_AUTH_INSUFFICIENT;
+      if (ret.code != KADM5_OK) {
+! 	 krb5_klog_syslog(LOG_NOTICE,
+! 			  "Unauthorized request: kadm5_rename_principal, "
+! 			  "%.*s%s to %.*s%s, "
+! 			  "client=%.*s%s, service=%.*s%s, addr=%s",
+! 			  tlen1, prime_arg1, tdots1,
+! 			  tlen2, prime_arg2, tdots2,
+! 			  clen, client_name.value, cdots,
+! 			  slen, service_name.value, sdots,
+! 			  inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+      } else {
+  	 ret.code = kadm5_rename_principal((void *)handle, arg->src,
+  						arg->dest);
+***************
+*** 600,607 ****
+  	 else
+  	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+  
+! 	 log_done("kadm5_rename_principal", prime_arg, errmsg,
+! 		  &client_name, &service_name, rqstp);
+      }
+      free_server_handle(handle);
+      free(prime_arg1);
+--- 615,629 ----
+  	 else
+  	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+  
+! 	 krb5_klog_syslog(LOG_NOTICE,
+! 			  "Request: kadm5_rename_principal, "
+! 			  "%.*s%s to %.*s%s, %s, "
+! 			  "client=%.*s%s, service=%.*s%s, addr=%s",
+! 			  tlen1, prime_arg1, tdots1,
+! 			  tlen2, prime_arg2, tdots2, errmsg,
+! 			  clen, client_name.value, cdots,
+! 			  slen, service_name.value, sdots,
+! 			  inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+      }
+      free_server_handle(handle);
+      free(prime_arg1);
--- a/krb5.spec
+++ b/krb5.spec
@ -14,7 +14,7 @@
 Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.6.1
-Release: 5
+Release: 8%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.5/krb5-1.5-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -88,6 +88,9 @@ Patch61: krb5-trunk-manpaths.patch
 Patch62: krb5-any-fixup-patch.txt
 Patch63: krb5-1.6.1-selinux-label.patch

+Patch70: http://web.mit.edu/kerberos/advisories/2007-004-patch.txt
+Patch71: http://web.mit.edu/kerberos/advisories/2007-005-patch.txt
+
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@ -203,6 +206,18 @@ installed on systems which are meant provide these services.
 %endif

 %changelog
+* Wed Jun 27 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.1-8
+- incorporate fixes for MITKRB5-SA-2007-004 and MITKRB5-SA-2007-005
+
+* Mon Jun 25 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.1-7
+- reintroduce missing %%postun for the non-split_workstation case
+
+* Mon Jun 25 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.1-6
+- rebuild
+
+* Mon Jun 25 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.1-5.1
+- rebuild
+
 * Sun Jun 24 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.1-5
 - add missing pam-devel build requirement, force selinux-or-fail build

@ -264,6 +279,9 @@ installed on systems which are meant provide these services.
  the part of the default/example kdc.conf where they'll actually have
  an effect (#236417)

+* Thu Apr  5 2007 Nalin Dahyabhai <nalin@redhat.com> 1.5-24
+- merge security fixes from RHSA-2007:0095
+
 * Tue Apr  3 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6-3
 - add patch to correct unauthorized access via krb5-aware telnet
  daemon (#229782, CVE-2007-0956)
@ -278,10 +296,24 @@ installed on systems which are meant provide these services.
 - add buildrequires: on keyutils-libs-devel to enable use of keyring ccaches,
  dragging keyutils-libs in as a dependency

+* Mon Mar 19 2007 Nalin Dahyabhai <nalin@redhat.com> 1.5-23
+- fix bug ID in changelog
+
+* Thu Mar 15 2007 Nalin Dahyabhai <nalin@redhat.com> 1.5-22
+
+* Thu Mar 15 2007 Nalin Dahyabhai <nalin@redhat.com> 1.5-21
+- add preliminary patch to fix buffer overflow in krb5kdc and kadmind
+  (#231528, CVE-2007-0957)
+- add preliminary patch to fix double-free in kadmind (#231537, CVE-2007-1216)
+
 * Wed Feb 28 2007 Nalin Dahyabhai <nalin@redhat.com>
 - add patch to build semi-useful static libraries, but don't apply it unless
  we need them

+* Tue Feb 27 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.5-20
+- temporarily back out %%post changes, fix for #143289 for security update
+- add preliminary patch to correct unauthorized access via krb5-aware telnet
+
 * Mon Feb 19 2007 Nalin Dahyabhai <nalin@redhat.com>
 - make profile.d scriptlets mode 644 instead of 755 (part of #225974)

@ -1164,6 +1196,8 @@ popd
 #%patch55 -p1 -b .empty
 %patch56 -p0 -b .get_opt_fixup
 %patch57 -p1 -b .ftp-nospew
+%patch70 -p0 -b .2007-004
+%patch71 -p0 -b .2007-005
 cp src/krb524/README README.krb524
 gzip doc/*.ps

@ -1375,13 +1409,20 @@ if [ "$1" -ge 1 ] ; then
 	/sbin/service krb524 condrestart > /dev/null 2>&1 || :
 	/sbin/service kprop condrestart > /dev/null 2>&1 || :
 fi
+exit 0

 %if %{split_workstation}
 %post workstation-servers
 /sbin/service xinetd reload > /dev/null 2>&1 || :
+exit 0

 %postun workstation-servers
 /sbin/service xinetd reload > /dev/null 2>&1 || :
+exit 0
+%else
+%postun workstation
+/sbin/service xinetd reload > /dev/null 2>&1 || :
+exit 0
 %endif

 %post workstation