- add patch for MITKRB5-SA-2007-001

2007-04-03 18:30:50 +00:00 · 2007-04-03 18:30:50 +00:00 · e200cf4e0c
commit e200cf4e0c
parent 1dc23da208
1 changed files with 88 additions and 0 deletions
--- a/krb5-1.6-CVE-2007-0956-prelim.patch
+++ b/krb5-1.6-CVE-2007-0956-prelim.patch
@ -0,0 +1,88 @@
+FIXES
+=====
+
+* a future release of MIT krb5 will contain a fix for this
+  vulnerability
+
+prior to that release you may:
+
+* disable telnetd
+
+or
+
+* apply the following (preliminary) patch:
+
+*** src/appl/telnet/telnetd/state.c     (revision 19480)
+--- src/appl/telnet/telnetd/state.c     (local)
+***************
+*** 1665,1671 ****
+  	    strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
+  	    strcmp(varp, "NLSPATH") && /* locale stuff */
+  	    strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
+! 	    strcmp(varp, "IFS")) {
+  		return 1;
+  	} else {
+  		syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
+--- 1665,1672 ----
+  	    strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
+  	    strcmp(varp, "NLSPATH") && /* locale stuff */
+  	    strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
+! 	    strcmp(varp, "IFS") &&
+! 	    !strchr(varp, '-')) {
+  		return 1;
+  	} else {
+  		syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
+*** src/appl/telnet/telnetd/sys_term.c  (revision 19480)
+--- src/appl/telnet/telnetd/sys_term.c  (local)
+***************
+*** 1287,1292 ****
+--- 1287,1302 ----
+  #endif
+  #if	defined (AUTHENTICATION)
+  	if (auth_level >= 0 && autologin == AUTH_VALID) {
+ 		if (name[0] == '-') {
+ 		    /* Authenticated and authorized to log in to an
+ 		       account starting with '-'?  Even if that
+ 		       unlikely case comes to pass, the current login
+ 		       program will not parse the resulting command
+ 		       line properly.  */
+ 		    syslog(LOG_ERR, "user name cannot start with '-'");
+ 		    fatal(net, "user name cannot start with '-'");
+ 		    exit(1);
+ 		}
+  # if	!defined(NO_LOGIN_F)
+  #if	defined(LOGIN_CAP_F)
+  		argv = addarg(argv, "-F");
+***************
+*** 1377,1387 ****
+  	} else
+  #endif
+  	if (getenv("USER")) {
+! 		argv = addarg(argv, getenv("USER"));
+  #if	defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
+  		{
+  			register char **cpp;
+  			for (cpp = environ; *cpp; cpp++)
+  				argv = addarg(argv, *cpp);
+  		}
+  #endif
+--- 1387,1405 ----
+  	} else
+  #endif
+  	if (getenv("USER")) {
+! 		char *user = getenv("USER");
+! 		if (user[0] == '-') {
+! 			/* "telnet -l-x ..." */
+! 			syslog(LOG_ERR, "user name cannot start with '-'");
+! 			fatal(net, "user name cannot start with '-'");
+! 			exit(1);
+! 		}
+! 		argv = addarg(argv, user);
+  #if	defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
+  		{
+  			register char **cpp;
+  			for (cpp = environ; *cpp; cpp++)
+ 			    if ((*cpp)[0] != '-')
+  				argv = addarg(argv, *cpp);
+  		}
+  #endif