rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

New rawhide, new upstream version

Browse Source 
- Drop CVE patches
- Rename fix_interposer.patch to acquire_cred_interposer.patch
- Update acquire_cred_interposer.patch to apply to new source
This commit is contained in:
Robbie Harwood 2016-02-29 23:45:34 +00:00
parent 8bddc884ac
commit f1cb770b53
9 changed files with 16 additions and 802 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -130,3 +130,6 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.14-pdfs.tar
/krb5-1.14.tar.gz
/krb5-1.14.tar.gz.asc
/krb5-1.14.1-pdfs.tar
/krb5-1.14.1.tar.gz
/krb5-1.14.1.tar.gz.asc

39
krb5-1.14.1-interpose-accept_sec_context.patch
View File

@ -1,39 +0,0 @@
From 0b43d10333f4c4b29896cebc9447d8866b661217 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 16 Dec 2015 19:31:22 -0500
Subject: [PATCH] Fix interposed gss_accept_sec_context()
If gss_accept_sec_context() is interposed, selected_mech will be an
interposer OID. In this situation, pass the corresponding public OID
to gss_inquire_attrs_for_mech() to determine whether the mech is
allowed by default.
[ghudson@mit.edu: pared down from larger commit; rewrote commit message]
ticket: 8338 (new)
target_version: 1.14-next
tags: pullup
---
src/lib/gssapi/mechglue/g_accept_sec_context.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index 6c72d1f..ddaf874 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -94,6 +94,12 @@ allow_mech_by_default(gss_OID mech)
gss_OID_set attrs;
int reject = 0, p;
+ /* Whether we accept an interposer mech depends on whether we accept the
+ * mech it interposes. */
+ mech = gssint_get_public_oid(mech);
+ if (mech == GSS_C_NO_OID)
+ return 0;
+
status = gss_inquire_attrs_for_mech(&minor, mech, &attrs, NULL);
if (status)
return 0;
--
2.7.0

48
krb5-CVE-2015-8629.patch
View File

@ -1,48 +0,0 @@
From df17a1224a3406f57477bcd372c61e04c0e5a5bb Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 8 Jan 2016 12:45:25 -0500
Subject: [PATCH 1/3] Verify decoded kadmin C strings [CVE-2015-8629]
In xdr_nullstring(), check that the decoded string is terminated with
a zero byte and does not contain any internal zero bytes.
CVE-2015-8629:
In all versions of MIT krb5, an authenticated attacker can cause
kadmind to read beyond the end of allocated memory by sending a string
without a terminating zero byte. Information leakage may be possible
for an attacker with permission to modify the database.
CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
ticket: 8341 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
---
src/lib/kadm5/kadm_rpc_xdr.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
index 2bef858..ba67084 100644
--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp)
return FALSE;
}
}
- return (xdr_opaque(xdrs, *objp, size));
+ if (!xdr_opaque(xdrs, *objp, size))
+ return FALSE;
+ /* Check that the unmarshalled bytes are a C string. */
+ if ((*objp)[size - 1] != '\0')
+ return FALSE;
+ if (memchr(*objp, '\0', size - 1) != NULL)
+ return FALSE;
+ return TRUE;
case XDR_ENCODE:
if (size != 0)
--
2.7.0.rc3

78
krb5-CVE-2015-8630.patch
View File

@ -1,78 +0,0 @@
From b863de7fbf080b15e347a736fdda0a82d42f4f6b Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 8 Jan 2016 12:52:28 -0500
Subject: [PATCH 2/3] Check for null kadm5 policy name [CVE-2015-8630]
In kadm5_create_principal_3() and kadm5_modify_principal(), check for
entry->policy being null when KADM5_POLICY is included in the mask.
CVE-2015-8630:
In MIT krb5 1.12 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying a null policy value but including KADM5_POLICY in
the mask.
CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
ticket: 8342 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
---
src/lib/kadm5/srv/svr_principal.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 5b95fa3..1d4365c 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle,
/*
* Argument sanity checking, and opening up the DB
*/
+ if (entry == NULL)
+ return EINVAL;
if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) ||
(mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) ||
(mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
@@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle,
return KADM5_BAD_MASK;
if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0)
return KADM5_BAD_MASK;
+ if((mask & KADM5_POLICY) && entry->policy == NULL)
+ return KADM5_BAD_MASK;
if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
return KADM5_BAD_MASK;
if((mask & ~ALL_PRINC_MASK))
return KADM5_BAD_MASK;
- if (entry == NULL)
- return EINVAL;
/*
* Check to see if the principal exists
@@ -643,6 +645,8 @@ kadm5_modify_principal(void *server_handle,
krb5_clear_error_message(handle->context);
+ if(entry == NULL)
+ return EINVAL;
if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) ||
(mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) ||
(mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
@@ -651,10 +655,10 @@ kadm5_modify_principal(void *server_handle,
return KADM5_BAD_MASK;
if((mask & ~ALL_PRINC_MASK))
return KADM5_BAD_MASK;
+ if((mask & KADM5_POLICY) && entry->policy == NULL)
+ return KADM5_BAD_MASK;
if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
return KADM5_BAD_MASK;
- if(entry == (kadm5_principal_ent_t) NULL)
- return EINVAL;
if (mask & KADM5_TL_DATA) {
tl_data_orig = entry->tl_data;
while (tl_data_orig) {
--
2.7.0.rc3

573
krb5-CVE-2015-8631.patch
View File

@ -1,573 +0,0 @@
From 83ed75feba32e46f736fcce0d96a0445f29b96c2 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 8 Jan 2016 13:16:54 -0500
Subject: [PATCH 3/3] Fix leaks in kadmin server stubs [CVE-2015-8631]
In each kadmind server stub, initialize the client_name and
server_name variables, and release them in the cleanup handler. Many
of the stubs will otherwise leak the client and server name if
krb5_unparse_name() fails. Also make sure to free the prime_arg
variables in rename_principal_2_svc(), or we can leak the first one if
unparsing the second one fails. Discovered by Simo Sorce.
CVE-2015-8631:
In all versions of MIT krb5, an authenticated attacker can cause
kadmind to leak memory by supplying a null principal name in a request
which uses one. Repeating these requests will eventually cause
kadmind to exhaust all available memory.
CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
ticket: 8343 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
---
src/kadmin/server/server_stubs.c | 151 ++++++++++++++++++++-------------------
1 file changed, 77 insertions(+), 74 deletions(-)
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index 1879dc6..6ac797e 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -334,7 +334,8 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name, service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
@@ -382,10 +383,10 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
- gss_release_buffer(&minor_stat, &client_name);
- gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
free_server_handle(handle);
return &ret;
}
@@ -395,7 +396,8 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name, service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
@@ -444,10 +446,10 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
- gss_release_buffer(&minor_stat, &client_name);
- gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
free_server_handle(handle);
return &ret;
}
@@ -457,8 +459,8 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -501,10 +503,10 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp)
}
free(prime_arg);
- gss_release_buffer(&minor_stat, &client_name);
- gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
free_server_handle(handle);
return &ret;
}
@@ -514,8 +516,8 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
@@ -559,9 +561,9 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -570,10 +572,9 @@ generic_ret *
rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
- char *prime_arg1,
- *prime_arg2;
- gss_buffer_desc client_name,
- service_name;
+ char *prime_arg1 = NULL, *prime_arg2 = NULL;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
@@ -655,11 +656,11 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
+exit_func:
free(prime_arg1);
free(prime_arg2);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -669,8 +670,8 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
{
static gprinc_ret ret;
char *prime_arg, *funcname;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -719,9 +720,9 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -731,8 +732,8 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
{
static gprincs_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -777,9 +778,9 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -789,8 +790,8 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -840,9 +841,9 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp)
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -852,8 +853,8 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -909,9 +910,9 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp)
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -921,8 +922,8 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -969,9 +970,9 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp)
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -981,8 +982,8 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1029,9 +1030,9 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp)
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1041,8 +1042,8 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1092,9 +1093,9 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp)
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1106,8 +1107,8 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
krb5_keyblock *k;
int nkeys;
char *prime_arg, *funcname;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1164,9 +1165,9 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1178,8 +1179,8 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
krb5_keyblock *k;
int nkeys;
char *prime_arg, *funcname;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1241,9 +1242,9 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1253,8 +1254,8 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1295,9 +1296,9 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp)
if (errmsg != NULL)
krb5_free_error_message(handle->context, errmsg);
}
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1307,8 +1308,8 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1347,9 +1348,9 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp)
if (errmsg != NULL)
krb5_free_error_message(handle->context, errmsg);
}
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1359,8 +1360,8 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1400,9 +1401,9 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp)
if (errmsg != NULL)
krb5_free_error_message(handle->context, errmsg);
}
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1413,8 +1414,8 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
static gpol_ret ret;
kadm5_ret_t ret2;
char *prime_arg, *funcname;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_principal_ent_rec caller_ent;
kadm5_server_handle_t handle;
@@ -1475,9 +1476,9 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
log_unauth(funcname, prime_arg,
&client_name, &service_name, rqstp);
}
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
@@ -1488,8 +1489,8 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp)
{
static gpols_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1531,9 +1532,9 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp)
if (errmsg != NULL)
krb5_free_error_message(handle->context, errmsg);
}
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1541,7 +1542,8 @@ exit_func:
getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
{
static getprivs_ret ret;
- gss_buffer_desc client_name, service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1571,9 +1573,9 @@ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
if (errmsg != NULL)
krb5_free_error_message(handle->context, errmsg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1583,7 +1585,8 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg, *funcname;
- gss_buffer_desc client_name, service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
@@ -1629,9 +1632,9 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1641,8 +1644,8 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
{
static gstrings_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1688,9 +1691,9 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1700,8 +1703,8 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
const char *errmsg = NULL;
@@ -1744,9 +1747,9 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
+exit_func:
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
-exit_func:
free_server_handle(handle);
return &ret;
}
@@ -1754,8 +1757,8 @@ exit_func:
generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
{
static generic_ret ret;
- gss_buffer_desc client_name,
- service_name;
+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
kadm5_server_handle_t handle;
OM_uint32 minor_stat;
const char *errmsg = NULL;
@@ -1797,10 +1800,10 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
rqstp->rq_cred.oa_flavor);
if (errmsg != NULL)
krb5_free_error_message(NULL, errmsg);
- gss_release_buffer(&minor_stat, &client_name);
- gss_release_buffer(&minor_stat, &service_name);
exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
return(&ret);
}
--
2.7.0.rc3

2
krb5-fix_interposer.patch → krb5-acquire_cred_interposer.patch
View File

@ -43,7 +43,7 @@ index 0dd4f87..9eab25e 100644
+ mech = gssint_get_mechanism(selected_mech);
if (!mech)
return GSS_S_BAD_MECH;
else if (!mech->gss_acquire_cred)
else if (!mech->gss_acquire_cred_impersonate_name)
@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
internal_name = GSS_C_NO_NAME;
} else {

46
krb5-init_context_null_spnego.patch
View File

@ -1,46 +0,0 @@
From 3beb564cea3d219efcf71682b6576cad548c2d23 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 5 Jan 2016 12:11:59 -0500
Subject: [PATCH] Check internal context on init context errors
If the mechanism deletes the internal context handle on error, the
mechglue must do the same with the union context, to avoid crashes if
the application calls other functions with this invalid union context.
[ghudson@mit.edu: edit commit message and code comment]
ticket: 8337 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
---
src/lib/gssapi/mechglue/g_init_sec_context.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_init_sec_context.c b/src/lib/gssapi/mechglue/g_init_sec_context.c
index aaae767..9f154b8 100644
--- a/src/lib/gssapi/mechglue/g_init_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_init_sec_context.c
@@ -224,12 +224,15 @@ OM_uint32 * time_rec;
if (status != GSS_S_COMPLETE && status != GSS_S_CONTINUE_NEEDED) {
/*
- * the spec says (the preferred) method is to delete all
- * context info on the first call to init, and on all
- * subsequent calls make the caller responsible for
- * calling gss_delete_sec_context
+ * The spec says the preferred method is to delete all context info on
+ * the first call to init, and on all subsequent calls make the caller
+ * responsible for calling gss_delete_sec_context. However, if the
+ * mechanism decided to delete the internal context, we should also
+ * delete the union context.
*/
map_error(minor_status, mech);
+ if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT)
+ *context_handle = GSS_C_NO_CONTEXT;
if (*context_handle == GSS_C_NO_CONTEXT) {
free(union_ctx_id->mech_type->elements);
free(union_ctx_id->mech_type);
--
2.6.4

23
krb5.spec
View File

@ -12,8 +12,8 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.14
Release: 23%{?dist}
Version: 1.14.1
Release: 1%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@ -57,14 +57,9 @@ Patch86: krb5-1.9-debuginfo.patch
Patch129: krb5-1.11-run_user_0.patch
Patch134: krb5-1.11-kpasswdtest.patch
Patch148: krb5-disable_ofd_locks.patch
Patch150: krb5-fix_interposer.patch
Patch152: krb5-init_context_null_spnego.patch
Patch150: krb5-acquire_cred_interposer.patch
Patch153: krb5-1.14.1-log_file_permissions.patch
Patch154: krb5-CVE-2015-8629.patch
Patch155: krb5-CVE-2015-8630.patch
Patch156: krb5-CVE-2015-8631.patch
Patch157: krb5-1.14.1-interpose-accept_sec_context.patch
Patch158: krb5-1.14.1-interpose-enable-inquire_attrs_for_mech.patch
Patch159: krb5-1.14.1-interpose-fix-inquire_attrs_for_mech.patch
Patch160: krb5-1.14.1-interpose-inquire_saslname_for_mech.patch
@ -243,14 +238,8 @@ ln NOTICE LICENSE
%patch148 -p1 -b .disable_ofd_locks
%patch150 -p1 -b .fix_interposer
%patch152 -p1 -b .init_context_null_spnego
%patch153 -p1 -b .log_file_permissions
%patch154 -p1 -b .CVE-2015-8629
%patch155 -p1 -b .CVE-2015-8630
%patch156 -p1 -b .CVE-2015-8631
%patch157 -p1 -b .interpose-accept_sec_context
%patch158 -p1 -b .interpose-enable-inquire_attrs_for_mech
%patch159 -p1 -b .interpose-fix-inquire_attrs_for_mech
%patch160 -p1 -b .interpose-inquire_saslname_for_mech
@ -777,6 +766,12 @@ exit 0
%changelog
* Mon Feb 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-1
- New rawhide, new upstream version
- Drop CVE patches
- Rename fix_interposer.patch to acquire_cred_interposer.patch
- Update acquire_cred_interposer.patch to apply to new source
* Mon Feb 22 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-23
- Fix log file permissions patch with our selinux
- Resolves: #1309421

6
sources
View File

@ -1,3 +1,3 @@
ac45469a7dc1aef4d03632dada893aca krb5-1.14-pdfs.tar
0727968764d0208388b85ad31aafde24 krb5-1.14.tar.gz
5206449ace5db12ef70856e4d5f3a064 krb5-1.14.tar.gz.asc
ac45469a7dc1aef4d03632dada893aca krb5-1.14.1-pdfs.tar
400de0cabbfbe85c2c36f60347bf7dc6 krb5-1.14.1.tar.gz
98a82e313a0f23498122eba3338f7576 krb5-1.14.1.tar.gz.asc