* Mon Jan 26 2015 Roland Mainz <rmainz@redhat.com> - 1.13-5
- fix for kinit -C loops (#1184629, MIT/krb5 issue 243, "Do not loop on principal unknown errors"). - Added "python-sphinx-latex" to the build requirements to fix build failures on F22 machines.
parent
6baee3e656
commit
fb520967f9
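--- a/krb5-1.13_kinit_C_loop_krb5bug243.patch
+++ b/krb5-1.13_kinit_C_loop_krb5bug243.patch
@@ -0,0 +1,118 @@
+From d5755694b620570defeecee772def90a2733c6cc Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 20 Jan 2015 13:48:34 -0500
+Subject: [PATCH 1/2] Do not loop on principal unknown errors
+
+If the canonicalize flag is set, the MIT KDC always return the client
+principal when KRB5_KDC_ERR_C_PRICIPAL_UNKNOWN is returned.
+
+Check that this is really a referral by testing that the returned
+client realm differs from the requested one.
+
+[ghudson@mit.edu: simplified and narrowed is_referral() contract.
+Note that a WRONG_REALM response with e-data or FAST error padata
+could now be passed through k5_preauth_tryagain() if it has an empty
+crealm or a crealm equal to the requested client realm. Such a
+response is unexpected in practice and there is nothing dangerous
+about handling it this way.]
+
+ticket: 8060
+target_version: 1.13.1
+tags: pullup
+---
+src/lib/krb5/krb/get_in_tkt.c | 40 +++++++++++++---------------------------
+1 file changed, 13 insertions(+), 27 deletions(-)
+
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index 2c2b654..f9bc027 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
++++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -1379,33 +1379,23 @@ note_req_timestamp(krb5_context context, krb5_init_creds_context ctx,
+AUTH_OFFSET : UNAUTH_OFFSET;
+}
+
+-/* Determine whether the client realm in a KRB-ERROR is empty. */
+-static krb5_boolean
+-is_empty_crealm(krb5_error *err)
+-{
+-
+- return (err->client == NULL || err->client->realm.length == 0);
+-}
+-
+/*
+- * Determine whether a KRB-ERROR is a referral to another realm.
++ * Determine whether err is a client referral to another realm, given the
++ * previously requested client principal name.
+*
+- * RFC 6806 Section 7 requires that KDCs return the referral realm in
+- * an error type WRONG_REALM, but Microsoft Windows Server 2003 (and
+- * possibly others) return the realm in a PRINCIPAL_UNKNOWN message.
+- * Detect this case by looking for a non-empty client.realm field in
+- * such responses.
++ * RFC 6806 Section 7 requires that KDCs return the referral realm in an error
++ * type WRONG_REALM, but Microsoft Windows Server 2003 (and possibly others)
++ * return the realm in a PRINCIPAL_UNKNOWN message.
+*/
+static krb5_boolean
+-is_referral(krb5_init_creds_context ctx)
++is_referral(krb5_context context, krb5_error *err, krb5_principal client)
+{
+- krb5_error *err = ctx->err_reply;
+-
+- if (err->error == KDC_ERR_WRONG_REALM)
+- return TRUE;
+- if (err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN)
++ if (err->error != KDC_ERR_WRONG_REALM &&
++ err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN)
++ return FALSE;
++ if (err->client == NULL)
+return FALSE;
+- return !is_empty_crealm(err);
++ return !krb5_realm_compare(context, err->client, client);
+}
+
+static krb5_error_code
+@@ -1467,12 +1457,8 @@ init_creds_step_reply(krb5_context context,
+ctx->preauth_to_use);
+ctx->preauth_required = TRUE;
+
+- } else if (canon_flag && is_referral(ctx)) {
+- if (is_empty_crealm(ctx->err_reply)) {
+- /* Only WRONG_REALM referral types can reach this. */
+- code = KRB5KDC_ERR_WRONG_REALM;
+- goto cleanup;
+- }
++ } else if (canon_flag && is_referral(context, ctx->err_reply,
++ ctx->request->client)) {
+TRACE_INIT_CREDS_REFERRAL(context, &ctx->err_reply->client->realm);
+/* Rewrite request.client with realm from error reply */
+krb5_free_data_contents(context, &ctx->request->client->realm);
+
+From c0778ab2252ece4c3510788d9b72f7f5e3bb05dd Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 23 Jan 2015 12:52:31 -0500
+Subject: [PATCH 2/2] Add test for kinit -C WRONG_REALM response
+
+ticket: 8060
+---
+src/tests/t_general.py | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/src/tests/t_general.py b/src/tests/t_general.py
+index 98e77a2..5349b05 100755
+--- a/src/tests/t_general.py
++++ b/src/tests/t_general.py
+@@ -33,6 +33,13 @@
+
+realm = K5Realm(create_host=False)
+
++# Test that WRONG_REALM responses aren't treated as referrals unless
++# they contain a crealm field pointing to a different realm.
++# (Regression test for #8060.)
++out = realm.run([kinit, '-C', 'notfoundprinc'], expected_code=1)
++if 'not found in Kerberos database' not in out:
++ fail('Expected error message not seen in kinit -C output')
++
+# Spot-check KRB5_TRACE output
+tracefile = os.path.join(realm.testdir, 'trace')
+realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, realm.user_princ],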
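Review bot: In the embedded get_in_tkt.c change, the new is_referral() guards only `err->client == NULL`, whereas the removed is_empty_crealm() also rejected `err->client->realm.length == 0`. If the KRB-ERROR decoder can produce a non-NULL client with a zero-length realm (not visible here), krb5_realm_compare() would presumably report a mismatch with the requested realm, and init_creds_step_reply() would then rewrite request->client->realm from an empty realm taken from an error reply. Keeping the length check restores the old rejection of that case: `if (err->client == NULL || err->client->realm.length == 0) return FALSE;`. The added t_general.py test covers only a principal missing from the local realm, so a case for an empty crealm would be worth adding. init_creds_step_reply() continues outside the hunk, so any later bound on referral hops cannot be confirmed from this patch.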
15
krb5.spec
15
krb5.spec
@ -43,7 +43,7 @@
|
||||
Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.13
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13-signed.tar
|
||||
# - The sources below are stored in a lookaside cache. Upload with
|
||||
@ -96,6 +96,7 @@ Patch134: krb5-1.11-kpasswdtest.patch
|
||||
Patch136: krb5-socket_wrapper_eventfd_prototype_mismatch.patch
|
||||
Patch137: krb5-CVE_2014_5353_fix_LDAP_misused_policy_name_crash.patch
|
||||
Patch138: krb5-CVE_2014_5354_support_keyless_principals_in_LDAP.patch
|
||||
Patch139: krb5-1.13_kinit_C_loop_krb5bug243.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -106,7 +107,7 @@ BuildRequires: autoconf, bison, flex, gawk, gettext, pkgconfig, sed
|
||||
BuildRequires: libcom_err-devel, libedit-devel, libss-devel
|
||||
%endif
|
||||
BuildRequires: gzip, ncurses-devel, tar
|
||||
BuildRequires: python-sphinx, texlive-pdftex
|
||||
BuildRequires: python-sphinx, python-sphinx-latex, texlive-pdftex
|
||||
# The texlive package got a lot more complicated here.
|
||||
%if 0%{?fedora} > 17 || 0%{?rhel} > 6
|
||||
# Taken from \usepackage directives produced by sphinx:
|
||||
@ -319,6 +320,7 @@ ln NOTICE LICENSE
|
||||
|
||||
%patch137 -p1
|
||||
%patch138 -p1
|
||||
%patch139 -p1 -b .krb5_1_13_kinit_C_loop_krb5bug243
|
||||
|
||||
# Take the execute bit off of documentation.
|
||||
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
|
||||
@ -989,8 +991,15 @@ exit 0
|
||||
%{_sbindir}/gss-server
|
||||
%{_sbindir}/uuserver
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Dec 19 2014 Roland Mainz <rmainz@redhat.com> - 1.13-4
|
||||
* Mon Jan 26 2015 Roland Mainz <rmainz@redhat.com> - 1.13-5
|
||||
- fix for kinit -C loops (#1184629, MIT/krb5 issue 243, "Do not
|
||||
loop on principal unknown errors").
|
||||
- Added "python-sphinx-latex" to the build requirements
|
||||
to fix build failures on F22 machines.
|
||||
|
||||
* Thu Dec 18 2014 Roland Mainz <rmainz@redhat.com> - 1.13-4
|
||||
- fix for CVE-2014-5354 (#1174546) "krb5: NULL pointer
|
||||
dereference when using keyless entries"
|
||||
|
||||
|