718a1573e1
- add upstream patch to fix freeing an uninitialized pointer and dereferencing another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014 and CVE-2012-1015, #838012) - fix a thinko in whether or not we mess around with devel .so symlinks on systems without a separate /usr (sbose)
62 lines
2.4 KiB
Plaintext
62 lines
2.4 KiB
Plaintext
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
|
|
index 23623fe..8ada9d0 100644
|
|
--- a/src/kdc/do_as_req.c
|
|
+++ b/src/kdc/do_as_req.c
|
|
@@ -463,7 +463,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
|
|
krb5_enctype useenctype;
|
|
struct as_req_state *state;
|
|
|
|
- state = malloc(sizeof(*state));
|
|
+ state = calloc(sizeof(*state), 1);
|
|
if (!state) {
|
|
(*respond)(arg, ENOMEM, NULL);
|
|
return;
|
|
@@ -486,6 +486,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
|
|
state->authtime = 0;
|
|
state->c_flags = 0;
|
|
state->req_pkt = req_pkt;
|
|
+ state->inner_body = NULL;
|
|
state->rstate = NULL;
|
|
state->sname = 0;
|
|
state->cname = 0;
|
|
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
|
|
index 9d8cb34..d4ece3f 100644
|
|
--- a/src/kdc/kdc_preauth.c
|
|
+++ b/src/kdc/kdc_preauth.c
|
|
@@ -1438,7 +1438,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
|
|
continue;
|
|
|
|
}
|
|
- if (request_contains_enctype(context, request, db_etype)) {
|
|
+ if (krb5_is_permitted_enctype(context, db_etype) &&
|
|
+ request_contains_enctype(context, request, db_etype)) {
|
|
retval = _make_etype_info_entry(context, client->princ,
|
|
client_key, db_etype,
|
|
&entry[i], etype_info2);
|
|
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
|
index a43b291..94dad3a 100644
|
|
--- a/src/kdc/kdc_util.c
|
|
+++ b/src/kdc/kdc_util.c
|
|
@@ -2461,6 +2461,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request,
|
|
return 0;
|
|
pa.magic = KV5M_PA_DATA;
|
|
pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
|
|
+ memset(&checksum, 0, sizeof(checksum));
|
|
retval = krb5_c_make_checksum(kdc_context,0, reply_key,
|
|
KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
|
|
if (retval != 0)
|
|
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
|
|
index c4bf92e..367c894 100644
|
|
--- a/src/lib/kdb/kdb_default.c
|
|
+++ b/src/lib/kdb/kdb_default.c
|
|
@@ -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
|
|
krb5_boolean saw_non_permitted = FALSE;
|
|
|
|
ret = 0;
|
|
+ if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
|
|
+ return KRB5_KDB_NO_PERMITTED_KEY;
|
|
+
|
|
if (kvno == -1 && stype == -1 && ktype == -1)
|
|
kvno = 0;
|
|
|