From ac127d52638bf5c6daa54f1040d40e4d48a795cd Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: May 05 2011 23:03:10 +0000
Subject: - update to 1.9.1: - drop no-longer-needed patches for CVE-2010-4022, CVE-2011-0281, CVE-2011-0282, CVE-2011-0283, CVE-2011-0284, CVE-2011-0285
---
diff --git a/.gitignore b/.gitignore
index 78731eb..a9eda7e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -53,3 +53,6 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.9.tar.gz
 /krb5-1.9.tar.gz.asc
 /krb5-1.9-pdf.tar.bz2
+/krb5-1.9.1.tar.gz
+/krb5-1.9.1.tar.gz.asc
+/krb5-1.9.1-pdf.tar.bz2
diff --git a/2011-001-patch.txt b/2011-001-patch.txt
deleted file mode 100644
index 30ebf96..0000000
--- a/2011-001-patch.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -up krb5/src/slave/kpropd.c krb5/src/slave/kpropd.c
---- krb5/src/slave/kpropd.c 2010-12-17 11:14:26.000000000 -0500
-+++ krb5/src/slave/kpropd.c 2010-12-17 11:41:19.000000000 -0500
-@@ -404,11 +404,11 @@ retry:
- }
-
- close(s);
-- if (iproprole == IPROP_SLAVE)
-+ if (iproprole == IPROP_SLAVE) {
- close(finet);
--
-- if ((ret = WEXITSTATUS(status)) != 0)
-- return (ret);
-+ if ((ret = WEXITSTATUS(status)) != 0)
-+ return (ret);
-+ }
- }
- if (iproprole == IPROP_SLAVE)
- break;
diff --git a/2011-002-patch.txt b/2011-002-patch.txt
deleted file mode 100644
index e4623e9..0000000
--- a/2011-002-patch.txt
+++ /dev/null
@@ -1,126 +0,0 @@
-diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
-index 63ff3b3..b4a90bb 100644
---- a/src/kdc/dispatch.c
-+++ b/src/kdc/dispatch.c
-@@ -115,7 +115,8 @@ dispatch(void *cb, struct sockaddr *local_saddr, const krb5_fulladdr *from,
- kdc_insert_lookaside(pkt, *response);
- #endif
-
-- if (is_tcp == 0 && (*response)->length > max_dgram_reply_size) {
-+ if (is_tcp == 0 && *response != NULL &&
-+ (*response)->length > max_dgram_reply_size) {
- too_big_for_udp:
- krb5_free_data(kdc_context, *response);
- retval = make_too_big_error(response);
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-index d677bb2..a356907 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er
- #define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
-
- #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \
-- do { \
-- st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
-- if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
-- tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
-- if (ldap_server_handle) \
-- ld = ldap_server_handle->ldap_handle; \
-- } \
-- }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
-+ tempst = 0; \
-+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, \
-+ NULL, &timelimit, LDAP_NO_LIMIT, &result); \
-+ if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
-+ tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
-+ if (ldap_server_handle) \
-+ ld = ldap_server_handle->ldap_handle; \
-+ if (tempst == 0) \
-+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, \
-+ NULL, NULL, &timelimit, \
-+ LDAP_NO_LIMIT, &result); \
-+ } \
- \
- if (status_check != IGNORE_STATUS) { \
- if (tempst != 0) { \
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-index 82b0333..84e80ee 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context,
- {
- krb5_ldap_server_handle *handle = *ldap_server_handle;
-
-+ ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
- if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
- || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
- return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-index 86fa4d1..0f49c86 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-@@ -487,12 +487,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context,
- * portion, then the first portion of the principal name SHOULD be
- * "krbtgt". All this check is done in the immediate block.
- */
-- if (searchfor->length == 2)
-- if ((strncasecmp(searchfor->data[0].data, "krbtgt",
-- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
-- (strncasecmp(searchfor->data[1].data, defrealm,
-- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
-+ if (searchfor->length == 2) {
-+ if (data_eq_string(searchfor->data[0], "krbtgt") &&
-+ data_eq_string(searchfor->data[1], defrealm))
- return 0;
-+ }
-
- /* first check the length, if they are not equal, then they are not same */
- if (strlen(defrealm) != searchfor->realm.length)
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-index 140db1a..552e39a 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-@@ -78,10 +78,10 @@ krb5_error_code
- krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
- unsigned int flags, krb5_db_entry **entry_ptr)
- {
-- char *user=NULL, *filter=NULL, **subtree=NULL;
-+ char *user=NULL, *filter=NULL, *filtuser=NULL;
- unsigned int tree=0, ntrees=1, princlen=0;
- krb5_error_code tempst=0, st=0;
-- char **values=NULL, *cname=NULL;
-+ char **values=NULL, **subtree=NULL, *cname=NULL;
- LDAP *ld=NULL;
- LDAPMessage *result=NULL, *ent=NULL;
- krb5_ldap_context *ldap_context=NULL;
-@@ -115,12 +115,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
- if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
- goto cleanup;
-
-- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
-+ filtuser = ldap_filter_correct(user);
-+ if (filtuser == NULL) {
-+ st = ENOMEM;
-+ goto cleanup;
-+ }
-+
-+ princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */
- if ((filter = malloc(princlen)) == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
-- snprintf(filter, princlen, FILTER"%s))", user);
-+ snprintf(filter, princlen, FILTER"%s))", filtuser);
-
- if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
- goto cleanup;
-@@ -207,6 +213,9 @@ cleanup:
- if (user)
- free(user);
-
-+ if (filtuser)
-+ free(filtuser);
-+
- if (cname)
- free(cname);
-
diff --git a/2011-003-patch.txt b/2011-003-patch.txt
deleted file mode 100644
index c977275..0000000
--- a/2011-003-patch.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
-index 46b5fa1..464cb6e 100644
---- a/src/kdc/do_as_req.c
-+++ b/src/kdc/do_as_req.c
-@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
- pad->contents = td[size]->data;
- pad->length = td[size]->length;
- pa[size] = pad;
-+ td[size]->data = NULL;
-+ td[size]->length = 0;
- }
- krb5_free_typed_data(kdc_context, td);
- }
diff --git a/2011-004-patch.txt b/2011-004-patch.txt
deleted file mode 100644
index 6103911..0000000
--- a/2011-004-patch.txt
+++ /dev/null
@@ -1,39 +0,0 @@
-diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
-index 1124445..0056885 100644
---- a/src/kadmin/server/schpw.c
-+++ b/src/kadmin/server/schpw.c
-@@ -52,6 +52,7 @@ process_chpw_request(context, server_handle, realm, keytab,
-
- ret = 0;
- rep->length = 0;
-+ rep->data = NULL;
-
- auth_context = NULL;
- changepw = NULL;
-@@ -76,8 +77,13 @@ process_chpw_request(context, server_handle, realm, keytab,
- plen = (*ptr++ & 0xff);
- plen = (plen<<8) | (*ptr++ & 0xff);
-
-- if (plen != req->length)
-- return(KRB5KRB_AP_ERR_MODIFIED);
-+ if (plen != req->length) {
-+ ret = KRB5KRB_AP_ERR_MODIFIED;
-+ numresult = KRB5_KPASSWD_MALFORMED;
-+ strlcpy(strresult, "Request length was inconsistent",
-+ sizeof(strresult));
-+ goto chpwfail;
-+ }
-
- /* verify version number */
-
-@@ -531,6 +537,10 @@ cleanup:
- if (local_kaddrs != NULL)
- krb5_free_addresses(server_handle->context, local_kaddrs);
-
-+ if ((*response)->data == NULL) {
-+ free(*response);
-+ *response = NULL;
-+ }
- krb5_kt_close(server_handle->context, kt);
-
- return ret;
diff --git a/krb5.spec b/krb5.spec
index 477d9fd..5856dba 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -5,8 +5,8 @@ Summary: The Kerberos network authentication system
 Name: krb5
-Version: 1.9
-Release: 9%{?dist}
+Version: 1.9.1
+Release: 1%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -49,13 +49,9 @@ Patch63: krb5-1.9-selinux-label.patch
 Patch70: krb5-trunk-kpasswd_tcp2.patch
 Patch71: krb5-1.9-dirsrv-accountlock.patch
 Patch72: krb5-pkinit-cms2.patch
-Patch73: http://web.mit.edu/kerberos/advisories/2011-001-patch.txt
-Patch74: http://web.mit.edu/kerberos/advisories/2011-002-patch.txt
 Patch75: krb5-pkinit-debug.patch
-Patch76: http://web.mit.edu/kerberos/advisories/2011-003-patch.txt
 Patch77: krb5-1.9-paren.patch
 Patch78: krb5-trunk-chpw-err.patch
-Patch79: http://web.mit.edu/kerberos/advisories/2011-004-patch.txt
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -196,13 +192,9 @@ ln -s NOTICE LICENSE
 #%patch70 -p0 -b .kpasswd_tcp2
 %patch71 -p1 -b .dirsrv-accountlock
 %patch72 -p1 -b .pkinit_cms2
-%patch73 -p1 -b .2011-001
-%patch74 -p1 -b .2011-002
 #%patch75 -p1 -b .pkinit-debug
-%patch76 -p1 -b .2011-003
 %patch77 -p1 -b .paren
 %patch78 -p0 -b .chpw-err
-%patch79 -p1 -b .2011-004
 gzip doc/*.ps
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -661,6 +653,11 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
+* Thu May 5 2011 Nalin Dahyabhai 1.9.1-1
+- update to 1.9.1:
+ - drop no-longer-needed patches for CVE-2010-4022, CVE-2011-0281,
+ CVE-2011-0282, CVE-2011-0283, CVE-2011-0284, CVE-2011-0285
+
 * Wed Apr 13 2011 Nalin Dahyabhai 1.9-9
 - kadmind: add upstream patch to fix free() on an invalid pointer (#696343, MITKRB5-SA-2011-004, CVE-2011-0285)
@@ -681,7 +678,7 @@ exit 0
 - turn off NSS as the backend for libk5crypto for now to work around its DES string2key not working (#679012)
 - add revised upstream patch to fix double-free in KDC while returning
- typed-data with errors (CVE-2011-0284, #674325)
+ typed-data with errors (MITKRB5-SA-2011-003, CVE-2011-0284, #674325)
 * Thu Feb 17 2011 Nalin Dahyabhai
 - throw in a not-applied-by-default patch to try to make pkinit debugging
diff --git a/sources b/sources
index fda71f5..fc79d5d 100644
--- a/sources
+++ b/sources
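Review bot: Patch78 (`krb5-trunk-chpw-err.patch`, still applied by `%patch78 -p0 -b .chpw-err` in the second hunk) needs re-checking against 1.9.1 now that the 2011-004 backport is dropped: that deleted patch edited process_chpw_request() in src/kadmin/server/schpw.c, and a trunk backport whose name says it touches chpw error handling plausibly overlaps the same function, so it may now fail to apply or apply with fuzz over code 1.9.1 already carries. That overlap is inferred from the patch name only; a `%prep` run with the `.chpw-err` backup files diffed against pristine 1.9.1 sources would settle it. Separately, the removed Patch73/74/76/79 URLs were the last reference in the spec to the MIT advisories these fixes came from, and the new changelog entry lists only CVE IDs; since the older entries already use the MITKRB5-SA-2011-00N form, the new bullet could read `  - drop no-longer-needed patches (MITKRB5-SA-2011-001 through -004) for CVE-2010-4022, CVE-2011-0281,` so the advisory-to-CVE mapping survives the removal.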
@@ -1,3 +1,6 @@
 f8870f28cdae2e00d2ea0874024bc059 krb5-1.9.tar.gz
 998f37422c6739d872e9588e40756312 krb5-1.9.tar.gz.asc
 08820591bd2b0067d4b1b9cbf3fefcbd krb5-1.9-pdf.tar.bz2
+88d7bbb869849cd0cce1af3165ac0cc6 krb5-1.9.1.tar.gz
+a0bd0c8ff1a2d7e41be77b80e713c319 krb5-1.9.1.tar.gz.asc
+9d214707c921ba0887f92fb5408d0370 krb5-1.9.1-pdf.tar.bz2