Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 180392 Details for
Bug 257075
sys-auth/pam_krb5 <3.12 Local privilege escalation {CVE-2009-0360,CVE-2009-0361}
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
pam_krb5-3.9-bug257075.patch
pam_krb5-3.9-bug257075.patch (text/plain), 4.13 KB, created by
Robert Buchholz (RETIRED)
on 2009-01-31 10:46:56 UTC
(
hide
)
Description:
pam_krb5-3.9-bug257075.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2009-01-31 10:46:56 UTC
Size:
4.13 KB
patch
obsolete
>diff --git a/api-auth.c b/api-auth.c >index 4a8a75a..c0f1b3d 100644 >--- a/api-auth.c >+++ b/api-auth.c >@@ -542,6 +542,37 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) > if (reinit) { > const char *name, *k5name; > >+ /* >+ * Solaris su calls pam_setcred as root with PAM_REINITIALIZE_CREDS, >+ * preserving the user-supplied environment. An xlock program may >+ * also do this if it's setuid root and doesn't drop credentials >+ * before calling pam_setcred. >+ * >+ * There isn't any safe way of reinitializing the exiting ticket cache >+ * for the user if we're setuid without calling setreuid(). Calling >+ * setreuid() is possible, but if the calling application is threaded, >+ * it will change credentials for the whole application, with possibly >+ * bizarre and unintended (and insecure) results. Trying to verify >+ * ownership of the existing ticket cache before using it fails under >+ * various race conditions (for example, having one of the elements of >+ * the path be a symlink and changing the target of that symlink >+ * between our check and the call to krb5_cc_resolve. Without calling >+ * setreuid(), we run the risk of replacing a file owned by another >+ * user with a credential cache. >+ * >+ * We could fail with an error in the setuid case, which would be >+ * maximally safe, but it would prevent use of the module for >+ * authentication with programs such as Solaris su. Failure to >+ * reinitialize the cache is normally not a serious problem, just a >+ * missing feature. We therefore log an error and exit with >+ * PAM_SUCCESS for the setuid case. >+ */ >+ if (getuid() != geteuid() || getgid() != getegid()) { >+ pamk5_error(args, "credential reinitialization in a setuid" >+ " context ignored"); >+ pamret = PAM_SUCCESS; >+ goto done; >+ } > name = get_krb5ccname(args, "KRB5CCNAME"); > if (name == NULL) > name = krb5_cc_default_name(ctx->context); >diff --git a/context.c b/context.c >index d4a6ed3..59fe29a 100644 >--- a/context.c >+++ b/context.c >@@ -22,6 +22,7 @@ > #endif > #include <stdlib.h> > #include <string.h> >+#include <unistd.h> > > #include "internal.h" > >@@ -31,6 +32,11 @@ > # define PAM_INCOMPLETE PAM_SERVICE_ERR > #endif > >+/* Heimdal doesn't need krb5_init_secure_context. */ >+#if HAVE_KRB5_HEIMDAL >+# define krb5_init_secure_context(c) krb5_init_context(c) >+#endif >+ > /* > * Create a new context and populate it with the user from PAM and a new > * Kerberos context. Set the default realm if one was configured. >@@ -63,7 +69,10 @@ pamk5_context_new(struct pam_args *args) > goto done; > } > ctx->name = strdup(name); >- retval = krb5_init_context(&ctx->context); >+ if (getuid() != geteuid() || getgid() != getegid()) >+ retval = krb5_init_secure_context(&ctx->context); >+ else >+ retval = krb5_init_context(&ctx->context); > if (retval != 0) { > pamk5_error_krb5(args, "krb5_init_context", retval); > retval = PAM_SERVICE_ERR; >diff --git a/options.c b/options.c >index 7ecbf0f..5ed3add 100644 >--- a/options.c >+++ b/options.c >@@ -16,9 +16,15 @@ > #include <krb5.h> > #include <stdlib.h> > #include <string.h> >+#include <unistd.h> > > #include "internal.h" > >+/* Heimdal doesn't need krb5_init_secure_context. */ >+#if HAVE_KRB5_HEIMDAL >+# define krb5_init_secure_context(c) krb5_init_context(c) >+#endif >+ > /* > * Not all platforms have this, so just implement it ourselves. Copy a > * certain number of characters of a string into a newly allocated >@@ -275,7 +281,10 @@ pamk5_args_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) > * proceed; we'll die soon enough later and this way we'll die after we > * know whether to debug things. > */ >- retval = krb5_init_context(&c); >+ if (getuid() != geteuid() || getgid() != getegid()) >+ retval = krb5_init_secure_context(&c); >+ else >+ retval = krb5_init_context(&c); > if (retval != 0) > c = NULL; > if (c != NULL) {
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 257075
:
180390
| 180392 |
180571
|
180573