AUX mit-krb5-2015-001-patch-r113.patch 12569 SHA256 c41cb0dd88abb53543697a6e91832d6e0639a99a811c3092904eff03fa4b5ec6 SHA512 9c3d1f75ba6814dc8864a6b6c5a5e53d729ec2f8fe468036bea5cb540ac4a58b4748c5af920c61347fe71af8d900501b68b5d3f538bc89791d7bfde70e1ebb69 WHIRLPOOL 771fa37b8496a77e9913c4882ea7ab8e03cc9dd32b00c024549f54c15d0dba1bbcf3e224abb567dc1acfc13d6e33ffa2b9973c777d4f730c3c5b95b1196e90aa

AUX mit-krb5-CVE-2014-5353.patch 2688 SHA256 fcdfd81dc63abbdeaca4eb5bbcd3c3088c44e3a96aa7fe191f82c341d38f360c SHA512 736753afb36bc494bc42f3cd33fc013ad49625e8d90672b85784f9f4fe96ff8d3f8c014aa1678d8892cb4204243369ee583232047fa9178fcdff03ab4087b171 WHIRLPOOL 710ee1431dce9046a21cbb8c2445fedcfb678553797b5d6ec21c060a8f20aea1cdaa99429f7a92dc5da710b5e26247b4c9bf747756eb4181e523f12a7e142ef0

AUX mit-krb5-CVE-2014-5354.patch 4906 SHA256 616362df107bb63fd060ed3084e98d3523bbea245ff1cef6bd2074a27838ae61 SHA512 e795258f958cd5ce86ff9930bdb7b119253d694bff32c0e4a9a414f184678d52f556a1f24af8032e447a2ecb24de24a50e8590d33019be2028ce452c8915daa9 WHIRLPOOL 2cab97507af57f27bc550ed3ef47617898169b6ecdc5c24c5a953498c9cae18c9b922e7d2e05a2aec7d97a10e148bdeb2ed20a46093a93b428c7dab1cbd47f4f

EBUILD mit-krb5-1.13-r1.ebuild 4002 SHA256 94038732561ff8f9b1f3fda54a7fd1f6ba471da4bcafada60a4a32a08d7368e6 SHA512 f6119ecf686c8b7edfc8631e0c7c7ecc03f23c80a9b496687ed8f9295ce191c7d5b4f50055198379312f3508d9974fc0fcd6936e6fd81aab7a7c5fb6a4c02ee6 WHIRLPOOL b4345ec97b2a610666dfb0442efc47a45439f8283ab787134c50d9238f82334380da68968053112bc719003be598c2e8c15cf3393501a1837d82e0452bdeddb9

diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c

index 3837931..f4d2a7c 100644

--- a/src/kadmin/server/kadm_rpc_svc.c

+++ b/src/kadmin/server/kadm_rpc_svc.c

@@ -4,7 +4,7 @@

  *

  */

-#include <k5-platform.h>

+#include <k5-int.h>

 #include <gssrpc/rpc.h>

 #include <gssapi/gssapi_krb5.h> /* for gss_nt_krb5_name */

 #include <syslog.h>

@@ -296,14 +296,8 @@ check_rpcsec_auth(struct svc_req *rqstp)

      c1 = krb5_princ_component(kctx, princ, 0);

      c2 = krb5_princ_component(kctx, princ, 1);

      realm = krb5_princ_realm(kctx, princ);

-     if (strncmp(handle->params.realm, realm->data, realm->length) == 0

-	 && strncmp("kadmin", c1->data, c1->length) == 0) {

-

-	  if (strncmp("history", c2->data, c2->length) == 0)

-	       goto fail_princ;

-	  else

-	       success = 1;

-     }

+     success = data_eq_string(*realm, handle->params.realm) &&

+	     data_eq_string(*c1, "kadmin") && !data_eq_string(*c2, "history");

 fail_princ:

      if (!success) {

diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c

index b3d1db0..a18cfb0 100644

--- a/src/lib/gssapi/krb5/context_time.c

+++ b/src/lib/gssapi/krb5/context_time.c

@@ -40,7 +40,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec)

     ctx = (krb5_gss_ctx_id_rec *) context_handle;

-    if (! ctx->established) {

+    if (ctx->terminated || !ctx->established) {

         *minor_status = KG_CTX_INCOMPLETE;

         return(GSS_S_NO_CONTEXT);

     }

diff --git a/src/lib/gssapi/krb5/export_sec_context.c b/src/lib/gssapi/krb5/export_sec_context.c

index 18a3a34..1b3de68 100644

--- a/src/lib/gssapi/krb5/export_sec_context.c

+++ b/src/lib/gssapi/krb5/export_sec_context.c

@@ -45,6 +45,11 @@ krb5_gss_export_sec_context(minor_status, context_handle, interprocess_token)

     *minor_status = 0;

     ctx = (krb5_gss_ctx_id_t) *context_handle;

+    if (ctx->terminated) {

+        *minor_status = KG_CTX_INCOMPLETE;

+        return (GSS_S_NO_CONTEXT);

+    }

+

     context = ctx->k5_context;

     kret = krb5_gss_ser_init(context);

     if (kret)

diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h

index 7e807cc..a0e8625 100644

--- a/src/lib/gssapi/krb5/gssapiP_krb5.h

+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h

@@ -206,6 +206,7 @@ typedef struct _krb5_gss_ctx_id_rec {

     unsigned int established : 1;

     unsigned int have_acceptor_subkey : 1;

     unsigned int seed_init : 1;  /* XXX tested but never actually set */

+    unsigned int terminated : 1;

     OM_uint32 gss_flags;

     unsigned char seed[16];

     krb5_gss_name_t here;

diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c

index 6456b23..77b7fff 100644

--- a/src/lib/gssapi/krb5/gssapi_krb5.c

+++ b/src/lib/gssapi/krb5/gssapi_krb5.c

@@ -369,7 +369,7 @@ krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,

     ctx = (krb5_gss_ctx_id_rec *) context_handle;

-    if (!ctx->established)

+    if (ctx->terminated || !ctx->established)

         return GSS_S_NO_CONTEXT;

     for (i = 0; i < sizeof(krb5_gss_inquire_sec_context_by_oid_ops)/

diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c

index eacb0fd..096df2a 100644

--- a/src/lib/gssapi/krb5/inq_context.c

+++ b/src/lib/gssapi/krb5/inq_context.c

@@ -105,7 +105,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name,

     ctx = (krb5_gss_ctx_id_rec *) context_handle;

-    if (! ctx->established) {

+    if (ctx->terminated || !ctx->established) {

         *minor_status = KG_CTX_INCOMPLETE;

         return(GSS_S_NO_CONTEXT);

     }

diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c

index 7665cba..f1c74dd 100644

--- a/src/lib/gssapi/krb5/k5seal.c

+++ b/src/lib/gssapi/krb5/k5seal.c

@@ -342,7 +342,7 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req,

     ctx = (krb5_gss_ctx_id_rec *) context_handle;

-    if (! ctx->established) {

+    if (ctx->terminated || !ctx->established) {

         *minor_status = KG_CTX_INCOMPLETE;

         return(GSS_S_NO_CONTEXT);

     }

diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c

index a129670..b53e348 100644

--- a/src/lib/gssapi/krb5/k5sealiov.c

+++ b/src/lib/gssapi/krb5/k5sealiov.c

@@ -281,7 +281,7 @@ kg_seal_iov(OM_uint32 *minor_status,

     }

     ctx = (krb5_gss_ctx_id_rec *)context_handle;

-    if (!ctx->established) {

+    if (ctx->terminated || !ctx->established) {

         *minor_status = KG_CTX_INCOMPLETE;

         return GSS_S_NO_CONTEXT;

     }

diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c

index 0573958..673c883 100644

--- a/src/lib/gssapi/krb5/k5unseal.c

+++ b/src/lib/gssapi/krb5/k5unseal.c

@@ -492,7 +492,7 @@ kg_unseal(minor_status, context_handle, input_token_buffer,

     ctx = (krb5_gss_ctx_id_rec *) context_handle;

-    if (! ctx->established) {

+    if (ctx->terminated || !ctx->established) {

         *minor_status = KG_CTX_INCOMPLETE;

         return(GSS_S_NO_CONTEXT);

     }

diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c

index f34d802..8b67042 100644

--- a/src/lib/gssapi/krb5/k5unsealiov.c

+++ b/src/lib/gssapi/krb5/k5unsealiov.c

@@ -625,7 +625,7 @@ kg_unseal_iov(OM_uint32 *minor_status,

     OM_uint32 code;

     ctx = (krb5_gss_ctx_id_rec *)context_handle;

-    if (!ctx->established) {

+    if (ctx->terminated || !ctx->established) {

         *minor_status = KG_CTX_INCOMPLETE;

         return GSS_S_NO_CONTEXT;

     }

diff --git a/src/lib/gssapi/krb5/lucid_context.c b/src/lib/gssapi/krb5/lucid_context.c

index 85df7fd..449e71f 100644

--- a/src/lib/gssapi/krb5/lucid_context.c

+++ b/src/lib/gssapi/krb5/lucid_context.c

@@ -75,6 +75,11 @@ gss_krb5int_export_lucid_sec_context(

     *minor_status = 0;

     *data_set = GSS_C_NO_BUFFER_SET;

+    if (ctx->terminated || !ctx->established) {

+        *minor_status = KG_CTX_INCOMPLETE;

+        return GSS_S_NO_CONTEXT;

+    }

+

     retval = generic_gss_oid_decompose(minor_status,

                                        GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID,

                                        GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH,

diff --git a/src/lib/gssapi/krb5/prf.c b/src/lib/gssapi/krb5/prf.c

index e19291f..e897074 100644

--- a/src/lib/gssapi/krb5/prf.c

+++ b/src/lib/gssapi/krb5/prf.c

@@ -58,6 +58,10 @@ krb5_gss_pseudo_random(OM_uint32 *minor_status,

     ns.data = NULL;

     ctx = (krb5_gss_ctx_id_t)context;

+    if (ctx->terminated || !ctx->established) {

+        *minor_status = KG_CTX_INCOMPLETE;

+        return GSS_S_NO_CONTEXT;

+    }

     switch (prf_key) {

     case GSS_C_PRF_KEY_FULL:

diff --git a/src/lib/gssapi/krb5/process_context_token.c b/src/lib/gssapi/krb5/process_context_token.c

index ae33180..a672f48 100644

--- a/src/lib/gssapi/krb5/process_context_token.c

+++ b/src/lib/gssapi/krb5/process_context_token.c

@@ -39,11 +39,18 @@ krb5_gss_process_context_token(minor_status, context_handle,

     ctx = (krb5_gss_ctx_id_t) context_handle;

-    if (! ctx->established) {

+    if (ctx->terminated || !ctx->established) {

         *minor_status = KG_CTX_INCOMPLETE;

         return(GSS_S_NO_CONTEXT);

     }

+    /* We only support context deletion tokens for now, and RFC 4121 does not

+     * define a context deletion token. */

+    if (ctx->proto) {

+        *minor_status = 0;

+        return(GSS_S_DEFECTIVE_TOKEN);

+    }

+

     /* "unseal" the token */

     if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle,

@@ -52,8 +59,8 @@ krb5_gss_process_context_token(minor_status, context_handle,

                                      KG_TOK_DEL_CTX)))

         return(majerr);

-    /* that's it.  delete the context */

-

-    return(krb5_gss_delete_sec_context(minor_status, &context_handle,

-                                       GSS_C_NO_BUFFER));

+    /* Mark the context as terminated, but do not delete it (as that would

+     * leave the caller with a dangling context handle). */

+    ctx->terminated = 1;

+    return(GSS_S_COMPLETE);

 }

diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c

index 7bc4221..ed5c599 100644

--- a/src/lib/gssapi/krb5/wrap_size_limit.c

+++ b/src/lib/gssapi/krb5/wrap_size_limit.c

@@ -95,7 +95,7 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag,

     }

     ctx = (krb5_gss_ctx_id_rec *) context_handle;

-    if (! ctx->established) {

+    if (ctx->terminated || !ctx->established) {

         *minor_status = KG_CTX_INCOMPLETE;

         return(GSS_S_NO_CONTEXT);

     }

diff --git a/src/lib/gssapi/mechglue/mglueP.h b/src/lib/gssapi/mechglue/mglueP.h

index e56b9c1..2b5145e 100644

--- a/src/lib/gssapi/mechglue/mglueP.h

+++ b/src/lib/gssapi/mechglue/mglueP.h

@@ -25,7 +25,6 @@ do {								\

  */

 typedef struct gss_union_ctx_id_struct {

 	struct gss_union_ctx_id_struct *loopback;

-	struct gss_union_ctx_id_struct *interposer;

 	gss_OID			mech_type;

 	gss_ctx_id_t		internal_ctx_id;

 } gss_union_ctx_id_desc, *gss_union_ctx_id_t;

diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c

index 42ac783..975f94c 100644

--- a/src/lib/kadm5/kadm_rpc_xdr.c

+++ b/src/lib/kadm5/kadm_rpc_xdr.c

@@ -320,6 +320,7 @@ bool_t xdr_krb5_tl_data(XDR *xdrs, krb5_tl_data **tl_data_head)

 	       free(tl);

 	       tl = tl2;

 	  }

+	  *tl_data_head = NULL;

 	  break;

      case XDR_ENCODE:

@@ -1096,6 +1097,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_principal *objp)

     case XDR_FREE:

 	if(*objp != NULL)

 	    krb5_free_principal(context, *objp);

+	*objp = NULL;

 	break;

     }

     return TRUE;

diff --git a/src/lib/rpc/auth_gssapi_misc.c b/src/lib/rpc/auth_gssapi_misc.c

index 53bdb98..a05ea19 100644

--- a/src/lib/rpc/auth_gssapi_misc.c

+++ b/src/lib/rpc/auth_gssapi_misc.c

@@ -322,7 +322,6 @@ bool_t auth_gssapi_unwrap_data(

      if (! (*xdr_func)(&temp_xdrs, xdr_ptr)) {

 	  PRINTF(("gssapi_unwrap_data: deserializing arguments failed\n"));

 	  gss_release_buffer(minor, &out_buf);

-	  xdr_free(xdr_func, xdr_ptr);

 	  XDR_DESTROY(&temp_xdrs);

 	  return FALSE;

      }

diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c

index 09a3534..b81c4a3 100644

--- a/src/lib/rpc/svc_auth_gss.c

+++ b/src/lib/rpc/svc_auth_gss.c

@@ -65,16 +65,6 @@ extern const gss_OID_desc * const gss_mech_spkm3;

 extern SVCAUTH svc_auth_none;

-/*

- * from mit-krb5-1.2.1 mechglue/mglueP.h:

- * Array of context IDs typed by mechanism OID

- */

-typedef struct gss_union_ctx_id_t {

-  gss_OID     mech_type;

-  gss_ctx_id_t    internal_ctx_id;

-} gss_union_ctx_id_desc, *gss_union_ctx_id_t;

-

-

 static auth_gssapi_log_badauth_func log_badauth = NULL;

 static caddr_t log_badauth_data = NULL;

 static auth_gssapi_log_badauth2_func log_badauth2 = NULL;

@@ -239,16 +229,8 @@ svcauth_gss_accept_sec_context(struct svc_req *rqst,

 		gd->ctx = GSS_C_NO_CONTEXT;

 		goto errout;

 	}

-	/*

-	 * ANDROS: krb5 mechglue returns ctx of size 8 - two pointers,

-	 * one to the mechanism oid, one to the internal_ctx_id

-	 */

-	if ((gr->gr_ctx.value = mem_alloc(sizeof(gss_union_ctx_id_desc))) == NULL) {

-		fprintf(stderr, "svcauth_gss_accept_context: out of memory\n");

-		goto errout;

-	}

-	memcpy(gr->gr_ctx.value, gd->ctx, sizeof(gss_union_ctx_id_desc));

-	gr->gr_ctx.length = sizeof(gss_union_ctx_id_desc);

+	gr->gr_ctx.value = "xxxx";

+	gr->gr_ctx.length = 4;

 	/* gr->gr_win = 0x00000005; ANDROS: for debugging linux kernel version...  */

 	gr->gr_win = sizeof(gd->seqmask) * 8;

@@ -520,8 +502,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg,

 		if (!svcauth_gss_nextverf(rqst, htonl(gr.gr_win))) {

 			gss_release_buffer(&min_stat, &gr.gr_token);

-			mem_free(gr.gr_ctx.value,

-				 sizeof(gss_union_ctx_id_desc));

 			ret_freegc (AUTH_FAILED);

 		}

 		*no_dispatch = TRUE;

@@ -531,7 +511,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg,

 		gss_release_buffer(&min_stat, &gr.gr_token);

 		gss_release_buffer(&min_stat, &gd->checksum);

-		mem_free(gr.gr_ctx.value, sizeof(gss_union_ctx_id_desc));

 		if (!call_stat)

 			ret_freegc (AUTH_FAILED);

diff --git a/src/tests/gssapi/t_prf.c b/src/tests/gssapi/t_prf.c

index 254f8fb..7f04899 100644

--- a/src/tests/gssapi/t_prf.c

+++ b/src/tests/gssapi/t_prf.c

@@ -127,6 +127,7 @@ main(int argc, char *argv[])

     uctx.mech_type = &mech_krb5;

     uctx.internal_ctx_id = (gss_ctx_id_t)&kgctx;

     kgctx.k5_context = NULL;

+    kgctx.established = 1;

     kgctx.have_acceptor_subkey = 1;

     kb1.contents = k1buf;

     kb2.contents = k2buf;

From d1f707024f1d0af6e54a18885322d70fa15ec4d3 Mon Sep 17 00:00:00 2001

From: Greg Hudson <ghudson@mit.edu>

Date: Fri, 5 Dec 2014 14:01:39 -0500

Subject: [PATCH] Fix LDAP misused policy name crash [CVE-2014-5353]

In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns

successfully with no results, return KRB5_KDB_NOENTRY instead of

returning success with a zeroed-out policy object.  This fixes a null

dereference when an admin attempts to use an LDAP ticket policy name

as a password policy name.

CVE-2014-5353:

In MIT krb5, when kadmind is configured to use LDAP for the KDC

database, an authenticated remote attacker can cause a NULL dereference

by attempting to use a named ticket policy object as a password policy

for a principal.  The attacker needs to be authenticated as a user who

has the elevated privilege for setting password policy by adding or

modifying principals.

Queries to LDAP scoped to the krbPwdPolicy object class will correctly

not return entries of other classes, such as ticket policy objects, but

may return success with no returned elements if an object with the

requested DN exists in a different object class.  In this case, the

routine to retrieve a password policy returned success with a password

policy object that consisted entirely of zeroed memory.  In particular,

accesses to the policy name will dereference a NULL pointer.  KDC

operation does not access the policy name field, but most kadmin

operations involving the principal with incorrect password policy

will trigger the crash.

Thanks to Patrik Kis for reporting this problem.

CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C

[kaduk@mit.edu: CVE description and CVSS score]

ticket: 8051 (new)

target_version: 1.13.1

tags: pullup

---

 src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 ++++---

 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c

index 522773e..6779f51 100644

--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c

+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c

@@ -314,10 +314,11 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,

     LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes);

     ent=ldap_first_entry(ld, result);

-    if (ent != NULL) {

-        if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0)

-            goto cleanup;

+    if (ent == NULL) {

+        st = KRB5_KDB_NOENTRY;

+        goto cleanup;

     }

+    st = populate_policy(context, ld, ent, pol_name, *policy);

 cleanup:

     ldap_msgfree(result);

From 04038bf3633c4b909b5ded3072dc88c8c419bf16 Mon Sep 17 00:00:00 2001

From: Ben Kaduk <kaduk@mit.edu>

Date: Wed, 19 Nov 2014 12:04:46 -0500

Subject: [PATCH] Support keyless principals in LDAP [CVE-2014-5354]

Operations like "kadmin -q 'addprinc -nokey foo'" or

"kadmin -q 'purgekeys -all foo'" result in principal entries with

no keys present, so krb5_encode_krbsecretkey() would just return

NULL, which then got unconditionally dereferenced in

krb5_add_ber_mem_ldap_mod().

Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key

principals better, correct the test for an allocation failure, and

slightly restructure the cleanup handler to be shorter and more

appropriate for the usage.  Once it no longer short-circuits when

n_key_data is zero, it will produce an array of length two with both

entries NULL, which is treated as an empty list by the LDAP library,

the correct behavior for a keyless principal.

However, attributes with empty values are only handled by the LDAP

library for Modify operations, not Add operations (which only get

a sequence of Attribute, with no operation field).  Therefore, only

add an empty krbprincipalkey to the modlist when we will be performing a

Modify, and not when we will be performing an Add, which is conditional

on the (misspelled) create_standalone_prinicipal boolean.

CVE-2014-5354:

In MIT krb5, when kadmind is configured to use LDAP for the KDC

database, an authenticated remote attacker can cause a NULL

dereference by inserting into the database a principal entry which

contains no long-term keys.

In order for the LDAP KDC backend to translate a principal entry

from the database abstraction layer into the form expected by the

LDAP schema, the principal's keys are encoded into a

NULL-terminated array of length-value entries to be stored in the

LDAP database.  However, the subroutine which produced this array

did not correctly handle the case where no keys were present,

returning NULL instead of an empty array, and the array was

unconditionally dereferenced while adding to the list of LDAP

operations to perform.

Versions of MIT krb5 prior to 1.12 did not expose a way for

principal entries to have no long-term key material, and

therefore are not vulnerable.

    CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C

ticket: 8041 (new)

tags: pullup

target_version: 1.13.1

subject: kadmind with ldap backend crashes when putting keyless entries

---

 src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 25 +++++++++++++++-------

 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c

index 3e560d9..10b5982 100644

--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c

+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c

@@ -406,14 +406,14 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,

     int num_versions = 1;

     int i, j, last;

     krb5_error_code err = 0;

-    krb5_key_data *key_data;

+    krb5_key_data *key_data = NULL;

-    if (n_key_data <= 0)

+    if (n_key_data < 0)

         return NULL;

     /* Make a shallow copy of the key data so we can alter it. */

     key_data = k5calloc(n_key_data, sizeof(*key_data), &err);

-    if (key_data_in == NULL)

+    if (key_data == NULL)

         goto cleanup;

     memcpy(key_data, key_data_in, n_key_data * sizeof(*key_data));

@@ -467,9 +467,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,

     free(key_data);

     if (err != 0) {

         if (ret != NULL) {

-            for (i = 0; i <= num_versions; i++)

-                if (ret[i] != NULL)

-                    free (ret[i]);

+            for (i = 0; ret[i] != NULL; i++)

+                free (ret[i]);

             free (ret);

             ret = NULL;

         }

@@ -1036,9 +1035,19 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,

         bersecretkey = krb5_encode_krbsecretkey (entry->key_data,

                                                  entry->n_key_data, mkvno);

-        if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",

-                                          LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)

+        if (bersecretkey == NULL) {

+            st = ENOMEM;

             goto cleanup;

+        }

+        /* An empty list of bervals is only accepted for modify operations,

+         * not add operations. */

+        if (bersecretkey[0] != NULL || !create_standalone_prinicipal) {

+            st = krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",

+                                           LDAP_MOD_REPLACE | LDAP_MOD_BVALUES,

+                                           bersecretkey);

+            if (st != 0)

+                goto cleanup;

+        }

         if (!(entry->mask & KADM5_PRINCIPAL)) {

             memset(strval, 0, sizeof(strval));

# Copyright 1999-2014 Gentoo Foundation

# Distributed under the terms of the GNU General Public License v2

# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.13.ebuild,v 1.11 2014/11/23 19:04:22 zlogene Exp $

EAPI=5

PYTHON_COMPAT=( python{2_6,2_7} )

inherit autotools eutils flag-o-matic multilib-minimal python-any-r1 versionator

MY_P="${P/mit-}"

P_DIR=$(get_version_component_range 1-2)

DESCRIPTION="MIT Kerberos V"

HOMEPAGE="http://web.mit.edu/kerberos/www/"

SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"

LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"

SLOT="0"

KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86"

IUSE="doc +keyutils openldap +pkinit selinux +threads test xinetd"

CDEPEND="!!app-crypt/heimdal

	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]

	|| ( >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]

		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]

		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}] )

	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )

	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )

	pkinit? ( >=dev-libs/openssl-1.0.1h-r2[${MULTILIB_USEDEP}] )

	xinetd? ( sys-apps/xinetd )

	abi_x86_32? (

		!<=app-emulation/emul-linux-x86-baselibs-20140508-r1

		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]

	)"

DEPEND="${CDEPEND}

	${PYTHON_DEPS}

	virtual/yacc

	doc? ( virtual/latex-base )

	test? ( ${PYTHON_DEPS}

			dev-lang/tcl

			dev-util/dejagnu )"

RDEPEND="${CDEPEND}

	selinux? ( sec-policy/selinux-kerberos )"

S=${WORKDIR}/${MY_P}/src

MULTILIB_CHOST_TOOLS=(

	/usr/bin/krb5-config

)

src_unpack() {

	unpack ${A}

	unpack ./"${MY_P}".tar.gz

}

src_prepare() {

	epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"

	epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"

	epatch "${FILESDIR}/${PN}-CVE-2014-5354.patch"

	epatch "${FILESDIR}/${PN}-CVE-2014-5353.patch"

	epatch "${FILESDIR}/${PN}-2015-001-patch-r113.patch"

	eautoreconf

}

src_configure() {

	append-cppflags "-I${EPREFIX}/usr/include/et"

	# QA

	append-flags -fno-strict-aliasing

	append-flags -fno-strict-overflow

	multilib-minimal_src_configure

}

multilib_src_configure() {

	use keyutils || export ac_cv_header_keyutils_h=no

	ECONF_SOURCE=${S} \

	WARN_CFLAGS="set" \

	econf \

		$(use_with openldap ldap) \

		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \

		$(use_enable pkinit) \

		$(use_enable threads thread-support) \

		--without-hesiod \

		--enable-shared \

		--with-system-et \

		--with-system-ss \

		--enable-dns-for-realm \

		--enable-kdc-lookaside-cache \

		--with-system-verto \

		--disable-rpath

}

multilib_src_compile() {

	emake -j1

}

multilib_src_test() {

	multilib_is_native_abi && emake -j1 check

}

multilib_src_install() {

	emake \

		DESTDIR="${D}" \

		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \

		install

}

multilib_src_install_all() {

	# default database dir

	keepdir /var/lib/krb5kdc

	cd ..

	dodoc README

	if use doc; then

		dohtml -r doc/html/*

		docinto pdf

		dodoc doc/pdf/*.pdf

	fi

	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r1 mit-krb5kadmind

	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r1 mit-krb5kdc

	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r1 mit-krb5kpropd

	insinto /etc

	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example

	insinto /var/lib/krb5kdc

	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example

	if use openldap ; then

		insinto /etc/openldap/schema

		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"

	fi

	if use xinetd ; then

		insinto /etc/xinetd.d

		newins "${FILESDIR}/kpropd.xinetd" kpropd

	fi

}

pkg_preinst() {

	if has_version "<${CATEGORY}/${PN}-1.8.0" ; then

		elog "MIT split the Kerberos applications from the base Kerberos"

		elog "distribution.  Kerberized versions of telnet, rlogin, rsh, rcp,"

		elog "ftp clients and telnet, ftp deamons now live in"

		elog "\"app-crypt/mit-krb5-appl\" package."

	fi

}