Gentoo's Bugzilla – Attachment 395552 Details for
Bug 538842
<app-crypt/mit-krb5-1.13-r1: MITKRB5-SA-2015-001 Vulnerabilities in kadmind, libgssrpc, gss_process_context_token (CVE-2014-{5352,9421,9422,9423})
[patch]
updated ebuild
mit-krb5-1.13-r1.patch (text/plain), 31.64 KB, created by
Paul B. Henson
on 2015-02-04 20:44:22 UTC
Description:
updated ebuild
Filename:
MIME Type:
Creator:
Paul B. Henson
Created:
2015-02-04 20:44:22 UTC
Size:
31.64 KB
patch
obsolete
>diff -Nur mit-krb5-orig/Manifest mit-krb5/Manifest >--- mit-krb5-orig/Manifest 2015-02-04 12:34:37.503633017 -0800 >+++ mit-krb5/Manifest 2015-02-04 12:37:35.798899145 -0800 
>@@ -1,30 +1,14 @@ >------BEGIN PGP SIGNED MESSAGE----- >-Hash: SHA256 >- > AUX kpropd.xinetd 194 SHA256 eaa3838a6ca8db901db359cac3435d4f703a9a10534f02eeb37f494dd21a1736 SHA512 c9bbd13f2fadfd2a925bfae834ba61f227cd4386b4c4466b5227d93c792f4549778ef4d6e08353372df99804459277c71f61b41ec71f3afcc600d73c5705f72f WHIRLPOOL d77ae7b0094c4f42a7ea9cee5d36d0dba844a9ed5d59c621e47c7fa4b75c84fec3414e079c570513711b378d1b0fef61156f675a0df79ee61540d9492416fe42 > AUX mit-krb5-1.12_warn_cflags.patch 448 SHA256 67d3c91061933bd5393b9a6ee8fe2e3f5cd287c4eee7b92798cc2e201712c681 SHA512 42364d9cd8c0a6fd28ae661eeac4d0dd3f2001fe290bf9731ee99c2c786a6488805fc93057d59e201e2cef1e5280af4c170187aa5603f4cf542906abc0fccc2b WHIRLPOOL 9fa704dde00b0201d765199893bf787c5c104070596b05bc12e7f41ae21c4c60c8d25b21fe8573ecd3e63ab769238a78c5cf70f4d086a23f71423b1cad283eaa >+AUX mit-krb5-2015-001-patch-r113.patch 12569 SHA256 c41cb0dd88abb53543697a6e91832d6e0639a99a811c3092904eff03fa4b5ec6 SHA512 9c3d1f75ba6814dc8864a6b6c5a5e53d729ec2f8fe468036bea5cb540ac4a58b4748c5af920c61347fe71af8d900501b68b5d3f538bc89791d7bfde70e1ebb69 WHIRLPOOL 771fa37b8496a77e9913c4882ea7ab8e03cc9dd32b00c024549f54c15d0dba1bbcf3e224abb567dc1acfc13d6e33ffa2b9973c777d4f730c3c5b95b1196e90aa >+AUX mit-krb5-CVE-2014-5353.patch 2688 SHA256 fcdfd81dc63abbdeaca4eb5bbcd3c3088c44e3a96aa7fe191f82c341d38f360c SHA512 736753afb36bc494bc42f3cd33fc013ad49625e8d90672b85784f9f4fe96ff8d3f8c014aa1678d8892cb4204243369ee583232047fa9178fcdff03ab4087b171 WHIRLPOOL 710ee1431dce9046a21cbb8c2445fedcfb678553797b5d6ec21c060a8f20aea1cdaa99429f7a92dc5da710b5e26247b4c9bf747756eb4181e523f12a7e142ef0 >+AUX mit-krb5-CVE-2014-5354.patch 4906 SHA256 616362df107bb63fd060ed3084e98d3523bbea245ff1cef6bd2074a27838ae61 SHA512 e795258f958cd5ce86ff9930bdb7b119253d694bff32c0e4a9a414f184678d52f556a1f24af8032e447a2ecb24de24a50e8590d33019be2028ce452c8915daa9 WHIRLPOOL 
2cab97507af57f27bc550ed3ef47617898169b6ecdc5c24c5a953498c9cae18c9b922e7d2e05a2aec7d97a10e148bdeb2ed20a46093a93b428c7dab1cbd47f4f > AUX mit-krb5-config_LDFLAGS.patch 466 SHA256 fbb4d9be71ef536a344d415b9c56ea42c5c2a2ef02ec3a866d9da47b3acd93d3 SHA512 9a1ca9b33e7708346eda78d199fdc51f0d7bd08d3d65ea15a19955a6155ab71b8ee0c8989859d6dff293a141f197ea19394a91b3b641181140a289b743e0f0e7 WHIRLPOOL f6c58e652c4c365c4f28894d404413a075cc6c5323f83b18d711dc831bb574623db371ccbc1a5aae0ddf030a1b85e1ad50c06f5904ae5554bb4026e464a2c75f > AUX mit-krb5kadmind.initd-r1 592 SHA256 3e55c79f19aaa6ef6b64a621c03dbb2eac3ad923916dc803f4c1bfe48ce89fbb SHA512 f0595e9bbcd85badb403af7febce1fa28278bd7fc8118498948171ea12a27ce8b3c479a34b36639d7370193bc69a0b093ae7e3b66473078dabc38864fec931e9 WHIRLPOOL 16147fc873ad16c16410e82df817fdb7ff068ef5cc1c50d9bb5558f134db36d516ab80628714e836a20883d0d1dfd17bfca5a41225be4ecca270580f2db28e70 > AUX mit-krb5kdc.initd-r1 556 SHA256 709309dea043aa306c2fcf0960e0993a6db540c220de64cf92d6b85f1cca23c5 SHA512 d6d0076886ce284fc395fafc2dc253b4b3ee97b2986dea51388d96a1e1294680fb171f475efc7844559e2c6aac44b26678a9255921db9a58dcf2e7164f0aeec5 WHIRLPOOL 87e54c3df6b8b45058fe0c90c25946e37228aba32077ebcb595a82a0a6fc7268a516dcb1cfd0ce3fd82afedf19b5df2399ac05931f207d0f3d2e26afd590abef > AUX mit-krb5kpropd.initd-r1 595 SHA256 c374ea05d7e9f15e10c8f9dbd0cad6548e0f92aef7de33e5dbc27222e9407e7b SHA512 a18c523aebbb6b8512cd261eac2149c7422214ef6a233e1ceb1b4da9187eeca317ddd75a153b13382571778931bbed00b1803ed015ff01875c8d565b3f3a593f WHIRLPOOL 869f8aec4764a12b5b5506a2fab8ea2641b58cb347a1db60110cccbb011dc51ab9115824828184abc55efccf540d6b014a57e0891b1d6d4ce28ff35405197aeb > DIST krb5-1.13-signed.tar 12083200 SHA256 dc8f79ae9ab777d0f815e84ed02ac4ccfe3d5826eb4947a195dfce9fd95a9582 SHA512 99cf647ab39f5a34acaf2049908f91d3f3822f4afd3b9dad1630b31c72518398069f4f3d3840168122cb12aa5e5540466729bc714fbda96eb9403e635f88d244 WHIRLPOOL 
4cb9bff7c9bf97cbe2a41eaa0f253a8c891b9beff9a2e65f1652eae235c90b811efeae1ee7b608e90ad993a3959a787a06a34f62cec1a709b2fe6ec59f91e3d1 >+EBUILD mit-krb5-1.13-r1.ebuild 4002 SHA256 94038732561ff8f9b1f3fda54a7fd1f6ba471da4bcafada60a4a32a08d7368e6 SHA512 f6119ecf686c8b7edfc8631e0c7c7ecc03f23c80a9b496687ed8f9295ce191c7d5b4f50055198379312f3508d9974fc0fcd6936e6fd81aab7a7c5fb6a4c02ee6 WHIRLPOOL b4345ec97b2a610666dfb0442efc47a45439f8283ab787134c50d9238f82334380da68968053112bc719003be598c2e8c15cf3393501a1837d82e0452bdeddb9 > EBUILD mit-krb5-1.13.ebuild 3852 SHA256 517b74d24b7aaf6262974ea579527f726ddb2b660d00fada3537820bd1aa93fa SHA512 1b6051b7a2f0dd14ab15f77285efc49861e095ba2cac7b6ae9d96cbaac8095b2fc5bb2043b19be118996689841f0c14ebbe673773d304ae224eed20343e6b5a0 WHIRLPOOL 91343588511735397042a93154e17800af95f84cb9a022c51aa8433975fa1edc16615a4902bc81f71570c54abb693d3c0216604cbbcb1937ebadedf350f188a3 > MISC ChangeLog 66879 SHA256 44c911cb03f9aff015ad41938c3584182bc0f7a716ed28b19578ead8536a7756 SHA512 81ba6c44652b497323608c6e9089e458ae861d35b8e5a01effe8062d39cfb20ef7b17632272694c0c3fce0a0883714e403e182f7dca6e0de2eebc9142e51e04d WHIRLPOOL 78992f6a54210d75bdfcb6c89a8a6a7bb0b41e6565afcf27b94021d6de6bf93bd1178f0dd502c8fe80f0f07d20a427efcecf31432fdfa4ff183a3d1130f5eae4 > MISC metadata.xml 668 SHA256 da5862dde92f34b882870961cb9f1e4aa8209fc549e32a43d99770a9de8b232d SHA512 0038aeb7cda74161d2e2fe97c5124ee6cc86a24b9503714c128cd8b9af8b8050a89cf5dd3aadd66b1714c1d1aeb8564d50479547a586200793ea485e9f9c6c8b WHIRLPOOL 52394a4f4d5acb11f3bf2e76e036707c7f7741990d70bafb5c87a6da5d191b6aee3cb8383f6e66694cbda7458eb1a869c7ec8758750741835e2f1af4e028378c >------BEGIN PGP SIGNATURE----- >-Version: GnuPG v2 >- >-iQIcBAEBCAAGBQJUcvIfAAoJEHfx8XVYajsf4/YP/jSNvDrqyihf26FzbvaBxmHw >-0FJJdmx05rp0Mlv4SaTcGg3hw11SP3YhV1b9Opx4n4j8a8IUiAezRXdOVfch8hpy >-7tQyE0ZKgTpC9G/Rgh8P/6crk+pyDSUIVI7mnnWH/hQ5nCGaXPUgQn7XSD7nT4/a >-XQGkILl60Dhslp2wsv0uVMEhdlwHfEt3I4oCLm3eor+feEBgyrF//Yes0iFLW4G0 
>-lgiVW0tqvK45idoHJywlqjt0lMsoHxDI+qSaj+R0QVYKX/lCq+i454j726hAACuw >-MxEGe0l9m1kSuIDHJfXV8avOjtHUoeoGooeH9wnU+oFbT4FFEK0CeeLz/ipVQDnV >-EXzOdExCVDVPv4kd6WDbcpB30dp0NYl0TL6lTBkAFCx3hF0vCLEZru53qzSogLHC >-Ex6ImvFDHjsHRL6tYko0gC8kxic7zjJx3YrQ24qFUSWiVmlAainSvpDYGx5mgtC6 >-mFCw1ih14OW0+UbCDKZTFHQ5ONfsyVq9IPRV7zrxeIcFScpK7A45mqD5EGczwSd2 >-NQsL/qvZi1X4wcYYsvQaMgZg62CRHiOjiL/rAVUfQ0vwsabIfihaHzfmDPMmCJyC >-+EnPvuxn20vI/r+B65mwoX5SBkb4KHc9nQmysdpubkvg+TTmKNRMtvVk4KWHmjwa >-X3WAVeq7CarzN1/Un2oJ >-=aNu4 >------END PGP SIGNATURE----- >diff -Nur mit-krb5-orig/files/mit-krb5-2015-001-patch-r113.patch mit-krb5/files/mit-krb5-2015-001-patch-r113.patch >--- mit-krb5-orig/files/mit-krb5-2015-001-patch-r113.patch 1969-12-31 16:00:00.000000000 -0800 >+++ mit-krb5/files/mit-krb5-2015-001-patch-r113.patch 2015-02-04 12:35:25.848789787 -0800 
>@@ -0,0 +1,343 @@
>+diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c
>+index 3837931..f4d2a7c 100644
>+--- a/src/kadmin/server/kadm_rpc_svc.c
>++++ b/src/kadmin/server/kadm_rpc_svc.c
>+@@ -4,7 +4,7 @@
>+ *
>+ */
>+ 
>+-#include <k5-platform.h>
>++#include <k5-int.h>
>+ #include <gssrpc/rpc.h>
>+ #include <gssapi/gssapi_krb5.h> /* for gss_nt_krb5_name */
>+ #include <syslog.h>
>+@@ -296,14 +296,8 @@ check_rpcsec_auth(struct svc_req *rqstp)
>+ c1 = krb5_princ_component(kctx, princ, 0);
>+ c2 = krb5_princ_component(kctx, princ, 1);
>+ realm = krb5_princ_realm(kctx, princ);
>+- if (strncmp(handle->params.realm, realm->data, realm->length) == 0
>+- && strncmp("kadmin", c1->data, c1->length) == 0) {
>+-
>+- if (strncmp("history", c2->data, c2->length) == 0)
>+- goto fail_princ;
>+- else
>+- success = 1;
>+- }
>++ success = data_eq_string(*realm, handle->params.realm) &&
>++ data_eq_string(*c1, "kadmin") && !data_eq_string(*c2, "history");
>+ 
>+ fail_princ:
>+ if (!success) {
>+diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c
>+index b3d1db0..a18cfb0 100644
>+--- a/src/lib/gssapi/krb5/context_time.c
>++++ b/src/lib/gssapi/krb5/context_time.c
>+@@ -40,7 +40,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec)
>+ 
>+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
>+ 
>+- if (! ctx->established) {
>++ if (ctx->terminated || !ctx->established) {
>+ *minor_status = KG_CTX_INCOMPLETE;
>+ return(GSS_S_NO_CONTEXT);
>+ }
>+diff --git a/src/lib/gssapi/krb5/export_sec_context.c b/src/lib/gssapi/krb5/export_sec_context.c
>+index 18a3a34..1b3de68 100644
>+--- a/src/lib/gssapi/krb5/export_sec_context.c
>++++ b/src/lib/gssapi/krb5/export_sec_context.c
>+@@ -45,6 +45,11 @@ krb5_gss_export_sec_context(minor_status, context_handle, interprocess_token)
>+ *minor_status = 0;
>+ 
>+ ctx = (krb5_gss_ctx_id_t) *context_handle;
>++ if (ctx->terminated) {
>++ *minor_status = KG_CTX_INCOMPLETE;
>++ return (GSS_S_NO_CONTEXT);
>++ }
>++
>+ context = ctx->k5_context;
>+ kret = krb5_gss_ser_init(context);
>+ if (kret)
>+diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
>+index 7e807cc..a0e8625 100644
>+--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
>++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
>+@@ -206,6 +206,7 @@ typedef struct _krb5_gss_ctx_id_rec {
>+ unsigned int established : 1;
>+ unsigned int have_acceptor_subkey : 1;
>+ unsigned int seed_init : 1; /* XXX tested but never actually set */
>++ unsigned int terminated : 1;
>+ OM_uint32 gss_flags;
>+ unsigned char seed[16];
>+ krb5_gss_name_t here;
>+diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
>+index 6456b23..77b7fff 100644
>+--- a/src/lib/gssapi/krb5/gssapi_krb5.c
>++++ b/src/lib/gssapi/krb5/gssapi_krb5.c
>+@@ -369,7 +369,7 @@ krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
>+ 
>+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
>+ 
>+- if (!ctx->established)
>++ if (ctx->terminated || !ctx->established)
>+ return GSS_S_NO_CONTEXT;
>+ 
>+ for (i = 0; i < sizeof(krb5_gss_inquire_sec_context_by_oid_ops)/
>+diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c
>+index eacb0fd..096df2a 100644
>+--- a/src/lib/gssapi/krb5/inq_context.c
>++++ b/src/lib/gssapi/krb5/inq_context.c
>+@@ -105,7 +105,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
>+ 
>+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
>+ 
>+- if (! ctx->established) {
>++ if (ctx->terminated || !ctx->established) {
>+ *minor_status = KG_CTX_INCOMPLETE;
>+ return(GSS_S_NO_CONTEXT);
>+ }
>+diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
>+index 7665cba..f1c74dd 100644
>+--- a/src/lib/gssapi/krb5/k5seal.c
>++++ b/src/lib/gssapi/krb5/k5seal.c
>+@@ -342,7 +342,7 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req,
>+ 
>+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
>+ 
>+- if (! ctx->established) {
>++ if (ctx->terminated || !ctx->established) {
>+ *minor_status = KG_CTX_INCOMPLETE;
>+ return(GSS_S_NO_CONTEXT);
>+ }
>+diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c
>+index a129670..b53e348 100644
>+--- a/src/lib/gssapi/krb5/k5sealiov.c
>++++ b/src/lib/gssapi/krb5/k5sealiov.c
>+@@ -281,7 +281,7 @@ kg_seal_iov(OM_uint32 *minor_status,
>+ }
>+ 
>+ ctx = (krb5_gss_ctx_id_rec *)context_handle;
>+- if (!ctx->established) {
>++ if (ctx->terminated || !ctx->established) {
>+ *minor_status = KG_CTX_INCOMPLETE;
>+ return GSS_S_NO_CONTEXT;
>+ }
>+diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
>+index 0573958..673c883 100644
>+--- a/src/lib/gssapi/krb5/k5unseal.c
>++++ b/src/lib/gssapi/krb5/k5unseal.c
>+@@ -492,7 +492,7 @@ kg_unseal(minor_status, context_handle, input_token_buffer,
>+ 
>+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
>+ 
>+- if (! ctx->established) {
>++ if (ctx->terminated || !ctx->established) {
>+ *minor_status = KG_CTX_INCOMPLETE;
>+ return(GSS_S_NO_CONTEXT);
>+ }
>+diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
>+index f34d802..8b67042 100644
>+--- a/src/lib/gssapi/krb5/k5unsealiov.c
>++++ b/src/lib/gssapi/krb5/k5unsealiov.c
>+@@ -625,7 +625,7 @@ kg_unseal_iov(OM_uint32 *minor_status,
>+ OM_uint32 code;
>+ 
>+ ctx = (krb5_gss_ctx_id_rec *)context_handle;
>+- if (!ctx->established) {
>++ if (ctx->terminated || !ctx->established) {
>+ *minor_status = KG_CTX_INCOMPLETE;
>+ return GSS_S_NO_CONTEXT;
>+ }
>+diff --git a/src/lib/gssapi/krb5/lucid_context.c b/src/lib/gssapi/krb5/lucid_context.c
>+index 85df7fd..449e71f 100644
>+--- a/src/lib/gssapi/krb5/lucid_context.c
>++++ b/src/lib/gssapi/krb5/lucid_context.c
>+@@ -75,6 +75,11 @@ gss_krb5int_export_lucid_sec_context(
>+ *minor_status = 0;
>+ *data_set = GSS_C_NO_BUFFER_SET;
>+ 
>++ if (ctx->terminated || !ctx->established) {
>++ *minor_status = KG_CTX_INCOMPLETE;
>++ return GSS_S_NO_CONTEXT;
>++ }
>++
>+ retval = generic_gss_oid_decompose(minor_status,
>+ GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID,
>+ GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH,
>+diff --git a/src/lib/gssapi/krb5/prf.c b/src/lib/gssapi/krb5/prf.c
>+index e19291f..e897074 100644
>+--- a/src/lib/gssapi/krb5/prf.c
>++++ b/src/lib/gssapi/krb5/prf.c
>+@@ -58,6 +58,10 @@ krb5_gss_pseudo_random(OM_uint32 *minor_status,
>+ ns.data = NULL;
>+ 
>+ ctx = (krb5_gss_ctx_id_t)context;
>++ if (ctx->terminated || !ctx->established) {
>++ *minor_status = KG_CTX_INCOMPLETE;
>++ return GSS_S_NO_CONTEXT;
>++ }
>+ 
>+ switch (prf_key) {
>+ case GSS_C_PRF_KEY_FULL:
>+diff --git a/src/lib/gssapi/krb5/process_context_token.c b/src/lib/gssapi/krb5/process_context_token.c
>+index ae33180..a672f48 100644
>+--- a/src/lib/gssapi/krb5/process_context_token.c
>++++ b/src/lib/gssapi/krb5/process_context_token.c
>+@@ -39,11 +39,18 @@ krb5_gss_process_context_token(minor_status, context_handle,
>+ 
>+ ctx = (krb5_gss_ctx_id_t) context_handle;
>+ 
>+- if (! ctx->established) {
>++ if (ctx->terminated || !ctx->established) {
>+ *minor_status = KG_CTX_INCOMPLETE;
>+ return(GSS_S_NO_CONTEXT);
>+ }
>+ 
>++ /* We only support context deletion tokens for now, and RFC 4121 does not
>++ * define a context deletion token. */
>++ if (ctx->proto) {
>++ *minor_status = 0;
>++ return(GSS_S_DEFECTIVE_TOKEN);
>++ }
>++
>+ /* "unseal" the token */
>+ 
>+ if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle,
>+@@ -52,8 +59,8 @@ krb5_gss_process_context_token(minor_status, context_handle,
>+ KG_TOK_DEL_CTX)))
>+ return(majerr);
>+ 
>+- /* that's it. delete the context */
>+-
>+- return(krb5_gss_delete_sec_context(minor_status, &context_handle,
>+- GSS_C_NO_BUFFER));
>++ /* Mark the context as terminated, but do not delete it (as that would
>++ * leave the caller with a dangling context handle). */
>++ ctx->terminated = 1;
>++ return(GSS_S_COMPLETE);
>+ }
>+diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c
>+index 7bc4221..ed5c599 100644
>+--- a/src/lib/gssapi/krb5/wrap_size_limit.c
>++++ b/src/lib/gssapi/krb5/wrap_size_limit.c
>+@@ -95,7 +95,7 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag,
>+ }
>+ 
>+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
>+- if (! ctx->established) {
>++ if (ctx->terminated || !ctx->established) {
>+ *minor_status = KG_CTX_INCOMPLETE;
>+ return(GSS_S_NO_CONTEXT);
>+ }
>+diff --git a/src/lib/gssapi/mechglue/mglueP.h b/src/lib/gssapi/mechglue/mglueP.h
>+index e56b9c1..2b5145e 100644
>+--- a/src/lib/gssapi/mechglue/mglueP.h
>++++ b/src/lib/gssapi/mechglue/mglueP.h
>+@@ -25,7 +25,6 @@ do { \
>+ */
>+ typedef struct gss_union_ctx_id_struct {
>+ struct gss_union_ctx_id_struct *loopback;
>+- struct gss_union_ctx_id_struct *interposer;
>+ gss_OID mech_type;
>+ gss_ctx_id_t internal_ctx_id;
>+ } gss_union_ctx_id_desc, *gss_union_ctx_id_t;
>+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
>+index 42ac783..975f94c 100644
>+--- a/src/lib/kadm5/kadm_rpc_xdr.c
>++++ b/src/lib/kadm5/kadm_rpc_xdr.c
>+@@ -320,6 +320,7 @@ bool_t xdr_krb5_tl_data(XDR *xdrs, krb5_tl_data **tl_data_head)
>+ free(tl);
>+ tl = tl2;
>+ }
>++ *tl_data_head = NULL;
>+ break;
>+ 
>+ case XDR_ENCODE:
>+@@ -1096,6 +1097,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_principal *objp)
>+ case XDR_FREE:
>+ if(*objp != NULL)
>+ krb5_free_principal(context, *objp);
>++ *objp = NULL;
>+ break;
>+ }
>+ return TRUE;
>+diff --git a/src/lib/rpc/auth_gssapi_misc.c b/src/lib/rpc/auth_gssapi_misc.c
>+index 53bdb98..a05ea19 100644
>+--- a/src/lib/rpc/auth_gssapi_misc.c
>++++ b/src/lib/rpc/auth_gssapi_misc.c
>+@@ -322,7 +322,6 @@ bool_t auth_gssapi_unwrap_data(
>+ if (! (*xdr_func)(&temp_xdrs, xdr_ptr)) {
>+ PRINTF(("gssapi_unwrap_data: deserializing arguments failed\n"));
>+ gss_release_buffer(minor, &out_buf);
>+- xdr_free(xdr_func, xdr_ptr);
>+ XDR_DESTROY(&temp_xdrs);
>+ return FALSE;
>+ }
>+diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
>+index 09a3534..b81c4a3 100644
>+--- a/src/lib/rpc/svc_auth_gss.c
>++++ b/src/lib/rpc/svc_auth_gss.c
>+@@ -65,16 +65,6 @@ extern const gss_OID_desc * const gss_mech_spkm3;
>+ 
>+ extern SVCAUTH svc_auth_none;
>+ 
>+-/*
>+- * from mit-krb5-1.2.1 mechglue/mglueP.h:
>+- * Array of context IDs typed by mechanism OID
>+- */
>+-typedef struct gss_union_ctx_id_t {
>+- gss_OID mech_type;
>+- gss_ctx_id_t internal_ctx_id;
>+-} gss_union_ctx_id_desc, *gss_union_ctx_id_t;
>+-
>+-
>+ static auth_gssapi_log_badauth_func log_badauth = NULL;
>+ static caddr_t log_badauth_data = NULL;
>+ static auth_gssapi_log_badauth2_func log_badauth2 = NULL;
>+@@ -239,16 +229,8 @@ svcauth_gss_accept_sec_context(struct svc_req *rqst,
>+ gd->ctx = GSS_C_NO_CONTEXT;
>+ goto errout;
>+ }
>+- /*
>+- * ANDROS: krb5 mechglue returns ctx of size 8 - two pointers,
>+- * one to the mechanism oid, one to the internal_ctx_id
>+- */
>+- if ((gr->gr_ctx.value = mem_alloc(sizeof(gss_union_ctx_id_desc))) == NULL) {
>+- fprintf(stderr, "svcauth_gss_accept_context: out of memory\n");
>+- goto errout;
>+- }
>+- memcpy(gr->gr_ctx.value, gd->ctx, sizeof(gss_union_ctx_id_desc));
>+- gr->gr_ctx.length = sizeof(gss_union_ctx_id_desc);
>++ gr->gr_ctx.value = "xxxx";
>++ gr->gr_ctx.length = 4;
>+ 
>+ /* gr->gr_win = 0x00000005; ANDROS: for debugging linux kernel version... */
>+ gr->gr_win = sizeof(gd->seqmask) * 8;
>+@@ -520,8 +502,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg,
>+ 
>+ if (!svcauth_gss_nextverf(rqst, htonl(gr.gr_win))) {
>+ gss_release_buffer(&min_stat, &gr.gr_token);
>+- mem_free(gr.gr_ctx.value,
>+- sizeof(gss_union_ctx_id_desc));
>+ ret_freegc (AUTH_FAILED);
>+ }
>+ *no_dispatch = TRUE;
>+@@ -531,7 +511,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg,
>+ 
>+ gss_release_buffer(&min_stat, &gr.gr_token);
>+ gss_release_buffer(&min_stat, &gd->checksum);
>+- mem_free(gr.gr_ctx.value, sizeof(gss_union_ctx_id_desc));
>+ if (!call_stat)
>+ ret_freegc (AUTH_FAILED);
>+ 
>+diff --git a/src/tests/gssapi/t_prf.c b/src/tests/gssapi/t_prf.c
>+index 254f8fb..7f04899 100644
>+--- a/src/tests/gssapi/t_prf.c
>++++ b/src/tests/gssapi/t_prf.c
>+@@ -127,6 +127,7 @@ main(int argc, char *argv[])
>+ uctx.mech_type = &mech_krb5;
>+ uctx.internal_ctx_id = (gss_ctx_id_t)&kgctx;
>+ kgctx.k5_context = NULL;
>++ kgctx.established = 1;
>+ kgctx.have_acceptor_subkey = 1;
>+ kb1.contents = k1buf;
>+ kb2.contents = k2buf;
>diff -Nur mit-krb5-orig/files/mit-krb5-CVE-2014-5353.patch mit-krb5/files/mit-krb5-CVE-2014-5353.patch
>--- mit-krb5-orig/files/mit-krb5-CVE-2014-5353.patch 1969-12-31 16:00:00.000000000 -0800
>+++ mit-krb5/files/mit-krb5-CVE-2014-5353.patch 2015-02-04 12:35:25.846789739 -0800
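Review bot: In svcauth_gss_accept_sec_context the new `gr->gr_ctx.value = "xxxx";` points a mutable buffer at a string literal with no comment on why a constant dummy handle is now returned, so a later maintainer may be tempted to restore the mem_alloc/memcpy of gd->ctx that this hunk removes — which, judging by the bug title's CVE list, is presumably the library-memory disclosure (CVE-2014-9423) the advisory fixes. I would add above the assignment `/* Return a constant opaque handle: the client never interprets it, and copying gd->ctx here exposed mechglue pointers to the peer. */`, and note that the two mem_free calls removed from gssrpc__svcauth_gss are correct only because the value is no longer heap-allocated. The same goes for the dropped xdr_free in auth_gssapi_unwrap_data, where the removed line would free arguments the caller still owns; a one-line comment `/* caller frees xdr_ptr; freeing here double-frees */` would preserve that reasoning. Since this file is an upstream advisory patch embedded verbatim, any such local annotation belongs in a separate patch so the embedded one can still be compared byte-for-byte with MIT's published (signed) patch.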
>@@ -0,0 +1,63 @@
>+From d1f707024f1d0af6e54a18885322d70fa15ec4d3 Mon Sep 17 00:00:00 2001
>+From: Greg Hudson <ghudson@mit.edu>
>+Date: Fri, 5 Dec 2014 14:01:39 -0500
>+Subject: [PATCH] Fix LDAP misused policy name crash [CVE-2014-5353]
>+
>+In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns
>+successfully with no results, return KRB5_KDB_NOENTRY instead of
>+returning success with a zeroed-out policy object. This fixes a null
>+dereference when an admin attempts to use an LDAP ticket policy name
>+as a password policy name.
>+
>+CVE-2014-5353:
>+
>+In MIT krb5, when kadmind is configured to use LDAP for the KDC
>+database, an authenticated remote attacker can cause a NULL dereference
>+by attempting to use a named ticket policy object as a password policy
>+for a principal. The attacker needs to be authenticated as a user who
>+has the elevated privilege for setting password policy by adding or
>+modifying principals.
>+
>+Queries to LDAP scoped to the krbPwdPolicy object class will correctly
>+not return entries of other classes, such as ticket policy objects, but
>+may return success with no returned elements if an object with the
>+requested DN exists in a different object class. In this case, the
>+routine to retrieve a password policy returned success with a password
>+policy object that consisted entirely of zeroed memory. In particular,
>+accesses to the policy name will dereference a NULL pointer. KDC
>+operation does not access the policy name field, but most kadmin
>+operations involving the principal with incorrect password policy
>+will trigger the crash.
>+
>+Thanks to Patrik Kis for reporting this problem.
>+ 
>+CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
>+
>+[kaduk@mit.edu: CVE description and CVSS score]
>+
>+ticket: 8051 (new)
>+target_version: 1.13.1
>+tags: pullup
>+---
>+ src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 ++++---
>+ 1 file changed, 4 insertions(+), 3 deletions(-)
>+
>+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
>+index 522773e..6779f51 100644
>+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
>++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
>+@@ -314,10 +314,11 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
>+ LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes);
>+ 
>+ ent=ldap_first_entry(ld, result);
>+- if (ent != NULL) {
>+- if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0)
>+- goto cleanup;
>++ if (ent == NULL) {
>++ st = KRB5_KDB_NOENTRY;
>++ goto cleanup;
>+ }
>++ st = populate_policy(context, ld, ent, pol_name, *policy);
>+ 
>+ cleanup:
>+ ldap_msgfree(result);
>diff -Nur mit-krb5-orig/files/mit-krb5-CVE-2014-5354.patch mit-krb5/files/mit-krb5-CVE-2014-5354.patch
>--- mit-krb5-orig/files/mit-krb5-CVE-2014-5354.patch 1969-12-31 16:00:00.000000000 -0800
>+++ mit-krb5/files/mit-krb5-CVE-2014-5354.patch 2015-02-04 12:35:25.859790050 -0800
>@@ -0,0 +1,113 @@
>+From 04038bf3633c4b909b5ded3072dc88c8c419bf16 Mon Sep 17 00:00:00 2001
>+From: Ben Kaduk <kaduk@mit.edu>
>+Date: Wed, 19 Nov 2014 12:04:46 -0500
>+Subject: [PATCH] Support keyless principals in LDAP [CVE-2014-5354]
>+
>+Operations like "kadmin -q 'addprinc -nokey foo'" or
>+"kadmin -q 'purgekeys -all foo'" result in principal entries with
>+no keys present, so krb5_encode_krbsecretkey() would just return
>+NULL, which then got unconditionally dereferenced in
>+krb5_add_ber_mem_ldap_mod().
>+
>+Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key
>+principals better, correct the test for an allocation failure, and
>+slightly restructure the cleanup handler to be shorter and more
>+appropriate for the usage. Once it no longer short-circuits when
>+n_key_data is zero, it will produce an array of length two with both
>+entries NULL, which is treated as an empty list by the LDAP library,
>+the correct behavior for a keyless principal.
>+
>+However, attributes with empty values are only handled by the LDAP
>+library for Modify operations, not Add operations (which only get
>+a sequence of Attribute, with no operation field). Therefore, only
>+add an empty krbprincipalkey to the modlist when we will be performing a
>+Modify, and not when we will be performing an Add, which is conditional
>+on the (misspelled) create_standalone_prinicipal boolean.
>+
>+CVE-2014-5354:
>+
>+In MIT krb5, when kadmind is configured to use LDAP for the KDC
>+database, an authenticated remote attacker can cause a NULL
>+dereference by inserting into the database a principal entry which
>+contains no long-term keys.
>+
>+In order for the LDAP KDC backend to translate a principal entry
>+from the database abstraction layer into the form expected by the
>+LDAP schema, the principal's keys are encoded into a
>+NULL-terminated array of length-value entries to be stored in the
>+LDAP database. However, the subroutine which produced this array
>+did not correctly handle the case where no keys were present,
>+returning NULL instead of an empty array, and the array was
>+unconditionally dereferenced while adding to the list of LDAP
>+operations to perform.
>+
>+Versions of MIT krb5 prior to 1.12 did not expose a way for
>+principal entries to have no long-term key material, and
>+therefore are not vulnerable.
>+
>+ CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C
>+
>+ticket: 8041 (new)
>+tags: pullup
>+target_version: 1.13.1
>+subject: kadmind with ldap backend crashes when putting keyless entries
>+---
>+ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 25 +++++++++++++++-------
>+ 1 file changed, 17 insertions(+), 8 deletions(-)
>+
>+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
>+index 3e560d9..10b5982 100644
>+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
>++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
>+@@ -406,14 +406,14 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
>+ int num_versions = 1;
>+ int i, j, last;
>+ krb5_error_code err = 0;
>+- krb5_key_data *key_data;
>++ krb5_key_data *key_data = NULL;
>+ 
>+- if (n_key_data <= 0)
>++ if (n_key_data < 0)
>+ return NULL;
>+ 
>+ /* Make a shallow copy of the key data so we can alter it. */
>+ key_data = k5calloc(n_key_data, sizeof(*key_data), &err);
>+- if (key_data_in == NULL)
>++ if (key_data == NULL)
>+ goto cleanup;
>+ memcpy(key_data, key_data_in, n_key_data * sizeof(*key_data));
>+ 
>+@@ -467,9 +467,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
>+ free(key_data);
>+ if (err != 0) {
>+ if (ret != NULL) {
>+- for (i = 0; i <= num_versions; i++)
>+- if (ret[i] != NULL)
>+- free (ret[i]);
>++ for (i = 0; ret[i] != NULL; i++)
>++ free (ret[i]);
>+ free (ret);
>+ ret = NULL;
>+ }
>+@@ -1036,9 +1035,19 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
>+ bersecretkey = krb5_encode_krbsecretkey (entry->key_data,
>+ entry->n_key_data, mkvno);
>+ 
>+- if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
>+- LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
>++ if (bersecretkey == NULL) {
>++ st = ENOMEM;
>+ goto cleanup;
>++ }
>++ /* An empty list of bervals is only accepted for modify operations,
>++ * not add operations. */
>++ if (bersecretkey[0] != NULL || !create_standalone_prinicipal) {
>++ st = krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
>++ LDAP_MOD_REPLACE | LDAP_MOD_BVALUES,
>++ bersecretkey);
>++ if (st != 0)
>++ goto cleanup;
>++ }
>+ 
>+ if (!(entry->mask & KADM5_PRINCIPAL)) {
>+ memset(strval, 0, sizeof(strval));
>diff -Nur mit-krb5-orig/mit-krb5-1.13-r1.ebuild mit-krb5/mit-krb5-1.13-r1.ebuild
>--- mit-krb5-orig/mit-krb5-1.13-r1.ebuild 1969-12-31 16:00:00.000000000 -0800
>+++ mit-krb5/mit-krb5-1.13-r1.ebuild 2015-02-04 12:36:18.566051170 -0800
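Review bot: In krb5_ldap_put_principal the new `if (bersecretkey == NULL) { st = ENOMEM; goto cleanup; }` reports every NULL from krb5_encode_krbsecretkey as out-of-memory, yet the same hunk keeps an early `if (n_key_data < 0) return NULL;` in that encoder, so a negative entry->n_key_data would surface to the kadmin client as ENOMEM rather than a validation error. A cheap disambiguation before the encode call is `if (entry->n_key_data < 0) { st = EINVAL; goto cleanup; }`, or at minimum a comment on the ENOMEM branch saying the two cases are conflated. The rewritten cleanup loop `for (i = 0; ret[i] != NULL; i++)` now depends on ret being NULL-terminated on every error path of the encoder; the allocation of ret is outside this hunk, so I could not confirm that from here. Both krb5_encode_krbsecretkey and krb5_ldap_put_principal begin and end outside the hunk, and since this file is an upstream commit applied verbatim, any local tweak should go in a separate patch rather than editing the embedded one.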
>@@ -0,0 +1,147 @@
>+# Copyright 1999-2014 Gentoo Foundation
>+# Distributed under the terms of the GNU General Public License v2
>+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.13.ebuild,v 1.11 2014/11/23 19:04:22 zlogene Exp $
>+
>+EAPI=5
>+PYTHON_COMPAT=( python{2_6,2_7} )
>+inherit autotools eutils flag-o-matic multilib-minimal python-any-r1 versionator
>+
>+MY_P="${P/mit-}"
>+P_DIR=$(get_version_component_range 1-2)
>+DESCRIPTION="MIT Kerberos V"
>+HOMEPAGE="http://web.mit.edu/kerberos/www/"
>+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
>+
>+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
>+SLOT="0"
>+KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86"
>+IUSE="doc +keyutils openldap +pkinit selinux +threads test xinetd"
>+
>+CDEPEND="!!app-crypt/heimdal
>+ >=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
>+ || ( >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
>+ >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
>+ >=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}] )
>+ keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
>+ openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
>+ pkinit? ( >=dev-libs/openssl-1.0.1h-r2[${MULTILIB_USEDEP}] )
>+ xinetd? ( sys-apps/xinetd )
>+ abi_x86_32? (
>+ !<=app-emulation/emul-linux-x86-baselibs-20140508-r1
>+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
>+ )"
>+DEPEND="${CDEPEND}
>+ ${PYTHON_DEPS}
>+ virtual/yacc
>+ doc? ( virtual/latex-base )
>+ test? ( ${PYTHON_DEPS}
>+ dev-lang/tcl
>+ dev-util/dejagnu )"
>+RDEPEND="${CDEPEND}
>+ selinux? ( sec-policy/selinux-kerberos )"
>+
>+S=${WORKDIR}/${MY_P}/src
>+
>+MULTILIB_CHOST_TOOLS=(
>+ /usr/bin/krb5-config
>+)
>+
>+src_unpack() {
>+ unpack ${A}
>+ unpack ./"${MY_P}".tar.gz
>+}
>+
>+src_prepare() {
>+ epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
>+ epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"
>+ epatch "${FILESDIR}/${PN}-CVE-2014-5354.patch"
>+ epatch "${FILESDIR}/${PN}-CVE-2014-5353.patch"
>+ epatch "${FILESDIR}/${PN}-2015-001-patch-r113.patch"
>+
>+ eautoreconf
>+}
>+
>+src_configure() {
>+ append-cppflags "-I${EPREFIX}/usr/include/et"
>+ # QA
>+ append-flags -fno-strict-aliasing
>+ append-flags -fno-strict-overflow
>+
>+ multilib-minimal_src_configure
>+}
>+
>+multilib_src_configure() {
>+ use keyutils || export ac_cv_header_keyutils_h=no
>+ ECONF_SOURCE=${S} \
>+ WARN_CFLAGS="set" \
>+ econf \
>+ $(use_with openldap ldap) \
>+ "$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
>+ $(use_enable pkinit) \
>+ $(use_enable threads thread-support) \
>+ --without-hesiod \
>+ --enable-shared \
>+ --with-system-et \
>+ --with-system-ss \
>+ --enable-dns-for-realm \
>+ --enable-kdc-lookaside-cache \
>+ --with-system-verto \
>+ --disable-rpath
>+}
>+
>+multilib_src_compile() {
>+ emake -j1
>+}
>+
>+multilib_src_test() {
>+ multilib_is_native_abi && emake -j1 check
>+}
>+
>+multilib_src_install() {
>+ emake \
>+ DESTDIR="${D}" \
>+ EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
>+ install
>+}
>+
>+multilib_src_install_all() {
>+ # default database dir
>+ keepdir /var/lib/krb5kdc
>+
>+ cd ..
>+ dodoc README
>+
>+ if use doc; then
>+ dohtml -r doc/html/*
>+ docinto pdf
>+ dodoc doc/pdf/*.pdf
>+ fi
>+
>+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r1 mit-krb5kadmind
>+ newinitd "${FILESDIR}"/mit-krb5kdc.initd-r1 mit-krb5kdc
>+ newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r1 mit-krb5kpropd
>+
>+ insinto /etc
>+ newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
>+ insinto /var/lib/krb5kdc
>+ newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
>+
>+ if use openldap ; then
>+ insinto /etc/openldap/schema
>+ doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
>+ fi
>+
>+ if use xinetd ; then
>+ insinto /etc/xinetd.d
>+ newins "${FILESDIR}/kpropd.xinetd" kpropd
>+ fi
>+}
>+
>+pkg_preinst() {
>+ if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
>+ elog "MIT split the Kerberos applications from the base Kerberos"
>+ elog "distribution. Kerberized versions of telnet, rlogin, rsh, rcp,"
>+ elog "ftp clients and telnet, ftp deamons now live in"
>+ elog "\"app-crypt/mit-krb5-appl\" package."
>+ fi
>+}
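Review bot: src_unpack extracts `${MY_P}.tar.gz` out of the `-signed.tar` bundle without checking the detached signature that bundle, as far as I recall, ships alongside the tarball, so the only integrity check on the upstream source is the Manifest DIST digest — and the attached Manifest hunk strips the Manifest's PGP signature, so the committer must regenerate and sign the Manifest rather than apply that hunk as-is. A comment on `unpack ./"${MY_P}".tar.gz` such as `# the .asc inside the signed tar is not verified here; integrity rests on the Manifest digest` would make that dependency explicit. The copied `$Header: .../mit-krb5-1.13.ebuild,v 1.11 ...$` line and `Copyright 1999-2014` belong to the old ebuild and should be reset to `# $Header: $` and 2015 for this new revision. Because the fixes patch kadmind, libgssrpc and libgssapi_krb5, a pkg_postinst `ewarn` telling admins to restart krb5kdc, kadmind and long-running GSSAPI services would help the fix take effect on already-running systems.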