[samba/f17] Avoid private krb5_locate_kdc usage resolves: #754783
Guenther Deschner
gd at fedoraproject.org
Fri Apr 20 13:22:37 UTC 2012
commit be38d7fefc6704a51a8df5b7410649938ddb43d8
Author: Günther Deschner <gd at samba.org>
Date: Fri Apr 20 15:21:12 2012 +0200
Avoid private krb5_locate_kdc usage
resolves: #754783
Guenther
(cherry picked from commit 19083437612801f74d56a2e2dae84dd4195f8d1c)
samba-3.6.4-krb5_locate_kdc.patch | 162 +++++++++++++++++++++++++++++++++++++
samba.spec | 8 ++-
2 files changed, 169 insertions(+), 1 deletions(-)
---
diff --git a/samba-3.6.4-krb5_locate_kdc.patch b/samba-3.6.4-krb5_locate_kdc.patch
new file mode 100644
index 0000000..d5093e6
--- /dev/null
+++ b/samba-3.6.4-krb5_locate_kdc.patch
@@ -0,0 +1,162 @@
+From 2464a7b0ddb556bed86a845c9400e26c4d7f584a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn at samba.org>
+Date: Wed, 30 Nov 2011 17:58:30 +0100
+Subject: [PATCH] s3-libsmb: Remove obsolete smb_krb5_locate_kdc.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Günther Deschner <gd at samba.org>
+
+Autobuild-User: Günther Deschner <gd at samba.org>
+Autobuild-Date: Thu Feb 9 14:58:57 CET 2012 on sn-devel-104
+---
+ source3/configure.in | 1 -
+ source3/include/krb5_protos.h | 4 --
+ source3/libsmb/clikrb5.c | 89 -----------------------------------------
+ source3/wscript | 2 +-
+ 4 files changed, 1 insertions(+), 95 deletions(-)
+
+diff --git a/source3/configure.in b/source3/configure.in
+index 298fe1b..1ce1a5b 100644
+--- a/source3/configure.in
++++ b/source3/configure.in
+@@ -3860,7 +3860,6 @@ if test x"$with_ads_support" != x"no"; then
+ AC_CHECK_FUNC_EXT(krb5_string_to_key_salt, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_auth_con_setkey, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_auth_con_setuseruserkey, $KRB5_LIBS)
+- AC_CHECK_FUNC_EXT(krb5_locate_kdc, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_permitted_enctypes, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_default_in_tkt_etypes, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_free_data_contents, $KRB5_LIBS)
+diff --git a/source3/include/krb5_protos.h b/source3/include/krb5_protos.h
+index 32f995c..f16cafd 100644
+--- a/source3/include/krb5_protos.h
++++ b/source3/include/krb5_protos.h
+@@ -67,10 +67,6 @@ bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr);
+ int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt);
+ bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt);
+ krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
+-krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
+-#if defined(HAVE_KRB5_LOCATE_KDC)
+-krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
+-#endif
+ krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
+ bool get_krb5_smb_session_key(TALLOC_CTX *mem_ctx,
+ krb5_context context,
+diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
+index 9af3e49..8cea29c 100644
+--- a/source3/libsmb/clikrb5.c
++++ b/source3/libsmb/clikrb5.c
+@@ -488,95 +488,6 @@
+ #endif
+ }
+
+-#if !defined(HAVE_KRB5_LOCATE_KDC)
+-
+-/* krb5_locate_kdc is an internal MIT symbol. MIT are not yet willing to commit
+- * to a public interface for this functionality, so we have to be able to live
+- * without it if the MIT libraries are hiding their internal symbols.
+- */
+-
+-#if defined(KRB5_KRBHST_INIT)
+-/* Heimdal */
+- krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters)
+-{
+- krb5_krbhst_handle hnd;
+- krb5_krbhst_info *hinfo;
+- krb5_error_code rc;
+- int num_kdcs, i;
+- struct sockaddr *sa;
+- struct addrinfo *ai;
+-
+- *addr_pp = NULL;
+- *naddrs = 0;
+-
+- rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd);
+- if (rc) {
+- DEBUG(0, ("smb_krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc)));
+- return rc;
+- }
+-
+- for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++)
+- ;
+-
+- krb5_krbhst_reset(ctx, hnd);
+-
+- if (!num_kdcs) {
+- DEBUG(0, ("smb_krb5_locate_kdc: zero kdcs found !\n"));
+- krb5_krbhst_free(ctx, hnd);
+- return -1;
+- }
+-
+- sa = SMB_MALLOC_ARRAY( struct sockaddr, num_kdcs );
+- if (!sa) {
+- DEBUG(0, ("smb_krb5_locate_kdc: malloc failed\n"));
+- krb5_krbhst_free(ctx, hnd);
+- naddrs = 0;
+- return -1;
+- }
+-
+- memset(sa, '\0', sizeof(struct sockaddr) * num_kdcs );
+-
+- for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) {
+-
+-#if defined(HAVE_KRB5_KRBHST_GET_ADDRINFO)
+- rc = krb5_krbhst_get_addrinfo(ctx, hinfo, &ai);
+- if (rc) {
+- DEBUG(0,("krb5_krbhst_get_addrinfo failed: %s\n", error_message(rc)));
+- continue;
+- }
+-#endif
+- if (hinfo->ai && hinfo->ai->ai_family == AF_INET)
+- memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr));
+- }
+-
+- krb5_krbhst_free(ctx, hnd);
+-
+- *naddrs = num_kdcs;
+- *addr_pp = sa;
+- return 0;
+-}
+-
+-#else /* ! defined(KRB5_KRBHST_INIT) */
+-
+- krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm,
+- struct sockaddr **addr_pp, int *naddrs, int get_masters)
+-{
+- DEBUG(0, ("unable to explicitly locate the KDC on this platform\n"));
+- return KRB5_KDC_UNREACH;
+-}
+-
+-#endif /* KRB5_KRBHST_INIT */
+-
+-#else /* ! HAVE_KRB5_LOCATE_KDC */
+-
+- krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm,
+- struct sockaddr **addr_pp, int *naddrs, int get_masters)
+-{
+- return krb5_locate_kdc(ctx, realm, addr_pp, naddrs, get_masters);
+-}
+-
+-#endif /* HAVE_KRB5_LOCATE_KDC */
+-
+ #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
+ void krb5_free_unparsed_name(krb5_context context, char *val)
+ {
+diff --git a/source3/wscript b/source3/wscript
+index 901d2b6..40b2cde 100644
+--- a/source3/wscript
++++ b/source3/wscript
+@@ -585,7 +585,7 @@ msg.msg_acctrightslen = sizeof(fd);
+ krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes
+ krb5_set_default_tgs_ktypes krb5_principal2salt krb5_use_enctype
+ krb5_string_to_key krb5_get_pw_salt krb5_string_to_key_salt krb5_auth_con_setkey
+-krb5_auth_con_setuseruserkey krb5_locate_kdc krb5_get_permitted_enctypes
++krb5_auth_con_setuseruserkey krb5_get_permitted_enctypes
+ krb5_get_default_in_tkt_etypes krb5_free_data_contents
+ krb5_principal_get_comp_string krb5_free_unparsed_name
+ krb5_free_keytab_entry_contents krb5_kt_free_entry krb5_krbhst_init
+--
+1.7.7.6
+
diff --git a/samba.spec b/samba.spec
index 320307a..c3a0b1c 100644
--- a/samba.spec
+++ b/samba.spec
@@ -1,4 +1,4 @@
-%define main_release 82
+%define main_release 83
%define samba_version 3.6.4
%define tdb_version 1.2.9
%define talloc_version 2.0.5
@@ -45,6 +45,7 @@ Patch104: samba-3.0.0rc3-nmbd-netbiosname.patch
# The passwd part has been applied, but not the group part
Patch107: samba-3.2.0pre1-grouppwd.patch
Patch200: samba-3.2.5-inotify.patch
+Patch201: samba-3.6.4-krb5_locate_kdc.patch
Requires(pre): samba-common = %{epoch}:%{samba_version}-%{release}
Requires: pam >= 0:0.64
@@ -229,6 +230,7 @@ cp %{SOURCE11} packaging/Fedora/
#%patch104 -p1 -b .nmbd-netbiosname # FIXME: does not apply
%patch107 -p1 -b .grouppwd
%patch200 -p0 -b .inotify
+%patch201 -p1 -b .krb5_locate_kdc
mv %samba_source/VERSION %samba_source/VERSION.orig
sed -e 's/SAMBA_VERSION_VENDOR_SUFFIX=$/&\"%{samba_release}\"/' < %samba_source/VERSION.orig > %samba_source/VERSION
@@ -688,6 +690,10 @@ fi
%{_datadir}/pixmaps/samba/logo-small.png
%changelog
+* Fri Apr 20 2012 Guenther Deschner <gdeschner at redhat.com> - 1:3.6.4-83
+- Avoid private krb5_locate_kdc usage
+- resolves: #754783
+
* Thu Apr 12 2012 Jon Ciesla <limburgher at gmail.com> - 1:3.6.4-82
- Update to 3.6.4
- Fixes CVE-2012-1182
More information about the scm-commits
mailing list