[krb5] fixes for MITKRB5-SA-2012-001 and .so symlinks
Nalin Dahyabhai
nalin at fedoraproject.org
Tue Jul 31 18:23:31 UTC 2012
commit 718a1573e15d4bb8ca52a2fca678d655fc29e2f9
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Tue Jul 31 14:14:12 2012 -0400
fixes for MITKRB5-SA-2012-001 and .so symlinks
- add upstream patch to fix freeing an uninitialized pointer and dereferencing
another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014
and CVE-2012-1015, #838012)
- fix a thinko in whether or not we mess around with devel .so symlinks on
systems without a separate /usr (sbose)
2012-001-patch.txt | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++
krb5.spec | 28 ++++++++++++++++++++---
2 files changed, 85 insertions(+), 4 deletions(-)
---
diff --git a/2012-001-patch.txt b/2012-001-patch.txt
new file mode 100644
index 0000000..938b565
--- /dev/null
+++ b/2012-001-patch.txt
@@ -0,0 +1,61 @@
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 23623fe..8ada9d0 100644
+--- a/src/kdc/do_as_req.c
++++ b/src/kdc/do_as_req.c
+@@ -463,7 +463,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
+ krb5_enctype useenctype;
+ struct as_req_state *state;
+
+- state = malloc(sizeof(*state));
++ state = calloc(sizeof(*state), 1);
+ if (!state) {
+ (*respond)(arg, ENOMEM, NULL);
+ return;
+@@ -486,6 +486,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
+ state->authtime = 0;
+ state->c_flags = 0;
+ state->req_pkt = req_pkt;
++ state->inner_body = NULL;
+ state->rstate = NULL;
+ state->sname = 0;
+ state->cname = 0;
+diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
+index 9d8cb34..d4ece3f 100644
+--- a/src/kdc/kdc_preauth.c
++++ b/src/kdc/kdc_preauth.c
+@@ -1438,7 +1438,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
+ continue;
+
+ }
+- if (request_contains_enctype(context, request, db_etype)) {
++ if (krb5_is_permitted_enctype(context, db_etype) &&
++ request_contains_enctype(context, request, db_etype)) {
+ retval = _make_etype_info_entry(context, client->princ,
+ client_key, db_etype,
+ &entry[i], etype_info2);
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index a43b291..94dad3a 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -2461,6 +2461,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request,
+ return 0;
+ pa.magic = KV5M_PA_DATA;
+ pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
++ memset(&checksum, 0, sizeof(checksum));
+ retval = krb5_c_make_checksum(kdc_context,0, reply_key,
+ KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
+ if (retval != 0)
+diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
+index c4bf92e..367c894 100644
+--- a/src/lib/kdb/kdb_default.c
++++ b/src/lib/kdb/kdb_default.c
+@@ -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
+ krb5_boolean saw_non_permitted = FALSE;
+
+ ret = 0;
++ if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
++ return KRB5_KDB_NO_PERMITTED_KEY;
++
+ if (kvno == -1 && stype == -1 && ktype == -1)
+ kvno = 0;
+
diff --git a/krb5.spec b/krb5.spec
index c6a859a..b0b8544 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -11,16 +11,16 @@
%global WITH_SYSVERTO 0
%endif
%if 0%{?fedora} >= 17 || 0%{?rhel} > 6
-%global no_separate_usr 1
+%global separate_usr 0
%else
-%global no_separate_usr 0
+%global separate_usr 1
%endif
%global gettext_domain mit-krb5
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.10.2
-Release: 4%{?dist}
+Release: 5%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -69,6 +69,7 @@ Patch103: krb5-1.10-gcc47.patch
Patch105: krb5-kvno-230379.patch
Patch106: krb5-1.10.2-keytab-etype.patch
Patch107: krb5-trunk-pkinit-anchorsign.patch
+Patch108: http://web.mit.edu/kerberos/advisories/2012-001-patch.txt
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -247,6 +248,7 @@ ln -s NOTICE LICENSE
%patch105 -p1 -b .kvno
%patch106 -p1 -b .keytab-etype
%patch107 -p1 -b .pkinit-anchorsign
+%patch108 -p1 -b .2012-001
rm src/lib/krb5/krb/deltat.c
gzip doc/*.ps
@@ -441,7 +443,7 @@ make -C src DESTDIR=$RPM_BUILD_ROOT EXAMPLEDIR=%{_docdir}/krb5-libs-%{version}/e
# list of link flags, and it helps prevent file conflicts on multilib systems.
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT%{_bindir}/krb5-config
-%if %{no_separate_usr}
+%if %{separate_usr}
# Move specific libraries from %{_libdir} to /%{_lib}, and fixup the symlinks.
touch $RPM_BUILD_ROOT/rootfile
rellibdir=..
@@ -684,14 +686,25 @@ exit 0
/%{_mandir}/man5/k5identity.5*
/%{_mandir}/man5/k5login.5*
/%{_mandir}/man5/krb5.conf.5*
+%if %{separate_usr}
/%{_lib}/libgssapi_krb5.so.*
/%{_lib}/libgssrpc.so.*
/%{_lib}/libk5crypto.so.*
+%else
+%{_libdir}/libgssapi_krb5.so.*
+%{_libdir}/libgssrpc.so.*
+%{_libdir}/libk5crypto.so.*
+%endif
%{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.*
%{_libdir}/libkdb5.so.*
+%if %{separate_usr}
/%{_lib}/libkrb5.so.*
/%{_lib}/libkrb5support.so.*
+%else
+%{_libdir}/libkrb5.so.*
+%{_libdir}/libkrb5support.so.*
+%endif
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/*
@@ -755,6 +768,13 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Tue Jul 31 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10.2-5
+- add upstream patch to fix freeing an uninitialized pointer and dereferencing
+ another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014
+ and CVE-2012-1015, #838012)
+- fix a thinko in whether or not we mess around with devel .so symlinks on
+ systems without a separate /usr (sbose)
+
* Fri Jul 27 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.10.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
More information about the scm-commits
mailing list