[krb5/f19] Pull in a couple of interop and memory leak fixes
Nalin Dahyabhai
nalin at fedoraproject.org
Wed Dec 18 20:30:00 UTC 2013
commit 727bfbead6dafdad1c3cd871e248cfcf54add86d
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Wed Dec 18 15:29:35 2013 -0500
Pull in a couple of interop and memory leak fixes
- pull in fix from master to return a NULL pointer rather than allocating
zero bytes of memory if we read a zero-length input token (RT#7794, part
of #1043962)
- pull in fix from master to ignore an empty token from an acceptor if
we've already finished authenticating (RT#7797, part of #1043962)
- pull in fix from master to avoid a memory leak when a mechanism's
init_sec_context function fails (RT#7803, part of #1043962)
- pull in fix from master to avoid a memory leak in a couple of error
cases which could occur while obtaining acceptor credentials (RT#7805,
part of #1043962)
krb5-master-gss_oid_leak.patch | 28 ++++++++++++++
...ster-ignore-empty-unnecessary-final-token.patch | 37 +++++++++++++++++++
krb5-master-keytab_close.patch | 39 ++++++++++++++++++++
krb5-master-no-malloc0.patch | 39 ++++++++++++++++++++
krb5.spec | 22 +++++++++++-
5 files changed, 164 insertions(+), 1 deletions(-)
---
diff --git a/krb5-master-gss_oid_leak.patch b/krb5-master-gss_oid_leak.patch
new file mode 100644
index 0000000..9613823
--- /dev/null
+++ b/krb5-master-gss_oid_leak.patch
@@ -0,0 +1,28 @@
+commit 1cda48a7ed4069cfc052f974ec3d76a9137c8c5a
+Author: Simo Sorce <simo at redhat.com>
+Date: Fri Dec 13 12:00:41 2013 -0500
+
+ Fix memory leak in SPNEGO initiator
+
+ If we eliminate a mechanism from the initiator list because
+ gss_init_sec_context fails, free the memory for that mech OID before
+ removing it from the list.
+
+ [ghudson at mit.edu: clarified commit message]
+
+ ticket: 7803 (new)
+ target_version: 1.12.1
+ tags: pullup
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 818a1b4..06cfab0 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -890,6 +890,7 @@ init_ctx_call_init(OM_uint32 *minor_status,
+ * can do this with recursion. If all mechanisms produce errors, the
+ * caller should get the error from the first mech in the list.
+ */
++ gssalloc_free(sc->mech_set->elements->elements);
+ memmove(sc->mech_set->elements, sc->mech_set->elements + 1,
+ --sc->mech_set->count * sizeof(*sc->mech_set->elements));
+ if (sc->mech_set->count == 0)
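Review bot: the single added call `gssalloc_free(sc->mech_set->elements->elements);` frees only the OID's element buffer, which is the right granularity here, since the memmove that follows shifts the gss_OID_desc entries down in place rather than freeing them. Before applying this master commit (target_version 1.12.1) onto the 1.11.3 tree named in krb5.spec, confirm that the 1.11.3 SPNEGO initiator allocates those element buffers with gssalloc_malloc, otherwise the free is mismatched. The hunk's trailing context stops at `if (sc->mech_set->count == 0)`, so what happens once the list is emptied is not visible in this review.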
diff --git a/krb5-master-ignore-empty-unnecessary-final-token.patch b/krb5-master-ignore-empty-unnecessary-final-token.patch
new file mode 100644
index 0000000..3ebb888
--- /dev/null
+++ b/krb5-master-ignore-empty-unnecessary-final-token.patch
@@ -0,0 +1,37 @@
+commit 37af638b742dbd642eb70092e4f7781c3f69d86d
+Author: Greg Hudson <ghudson at mit.edu>
+Date: Tue Dec 10 12:04:18 2013 -0500
+
+ Fix SPNEGO one-hop interop against old IIS
+
+ IIS 6.0 and similar return a zero length reponse buffer in the last
+ SPNEGO packet when context initiation is performed without mutual
+ authentication. In this case the underlying Kerberos mechanism has
+ already completed successfully on the first invocation, and SPNEGO
+ does not expect a mech response token in the answer. If we get an
+ empty mech response token when the mech is complete during
+ negotiation, ignore it.
+
+ [ghudson at mit.edu: small code style and commit message changes]
+
+ ticket: 7797 (new)
+ target_version: 1.12.1
+ tags: pullup
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 3937662..d82934b 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ map_errcode(minor_status);
+ ret = GSS_S_DEFECTIVE_TOKEN;
+ }
++ } else if ((*responseToken)->length == 0 && sc->mech_complete) {
++ /* Handle old IIS servers returning empty token instead of
++ * null tokens in the non-mutual auth case. */
++ *negState = ACCEPT_COMPLETE;
++ *tokflag = NO_TOKEN_SEND;
++ ret = GSS_S_COMPLETE;
+ } else if (sc->mech_complete) {
+ /* Reject spurious mech token. */
+ ret = GSS_S_DEFECTIVE_TOKEN;
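Review bot: the new `else if ((*responseToken)->length == 0 && sc->mech_complete)` branch is correctly placed ahead of the existing `else if (sc->mech_complete)` branch, so only a zero-length token is tolerated once the mechanism is complete and a non-empty spurious token still yields GSS_S_DEFECTIVE_TOKEN. The comment would be more useful if it named the IIS 6.0 behaviour from the commit message instead of "old IIS servers". This branch also depends on a zero-length token being represented as `length == 0` with a NULL value, which is what krb5-master-no-malloc0.patch introduces (this patch's base index 3937662 is that patch's result), so the two must stay in that apply order.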
diff --git a/krb5-master-keytab_close.patch b/krb5-master-keytab_close.patch
new file mode 100644
index 0000000..d020ae6
--- /dev/null
+++ b/krb5-master-keytab_close.patch
@@ -0,0 +1,39 @@
+commit decccbcb5075f8fbc28a535a9b337afc84a15dee
+Author: Greg Hudson <ghudson at mit.edu>
+Date: Mon Dec 16 15:37:56 2013 -0500
+
+ Fix GSS krb5 acceptor acquire_cred error handling
+
+ When acquiring acceptor creds with a specified name, if we fail to
+ open a replay cache, we leak the keytab handle. If there is no
+ specified name and we discover that there is no content in the keytab,
+ we leak the keytab handle and return the wrong major code. Memory
+ leak reported by Andrea Campi.
+
+ ticket: 7805
+ target_version: 1.12.1
+ tags: pullup
+
+diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
+index 0efcad4..9547207 100644
+--- a/src/lib/gssapi/krb5/acquire_cred.c
++++ b/src/lib/gssapi/krb5/acquire_cred.c
+@@ -225,6 +225,7 @@ acquire_accept_cred(krb5_context context,
+ code = krb5_get_server_rcache(context, &cred->name->princ->data[0],
+ &cred->rcache);
+ if (code) {
++ krb5_kt_close(context, kt);
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+@@ -232,8 +233,9 @@ acquire_accept_cred(krb5_context context,
+ /* Make sure we have a keytab with keys in it. */
+ code = krb5_kt_have_content(context, kt);
+ if (code) {
++ krb5_kt_close(context, kt);
+ *minor_status = code;
+- return GSS_S_FAILURE;
++ return GSS_S_CRED_UNAVAIL;
+ }
+ }
+
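Review bot: both inner hunks add `krb5_kt_close(context, kt);` before an early return, but the original lines between `@@ -225,6` and `@@ -232,8` are not in the context, so confirm there is no other early return in that gap that still leaks the keytab handle. The second inner hunk additionally replaces `return GSS_S_FAILURE;` with `return GSS_S_CRED_UNAVAIL;` for an empty keytab, which is a status-code change visible to acceptor callers rather than just a leak fix, and should be called out wherever this backport is described.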
diff --git a/krb5-master-no-malloc0.patch b/krb5-master-no-malloc0.patch
new file mode 100644
index 0000000..e5b0e63
--- /dev/null
+++ b/krb5-master-no-malloc0.patch
@@ -0,0 +1,39 @@
+commit 13fd26e1863c79f616653f6a10a58c01f65fceff
+Author: Greg Hudson <ghudson at mit.edu>
+Date: Fri Dec 6 18:56:56 2013 -0500
+
+ Avoid malloc(0) in SPNEGO get_input_token
+
+ If we read a zero-length token in spnego_mech.c's get_input_token(),
+ set the value pointer to NULL instead of calling malloc(0).
+
+ ticket: 7794 (new)
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 24c3440..3937662 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -3140,14 +3140,17 @@ get_input_token(unsigned char **buff_in, unsigned int buff_length)
+ return (NULL);
+
+ input_token->length = len;
+- input_token->value = gssalloc_malloc(input_token->length);
++ if (input_token->length > 0) {
++ input_token->value = gssalloc_malloc(input_token->length);
++ if (input_token->value == NULL) {
++ free(input_token);
++ return (NULL);
++ }
+
+- if (input_token->value == NULL) {
+- free(input_token);
+- return (NULL);
++ memcpy(input_token->value, *buff_in, input_token->length);
++ } else {
++ input_token->value = NULL;
+ }
+-
+- (void) memcpy(input_token->value, *buff_in, input_token->length);
+ *buff_in += input_token->length;
+ return (input_token);
+ }
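Review bot: the restructured branch at `+ if (input_token->length > 0) {` leaves a zero-length token with `value == NULL` and advances `*buff_in` by zero bytes, which is correct only if every caller treats a NULL value as an empty token rather than as an allocation failure; the `return (NULL)` for a failed gssalloc_malloc is preserved, so the two cases remain distinguishable by the caller. The `(void)` cast on memcpy was dropped in the rewrite; harmless, but it is a style change unrelated to the fix.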
diff --git a/krb5.spec b/krb5.spec
index 7ad064c..0dc7597 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -32,7 +32,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.11.3
-Release: 14%{?dist}
+Release: 15%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -103,6 +103,10 @@ Patch138: krb5-1.11.3-gss-ccache-import.patch
Patch139: krb5-CVE-2013-1418.patch
Patch140: krb5-CVE-2013-1417.patch
Patch141: krb5-1.11.3-client-loop.patch
+Patch142: krb5-master-no-malloc0.patch
+Patch143: krb5-master-ignore-empty-unnecessary-final-token.patch
+Patch144: krb5-master-gss_oid_leak.patch
+Patch145: krb5-master-keytab_close.patch
# Patches for otp plugin backport
Patch201: krb5-1.11.2-keycheck.patch
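Review bot: Patch142 (no-malloc0) is declared ahead of Patch143 (ignore-empty-unnecessary-final-token), which matches the dependency recorded in the patches' own index lines (24c3440..3937662 followed by 3937662..d82934b); keep that order if the list is ever renumbered, since Patch143's hunk context assumes Patch142 is already applied.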
@@ -340,6 +344,10 @@ ln -s NOTICE LICENSE
%patch139 -p1 -b .CVE-2013-1418
%patch140 -p1 -b .CVE-2013-1417
%patch141 -p1 -b .client-loop
+%patch142 -p1 -b .no-malloc0
+%patch143 -p1 -b .ignore-empty-unnecessary-final-token
+%patch144 -p1 -b .gss_oid_leak
+%patch145 -p1 -b .keytab_close
%patch201 -p1 -b .keycheck
%patch202 -p1 -b .otp
@@ -934,6 +942,18 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Wed Dec 18 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-15
+- pull in fix from master to return a NULL pointer rather than allocating
+ zero bytes of memory if we read a zero-length input token (RT#7794, part
+ of #1043962)
+- pull in fix from master to ignore an empty token from an acceptor if
+ we've already finished authenticating (RT#7797, part of #1043962)
+- pull in fix from master to avoid a memory leak when a mechanism's
+ init_sec_context function fails (RT#7803, part of #1043962)
+- pull in fix from master to avoid a memory leak in a couple of error
+ cases which could occur while obtaining acceptor credentials (RT#7805,
+ part of #1043962)
+
* Tue Dec 17 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-14
- backport additional changes to libkrad to make it function more like
the version in upstream 1.12, and a few things in the OTP plugin as well
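Review bot: the RT#7805 changelog entry describes the backport only as a memory leak fix, but krb5-master-keytab_close.patch also changes the major status returned for an empty keytab from GSS_S_FAILURE to GSS_S_CRED_UNAVAIL; add that to the entry so packagers and users can see the observable behaviour change.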