[krb5] * Mon Jan 26 2015 Roland Mainz <rmainz at redhat.com> - 1.13-5 - fix for kinit -C loops (#1184629, MIT/

Roland Mainz gisburn at fedoraproject.org
Mon Jan 26 17:39:30 UTC 2015


commit fb520967f95c2fe2fc337a797b93dfba5363e5fc
Author: Roland Mainz <rmainz at redhat.com>
Date:   Mon Jan 26 18:38:55 2015 +0100

    * Mon Jan 26 2015 Roland Mainz <rmainz at redhat.com> - 1.13-5
    - fix for kinit -C loops (#1184629, MIT/krb5 issue 243, "Do not
      loop on principal unknown errors").
    - Added "python-sphinx-latex" to the build requirements
      to fix build failures on F22 machines.

 krb5-1.13_kinit_C_loop_krb5bug243.patch |  118 +++++++++++++++++++++++++++++++
 krb5.spec                               |   15 +++-
 2 files changed, 130 insertions(+), 3 deletions(-)
---
diff --git a/krb5-1.13_kinit_C_loop_krb5bug243.patch b/krb5-1.13_kinit_C_loop_krb5bug243.patch
new file mode 100644
index 0000000..f9aa870
--- /dev/null
+++ b/krb5-1.13_kinit_C_loop_krb5bug243.patch
@@ -0,0 +1,118 @@
+From d5755694b620570defeecee772def90a2733c6cc Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo at redhat.com>
+Date: Tue, 20 Jan 2015 13:48:34 -0500
+Subject: [PATCH 1/2] Do not loop on principal unknown errors
+
+If the canonicalize flag is set, the MIT KDC always return the client
+principal when KRB5_KDC_ERR_C_PRICIPAL_UNKNOWN is returned.
+
+Check that this is really a referral by testing that the returned
+client realm differs from the requested one.
+
+[ghudson at mit.edu: simplified and narrowed is_referral() contract.
+Note that a WRONG_REALM response with e-data or FAST error padata
+could now be passed through k5_preauth_tryagain() if it has an empty
+crealm or a crealm equal to the requested client realm.  Such a
+response is unexpected in practice and there is nothing dangerous
+about handling it this way.]
+
+ticket: 8060
+target_version: 1.13.1
+tags: pullup
+---
+ src/lib/krb5/krb/get_in_tkt.c | 40 +++++++++++++---------------------------
+ 1 file changed, 13 insertions(+), 27 deletions(-)
+
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index 2c2b654..f9bc027 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
++++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -1379,33 +1379,23 @@ note_req_timestamp(krb5_context context, krb5_init_creds_context ctx,
+         AUTH_OFFSET : UNAUTH_OFFSET;
+ }
+ 
+-/* Determine whether the client realm in a KRB-ERROR is empty. */
+-static krb5_boolean
+-is_empty_crealm(krb5_error *err)
+-{
+-
+-    return (err->client == NULL || err->client->realm.length == 0);
+-}
+-
+ /*
+- * Determine whether a KRB-ERROR is a referral to another realm.
++ * Determine whether err is a client referral to another realm, given the
++ * previously requested client principal name.
+  *
+- * RFC 6806 Section 7 requires that KDCs return the referral realm in
+- * an error type WRONG_REALM, but Microsoft Windows Server 2003 (and
+- * possibly others) return the realm in a PRINCIPAL_UNKNOWN message.
+- * Detect this case by looking for a non-empty client.realm field in
+- * such responses.
++ * RFC 6806 Section 7 requires that KDCs return the referral realm in an error
++ * type WRONG_REALM, but Microsoft Windows Server 2003 (and possibly others)
++ * return the realm in a PRINCIPAL_UNKNOWN message.
+  */
+ static krb5_boolean
+-is_referral(krb5_init_creds_context ctx)
++is_referral(krb5_context context, krb5_error *err, krb5_principal client)
+ {
+-    krb5_error *err = ctx->err_reply;
+-
+-    if (err->error == KDC_ERR_WRONG_REALM)
+-        return TRUE;
+-    if (err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN)
++    if (err->error != KDC_ERR_WRONG_REALM &&
++        err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN)
++        return FALSE;
++    if (err->client == NULL)
+         return FALSE;
+-    return !is_empty_crealm(err);
++    return !krb5_realm_compare(context, err->client, client);
+ }
+ 
+ static krb5_error_code
+@@ -1467,12 +1457,8 @@ init_creds_step_reply(krb5_context context,
+                                              ctx->preauth_to_use);
+             ctx->preauth_required = TRUE;
+ 
+-        } else if (canon_flag && is_referral(ctx)) {
+-            if (is_empty_crealm(ctx->err_reply)) {
+-                /* Only WRONG_REALM referral types can reach this. */
+-                code = KRB5KDC_ERR_WRONG_REALM;
+-                goto cleanup;
+-            }
++        } else if (canon_flag && is_referral(context, ctx->err_reply,
++                                             ctx->request->client)) {
+             TRACE_INIT_CREDS_REFERRAL(context, &ctx->err_reply->client->realm);
+             /* Rewrite request.client with realm from error reply */
+             krb5_free_data_contents(context, &ctx->request->client->realm);
+
+From c0778ab2252ece4c3510788d9b72f7f5e3bb05dd Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson at mit.edu>
+Date: Fri, 23 Jan 2015 12:52:31 -0500
+Subject: [PATCH 2/2] Add test for kinit -C WRONG_REALM response
+
+ticket: 8060
+---
+ src/tests/t_general.py | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/tests/t_general.py b/src/tests/t_general.py
+index 98e77a2..5349b05 100755
+--- a/src/tests/t_general.py
++++ b/src/tests/t_general.py
+@@ -33,6 +33,13 @@
+ 
+ realm = K5Realm(create_host=False)
+ 
++# Test that WRONG_REALM responses aren't treated as referrals unless
++# they contain a crealm field pointing to a different realm.
++# (Regression test for #8060.)
++out = realm.run([kinit, '-C', 'notfoundprinc'], expected_code=1)
++if 'not found in Kerberos database' not in out:
++    fail('Expected error message not seen in kinit -C output')
++
+ # Spot-check KRB5_TRACE output
+ tracefile = os.path.join(realm.testdir, 'trace')
+ realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, realm.user_princ],
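Review bot: The new is_referral() at the first hunk of the embedded get_in_tkt.c patch drops the old `realm.length == 0` guard, so a non-NULL err->client that carries an empty crealm now counts as a referral (krb5_realm_compare reports a mismatch against the requested realm) and init_creds_step_reply, whose body starts and ends outside the hunk, would copy that empty realm into request->client. The upstream note says such a response falls through to k5_preauth_tryagain(), which only holds if the KRB-ERROR decoder leaves client NULL when crealm is absent or empty; that is not visible here and is worth confirming before taking this backport. If the decoder can produce that shape, the safer form is `if (err->client == NULL || err->client->realm.length == 0) return FALSE;`, which keeps the realm comparison below it for the Windows PRINCIPAL_UNKNOWN case. The spec-side plumbing (Patch139 and %patch139) otherwise matches how the neighbouring patches are wired in.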
diff --git a/krb5.spec b/krb5.spec
index 3c45341..bd08d06 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -43,7 +43,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.13
-Release: 4%{?dist}
+Release: 5%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -96,6 +96,7 @@ Patch134: krb5-1.11-kpasswdtest.patch
 Patch136: krb5-socket_wrapper_eventfd_prototype_mismatch.patch
 Patch137: krb5-CVE_2014_5353_fix_LDAP_misused_policy_name_crash.patch
 Patch138: krb5-CVE_2014_5354_support_keyless_principals_in_LDAP.patch
+Patch139: krb5-1.13_kinit_C_loop_krb5bug243.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -106,7 +107,7 @@ BuildRequires: autoconf, bison, flex, gawk, gettext, pkgconfig, sed
 BuildRequires: libcom_err-devel, libedit-devel, libss-devel
 %endif
 BuildRequires: gzip, ncurses-devel, tar
-BuildRequires: python-sphinx, texlive-pdftex
+BuildRequires: python-sphinx, python-sphinx-latex, texlive-pdftex
 # The texlive package got a lot more complicated here.
 %if 0%{?fedora} > 17 || 0%{?rhel} > 6
 # Taken from \usepackage directives produced by sphinx:
@@ -319,6 +320,7 @@ ln NOTICE LICENSE
 
 %patch137 -p1
 %patch138 -p1
+%patch139 -p1 -b .krb5_1_13_kinit_C_loop_krb5bug243
 
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
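Review bot: The new `%patch139 -p1 -b .krb5_1_13_kinit_C_loop_krb5bug243` line uses a backup suffix while the adjacent `%patch137 -p1` and `%patch138 -p1` do not, so the spec now mixes two styles in the same run of patch applications; either drop `-b` here or apply it uniformly. The `-b` backups are written into the unpacked source tree next to get_in_tkt.c and t_general.py, which appear not to be installed, but any later %files wildcard over the tree would pick them up, so the shorter form is the lower-risk one. This hunk sits inside the %prep section, whose start and end are outside the hunk.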
@@ -989,8 +991,15 @@ exit 0
 %{_sbindir}/gss-server
 %{_sbindir}/uuserver
 
+
 %changelog
-* Thu Dec 19 2014 Roland Mainz <rmainz at redhat.com> - 1.13-4
+* Mon Jan 26 2015 Roland Mainz <rmainz at redhat.com> - 1.13-5
+- fix for kinit -C loops (#1184629, MIT/krb5 issue 243, "Do not
+  loop on principal unknown errors").
+- Added "python-sphinx-latex" to the build requirements
+  to fix build failures on F22 machines.
+
+* Thu Dec 18 2014 Roland Mainz <rmainz at redhat.com> - 1.13-4
 - fix for CVE-2014-5354 (#1174546) "krb5: NULL pointer
   dereference when using keyless entries"  
 

