commit krb5 for openSUSE:Factory

25 Mar 2010

Hello community,

here is the log from the commit of package krb5 for openSUSE:Factory
checked in at Fri Mar 26 00:13:28 CET 2010.



--------

--- krb5/krb5-doc.changes	2010-03-04 11:58:11.000000000 +0100
+++ krb5/krb5-doc.changes	2010-03-23 12:40:50.000000000 +0100
@@ -1,0 +2,6 @@
+Tue Mar 23 12:38:29 CET 2010 - mc@suse.de
+
+- add post 1.8 fixes
+  * Document the ticket_lifetime libdefaults setting
+
+-------------------------------------------------------------------
--- krb5/krb5-mini.changes	2010-03-05 02:08:51.000000000 +0100
+++ krb5/krb5-mini.changes	2010-03-26 00:10:07.492839000 +0100
@@ -1,0 +2,22 @@
+Tue Mar 23 14:32:41 CET 2010 - mc@suse.de
+
+- fix a bug where an unauthenticated remote attacker could cause
+  a GSS-API application including the Kerberos administration
+  daemon (kadmind) to crash.
+  CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) 
+
+-------------------------------------------------------------------
+Tue Mar 23 12:33:26 CET 2010 - mc@suse.de
+
+- add post 1.8 fixes
+  * Add IPv6 support to changepw.c
+  * fix two problems in kadm5_get_principal mask handling 
+  * Ignore improperly encoded signedpath AD elements
+  * handle NT_SRV_INST in service principal referrals
+  * dereference options while checking 
+    KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
+  * Fix the kpasswd fallback from the ccache principal name
+  * Document the ticket_lifetime libdefaults setting
+  * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
+
+-------------------------------------------------------------------
krb5.changes: same change

calling whatdependson for head-i586


New:
----
  krb5-1.7-MITKRB5-SA-2010-002.dif
  krb5-1.8-POST.dif

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ krb5-doc.spec ++++++
--- /var/tmp/diff_new_pack.hXrtuB/_old	2010-03-26 00:10:21.000000000 +0100
+++ /var/tmp/diff_new_pack.hXrtuB/_new	2010-03-26 00:10:21.000000000 +0100
@@ -21,7 +21,7 @@
 Name:           krb5-doc
 BuildRequires:  ghostscript-library latex2html texlive
 Version:        1.8
-Release:        1
+Release:        2
 %define srcRoot krb5-1.8
 Summary:        MIT Kerberos5 Implementation--Documentation
 License:        MIT License (or similar)
@@ -31,6 +31,7 @@
 Source3:        %{name}-%{version}-rpmlintrc
 Patch0:         krb5-1.3.5-perlfix.dif
 Patch1:         krb5-1.6.3-texi2dvi-fix.dif
+Patch2:         krb5-1.8-POST.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 
@@ -53,6 +54,7 @@
 %setup -n %{srcRoot}
 %patch0
 %patch1
+%patch2
 
 %build
 

++++++ krb5-mini.spec ++++++
--- /var/tmp/diff_new_pack.hXrtuB/_old	2010-03-26 00:10:21.000000000 +0100
+++ /var/tmp/diff_new_pack.hXrtuB/_new	2010-03-26 00:10:21.000000000 +0100
@@ -28,7 +28,7 @@
 BuildRequires:  bison libcom_err-devel ncurses-devel
 BuildRequires:  keyutils keyutils-devel
 Version:        1.8
-Release:        1
+Release:        2
 %if ! 0%{?build_mini}
 BuildRequires:  libopenssl-devel openldap2-devel
 # bug437293
@@ -55,6 +55,8 @@
 Patch41:        krb5-1.6.3-kpasswd_tcp.patch
 Patch44:        krb5-1.6.3-ktutil-manpage.dif
 Patch46:        krb5-1.6.3-fix-ipv6-query.dif
+Patch47:        krb5-1.7-MITKRB5-SA-2010-002.dif
+Patch50:        krb5-1.8-POST.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %insserv_prereq %fillup_prereq 
@@ -202,6 +204,8 @@
 %patch41 
 %patch44 -p1
 %patch46 -p1
+%patch47
+%patch50
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do

krb5.spec: same change
++++++ krb5-1.7-MITKRB5-SA-2010-002.dif ++++++
Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c.orig
+++ src/lib/gssapi/spnego/spnego_mech.c
@@ -1576,7 +1576,7 @@ spnego_gss_accept_sec_context(
 	spnego_gss_ctx_id_t sc = NULL;
 	spnego_gss_cred_id_t spcred = NULL;
 	OM_uint32 mechstat = GSS_S_FAILURE;
-	int sendTokenInit = 0;
+	int sendTokenInit = 0, tmpret;
 
 	mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER;
 
@@ -1609,7 +1609,6 @@ spnego_gss_accept_sec_context(
 		if (delegated_cred_handle != NULL)
 			*delegated_cred_handle = GSS_C_NO_CREDENTIAL;
 		if (input_token->length == 0) {
-			sendTokenInit = 1;
 			ret = acc_ctx_hints(minor_status,
 					    context_handle, spcred,
 					    &mic_out,
@@ -1617,6 +1616,7 @@ spnego_gss_accept_sec_context(
 					    &return_token);
 			if (ret != GSS_S_COMPLETE)
 				goto cleanup;
+			sendTokenInit = 1;
 			ret = GSS_S_CONTINUE_NEEDED;
 		} else {
 			/* Can set negState to REQUEST_MIC */
@@ -1664,27 +1664,21 @@ spnego_gss_accept_sec_context(
 				 &negState, &return_token);
 	}
 cleanup:
-	if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
-		/* For acceptor-sends-first send a tokenInit */
-		int tmpret;
-
+	if (return_token == INIT_TOKEN_SEND && sendTokenInit) {
 		assert(sc != NULL);
-
-		if (sendTokenInit) {
-			tmpret = make_spnego_tokenInit_msg(sc,
-							   1,
-							   mic_out,
-							   0,
-							   GSS_C_NO_BUFFER,
-							   return_token,
-							   output_token);
-		} else {
-			tmpret = make_spnego_tokenTarg_msg(negState,
-							   sc ? sc->internal_mech : GSS_C_NO_OID,
-							   &mechtok_out, mic_out,
-							   return_token,
-							   output_token);
-		}
+		tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0,
+						   GSS_C_NO_BUFFER,
+						   return_token, output_token);
+		if (tmpret < 0)
+			ret = GSS_S_FAILURE;
+	} else if (return_token != NO_TOKEN_SEND &&
+		   return_token != CHECK_MIC) {
+		tmpret = make_spnego_tokenTarg_msg(negState,
+						   sc ? sc->internal_mech :
+						   GSS_C_NO_OID,
+						   &mechtok_out, mic_out,
+						   return_token,
+						   output_token);
 		if (tmpret < 0)
 			ret = GSS_S_FAILURE;
 	}
++++++ krb5-1.8-POST.dif ++++++
Index: doc/admin.texinfo
===================================================================
--- doc/admin.texinfo.orig
+++ doc/admin.texinfo
@@ -516,13 +516,6 @@ DCE do not support the default cache as
 Kerberos.  Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on
 DCE 1.1 systems.  The default value is @value{DefaultCcacheType}.
 
-@ignore
-@itemx tkt_lifetime
-The default lifetime of a ticket.  The default is
-@value{DefaultTktLifetime}.  This is currently not supported by the
-code.
-@end ignore
-
 @itemx dns_lookup_kdc
 Indicate whether DNS SRV records should be used to locate the KDCs and
 other servers for a realm, if they are not listed in the information for
@@ -583,6 +576,11 @@ If this flag is set, then an attempt to
 fail if the client machine does not have a keytab.  The default for the
 flag is @value{DefaultVerifyApReqNofail}.
 
+@itemx ticket_lifetime
+The value of this tag is the default lifetime for
+initial tickets.  The default value for the tag is
+@value{DefaultTktLifetime}.
+
 @itemx renew_lifetime
 The value of this tag is the default renewable lifetime for
 initial tickets.  The default value for the tag is
Index: src/include/krb5/krb5.hin
===================================================================
--- src/include/krb5/krb5.hin.orig
+++ src/include/krb5/krb5.hin
@@ -1066,7 +1066,7 @@ krb5_verify_checksum(krb5_context contex
 #define KRB5_AUTHDATA_SESAME    65
 #define KRB5_AUTHDATA_WIN2K_PAC 128
 #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129     /* RFC 4537 */
-#define KRB5_AUTHDATA_SIGNTICKET        142
+#define KRB5_AUTHDATA_SIGNTICKET        512     /* formerly 142 in krb5 1.8 */
 #define KRB5_AUTHDATA_FX_ARMOR 71
 /* password change constants */
 
@@ -1184,6 +1184,19 @@ typedef struct _krb5_pa_data {
     krb5_octet *contents;
 } krb5_pa_data;
 
+/* typed data */
+/*
+ * The FAST error handling logic currently assumes that this structure and
+ * krb5_pa_data * can be safely cast to each other if this structure changes,
+ * that code needs to be updated to copy.
+ */
+typedef struct _krb5_typed_data {
+    krb5_magic magic;
+    krb5_int32  type;
+    unsigned int length;
+    krb5_octet *data;
+} krb5_typed_data;
+
 typedef struct _krb5_kdc_req {
     krb5_magic magic;
     krb5_msgtype msg_type;              /* AS_REQ or TGS_REQ? */
Index: src/include/k5-int-pkinit.h
===================================================================
--- src/include/k5-int-pkinit.h.orig
+++ src/include/k5-int-pkinit.h
@@ -101,17 +101,6 @@ typedef struct _krb5_trusted_ca {
     } u;
 } krb5_trusted_ca;
 
-/* typed data */
-/* The FAST error handling logic currently assumes that this structure  and krb5_pa_data * can be safely cast to each other
- * if this structure changes, that code needs to be updated to copy.
- */
-typedef struct _krb5_typed_data {
-    krb5_magic magic;
-    krb5_int32  type;
-    unsigned int length;
-    krb5_octet *data;
-} krb5_typed_data;
-
 /* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */
 typedef struct _krb5_pa_pk_as_req_draft9 {
     krb5_octet_data signedAuthPack;
Index: src/kdc/kdc_authdata.c
===================================================================
--- src/kdc/kdc_authdata.c.orig
+++ src/kdc/kdc_authdata.c
@@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context contex
     enc_sp.length = sp_authdata[0]->length;
 
     code = decode_krb5_ad_signedpath(&enc_sp, &sp);
-    if (code != 0)
+    if (code != 0) {
+        /* Treat an invalid signedpath authdata element as a missing one, since
+         * we believe MS is using the same number for something else. */
+        code = 0;
         goto cleanup;
+    }
 
     code = verify_ad_signedpath_checksum(context,
                                          krbtgt,
Index: src/kdc/do_tgs_req.c
===================================================================
--- src/kdc/do_tgs_req.c.orig
+++ src/kdc/do_tgs_req.c
@@ -1215,6 +1215,7 @@ prep_reprocess_req(krb5_kdc_req *request
         strlcpy(comp1_str,comp1->data,comp1->length+1);
 
         if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
+             krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST ||
              (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN &&
               kdc_active_realm->realm_host_based_services != NULL &&
               (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services,
Index: src/clients/kpasswd/kpasswd.c
===================================================================
--- src/clients/kpasswd/kpasswd.c.orig
+++ src/clients/kpasswd/kpasswd.c
@@ -47,7 +47,7 @@ int main(int argc, char *argv[])
 {
     krb5_error_code ret;
     krb5_context context;
-    krb5_principal princ;
+    krb5_principal princ = NULL;
     char *pname;
     krb5_ccache ccache;
     krb5_get_init_creds_opt *opts = NULL;
@@ -84,23 +84,27 @@ int main(int argc, char *argv[])
             com_err(argv[0], ret, "parsing client name");
             exit(1);
         }
-    } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) {
-        if (ret) {
+    } else {
+        ret = krb5_cc_default(context, &ccache);
+        if (ret != 0) {
             com_err(argv[0], ret, "opening default ccache");
             exit(1);
         }
 
-        if ((ret = krb5_cc_get_principal(context, ccache, &princ))) {
+        ret = krb5_cc_get_principal(context, ccache, &princ);
+        if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) {
             com_err(argv[0], ret, "getting principal from ccache");
             exit(1);
         }
 
-        if ((ret = krb5_cc_close(context, ccache))) {
+        ret = krb5_cc_close(context, ccache);
+        if (ret != 0) {
             com_err(argv[0], ret, "closing ccache");
             exit(1);
         }
-    } else {
-        get_name_from_passwd_file(argv[0], context, &princ);
+
+        if (princ == NULL)
+            get_name_from_passwd_file(argv[0], context, &princ);
     }
 
     if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) {
Index: src/config-files/krb5.conf.M
===================================================================
--- src/config-files/krb5.conf.M.orig
+++ src/config-files/krb5.conf.M
@@ -220,6 +220,10 @@ If this flag is set, then an attempt to
 fail if the client machine does not have a keytab.  The default for the
 flag is false.
 
+.IP ticket_lifetime
+The value of this tag is the default lifetime for initial tickets.  The
+default value for the tag is 1 day (1d).
+
 .IP renew_lifetime
 The value of this tag is the default renewable lifetime for initial
 tickets.  The default value for the tag is 0.
Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c.orig
+++ src/lib/gssapi/spnego/spnego_mech.c
@@ -1687,6 +1687,7 @@ cleanup:
 		if (sc->internal_name != GSS_C_NO_NAME &&
 		    src_name != NULL) {
 			*src_name = sc->internal_name;
+			sc->internal_name = GSS_C_NO_NAME;
 		}
 		release_spnego_ctx(&sc);
 	} else if (ret != GSS_S_CONTINUE_NEEDED) {
@@ -2572,6 +2573,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t *
 		(void) generic_gss_release_oid(&minor_stat,
 				&context->internal_mech);
 
+		(void) gss_release_name(&minor_stat, &context->internal_name);
+
 		if (context->optionStr != NULL) {
 			free(context->optionStr);
 			context->optionStr = NULL;
Index: src/lib/kadm5/srv/svr_principal.c
===================================================================
--- src/lib/kadm5/srv/svr_principal.c.orig
+++ src/lib/kadm5/srv/svr_principal.c
@@ -858,8 +858,8 @@ kadm5_get_principal(void *server_handle,
         if (! (mask & KADM5_MOD_TIME))
             entry->mod_date = 0;
         if (! (mask & KADM5_MOD_NAME)) {
-            krb5_free_principal(handle->context, entry->principal);
-            entry->principal = NULL;
+            krb5_free_principal(handle->context, entry->mod_name);
+            entry->mod_name = NULL;
         }
     }
 
@@ -871,10 +871,12 @@ kadm5_get_principal(void *server_handle,
             if (kdb.key_data[i].key_data_kvno > entry->kvno)
                 entry->kvno = kdb.key_data[i].key_data_kvno;
 
-    ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist,
-                             &entry->mkvno);
-    if (ret)
-        goto done;
+    if (mask & KADM5_MKVNO) {
+        ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist,
+                                 &entry->mkvno);
+        if (ret)
+            goto done;
+    }
 
     if (mask & KADM5_MAX_RLIFE)
         entry->max_renewable_life = kdb.max_renewable_life;
Index: src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c.orig
+++ src/lib/krb5/os/changepw.c
@@ -65,20 +65,23 @@ locate_kpasswd(krb5_context context, con
     int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM);
 
     code = krb5int_locate_server (context, realm, addrlist,
-                                  locate_service_kpasswd, sockType, AF_INET);
+                                  locate_service_kpasswd, sockType, AF_UNSPEC);
 
     if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) {
         code = krb5int_locate_server (context, realm, addrlist,
                                       locate_service_kadmin, SOCK_STREAM,
-                                      AF_INET);
+                                      AF_UNSPEC);
         if (!code) {
             /* Success with admin_server but now we need to change the
                port number to use DEFAULT_KPASSWD_PORT and the socktype.  */
             size_t i;
             for (i=0; i<addrlist->naddrs; i++) {
                 struct addrinfo *a = addrlist->addrs[i].ai;
+                krb5_ui_2 kpasswd_port = htons(DEFAULT_KPASSWD_PORT);
                 if (a->ai_family == AF_INET)
-                    sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT);
+                    sa2sin (a->ai_addr)->sin_port = kpasswd_port;
+                if (a->ai_family == AF_INET6)
+                    sa2sin6 (a->ai_addr)->sin6_port = kpasswd_port;
                 if (sockType != SOCK_STREAM)
                     a->ai_socktype = sockType;
             }
@@ -131,10 +134,16 @@ kpasswd_sendto_msg_callback(struct conn_
     /* some brain-dead OS's don't return useful information from
      * the getsockname call.  Namely, windows and solaris.  */
 
-    if (ss2sin(&local_addr)->sin_addr.s_addr != 0) {
+    if (local_addr.ss_family == AF_INET &&
+        ss2sin(&local_addr)->sin_addr.s_addr != 0) {
         local_kaddr.addrtype = ADDRTYPE_INET;
         local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr);
         local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr;
+    } else if (local_addr.ss_family == AF_INET6 &&
+               ss2sin6(&local_addr)->sin6_addr.s6_addr != 0) {
+        local_kaddr.addrtype = ADDRTYPE_INET6;
+        local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr);
+        local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr;
     } else {
         krb5_address **addrs;
 
@@ -290,9 +299,19 @@ change_set_password(krb5_context context
             break;
         }
 
-        remote_kaddr.addrtype = ADDRTYPE_INET;
-        remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
-        remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
+        if (remote_addr.ss_family == AF_INET) {
+            remote_kaddr.addrtype = ADDRTYPE_INET;
+            remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
+            remote_kaddr.contents =
+                (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
+        } else if (remote_addr.ss_family == AF_INET6) {
+            remote_kaddr.addrtype = ADDRTYPE_INET6;
+            remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr);
+            remote_kaddr.contents =
+                (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr;
+        } else {
+            break;
+        }
 
         if ((code = krb5_auth_con_setaddrs(callback_ctx.context,
                                            callback_ctx.auth_context,
Index: src/lib/krb5/krb/gic_pwd.c
===================================================================
--- src/lib/krb5/krb/gic_pwd.c.orig
+++ src/lib/krb5/krb/gic_pwd.c
@@ -218,7 +218,7 @@ krb5_get_init_creds_password(krb5_contex
      * to prompt.  Prompting is only disabled if the option has been set
      * and the value has been set to false.
      */
-    if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
+    if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
         goto cleanup;
 
     /* ok, we have an expired password.  Give the user a few chances

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...

-- 
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org

    

root＠Hilbert.suse.de

tags

participants (1)