[arch-commits] Commit in krb5/trunk (6 files)

Stéphane Gaudreault stephane at archlinux.org
Sun Mar 27 01:42:08 UTC 2011


    Date: Saturday, March 26, 2011 @ 21:42:07
  Author: stephane
Revision: 116971

Security fixes, install initscripts and sample config files

Added:
  krb5/trunk/CVE-2010-4022.patch
  krb5/trunk/CVE-2011-0281.0282.0283.patch
  krb5/trunk/CVE-2011-0284.patch
  krb5/trunk/kadmind.rc
  krb5/trunk/krb5-kdc.rc
Modified:
  krb5/trunk/PKGBUILD

-------------------------------+
 CVE-2010-4022.patch           |   19 ++++++
 CVE-2011-0281.0282.0283.patch |  126 ++++++++++++++++++++++++++++++++++++++++
 CVE-2011-0284.patch           |   13 ++++
 PKGBUILD                      |   25 ++++++-
 kadmind.rc                    |   40 ++++++++++++
 krb5-kdc.rc                   |   40 ++++++++++++
 6 files changed, 259 insertions(+), 4 deletions(-)

Added: CVE-2010-4022.patch
===================================================================
--- CVE-2010-4022.patch	                        (rev 0)
+++ CVE-2010-4022.patch	2011-03-27 01:42:07 UTC (rev 116971)
@@ -0,0 +1,19 @@
+diff -up krb5/src/slave/kpropd.c krb5/src/slave/kpropd.c
+--- krb5/src/slave/kpropd.c	2010-12-17 11:14:26.000000000 -0500
++++ krb5/src/slave/kpropd.c	2010-12-17 11:41:19.000000000 -0500
+@@ -404,11 +404,11 @@ retry:
+             }
+ 
+             close(s);
+-            if (iproprole == IPROP_SLAVE)
++            if (iproprole == IPROP_SLAVE) {
+                 close(finet);
+-
+-            if ((ret = WEXITSTATUS(status)) != 0)
+-                return (ret);
++                if ((ret = WEXITSTATUS(status)) != 0)
++                    return (ret);
++            }
+         }
+         if (iproprole == IPROP_SLAVE)
+             break;
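Review bot: `WEXITSTATUS(status)` on the moved line is read without first checking `WIFEXITED(status)`, and the value is only meaningful when the child exited normally, so in the IPROP_SLAVE branch a child killed by a signal is not reported as a failure. Outside that branch the child's status is now dropped entirely, which removes the early return but also leaves abnormal child exits unrecorded. Consider testing `WIFEXITED(status)` / `WIFSIGNALED(status)` before using the exit code, and logging a non-zero or signalled child in the standalone path. How `status` is obtained and the rest of the `retry:` loop are outside this hunk, so this needs confirming against the full function.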

Added: CVE-2011-0281.0282.0283.patch
===================================================================
--- CVE-2011-0281.0282.0283.patch	                        (rev 0)
+++ CVE-2011-0281.0282.0283.patch	2011-03-27 01:42:07 UTC (rev 116971)
@@ -0,0 +1,126 @@
+diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
+index 63ff3b3..b4a90bb 100644
+--- a/src/kdc/dispatch.c
++++ b/src/kdc/dispatch.c
+@@ -115,7 +115,8 @@ dispatch(void *cb, struct sockaddr *local_saddr, const krb5_fulladdr *from,
+         kdc_insert_lookaside(pkt, *response);
+ #endif
+ 
+-    if (is_tcp == 0 && (*response)->length > max_dgram_reply_size) {
++    if (is_tcp == 0 && *response != NULL &&
++        (*response)->length > max_dgram_reply_size) {
+     too_big_for_udp:
+         krb5_free_data(kdc_context, *response);
+         retval = make_too_big_error(response);
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+index d677bb2..a356907 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
++++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er
+ #define LDAP_SEARCH(base, scope, filter, attrs)   LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
+ 
+ #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check)         \
+-    do {                                                                \
+-        st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
+-        if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
+-            tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
+-            if (ldap_server_handle)                                     \
+-                ld = ldap_server_handle->ldap_handle;                   \
+-        }                                                               \
+-    }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
++    tempst = 0;                                                         \
++    st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL,     \
++                           NULL, &timelimit, LDAP_NO_LIMIT, &result);   \
++    if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
++        tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle);   \
++        if (ldap_server_handle)                                         \
++            ld = ldap_server_handle->ldap_handle;                       \
++        if (tempst == 0)                                                \
++            st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0,   \
++                                   NULL, NULL, &timelimit,              \
++                                   LDAP_NO_LIMIT, &result);             \
++    }                                                                   \
+                                                                         \
+     if (status_check != IGNORE_STATUS) {                                \
+         if (tempst != 0) {                                              \
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+index 82b0333..84e80ee 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context,
+ {
+     krb5_ldap_server_handle     *handle = *ldap_server_handle;
+ 
++    ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
+     if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
+         || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
+         return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+index 86fa4d1..0f49c86 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+@@ -487,12 +487,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context,
+      * portion, then the first portion of the principal name SHOULD be
+      * "krbtgt".  All this check is done in the immediate block.
+      */
+-    if (searchfor->length == 2)
+-        if ((strncasecmp(searchfor->data[0].data, "krbtgt",
+-                         FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
+-            (strncasecmp(searchfor->data[1].data, defrealm,
+-                         FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
++    if (searchfor->length == 2) {
++        if (data_eq_string(searchfor->data[0], "krbtgt") &&
++            data_eq_string(searchfor->data[1], defrealm))
+             return 0;
++    }
+ 
+     /* first check the length, if they are not equal, then they are not same */
+     if (strlen(defrealm) != searchfor->realm.length)
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index 140db1a..552e39a 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -78,10 +78,10 @@ krb5_error_code
+ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
+                         unsigned int flags, krb5_db_entry **entry_ptr)
+ {
+-    char                        *user=NULL, *filter=NULL, **subtree=NULL;
++    char                        *user=NULL, *filter=NULL, *filtuser=NULL;
+     unsigned int                tree=0, ntrees=1, princlen=0;
+     krb5_error_code             tempst=0, st=0;
+-    char                        **values=NULL, *cname=NULL;
++    char                        **values=NULL, **subtree=NULL, *cname=NULL;
+     LDAP                        *ld=NULL;
+     LDAPMessage                 *result=NULL, *ent=NULL;
+     krb5_ldap_context           *ldap_context=NULL;
+@@ -115,12 +115,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
+     if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
+         goto cleanup;
+ 
+-    princlen = strlen(FILTER) + strlen(user) + 2 + 1;      /* 2 for closing brackets */
++    filtuser = ldap_filter_correct(user);
++    if (filtuser == NULL) {
++        st = ENOMEM;
++        goto cleanup;
++    }
++
++    princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1;  /* 2 for closing brackets */
+     if ((filter = malloc(princlen)) == NULL) {
+         st = ENOMEM;
+         goto cleanup;
+     }
+-    snprintf(filter, princlen, FILTER"%s))", user);
++    snprintf(filter, princlen, FILTER"%s))", filtuser);
+ 
+     if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
+         goto cleanup;
+@@ -207,6 +213,9 @@ cleanup:
+     if (user)
+         free(user);
+ 
++    if (filtuser)
++        free(filtuser);
++
+     if (cname)
+         free(cname);
+ 
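Review bot: The rewritten `LDAP_SEARCH_1` in kdb_ldap.h now expands to a run of bare statements (`tempst = 0;`, the `st = ldap_search_ext_s(...)` call, then two `if` blocks), so a call site used as the unbraced body of an `if` or loop would make only `tempst = 0;` conditional. Wrapping the whole expansion as `do { ... } while (0)` would keep it a single statement, provided the part of the macro below this hunk allows it. The retry also passes `&result` to a second `ldap_search_ext_s` call without releasing anything the first call may have stored there; whether a failed search can leave a message in `result` is not visible here and should be checked. A one-line comment above the macro saying it retries the search at most once, and only after a successful rebind, would document the intent of the change.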

Added: CVE-2011-0284.patch
===================================================================
--- CVE-2011-0284.patch	                        (rev 0)
+++ CVE-2011-0284.patch	2011-03-27 01:42:07 UTC (rev 116971)
@@ -0,0 +1,13 @@
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 46b5fa1..464cb6e 100644
+--- a/src/kdc/do_as_req.c
++++ b/src/kdc/do_as_req.c
+@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
+                     pad->contents = td[size]->data;
+                     pad->length = td[size]->length;
+                     pa[size] = pad;
++                    td[size]->data = NULL;
++                    td[size]->length = 0;
+                 }
+             krb5_free_typed_data(kdc_context, td);
+         }
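Review bot: The two added assignments in `prepare_error_as` carry no comment, and their purpose is easy to miss: `pad->contents` has just taken the pointer from `td[size]->data`, and `krb5_free_typed_data(kdc_context, td)` runs right after the loop. I would add `/* pad now owns this buffer; clear td[size] so krb5_free_typed_data() does not free it too */` above `td[size]->data = NULL;`. The allocation of `pad` and the loop header are outside the hunk, so the path taken when an allocation fails part-way through the loop should be checked for the same ownership question.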

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2011-03-26 17:47:29 UTC (rev 116970)
+++ PKGBUILD	2011-03-27 01:42:07 UTC (rev 116971)
@@ -8,13 +8,25 @@
 arch=('i686' 'x86_64')
 url="http://web.mit.edu/kerberos/"
 license=('custom')
-depends=('e2fsprogs' 'openssl' 'libldap')
+depends=('e2fsprogs' 'libldap' 'keyutils')
 makedepends=('perl')
 provides=('heimdal')
 replaces=('heimdal')
 conflicts=('heimdal')
-source=(http://web.mit.edu/kerberos/dist/${pkgname}/${pkgver}/${pkgname}-${pkgver}-signed.tar)
-sha1sums=('a7ad1b4ed37bff4b9087f6c4561b2b222208d779')
+backup=('etc/krb5/krb5.conf' 'etc/krb5/kdc.conf')
+source=(http://web.mit.edu/kerberos/dist/${pkgname}/${pkgver}/${pkgname}-${pkgver}-signed.tar
+        kadmind.rc
+        krb5-kdc.rc
+        CVE-2010-4022.patch
+        CVE-2011-0281.0282.0283.patch
+        CVE-2011-0284.patch)
+sha1sums=('a7ad1b4ed37bff4b9087f6c4561b2b222208d779'
+          '640e3046c6558313d2be81cf2252afc8622892b0'
+          '049571fd560e7100a7779d7f8f497f6d7f3b8ec6'
+          '79ece8b1c140deb2c01bfb64af575636b9bc7704'
+          'fb2486168ce128cb1a2866bd0df8cd7c4bcd7824'
+          '1c72390c5d629eee592e5cb0c2b600b376e2fdc5')
+options=('!emptydirs')
 
 build() {
    tar zxvf ${pkgname}-${pkgver}.tar.gz
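Review bot: The three CVE patches are added to `source` and `sha1sums`, but neither PKGBUILD hunk adds a `patch` invocation to `build()`, so unless the unchanged part of `build()` already applies them the package is built from unpatched sources. A line such as `patch -Np1 -i "${srcdir}/CVE-2011-0284.patch"` per file is needed after the unpack step; all three patches use a one-component prefix before `src/`, so `-p1` from the top of the unpacked tree should fit. Separately, the tarball is fetched over plain http and checked only against a SHA-1 sum, and the `-signed.tar` name suggests a detached signature ships inside it; verifying that signature before `tar zxvf` would be a stronger integrity check. The body of `build()` continues outside this hunk.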
@@ -39,7 +51,12 @@
 
 package() {
 	cd "${srcdir}/${pkgname}-${pkgver}/src"
-   make DESTDIR="${pkgdir}" EXAMPLEDIR="${pkgdir}/usr/share/doc/${pkgname}/examples" install
+   make DESTDIR="${pkgdir}" EXAMPLEDIR="/usr/share/doc/${pkgname}/examples" install
 
+   install -D -m 644 config-files/kdc.conf "${pkgdir}"/etc/krb5/kdc.conf
+   install -D -m 644 config-files/krb5.conf "${pkgdir}"/etc/krb5/krb5.conf
+   install -D -m 755 ../../krb5-kdc.rc ${startdir}/pkg/etc/rc.d
+   install -D -m 755 ../../kadmind.rc ${startdir}/pkg/etc/rc.d
+
 	install -Dm644 "${srcdir}"/${pkgname}-${pkgver}/NOTICE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE
 }
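Review bot: Both init-script `install -D` lines name the directory `${startdir}/pkg/etc/rc.d` as the destination, and `install -D` treats its last argument as the target file, so unless `etc/rc.d` already exists in the package tree both scripts are written to a file called `rc.d`, the second overwriting the first. They also bypass `${pkgdir}` and leave the path unquoted, unlike the two config-file lines above them. I would write `install -D -m 755 "${srcdir}/krb5-kdc.rc" "${pkgdir}/etc/rc.d/krb5-kdc"` and `install -D -m 755 "${srcdir}/kadmind.rc" "${pkgdir}/etc/rc.d/kadmind"`, which also matches the names passed to `add_daemon` in the scripts.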

Added: kadmind.rc
===================================================================
--- kadmind.rc	                        (rev 0)
+++ kadmind.rc	2011-03-27 01:42:07 UTC (rev 116971)
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# general config
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+PID=`pidof -o %PPID /usr/sbin/kadmind`
+case "$1" in
+    start)
+        stat_busy "Starting Kerberos Admin Daemon"
+        if [ -z "$PID" ]; then
+           /usr/sbin/kadmind
+        fi
+        if [ ! -z "$PID" -o $? -gt 0 ]; then
+            stat_fail
+        else
+            add_daemon kadmind
+            stat_done
+        fi
+        ;;
+    stop)
+        stat_busy "Stopping Kerberos Admin Daemon"
+	    [ ! -z "$PID" ] && kill $PID &> /dev/null
+        if [ $? -gt 0 ]; then
+            stat_fail
+        else
+            rm_daemon kadmind
+            stat_done
+        fi
+        ;;
+    restart)
+        $0 stop
+	sleep 1
+        $0 start
+        ;;
+    *)
+        echo "usage: $0 {start|stop|restart}"
+	;;
+esac
+exit 0
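Review bot: The script ends with an unconditional `exit 0`, so a failed `start` or `stop` prints `stat_fail` on the console but still returns success to whatever invoked it; krb5-kdc.rc has the same ending. The `$?` tests are also fragile: in `start` it reads the status of the preceding `if` compound, and in `stop` an empty `$PID` is reported through the exit status of the `[ ... ]` test rather than of `kill`. Capturing the status explicitly (for example `/usr/sbin/kadmind; rc=$?`) and exiting non-zero on the failure branches would make both scripts easier to supervise and monitor.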

Added: krb5-kdc.rc
===================================================================
--- krb5-kdc.rc	                        (rev 0)
+++ krb5-kdc.rc	2011-03-27 01:42:07 UTC (rev 116971)
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# general config
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+PID=`pidof -o %PPID /usr/sbin/krb5kdc`
+case "$1" in
+    start)
+        stat_busy "Starting Kerberos Authentication"
+        if [ -z "$PID" ]; then
+           /usr/sbin/krb5kdc --detach
+        fi
+        if [ ! -z "$PID" -o $? -gt 0 ]; then
+            stat_fail
+        else
+            add_daemon krb5-kdc
+            stat_done
+        fi
+        ;;
+    stop)
+        stat_busy "Stopping Kerberos Authentication"
+	    [ ! -z "$PID" ] && kill $PID &> /dev/null
+        if [ $? -gt 0 ]; then
+            stat_fail
+        else
+            rm_daemon krb5-kdc
+            stat_done
+        fi
+        ;;
+    restart)
+        $0 stop
+	sleep 1
+        $0 start
+        ;;
+    *)
+        echo "usage: $0 {start|stop|restart}"
+	;;
+esac
+exit 0
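Review bot: `/usr/sbin/krb5kdc --detach` passes a long option that matches the kdc of Heimdal, the package this one replaces, and I do not know of MIT krb5kdc accepting it; if the option is rejected the daemon exits at startup and the KDC never comes up. MIT krb5kdc detaches on its own unless told to stay in the foreground, so plain `/usr/sbin/krb5kdc` is probably what is wanted. Please confirm against the krb5kdc man page for this version before shipping the script.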



