authorroot <root@rshg047.dnsready.net>2011-04-29 22:32:36 +0000
committerroot <root@rshg047.dnsready.net>2011-04-29 22:32:36 +0000
commit693b5793b8c615601135bc04216a2ca0966087c5 (patch)
tree1c1cf0bc5020b0226efff0b39c7847b3414efaa6 /staging/krb5
parent19f42937be8f6619a85663cb71e24c05b7e8b6d2 (diff)
Fri Apr 29 22:32:36 UTC 2011
Diffstat (limited to 'staging/krb5')
-rw-r--r--staging/krb5/CVE-2010-4022.patch19
-rw-r--r--staging/krb5/CVE-2011-0281.0282.0283.patch126
-rw-r--r--staging/krb5/CVE-2011-0284.patch13
-rw-r--r--staging/krb5/CVE-2011-0285.patch39
-rw-r--r--staging/krb5/PKGBUILD77
-rw-r--r--staging/krb5/kadmind.rc40
-rw-r--r--staging/krb5/krb5-kdc.rc40
7 files changed, 354 insertions, 0 deletions
diff --git a/staging/krb5/CVE-2010-4022.patch b/staging/krb5/CVE-2010-4022.patch
new file mode 100644
index 000000000..30ebf9638
--- /dev/null
+++ b/staging/krb5/CVE-2010-4022.patch
@@ -0,0 +1,19 @@
+diff -up krb5/src/slave/kpropd.c krb5/src/slave/kpropd.c
+--- krb5/src/slave/kpropd.c 2010-12-17 11:14:26.000000000 -0500
++++ krb5/src/slave/kpropd.c 2010-12-17 11:41:19.000000000 -0500
+@@ -404,11 +404,11 @@ retry:
+ }
+
+ close(s);
+- if (iproprole == IPROP_SLAVE)
++ if (iproprole == IPROP_SLAVE) {
+ close(finet);
+-
+- if ((ret = WEXITSTATUS(status)) != 0)
+- return (ret);
++ if ((ret = WEXITSTATUS(status)) != 0)
++ return (ret);
++ }
+ }
+ if (iproprole == IPROP_SLAVE)
+ break;
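Review bot: None of the four CVE patch files added in this commit records where it came from; this one begins directly at the `diff -up` line and the other three at `diff --git`. A short header above the first diff line, for example `Upstream fix for CVE-2010-4022 (kpropd exit-status handling), taken from <upstream advisory or commit URL>`, would let a later packager confirm that the staged patch matches the upstream fix and know when it can be dropped. patch(1) skips leading text before the first file header, so the `patch -Np2` calls in the PKGBUILD are unaffected.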
diff --git a/staging/krb5/CVE-2011-0281.0282.0283.patch b/staging/krb5/CVE-2011-0281.0282.0283.patch
new file mode 100644
index 000000000..e4623e910
--- /dev/null
+++ b/staging/krb5/CVE-2011-0281.0282.0283.patch
@@ -0,0 +1,126 @@
+diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
+index 63ff3b3..b4a90bb 100644
+--- a/src/kdc/dispatch.c
++++ b/src/kdc/dispatch.c
+@@ -115,7 +115,8 @@ dispatch(void *cb, struct sockaddr *local_saddr, const krb5_fulladdr *from,
+ kdc_insert_lookaside(pkt, *response);
+ #endif
+
+- if (is_tcp == 0 && (*response)->length > max_dgram_reply_size) {
++ if (is_tcp == 0 && *response != NULL &&
++ (*response)->length > max_dgram_reply_size) {
+ too_big_for_udp:
+ krb5_free_data(kdc_context, *response);
+ retval = make_too_big_error(response);
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+index d677bb2..a356907 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
++++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er
+ #define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
+
+ #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \
+- do { \
+- st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
+- if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
+- tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
+- if (ldap_server_handle) \
+- ld = ldap_server_handle->ldap_handle; \
+- } \
+- }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
++ tempst = 0; \
++ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, \
++ NULL, &timelimit, LDAP_NO_LIMIT, &result); \
++ if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
++ tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
++ if (ldap_server_handle) \
++ ld = ldap_server_handle->ldap_handle; \
++ if (tempst == 0) \
++ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, \
++ NULL, NULL, &timelimit, \
++ LDAP_NO_LIMIT, &result); \
++ } \
+ \
+ if (status_check != IGNORE_STATUS) { \
+ if (tempst != 0) { \
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+index 82b0333..84e80ee 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context,
+ {
+ krb5_ldap_server_handle *handle = *ldap_server_handle;
+
++ ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
+ if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
+ || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
+ return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+index 86fa4d1..0f49c86 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+@@ -487,12 +487,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context,
+ * portion, then the first portion of the principal name SHOULD be
+ * "krbtgt". All this check is done in the immediate block.
+ */
+- if (searchfor->length == 2)
+- if ((strncasecmp(searchfor->data[0].data, "krbtgt",
+- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
+- (strncasecmp(searchfor->data[1].data, defrealm,
+- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
++ if (searchfor->length == 2) {
++ if (data_eq_string(searchfor->data[0], "krbtgt") &&
++ data_eq_string(searchfor->data[1], defrealm))
+ return 0;
++ }
+
+ /* first check the length, if they are not equal, then they are not same */
+ if (strlen(defrealm) != searchfor->realm.length)
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index 140db1a..552e39a 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -78,10 +78,10 @@ krb5_error_code
+ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
+ unsigned int flags, krb5_db_entry **entry_ptr)
+ {
+- char *user=NULL, *filter=NULL, **subtree=NULL;
++ char *user=NULL, *filter=NULL, *filtuser=NULL;
+ unsigned int tree=0, ntrees=1, princlen=0;
+ krb5_error_code tempst=0, st=0;
+- char **values=NULL, *cname=NULL;
++ char **values=NULL, **subtree=NULL, *cname=NULL;
+ LDAP *ld=NULL;
+ LDAPMessage *result=NULL, *ent=NULL;
+ krb5_ldap_context *ldap_context=NULL;
+@@ -115,12 +115,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
+ if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
+ goto cleanup;
+
+- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
++ filtuser = ldap_filter_correct(user);
++ if (filtuser == NULL) {
++ st = ENOMEM;
++ goto cleanup;
++ }
++
++ princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */
+ if ((filter = malloc(princlen)) == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
+- snprintf(filter, princlen, FILTER"%s))", user);
++ snprintf(filter, princlen, FILTER"%s))", filtuser);
+
+ if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
+ goto cleanup;
+@@ -207,6 +213,9 @@ cleanup:
+ if (user)
+ free(user);
+
++ if (filtuser)
++ free(filtuser);
++
+ if (cname)
+ free(cname);
+
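Review bot: In the kdb_ldap_conn.c hunk, `handle->ldap_handle` keeps the pointer that `ldap_unbind_ext_s()` has just released until `ldap_initialize()` stores a new one. Whether the field is overwritten when `ldap_initialize()` fails depends on the LDAP library, and the fallback `krb5_ldap_request_next_handle_from_pool()` is not visible here, so a stale handle may survive the failure path. Adding `handle->ldap_handle = NULL;` right after the unbind would make that path safe either way. The body of krb5_ldap_rebind() continues outside the hunk, and since the code is an upstream fix, the change is best proposed upstream as well.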
diff --git a/staging/krb5/CVE-2011-0284.patch b/staging/krb5/CVE-2011-0284.patch
new file mode 100644
index 000000000..c97727568
--- /dev/null
+++ b/staging/krb5/CVE-2011-0284.patch
@@ -0,0 +1,13 @@
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 46b5fa1..464cb6e 100644
+--- a/src/kdc/do_as_req.c
++++ b/src/kdc/do_as_req.c
+@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
+ pad->contents = td[size]->data;
+ pad->length = td[size]->length;
+ pa[size] = pad;
++ td[size]->data = NULL;
++ td[size]->length = 0;
+ }
+ krb5_free_typed_data(kdc_context, td);
+ }
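Review bot: The two added assignments in prepare_error_as() have no comment, and without one they read like dead stores just ahead of `krb5_free_typed_data(kdc_context, td)`. Judging from the lines above them, `pad->contents` now aliases `td[size]->data`, so the clearing presumably keeps that buffer from being released twice. A line such as `/* pad now owns this buffer; clear td[size] so krb5_free_typed_data() does not free it too */` above `td[size]->data = NULL;` would record that. The enclosing loop starts outside the hunk.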
diff --git a/staging/krb5/CVE-2011-0285.patch b/staging/krb5/CVE-2011-0285.patch
new file mode 100644
index 000000000..61039113f
--- /dev/null
+++ b/staging/krb5/CVE-2011-0285.patch
@@ -0,0 +1,39 @@
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index 1124445..0056885 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -52,6 +52,7 @@ process_chpw_request(context, server_handle, realm, keytab,
+
+ ret = 0;
+ rep->length = 0;
++ rep->data = NULL;
+
+ auth_context = NULL;
+ changepw = NULL;
+@@ -76,8 +77,13 @@ process_chpw_request(context, server_handle, realm, keytab,
+ plen = (*ptr++ & 0xff);
+ plen = (plen<<8) | (*ptr++ & 0xff);
+
+- if (plen != req->length)
+- return(KRB5KRB_AP_ERR_MODIFIED);
++ if (plen != req->length) {
++ ret = KRB5KRB_AP_ERR_MODIFIED;
++ numresult = KRB5_KPASSWD_MALFORMED;
++ strlcpy(strresult, "Request length was inconsistent",
++ sizeof(strresult));
++ goto chpwfail;
++ }
+
+ /* verify version number */
+
+@@ -531,6 +537,10 @@ cleanup:
+ if (local_kaddrs != NULL)
+ krb5_free_addresses(server_handle->context, local_kaddrs);
+
++ if ((*response)->data == NULL) {
++ free(*response);
++ *response = NULL;
++ }
+ krb5_kt_close(server_handle->context, kt);
+
+ return ret;
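Review bot: The check added under `cleanup:` dereferences `*response` without first testing it for NULL. If any `goto cleanup` can be reached before `*response` has been allocated (those paths are outside the hunk), the new code would crash the daemon on the error path it is meant to tidy up. Writing the condition as `if (*response != NULL && (*response)->data == NULL) {` is safe in both cases. The function containing this label begins outside the hunk.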
diff --git a/staging/krb5/PKGBUILD b/staging/krb5/PKGBUILD
new file mode 100644
index 000000000..ace8000d4
--- /dev/null
+++ b/staging/krb5/PKGBUILD
@@ -0,0 +1,77 @@
+# $Id: PKGBUILD 121067 2011-04-28 21:24:40Z stephane $
+# Maintainer: Stéphane Gaudreault <stephane@archlinux.org>
+
+pkgname=krb5
+pkgver=1.9
+pkgrel=2
+pkgdesc="The Kerberos network authentication system"
+arch=('i686' 'x86_64')
+url="http://web.mit.edu/kerberos/"
+license=('custom')
+depends=('e2fsprogs' 'libldap' 'keyutils')
+makedepends=('perl')
+provides=('heimdal')
+replaces=('heimdal')
+conflicts=('heimdal')
+backup=('etc/krb5/krb5.conf' 'etc/krb5/kdc.conf')
+source=(http://web.mit.edu/kerberos/dist/${pkgname}/${pkgver}/${pkgname}-${pkgver}-signed.tar
+ kadmind.rc
+ krb5-kdc.rc
+ CVE-2010-4022.patch
+ CVE-2011-0281.0282.0283.patch
+ CVE-2011-0284.patch
+ CVE-2011-0285.patch)
+sha1sums=('a7ad1b4ed37bff4b9087f6c4561b2b222208d779'
+ '640e3046c6558313d2be81cf2252afc8622892b0'
+ '77d2312ecd8bf12a6e72cc8fd871a8ac93b23393'
+ '79ece8b1c140deb2c01bfb64af575636b9bc7704'
+ 'fb2486168ce128cb1a2866bd0df8cd7c4bcd7824'
+ '1c72390c5d629eee592e5cb0c2b600b376e2fdc5'
+ 'b6ae716616ecd5e92f32ec8203a1ab51b5726184')
+options=('!emptydirs')
+
+build() {
+ tar zxvf ${pkgname}-${pkgver}.tar.gz
+ cd "${srcdir}/${pkgname}-${pkgver}/src"
+
+ patch -Np2 -i ../../CVE-2010-4022.patch
+ patch -Np2 -i ../../CVE-2011-0281.0282.0283.patch
+ patch -Np2 -i ../../CVE-2011-0284.patch
+ patch -Np2 -i ../../CVE-2011-0285.patch
+
+ export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all"
+ export CPPFLAGS+=" -I/usr/include/et"
+ ./configure --prefix=/usr \
+ --sysconfdir=/etc/krb5 \
+ --mandir=/usr/share/man \
+ --localstatedir=/var/lib \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --disable-rpath \
+ --without-tcl \
+ --enable-dns-for-realm \
+ --with-ldap
+
+ make
+}
+
+check() {
+ # We can't do this in the build directory.
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ make -C src check
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}/src"
+ make DESTDIR="${pkgdir}" EXAMPLEDIR="/usr/share/doc/${pkgname}/examples" install
+
+ install -D -m 644 config-files/kdc.conf "${pkgdir}"/etc/krb5/kdc.conf
+ install -D -m 644 config-files/krb5.conf "${pkgdir}"/etc/krb5/krb5.conf
+
+ install -d -m 755 "${pkgdir}"/etc/rc.d
+ install -m 755 ../../krb5-kdc.rc "${pkgdir}"/etc/rc.d
+ install -m 755 ../../kadmind.rc "${pkgdir}"/etc/rc.d
+
+ install -Dm644 "${srcdir}"/${pkgname}-${pkgver}/NOTICE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE
+}
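Review bot: build() unpacks `${pkgname}-${pkgver}.tar.gz` out of the `-signed.tar` container without checking the detached signature that container presumably ships, so the only integrity check on a source fetched over plain `http://` is the SHA-1 entry in `sha1sums`. For a package that provides the KDC and kadmind, the signature should be verified before the `tar zxvf` line, e.g. `gpg --verify ${pkgname}-${pkgver}.tar.gz.asc ${pkgname}-${pkgver}.tar.gz || return 1` (the `.asc` file name is assumed; confirm it against the container's contents). Moving the checksum array to `sha256sums` would also strengthen the pin on the tarball and the four security patches.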
diff --git a/staging/krb5/kadmind.rc b/staging/krb5/kadmind.rc
new file mode 100644
index 000000000..45835e35b
--- /dev/null
+++ b/staging/krb5/kadmind.rc
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# general config
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+PID=`pidof -o %PPID /usr/sbin/kadmind`
+case "$1" in
+ start)
+ stat_busy "Starting Kerberos Admin Daemon"
+ if [ -z "$PID" ]; then
+ /usr/sbin/kadmind
+ fi
+ if [ ! -z "$PID" -o $? -gt 0 ]; then
+ stat_fail
+ else
+ add_daemon kadmind
+ stat_done
+ fi
+ ;;
+ stop)
+ stat_busy "Stopping Kerberos Admin Daemon"
+ [ ! -z "$PID" ] && kill $PID &> /dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ rm_daemon kadmind
+ stat_done
+ fi
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ echo "usage: $0 {start|stop|restart}"
+ ;;
+esac
+exit 0
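Review bot: The script ends with an unconditional `exit 0`, so a caller gets a success status even when the `start` or `stop` branch went through `stat_fail`; krb5-kdc.rc has the same ending. For authentication daemons it is useful for boot scripts and monitoring to see that kadmind or the KDC did not come up. Setting `rc=1` next to each `stat_fail` and finishing with `exit ${rc:-0}` would propagate the result. The `restart` branch would then also need to pass on the status of `$0 start`.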
diff --git a/staging/krb5/krb5-kdc.rc b/staging/krb5/krb5-kdc.rc
new file mode 100644
index 000000000..05a03411e
--- /dev/null
+++ b/staging/krb5/krb5-kdc.rc
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# general config
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+PID=`pidof -o %PPID /usr/sbin/krb5kdc`
+case "$1" in
+ start)
+ stat_busy "Starting Kerberos Authentication"
+ if [ -z "$PID" ]; then
+ /usr/sbin/krb5kdc
+ fi
+ if [ ! -z "$PID" -o $? -gt 0 ]; then
+ stat_fail
+ else
+ add_daemon krb5-kdc
+ stat_done
+ fi
+ ;;
+ stop)
+ stat_busy "Stopping Kerberos Authentication"
+ [ ! -z "$PID" ] && kill $PID &> /dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ rm_daemon krb5-kdc
+ stat_done
+ fi
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ echo "usage: $0 {start|stop|restart}"
+ ;;
+esac
+exit 0