From 693b5793b8c615601135bc04216a2ca0966087c5 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 29 Apr 2011 22:32:36 +0000
Subject: Fri Apr 29 22:32:36 UTC 2011
---
 staging/krb5/CVE-2010-4022.patch | 19 +++
 staging/krb5/CVE-2011-0281.0282.0283.patch | 126 +++++++++++++++++++++++++++++
 staging/krb5/CVE-2011-0284.patch | 13 +++
 staging/krb5/CVE-2011-0285.patch | 39 +++++++++
 staging/krb5/PKGBUILD | 77 ++++++++++++++++++
 staging/krb5/kadmind.rc | 40 +++++++++
 staging/krb5/krb5-kdc.rc | 40 +++++++++
 7 files changed, 354 insertions(+)
 create mode 100644 staging/krb5/CVE-2010-4022.patch
 create mode 100644 staging/krb5/CVE-2011-0281.0282.0283.patch
 create mode 100644 staging/krb5/CVE-2011-0284.patch
 create mode 100644 staging/krb5/CVE-2011-0285.patch
 create mode 100644 staging/krb5/PKGBUILD
 create mode 100644 staging/krb5/kadmind.rc
 create mode 100644 staging/krb5/krb5-kdc.rc
(limited to 'staging/krb5')
diff --git a/staging/krb5/CVE-2010-4022.patch b/staging/krb5/CVE-2010-4022.patch
new file mode 100644
index 000000000..30ebf9638
--- /dev/null
+++ b/staging/krb5/CVE-2010-4022.patch
@@ -0,0 +1,19 @@
+diff -up krb5/src/slave/kpropd.c krb5/src/slave/kpropd.c
+--- krb5/src/slave/kpropd.c 2010-12-17 11:14:26.000000000 -0500
++++ krb5/src/slave/kpropd.c 2010-12-17 11:41:19.000000000 -0500
+@@ -404,11 +404,11 @@ retry:
+ }
+
+ close(s);
+- if (iproprole == IPROP_SLAVE)
++ if (iproprole == IPROP_SLAVE) {
+ close(finet);
+-
+- if ((ret = WEXITSTATUS(status)) != 0)
+- return (ret);
++ if ((ret = WEXITSTATUS(status)) != 0)
++ return (ret);
++ }
+ }
+ if (iproprole == IPROP_SLAVE)
+ break;
diff --git a/staging/krb5/CVE-2011-0281.0282.0283.patch b/staging/krb5/CVE-2011-0281.0282.0283.patch
new file mode 100644
index 000000000..e4623e910
--- /dev/null
+++ b/staging/krb5/CVE-2011-0281.0282.0283.patch
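Review bot: None of the four patch files added in this commit records where its hunks come from: CVE-2010-4022.patch carries only a timestamped `diff -up` header, and CVE-2011-0281.0282.0283.patch, CVE-2011-0284.patch and CVE-2011-0285.patch open directly at `diff --git` with no upstream commit id or advisory reference. The sha1sums in PKGBUILD pin each file's content but say nothing about its origin, so the next maintainer cannot easily check the backport against upstream when bumping pkgver. A one-line header above the first `diff` line of each file (for example `Backported from upstream commit <upstream-commit-id> for CVE-2010-4022`), which `patch` ignores, would document the provenance.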
@@ -0,0 +1,126 @@
+diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
+index 63ff3b3..b4a90bb 100644
+--- a/src/kdc/dispatch.c
++++ b/src/kdc/dispatch.c
+@@ -115,7 +115,8 @@ dispatch(void *cb, struct sockaddr *local_saddr, const krb5_fulladdr *from,
+ kdc_insert_lookaside(pkt, *response);
+ #endif
+
+- if (is_tcp == 0 && (*response)->length > max_dgram_reply_size) {
++ if (is_tcp == 0 && *response != NULL &&
++ (*response)->length > max_dgram_reply_size) {
+ too_big_for_udp:
+ krb5_free_data(kdc_context, *response);
+ retval = make_too_big_error(response);
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+index d677bb2..a356907 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
++++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er
+ #define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
+
+ #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \
+- do { \
+- st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
+- if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
+- tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
+- if (ldap_server_handle) \
+- ld = ldap_server_handle->ldap_handle; \
+- } \
+- }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
++ tempst = 0; \
++ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, \
++ NULL, &timelimit, LDAP_NO_LIMIT, &result); \
++ if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
++ tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
++ if (ldap_server_handle) \
++ ld = ldap_server_handle->ldap_handle; \
++ if (tempst == 0) \
++ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, \
++ NULL, NULL, &timelimit, \
++ LDAP_NO_LIMIT, &result); \
++ } \
+ \
+ if (status_check != IGNORE_STATUS) { \
+ if (tempst != 0) { \
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+index 82b0333..84e80ee 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context,
+ {
+ krb5_ldap_server_handle *handle = *ldap_server_handle;
+
++ ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
+ if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
+ || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
+ return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+index 86fa4d1..0f49c86 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+@@ -487,12 +487,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context,
+ * portion, then the first portion of the principal name SHOULD be
+ * "krbtgt". All this check is done in the immediate block.
+ */
+- if (searchfor->length == 2)
+- if ((strncasecmp(searchfor->data[0].data, "krbtgt",
+- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
+- (strncasecmp(searchfor->data[1].data, defrealm,
+- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
++ if (searchfor->length == 2) {
++ if (data_eq_string(searchfor->data[0], "krbtgt") &&
++ data_eq_string(searchfor->data[1], defrealm))
+ return 0;
++ }
+
+ /* first check the length, if they are not equal, then they are not same */
+ if (strlen(defrealm) != searchfor->realm.length)
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index 140db1a..552e39a 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -78,10 +78,10 @@ krb5_error_code
+ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
+ unsigned int flags, krb5_db_entry **entry_ptr)
+ {
+- char *user=NULL, *filter=NULL, **subtree=NULL;
++ char *user=NULL, *filter=NULL, *filtuser=NULL;
+ unsigned int tree=0, ntrees=1, princlen=0;
+ krb5_error_code tempst=0, st=0;
+- char **values=NULL, *cname=NULL;
++ char **values=NULL, **subtree=NULL, *cname=NULL;
+ LDAP *ld=NULL;
+ LDAPMessage *result=NULL, *ent=NULL;
+ krb5_ldap_context *ldap_context=NULL;
+@@ -115,12 +115,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
+ if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
+ goto cleanup;
+
+- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
++ filtuser = ldap_filter_correct(user);
++ if (filtuser == NULL) {
++ st = ENOMEM;
++ goto cleanup;
++ }
++
++ princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */
+ if ((filter = malloc(princlen)) == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
+- snprintf(filter, princlen, FILTER"%s))", user);
++ snprintf(filter, princlen, FILTER"%s))", filtuser);
+
+ if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
+ goto cleanup;
+@@ -207,6 +213,9 @@ cleanup:
+ if (user)
+ free(user);
+
++ if (filtuser)
++ free(filtuser);
++
+ if (cname)
+ free(cname);
+
diff --git a/staging/krb5/CVE-2011-0284.patch b/staging/krb5/CVE-2011-0284.patch
new file mode 100644
index 000000000..c97727568
--- /dev/null
+++ b/staging/krb5/CVE-2011-0284.patch
@@ -0,0 +1,13 @@
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 46b5fa1..464cb6e 100644
+--- a/src/kdc/do_as_req.c
++++ b/src/kdc/do_as_req.c
+@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
+ pad->contents = td[size]->data;
+ pad->length = td[size]->length;
+ pa[size] = pad;
++ td[size]->data = NULL;
++ td[size]->length = 0;
+ }
+ krb5_free_typed_data(kdc_context, td);
+ }
diff --git a/staging/krb5/CVE-2011-0285.patch b/staging/krb5/CVE-2011-0285.patch
new file mode 100644
index 000000000..61039113f
--- /dev/null
+++ b/staging/krb5/CVE-2011-0285.patch
@@ -0,0 +1,39 @@
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index 1124445..0056885 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -52,6 +52,7 @@ process_chpw_request(context, server_handle, realm, keytab,
+
+ ret = 0;
+ rep->length = 0;
++ rep->data = NULL;
+
+ auth_context = NULL;
+ changepw = NULL;
+@@ -76,8 +77,13 @@ process_chpw_request(context, server_handle, realm, keytab,
+ plen = (*ptr++ & 0xff);
+ plen = (plen<<8) | (*ptr++ & 0xff);
+
+- if (plen != req->length)
+- return(KRB5KRB_AP_ERR_MODIFIED);
++ if (plen != req->length) {
++ ret = KRB5KRB_AP_ERR_MODIFIED;
++ numresult = KRB5_KPASSWD_MALFORMED;
++ strlcpy(strresult, "Request length was inconsistent",
++ sizeof(strresult));
++ goto chpwfail;
++ }
+
+ /* verify version number */
+
+@@ -531,6 +537,10 @@ cleanup:
+ if (local_kaddrs != NULL)
+ krb5_free_addresses(server_handle->context, local_kaddrs);
+
++ if ((*response)->data == NULL) {
++ free(*response);
++ *response = NULL;
++ }
+ krb5_kt_close(server_handle->context, kt);
+
+ return ret;
diff --git a/staging/krb5/PKGBUILD b/staging/krb5/PKGBUILD
new file mode 100644
index 000000000..ace8000d4
--- /dev/null
+++ b/staging/krb5/PKGBUILD
@@ -0,0 +1,77 @@
+# $Id: PKGBUILD 121067 2011-04-28 21:24:40Z stephane $
+# Maintainer: Stéphane Gaudreault
+
+pkgname=krb5
+pkgver=1.9
+pkgrel=2
+pkgdesc="The Kerberos network authentication system"
+arch=('i686' 'x86_64')
+url="http://web.mit.edu/kerberos/"
+license=('custom')
+depends=('e2fsprogs' 'libldap' 'keyutils')
+makedepends=('perl')
+provides=('heimdal')
+replaces=('heimdal')
+conflicts=('heimdal')
+backup=('etc/krb5/krb5.conf' 'etc/krb5/kdc.conf')
+source=(http://web.mit.edu/kerberos/dist/${pkgname}/${pkgver}/${pkgname}-${pkgver}-signed.tar
+ kadmind.rc
+ krb5-kdc.rc
+ CVE-2010-4022.patch
+ CVE-2011-0281.0282.0283.patch
+ CVE-2011-0284.patch
+ CVE-2011-0285.patch)
+sha1sums=('a7ad1b4ed37bff4b9087f6c4561b2b222208d779'
+ '640e3046c6558313d2be81cf2252afc8622892b0'
+ '77d2312ecd8bf12a6e72cc8fd871a8ac93b23393'
+ '79ece8b1c140deb2c01bfb64af575636b9bc7704'
+ 'fb2486168ce128cb1a2866bd0df8cd7c4bcd7824'
+ '1c72390c5d629eee592e5cb0c2b600b376e2fdc5'
+ 'b6ae716616ecd5e92f32ec8203a1ab51b5726184')
+options=('!emptydirs')
+
+build() {
+ tar zxvf ${pkgname}-${pkgver}.tar.gz
+ cd "${srcdir}/${pkgname}-${pkgver}/src"
+
+ patch -Np2 -i ../../CVE-2010-4022.patch
+ patch -Np2 -i ../../CVE-2011-0281.0282.0283.patch
+ patch -Np2 -i ../../CVE-2011-0284.patch
+ patch -Np2 -i ../../CVE-2011-0285.patch
+
+ export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all"
+ export CPPFLAGS+=" -I/usr/include/et"
+ ./configure --prefix=/usr \
+ --sysconfdir=/etc/krb5 \
+ --mandir=/usr/share/man \
+ --localstatedir=/var/lib \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --disable-rpath \
+ --without-tcl \
+ --enable-dns-for-realm \
+ --with-ldap
+
+ make
+}
+
+check() {
+ # We can't do this in the build directory.
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ make -C src check
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}/src"
+ make DESTDIR="${pkgdir}" EXAMPLEDIR="/usr/share/doc/${pkgname}/examples" install
+
+ install -D -m 644 config-files/kdc.conf "${pkgdir}"/etc/krb5/kdc.conf
+ install -D -m 644 config-files/krb5.conf "${pkgdir}"/etc/krb5/krb5.conf
+
+ install -d -m 755 "${pkgdir}"/etc/rc.d
+ install -m 755 ../../krb5-kdc.rc "${pkgdir}"/etc/rc.d
+ install -m 755 ../../kadmind.rc "${pkgdir}"/etc/rc.d
+
+ install -Dm644 "${srcdir}"/${pkgname}-${pkgver}/NOTICE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE
+}
diff --git a/staging/krb5/kadmind.rc b/staging/krb5/kadmind.rc
new file mode 100644
index 000000000..45835e35b
--- /dev/null
+++ b/staging/krb5/kadmind.rc
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# general config
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+PID=`pidof -o %PPID /usr/sbin/kadmind`
+case "$1" in
+ start)
+ stat_busy "Starting Kerberos Admin Daemon"
+ if [ -z "$PID" ]; then
+ /usr/sbin/kadmind
+ fi
+ if [ ! -z "$PID" -o $? -gt 0 ]; then
+ stat_fail
+ else
+ add_daemon kadmind
+ stat_done
+ fi
+ ;;
+ stop)
+ stat_busy "Stopping Kerberos Admin Daemon"
+ [ ! -z "$PID" ] && kill $PID &> /dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ rm_daemon kadmind
+ stat_done
+ fi
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ echo "usage: $0 {start|stop|restart}"
+ ;;
+esac
+exit 0
diff --git a/staging/krb5/krb5-kdc.rc b/staging/krb5/krb5-kdc.rc
new file mode 100644
index 000000000..05a03411e
--- /dev/null
+++ b/staging/krb5/krb5-kdc.rc
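Review bot: build() unpacks the inner `${pkgname}-${pkgver}.tar.gz` with `tar zxvf` but never checks the signature that the `-signed.tar` bundle is distributed to carry, so the sha1sum in the PKGBUILD is the only integrity check, and it only pins the bundle to what the maintainer happened to download. Verifying the detached signature before extracting (presumably `gpg --verify ${pkgname}-${pkgver}.tar.gz.asc ${pkgname}-${pkgver}.tar.gz || return 1`, against the MIT release key, the exact file name inside the bundle to be confirmed) would tie the source to upstream rather than to the download. As a smaller point, the four `patch -Np2 -i ../../CVE-*.patch` lines depend on the cwd being exactly two levels below `$srcdir`; `-i "${srcdir}"/CVE-2010-4022.patch` is clearer and survives a change to the `cd` above them.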
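Review bot: In the `stop)` branch, `rm_daemon kadmind` and `stat_done` run as soon as `kill $PID` returns, without waiting for the process to exit, and `restart)` only sleeps one second before `$0 start`; if kadmind takes longer than that to shut down, the start branch's `pidof` still finds the old PID and ends in `stat_fail`, leaving the daemon stopped while the script reported a stop that had not completed. krb5-kdc.rc has the same structure and the same gap. A bounded wait on `pidof` between the kill and `rm_daemon` makes the stop branch reflect the daemon's actual state:
```shell
    else
      # wait (bounded) for the old process to exit before recording the stop
      for i in 1 2 3 4 5 6 7 8 9 10; do
        [ -z "$(pidof -o %PPID /usr/sbin/kadmind)" ] && break
        sleep 1
      done
      rm_daemon kadmind
      # … unchanged: stat_done, fi …
```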
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# general config
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+PID=`pidof -o %PPID /usr/sbin/krb5kdc`
+case "$1" in
+ start)
+ stat_busy "Starting Kerberos Authentication"
+ if [ -z "$PID" ]; then
+ /usr/sbin/krb5kdc
+ fi
+ if [ ! -z "$PID" -o $? -gt 0 ]; then
+ stat_fail
+ else
+ add_daemon krb5-kdc
+ stat_done
+ fi
+ ;;
+ stop)
+ stat_busy "Stopping Kerberos Authentication"
+ [ ! -z "$PID" ] && kill $PID &> /dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ rm_daemon krb5-kdc
+ stat_done
+ fi
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ echo "usage: $0 {start|stop|restart}"
+ ;;
+esac
+exit 0
-- cgit v1.2.3-54-g00ecf