diff options
author | Nalin Dahyabhai <nalin@redhat.com> | 2013-06-04 11:07:24 -0400 |
---|---|---|
committer | Nalin Dahyabhai <nalin@redhat.com> | 2013-06-04 11:13:25 -0400 |
commit | 7b66f600ef20913038550aa2da492ab6a52526ad (patch) | |
tree | e8f3abd733338c643c463bb8e1227ef83af26bd1 | |
parent | ff0ee943423e6eecb8328806aa44c65d486dbaa8 (diff) | |
download | krb5-7b66f600ef20913038550aa2da492ab6a52526ad.tar.gz krb5-7b66f600ef20913038550aa2da492ab6a52526ad.tar.xz krb5-7b66f600ef20913038550aa2da492ab6a52526ad.zip |
update to 1.11.3
- update to 1.11.3
- drop patch for RT#7605, fixed in this release
- drop patch for CVE-2002-2443, fixed in this release
- drop patch for RT#7369, fixed in this release
- pull upstream fix for breaking t_skew.py by adding the patch for #961221
-rw-r--r-- | krb5-1.11.2-gss_transited.patch | 81 | ||||
-rw-r--r-- | krb5-1.11.2-kpasswd_pingpong.patch | 64 | ||||
-rw-r--r-- | krb5-1.11.3-skew3.patch | 28 | ||||
-rw-r--r-- | krb5-fast-msg_type.patch | 28 | ||||
-rw-r--r-- | krb5.spec | 21 | ||||
-rw-r--r-- | sources | 6 |
6 files changed, 43 insertions, 185 deletions
diff --git a/krb5-1.11.2-gss_transited.patch b/krb5-1.11.2-gss_transited.patch deleted file mode 100644 index f112f40..0000000 --- a/krb5-1.11.2-gss_transited.patch +++ /dev/null @@ -1,81 +0,0 @@ -Should fix #959685. - -commit b4d2d74082d239e3024254ab8ffb55c9dd087ff7 -Author: Greg Hudson <ghudson@mit.edu> -Date: Mon May 20 11:03:04 2013 -0400 - - Fix transited handling for GSSAPI acceptors - - The Acceptor Names project (#6855) extended krb5_rd_req so that it can - accept a "matching principal" in the server parameter. If the - matching principal has an empty realm, rd_req_decoded_opt attempted to - do transited checking with an empty server realm. - - To fix this, always reset server to req->ticket->server for future - processing steps if we decrypt the ticket using a keytab. - decrypt_ticket replaces req->ticket->server with the principal name - from the keytab entry, so we know this name is correct. - - Based on a bug report and patch from nalin@redhat.com. - - (cherry picked from commit 57acee11b5c6682a7f4f036e35d8b2fc9292875e) - - ticket: 7639 - version_fixed: 1.11.3 - status: resolved - -diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c -index 6495bae..6dacb35 100644 ---- a/src/lib/krb5/krb/rd_req_dec.c -+++ b/src/lib/krb5/krb/rd_req_dec.c -@@ -277,11 +277,16 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, - } - krb5_k_free_key(context, (*auth_context)->key); - (*auth_context)->key = NULL; -+ if (server == NULL) -+ server = req->ticket->server; - } else { - retval = decrypt_ticket(context, req, server, keytab, - check_valid_flag ? &decrypt_key : NULL); - if (retval) - goto cleanup; -+ /* decrypt_ticket placed the principal of the keytab key in -+ * req->ticket->server; always use this for later steps. */ -+ server = req->ticket->server; - } - TRACE_RD_REQ_TICKET(context, req->ticket->enc_part2->client, - req->ticket->server, req->ticket->enc_part2->session); -@@ -308,9 +313,6 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, - goto cleanup; - } - -- if (!server) { -- server = req->ticket->server; -- } - /* Get an rcache if necessary. */ - if (((*auth_context)->rcache == NULL) - && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) -diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py -index e453b71..cafbea1 100755 ---- a/src/tests/gssapi/t_gssapi.py -+++ b/src/tests/gssapi/t_gssapi.py -@@ -117,6 +117,19 @@ if 'host/-nomatch-' not in output: - - realm.stop() - -+# Make sure a GSSAPI acceptor can handle cross-realm tickets with a -+# transited field. (Regression test for #7639.) -+r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)), -+ create_user=False, create_host=False, -+ args=[{'realm': 'A.X', 'create_user': True}, -+ {'realm': 'X'}, -+ {'realm': 'B.X', 'create_host': True}]) -+os.rename(r3.keytab, r1.keytab) -+r1.run_as_client(['./t_accname', 'p:' + r3.host_princ, 'h:host']) -+r1.stop() -+r2.stop() -+r3.stop() -+ - ### Test gss_inquire_cred behavior. - - realm = K5Realm() diff --git a/krb5-1.11.2-kpasswd_pingpong.patch b/krb5-1.11.2-kpasswd_pingpong.patch deleted file mode 100644 index 40a5abe..0000000 --- a/krb5-1.11.2-kpasswd_pingpong.patch +++ /dev/null @@ -1,64 +0,0 @@ -commit cf1a0c411b2668c57c41e9c4efd15ba17b6b322c -Author: Tom Yu <tlyu@mit.edu> -Date: Fri May 3 16:26:46 2013 -0400 - - Fix kpasswd UDP ping-pong [CVE-2002-2443] - - The kpasswd service provided by kadmind was vulnerable to a UDP - "ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless - they pass some basic validation, and don't respond to our own error - packets. - - Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong - attack or UDP ping-pong attacks in general, but there is discussion - leading toward narrowing the definition of CVE-1999-0103 to the echo, - chargen, or other similar built-in inetd services. - - Thanks to Vincent Danen for alerting us to this issue. - - CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C - - ticket: 7637 (new) - target_version: 1.11.3 - tags: pullup - -diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c -index 15b0ab5..7f455d8 100644 ---- a/src/kadmin/server/schpw.c -+++ b/src/kadmin/server/schpw.c -@@ -52,7 +52,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm, - ret = KRB5KRB_AP_ERR_MODIFIED; - numresult = KRB5_KPASSWD_MALFORMED; - strlcpy(strresult, "Request was truncated", sizeof(strresult)); -- goto chpwfail; -+ goto bailout; - } - - ptr = req->data; -@@ -67,7 +67,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm, - numresult = KRB5_KPASSWD_MALFORMED; - strlcpy(strresult, "Request length was inconsistent", - sizeof(strresult)); -- goto chpwfail; -+ goto bailout; - } - - /* verify version number */ -@@ -80,7 +80,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm, - numresult = KRB5_KPASSWD_BAD_VERSION; - snprintf(strresult, sizeof(strresult), - "Request contained unknown protocol version number %d", vno); -- goto chpwfail; -+ goto bailout; - } - - /* read, check ap-req length */ -@@ -93,7 +93,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm, - numresult = KRB5_KPASSWD_MALFORMED; - strlcpy(strresult, "Request was truncated in AP-REQ", - sizeof(strresult)); -- goto chpwfail; -+ goto bailout; - } - - /* verify ap_req */ diff --git a/krb5-1.11.3-skew3.patch b/krb5-1.11.3-skew3.patch new file mode 100644 index 0000000..0fe0b28 --- /dev/null +++ b/krb5-1.11.3-skew3.patch @@ -0,0 +1,28 @@ +commit 3b1b31a57cd932eda928932e67f5f2857929f429 +Author: Greg Hudson <ghudson@mit.edu> +Date: Sun Jun 2 15:36:40 2013 -0400 + + Fix spurious clock skew caused by preauth delay + + Commit 37b0e55e21926c7875b7176e24e13005920915a6 (#7063) prevented + clock skew caused by preauth delay by recording the time of the + initial request. However, it failed to take into account delay + between requests due to prompting during preauthentication. Fix this + by recording the request time for each request. + + ticket: 7656 (new) + +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index ff455d3..0dd497e 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -1256,6 +1256,9 @@ init_creds_step_request(krb5_context context, + } + } + ++ /* Remember when we sent this request (after any preauth delay). */ ++ ctx->request_time = time(NULL); ++ + if (ctx->encoded_previous_request != NULL) { + krb5_free_data(context, ctx->encoded_previous_request); + ctx->encoded_previous_request = NULL; diff --git a/krb5-fast-msg_type.patch b/krb5-fast-msg_type.patch deleted file mode 100644 index e112272..0000000 --- a/krb5-fast-msg_type.patch +++ /dev/null @@ -1,28 +0,0 @@ -commit 3fbdcd0965180b46c545187e7784350340ae88ee -Author: Greg Hudson <ghudson@mit.edu> -Date: Fri Apr 12 16:28:14 2013 -0400 - - Set msg_type when decoding FAST requests - - An RFC 6113 KrbFastReq contains a padata sequence and a KDC-REQ-BODY, - neither of which contain the msg-type field found in a KDC-REQ. So - when we decode the FAST request, the resulting krb5_kdc_req structure - has a msg_type of 0. Copy msg_type from the outer body, since we make - use of it in further KDC processing. - - ticket: 7605 (new) - target_version: 1.11.3 - tags: pullup - -diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c -index 40c5783..4fa36c6 100644 ---- a/src/kdc/fast_util.c -+++ b/src/kdc/fast_util.c -@@ -239,6 +239,7 @@ kdc_find_fast(krb5_kdc_req **requestptr, - KRB5_PADATA_FX_COOKIE); - if (retval == 0) { - state->fast_options = fast_req->fast_options; -+ fast_req->req_body->msg_type = request->msg_type; - krb5_free_kdc_req( kdc_context, request); - *requestptr = fast_req->req_body; - fast_req->req_body = NULL; @@ -29,10 +29,10 @@ Summary: The Kerberos network authentication system Name: krb5 -Version: 1.11.2 -Release: 10%{?dist} +Version: 1.11.3 +Release: 1%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? -# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.2-signed.tar +# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar Source0: krb5-%{version}.tar.gz Source1: krb5-%{version}.tar.gz.asc # Use a dummy krb5-%{version}-pdf.tar.xz the first time through, then @@ -75,10 +75,7 @@ Patch105: krb5-kvno-230379.patch Patch113: krb5-1.11-alpha1-init.patch Patch116: http://ausil.fedorapeople.org/aarch64/krb5/krb5-aarch64.patch Patch117: krb5-1.11-gss-client-keytab.patch -Patch119: krb5-fast-msg_type.patch -Patch120: krb5-1.11.2-kpasswd_pingpong.patch Patch121: krb5-cccol-primary.patch -Patch122: krb5-1.11.2-gss_transited.patch Patch123: krb5-1.11.2-empty_passwords.patch Patch124: krb5-1.11.2-arcfour_short.patch Patch125: krb5-1.11.2-skew1.patch @@ -86,6 +83,7 @@ Patch126: krb5-1.11.2-skew2.patch Patch127: krb5-master-test_gss_no_udp.patch Patch128: krb5-master-test_no_pmap.patch Patch130: krb5-master-init_referral.patch +Patch131: krb5-1.11.3-skew3.patch # Patches for otp plugin backport Patch201: krb5-1.11.2-keycheck.patch @@ -303,10 +301,7 @@ ln -s NOTICE LICENSE %patch113 -p1 -b .init %patch116 -p1 -b .aarch64 %patch117 -p1 -b .gss-client-keytab -%patch119 -p1 -b .fast-msg_type -%patch120 -p1 -b .kpasswd_pingpong %patch121 -p1 -b .cccol-primary -%patch122 -p1 -b .gss_transited %patch123 -p1 -b .empty_passwords %patch124 -p1 -b .arcfour_short %patch125 -p1 -b .skew1 @@ -314,6 +309,7 @@ ln -s NOTICE LICENSE %patch127 -p1 -b .test_gss_no_udp %patch128 -p1 -b .test_no_pmap %patch130 -p1 -b .init_referral +%patch131 -p1 -b .skew3 %patch201 -p1 -b .keycheck %patch202 -p1 -b .otp @@ -839,6 +835,13 @@ exit 0 %{_sbindir}/uuserver %changelog +* Tue Jun 4 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.3-1 +- update to 1.11.3 + - drop patch for RT#7605, fixed in this release + - drop patch for CVE-2002-2443, fixed in this release + - drop patch for RT#7369, fixed in this release +- pull upstream fix for breaking t_skew.py by adding the patch for #961221 + * Fri May 31 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-10 - respin with updated version of patch for RT#7650 (#969331) @@ -1,3 +1,3 @@ -7db8ba98dcc1503fe6925aea2238b896 krb5-1.11.2.tar.gz -10b368a774933177f64e154b12976820 krb5-1.11.2.tar.gz.asc -d5c8774506d7f67fb096e0b3ac7cb03d krb5-1.11.2-pdf.tar.xz +017285971f1038a32261b15c128502f0 krb5-1.11.3.tar.gz +a9dc7e280af5ac23833d0c951fe44036 krb5-1.11.3.tar.gz.asc +731b6fa7c98b88920fc8f5b934a6187a krb5-1.11.3-pdf.tar.xz |