authorNalin Dahyabhai <nalin@fedoraproject.org>2005-07-12 18:09:21 +0000
committerNalin Dahyabhai <nalin@fedoraproject.org>2005-07-12 18:09:21 +0000
commit80238a2fd873c91b4d494b158329b32af226fbf3 (patch)
tree491e347b6cb77ca7b2a62cf51f0593f090ea0874
parent73316152b6bb329d0b125e892d1be51876099bf1 (diff)
merge fixes for MITKRB5-SA-2005-002 and MITKRB5-SA-2005-003 (tag: krb5-1_4_1-6)
-rw-r--r--krb5-1.4.1-api.patch30
-rw-r--r--krb5-1.4.1-telnet-environ.patch164
-rw-r--r--krb5.spec28
3 files changed, 219 insertions, 3 deletions
diff --git a/krb5-1.4.1-api.patch b/krb5-1.4.1-api.patch
new file mode 100644
index 0000000..d795f54
--- /dev/null
+++ b/krb5-1.4.1-api.patch
@@ -0,0 +1,30 @@
+Reference docs don't define what happens if you call krb5_realm_compare() with
+malformed krb5_principal structures. Define a behavior which keeps it from
+crashing if applications don't check ahead of time.
+
+--- krb5-1.4.1/src/lib/krb5/krb/princ_comp.c 2002-09-02 21:13:46.000000000 -0400
++++ krb5-1.4.1/src/lib/krb5/krb/princ_comp.c 2005-06-29 13:56:55.000000000 -0400
+@@ -33,6 +33,13 @@
+ krb5_boolean KRB5_CALLCONV
+ krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)
+ {
++ if ((princ1 == NULL) || (princ2 == NULL))
++ return FALSE;
++
++ if ((krb5_princ_realm(context, princ1) == NULL) ||
++ (krb5_princ_realm(context, princ2) == NULL))
++ return FALSE;
++
+ if (krb5_princ_realm(context, princ1)->length !=
+ krb5_princ_realm(context, princ2)->length ||
+ memcmp (krb5_princ_realm(context, princ1)->data,
+@@ -49,6 +56,9 @@
+ register int i;
+ krb5_int32 nelem;
+
++ if ((princ1 == NULL) || (princ2 == NULL))
++ return FALSE;
++
+ nelem = krb5_princ_size(context, princ1);
+ if (nelem != krb5_princ_size(context, princ2))
+ return FALSE;
diff --git a/krb5-1.4.1-telnet-environ.patch b/krb5-1.4.1-telnet-environ.patch
new file mode 100644
index 0000000..05da88b
--- /dev/null
+++ b/krb5-1.4.1-telnet-environ.patch
@@ -0,0 +1,164 @@
+Port of fixes originally made to the NetKit telnet client.
+
+Previous behavior:
+ Well-defined or exported variables are sent to the server on initial connect.
+ The "environ list" command prints "*" before these variable names.
+ Other variables are sent to the server if it requests them.
+ The "environ list" command prints " " before these variable names.
+New behavior:
+ Well-defined variables are sent to the server on initial connect.
+ The "environ list" command prints "*" before these variable names.
+ Exported variables are sent to the server on initial connect.
+ The "environ list" command prints "+" before these variable names.
+ Other variables are NOT sent to the server.
+ The "environ list" command prints " " before these variable names.
+
+diff -uNr krb5-1.4.1/src/appl/telnet/telnet/authenc.c krb5-1.4.1/src/appl/telnet/telnet/authenc.c
+--- krb5-1.4.1/src/appl/telnet/telnet/authenc.c 2002-11-15 15:21:34.000000000 -0500
++++ krb5-1.4.1/src/appl/telnet/telnet/authenc.c 2005-06-29 21:06:39.000000000 -0400
+@@ -83,13 +83,6 @@
+ }
+
+ char *
+-telnet_getenv(val)
+- char *val;
+-{
+- return((char *)env_getvalue((unsigned char *)val));
+-}
+-
+- char *
+ telnet_gets(tprompt, result, length, echo)
+ char *tprompt;
+ char *result;
+diff -uNr krb5-1.4.1/src/appl/telnet/telnet/commands.c krb5-1.4.1/src/appl/telnet/telnet/commands.c
+--- krb5-1.4.1/src/appl/telnet/telnet/commands.c 2005-04-07 17:17:26.000000000 -0400
++++ krb5-1.4.1/src/appl/telnet/telnet/commands.c 2005-06-29 21:11:34.000000000 -0400
+@@ -1889,8 +1889,9 @@
+ register struct env_lst *ep;
+
+ for (ep = envlisthead.next; ep; ep = ep->next) {
+- printf("%c %-20s %s\r\n", ep->export ? '*' : ' ',
+- ep->var, ep->value);
++ printf("%c %-20s %s\r\n",
++ " +*"[(ep->welldefined ? 2 : (ep->export > 0))],
++ ep->var, ep->value);
+ }
+ }
+
+@@ -1914,13 +1915,15 @@
+ }
+
+ unsigned char *
+-env_getvalue(var)
++env_getvalue(var, export_only)
+ unsigned char *var;
++ int export_only;
+ {
+ register struct env_lst *ep;
+
+ if ((ep = env_find(var)))
+- return(ep->value);
++ if (ep->export || !export_only)
++ return(ep->value);
+ return(NULL);
+ }
+
+diff -uNr krb5-1.4.1/src/appl/telnet/telnet/externs.h krb5-1.4.1/src/appl/telnet/telnet/externs.h
+--- krb5-1.4.1/src/appl/telnet/telnet/externs.h 2003-04-23 23:27:56.000000000 -0400
++++ krb5-1.4.1/src/appl/telnet/telnet/externs.h 2005-06-29 21:05:16.000000000 -0400
+@@ -347,7 +347,7 @@
+
+ extern unsigned char
+ *env_default (int, int),
+- *env_getvalue (unsigned char *);
++ *env_getvalue (unsigned char *, int);
+
+ extern int
+ env_is_exported (unsigned char *);
+diff -uNr krb5-1.4.1/src/appl/telnet/telnet/telnet.c krb5-1.4.1/src/appl/telnet/telnet/telnet.c
+--- krb5-1.4.1/src/appl/telnet/telnet/telnet.c 2005-06-29 21:13:29.000000000 -0400
++++ krb5-1.4.1/src/appl/telnet/telnet/telnet.c 2005-06-29 21:09:13.000000000 -0400
+@@ -552,7 +552,7 @@
+ #endif
+
+ case TELOPT_XDISPLOC: /* X Display location */
+- if (env_getvalue((unsigned char *)"DISPLAY") &&
++ if (env_getvalue((unsigned char *)"DISPLAY", 0) &&
+ env_is_exported((unsigned char *)"DISPLAY"))
+ new_state_ok = 1;
+ break;
+@@ -813,7 +813,7 @@
+ resettermname = 0;
+ if (tnamep && tnamep != unknown)
+ free(tnamep);
+- if ((tname = (char *)env_getvalue((unsigned char *)"TERM")) &&
++ if ((tname = (char *)env_getvalue((unsigned char *)"TERM", 0)) &&
+ (setupterm(tname, 1, &err) == 0)) {
+ tnamep = mklist(termbuf, tname);
+ } else {
+@@ -988,7 +988,7 @@
+ unsigned char temp[50], *dp;
+ int len;
+
+- if (((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL) ||
++ if (((dp = env_getvalue((unsigned char *)"DISPLAY", 0)) == NULL) ||
+ (! env_is_exported((unsigned char *)"DISPLAY"))) {
+ /*
+ * Something happened, we no longer have a DISPLAY
+@@ -1669,7 +1669,7 @@
+ env_opt_add(ep);
+ return;
+ }
+- vp = env_getvalue(ep);
++ vp = env_getvalue(ep, 1);
+ elen = 2 * (vp ? strlen((char *)vp) : 0) +
+ 2 * strlen((char *)ep) + 6;
+ if ((opt_replyend - opt_replyp) < elen)
+@@ -2327,7 +2327,7 @@
+ send_will(TELOPT_LINEMODE, 1);
+ send_will(TELOPT_NEW_ENVIRON, 1);
+ send_do(TELOPT_STATUS, 1);
+- if (env_getvalue((unsigned char *)"DISPLAY") &&
++ if (env_getvalue((unsigned char *)"DISPLAY", 0) &&
+ env_is_exported((unsigned char *)"DISPLAY"))
+ send_will(TELOPT_XDISPLOC, 1);
+ if (eight)
+--- krb5-1.4.1/src/appl/telnet/telnetd/authenc.c 2005-06-29 21:25:09.000000000 -0400
++++ krb5-1.4.1/src/appl/telnet/telnetd/authenc.c 2005-06-29 21:25:13.000000000 -0400
+@@ -67,14 +67,6 @@
+ }
+
+ char *
+-telnet_getenv(val)
+- char *val;
+-{
+- extern char *getenv();
+- return(getenv(val));
+-}
+-
+- char *
+ telnet_gets(prompt, result, length, echo)
+ char *prompt;
+ char *result;
+--- krb5-1.4.1/src/appl/telnet/telnet/telnet.1 2005-06-29 21:26:55.000000000 -0400
++++ krb5-1.4.1/src/appl/telnet/telnet/telnet.1 2005-06-29 21:29:05.000000000 -0400
+@@ -401,7 +401,7 @@
+ .I variable
+ to have a value of
+ .IR value .
+-Any variables defined by this command are automatically exported. The
++Variables defined by this command are not automatically exported. The
+ .I value
+ may be enclosed in single or double quotes so that tabs and spaces may
+ be included.
+@@ -423,8 +423,8 @@
+ .TP
+ .B list
+ List the current set of environment variables. Those marked with a \&*
+-will be sent automatically; other variables will only be sent if
+-explicitly requested.
++will be sent automatically; those marked with a \&+ will be sent if the
++other end requests their values, and other variables will not be sent.
+ .TP
+ .B \&?
+ Prints out help information for the
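Review bot: The telnet.1 hunk now says variables set with `environ define` are not automatically exported, yet no hunk in this patch touches `env_define` in commands.c; if, as in the BSD telnet code this derives from, that function still does `ep->export = 1;`, a user-defined variable is still sent on connect and both the man page and the "New behavior" summary are wrong. Please confirm `env_define` was changed so that only `environ export` sets the flag, or add that hunk here. The two `telnet_getenv` definitions are removed without any visible change to callers in libtelnet, so if anything there still references the symbol the link will fail; presumably checked, but not visible from this hunk. Minor style point: the unbraced nested `if` in `env_getvalue` is correct but easy to misread, and `if (ep && (ep->export || !export_only)) return(ep->value);` says the same thing in one line.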
diff --git a/krb5.spec b/krb5.spec
index edf433f..676c3a9 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -7,7 +7,7 @@
Summary: The Kerberos network authentication system.
Name: krb5
Version: 1.4.1
-Release: 5
+Release: 6
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.4/krb5-1.4.1-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -64,6 +64,10 @@ Patch33: krb5-1.3.4-deadlock.patch
Patch34: krb5-krshd-lehman.patch
Patch35: krb5-1.4.1-fclose.patch
Patch36: krb5-1.3.3-rcp-markus.patch
+Patch37: krb5-1.4-MITKRB5-SA-2005-002.patch
+Patch38: krb5-1.4-MITKRB5-SA-2005-003.patch
+Patch39: krb5-1.4.1-api.patch
+Patch40: krb5-1.4.1-telnet-environ.patch
License: MIT, freely distributable.
URL: http://web.mit.edu/kerberos/www/
Group: System Environment/Libraries
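Review bot: Patch37 and Patch38 reference `krb5-1.4-MITKRB5-SA-2005-002.patch` and `krb5-1.4-MITKRB5-SA-2005-003.patch`, but the diffstat for this commit lists only the two new 1.4.1 patches and the spec, so unless those files were committed separately or come from the lookaside cache the `%patch37`/`%patch38` lines in %prep fail on a missing file and the advisory fixes the changelog credits (CAN-2005-1174, CAN-2005-1175, CAN-2005-1689) are not in the build. Please add the two files to the same change, or note in the spec where they are sourced from. The changelog also calls them patches from a "draft" of the advisories; record the upstream revision or a checksum alongside the Patch lines so the draft-versus-final difference can be audited later.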
@@ -128,12 +132,24 @@ network uses Kerberos, this package should be installed on every
workstation.
%changelog
-* Fri Jun 24 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-5
+* Wed Jun 29 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-6
- rebuild
+* Wed Jun 29 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-5
+- fix telnet client environment variable disclosure the same way NetKit's
+ telnet client did (CAN-2005-0488) (#159305)
+- keep apps which call krb5_principal_compare() or krb5_realm_compare() with
+ malformed or NULL principal structures from crashing outright (Thomas Biege)
+ (#161475)
+
+* Tue Jun 28 2005 Nalin Dahyabhai <nalin@redhat.com>
+- apply fixes from draft of MIT-KRB5-SA-2005-002 (CAN-2005-1174,CAN-2005-1175)
+ (#157104)
+- apply fixes from draft of MIT-KRB5-SA-2005-003 (CAN-2005-1689) (#159755)
+
* Fri Jun 24 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-4
- fix double-close in keytab handling
-- add port of fixes for CAN-2004-0175 to krb5-aware rcp
+- add port of fixes for CAN-2004-0175 to krb5-aware rcp (#151612)
* Fri May 13 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-3
- prevent spurious EBADF in krshd when stdin is closed by the client while
@@ -840,6 +856,12 @@ workstation.
%patch34 -p0 -b .krshd-lehman
%patch35 -p1 -b .fclose
%patch36 -p1 -b .rcp-markus
+pushd src
+%patch37 -p0 -b .MIT-KRB5-SA-2005-002
+%patch38 -p0 -b .MIT-KRB5-SA-2005-003
+popd
+%patch39 -p1 -b .api
+%patch40 -p1 -b .telnet-environ
cp src/krb524/README README.krb524
find . -type f -name "*.info-dir" -exec rm -fv "{}" ";"
gzip doc/*.ps