author | Robbie Harwood (frozencemetery) <rharwood@redhat.com> | 2015-11-04 19:11:33 +0000 |
---|---|---|
committer | Robbie Harwood (frozencemetery) <rharwood@redhat.com> | 2015-11-04 20:26:21 +0000 |
commit | b81fddfea1ce7bbc6d051952bf200e604bd0234c (patch) | |
tree | 774c9aee6eb36f27cb2003bde083192c2fbe12d3 | |
parent | def8c582bbedf7938a8b5b0e90cc50ee1be1b720 (diff) | |
download | krb5-b81fddfea1ce7bbc6d051952bf200e604bd0234c.tar.gz krb5-b81fddfea1ce7bbc6d051952bf200e604bd0234c.tar.xz krb5-b81fddfea1ce7bbc6d051952bf200e604bd0234c.zip |
Patch CVE-2015-2698
-rw-r--r-- | krb5-CVE-2015-2698-fix_iakerb_spnego.patch | 148 | ||||
-rw-r--r-- | krb5.spec | 7 |
2 files changed, 154 insertions, 1 deletions
diff --git a/krb5-CVE-2015-2698-fix_iakerb_spnego.patch b/krb5-CVE-2015-2698-fix_iakerb_spnego.patch
new file mode 100644
index 0000000..12a86b3
--- /dev/null
+++ b/krb5-CVE-2015-2698-fix_iakerb_spnego.patch
@@ -0,0 +1,148 @@
+Modified version of the patch to 1.14 that are missing test suite
+pieces. Also backports a random comment fixup we needed from master.
+
+diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
+index 05dc321..ac53662 100644
+--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
+@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV
+ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ gss_buffer_t interprocess_token);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_import_sec_context(OM_uint32 *minor_status,
++ const gss_buffer_t interprocess_token,
++ gss_ctx_id_t *context_handle);
+ #endif /* LEAN_CLIENT */
+
+ OM_uint32 KRB5_CALLCONV
+diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
+index 9a23656..d7ba279 100644
+--- a/src/lib/gssapi/krb5/gssapi_krb5.c
++++ b/src/lib/gssapi/krb5/gssapi_krb5.c
+@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = {
+ NULL,
+ #else
+ iakerb_gss_export_sec_context,
+- NULL,
++ iakerb_gss_import_sec_context,
+ #endif
+ krb5_gss_inquire_cred_by_mech,
+ krb5_gss_inquire_names_for_mech,
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+index 4662bd9..32a341e 100644
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -727,10 +727,6 @@ cleanup:
+ return code;
+ }
+
+-/*
+- * Delete an IAKERB context. This can also accept Kerberos context
+- * handles. The heuristic is similar to SPNEGO's delete_sec_context.
+- */
+ OM_uint32 KRB5_CALLCONV
+ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+@@ -1061,7 +1057,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ gss_buffer_t interprocess_token)
+ {
+ OM_uint32 maj;
+- iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
+
+ /* We don't currently support exporting partially established contexts. */
+ if (!ctx->established)
+@@ -1076,13 +1072,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ return maj;
+ }
+
+-/*
+- * Until we implement partial context exports, there are no SPNEGO exported
+- * context tokens, only tokens for the underlying krb5 context. So we do not
+- * need to implement an iakerb_gss_import_sec_context() yet; it would be
+- * unreachable except via a manually constructed token.
+- */
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_import_sec_context(OM_uint32 *minor_status,
++ gss_buffer_t interprocess_token,
++ gss_ctx_id_t *context_handle)
++{
++ OM_uint32 maj, tmpmin;
++ krb5_error_code code;
++ gss_ctx_id_t gssc;
++ krb5_gss_ctx_id_t kctx;
++ iakerb_ctx_id_t ctx;
+
++ maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc);
++ if (maj != GSS_S_COMPLETE)
++ return maj;
++ kctx = (krb5_gss_ctx_id_t)gssc;
++
++ if (!kctx->established) {
++ /* We don't currently support importing partially established
++ * contexts. */
++ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
++ return GSS_S_FAILURE;
++ }
++
++ code = iakerb_alloc_context(&ctx, kctx->initiate);
++ if (code != 0) {
++ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
++ *minor_status = code;
++ return GSS_S_FAILURE;
++ }
++
++ ctx->gssc = gssc;
++ ctx->established = 1;
++ *context_handle = (gss_ctx_id_t)ctx;
++ return GSS_S_COMPLETE;
++}
+ #endif /* LEAN_CLIENT */
+
+ OM_uint32 KRB5_CALLCONV
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 3423f22..ec38eea 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -2253,12 +2253,33 @@ spnego_gss_import_sec_context(
+ const gss_buffer_t interprocess_token,
+ gss_ctx_id_t *context_handle)
+ {
+- /*
+- * Until we implement partial context exports, there are no SPNEGO
+- * exported context tokens, only tokens for underlying mechs. So just
+- * return an error for now.
+- */
+- return GSS_S_UNAVAILABLE;
++ OM_uint32 ret, tmpmin;
++ gss_ctx_id_t mctx;
++ spnego_gss_ctx_id_t sc;
++ int initiate, opened;
++
++ ret = gss_import_sec_context(minor_status, interprocess_token, &mctx);
++ if (ret != GSS_S_COMPLETE)
++ return ret;
++
++ ret = gss_inquire_context(&tmpmin, mctx, NULL, NULL, NULL, NULL, NULL,
++ &initiate, &opened);
++ if (ret != GSS_S_COMPLETE || !opened) {
++ /* We don't currently support importing partially established
++ * contexts. */
++ (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
++ return GSS_S_FAILURE;
++ }
++
++ sc = create_spnego_ctx(initiate);
++ if (sc == NULL) {
++ (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
++ return GSS_S_FAILURE;
++ }
++ sc->ctx_handle = mctx;
++ sc->opened = 1;
++ *context_handle = (gss_ctx_id_t)sc;
++ return GSS_S_COMPLETE;
+ }
+ #endif /* LEAN_CLIENT */
+
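Review bot: The new `iakerb_gss_import_sec_context` is declared in gssapiP_krb5.h with `const gss_buffer_t interprocess_token` but defined in iakerb.c with plain `gss_buffer_t interprocess_token`; since `gss_buffer_t` is a pointer typedef the qualifier is top-level and the two types stay compatible, but the SPNEGO counterpart in the same patch uses `const gss_buffer_t` in its definition, so the iakerb.c definition should carry `const` too for consistency with the header. On the `!kctx->established` path the function returns `GSS_S_FAILURE` while `*minor_status` still holds whatever the successful `krb5_gss_import_sec_context` call wrote (presumably 0, though the patch does not show it), unlike the `code != 0` path which sets it explicitly; setting `*minor_status = 0;` before that return would make the contract explicit, and the same applies to the two `GSS_S_FAILURE` returns in `spnego_gss_import_sec_context`. The import path now turns an interprocess token into a fully trusted established context, so a one-line header comment on the new function stating that only fully established krb5 contexts are accepted and that the token's provenance is the caller's responsibility would help the next maintainer more than the inline "partially established" note alone.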
@@ -43,7 +43,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.14 -Release: 6%{?dist} +Release: 7%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # - The sources below are stored in a lookaside cache. Upload with @@ -93,6 +93,7 @@ Patch149: krb5-1.14-pwsize_initialize.patch Patch150: krb5-CVE-2015-2695-SPNEGO_aliasing.patch Patch151: krb5-CVE-2015-2696-IAKERB_aliasing.patch Patch152: krb5-CVE-2015-2697-build_principal_memory.patch +Patch153: krb5-CVE-2015-2698-fix_iakerb_spnego.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -283,6 +284,7 @@ ln NOTICE LICENSE %patch150 -p1 -b .CVE-2015-2695-SPNEGO_aliasing %patch151 -p1 -b .CVE-2015-2696-IAKERB_aliasing %patch152 -p1 -b .CVE-2015-2697-build_principal_memory +%patch153 -p1 -b .CVE-2015-2698-fix_iakerb_spnego # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -898,6 +900,9 @@ exit 0 %changelog +* Wed Nov 04 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-beta1-7 +- Patch CVE-2015-2698 + * Tue Oct 27 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-beta1-6 - Patch CVE-2015-2697, CVE-2015-2696, CVE-2015-2695 |