| author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-12-18 14:59:46 -0500 |
|---|---|---|
| committer | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-12-18 14:59:46 -0500 |
| commit | 2264c6de22017dd200e429d46cd26c2c795bd846 (patch) | |
| tree | 5342ded619d68985a2d063276f04da3ead64441c | |
| parent | 9f751be356f337298c8d55d246f8aa35cafa6346 (diff) | |
Pull in a couple of interop and memory leak fixes (krb5-1.11.3-35.fc20)
- pull in fix from master to return a NULL pointer rather than allocating
zero bytes of memory if we read a zero-length input token (RT#7794, part of
#1043962)
- pull in fix from master to ignore an empty token from an acceptor if
we've already finished authenticating (RT#7797, part of #1043962)
- pull in fix from master to avoid a memory leak when a mechanism's
init_sec_context function fails (RT#7803, part of #1043962)
- pull in fix from master to avoid a memory leak in a couple of error
cases which could occur while obtaining acceptor credentials (RT#7805, part
of #1043962)
| -rw-r--r-- | krb5-master-gss_oid_leak.patch | 28 | ||||
| -rw-r--r-- | krb5-master-ignore-empty-unnecessary-final-token.patch | 37 | ||||
| -rw-r--r-- | krb5-master-keytab_close.patch | 39 | ||||
| -rw-r--r-- | krb5-master-no-malloc0.patch | 39 | ||||
| -rw-r--r-- | krb5.spec | 22 |
5 files changed, 164 insertions, 1 deletions
diff --git a/krb5-master-gss_oid_leak.patch b/krb5-master-gss_oid_leak.patch
new file mode 100644
index 0000000..9613823
--- /dev/null
+++ b/krb5-master-gss_oid_leak.patch
@@ -0,0 +1,28 @@
+commit 1cda48a7ed4069cfc052f974ec3d76a9137c8c5a
+Author: Simo Sorce <simo@redhat.com>
+Date: Fri Dec 13 12:00:41 2013 -0500
+
+ Fix memory leak in SPNEGO initiator
+
+ If we eliminate a mechanism from the initiator list because
+ gss_init_sec_context fails, free the memory for that mech OID before
+ removing it from the list.
+
+ [ghudson@mit.edu: clarified commit message]
+
+ ticket: 7803 (new)
+ target_version: 1.12.1
+ tags: pullup
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 818a1b4..06cfab0 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -890,6 +890,7 @@ init_ctx_call_init(OM_uint32 *minor_status,
+ * can do this with recursion. If all mechanisms produce errors, the
+ * caller should get the error from the first mech in the list.
+ */
++ gssalloc_free(sc->mech_set->elements->elements);
+ memmove(sc->mech_set->elements, sc->mech_set->elements + 1,
+ --sc->mech_set->count * sizeof(*sc->mech_set->elements));
+ if (sc->mech_set->count == 0)
diff --git a/krb5-master-ignore-empty-unnecessary-final-token.patch b/krb5-master-ignore-empty-unnecessary-final-token.patch
new file mode 100644
index 0000000..3ebb888
--- /dev/null
+++ b/krb5-master-ignore-empty-unnecessary-final-token.patch
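Review bot: The added `gssalloc_free(sc->mech_set->elements->elements);` carries no comment tying it to the `memmove` and `--sc->mech_set->count` that follow, yet it is only correct because `elements[0]` is the mech whose init just failed and is about to be shifted out of the set; reordering the two statements later would free the wrong OID or leak again. A one-line why-comment above the free would pin that, e.g. `/* Free the failed mech's OID storage before memmove overwrites elements[0]. */`. init_ctx_call_init starts and ends outside the hunk.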
@@ -0,0 +1,37 @@
+commit 37af638b742dbd642eb70092e4f7781c3f69d86d
+Author: Greg Hudson <ghudson@mit.edu>
+Date: Tue Dec 10 12:04:18 2013 -0500
+
+ Fix SPNEGO one-hop interop against old IIS
+
+ IIS 6.0 and similar return a zero length reponse buffer in the last
+ SPNEGO packet when context initiation is performed without mutual
+ authentication. In this case the underlying Kerberos mechanism has
+ already completed successfully on the first invocation, and SPNEGO
+ does not expect a mech response token in the answer. If we get an
+ empty mech response token when the mech is complete during
+ negotiation, ignore it.
+
+ [ghudson@mit.edu: small code style and commit message changes]
+
+ ticket: 7797 (new)
+ target_version: 1.12.1
+ tags: pullup
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 3937662..d82934b 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ map_errcode(minor_status);
+ ret = GSS_S_DEFECTIVE_TOKEN;
+ }
++ } else if ((*responseToken)->length == 0 && sc->mech_complete) {
++ /* Handle old IIS servers returning empty token instead of
++ * null tokens in the non-mutual auth case. */
++ *negState = ACCEPT_COMPLETE;
++ *tokflag = NO_TOKEN_SEND;
++ ret = GSS_S_COMPLETE;
+ } else if (sc->mech_complete) {
+ /* Reject spurious mech token. */
+ ret = GSS_S_DEFECTIVE_TOKEN;
diff --git a/krb5-master-keytab_close.patch b/krb5-master-keytab_close.patch
new file mode 100644
index 0000000..d020ae6
--- /dev/null
+++ b/krb5-master-keytab_close.patch
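Review bot: The comment on the new `else if ((*responseToken)->length == 0 && sc->mech_complete)` branch names the IIS quirk but not why accepting the token is safe, which is the part a later reader needs: the mech already completed, so no further mech token is expected and the empty one carries nothing to verify. If, as the preceding `}` and `GSS_S_DEFECTIVE_TOKEN` context suggest, the null-token case with `sc->mech_complete` set is already accepted the same way just above (that branch is outside the hunk, so this is inferred), say so explicitly, e.g. `/* Old IIS sends an empty token instead of a null one in the non-mutual case; the mech is already complete, so treat it exactly like a null token. */`. The spurious-token rejection that follows still applies when the token is non-empty, which is worth stating since the two branches now read as near-duplicates. init_ctx_nego starts and ends outside the hunk.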
@@ -0,0 +1,39 @@
+commit decccbcb5075f8fbc28a535a9b337afc84a15dee
+Author: Greg Hudson <ghudson@mit.edu>
+Date: Mon Dec 16 15:37:56 2013 -0500
+
+ Fix GSS krb5 acceptor acquire_cred error handling
+
+ When acquiring acceptor creds with a specified name, if we fail to
+ open a replay cache, we leak the keytab handle. If there is no
+ specified name and we discover that there is no content in the keytab,
+ we leak the keytab handle and return the wrong major code. Memory
+ leak reported by Andrea Campi.
+
+ ticket: 7805
+ target_version: 1.12.1
+ tags: pullup
+
+diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
+index 0efcad4..9547207 100644
+--- a/src/lib/gssapi/krb5/acquire_cred.c
++++ b/src/lib/gssapi/krb5/acquire_cred.c
+@@ -225,6 +225,7 @@ acquire_accept_cred(krb5_context context,
+ code = krb5_get_server_rcache(context, &cred->name->princ->data[0],
+ &cred->rcache);
+ if (code) {
++ krb5_kt_close(context, kt);
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+@@ -232,8 +233,9 @@ acquire_accept_cred(krb5_context context,
+ /* Make sure we have a keytab with keys in it. */
+ code = krb5_kt_have_content(context, kt);
+ if (code) {
++ krb5_kt_close(context, kt);
+ *minor_status = code;
+- return GSS_S_FAILURE;
++ return GSS_S_CRED_UNAVAIL;
+ }
+ }
+
diff --git a/krb5-master-no-malloc0.patch b/krb5-master-no-malloc0.patch
new file mode 100644
index 0000000..e5b0e63
--- /dev/null
+++ b/krb5-master-no-malloc0.patch
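Review bot: Both error exits in acquire_accept_cred now hand-repeat the same epilogue, `krb5_kt_close(context, kt);` followed by `*minor_status = code;` and a return, which is exactly the shape that let the original leak slip in: any further early return added between the keytab open and its normal close will leak again unless it copies those lines. The idiomatic C fix is a single cleanup label that closes `kt` (`goto cleanup;` at each failure, with `krb5_kt_close` under the label and the major code carried in a local), so the handle is released on every path by construction. Whether other early returns in the rest of the function also need it cannot be seen here, since acquire_accept_cred starts and ends outside both hunks.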
@@ -0,0 +1,39 @@
+commit 13fd26e1863c79f616653f6a10a58c01f65fceff
+Author: Greg Hudson <ghudson@mit.edu>
+Date: Fri Dec 6 18:56:56 2013 -0500
+
+ Avoid malloc(0) in SPNEGO get_input_token
+
+ If we read a zero-length token in spnego_mech.c's get_input_token(),
+ set the value pointer to NULL instead of calling malloc(0).
+
+ ticket: 7794 (new)
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 24c3440..3937662 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -3140,14 +3140,17 @@ get_input_token(unsigned char **buff_in, unsigned int buff_length)
+ return (NULL);
+
+ input_token->length = len;
+- input_token->value = gssalloc_malloc(input_token->length);
++ if (input_token->length > 0) {
++ input_token->value = gssalloc_malloc(input_token->length);
++ if (input_token->value == NULL) {
++ free(input_token);
++ return (NULL);
++ }
+
+- if (input_token->value == NULL) {
+- free(input_token);
+- return (NULL);
++ memcpy(input_token->value, *buff_in, input_token->length);
++ } else {
++ input_token->value = NULL;
+ }
+-
+- (void) memcpy(input_token->value, *buff_in, input_token->length);
+ *buff_in += input_token->length;
+ return (input_token);
+ }
@@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.3
-Release: 34%{?dist}
+Release: 35%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
 Source0: krb5-%{version}.tar.gz
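Review bot: With the new `} else { input_token->value = NULL; }` branch, a zero-length token is now returned with a null `value`, and any consumer of get_input_token's result that hands `value` to `memcpy` or another pointer-taking routine for a zero-length buffer is passing a null pointer, which C leaves undefined even when the count is 0. Those call sites are outside this hunk, so they cannot be checked here, but each should guard on `length > 0` the way the new code does before its own `memcpy`. Inside the hunk the copy is correctly confined to the `length > 0` branch and the `*buff_in += input_token->length;` advance is a no-op for the empty case, so the function itself is sound; the remaining ask is a short comment on the `else` branch stating the new contract, e.g. `/* Zero-length tokens carry no allocation; callers must not dereference value. */`.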
@@ -113,6 +113,10 @@ Patch140: krb5-CVE-2013-1417.patch
 Patch141: krb5-1.11.3-client-loop.patch
 Patch142: krb5-master-keyring-offsets.patch
 Patch143: krb5-master-keyring-expiration.patch
+Patch144: krb5-master-no-malloc0.patch
+Patch145: krb5-master-ignore-empty-unnecessary-final-token.patch
+Patch146: krb5-master-gss_oid_leak.patch
+Patch147: krb5-master-keytab_close.patch
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
@@ -366,6 +370,10 @@ ln -s NOTICE LICENSE
 %patch141 -p1 -b .client-loop
 %patch142 -p1 -b .keyring-offsets
 %patch143 -p1 -b .keyring-expiration
+%patch144 -p1 -b .no-malloc0
+%patch145 -p1 -b .ignore-empty-unnecessary-final-token
+%patch146 -p1 -b .gss_oid_leak
+%patch147 -p1 -b .keytab_close
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@@ -1018,6 +1026,18 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Wed Dec 18 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-35
+- pull in fix from master to return a NULL pointer rather than allocating
+ zero bytes of memory if we read a zero-length input token (RT#7794, part of
+ #1043962)
+- pull in fix from master to ignore an empty token from an acceptor if
+ we've already finished authenticating (RT#7797, part of #1043962)
+- pull in fix from master to avoid a memory leak when a mechanism's
+ init_sec_context function fails (RT#7803, part of #1043962)
+- pull in fix from master to avoid a memory leak in a couple of error
+ cases which could occur while obtaining acceptor credentials (RT#7805, part
+ of #1043962)
+
 * Tue Dec 17 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-34
 - backport additional changes to libkrad to make it function more like the
 version in upstream 1.12, and a few things in the OTP plugin as well
|
