author | Nathaniel McCallum <nathaniel@themccallums.org> | 2012-02-21 15:40:50 -0500 |
---|---|---|
committer | Nathaniel McCallum <nathaniel@themccallums.org> | 2012-02-21 15:40:50 -0500 |
commit | b44189a932c0a52574afcf79d3aabfab19e5653c (patch) | |
tree | 2711c757fa110a42fae9fbbd51d75ac52b9842ba | |
parent | 1b8eb90a4fb6436cb4be9a575e27aa6e6b4658fa (diff) | |
download | krb5-b44189a932c0a52574afcf79d3aabfab19e5653c.tar.gz krb5-b44189a932c0a52574afcf79d3aabfab19e5653c.tar.xz krb5-b44189a932c0a52574afcf79d3aabfab19e5653c.zip |
Fix string RPC ACLs (RT#7093); CVE-2012-1012
-rw-r--r-- | krb5-1.10-string-rpc-acl-fix.patch | 61 | ||||
-rw-r--r-- | krb5.spec | 7 |
2 files changed, 67 insertions, 1 deletions
diff --git a/krb5-1.10-string-rpc-acl-fix.patch b/krb5-1.10-string-rpc-acl-fix.patch
new file mode 100644
index 0000000..bd82356
--- /dev/null
+++ b/krb5-1.10-string-rpc-acl-fix.patch
@@ -0,0 +1,61 @@
+From 725b97bfba7067907a5fc534c21349c0d28bf6b8 Mon Sep 17 00:00:00 2001
+From: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
+Date: Tue, 21 Feb 2012 19:14:47 +0000
+Subject: [PATCH] ticket: 7093 subject: Access controls for string RPCs
+ [CVE-2012-1012] target_version: 1.10.1 tags: pullup
+
+In the kadmin protocol, make the access controls for
+get_strings/set_string mirror those of get_principal/modify_principal.
+Previously, anyone with global list privileges could get or modify
+string attributes on any principal. The impact of this depends on how
+generous the kadmind acl is with list permission and whether string
+attributes are used in a deployment (nothing in the core code uses
+them yet).
+
+CVSSv2 vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:O/RC:C
+
+git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25704 dc483132-0cff-0310-8789-dd5450dbe970
+---
+ src/kadmin/server/server_stubs.c | 19 +++++++++++--------
+ 1 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
+index 8dbe756..0de627f 100644
+--- a/src/kadmin/server/server_stubs.c
++++ b/src/kadmin/server/server_stubs.c
+@@ -1634,10 +1634,13 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
+ goto exit_func;
+ }
+ 
+- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+- rqst2name(rqstp),
+- ACL_LIST, NULL, NULL)) {
+- ret.code = KADM5_AUTH_LIST;
++ if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) &&
++ (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
++ rqst2name(rqstp),
++ ACL_INQUIRE,
++ arg->princ,
++ NULL))) {
++ ret.code = KADM5_AUTH_GET;
+ log_unauth("kadm5_get_strings", prime_arg,
+ &client_name, &service_name, rqstp);
+ } else {
+@@ -1690,10 +1693,10 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
+ goto exit_func;
+ }
+ 
+- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+- rqst2name(rqstp),
+- ACL_LIST, NULL, NULL)) {
+- ret.code = KADM5_AUTH_LIST;
++ if (CHANGEPW_SERVICE(rqstp)
++ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
++ arg->princ, NULL)) {
++ ret.code = KADM5_AUTH_MODIFY;
+ log_unauth("kadm5_mod_strings", prime_arg,
+ &client_name, &service_name, rqstp);
+ } else {
+--
+1.7.7.6
+
@@ -15,7 +15,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.10 -Release: 3%{?dist} +Release: 4%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-signed.tar Source0: krb5-%{version}.tar.gz @@ -64,6 +64,7 @@ Patch103: krb5-1.10-gcc47.patch Patch104: krb5-1.10-crashfix.patch Patch105: krb5-kvno-230379.patch Patch106: krb5-1.10-lookaside.patch +Patch107: krb5-1.10-string-rpc-acl-fix.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -236,6 +237,7 @@ ln -s NOTICE LICENSE %patch104 -p1 -b .crashfix %patch105 -p1 -b .kvno %patch106 -p1 -b .7082 +%patch107 -p1 -b .7093 rm src/lib/krb5/krb/deltat.c gzip doc/*.ps @@ -747,6 +749,9 @@ exit 0 %{_sbindir}/uuserver %changelog +* Tue Feb 21 2012 Nathaniel McCallum <nathaniel@natemccallum.com> - 1.10-4 +- Fix string RPC ACLs (RT#7093); CVE-2012-1012 + * Tue Jan 31 2012 Nathaniel McCallum <nathaniel@natemccallum.com> - 1.10-3 - Add upstream lookaside cache behavior fix (RT#7082) |
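Review bot: In the new get_strings_2_svc condition the `! cmp_gss_krb5_name(...)` test is evaluated before `CHANGEPW_SERVICE(rqstp)`, so a client authenticated as the target principal passes the check even on the changepw service, where every other caller is refused; the commit message says this mirrors get_principal, but the asymmetry with the set_string hunk below (which has no self-access path) is worth a comment. I would add above the get_strings condition `/* Self-inquiry is always allowed; anyone else needs ACL_INQUIRE on arg->princ, as in get_principal_2_svc. */` and above the set_string condition `/* No self-access exception: writes need ACL_MODIFY on arg->princ, as in modify_principal_2_svc. */`. Whether the RPC dispatcher already rejects get_strings requests arriving on the changepw service before this stub runs is not visible here and should be confirmed before relying on it. Both get_strings_2_svc and set_string_2_svc begin and end outside the hunk, and the krb5.spec hunks collapsed onto the same line are only the Patch107 tag, release and changelog bump.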