| author | Nalin Dahyabhai <nalin@fedoraproject.org> | 2007-04-03 18:30:50 +0000 |
|---|---|---|
| committer | Nalin Dahyabhai <nalin@fedoraproject.org> | 2007-04-03 18:30:50 +0000 |
| commit | e200cf4e0c25f2de651e42e4b8f16875f2946028 (patch) | |
| tree | a6f447dcc516b7d80c7a4e3420ab3a6f2db90ea2 | |
| parent | 1dc23da20830dbf64e184075dd28e4cc95f008de (diff) | |
- add patch for MITKRB5-SA-2007-001
| -rw-r--r-- | krb5-1.6-CVE-2007-0956-prelim.patch | 88 |
1 files changed, 88 insertions, 0 deletions
diff --git a/krb5-1.6-CVE-2007-0956-prelim.patch b/krb5-1.6-CVE-2007-0956-prelim.patch
new file mode 100644
index 0000000..7fd5d62
--- /dev/null
+++ b/krb5-1.6-CVE-2007-0956-prelim.patch
@@ -0,0 +1,88 @@
+FIXES
+=====
+
+* a future release of MIT krb5 will contain a fix for this
+ vulnerability
+
+prior to that release you may:
+
+* disable telnetd
+
+or
+
+* apply the following (preliminary) patch:
+
+*** src/appl/telnet/telnetd/state.c (revision 19480)
+--- src/appl/telnet/telnetd/state.c (local)
+***************
+*** 1665,1671 ****
+ strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
+ strcmp(varp, "NLSPATH") && /* locale stuff */
+ strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
+! strcmp(varp, "IFS")) {
+ return 1;
+ } else {
+ syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
+--- 1665,1672 ----
+ strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
+ strcmp(varp, "NLSPATH") && /* locale stuff */
+ strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
+! strcmp(varp, "IFS") &&
+! !strchr(varp, '-')) {
+ return 1;
+ } else {
+ syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
+*** src/appl/telnet/telnetd/sys_term.c (revision 19480)
+--- src/appl/telnet/telnetd/sys_term.c (local)
+***************
+*** 1287,1292 ****
+--- 1287,1302 ----
+ #endif
+ #if defined (AUTHENTICATION)
+ if (auth_level >= 0 && autologin == AUTH_VALID) {
++ if (name[0] == '-') {
++ /* Authenticated and authorized to log in to an
++ account starting with '-'? Even if that
++ unlikely case comes to pass, the current login
++ program will not parse the resulting command
++ line properly. */
++ syslog(LOG_ERR, "user name cannot start with '-'");
++ fatal(net, "user name cannot start with '-'");
++ exit(1);
++ }
+ # if !defined(NO_LOGIN_F)
+ #if defined(LOGIN_CAP_F)
+ argv = addarg(argv, "-F");
+***************
+*** 1377,1387 ****
+ } else
+ #endif
+ if (getenv("USER")) {
+! argv = addarg(argv, getenv("USER"));
+ #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
+ {
+ register char **cpp;
+ for (cpp = environ; *cpp; cpp++)
+ argv = addarg(argv, *cpp);
+ }
+ #endif
+--- 1387,1405 ----
+ } else
+ #endif
+ if (getenv("USER")) {
+! char *user = getenv("USER");
+! if (user[0] == '-') {
+! /* "telnet -l-x ..." */
+! syslog(LOG_ERR, "user name cannot start with '-'");
+! fatal(net, "user name cannot start with '-'");
+! exit(1);
+! }
+! argv = addarg(argv, user);
+ #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
+ {
+ register char **cpp;
+ for (cpp = environ; *cpp; cpp++)
++ if ((*cpp)[0] != '-')
+ argv = addarg(argv, *cpp);
+ }
+ #endif |
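Review bot: The two new rejection paths in sys_term.c (the `name[0] == '-'` check in the AUTHENTICATION branch and the `user[0] == '-'` check on `getenv("USER")`) log only a fixed string, so the syslog record does not show which value was refused, whereas the state.c rejection in the same patch logs the variable name. Logging the value, e.g. `syslog(LOG_ERR, "rejected user name \"%s\": cannot start with '-'", user);`, would let an operator correlate the attempt with other events. The same syslog/fatal/exit sequence is repeated at both sites and could be one small helper, and the environ loop's new `if ((*cpp)[0] != '-')` skips entries without writing any log line. All three edits sit inside functions that begin and end outside the visible context, so whether `name` can be NULL at the first check cannot be confirmed from here.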
