author | Nalin Dahyabhai <nalin@redhat.com> | 2014-09-05 15:45:38 -0400 |
---|---|---|
committer | Nalin Dahyabhai <nalin@redhat.com> | 2014-09-05 18:18:58 -0400 |
commit | f69697ba82697909efed00f34c51901f881e1989 (patch) | |
tree | cec4d1c74331270ec6d4c7c5d49726c2c10f60a8 | |
parent | a05b95f5142d935c918cc0ecffdef6d6e09a7052 (diff) | |
Backport skipping kpasswd reply address checks
- backport patch to make the client skip checking the server's reply
address when processing responses to password-change requests, which,
between NAT and upcoming HTTPS support, can cause us to erroneously
report an error to the user when the server actually reported success
(RT #7886)
-rw-r--r-- | krb5-1.12-kpasswd-skip-address-check.patch | 55 | ||||
-rw-r--r-- | krb5.spec | 12 |
2 files changed, 66 insertions, 1 deletions
diff --git a/krb5-1.12-kpasswd-skip-address-check.patch b/krb5-1.12-kpasswd-skip-address-check.patch
new file mode 100644
index 0000000..9873b93
--- /dev/null
+++ b/krb5-1.12-kpasswd-skip-address-check.patch
@@ -0,0 +1,55 @@
+commit b562400826409deceb0d52ffbe6570670ee9db55
+Author: Nalin Dahyabhai <nalin@dahyabhai.net>
+Date: Wed Oct 9 15:03:16 2013 -0400
+
+ Don't check kpasswd reply address
+
+ Don't check the address of the kpasswd server when parsing the reply
+ we received from it. If the server's address was modified by a proxy
+ or other network element, the user will be incorrectly warned that the
+ password change failed when it succeeded. The check is unnecessary as
+ the kpasswd protocol is not subject to a reflection attack.
+
+ [ghudson@mit.edu: edit commit message]
+
+ ticket: 7886 (new)
+
+diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
+index 462910f..4d8abd9 100644
+--- a/src/lib/krb5/os/changepw.c
++++ b/src/lib/krb5/os/changepw.c
+@@ -214,7 +214,6 @@ change_set_password(krb5_context context,
+ krb5_data *result_string)
+ {
+ krb5_data chpw_rep;
+- krb5_address remote_kaddr;
+ krb5_boolean use_tcp = 0;
+ GETSOCKNAME_ARG3_TYPE addrlen;
+ krb5_error_code code = 0;
+@@ -272,26 +271,6 @@ change_set_password(krb5_context context,
+ break;
+ }
+
+- if (remote_addr.ss_family == AF_INET) {
+- remote_kaddr.addrtype = ADDRTYPE_INET;
+- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
+- remote_kaddr.contents =
+- (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
+- } else if (remote_addr.ss_family == AF_INET6) {
+- remote_kaddr.addrtype = ADDRTYPE_INET6;
+- remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr);
+- remote_kaddr.contents =
+- (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr;
+- } else {
+- break;
+- }
+-
+- if ((code = krb5_auth_con_setaddrs(callback_ctx.context,
+- callback_ctx.auth_context,
+- NULL,
+- &remote_kaddr)))
+- break;
+-
+ code = krb5int_rd_chpw_rep(callback_ctx.context,
+ callback_ctx.auth_context,
+ &chpw_rep, &local_result_code,
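Review bot: With the `krb5_auth_con_setaddrs()` call removed, nothing at the `krb5int_rd_chpw_rep()` call site in `change_set_password()` records that the sender address is deliberately left unset, so acceptance of the reply now presumably rests only on the cryptographic protection of the message itself. A short comment above the call would keep a later maintainer from re-adding the check or from assuming the peer address was verified, for example `/* Deliberately no remote address in the auth context: NAT or a proxy may rewrite it, and the reply is authenticated by its own protection, not by its source address. */`. The function body starts and ends outside both inner hunks, so it is not visible whether `remote_addr` is still used elsewhere. If it was filled in only for this check, it is worth confirming the backport does not leave it as dead state.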
@@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.12.2 -Release: 5%{?dist} +Release: 6%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.2-signed.tar Source0: krb5-%{version}.tar.gz @@ -108,6 +108,7 @@ Patch204: 0004-Make-ksu-respect-the-default_ccache_name-setting.patch Patch205: 0005-Copy-config-entries-to-the-ksu-target-ccache.patch Patch206: 0006-Use-more-randomness-for-ksu-secondary-cache-names.patch Patch207: 0007-Make-krb5_cc_new_unique-create-DIR-directories.patch +Patch300: krb5-1.12-kpasswd-skip-address-check.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -318,6 +319,8 @@ ln -s NOTICE LICENSE %patch206 -p1 -b .Use-more-randomness-for-ksu-secondary-cache-names %patch207 -p1 -b .Make-krb5_cc_new_unique-create-DIR-directories +%patch300 -p1 -b .kpasswd-skip-address-check + %patch1 -p1 -b .pwdch-fast %patch60 -p1 -b .pam @@ -1027,6 +1030,13 @@ exit 0 %{_sbindir}/uuserver %changelog +* Fri Sep 5 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.2-6 +- backport patch to make the client skip checking the server's reply + address when processing responses to password-change requests, which + between NAT and upcoming HTTPS support, can cause us to erroneously + report an error to the user when the server actually reported success + (RT #7886) + * Thu Aug 28 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.2-5 - backport fix for trying all compatible keys when not being strict about acceptor names while reading AP-REQs (RT#7883, #1078888) |