pkgsrc-Changes-HG archive

[pkgsrc/pkgsrc-2008Q1]: pkgsrc/security/mit-krb5 Pullup ticket #2417 - reques...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/230ed2e5ad81
branches:  pkgsrc-2008Q1
changeset: 540409:230ed2e5ad81
user:      tron <tron%pkgsrc.org@localhost>
date:      Sun Jun 08 11:47:13 2008 +0000

description:
Pullup ticket #2417 - requested by tonnerre
Security patches for mit-krb5

Revisions pulled up:
- security/mit-krb5/Makefile            1.42
- security/mit-krb5/distinfo            1.17-1.19
- security/mit-krb5/patches/patch-ai    1.3-1.4
- security/mit-krb5/patches/patch-au    1.1-1.2
- security/mit-krb5/patches/patch-av    1.1-1.2
- security/mit-krb5/patches/patch-aw    1.1-1.2
- security/mit-krb5/patches/patch-ax    1.1-1.2
- security/mit-krb5/patches/patch-ay    1.1-1.2
- security/mit-krb5/patches/patch-az    1.1-1.2
- security/mit-krb5/patches/patch-ba    1.1-1.3
- security/mit-krb5/patches/patch-bb    1.1-1.2
- security/mit-krb5/patches/patch-bc    1.1-1.2
- security/mit-krb5/patches/patch-bd    1.1-1.2
- security/mit-krb5/patches/patch-be    1.1-1.2
- security/mit-krb5/patches/patch-bf    1.1
- security/mit-krb5/patches/patch-bg    1.1
---
    Module Name:        pkgsrc
    Committed By:       tonnerre
    Date:               Sat Jun  7 18:36:07 UTC 2008

    Modified Files:
        pkgsrc/security/mit-krb5: Makefile distinfo
    Added Files:
        pkgsrc/security/mit-krb5/patches: patch-ai patch-au patch-av
    patch-aw patch-ax patch-ay patch-az patch-ba patch-bb patch-bc patch-bd
            patch-be

    Log Message:
    Add security patches for 3 Kerberos vulnerabilities:
     - telnetd username and environment sanitizing vulnerabilities ("-f
    root") as described in MIT Kerberos advisory 2007-001.
     - krb5_klog_syslog() problems with overly long log strings as described
       in MIT Kerberos advisory 2007-002.
     - GSS API kg_unseal_v1() double free vulnerability as described in the
       MIT Kerberos advisory 2007-003.
---
    Module Name:        pkgsrc
    Committed By:       tonnerre
    Date:               Sat Jun  7 20:22:18 UTC 2008

    Modified Files:
        pkgsrc/security/mit-krb5: distinfo
        pkgsrc/security/mit-krb5/patches: patch-ai patch-au patch-av
    patch-aw patch-ax patch-ay patch-az patch-ba patch-bb patch-bc patch-bd
            patch-be

    Log Message:
    Remove parts of a different security patch which slipped in but are not
    supported yet. Don't bump revision as the package didn't build before.
---
    Module Name:        pkgsrc
    Committed By:       tonnerre
    Date:               Sat Jun  7 22:26:10 UTC 2008

    Modified Files:
        pkgsrc/security/mit-krb5: distinfo
        pkgsrc/security/mit-krb5/patches: patch-ba
    Added Files:
        pkgsrc/security/mit-krb5/patches: patch-bf patch-bg

    Log Message:
    Add patches for MITKRB5-SA-2007-004 and MITKRB5-SA-2007-005. PKGREVISION
    will be bumped again once some other patches are in.

diffstat:

 security/mit-krb5/Makefile         |    4 +-
 security/mit-krb5/distinfo         |   16 +-
 security/mit-krb5/patches/patch-ai |   44 ++
 security/mit-krb5/patches/patch-au |   14 +
 security/mit-krb5/patches/patch-av |   12 +
 security/mit-krb5/patches/patch-aw |   68 +++
 security/mit-krb5/patches/patch-ax |   53 +++
 security/mit-krb5/patches/patch-ay |   10 +
 security/mit-krb5/patches/patch-az |   28 +
 security/mit-krb5/patches/patch-ba |  630 +++++++++++++++++++++++++++++++++++++
 security/mit-krb5/patches/patch-bb |   34 +
 security/mit-krb5/patches/patch-bc |   17 +
 security/mit-krb5/patches/patch-bd |   35 ++
 security/mit-krb5/patches/patch-be |   17 +
 security/mit-krb5/patches/patch-bf |   13 +
 security/mit-krb5/patches/patch-bg |   43 ++
 16 files changed, 1035 insertions(+), 3 deletions(-)

diffs (truncated from 1122 to 300 lines):

diff -r ccd61643c486 -r 230ed2e5ad81 security/mit-krb5/Makefile
--- a/security/mit-krb5/Makefile        Thu Jun 05 12:26:10 2008 +0000
+++ b/security/mit-krb5/Makefile        Sun Jun 08 11:47:13 2008 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.41 2007/06/22 14:20:01 gdt Exp $
+# $NetBSD: Makefile,v 1.41.8.1 2008/06/08 11:47:13 tron Exp $
 
 DISTNAME=      krb5-1.4.2
 PKGNAME=       mit-${DISTNAME:S/-signed$//}
-PKGREVISION=   4
+PKGREVISION=   5
 CATEGORIES=    security
 MASTER_SITES=  http://web.mit.edu/kerberos/dist/krb5/1.4/
 DISTFILES=     ${DISTNAME}-signed${EXTRACT_SUFX}
diff -r ccd61643c486 -r 230ed2e5ad81 security/mit-krb5/distinfo
--- a/security/mit-krb5/distinfo        Thu Jun 05 12:26:10 2008 +0000
+++ b/security/mit-krb5/distinfo        Sun Jun 08 11:47:13 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16 2007/01/17 23:43:47 salo Exp $
+$NetBSD: distinfo,v 1.16.10.1 2008/06/08 11:47:13 tron Exp $
 
 SHA1 (krb5-1.4.2-signed.tar) = bbc03bd319d539fb9523c2545d80ba0784522e88
 RMD160 (krb5-1.4.2-signed.tar) = 44500f5fab8e5959cf43f17f5f52f68e2dc73a1f
@@ -11,6 +11,7 @@
 SHA1 (patch-af) = c9631743e3c93aee2aab5c8a370e9bebfc4084e5
 SHA1 (patch-ag) = 5da57455f36a2bd40e0f97db94e93249e90e0b8e
 SHA1 (patch-ah) = 59a6bfc341a22234b38db406abe83b0d6d358a9f
+SHA1 (patch-ai) = 5b0f1ae222e50eb0eb3ed98c79188318ae0969b5
 SHA1 (patch-aj) = 5c633571ea932ce349065cbb4c3bf482cc971675
 SHA1 (patch-ak) = 9d95372fd8edddbf0366e83a51d7a0b8a507f218
 SHA1 (patch-al) = fb611fe47bd7c773d7baf11424e90cd3af70c422
@@ -22,3 +23,16 @@
 SHA1 (patch-ar) = 37807c14f03533aef8796ac90e5fac36ff98308a
 SHA1 (patch-as) = b155219fd512b59f698497af1bf6acf1ca4f4a34
 SHA1 (patch-at) = df0605b0f5fbaef6b7540f87079ae64b2acc464c
+SHA1 (patch-au) = 238f497afd9ad129babc0b6c727eb23e9915536c
+SHA1 (patch-av) = db0fce68f58307be4c359758f2c9b31d62ab8348
+SHA1 (patch-aw) = 0e651b675d166e71f6543cbad8e29eece89d5b67
+SHA1 (patch-ax) = d403c910211e48c6d1dc27cb2dd98d5f20cc688d
+SHA1 (patch-ay) = 9f54c79c105d7baca3f1efa68a25f9b39dbf7683
+SHA1 (patch-az) = 79fd9cbbf34287b78d5c6c2faf72e147457f7f37
+SHA1 (patch-ba) = b413b82de3248600beb003456cde811637d05206
+SHA1 (patch-bb) = 156d3341d1cf40cfbe5833f7ad68b5aec297d3fb
+SHA1 (patch-bc) = 8b422991ca22903596cf157ea3603abb741c50a5
+SHA1 (patch-bd) = 8cf0425d2fedea452f80fa599f3c4515e51d834c
+SHA1 (patch-be) = c4497d7b68cefd8109d615c2125d9dc7aa508e5d
+SHA1 (patch-bf) = 1e16b6cbe51a5aa07ac7c7c3c343e82bf16dcde6
+SHA1 (patch-bg) = fa70e00a2eb283782c9960a2c74a879862b979c5
diff -r ccd61643c486 -r 230ed2e5ad81 security/mit-krb5/patches/patch-ai
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-ai        Sun Jun 08 11:47:13 2008 +0000
@@ -0,0 +1,44 @@
+$NetBSD: patch-ai,v 1.2.24.1 2008/06/08 11:47:13 tron Exp $
+
+--- appl/telnet/telnetd/sys_term.c.orig        2008-06-07 15:55:51.000000000 +0200
++++ appl/telnet/telnetd/sys_term.c
+@@ -1287,6 +1287,16 @@ start_login(host, autologin, name)
+ #endif
+ #if   defined (AUTHENTICATION)
+       if (auth_level >= 0 && autologin == AUTH_VALID) {
++              if (name[0] == '-') {
++                      /* Authenticated and authorized to log in to an
++                         account starting with '-'?  Even if that
++                         unlikely case comes to pass, the current login
++                         program will not parse the resulting command
++                         line properly.  */
++                      syslog(LOG_ERR, "user name cannot start with '-'");
++                      fatal(net, "user name cannot start with '-'");
++                      exit(1);
++              }
+ # if  !defined(NO_LOGIN_F)
+ #if   defined(LOGIN_CAP_F)
+               argv = addarg(argv, "-F");
+@@ -1377,12 +1387,20 @@ start_login(host, autologin, name)
+       } else
+ #endif
+       if (getenv("USER")) {
+-              argv = addarg(argv, getenv("USER"));
++              char *user = getenv("USER");
++              if (user[0] == '-') {
++                      /* "telnet -l-x ..." */
++                      syslog(LOG_ERR, "user name cannot start with '-'");
++                      fatal(net, "user name cannot start with '-'");
++                      exit(EXIT_FAILURE);
++              }
++              argv = addarg(argv, user);
+ #if   defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
+               {
+                       register char **cpp;
+                       for (cpp = environ; *cpp; cpp++)
+-                              argv = addarg(argv, *cpp);
++                              if ((*cpp)[0] != '-')
++                                      argv = addarg(argv, *cpp);
+               }
+ #endif
+               /*
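
Review bot: In the second sys_term.c hunk, the environ loop skips entries starting with '-' silently, while both user-name checks in this patch log through syslog() before aborting. Log the dropped entry too, so that filtered input leaves a trace. Put braces around the for body now that it holds an if statement. The two new exit paths also differ (exit(1) in the first hunk, exit(EXIT_FAILURE) in the second); pick one. getenv("USER") is still evaluated twice; assigning it once to user and testing that pointer would be tidier.
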
diff -r ccd61643c486 -r 230ed2e5ad81 security/mit-krb5/patches/patch-au
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-au        Sun Jun 08 11:47:13 2008 +0000
@@ -0,0 +1,14 @@
+$NetBSD$
+
+--- appl/telnet/telnetd/state.c.orig   2002-11-15 21:21:51.000000000 +0100
++++ appl/telnet/telnetd/state.c
+@@ -1665,7 +1665,8 @@ static int envvarok(varp)
+           strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
+           strcmp(varp, "NLSPATH") && /* locale stuff */
+           strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
+-          strcmp(varp, "IFS")) {
++          strcmp(varp, "IFS") &&
++          !strchr(varp, '-')) {
+               return 1;
+       } else {
+               syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
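
Review bot: The added !strchr(varp, '-') condition carries no comment, although the neighbouring conditions are annotated ("linux", "locale stuff"). It also rejects a '-' at any position in varp, whereas the sys_term.c checks in patch-ai only look at the first character. Add a comment stating why the whole string is scanned, so a later reader does not narrow it to a leading-character test by mistake.
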
diff -r ccd61643c486 -r 230ed2e5ad81 security/mit-krb5/patches/patch-av
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-av        Sun Jun 08 11:47:13 2008 +0000
@@ -0,0 +1,12 @@
+$NetBSD$
+
+--- kdc/kdc_util.c.orig        2004-02-13 05:20:56.000000000 +0100
++++ kdc/kdc_util.c
+@@ -404,6 +404,7 @@ kdc_get_server_key(krb5_ticket *ticket, 
+ 
+       krb5_db_free_principal(kdc_context, &server, nprincs);
+       if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
++          limit_string(sname);
+           krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
+                            sname);
+           free(sname);
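
Review bot: limit_string() is called on sname here, but no hunk in the visible part of this changeset declares or defines it (the diff is truncated at 300 lines). Confirm that kdc_util.c sees a prototype, and add a short comment at the call saying what bound it enforces, since the reason for the call is not evident from this site alone.
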
diff -r ccd61643c486 -r 230ed2e5ad81 security/mit-krb5/patches/patch-aw
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-aw        Sun Jun 08 11:47:13 2008 +0000
@@ -0,0 +1,68 @@
+$NetBSD$
+
+--- kdc/do_tgs_req.c.orig      2005-07-12 22:59:51.000000000 +0200
++++ kdc/do_tgs_req.c
+@@ -490,27 +490,38 @@ tgt_again:
+       newtransited = 1;
+     }
+     if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
++      unsigned int tlen;
++      char *tdots;
++
+       errcode = krb5_check_transited_list (kdc_context,
+                                            &enc_tkt_reply.transited.tr_contents,
+                                            krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
+                                            krb5_princ_realm (kdc_context, request->server));
++      tlen = enc_tkt_reply.transited.tr_contents.length;
++      tdots = tlen > 125 ? "..." : "";
++      tlen = tlen > 125 ? 125 : tlen;
++
+       if (errcode == 0) {
+           setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
+       } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
+           krb5_klog_syslog (LOG_INFO,
+-                            "bad realm transit path from '%s' to '%s' via '%.*s'",
++                            "bad realm transit path from '%s' to '%s' "
++                            "via '%.*s%s'",
+                             cname ? cname : "<unknown client>",
+                             sname ? sname : "<unknown server>",
+-                            enc_tkt_reply.transited.tr_contents.length,
+-                            enc_tkt_reply.transited.tr_contents.data);
+-      else
++                            tlen,
++                            enc_tkt_reply.transited.tr_contents.data,
++                            tdots);
++      else {
+           krb5_klog_syslog (LOG_ERR,
+-                            "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
++                            "unexpected error checking transit from "
++                            "'%s' to '%s' via '%.*s%s': %s",
+                             cname ? cname : "<unknown client>",
+                             sname ? sname : "<unknown server>",
+-                            enc_tkt_reply.transited.tr_contents.length,
++                            tlen,
+                             enc_tkt_reply.transited.tr_contents.data,
+-                            error_message (errcode));
++                            tdots, error_message (errcode));
++      }
+     } else
+       krb5_klog_syslog (LOG_INFO, "not checking transit path");
+     if (reject_bad_transit
+@@ -538,6 +549,9 @@ tgt_again:
+       if (!krb5_principal_compare(kdc_context, request->server, client2)) {
+               if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
+                       tmp = 0;
++              if (tmp != NULL)
++                      limit_string(tmp);
++
+               krb5_klog_syslog(LOG_INFO,
+                                "TGS_REQ %s: 2ND_TKT_MISMATCH: "
+                                "authtime %d, %s for %s, 2nd tkt client %s",
+@@ -800,6 +814,7 @@ find_alternate_tgs(krb5_kdc_req *request
+               krb5_klog_syslog(LOG_INFO,
+                      "TGS_REQ: issuing alternate <un-unparseable> TGT");
+           } else {
++              limit_string(sname);
+               krb5_klog_syslog(LOG_INFO,
+                      "TGS_REQ: issuing TGT %s", sname);
+               free(sname);
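
Review bot: tlen is declared unsigned int in the first do_tgs_req.c hunk and then passed as the precision for '%.*s', which takes an int; declare it int or cast at both call sites. The limit 125 appears twice as a bare literal and should be a named constant with a comment tying it to the log buffer limit being worked around. tdots only ever points at string literals, so const char * is the better type. Note also that cname and sname still go through plain '%s' in the same two calls; nothing in this hunk bounds them, so check that they are limited before reaching this point.
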
diff -r ccd61643c486 -r 230ed2e5ad81 security/mit-krb5/patches/patch-ax
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-ax        Sun Jun 08 11:47:13 2008 +0000
@@ -0,0 +1,53 @@
+$NetBSD$
+
+--- kadmin/server/ovsec_kadmd.c.orig   2004-09-21 20:20:16.000000000 +0200
++++ kadmin/server/ovsec_kadmd.c
+@@ -952,13 +952,25 @@ void log_badverf(gss_name_t client_name,
+      rpcproc_t proc;
+      int i;
+      const char *procname;
++     size_t clen, slen;
++     char *cdots, *sdots;
+ 
+      (void) gss_display_name(&minor, client_name, &client, &gss_type);
+      (void) gss_display_name(&minor, server_name, &server, &gss_type);
+-     if (client.value == NULL)
++     if (client.value == NULL) {
+        client.value = "(null)";
+-     if (server.value == NULL)
++       clen = sizeof("(null)") -1;
++     } else {
++       clen = client.length;
++     }
++     trunc_name(&clen, &cdots);
++     if (server.value == NULL) {
+        server.value = "(null)";
++       slen = sizeof("(null)") - 1;
++     } else {
++       slen = server.length;
++     }
++     trunc_name(&slen, &sdots);
+      a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
+ 
+      proc = msg->rm_call.cb_proc;
+@@ -971,14 +983,14 @@ void log_badverf(gss_name_t client_name,
+      }
+      if (procname != NULL)
+         krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
+-                         "claimed client = %s, server = %s, addr = %s",
+-                         procname, client.value,
+-                         server.value, a);
++                         "claimed client = %.*s%s, server = %.*s%s, addr = %s",
++                         procname, clen, client.value, cdots,
++                         slen, server.value, sdots, a);
+      else
+         krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
+-                         "claimed client = %s, server = %s, addr = %s",
+-                         proc, client.value,
+-                         server.value, a);
++                         "claimed client = %.*s%s, server = %.*s%s, addr = %s",
++                         proc, clen, client.value, cdots,
++                         slen, server.value, sdots, a);
+ 
+      (void) gss_release_buffer(&minor, &client);
+      (void) gss_release_buffer(&minor, &server);
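
Review bot: clen and slen are size_t in log_badverf() but are passed as the '%.*s' precision in both krb5_klog_syslog() calls, where an int is expected. Where size_t is wider than int this is a mismatched variadic argument. Cast at the call sites, for example "(int) clen, client.value, cdots", or have trunc_name() work on an int. Minor: "sizeof("(null)") -1" and "sizeof("(null)") - 1" are spaced differently in the two branches.
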
diff -r ccd61643c486 -r 230ed2e5ad81 security/mit-krb5/patches/patch-ay
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-ay        Sun Jun 08 11:47:13 2008 +0000
@@ -0,0 +1,10 @@
+$NetBSD$
+
+--- kadmin/server/misc.h.orig  2004-10-28 00:12:48.000000000 +0200
++++ kadmin/server/misc.h
+@@ -44,3 +44,5 @@ krb5_error_code process_chpw_request(krb
+ #ifdef SVC_GETARGS
+ void  kadm_1(struct svc_req *, SVCXPRT *);
+ #endif
++
++void trunc_name(size_t *len, char **dots);
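
Review bot: The new trunc_name() prototype in misc.h has no comment describing its contract: the maximum length it clamps *len to, and what *dots is set to in each case. Callers in ovsec_kadmd.c and schpw.c rely on both. If *dots is only ever pointed at string literals, as tdots is in do_tgs_req.c, declare the parameter const char ** and make the callers' cdots and sdots const char * to match.
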
diff -r ccd61643c486 -r 230ed2e5ad81 security/mit-krb5/patches/patch-az
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-az        Sun Jun 08 11:47:13 2008 +0000
@@ -0,0 +1,28 @@
+$NetBSD$
+
+--- kadmin/server/schpw.c.orig 2004-10-28 00:12:48.000000000 +0200
++++ kadmin/server/schpw.c
+@@ -41,6 +41,8 @@ process_chpw_request(context, server_han
+     int numresult;
+     char strresult[1024];
+     char *clientstr;
++    size_t clen;
++    char *cdots;
+ 
+     ret = 0;
+     rep->length = 0;
+@@ -259,9 +261,12 @@ process_chpw_request(context, server_han
+     free(ptr);
+     clear.length = 0;
+ 
+-    krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s",
++    clen = strlen(clientstr);
++    trunc_name(&clen, &cdots);
++    krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",
+                    inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),
+-                   clientstr, ret ? error_message(ret) : "success");
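
Review bot: clen is declared size_t in the first schpw.c hunk and is meant to feed the '%.*s' added to the format string, which needs an int. The replacement argument list is cut off by the archive truncation, so verify in the full patch that clen is cast to int and that cdots follows clientstr in the argument order. strlen(clientstr) also assumes clientstr is non-NULL at this point; nothing in the visible lines checks it.
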
