From 70240d81c86b9b509d04858406cd6dec7b131f26 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Mar 09 2012 23:37:47 +0000
Subject: - update to 1.10.1 - drop the KDC crash fix - drop the KDC lookaside cache fix - drop the fix for kadmind RPC ACLs (CVE-2012-1012)
---
diff --git a/krb5-1.10-crashfix.patch b/krb5-1.10-crashfix.patch
deleted file mode 100644
index 3f4a86b..0000000
--- a/krb5-1.10-crashfix.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-RT #7081
-
-diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
-index 5e69653..4651b72 100644
---- a/src/kdc/do_as_req.c
-+++ b/src/kdc/do_as_req.c
-@@ -102,6 +102,7 @@ struct as_req_state {
- loop_respond_fn respond;
- void *arg;
-
-+ krb5_principal_data client_princ;
- krb5_enc_tkt_part enc_tkt_reply;
- krb5_enc_kdc_rep_part reply_encpart;
- krb5_ticket ticket_reply;
-@@ -458,7 +459,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
- krb5_error_code errcode;
- krb5_timestamp rtime;
- unsigned int s_flags = 0;
-- krb5_principal_data client_princ;
- krb5_data encoded_req_body;
- krb5_enctype useenctype;
- struct as_req_state *state;
-@@ -680,13 +680,13 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
-
- state->enc_tkt_reply.session = &state->session_key;
- if (isflagset(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
-- client_princ = *(state->client->princ);
-+ state->client_princ = *(state->client->princ);
- } else {
-- client_princ = *(state->request->client);
-+ state->client_princ = *(state->request->client);
- /* The realm is always canonicalized */
-- client_princ.realm = state->client->princ->realm;
-+ state->client_princ.realm = state->client->princ->realm;
- }
-- state->enc_tkt_reply.client = &client_princ;
-+ state->enc_tkt_reply.client = &state->client_princ;
- state->enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
- state->enc_tkt_reply.transited.tr_contents = empty_string;
diff --git a/krb5-1.10-lookaside.patch b/krb5-1.10-lookaside.patch
deleted file mode 100644
index 1afdd82..0000000
--- a/krb5-1.10-lookaside.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 4b9eb1f3dc538f7b29e50b6852983f5b4ddc7536 Mon Sep 17 00:00:00 2001
-From: ghudson
-Date: Thu, 26 Jan 2012 21:56:16 +0000
-Subject: [PATCH 1/3] ticket: 7082 subject: Various lookaside cache fixes
- target_version: 1.10 tags: pullup
-
-Don't touch the lookaside cache if we're responding with a lookaside
-cache entry. Also, leave the null entry behind if we're deliberately
-dropping a request (a rare case) so that we don't have to process it
-again. Fixes several lookaside problems in 1.10:
-
-* When dropping a request because it was already being processed, we
- were erroneously removing the null entry, causing us to process the
- request again upon a second retransmit.
-
-* When responding to a finished request with a lookaside entry, we
- were removing and re-adding the entry to the cache, resetting its
- time and performing unnecessary work.
-
-* We were not caching responses we couldn't deliver because they were
- too big for UDP, causing us to re-process the request when it came
- in again via TCP instead of simply delivering the cached response.
-
-git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25660 dc483132-0cff-0310-8789-dd5450dbe970
----
- src/kdc/dispatch.c | 40 ++++++++++++++++++++++------------------
- 1 files changed, 22 insertions(+), 18 deletions(-)
-
-diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
-index b4c02f3..efe7098 100644
---- a/src/kdc/dispatch.c
-+++ b/src/kdc/dispatch.c
-@@ -44,20 +44,11 @@ struct dispatch_state {
- };
-
- static void
--finish_dispatch(void *arg, krb5_error_code code, krb5_data *response)
-+finish_dispatch(struct dispatch_state *state, krb5_error_code code,
-+ krb5_data *response)
- {
-- struct dispatch_state *state = arg;
-- loop_respond_fn oldrespond;
-- void *oldarg;
--
-- assert(state);
-- oldrespond = state->respond;
-- oldarg = state->arg;
--
--#ifndef NOCACHE
-- /* Remove our NULL cache entry to indicate request completion.
*/
-- kdc_remove_lookaside(kdc_context, state->request);
--#endif
-+ loop_respond_fn oldrespond = state->respond;
-+ void *oldarg = state->arg;
-
- if (state->is_tcp == 0 && response &&
- response->length > max_dgram_reply_size) {
-@@ -70,14 +61,27 @@ finish_dispatch(void *arg, krb5_error_code code, krb5_data *response)
- error_message(code));
- }
-
-+ free(state);
-+ (*oldrespond)(oldarg, code, response);
-+}
-+
-+static void
-+finish_dispatch_cache(void *arg, krb5_error_code code, krb5_data *response)
-+{
-+ struct dispatch_state *state = arg;
-+
- #ifndef NOCACHE
-- /* put the response into the lookaside buffer */
-- else if (!code && response)
-+ /* Remove the null cache entry unless we actually want to discard this
-+ * request. */
-+ if (code != KRB5KDC_ERR_DISCARD)
-+ kdc_remove_lookaside(kdc_context, state->request);
-+
-+ /* Put the response into the lookaside buffer (if we produced one). */
-+ if (code == 0 && response != NULL)
- kdc_insert_lookaside(state->request, response);
- #endif
-
-- free(state);
-- (*oldrespond)(oldarg, code, response);
-+ finish_dispatch(state, code, response);
- }
-
- void
-@@ -167,7 +171,7 @@ dispatch(void *cb, struct sockaddr *local_saddr,
- * process_as_req frees the request if it is called
- */
- if (!(retval = setup_server_realm(as_req->server))) {
-- process_as_req(as_req, pkt, from, vctx, finish_dispatch,
-+ process_as_req(as_req, pkt, from, vctx, finish_dispatch_cache,
- state);
- return;
- }
---
-1.7.7.5
-
diff --git a/krb5-1.10-string-rpc-acl-fix.patch b/krb5-1.10-string-rpc-acl-fix.patch
deleted file mode 100644
index bd82356..0000000
--- a/krb5-1.10-string-rpc-acl-fix.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 725b97bfba7067907a5fc534c21349c0d28bf6b8 Mon Sep 17 00:00:00 2001
-From: ghudson
-Date: Tue, 21 Feb 2012 19:14:47 +0000
-Subject: [PATCH] ticket: 7093 subject: Access controls for string RPCs
- [CVE-2012-1012] target_version: 1.10.1 tags: pullup
-
-In the kadmin protocol, make the access controls for
-get_strings/set_string mirror those of get_principal/modify_principal.
-Previously, anyone with global list privileges could get or modify
-string attributes on any principal. The impact of this depends on how
-generous the kadmind acl is with list permission and whether string
-attributes are used in a deployment (nothing in the core code uses
-them yet).
-
-CVSSv2 vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:O/RC:C
-
-git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25704 dc483132-0cff-0310-8789-dd5450dbe970
----
- src/kadmin/server/server_stubs.c | 19 +++++++++++--------
- 1 files changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
-index 8dbe756..0de627f 100644
---- a/src/kadmin/server/server_stubs.c
-+++ b/src/kadmin/server/server_stubs.c
-@@ -1634,10 +1634,13 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
- goto exit_func;
- }
-
-- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
-- rqst2name(rqstp),
-- ACL_LIST, NULL, NULL)) {
-- ret.code = KADM5_AUTH_LIST;
-+ if (!
cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) &&
-+ (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
-+ rqst2name(rqstp),
-+ ACL_INQUIRE,
-+ arg->princ,
-+ NULL))) {
-+ ret.code = KADM5_AUTH_GET;
- log_unauth("kadm5_get_strings", prime_arg,
- &client_name, &service_name, rqstp);
- } else {
-@@ -1690,10 +1693,10 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
- goto exit_func;
- }
-
-- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
-- rqst2name(rqstp),
-- ACL_LIST, NULL, NULL)) {
-- ret.code = KADM5_AUTH_LIST;
-+ if (CHANGEPW_SERVICE(rqstp)
-+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
-+ arg->princ, NULL)) {
-+ ret.code = KADM5_AUTH_MODIFY;
- log_unauth("kadm5_mod_strings", prime_arg,
- &client_name, &service_name, rqstp);
- } else {
---
-1.7.7.6
-
diff --git a/krb5.spec b/krb5.spec
index a007348..cc5c00f 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -14,10 +14,10 @@ Summary: The Kerberos network authentication system
 Name: krb5
-Version: 1.10
-Release: 5%{?dist}
+Version: 1.10.1
+Release: 1%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
-# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-signed.tar
+# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.1-signed.tar
 Source0: krb5-%{version}.tar.gz
 Source1: krb5-%{version}.tar.gz.asc
 Source2: kprop.service
@@ -61,10 +61,7 @@ Patch100: krb5-trunk-7046.patch
 Patch101: krb5-trunk-7047.patch
 Patch102: krb5-trunk-7048.patch
 Patch103: krb5-1.10-gcc47.patch
-Patch104: krb5-1.10-crashfix.patch
 Patch105: krb5-kvno-230379.patch
-Patch106: krb5-1.10-lookaside.patch
-Patch107: krb5-1.10-string-rpc-acl-fix.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -234,10 +231,7 @@ ln -s NOTICE LICENSE
 %patch101 -p1 -b .7047
 %patch102 -p1 -b .7048
 %patch103 -p0 -b .gcc47
-%patch104 -p1 -b .crashfix
 %patch105 -p1 -b .kvno
-%patch106 -p1 -b .7082
-%patch107 -p1 -b .7093
 rm src/lib/krb5/krb/deltat.c
 gzip doc/*.ps
@@ -749,6 +743,12 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
+* Fri Mar 9 2012 Nalin Dahyabhai 1.10.1-1
+- update to 1.10.1 - drop the KDC crash fix - drop the KDC lookaside cache fix - drop the fix for kadmind RPC ACLs (CVE-2012-1012)
+
 * Wed Mar 7 2012 Nalin Dahyabhai 1.10-5
 - when removing -workstation, remove our files from the info index
 while the file is still there, in %%preun, rather than %%postun, and use the
diff --git a/sources b/sources
index 926961b..e69de29 100644
--- a/sources
+++ b/sources
@@ -1,3 +0,0 @@
-ff442dfc34c58ad6f601cc8aec6b84e2 krb5-1.10.tar.gz
-24dab4f2d8506eb64e364dc1527ba03c krb5-1.10.tar.gz.asc
-54ac50d94320c754b3a9553159c6351f krb5-1.10-pdf.tar.xz
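Review bot: The Version bump in the first krb5.spec hunk makes Source0/Source1 resolve to krb5-1.10.1.tar.gz and krb5-1.10.1.tar.gz.asc, but no checksum for either new artifact is recorded anywhere in this commit: the `sources` hunk only deletes the three 1.10 entries and leaves the file empty (blob e69de29), so presumably the new tarball can neither be fetched nor checked against a known value at build time. The `sources` file should gain entries for `krb5-1.10.1.tar.gz` and `krb5-1.10.1.tar.gz.asc` (and the 1.10.1 PDF tarball, if it is still packaged) in the same checksum format the deleted lines use, so the build pins the artifacts that were actually verified against the upstream signature. Dropping Patch104/106/107 relies on those fixes being part of the 1.10.1 release; of the three deleted patches only the CVE-2012-1012 one names target_version 1.10.1 on this page, so if that is the reasoning, the changelog line would document it better as `- drop the fix for kadmind RPC ACLs (CVE-2012-1012), now in 1.10.1 upstream`, with the same qualifier on the crash-fix and lookaside entries.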