diff --git a/2004-002-dblfree_patch.txt b/2004-002-dblfree_patch.txt
new file mode 100644
index 0000000..2703b0f
--- /dev/null
+++ b/2004-002-dblfree_patch.txt
@@ -0,0 +1,268 @@ +Index: src/clients/klist/klist.c +=================================================================== +RCS file: /cvs/krbdev/krb5/src/clients/klist/klist.c,v +retrieving revision 5.63 +diff -c -r5.63 klist.c +*** src/clients/klist/klist.c 11 Apr 2002 03:21:46 -0000 5.63 +--- src/clients/klist/klist.c 23 Aug 2004 03:37:26 -0000 +*************** +*** 614,619 **** +--- 614,622 ---- + + if (show_etype) { + retval = krb5_decode_ticket(&cred->ticket, &tkt); ++ if (retval) ++ goto err_tkt; ++ + if (!extra_field) + fputs("\t",stdout); + else +*************** +*** 622,629 **** + etype_string(cred->keyblock.enctype)); + printf("%s ", + etype_string(tkt->enc_part.enctype)); +- krb5_free_ticket(kcontext, tkt); + extra_field++; + } + + /* if any additional info was printed, extra_field is non-zero */ +--- 625,635 ---- + etype_string(cred->keyblock.enctype)); + printf("%s ", + etype_string(tkt->enc_part.enctype)); + extra_field++; ++ ++ err_tkt: ++ if (tkt != NULL) ++ krb5_free_ticket(kcontext, tkt); + } + + /* if any additional info was printed, extra_field is non-zero */ +Index: src/krb524/krb524d.c +=================================================================== +RCS file: /cvs/krbdev/krb5/src/krb524/krb524d.c,v +retrieving revision 1.55.2.3 +diff -c -r1.55.2.3 krb524d.c +*** src/krb524/krb524d.c 28 May 2003 04:06:31 -0000 1.55.2.3 +--- src/krb524/krb524d.c 23 Aug 2004 03:37:26 -0000 +*************** +*** 582,589 **** + printf("v4 credentials encoded\n"); + + error: +! if (v5tkt->enc_part2) + krb5_free_enc_tkt_part(context, v5tkt->enc_part2); + + if(v5_service_key.contents) + krb5_free_keyblock_contents(context, &v5_service_key); +--- 582,591 ---- + printf("v4 credentials encoded\n"); + + error: +! 
if (v5tkt->enc_part2) { + krb5_free_enc_tkt_part(context, v5tkt->enc_part2); ++ v5tkt->enc_part2 = NULL; ++ } + + if(v5_service_key.contents) + krb5_free_keyblock_contents(context, &v5_service_key); +Index: src/lib/krb5/asn.1/asn1buf.c +=================================================================== +RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v +retrieving revision 5.24 +diff -c -r5.24 asn1buf.c +*** src/lib/krb5/asn.1/asn1buf.c 12 Mar 2003 04:33:30 -0000 5.24 +--- src/lib/krb5/asn.1/asn1buf.c 23 Aug 2004 03:37:27 -0000 +*************** +*** 255,260 **** +--- 255,261 ---- + (*code)->data = (char*)malloc((((*code)->length)+1)*sizeof(char)); + if ((*code)->data == NULL) { + free(*code); ++ *code = NULL; + return ENOMEM; + } + for(i=0; i < (*code)->length; i++) +Index: src/lib/krb5/asn.1/krb5_decode.c +=================================================================== +RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/krb5_decode.c,v +retrieving revision 5.40.2.5 +diff -c -r5.40.2.5 krb5_decode.c +*** src/lib/krb5/asn.1/krb5_decode.c 10 Oct 2003 23:57:38 -0000 5.40.2.5 +--- src/lib/krb5/asn.1/krb5_decode.c 23 Aug 2004 03:37:27 -0000 +*************** +*** 183,190 **** + #define cleanup(cleanup_routine)\ + return 0; \ + error_out: \ +! if (rep && *rep) \ + cleanup_routine(*rep); \ + return retval; + + #define cleanup_none()\ +--- 183,192 ---- + #define cleanup(cleanup_routine)\ + return 0; \ + error_out: \ +! if (rep && *rep) { \ + cleanup_routine(*rep); \ ++ *rep = NULL; \ ++ } \ + return retval; + + #define cleanup_none()\ +*************** +*** 233,238 **** +--- 235,241 ---- + free_field(*rep,checksum); + free_field(*rep,client); + free(*rep); ++ *rep = NULL; + } + return retval; + } +*************** +*** 254,260 **** + { begin_structure(); + { krb5_kvno kvno; + get_field(kvno,0,asn1_decode_kvno); +! 
if(kvno != KVNO) return KRB5KDC_ERR_BAD_PVNO; + } + alloc_field((*rep)->server,krb5_principal_data); + get_field((*rep)->server,1,asn1_decode_realm); +--- 257,263 ---- + { begin_structure(); + { krb5_kvno kvno; + get_field(kvno,0,asn1_decode_kvno); +! if(kvno != KVNO) clean_return(KRB5KDC_ERR_BAD_PVNO); + } + alloc_field((*rep)->server,krb5_principal_data); + get_field((*rep)->server,1,asn1_decode_realm); +*************** +*** 268,273 **** +--- 271,277 ---- + if (rep && *rep) { + free_field(*rep,server); + free(*rep); ++ *rep = NULL; + } + return retval; + } +*************** +*** 320,325 **** +--- 324,330 ---- + free_field(*rep,session); + free_field(*rep,client); + free(*rep); ++ *rep = NULL; + } + return retval; + } +*************** +*** 403,408 **** +--- 408,414 ---- + if (rep && *rep) { + free_field(*rep,ticket); + free(*rep); ++ *rep = NULL; + } + return retval; + } +*************** +*** 451,456 **** +--- 457,463 ---- + if (rep && *rep) { + free_field(*rep,subkey); + free(*rep); ++ *rep = NULL; + } + return retval; + } +*************** +*** 556,561 **** +--- 563,569 ---- + if (rep && *rep) { + free_field(*rep,checksum); + free(*rep); ++ *rep = NULL; + } + return retval; + } +*************** +*** 614,619 **** +--- 622,628 ---- + free_field(*rep,r_address); + free_field(*rep,s_address); + free(*rep); ++ *rep = NULL; + } + return retval; + } +*************** +*** 668,673 **** +--- 677,683 ---- + free_field(*rep,r_address); + free_field(*rep,s_address); + free(*rep); ++ *rep = NULL; + } + return retval; + } +*************** +*** 713,718 **** +--- 723,729 ---- + free_field(*rep,server); + free_field(*rep,client); + free(*rep); ++ *rep = NULL; + } + return retval; + } +Index: src/lib/krb5/krb/rd_rep.c +=================================================================== +RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/rd_rep.c,v +retrieving revision 5.33.2.2 +diff -c -r5.33.2.2 rd_rep.c +*** src/lib/krb5/krb/rd_rep.c 14 Jun 2003 00:09:47 -0000 5.33.2.2 +--- 
src/lib/krb5/krb/rd_rep.c 23 Aug 2004 03:37:27 -0000 +*************** +*** 71,76 **** +--- 71,78 ---- + + /* now decode the decrypted stuff */ + retval = decode_krb5_ap_rep_enc_part(&scratch, repl); ++ if (retval) ++ goto clean_scratch; + + /* Check reply fields */ + if (((*repl)->ctime != auth_context->authentp->ctime) || +Index: src/lib/krb5/krb/send_tgs.c +=================================================================== +RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/send_tgs.c,v +retrieving revision 5.55.2.1 +diff -c -r5.55.2.1 send_tgs.c +*** src/lib/krb5/krb/send_tgs.c 13 May 2004 19:27:59 -0000 5.55.2.1 +--- src/lib/krb5/krb/send_tgs.c 23 Aug 2004 03:37:27 -0000 +*************** +*** 269,274 **** +--- 269,276 ---- + if (!tcp_only) { + krb5_error *err_reply; + retval = decode_krb5_error(&rep->response, &err_reply); ++ if (retval) ++ goto send_tgs_error_3; + if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) { + tcp_only = 1; + krb5_free_error(context, err_reply); +*************** +*** 277,282 **** +--- 279,286 ---- + goto send_again; + } + krb5_free_error(context, err_reply); ++ send_tgs_error_3: ++ ; + } + rep->message_type = KRB5_ERROR; + } else if (krb5_is_tgs_rep(&rep->response)) diff --git a/2004-003-patch_1.3.4.txt b/2004-003-patch_1.3.4.txt new file mode 100644 index 0000000..57a9213 --- /dev/null +++ b/2004-003-patch_1.3.4.txt @@ -0,0 +1,17 @@ +Index: src/lib/krb5/asn.1/asn1buf.c +=================================================================== +RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v +retrieving revision 5.24 +*** src/lib/krb5/asn.1/asn1buf.c 12 Mar 2003 04:33:30 -0000 5.24 +--- src/lib/krb5/asn.1/asn1buf.c 23 Aug 2004 03:43:47 -0000 +*************** +*** 122,127 **** +--- 122,129 ---- + return ASN1_OVERRUN; + } + while (nestlevel > 0) { ++ if (buf->bound - buf->next + 1 <= 0) ++ return ASN1_OVERRUN; + retval = asn1_get_tag_2(buf, &t); + if (retval) return retval; + if (!t.indef) { 
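Review bot: In the klist.c hunk the new `err_tkt:` cleanup relies on `tkt` being NULL whenever `krb5_decode_ticket` fails, but the `cleanup` macro changed in the krb5_decode.c hunk only clears `*rep` when it is already non-NULL, so a failure before the decoder allocates anything may leave `tkt` untouched. The declaration of `tkt` and the rest of the enclosing function lie outside the hunk; if it is not initialised there, `krb5_ticket *tkt = NULL;` at the declaration (or `tkt = NULL;` immediately before the decode call) is what makes the `tkt != NULL` test meaningful. A short comment at the label, `/* assumes tkt was NULL before the decode call */`, would record the invariant the check depends on.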
diff --git a/krb5.spec b/krb5.spec index fc7f03a..c29e75b 100644 --- a/krb5.spec +++ b/krb5.spec @@ -7,7 +7,7 @@ Summary: The Kerberos network authentication system. Name: krb5 Version: 1.3.4 -Release: 2 +Release: 7 # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/www/dist/krb5/1.3/krb5-1.3.4.tar Source0: krb5-%{version}.tar.gz @@ -46,7 +46,6 @@ Patch15: krb5-1.3-check.patch Patch16: krb5-1.3.3-no-rpath.patch Patch17: krb5-1.3-pass-by-address.patch Patch18: krb5-1.2.7-reject-bad-transited.patch -Patch19: krb5-1.2.7-krb524d-double-free.patch Patch20: krb5-1.3.1-varargs.patch Patch21: krb5-selinux.patch Patch22: krb5-1.3.1-32.patch @@ -55,8 +54,8 @@ Patch24: krb5-1.3.1-server-sort.patch Patch25: krb5-1.3.1-null.patch Patch26: krb5-1.3.2-efence.patch Patch27: krb5-1.3.3-rcp-sendlarge.patch -Patch28: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt - +Patch28: http://web.mit.edu/kerberos/advisories/2004-002-dblfree_patch.txt +Patch29: http://web.mit.edu/kerberos/advisories/2004-003-patch_1.3.4.txt License: MIT, freely distributable. URL: http://web.mit.edu/kerberos/www/ Group: System Environment/Libraries @@ -119,6 +118,24 @@ network uses Kerberos, this package should be installed on every workstation. %changelog +* Tue Aug 31 2004 Nalin Dahyabhai 1.3.4-7 +- rebuild + +* Tue Aug 24 2004 Nalin Dahyabhai 1.3.4-6 +- rebuild + +* Tue Aug 24 2004 Nalin Dahyabhai 1.3.4-5 +- incorporate revised fixes from Tom Yu for CAN-2004-0642, CAN-2004-0644, + CAN-2004-0772 + +* Mon Aug 23 2004 Nalin Dahyabhai 1.3.4-4 +- rebuild + +* Mon Aug 23 2004 Nalin Dahyabhai 1.3.4-3 +- incorporate fixes from Tom Yu for CAN-2004-0642, CAN-2004-0772 + (MITKRB5-SA-2004-002, #130732) +- incorporate fixes from Tom Yu for CAN-2004-0644 (MITKRB5-SA-2004-003, #130732) + * Tue Jul 27 2004 Nalin Dahyabhai 1.3.4-2 - fix indexing error in server sorting patch (#127336) 
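Review bot: The third hunk reassigns the `Patch28` slot from the MITKRB5-SA-2004-001 an_to_ln patch to the 2004-002 double-free patch, and the old side of the %prep hunks further down shows no `%patch28` line, so the 2004-001 patch appears never to have been applied to this 1.3.4 build; a comment such as `# MITKRB5-SA-2004-001 (an_to_ln) is not listed here because the 1.3.4 tarball already carries that fix.` would stop the next packager reading the removal as a dropped security fix, assuming that is indeed why it was unapplied. Giving the two advisory patches fresh numbers rather than reusing 28 would also avoid confusing the new `.dblfree-2004-002` backup files with the old slot.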
@@ -705,7 +722,8 @@ workstation.
 # Hopefully no longer needed to work around compiler bug.
 # %patch17 -p1 -b .pass-by-address
 %patch18 -p1 -b .reject-bad-transited
-%patch19 -p1 -b .double-free
+# Obsoleted by 2004-002-dblfree_patch, below.
+# %patch19 -p1 -b .double-free
 %patch20 -p1 -b .varargs
 %if %{WITH_SELINUX}
 %patch21 -p1 -b .selinux
@@ -718,6 +736,8 @@ workstation.
 # Removes a malloc(0) case, nothing more.
 # %patch26 -p1 -b .efence
 %patch27 -p1 -b .rcp-sendlarge
+%patch28 -p0 -b .dblfree-2004-002
+%patch29 -p0 -b .asn1buf-2004-003
 cp src/krb524/README README.krb524
 find . -type f -name "*.info-dir" -exec rm -fv "{}" ";"
 gzip doc/*.ps
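Review bot: The new `%patch28` and `%patch29` lines in the second hunk are applied with `-p0` while every neighbouring patch uses `-p1`; that is correct because the MIT advisory patches carry `src/...` paths relative to the tarball root, but without a comment it reads like a typo that a later cleanup would "fix" and silently drop both security patches. Suggest `# MIT advisory patches use paths rooted at src/, hence -p0 rather than -p1.` above the two lines. Both advisory patches touch asn1buf.c at different line ranges, so it is also worth noting that they are meant to be applied in this order.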