Date: Tuesday, July 31, 2012 @ 14:56:05 Author: stephane Revision: 164357
upgpkg: krb5 1.10.2-3 Security update : Fix KDC heap corruption and crash vulnerabilities http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt Added: krb5/trunk/MITKRB5-SA-2012-001.patch Modified: krb5/trunk/PKGBUILD ---------------------------+ MITKRB5-SA-2012-001.patch | 61 ++++++++++++++++++++++++++++++++++++++++++++ PKGBUILD | 11 +++++-- 2 files changed, 69 insertions(+), 3 deletions(-) Added: MITKRB5-SA-2012-001.patch =================================================================== --- MITKRB5-SA-2012-001.patch (rev 0) +++ MITKRB5-SA-2012-001.patch 2012-07-31 18:56:05 UTC (rev 164357) @@ -0,0 +1,61 @@ +diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c +index 23623fe..8ada9d0 100644 +--- a/src/kdc/do_as_req.c ++++ b/src/kdc/do_as_req.c +@@ -463,7 +463,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, + krb5_enctype useenctype; + struct as_req_state *state; + +- state = malloc(sizeof(*state)); ++ state = calloc(sizeof(*state), 1); + if (!state) { + (*respond)(arg, ENOMEM, NULL); + return; +@@ -486,6 +486,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, + state->authtime = 0; + state->c_flags = 0; + state->req_pkt = req_pkt; ++ state->inner_body = NULL; + state->rstate = NULL; + state->sname = 0; + state->cname = 0; +diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c +index 9d8cb34..d4ece3f 100644 +--- a/src/kdc/kdc_preauth.c ++++ b/src/kdc/kdc_preauth.c +@@ -1438,7 +1438,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request, + continue; + + } +- if (request_contains_enctype(context, request, db_etype)) { ++ if (krb5_is_permitted_enctype(context, db_etype) && ++ request_contains_enctype(context, request, db_etype)) { + retval = _make_etype_info_entry(context, client->princ, + client_key, db_etype, + &entry[i], etype_info2); +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index a43b291..94dad3a 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -2461,6 +2461,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request, + return 0; + pa.magic = KV5M_PA_DATA; + pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP; ++ memset(&checksum, 0, sizeof(checksum)); + retval = krb5_c_make_checksum(kdc_context,0, reply_key, + KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum); + if (retval != 0) +diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c +index c4bf92e..367c894 100644 +--- a/src/lib/kdb/kdb_default.c ++++ b/src/lib/kdb/kdb_default.c +@@ -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap) + krb5_boolean saw_non_permitted = FALSE; + + ret = 0; ++ if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype)) ++ return KRB5_KDB_NO_PERMITTED_KEY; ++ + if (kvno == -1 && stype == -1 && ktype == -1) + kvno = 0; + Modified: PKGBUILD =================================================================== --- PKGBUILD 2012-07-31 16:14:21 UTC (rev 164356) +++ PKGBUILD 2012-07-31 18:56:05 UTC (rev 164357) @@ -3,7 +3,7 @@ pkgname=krb5 pkgver=1.10.2 -pkgrel=2 +pkgrel=3 pkgdesc="The Kerberos network authentication system" arch=('i686' 'x86_64') url="http://web.mit.edu/kerberos/"; @@ -20,7 +20,8 @@ krb5-kpropd krb5-kpropd.service [email protected] - krb5-kpropd.socket) + krb5-kpropd.socket + MITKRB5-SA-2012-001.patch) sha1sums=('8b6e2c5bf0c65aacd368b3698add7888f2a7332d' '78b759d566b1fdefd9bbcd06df14f07f12effe96' '2aa229369079ed1bbb201a1ef72c47bf143f4dbe' @@ -30,7 +31,8 @@ '7f402078fa65bb9ff1beb6cbbbb017450df78560' '614401dd4ac18e310153240bb26eb32ff1e8cf5b' '023a8164f8ee7066ac814486a68bc605e79f6101' - 'f3677d30dbbd7106c581379c2c6ebb1bf7738912') + 'f3677d30dbbd7106c581379c2c6ebb1bf7738912' + '7b32dd24e68dc801efb8be280083e4d8067e392a') options=('!emptydirs') build() { @@ -46,6 +48,9 @@ # FS#25384 sed -i "/KRB5ROOT=/s/\/local//" util/ac_check_krb5.m4 + # Fix KDC heap corruption and crash vulnerabilities + patch -Np2 -i ../../MITKRB5-SA-2012-001.patch + export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all" export CPPFLAGS+=" -I/usr/include/et" ./configure --prefix=/usr \
