Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2011-12-12 16:57:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/krb5 (Old) and /work/SRC/openSUSE:Factory/.krb5.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "krb5", Maintainer is "m...@suse.com" Changes: -------- --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2011-10-19 14:09:04.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2011-12-12 17:02:16.000000000 +0100 @@ -1,0 +2,19 @@ +Mon Nov 21 11:24:12 CET 2011 - m...@suse.de + +- fix KDC null pointer dereference in TGS handling + (MITKRB5-SA-2011-007, bnc#730393) + CVE-2011-1530 + +------------------------------------------------------------------- +Mon Nov 21 11:11:54 CET 2011 - m...@suse.de + +- fix KDC HA feature introduced with implementing KDC poll + (RT#6951) + +------------------------------------------------------------------- +Fri Nov 18 08:35:52 UTC 2011 - rha...@suse.de + +- fix minor error messages for the IAKERB GSSAPI mechanism + (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020) + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/krb5/krb5.changes 2011-10-19 14:09:04.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2011-12-12 17:02:16.000000000 +0100 
@@ -1,0 +2,19 @@ +Mon Nov 21 11:24:12 CET 2011 - m...@suse.de + +- fix KDC null pointer dereference in TGS handling + (MITKRB5-SA-2011-007, bnc#730393) + CVE-2011-1530 + +------------------------------------------------------------------- +Mon Nov 21 11:11:54 CET 2011 - m...@suse.de + +- fix KDC HA feature introduced with implementing KDC poll + (RT#6951, bnc#731648) + +------------------------------------------------------------------- +Fri Nov 18 08:35:52 UTC 2011 - rha...@suse.de + +- fix minor error messages for the IAKERB GSSAPI mechanism + (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020) + +------------------------------------------------------------------- New: ---- krb5-1.9-MITKRB5-SA-2011-007.dif krb5-1.9-gss_display_status-iakerb.patch krb5-1.9.1-sendto_poll2.patch krb5-1.9.1-sendto_poll3.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ krb5-mini.spec ++++++ --- /var/tmp/diff_new_pack.uCrGwX/_old 2011-12-12 17:02:21.000000000 +0100 +++ /var/tmp/diff_new_pack.uCrGwX/_new 2011-12-12 17:02:21.000000000 +0100 @@ -72,6 +72,10 @@ Patch25: krb5-trunk-gss_delete_sec.patch Patch26: krb5-trunk-kadmin-oldproto.patch Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif +Patch31: krb5-1.9-gss_display_status-iakerb.patch +Patch32: krb5-1.9.1-sendto_poll2.patch +Patch33: krb5-1.9.1-sendto_poll3.patch +Patch34: krb5-1.9-MITKRB5-SA-2011-007.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -234,6 +238,10 @@ %patch25 -p1 %patch26 %patch30 -p1 +%patch31 -p1 +%patch32 -p1 +%patch33 -p1 +%patch34 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do ++++++ krb5.spec ++++++ --- /var/tmp/diff_new_pack.uCrGwX/_old 2011-12-12 17:02:21.000000000 +0100 +++ /var/tmp/diff_new_pack.uCrGwX/_new 2011-12-12 17:02:21.000000000 +0100 
@@ -72,6 +72,10 @@ Patch25: krb5-trunk-gss_delete_sec.patch Patch26: krb5-trunk-kadmin-oldproto.patch Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif +Patch31: krb5-1.9-gss_display_status-iakerb.patch +Patch32: krb5-1.9.1-sendto_poll2.patch +Patch33: krb5-1.9.1-sendto_poll3.patch +Patch34: krb5-1.9-MITKRB5-SA-2011-007.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -234,6 +238,10 @@ %patch25 -p1 %patch26 %patch30 -p1 +%patch31 -p1 +%patch32 -p1 +%patch33 -p1 +%patch34 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do ++++++ krb5-1.9-MITKRB5-SA-2011-007.dif ++++++ diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in index f46cad3..102fbaa 100644 --- a/src/kdc/Makefile.in +++ b/src/kdc/Makefile.in @@ -67,6 +67,7 @@ check-unix:: rtest check-pytests:: $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS) install:: $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index c169c54..840a2ef 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -243,7 +243,8 @@ tgt_again: if (!tgs_1 || !data_eq(*server_1, *tgs_1)) { errcode = find_alternate_tgs(request, &server); firstpass = 0; - goto tgt_again; + if (errcode == 0) + goto tgt_again; } } status = "UNKNOWN_SERVER"; diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py new file mode 100644 index 0000000..1760bcd --- /dev/null +++ b/src/kdc/t_emptytgt.py 
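Review bot: The new guard `if (errcode == 0) goto tgt_again;` in src/kdc/do_tgs_req.c has no comment explaining why the retry must be skipped when find_alternate_tgs() fails, although per the changelog this is the line that closes MITKRB5-SA-2011-007 (CVE-2011-1530). I would add `/* Retry the lookup only if an alternate TGS was found; otherwise fall through and report UNKNOWN_SERVER. */` above the `if`. Presumably `server` is not usable after a failed call, which is what made the unconditional jump dangerous; that is inferred, because find_alternate_tgs() is not shown. `firstpass = 0;` is still set on the failure path, which looks harmless but should be checked against the rest of the function, which starts and ends outside this hunk.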
@@ -0,0 +1,8 @@ +#!/usr/bin/python +from k5test import * + +realm = K5Realm(start_kadmind=False, create_host=False) +output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1) +if 'not found in Kerberos database' not in output: + fail('TGT lookup for empty realm failed in unexpected way') +success('Empty tgt lookup.') ++++++ krb5-1.9-gss_display_status-iakerb.patch ++++++ Index: krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c =================================================================== --- krb5-1.9.1.orig/src/lib/gssapi/krb5/disp_status.c +++ krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c @@ -167,7 +167,8 @@ krb5_gss_display_status(minor_status, st if ((mech_type != GSS_C_NULL_OID) && !g_OID_equal(gss_mech_krb5, mech_type) && - !g_OID_equal(gss_mech_krb5_old, mech_type)) { + !g_OID_equal(gss_mech_krb5_old, mech_type) && + !g_OID_equal(gss_mech_iakerb, mech_type)) { *minor_status = 0; return(GSS_S_BAD_MECH); } ++++++ krb5-1.9.1-sendto_poll2.patch ++++++ RT#6951 Index: krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c =================================================================== --- krb5-1.9.1.orig/src/lib/krb5/os/sendto_kdc.c +++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 
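Review bot: t_emptytgt.py has no comment saying which defect it guards, so a later maintainer cannot tell that the `'not found in Kerberos database'` substring check is the regression assertion. Going by the changelog and the Makefile.in hunk that wires it into check-pytests, it accompanies the MITKRB5-SA-2011-007 fix. A header such as `# Regression test for MITKRB5-SA-2011-007 (CVE-2011-1530): a TGS request for 'krbtgt/' must get a clean error reply from the KDC.` would record that. A short comment above the `fail(...)` call should add that any other client error, for example one caused by the KDC no longer answering, is the condition being detected.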
@@ -895,12 +895,12 @@ maybe_send(krb5_context context, struct static void kill_conn(struct conn_state *conn, struct select_state *selstate, int err) { + dprint("abandoning connection %d: %m\n", conn->fd, err); + cm_remove_fd(selstate, conn->fd); + closesocket(conn->fd); + conn->fd = INVALID_SOCKET; conn->state = FAILED; conn->err = err; - shutdown(conn->fd, SHUTDOWN_BOTH); - cm_remove_fd(selstate, conn->fd); - dprint("abandoning connection %d: %m\n", conn->fd, err); - /* Fix up max fd for next select call. */ } /* Check socket for error. */ ++++++ krb5-1.9.1-sendto_poll3.patch ++++++ If we exit the transmit loop cleanly, don't overestimate the size of the connections array. This bug appears to have been removed upstream when this function was rewritten in trunk, and the select()-based implementation is still what's in 1.9, so this patch has nowhere to go. --- krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:20.560811664 -0400 +++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:11.396812292 -0400 @@ -1317,7 +1319,10 @@ krb5int_sendto (krb5_context context, co call with the last one from the above loop, if the loop actually calls select. */ sel_state->end_time.tv_sec += delay_this_pass; - e = service_fds(context, sel_state, conns, host+1, &winning_conn, + i = host+1; + if (i > n_conns) + i = n_conns; + e = service_fds(context, sel_state, conns, i, &winning_conn, sel_state+1, msg_handler, msg_handler_data); if (e) break; -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
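Review bot: kill_conn() now closes the socket and sets `conn->fd = INVALID_SOCKET`, so every later reader of `conn->fd` on a failed connection must check for INVALID_SOCKET before using or closing it. None of those readers are in this hunk, so this should be confirmed against the rest of sendto_kdc.c. A second kill_conn() on the same connection would hand INVALID_SOCKET to `cm_remove_fd()` and `closesocket()`; if that can happen, wrapping the descriptor calls in `if (conn->fd != INVALID_SOCKET) { ... }` keeps the function safe to repeat. The deleted trailing comment is not replaced, and a line such as `/* Close now so the descriptor cannot be polled or reused after failure. */` would state the intent, which I am inferring from the RT#6951 reference.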
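Review bot: The clamp `if (i > n_conns) i = n_conns;` in krb5int_sendto() is explained only in the patch description, so the reason `host+1` can exceed the array size is lost once the patch is applied. A comment such as `/* host == n_conns when the transmit loop ran to completion; do not let service_fds() look past the end of conns. */` would keep it; this reading comes from the description, since the loop itself is outside the hunk. The count is stored in `i`, which looks like a general-purpose index in this function, so a dedicated local (for example `n_active`) would avoid clobbering a value used elsewhere. The comparison should also be checked for mixed signedness, because the declarations of `host` and `n_conns` are not visible here.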