| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The list of input files for msgfmt was unsorted find output, resulting
in excessively large changes when running "make update-po".
(cherry picked from commit f131c5a4e266d07753a1f219d35c1bf82d98c0fb)
ticket: 7848 (new)
version_fixed: 1.10.8
status: resolved
|
|
Start the process of deprecating krb5-send-pr. In practice, it causes
frustration for some users, and free-form email is good enough for
most bug reports.
Continue to install krb5-send-pr for now, but plan to remove it from
the tree in the future, probably replaced by a script that instructs
the user to send email manually.
(cherry picked from commit e972ce069dd45aad74e4f4853570ab27cfea05c2)
ticket: 7847 (new)
version_fixed: 1.10.8
status: resolved
|
|
Send encodings that are invalid KDC-REQs, but pass krb5_is_as_req()
and krb5_is_tgs_req(), to make sure that the KDC recovers correctly
from failures in decode_krb5_as_req() and decode_krb5_tgs_req(). Also
send an encoding that isn't a valid KDC-REQ.
(back ported from commit dae7693f8bf970d89d4c697f3d66a7d458281b93)
ticket: 7846 (new)
version_fixed: 1.10.8
status: resolved
|
|
Missing $
(back ported from commit 28633f186a943721b6948875ca85a4a34bc87da4)
ticket: 7845
version_fixed: 1.10.8
status: resolved
|
|
This test program isn't completely proof against the kind of mistakes
we've made with krb5_copy_context in the past, but it at least
exercises krb5_copy_context and can detect some kinds of bugs.
(back ported from commit b78c3c8c5025aec870d20472f80d4a652062f921)
ticket: 7845
|
|
krb5_copy_context has been broken since 1.8 (it broke in r22456)
because k5_copy_etypes crashes on null enctype lists. Subsequent
additions to the context structure were not reflected in
krb5_copy_context, creating double-free bugs. Make k5_copy_etypes
handle null input and account for all new fields in krb5_copy_context.
Reported by Arran Cudbard-Bell.
(back ported from commit c452644d91d57d8b05ef396a029e34d0c7a48920)
ticket: 7845 (new)
|
|
When acquiring acceptor creds with a specified name, if we fail to
open a replay cache, we leak the keytab handle. If there is no
specified name and we discover that there is no content in the keytab,
we leak the keytab handle and return the wrong major code. Memory
leak reported by Andrea Campi.
(cherry picked from commit decccbcb5075f8fbc28a535a9b337afc84a15dee)
ticket: 7844 (new)
version_fixed: 1.10.8
status: resolved
|
|
If we eliminate a mechanism from the initiator list because
gss_init_sec_context fails, free the memory for that mech OID before
removing it from the list.
[ghudson@mit.edu: clarified commit message]
(cherry picked from commit 1cda48a7ed4069cfc052f974ec3d76a9137c8c5a)
ticket: 7843 (new)
version_fixed: 1.10.8
status: resolved
|
|
IIS 6.0 and similar return a zero length reponse buffer in the last
SPNEGO packet when context initiation is performed without mutual
authentication. In this case the underlying Kerberos mechanism has
already completed successfully on the first invocation, and SPNEGO
does not expect a mech response token in the answer. If we get an
empty mech response token when the mech is complete during
negotiation, ignore it.
[ghudson@mit.edu: small code style and commit message changes]
(cherry picked from commit 37af638b742dbd642eb70092e4f7781c3f69d86d)
ticket: 7842 (new)
version_fixed: 1.10.8
status: resolved
|
|
If we read a zero-length token in spnego_mech.c's get_input_token(),
set the value pointer to NULL instead of calling malloc(0).
(cherry picked from commit 13fd26e1863c79f616653f6a10a58c01f65fceff)
ticket: 7841 (new)
version_fixed: 1.10.8
status: resolved
|
|
This configure option hasn't done anything since 1.8, so don't mention
it in configure --help or the documentation. The disable_last_success
and disable_lockout DB options are now used to turn it off.
(back ported from commit 0b3225d63f50d4e6297be5d751cae1d3368fcdb1)
ticket: 7837 (new)
version_fixed: 1.10.8
status: resolved
|
|
|
|
|
|
|
|
If a KDC serves multiple realms, certain requests can cause
setup_server_realm() to dereference a null pointer, crashing the KDC.
CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
A related but more minor vulnerability requires authentication to
exploit, and is only present if a third-party KDC database module can
dereference a null pointer under certain conditions.
(back ported from commit 5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf)
ticket: 7757 (new)
version_fixed: 1.10.7
status: resolved
|
|
In krb5_ldap_initialize, don't just blat the LDAP error into the
extended message; give an indication of which LDAP operation we were
trying to do and show what parameters we gave to it.
(Also, krb5_set_error_message can handle a null context argument, so
don't bother to check before calling.)
(cherry picked from commit 5a77bb85294f37d1dfa4c7faedfdfb0d7faaf8dc)
ticket: 7750 (new)
version_fixed: 1.10.7
status: resolved
|
|
krb5_dbe_lookup_mkey_aux was decoding a 16-bit value directly into an
int, resulting in the wrong value on big-endian platforms. The
consequences are mostly invisible because we ignore this field and try
all mkey_aux nodes in krb5_def_fetch_mkey_list.
(cherry picked from commit 64ec2941af1561ef06e7e885b2ffb65a675516ce)
ticket: 7749 (new)
version_fixed: 1.10.7
status: resolved
|
|
Starting with 1.7, databases are created with actkvno tl-data in the
K/M entry which gives the initial master key version an activation
time of 0. A database created before 1.7 will not have this tl-data,
but we should behave in the same way as we do for a more recent
database.
Move the actkvno list synthesis code from krb5_dbe_fetch_act_key_list
to krb5_dbe_lookup_actkvno so it applies to kdb5_util commands as well
as libkadm5. Synthesize the same list as we would have initialized
the KDB with, with an activation time of 0 for the earliest master
key.
(cherry picked from commit ec560fac83912abaa15fb158101c8174497081c5)
ticket: 7745 (new)
version_fixed: 1.10.7
status: resolved
|
|
kdb5_util list_mkeys was beginning lines with "KNVO" instead of
"KVNO". kdb5_util purge_mkeys was displaying "follwing" instead of
"following" for both dry-run and normal cases.
(cherry picked from commit 7fee58ccadf1b61eec9a8c62f47dac43986e2ad1)
ticket: 7744 (new)
version_fixed: 1.10.7
status: resolved
|
|
draft-ietf-krb-wg-pkinit-alg-agility-07 specifies
KDC_ERR_NO_ACCEPTABLE_KDF as 82, but this value conflicts with
KRB_AP_ERR_PRINCIPAL_UNKNOWN from RFC 6111. The former value has been
reassigned to 100 to fix the conflict. Use the correct value.
We believe that this error won't crop up in practice for a long time
(when SHA-2 has been superceded by other hash algorithms and people
are desupporting it), by which time implementations will mostly have
been upgraded to use the new value.
(cherry picked from commit 2938851a5ec77ab68bcd1f5cfd07991c7ccabea6)
ticket: 7725 (new)
version_fixed: 1.10.7
status: resolved
|
|
The lock inconsistency fixed here is quite possibly the same as
described in https://bugzilla.redhat.com/show_bug.cgi?id=586032 .
The problem is that ctx_unlock() fails to unlock the principal DB if
it fails to unlock the policy DB, and this happens when ctx_lock()
fails to lock the policy DB (likely because the caller is racing
against a kdb5_util load, which will be using a "permanent" lock,
meaning that the lock file will be unlinked after acquiring the
lock). The fix is to perform both unlock operations *then* handle
any errors that either or both might have returned.
(cherry picked from commit 29ee39baa919361ae08e26caab896890d5cb3eb4)
ticket: 7675 (new)
version_fixed: 1.10.7
status: resolved
|
|
|
|
|
|
An RFC 6113 KrbFastReq contains a padata sequence and a KDC-REQ-BODY,
neither of which contain the msg-type field found in a KDC-REQ. So
when we decode the FAST request, the resulting krb5_kdc_req structure
has a msg_type of 0. Copy msg_type from the outer body, since we make
use of it in further KDC processing.
(cherry picked from commit 3a447c5a8c95758501cf5a20c161a2d735a02f6d)
ticket: 7660 (new)
version_fixed: 1.10.6
status: resolved
|
|
Allow configuration to override the default dh_min_bits of 2048 to
1024. Disallow configuration of dh_min_bits < 1024, but continue to
default to 2048.
(cherry picked from commit cae44d2d014985022a001924dce4a56d12c63818)
ticket: 7659 (new)
version_fixed: 1.10.6
status: resolved
|
|
Some implementations don't send the required Q value in dh_params, so
allow it to be absent.
(cherry picked from commit ed77a25c53ed6afd41372838f205a98a561a89fb)
ticket: 7658 (new)
version_fixed: 1.10.6
status: resolved
|
|
The Acceptor Names project (#6855) extended krb5_rd_req so that it can
accept a "matching principal" in the server parameter. If the
matching principal has an empty realm, rd_req_decoded_opt attempted to
do transited checking with an empty server realm.
To fix this, always reset server to req->ticket->server for future
processing steps if we decrypt the ticket using a keytab.
decrypt_ticket replaces req->ticket->server with the principal name
from the keytab entry, so we know this name is correct.
Based on a bug report and patch from nalin@redhat.com.
(cherry picked from commit 57acee11b5c6682a7f4f036e35d8b2fc9292875e)
[tlyu@mit.edu: removed test due to k5test.py incompatibility]
ticket: 7649 (new)
version_fixed: 1.10.6
status: resolved
|
|
The kpasswd service provided by kadmind was vulnerable to a UDP
"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
they pass some basic validation, and don't respond to our own error
packets.
Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
attack or UDP ping-pong attacks in general, but there is discussion
leading toward narrowing the definition of CVE-1999-0103 to the echo,
chargen, or other similar built-in inetd services.
Thanks to Vincent Danen for alerting us to this issue.
CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
(cherry picked from commit cf1a0c411b2668c57c41e9c4efd15ba17b6b322c)
ticket: 7638 (new)
target_version: 1.10.6
status: resolved
|
|
|
|
|
|
If an iprop slave tries to load a dump from the master and it fails,
reset the ulog header so we take another full dump, instead of
reporting that the slave is current when it isn't.
[ghudson@mit.edu: commit message]
[tlyu@mit.edu: remove ulog_sync_header call]
(cherry picked from commit 74b3f961e15d2eee5bad93d2a224c10834bbaab8)
ticket: 7607 (new)
version_fixed: 1.10.5
status: resolved
|
|
Found by clang's warnings.
(cherry picked from commit 18796a2eb6c05706c6635453b3e425955aab93f4)
ticket: 7606 (new)
version_fixed: 1.10.5
status: resolved
|
|
By sending an unusual but valid TGS-REQ, an authenticated remote
attacker can cause the KDC process to crash by dereferencing a null
pointer.
prep_reprocess_req() can cause a null pointer dereference when
processing a service principal name. Code in this function can
inappropriately pass a null pointer to strlcpy(). Unmodified client
software can trivially trigger this vulnerability, but the attacker
must have already authenticated and received a valid Kerberos ticket.
The vulnerable code was introduced by the implementation of new
service principal realm referral functionality in krb5-1.7, but was
corrected as a side effect of the KDC refactoring in krb5-1.11.
CVSSv2 vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:H/RL:O/RC:C
ticket: 7600 (new)
version_fixed: 1.10.5
status: resolved
|
|
|
|
|
|
Also update copyright years.
|
|
Correct three cases where the wrong expression was checked to see if
an allocation function returned null.
[ghudson@mit.edu: commit message, patch splitting]
[tlyu@mit.edu: omit inapplicable lib/kadm/srv/svr_principal.c change]
(back ported from commit a9ee4a040eeacab1d410ff9e4c862484b531c401)
ticket: 7582
version_fixed: 1.10.4
status: resolved
|
|
gssrpc raw services could not work because svcraw_create did not set
svcraw_private after allocating memory for it.
[ghudson@mit.edu: commit message, patch splitting]
(cherry picked from commit 5e3bf4ac6cb02601c5f10c5b2804fd5028c80119)
ticket: 7582 (new)
subject: Minor pointer management patches
|
|
Some versions of clang report an uninitialized variable warning (which
we treat as an error) in process_k5beta_record. Due to the if-ladder
style of the function, uninitialized tmpint values can be copied
around in certain error cases, although the garbage values would be
ultimately ignored. As a minimal fix, initialize the tmpint
variables.
(cherry picked from commit 1b7f7eef8a95bda0135159b2c06a168b56d9f42b)
ticket: 7581 (new)
version_fixed: 1.10.4
status: resolved
|
|
If no_host_referral is set in both [kdcdefaults] and the realm
subsection, we're supposed to concatenate their values. But the logic
in handle_referral_params would overwrite the value with the
non-concatenated realm value. Similar bugs of this nature were fixed
in 639c9d0f5a7c68dc98a2a452abc05ca32443cddf (r22037) but this one was
missed.
(cherry picked from commit 6338d039cbd0b138642e3b123ac58dc802d1d907)
ticket: 7580 (new)
version_fixed: 1.10.4
status: resolved
|
|
gss_str_to_oid wasn't outputting any bytes for a zero-valued arc. It
should output one byte with value 0.
[ghudson@mit.edu: commit message]
(cherry picked from commit 54fa4433df7412267375240aba40959e97ac4fe2)
ticket: 7579 (new)
version_fixed: 1.10.4
status: resolved
|
|
(cherry picked from commit 74bee54227deb64a41c2e79f57dd2a2c5ea010a3)
ticket: 7578 (new)
version_fixed: 1.10.4
status: resolved
|
|
Don't dereference a null pointer when cleaning up.
The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process. An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C
This is a minimal commit for pullup; style fixes in a followup.
[kaduk@mit.edu: reformat and edit commit message]
(cherry picked from commit c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed)
ticket: 7577 (new)
version_fixed: 1.10.4
status: resolved
|
|
Result code 0 used to be converted properly by krb5_set_password,
though not krb5_change_password; this changed in 1.10 when
krb5int_setpw_result_code_string was folded into
krb5_chpw_result_code_string. Restore the old behavior, and make it
apply to krb5_change_password as well, by making
krb5_chpw_result_code_string convert result code 0.
[ghudson@mit.edu: commit message]
(cherry picked from commit 316bf74b4696058e2b60c95c9d0fc90d6c2c2ffe)
ticket: 7576 (new)
version_fixed: 1.10.4
status: resolved
|
|
In krb5_auth_con_initivector and mk_priv/rd_priv, stop assuming that
the enctype's block size is the size of the cipher state. Instead,
make and discard a cipher state to get the size.
(cherry picked from commit 8d01455ec9ed88bd3ccae939961a6e123bb3d45f)
ticket: 7575 (new)
version_fixed: 1.10.4
status: resolved
|
|
In kdc_util.c and spnego_mech.c, error returns from ASN.1 length
functions could be ignored because they were assigned to unsigned
values. In spnego_mech.c, two buffer size checks could be rewritten
to reduce the likelihood of pointer overflow. In dump.c and
kdc_preauth.c, calloc() could be used to simplify the code and avoid
multiplication overflow. In pkinit_clnt.c, the wrong value was
checked for a null result from malloc(), and the code could be
simplified.
Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>.
(cherry picked from commit d3c5450ddf0b20855e86dab41735d56c6860156b)
[tlyu@mit.edu: omitted pkinit and kdb5_util fixes because they're not
conservative]
ticket: 7545 (new)
version_fixed: 1.10.4
status: resolved
|
|
If a PKINIT Diffie-Hellman reply contains no certificates in the
SignedData object, that may be because the signer certificate was a
trust anchor as transmitted to the KDC. Heimdal's KDC, for instance,
filters client trust anchors out of the returned set of certificates.
Match against idctx->trustedCAs and idctx->intermediateCAs to handle
this case. This fix only works with OpenSSL 1.0 or later; when built
against OpenSSL 0.9.x, the client will still require a cert in the
reply.
Code changes suggested by nalin@redhat.com.
(cherry picked from commit db83abc7dcfe369bd4467c78eebb7028ba0c0e0d)
ticket: 7544 (new)
version_fixed: 1.10.4
status: resolved
|
|
gcc 4.6.2 reportedly finds some spurious maybe-uninitialized warnings.
Suppress them. Patch from Eray Aslan with some adjustment.
(cherry picked from commit cc2f16af06800bf9882c1589d3d6e9b8f19b6d6f)
ticket: 7543 (new)
version_fixed: 1.10.4
status: resolved
|
|
asserts may be compiled out with -DNDEBUG, so it's wrong to use an
assert expression with an important side effect.
(We also have scores of side-effecting asserts in test programs, but
those are less important and can be dealt with separately.)
(cherry picked from commit 221cd4a23691601a14500bc00146c265b50bdc94)
ticket: 7542 (new)
version_fixed: 1.10.4
status: resolved
|
|
Recent versions of gcc can generate a maybe-uninitialized warning from
bison output instead of a regular uninitialized warning. Suppress
both. Fix from nalin@redhat.com.
(cherry picked from commit d4f98cdd40559620531622c9c6d988f6aa850bd0)
ticket: 7541 (new)
version_fixed: 1.10.4
status: resolved
|
