Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
|
|
Add sanity checks for the output parameters of
generic_gss_create_empty_oid_set() and
generic_gss_add_oid_set_member(), which are used directly by the API
functions gss_create_empty_oid_set() and gss_add_oid_set_member().
[ghudson@mit.edu: edit commit message]
(cherry picked from commit c9e035794caa784b6cdf416e2b3f1d641d011390)
ticket: 8294 (new)
version_fixed: 1.13
status: resolved
|
|
Allow the krb5 mech to query names for the gss_mech_krb5_wrong OID
(the erroneous OID used in old Microsoft SPNEGO implementations).
[ghudson@mit.edu: edit commit message]
(cherry picked from commit 95736f7d51cce7551c3c20450ff56831a71043df)
ticket: 8293 (new)
version_fixed: 1.13.3
status: resolved
|
|
Remove an erroneous double space in the gss_display_status() result
for GSS_S_UNAUTHORIZED.
[ghudson@mit.edu: edit commit message]
(cherry picked from commit 36732bf2084803eef52ad56576e5a50f37ccd115)
ticket: 8292 (new)
version_fixed: 1.13.3
status: resolved
|
|
RFC 2743 adds GSS_S_BAD_MIC as an alias for GSS_S_BAD_SIG.
[ghudson@mit.edu: edit commit messsage]
(cherry picked from commit be87852a12737eed448032875fb74f23e9cbf26b)
ticket: 8291 (new)
version_fixed: 1.13.3
status: resolved
|
|
k5_utf8s_to_ucs2s() reads and ignores one extra byte from the input
string before terminating its loop, possibly overrunning the input
buffer of its caller. This overrun is typically without consequence,
but can show up in tools like asan or valgrind during RC4
string-to-key operations. Fix the bug by swapping the order of the
loop conditions.
(cherry picked from commit eb52da21d72faa3d00b1205a5a0fdbabc45c9e6d)
ticket: 8290 (new)
version_fixed: 1.13.3
status: resolved
|
|
The mechglue functions gss_get_mic_iov(), gss_get_mic_iov_length(),
and gss_verify_mic_iov() don't call map_error() to map
mechanism-specific error codes. As a result, a subsequent call to
gss_display_status() fails with GSS_S_BAD_MECH, because no translation
for the error code is found in the error table.
This patch adds the missing map_error call.
[ghudson@mit.edu: correct a whitespace issue, edit commit message]
(cherry picked from commit 969c976ff021db7e409ce9a38d28316d9acfa2cc)
ticket: 8289 (new)
version_fixed: 1.13.3
status: resolved
|
|
Tabs are not equivalent to spaces in LDIF.
(cherry picked from commit dd2baa849b00fa1f26d722450f22f13e34e71af4)
ticket: 8288 (new)
version_fixed: 1.13.3
status: resolved
|
|
Ticket #7223 added new policy fields and a new dump format version to
marshal them, but did not add a new iprop dump format version. As a
result, slave KDCs running 1.11 or later cannot receive full resyncs
from master KDCs running 1.10 or earlier. (Reported by John
Devitofranceschi.)
Retroactively add support for pre-1.11 policy entries by making
process_r1_11_policy() read the first ten fields, check whether the
next whitespace character is a newline, and then read the rest if it
is not.
(back ported from commit 3c9ab5220bcc3f57641f6f4b6942b17aadb6613d)
ticket: 8286 (new)
version_fixed: 1.13.3
status: resolved
|
|
ksu -D does not work in the default build, so we should not document
it. Remove any mention of it from the usage message and from ksu.rst.
[ghudson@mit.edu: edited commit message; omit change to generated man
page]
(cherry picked from commit f4e3e096af73254f208d0fc0632db12fc559e1ad)
ticket: 8287 (new)
version_fixed: 1.13.3
status: resolved
|
|
The patches for CVE-2015-2695 did not implement a SPNEGO
gss_import_sec_context() function, under the erroneous belief that an
exported SPNEGO context would be tagged with the underlying context
mechanism. Implement it now to allow SPNEGO contexts to be
successfully exported and imported after establishment.
(cherry picked from commit 222b09f6e2f536354555f2a0dedfe29fc10c01d6)
(cherry picked from commit 8e10a780fd3bfefd1ba08ca1552e8d0677917454)
ticket: 8284
version_fixed: 1.13.3
status: resolved
|
|
The patches for CVE-2015-2696 contained a regression in the newly
added IAKERB iakerb_gss_export_sec_context() function, which could
cause it to corrupt memory. Fix the regression by properly
dereferencing the context_handle pointer before casting it.
Also, the patches did not implement an IAKERB gss_import_sec_context()
function, under the erroneous belief that an exported IAKERB context
would be tagged as a krb5 context. Implement it now to allow IAKERB
contexts to be successfully exported and imported after establishment.
CVE-2015-2698:
In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
application which calls gss_export_sec_context() may experience memory
corruption if the context was established using the IAKERB mechanism.
Historically, some vulnerabilities of this nature can be translated
into remote code execution, though the necessary exploits must be
tailored to the individual application and are usually quite
complicated.
CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
(cherry picked from commit 3db8dfec1ef50ddd78d6ba9503185995876a39fd)
(cherry picked from commit 54222de30a89bfac0247dfbc1759556dc9fd2983)
ticket: 8284 (new)
version_fixed: 1.13.3
|
|
The comment explaining why there is no iakerb_gss_import_sec_context()
erroneously referenced SPNEGO instead of IAKERB (noticed by Ben
Kaduk). The comment above iakerb_gss_delete_sec_context() is out of
date after the last commit.
(cherry picked from commit 92d6dd045dfc06cc03d20b327a6ee7a71e6bc24d)
(cherry picked from commit 1be18763f94dc519da9b9928e82566558c8748c2)
|
|
In build_principal_va(), use k5memdup0() instead of strdup() to make a
copy of the realm, to ensure that we allocate the correct number of
bytes and do not read past the end of the input string. This bug
affects krb5_build_principal(), krb5_build_principal_va(), and
krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
affected.
CVE-2015-2697:
In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte. If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm. Due to a bug in this
function, the null byte causes only one byte be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash.
CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
(cherry picked from commit f0c094a1b745d91ef2f9a4eae2149aac026a5789)
(cherry picked from commit 67bdf8189b24efca8a244316e7d51bd52d0dbda9)
ticket: 8283 (new)
version_fixed: 1.13.3
status: resolved
|
|
The IAKERB mechanism currently replaces its context handle with the
krb5 mechanism handle upon establishment, under the assumption that
most GSS functions are only called after context establishment. This
assumption is incorrect, and can lead to aliasing violations for some
programs. Maintain the IAKERB context structure after context
establishment and add new IAKERB entry points to refer to it with that
type. Add initiate and established flags to the IAKERB context
structure for use in gss_inquire_context() prior to context
establishment.
CVE-2015-2696:
In MIT krb5 1.9 and later, applications which call
gss_inquire_context() on a partially-established IAKERB context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash. Java server applications using the
native JGSS provider are vulnerable to this bug. A carefully crafted
IAKERB packet might allow the gss_inquire_context() call to succeed
with attacker-determined results, but applications should not make
access control decisions based on gss_inquire_context() results prior
to context establishment.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
[ghudson@mit.edu: several bugfixes, style changes, and edge-case
behavior changes; commit message and CVE description]
(cherry picked from commit e04f0283516e80d2f93366e0d479d13c9b5c8c2a)
(cherry picked from commit 096cfaa18504d20889a3d8829decb1bf72dd0ac5)
ticket: 8282
version_fixed: 1.13.3
|
|
Checking for the generic gss_acquire_cred() function is no guarantee
that gss_acquire_cred_impersonate_name() is also implemented.
[ghudson@mit.edu: edit commit message]
(cherry picked from commit 46a4e225d2ecaa4077aa65f12f64273bf4911d3a)
ticket: 8285 (new)
version_fixed: 1.13.3
status: resolved
|
|
The SPNEGO mechanism currently replaces its context handle with the
mechanism context handle upon establishment, under the assumption that
most GSS functions are only called after context establishment. This
assumption is incorrect, and can lead to aliasing violations for some
programs. Maintain the SPNEGO context structure after context
establishment and refer to it in all GSS methods. Add initiate and
opened flags to the SPNEGO context structure for use in
gss_inquire_context() prior to context establishment.
CVE-2015-2695:
In MIT krb5 1.5 and later, applications which call
gss_inquire_context() on a partially-established SPNEGO context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash. This bug may go unnoticed, because
the most common SPNEGO authentication scenario establishes the context
after just one call to gss_accept_sec_context(). Java server
applications using the native JGSS provider are vulnerable to this
bug. A carefully crafted SPNEGO packet might allow the
gss_inquire_context() call to succeed with attacker-determined
results, but applications should not make access control decisions
based on gss_inquire_context() results prior to context establishment.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
[ghudson@mit.edu: several bugfixes, style changes, and edge-case
behavior changes; commit message and CVE description]
(cherry picked from commit b51b33f2bc5d1497ddf5bd107f791c101695000d)
(cherry picked from commit 31fb730f1ad708f230e4387e02ed2f89b93c3607)
ticket: 8282 (new)
subject: SPNEGO and IAKERB context aliasing bugs [CVE-2015-2695][CVE-2015-2696]
version_fixed: 1.13.3
|
|
In release 1.13, commit eba8c4909ec7ba0d7054d5d1b1061319e9970cc7
(ticket #7232) introduced a memory leak when skipping keytab entries
which do not match the application-provided server specification. Fix
it by freeing the keytab entry before continuing the loop on a failure
to match.
[ghudson@mit.edu: commit message]
(cherry picked from commit 3aa8506ee9e1f564e3f396eed5ac5616d7c54b34)
ticket: 8239
version_fixed: 1.13.3
status: resolved
|
|
In the mechglue gss_export_sec_context(), make sure to delete the
union context if the underlying mech context has been deleted. This
can happen if the mech's gss_export_sec_context() returns a failure
and deletes the context (not a behavior exhibited by any of our
in-tree mechanisms, but an allowed behavior for other mechs), or if we
fail to allocate space for the wrapped token.
[ghudson@mit.edu: commit message; rename exit label to "cleanup" and
make it valid for all exit cases]
(cherry picked from commit 4f35b27a9ee38ca0b557ce8e6d059924a63d4eff)
ticket: 8240
version_fixed: 1.13.3
status: resolved
|
|
Although our built-in KDB modules do not support client referrals for
AS requests, the KDC is supposed to return one if a third-party module
returns a DB entry containing a principal in a foreign realm.
Unfortunately, this code has never worked; in prepare_error_as(), we
erroneously compare the protocol code errcode against the com_err code
KRB5KDC_ERR_WRONG_REALM; as a result, we never supply the canonical
client principal. Fix this by comparing errcode against the protocol
code KDC_ERR_WRONG_REALM instead.
Discovered by Alexander Bokovoy and Simo Sorce.
(cherry picked from commit 4e036ef4127a9b09d1a567472da1df24c55cdb89)
ticket: 8241
version_fixed: 1.13.3
status: resolved
|
|
It is possible for the input name's name_type to be GSS_C_NO_OID.
g_OID_equal() does not account for GSS_C_NO_OID, so we have to
manually check before use to prevent null pointer dereferences.
(cherry picked from commit 3fdf09ac9a36581b47f40c9d177e463cc12687ff)
ticket: 8238
version_fixed: 1.13.3
status: resolved
|
|
Currently name_is_MN is left uninitialized for non-mechanism names due
to a typo.
[ghudson@mit.edu: edited commit message]
(cherry picked from commit a3f3f4069858ea795b732ec1d96fae20d5fafe24)
ticket: 8232
version_fixed: 1.13.3
status: resolved
|
|
Before this patch, libkrad would follow the same exact logic for all
socket types when the retries parameter was non-zero. This meant that
when connecting with SOCK_STREAM, multiple requests were sent in case
of packet drops, which, of course, cannot happen for SOCK_STREAM.
Instead, just disable retries for SOCK_STREAM sockets.
[ghudson@mit.edu: minor wording edits]
(cherry picked from commit 25e0656fdf9862faf9aa91288023776e9a47caad)
ticket: 8229
version_fixed: 1.13.3
status: resolved
|
|
Release any previous value of ctx->err_padata before setting it in
init_creds_step_reply(). It could have a prior value after a realm
referral or retriable error.
(cherry picked from commit 997eb174f5fd81747ad0ecb671f00c25951931b1)
ticket: 8223
version_fixed: 1.13.3
status: resolved
|
|
In env_variables.rst and krb5_conf.rst, document that KRB5_CONFIG can
contain multiple colon-separated pathnames.
(cherry picked from commit 28dc817d2a065f5e0ab73377350a0529b2f4aa48)
ticket: 8031
version_fixed: 1.13.3
status: resolved
|
|
crypto_retrieve_cert_sans() is allowed to set its princs output to
NULL, although the OpenSSL implementation rarely does. Fix the
TRACE_PKINIT_CLIENT_SAN_KDCCERT_PRINC for loop to allow this like other
parts of the function do, and also get rid of the unnecessary princptr
variable by using an integer index like other parts of the function.
Based on a patch from Daniel Deptula.
(cherry picked from commit 47b37b9e13ca1456ba6710f31bc41012d050dd07)
ticket: 8214
version_fixed: 1.13.3
status: resolved
|
|
The target_mechs array needs to be freed on successful return.
(cherry picked from commit 02a85d73c4548d27dcbc1c1681b4bf1370b03632)
ticket: 8204
version_fixed: 1.13.3
status: resolved
|
|
This probably should not be a hardcoded string, but we can at
least make it correct for now.
(cherry picked from commit 27e6ab7e5b6a0538f529f440aeb967822eff8f57)
ticket: 8212
version_fixed: 1.13.3
status: resolved
|
|
|
|
|
|
Bump versions as needed.
|
|
Under some circumstances, gss_inquire_name() can call
gss_release_oid() with a null oid pointer, which currently causes a
null dereference. The least invasive fix is for gss_release_oid() to
check for the invalid null pointer and return an error, like other
GSS-API functions do.
(cherry picked from commit 4676e823e6ee9a5731872b31c5588c1b5932e0a3)
ticket: 8201
version_fixed: 1.13.3
status: resolved
|
|
The sa_setport() helper handles conversion to network byte order, so
bindresvport_sa() should not itself call htons() on the port argument.
(This bug was introduced in commit
0d04b60d159ab83b943e43802b1449a3b074bc83 when adding
bindresvport_sa(). It was my fault, not Andreas Schneider's.)
(cherry picked from commit 5c6d218e385755766ff427b3e707510f0ce175c5)
ticket: 8197
version_fixed: 1.13.3
status: resolved
|
|
The current 100-pixel default is too small to fit most principal
names (particularly the realm). There is no reason why all the
columns must be the same width, so promote this one as needing
more space.
(cherry picked from commit d376d5948d2af7dcf60368bc3b6fe6c23172a831)
ticket: 8211
version_fixed: 1.13.3
status: resolved
|
|
Testing reveals that there are a number of machines in the wild
which retain old krb5.ini files across domain configuration changes,
and it is difficult to determine which machines are potentially
affected by incorrect stale configuration data.
To enable domain administrators to easily ensure that the correct
default realm is set, allow the registry hostrealm module to take
precedence over the profile.
Note that the registry hostrealm module can still be disabled
in the hostrealm interface configuration statment in the
[plugins] section of the profile.
(cherry picked from commit 287b8eae295a3ab496b04b327840e92c235efd1a)
ticket: 8209
version_fixed: 1.13.3
status: resolved
|
|
The src attribute has been deprecated for a while in favor of
different (more descriptive) attributes for the different XML
elements involved.
For the File element, use the Source attribute.
For the Directory element, use the FileSource attribute.
For the Merge, Binary, and Text elements, use the SourceFile attribute.
This makes the installer build much quieter, with the warnings from
the light.exe invocation all fitting into the default history buffer.
(cherry picked from commit 0e025dd9bd64169a2acf5c9bea7a17eec7b37a13)
ticket: 8208
version_fixed: 1.13.3
status: resolved
|
|
It is deprecated in favor of more specific XML elements such
as RegistryKey, RegistryValue, and RemoveRegistryKey, so as to
stop overloading a single element for what are fundamentally
different types and operations.
RegistryValue elements can be children of RegistryKey elements,
allowing the Key attribute to be inherited, or bare within the
containing Component. We do not take advantage of the inheritance
at this time, since that would be a more disruptive change.
WiX would prefer for us to not use the createAndRemoveOnUninstall
attribute of <RegistryKey>, in favor of ForceCreateOnInstall
and/or ForceRemoveOnUninstall, but that can wait for a follow-up
commit.
Some instances of <Registry> were commented-out and can simply be
removed.
Some of the <Registry> elements used to create keys were also
setting the KeyPath attribute, which is not permitted in the
<RegistryKey> element. According to
http://sourceforge.net/p/wix/bugs/3197/ , this should never have
been allowed, and non-value registry keys should not be used as
MSI KeyPaths. In all affected cases, there are child
RegistryValue elements that are suitable for use as KeyPath
elements instead.
Some of the <Registry> elements were present with a duplicate
element with different Id that added no new attributes; those
duplicate elements can safely be removed.
<RemoveRegistryKey> is used to replace <Registry> elements
with Action=removeKeyOnInstall.
(cherry picked from commit 280a4b1125743bae3bf05af266131e2a524c8adf)
ticket: 7392
version_fixed: 1.13.3
status: resolved
|
|
In the Leash "Get Ticket" window, under some user-customized
configurations, the principal field can be pre-populated. In this case,
it makes sense for the default focus to be on the password field,
since most users will only be using a single principal and should
go directly to typing their password.
The focus was already set to the password field in the case when
the principal was not modifiable (such as when the "Get Ticket" dialog
was opened by an application requesting a specific ticket).
(cherry picked from commit 50b3bba748084c99a339bd526ad47ecfccc09472)
ticket: 8032
version_fixed: 1.13.3
status: resolved
|
|
Previously, it was fairly easy to set the default cache to MSLSA:,
which is not collection-enabled (as opposed to the normal default
of API:, which is), and the non-collection behavior proved confusing
to many users.
Ideally there would be an option to choose the output ccache in
the "Get Ticket" window, but that is more complicated to implement
than just a display of what cache a given ticket is in. This
extra display column should still help to alleviate user confusion.
(cherry picked from commit b26d25e97cf3c53ef896092c71948011ceac645d)
ticket: 8207
version_fixed: 1.13.3
status: resolved
|
|
In the absence of a label title for a given command group, the
text "MS Shell Dlg" was inserted, which is somewhat confusing to
the user. Give the ticket-maniuplation group a title consisting
of a space, which removes the confusing text from the display.
(cherry picked from commit bfba2d235370a3902faeeaad8a54d8a2dcc3427b)
ticket: 8206
version_fixed: 1.13.3
status: resolved
|
|
CSAIL and ATHENA are served from different KDCs.
(cherry picked from commit 1b07396924dc4c222ddb6adec415cb53827dbe25)
ticket: 8196
version_fixed: 1.13.3
status: resolved
|
|
|
|
|
|
Bump versions as needed.
|
|
It seems that we need to restart in order to be able to query the
contents of the the LSA cache, even if the only contents of the LSA
cache are what we put there, and even if the Microsoft klist.exe
correctly reports the presence of tickets in the LSA cache.
(cherry picked from commit 50a3c3cbeab32577fba2b21deb72a64015c48ec7)
ticket: 8176
version_fixed: 1.13.3
status: resolved
|
|
Future releases will come from the KfW 4.1.x. series.
(cherry picked from commit 770196087b12affc08591aa0ff7fa78658f467ab)
ticket: 8174
version_fixed: 1.13.3
status: resolved
|
|
Implement a default_realm function that checks the
{HKLM,HKCU}\Software\MIT\Kerberos5\default_realm registry values
on Windows, and just returns KRB5_PLUGIN_NO_HANDLE on Unix.
(cherry picked from commit 90ca670ac42a9aada3c310af491bbf8b924e6a00)
ticket: 8173
version_fixed: 1.13.3
status: resolved
|