Age | Commit message | Author | Files | Lines |
(cherry picked from commit 7e127ebdbf88dccae9f9e5427e90319981a69266)
If list_union() fails due to an allocation failure, then close_time()
will attempt to fclose users_fp and login_fp a second time.
This bug was originally introduced in commit
be95b52c2d0c21b1fe92f9f90166fc2fa8eecc95, and has been present in
every krb5 release since 1.1.
(cherry picked from commit 0b8c6f3e1e8e561aa56a7d4e2171320119991dae)
ticket: 8768
version_fixed: 1.15.5
The assertion in return_enc_padata() is reachable because
kdc_make_s4u2self_rep() may have previously added encrypted padata.
It is no longer necessary because the code uses add_pa_data_element()
instead of allocating a new list.
CVE-2018-20217:
In MIT krb5 1.8 or later, an authenticated user who can obtain a TGT
using an older encryption type (DES, DES3, or RC4) can cause an
assertion failure in the KDC by sending an S4U2Self request.
[ghudson@mit.edu: rewrote commit message with CVE description]
(cherry picked from commit 94e5eda5bb94d1d44733a49c3d9b6d1e42c74def)
ticket: 8767
version_fixed: 1.15.5
In the MEMORY ccache implementation, only yield a cache in the
per-type cursor if it is the context default cache, matching the
behavior of FILE after commit 45360c9688ca963f75a2480f2cf818424fc3dc7b
(ticket 6955).
(cherry picked from commit 49bb627fed70c5258c151c5135ac3d95ed1ee55d)
ticket: 8720
version_fixed: 1.15.5
An attempt to change the kadmin/history key with the -keepold flag
would leak the KDB entry and keysalt tuple as it returned an error.
Use the cleanup handler instead of returning directly. Reported by
Bean Zhang.
(cherry picked from commit c4bdb3a1c890149a472ed98a94cf85316b143265)
ticket: 8759
version_fixed: 1.15.4
(cherry picked from commit 3023a7d253c3052897b3d77d2f7ce992ff93e913)
ticket: 8743
version_fixed: 1.15.4
When converting a server principal to an enterprise name (to be possibly
used for cross-realm), ignore the realm when reparsing, to avoid a
spurious error if a default realm isn't configured.
[ghudson@mit.edu: added rewritten test case; edited commit message]
(cherry picked from commit 13967567ca65a306c2d5fcb4a4aff71fb422cd80)
ticket: 8741
version_fixed: 1.15.4
If gss_add_cred() is called with both an input_cred_handle and an
output_cred_handle, it creates a new credential with the elements of
the input credential plus the requested element. Making a shallow
copy of mechs_array and cred_array from the old credential creates
aliased pointers which become invalid when one of the two credentials
is released, leading to use-after-free and double-free errors.
Instead, make a full copy of the input cred for this case. Make this
copy at the beginning so that union_cred can always be modified in
place (and freed on error using gss_release_cred() if we created it),
removing the need for new_union_cred, new_mechs_array, and
new_cred_array. Use a stack object for target_mechs to simplify
cleanup and reduce the number of failure cases.
GSSAPI provides no facility for copying a credential; since we mostly
use the GSSAPI as our SPI for mechanisms, we have no simple way to
copy mechanism creds when copying the union cred. Use
gss_export_cred() and gss_import_cred() if the mechanism provides
them; otherwise fall back to gss_inquire_cred() and
gss_acquire_cred().
(cherry picked from commit 288cbada833dc6af7d43dd308563b48b73347dfb)
ticket: 8734
version_fixed: 1.15.4
Remove the conditionalization around the desired_name processing in
gss_add_cred_from(), so that we always honor the requested name.
(cherry picked from commit 6d4eb6eb473c93f0db05409195448364382760a9)
ticket: 8737
version_fixed: 1.15.4
If gss_add_cred() is called with no input_cred_handle, it creates a
new credential with one element. At the end of the function, use the
created credential as the output container, rather than creating a
second one and leaking the first.
Add a test program for gss_add_cred() and run it.
(cherry picked from commit 9e32161dc307a323fd36fd59e252583fe7b90526)
ticket: 8729
version_fixed: 1.15.4
If gss_inquire_cred_by_mech() is called with a mechanism and there is
no corresponding mechanism credential in the union cred, return
GSS_S_NO_CRED (as Heimdal does) instead of interrogating the mechanism
about the default credential.
(cherry picked from commit 8ea7e36661cfa6d8acb2b1af615870092a408cce)
ticket: 8736
version_fixed: 1.15.4
When copying the realm string, if strdup() returns NULL, fail out with
ENOMEM instead of pretending the realm wasn't specified. When copying
KRB5_DEFAULT_SUPPORTED_ENCTYPES, if strdup() returns NULL, fail out
with ENOMEM instead of crashing. Reported by Bean Zhang.
(cherry picked from commit c0af219be218c02e72160ecd0521bc5b9bad546f)
ticket: 8727
version_fixed: 1.15.4
In otp_state.c:callback(), avoid invoking the failure callback when we
fall back to the next token. Since request_send() consumes the
request, don't try to free it.
[ghudson@mit.edu: added test case; edited commit message]
(cherry picked from commit 09c9b7d6f64767429e90ad11a529e6ffa9538043)
ticket: 8708
version_fixed: 1.15.4
In read_secret_file() in the OTP kdcpreauth module, add a cleanup
label and free filename on exit. Also fix the whitespace stripping
code to correctly find the end offset, and use size_t rather than int
offsets. The leak was reported by Bean Zhang.
(cherry picked from commit 396c736c0add2e13f4a9aaaefc9c86445b701953)
ticket: 8704
version_fixed: 1.15.4
Commit 8f9ade8ec50cde1176411085294f85ecfb2820a4 (ticket 8391) moved
the built-in getopt() and getopt_long() implementations from a static
library in util/windows to util/support, where (on Windows) they are
built into k5sprt32.dll or k5sprt64.dll. The getopt() interface uses
global variables opterr, optind, optopt, and optarg, each renamed via
macro to have a k5_ prefix when we use the built-in implementation.
Data objects exported from DLLs need special handling in Windows; they
must be marked as DATA in the DLL .def file, and they must be declared
with "__declspec(dllimport)" in calling code. Without this handling,
optind begins with a garbage value and getopt_long() returns -1
immediately, so client programs always behave as if they have no
arguments.
Stop unnecessarily declaring optind and optarg in client programs.
Declare the getopt() global variables with __declspec(dllimport) on
Windows, except when compiling getopt.c itself. When creating
libkrb5support.exports on Windows (this file is later used by
lib/Makefile.in to create k5sprt32.def), add a DATA tag to the data
objects.
(cherry picked from commit 63246cf3513a0e8bdfc734db985af14c8c5170c5)
ticket: 8684
version_fixed: 1.15.4
DNS canonicalization can interfere with the fallback tests by changing
"localhost" to have multiple components, or (less likely) changing the
parent domain of foo.krbtest.com or foo.krbtest2.com.
(cherry picked from commit b5457d8fb719a583b89e1ace186301a144e2c4c9)
Recent versions of Perl issue a warning or error when an unescaped
open curly brace is used in a position where it might introduce a
quantifier in a regular expression. Escape all regexp literal curly
braces in def-check.pl.
(cherry picked from commit 523e4ab050b13404a6929cc56ef873de8023e25c)
ticket: 8677
version_fixed: 1.15.4
A memory ccache iterator stores an alias into the cache object's
linked list of credentials. If the cache is reinitialized while the
iterator is active, the alias becomes invalid. Also, multiple handles
referencing the same memory ccache all use aliases to the same data
object; if one of the handles is destroyed, the other contains a
dangling pointer.
Fix the first issue by adding a generation counter to the cache and to
cursors, incremented each time the cache is initialized or destroyed.
Check the generation on each cursor step and end the iteration if the
list was invalidated. Fix the second issue by adding a reference
count to the cache object, counting one reference for the table slot
and one for each open handle. Empty the cache object on each destroy
operation, but only release the object when the last handle to it is
destroyed or closed.
Add regression tests for the two issues to t_cc.c.
The first issue was reported by Sorin Manolache.
(cherry picked from commit 146dadec8fe7ccc4149eb2e3f577cc320aee6efb)
ticket: 8202
version_fixed: 1.15.4
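A minimal C model of the two mechanisms this commit describes, added here as an illustration and not krb5's own code: a generation counter that ends a live cursor after the cache is reinitialized or destroyed, and a reference count (one for the table slot, one per open handle) so that destroying through one handle leaves the other handles with a valid, empty object. All names (cache_new, cursor_next, in_table, and so on) are assumptions.

```c
#include <stdlib.h>
/* Hypothetical model (names are assumptions, not krb5's own): the
 * generation counter invalidates cursors on init/destroy, and the
 * reference count keeps the object alive while any handle points at it. */
struct cred { struct cred *next; int id; };
struct cache {
    struct cred *list;
    unsigned long generation;   /* bumped on every init and destroy */
    int refcount;               /* one for the table slot, one per open handle */
    int in_table;               /* whether the table slot reference is held */
};
struct cursor { struct cache *c; struct cred *pos; unsigned long generation; };
static void free_list(struct cache *c) {
    struct cred *p = c->list, *n;
    for (; p != NULL; p = n) { n = p->next; free(p); }
    c->list = NULL;
}
struct cache *cache_new(void) {            /* table slot holds the first ref */
    struct cache *c = calloc(1, sizeof(*c));
    if (c != NULL) { c->refcount = 1; c->in_table = 1; }
    return c;
}
void cache_open(struct cache *c) { c->refcount++; }   /* another open handle */
int cache_store(struct cache *c, int id) {
    struct cred *cr = malloc(sizeof(*cr));
    if (cr == NULL) return -1;
    cr->id = id; cr->next = c->list; c->list = cr;
    return 0;
}
void cache_init(struct cache *c) { free_list(c); c->generation++; }
/* Close drops one reference; the object is freed only when the last one goes. */
void cache_close(struct cache *c) { if (--c->refcount == 0) { free_list(c); free(c); } }
/* Destroy empties the cache, invalidates cursors, drops the table slot
 * reference (once) and this handle's reference; other handles stay valid. */
void cache_destroy(struct cache *c) {
    free_list(c); c->generation++;
    if (c->in_table) { c->in_table = 0; c->refcount--; }
    cache_close(c);
}
void cursor_start(struct cursor *cu, struct cache *c) {
    cu->c = c; cu->pos = c->list; cu->generation = c->generation;
}
/* Next id, or -1 at end of list or when the list was invalidated under us. */
int cursor_next(struct cursor *cu) {
    struct cred *cr = cu->pos;
    if (cu->generation != cu->c->generation || cr == NULL) return -1;
    cu->pos = cr->next; return cr->id;
}
```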
This matches the expected behavior from other ccache types. Most
notably, the KEYRING equivalent was added in
c25fc42e8eac7350209df61e4a7b9960d17755ca.
(cherry picked from commit 58f60f3df7a625ccdcce23dfadd52dc335fd8da7)
ticket: 8675
version_fixed: 1.15.3
Commit 779a335f4e2deb2d76caf7d0dd3de847a040c050 added the
fail_to_start() helper in ovsec_kadmd.c, accidentally sending the
program name to stderr twice. Remove one of them.
(cherry picked from commit 047d6641bc74696b7cbba0daf56abe632a1b8940)
ticket: 8669
version_fixed: 1.15.3
For TGS requests, dispatch() doesn't set state->active_realm, which
leads to a NULL dereference in finish_dispatch() if the reply is too
big for UDP. Prior to commit 0a2f14f752c32a24200363cc6b6ae64a92f81379
the active realm was a global and was set when process_tgs_req()
called setup_server_realm().
Move TGS decoding out of process_tgs_req() so that we can set
state->active_realm before any errors requiring response. Add a test
case.
[ghudson@mit.edu: edited commit message; added test case; reduced code
duplication; removed server handle from process_tgs_req() parameters]
(cherry picked from commit 6afa8b4abf8f7c5774d03e6b15ee7288ad68d725)
ticket: 8666
version_fixed: 1.15.3
The KCM server returns KRB5_CC_END in response to a GET_CACHE_BY_UUID
request to indicate that the specified ccache uuid no longer exists.
In krb5_ptcursor_next(), ignore this error and continue the iteration,
as the Heimdal KCM client code does.
In addition to addressing the case where a third party deletes a cache
between the GET_CACHE_UUID_LIST request and when we reach that uuid in
the iteration, this change also fixes a bug in kdestroy -A where the
caller deletes the primary cache and we later request it by uuid when
iterating over the list.
[ghudson@mit.edu: rewrote commit message; edited comment]
(cherry picked from commit 49087f5e6309f298f8898c35af6f4ade418ced60)
ticket: 8658
version_fixed: 1.15.3
Commit b72aef2c1cbcc76f7fba14ddc54a4e66e7a4e66c (ticket 6966)
introduced k5_client_realm_path() for use on the client in place of
krb5_walk_realm_tree(), but failed to handle the special case of a
capaths "." value as is done in the latter function. Correct that
omission and add a test case.
(cherry picked from commit f8d0877f848563d07152a0ee191fe82846fdb8f1)
ticket: 8646
version_fixed: 1.15.3
Commit 0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d separated the
allocation and destruction of encrypting_key, causing it to leak when
any of the intervening calls jump to the cleanup label. Currently the
leak manifests on transited or authdata failures. Move encrypting_key
destruction to the cleanup label so that it can't leak. Reported by
anedvedicky@gmail.com.
(cherry picked from commit 1bcf2742d504a22b7354251bbc1e19c3dacd95f3)
ticket: 8645
version_fixed: 1.15.3
Commit e5c77a11341a79e6af1e5aef7c587a5b75a9e378 introduced a memory
leak of the client public key in server_process_dh(). Free
client_pubkey on success as well as failure.
(cherry picked from commit cefc250efd71515dd665b606bcb993e617068758)
ticket: 8644
version_fixed: 1.15.3
KDB_TL_USER_INFO tl-data is intended to be internal to the LDAP KDB
module, and not used in disk or wire principal entries. Prevent
kadmin clients from sending KDB_TL_USER_INFO tl-data by giving it a
type number less than 256 and filtering out type numbers less than 256
in kadm5_create_principal_3(). (We already filter out low type
numbers in kadm5_modify_principal()).
In the LDAP KDB module, if containerdn and linkdn are both specified
in a put_principal operation, check both linkdn and the computed
standalone_principal_dn for container membership. To that end, factor
out the checks into helper functions and call them on all applicable
client-influenced DNs.
CVE-2018-5729:
In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can cause a null
dereference in kadmind, or circumvent a DN container check, by
supplying tagged data intended to be internal to the database module.
Thanks to Sharwan Ram and Pooja Anil for discovering the potential
null dereference.
CVE-2018-5730:
In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can circumvent a DN
containership check by supplying both a "linkdn" and "containerdn"
database argument, or by supplying a DN string which is a left
extension of a container DN string but is not hierarchically within
the container DN.
(cherry picked from commit e1caf6fb74981da62039846931ebdffed71309d1)
ticket: 8643
version_fixed: 1.15.3
gcc 7 cannot determine that appdefault_get() always sets *ret_value
when it returns zero, so it issues a "may be used uninitialized" warning
in its caller. Set *ret_value at the beginning of the function body
in accordance with current practices.
[ghudson@mit.edu: clarified commit message]
(cherry picked from commit 364c608911af2f227695bb527d4e42f091ee8bd3)
ticket: 8639
version_fixed: 1.15.3
Modify profile_add_node() to return the existing node, rather than
making a new one, when adding subsection configuration.
This fixes an issue where the first instance of a subsection will hide
the second instance entirely. In particular, it was previously
impossible to split realm-specific configuration across multiple
config files.
[ghudson@mit.edu: adjusted style, added test case]
(cherry picked from commit efab9fa5a6d23c486467264e20b58bf5a9c60f0c)
ticket: 7863
version_fixed: 1.15.3
(cherry picked from commit ef7fc96fe51b6d4b757b925259f8c3f36d305090)
gssint_get_mech_type_oid() is used by gss_accept_sec_context() to
determine the mechanism of the token. Without length checking, it
might read a few bytes past the end of the input token buffer. Add
length checking as well as test cases for truncated encapsulations.
Reported by Bar Katz.
(cherry picked from commit f949e990f930f48df1f108fe311c58ae3da18b24)
ticket: 8620
version_fixed: 1.15.3
Commit 4c234d8754c063177bc627c6298b85020d91c223 added the aes-sha2
enctypes to the documented default enctypes, but in the wrong order.
Reported by Weijun Wang.
(cherry picked from commit e4ffb911497ecd3348c89fb459cc8ccae40bfe42)
ticket: 8616
version_fixed: 1.15.3
Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
allocation and to perform proper error checking.
(cherry picked from commit fbb687db1088ddd894d975996e5f6a4252b9a2b4)
ticket: 8617
version_fixed: 1.15.3
(cherry picked from commit d7cea23604b95e790bcc581c0e8e8f77090f7718)
If krb5_db_fetch_mkey() prompts for a master key and needs to
determine the kvno, check that the master entry contains any key data
before dereferencing the first element. Reported by Joshua Schaeffer.
(cherry picked from commit 29c504504f0c56c861d968ba2498590bf34714cd)
ticket: 8600
version_fixed: 1.15.2