Age | Commit message | Author | Files | Lines

In krb5_parse_pac(), check for buffer counts large enough to threaten
integer overflow in the header length and memory length calculations.
Avoid potential integer overflows when checking the length of each
buffer. Credit to OSS-Fuzz for discovering one of the issues.
CVE-2022-42898:
In MIT krb5 releases 1.8 and later, an authenticated attacker may be
able to cause a KDC or kadmind process to crash by reading beyond the
bounds of allocated memory, creating a denial of service. A
privileged attacker may similarly be able to cause a Kerberos or GSS
application service to crash. On 32-bit platforms, an attacker can
also cause insufficient memory to be allocated for the result,
potentially leading to remote code execution in a KDC, kadmind, or GSS
or Kerberos application server process. An attacker with the
privileges of a cross-realm KDC may be able to extract secrets from a
KDC process's memory by having them copied into the PAC of a new
ticket.
(cherry picked from commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583)
ticket: 9074
version_fixed: 1.19.4
PKINIT per-request module data objects are normally created by
pkinit_server_verify_padata() and freed by
pkinit_server_return_padata(). In some unusual circumstances, the KDC
may not call the return_padata method after verification succeeds.
Add a free_modreq method and free the object there instead.
[ghudson@mit.edu: rewrote commit message]
(cherry picked from commit 883415036a4b4e0372b84a5a6e46c10b3a67aba0)
ticket: 9065
version_fixed: 1.19.4
The KDC supplies the verto context to kdcpreauth modules via the loop
method (added in commit 83b4ecd20e50ad330cd761977d5dadefe30a785b).
This context should remain valid until kdcpreauth modules are
unloaded, as modules might refer to it during cleanup. In particular,
the OTP module references the verto context when freeing the RADIUS
client object (commit e89abc2d4ea1fea1ec28d470f297514b828e4842), which
can cause a memory error during KDC shutdown without this change.
(cherry picked from commit 8dcace04945723cd6a3c8ea2c1ba467c22eb6584)
ticket: 9064
version_fixed: 1.19.4
In otp_edata(), free the generated nonce.
(cherry picked from commit 5ad465bc8e0d957a4945218bea487b77622bf433)
ticket: 9063
version_fixed: 1.19.4
Although some C compilers allow a function returning void to be called
in a return statement from another function returning void, it isn't
conformant and generates an error from (at least) the HP-UX native
compiler. Reported by Michael Osipov.
(cherry picked from commit 6fe25e755f510c0fc86b899d96db9f80acf03ac5)
ticket: 9023
version_fixed: 1.19.3
After the KDC decodes a FAST inner body, it does not check for a null
server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
would typically result in an error from krb5_unparse_name(), but with
the addition of get_local_tgt() it results in a null dereference. Add
a null check.
Reported by Joseph Sutton of Catalyst.
CVE-2021-37750:
In MIT krb5 releases 1.14 and later, an authenticated attacker can
cause a null dereference in the KDC by sending a FAST TGS request with
no server field.
(cherry picked from commit d775c95af7606a51bf79547a94fa52ddd1cb7f49)
ticket: 9008
version_fixed: 1.19.3
Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
management of krb5_gss_inquire_cred(), introducing defcred to act as
an owner pointer when the function must acquire a default credential.
The commit neglected to update the code to release the default cred
along the successful path. The old code does not trigger because
cred_handle is now reassigned, so the default credential is leaked.
Reported by Pavel Březina.
(a minimal alternative to commit 593e16448e1af23eef74689afe06a7bcc86e79c7)
ticket: 9016
version_fixed: 1.19.2
Since elements of the queue can be removed on out-of-memory errors,
the correct call is K5_TAILQ_FOREACH_SAFE, not K5_TAILQ_FOREACH.
Reported by Coverity.
(cherry picked from commit 8c88defb16b34937d5b72b4832c854ce2dbe32d1)
ticket: 9015
version_fixed: 1.19.2
Without locking, the principal pointer could be freed out from under
krb5_copy_principal() by another thread calling krb5_cc_initialize()
or krb5_cc_destroy().
(cherry picked from commit 1848447291c68e21311f441b0458ae53471d00d3)
ticket: 9014
version_fixed: 1.19.2
(cherry picked from commit dbdde71a924777f271288f64012c6f2fa08fdda9)
The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
to avoid further processing if the armor key is NULL. However, this
check is bypassed by a call to k5memdup0() which overwrites retval
with 0 if the allocation succeeds. If the armor key is NULL, a call
to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
crash. Add a check before the k5memdup0() call to avoid overwriting
retval.
CVE-2021-36222:
In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
cause a null dereference in the KDC by sending a request containing a
PA-ENCRYPTED-CHALLENGE padata element without using FAST.
[ghudson@mit.edu: trimmed patch; added test case; edited commit
message]
(cherry picked from commit fc98f520caefff2e5ee9a0026fdf5109944b3562)
ticket: 9007
version_fixed: 1.19.2
Use app.add_css_file() to register krb5.css if possible (it was added
in Sphinx 1.8), since the old name app.add_stylesheet() was removed in
Sphinx 4.0.
Use the highlight directive instead of the highlightlang directive,
which was removed in Sphinx 4.0.
Remove two duplicate table of contents entries to fix warnings.
In the GitHub Actions configuration, add a second doc build using the
newest version of Sphinx.
(cherry picked from commit 3fa40a32e22cb9de91fa1d18deddcba446515855)
ticket: 9006
version_fixed: 1.19.2
Fix three Windows-specific argument type errors, including a crash bug
in the default replay cache type. Change the compiler flags to treat
several argument type warnings as errors.
The replay cache bug was reported by Thomas Wagner.
(cherry picked from commit 65b21aee6ab5e7d0851302b98647261c15c71c96)
ticket: 9005
version_fixed: 1.19.2
rand() can output different sequences on different platforms with the
same seed, and (since commit cb5f190056ef4d123c5fe5d4923982b830288438)
we want fixed output. Use specified inputs instead. Reported by Ken
Hornstein.
(cherry picked from commit ae40b2eabb8954679e55f0ae79c3aaa96974fb40)
ticket: 8992
version_fixed: 1.19.2
(cherry picked from commit 61375be10beed5e95ea241e22fc580483caabf52)
ticket: 8989
version_fixed: 1.19.2
Command-line options are described in the following places:
- .rst file "SYNOPSIS" section
- .rst file "OPTIONS" section
- parameters to getopt()
- results of getopt() that are actually handled
- a usage() or xusage() function
- occasionally, a long form in usage()/xusage()
- occasionally, libss subcommand specifications
Over time, these have drifted. Make an effort to correct this drift,
marking deprecated options as such. For consistency, remove mention
of long arguments that have an equivalent short form.
(cherry picked from commit bd912c8583261f1f2521a06e5c05757cec032580)
ticket: 8987
version_fixed: 1.19.1
Move the crypto_load_certs() probe from pkinit_identity_initialize()
to process_option_identity(). This will attempt to load a certificate
for each pkinit_identities value, and if the certificate load fails to
move to the next line.
For PKCS11, return an error if pkinit_open_session() fails, but do not
fail in pkinit_open_session() just because identity prompts are
deferred.
[ghudson@mit.edu: added test case; moved cert probe to
process_option_identity(); rewrote commit message]
(cherry picked from commit 13ae08e70a05768d4f65978ce1a8d4e16fec0d35)
ticket: 8984
version_fixed: 1.19.1
Samba only uses the correct name (krb5_set_default_tgs_enctypes) if it
cannot find the old one in the library, so removing the name causes a
linker error for existing builds.
(cherry picked from commit 17ee97788611f8f8f4a6bd69968a9499f4db2215)
ticket: 8985
version_fixed: 1.19.1
Set localstatedir and runstatedir in config/pre.in so that the default
runstatedir value of ${localstatedir}/run works. Reported by Mike
Jetzer.
(cherry picked from commit fd005a1967510004c9197f7da9f1d85ee81f4734)
ticket: 8975
version_fixed: 1.19
Field testing of dns_canonicalize_hostname=fallback (ticket 8911)
revealed more disruptive edge cases than anticipated. Many were fixed
by ticket 8930, but host-based GSS initiator names were recently
discovered to not work, and one other edge case could not be resolved
without a change to external code.
Restore the default to true for now. Set the value to fallback in the
test suite, to continue testing the desired configuration and to avoid
restoring tests/resolve.
(cherry picked from commit 15f8c4fd7d62d07ea2759a7b6d684c000430559e)
ticket: 8973
version_fixed: 1.19
Commit 3fcc365a6f049730b3f47168f7112c03997c5c0b added fallback support
to krb5_rd_req(), but acquiring acceptor creds for a host-based name
could still fail within check_keytab() in the krb5 mech.
Add an internal libkrb5 API k5_kt_have_match() to check for a matching
keytab entry with canonicalization, and use it in check_keytab(). Add
a library-internal function k5_sname_wildcard_host() to share logic
between rd_req and k5_kt_have_match().
(cherry picked from commit 7e0a2a7a3a76205ebd7192f06a99f23bad8dc5bd)
ticket: 8971
version_fixed: 1.19
Commit becd1ad6830b526d08ddaf5b2b6f213154c6446c attempted to unify the
synopsis, option descriptions, and xusage(), but missed several
options in the synopsis.
(cherry picked from commit b89d63a51271bd0258b9d24732e9f0cb0ba5d006)
ticket: 8969
version_fixed: 1.19
Although Heimdal's KCM client only continues after KRB5_CC_END,
Heimdal's and macOS's KCM servers return KRB5_FCC_NOFILE if a cache
uuid no longer exists. Check for both errors during iteration. Also
set ret to 0 when continuing, in case the skipped uuid is the last one
in the list.
(cherry picked from commit f7b3cb8bbe90817f7bfbc545f1e427c16f52a79c)
ticket: 8967
version_fixed: 1.19
When making TGS requests, if start_realm is set in the cache, use the
named realm to look up the initial TGT for referral or cross-realm
requests. (Also correct a comment in struct _tkt_creds_context: the
ccache field is an owner pointer, not an alias.)
Add an internal API k5_cc_store_primary_cred(), which sets start_realm
if the cred being stored is a TGT for a realm other than the client
realm. Use this API when acquiring initial tickets with a
caller-specified output ccache, when renewing or validating tickets
with kinit, when accepting a delegated credential in a GSS context,
and when storing a single cred with kvno --out-cache.
(cherry picked from commit 0d56740ab9fcc40dc7f46c6fbebdf8f1214f9d96)
ticket: 8332
version_fixed: 1.19
Update from https://git.savannah.gnu.org/cgit/config.git commit
888c8e3d5f7bf7464bba83aaf54304a956eefa60.
If both input and output credentials are provided to gss_add_cred() or
gss_add_cred_from(), check for a duplicate element in the input handle.
[ghudson@mit.edu: reorganized code; rewrote commit message]
ticket: 8966 (new)
RPM expects this behavior, and systems with contrary policies (like
Debian) address permissions at the packaging layer. Most other build
systems appear to install shared libraries as executable.
[ghudson@mit.edu: edited commit message]
ticket: 8965 (new)