From f1cb770b53923018ec6c35e981d160db219286f9 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharwood(a)redhat.com&gt; Date: Mon, 29 Feb 2016 23:45:34 +0000 Subject: New rawhide, new upstream version - Drop CVE patches - Rename fix_interposer.patch to acquire_cred_interposer.patch - Update acquire_cred_interposer.patch to apply to new source --- .gitignore | 3 + krb5-1.14.1-interpose-accept_sec_context.patch | 39 -- krb5-CVE-2015-8629.patch | 48 --- krb5-CVE-2015-8630.patch | 78 ---- krb5-CVE-2015-8631.patch | 573 ------------------------- krb5-acquire_cred_interposer.patch | 222 ++++++++++ krb5-fix_interposer.patch | 222 ---------- krb5-init_context_null_spnego.patch | 46 -- krb5.spec | 23 +- sources | 6 +- 10 files changed, 237 insertions(+), 1023 deletions(-) delete mode 100644 krb5-1.14.1-interpose-accept_sec_context.patch delete mode 100644 krb5-CVE-2015-8629.patch delete mode 100644 krb5-CVE-2015-8630.patch delete mode 100644 krb5-CVE-2015-8631.patch create mode 100644 krb5-acquire_cred_interposer.patch delete mode 100644 krb5-fix_interposer.patch delete mode 100644 krb5-init_context_null_spnego.patch diff --git a/.gitignore b/.gitignore index 3d18229..f2aef73 100644 --- a/.gitignore +++ b/.gitignore @@ -130,3 +130,6 @@ krb5-1.8.3-pdf.tar.gz /krb5-1.14-pdfs.tar /krb5-1.14.tar.gz /krb5-1.14.tar.gz.asc +/krb5-1.14.1-pdfs.tar +/krb5-1.14.1.tar.gz +/krb5-1.14.1.tar.gz.asc diff --git a/krb5-1.14.1-interpose-accept_sec_context.patch b/krb5-1.14.1-interpose-accept_sec_context.patch deleted file mode 100644 index 333d388..0000000 --- a/krb5-1.14.1-interpose-accept_sec_context.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 0b43d10333f4c4b29896cebc9447d8866b661217 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood <rharwood(a)redhat.com&gt; -Date: Wed, 16 Dec 2015 19:31:22 -0500 -Subject: [PATCH] Fix interposed gss_accept_sec_context() - -If gss_accept_sec_context() is interposed, selected_mech will be an -interposer OID. In this situation, pass the corresponding public OID -to gss_inquire_attrs_for_mech() to determine whether the mech is -allowed by default. - -[ghudson(a)mit.edu: pared down from larger commit; rewrote commit message] - -ticket: 8338 (new) -target_version: 1.14-next -tags: pullup ---- - src/lib/gssapi/mechglue/g_accept_sec_context.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c -index 6c72d1f..ddaf874 100644 ---- a/src/lib/gssapi/mechglue/g_accept_sec_context.c -+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c -@@ -94,6 +94,12 @@ allow_mech_by_default(gss_OID mech) - gss_OID_set attrs; - int reject = 0, p; - -+ /* Whether we accept an interposer mech depends on whether we accept the -+ * mech it interposes. */ -+ mech = gssint_get_public_oid(mech); -+ if (mech == GSS_C_NO_OID) -+ return 0; -+ - status = gss_inquire_attrs_for_mech(&minor, mech, &attrs, NULL); - if (status) - return 0; --- -2.7.0 - diff --git a/krb5-CVE-2015-8629.patch b/krb5-CVE-2015-8629.patch deleted file mode 100644 index 2eb0edd..0000000 --- a/krb5-CVE-2015-8629.patch +++ /dev/null @@ -1,48 +0,0 @@ -From df17a1224a3406f57477bcd372c61e04c0e5a5bb Mon Sep 17 00:00:00 2001 -From: Greg Hudson <ghudson(a)mit.edu&gt; -Date: Fri, 8 Jan 2016 12:45:25 -0500 -Subject: [PATCH 1/3] Verify decoded kadmin C strings [CVE-2015-8629] - -In xdr_nullstring(), check that the decoded string is terminated with -a zero byte and does not contain any internal zero bytes. - -CVE-2015-8629: - -In all versions of MIT krb5, an authenticated attacker can cause -kadmind to read beyond the end of allocated memory by sending a string -without a terminating zero byte. Information leakage may be possible -for an attacker with permission to modify the database. - - CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C - -ticket: 8341 (new) -target_version: 1.14-next -target_version: 1.13-next -tags: pullup ---- - src/lib/kadm5/kadm_rpc_xdr.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c -index 2bef858..ba67084 100644 ---- a/src/lib/kadm5/kadm_rpc_xdr.c -+++ b/src/lib/kadm5/kadm_rpc_xdr.c -@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp) - return FALSE; - } - } -- return (xdr_opaque(xdrs, *objp, size)); -+ if (!xdr_opaque(xdrs, *objp, size)) -+ return FALSE; -+ /* Check that the unmarshalled bytes are a C string. */ -+ if ((*objp)[size - 1] != '\0') -+ return FALSE; -+ if (memchr(*objp, '\0', size - 1) != NULL) -+ return FALSE; -+ return TRUE; - - case XDR_ENCODE: - if (size != 0) --- -2.7.0.rc3 - diff --git a/krb5-CVE-2015-8630.patch b/krb5-CVE-2015-8630.patch deleted file mode 100644 index 7908969..0000000 --- a/krb5-CVE-2015-8630.patch +++ /dev/null @@ -1,78 +0,0 @@ -From b863de7fbf080b15e347a736fdda0a82d42f4f6b Mon Sep 17 00:00:00 2001 -From: Greg Hudson <ghudson(a)mit.edu&gt; -Date: Fri, 8 Jan 2016 12:52:28 -0500 -Subject: [PATCH 2/3] Check for null kadm5 policy name [CVE-2015-8630] - -In kadm5_create_principal_3() and kadm5_modify_principal(), check for -entry->policy being null when KADM5_POLICY is included in the mask. - -CVE-2015-8630: - -In MIT krb5 1.12 and later, an authenticated attacker with permission -to modify a principal entry can cause kadmind to dereference a null -pointer by supplying a null policy value but including KADM5_POLICY in -the mask. - - CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C - -ticket: 8342 (new) -target_version: 1.14-next -target_version: 1.13-next -tags: pullup ---- - src/lib/kadm5/srv/svr_principal.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c -index 5b95fa3..1d4365c 100644 ---- a/src/lib/kadm5/srv/svr_principal.c -+++ b/src/lib/kadm5/srv/svr_principal.c -@@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle, - /* - * Argument sanity checking, and opening up the DB - */ -+ if (entry == NULL) -+ return EINVAL; - if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) || - (mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) || - (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) || -@@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle, - return KADM5_BAD_MASK; - if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0) - return KADM5_BAD_MASK; -+ if((mask & KADM5_POLICY) && entry->policy == NULL) -+ return KADM5_BAD_MASK; - if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR)) - return KADM5_BAD_MASK; - if((mask & ~ALL_PRINC_MASK)) - return KADM5_BAD_MASK; -- if (entry == NULL) -- return EINVAL; - - /* - * Check to see if the principal exists -@@ -643,6 +645,8 @@ kadm5_modify_principal(void *server_handle, - - krb5_clear_error_message(handle->context); - -+ if(entry == NULL) -+ return EINVAL; - if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) || - (mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) || - (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) || -@@ -651,10 +655,10 @@ kadm5_modify_principal(void *server_handle, - return KADM5_BAD_MASK; - if((mask & ~ALL_PRINC_MASK)) - return KADM5_BAD_MASK; -+ if((mask & KADM5_POLICY) && entry->policy == NULL) -+ return KADM5_BAD_MASK; - if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR)) - return KADM5_BAD_MASK; -- if(entry == (kadm5_principal_ent_t) NULL) -- return EINVAL; - if (mask & KADM5_TL_DATA) { - tl_data_orig = entry->tl_data; - while (tl_data_orig) { --- -2.7.0.rc3 - diff --git a/krb5-CVE-2015-8631.patch b/krb5-CVE-2015-8631.patch deleted file mode 100644 index cd5efd5..0000000 --- a/krb5-CVE-2015-8631.patch +++ /dev/null @@ -1,573 +0,0 @@ -From 83ed75feba32e46f736fcce0d96a0445f29b96c2 Mon Sep 17 00:00:00 2001 -From: Greg Hudson <ghudson(a)mit.edu&gt; -Date: Fri, 8 Jan 2016 13:16:54 -0500 -Subject: [PATCH 3/3] Fix leaks in kadmin server stubs [CVE-2015-8631] - -In each kadmind server stub, initialize the client_name and -server_name variables, and release them in the cleanup handler. Many -of the stubs will otherwise leak the client and server name if -krb5_unparse_name() fails. Also make sure to free the prime_arg -variables in rename_principal_2_svc(), or we can leak the first one if -unparsing the second one fails. Discovered by Simo Sorce. - -CVE-2015-8631: - -In all versions of MIT krb5, an authenticated attacker can cause -kadmind to leak memory by supplying a null principal name in a request -which uses one. Repeating these requests will eventually cause -kadmind to exhaust all available memory. - - CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C - -ticket: 8343 (new) -target_version: 1.14-next -target_version: 1.13-next -tags: pullup ---- - src/kadmin/server/server_stubs.c | 151 ++++++++++++++++++++------------------- - 1 file changed, 77 insertions(+), 74 deletions(-) - -diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c -index 1879dc6..6ac797e 100644 ---- a/src/kadmin/server/server_stubs.c -+++ b/src/kadmin/server/server_stubs.c -@@ -334,7 +334,8 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - restriction_t *rp; -@@ -382,10 +383,10 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -- gss_release_buffer(&minor_stat, &client_name); -- gss_release_buffer(&minor_stat, &service_name); - - exit_func: -+ gss_release_buffer(&minor_stat, &client_name); -+ gss_release_buffer(&minor_stat, &service_name); - free_server_handle(handle); - return &ret; - } -@@ -395,7 +396,8 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - restriction_t *rp; -@@ -444,10 +446,10 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -- gss_release_buffer(&minor_stat, &client_name); -- gss_release_buffer(&minor_stat, &service_name); - - exit_func: -+ gss_release_buffer(&minor_stat, &client_name); -+ gss_release_buffer(&minor_stat, &service_name); - free_server_handle(handle); - return &ret; - } -@@ -457,8 +459,8 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -501,10 +503,10 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp) - - } - free(prime_arg); -- gss_release_buffer(&minor_stat, &client_name); -- gss_release_buffer(&minor_stat, &service_name); - - exit_func: -+ gss_release_buffer(&minor_stat, &client_name); -+ gss_release_buffer(&minor_stat, &service_name); - free_server_handle(handle); - return &ret; - } -@@ -514,8 +516,8 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - restriction_t *rp; -@@ -559,9 +561,9 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -570,10 +572,9 @@ generic_ret * - rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; -- char *prime_arg1, -- *prime_arg2; -- gss_buffer_desc client_name, -- service_name; -+ char *prime_arg1 = NULL, *prime_arg2 = NULL; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - restriction_t *rp; -@@ -655,11 +656,11 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - - } -+exit_func: - free(prime_arg1); - free(prime_arg2); - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -669,8 +670,8 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp) - { - static gprinc_ret ret; - char *prime_arg, *funcname; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -719,9 +720,9 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -731,8 +732,8 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) - { - static gprincs_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -777,9 +778,9 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -789,8 +790,8 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -840,9 +841,9 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp) - } - - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -852,8 +853,8 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -909,9 +910,9 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp) - } - - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -921,8 +922,8 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -969,9 +970,9 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp) - } - - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -981,8 +982,8 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1029,9 +1030,9 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp) - } - - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1041,8 +1042,8 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1092,9 +1093,9 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp) - } - - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1106,8 +1107,8 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp) - krb5_keyblock *k; - int nkeys; - char *prime_arg, *funcname; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1164,9 +1165,9 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1178,8 +1179,8 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp) - krb5_keyblock *k; - int nkeys; - char *prime_arg, *funcname; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1241,9 +1242,9 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1253,8 +1254,8 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1295,9 +1296,9 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp) - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1307,8 +1308,8 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1347,9 +1348,9 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp) - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1359,8 +1360,8 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1400,9 +1401,9 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp) - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1413,8 +1414,8 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp) - static gpol_ret ret; - kadm5_ret_t ret2; - char *prime_arg, *funcname; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_principal_ent_rec caller_ent; - kadm5_server_handle_t handle; -@@ -1475,9 +1476,9 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp) - log_unauth(funcname, prime_arg, - &client_name, &service_name, rqstp); - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - -@@ -1488,8 +1489,8 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) - { - static gpols_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1531,9 +1532,9 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1541,7 +1542,8 @@ exit_func: - getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) - { - static getprivs_ret ret; -- gss_buffer_desc client_name, service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1571,9 +1573,9 @@ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); - -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1583,7 +1585,8 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg, *funcname; -- gss_buffer_desc client_name, service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - -@@ -1629,9 +1632,9 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1641,8 +1644,8 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp) - { - static gstrings_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1688,9 +1691,9 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1700,8 +1703,8 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1744,9 +1747,9 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1754,8 +1757,8 @@ exit_func: - generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) - { - static generic_ret ret; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - kadm5_server_handle_t handle; - OM_uint32 minor_stat; - const char *errmsg = NULL; -@@ -1797,10 +1800,10 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) - rqstp->rq_cred.oa_flavor); - if (errmsg != NULL) - krb5_free_error_message(NULL, errmsg); -- gss_release_buffer(&minor_stat, &client_name); -- gss_release_buffer(&minor_stat, &service_name); - - exit_func: -+ gss_release_buffer(&minor_stat, &client_name); -+ gss_release_buffer(&minor_stat, &service_name); - return(&ret); - } - --- -2.7.0.rc3 - diff --git a/krb5-acquire_cred_interposer.patch b/krb5-acquire_cred_interposer.patch new file mode 100644 index 0000000..fa1c532 --- /dev/null +++ b/krb5-acquire_cred_interposer.patch @@ -0,0 +1,222 @@ +From b3901af6970fb7bde88eb16d51c8d05db6f37746 Mon Sep 17 00:00:00 2001 +From: Simo Sorce <simo(a)redhat.com&gt; +Date: Fri, 13 Nov 2015 14:54:11 -0500 +Subject: [PATCH] Fix impersonate_name to work with interposers + +This follows the same modifications applied to +gss_acquire_cred_with_password() when interposer plugins were +introduced. + +[ghudson(a)mit.edu: minor whitespace changes; initialize out_mcred in +spnego_gss_acquire_cred_impersonate_name() since it is released in the +cleanup handler] + +ticket: 8280 (new) +--- + src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c | 58 +++++++++++++++-------- + src/lib/gssapi/spnego/spnego_mech.c | 35 +++++++------- + 2 files changed, 54 insertions(+), 39 deletions(-) + +diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c +index 0dd4f87..9eab25e 100644 +--- a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c ++++ b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c +@@ -334,6 +334,8 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + gss_cred_id_t cred = NULL; + gss_OID new_mechs_array = NULL; + gss_cred_id_t * new_cred_array = NULL; ++ gss_OID_set target_mechs = GSS_C_NO_OID_SET; ++ gss_OID selected_mech = GSS_C_NO_OID; + + status = val_add_cred_impersonate_name_args(minor_status, + input_cred_handle, +@@ -350,7 +352,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + if (status != GSS_S_COMPLETE) + return (status); + +- mech = gssint_get_mechanism(desired_mech); ++ status = gssint_select_mech_type(minor_status, desired_mech, ++ &selected_mech); ++ if (status != GSS_S_COMPLETE) ++ return status; ++ ++ mech = gssint_get_mechanism(selected_mech); + if (!mech) + return GSS_S_BAD_MECH; + else if (!mech->gss_acquire_cred_impersonate_name) +@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + internal_name = GSS_C_NO_NAME; + } else { + union_cred = (gss_union_cred_t)input_cred_handle; +- if (gssint_get_mechanism_cred(union_cred, desired_mech) != ++ if (gssint_get_mechanism_cred(union_cred, selected_mech) != + GSS_C_NO_CREDENTIAL) + return (GSS_S_DUPLICATE_ELEMENT); + } + + mech_impersonator_cred = + gssint_get_mechanism_cred((gss_union_cred_t)impersonator_cred_handle, +- desired_mech); ++ selected_mech); + if (mech_impersonator_cred == GSS_C_NO_CREDENTIAL) + return (GSS_S_NO_CRED); + + /* may need to create a mechanism specific name */ + union_name = (gss_union_name_t)desired_name; + if (union_name->mech_type && +- g_OID_equal(union_name->mech_type, +- &mech->mech_type)) ++ g_OID_equal(union_name->mech_type, selected_mech)) + internal_name = union_name->mech_name; + else { + if (gssint_import_internal_name(minor_status, +- &mech->mech_type, union_name, +- &allocated_name) != GSS_S_COMPLETE) ++ selected_mech, union_name, ++ &allocated_name) != GSS_S_COMPLETE) + return (GSS_S_BAD_NAME); + internal_name = allocated_name; + } +@@ -402,11 +408,21 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + else + time_req = 0; + ++ status = gss_create_empty_oid_set(minor_status, &target_mechs); ++ if (status != GSS_S_COMPLETE) ++ goto errout; ++ ++ status = gss_add_oid_set_member(minor_status, ++ gssint_get_public_oid(selected_mech), ++ &target_mechs); ++ if (status != GSS_S_COMPLETE) ++ goto errout; ++ + status = mech->gss_acquire_cred_impersonate_name(minor_status, + mech_impersonator_cred, + internal_name, + time_req, +- GSS_C_NULL_OID_SET, ++ target_mechs, + cred_usage, + &cred, + NULL, +@@ -445,19 +461,15 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + + new_cred_array[union_cred->count] = cred; + if ((new_mechs_array[union_cred->count].elements = +- malloc(mech->mech_type.length)) == NULL) ++ malloc(selected_mech->length)) == NULL) + goto errout; + +- g_OID_copy(&new_mechs_array[union_cred->count], +- &mech->mech_type); ++ g_OID_copy(&new_mechs_array[union_cred->count], selected_mech); + + if (actual_mechs != NULL) { +- gss_OID_set_desc oids; +- +- oids.count = union_cred->count + 1; +- oids.elements = new_mechs_array; +- +- status = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs); ++ status = gssint_make_public_oid_set(minor_status, new_mechs_array, ++ union_cred->count + 1, ++ actual_mechs); + if (GSS_ERROR(status)) { + free(new_mechs_array[union_cred->count].elements); + goto errout; +@@ -486,10 +498,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + /* We're done with the internal name. Free it if we allocated it. */ + + if (allocated_name) +- (void) gssint_release_internal_name(&temp_minor_status, +- &mech->mech_type, ++ (void) gssint_release_internal_name(&temp_minor_status, selected_mech, + &allocated_name); + ++ if (target_mechs) ++ (void) gss_release_oid_set(&temp_minor_status, &target_mechs); ++ + return (GSS_S_COMPLETE); + + errout: +@@ -503,8 +517,10 @@ errout: + + if (allocated_name) + (void) gssint_release_internal_name(&temp_minor_status, +- &mech->mech_type, +- &allocated_name); ++ selected_mech, &allocated_name); ++ ++ if (target_mechs) ++ (void) gss_release_oid_set(&temp_minor_status, &target_mechs); + + if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred) + free(union_cred); +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index e6703eb..28fb9b1 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -2619,10 +2619,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, + gss_OID_set *actual_mechs, + OM_uint32 *time_rec) + { +- OM_uint32 status; ++ OM_uint32 status, tmpmin; + gss_OID_set amechs = GSS_C_NULL_OID_SET; + spnego_gss_cred_id_t imp_spcred = NULL, out_spcred = NULL; +- gss_cred_id_t imp_mcred, out_mcred; ++ gss_cred_id_t imp_mcred, out_mcred = GSS_C_NO_CREDENTIAL; + + dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n"); + +@@ -2634,31 +2634,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, + + imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle; + imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL; +- if (desired_mechs == GSS_C_NO_OID_SET) { +- status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL, +- NULL, &amechs); +- if (status != GSS_S_COMPLETE) +- return status; +- +- desired_mechs = amechs; +- } ++ status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL, ++ NULL, &amechs); ++ if (status != GSS_S_COMPLETE) ++ return status; + + status = gss_acquire_cred_impersonate_name(minor_status, imp_mcred, + desired_name, time_req, +- desired_mechs, cred_usage, ++ amechs, cred_usage, + &out_mcred, actual_mechs, + time_rec); +- +- if (amechs != GSS_C_NULL_OID_SET) +- (void) gss_release_oid_set(minor_status, &amechs); ++ if (status != GSS_S_COMPLETE) ++ goto cleanup; + + status = create_spnego_cred(minor_status, out_mcred, &out_spcred); +- if (status != GSS_S_COMPLETE) { +- gss_release_cred(minor_status, &out_mcred); +- return (status); +- } ++ if (status != GSS_S_COMPLETE) ++ goto cleanup; ++ ++ out_mcred = GSS_C_NO_CREDENTIAL; + *output_cred_handle = (gss_cred_id_t)out_spcred; + ++cleanup: ++ (void) gss_release_oid_set(&tmpmin, &amechs); ++ (void) gss_release_cred(&tmpmin, &out_mcred); ++ + dsyslog("Leaving spnego_gss_acquire_cred_impersonate_name\n"); + return (status); + } +-- +2.6.2 + diff --git a/krb5-fix_interposer.patch b/krb5-fix_interposer.patch deleted file mode 100644 index 8a6aa19..0000000 --- a/krb5-fix_interposer.patch +++ /dev/null @@ -1,222 +0,0 @@ -From b3901af6970fb7bde88eb16d51c8d05db6f37746 Mon Sep 17 00:00:00 2001 -From: Simo Sorce <simo(a)redhat.com&gt; -Date: Fri, 13 Nov 2015 14:54:11 -0500 -Subject: [PATCH] Fix impersonate_name to work with interposers - -This follows the same modifications applied to -gss_acquire_cred_with_password() when interposer plugins were -introduced. - -[ghudson(a)mit.edu: minor whitespace changes; initialize out_mcred in -spnego_gss_acquire_cred_impersonate_name() since it is released in the -cleanup handler] - -ticket: 8280 (new) ---- - src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c | 58 +++++++++++++++-------- - src/lib/gssapi/spnego/spnego_mech.c | 35 +++++++------- - 2 files changed, 54 insertions(+), 39 deletions(-) - -diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c -index 0dd4f87..9eab25e 100644 ---- a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c -+++ b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c -@@ -334,6 +334,8 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - gss_cred_id_t cred = NULL; - gss_OID new_mechs_array = NULL; - gss_cred_id_t * new_cred_array = NULL; -+ gss_OID_set target_mechs = GSS_C_NO_OID_SET; -+ gss_OID selected_mech = GSS_C_NO_OID; - - status = val_add_cred_impersonate_name_args(minor_status, - input_cred_handle, -@@ -350,7 +352,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - if (status != GSS_S_COMPLETE) - return (status); - -- mech = gssint_get_mechanism(desired_mech); -+ status = gssint_select_mech_type(minor_status, desired_mech, -+ &selected_mech); -+ if (status != GSS_S_COMPLETE) -+ return status; -+ -+ mech = gssint_get_mechanism(selected_mech); - if (!mech) - return GSS_S_BAD_MECH; - else if (!mech->gss_acquire_cred) -@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - internal_name = GSS_C_NO_NAME; - } else { - union_cred = (gss_union_cred_t)input_cred_handle; -- if (gssint_get_mechanism_cred(union_cred, desired_mech) != -+ if (gssint_get_mechanism_cred(union_cred, selected_mech) != - GSS_C_NO_CREDENTIAL) - return (GSS_S_DUPLICATE_ELEMENT); - } - - mech_impersonator_cred = - gssint_get_mechanism_cred((gss_union_cred_t)impersonator_cred_handle, -- desired_mech); -+ selected_mech); - if (mech_impersonator_cred == GSS_C_NO_CREDENTIAL) - return (GSS_S_NO_CRED); - - /* may need to create a mechanism specific name */ - union_name = (gss_union_name_t)desired_name; - if (union_name->mech_type && -- g_OID_equal(union_name->mech_type, -- &mech->mech_type)) -+ g_OID_equal(union_name->mech_type, selected_mech)) - internal_name = union_name->mech_name; - else { - if (gssint_import_internal_name(minor_status, -- &mech->mech_type, union_name, -- &allocated_name) != GSS_S_COMPLETE) -+ selected_mech, union_name, -+ &allocated_name) != GSS_S_COMPLETE) - return (GSS_S_BAD_NAME); - internal_name = allocated_name; - } -@@ -402,11 +408,21 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - else - time_req = 0; - -+ status = gss_create_empty_oid_set(minor_status, &target_mechs); -+ if (status != GSS_S_COMPLETE) -+ goto errout; -+ -+ status = gss_add_oid_set_member(minor_status, -+ gssint_get_public_oid(selected_mech), -+ &target_mechs); -+ if (status != GSS_S_COMPLETE) -+ goto errout; -+ - status = mech->gss_acquire_cred_impersonate_name(minor_status, - mech_impersonator_cred, - internal_name, - time_req, -- GSS_C_NULL_OID_SET, -+ target_mechs, - cred_usage, - &cred, - NULL, -@@ -445,19 +461,15 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - - new_cred_array[union_cred->count] = cred; - if ((new_mechs_array[union_cred->count].elements = -- malloc(mech->mech_type.length)) == NULL) -+ malloc(selected_mech->length)) == NULL) - goto errout; - -- g_OID_copy(&new_mechs_array[union_cred->count], -- &mech->mech_type); -+ g_OID_copy(&new_mechs_array[union_cred->count], selected_mech); - - if (actual_mechs != NULL) { -- gss_OID_set_desc oids; -- -- oids.count = union_cred->count + 1; -- oids.elements = new_mechs_array; -- -- status = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs); -+ status = gssint_make_public_oid_set(minor_status, new_mechs_array, -+ union_cred->count + 1, -+ actual_mechs); - if (GSS_ERROR(status)) { - free(new_mechs_array[union_cred->count].elements); - goto errout; -@@ -486,10 +498,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, - /* We're done with the internal name. Free it if we allocated it. */ - - if (allocated_name) -- (void) gssint_release_internal_name(&temp_minor_status, -- &mech->mech_type, -+ (void) gssint_release_internal_name(&temp_minor_status, selected_mech, - &allocated_name); - -+ if (target_mechs) -+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs); -+ - return (GSS_S_COMPLETE); - - errout: -@@ -503,8 +517,10 @@ errout: - - if (allocated_name) - (void) gssint_release_internal_name(&temp_minor_status, -- &mech->mech_type, -- &allocated_name); -+ selected_mech, &allocated_name); -+ -+ if (target_mechs) -+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs); - - if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred) - free(union_cred); -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index e6703eb..28fb9b1 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -2619,10 +2619,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, - gss_OID_set *actual_mechs, - OM_uint32 *time_rec) - { -- OM_uint32 status; -+ OM_uint32 status, tmpmin; - gss_OID_set amechs = GSS_C_NULL_OID_SET; - spnego_gss_cred_id_t imp_spcred = NULL, out_spcred = NULL; -- gss_cred_id_t imp_mcred, out_mcred; -+ gss_cred_id_t imp_mcred, out_mcred = GSS_C_NO_CREDENTIAL; - - dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n"); - -@@ -2634,31 +2634,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, - - imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle; - imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL; -- if (desired_mechs == GSS_C_NO_OID_SET) { -- status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL, -- NULL, &amechs); -- if (status != GSS_S_COMPLETE) -- return status; -- -- desired_mechs = amechs; -- } -+ status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL, -+ NULL, &amechs); -+ if (status != GSS_S_COMPLETE) -+ return status; - - status = gss_acquire_cred_impersonate_name(minor_status, imp_mcred, - desired_name, time_req, -- desired_mechs, cred_usage, -+ amechs, cred_usage, - &out_mcred, actual_mechs, - time_rec); -- -- if (amechs != GSS_C_NULL_OID_SET) -- (void) gss_release_oid_set(minor_status, &amechs); -+ if (status != GSS_S_COMPLETE) -+ goto cleanup; - - status = create_spnego_cred(minor_status, out_mcred, &out_spcred); -- if (status != GSS_S_COMPLETE) { -- gss_release_cred(minor_status, &out_mcred); -- return (status); -- } -+ if (status != GSS_S_COMPLETE) -+ goto cleanup; -+ -+ out_mcred = GSS_C_NO_CREDENTIAL; - *output_cred_handle = (gss_cred_id_t)out_spcred; - -+cleanup: -+ (void) gss_release_oid_set(&tmpmin, &amechs); -+ (void) gss_release_cred(&tmpmin, &out_mcred); -+ - dsyslog("Leaving spnego_gss_acquire_cred_impersonate_name\n"); - return (status); - } --- -2.6.2 - diff --git a/krb5-init_context_null_spnego.patch b/krb5-init_context_null_spnego.patch deleted file mode 100644 index af147cd..0000000 --- a/krb5-init_context_null_spnego.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 3beb564cea3d219efcf71682b6576cad548c2d23 Mon Sep 17 00:00:00 2001 -From: Simo Sorce <simo(a)redhat.com&gt; -Date: Tue, 5 Jan 2016 12:11:59 -0500 -Subject: [PATCH] Check internal context on init context errors - -If the mechanism deletes the internal context handle on error, the -mechglue must do the same with the union context, to avoid crashes if -the application calls other functions with this invalid union context. - -[ghudson(a)mit.edu: edit commit message and code comment] - -ticket: 8337 (new) -target_version: 1.14-next -target_version: 1.13-next -tags: pullup ---- - src/lib/gssapi/mechglue/g_init_sec_context.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/src/lib/gssapi/mechglue/g_init_sec_context.c b/src/lib/gssapi/mechglue/g_init_sec_context.c -index aaae767..9f154b8 100644 ---- a/src/lib/gssapi/mechglue/g_init_sec_context.c -+++ b/src/lib/gssapi/mechglue/g_init_sec_context.c -@@ -224,12 +224,15 @@ OM_uint32 * time_rec; - - if (status != GSS_S_COMPLETE && status != GSS_S_CONTINUE_NEEDED) { - /* -- * the spec says (the preferred) method is to delete all -- * context info on the first call to init, and on all -- * subsequent calls make the caller responsible for -- * calling gss_delete_sec_context -+ * The spec says the preferred method is to delete all context info on -+ * the first call to init, and on all subsequent calls make the caller -+ * responsible for calling gss_delete_sec_context. However, if the -+ * mechanism decided to delete the internal context, we should also -+ * delete the union context. - */ - map_error(minor_status, mech); -+ if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT) -+ *context_handle = GSS_C_NO_CONTEXT; - if (*context_handle == GSS_C_NO_CONTEXT) { - free(union_ctx_id->mech_type->elements); - free(union_ctx_id->mech_type); --- -2.6.4 - diff --git a/krb5.spec b/krb5.spec index 893f41c..15ca779 100644 --- a/krb5.spec +++ b/krb5.spec @@ -12,8 +12,8 @@ Summary: The Kerberos network authentication system Name: krb5 -Version: 1.14 -Release: 23%{?dist} +Version: 1.14.1 +Release: 1%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # - The sources below are stored in a lookaside cache. Upload with @@ -57,14 +57,9 @@ Patch86: krb5-1.9-debuginfo.patch Patch129: krb5-1.11-run_user_0.patch Patch134: krb5-1.11-kpasswdtest.patch Patch148: krb5-disable_ofd_locks.patch -Patch150: krb5-fix_interposer.patch -Patch152: krb5-init_context_null_spnego.patch +Patch150: krb5-acquire_cred_interposer.patch Patch153: krb5-1.14.1-log_file_permissions.patch -Patch154: krb5-CVE-2015-8629.patch -Patch155: krb5-CVE-2015-8630.patch -Patch156: krb5-CVE-2015-8631.patch -Patch157: krb5-1.14.1-interpose-accept_sec_context.patch Patch158: krb5-1.14.1-interpose-enable-inquire_attrs_for_mech.patch Patch159: krb5-1.14.1-interpose-fix-inquire_attrs_for_mech.patch Patch160: krb5-1.14.1-interpose-inquire_saslname_for_mech.patch @@ -243,14 +238,8 @@ ln NOTICE LICENSE %patch148 -p1 -b .disable_ofd_locks %patch150 -p1 -b .fix_interposer -%patch152 -p1 -b .init_context_null_spnego %patch153 -p1 -b .log_file_permissions -%patch154 -p1 -b .CVE-2015-8629 -%patch155 -p1 -b .CVE-2015-8630 -%patch156 -p1 -b .CVE-2015-8631 - -%patch157 -p1 -b .interpose-accept_sec_context %patch158 -p1 -b .interpose-enable-inquire_attrs_for_mech %patch159 -p1 -b .interpose-fix-inquire_attrs_for_mech %patch160 -p1 -b .interpose-inquire_saslname_for_mech @@ -777,6 +766,12 @@ exit 0 %changelog +* Mon Feb 29 2016 Robbie Harwood <rharwood(a)redhat.com&gt; - 1.14.1-1 +- New rawhide, new upstream version +- Drop CVE patches +- Rename fix_interposer.patch to acquire_cred_interposer.patch +- Update acquire_cred_interposer.patch to apply to new source + * Mon Feb 22 2016 Robbie Harwood <rharwood(a)redhat.com&gt; - 1.14-23 - Fix log file permissions patch with our selinux - Resolves: #1309421 diff --git a/sources b/sources index 74babf7..ce89c20 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -ac45469a7dc1aef4d03632dada893aca krb5-1.14-pdfs.tar -0727968764d0208388b85ad31aafde24 krb5-1.14.tar.gz -5206449ace5db12ef70856e4d5f3a064 krb5-1.14.tar.gz.asc +ac45469a7dc1aef4d03632dada893aca krb5-1.14.1-pdfs.tar +400de0cabbfbe85c2c36f60347bf7dc6 krb5-1.14.1.tar.gz +98a82e313a0f23498122eba3338f7576 krb5-1.14.1.tar.gz.asc -- cgit v0.12 http://pkgs.fedoraproject.org/cgit/krb5.git/commit/?h=master&id=f1cb7...