Browse code
apply patch for CVE-2015-8631
Change-Id: Ibf53bce475ac86ce5a8d2f9d90f77f83fd8be661
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/2303
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Priyesh Padmavilasom authored on 2017/04/06 07:59:46Showing 2 changed files
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,569 @@ |
| 0 |
+From 83ed75feba32e46f736fcce0d96a0445f29b96c2 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Greg Hudson <ghudson@mit.edu> |
|
| 2 |
+Date: Fri, 8 Jan 2016 13:16:54 -0500 |
|
| 3 |
+Subject: [PATCH] Fix leaks in kadmin server stubs [CVE-2015-8631] |
|
| 4 |
+ |
|
| 5 |
+In each kadmind server stub, initialize the client_name and |
|
| 6 |
+server_name variables, and release them in the cleanup handler. Many |
|
| 7 |
+of the stubs will otherwise leak the client and server name if |
|
| 8 |
+krb5_unparse_name() fails. Also make sure to free the prime_arg |
|
| 9 |
+variables in rename_principal_2_svc(), or we can leak the first one if |
|
| 10 |
+unparsing the second one fails. Discovered by Simo Sorce. |
|
| 11 |
+ |
|
| 12 |
+CVE-2015-8631: |
|
| 13 |
+ |
|
| 14 |
+In all versions of MIT krb5, an authenticated attacker can cause |
|
| 15 |
+kadmind to leak memory by supplying a null principal name in a request |
|
| 16 |
+which uses one. Repeating these requests will eventually cause |
|
| 17 |
+kadmind to exhaust all available memory. |
|
| 18 |
+ |
|
| 19 |
+ CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C |
|
| 20 |
+ |
|
| 21 |
+ticket: 8343 (new) |
|
| 22 |
+target_version: 1.14-next |
|
| 23 |
+target_version: 1.13-next |
|
| 24 |
+tags: pullup |
|
| 25 |
+--- |
|
| 26 |
+ src/kadmin/server/server_stubs.c | 151 ++++++++++++++++++++------------------- |
|
| 27 |
+ 1 file changed, 77 insertions(+), 74 deletions(-) |
|
| 28 |
+ |
|
| 29 |
+diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c |
|
| 30 |
+index 1879dc6..6ac797e 100644 |
|
| 31 |
+--- a/src/kadmin/server/server_stubs.c |
|
| 32 |
+@@ -334,7 +334,8 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) |
|
| 33 |
+ {
|
|
| 34 |
+ static generic_ret ret; |
|
| 35 |
+ char *prime_arg; |
|
| 36 |
+- gss_buffer_desc client_name, service_name; |
|
| 37 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 38 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 39 |
+ OM_uint32 minor_stat; |
|
| 40 |
+ kadm5_server_handle_t handle; |
|
| 41 |
+ restriction_t *rp; |
|
| 42 |
+@@ -382,10 +383,10 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) |
|
| 43 |
+ krb5_free_error_message(handle->context, errmsg); |
|
| 44 |
+ } |
|
| 45 |
+ free(prime_arg); |
|
| 46 |
+- gss_release_buffer(&minor_stat, &client_name); |
|
| 47 |
+- gss_release_buffer(&minor_stat, &service_name); |
|
| 48 |
+ |
|
| 49 |
+ exit_func: |
|
| 50 |
++ gss_release_buffer(&minor_stat, &client_name); |
|
| 51 |
++ gss_release_buffer(&minor_stat, &service_name); |
|
| 52 |
+ free_server_handle(handle); |
|
| 53 |
+ return &ret; |
|
| 54 |
+ } |
|
| 55 |
+@@ -395,7 +396,8 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp) |
|
| 56 |
+ {
|
|
| 57 |
+ static generic_ret ret; |
|
| 58 |
+ char *prime_arg; |
|
| 59 |
+- gss_buffer_desc client_name, service_name; |
|
| 60 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 61 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 62 |
+ OM_uint32 minor_stat; |
|
| 63 |
+ kadm5_server_handle_t handle; |
|
| 64 |
+ restriction_t *rp; |
|
| 65 |
+@@ -444,10 +446,10 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp) |
|
| 66 |
+ krb5_free_error_message(handle->context, errmsg); |
|
| 67 |
+ } |
|
| 68 |
+ free(prime_arg); |
|
| 69 |
+- gss_release_buffer(&minor_stat, &client_name); |
|
| 70 |
+- gss_release_buffer(&minor_stat, &service_name); |
|
| 71 |
+ |
|
| 72 |
+ exit_func: |
|
| 73 |
++ gss_release_buffer(&minor_stat, &client_name); |
|
| 74 |
++ gss_release_buffer(&minor_stat, &service_name); |
|
| 75 |
+ free_server_handle(handle); |
|
| 76 |
+ return &ret; |
|
| 77 |
+ } |
|
| 78 |
+@@ -457,8 +459,8 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp) |
|
| 79 |
+ {
|
|
| 80 |
+ static generic_ret ret; |
|
| 81 |
+ char *prime_arg; |
|
| 82 |
+- gss_buffer_desc client_name, |
|
| 83 |
+- service_name; |
|
| 84 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 85 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 86 |
+ OM_uint32 minor_stat; |
|
| 87 |
+ kadm5_server_handle_t handle; |
|
| 88 |
+ const char *errmsg = NULL; |
|
| 89 |
+@@ -501,10 +503,10 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp) |
|
| 90 |
+ |
|
| 91 |
+ } |
|
| 92 |
+ free(prime_arg); |
|
| 93 |
+- gss_release_buffer(&minor_stat, &client_name); |
|
| 94 |
+- gss_release_buffer(&minor_stat, &service_name); |
|
| 95 |
+ |
|
| 96 |
+ exit_func: |
|
| 97 |
++ gss_release_buffer(&minor_stat, &client_name); |
|
| 98 |
++ gss_release_buffer(&minor_stat, &service_name); |
|
| 99 |
+ free_server_handle(handle); |
|
| 100 |
+ return &ret; |
|
| 101 |
+ } |
|
| 102 |
+@@ -514,8 +516,8 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp) |
|
| 103 |
+ {
|
|
| 104 |
+ static generic_ret ret; |
|
| 105 |
+ char *prime_arg; |
|
| 106 |
+- gss_buffer_desc client_name, |
|
| 107 |
+- service_name; |
|
| 108 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 109 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 110 |
+ OM_uint32 minor_stat; |
|
| 111 |
+ kadm5_server_handle_t handle; |
|
| 112 |
+ restriction_t *rp; |
|
| 113 |
+@@ -559,9 +561,9 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp) |
|
| 114 |
+ krb5_free_error_message(handle->context, errmsg); |
|
| 115 |
+ } |
|
| 116 |
+ free(prime_arg); |
|
| 117 |
++exit_func: |
|
| 118 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 119 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 120 |
+-exit_func: |
|
| 121 |
+ free_server_handle(handle); |
|
| 122 |
+ return &ret; |
|
| 123 |
+ } |
|
| 124 |
+@@ -570,10 +572,9 @@ generic_ret * |
|
| 125 |
+ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) |
|
| 126 |
+ {
|
|
| 127 |
+ static generic_ret ret; |
|
| 128 |
+- char *prime_arg1, |
|
| 129 |
+- *prime_arg2; |
|
| 130 |
+- gss_buffer_desc client_name, |
|
| 131 |
+- service_name; |
|
| 132 |
++ char *prime_arg1 = NULL, *prime_arg2 = NULL; |
|
| 133 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 134 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 135 |
+ OM_uint32 minor_stat; |
|
| 136 |
+ kadm5_server_handle_t handle; |
|
| 137 |
+ restriction_t *rp; |
|
| 138 |
+@@ -655,11 +656,11 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) |
|
| 139 |
+ krb5_free_error_message(handle->context, errmsg); |
|
| 140 |
+ |
|
| 141 |
+ } |
|
| 142 |
++exit_func: |
|
| 143 |
+ free(prime_arg1); |
|
| 144 |
+ free(prime_arg2); |
|
| 145 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 146 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 147 |
+-exit_func: |
|
| 148 |
+ free_server_handle(handle); |
|
| 149 |
+ return &ret; |
|
| 150 |
+ } |
|
| 151 |
+@@ -669,8 +670,8 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp) |
|
| 152 |
+ {
|
|
| 153 |
+ static gprinc_ret ret; |
|
| 154 |
+ char *prime_arg, *funcname; |
|
| 155 |
+- gss_buffer_desc client_name, |
|
| 156 |
+- service_name; |
|
| 157 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 158 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 159 |
+ OM_uint32 minor_stat; |
|
| 160 |
+ kadm5_server_handle_t handle; |
|
| 161 |
+ const char *errmsg = NULL; |
|
| 162 |
+@@ -719,9 +720,9 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp) |
|
| 163 |
+ krb5_free_error_message(handle->context, errmsg); |
|
| 164 |
+ } |
|
| 165 |
+ free(prime_arg); |
|
| 166 |
++exit_func: |
|
| 167 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 168 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 169 |
+-exit_func: |
|
| 170 |
+ free_server_handle(handle); |
|
| 171 |
+ return &ret; |
|
| 172 |
+ } |
|
| 173 |
+@@ -731,8 +732,8 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) |
|
| 174 |
+ {
|
|
| 175 |
+ static gprincs_ret ret; |
|
| 176 |
+ char *prime_arg; |
|
| 177 |
+- gss_buffer_desc client_name, |
|
| 178 |
+- service_name; |
|
| 179 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 180 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 181 |
+ OM_uint32 minor_stat; |
|
| 182 |
+ kadm5_server_handle_t handle; |
|
| 183 |
+ const char *errmsg = NULL; |
|
| 184 |
+@@ -777,9 +778,9 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) |
|
| 185 |
+ krb5_free_error_message(handle->context, errmsg); |
|
| 186 |
+ |
|
| 187 |
+ } |
|
| 188 |
++exit_func: |
|
| 189 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 190 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 191 |
+-exit_func: |
|
| 192 |
+ free_server_handle(handle); |
|
| 193 |
+ return &ret; |
|
| 194 |
+ } |
|
| 195 |
+@@ -789,8 +790,8 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp) |
|
| 196 |
+ {
|
|
| 197 |
+ static generic_ret ret; |
|
| 198 |
+ char *prime_arg; |
|
| 199 |
+- gss_buffer_desc client_name, |
|
| 200 |
+- service_name; |
|
| 201 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 202 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 203 |
+ OM_uint32 minor_stat; |
|
| 204 |
+ kadm5_server_handle_t handle; |
|
| 205 |
+ const char *errmsg = NULL; |
|
| 206 |
+@@ -840,9 +841,9 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp) |
|
| 207 |
+ } |
|
| 208 |
+ |
|
| 209 |
+ free(prime_arg); |
|
| 210 |
++exit_func: |
|
| 211 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 212 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 213 |
+-exit_func: |
|
| 214 |
+ free_server_handle(handle); |
|
| 215 |
+ return &ret; |
|
| 216 |
+ } |
|
| 217 |
+@@ -852,8 +853,8 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp) |
|
| 218 |
+ {
|
|
| 219 |
+ static generic_ret ret; |
|
| 220 |
+ char *prime_arg; |
|
| 221 |
+- gss_buffer_desc client_name, |
|
| 222 |
+- service_name; |
|
| 223 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 224 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 225 |
+ OM_uint32 minor_stat; |
|
| 226 |
+ kadm5_server_handle_t handle; |
|
| 227 |
+ const char *errmsg = NULL; |
|
| 228 |
+@@ -909,9 +910,9 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp) |
|
| 229 |
+ } |
|
| 230 |
+ |
|
| 231 |
+ free(prime_arg); |
|
| 232 |
++exit_func: |
|
| 233 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 234 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 235 |
+-exit_func: |
|
| 236 |
+ free_server_handle(handle); |
|
| 237 |
+ return &ret; |
|
| 238 |
+ } |
|
| 239 |
+@@ -921,8 +922,8 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp) |
|
| 240 |
+ {
|
|
| 241 |
+ static generic_ret ret; |
|
| 242 |
+ char *prime_arg; |
|
| 243 |
+- gss_buffer_desc client_name, |
|
| 244 |
+- service_name; |
|
| 245 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 246 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 247 |
+ OM_uint32 minor_stat; |
|
| 248 |
+ kadm5_server_handle_t handle; |
|
| 249 |
+ const char *errmsg = NULL; |
|
| 250 |
+@@ -969,9 +970,9 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp) |
|
| 251 |
+ } |
|
| 252 |
+ |
|
| 253 |
+ free(prime_arg); |
|
| 254 |
++exit_func: |
|
| 255 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 256 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 257 |
+-exit_func: |
|
| 258 |
+ free_server_handle(handle); |
|
| 259 |
+ return &ret; |
|
| 260 |
+ } |
|
| 261 |
+@@ -981,8 +982,8 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp) |
|
| 262 |
+ {
|
|
| 263 |
+ static generic_ret ret; |
|
| 264 |
+ char *prime_arg; |
|
| 265 |
+- gss_buffer_desc client_name, |
|
| 266 |
+- service_name; |
|
| 267 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 268 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 269 |
+ OM_uint32 minor_stat; |
|
| 270 |
+ kadm5_server_handle_t handle; |
|
| 271 |
+ const char *errmsg = NULL; |
|
| 272 |
+@@ -1029,9 +1030,9 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp) |
|
| 273 |
+ } |
|
| 274 |
+ |
|
| 275 |
+ free(prime_arg); |
|
| 276 |
++exit_func: |
|
| 277 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 278 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 279 |
+-exit_func: |
|
| 280 |
+ free_server_handle(handle); |
|
| 281 |
+ return &ret; |
|
| 282 |
+ } |
|
| 283 |
+@@ -1041,8 +1042,8 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp) |
|
| 284 |
+ {
|
|
| 285 |
+ static generic_ret ret; |
|
| 286 |
+ char *prime_arg; |
|
| 287 |
+- gss_buffer_desc client_name, |
|
| 288 |
+- service_name; |
|
| 289 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 290 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 291 |
+ OM_uint32 minor_stat; |
|
| 292 |
+ kadm5_server_handle_t handle; |
|
| 293 |
+ const char *errmsg = NULL; |
|
| 294 |
+@@ -1092,9 +1093,9 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp) |
|
| 295 |
+ } |
|
| 296 |
+ |
|
| 297 |
+ free(prime_arg); |
|
| 298 |
++exit_func: |
|
| 299 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 300 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 301 |
+-exit_func: |
|
| 302 |
+ free_server_handle(handle); |
|
| 303 |
+ return &ret; |
|
| 304 |
+ } |
|
| 305 |
+@@ -1106,8 +1107,8 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp) |
|
| 306 |
+ krb5_keyblock *k; |
|
| 307 |
+ int nkeys; |
|
| 308 |
+ char *prime_arg, *funcname; |
|
| 309 |
+- gss_buffer_desc client_name, |
|
| 310 |
+- service_name; |
|
| 311 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 312 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 313 |
+ OM_uint32 minor_stat; |
|
| 314 |
+ kadm5_server_handle_t handle; |
|
| 315 |
+ const char *errmsg = NULL; |
|
| 316 |
+@@ -1164,9 +1165,9 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp) |
|
| 317 |
+ krb5_free_error_message(handle->context, errmsg); |
|
| 318 |
+ } |
|
| 319 |
+ free(prime_arg); |
|
| 320 |
++exit_func: |
|
| 321 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 322 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 323 |
+-exit_func: |
|
| 324 |
+ free_server_handle(handle); |
|
| 325 |
+ return &ret; |
|
| 326 |
+ } |
|
| 327 |
+@@ -1178,8 +1179,8 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp) |
|
| 328 |
+ krb5_keyblock *k; |
|
| 329 |
+ int nkeys; |
|
| 330 |
+ char *prime_arg, *funcname; |
|
| 331 |
+- gss_buffer_desc client_name, |
|
| 332 |
+- service_name; |
|
| 333 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 334 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 335 |
+ OM_uint32 minor_stat; |
|
| 336 |
+ kadm5_server_handle_t handle; |
|
| 337 |
+ const char *errmsg = NULL; |
|
| 338 |
+@@ -1241,9 +1242,9 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp) |
|
| 339 |
+ krb5_free_error_message(handle->context, errmsg); |
|
| 340 |
+ } |
|
| 341 |
+ free(prime_arg); |
|
| 342 |
++exit_func: |
|
| 343 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 344 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 345 |
+-exit_func: |
|
| 346 |
+ free_server_handle(handle); |
|
| 347 |
+ return &ret; |
|
| 348 |
+ } |
|
| 349 |
+@@ -1253,8 +1254,8 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp) |
|
| 350 |
+ {
|
|
| 351 |
+ static generic_ret ret; |
|
| 352 |
+ char *prime_arg; |
|
| 353 |
+- gss_buffer_desc client_name, |
|
| 354 |
+- service_name; |
|
| 355 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 356 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 357 |
+ OM_uint32 minor_stat; |
|
| 358 |
+ kadm5_server_handle_t handle; |
|
| 359 |
+ const char *errmsg = NULL; |
|
| 360 |
+@@ -1295,9 +1296,9 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp) |
|
| 361 |
+ if (errmsg != NULL) |
|
| 362 |
+ krb5_free_error_message(handle->context, errmsg); |
|
| 363 |
+ } |
|
| 364 |
++exit_func: |
|
| 365 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 366 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 367 |
+-exit_func: |
|
| 368 |
+ free_server_handle(handle); |
|
| 369 |
+ return &ret; |
|
| 370 |
+ } |
|
| 371 |
+@@ -1307,8 +1308,8 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp) |
|
| 372 |
+ {
|
|
| 373 |
+ static generic_ret ret; |
|
| 374 |
+ char *prime_arg; |
|
| 375 |
+- gss_buffer_desc client_name, |
|
| 376 |
+- service_name; |
|
| 377 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 378 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 379 |
+ OM_uint32 minor_stat; |
|
| 380 |
+ kadm5_server_handle_t handle; |
|
| 381 |
+ const char *errmsg = NULL; |
|
| 382 |
+@@ -1347,9 +1348,9 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp) |
|
| 383 |
+ if (errmsg != NULL) |
|
| 384 |
+ krb5_free_error_message(handle->context, errmsg); |
|
| 385 |
+ } |
|
| 386 |
++exit_func: |
|
| 387 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 388 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 389 |
+-exit_func: |
|
| 390 |
+ free_server_handle(handle); |
|
| 391 |
+ return &ret; |
|
| 392 |
+ } |
|
| 393 |
+@@ -1359,8 +1360,8 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp) |
|
| 394 |
+ {
|
|
| 395 |
+ static generic_ret ret; |
|
| 396 |
+ char *prime_arg; |
|
| 397 |
+- gss_buffer_desc client_name, |
|
| 398 |
+- service_name; |
|
| 399 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 400 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 401 |
+ OM_uint32 minor_stat; |
|
| 402 |
+ kadm5_server_handle_t handle; |
|
| 403 |
+ const char *errmsg = NULL; |
|
| 404 |
+@@ -1400,9 +1401,9 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp) |
|
| 405 |
+ if (errmsg != NULL) |
|
| 406 |
+ krb5_free_error_message(handle->context, errmsg); |
|
| 407 |
+ } |
|
| 408 |
++exit_func: |
|
| 409 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 410 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 411 |
+-exit_func: |
|
| 412 |
+ free_server_handle(handle); |
|
| 413 |
+ return &ret; |
|
| 414 |
+ } |
|
| 415 |
+@@ -1413,8 +1414,8 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp) |
|
| 416 |
+ static gpol_ret ret; |
|
| 417 |
+ kadm5_ret_t ret2; |
|
| 418 |
+ char *prime_arg, *funcname; |
|
| 419 |
+- gss_buffer_desc client_name, |
|
| 420 |
+- service_name; |
|
| 421 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 422 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 423 |
+ OM_uint32 minor_stat; |
|
| 424 |
+ kadm5_principal_ent_rec caller_ent; |
|
| 425 |
+ kadm5_server_handle_t handle; |
|
| 426 |
+@@ -1475,9 +1476,9 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp) |
|
| 427 |
+ log_unauth(funcname, prime_arg, |
|
| 428 |
+ &client_name, &service_name, rqstp); |
|
| 429 |
+ } |
|
| 430 |
++exit_func: |
|
| 431 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 432 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 433 |
+-exit_func: |
|
| 434 |
+ free_server_handle(handle); |
|
| 435 |
+ return &ret; |
|
| 436 |
+ |
|
| 437 |
+@@ -1488,8 +1489,8 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) |
|
| 438 |
+ {
|
|
| 439 |
+ static gpols_ret ret; |
|
| 440 |
+ char *prime_arg; |
|
| 441 |
+- gss_buffer_desc client_name, |
|
| 442 |
+- service_name; |
|
| 443 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 444 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 445 |
+ OM_uint32 minor_stat; |
|
| 446 |
+ kadm5_server_handle_t handle; |
|
| 447 |
+ const char *errmsg = NULL; |
|
| 448 |
+@@ -1531,9 +1532,9 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) |
|
| 449 |
+ if (errmsg != NULL) |
|
| 450 |
+ krb5_free_error_message(handle->context, errmsg); |
|
| 451 |
+ } |
|
| 452 |
++exit_func: |
|
| 453 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 454 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 455 |
+-exit_func: |
|
| 456 |
+ free_server_handle(handle); |
|
| 457 |
+ return &ret; |
|
| 458 |
+ } |
|
| 459 |
+@@ -1541,7 +1542,8 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) |
|
| 460 |
+ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) |
|
| 461 |
+ {
|
|
| 462 |
+ static getprivs_ret ret; |
|
| 463 |
+- gss_buffer_desc client_name, service_name; |
|
| 464 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 465 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 466 |
+ OM_uint32 minor_stat; |
|
| 467 |
+ kadm5_server_handle_t handle; |
|
| 468 |
+ const char *errmsg = NULL; |
|
| 469 |
+@@ -1571,9 +1573,9 @@ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) |
|
| 470 |
+ if (errmsg != NULL) |
|
| 471 |
+ krb5_free_error_message(handle->context, errmsg); |
|
| 472 |
+ |
|
| 473 |
++exit_func: |
|
| 474 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 475 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 476 |
+-exit_func: |
|
| 477 |
+ free_server_handle(handle); |
|
| 478 |
+ return &ret; |
|
| 479 |
+ } |
|
| 480 |
+@@ -1583,7 +1585,8 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp) |
|
| 481 |
+ {
|
|
| 482 |
+ static generic_ret ret; |
|
| 483 |
+ char *prime_arg, *funcname; |
|
| 484 |
+- gss_buffer_desc client_name, service_name; |
|
| 485 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 486 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 487 |
+ OM_uint32 minor_stat; |
|
| 488 |
+ kadm5_server_handle_t handle; |
|
| 489 |
+ |
|
| 490 |
+@@ -1629,9 +1632,9 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp) |
|
| 491 |
+ krb5_free_error_message(handle->context, errmsg); |
|
| 492 |
+ } |
|
| 493 |
+ free(prime_arg); |
|
| 494 |
++exit_func: |
|
| 495 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 496 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 497 |
+-exit_func: |
|
| 498 |
+ free_server_handle(handle); |
|
| 499 |
+ return &ret; |
|
| 500 |
+ } |
|
| 501 |
+@@ -1641,8 +1644,8 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp) |
|
| 502 |
+ {
|
|
| 503 |
+ static gstrings_ret ret; |
|
| 504 |
+ char *prime_arg; |
|
| 505 |
+- gss_buffer_desc client_name, |
|
| 506 |
+- service_name; |
|
| 507 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 508 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 509 |
+ OM_uint32 minor_stat; |
|
| 510 |
+ kadm5_server_handle_t handle; |
|
| 511 |
+ const char *errmsg = NULL; |
|
| 512 |
+@@ -1688,9 +1691,9 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp) |
|
| 513 |
+ krb5_free_error_message(handle->context, errmsg); |
|
| 514 |
+ } |
|
| 515 |
+ free(prime_arg); |
|
| 516 |
++exit_func: |
|
| 517 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 518 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 519 |
+-exit_func: |
|
| 520 |
+ free_server_handle(handle); |
|
| 521 |
+ return &ret; |
|
| 522 |
+ } |
|
| 523 |
+@@ -1700,8 +1703,8 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) |
|
| 524 |
+ {
|
|
| 525 |
+ static generic_ret ret; |
|
| 526 |
+ char *prime_arg; |
|
| 527 |
+- gss_buffer_desc client_name, |
|
| 528 |
+- service_name; |
|
| 529 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 530 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 531 |
+ OM_uint32 minor_stat; |
|
| 532 |
+ kadm5_server_handle_t handle; |
|
| 533 |
+ const char *errmsg = NULL; |
|
| 534 |
+@@ -1744,9 +1747,9 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) |
|
| 535 |
+ krb5_free_error_message(handle->context, errmsg); |
|
| 536 |
+ } |
|
| 537 |
+ free(prime_arg); |
|
| 538 |
++exit_func: |
|
| 539 |
+ gss_release_buffer(&minor_stat, &client_name); |
|
| 540 |
+ gss_release_buffer(&minor_stat, &service_name); |
|
| 541 |
+-exit_func: |
|
| 542 |
+ free_server_handle(handle); |
|
| 543 |
+ return &ret; |
|
| 544 |
+ } |
|
| 545 |
+@@ -1754,8 +1757,8 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) |
|
| 546 |
+ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) |
|
| 547 |
+ {
|
|
| 548 |
+ static generic_ret ret; |
|
| 549 |
+- gss_buffer_desc client_name, |
|
| 550 |
+- service_name; |
|
| 551 |
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; |
|
| 552 |
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; |
|
| 553 |
+ kadm5_server_handle_t handle; |
|
| 554 |
+ OM_uint32 minor_stat; |
|
| 555 |
+ const char *errmsg = NULL; |
|
| 556 |
+@@ -1797,10 +1800,10 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) |
|
| 557 |
+ rqstp->rq_cred.oa_flavor); |
|
| 558 |
+ if (errmsg != NULL) |
|
| 559 |
+ krb5_free_error_message(NULL, errmsg); |
|
| 560 |
+- gss_release_buffer(&minor_stat, &client_name); |
|
| 561 |
+- gss_release_buffer(&minor_stat, &service_name); |
|
| 562 |
+ |
|
| 563 |
+ exit_func: |
|
| 564 |
++ gss_release_buffer(&minor_stat, &client_name); |
|
| 565 |
++ gss_release_buffer(&minor_stat, &service_name); |
|
| 566 |
+ return(&ret); |
|
| 567 |
+ } |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: The Kerberos newtork authentication system |
| 2 | 2 |
Name: krb5 |
| 3 | 3 |
Version: 1.14 |
| 4 |
-Release: 4%{?dist}
|
|
| 4 |
+Release: 5%{?dist}
|
|
| 5 | 5 |
License: MIT |
| 6 | 6 |
URL: http://cyrusimap.web.cmu.edu/ |
| 7 | 7 |
Group: System Environment/Security |
| ... | ... |
@@ -11,6 +11,7 @@ Source0: http://web.mit.edu/kerberos/www/dist/%{name}/%{version}/%{name}-%{versi
|
| 11 | 11 |
%define sha1 krb5=02973f6605b1170bec812af9c8da4e447eeca9a9 |
| 12 | 12 |
Patch0: krb5-1.14-skip-unnecessary-mech-calls.patch |
| 13 | 13 |
Patch1: krb5-1.14-never-unload-mechanisms.patch |
| 14 |
+Patch2: krb5-1.14-CVE-2015-8631.patch |
|
| 14 | 15 |
Requires: openssl |
| 15 | 16 |
Requires: e2fsprogs |
| 16 | 17 |
BuildRequires: openssl-devel |
| ... | ... |
@@ -23,6 +24,7 @@ practice of clear text passwords. |
| 23 | 23 |
%setup -q |
| 24 | 24 |
%patch0 -p1 |
| 25 | 25 |
%patch1 -p1 |
| 26 |
+%patch2 -p1 |
|
| 26 | 27 |
%build |
| 27 | 28 |
|
| 28 | 29 |
cd src && |
| ... | ... |
@@ -92,6 +94,8 @@ rm -rf %{buildroot}/*
|
| 92 | 92 |
%{_datarootdir}/man/man5/.k5login.5.gz
|
| 93 | 93 |
%{_docdir}/%{name}-%{version}
|
| 94 | 94 |
%changelog |
| 95 |
+* Wed Apr 05 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.14-5 |
|
| 96 |
+- Patch for CVE-2015-8631 |
|
| 95 | 97 |
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.14-4 |
| 96 | 98 |
- GA - Bump release of all rpms |
| 97 | 99 |
* Mon Mar 21 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.14-3 |