pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/mit-krb5 Add patches for MITKRB5-SA-2007-004 ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/cbc4ff835aed
branches:  trunk
changeset: 543172:cbc4ff835aed
user:      tonnerre <tonnerre%pkgsrc.org@localhost>
date:      Sat Jun 07 22:26:10 2008 +0000

description:
Add patches for MITKRB5-SA-2007-004 and MITKRB5-SA-2007-005. PKGREVISION
will be bumped again once some other patches are in.

diffstat:

 security/mit-krb5/distinfo         |   6 +-
 security/mit-krb5/patches/patch-ba |  98 +++++++++++++++++++++++++++----------
 security/mit-krb5/patches/patch-bf |  13 +++++
 security/mit-krb5/patches/patch-bg |  43 ++++++++++++++++
 4 files changed, 132 insertions(+), 28 deletions(-)

diffs (truncated from 342 to 300 lines):

diff -r 9a4057ef524b -r cbc4ff835aed security/mit-krb5/distinfo
--- a/security/mit-krb5/distinfo        Sat Jun 07 21:20:46 2008 +0000
+++ b/security/mit-krb5/distinfo        Sat Jun 07 22:26:10 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.18 2008/06/07 20:22:18 tonnerre Exp $
+$NetBSD: distinfo,v 1.19 2008/06/07 22:26:10 tonnerre Exp $
 
 SHA1 (krb5-1.4.2-signed.tar) = bbc03bd319d539fb9523c2545d80ba0784522e88
 RMD160 (krb5-1.4.2-signed.tar) = 44500f5fab8e5959cf43f17f5f52f68e2dc73a1f
@@ -29,8 +29,10 @@
 SHA1 (patch-ax) = d403c910211e48c6d1dc27cb2dd98d5f20cc688d
 SHA1 (patch-ay) = 9f54c79c105d7baca3f1efa68a25f9b39dbf7683
 SHA1 (patch-az) = 79fd9cbbf34287b78d5c6c2faf72e147457f7f37
-SHA1 (patch-ba) = ae3071aa6039d52ba56eab8f2b105623d62e5689
+SHA1 (patch-ba) = b413b82de3248600beb003456cde811637d05206
 SHA1 (patch-bb) = 156d3341d1cf40cfbe5833f7ad68b5aec297d3fb
 SHA1 (patch-bc) = 8b422991ca22903596cf157ea3603abb741c50a5
 SHA1 (patch-bd) = 8cf0425d2fedea452f80fa599f3c4515e51d834c
 SHA1 (patch-be) = c4497d7b68cefd8109d615c2125d9dc7aa508e5d
+SHA1 (patch-bf) = 1e16b6cbe51a5aa07ac7c7c3c343e82bf16dcde6
+SHA1 (patch-bg) = fa70e00a2eb283782c9960a2c74a879862b979c5
diff -r 9a4057ef524b -r cbc4ff835aed security/mit-krb5/patches/patch-ba
--- a/security/mit-krb5/patches/patch-ba        Sat Jun 07 21:20:46 2008 +0000
+++ b/security/mit-krb5/patches/patch-ba        Sat Jun 07 22:26:10 2008 +0000
@@ -167,15 +167,53 @@
      }
      free_server_handle(handle);
      free(prime_arg);
-@@ -510,17 +556,14 @@ rename_principal_1_svc(rprinc_arg *arg, 
+@@ -466,12 +512,13 @@ rename_principal_1_svc(rprinc_arg *arg, 
+     static generic_ret                ret;
+     char                      *prime_arg1,
+                               *prime_arg2;
+-    char                      prime_arg[BUFSIZ];
+     gss_buffer_desc           client_name,
+                               service_name;
+     OM_uint32                 minor_stat;
+     kadm5_server_handle_t     handle;
+     restriction_t             *rp;
++    size_t tlen1, tlen2, clen, slen;
++    char *tdots1, *tdots2, *cdots, *sdots;
+ 
+     xdr_free(xdr_generic_ret, &ret);
+ 
+@@ -492,7 +539,14 @@ rename_principal_1_svc(rprinc_arg *arg, 
+        ret.code = KADM5_BAD_PRINCIPAL;
+        return &ret;
+     }
+-    sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
++    tlen1 = strlen(prime_arg1);
++    trunc_name(&tlen1, &tdots1);
++    tlen2 = strlen(prime_arg2);
++    trunc_name(&tlen2, &tdots2);
++    clen = client_name.length;
++    trunc_name(&clen, &cdots);
++    slen = service_name.length;
++    trunc_name(&slen, &sdots);
+ 
+     ret.code = KADM5_OK;
+     if (! CHANGEPW_SERVICE(rqstp)) {
+@@ -510,17 +564,29 @@ rename_principal_1_svc(rprinc_arg *arg, 
      } else
         ret.code = KADM5_AUTH_INSUFFICIENT;
      if (ret.code != KADM5_OK) {
 -       krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal",
 -              prime_arg, client_name.value, service_name.value,
 -              inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
-+       log_unauth("kadm5_rename_principal", prime_arg,
-+                  &client_name, &service_name, rqstp);
++       krb5_klog_syslog(LOG_NOTICE,
++                        "Unauthorized request: kadm5_rename_principal, "
++                        "%.*s%s to %.*s%s, "
++                        "client=%.*s%s, service=%.*s%s, addr=%s",
++                        tlen1, prime_arg1, tdots1,
++                        tlen2, prime_arg2, tdots2,
++                        clen, client_name.value, cdots,
++                        slen, service_name.value, sdots,
++                        inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
      } else {
         ret.code = kadm5_rename_principal((void *)handle, arg->src,
                                                arg->dest);
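Review bot: The new "Unauthorized request" `krb5_klog_syslog` call in `rename_principal_1_svc` passes `tlen1`, `tlen2`, `clen` and `slen`, all declared `size_t`, as the precision for `%.*s`, but a `*` precision consumes an `int`. Where `size_t` is wider than `int` this is a mismatched variadic argument, so the arguments after it can be misread in a log call that prints request-supplied principal names. Cast at the call site, e.g. `(int)tlen1, prime_arg1, tdots1,`; `trunc_name` is not visible here but presumably caps the length, which would make the cast lossless. The same applies to the "Request:" call in the next hunk, and the function body continues outside this hunk.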
@@ -184,13 +222,21 @@
 -                          error_message(ret.code)), 
 -              client_name.value, service_name.value,
 -              inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
-+       log_done("kadm5_rename_principal", prime_arg,
-+                ((ret.code == 0) ? "success" : error_message(ret.code)),
-+                &client_name, &service_name, rqstp);
++       krb5_klog_syslog(LOG_NOTICE,
++                        "Request: kadm5_rename_principal, "
++                        "%.*s%s to %.*s%s, %s, "
++                        "client=%.*s%s, service=%.*s%s, addr=%s",
++                        tlen1, prime_arg1, tdots1,
++                        tlen2, prime_arg2, tdots2,
++                        ((ret.code == 0) ? "success" :
++                              error_message(ret.code)),
++                        clen, client_name.value, cdots,
++                        slen, service_name.value, sdots,
++                        inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
      }
      free_server_handle(handle);
      free(prime_arg1);
-@@ -572,9 +615,8 @@ get_principal_1_svc(gprinc_arg *arg, str
+@@ -572,9 +638,8 @@ get_principal_1_svc(gprinc_arg *arg, str
                                               arg->princ,
                                               NULL))) {
         ret.code = KADM5_AUTH_GET;
@@ -202,7 +248,7 @@
      } else {
         if (handle->api_version == KADM5_API_VERSION_1) {
              ret.code  = kadm5_get_principal_v1((void *)handle,
-@@ -588,12 +630,10 @@ get_principal_1_svc(gprinc_arg *arg, str
+@@ -588,12 +653,10 @@ get_principal_1_svc(gprinc_arg *arg, str
                                              arg->princ, &ret.rec,
                                              arg->mask);
         }
@@ -219,7 +265,7 @@
      }
      free_server_handle(handle);
      free(prime_arg);
-@@ -638,18 +678,15 @@ get_princs_1_svc(gprincs_arg *arg, struc
+@@ -638,18 +701,15 @@ get_princs_1_svc(gprincs_arg *arg, struc
                                              NULL,
                                              NULL)) {
         ret.code = KADM5_AUTH_LIST;
@@ -242,7 +288,7 @@
      }
      free_server_handle(handle);
      gss_release_buffer(&minor_stat, &client_name);
-@@ -697,18 +734,15 @@ chpass_principal_1_svc(chpass_arg *arg, 
+@@ -697,18 +757,15 @@ chpass_principal_1_svc(chpass_arg *arg, 
         ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
                                                arg->pass);
      } else {
@@ -266,7 +312,7 @@
      }
  
      free_server_handle(handle);
-@@ -764,18 +798,15 @@ chpass_principal3_1_svc(chpass3_arg *arg
+@@ -764,18 +821,15 @@ chpass_principal3_1_svc(chpass3_arg *arg
                                             arg->ks_tuple,
                                             arg->pass);
      } else {
@@ -290,7 +336,7 @@
      }
  
      free_server_handle(handle);
-@@ -822,18 +853,15 @@ setv4key_principal_1_svc(setv4key_arg *a
+@@ -822,18 +876,15 @@ setv4key_principal_1_svc(setv4key_arg *a
         ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
                                             arg->keyblock);
      } else {
@@ -314,7 +360,7 @@
      }
  
      free_server_handle(handle);
-@@ -880,18 +908,15 @@ setkey_principal_1_svc(setkey_arg *arg, 
+@@ -880,18 +931,15 @@ setkey_principal_1_svc(setkey_arg *arg, 
         ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
                                           arg->keyblocks, arg->n_keys);
      } else {
@@ -338,7 +384,7 @@
      }
  
      free_server_handle(handle);
-@@ -941,18 +966,15 @@ setkey_principal3_1_svc(setkey3_arg *arg
+@@ -941,18 +989,15 @@ setkey_principal3_1_svc(setkey3_arg *arg
                                             arg->ks_tuple,
                                             arg->keyblocks, arg->n_keys);
      } else {
@@ -362,7 +408,7 @@
      }
  
      free_server_handle(handle);
-@@ -1008,9 +1030,8 @@ chrand_principal_1_svc(chrand_arg *arg, 
+@@ -1008,9 +1053,8 @@ chrand_principal_1_svc(chrand_arg *arg, 
         ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
                                            &k, &nkeys);
      } else {
@@ -374,7 +420,7 @@
         ret.code = KADM5_AUTH_CHANGEPW;
      }
  
-@@ -1025,11 +1046,9 @@ chrand_principal_1_svc(chrand_arg *arg, 
+@@ -1025,11 +1069,9 @@ chrand_principal_1_svc(chrand_arg *arg, 
      }
  
      if(ret.code != KADM5_AUTH_CHANGEPW) {
@@ -389,7 +435,7 @@
      }
      free_server_handle(handle);
      free(prime_arg);
-@@ -1090,9 +1109,8 @@ chrand_principal3_1_svc(chrand3_arg *arg
+@@ -1090,9 +1132,8 @@ chrand_principal3_1_svc(chrand3_arg *arg
                                              arg->ks_tuple,
                                              &k, &nkeys);
      } else {
@@ -401,7 +447,7 @@
         ret.code = KADM5_AUTH_CHANGEPW;
      }
  
-@@ -1107,11 +1125,9 @@ chrand_principal3_1_svc(chrand3_arg *arg
+@@ -1107,11 +1148,9 @@ chrand_principal3_1_svc(chrand3_arg *arg
      }
  
      if(ret.code != KADM5_AUTH_CHANGEPW) {
@@ -416,7 +462,7 @@
      }
      free_server_handle(handle);
      free(prime_arg);
-@@ -1152,18 +1168,15 @@ create_policy_1_svc(cpol_arg *arg, struc
+@@ -1152,18 +1191,15 @@ create_policy_1_svc(cpol_arg *arg, struc
                                              rqst2name(rqstp),
                                              ACL_ADD, NULL, NULL)) {
         ret.code = KADM5_AUTH_ADD;
@@ -441,7 +487,7 @@
      }
      free_server_handle(handle);
      gss_release_buffer(&minor_stat, &client_name);
-@@ -1202,17 +1215,15 @@ delete_policy_1_svc(dpol_arg *arg, struc
+@@ -1202,17 +1238,15 @@ delete_policy_1_svc(dpol_arg *arg, struc
      if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
                                              rqst2name(rqstp),
                                              ACL_DELETE, NULL, NULL)) {
@@ -465,7 +511,7 @@
      }
      free_server_handle(handle);
      gss_release_buffer(&minor_stat, &client_name);
-@@ -1251,18 +1262,16 @@ modify_policy_1_svc(mpol_arg *arg, struc
+@@ -1251,18 +1285,16 @@ modify_policy_1_svc(mpol_arg *arg, struc
      if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
                                              rqst2name(rqstp),
                                              ACL_MODIFY, NULL, NULL)) {
@@ -490,7 +536,7 @@
      }
      free_server_handle(handle);
      gss_release_buffer(&minor_stat, &client_name);
-@@ -1337,15 +1346,13 @@ get_policy_1_svc(gpol_arg *arg, struct s
+@@ -1337,15 +1369,13 @@ get_policy_1_svc(gpol_arg *arg, struct s
                                          &ret.rec);
         }
         
@@ -512,7 +558,7 @@
      }
      free_server_handle(handle);
      gss_release_buffer(&minor_stat, &client_name);
-@@ -1388,18 +1395,15 @@ get_pols_1_svc(gpols_arg *arg, struct sv
+@@ -1388,18 +1418,15 @@ get_pols_1_svc(gpols_arg *arg, struct sv
                                              rqst2name(rqstp),
                                              ACL_LIST, NULL, NULL)) {
         ret.code = KADM5_AUTH_LIST;
@@ -536,7 +582,7 @@
      }
      free_server_handle(handle);
      gss_release_buffer(&minor_stat, &client_name);
-@@ -1432,11 +1436,9 @@ getprivs_ret * get_privs_1_svc(krb5_ui_4
+@@ -1432,11 +1459,9 @@ getprivs_ret * get_privs_1_svc(krb5_ui_4
       }
  
       ret.code = kadm5_get_privs((void *)handle, &ret.privs);
@@ -551,7 +597,7 @@
       free_server_handle(handle);
       gss_release_buffer(&minor_stat, &client_name);
       gss_release_buffer(&minor_stat, &service_name);
-@@ -1450,6 +1452,8 @@ generic_ret *init_1_svc(krb5_ui_4 *arg, 
+@@ -1450,6 +1475,8 @@ generic_ret *init_1_svc(krb5_ui_4 *arg, 
                                service_name;
       kadm5_server_handle_t    handle;
       OM_uint32                        minor_stat;
@@ -560,7 +606,7 @@
  
       xdr_free(xdr_generic_ret, &ret);
  
-@@ -1466,12 +1470,18 @@ generic_ret *init_1_svc(krb5_ui_4 *arg, 
+@@ -1466,12 +1493,18 @@ generic_ret *init_1_svc(krb5_ui_4 *arg, 
          return &ret;
       }
  
diff -r 9a4057ef524b -r cbc4ff835aed security/mit-krb5/patches/patch-bf
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-bf        Sat Jun 07 22:26:10 2008 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-bf,v 1.1 2008/06/07 22:26:10 tonnerre Exp $
+
+--- lib/rpc/svc_auth_gssapi.c.orig     2004-09-17 23:52:11.000000000 +0200
++++ lib/rpc/svc_auth_gssapi.c
+@@ -148,6 +148,8 @@ enum auth_stat gssrpc__svcauth_gssapi(
+      rqst->rq_xprt->xp_auth = &svc_auth_none;
+      
+      memset((char *) &call_res, 0, sizeof(call_res));
++     creds.client_handle.length = 0;
++     creds.client_handle.value = NULL;
+      
+      cred = &msg->rm_call.cb_cred;
+      verf = &msg->rm_call.cb_verf;
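Review bot: The two added assignments to `creds.client_handle` in `gssrpc__svcauth_gssapi` carry no comment saying why they are needed, and the patch header does not say which advisory it addresses. A short comment such as `/* client_handle must be empty before any early exit inspects or releases it */` would keep a later cleanup from dropping them as redundant next to the `memset` of `call_res`. The exit paths lie outside this hunk, so the wording should be confirmed against them. A one-line description under the `$NetBSD$` tag, naming which of the two advisories in the commit message this file covers, would also help anyone auditing the package later.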
diff -r 9a4057ef524b -r cbc4ff835aed security/mit-krb5/patches/patch-bg
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-bg        Sat Jun 07 22:26:10 2008 +0000
@@ -0,0 +1,43 @@
+$NetBSD: patch-bg,v 1.1 2008/06/07 22:26:10 tonnerre Exp $


