Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 294787 Details for
Bug 432620
CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Upstream patch for CVE-2008-0062 and CVE-2008-0063
MITKRB5-SA-2008-001.diff (text/plain), 10.60 KB, created by
Tomas Hoger
on 2008-02-13 13:56:18 UTC
(
hide
)
Description:
Upstream patch for CVE-2008-0062 and CVE-2008-0063
Filename:
MIME Type:
Creator:
Tomas Hoger
Created:
2008-02-13 13:56:18 UTC
Size:
10.60 KB
patch
obsolete
>Index: src/kdc/dispatch.c >=================================================================== >--- src/kdc/dispatch.c (revision 20192) >+++ src/kdc/dispatch.c (working copy) >@@ -1,7 +1,7 @@ > /* > * kdc/dispatch.c > * >- * Copyright 1990 by the Massachusetts Institute of Technology. >+ * Copyright 1990, 2007 by the Massachusetts Institute of Technology. > * > * Export of this software from the United States of America may > * require a specific license from the United States Government. >@@ -107,7 +107,7 @@ > retval = KRB5KRB_AP_ERR_MSG_TYPE; > #ifndef NOCACHE > /* put the response into the lookaside buffer */ >- if (!retval) >+ if (!retval && *response != NULL) > kdc_insert_lookaside(pkt, *response); > #endif > >Index: src/kdc/kerberos_v4.c >=================================================================== >--- src/kdc/kerberos_v4.c (revision 20192) >+++ src/kdc/kerberos_v4.c (working copy) >@@ -1,7 +1,7 @@ > /* > * kdc/kerberos_v4.c > * >- * Copyright 1985, 1986, 1987, 1988,1991 by the Massachusetts Institute >+ * Copyright 1985, 1986, 1987, 1988,1991,2007 by the Massachusetts Institute > * of Technology. > * All Rights Reserved. > * >@@ -87,11 +87,6 @@ > #define MSB_FIRST 0 /* 68000, IBM RT/PC */ > #define LSB_FIRST 1 /* Vax, PC8086 */ > >-int f; >- >-/* XXX several files in libkdb know about this */ >-char *progname; >- > #ifndef BACKWARD_COMPAT > static Key_schedule master_key_schedule; > static C_Block master_key; >@@ -143,10 +138,8 @@ > #include "com_err.h" > #include "extern.h" /* to pick up master_princ */ > >-static krb5_data *response; >- >-void kerberos_v4 (struct sockaddr_in *, KTEXT); >-void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); >+static krb5_data *kerberos_v4 (struct sockaddr_in *, KTEXT); >+static krb5_data *kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); > static int set_tgtkey (char *, krb5_kvno, krb5_boolean); > > /* Attributes converted from V5 to V4 - internal representation */ >@@ -262,12 +255,12 @@ > (void) klog(L_KRB_PERR, "V4 request too long."); > return KRB5KRB_ERR_FIELD_TOOLONG; > } >+ memset( &v4_pkt, 0, sizeof(v4_pkt)); > v4_pkt.length = pkt->length; > v4_pkt.mbz = 0; > memcpy( v4_pkt.dat, pkt->data, pkt->length); > >- kerberos_v4( &client_sockaddr, &v4_pkt); >- *resp = response; >+ *resp = kerberos_v4( &client_sockaddr, &v4_pkt); > return(retval); > } > >@@ -300,19 +293,20 @@ > } > > static >-int krb4_sendto(int s, const char *msg, int len, int flags, >- const struct sockaddr *to, int to_len) >+krb5_data *make_response(const char *msg, int len) > { >+ krb5_data *response; >+ > if ( !(response = (krb5_data *) malloc( sizeof *response))) { >- return ENOMEM; >+ return 0; > } > if ( !(response->data = (char *) malloc( len))) { > krb5_free_data(kdc_context, response); >- return ENOMEM; >+ return 0; > } > response->length = len; > memcpy( response->data, msg, len); >- return( 0); >+ return response; > } > static void > hang(void) >@@ -586,7 +580,7 @@ > *cp = 0; > } > >-void >+static krb5_data * > kerberos_v4(struct sockaddr_in *client, KTEXT pkt) > { > static KTEXT_ST rpkt_st; >@@ -599,8 +593,8 @@ > KTEXT auth = &auth_st; > AUTH_DAT ad_st; > AUTH_DAT *ad = &ad_st; >+ krb5_data *response = 0; > >- > static struct in_addr client_host; > static int msg_byte_order; > static int swap_bytes; >@@ -637,8 +631,7 @@ > inet_ntoa(client_host)); > /* send an error reply */ > req_name_ptr = req_inst_ptr = req_realm_ptr = ""; >- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); >- return; >+ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); > } > > /* check packet version */ >@@ -648,8 +641,7 @@ > KRB_PROT_VERSION, req_version, 0); > /* send an error reply */ > req_name_ptr = req_inst_ptr = req_realm_ptr = ""; >- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); >- return; >+ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); > } > msg_byte_order = req_msg_type & 1; > >@@ -707,10 +699,10 @@ > > if ((i = check_princ(req_name_ptr, req_inst_ptr, 0, > &a_name_data, &k5key, 0, &ck5life))) { >- kerb_err_reply(client, pkt, i, "check_princ failed"); >+ response = kerb_err_reply(client, pkt, i, "check_princ failed"); > a_name_data.key_low = a_name_data.key_high = 0; > krb5_free_keyblock_contents(kdc_context, &k5key); >- return; >+ return response; > } > /* don't use k5key for client */ > krb5_free_keyblock_contents(kdc_context, &k5key); >@@ -722,11 +714,11 @@ > /* this does all the checking */ > if ((i = check_princ(service, instance, lifetime, > &s_name_data, &k5key, 1, &sk5life))) { >- kerb_err_reply(client, pkt, i, "check_princ failed"); >+ response = kerb_err_reply(client, pkt, i, "check_princ failed"); > a_name_data.key_high = a_name_data.key_low = 0; > s_name_data.key_high = s_name_data.key_low = 0; > krb5_free_keyblock_contents(kdc_context, &k5key); >- return; >+ return response; > } > /* Bound requested lifetime with service and user */ > v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life); >@@ -797,8 +789,7 @@ > rpkt = create_auth_reply(req_name_ptr, req_inst_ptr, > req_realm_ptr, req_time_ws, 0, a_name_data.exp_date, > a_name_data.key_version, ciph); >- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, >- (struct sockaddr *) client, sizeof (struct sockaddr_in)); >+ response = make_response((char *) rpkt->dat, rpkt->length); > memset(&a_name_data, 0, sizeof(a_name_data)); > memset(&s_name_data, 0, sizeof(s_name_data)); > break; >@@ -824,9 +815,8 @@ > lt = klog(L_KRB_PERR, > "APPL request with realm length too long from %s", > inet_ntoa(client_host)); >- kerb_err_reply(client, pkt, RD_AP_INCON, >- "realm length too long"); >- return; >+ return kerb_err_reply(client, pkt, RD_AP_INCON, >+ "realm length too long"); > } > > auth->length += (int) *(pkt->dat + auth->length) + >@@ -835,9 +825,8 @@ > lt = klog(L_KRB_PERR, > "APPL request with funky tkt or req_id length from %s", > inet_ntoa(client_host)); >- kerb_err_reply(client, pkt, RD_AP_INCON, >- "funky tkt or req_id length"); >- return; >+ return kerb_err_reply(client, pkt, RD_AP_INCON, >+ "funky tkt or req_id length"); > } > > memcpy(auth->dat, pkt->dat, auth->length); >@@ -848,18 +837,16 @@ > if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) { > lt = klog(L_ERR_UNK, > "Cross realm ticket from %s denied by policy,", tktrlm); >- kerb_err_reply(client, pkt, >- KERB_ERR_PRINCIPAL_UNKNOWN, lt); >- return; >+ return kerb_err_reply(client, pkt, >+ KERB_ERR_PRINCIPAL_UNKNOWN, lt); > } > if (set_tgtkey(tktrlm, kvno, 0)) { >- lt = klog(L_ERR_UNK, >+ lt = klog(L_ERR_UNK, > "FAILED set_tgtkey realm %s, kvno %d. Host: %s ", > tktrlm, kvno, inet_ntoa(client_host)); > /* no better error code */ >- kerb_err_reply(client, pkt, >- KERB_ERR_PRINCIPAL_UNKNOWN, lt); >- return; >+ return kerb_err_reply(client, pkt, >+ KERB_ERR_PRINCIPAL_UNKNOWN, lt); > } > kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, > ad, 0); >@@ -869,9 +856,8 @@ > "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ", > tktrlm, kvno, inet_ntoa(client_host)); > /* no better error code */ >- kerb_err_reply(client, pkt, >- KERB_ERR_PRINCIPAL_UNKNOWN, lt); >- return; >+ return kerb_err_reply(client, pkt, >+ KERB_ERR_PRINCIPAL_UNKNOWN, lt); > } > kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, > ad, 0); >@@ -881,8 +867,7 @@ > klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s", > inet_ntoa(client_host), krb_get_err_text(kerno)); > req_name_ptr = req_inst_ptr = req_realm_ptr = ""; >- kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); >- return; >+ return kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); > } > ptr = (char *) pkt->dat + auth->length; > >@@ -904,22 +889,21 @@ > req_realm_ptr = ad->prealm; > > if (strcmp(ad->prealm, tktrlm)) { >- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, >- "Can't hop realms"); >- return; >+ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, >+ "Can't hop realms"); > } > if (!strcmp(service, "changepw")) { >- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, >- "Can't authorize password changed based on TGT"); >- return; >+ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, >+ "Can't authorize password changed based on TGT"); > } > kerno = check_princ(service, instance, req_life, > &s_name_data, &k5key, 1, &sk5life); > if (kerno) { >- kerb_err_reply(client, pkt, kerno, "check_princ failed"); >+ response = kerb_err_reply(client, pkt, kerno, >+ "check_princ failed"); > s_name_data.key_high = s_name_data.key_low = 0; > krb5_free_keyblock_contents(kdc_context, &k5key); >- return; >+ return response; > } > /* Bound requested lifetime with service and user */ > v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life); >@@ -975,8 +959,7 @@ > rpkt = create_auth_reply(ad->pname, ad->pinst, > ad->prealm, time_ws, > 0, 0, 0, ciph); >- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, >- (struct sockaddr *) client, sizeof (struct sockaddr_in)); >+ response = make_response((char *) rpkt->dat, rpkt->length); > memset(&s_name_data, 0, sizeof(s_name_data)); > break; > } >@@ -1001,6 +984,7 @@ > break; > } > } >+ return response; > } > > >@@ -1010,7 +994,7 @@ > * client. > */ > >-void >+static krb5_data * > kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string) > { > static KTEXT_ST e_pkt_st; >@@ -1021,9 +1005,7 @@ > strncat(e_msg, string, sizeof(e_msg) - 1 - 19); > cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, > req_time_ws, err, e_msg); >- krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0, >- (struct sockaddr *) client, sizeof (struct sockaddr_in)); >- >+ return make_response((char *) e_pkt->dat, e_pkt->length); > } > > static int >Index: src/kdc/network.c >=================================================================== >--- src/kdc/network.c (revision 20192) >+++ src/kdc/network.c (working copy) >@@ -1,7 +1,7 @@ > /* > * kdc/network.c > * >- * Copyright 1990,2000 by the Massachusetts Institute of Technology. >+ * Copyright 1990,2000,2007 by the Massachusetts Institute of Technology. > * > * Export of this software from the United States of America may > * require a specific license from the United States Government. >@@ -747,6 +747,8 @@ > com_err(prog, retval, "while dispatching (udp)"); > return; > } >+ if (response == NULL) >+ return; > cc = sendto(port_fd, response->data, (socklen_t) response->length, 0, > (struct sockaddr *)&saddr, saddr_len); > if (cc == -1) { >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=294787">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 432620
: 294787