[2261] in Release_7.7_team


Kerberos source patches

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue May 16 15:12:17 2000

Message-Id: <200005161912.PAA26606@localhost.localdomain>
To: release-announce@MIT.EDU
Date: Tue, 16 May 2000 15:12:07 -0400
From: Greg Hudson <ghudson@MIT.EDU>

Some people on this list may maintain non-Athena machines with
Kerberos software and may need source patches, or may know others
in that situation.  Here are source patches for krb5 1.0.x and for
krb5 1.1.1, as they were provided to me by the krb5 team.

(To those not in that situation, I apologize for creating extra
traffic for a non-Athena issue.)

------- Forwarded Messages

Return-Path: <tlyu@MIT.EDU>
Received: from MIT.EDU by po12.mit.edu (8.9.2/4.7) id XAA14410; Fri, 28 Apr 2000 23:27:36 -0400 (EDT)
Received: from SAINT-ELMOS-FIRE.MIT.EDU by MIT.EDU with SMTP
	id AA20488; Fri, 28 Apr 00 23:29:36 EDT
Received: (from tlyu@localhost) by saint-elmos-fire.mit.edu (8.9.3)
	id XAA08769; Fri, 28 Apr 2000 23:27:34 -0400 (EDT)
To: ops@MIT.EDU
Cc: ghudson@MIT.EDU, raeburn@MIT.EDU, tlyu@MIT.EDU
Subject: patches against krb5-1.0.x
From: Tom Yu <tlyu@MIT.EDU>
Date: 28 Apr 2000 23:27:34 -0400
Message-Id: <ldvhfclbn89.fsf@saint-elmos-fire.mit.edu>
Lines: 277
X-Mailer: Gnus v5.5/Emacs 20.3

The following are patches against 1.0.7-beta1 (roughly).  The most
critical ones are:

	appl/bsd/krshd.c
	lib/krb4/rd_req.c
	lib/krb5/krb/conv_princ.c

The rest are not as important but you may wish to apply them anyway
out of paranoia.

Index: appl/bsd/krshd.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/appl/bsd/krshd.c,v
retrieving revision 5.66.2.6
diff -c -r5.66.2.6 krshd.c
*** krshd.c	1999/03/09 00:27:31	5.66.2.6
- --- krshd.c	2000/04/29 02:58:52
***************
*** 1469,1483 ****
          strcpy((char *) cmdbuf + offst, kprogdir);
  	cp = copy + 3 + offst;
  
  	if (auth_sys == KRB5_RECVAUTH_V4) {
! 	  strcat(cmdbuf, "/v4rcp");
  	} else {
! 	  strcat(cmdbuf, "/rcp");
  	}
  	if (stat((char *)cmdbuf + offst, &s) >= 0)
! 	  strcat(cmdbuf, cp);
  	else
! 	  strcpy(cmdbuf, copy);
  	free(copy);
      }
  #endif
- --- 1469,1484 ----
          strcpy((char *) cmdbuf + offst, kprogdir);
  	cp = copy + 3 + offst;
  
+ 	cmdbuf[sizeof(cmdbuf) - 1] = '\0';
  	if (auth_sys == KRB5_RECVAUTH_V4) {
! 	  strncat(cmdbuf, "/v4rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf));
  	} else {
! 	  strncat(cmdbuf, "/rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf));
  	}
  	if (stat((char *)cmdbuf + offst, &s) >= 0)
! 	  strncat(cmdbuf, cp, sizeof(cmdbuf) - 1 - strlen(cmdbuf));
  	else
! 	  strncpy(cmdbuf, copy, sizeof(cmdbuf) - 1 - strlen(cmdbuf));
  	free(copy);
      }
  #endif
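Review bot: The replacement for `strcpy(cmdbuf, copy)` in the else branch uses the bound `sizeof(cmdbuf) - 1 - strlen(cmdbuf)`, but strncpy writes from the start of cmdbuf, so the space taken by the old contents is subtracted for no reason. A `copy` that would fit can be cut short, and when it is cut strncpy writes no terminator, so stale buffer contents remain after the cut. The bound should be the whole buffer, `strncpy(cmdbuf, copy, sizeof(cmdbuf) - 1);`, relying on the terminator the hunk already stores in the last byte. The `strcpy` into `cmdbuf + offst` at the top of the hunk is still unbounded. The enclosing block starts outside the hunk, and the krshd.c hunk of the 1.1.1 patch further down is identical.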
Index: lib/krb4/kuserok.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb4/kuserok.c,v
retrieving revision 1.3
diff -c -r1.3 kuserok.c
*** kuserok.c	1996/01/27 06:06:22	1.3
- --- kuserok.c	2000/04/29 02:59:02
***************
*** 115,122 ****
      if ((pwd = getpwnam(luser)) == NULL) {
  	return(NOTOK);
      }
!     (void) strcpy(pbuf, pwd->pw_dir);
!     (void) strcat(pbuf, "/.klogin");
  
      if (access(pbuf, F_OK)) {	 /* not accessible */
  	/*
- --- 115,125 ----
      if ((pwd = getpwnam(luser)) == NULL) {
  	return(NOTOK);
      }
!     if (strlen (pwd->pw_dir) + sizeof ("/.klogin") >= sizeof (pbuf))
! 	return NOTOK;
!     (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
!     pbuf[sizeof(pbuf) - 1] = '\0';
!     (void) strncat(pbuf, "/.klogin", sizeof(pbuf) - 1 - strlen(pbuf));
  
      if (access(pbuf, F_OK)) {	 /* not accessible */
  	/*
Index: lib/krb4/rd_req.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb4/rd_req.c,v
retrieving revision 1.4
diff -c -r1.4 rd_req.c
*** rd_req.c	1996/02/24 14:29:26	1.4
- --- rd_req.c	2000/04/29 02:59:02
***************
*** 155,160 ****
- --- 155,162 ----
  				   Kerberos used to encrypt ticket */
      int status;
  
+     tkt->mbz = req_id->mbz = 0;
+ 
      if (authent->length <= 0)
  	return(RD_AP_MODIFIED);
  
***************
*** 190,197 ****
          mutual = 0;
  #endif /* lint */
      s_kvno = *ptr++;		/* get server key version */
!     (void) strcpy(realm,ptr);   /* And the realm of the issuing KDC */
!     ptr += strlen(ptr) + 1;     /* skip the realm "hint" */
  
      /*
       * If "fn" is NULL, key info should already be set; don't
- --- 192,200 ----
          mutual = 0;
  #endif /* lint */
      s_kvno = *ptr++;		/* get server key version */
!     (void) strncpy(realm,ptr,REALM_SZ);	/* And the realm of the issuing KDC */
!     realm[REALM_SZ-1] = '\0';
!     ptr += strlen(realm) + 1;	/* skip the realm "hint" */
  
      /*
       * If "fn" is NULL, key info should already be set; don't
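Review bot: An over-long realm is now silently truncated and `ptr` is advanced by `strlen(realm) + 1`, which is the truncated length, so parsing resumes in the middle of the realm field instead of the request being rejected. A field with no terminator inside REALM_SZ bytes should be refused before the copy, for example `if (memchr(ptr, '\0', REALM_SZ) == NULL) return(RD_AP_MODIFIED);`, using the return code already seen in this file for malformed input. The r_aname, r_inst and r_realm copies in the next hunk truncate the same way, as do the matching hunks of the 1.1.1 patch. The function body extends beyond the hunk, so whether a later check catches the misaligned pointer cannot be seen here.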
***************
*** 277,289 ****
  #define check_ptr() if ((ptr - (char *) req_id->dat) > req_id->length) return(RD_AP_MODIFIED);
  
      ptr = (char *) req_id->dat;
!     (void) strcpy(r_aname,ptr);	/* Authentication name */
      ptr += strlen(r_aname)+1;
      check_ptr();
!     (void) strcpy(r_inst,ptr);	/* Authentication instance */
      ptr += strlen(r_inst)+1;
      check_ptr();
!     (void) strcpy(r_realm,ptr);	/* Authentication name */
      ptr += strlen(r_realm)+1;
      check_ptr();
      memcpy((char *)&ad->checksum, ptr, 4);	/* Checksum */
- --- 280,295 ----
  #define check_ptr() if ((ptr - (char *) req_id->dat) > req_id->length) return(RD_AP_MODIFIED);
  
      ptr = (char *) req_id->dat;
!     (void) strncpy(r_aname,ptr,ANAME_SZ); /* Authentication name */
!     r_aname[ANAME_SZ-1] = '\0';
      ptr += strlen(r_aname)+1;
      check_ptr();
!     (void) strncpy(r_inst,ptr,INST_SZ);	/* Authentication instance */
!     r_inst[INST_SZ-1] = '\0';
      ptr += strlen(r_inst)+1;
      check_ptr();
!     (void) strncpy(r_realm,ptr,REALM_SZ); /* Authentication name */
!     r_realm[REALM_SZ-1] = '\0';
      ptr += strlen(r_realm)+1;
      check_ptr();
      memcpy((char *)&ad->checksum, ptr, 4);	/* Checksum */
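Review bot: `check_ptr()` tests `>` rather than `>=` and runs only after each `strncpy` has already read from `ptr`, so a request whose strings end exactly at `req_id->length` passes the last check and the following `memcpy` takes 4 checksum bytes from beyond the declared length. A remaining-length test before the copy would close this, for example `if (req_id->length - (ptr - (char *) req_id->dat) < 4) return(RD_AP_MODIFIED);`. Separately, the comment on the r_realm line still reads `/* Authentication name */` and should be `/* Authentication realm */`. The function continues outside the hunk, and the 1.1.1 patch carries the same hunk.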
Index: lib/krb5/krb/conv_princ.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/conv_princ.c,v
retrieving revision 1.19.8.1
diff -c -r1.19.8.1 conv_princ.c
*** conv_princ.c	1999/02/07 00:52:01	1.19.8.1
- --- conv_princ.c	2000/04/29 02:59:04
***************
*** 243,249 ****
  	      if (retval == 0 && full_name && full_name[0]) {
  		  instance = full_name[0];
  	      } else {
! 		  strcpy(buf, instance);
  		  retval = krb5_get_realm_domain(context, realm, &domain);
  		  if (retval)
  		      return retval;
- --- 243,250 ----
  	      if (retval == 0 && full_name && full_name[0]) {
  		  instance = full_name[0];
  	      } else {
! 		  strncpy(buf, instance, sizeof(buf));
! 		  buf[sizeof(buf) - 1] = '\0';
  		  retval = krb5_get_realm_domain(context, realm, &domain);
  		  if (retval)
  		      return retval;
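Review bot: Truncating `instance` to fit `buf` here, and truncating the appended domain with `strncat` in the next hunk, turns an over-long host name into a different, shorter principal instance instead of a failure. For a principal-conversion routine it is safer to test the combined length once the domain is known and return an error, freeing `domain` first, when `strlen(instance) + 1 + strlen(domain) >= sizeof(buf)`. Which error code fits is not visible from the hunk. The same two hunks appear in the 1.1.1 patch further down.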
***************
*** 251,258 ****
  		      for (cp = domain; *cp; cp++)
  			  if (isupper(*cp))
  			      *cp = tolower(*cp);
! 		      strcat(buf, ".");
! 		      strcat(buf, domain);
  		      krb5_xfree(domain);
  		  }
  		  instance = buf;
- --- 252,259 ----
  		      for (cp = domain; *cp; cp++)
  			  if (isupper(*cp))
  			      *cp = tolower(*cp);
! 		      strncat(buf, ".", sizeof(buf) - 1 - strlen(buf));
! 		      strncat(buf, domain, sizeof(buf) - 1 - strlen(buf));
  		      krb5_xfree(domain);
  		  }
  		  instance = buf;
Index: lib/krb5/os/kuserok.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/os/kuserok.c,v
retrieving revision 5.19
diff -c -r5.19 kuserok.c
*** kuserok.c	1996/06/12 05:15:02	5.19
- --- kuserok.c	2000/04/29 02:59:04
***************
*** 77,84 ****
      if ((pwd = getpwnam(luser)) == NULL) {
  	return(FALSE);
      }
!     (void) strcpy(pbuf, pwd->pw_dir);
!     (void) strcat(pbuf, "/.k5login");
  
      if (access(pbuf, F_OK)) {	 /* not accessible */
  	/*
- --- 77,85 ----
      if ((pwd = getpwnam(luser)) == NULL) {
  	return(FALSE);
      }
!     (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
!     pbuf[sizeof(pbuf) - 1] = '\0';
!     (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
  
      if (access(pbuf, F_OK)) {	 /* not accessible */
  	/*
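Review bot: Unlike the lib/krb4/kuserok.c hunk in this patch, this version has no length check, so a home directory too long for `pbuf` is silently truncated and `access()` is then applied to a path other than the user's `.k5login`. Adding the same guard before the copy keeps the two files consistent: `if (strlen(pwd->pw_dir) + sizeof("/.k5login") >= sizeof(pbuf)) return(FALSE);`. With the guard in place the strncpy/strncat bounds become a second line of defence rather than the only one. The function body continues past the hunk, and the 1.1.1 hunk for this file is identical.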
Index: lib/krb5/posix/syslog.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/posix/syslog.c,v
retrieving revision 5.7
diff -c -r5.7 syslog.c
*** syslog.c	1996/06/12 05:16:04	5.7
- --- syslog.c	2000/04/29 02:59:04
***************
*** 115,121 ****
  	(void)sprintf(tbuf, "<%d>%.15s ", pri, ctime(&now) + 4);
  	for (p = tbuf; *p; ++p);
  	if (LogTag) {
! 		(void)strcpy(p, LogTag);
  		for (; *p; ++p);
  	}
  	if (LogStat & LOG_PID) {
- --- 115,121 ----
  	(void)sprintf(tbuf, "<%d>%.15s ", pri, ctime(&now) + 4);
  	for (p = tbuf; *p; ++p);
  	if (LogTag) {
! 		(void)strncpy(p, LogTag, sizeof(tbuf) - 1 - (p - tbuf));
  		for (; *p; ++p);
  	}
  	if (LogStat & LOG_PID) {
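Review bot: `strncpy` leaves `tbuf` unterminated when LogTag is at least as long as the remaining space, and the next line, `for (; *p; ++p);`, then advances `p` until it finds a zero byte, which may lie past the end of `tbuf`. Storing the terminator right after the copy fixes this: `tbuf[sizeof(tbuf) - 1] = '\0';`. Code after the hunk presumably keeps appending at `p`, so a tag that fills the buffer would need handling there as well. The 1.1.1 hunk is identical.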
***************
*** 146,151 ****
- --- 146,156 ----
  	}
  
  	(void)vsprintf(p, fmt_cpy, ap);
+ 	/* Bounds checking??  If a system doesn't have syslog, we
+ 	   probably can't rely on it having vsnprintf either.  Try not
+ 	   to let a buffer overrun be exploited.  */
+ 	if (strlen (tbuf) >= sizeof (tbuf))
+ 	  abort ();
  
  	/* output the message to the local logger */
  	if (send(LogFile, tbuf, cnt = strlen(tbuf), 0) >= 0 ||
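Review bot: The added `strlen (tbuf) >= sizeof (tbuf)` test runs after `vsprintf` has already written past the buffer, and the `strlen` call itself reads beyond `tbuf` to find the terminator, so it limits the damage rather than preventing the overrun. Where the platform provides it, a bounded call such as `(void)vsnprintf(p, sizeof(tbuf) - (p - tbuf), fmt_cpy, ap);`, selected by a configure-time check, would prevent the write, with the abort() path kept as the fallback the comment describes. The comment could also state why abort() is preferred to returning, if the intent is to avoid continuing with memory that may have been overwritten. The 1.1.1 patch carries the same hunk.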
***************
*** 169,175 ****
  		if ((fd = open(CONSOLE, O_WRONLY, 0)) < 0)
  			return;
  		(void)alarm((u_int)0);
! 		(void)strcat(tbuf, "\r");
  		p = strchr(tbuf, '>') + 1;
  		(void)write(fd, p, cnt + 1 - (p - tbuf));
  		(void)close(fd);
- --- 174,181 ----
  		if ((fd = open(CONSOLE, O_WRONLY, 0)) < 0)
  			return;
  		(void)alarm((u_int)0);
! 		tbuf[sizeof(tbuf) - 1] = '\0';
! 		(void)strncat(tbuf, "\r", sizeof(tbuf) - 1 - strlen(tbuf));
  		p = strchr(tbuf, '>') + 1;
  		(void)write(fd, p, cnt + 1 - (p - tbuf));
  		(void)close(fd);

------- Message 2

Return-Path: <tlyu@MIT.EDU>
Received: from MIT.EDU by po12.mit.edu (8.9.2/4.7) id XAA14481; Fri, 28 Apr 2000 23:27:55 -0400 (EDT)
Received: from SAINT-ELMOS-FIRE.MIT.EDU by MIT.EDU with SMTP
	id AA20561; Fri, 28 Apr 00 23:29:56 EDT
Received: (from tlyu@localhost) by saint-elmos-fire.mit.edu (8.9.3)
	id XAA08772; Fri, 28 Apr 2000 23:27:54 -0400 (EDT)
To: ops@MIT.EDU
Cc: ghudson@MIT.EDU, raeburn@MIT.EDU, tlyu@MIT.EDU
Subject: patches against 1.1.1
From: Tom Yu <tlyu@MIT.EDU>
Date: 28 Apr 2000 23:27:54 -0400
Message-Id: <ldvg0s5bn7p.fsf@saint-elmos-fire.mit.edu>
Lines: 276
X-Mailer: Gnus v5.5/Emacs 20.3

The following are patches against 1.1.1.  The most critical ones are:

	appl/bsd/krshd.c
	lib/krb4/rd_req.c
	lib/krb5/krb/conv_princ.c

The rest are not as important but you may wish to apply them anyway
out of paranoia.

Index: appl/bsd/krshd.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/appl/bsd/krshd.c,v
retrieving revision 5.79.2.1
diff -c -r5.79.2.1 krshd.c
*** krshd.c	1999/08/23 18:55:10	5.79.2.1
- --- krshd.c	2000/04/29 03:00:38
***************
*** 1468,1482 ****
          strcpy((char *) cmdbuf + offst, kprogdir);
  	cp = copy + 3 + offst;
  
  	if (auth_sys == KRB5_RECVAUTH_V4) {
! 	  strcat(cmdbuf, "/v4rcp");
  	} else {
! 	  strcat(cmdbuf, "/rcp");
  	}
  	if (stat((char *)cmdbuf + offst, &s) >= 0)
! 	  strcat(cmdbuf, cp);
  	else
! 	  strcpy(cmdbuf, copy);
  	free(copy);
      }
  #endif
- --- 1468,1483 ----
          strcpy((char *) cmdbuf + offst, kprogdir);
  	cp = copy + 3 + offst;
  
+ 	cmdbuf[sizeof(cmdbuf) - 1] = '\0';
  	if (auth_sys == KRB5_RECVAUTH_V4) {
! 	  strncat(cmdbuf, "/v4rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf));
  	} else {
! 	  strncat(cmdbuf, "/rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf));
  	}
  	if (stat((char *)cmdbuf + offst, &s) >= 0)
! 	  strncat(cmdbuf, cp, sizeof(cmdbuf) - 1 - strlen(cmdbuf));
  	else
! 	  strncpy(cmdbuf, copy, sizeof(cmdbuf) - 1 - strlen(cmdbuf));
  	free(copy);
      }
  #endif
Index: lib/krb4/kuserok.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb4/kuserok.c,v
retrieving revision 1.5
diff -c -r1.5 kuserok.c
*** kuserok.c	1997/09/26 02:41:41	1.5
- --- kuserok.c	2000/04/29 03:00:53
***************
*** 118,125 ****
      if ((pwd = getpwnam(luser)) == NULL) {
  	return(NOTOK);
      }
!     (void) strcpy(pbuf, pwd->pw_dir);
!     (void) strcat(pbuf, "/.klogin");
  
      if (access(pbuf, F_OK)) {	 /* not accessible */
  	/*
- --- 118,128 ----
      if ((pwd = getpwnam(luser)) == NULL) {
  	return(NOTOK);
      }
!     if (strlen (pwd->pw_dir) + sizeof ("/.klogin") >= sizeof (pbuf))
! 	return NOTOK;
!     (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
!     pbuf[sizeof(pbuf) - 1] = '\0';
!     (void) strncat(pbuf, "/.klogin", sizeof(pbuf) - 1 - strlen(pbuf));
  
      if (access(pbuf, F_OK)) {	 /* not accessible */
  	/*
Index: lib/krb4/rd_req.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb4/rd_req.c,v
retrieving revision 1.9
diff -c -r1.9 rd_req.c
*** rd_req.c	1999/02/09 02:57:14	1.9
- --- rd_req.c	2000/04/29 03:00:53
***************
*** 184,189 ****
- --- 184,191 ----
      krb5_keyblock keyblock;
      int status;
  
+     tkt->mbz = req_id->mbz = 0;
+ 
      if (authent->length <= 0)
  	return(RD_AP_MODIFIED);
  
***************
*** 219,226 ****
          mutual = 0;
  #endif /* lint */
      s_kvno = *ptr++;		/* get server key version */
!     (void) strcpy(realm,ptr);   /* And the realm of the issuing KDC */
!     ptr += strlen(ptr) + 1;     /* skip the realm "hint" */
  
      /*
       * If "fn" is NULL, key info should already be set; don't
- --- 221,229 ----
          mutual = 0;
  #endif /* lint */
      s_kvno = *ptr++;		/* get server key version */
!     (void) strncpy(realm,ptr,REALM_SZ);	/* And the realm of the issuing KDC */
!     realm[REALM_SZ-1] = '\0';
!     ptr += strlen(realm) + 1;	/* skip the realm "hint" */
  
      /*
       * If "fn" is NULL, key info should already be set; don't
***************
*** 324,336 ****
  #define check_ptr() if ((ptr - (char *) req_id->dat) > req_id->length) return(RD_AP_MODIFIED);
  
      ptr = (char *) req_id->dat;
!     (void) strcpy(r_aname,ptr);	/* Authentication name */
      ptr += strlen(r_aname)+1;
      check_ptr();
!     (void) strcpy(r_inst,ptr);	/* Authentication instance */
      ptr += strlen(r_inst)+1;
      check_ptr();
!     (void) strcpy(r_realm,ptr);	/* Authentication name */
      ptr += strlen(r_realm)+1;
      check_ptr();
      memcpy((char *)&ad->checksum, ptr, 4);	/* Checksum */
- --- 327,342 ----
  #define check_ptr() if ((ptr - (char *) req_id->dat) > req_id->length) return(RD_AP_MODIFIED);
  
      ptr = (char *) req_id->dat;
!     (void) strncpy(r_aname,ptr,ANAME_SZ); /* Authentication name */
!     r_aname[ANAME_SZ-1] = '\0';
      ptr += strlen(r_aname)+1;
      check_ptr();
!     (void) strncpy(r_inst,ptr,INST_SZ);	/* Authentication instance */
!     r_inst[INST_SZ-1] = '\0';
      ptr += strlen(r_inst)+1;
      check_ptr();
!     (void) strncpy(r_realm,ptr,REALM_SZ); /* Authentication name */
!     r_realm[REALM_SZ-1] = '\0';
      ptr += strlen(r_realm)+1;
      check_ptr();
      memcpy((char *)&ad->checksum, ptr, 4);	/* Checksum */
Index: lib/krb5/krb/conv_princ.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/conv_princ.c,v
retrieving revision 1.23.2.2
diff -c -r1.23.2.2 conv_princ.c
*** conv_princ.c	1999/10/12 23:16:58	1.23.2.2
- --- conv_princ.c	2000/04/29 03:00:55
***************
*** 234,240 ****
  	      if (retval == 0 && full_name && full_name[0]) {
  		  instance = full_name[0];
  	      } else {
! 		  strcpy(buf, instance);
  		  retval = krb5_get_realm_domain(context, realm, &domain);
  		  if (retval)
  		      return retval;
- --- 234,241 ----
  	      if (retval == 0 && full_name && full_name[0]) {
  		  instance = full_name[0];
  	      } else {
! 		  strncpy(buf, instance, sizeof(buf));
! 		  buf[sizeof(buf) - 1] = '\0';
  		  retval = krb5_get_realm_domain(context, realm, &domain);
  		  if (retval)
  		      return retval;
***************
*** 242,249 ****
  		      for (cp = domain; *cp; cp++)
  			  if (isupper(*cp))
  			      *cp = tolower(*cp);
! 		      strcat(buf, ".");
! 		      strcat(buf, domain);
  		      krb5_xfree(domain);
  		  }
  		  instance = buf;
- --- 243,250 ----
  		      for (cp = domain; *cp; cp++)
  			  if (isupper(*cp))
  			      *cp = tolower(*cp);
! 		      strncat(buf, ".", sizeof(buf) - 1 - strlen(buf));
! 		      strncat(buf, domain, sizeof(buf) - 1 - strlen(buf));
  		      krb5_xfree(domain);
  		  }
  		  instance = buf;
Index: lib/krb5/os/kuserok.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/os/kuserok.c,v
retrieving revision 5.20.4.2
diff -c -r5.20.4.2 kuserok.c
*** kuserok.c	1999/09/23 00:50:45	5.20.4.2
- --- kuserok.c	2000/04/29 03:00:55
***************
*** 80,87 ****
      if ((pwd = getpwnam(luser)) == NULL) {
  	return(FALSE);
      }
!     (void) strcpy(pbuf, pwd->pw_dir);
!     (void) strcat(pbuf, "/.k5login");
  
      if (access(pbuf, F_OK)) {	 /* not accessible */
  	/*
- --- 80,88 ----
      if ((pwd = getpwnam(luser)) == NULL) {
  	return(FALSE);
      }
!     (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
!     pbuf[sizeof(pbuf) - 1] = '\0';
!     (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
  
      if (access(pbuf, F_OK)) {	 /* not accessible */
  	/*
Index: lib/krb5/posix/syslog.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/posix/syslog.c,v
retrieving revision 5.8
diff -c -r5.8 syslog.c
*** syslog.c	1998/07/17 20:39:43	5.8
- --- syslog.c	2000/04/29 03:00:55
***************
*** 115,121 ****
  	(void)sprintf(tbuf, "<%d>%.15s ", pri, ctime(&now) + 4);
  	for (p = tbuf; *p; ++p);
  	if (LogTag) {
! 		(void)strcpy(p, LogTag);
  		for (; *p; ++p);
  	}
  	if (LogStat & LOG_PID) {
- --- 115,121 ----
  	(void)sprintf(tbuf, "<%d>%.15s ", pri, ctime(&now) + 4);
  	for (p = tbuf; *p; ++p);
  	if (LogTag) {
! 		(void)strncpy(p, LogTag, sizeof(tbuf) - 1 - (p - tbuf));
  		for (; *p; ++p);
  	}
  	if (LogStat & LOG_PID) {
***************
*** 146,151 ****
- --- 146,156 ----
  	}
  
  	(void)vsprintf(p, fmt_cpy, ap);
+ 	/* Bounds checking??  If a system doesn't have syslog, we
+ 	   probably can't rely on it having vsnprintf either.  Try not
+ 	   to let a buffer overrun be exploited.  */
+ 	if (strlen (tbuf) >= sizeof (tbuf))
+ 	  abort ();
  
  	/* output the message to the local logger */
  	if (send(LogFile, tbuf, cnt = strlen(tbuf), 0) >= 0 ||
***************
*** 169,175 ****
  		if ((fd = open(CONSOLE, O_WRONLY, 0)) < 0)
  			return;
  		(void)alarm((u_int)0);
! 		(void)strcat(tbuf, "\r");
  		p = strchr(tbuf, '>') + 1;
  		(void)write(fd, p, cnt + 1 - (p - tbuf));
  		(void)close(fd);
- --- 174,181 ----
  		if ((fd = open(CONSOLE, O_WRONLY, 0)) < 0)
  			return;
  		(void)alarm((u_int)0);
! 		tbuf[sizeof(tbuf) - 1] = '\0';
! 		(void)strncat(tbuf, "\r", sizeof(tbuf) - 1 - strlen(tbuf));
  		p = strchr(tbuf, '>') + 1;
  		(void)write(fd, p, cnt + 1 - (p - tbuf));
  		(void)close(fd);

------- End of Forwarded Messages

