Fix MITKRB5-SA-2008-002: array overrun in libgssrpc.
Don't update the internally-tracked maximum file descriptor value if
the new one is FD_SETSIZE (or NOFILE) or above. Reject TCP file
descriptors of FD_SETSIZE (NOFILE) or above.
Revise patch to avoid 32-byte overflow which remained after the
initial patch. Memory written to by the IXDR macro calls had not been
accounted for. Thanks to Kevin Coffman, Will Fiveash, and Nico
Williams for discovering this bug and assisting with patch
development.
Tom Yu [Wed, 11 Apr 2007 02:25:17 +0000 (02:25 +0000)]
(krb5-1.5.x) fix MITKRB5-SA-2007-003
pull up r19171 from trunk
r19171@cathode-dark-space: raeburn | 2007-02-23 19:56:23 -0500
ticket: 5445
status: open
If a reflection is detected, zap the message buffer pointer output
argument as well as actually freeing the buffer. (Found while using
the gsstest option to exercise error conditions.)
ticket: new
tags: pullup
target_version: 1.5.3
version_fixed: 1.5.3
Tom Yu [Fri, 6 Apr 2007 20:06:24 +0000 (20:06 +0000)]
pull up r19396 from trunk
r19396@cathode-dark-space: tlyu | 2007-04-03 17:27:25 -0400
ticket: new
subject: MITKRB5-SA-2007-001: telnetd allows login as arbitrary user
tags: pullup
target_version: 1.6.1
Fix MITKRB5-SA-2007-001:
* src/appl/telnet/telnetd/sys_term.c (start_login): Add "--"
argument preceding username, in addition to the original patch.
Explicitly check for leading hyphen in username.
* src/appl/telnet/telnetd/state.c (envvarok): Check for leading
hyphen in environment variables. On advice from Shawn Emery, not
using strchr() as in the original patch.
Fix mechglue argument checks so that output pointers are always
initialized regardless of whether the other arguments fail to validate
for some reason. This avoids freeing of uninitialized pointers.
Initialize the gss_buffer_descs in ovsec_kadmd.c.
ticket: new
target_version: 1.5.2
version_fixed: 1.5.2
tags: pullup
component: krb5-libs
Tom Yu [Wed, 10 Jan 2007 01:08:05 +0000 (01:08 +0000)]
fix MITKRB5-SA-2006-002 for 1.5-branch
pull up r19042 from trunk
r19042@cathode-dark-space: tlyu | 2007-01-09 14:45:10 -0500
ticket: new
target_version: 1.6
tags: pullup
subject: MITKRB5-SA-2006-002: svctcp_destroy() can call uninitialized function pointer
component: krb5-libs
Explicitly null out xprt->xp_auth when AUTH_GSSAPI is being used, so
that svctcp_destroy() will not call through an uninitialized function
pointer after code in svc_auth_gssapi.c has destroyed expired state
structures. We can't unconditionally null it because the RPCSEC_GSS
implementation needs it to retrieve state.
ticket: new
tags: pullup
target_version: 1.5.2
version_fixed: 1.5.2
component: krb5-libs
Tom Yu [Fri, 17 Nov 2006 23:48:50 +0000 (23:48 +0000)]
pull up r18840 from trunk
r18840@cathode-dark-space: jaltman | 2006-11-17 18:14:27 -0500
ticket: new
tags: pullup
subject: reset use_master flag when master_kdc cannot be found
krb5_get_init_creds_password:
if the master_kdc cannot be identified reset the use_master
flag. otherwise, the krb5_get_init_creds("kadmin/changepw")
call will attempt to communicate with the master_kdc that
cannot be reached.
Tom Yu [Fri, 17 Nov 2006 19:42:29 +0000 (19:42 +0000)]
pull up r18828 from trunk
r18828@cathode-dark-space: jaltman | 2006-11-17 12:23:24 -0500
ticket: new
subject: commits for KFW 3.1 Beta 4
tags: pullup
KfW 3.1 beta 4 (NetIDMgr 1.1.6.0)
nidmgr32.dll (1.1.6.0)
- Fix a race condition where the initialization process might be
flagged as complete even if the identity provider hasn't finished
initialization yet.
krb5cred.dll (1.1.6.0)
- When assigning the default credentials cache for each identity,
favor API and FILE caches over MSLSA if they exist.
- When renewing an identity which was the result of importing
credentials from the MSLSA cache, attempt to re-import the
credentials from MSLSA instead of renewing the imported credentials.
- Prevent possible crash if a Kerberos 5 context could not be obtained
during the renewal operation.
- Prevent memory leak in the credentials destroy handler due to the
failure to free a Kerberos 5 context.
- Properly match principals and realms when importing credentials from
the MSLSA cache.
- Determine the correct credentials cache to place imported
credentials in by checking the configuration for preferred cache
name.
- Keep track of identities where credentials imports have occurred.
- When setting the default identity, ignore the KRB5CCNAME environment
variable.
- Do not re-compute the credentials cache and timestamps when updating
an identity. The cache and timestamp information is computed when
listing credentials and do not change between listing and identity
update.
- When refreshing the default identity, also handle the case where the
default credentials cache does not contain a principal, but the name
of the cache can be used to infer the principal name.
- Invoke a listing of credentials after a successful import.
- Do not free a Kerberos 5 context prematurely during plug-in
initialization.
netidmgr.exe (1.1.6.0)
- Fix the UI context logic to handle layouts which aren't based around
identities.
- Don't try to show a property sheet when there are no property pages
supplied for the corresponding UI context.
- Use consistent context menus.
- Bring a modal dialog box to the foreground when it should be active.
- Do not accept action triggers when the application is not ready to
process actions yet.
- Do not force the new credentials dialog to the top if there's
already a modal dialog box showing.
- Change the default per-identity layout to also group by location.
- The configuration provider was incorrectly handling the case where a
configuration value also specifies a configuration path, resulting
in the configuration value not being found. Fixed.
- Fix a race condition when refreshing identities where removing an
identity during a refresh cycle may a crash.
- Fix a bug which would cause an assertion to fail if an item was
removed from one of the system defined menus.
- When creating an indirect UI context, khui_context_create() will
correctly fill up a credential set using the selected credentials.
krb5cred.dll (1.1.4.0)
- Fix a race condition during new credentials acquisition which may
cause the Krb5 plug-in to abandon a call to
krb5_get_init_creds_password() and make another call unnecessarily.
- If krb5_get_init_creds_password() KRB5KDC_ERR_KEY_EXP, the new
credentials dialog will automatically prompt for a password change
instead of notifying the user that the password needs to be changed.
- When handling WMNC_DIALOG_PREPROCESS messages, the plug-in thread
would only be notified of any changes to option if the user
confirmed the new credentials operation instead of cancelling it.
- Additional debug output for the DEBUG build.
- Reset the sync flag when reloading new credentials options for an
identity. Earlier, the flag was not being reset, which can result
in the new credentials dialog not obtaining credentials using the
new options.
- Handle the case where the new credentials dialog maybe closed during
the plug-in thread is processing a request.
- Fix a condition which would cause the Krb5 plug-in to clear the
custom prompts even if Krb5 was not the identity provider.
- Once a password is changed, use the new password to obtain new
credentials for the identity.
netidmgr.exe (1.1.4.0)
- Fix a redraw issue which left areas of the credentials window
unupdated if another window was dragged across it.
- Handle WM_PRINTCLIENT messages so that the NetIDMgr window will
support window animation and other features that require a valid
WM_PRINTCLIENT handler.
- During window repaints, NetIDMgr will no longer invoke the default
window procedure.
- Add support for properly activating and bringing the NetIDMgr window
to the foreground when necessary. If the window cannot be brought
to the foreground, it will flash the window to notify the user that
she needs to manually activate the NetIDMgr window.
- When a new credentials dialog is launched as a result of an external
application requesting credentials, if the NetIDMgr application is
not minimized, it will be brought to the foreground before the new
credentials dialog is brought to the foreground. Earlier, the new
credentials dialog may remain hidden behind other windows in some
circumstances.
- When displaying custom prompts for the new credentials dialog, align
the input controls on the right.
Tom Yu [Wed, 8 Nov 2006 23:43:53 +0000 (23:43 +0000)]
pull up r18764 from trunk
r18764@cathode-dark-space: jaltman | 2006-11-06 16:55:13 -0500
ticket: new
tags: pullup
subject: krb5_get_init_creds_password does not consistently prompt for password changing
krb5_get_init_creds_password() previously did not consistently
handle KRB5KDC_ERR_KEY_EXP errors. If there is a "master_kdc"
entry for the realm and the KDC is reachable, then the function
will prompt the user for a password change. Otherwise, it will
return the error code to the caller. If the caller is a ticket
manager, it will prompt the user for a password change with a
dialog that is different from the one generated by the prompter
function passed to krb5_get_init_creds_password.
With this change krb5_get_init_creds_password() will always
prompt the user if it would return KRB5KDC_ERR_KEY_EXP unless
the function is compiled with USE_LOGIN_LIBRARY. (KFM)
Per Paul Vixie: It is necessary to zero out the statbuf before calling
res_ninit(), or else res_vinit() will call res_nclose() and res_ndestroy()
with stack trash as a statbuf, and they will call free() with stack trash,
and programs will dump core.
Tom Yu [Thu, 26 Oct 2006 19:31:24 +0000 (19:31 +0000)]
pull up r18635 from trunk
r18635@cathode-dark-space: epeisach | 2006-10-01 08:05:20 -0400
ticket: new
subject: kdc: make_toolong_error does not initialize all fields for krb5_mk_error
tags: pullup
network.c: make_too_long_error() fails to set the ctime and cusec elements of
the krb5_error structure. Valgrind detects errors in the asn.1 encoding
handlers in reading an unitialized value. Initialize to 0.
Tom Yu [Wed, 11 Oct 2006 19:26:08 +0000 (19:26 +0000)]
pull up r18670 from trunk
r18670@cathode-dark-space: jaltman | 2006-10-09 14:08:10 -0400
ticket: new
subject: final commits for KFW 3.1 Beta 2
tags: pullup
krb5cred.dll (1.1.2.0)
- Fix the control logic so that if the password is expired for an
identity, the krb5 credentials provider will initiate a change
password request. Once the password is successfully changed, the
new password will be used to obtain new credentials.
- Fix an incorrect condition which caused the new credentials dialog
to refresh custom prompts unnecessarily.
- Removing an identity from the list of NetIDMgr identities now causes
the corresponding principal to be removed from the LRU principals
list.
- Properly handle KMSG_CRED_PROCESS message when the user is
cancelling out.
- Add more debug output
- Do not renew Kerberos tickets which are not initial tickets.
- Fix whitespace in source code.
- When providing identity selection controls, disable the realm
selector when the user specifies the realm in the username control.
- k5_ident_valiate_name() will refuse principal names with empty or
unspecified realms.
- When updating identity properties, the identity provider will
correctly set the properties for identities that were destroyed.
This fixes a problem where the values may be incorrect if an
identity has two or more credential caches and one of them is
destroyed.
nidmgr32.dll (1.1.2.0)
- Send out a separate notification if the configuration information
associated with an identity is removed.
- If an identity is being removed from the NetIDMgr identity list in
the configuration panel, do not send out APPLY notifications to the
subpanels after the configuration information has been removed.
Otherwise this causes the configuration information to be reinstated
and prevent the identity from being removed.
- Properly initialize the new credentials blob including the UI
context structure.
netidmgr.exe (1.1.2.0)
- When suppressing error messages, make sure that the final
KMSG_CRED_END notification is sent. Otherwise the new credentials
acquisition operation will not be cleaned up.
- Autoinit option now checks to see if there are identity credentials
for the default identity and triggers the new credentials dialog if
there aren't any.
- Properly synchronize the configuration node list when applying
changes (e.g.: when removing or adding an identity).
- Fix a handle leak when removing an identity from the NetIDMgr
identity list.
- Refresh the properties for the active identities before calculating
the renewal and expiration timers. Otherwise the timestamps being
used might be incorrect.
- Add Identity dialog (in the configuration panel) now uses the
identity selection controls provided by the identity provider.
- Improve type safety when handling timer refreshes.
- When getting the expiration times and issue times for an identity,
the timer refresh code may fail over to the expiration and issue
times for the credential it is currently looking at. Now the code
makes sure that both the issue and expiration times come from the
identity or the credential but not mixed.
- Not being able to get the time of issue of a credential now does not
result in the credential being skipped from the timer refresh pass.
However, not having a time of issue will result in the half-life
algorithm not being applied for the renew timer.
- Fix a bug which caused a credential to be abandoned from the timer
refresh pass if the reamining lifetime of the credential is less
than the renewal threshold.
- Fix a bug where the vertical scroll bars for the hypertext window
would not appear when the contents of the window changed.
- Trigger a refresh of the configuration nodes when adding or removing
an identity.
source for (1.1.2.0)
- Explicitly include <prsht.h> so that the SDK can be used in build
environments that define WIN32_LEAN_AND_MEAN.
Tom Yu [Mon, 25 Sep 2006 23:02:33 +0000 (23:02 +0000)]
pull up r18561 from trunk
r18561@cathode-dark-space: jaltman | 2006-09-05 14:47:29 -0400
ticket: new
subject: windows ccache and keytab file paths without a prefix
ktbase.c, ccbase.c: When a file path is specified without
the prefix we must infer the use of the "FILE" prefix.
However, we were setting the prefix including the colon
separator when the separator should have been ignored.
Tom Yu [Mon, 25 Sep 2006 22:01:57 +0000 (22:01 +0000)]
pull up r18604 from trunk
r18604@cathode-dark-space: jaltman | 2006-09-21 17:49:41 -0400
ticket: new
subject: KFW 3.1 Beta 2 NetIDMgr Changes
component: windows
tags: pullup
source for (1.1.0.1)
- Updated documentation with additional information and fixed errors.
nidmgr32.dll (1.1.0.1)
- Fixed a deadlock in the configuration provider that may cause
NetIDMgr to deadlock on load.
- Prevent the configuration provider handle list from getting
corrupted in the event of a plug-in freeing a handle twice.
- Add more parameter validation for the configuration provider.
- If a plug-in is only partially registered (only some of the entries
were set in the registry), the completion of the registration didn't
complete successfully, leaving the plug-in in an unusable state.
This has been fixed. Plug-ins will now successfully complete
registration once they are loaded for the first time, assuming the
correct resources are present in the module.
- Fixed notifications for setting a default identity. Notifications
were not being properly sent out resulting in the credentials window
not being updated when the default identity changed.
- Changes to the API for type safety.
- Handling of binary data fields was changed to support validation and
comparison.
- Data types that do not support KCDB_CBSIZE_AUTO now check for and
report an error if it is specified.
- Password fields in the new credentials dialog will trim leading and
trailing whitespace before using a user-entered value.
- Change password action will no longer be disabled if no identity is
selected. An identity selection control is present in the dialog
making this restriction unnecessary.
- When renewing credentials, error messages will be suppressed if the
renewal was for an identity and the identity does not have any
identity credentials associated with it.
- Error messages that are related to credentials acquisition or
password changes will now display the name of the identity that the
error applies to.
- Automatic renewals now renews all identities that have credentials
associated with them instead of just the default identity.
- Fixed a bug where error messages did not have a default button which
can be invoked with the return key or the space bar.
- The new credentials window will force itself to the top. This can
be disabled via a registry setting, but is on by default.
- Fixed the sort order in the new credentials tabs to respect sort
hints provided by plug-ins.
- If a new credentials operation fails, the password fields will be
cleared.
- Once a new credentials operation starts, the controls for specifying
the identity and password and any other custom prompts will be
disabled until the operation completes.
- Notifications during the new credentials operation now supply a
handle to the proper data structures as documented.
- Hyperlinks in the new credentials dialog now support markup that
will prevent the dialog from switching to the credentials type panel
when the link is activated.
- If there are too many buttons added by plug-ins in the new
credentials dialog, they will be resized to accomodate all of them.
- The options button in the new credentials dialog will be disabled
while a new credentials operation is in progress.
- The 'about' dialog retains the original copyright strings included
in the resource.
- Multiple modal dialogs are now supported. Only the topmost one will
be active. Once it is closed, the other dialogs will gain focus in
turn. This allows for error messages to be displayed from other
modal dialogs.
- The hypertext window supports italics.
krb4cred.dll (1.1.0.1)
- Fixed a bug where the plug-in would attempt to free a handle twice.
- Fixed a handle leak.
- Changed the facility name used for event reporting to match the
credentials type name.
krb5cred.dll (1.1.0.1)
- Fixed handling of expired passwords. If the password for an
identity is found to have expired at the time a new credentials
acquisition is in progress, the user will be given an opportunity to
change the password. If this is successful, the new credentials
operation will continue with the new password.
- Prevent the new credentials dialog from switching to the Kerberos 5
credentials panel during a password change.
- Prompts that were cached indefinitely will now have a limited
lifetime. Prompt caches that were created using prior versions of
the plug-in will automatically expire.
- Multistrings in the resource files were converted to CSV to protect
them against a bug in Visual Studio 2005 which corrupted
multistrings.
- Added handling of and reporting WinSock errors that are returned
from the Kerberos 5 libraries.
- Fixed uninitialized variables.
- The username and realm that is entered when selecting an identity
will be trimmed of leading and trailing whitespace.
- Changed the facility name used for event reporting to match the
credentials type name.
Tom Yu [Mon, 25 Sep 2006 20:52:38 +0000 (20:52 +0000)]
pull up r18600 from trunk
r18600@cathode-dark-space: jaltman | 2006-09-20 22:43:12 -0400
ticket: new
subject: windows thread support frees thread local storage after TlsSetValue
tags: pullup
threads.c: The return value of TlsSetValue is non-zero on
success. As a result of misinterpreting the
return value, the memory set in TLS is then freed.
A subsequent call to TlsGetValue returns the
invalid pointer.
Tom Yu [Tue, 22 Aug 2006 21:49:44 +0000 (21:49 +0000)]
pull up r18464 from trunk
r18464@cathode-dark-space: jaltman | 2006-08-16 21:21:00 -0400
ticket: new
subject: NetIDMgr Credential Provider Sample Code and Documentation
tags: pullup
This commit provides a template for a Network Identity Manager
Credential Provider. It doesn't provide any real functionality
but it does provide all of the functions that need to be specified
and filled in as part of the process of producing a NetIdMgr plug-in.
This code should be pulled up to 1.4.x for inclusion in the KFW 3.1
SDK as well as to 1.5.x.
* src/clients/ksu/main.c (sweep_up): Don't check return value of
krb5_seteuid(0), as it is not harmful for it to fail, and it will
fail after setuid(target_user). Correct error message.
* src/lib/gssapi/mechglue/mglueP.h: Add loopback field to opaque
structs of gss_ctx_id_t, gss_name_t, gss_cred_id_t to catch some
application programming errors. Add new macro GSSINT_CHK_LOOP()
which returns non-zero if loopback field doesn't point to itself.
Tom Yu [Tue, 1 Aug 2006 23:57:54 +0000 (23:57 +0000)]
pull up r18330 from trunk
r18330@cathode-dark-space: tlyu | 2006-07-17 12:39:35 -0400
ticket: new
target_version: 1.5.1
tags: pullup
subject: reverse test for copy_oid_set in lib/gssapi/krb5/indicate_mechs.c
* src/lib/gssapi/krb5/indicate_mechs.c: Reverse sense of test,
since gssint_copy_oid_set() returns 0 on success.
Tom Yu [Tue, 25 Jul 2006 02:32:04 +0000 (02:32 +0000)]
pull up r18379 from trunk
r18379@cathode-dark-space: jaltman | 2006-07-24 02:58:23 -0400
ticket: new
subject: Windows Integrated Login Fixes for KFW 3.1
tags: pullup
component: windows
KFW integrated login was failing when the user is
not a power user or administrator. This was occurring
because the temporary file ccache was being created in
a directory the user could not read. While fixing this
it was noticed that the ACLs on the ccache were too broad.
Instead of applying a fix to the FILE: krb5_ccache
implementation it was decided that simply applying a new
set of ACLs (SYSTEM and "user" with no inheritance) to
the file immediately after the krb5_cc_initialize() call
would close the broadest security issues.
The file is initially created in the SYSTEM %TEMP% directory
with "SYSTEM" ACL only. Then it is moved to the user's %TEMP%
directory with "SYSTEM" and "user" ACLs. Finally, after
copying the credentials to the API: ccache, the file is deleted.
This commit corrects errors in the Wix installer script
files that violate the Wix schema but which were not
caught by earlier releases of the Wix 2.0 installer.
* add scrollbars to option tree pane in configuration dialog
* convert to using Microsoft's safe string library both to ensure
safe string manipulation and to avoid deprecation warnings
* disable deprecation warnings for Platform SDK header shlwapi.h
which cannot otherwise be compiled
* add kerberos 5 kvno property to tickets. display in properties
dialog and main window if column selected by user
* improve manifest handling in order to support both manifests
generated by the compiler and those hand crafted in order to
specify the correct versions of the custom control libraries.
* update khimaira message types and credential acquisition
documentation
Tom Yu [Sat, 1 Jul 2006 01:53:18 +0000 (01:53 +0000)]
pull up r18313 from trunk
r18313@cathode-dark-space: tlyu | 2006-06-30 21:50:37 -0400
ticket: new
target_version: 1.5
tags: pullup
version_reported: 1.5
subject: work around failure to load into nonexistent db
component: test
* src/tests/Makefile.in (kdb_check): Run kdb5_util create after
destroying to work around a behavior change from DAL integration.
Tom Yu [Sat, 1 Jul 2006 01:20:06 +0000 (01:20 +0000)]
pull up r18277 from trunk as it is a missing pre-req
r18277@cathode-dark-space: raeburn | 2006-06-29 20:17:43 -0400
(add_db_arg): Fix silly bug.
(extended_com_err_fn): Don't look up or print error message if the error code
is 0.
Tom Yu [Fri, 30 Jun 2006 23:34:40 +0000 (23:34 +0000)]
pull up r18308 from trunk
r18308@cathode-dark-space: raeburn | 2006-06-30 19:22:32 -0400
ticket: new
subject: test kdb5_util dump/load functionality in dejagnu
target_version: 1.5
tags: pullup
This new test just dumps and reloads the database. It doesn't examine
the resulting database, but kinit and other tests are run after it,
using the reloaded database.
* standalone.exp (dump_and_reload): New proc.
(doit): Invoke it.
Tom Yu [Fri, 30 Jun 2006 23:11:41 +0000 (23:11 +0000)]
pull up r18276 as a prereq
r18276@cathode-dark-space: raeburn | 2006-06-29 19:51:55 -0400
* kdb5_util.c (add_db_arg): New function.
(main): Use it.
* kdb5_util.h (add_db_arg): Declare it.
* kdb5_create.c (kdb5_create): Use it.
* dump.c (load_db): Use it.
Tom Yu [Fri, 30 Jun 2006 23:11:33 +0000 (23:11 +0000)]
pull up r18295 from trunk
r18295@cathode-dark-space: raeburn | 2006-06-30 17:05:21 -0400
ticket: 3964
status: open
* kdb_db2.c: Don't include kdb_compat.h.
(OLD_COMPAT_VERSION_1): Don't define.
(krb5_db2_db_create): For temporary db, use different names for all files.
(krb5_db2_open, krb5_db2_create, krb5_db2_destroy): Fix check for "temporary"
in supplied db_args.
(krb5_db2_db_rename): New function, restored from pre-DAL code and hacked up
a lot to mostly work.
(krb5_db2_promote_db): New function.
* db2_exp.c: Add promote_db entry.
* src/lib/krb5/krb/srv_rcache.c (krb5_get_server_rcache):
Oops, krb5_rc_close actually does free rcache, so actually do null
rcache on error from krb5_rc_recover_or_initialize. Thanks to
Shawn Emery for noticing.
* src/lib/krb5/krb/srv_rcache.c (krb5_get_server_rcache): Adapted
patch from Shawn Emery to set rcache = 0 in case of
krb5_rc_resolve_full failure because krb5_rc_resolve_full frees
but doesn't null rcache. Also restore free of rcache in cleanup
code. Continue to not null rcache in failure on
krb5_rc_recover_or_initialize because krb5_rc_close doesn't free
rcache.
projects / thirdparty / krb5.git / log
