author | cy <cy@FreeBSD.org> | 2007-04-05 05:12:17 +0800 |
---|---|---|
committer | cy <cy@FreeBSD.org> | 2007-04-05 05:12:17 +0800 |
commit | b94faf1cbd3018a54728cac091540dd9b94b39f9 (patch) | |
tree | 5516d01e07c1d9509f8adb5d03395a3b88df7766 /security/krb5 | |
parent | 95bf82ea5be5047f7ed8e50215e27afb90fca916 (diff) | |
MIT KRB5 Security patches:
1. MIT krb5 Security Advisory 2007-001: Telnetd allows login as arbitrary user
CVE: CVE-2007-0956
CERT: VU#220816
2. MIT krb5 Security Advisory 2007-002: KDC, kadmind stack overflow in krb5_klog_syslog
CVE: CVE-2007-0957
CERT: VU#704024
Diffstat (limited to 'security/krb5')
-rw-r--r-- | security/krb5/Makefile | 2 | ||||
-rw-r--r-- | security/krb5/files/patch-appl-telnet-telnetd-state.c | 12 | ||||
-rw-r--r-- | security/krb5/files/patch-appl-telnet-telnetd-sys_term.c | 40 | ||||
-rw-r--r-- | security/krb5/files/patch-kadmin-server-kadm_rpc_svc.c | 31 | ||||
-rw-r--r-- | security/krb5/files/patch-kadmin-server-misc.c | 15 | ||||
-rw-r--r-- | security/krb5/files/patch-kadmin-server-misc.h | 8 | ||||
-rw-r--r-- | security/krb5/files/patch-kadmin-server-ovsec_kadmd.c | 55 | ||||
-rw-r--r-- | security/krb5/files/patch-kadmin-server-schpw | 0 | ||||
-rw-r--r-- | security/krb5/files/patch-kadmin-server-schpw.c | 26 | ||||
-rw-r--r-- | security/krb5/files/patch-kadmin-server-schpw.c.c | 0 | ||||
-rw-r--r-- | security/krb5/files/patch-kadmin-server-server_stubs.c | 608 | ||||
-rw-r--r-- | security/krb5/files/patch-kdc-do_tgs_req.c | 65 | ||||
-rw-r--r-- | security/krb5/files/patch-kdc-kdc_util.c | 10 | ||||
-rw-r--r-- | security/krb5/files/patch-lib-kadm5-logger.c | 33 |
14 files changed, 904 insertions, 1 deletions
diff --git a/security/krb5/Makefile b/security/krb5/Makefile index 84dc9056535e..e67393cb7563 100644 --- a/security/krb5/Makefile +++ b/security/krb5/Makefile @@ -7,7 +7,7 @@ PORTNAME= krb5 PORTVERSION= 1.6 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/ DISTNAME= ${PORTNAME}-${PORTVERSION}-signed diff --git a/security/krb5/files/patch-appl-telnet-telnetd-state.c b/security/krb5/files/patch-appl-telnet-telnetd-state.c new file mode 100644 index 000000000000..9a9b8f2b5d91 --- /dev/null +++ b/security/krb5/files/patch-appl-telnet-telnetd-state.c @@ -0,0 +1,12 @@ +--- appl/telnet/telnetd/state.c.orig Thu Jun 15 15:42:53 2006 ++++ appl/telnet/telnetd/state.c Wed Apr 4 14:02:18 2007 +@@ -1665,7 +1665,8 @@ + strcmp(varp, "RESOLV_HOST_CONF") && /* linux */ + strcmp(varp, "NLSPATH") && /* locale stuff */ + strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */ +- strcmp(varp, "IFS")) { ++ strcmp(varp, "IFS") && ++ !strchr(varp, '-')) { + return 1; + } else { + syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp); diff --git a/security/krb5/files/patch-appl-telnet-telnetd-sys_term.c b/security/krb5/files/patch-appl-telnet-telnetd-sys_term.c new file mode 100644 index 000000000000..ec0cf6e41a0e --- /dev/null +++ b/security/krb5/files/patch-appl-telnet-telnetd-sys_term.c 
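Review bot: The new `!strchr(varp, '-')` term in the telnetd environment-variable filter has no comment saying why a '-' anywhere in a variable name is now rejected, and the syslog text in the else branch still describes only a generic rejection. The companion sys_term.c patch in this commit hands environ entries to login as argv (`argv = addarg(argv, *cpp)`) and separately refuses user names starting with '-', which appears to be the reason; a one-line comment such as `/* a '-' could make the entry look like an option when environ is passed to login(1) as arguments */` would make that relation explicit for the next reader. The enclosing function starts and ends outside the hunk.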
@@ -0,0 +1,40 @@ +--- appl/telnet/telnetd/sys_term.c.orig Fri Nov 15 12:21:51 2002 ++++ appl/telnet/telnetd/sys_term.c Wed Apr 4 14:02:18 2007 +@@ -1287,6 +1287,16 @@ + #endif + #if defined (AUTHENTICATION) + if (auth_level >= 0 && autologin == AUTH_VALID) { ++ if (name[0] == '-') { ++ /* Authenticated and authorized to log in to an ++ account starting with '-'? Even if that ++ unlikely case comes to pass, the current login ++ program will not parse the resulting command ++ line properly. */ ++ syslog(LOG_ERR, "user name cannot start with '-'"); ++ fatal(net, "user name cannot start with '-'"); ++ exit(1); ++ } + # if !defined(NO_LOGIN_F) + #if defined(LOGIN_CAP_F) + argv = addarg(argv, "-F"); +@@ -1377,11 +1387,19 @@ + } else + #endif + if (getenv("USER")) { +- argv = addarg(argv, getenv("USER")); ++ char *user = getenv("USER"); ++ if (user[0] == '-') { ++ /* "telnet -l-x ..." */ ++ syslog(LOG_ERR, "user name cannot start with '-'"); ++ fatal(net, "user name cannot start with '-'"); ++ exit(1); ++ } ++ argv = addarg(argv, user); + #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P) + { + register char **cpp; + for (cpp = environ; *cpp; cpp++) ++ if ((*cpp)[0] != '-') + argv = addarg(argv, *cpp); + } + #endif diff --git a/security/krb5/files/patch-kadmin-server-kadm_rpc_svc.c b/security/krb5/files/patch-kadmin-server-kadm_rpc_svc.c new file mode 100644 index 000000000000..40cc158e5fe3 --- /dev/null +++ b/security/krb5/files/patch-kadmin-server-kadm_rpc_svc.c 
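Review bot: In the second sys_term.c hunk, the new `if ((*cpp)[0] != '-')` guard on the environ loop silently drops the offending entry, whereas the two other rejections this patch adds (`name[0] == '-'` and `user[0] == '-'`) both syslog before aborting, so an operator gets no trace of this case. Since dropping rather than aborting looks intentional, a log line keeps the behaviour but makes it visible: `if ((*cpp)[0] != '-') argv = addarg(argv, *cpp); else syslog(LOG_INFO, "dropped environment entry starting with '-'");` with braces added around the loop body. The body is now two statement levels deep without braces, which is easy to misread. The enclosing function starts and ends outside the hunk.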
@@ -0,0 +1,31 @@ +--- kadmin/server/kadm_rpc_svc.c.orig Fri Mar 31 19:08:17 2006 ++++ kadmin/server/kadm_rpc_svc.c Wed Apr 4 13:53:04 2007 +@@ -250,6 +250,8 @@ + krb5_data *c1, *c2, *realm; + gss_buffer_desc gss_str; + kadm5_server_handle_t handle; ++ size_t slen; ++ char *sdots; + + success = 0; + handle = (kadm5_server_handle_t)global_server_handle; +@@ -274,6 +276,8 @@ + if (ret == 0) + goto fail_name; + ++ slen = gss_str.length; ++ trunc_name(&slen, &sdots); + /* + * Since we accept with GSS_C_NO_NAME, the client can authenticate + * against the entire kdb. Therefore, ensure that the service +@@ -296,8 +300,8 @@ + + fail_princ: + if (!success) { +- krb5_klog_syslog(LOG_ERR, "bad service principal %.*s", +- gss_str.length, gss_str.value); ++ krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s", ++ slen, gss_str.value, sdots); + } + gss_release_buffer(&min_stat, &gss_str); + krb5_free_principal(kctx, princ); diff --git a/security/krb5/files/patch-kadmin-server-misc.c b/security/krb5/files/patch-kadmin-server-misc.c new file mode 100644 index 000000000000..ed09a06ac7c6 --- /dev/null +++ b/security/krb5/files/patch-kadmin-server-misc.c @@ -0,0 +1,15 @@ +--- kadmin/server/misc.c.orig Sat Mar 11 14:23:28 2006 ++++ kadmin/server/misc.c Wed Apr 4 13:53:04 2007 +@@ -171,3 +171,12 @@ + + return kadm5_free_principal_ent(handle->lhandle, &princ); + } ++ ++#define MAXPRINCLEN 125 ++ ++void ++trunc_name(size_t *len, char **dots) ++{ ++ *dots = *len > MAXPRINCLEN ? "..." : ""; ++ *len = *len > MAXPRINCLEN ? MAXPRINCLEN : *len; ++} diff --git a/security/krb5/files/patch-kadmin-server-misc.h b/security/krb5/files/patch-kadmin-server-misc.h new file mode 100644 index 000000000000..bdae6f75806f --- /dev/null +++ b/security/krb5/files/patch-kadmin-server-misc.h 
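Review bot: In the `fail_princ` logging call, `slen` is declared `size_t` but is passed as the `*` precision of `%.*s`, which the C standard requires to be an `int`; on LP64 platforms a 64-bit argument is consumed as 32 bits, which is undefined behaviour and is what `-Wformat` flags. Because `trunc_name()` has just clamped `slen` to at most `MAXPRINCLEN`, an explicit cast is lossless: `slen, gss_str.value, sdots` → `(int)slen, gss_str.value, sdots`. The same mismatch recurs at every `%.*s` fed from a `size_t` produced by `trunc_name()` in this commit — `ovsec_kadmd.c` (clen/slen), `schpw.c` (clen), `server_stubs.c` (`log_unauth`, `log_done`, and the `init_2_svc` call) — and `do_tgs_req.c` passes an `unsigned int` tlen, which is the same kind of mismatch. The enclosing function starts outside this hunk.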
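Review bot: The new `trunc_name()` and `MAXPRINCLEN` in misc.c are undocumented, yet every kadmind log site in this commit relies on their contract (that `*len` is clamped for use as a `%.*s` precision and `*dots` is a suffix to print immediately after it). A header comment would pin that down: `/* Clamp *len to MAXPRINCLEN for use as a %.*s precision; *dots becomes "..." when truncation occurred, else "". */`, and a sentence on why 125 was chosen would help the next maintainer. `*dots` is only ever assigned string literals, so `const char **dots` would be the more accurate type, though that means changing the `char *sdots`/`cdots` declarations at the callers too.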
@@ -0,0 +1,8 @@ +--- kadmin/server/misc.h.orig Tue Oct 11 21:09:19 2005 ++++ kadmin/server/misc.h Wed Apr 4 13:53:04 2007 +@@ -45,3 +45,5 @@ + #ifdef SVC_GETARGS + void kadm_1(struct svc_req *, SVCXPRT *); + #endif ++ ++void trunc_name(size_t *len, char **dots); diff --git a/security/krb5/files/patch-kadmin-server-ovsec_kadmd.c b/security/krb5/files/patch-kadmin-server-ovsec_kadmd.c new file mode 100644 index 000000000000..461aa2b0b700 --- /dev/null +++ b/security/krb5/files/patch-kadmin-server-ovsec_kadmd.c 
@@ -0,0 +1,55 @@ +--- kadmin/server/ovsec_kadmd.c.orig Tue Jan 9 12:21:43 2007 ++++ kadmin/server/ovsec_kadmd.c Wed Apr 4 13:53:04 2007 +@@ -992,6 +992,8 @@ + rpcproc_t proc; + int i; + const char *procname; ++ size_t clen, slen; ++ char *cdots, *sdots; + + client.length = 0; + client.value = NULL; +@@ -1000,10 +1002,20 @@ + + (void) gss_display_name(&minor, client_name, &client, &gss_type); + (void) gss_display_name(&minor, server_name, &server, &gss_type); +- if (client.value == NULL) ++ if (client.value == NULL) { + client.value = "(null)"; +- if (server.value == NULL) ++ clen = sizeof("(null)") -1; ++ } else { ++ clen = client.length; ++ } ++ trunc_name(&clen, &cdots); ++ if (server.value == NULL) { + server.value = "(null)"; ++ slen = sizeof("(null)") - 1; ++ } else { ++ slen = server.length; ++ } ++ trunc_name(&slen, &sdots); + a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); + + proc = msg->rm_call.cb_proc; +@@ -1016,14 +1028,14 @@ + } + if (procname != NULL) + krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, " +- "claimed client = %s, server = %s, addr = %s", +- procname, client.value, +- server.value, a); ++ "claimed client = %.*s%s, server = %.*s%s, addr = %s", ++ procname, clen, client.value, cdots, ++ slen, server.value, sdots, a); + else + krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, " +- "claimed client = %s, server = %s, addr = %s", +- proc, client.value, +- server.value, a); ++ "claimed client = %.*s%s, server = %.*s%s, addr = %s", ++ proc, clen, client.value, cdots, ++ slen, server.value, sdots, a); + + (void) gss_release_buffer(&minor, &client); + (void) gss_release_buffer(&minor, &server); diff --git a/security/krb5/files/patch-kadmin-server-schpw b/security/krb5/files/patch-kadmin-server-schpw new file mode 100644 index 000000000000..e69de29bb2d1 --- /dev/null +++ b/security/krb5/files/patch-kadmin-server-schpw 
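Review bot: The commit adds two zero-length files, `security/krb5/files/patch-kadmin-server-schpw` and `security/krb5/files/patch-kadmin-server-schpw.c.c` (both index lines point at blob e69de29bb2d1), next to the real `patch-kadmin-server-schpw.c`; the names look like editor or rename leftovers rather than intended patches. The ports framework feeds every `files/patch-*` to patch(1) during the patch stage, so an empty input is at best noise in the build log and may be treated as an error depending on the patch(1) in use — worth confirming, but either way the two files should be dropped from the commit.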
diff --git a/security/krb5/files/patch-kadmin-server-schpw.c b/security/krb5/files/patch-kadmin-server-schpw.c new file mode 100644 index 000000000000..673d69b4e937 --- /dev/null +++ b/security/krb5/files/patch-kadmin-server-schpw.c @@ -0,0 +1,26 @@ +--- kadmin/server/schpw.c.orig Thu Apr 13 11:58:56 2006 ++++ kadmin/server/schpw.c Wed Apr 4 13:53:04 2007 +@@ -40,6 +40,8 @@ + int numresult; + char strresult[1024]; + char *clientstr; ++ size_t clen; ++ char *cdots; + + ret = 0; + rep->length = 0; +@@ -258,9 +260,12 @@ + free(ptr); + clear.length = 0; + +- krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s", ++ clen = strlen(clientstr); ++ trunc_name(&clen, &cdots); ++ krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s", + inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr), +- clientstr, ret ? krb5_get_error_message (context, ret) : "success"); ++ clen, clientstr, cdots, ++ ret ? krb5_get_error_message (context, ret) : "success"); + krb5_free_unparsed_name(context, clientstr); + + if (ret) { diff --git a/security/krb5/files/patch-kadmin-server-schpw.c.c b/security/krb5/files/patch-kadmin-server-schpw.c.c new file mode 100644 index 000000000000..e69de29bb2d1 --- /dev/null +++ b/security/krb5/files/patch-kadmin-server-schpw.c.c diff --git a/security/krb5/files/patch-kadmin-server-server_stubs.c b/security/krb5/files/patch-kadmin-server-server_stubs.c new file mode 100644 index 000000000000..927cd1900593 --- /dev/null +++ b/security/krb5/files/patch-kadmin-server-server_stubs.c 
@@ -0,0 +1,608 @@ +--- kadmin/server/server_stubs.c.orig Thu Apr 13 11:58:56 2006 ++++ kadmin/server/server_stubs.c Wed Apr 4 13:53:04 2007 +@@ -14,6 +14,7 @@ + #include <arpa/inet.h> /* inet_ntoa */ + #include <adm_proto.h> /* krb5_klog_syslog */ + #include "misc.h" ++#include <string.h> + + #define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s" + #define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s" +@@ -237,6 +238,61 @@ + return 0; + } + ++static int ++log_unauth( ++ char *op, ++ char *target, ++ gss_buffer_t client, ++ gss_buffer_t server, ++ struct svc_req *rqstp) ++{ ++ size_t tlen, clen, slen; ++ char *tdots, *cdots, *sdots; ++ ++ tlen = strlen(target); ++ trunc_name(&tlen, &tdots); ++ clen = client->length; ++ trunc_name(&clen, &cdots); ++ slen = server->length; ++ trunc_name(&slen, &sdots); ++ ++ return krb5_klog_syslog(LOG_NOTICE, ++ "Unauthorized request: %s, %.*s%s, " ++ "client=%.*s%s, service=%.*s%s, addr=%s", ++ op, tlen, target, tdots, ++ clen, client->value, cdots, ++ slen, server->value, sdots, ++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++} ++ ++static int ++log_done( ++ char *op, ++ char *target, ++ char *errmsg, ++ gss_buffer_t client, ++ gss_buffer_t server, ++ struct svc_req *rqstp) ++{ ++ size_t tlen, clen, slen; ++ char *tdots, *cdots, *sdots; ++ ++ tlen = strlen(target); ++ trunc_name(&tlen, &tdots); ++ clen = client->length; ++ trunc_name(&clen, &cdots); ++ slen = server->length; ++ trunc_name(&slen, &sdots); ++ ++ return krb5_klog_syslog(LOG_NOTICE, ++ "Request: %s, %.*s%s, %s, " ++ "client=%.*s%s, service=%.*s%s, addr=%s", ++ op, tlen, target, tdots, errmsg, ++ clen, client->value, cdots, ++ slen, server->value, sdots, ++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++} ++ + generic_ret * + create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) + { +@@ -275,9 +331,8 @@ + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = 
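Review bot: `log_unauth()` and `log_done()` call `strlen(target)` unconditionally, but several callers further down pass a `target` that the neighbouring code treats as possibly NULL: in the policy stubs (`kadm5_create_policy`, `kadm5_delete_policy`, `kadm5_modify_policy` and the `funcname` get_policy stub) `log_done()` receives `((prime_arg == NULL) ? "(null)" : prime_arg)` while the paired `log_unauth()` receives bare `prime_arg`. The old `%s` with a NULL pointer was already undefined, but glibc happened to print `(null)`; `strlen(NULL)` in a daemon handling authenticated-but-unauthorized requests is a deterministic crash, so the guard belongs inside the helpers: `if (target == NULL) target = "(null)";` as the first statement of both, after which the callers' ternaries become redundant. Whether `prime_arg` can actually be NULL at those sites depends on the stubs' setup code outside the hunks; please confirm before relying on the ternaries alone.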
KADM5_AUTH_ADD; +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_create_principal", prime_arg, ++ &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_create_principal((void *)handle, + &arg->rec, arg->mask, +@@ -287,10 +342,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_create_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +@@ -341,9 +394,8 @@ + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_ADD; +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_create_principal", prime_arg, ++ &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_create_principal_3((void *)handle, + &arg->rec, arg->mask, +@@ -355,10 +407,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_create_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + + /* no need to check for NULL. 
Even if it is NULL, atleast error_code will be returned */ + } +@@ -406,9 +456,8 @@ + || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, + arg->princ, NULL)) { + ret.code = KADM5_AUTH_DELETE; +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_delete_principal", prime_arg, ++ &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_delete_principal((void *)handle, arg->princ); + if( ret.code == 0 ) +@@ -416,10 +465,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_delete_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +@@ -469,9 +516,8 @@ + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_MODIFY; +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_modify_principal", prime_arg, ++ &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_modify_principal((void *)handle, &arg->rec, + arg->mask); +@@ -480,10 +526,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_modify_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + + /* no need to check for NULL. 
Even if it is NULL, atleast error_code will be returned */ + } +@@ -546,9 +590,8 @@ + } else + ret.code = KADM5_AUTH_INSUFFICIENT; + if (ret.code != KADM5_OK) { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_rename_principal", prime_arg, ++ &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_rename_principal((void *)handle, arg->src, + arg->dest); +@@ -557,10 +600,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_rename_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + free_server_handle(handle); + free(prime_arg1); +@@ -614,9 +655,8 @@ + arg->princ, + NULL))) { + ret.code = KADM5_AUTH_GET; +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth(funcname, prime_arg, ++ &client_name, &service_name, rqstp); + } else { + if (handle->api_version == KADM5_API_VERSION_1) { + ret.code = kadm5_get_principal_v1((void *)handle, +@@ -636,11 +676,8 @@ + else + errmsg = krb5_get_error_message(handle ? 
handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, +- prime_arg, +- errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done(funcname, prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + + } + free_server_handle(handle); +@@ -688,9 +725,8 @@ + NULL, + NULL)) { + ret.code = KADM5_AUTH_LIST; +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_get_principals", prime_arg, ++ &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_get_principals((void *)handle, + arg->exp, &ret.princs, +@@ -700,11 +736,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals", +- prime_arg, +- errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_get_principals", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + + } + free_server_handle(handle); +@@ -755,9 +788,8 @@ + ret.code = kadm5_chpass_principal((void *)handle, arg->princ, + arg->pass); + } else { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_chpass_principal", prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; + } + +@@ -767,10 +799,8 @@ + else + errmsg = krb5_get_error_message(handle ? 
handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_chpass_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +@@ -828,9 +858,8 @@ + arg->ks_tuple, + arg->pass); + } else { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_chpass_principal", prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; + } + +@@ -840,10 +869,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_chpass_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +@@ -892,9 +919,8 @@ + ret.code = kadm5_setv4key_principal((void *)handle, arg->princ, + arg->keyblock); + } else { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_setv4key_principal", prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_SETKEY; + } + +@@ -904,10 +930,8 @@ + else + errmsg = krb5_get_error_message(handle ? 
handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_setv4key_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +@@ -956,9 +980,8 @@ + ret.code = kadm5_setkey_principal((void *)handle, arg->princ, + arg->keyblocks, arg->n_keys); + } else { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_setkey_principal", prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_SETKEY; + } + +@@ -968,10 +991,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_setkey_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +@@ -1023,9 +1044,8 @@ + arg->ks_tuple, + arg->keyblocks, arg->n_keys); + } else { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_setkey_principal", prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_SETKEY; + } + +@@ -1035,10 +1055,8 @@ + else + errmsg = krb5_get_error_message(handle ? 
handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_setkey_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +@@ -1097,9 +1115,8 @@ + ret.code = kadm5_randkey_principal((void *)handle, arg->princ, + &k, &nkeys); + } else { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth(funcname, prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; + } + +@@ -1119,10 +1136,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done(funcname, prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + free_server_handle(handle); + free(prime_arg); +@@ -1185,9 +1200,8 @@ + arg->ks_tuple, + &k, &nkeys); + } else { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth(funcname, prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; + } + +@@ -1207,10 +1221,8 @@ + else + errmsg = krb5_get_error_message(handle ? 
handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done(funcname, prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + free_server_handle(handle); + free(prime_arg); +@@ -1253,10 +1265,9 @@ + rqst2name(rqstp), + ACL_ADD, NULL, NULL)) { + ret.code = KADM5_AUTH_ADD; +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); +- ++ log_unauth("kadm5_create_policy", prime_arg, ++ &client_name, &service_name, rqstp); ++ + } else { + ret.code = kadm5_create_policy((void *)handle, &arg->rec, + arg->mask); +@@ -1265,11 +1276,9 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy", +- ((prime_arg == NULL) ? "(null)" : prime_arg), +- errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_create_policy", ++ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, ++ &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +@@ -1310,9 +1319,8 @@ + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, + rqst2name(rqstp), + ACL_DELETE, NULL, NULL)) { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_delete_policy", prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_DELETE; + } else { + ret.code = kadm5_delete_policy((void *)handle, arg->name); +@@ -1321,11 +1329,9 @@ + else + errmsg = krb5_get_error_message(handle ? 
handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy", +- ((prime_arg == NULL) ? "(null)" : prime_arg), +- errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_delete_policy", ++ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, ++ &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +@@ -1366,9 +1372,8 @@ + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, + rqst2name(rqstp), + ACL_MODIFY, NULL, NULL)) { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_modify_policy", prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_MODIFY; + } else { + ret.code = kadm5_modify_policy((void *)handle, &arg->rec, +@@ -1378,11 +1383,9 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy", +- ((prime_arg == NULL) ? "(null)" : prime_arg), +- errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_modify_policy", ++ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, ++ &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +@@ -1464,15 +1467,12 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, +- ((prime_arg == NULL) ? "(null)" : prime_arg), +- errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done(funcname, ++ ((prime_arg == NULL) ? 
"(null)" : prime_arg), errmsg, ++ &client_name, &service_name, rqstp); + } else { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth(funcname, prime_arg, ++ &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +@@ -1517,9 +1517,8 @@ + rqst2name(rqstp), + ACL_LIST, NULL, NULL)) { + ret.code = KADM5_AUTH_LIST; +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_get_policies", prime_arg, ++ &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_get_policies((void *)handle, + arg->exp, &ret.pols, +@@ -1529,11 +1528,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies", +- prime_arg, +- errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_get_policies", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +@@ -1573,11 +1569,8 @@ + else + errmsg = krb5_get_error_message(handle ? 
handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs", +- client_name.value, +- errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_get_privs", client_name.value, errmsg, ++ &client_name, &service_name, rqstp); + + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +@@ -1594,6 +1587,8 @@ + kadm5_server_handle_t handle; + OM_uint32 minor_stat; + char *errmsg = 0; ++ size_t clen, slen; ++ char *cdots, *sdots; + + xdr_free(xdr_generic_ret, &ret); + +@@ -1612,14 +1607,22 @@ + + if (ret.code != 0) + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d", +- (ret.api_version == KADM5_API_VERSION_1 ? +- "kadm5_init (V1)" : "kadm5_init"), +- client_name.value, +- (ret.code == 0) ? "success" : errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), +- rqstp->rq_cred.oa_flavor); ++ else ++ errmsg = "success"; ++ ++ clen = client_name.length; ++ trunc_name(&clen, &cdots); ++ slen = service_name.length; ++ trunc_name(&slen, &sdots); ++ krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, " ++ "client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d", ++ (ret.api_version == KADM5_API_VERSION_1 ? ++ "kadm5_init (V1)" : "kadm5_init"), ++ clen, client_name.value, cdots, errmsg, ++ clen, client_name.value, cdots, ++ slen, service_name.value, sdots, ++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), ++ rqstp->rq_cred.oa_flavor); + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); + diff --git a/security/krb5/files/patch-kdc-do_tgs_req.c b/security/krb5/files/patch-kdc-do_tgs_req.c new file mode 100644 index 000000000000..d6cfa2133209 --- /dev/null +++ b/security/krb5/files/patch-kdc-do_tgs_req.c 
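Review bot: `kadm5_get_privs` now passes `client_name.value` as the `target` argument of `log_done()`, which calls `strlen()` on it, but `client_name` is a GSS buffer whose length lives in `client_name.length` and is printed everywhere else in this patch with `%.*s` precisely because the buffer is not assumed NUL-terminated. The old code had the same `%s` on `client_name.value`, so this is not a regression, but the new helper makes the assumption explicit: if `gss_display_name()` in the mechanisms in use does not guarantee a terminator, `strlen()` can read past the buffer. Consider a `log_done` variant that takes the target as a `gss_buffer_t` and uses `trunc_name()` on its `.length`, as the client/service fields already do. The enclosing function starts and ends outside the hunk.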
@@ -0,0 +1,65 @@ +--- kdc/do_tgs_req.c.orig Fri Oct 13 14:08:07 2006 ++++ kdc/do_tgs_req.c Wed Apr 4 13:53:04 2007 +@@ -491,28 +491,38 @@ + newtransited = 1; + } + if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) { ++ unsigned int tlen; ++ char *tdots; ++ + errcode = krb5_check_transited_list (kdc_context, + &enc_tkt_reply.transited.tr_contents, + krb5_princ_realm (kdc_context, header_ticket->enc_part2->client), + krb5_princ_realm (kdc_context, request->server)); ++ tlen = enc_tkt_reply.transited.tr_contents.length; ++ tdots = tlen > 125 ? "..." : ""; ++ tlen = tlen > 125 ? 125 : tlen; ++ + if (errcode == 0) { + setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED); + } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT) + krb5_klog_syslog (LOG_INFO, +- "bad realm transit path from '%s' to '%s' via '%.*s'", ++ "bad realm transit path from '%s' to '%s' " ++ "via '%.*s%s'", + cname ? cname : "<unknown client>", + sname ? sname : "<unknown server>", +- enc_tkt_reply.transited.tr_contents.length, +- enc_tkt_reply.transited.tr_contents.data); ++ tlen, ++ enc_tkt_reply.transited.tr_contents.data, ++ tdots); + else { + const char *emsg = krb5_get_error_message(kdc_context, errcode); + krb5_klog_syslog (LOG_ERR, +- "unexpected error checking transit from '%s' to '%s' via '%.*s': %s", ++ "unexpected error checking transit from " ++ "'%s' to '%s' via '%.*s%s': %s", + cname ? cname : "<unknown client>", + sname ? 
sname : "<unknown server>", +- enc_tkt_reply.transited.tr_contents.length, ++ tlen, + enc_tkt_reply.transited.tr_contents.data, +- emsg); ++ tdots, emsg); + krb5_free_error_message(kdc_context, emsg); + } + } else +@@ -542,6 +552,9 @@ + if (!krb5_principal_compare(kdc_context, request->server, client2)) { + if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp))) + tmp = 0; ++ if (tmp != NULL) ++ limit_string(tmp); ++ + krb5_klog_syslog(LOG_INFO, + "TGS_REQ %s: 2ND_TKT_MISMATCH: " + "authtime %d, %s for %s, 2nd tkt client %s", +@@ -816,6 +829,7 @@ + krb5_klog_syslog(LOG_INFO, + "TGS_REQ: issuing alternate <un-unparseable> TGT"); + } else { ++ limit_string(sname); + krb5_klog_syslog(LOG_INFO, + "TGS_REQ: issuing TGT %s", sname); + free(sname); diff --git a/security/krb5/files/patch-kdc-kdc_util.c b/security/krb5/files/patch-kdc-kdc_util.c new file mode 100644 index 000000000000..7ace820c79c0 --- /dev/null +++ b/security/krb5/files/patch-kdc-kdc_util.c @@ -0,0 +1,10 @@ +--- kdc/kdc_util.c.orig Wed Oct 11 17:33:12 2006 ++++ kdc/kdc_util.c Wed Apr 4 13:53:04 2007 +@@ -404,6 +404,7 @@ + + krb5_db_free_principal(kdc_context, &server, nprincs); + if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) { ++ limit_string(sname); + krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'", + sname); + free(sname); diff --git a/security/krb5/files/patch-lib-kadm5-logger.c b/security/krb5/files/patch-lib-kadm5-logger.c new file mode 100644 index 000000000000..f553a359e4a2 --- /dev/null +++ b/security/krb5/files/patch-lib-kadm5-logger.c 
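Review bot: The first do_tgs_req.c hunk re-implements `trunc_name()` inline with a bare `125` used twice (`tdots = tlen > 125 ? "..." : ""; tlen = tlen > 125 ? 125 : tlen;`), the same value that `kadmin/server/misc.c` names `MAXPRINCLEN` in this commit. The KDC does not include the kadmin server headers, so sharing the function may not be practical, but the constant should at least be named once in this file (something like `#define KDC_LOG_MAXLEN 125 /* keep in step with MAXPRINCLEN in kadmin/server/misc.c */`) so the two limits do not drift apart. `tlen` is `unsigned int` and is passed as the `%.*s` precision, which expects `int`; `(int)tlen` is safe after the clamp. The enclosing function starts and ends outside the hunk.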
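Review bot: The second and third do_tgs_req.c hunks and the kdc_util.c hunk add calls to `limit_string()`, but no hunk in this commit defines or declares that function, and the set contains no change to the KDC headers. If `limit_string()` already exists in krb5 1.6's kdc sources this is fine; if not, the KDC will fail to link and the log-truncation part of the advisory fix is incomplete — worth verifying against the pristine 1.6 tree before committing. The `if (tmp != NULL) limit_string(tmp);` guard in the 2ND_TKT_MISMATCH hunk suggests `limit_string()` may not accept NULL, while the `issuing TGT` and kdc_util.c call sites pass `sname` unguarded; the surrounding `krb5_unparse_name` checks make those look non-NULL, but a one-line comment on the contract at the call sites would remove the doubt. All three enclosing functions start and end outside the hunks.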
@@ -0,0 +1,33 @@ +--- lib/kadm5/logger.c.orig Mon Jun 19 16:33:36 2006 ++++ lib/kadm5/logger.c Wed Apr 4 13:53:04 2007 +@@ -45,7 +45,7 @@ + #include <varargs.h> + #endif /* HAVE_STDARG_H */ + +-#define KRB5_KLOG_MAX_ERRMSG_SIZE 1024 ++#define KRB5_KLOG_MAX_ERRMSG_SIZE 2048 + #ifndef MAXHOSTNAMELEN + #define MAXHOSTNAMELEN 256 + #endif /* MAXHOSTNAMELEN */ +@@ -261,7 +261,9 @@ + #endif /* HAVE_SYSLOG */ + + /* Now format the actual message */ +-#if HAVE_VSPRINTF ++#if HAVE_VSNPRINTF ++ vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap); ++#elif HAVE_VSPRINTF + vsprintf(cp, actual_format, ap); + #else /* HAVE_VSPRINTF */ + sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1], +@@ -850,7 +852,9 @@ + syslogp = &outbuf[strlen(outbuf)]; + + /* Now format the actual message */ +-#ifdef HAVE_VSPRINTF ++#ifdef HAVE_VSNPRINTF ++ vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist); ++#elif HAVE_VSPRINTF + vsprintf(syslogp, format, arglist); + #else /* HAVE_VSPRINTF */ + sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1], |
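Review bot: Both logger.c hunks bound the write only when `HAVE_VSNPRINTF` is defined and otherwise fall through to the old unbounded `vsprintf()`/`sprintf()`, yet nothing in this commit adds a configure check for `vsnprintf`. If krb5 1.6's configure does not already define `HAVE_VSNPRINTF` in its config header, both hunks compile to the pre-patch code and the `krb5_klog_syslog` overflow named in the commit message is not fixed; please confirm by inspecting the generated config header on the build host. The raised `KRB5_KLOG_MAX_ERRMSG_SIZE` (1024 → 2048) only enlarges the target buffer and is not a fix by itself. As a minor style point, the first hunk tests `#if HAVE_VSNPRINTF` and the second `#ifdef HAVE_VSNPRINTF`, mirroring the pre-existing inconsistency for `HAVE_VSPRINTF`; pick one form. Both enclosing functions start and end outside the hunks.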