Security fixes for SA21402:

"A security issue has been reported in Kerberos, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. The security issue is caused due to missing checks for whether the "setuid()" call has succeeded in the bundled krshd and v4rcp applications. This can be exploited to disclose or manipulate the contents of arbitrary files or execute arbitrary code with root privileges if the "setuid()" call fails due to e.g. resource limits." http://secunia.com/advisories/21402/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3083 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3084 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-001-setuid.txt Bump PKGREVISION.
author: salo <salo@pkgsrc.org> 2006-08-09 17:31:10 +0000
committer: salo <salo@pkgsrc.org> 2006-08-09 17:31:10 +0000
commit: bb3e8f5e8d22041da1d45112f433f3ce6e225ca7 (patch)
tree: d402f8e51826cf28998215f2f46fe684e6e8247a /security/mit-krb5
parent: 67a85ba51729156556bc33265838253d69ab6e51 (diff)
download: pkgsrc-bb3e8f5e8d22041da1d45112f433f3ce6e225ca7.tar.gz
9 files changed, 199 insertions, 3 deletions
diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile
index d6381897227..58df00cbf35 100644
--- a/security/mit-krb5/Makefile
+++ b/security/mit-krb5/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.37 2006/04/22 09:22:14 rillig Exp $
+# $NetBSD: Makefile,v 1.38 2006/08/09 17:31:10 salo Exp $
 
 DISTNAME=	krb5-1.4.2
 PKGNAME=	mit-${DISTNAME:S/-signed$//}
-PKGREVISION=	2
+PKGREVISION=	3
 CATEGORIES=	security
 MASTER_SITES=	http://web.mit.edu/kerberos/dist/krb5/1.4/
 DISTFILES=	${DISTNAME}-signed${EXTRACT_SUFX}
diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo
index d112bf7fcc6..8bac9094368 100644
--- a/security/mit-krb5/distinfo
+++ b/security/mit-krb5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.14 2006/03/17 15:44:45 joerg Exp $
+$NetBSD: distinfo,v 1.15 2006/08/09 17:31:10 salo Exp $
 
 SHA1 (krb5-1.4.2-signed.tar) = bbc03bd319d539fb9523c2545d80ba0784522e88
 RMD160 (krb5-1.4.2-signed.tar) = 44500f5fab8e5959cf43f17f5f52f68e2dc73a1f
@@ -14,3 +14,10 @@ SHA1 (patch-ah) = 59a6bfc341a22234b38db406abe83b0d6d358a9f
 SHA1 (patch-aj) = 5c633571ea932ce349065cbb4c3bf482cc971675
 SHA1 (patch-ak) = 9d95372fd8edddbf0366e83a51d7a0b8a507f218
 SHA1 (patch-al) = fb611fe47bd7c773d7baf11424e90cd3af70c422
+SHA1 (patch-am) = 050690479d75c5df6e89424bac594ab48ae98a8c
+SHA1 (patch-an) = ccf76eecb4a0f3b4c7addd37ab8391dc831caa41
+SHA1 (patch-ao) = 22f907ce8c6d66582523b05326a9e8d56ae28401
+SHA1 (patch-ap) = c77a8f7bc35aa184e510bac576c12f55d5cfbf65
+SHA1 (patch-aq) = 52429b712ca7a478caeb76fd165585c7aab7fa02
+SHA1 (patch-ar) = 37807c14f03533aef8796ac90e5fac36ff98308a
+SHA1 (patch-as) = b155219fd512b59f698497af1bf6acf1ca4f4a34
diff --git a/security/mit-krb5/patches/patch-am b/security/mit-krb5/patches/patch-am
new file mode 100644
index 00000000000..da683b8dcd1
--- /dev/null
+++ b/security/mit-krb5/patches/patch-am
@@ -0,0 +1,39 @@
+$NetBSD: patch-am,v 1.1 2006/08/09 17:31:10 salo Exp $
+
+Security fix for SA21402.
+
+--- appl/gssftp/ftpd/ftpd.c.orig	2005-01-21 23:46:46.000000000 +0100
++++ appl/gssftp/ftpd/ftpd.c	2006-08-09 18:52:53.000000000 +0200
+@@ -1368,7 +1368,9 @@ getdatasock(fmode)
+ 			goto bad;
+ 		sleep(tries);
+ 	}
+-	(void) krb5_seteuid((uid_t)pw->pw_uid);
++	if (krb5_seteuid((uid_t)pw->pw_uid)) {
++		fatal("seteuid user");
++	}
+ #ifdef IP_TOS
+ #ifdef IPTOS_THROUGHPUT
+ 	on = IPTOS_THROUGHPUT;
+@@ -1378,7 +1380,9 @@ getdatasock(fmode)
+ #endif
+ 	return (fdopen(s, fmode));
+ bad:
+-	(void) krb5_seteuid((uid_t)pw->pw_uid);
++	if (krb5_seteuid((uid_t)pw->pw_uid)) {
++		fatal("seteuid user");
++	}
+ 	(void) close(s);
+ 	return (NULL);
+ }
+@@ -2187,7 +2191,9 @@ passive()
+ 		(void) krb5_seteuid((uid_t)pw->pw_uid);
+ 		goto pasv_error;
+ 	}
+-	(void) krb5_seteuid((uid_t)pw->pw_uid);
++	if (krb5_seteuid((uid_t)pw->pw_uid)) {
++		fatal("seteuid user");
++	}
+ 	len = sizeof(pasv_addr);
+ 	if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0)
+ 		goto pasv_error;
diff --git a/security/mit-krb5/patches/patch-an b/security/mit-krb5/patches/patch-an
new file mode 100644
index 00000000000..822a5c6353b
--- /dev/null
+++ b/security/mit-krb5/patches/patch-an
@@ -0,0 +1,30 @@
+$NetBSD: patch-an,v 1.1 2006/08/09 17:31:10 salo Exp $
+
+Security fix for SA21402.
+
+--- appl/bsd/v4rcp.c.orig	2002-07-12 22:21:31.000000000 +0200
++++ appl/bsd/v4rcp.c	2006-08-09 18:52:53.000000000 +0200
+@@ -436,7 +436,10 @@ int main(argc, argv)
+ 			kstream_set_buffer_mode (krem, 0);
+ #endif /* KERBEROS && !NOENCRYPTION */
+ 			(void) response();
+-			(void) setuid(userid);
++			if (setuid(userid)) {
++			    error("rcp: can't setuid(user)\n");
++			    exit(1);
++			}
+ 			source(--argc, ++argv);
+ 			exit(errs);
+ 
+@@ -452,7 +455,10 @@ int main(argc, argv)
+ 				krem = kstream_create_from_fd (rem, 0, 0);
+ 			kstream_set_buffer_mode (krem, 0);
+ #endif /* KERBEROS && !NOENCRYPTION */
+-			(void) setuid(userid);
++			if (setuid(userid)) {
++			    error("rcp: can't setuid(user)\n");
++			    exit(1);
++			}
+ 			sink(--argc, ++argv);
+ 			exit(errs);
+ 
diff --git a/security/mit-krb5/patches/patch-ao b/security/mit-krb5/patches/patch-ao
new file mode 100644
index 00000000000..1623919578d
--- /dev/null
+++ b/security/mit-krb5/patches/patch-ao
@@ -0,0 +1,38 @@
+$NetBSD: patch-ao,v 1.1 2006/08/09 17:31:10 salo Exp $
+
+Security fix for SA21402.
+
+--- appl/bsd/krcp.c.orig	2003-05-10 02:00:58.000000000 +0200
++++ appl/bsd/krcp.c	2006-08-09 18:52:53.000000000 +0200
+@@ -620,7 +620,9 @@ int main(argc, argv)
+ 				   
+ 		euid = geteuid();
+ 		if (euid == 0) {
+-		    (void) setuid(0);
++		    if (setuid(0)) {
++			perror("rcp setuid 0"); errs++; exit(errs);
++		    }
+ 		    if(krb5_seteuid(userid)) {
+ 			perror("rcp seteuid user"); errs++; exit(errs);
+ 		    }
+@@ -638,11 +640,17 @@ int main(argc, argv)
+ 		  continue;
+ 		rcmd_stream_init_normal();
+ #ifdef HAVE_SETREUID
+-		(void) setreuid(0, userid);
++		if (setreuid(0, userid)) {
++		    perror("rcp setreuid 0,user"); errs++; exit(errs);
++		}
+ 		sink(1, argv+argc-1);
+-		(void) setreuid(userid, 0);
++		if (setreuid(userid, 0)) {
++		    perror("rcp setreuid user,0"); errs++; exit(errs);
++		}
+ #else
+-		(void) setuid(0);
++		if (setuid(0)) {
++		  perror("rcp setuid 0"); errs++; exit(errs);
++		}
+ 		if(seteuid(userid)) {
+ 		  perror("rcp seteuid user"); errs++; exit(errs);
+ 		}
diff --git a/security/mit-krb5/patches/patch-ap b/security/mit-krb5/patches/patch-ap
new file mode 100644
index 00000000000..612b419b981
--- /dev/null
+++ b/security/mit-krb5/patches/patch-ap
@@ -0,0 +1,18 @@
+$NetBSD: patch-ap,v 1.1 2006/08/09 17:31:10 salo Exp $
+
+Security fix for SA21402.
+
+--- appl/bsd/login.c.orig	2005-04-07 23:17:25.000000000 +0200
++++ appl/bsd/login.c	2006-08-09 18:52:53.000000000 +0200
+@@ -1648,7 +1648,10 @@ int main(argc, argv)
+ 	}
+ #endif	/* HAVE_SETLUID */
+ #ifdef _IBMR2
+-    setuidx(ID_LOGIN, pwd->pw_uid);
++    if (setuidx(ID_LOGIN, pwd->pw_uid) < 0) {
++	perror("setuidx");
++	sleepexit(1);
++    };
+ #endif
+ 
+     /* This call MUST succeed */
diff --git a/security/mit-krb5/patches/patch-aq b/security/mit-krb5/patches/patch-aq
new file mode 100644
index 00000000000..c91badb3ddc
--- /dev/null
+++ b/security/mit-krb5/patches/patch-aq
@@ -0,0 +1,24 @@
+$NetBSD: patch-aq,v 1.1 2006/08/09 17:31:10 salo Exp $
+
+Security fix for SA21402.
+
+--- appl/bsd/krshd.c.orig	2005-04-07 23:17:25.000000000 +0200
++++ appl/bsd/krshd.c	2006-08-09 18:52:53.000000000 +0200
+@@ -1379,9 +1379,15 @@ void doit(f, fromp)
+      * If we're on a system which keeps track of login uids, then
+      * set the login uid. 
+      */
+-    setluid((uid_t) pwd->pw_uid);
++    if (setluid((uid_t) pwd->pw_uid) < 0) {
++	perror("setluid");
++	_exit(1);
++    }
+ #endif	/* HAVE_SETLUID */
+-    (void) setuid((uid_t)pwd->pw_uid);
++    if (setuid((uid_t)pwd->pw_uid) < 0) {
++	perror("setuid");
++	_exit(1);
++    }
+     /* if TZ is set in the parent, drag it in */
+     {
+       char **findtz = environ;
diff --git a/security/mit-krb5/patches/patch-ar b/security/mit-krb5/patches/patch-ar
new file mode 100644
index 00000000000..6443fdae025
--- /dev/null
+++ b/security/mit-krb5/patches/patch-ar
@@ -0,0 +1,20 @@
+$NetBSD: patch-ar,v 1.1 2006/08/09 17:31:10 salo Exp $
+
+Security fix for SA21402.
+
+--- clients/ksu/main.c.orig	2002-08-14 21:14:49.000000000 +0200
++++ clients/ksu/main.c	2006-08-09 18:52:53.000000000 +0200
+@@ -892,8 +892,11 @@ static void sweep_up(context, cc)
+     const char * cc_name;
+     struct stat  st_temp;
+ 
+-    krb5_seteuid(0);
+-    krb5_seteuid(target_uid);
++    if (krb5_seteuid(0) < 0 || krb5_seteuid(target_uid) < 0) {
++	com_err(prog_name, errno,
++		"while returning to source uid for destroying ccache");
++	exit(1);
++    }
+     
+     cc_name = krb5_cc_get_name(context, cc);
+     if ( ! stat(cc_name, &st_temp)){
diff --git a/security/mit-krb5/patches/patch-as b/security/mit-krb5/patches/patch-as
new file mode 100644
index 00000000000..dd64800c0d2
--- /dev/null
+++ b/security/mit-krb5/patches/patch-as
@@ -0,0 +1,20 @@
+$NetBSD: patch-as,v 1.1 2006/08/09 17:31:10 salo Exp $
+
+Security fix for SA21402.
+
+--- lib/krb4/kuserok.c.orig	2003-03-05 04:38:51.000000000 +0100
++++ lib/krb4/kuserok.c	2006-08-09 18:52:53.000000000 +0200
+@@ -159,9 +159,11 @@ kuserok(kdata, luser)
+ 	 */
+         if(getuid() == 0) {
+ 	  uid_t old_euid = geteuid();
+-	  seteuid(pwd->pw_uid);
++	  if (seteuid(pwd->pw_uid) < 0)
++	      return NOTOK;
+ 	  fp = fopen(pbuf, "r");
+-	  seteuid(old_euid);	  
++	  if (seteuid(old_euid) < 0)
++	      return NOTOK;
+ 	  if ((fp) == NULL) {
+ 	    return(NOTOK);
+ 	  }
author	salo <salo@pkgsrc.org>	2006-08-09 17:31:10 +0000
committer	salo <salo@pkgsrc.org>	2006-08-09 17:31:10 +0000
commit	bb3e8f5e8d22041da1d45112f433f3ce6e225ca7 (patch)
tree	d402f8e51826cf28998215f2f46fe684e6e8247a /security/mit-krb5
parent	67a85ba51729156556bc33265838253d69ab6e51 (diff)
download	pkgsrc-bb3e8f5e8d22041da1d45112f433f3ce6e225ca7.tar.gz