diff options
author | salo <salo@pkgsrc.org> | 2006-08-09 17:31:10 +0000 |
---|---|---|
committer | salo <salo@pkgsrc.org> | 2006-08-09 17:31:10 +0000 |
commit | 56e259968eb9e2804772296a69b43209e910b889 (patch) | |
tree | d402f8e51826cf28998215f2f46fe684e6e8247a /security | |
parent | d73d8f89cc70d8ac5b0ec0891f2c13757b43dd0a (diff) | |
download | pkgsrc-56e259968eb9e2804772296a69b43209e910b889.tar.gz |
Security fixes for SA21402:
"A security issue has been reported in Kerberos, which potentially can
be exploited by malicious, local users to perform certain actions with
escalated privileges.
The security issue is caused due to missing checks for whether the
"setuid()" call has succeeded in the bundled krshd and v4rcp
applications. This can be exploited to disclose or manipulate the
contents of arbitrary files or execute arbitrary code with root
privileges if the "setuid()" call fails due to e.g. resource limits."
http://secunia.com/advisories/21402/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3084
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-001-setuid.txt
Bump PKGREVISION.
Diffstat (limited to 'security')
-rw-r--r-- | security/mit-krb5/Makefile | 4 | ||||
-rw-r--r-- | security/mit-krb5/distinfo | 9 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-am | 39 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-an | 30 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-ao | 38 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-ap | 18 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-aq | 24 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-ar | 20 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-as | 20 |
9 files changed, 199 insertions, 3 deletions
diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile index d6381897227..58df00cbf35 100644 --- a/security/mit-krb5/Makefile +++ b/security/mit-krb5/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.37 2006/04/22 09:22:14 rillig Exp $ +# $NetBSD: Makefile,v 1.38 2006/08/09 17:31:10 salo Exp $ DISTNAME= krb5-1.4.2 PKGNAME= mit-${DISTNAME:S/-signed$//} -PKGREVISION= 2 +PKGREVISION= 3 CATEGORIES= security MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/1.4/ DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX} diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo index d112bf7fcc6..8bac9094368 100644 --- a/security/mit-krb5/distinfo +++ b/security/mit-krb5/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.14 2006/03/17 15:44:45 joerg Exp $ +$NetBSD: distinfo,v 1.15 2006/08/09 17:31:10 salo Exp $ SHA1 (krb5-1.4.2-signed.tar) = bbc03bd319d539fb9523c2545d80ba0784522e88 RMD160 (krb5-1.4.2-signed.tar) = 44500f5fab8e5959cf43f17f5f52f68e2dc73a1f @@ -14,3 +14,10 @@ SHA1 (patch-ah) = 59a6bfc341a22234b38db406abe83b0d6d358a9f SHA1 (patch-aj) = 5c633571ea932ce349065cbb4c3bf482cc971675 SHA1 (patch-ak) = 9d95372fd8edddbf0366e83a51d7a0b8a507f218 SHA1 (patch-al) = fb611fe47bd7c773d7baf11424e90cd3af70c422 +SHA1 (patch-am) = 050690479d75c5df6e89424bac594ab48ae98a8c +SHA1 (patch-an) = ccf76eecb4a0f3b4c7addd37ab8391dc831caa41 +SHA1 (patch-ao) = 22f907ce8c6d66582523b05326a9e8d56ae28401 +SHA1 (patch-ap) = c77a8f7bc35aa184e510bac576c12f55d5cfbf65 +SHA1 (patch-aq) = 52429b712ca7a478caeb76fd165585c7aab7fa02 +SHA1 (patch-ar) = 37807c14f03533aef8796ac90e5fac36ff98308a +SHA1 (patch-as) = b155219fd512b59f698497af1bf6acf1ca4f4a34 diff --git a/security/mit-krb5/patches/patch-am b/security/mit-krb5/patches/patch-am new file mode 100644 index 00000000000..da683b8dcd1 --- /dev/null +++ b/security/mit-krb5/patches/patch-am @@ -0,0 +1,39 @@ +$NetBSD: patch-am,v 1.1 2006/08/09 17:31:10 salo Exp $ + +Security fix for SA21402. + +--- appl/gssftp/ftpd/ftpd.c.orig 2005-01-21 23:46:46.000000000 +0100 ++++ appl/gssftp/ftpd/ftpd.c 2006-08-09 18:52:53.000000000 +0200 +@@ -1368,7 +1368,9 @@ getdatasock(fmode) + goto bad; + sleep(tries); + } +- (void) krb5_seteuid((uid_t)pw->pw_uid); ++ if (krb5_seteuid((uid_t)pw->pw_uid)) { ++ fatal("seteuid user"); ++ } + #ifdef IP_TOS + #ifdef IPTOS_THROUGHPUT + on = IPTOS_THROUGHPUT; +@@ -1378,7 +1380,9 @@ getdatasock(fmode) + #endif + return (fdopen(s, fmode)); + bad: +- (void) krb5_seteuid((uid_t)pw->pw_uid); ++ if (krb5_seteuid((uid_t)pw->pw_uid)) { ++ fatal("seteuid user"); ++ } + (void) close(s); + return (NULL); + } +@@ -2187,7 +2191,9 @@ passive() + (void) krb5_seteuid((uid_t)pw->pw_uid); + goto pasv_error; + } +- (void) krb5_seteuid((uid_t)pw->pw_uid); ++ if (krb5_seteuid((uid_t)pw->pw_uid)) { ++ fatal("seteuid user"); ++ } + len = sizeof(pasv_addr); + if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0) + goto pasv_error; diff --git a/security/mit-krb5/patches/patch-an b/security/mit-krb5/patches/patch-an new file mode 100644 index 00000000000..822a5c6353b --- /dev/null +++ b/security/mit-krb5/patches/patch-an @@ -0,0 +1,30 @@ +$NetBSD: patch-an,v 1.1 2006/08/09 17:31:10 salo Exp $ + +Security fix for SA21402. + +--- appl/bsd/v4rcp.c.orig 2002-07-12 22:21:31.000000000 +0200 ++++ appl/bsd/v4rcp.c 2006-08-09 18:52:53.000000000 +0200 +@@ -436,7 +436,10 @@ int main(argc, argv) + kstream_set_buffer_mode (krem, 0); + #endif /* KERBEROS && !NOENCRYPTION */ + (void) response(); +- (void) setuid(userid); ++ if (setuid(userid)) { ++ error("rcp: can't setuid(user)\n"); ++ exit(1); ++ } + source(--argc, ++argv); + exit(errs); + +@@ -452,7 +455,10 @@ int main(argc, argv) + krem = kstream_create_from_fd (rem, 0, 0); + kstream_set_buffer_mode (krem, 0); + #endif /* KERBEROS && !NOENCRYPTION */ +- (void) setuid(userid); ++ if (setuid(userid)) { ++ error("rcp: can't setuid(user)\n"); ++ exit(1); ++ } + sink(--argc, ++argv); + exit(errs); + diff --git a/security/mit-krb5/patches/patch-ao b/security/mit-krb5/patches/patch-ao new file mode 100644 index 00000000000..1623919578d --- /dev/null +++ b/security/mit-krb5/patches/patch-ao @@ -0,0 +1,38 @@ +$NetBSD: patch-ao,v 1.1 2006/08/09 17:31:10 salo Exp $ + +Security fix for SA21402. + +--- appl/bsd/krcp.c.orig 2003-05-10 02:00:58.000000000 +0200 ++++ appl/bsd/krcp.c 2006-08-09 18:52:53.000000000 +0200 +@@ -620,7 +620,9 @@ int main(argc, argv) + + euid = geteuid(); + if (euid == 0) { +- (void) setuid(0); ++ if (setuid(0)) { ++ perror("rcp setuid 0"); errs++; exit(errs); ++ } + if(krb5_seteuid(userid)) { + perror("rcp seteuid user"); errs++; exit(errs); + } +@@ -638,11 +640,17 @@ int main(argc, argv) + continue; + rcmd_stream_init_normal(); + #ifdef HAVE_SETREUID +- (void) setreuid(0, userid); ++ if (setreuid(0, userid)) { ++ perror("rcp setreuid 0,user"); errs++; exit(errs); ++ } + sink(1, argv+argc-1); +- (void) setreuid(userid, 0); ++ if (setreuid(userid, 0)) { ++ perror("rcp setreuid user,0"); errs++; exit(errs); ++ } + #else +- (void) setuid(0); ++ if (setuid(0)) { ++ perror("rcp setuid 0"); errs++; exit(errs); ++ } + if(seteuid(userid)) { + perror("rcp seteuid user"); errs++; exit(errs); + } diff --git a/security/mit-krb5/patches/patch-ap b/security/mit-krb5/patches/patch-ap new file mode 100644 index 00000000000..612b419b981 --- /dev/null +++ b/security/mit-krb5/patches/patch-ap @@ -0,0 +1,18 @@ +$NetBSD: patch-ap,v 1.1 2006/08/09 17:31:10 salo Exp $ + +Security fix for SA21402. + +--- appl/bsd/login.c.orig 2005-04-07 23:17:25.000000000 +0200 ++++ appl/bsd/login.c 2006-08-09 18:52:53.000000000 +0200 +@@ -1648,7 +1648,10 @@ int main(argc, argv) + } + #endif /* HAVE_SETLUID */ + #ifdef _IBMR2 +- setuidx(ID_LOGIN, pwd->pw_uid); ++ if (setuidx(ID_LOGIN, pwd->pw_uid) < 0) { ++ perror("setuidx"); ++ sleepexit(1); ++ }; + #endif + + /* This call MUST succeed */ diff --git a/security/mit-krb5/patches/patch-aq b/security/mit-krb5/patches/patch-aq new file mode 100644 index 00000000000..c91badb3ddc --- /dev/null +++ b/security/mit-krb5/patches/patch-aq @@ -0,0 +1,24 @@ +$NetBSD: patch-aq,v 1.1 2006/08/09 17:31:10 salo Exp $ + +Security fix for SA21402. + +--- appl/bsd/krshd.c.orig 2005-04-07 23:17:25.000000000 +0200 ++++ appl/bsd/krshd.c 2006-08-09 18:52:53.000000000 +0200 +@@ -1379,9 +1379,15 @@ void doit(f, fromp) + * If we're on a system which keeps track of login uids, then + * set the login uid. + */ +- setluid((uid_t) pwd->pw_uid); ++ if (setluid((uid_t) pwd->pw_uid) < 0) { ++ perror("setluid"); ++ _exit(1); ++ } + #endif /* HAVE_SETLUID */ +- (void) setuid((uid_t)pwd->pw_uid); ++ if (setuid((uid_t)pwd->pw_uid) < 0) { ++ perror("setuid"); ++ _exit(1); ++ } + /* if TZ is set in the parent, drag it in */ + { + char **findtz = environ; diff --git a/security/mit-krb5/patches/patch-ar b/security/mit-krb5/patches/patch-ar new file mode 100644 index 00000000000..6443fdae025 --- /dev/null +++ b/security/mit-krb5/patches/patch-ar @@ -0,0 +1,20 @@ +$NetBSD: patch-ar,v 1.1 2006/08/09 17:31:10 salo Exp $ + +Security fix for SA21402. + +--- clients/ksu/main.c.orig 2002-08-14 21:14:49.000000000 +0200 ++++ clients/ksu/main.c 2006-08-09 18:52:53.000000000 +0200 +@@ -892,8 +892,11 @@ static void sweep_up(context, cc) + const char * cc_name; + struct stat st_temp; + +- krb5_seteuid(0); +- krb5_seteuid(target_uid); ++ if (krb5_seteuid(0) < 0 || krb5_seteuid(target_uid) < 0) { ++ com_err(prog_name, errno, ++ "while returning to source uid for destroying ccache"); ++ exit(1); ++ } + + cc_name = krb5_cc_get_name(context, cc); + if ( ! stat(cc_name, &st_temp)){ diff --git a/security/mit-krb5/patches/patch-as b/security/mit-krb5/patches/patch-as new file mode 100644 index 00000000000..dd64800c0d2 --- /dev/null +++ b/security/mit-krb5/patches/patch-as @@ -0,0 +1,20 @@ +$NetBSD: patch-as,v 1.1 2006/08/09 17:31:10 salo Exp $ + +Security fix for SA21402. + +--- lib/krb4/kuserok.c.orig 2003-03-05 04:38:51.000000000 +0100 ++++ lib/krb4/kuserok.c 2006-08-09 18:52:53.000000000 +0200 +@@ -159,9 +159,11 @@ kuserok(kdata, luser) + */ + if(getuid() == 0) { + uid_t old_euid = geteuid(); +- seteuid(pwd->pw_uid); ++ if (seteuid(pwd->pw_uid) < 0) ++ return NOTOK; + fp = fopen(pbuf, "r"); +- seteuid(old_euid); ++ if (seteuid(old_euid) < 0) ++ return NOTOK; + if ((fp) == NULL) { + return(NOTOK); + } |