[PATCH 0/1] Fix CVE-2015-{8629, 8630, 8631}

unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed

* [PATCH 0/1] Fix CVE-2015-{8629, 8630, 8631}
@ 2016-02-05  0:49 Leo Famulari
  2016-02-05  0:49 ` [PATCH 1/1] gnu: mit-krb5: " Leo Famulari
  2016-02-05  1:13 ` [PATCH 0/1] " Mark H Weaver
  0 siblings, 2 replies; 4+ messages in thread
From: Leo Famulari @ 2016-02-05  0:49 UTC (permalink / raw)
  To: guix-devel

These are upstream patches, also applied by Debian:
https://security-tracker.debian.org/tracker/CVE-2015-8629

Can somebody that actually uses mit-krb5 test and push? Or if you'd
rather just push, feel free.

By the way, I'm curious about this package's unusual method of applying
patches. Does anyone have any insight? I read the git history but it
doesn't give much detail on why the "normal" method doesn't work.

Leo Famulari (1):
  gnu: mit-krb5: Fix CVE-2015-{8629, 8630, 8631}.

 gnu-system.am                                     |   3 +
 gnu/packages/mit-krb5.scm                         |   6 +-
 gnu/packages/patches/mit-krb5-CVE-2015-8629.patch |  29 ++
 gnu/packages/patches/mit-krb5-CVE-2015-8630.patch |  59 +++
 gnu/packages/patches/mit-krb5-CVE-2015-8631.patch | 550 ++++++++++++++++++++++
 5 files changed, 646 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8629.patch
 create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8630.patch
 create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8631.patch

-- 
2.6.3

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH 1/1] gnu: mit-krb5: Fix CVE-2015-{8629, 8630, 8631}.
  2016-02-05  0:49 [PATCH 0/1] Fix CVE-2015-{8629, 8630, 8631} Leo Famulari
@ 2016-02-05  0:49 ` Leo Famulari
  2016-02-05  1:13 ` [PATCH 0/1] " Mark H Weaver
  1 sibling, 0 replies; 4+ messages in thread
From: Leo Famulari @ 2016-02-05  0:49 UTC (permalink / raw)
  To: guix-devel

* gnu/packages/patches/mit-krb5-CVE-2015-8629.patch,
gnu/packages/patches/mit-krb5-CVE-2015-8630.patch,
gnu/packages/patches/mit-krb5-CVE-2015-8631.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/mit-krb5.scm (mit-krb5)[native-inputs]: Apply patches.
---
 gnu-system.am                                     |   3 +
 gnu/packages/mit-krb5.scm                         |   6 +-
 gnu/packages/patches/mit-krb5-CVE-2015-8629.patch |  29 ++
 gnu/packages/patches/mit-krb5-CVE-2015-8630.patch |  59 +++
 gnu/packages/patches/mit-krb5-CVE-2015-8631.patch | 550 ++++++++++++++++++++++
 5 files changed, 646 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8629.patch
 create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8630.patch
 create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8631.patch

diff --git a/gnu-system.am b/gnu-system.am
index 04bd519..e6ff131 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -626,6 +626,9 @@ dist_patch_DATA =						\
   gnu/packages/patches/mit-krb5-CVE-2015-2697.patch		\
   gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch		\
   gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch		\
+  gnu/packages/patches/mit-krb5-CVE-2015-8629.patch		\
+  gnu/packages/patches/mit-krb5-CVE-2015-8630.patch		\
+  gnu/packages/patches/mit-krb5-CVE-2015-8631.patch		\
   gnu/packages/patches/mpc123-initialize-ao.patch		\
   gnu/packages/patches/mplayer2-theora-fix.patch		\
   gnu/packages/patches/module-init-tools-moduledir.patch	\
diff --git a/gnu/packages/mit-krb5.scm b/gnu/packages/mit-krb5.scm
index 16bef8d..7591334 100644
--- a/gnu/packages/mit-krb5.scm
+++ b/gnu/packages/mit-krb5.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -54,7 +55,10 @@
                 "CVE-2015-2696"
                 "CVE-2015-2697"
                 "CVE-2015-2698-pt1"
-                "CVE-2015-2698-pt2"))))
+                "CVE-2015-2698-pt2"
+                "CVE-2015-8629"
+                "CVE-2015-8630"
+                "CVE-2015-8631"))))
     (arguments
      `(#:modules ((ice-9 ftw)
                   (ice-9 match)
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch b/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch
new file mode 100644
index 0000000..6d1c3e7
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch
@@ -0,0 +1,29 @@
+Fix CVE-2015-8629 (xdr_nullstring() doesn't check for terminating null
+character).
+
+From upstream git repository, commit
+df17a1224a3406f57477bcd372c61e04c0e5a5bb.
+
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 2bef858..ba67084 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
++++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp)
+ 		    return FALSE;
+ 	       }
+ 	  }
+-	  return (xdr_opaque(xdrs, *objp, size));
++	  if (!xdr_opaque(xdrs, *objp, size))
++		  return FALSE;
++	  /* Check that the unmarshalled bytes are a C string. */
++	  if ((*objp)[size - 1] != '\0')
++		  return FALSE;
++	  if (memchr(*objp, '\0', size - 1) != NULL)
++		  return FALSE;
++	  return TRUE;
+ 
+      case XDR_ENCODE:
+ 	  if (size != 0)
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch b/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch
new file mode 100644
index 0000000..431eb27
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch
@@ -0,0 +1,59 @@
+Fix CVE-2015-8630 (krb5 doesn't check for null policy when KADM5_POLICY
+is set in the mask).
+
+From upstream git repository, commit
+b863de7fbf080b15e347a736fdda0a82d42f4f6b.
+
+diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
+index 5b95fa3..1d4365c 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
++++ b/src/lib/kadm5/srv/svr_principal.c
+@@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle,
+     /*
+      * Argument sanity checking, and opening up the DB
+      */
++    if (entry == NULL)
++        return EINVAL;
+     if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) ||
+        (mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) ||
+        (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
+@@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle,
+         return KADM5_BAD_MASK;
+     if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0)
+         return KADM5_BAD_MASK;
++    if((mask & KADM5_POLICY) && entry->policy == NULL)
++        return KADM5_BAD_MASK;
+     if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
+         return KADM5_BAD_MASK;
+     if((mask & ~ALL_PRINC_MASK))
+         return KADM5_BAD_MASK;
+-    if (entry == NULL)
+-        return EINVAL;
+ 
+     /*
+      * Check to see if the principal exists
+@@ -643,6 +645,8 @@ kadm5_modify_principal(void *server_handle,
+ 
+     krb5_clear_error_message(handle->context);
+ 
++    if(entry == NULL)
++        return EINVAL;
+     if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) ||
+        (mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) ||
+        (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
+@@ -651,10 +655,10 @@ kadm5_modify_principal(void *server_handle,
+         return KADM5_BAD_MASK;
+     if((mask & ~ALL_PRINC_MASK))
+         return KADM5_BAD_MASK;
++    if((mask & KADM5_POLICY) && entry->policy == NULL)
++        return KADM5_BAD_MASK;
+     if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
+         return KADM5_BAD_MASK;
+-    if(entry == (kadm5_principal_ent_t) NULL)
+-        return EINVAL;
+     if (mask & KADM5_TL_DATA) {
+         tl_data_orig = entry->tl_data;
+         while (tl_data_orig) {
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8631.patch b/gnu/packages/patches/mit-krb5-CVE-2015-8631.patch
new file mode 100644
index 0000000..ec036d7
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-8631.patch
@@ -0,0 +1,550 @@
+Fix CVE-2016-8631 (Memory leak caused by supplying a null principal name
+in request).
+
+From upstream git repository, commit
+83ed75feba32e46f736fcce0d96a0445f29b96c2.
+
+diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
+index 1879dc6..6ac797e 100644
+--- a/src/kadmin/server/server_stubs.c
++++ b/src/kadmin/server/server_stubs.c
+@@ -334,7 +334,8 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
+ {
+     static generic_ret          ret;
+     char                        *prime_arg;
+-    gss_buffer_desc             client_name, service_name;
++    gss_buffer_desc             client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc             service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                   minor_stat;
+     kadm5_server_handle_t       handle;
+     restriction_t               *rp;
+@@ -382,10 +383,10 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
+             krb5_free_error_message(handle->context, errmsg);
+     }
+     free(prime_arg);
+-    gss_release_buffer(&minor_stat, &client_name);
+-    gss_release_buffer(&minor_stat, &service_name);
+ 
+ exit_func:
++    gss_release_buffer(&minor_stat, &client_name);
++    gss_release_buffer(&minor_stat, &service_name);
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -395,7 +396,8 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
+ {
+     static generic_ret          ret;
+     char                        *prime_arg;
+-    gss_buffer_desc             client_name, service_name;
++    gss_buffer_desc             client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc             service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                   minor_stat;
+     kadm5_server_handle_t       handle;
+     restriction_t               *rp;
+@@ -444,10 +446,10 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
+             krb5_free_error_message(handle->context, errmsg);
+     }
+     free(prime_arg);
+-    gss_release_buffer(&minor_stat, &client_name);
+-    gss_release_buffer(&minor_stat, &service_name);
+ 
+ exit_func:
++    gss_release_buffer(&minor_stat, &client_name);
++    gss_release_buffer(&minor_stat, &service_name);
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -457,8 +459,8 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp)
+ {
+     static generic_ret              ret;
+     char                            *prime_arg;
+-    gss_buffer_desc                 client_name,
+-        service_name;
++    gss_buffer_desc                 client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc                 service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                       minor_stat;
+     kadm5_server_handle_t           handle;
+     const char                      *errmsg = NULL;
+@@ -501,10 +503,10 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp)
+ 
+     }
+     free(prime_arg);
+-    gss_release_buffer(&minor_stat, &client_name);
+-    gss_release_buffer(&minor_stat, &service_name);
+ 
+ exit_func:
++    gss_release_buffer(&minor_stat, &client_name);
++    gss_release_buffer(&minor_stat, &service_name);
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -514,8 +516,8 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp)
+ {
+     static generic_ret              ret;
+     char                            *prime_arg;
+-    gss_buffer_desc                 client_name,
+-        service_name;
++    gss_buffer_desc                 client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc                 service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                       minor_stat;
+     kadm5_server_handle_t           handle;
+     restriction_t                   *rp;
+@@ -559,9 +561,9 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp)
+             krb5_free_error_message(handle->context, errmsg);
+     }
+     free(prime_arg);
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -570,10 +572,9 @@ generic_ret *
+ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
+ {
+     static generic_ret          ret;
+-    char                        *prime_arg1,
+-        *prime_arg2;
+-    gss_buffer_desc             client_name,
+-        service_name;
++    char                        *prime_arg1 = NULL, *prime_arg2 = NULL;
++    gss_buffer_desc             client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc             service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                   minor_stat;
+     kadm5_server_handle_t       handle;
+     restriction_t               *rp;
+@@ -655,11 +656,11 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
+             krb5_free_error_message(handle->context, errmsg);
+ 
+     }
++exit_func:
+     free(prime_arg1);
+     free(prime_arg2);
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -669,8 +670,8 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
+ {
+     static gprinc_ret               ret;
+     char                            *prime_arg, *funcname;
+-    gss_buffer_desc                 client_name,
+-        service_name;
++    gss_buffer_desc                 client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc                 service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                       minor_stat;
+     kadm5_server_handle_t           handle;
+     const char                      *errmsg = NULL;
+@@ -719,9 +720,9 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
+             krb5_free_error_message(handle->context, errmsg);
+     }
+     free(prime_arg);
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -731,8 +732,8 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
+ {
+     static gprincs_ret              ret;
+     char                            *prime_arg;
+-    gss_buffer_desc                 client_name,
+-        service_name;
++    gss_buffer_desc                 client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc                 service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                       minor_stat;
+     kadm5_server_handle_t           handle;
+     const char                      *errmsg = NULL;
+@@ -777,9 +778,9 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
+             krb5_free_error_message(handle->context, errmsg);
+ 
+     }
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -789,8 +790,8 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp)
+ {
+     static generic_ret              ret;
+     char                            *prime_arg;
+-    gss_buffer_desc                 client_name,
+-        service_name;
++    gss_buffer_desc                 client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc                 service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                       minor_stat;
+     kadm5_server_handle_t           handle;
+     const char                      *errmsg = NULL;
+@@ -840,9 +841,9 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp)
+     }
+ 
+     free(prime_arg);
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -852,8 +853,8 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp)
+ {
+     static generic_ret              ret;
+     char                            *prime_arg;
+-    gss_buffer_desc                 client_name,
+-        service_name;
++    gss_buffer_desc                 client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc                 service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                       minor_stat;
+     kadm5_server_handle_t           handle;
+     const char                      *errmsg = NULL;
+@@ -909,9 +910,9 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp)
+     }
+ 
+     free(prime_arg);
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -921,8 +922,8 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp)
+ {
+     static generic_ret              ret;
+     char                            *prime_arg;
+-    gss_buffer_desc                 client_name,
+-        service_name;
++    gss_buffer_desc                 client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc                 service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                       minor_stat;
+     kadm5_server_handle_t           handle;
+     const char                      *errmsg = NULL;
+@@ -969,9 +970,9 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp)
+     }
+ 
+     free(prime_arg);
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -981,8 +982,8 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp)
+ {
+     static generic_ret              ret;
+     char                            *prime_arg;
+-    gss_buffer_desc                 client_name,
+-        service_name;
++    gss_buffer_desc                 client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc                 service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                       minor_stat;
+     kadm5_server_handle_t           handle;
+     const char                      *errmsg = NULL;
+@@ -1029,9 +1030,9 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp)
+     }
+ 
+     free(prime_arg);
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -1041,8 +1042,8 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp)
+ {
+     static generic_ret              ret;
+     char                            *prime_arg;
+-    gss_buffer_desc                 client_name,
+-        service_name;
++    gss_buffer_desc                 client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc                 service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                       minor_stat;
+     kadm5_server_handle_t           handle;
+     const char                      *errmsg = NULL;
+@@ -1092,9 +1093,9 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp)
+     }
+ 
+     free(prime_arg);
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -1106,8 +1107,8 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
+     krb5_keyblock               *k;
+     int                         nkeys;
+     char                        *prime_arg, *funcname;
+-    gss_buffer_desc             client_name,
+-        service_name;
++    gss_buffer_desc             client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc             service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                   minor_stat;
+     kadm5_server_handle_t       handle;
+     const char                  *errmsg = NULL;
+@@ -1164,9 +1165,9 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
+             krb5_free_error_message(handle->context, errmsg);
+     }
+     free(prime_arg);
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -1178,8 +1179,8 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
+     krb5_keyblock               *k;
+     int                         nkeys;
+     char                        *prime_arg, *funcname;
+-    gss_buffer_desc             client_name,
+-        service_name;
++    gss_buffer_desc             client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc             service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                   minor_stat;
+     kadm5_server_handle_t       handle;
+     const char                  *errmsg = NULL;
+@@ -1241,9 +1242,9 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
+             krb5_free_error_message(handle->context, errmsg);
+     }
+     free(prime_arg);
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -1253,8 +1254,8 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp)
+ {
+     static generic_ret              ret;
+     char                            *prime_arg;
+-    gss_buffer_desc                 client_name,
+-        service_name;
++    gss_buffer_desc                 client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc                 service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                       minor_stat;
+     kadm5_server_handle_t           handle;
+     const char                      *errmsg = NULL;
+@@ -1295,9 +1296,9 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp)
+         if (errmsg != NULL)
+             krb5_free_error_message(handle->context, errmsg);
+     }
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -1307,8 +1308,8 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp)
+ {
+     static generic_ret              ret;
+     char                            *prime_arg;
+-    gss_buffer_desc                 client_name,
+-        service_name;
++    gss_buffer_desc                 client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc                 service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                       minor_stat;
+     kadm5_server_handle_t           handle;
+     const char                      *errmsg = NULL;
+@@ -1347,9 +1348,9 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp)
+         if (errmsg != NULL)
+             krb5_free_error_message(handle->context, errmsg);
+     }
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -1359,8 +1360,8 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp)
+ {
+     static generic_ret              ret;
+     char                            *prime_arg;
+-    gss_buffer_desc                 client_name,
+-        service_name;
++    gss_buffer_desc                 client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc                 service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                       minor_stat;
+     kadm5_server_handle_t           handle;
+     const char                      *errmsg = NULL;
+@@ -1400,9 +1401,9 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp)
+         if (errmsg != NULL)
+             krb5_free_error_message(handle->context, errmsg);
+     }
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -1413,8 +1414,8 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
+     static gpol_ret             ret;
+     kadm5_ret_t         ret2;
+     char                        *prime_arg, *funcname;
+-    gss_buffer_desc             client_name,
+-        service_name;
++    gss_buffer_desc             client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc             service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                   minor_stat;
+     kadm5_principal_ent_rec     caller_ent;
+     kadm5_server_handle_t       handle;
+@@ -1475,9 +1476,9 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
+         log_unauth(funcname, prime_arg,
+                    &client_name, &service_name, rqstp);
+     }
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ 
+@@ -1488,8 +1489,8 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp)
+ {
+     static gpols_ret                ret;
+     char                            *prime_arg;
+-    gss_buffer_desc                 client_name,
+-        service_name;
++    gss_buffer_desc                 client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc                 service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                       minor_stat;
+     kadm5_server_handle_t           handle;
+     const char                      *errmsg = NULL;
+@@ -1531,9 +1532,9 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp)
+         if (errmsg != NULL)
+             krb5_free_error_message(handle->context, errmsg);
+     }
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -1541,7 +1542,8 @@ exit_func:
+ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
+ {
+     static getprivs_ret            ret;
+-    gss_buffer_desc                client_name, service_name;
++    gss_buffer_desc                client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc                service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                      minor_stat;
+     kadm5_server_handle_t          handle;
+     const char                     *errmsg = NULL;
+@@ -1571,9 +1573,9 @@ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
+     if (errmsg != NULL)
+         krb5_free_error_message(handle->context, errmsg);
+ 
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -1583,7 +1585,8 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp)
+ {
+     static generic_ret          ret;
+     char                        *prime_arg, *funcname;
+-    gss_buffer_desc             client_name, service_name;
++    gss_buffer_desc             client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc             service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                   minor_stat;
+     kadm5_server_handle_t       handle;
+ 
+@@ -1629,9 +1632,9 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp)
+             krb5_free_error_message(handle->context, errmsg);
+     }
+     free(prime_arg);
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -1641,8 +1644,8 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
+ {
+     static gstrings_ret             ret;
+     char                            *prime_arg;
+-    gss_buffer_desc                 client_name,
+-        service_name;
++    gss_buffer_desc                 client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc                 service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                       minor_stat;
+     kadm5_server_handle_t           handle;
+     const char                      *errmsg = NULL;
+@@ -1688,9 +1691,9 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
+             krb5_free_error_message(handle->context, errmsg);
+     }
+     free(prime_arg);
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -1700,8 +1703,8 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
+ {
+     static generic_ret              ret;
+     char                            *prime_arg;
+-    gss_buffer_desc                 client_name,
+-        service_name;
++    gss_buffer_desc                 client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc                 service_name = GSS_C_EMPTY_BUFFER;
+     OM_uint32                       minor_stat;
+     kadm5_server_handle_t           handle;
+     const char                      *errmsg = NULL;
+@@ -1744,9 +1747,9 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
+             krb5_free_error_message(handle->context, errmsg);
+     }
+     free(prime_arg);
++exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+     free_server_handle(handle);
+     return &ret;
+ }
+@@ -1754,8 +1757,8 @@ exit_func:
+ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
+ {
+     static generic_ret         ret;
+-    gss_buffer_desc            client_name,
+-        service_name;
++    gss_buffer_desc            client_name = GSS_C_EMPTY_BUFFER;
++    gss_buffer_desc            service_name = GSS_C_EMPTY_BUFFER;
+     kadm5_server_handle_t      handle;
+     OM_uint32                  minor_stat;
+     const char                 *errmsg = NULL;
+@@ -1797,10 +1800,10 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
+                      rqstp->rq_cred.oa_flavor);
+     if (errmsg != NULL)
+         krb5_free_error_message(NULL, errmsg);
+-    gss_release_buffer(&minor_stat, &client_name);
+-    gss_release_buffer(&minor_stat, &service_name);
+ 
+ exit_func:
++    gss_release_buffer(&minor_stat, &client_name);
++    gss_release_buffer(&minor_stat, &service_name);
+     return(&ret);
+ }
+ 
+-- 
+2.6.3
+
-- 
2.6.3

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH 0/1] Fix CVE-2015-{8629, 8630, 8631}
  2016-02-05  0:49 [PATCH 0/1] Fix CVE-2015-{8629, 8630, 8631} Leo Famulari
  2016-02-05  0:49 ` [PATCH 1/1] gnu: mit-krb5: " Leo Famulari
@ 2016-02-05  1:13 ` Mark H Weaver
  2016-02-05  2:32   ` Leo Famulari
  1 sibling, 1 reply; 4+ messages in thread
From: Mark H Weaver @ 2016-02-05  1:13 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> writes:

> These are upstream patches, also applied by Debian:
> https://security-tracker.debian.org/tracker/CVE-2015-8629

Thanks for this, but I already updated mit-krb5 and applied fixes for
these CVEs on the new 'security-updates' branch about 17 hours ago.

I'm sorry that your effort was wasted.

     Mark

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 0/1] Fix CVE-2015-{8629, 8630, 8631}
  2016-02-05  1:13 ` [PATCH 0/1] " Mark H Weaver
@ 2016-02-05  2:32   ` Leo Famulari
  0 siblings, 0 replies; 4+ messages in thread
From: Leo Famulari @ 2016-02-05  2:32 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel

On Thu, Feb 04, 2016 at 08:13:18PM -0500, Mark H Weaver wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > These are upstream patches, also applied by Debian:
> > https://security-tracker.debian.org/tracker/CVE-2015-8629
> 
> Thanks for this, but I already updated mit-krb5 and applied fixes for
> these CVEs on the new 'security-updates' branch about 17 hours ago.
> 
> I'm sorry that your effort was wasted.

It's okay. Your version is much better!

> 
>      Mark

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2016-02-05  2:32 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-05  0:49 [PATCH 0/1] Fix CVE-2015-{8629, 8630, 8631} Leo Famulari
2016-02-05  0:49 ` [PATCH 1/1] gnu: mit-krb5: " Leo Famulari
2016-02-05  1:13 ` [PATCH 0/1] " Mark H Weaver
2016-02-05  2:32   ` Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).