From tlyu at MIT.EDU Tue Apr 6 20:21:27 2004
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue Apr 6 19:22:57 2004
Subject: krb5-1.3.3 is released
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.3.3. Please see below for a list of some major changes
since krb5-1.3.2, or consult the README file in the source tree for a
more detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.3.3
===================================

You may retrieve the Kerberos 5 Release 1.3.3 source from the
following URL:

http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.3.3 release is:

http://web.mit.edu/kerberos/krb5-1.3/

Further information about Kerberos 5 may be found at the following
URL:

http://web.mit.edu/kerberos/

MAJOR CHANGES SINCE RELEASE 1.3.2
=================================

* [2284] Fixed accept_sec_context to use a replay cache in the
  GSS_C_NO_CREDENTIAL case. Reported by Cesar Garcia.

* [2426] Fixed a spurious SIGPIPE that happened in the TCP sendto_kdc
  code on AIX. Thanks to Bill Dodd.

* [2430] Fixed a crash in the MSLSA ccache.

* [2453] The AES string-to-key function no longer returns a pointer to
  stack memory when given a password longer than 64 characters.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)

iQCVAwUBQHM7habDgE/zdoE9AQHrQAP+KHVnCT5DLw/BycQLh94nciovqFaDrd+4
6ksBQrD475anAK3uZQp+pl45yLeFrrOJT3bAisvUSd+V7nEfHMiqdOTdlgXsciJj
kT6VT4HUzSH7u83UydvyZknCwpPNYxIrIFZ4TAaaTje7T47Pr4D81xMs+C4bKxKv
npq68XyAChI=
=x/U5
-----END PGP SIGNATURE-----

From tlyu at MIT.EDU Wed Apr 14 18:20:14 2004
From: tlyu at MIT.EDU (Tom Yu)
Date: Wed Apr 14 17:22:06 2004
Subject: MIT Kerberos for Windows 2.6.1 is released
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

The MIT Kerberos Team announces the availability of MIT Kerberos for
Windows 2.6.1.
The distribution packages and Release Notes are available from the
download link on the MIT Kerberos distribution page,

http://web.mit.edu/kerberos/dist/

The main MIT Kerberos web page is

http://web.mit.edu/kerberos/

MIT Kerberos for Windows 2.6.1 is the currently supported release for
Microsoft Windows 98/98SE/ME/NT4/2000/XP/2003. (Windows 95 is not
supported). MIT KfW includes redistributable binaries, an SDK,
documentation, source code, and an interactive installer.

Please consult the Release Notes file included in the distribution
package for further details on changes.

Changes since KfW 2.6:

* Includes MIT Kerberos 5 Release 1.3.3
* Compatibility issues with Windows 98/98SE/ME resolved
* krb524d is no longer required when obtaining AFS tokens with Leash
  or aklog when using OpenAFS.ORG 1.3.63 or later releases.
* kvno.exe, gss-client.exe, gss-server.exe now included in the
  distribution
* The Leash Change Password function once again works with expired
  passwords
* GSS-API applications will display an Obtain Tickets dialog when
  existing tickets are expired

End user questions related to MIT KfW 2.6.1 should be addressed to
kerberos@mit.edu. Bug reports should be addressed to kfw-bugs@mit.edu.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)

iQCVAwUBQH2rEqbDgE/zdoE9AQHJgQQAp4cCCeOtWxorDZIgbuekNWtKo/0QQF9d
bMe+1euZrNSi9e983m6QUzQVyyBrgeqYmzHWBAabteOQlvF6V7ACJ28VTcMfBrln
OaW9KlFYE45r8gWTOJJAeEaUoHaekug7FrTAbdGCrL9aAAn2QINEO7UgpW9xulI0
eJzgkbNVXP4=
=eueq
-----END PGP SIGNATURE-----

From tlyu at MIT.EDU Tue May 25 12:12:50 2004
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue May 25 11:19:09 2004
Subject: MIT Kerberos for Windows 2.6.2 is released
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

The MIT Kerberos Team announces the availability of MIT Kerberos for
Windows 2.6.2.
The distribution packages and Release Notes are available from the
download link on the MIT Kerberos distribution page,

http://web.mit.edu/kerberos/dist/

The main MIT Kerberos web page is

http://web.mit.edu/kerberos/

MIT Kerberos for Windows 2.6.2 is the currently supported release for
Microsoft Windows 98/98SE/ME/NT4/2000/XP/2003. (Windows 95 is not
supported). MIT KfW includes redistributable binaries, an SDK,
documentation, source code, and an interactive installer.

Please consult the Release Notes file included in the distribution
package for further details on changes.

Changes since KfW 2.6.1:

* The behavior of the Leash automatic importing of credentials from
  the MSLSA credentials cache is now configurable. Options include
  never, always, and only if the MSLSA principal belongs to the
  default realm as specified in krb5.ini.
* Kerberos Ticket Initialization options modified within the Ticket
  Initialization dialog may now optionally be preserved.
* A memory access error introduced in 2.6.1 has been eliminated. This
  problem was traced to errors in implementation of the MFC
  CSingleLock class.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)

iQCVAwUBQLNidqbDgE/zdoE9AQG87QQA10zfWgon7B3xQd/TaQ/UIRxT1StmGKRn
ga1sWSl/ygOqM4eXhGuSXtZv2FFl8nQCeM2ar9qRjvWO3yW3BcZQ5zdpYeEBHOSD
Z+wwsbj2+EPoWniKYB+qbC8GpHPg4SiFw6ZV6kLHZD6x4dx62fZ8YpHwRQw2f186
FzPKii6Tn74=
=D0yE
-----END PGP SIGNATURE-----

From tlyu at MIT.EDU Wed May 26 19:25:03 2004
From: tlyu at MIT.EDU (Tom Yu)
Date: Wed May 26 18:26:22 2004
Subject: MIT Kerberos for Windows 2.6.3 is released
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

The MIT Kerberos Team announces the availability of MIT Kerberos for
Windows 2.6.3.
The distribution packages and Release Notes are available from the
download link on the MIT Kerberos distribution page,

http://web.mit.edu/kerberos/dist/

The main MIT Kerberos web page is

http://web.mit.edu/kerberos/

MIT Kerberos for Windows 2.6.3 is the currently supported release for
Microsoft Windows 98/98SE/ME/NT4/2000/XP/2003. (Windows 95 is not
supported). MIT KfW includes redistributable binaries, an SDK,
documentation, source code, and an interactive installer.

Please consult the Release Notes file included in the distribution
package for further details on changes.

Changes since 2.6.2:

* Prevents Leash from flooding the KDC with TGS_REQ messages when the
  Windows Logon Session is authenticated using Kerberos.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)

iQCVAwUBQLUZQ6bDgE/zdoE9AQHRZAQAhYLaFnvEn2u9zjfoZf7ZEGJmnQJKuMQj
9cDeUz0HPYd2XtuT87/xnznmpB+z/SKjbD8NR7JcgALY9qF39ynMWzExKOL5frao
n6nfwxVNV2vA4taHS9QJkD4g5rTZf1NKkjyaieau7WRJ6qS8z+I+AP+6h6KaN76M
kQ/u3nx+OVU=
=+eNP
-----END PGP SIGNATURE-----

From tlyu at MIT.EDU Tue Jun 1 17:30:45 2004
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue Jun 1 16:31:17 2004
Subject: MITKRB5-SA-2004-001: buffer overflows in krb5_aname_to_localname
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

MIT krb5 Security Advisory 2004-001

2004-06-01

Topic: buffer overflows in krb5_aname_to_localname

Severity: serious

SUMMARY
=======

The krb5_aname_to_localname() library function contains multiple
buffer overflows which could be exploited to gain unauthorized root
access. Exploitation of these flaws requires an unusual combination
of factors, including successful authentication to a vulnerable
service and a non-default configuration on the target service. (See
MITIGATING FACTORS below.) No exploits are known to exist yet.

IMPACT
======

A remote attacker can potentially execute arbitrary code on hosts
running vulnerable services.
MITIGATING FACTORS
==================

Only configurations which enable the explicit mapping or rules-based
mapping functionality of krb5_aname_to_localname() are vulnerable.
These configurations are not the default.

If the explicit mapping functionality is enabled, an attacker must
authenticate using a principal name listed in the explicit mapping
list.

If the rules-based mapping functionality is enabled, an attacker must
be able to create arbitrary principal names either in the local
Kerberos realm or in a remote realm from which the local realm's
services are reachable by cross-realm authentication.

AFFECTED SOFTWARE
=================

All releases of MIT Kerberos 5, up to and including krb5-1.3.3. The
upcoming krb5-1.3.4 release will contain a fix for this problem.

Affected services contained in these releases include the remote
login applications (e.g., ftp, rsh, rlogin, telnet), as well as ksu.
Third-party application servers using the affected functionality of
the krb5 library may be vulnerable. These services are only
vulnerable in non-default configurations.

FIXES
=====

* If you are using the vulnerable functionality, consider disabling
  it immediately. Complete disabling of any configuration of explicit
  mapping or rules-based mapping should prevent exploitation.

* The upcoming krb5-1.3.4 release will contain a fix for this
  problem.

* Apply the following patch to src/lib/krb5/os/an_to_ln.c, and
  recompile the affected libraries and applications.

Index: an_to_ln.c =================================================================== RCS file: /cvs/krbdev/krb5/src/lib/krb5/os/an_to_ln.c,v retrieving revision 5.39 diff -c -r5.39 an_to_ln.c *** an_to_ln.c 2002/09/03 19:29:34 5.39 - --- an_to_ln.c 2004/05/14 19:39:21 *************** *** 270,278 **** * If no regcomp() then just return the input string verbatim in the output * string. */ !
static void do_replacement(char *regexp, char *repl, int doall, char *in, char *out) { #if HAVE_REGCOMP regex_t match_exp; regmatch_t match_match; - --- 270,283 ---- * If no regcomp() then just return the input string verbatim in the output * string. */ ! #define use_bytes(x) \ ! out_used += (x); \ ! if (out_used > MAX_FORMAT_BUFFER) goto mem_err ! ! static int do_replacement(char *regexp, char *repl, int doall, char *in, char *out) { + size_t out_used = 0; #if HAVE_REGCOMP regex_t match_exp; regmatch_t match_match; *************** *** 287,303 **** do { if (!regexec(&match_exp, cp, 1, &match_match, 0)) { if (match_match.rm_so) { strncpy(op, cp, match_match.rm_so); op += match_match.rm_so; } strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out)); op += strlen(op); cp += match_match.rm_eo; ! if (!doall) strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 1; } else { strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 0; } - --- 292,313 ---- do { if (!regexec(&match_exp, cp, 1, &match_match, 0)) { if (match_match.rm_so) { + use_bytes(match_match.rm_so); strncpy(op, cp, match_match.rm_so); op += match_match.rm_so; } + use_bytes(strlen(repl)); strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out)); op += strlen(op); cp += match_match.rm_eo; ! if (!doall) { ! 
use_bytes(strlen(cp)); strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); + } matched = 1; } else { + use_bytes(strlen(cp)); strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 0; } *************** *** 322,338 **** - --- 332,352 ---- sdispl = (size_t) (loc1 - cp); edispl = (size_t) (loc2 - cp); if (sdispl) { + use_bytes(sdispl); strncpy(op, cp, sdispl); op += sdispl; } + use_bytes(strlen(repl)); strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out)); op += strlen(repl); cp += edispl; if (!doall) + use_bytes(strlen(cp)); strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 1; } else { + use_bytes(strlen(cp)); strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 0; } *************** *** 340,346 **** - --- 354,368 ---- #else /* HAVE_REGEXP_H */ memcpy(out, in, MAX_FORMAT_BUFFER); #endif /* HAVE_REGCOMP */ + return 1; + mem_err: + #ifdef HAVE_REGCMP + regfree(&match_exp); + #endif + return 0; + } + #undef use_bytes /* * aname_replacer() - Perform the specified substitutions on the input *************** *** 412,418 **** /* Do the replacemenbt */ memset(out, '\0', MAX_FORMAT_BUFFER); ! do_replacement(rule, repl, doglobal, in, out); free(rule); free(repl); - --- 434,445 ---- /* Do the replacemenbt */ memset(out, '\0', MAX_FORMAT_BUFFER); ! if (!do_replacement(rule, repl, doglobal, in, out)) { ! free(rule); ! free(repl); ! kret = KRB5_LNAME_NOTRANS; ! break; ! 
} free(rule); free(repl); *************** *** 459,464 **** - --- 486,492 ---- char *fprincname; char *selstring = 0; int num_comps, compind; + size_t selstring_used; char *cout; krb5_data *datap; char *outstring; *************** *** 479,484 **** - --- 507,513 ---- */ current = strchr(current, ':'); selstring = (char *) malloc(MAX_FORMAT_BUFFER); + selstring_used = 0; if (current && selstring) { current++; cout = selstring; *************** *** 497,502 **** - --- 526,539 ---- aname, compind-1)) ) { + if ((datap->length < MAX_FORMAT_BUFFER) + && (selstring_used+datap->length + < MAX_FORMAT_BUFFER)) { + selstring_used += datap->length; + } else { + kret = ENOMEM; + goto errout; + } strncpy(cout, datap->data, (unsigned) datap->length); *************** *** 527,533 **** else kret = KRB5_CONFIG_BADFORMAT; ! if (kret) free(selstring); } } - --- 564,570 ---- else kret = KRB5_CONFIG_BADFORMAT; ! errout: if (kret) free(selstring); } } *************** *** 643,649 **** const char *hierarchy[5]; char **mapping_values; int i, nvalid; ! char *cp; char *typep, *argp; unsigned int lnsize; - --- 680,686 ---- const char *hierarchy[5]; char **mapping_values; int i, nvalid; ! char *cp, *s; char *typep, *argp; unsigned int lnsize; *************** *** 677,687 **** /* Just use the last one. */ /* Trim the value. */ ! cp = &mapping_values[nvalid-1] ! [strlen(mapping_values[nvalid-1])]; ! while (isspace((int) (*cp))) cp--; ! cp++; ! *cp = '\0'; /* Copy out the value if there's enough room */ if (strlen(mapping_values[nvalid-1])+1 <= (size_t) lnsize) - --- 714,727 ---- /* Just use the last one. */ /* Trim the value. */ ! s = mapping_values[nvalid-1]; ! cp = s + strlen(s); ! while (cp > s) { ! cp--; ! if (!isspace((int)(*cp))) ! break; ! *cp = '\0'; ! } /* Copy out the value if there's enough room */ if (strlen(mapping_values[nvalid-1])+1 <= (size_t) lnsize) The patch was generated against krb5-1.3.3; it may apply, with some offset, to other releases. 
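Review bot: the use_bytes macro introduced in the hunk at *** 270,278 **** only rejects when `out_used > MAX_FORMAT_BUFFER`, so a result of exactly MAX_FORMAT_BUFFER bytes passes the accounting even though the caller's `out` buffer (memset to MAX_FORMAT_BUFFER bytes in the *** 412,418 **** hunk) then has no room for a terminating NUL. The `MAX_FORMAT_BUFFER - 1 - (op - out)` bound on the following strncpy stops the write but silently drops the last character instead of failing the translation. Checking with `>=` (fail once the bytes used reach the buffer size) makes the accounting agree with the copy bound and turns that truncation into the intended mem_err. The macro also expands to two statements with no `do { ... } while (0)` wrapper, so it is only safe when used as a statement on its own line.

Review bot: in the hunk at *** 322,338 **** the line `if (!doall) + use_bytes(strlen(cp));` leaves the `if` unbraced around the two-statement macro. After expansion only `out_used += strlen(cp)` is conditional; the `goto mem_err` test and the `strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));` that follows run on every iteration, so with doall set the remainder of the input is appended after each substitution and the HAVE_REGEXP_H branch no longer produces the same output as the HAVE_REGCOMP branch. Brace it the way the hunk at *** 287,303 **** does: `if (!doall) { use_bytes(strlen(cp)); strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); }`.

Review bot: the mem_err cleanup in the hunk at *** 340,346 **** guards `regfree(&match_exp);` with `#ifdef HAVE_REGCMP`, while match_exp is declared under `#if HAVE_REGCOMP` in the *** 270,278 **** hunk. With the spelling as written, the compiled expression is never freed on the rejection path, so every over-long principal name that trips the new check leaks a regex_t; and on a platform that defined HAVE_REGCMP without HAVE_REGCOMP the reference to match_exp would not compile. Change the guard to `#if HAVE_REGCOMP` to match the declaration.

Review bot: the hunk at *** 497,502 **** reports a principal component that does not fit in selstring as `kret = ENOMEM;`. No allocation failed here; the input was refused for being too long, which is exactly the attacker-controlled condition the DETAILS section describes, and a caller or log reader will read ENOMEM as resource exhaustion. The aname_replacer hunk at *** 412,418 **** already maps the equivalent failure to KRB5_LNAME_NOTRANS; using the same code here, or commenting why this path differs, keeps the two rejection paths consistent.

Review bot: the old trim loop in the hunk at *** 677,687 **** is the single-byte overflow the advisory credits to Christopher Nebergall: cp starts on the terminating NUL, `isspace('\0')` is false so the while loop exits immediately, `cp++` moves one past the terminator, and `*cp = '\0'` writes one byte beyond the end of the mapping value. The replacement's `while (cp > s)` also stops at the start of the string, so an empty or all-whitespace value cannot underrun. One remaining nit: `isspace((int)(*cp))` passes a plain char, which is negative for bytes above 0x7f on platforms where char is signed and is undefined for isspace(); cast through `unsigned char` instead.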
This patch may also be found at:

http://web.mit.edu/kerberos/advisories/2004-001-an_to_ln_patch.txt

The associated detached PGP signature is at:

http://web.mit.edu/kerberos/advisories/2004-001-an_to_ln_patch.txt.asc

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

ACKNOWLEDGMENTS
===============

Thanks to Christopher Nebergall for finding the single-byte overflow.
Thanks to Nico Williams for finding a vulnerability in the rules-based
mapping. Thanks to Matt Crawford for useful comments.

DETAILS
=======

krb5_aname_to_localname() translates a Kerberos principal name to a
local account name, typically a UNIX username. In the file
src/lib/krb5/os/an_to_ln.c, the helper functions aname_replacer(),
do_replacement(), and rule_an_to_ln() do not perform adequate checks
of the lengths of strings which contain the name of the principal
whose authorization is being checked. This can result in the overflow
of heap buffers when an attacker authenticates using a sufficiently
long principal name.

In addition, the implementation of the explicit mapping functionality
in krb5_aname_to_localname() consistently writes a zero byte at a
location one byte past the end of a heap buffer when handling a
principal name matching an explicit mapping. Single-byte overflows of
heap buffers are known to be exploitable on some architectures. The
vulnerability in the explicit mapping functionality was fixed around
December 2003 in the development sources, but the fix was not
propagated to the krb5-1.3.x release branch.
REVISION HISTORY
================

2004-06-01 original release

Copyright (C) 2004 Massachusetts Institute of Technology

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)

iQCVAwUBQLzhKKbDgE/zdoE9AQEIQAP+Nr2GZig5o2TM/0hxmuSDKuDCHQ8k4KBr
NCucgV8qVfhXw6MLX+PLX96CniyaFjuKGlS6PS7z2eTRt6qsvxohR1gAfZ7olN5u
pDOl5/D9CXnNqwz5ulh7TiaWuVXZab5RfjveZSvxi2fR2CCdUnBab/J4jzOeQyl+
bjJPpeMJiQE=
=yGUt
-----END PGP SIGNATURE-----

From tlyu at MIT.EDU Thu Jun 3 18:01:16 2004
From: tlyu at MIT.EDU (Tom Yu)
Date: Thu Jun 3 17:02:06 2004
Subject: UPDATED: MITKRB5-SA-2004-001: krb5_aname_to_localname
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

MIT krb5 Security Advisory 2004-001

Original release: 2004-06-01
Last update: 2004-06-02

Topic: buffer overflows in krb5_aname_to_localname

Severity: serious

SUMMARY
=======

[ patch corrected since original release ]

The krb5_aname_to_localname() library function contains multiple
buffer overflows which could be exploited to gain unauthorized root
access. Exploitation of these flaws requires an unusual combination
of factors, including successful authentication to a vulnerable
service and a non-default configuration on the target service. (See
MITIGATING FACTORS below.) No exploits are known to exist yet.

IMPACT
======

A remote attacker can potentially execute arbitrary code on hosts
running vulnerable services.

MITIGATING FACTORS
==================

Only configurations which enable the explicit mapping or rules-based
mapping functionality of krb5_aname_to_localname() are vulnerable.
These configurations are not the default, and we believe that they
are uncommon.

If the explicit mapping functionality is enabled, an attacker must
authenticate using a principal name listed in the explicit mapping
list.
If the rules-based mapping functionality is enabled, an attacker must
be able to create arbitrary principal names either in the local
Kerberos realm or in a remote realm from which the local realm's
services are reachable by cross-realm authentication.

AFFECTED SOFTWARE
=================

All releases of MIT Kerberos 5, up to and including krb5-1.3.3. The
upcoming krb5-1.3.4 release will contain a fix for this problem.

Affected services contained in these releases include the remote
login applications (e.g., ftp, rsh, rlogin, telnet), as well as ksu.
Third-party application servers using the affected functionality of
the krb5 library may be vulnerable. These services are only
vulnerable in non-default configurations.

To learn if a configuration is vulnerable, examine the /etc/krb5.conf
or other relevant krb5 configuration file, and look for entries of
the (explicit mapping) form:

    auth_to_local_names = {
        aname = lname
    }

or of the (rule-based mapping) form:

    auth_to_local = RULE:foo

within a realm subsection.

FIXES
=====

* If you are using the vulnerable functionality, consider disabling
  it immediately. Complete disabling of any configuration of explicit
  mapping or rules-based mapping should prevent exploitation.

* The upcoming krb5-1.3.4 release will contain a fix for this
  problem.

* Apply the following patch to src/lib/krb5/os/an_to_ln.c, and
  recompile the affected libraries and applications.

Index: an_to_ln.c =================================================================== RCS file: /cvs/krbdev/krb5/src/lib/krb5/os/an_to_ln.c,v retrieving revision 5.39 diff -c -r5.39 an_to_ln.c *** an_to_ln.c 3 Sep 2002 19:29:34 -0000 5.39 - --- an_to_ln.c 2 Jun 2004 22:04:21 -0000 *************** *** 270,278 **** * If no regcomp() then just return the input string verbatim in the output * string. */ !
static void do_replacement(char *regexp, char *repl, int doall, char *in, char *out) { #if HAVE_REGCOMP regex_t match_exp; regmatch_t match_match; - --- 270,283 ---- * If no regcomp() then just return the input string verbatim in the output * string. */ ! #define use_bytes(x) \ ! out_used += (x); \ ! if (out_used > MAX_FORMAT_BUFFER) goto mem_err ! ! static int do_replacement(char *regexp, char *repl, int doall, char *in, char *out) { + size_t out_used = 0; #if HAVE_REGCOMP regex_t match_exp; regmatch_t match_match; *************** *** 287,303 **** do { if (!regexec(&match_exp, cp, 1, &match_match, 0)) { if (match_match.rm_so) { strncpy(op, cp, match_match.rm_so); op += match_match.rm_so; } strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out)); op += strlen(op); cp += match_match.rm_eo; ! if (!doall) strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 1; } else { strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 0; } - --- 292,313 ---- do { if (!regexec(&match_exp, cp, 1, &match_match, 0)) { if (match_match.rm_so) { + use_bytes(match_match.rm_so); strncpy(op, cp, match_match.rm_so); op += match_match.rm_so; } + use_bytes(strlen(repl)); strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out)); op += strlen(op); cp += match_match.rm_eo; ! if (!doall) { ! use_bytes(strlen(cp)); strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); + } matched = 1; } else { + use_bytes(strlen(cp)); strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 0; } *************** *** 322,338 **** sdispl = (size_t) (loc1 - cp); edispl = (size_t) (loc2 - cp); if (sdispl) { strncpy(op, cp, sdispl); op += sdispl; } strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out)); op += strlen(repl); cp += edispl; ! 
if (!doall) strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 1; } else { strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 0; } - --- 332,353 ---- sdispl = (size_t) (loc1 - cp); edispl = (size_t) (loc2 - cp); if (sdispl) { + use_bytes(sdispl); strncpy(op, cp, sdispl); op += sdispl; } + use_bytes(strlen(repl)); strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out)); op += strlen(repl); cp += edispl; ! if (!doall) { ! use_bytes(strlen(cp)); strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); + } matched = 1; } else { + use_bytes(strlen(cp)); strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 0; } *************** *** 340,346 **** - --- 355,369 ---- #else /* HAVE_REGEXP_H */ memcpy(out, in, MAX_FORMAT_BUFFER); #endif /* HAVE_REGCOMP */ + return 1; + mem_err: + #ifdef HAVE_REGCMP + regfree(&match_exp); + #endif + return 0; + } + #undef use_bytes /* * aname_replacer() - Perform the specified substitutions on the input *************** *** 412,418 **** /* Do the replacemenbt */ memset(out, '\0', MAX_FORMAT_BUFFER); ! do_replacement(rule, repl, doglobal, in, out); free(rule); free(repl); - --- 435,446 ---- /* Do the replacemenbt */ memset(out, '\0', MAX_FORMAT_BUFFER); ! if (!do_replacement(rule, repl, doglobal, in, out)) { ! free(rule); ! free(repl); ! kret = KRB5_LNAME_NOTRANS; ! break; ! 
} free(rule); free(repl); *************** *** 459,464 **** - --- 487,493 ---- char *fprincname; char *selstring = 0; int num_comps, compind; + size_t selstring_used; char *cout; krb5_data *datap; char *outstring; *************** *** 479,484 **** - --- 508,514 ---- */ current = strchr(current, ':'); selstring = (char *) malloc(MAX_FORMAT_BUFFER); + selstring_used = 0; if (current && selstring) { current++; cout = selstring; *************** *** 497,502 **** - --- 527,540 ---- aname, compind-1)) ) { + if ((datap->length < MAX_FORMAT_BUFFER) + && (selstring_used+datap->length + < MAX_FORMAT_BUFFER)) { + selstring_used += datap->length; + } else { + kret = ENOMEM; + goto errout; + } strncpy(cout, datap->data, (unsigned) datap->length); *************** *** 527,533 **** else kret = KRB5_CONFIG_BADFORMAT; ! if (kret) free(selstring); } } - --- 565,571 ---- else kret = KRB5_CONFIG_BADFORMAT; ! errout: if (kret) free(selstring); } } *************** *** 643,649 **** const char *hierarchy[5]; char **mapping_values; int i, nvalid; ! char *cp; char *typep, *argp; unsigned int lnsize; - --- 681,687 ---- const char *hierarchy[5]; char **mapping_values; int i, nvalid; ! char *cp, *s; char *typep, *argp; unsigned int lnsize; *************** *** 677,687 **** /* Just use the last one. */ /* Trim the value. */ ! cp = &mapping_values[nvalid-1] ! [strlen(mapping_values[nvalid-1])]; ! while (isspace((int) (*cp))) cp--; ! cp++; ! *cp = '\0'; /* Copy out the value if there's enough room */ if (strlen(mapping_values[nvalid-1])+1 <= (size_t) lnsize) - --- 715,728 ---- /* Just use the last one. */ /* Trim the value. */ ! s = mapping_values[nvalid-1]; ! cp = s + strlen(s); ! while (cp > s) { ! cp--; ! if (!isspace((int)(*cp))) ! break; ! *cp = '\0'; ! } /* Copy out the value if there's enough room */ if (strlen(mapping_values[nvalid-1])+1 <= (size_t) lnsize) The patch was generated against krb5-1.3.3; it may apply, with some offset, to other releases. 
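Review bot: the corrected patch still guards the mem_err cleanup in the hunk at *** 340,346 **** with `#ifdef HAVE_REGCMP`, while match_exp is declared under `#if HAVE_REGCOMP` in the hunk at *** 270,283 ****. As spelled, `regfree(&match_exp);` is never compiled in on the HAVE_REGCOMP build, so each translation rejected for length leaks the compiled regex; the guard should read `#if HAVE_REGCOMP`.

Review bot: the use_bytes check in the hunk at *** 270,283 **** is unchanged from the first patch: it fails only when `out_used > MAX_FORMAT_BUFFER`, so a result that exactly fills the MAX_FORMAT_BUFFER-byte `out` buffer passes the accounting and is then silently shortened by one character by the `MAX_FORMAT_BUFFER - 1 - (op - out)` strncpy bound rather than rejected. Testing `out_used >= MAX_FORMAT_BUFFER` keeps one byte for the terminator and makes the accounting and the copy bound agree. The *** 322,338 **** hunk now braces the `if (!doall)` block around the macro, which resolves the unguarded strncpy from the earlier patch.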
This patch may also be found at:

http://web.mit.edu/kerberos/advisories/2004-001-an_to_ln_patch.txt

The associated detached PGP signature is at:

http://web.mit.edu/kerberos/advisories/2004-001-an_to_ln_patch.txt.asc

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CERT VU#686862:

http://www.kb.cert.org/vuls/id/686862

ACKNOWLEDGMENTS
===============

Thanks to Christopher Nebergall for finding the single-byte overflow.
Thanks to Nico Williams for finding a vulnerability in the rules-based
mapping. Thanks to Matt Crawford, John Hascall, and CERT for useful
comments. Thanks to Bill Dodd for correcting an error in a prior
patch.

DETAILS
=======

krb5_aname_to_localname() translates a Kerberos principal name to a
local account name, typically a UNIX username. In the file
src/lib/krb5/os/an_to_ln.c, the helper functions aname_replacer(),
do_replacement(), and rule_an_to_ln() do not perform adequate checks
of the lengths of strings which contain the name of the principal
whose authorization is being checked. This can result in the overflow
of heap buffers when an attacker authenticates using a sufficiently
long principal name.

In addition, the implementation of the explicit mapping functionality
in krb5_aname_to_localname() consistently writes a zero byte at a
location one byte past the end of a heap buffer when handling a
principal name matching an explicit mapping. Single-byte overflows of
heap buffers are known to be exploitable on some architectures. The
vulnerability in the explicit mapping functionality was fixed around
December 2003 in the development sources, but the fix was not
propagated to the krb5-1.3.x release branch.
REVISION HISTORY
================

2004-06-02 patch updated to fix error
2004-06-01 original release

Copyright (C) 2004 Massachusetts Institute of Technology

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)

iQCVAwUBQL+P0abDgE/zdoE9AQEq+gP+LzNKb1oHemeD8rgL2ogIQ54ovxWIMCQ6
ixmiVO1zMO+89Y4zF7sVilpBVL5fK2cuDR7G2DXlC1whcMHaywVe57mDmGQ/Way+
QwvZM6WQc0fZEZPizBWIPYKTjztuX/FcI8ymHG7Ka1U+aA0dAUp68iWmA60RsiXz
D1ncyk9a6FM=
=taBK
-----END PGP SIGNATURE-----

From tlyu at MIT.EDU Fri Jun 11 19:22:59 2004
From: tlyu at MIT.EDU (Tom Yu)
Date: Fri Jun 11 18:23:56 2004
Subject: krb5-1.3.4 is released
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.3.4. Please see below for a list of some major changes
since krb5-1.3.3, or consult the README file in the source tree for a
more detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.3.4
===================================

You may retrieve the Kerberos 5 Release 1.3.4 source from the
following URL:

http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.3.4 release is:

http://web.mit.edu/kerberos/krb5-1.3/

Further information about Kerberos 5 may be found at the following
URL:

http://web.mit.edu/kerberos/

MAJOR CHANGES SINCE RELEASE 1.3.3
=================================

* [2024, 2583, 2584] Fixed buffer overflows in
  krb5_aname_to_localname(). [MITKRB5-SA-2004-001]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)

iQCVAwUBQMowyqbDgE/zdoE9AQFd0QP9Ff81+V0X0aXfIM7o0SAjGfGSACVc4LCT
zrSYCTJFcw7xE6GMHVtD253jukcm1Ep7tAX2q7tRDvcApZ6VPoXDCdLsjGRAQymk
/AdNdFaWpSnyxRiSsSAqjiQfG5xWgYAiMXC7WOuDCi1xXgdP5HGOllGMHsOAgteC
Lr9txu/1NRk=
=8ztC
-----END PGP SIGNATURE-----
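The DETAILS section of MITKRB5-SA-2004-001 describes two defects in an_to_ln.c: substitution output that is written into a fixed MAX_FORMAT_BUFFER-byte buffer without accounting for how much has already been used, and a trailing-whitespace trim that steps one byte past the terminator. The following C program is an added example written for this archive; it is not code from MIT krb5 or from the advisory's patch. It shows the two hardening ideas the patch applies, in isolation: an append routine that charges bytes against a running total before writing and keeps a byte for the NUL, and the corrected trim loop. A plain substring match stands in for the regex that do_replacement() compiles, the buffer sizes are deliberately tiny so the limits are easy to hit, and all inputs are constructed for the demonstration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Running total of bytes committed to a fixed-size output buffer.  Every
 * append charges its bytes first and refuses (returns 0) if the result
 * could no longer be NUL-terminated, instead of writing and then checking. */
struct bounded_buf {
    char *out;      /* destination, cap bytes long */
    size_t cap;     /* total size of out, including room for the NUL */
    size_t used;    /* bytes written so far, always < cap */
};

static int bb_append(struct bounded_buf *b, const char *src, size_t n)
{
    /* ">=" rather than ">": used + n must stay strictly below cap so that
     * one byte is always left for the terminator. */
    if (n >= b->cap - b->used)
        return 0;
    memcpy(b->out + b->used, src, n);
    b->used += n;
    b->out[b->used] = '\0';
    return 1;
}

/* Substitute occurrences of pat in 'in' with repl, writing at most cap bytes
 * (NUL included) to out.  doall selects global replacement, as in the krb5
 * function.  Returns 1 on success, 0 if the result would not fit, in which
 * case out is left empty so a caller can never use a partial local name. */
static int replace_bounded(const char *in, const char *pat, const char *repl,
                           int doall, char *out, size_t cap)
{
    struct bounded_buf b = { out, cap, 0 };
    size_t patlen = strlen(pat);
    const char *cp = in;
    const char *hit;

    if (cap == 0)
        return 0;
    out[0] = '\0';
    if (patlen == 0)                       /* nothing to match: copy verbatim */
        return bb_append(&b, in, strlen(in));

    while ((hit = strstr(cp, pat)) != NULL) {
        if (!bb_append(&b, cp, (size_t)(hit - cp)) ||   /* text before the match */
            !bb_append(&b, repl, strlen(repl))) {        /* the replacement */
            out[0] = '\0';
            return 0;
        }
        cp = hit + patlen;
        if (!doall)
            break;
    }
    if (!bb_append(&b, cp, strlen(cp))) {                /* remainder of input */
        out[0] = '\0';
        return 0;
    }
    return 1;
}

/* Trailing-whitespace trim in the shape of the corrected hunk: walk back from
 * the terminator but never before the start of the string, so an empty or
 * all-whitespace value cannot underrun and nothing is written past the
 * terminator.  The unsigned char cast keeps isspace() defined for bytes above
 * 0x7f.  Returns the trimmed length. */
static size_t trim_trailing(char *s)
{
    char *cp = s + strlen(s);
    while (cp > s) {
        cp--;
        if (!isspace((unsigned char)*cp))
            break;
        *cp = '\0';
    }
    return strlen(s);
}

int main(void)
{
    char out[16];                           /* constructed, deliberately small */
    char value[] = "root   ";               /* constructed mapping value */

    /* Strip a realm suffix, the kind of thing a mapping rule does. */
    if (replace_bounded("alice@EXAMPLE.COM", "@EXAMPLE.COM", "", 0, out, sizeof out))
        printf("mapped: \"%s\"\n", out);

    /* A result that would need 17 bytes is refused, not truncated. */
    if (!replace_bounded("a.b.c.d.e", ".", "---", 1, out, sizeof out))
        printf("refused: result would exceed %zu bytes\n", sizeof out);

    printf("trimmed: \"%s\" (%zu bytes)\n", value, trim_trailing(value));
    return 0;
}
```

The design choice worth noting is that the length check happens before each memcpy and on the running total, not on the remaining capacity of a single copy; that is what lets one rejection cover the pre-match text, the replacement and the remainder together, and leaving `out` empty on failure mirrors the patch's `KRB5_LNAME_NOTRANS` rather than handing the caller a half-built name.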
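The updated advisory's AFFECTED SOFTWARE section tells administrators to look in /etc/krb5.conf for an `auth_to_local_names` block or an `auth_to_local = RULE:` entry inside a realm subsection. The following C program is an added example for this archive, not code from MIT or from the advisory: it performs that check over a configuration held in memory. The sample configurations are constructed for the demonstration, `RULE:foo` is the placeholder the advisory itself uses, and the parser handles only the subset of krb5.conf syntax needed here (`[section]` headers, `key = value` lines, `{` `}` nesting and `#`/`;` comment lines).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { MAP_EXPLICIT = 1, MAP_RULES = 2 };   /* findings, OR-ed together */

struct scan_state {
    int in_realms;   /* currently inside the [realms] section */
    int depth;       /* { } nesting depth; 1 means inside a realm subsection */
};

static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/* Examine one line, update the nesting state, and return the flags it
 * triggers.  Only settings seen inside a realm subsection count. */
static int scan_line(struct scan_state *st, const char *raw)
{
    const char *p = skip_ws(raw);
    const char *eq, *val;
    size_t klen;
    int flags = 0;

    if (*p == '\0' || *p == '#' || *p == ';')
        return 0;                               /* blank or comment */
    if (*p == '[') {                            /* section header */
        st->in_realms = (strncmp(p, "[realms]", 8) == 0);
        st->depth = 0;
        return 0;
    }
    if (*p == '}') {                            /* close a subsection */
        if (st->depth > 0)
            st->depth--;
        return 0;
    }
    eq = strchr(p, '=');
    if (eq == NULL)
        return 0;
    klen = (size_t)(eq - p);
    while (klen > 0 && isspace((unsigned char)p[klen - 1]))
        klen--;                                 /* trim the key */
    val = skip_ws(eq + 1);

    if (st->in_realms && st->depth >= 1) {
        if (klen == strlen("auth_to_local_names") &&
            strncmp(p, "auth_to_local_names", klen) == 0)
            flags |= MAP_EXPLICIT;
        else if (klen == strlen("auth_to_local") &&
                 strncmp(p, "auth_to_local", klen) == 0 &&
                 strncmp(val, "RULE:", 5) == 0)
            flags |= MAP_RULES;
    }
    if (*val == '{')                            /* "key = {" opens a subsection */
        st->depth++;
    return flags;
}

/* Scan a whole configuration held in memory; returns the OR of all flags. */
static int scan_config(const char *text)
{
    struct scan_state st = { 0, 0 };
    char line[256];
    int flags = 0;

    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len >= sizeof line)
            len = sizeof line - 1;              /* over-long lines are truncated */
        memcpy(line, text, len);
        line[len] = '\0';
        flags |= scan_line(&st, line);
        text = nl ? nl + 1 : text + strlen(text);
    }
    return flags;
}

/* Constructed sample: a realm that enables both mapping mechanisms. */
static const char SAMPLE_MAPPED[] =
    "[libdefaults]\n"
    "    default_realm = EXAMPLE.COM\n"
    "\n"
    "[realms]\n"
    "    EXAMPLE.COM = {\n"
    "        kdc = kdc.example.com\n"
    "        auth_to_local_names = {\n"
    "            admin/root = root\n"
    "        }\n"
    "        auth_to_local = RULE:foo\n"
    "        auth_to_local = DEFAULT\n"
    "    }\n";

/* Constructed sample: default mapping only, which the advisory says is not affected. */
static const char SAMPLE_DEFAULT[] =
    "[realms]\n"
    "    EXAMPLE.COM = {\n"
    "        kdc = kdc.example.com\n"
    "        auth_to_local = DEFAULT\n"
    "    }\n";

int main(void)
{
    int f = scan_config(SAMPLE_MAPPED);
    printf("mapped sample: explicit=%d rules=%d\n",
           (f & MAP_EXPLICIT) != 0, (f & MAP_RULES) != 0);
    printf("default sample: flags=%d\n", scan_config(SAMPLE_DEFAULT));
    return 0;
}
```

Because the scanner tracks brace depth, an `auth_to_local_names` block nested inside a realm is reported while the `aname = lname` pairs inside it, or the same keys placed outside `[realms]`, are not; a plain text search for the key name would flag both.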