svn rev #25512: branches/krb5-1-10/src/ kadmin/cli/ plugins/kdb/ldap/libkdb_ldap/

tlyu@MIT.EDU
Mon Dec 5 15:53:52 EST 2011


http://src.mit.edu/fisheye/changelog/krb5/?cs=25512
Commit By: tlyu
Log Message:
ticket: 7021
version_fixed: 1.10
status: resolved

pull up r25480 from trunk

 ------------------------------------------------------------------------
 r25480 | ghudson | 2011-11-20 00:19:45 -0500 (Sun, 20 Nov 2011) | 13 lines

 ticket: 7021
 subject: Fix failure interval of 0 in LDAP lockout code
 target_version: 1.10
 tags: pullup

 A failure count interval of 0 caused krb5_ldap_lockout_check_policy to
 pass the lockout check (but didn't cause a reset of the failure count
 in krb5_ldap_lockout_audit).  It should be treated as forever, as in
 the DB2 back end.

 This bug is the previously unknown cause of the assertion failure
 fixed in CVE-2011-1528.
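The semantics the commit message describes (a failure count interval of 0 meaning "never reset on elapsed time", a lockout duration of 0 meaning "never expires") can be made concrete with a small simulation. The code below is an added illustration, not krb5's own lockout.c; the policy and state structs, the function names `lockout_check`, `lockout_audit`, `lockout_check_buggy` and `first_rejected_attempt`, and the timestamps are all constructed for this example. `lockout_check_buggy` reproduces the shape of the pre-fix shortcut (return "pass" whenever the interval is 0) so the difference in outcome is visible side by side.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical simplified lockout policy (not krb5's real structures). */
typedef struct {
    unsigned int max_fail;     /* 0 disables lockout entirely */
    time_t failcnt_interval;   /* 0 = failure count never expires ("forever") */
    time_t lockout_duration;   /* 0 = a lockout never expires ("forever") */
} lockout_policy;

typedef struct {
    unsigned int fail_auth_count;  /* consecutive failures in the current window */
    time_t last_failed;            /* timestamp of the most recent failure */
} principal_state;

/* Corrected check: returns true if authentication may proceed.
 * An interval of 0 is NOT a reason to skip the check. */
bool lockout_check(const lockout_policy *p, const principal_state *s, time_t now)
{
    if (p->max_fail == 0 || s->fail_auth_count < p->max_fail)
        return true;                       /* under the threshold */
    if (p->lockout_duration == 0)
        return false;                      /* locked until the count is reset */
    return now >= s->last_failed + p->lockout_duration;  /* lockout expired? */
}

/* Pre-fix shape of the check: interval 0 short-circuits to "pass". */
bool lockout_check_buggy(const lockout_policy *p, const principal_state *s, time_t now)
{
    if (p->failcnt_interval == 0)
        return true;                       /* the bug: never enforces lockout */
    return lockout_check(p, s, now);
}

/* Audit step after an authentication attempt: success clears the count;
 * failure either starts a new window (interval elapsed) or accumulates. */
void lockout_audit(const lockout_policy *p, principal_state *s, time_t now, bool success)
{
    if (success) {
        s->fail_auth_count = 0;
        return;
    }
    if (p->failcnt_interval != 0 && now >= s->last_failed + p->failcnt_interval)
        s->fail_auth_count = 1;            /* interval elapsed: reset to 1 */
    else
        s->fail_auth_count++;              /* interval 0 never elapses: accumulate */
    s->last_failed = now;
}

/* Simulate `attempts` consecutive failed logins spaced `step` seconds apart.
 * Returns the 1-based index of the first attempt the check rejects, 0 if none. */
unsigned int first_rejected_attempt(const lockout_policy *p, unsigned int attempts,
                                    time_t step, bool use_buggy_check)
{
    principal_state s = {0, 0};
    const time_t base = 1000000;           /* constructed epoch offset */
    for (unsigned int i = 1; i <= attempts; i++) {
        time_t now = base + (time_t)(i - 1) * step;
        bool allowed = use_buggy_check ? lockout_check_buggy(p, &s, now)
                                       : lockout_check(p, &s, now);
        if (!allowed)
            return i;
        lockout_audit(p, &s, now, false);  /* every attempt in this run fails */
    }
    return 0;
}

int main(void)
{
    lockout_policy forever = {3, 0, 0};    /* 3 failures, interval 0, duration 0 */
    printf("fixed check locks at attempt %u\n",
           first_rejected_attempt(&forever, 10, 1000, false));  /* 4 */
    printf("buggy check locks at attempt %u\n",
           first_rejected_attempt(&forever, 10, 1000, true));   /* 0: never */
    return 0;
}
```

With the corrected check, three failures a thousand seconds apart still lock the principal on the fourth attempt because a 0 interval never resets the count; the short-circuit variant never locks at all, which is the behaviour the commit removes.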


Changed Files:
U   branches/krb5-1-10/src/kadmin/cli/kadmin.M
U   branches/krb5-1-10/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
Modified: branches/krb5-1-10/src/kadmin/cli/kadmin.M
===================================================================
--- branches/krb5-1-10/src/kadmin/cli/kadmin.M	2011-12-05 20:32:57 UTC (rev 25511)
+++ branches/krb5-1-10/src/kadmin/cli/kadmin.M	2011-12-05 20:53:52 UTC (rev 25512)
@@ -726,12 +726,13 @@
 sets the allowable time between authentication failures.  If an
 authentication failure happens after \fIfailuretime\fP has elapsed
 since the previous failure, the number of authentication failures is
-reset to 1.
+reset to 1.  A failure count interval of 0 means forever.
 .TP
 \fB\-lockoutduration\fP \fIlockouttime\fP
 sets the duration for which the principal is locked from
 authenticating if too many authentication failures occur without the
-specified failure count interval elapsing.
+specified failure count interval elapsing.  A duration of 0 means
+forever.
 .sp
 .nf
 .TP
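Review bot: the added sentence under \-failurecountinterval, "A failure count interval of 0 means forever", would be clearer if it stated the effect on the count, since the preceding lines define the interval in terms of resetting the count to 1; e.g. "A failure count interval of 0 means the failure count is never reset based on elapsed time." The same applies to the \-lockoutduration sentence: "A duration of 0 means the lockout never expires" tells an administrator what to expect, whereas "forever" alone can be read either way.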

Modified: branches/krb5-1-10/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
===================================================================
--- branches/krb5-1-10/src/plugins/kdb/ldap/libkdb_ldap/lockout.c	2011-12-05 20:32:57 UTC (rev 25511)
+++ branches/krb5-1-10/src/plugins/kdb/ldap/libkdb_ldap/lockout.c	2011-12-05 20:53:52 UTC (rev 25512)
@@ -127,7 +127,7 @@
     code = lookup_lockout_policy(context, entry, &max_fail,
                                  &failcnt_interval,
                                  &lockout_duration);
-    if (code != 0 || failcnt_interval == 0)
+    if (code != 0)
         return code;
 
     if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
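Review bot: dropping `failcnt_interval == 0` from the early return is the right fix for the check itself, but the rest of krb5_ldap_lockout_check_policy and the audit path (krb5_ldap_lockout_audit, named in the commit message) are outside this hunk, so a reviewer should confirm that every later comparison involving failcnt_interval already treats 0 as "never elapsed" rather than as a zero-length window; otherwise a 0 interval would reset the count on every failure and the check would keep passing. A one-line comment at the `if (code != 0)` site noting that a 0 interval deliberately falls through to locked_check_p would stop a future reader from reintroducing the shortcut.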



