Error applying MITKRB5-SA-2007-002 on krb5-1.5
Matthew B. Brookover
mbrookov at mines.edu
Fri Apr 6 16:58:24 EDT 2007
I am having similar problems with version 1.5.2:
[mbrookov at oneoften krb5-1.5.2]$ patch -b -p0 < ../2007-002-patch.txt
patching file src/kadmin/server/kadm_rpc_svc.c
patching file src/kadmin/server/misc.c
patching file src/kadmin/server/misc.h
patching file src/kadmin/server/ovsec_kadmd.c
Hunk #1 succeeded at 989 (offset -3 lines).
Hunk #3 succeeded at 1025 (offset -3 lines).
patching file src/kadmin/server/schpw.c
patching file src/kadmin/server/server_stubs.c
patching file src/kdc/do_tgs_req.c
Hunk #1 FAILED at 491.
1 out of 3 hunks FAILED -- saving rejects to file
src/kdc/do_tgs_req.c.rej
patching file src/kdc/kdc_util.c
patching file src/lib/kadm5/logger.c
[mbrookov at oneoften krb5-1.5.2]$
The patches will load, compile and run on version 1.6. Is anybody
running 1.6 in production?
We are also considering moving the Kerberos servers to Red Hat; they
have a fix out.
Matt
mbrookov at mines.edu
On Fri, 2007-04-06 at 13:34 -0500, simonst at wellsfargo.com wrote:
> Patch MITKRB5-SA-2007-002 is failing to apply on krb5-1.5:
> [rpmdev]$ patch -p0 <2007-002-patch.txt
> patching file src/kadmin/server/kadm_rpc_svc.c
> patching file src/kadmin/server/misc.c
> patching file src/kadmin/server/misc.h
> patching file src/kadmin/server/ovsec_kadmd.c
> Hunk #1 succeeded at 989 with fuzz 2 (offset -3 lines).
> Hunk #2 succeeded at 997 (offset -5 lines).
> Hunk #3 succeeded at 1025 (offset -3 lines).
> patching file src/kadmin/server/schpw.c
> patching file src/kadmin/server/server_stubs.c
> patching file src/kdc/do_tgs_req.c
> Hunk #1 FAILED at 491.
> Hunk #2 succeeded at 550 (offset -2 lines).
> 1 out of 3 hunks FAILED -- saving rejects to file
> src/kdc/do_tgs_req.c.rej
> patching file src/kdc/kdc_util.c
> patching file src/lib/kadm5/logger.c
>
> Here's the complete cmdline output:
>
> [rpmdev]$ uname -a
> Linux rpmdev 2.4.21-37.ELsmp #1 SMP Wed Sep 7 13:28:55 EDT 2005 i686 i686
> i386 GNU/Linux
> [rpmdev]$ gpgv -v krb5-1.5.tar.gz.asc
> gpgv: armor header: Version: GnuPG v1.4.3 (SunOS)
> gpgv: assuming signed data in `krb5-1.5.tar.gz'
> gpgv: Signature made Fri 30 Jun 2006 10:16:09 PM PDT using RSA key ID
> F376813D
> gpgv: Good signature from "Tom Yu <tlyu at MIT.EDU>"
> gpgv: aka "Tom Yu <tlyu at MIT.EDU>"
> [rpmdev]$ md5sum krb5-1.5.tar.gz
> fe62bcd315fe4139e4fa05732ce8abde krb5-1.5.tar.gz
>
> [rpmdev]$ tar xzf krb5-1.5.tar.gz
>
> [rpmdev]$ cd krb5-1.5
>
> [rpmdev]$ wget http://web.mit.edu/kerberos/advisories/2007-002-patch.txt
> --11:05:42-- http://web.mit.edu/kerberos/advisories/2007-002-patch.txt
> => `2007-002-patch.txt'
> Length: 41,658 (41K) [text/plain]
> 100%[====================================================>] 41,658
> 106.89K/s
> 11:05:43 (106.55 KB/s) - `2007-002-patch.txt' saved [41658/41658]
>
> [rpmdev]$ md5sum 2007-002-patch.txt
> 25b7ae9462b7439f7d11064138aac11e 2007-002-patch.txt
> [rpmdev]$ head 2007-002-patch.txt
> *** src/kadmin/server/kadm_rpc_svc.c (revision 19480)
> --- src/kadmin/server/kadm_rpc_svc.c (local)
> ***************
> *** 250,255 ****
> --- 250,257 ----
> krb5_data *c1, *c2, *realm;
> gss_buffer_desc gss_str;
> kadm5_server_handle_t handle;
> + size_t slen;
> + char *sdots;
>
> [rpmdev]$ patch -p0 <2007-002-patch.txt
> patching file src/kadmin/server/kadm_rpc_svc.c
> patching file src/kadmin/server/misc.c
> patching file src/kadmin/server/misc.h
> patching file src/kadmin/server/ovsec_kadmd.c
> Hunk #1 succeeded at 989 with fuzz 2 (offset -3 lines).
> Hunk #2 succeeded at 997 (offset -5 lines).
> Hunk #3 succeeded at 1025 (offset -3 lines).
> patching file src/kadmin/server/schpw.c
> patching file src/kadmin/server/server_stubs.c
> patching file src/kdc/do_tgs_req.c
> Hunk #1 FAILED at 491.
> Hunk #2 succeeded at 550 (offset -2 lines).
> 1 out of 3 hunks FAILED -- saving rejects to file src/kdc/do_tgs_req.c.rej
> patching file src/kdc/kdc_util.c
> patching file src/lib/kadm5/logger.c
>
> [rpmdev]$ cat src/kdc/do_tgs_req.c.rej
> ***************
> *** 491,518 ****
> newtransited = 1;
> }
> if (!isflagset (request->kdc_options,
> KDC_OPT_DISABLE_TRANSITED_CHECK)) {
> errcode = krb5_check_transited_list (kdc_context,
>
> &enc_tkt_reply.transited.tr_contents,
> krb5_princ_realm (kdc_context,
> header_ticket->enc_part2->client),
> krb5_princ_realm (kdc_context,
> request->server));
> if (errcode == 0) {
> setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
> } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
> krb5_klog_syslog (LOG_INFO,
> ! "bad realm transit path from '%s' to '%s' via
> '%.*s'",
> cname ? cname : "<unknown client>",
> sname ? sname : "<unknown server>",
> ! enc_tkt_reply.transited.tr_contents.length,
> ! enc_tkt_reply.transited.tr_contents.data);
> else {
> const char *emsg = krb5_get_error_message(kdc_context, errcode);
> krb5_klog_syslog (LOG_ERR,
> ! "unexpected error checking transit from '%s'
> to '%s' via '%.*s': %s",
> cname ? cname : "<unknown client>",
> sname ? sname : "<unknown server>",
> ! enc_tkt_reply.transited.tr_contents.length,
> enc_tkt_reply.transited.tr_contents.data,
> ! emsg);
> krb5_free_error_message(kdc_context, emsg);
> }
> } else
> --- 491,528 ----
> newtransited = 1;
> }
> if (!isflagset (request->kdc_options,
> KDC_OPT_DISABLE_TRANSITED_CHECK)) {
> + unsigned int tlen;
> + char *tdots;
> +
> errcode = krb5_check_transited_list (kdc_context,
>
> &enc_tkt_reply.transited.tr_contents,
> krb5_princ_realm (kdc_context,
> header_ticket->enc_part2->client),
> krb5_princ_realm (kdc_context,
> request->server));
> + tlen = enc_tkt_reply.transited.tr_contents.length;
> + tdots = tlen > 125 ? "..." : "";
> + tlen = tlen > 125 ? 125 : tlen;
> +
> if (errcode == 0) {
> setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
> } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
> krb5_klog_syslog (LOG_INFO,
> ! "bad realm transit path from '%s' to '%s' "
> ! "via '%.*s%s'",
> cname ? cname : "<unknown client>",
> sname ? sname : "<unknown server>",
> ! tlen,
> ! enc_tkt_reply.transited.tr_contents.data,
> ! tdots);
> else {
> const char *emsg = krb5_get_error_message(kdc_context, errcode);
> krb5_klog_syslog (LOG_ERR,
> ! "unexpected error checking transit from "
> ! "'%s' to '%s' via '%.*s%s': %s",
> cname ? cname : "<unknown client>",
> sname ? sname : "<unknown server>",
> ! tlen,
> enc_tkt_reply.transited.tr_contents.data,
> ! tdots, emsg);
> krb5_free_error_message(kdc_context, emsg);
> }
> } else
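Review bot: In the new side of this hunk (--- 491,528), `tlen` is declared `unsigned int` but is passed as the precision argument for `%.*s` in both `krb5_klog_syslog` calls, and `*` expects an `int`. The clamp to 125 keeps the value in range, so declaring it `int tlen;` or casting at the call sites (`(int) tlen`) would make the argument type match the format without changing behaviour. The clamp and `tdots` are also computed before the `errcode == 0` test although only the two logging branches use them; that is harmless, but a one-line comment stating that the 125-byte cap bounds the logged `tr_contents.data` string would document why the limit is there.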
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos