[krbdev.mit.edu #8352] git commit
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Fri Sep 8 12:14:09 EDT 2017
Limit ticket lifetime to 2^31-1 seconds
Although timestamps above 2^31-1 are now valid, intervals exceeding
2^31-1 seconds may be treated incorrectly by comparison operations.
The initially computed interval in kdc_get_ticket_endtime() could be
negative if the requested end time is far in the future, causing the
function to yield an incorrect result. (With the new larger value of
kdc_infinity, this could specifically happen if a KDC-REQ contains a
zero till field.) Cap the interval at the maximum valid value.
Reported by Weijun Wang.
Avoid delta comparisons in favor of timestamp comparions in
krb5int_validate_times(), ksu's krb5_check_exp(), and clockskew
checks.
Also use a y2038-safe timestamp comparison in set_request_times() when
comparing the requested renewable end time to the requested ticket end
time.
https://github.com/krb5/krb5/commit/54e58755368b58ba5894a14c1d02626da42d8003
Author: Greg Hudson <ghudson at mit.edu>
Commit: 54e58755368b58ba5894a14c1d02626da42d8003
Branch: master
src/clients/ksu/ccache.c | 2 +-
src/include/k5-int.h | 7 +++++++
src/kdc/kdc_util.c | 7 ++++++-
src/kdc/replay.c | 2 +-
src/kdc/t_replay.c | 2 +-
src/lib/krb5/krb/gc_via_tkt.c | 4 ++--
src/lib/krb5/krb/get_in_tkt.c | 6 +++---
src/lib/krb5/krb/int-proto.h | 3 ---
src/lib/krb5/krb/valid_times.c | 4 ++--
src/lib/krb5/os/timeofday.c | 2 +-
10 files changed, 24 insertions(+), 15 deletions(-)
More information about the krb5-bugs
mailing list