From 19083437612801f74d56a2e2dae84dd4195f8d1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Fri, 20 Apr 2012 15:21:12 +0200 Subject: [PATCH] Avoid private krb5_locate_kdc usage resolves: #754783 Guenther --- samba-3.6.4-krb5_locate_kdc.patch | 162 ++++++++++++++++++++++++++++++ samba.spec | 8 +- 2 files changed, 169 insertions(+), 1 deletion(-) create mode 100644 samba-3.6.4-krb5_locate_kdc.patch diff --git a/samba-3.6.4-krb5_locate_kdc.patch b/samba-3.6.4-krb5_locate_kdc.patch new file mode 100644 index 0000000..d5093e6 --- /dev/null +++ b/samba-3.6.4-krb5_locate_kdc.patch 
@@ -0,0 +1,162 @@
+From 2464a7b0ddb556bed86a845c9400e26c4d7f584a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Wed, 30 Nov 2011 17:58:30 +0100
+Subject: [PATCH] s3-libsmb: Remove obsolete smb_krb5_locate_kdc.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Günther Deschner
+
+Autobuild-User: Günther Deschner
+Autobuild-Date: Thu Feb 9 14:58:57 CET 2012 on sn-devel-104
+---
+ source3/configure.in | 1 -
+ source3/include/krb5_protos.h | 4 --
+ source3/libsmb/clikrb5.c | 89 -----------------------------------------
+ source3/wscript | 2 +-
+ 4 files changed, 1 insertions(+), 95 deletions(-)
+
+diff --git a/source3/configure.in b/source3/configure.in
+index 298fe1b..1ce1a5b 100644
+--- a/source3/configure.in
++++ b/source3/configure.in
+@@ -3860,7 +3860,6 @@ if test x"$with_ads_support" != x"no"; then
+ AC_CHECK_FUNC_EXT(krb5_string_to_key_salt, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_auth_con_setkey, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_auth_con_setuseruserkey, $KRB5_LIBS)
+- AC_CHECK_FUNC_EXT(krb5_locate_kdc, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_permitted_enctypes, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_default_in_tkt_etypes, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_free_data_contents, $KRB5_LIBS)
+diff --git a/source3/include/krb5_protos.h b/source3/include/krb5_protos.h
+index 32f995c..f16cafd 100644
+--- a/source3/include/krb5_protos.h
++++ b/source3/include/krb5_protos.h
+@@ -67,10 +67,6 @@ bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr);
+ int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt);
+ bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt);
+ krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
+-krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
+-#if defined(HAVE_KRB5_LOCATE_KDC)
+-krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
+-#endif
+ krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
+ bool get_krb5_smb_session_key(TALLOC_CTX *mem_ctx,
+ krb5_context context,
+diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
+index 9af3e49..8cea29c 100644
+--- a/source3/libsmb/clikrb5.c
++++ b/source3/libsmb/clikrb5.c
+@@ -488,95 +488,6 @@
+ #endif
+ }
+
+-#if !defined(HAVE_KRB5_LOCATE_KDC)
+-
+-/* krb5_locate_kdc is an internal MIT symbol. MIT are not yet willing to commit
+- * to a public interface for this functionality, so we have to be able to live
+- * without it if the MIT libraries are hiding their internal symbols.
+- */
+-
+-#if defined(KRB5_KRBHST_INIT)
+-/* Heimdal */
+- krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters)
+-{
+- krb5_krbhst_handle hnd;
+- krb5_krbhst_info *hinfo;
+- krb5_error_code rc;
+- int num_kdcs, i;
+- struct sockaddr *sa;
+- struct addrinfo *ai;
+-
+- *addr_pp = NULL;
+- *naddrs = 0;
+-
+- rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd);
+- if (rc) {
+- DEBUG(0, ("smb_krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc)));
+- return rc;
+- }
+-
+- for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++)
+- ;
+-
+- krb5_krbhst_reset(ctx, hnd);
+-
+- if (!num_kdcs) {
+- DEBUG(0, ("smb_krb5_locate_kdc: zero kdcs found !\n"));
+- krb5_krbhst_free(ctx, hnd);
+- return -1;
+- }
+-
+- sa = SMB_MALLOC_ARRAY( struct sockaddr, num_kdcs );
+- if (!sa) {
+- DEBUG(0, ("smb_krb5_locate_kdc: malloc failed\n"));
+- krb5_krbhst_free(ctx, hnd);
+- naddrs = 0;
+- return -1;
+- }
+-
+- memset(sa, '\0', sizeof(struct sockaddr) * num_kdcs );
+-
+- for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) {
+-
+-#if defined(HAVE_KRB5_KRBHST_GET_ADDRINFO)
+- rc = krb5_krbhst_get_addrinfo(ctx, hinfo, &ai);
+- if (rc) {
+- DEBUG(0,("krb5_krbhst_get_addrinfo failed: %s\n", error_message(rc)));
+- continue;
+- }
+-#endif
+- if (hinfo->ai && hinfo->ai->ai_family == AF_INET)
+- memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr));
+- }
+-
+- krb5_krbhst_free(ctx, hnd);
+-
+- *naddrs = num_kdcs;
+- *addr_pp = sa;
+- return 0;
+-}
+-
+-#else /* ! defined(KRB5_KRBHST_INIT) */
+-
+- krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm,
+- struct sockaddr **addr_pp, int *naddrs, int get_masters)
+-{
+- DEBUG(0, ("unable to explicitly locate the KDC on this platform\n"));
+- return KRB5_KDC_UNREACH;
+-}
+-
+-#endif /* KRB5_KRBHST_INIT */
+-
+-#else /* ! HAVE_KRB5_LOCATE_KDC */
+-
+- krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm,
+- struct sockaddr **addr_pp, int *naddrs, int get_masters)
+-{
+- return krb5_locate_kdc(ctx, realm, addr_pp, naddrs, get_masters);
+-}
+-
+-#endif /* HAVE_KRB5_LOCATE_KDC */
+-
+ #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
+ void krb5_free_unparsed_name(krb5_context context, char *val)
+ {
+diff --git a/source3/wscript b/source3/wscript
+index 901d2b6..40b2cde 100644
+--- a/source3/wscript
++++ b/source3/wscript
+@@ -585,7 +585,7 @@ msg.msg_acctrightslen = sizeof(fd);
+ krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes
+ krb5_set_default_tgs_ktypes krb5_principal2salt krb5_use_enctype
+ krb5_string_to_key krb5_get_pw_salt krb5_string_to_key_salt krb5_auth_con_setkey
+-krb5_auth_con_setuseruserkey krb5_locate_kdc krb5_get_permitted_enctypes
++krb5_auth_con_setuseruserkey krb5_get_permitted_enctypes
+ krb5_get_default_in_tkt_etypes krb5_free_data_contents
+ krb5_principal_get_comp_string krb5_free_unparsed_name
+ krb5_free_keytab_entry_contents krb5_kt_free_entry krb5_krbhst_init
+--
+1.7.7.6
+
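Review bot: Nothing in the added patch shows that the 3.6.4 tree has no remaining callers of `smb_krb5_locate_kdc`. It deletes the prototype from krb5_protos.h and all three definitions from clikrb5.c without touching any call site, and its header shows it was authored as a separate upstream commit dated 30 Nov 2011 rather than against this release. A leftover call would compile as an implicit declaration and fail only at link time, so it is worth confirming after %prep with `grep -rn -e smb_krb5_locate_kdc -e HAVE_KRB5_LOCATE_KDC source3/`. The configure.in hunk also only takes effect if configure is regenerated during the build, which is not visible here.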
diff --git a/samba.spec b/samba.spec index 320307a..c3a0b1c 100644 --- a/samba.spec +++ b/samba.spec @@ -1,4 +1,4 @@ -%define main_release 82 +%define main_release 83 %define samba_version 3.6.4 %define tdb_version 1.2.9 %define talloc_version 2.0.5 @@ -45,6 +45,7 @@ Patch104: samba-3.0.0rc3-nmbd-netbiosname.patch # The passwd part has been applied, but not the group part Patch107: samba-3.2.0pre1-grouppwd.patch Patch200: samba-3.2.5-inotify.patch +Patch201: samba-3.6.4-krb5_locate_kdc.patch Requires(pre): samba-common = %{epoch}:%{samba_version}-%{release} Requires: pam >= 0:0.64 @@ -229,6 +230,7 @@ cp %{SOURCE11} packaging/Fedora/ #%patch104 -p1 -b .nmbd-netbiosname # FIXME: does not apply %patch107 -p1 -b .grouppwd %patch200 -p0 -b .inotify +%patch201 -p1 -b .krb5_locate_kdc mv %samba_source/VERSION %samba_source/VERSION.orig sed -e 's/SAMBA_VERSION_VENDOR_SUFFIX=$/&\"%{samba_release}\"/' < %samba_source/VERSION.orig > %samba_source/VERSION @@ -688,6 +690,10 @@ fi %{_datadir}/pixmaps/samba/logo-small.png %changelog +* Fri Apr 20 2012 Guenther Deschner - 1:3.6.4-83 +- Avoid private krb5_locate_kdc usage +- resolves: #754783 + * Thu Apr 12 2012 Jon Ciesla - 1:3.6.4-82 - Update to 3.6.4 - Fixes CVE-2012-1182
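Review bot: `Patch201` is added in the `@@ -45,6 +45,7 @@` hunk without a comment stating its origin, whereas the neighbouring `Patch107` has one. The patch file's own header identifies it as upstream commit 2464a7b0ddb556bed86a845c9400e26c4d7f584a. A line above `Patch201:` such as `# Upstream commit 2464a7b0 (s3-libsmb: Remove obsolete smb_krb5_locate_kdc); drop once the packaged version includes it` would tell the next packager when the patch can be removed on a rebase.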