Package: krb5 Severity: grave Justification: user security hole
http://www.gentoo.org/security/en/glsa/glsa-200608-15.xml applies to debian too. 2006-001-patch_1.5.txt - is from gentoo, applies to debian krb5 too, with some hunks succeeding in different places. krb5-1.3.6-patch - is the diff between debian stable krb5 1.3.6-2sarge2 and the patched version, this should apply cleanly -- System Information: Debian Release: 3.1 Architecture: i386 (i686) Kernel: Linux 2.6.8-2-386 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) -- Package Information: Package: krb5-ftpd Priority: extra Section: net Installed-Size: 104 Maintainer: Sam Hartman <[EMAIL PROTECTED]> Architecture: i386 Source: krb5 Version: 1.3.6-2sarge2 Provides: ftp-server Depends: libc6 (>= 2.3.2.ds1-21), libcomerr2 (>= 1.33-3), libkrb53 (>= 1.3.2), libkrb53 (= 1.3.6-2sarge2), netbase, krb5-config Conflicts: ftpd Filename: pool/updates/main/k/krb5/krb5-ftpd_1.3.6-2sarge2_i386.deb Size: 52186 MD5sum: 00356fdf1a8534d13942ad3d58426da5 SHA1: 92d50e2a319be7e27fcf98c40051495543c8fc7d SHA256: 25d47a7fb63ee8239c5e0438ef3d0a0a8b04bf9f33e9387840f1a4a41ff07037 Description: Secure FTP server supporting MIT Kerberos Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos5.
Index: appl/gssftp/ftpd/ftpd.c
===================================================================
*** appl/gssftp/ftpd/ftpd.c (revision 18419)
--- appl/gssftp/ftpd/ftpd.c (working copy)
***************
*** 1367,1373 ****
  goto bad;
  sleep(tries);
  }
! (void) krb5_seteuid((uid_t)pw->pw_uid);
  #ifdef IP_TOS
  #ifdef IPTOS_THROUGHPUT
  on = IPTOS_THROUGHPUT;
--- 1367,1375 ----
  goto bad;
  sleep(tries);
  }
! if (krb5_seteuid((uid_t)pw->pw_uid)) {
! fatal("seteuid user");
! }
  #ifdef IP_TOS
  #ifdef IPTOS_THROUGHPUT
  on = IPTOS_THROUGHPUT;
***************
*** 1377,1383 ****
  #endif
  return (fdopen(s, fmode));
  bad:
! (void) krb5_seteuid((uid_t)pw->pw_uid);
  (void) close(s);
  return (NULL);
  }
--- 1379,1387 ----
  #endif
  return (fdopen(s, fmode));
  bad:
! if (krb5_seteuid((uid_t)pw->pw_uid)) {
! fatal("seteuid user");
! }
  (void) close(s);
  return (NULL);
  }
***************
*** 2186,2192 ****
  (void) krb5_seteuid((uid_t)pw->pw_uid);
  goto pasv_error;
  }
! (void) krb5_seteuid((uid_t)pw->pw_uid);
  len = sizeof(pasv_addr);
  if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0)
  goto pasv_error;
--- 2190,2198 ----
  (void) krb5_seteuid((uid_t)pw->pw_uid);
  goto pasv_error;
  }
! if (krb5_seteuid((uid_t)pw->pw_uid)) {
! fatal("seteuid user");
! }
  len = sizeof(pasv_addr);
  if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0)
  goto pasv_error;
Index: appl/bsd/v4rcp.c
===================================================================
*** appl/bsd/v4rcp.c (revision 18419)
--- appl/bsd/v4rcp.c (working copy)
***************
*** 436,442 ****
  kstream_set_buffer_mode (krem, 0);
  #endif /* KERBEROS && !NOENCRYPTION */
  (void) response();
! (void) setuid(userid);
  source(--argc, ++argv);
  exit(errs);
--- 436,445 ----
  kstream_set_buffer_mode (krem, 0);
  #endif /* KERBEROS && !NOENCRYPTION */
  (void) response();
! if (setuid(userid)) {
! error("rcp: can't setuid(user)\n");
! exit(1);
!
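Review bot: The error branch in the context just above the changed line, `(void) krb5_seteuid((uid_t)pw->pw_uid); goto pasv_error;`, still discards the result of the privilege switch, so the unchecked-seteuid problem this patch closes on the success path stays open on whatever failure path jumps to pasv_error — if that label, as its name suggests, only reports the error and returns to the command loop, the session would continue with the wrong effective uid. Changing that line to `if (krb5_seteuid((uid_t)pw->pw_uid)) fatal("seteuid user");` makes the two paths consistent. The same applies to the corresponding hunk `@@ -2179,7 +2183,9 @@` of ftpd.c in the 1.3.6 unified diff. The enclosing function starts before and ends after this hunk.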
}
  source(--argc, ++argv);
  exit(errs);
***************
*** 452,458 ****
  krem = kstream_create_from_fd (rem, 0, 0);
  kstream_set_buffer_mode (krem, 0);
  #endif /* KERBEROS && !NOENCRYPTION */
! (void) setuid(userid);
  sink(--argc, ++argv);
  exit(errs);
--- 455,464 ----
  krem = kstream_create_from_fd (rem, 0, 0);
  kstream_set_buffer_mode (krem, 0);
  #endif /* KERBEROS && !NOENCRYPTION */
! if (setuid(userid)) {
! error("rcp: can't setuid(user)\n");
! exit(1);
! }
  sink(--argc, ++argv);
  exit(errs);
Index: appl/bsd/krcp.c
===================================================================
*** appl/bsd/krcp.c (revision 18419)
--- appl/bsd/krcp.c (working copy)
***************
*** 620,626 ****
  euid = geteuid();
  if (euid == 0) {
! (void) setuid(0);
  if(krb5_seteuid(userid)) {
  perror("rcp seteuid user"); errs++; exit(errs);
  }
--- 620,628 ----
  euid = geteuid();
  if (euid == 0) {
! if (setuid(0)) {
! perror("rcp setuid 0"); errs++; exit(errs);
! }
  if(krb5_seteuid(userid)) {
  perror("rcp seteuid user"); errs++; exit(errs);
  }
***************
*** 638,648 ****
  continue;
  rcmd_stream_init_normal();
  #ifdef HAVE_SETREUID
! (void) setreuid(0, userid);
  sink(1, argv+argc-1);
! (void) setreuid(userid, 0);
  #else
! (void) setuid(0);
  if(seteuid(userid)) {
  perror("rcp seteuid user"); errs++; exit(errs);
  }
--- 640,656 ----
  continue;
  rcmd_stream_init_normal();
  #ifdef HAVE_SETREUID
! if (setreuid(0, userid)) {
! perror("rcp setreuid 0,user"); errs++; exit(errs);
! }
  sink(1, argv+argc-1);
! if (setreuid(userid, 0)) {
! perror("rcp setreuid user,0"); errs++; exit(errs);
! }
  #else
! if (setuid(0)) {
! perror("rcp setuid 0"); errs++; exit(errs);
! }
  if(seteuid(userid)) {
  perror("rcp seteuid user"); errs++; exit(errs);
  }
Index: appl/bsd/login.c
===================================================================
*** appl/bsd/login.c (revision 18419)
--- appl/bsd/login.c (working copy)
***************
*** 1648,1654 ****
  }
  #endif /* HAVE_SETLUID */
  #ifdef _IBMR2
!
setuidx(ID_LOGIN, pwd->pw_uid);
  #endif
  /* This call MUST succeed */
--- 1648,1657 ----
  }
  #endif /* HAVE_SETLUID */
  #ifdef _IBMR2
! if (setuidx(ID_LOGIN, pwd->pw_uid) < 0) {
! perror("setuidx");
! sleepexit(1);
! };
  #endif
  /* This call MUST succeed */
Index: appl/bsd/krshd.c
===================================================================
*** appl/bsd/krshd.c (revision 18419)
--- appl/bsd/krshd.c (working copy)
***************
*** 1403,1411 ****
  * If we're on a system which keeps track of login uids, then
  * set the login uid.
  */
! setluid((uid_t) pwd->pw_uid);
  #endif /* HAVE_SETLUID */
! (void) setuid((uid_t)pwd->pw_uid);
  /* if TZ is set in the parent, drag it in */
  {
  char **findtz = environ;
--- 1403,1417 ----
  * If we're on a system which keeps track of login uids, then
  * set the login uid.
  */
! if (setluid((uid_t) pwd->pw_uid) < 0) {
! perror("setluid");
! _exit(1);
! }
  #endif /* HAVE_SETLUID */
! if (setuid((uid_t)pwd->pw_uid) < 0) {
! perror("setuid");
! _exit(1);
! }
  /* if TZ is set in the parent, drag it in */
  {
  char **findtz = environ;
Index: clients/ksu/main.c
===================================================================
*** clients/ksu/main.c (revision 18419)
--- clients/ksu/main.c (working copy)
***************
*** 892,900 ****
  const char * cc_name;
  struct stat st_temp;
! krb5_seteuid(0);
! krb5_seteuid(target_uid);
!
  cc_name = krb5_cc_get_name(context, cc);
  if ( ! stat(cc_name, &st_temp)){
  if ((retval = krb5_cc_destroy(context, cc))){
--- 892,903 ----
  const char * cc_name;
  struct stat st_temp;
! if (krb5_seteuid(0) < 0 || krb5_seteuid(target_uid) < 0) {
! com_err(prog_name, errno,
! "while returning to source uid for destroying ccache");
! exit(1);
! }
!
  cc_name = krb5_cc_get_name(context, cc);
  if ( !
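Review bot: The new `};` closing the `if (setuidx(ID_LOGIN, pwd->pw_uid) < 0)` block carries a stray semicolon, i.e. an empty statement after the brace; it should read `}`. Since the block sits under `#ifdef _IBMR2` it is only compiled on AIX builds, so a Debian build would never exercise or even compile this text, which makes it worth getting right by inspection. The same `};` appears in hunk `@@ -1648,7 +1648,10 @@` of login.c in the 1.3.6 unified diff. The enclosing function starts before and ends after this hunk.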
stat(cc_name, &st_temp)){
  if ((retval = krb5_cc_destroy(context, cc))){
Index: lib/krb4/kuserok.c
===================================================================
*** lib/krb4/kuserok.c (revision 18419)
--- lib/krb4/kuserok.c (working copy)
***************
*** 159,167 ****
  */
  if(getuid() == 0) {
  uid_t old_euid = geteuid();
! seteuid(pwd->pw_uid);
  fp = fopen(pbuf, "r");
! seteuid(old_euid);
  if ((fp) == NULL) {
  return(NOTOK);
  }
--- 159,169 ----
  */
  if(getuid() == 0) {
  uid_t old_euid = geteuid();
! if (seteuid(pwd->pw_uid) < 0)
! return NOTOK;
  fp = fopen(pbuf, "r");
! if (seteuid(old_euid) < 0)
! return NOTOK;
  if ((fp) == NULL) {
  return(NOTOK);
  }
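Review bot: The new com_err text `"while returning to source uid for destroying ccache"` says the code is returning to the source uid, but the second call in the same condition is `krb5_seteuid(target_uid)`; if target_uid is, as its name suggests, the user being switched to, the message will mislead whoever reads the log, and wording such as `"while setting euid to target uid for destroying ccache"` would match what the code does. Passing `errno` to com_err also presumes krb5_seteuid leaves errno set on failure — worth confirming against its implementation. The same text is in hunk `@@ -892,9 +892,12 @@` of ksu/main.c in the 1.3.6 unified diff. The enclosing function starts before and ends after this hunk.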
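Review bot: When the restoring `seteuid(old_euid)` fails after `fp = fopen(pbuf, "r")` succeeded, the new `return NOTOK;` leaks the open FILE, and since this is a library routine the caller has no handle to close it. Close it on that path: `if (seteuid(old_euid) < 0) { if (fp) (void) fclose(fp); return NOTOK; }`. Returning NOTOK rather than continuing is the right choice here, because a function that cannot get back to its original effective uid should not go on to decide access. The same applies to hunk `@@ -159,9 +159,11 @@` of kuserok.c in the 1.3.6 unified diff. The enclosing function starts before and ends after this hunk.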
diff -urN krb5-1.3.6/src/appl/bsd/krcp.c krb5-1.3.6-new/src/appl/bsd/krcp.c
--- krb5-1.3.6/src/appl/bsd/krcp.c 2003-05-13 01:20:15.000000000 +0300
+++ krb5-1.3.6-new/src/appl/bsd/krcp.c 2006-08-10 19:26:12.015275472 +0300
@@ -620,7 +620,9 @@
 euid = geteuid();
 if (euid == 0) {
- (void) setuid(0);
+ if (setuid(0)) {
+ perror("rcp setuid 0"); errs++; exit(errs);
+ }
 if(krb5_seteuid(userid)) {
 perror("rcp seteuid user"); errs++; exit(errs);
 }
@@ -638,11 +640,17 @@
 continue;
 rcmd_stream_init_normal();
 #ifdef HAVE_SETREUID
- (void) setreuid(0, userid);
+ if (setreuid(0, userid)) {
+ perror("rcp setreuid 0,user"); errs++; exit(errs);
+ }
 sink(1, argv+argc-1);
- (void) setreuid(userid, 0);
+ if (setreuid(userid, 0)) {
+ perror("rcp setreuid user,0"); errs++; exit(errs);
+ }
 #else
- (void) setuid(0);
+ if (setuid(0)) {
+ perror("rcp setuid 0"); errs++; exit(errs);
+ }
 if(seteuid(userid)) {
 perror("rcp seteuid user"); errs++; exit(errs);
 }
diff -urN krb5-1.3.6/src/appl/bsd/krshd.c krb5-1.3.6-new/src/appl/bsd/krshd.c
--- krb5-1.3.6/src/appl/bsd/krshd.c 2003-09-11 02:28:04.000000000 +0300
+++ krb5-1.3.6-new/src/appl/bsd/krshd.c 2006-08-10 19:26:12.019274864 +0300
@@ -1379,9 +1379,15 @@
 * If we're on a system which keeps track of login uids, then
 * set the login uid.
 */
- setluid((uid_t) pwd->pw_uid);
+ if (setluid((uid_t) pwd->pw_uid) < 0) {
+ perror("setluid");
+ _exit(1);
+ }
 #endif /* HAVE_SETLUID */
- (void) setuid((uid_t)pwd->pw_uid);
+ if (setuid((uid_t)pwd->pw_uid) < 0) {
+ perror("setuid");
+ _exit(1);
+ }
 /* if TZ is set in the parent, drag it in */
 {
 char **findtz = environ;
diff -urN krb5-1.3.6/src/appl/bsd/login.c krb5-1.3.6-new/src/appl/bsd/login.c
--- krb5-1.3.6/src/appl/bsd/login.c 2003-05-28 07:06:25.000000000 +0300
+++ krb5-1.3.6-new/src/appl/bsd/login.c 2006-08-10 19:26:12.017275168 +0300
@@ -1648,7 +1648,10 @@
 }
 #endif /* HAVE_SETLUID */
 #ifdef _IBMR2
- setuidx(ID_LOGIN, pwd->pw_uid);
+ if (setuidx(ID_LOGIN, pwd->pw_uid) < 0) {
+ perror("setuidx");
+ sleepexit(1);
+ };
 #endif
 /* This call MUST succeed */
diff -urN krb5-1.3.6/src/appl/bsd/v4rcp.c krb5-1.3.6-new/src/appl/bsd/v4rcp.c
--- krb5-1.3.6/src/appl/bsd/v4rcp.c 2002-07-12 23:21:31.000000000 +0300
+++ krb5-1.3.6-new/src/appl/bsd/v4rcp.c 2006-08-10 19:26:12.013275776 +0300
@@ -436,7 +436,10 @@
 kstream_set_buffer_mode (krem, 0);
 #endif /* KERBEROS && !NOENCRYPTION */
 (void) response();
- (void) setuid(userid);
+ if (setuid(userid)) {
+ error("rcp: can't setuid(user)\n");
+ exit(1);
+ }
 source(--argc, ++argv);
 exit(errs);
@@ -452,7 +455,10 @@
 krem = kstream_create_from_fd (rem, 0, 0);
 kstream_set_buffer_mode (krem, 0);
 #endif /* KERBEROS && !NOENCRYPTION */
- (void) setuid(userid);
+ if (setuid(userid)) {
+ error("rcp: can't setuid(user)\n");
+ exit(1);
+ }
 sink(--argc, ++argv);
 exit(errs);
diff -urN krb5-1.3.6/src/appl/gssftp/ftpd/ftpd.c krb5-1.3.6-new/src/appl/gssftp/ftpd/ftpd.c
--- krb5-1.3.6/src/appl/gssftp/ftpd/ftpd.c 2004-08-31 23:18:25.000000000 +0300
+++ krb5-1.3.6-new/src/appl/gssftp/ftpd/ftpd.c 2006-08-10 19:26:12.011276080 +0300
@@ -1360,7 +1360,9 @@
 goto bad;
 sleep(tries);
 }
- (void) krb5_seteuid((uid_t)pw->pw_uid);
+ if (krb5_seteuid((uid_t)pw->pw_uid)) {
+ fatal("seteuid user");
+ }
 #ifdef IP_TOS
 #ifdef IPTOS_THROUGHPUT
 on = IPTOS_THROUGHPUT;
@@ -1370,7 +1372,9 @@
 #endif
 return (fdopen(s, fmode));
 bad:
- (void) krb5_seteuid((uid_t)pw->pw_uid);
+ if (krb5_seteuid((uid_t)pw->pw_uid)) {
+ fatal("seteuid user");
+ }
 (void) close(s);
 return (NULL);
 }
@@ -2179,7 +2183,9 @@
 (void) krb5_seteuid((uid_t)pw->pw_uid);
 goto pasv_error;
 }
- (void) krb5_seteuid((uid_t)pw->pw_uid);
+ if (krb5_seteuid((uid_t)pw->pw_uid)) {
+ fatal("seteuid user");
+ }
 len = sizeof(pasv_addr);
 if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0)
 goto pasv_error;
diff -urN krb5-1.3.6/src/clients/ksu/main.c krb5-1.3.6-new/src/clients/ksu/main.c
--- krb5-1.3.6/src/clients/ksu/main.c 2002-08-14 22:14:49.000000000 +0300
+++ krb5-1.3.6-new/src/clients/ksu/main.c 2006-08-10 19:26:12.021274560 +0300
@@ -892,9 +892,12 @@
 const char * cc_name;
 struct stat st_temp;
- krb5_seteuid(0);
- krb5_seteuid(target_uid);
-
+ if (krb5_seteuid(0) < 0 || krb5_seteuid(target_uid) < 0) {
+ com_err(prog_name, errno,
+ "while returning to source uid for destroying ccache");
+ exit(1);
+ }
+
 cc_name = krb5_cc_get_name(context, cc);
 if ( ! stat(cc_name, &st_temp)){
 if ((retval = krb5_cc_destroy(context, cc))){
diff -urN krb5-1.3.6/src/lib/krb4/kuserok.c krb5-1.3.6-new/src/lib/krb4/kuserok.c
--- krb5-1.3.6/src/lib/krb4/kuserok.c 2003-03-05 05:38:51.000000000 +0200
+++ krb5-1.3.6-new/src/lib/krb4/kuserok.c 2006-08-10 19:26:12.022274408 +0300
@@ -159,9 +159,11 @@
 */
 if(getuid() == 0) {
 uid_t old_euid = geteuid();
- seteuid(pwd->pw_uid);
+ if (seteuid(pwd->pw_uid) < 0)
+ return NOTOK;
 fp = fopen(pbuf, "r");
- seteuid(old_euid);
+ if (seteuid(old_euid) < 0)
+ return NOTOK;
 if ((fp) == NULL) {
 return(NOTOK);
 }