MITKRB5-SA-2007-002: KDC,kadmind stack overflow in krb5_klog_syslog [CVE-2007-0957] - Kerberos


  1. MITKRB5-SA-2007-002: KDC,kadmind stack overflow in krb5_klog_syslog [CVE-2007-0957]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    MIT krb5 Security Advisory 2007-002

    Original release: 2007-04-03
    Last update: 2007-04-03

    Topic: KDC, kadmind stack overflow in krb5_klog_syslog

    Severity: CRITICAL

    CVE: CVE-2007-0957
    CERT: VU#704024

    SUMMARY
    =======

    The library function krb5_klog_syslog() can write past the end of a
    stack buffer. The Kerberos administration daemon (kadmind) as well as
    the KDC, are vulnerable. Exploitation of this vulnerability is
    probably simple.

    This is a vulnerability in the kadm5 library, which is used by the
    KDC and kadmind, and possibly by some third-party applications. It is
    not a bug in the MIT krb5 protocol libraries or in the Kerberos
    protocol.

    IMPACT
    ======

    An authenticated user may be able to cause a host running kadmind to
    execute arbitrary code.

    An authenticated user may be able to cause a KDC host to execute
    arbitrary code. Also, a user controlling a Kerberos realm sharing a
    key with the target realm may be able to cause a KDC host to execute
    arbitrary code.

    Successful exploitation can compromise the Kerberos key database and
    host security on the host running these programs. (kadmind and the
    KDC typically run as root.) Unsuccessful exploitation attempts will
    likely result in the affected program crashing.

    Third-party applications which call krb5_klog_syslog() may also be
    vulnerable.

    AFFECTED SOFTWARE
    =================

    * MIT krb5 releases through krb5-1.6

    FIXES
    =====

    * The upcoming krb5-1.6.1 release will contain a fix for this
    vulnerability.

    Prior to that release you may:

    * apply the patch

    The patch is available at

    http://web.mit.edu/kerberos/advisori...-002-patch.txt

    A PGP-signed patch is available at

    http://web.mit.edu/kerberos/advisori...-patch.txt.asc

    Systems which definitely provide vsnprintf() may not need the entire
    patch; see "DETAILS".

    Please note that releases prior to krb5-1.5 will require additional
    changes to the configure script src/lib/kadm5/configure in order to
    correctly detect the presence of vsnprintf(). krb5-1.5 and later
    releases already check for vsnprintf() in the top-level configure
    script, and do not have a separate src/lib/kadm5/configure script.

    REFERENCES
    ==========

    This announcement is posted at:

    http://web.mit.edu/kerberos/advisori...002-syslog.txt

    This announcement and related security advisories may be found on the
    MIT Kerberos security advisory page at:

    http://web.mit.edu/kerberos/advisories/index.html

    The main MIT Kerberos web page is at:

    http://web.mit.edu/kerberos/index.html

    CVE: CVE-2007-0957
    http://cve.mitre.org/cgi-bin/cvename...=CVE-2007-0957

    CERT: VU#704024
    http://www.kb.cert.org/vuls/id/704024

    ACKNOWLEDGMENTS
    ===============

    We thank iDefense Labs for notifying us of this vulnerability.
    iDefense credits an anonymous discoverer.

    DETAILS
    =======

    krb5_klog_syslog() uses vsprintf() to format text into a fixed-length
    stack buffer. Format specifiers such as "%s" used in calls to
    krb5_klog_syslog() may allow formatting of strings of sufficient
    length to overwrite memory past the end of the stack buffer.

    Certain strings received from the client by the kadmin daemon are not
    truncated prior to logging. Among these strings is the target
    principal for the kadmin operation.

    The KDC truncates most client-originated strings prior to logging.
    One sort of string which is not truncated is a transited-realms
    string. A malicious KDC sharing a key with the target realm may issue
    tickets with specially-crafted transited-realms strings to exploit
    this vulnerability. There are other places where an authenticated
    user may cause the KDC to log a string which triggers the
    vulnerability.

    On a system where vsnprintf() is confirmed to be available, the
    patches to files other than src/lib/kadm5/logger.c may not be
    necessary to prevent a buffer overflow; these patches are still useful
    to prevent malicious users from causing vsnprintf() to obliterate
    useful log information by means of truncation.

    REVISION HISTORY
    ================

    2007-04-03 original release

    Copyright (C) 2007 Massachusetts Institute of Technology
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (SunOS)

    iQCVAwUBRhKVS6bDgE/zdoE9AQJlZgQAq/IvVdpkf3VNViwuZaAJ31+mqq17gKqX
    9DkxkvpPD2b5/8N/ouywP/ODCpYpT9Y+mU+Cw/hEfL2otv/o1HJcV7CXPRCEFODs
    YKpi2Sahcxs+jl1ZQfsY63oay6urZ0PTcrZTFQuqOv8B0wVd0XUwrSkBLejZszL3
    YUFR4W+wtbg=
    =GsBC
    -----END PGP SIGNATURE-----
    _______________________________________________
    kerberos-announce mailing list
    kerberos-announce@mit.edu
    https://mailman.mit.edu/mailman/list...beros-announce
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: MITKRB5-SA-2007-002: KDC,kadmind stack overflow in krb5_klog_syslog [CVE-2007-0957]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Tue, 3 Apr 2007 at 14:10 (-0400), Tom Yu wrote:

    > AFFECTED SOFTWARE
    > =================
    >
    > * MIT krb5 releases through krb5-1.6

    ....
    > The patch is available at
    >
    > http://web.mit.edu/kerberos/advisori...-002-patch.txt


    Tom,

    Is the above patch supposed to apply to 1.4.2? I find several large
    discrepancies in the line numbers. For example, in
    src/kadmin/server/misc.c, the 1.4.2 version has only 151 lines, yet the
    patch refers to line 171. There are also significant differences in, for
    example, src/kadmin/server/ovsec_kadmd.c. Plus minor line differences in
    other modules for this patch.

    Is there a different version of this patch for 1.4.2?

    Thanks.

    Mike

    _________________________________________________________________________
    Mike Friedman Information Services & Technology
    mikef@ack.Berkeley.EDU 2484 Shattuck Avenue
    1-510-642-1410 University of California at Berkeley
    http://socrates.berkeley.edu/~mikef http://ist.berkeley.edu
    _________________________________________________________________________

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8

    iQA/AwUBRhKyna0bf1iNr4mCEQL2twCfUvdwqQLvlG90LbLjlOwyqqB7V9AAoMjJ
    YW4CLEEpQRootDd3r5t8w2Qm
    =86L5
    -----END PGP SIGNATURE-----
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  3. Re: MITKRB5-SA-2007-002: KDC,kadmind stack overflow in krb5_klog_syslog [CVE-2007-0957]

    >>>>> "mikef" == Mike Friedman writes:

    mikef> On Tue, 3 Apr 2007 at 14:10 (-0400), Tom Yu wrote:
    >> AFFECTED SOFTWARE
    >> =================
    >>
    >> * MIT krb5 releases through krb5-1.6

    mikef> ...
    >> The patch is available at
    >>
    >> http://web.mit.edu/kerberos/advisori...-002-patch.txt


    mikef> Tom,

    mikef> Is the above patch supposed to apply to 1.4.2? I find several large
    mikef> discrepancies in the line numbers. For example, in
    mikef> src/kadmin/server/misc.c, the 1.4.2 version has only 151 lines, yet the
    mikef> patch refers to line 171. There are also significant differences in, for
    mikef> example, src/kadmin/server/ovsec_kadmd.c. Plus minor line differences in
    mikef> other modules for this patch.

    mikef> Is there a different version of this patch for 1.4.2?

    Your patching may be significantly simplified if you are certain that
    vsnprintf() is present on your systems; in that case you may omit the
    changes to files other than src/lib/kadm5/logger.c, at the expense of
    sometimes losing some log data due to vsnprintf() performing
    truncation. Also, it is probably wise to unconditionally call
    vsnprintf() in logger.c (rather than under #ifdef HAVE_VSNPRINTF) in
    that case.

    krb5-1.5.x had significant changes in some of the affected kadmind and
    KDC code; if there is sufficient interest, we may be able to produce
    additional patches for earlier releases.

    ---Tom
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
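    The DETAILS section of the advisory (vsprintf() into a fixed-length stack buffer, with some client-supplied strings logged without truncation) and Tom's reply above (call vsnprintf() unconditionally in logger.c and accept that long names will be cut off) describe two layers of the fix. The C below is an added example written for this page, not MIT code and not the advisory patch: it places the vulnerable logger shape next to a vsnprintf()-bounded one and a per-name cap modelled on the patch's trunc_name(), and shows why the cap is still worth having once vsnprintf() is in place (without it, a long principal pushes the result field off the end of the line). LOGBUF_LEN, the helper names, the address and the principal names are assumptions; the 5000-byte principal is constructed input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF_LEN  1024   /* assumed size of the logger's fixed stack buffer */
#define MAXPRINCLEN 125    /* per-name cap; same number the MIT patch uses */

/* Vulnerable shape from the advisory: vsprintf() knows nothing about the
 * size of buf, so a "%s" argument longer than LOGBUF_LEN keeps writing past
 * the end of the stack frame.  Shown for the pattern only; never called. */
void vuln_klog_syslog(const char *fmt, ...)
{
    char buf[LOGBUF_LEN];
    va_list ap;

    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);          /* unbounded write into buf */
    va_end(ap);
    fputs(buf, stderr);
}

/* Hardened shape: vsnprintf() writes at most outlen bytes and returns the
 * length the whole message would have had, so truncation is detectable.
 * Returns 1 if truncated, 0 if the line fit, -1 on a formatting error. */
int safe_klog_syslog(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    return (size_t)n >= outlen;
}

/* Caller-side cap in the spirit of the patch's trunc_name(): shorten one
 * client-controlled name to MAXPRINCLEN and flag it with "..." so the rest
 * of the audit line survives.  Returns int because the ".*" precision of
 * "%.*s" consumes an int; passing a size_t there is undefined on LP64. */
int trunc_name(size_t len, const char **dots)
{
    if (len > MAXPRINCLEN) {
        *dots = "...";
        return MAXPRINCLEN;
    }
    *dots = "";
    return (int)len;
}

/* Audit line for a password-change request, shaped like the patched schpw.c. */
int log_chpw(char *out, size_t outlen, const char *addr,
             const char *princ, const char *result)
{
    const char *dots;
    int plen = trunc_name(strlen(princ), &dots);

    return safe_klog_syslog(out, outlen, "chpw request from %s for %.*s%s: %s",
                            addr, plen, princ, dots, result);
}

/* Constructed 5000-byte principal standing in for attacker input. */
static const char *long_principal(void)
{
    static char name[5001];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return name;
}

/* Capped format: line fits, carries the "..." marker, keeps the result field. */
int check_capped_long_name(void)
{
    char line[LOGBUF_LEN];
    int trunc = log_chpw(line, sizeof line, "10.0.0.5", long_principal(), "success");

    return trunc == 0 && strstr(line, "A...") != NULL &&
           strstr(line, ": success") != NULL && strlen(line) < sizeof line;
}

/* Uncapped "%s": the stack stays intact, but the result field is gone and
 * the caller is told so; this is the log obliteration the advisory mentions. */
int check_uncapped_long_name(void)
{
    char line[LOGBUF_LEN];
    int trunc = safe_klog_syslog(line, sizeof line, "chpw request from %s for %s: %s",
                                 "10.0.0.5", long_principal(), "success");

    return trunc == 1 && strlen(line) == sizeof line - 1 &&
           strstr(line, ": success") == NULL;
}

/* Ordinary name: no marker, nothing lost. */
int check_short_name(void)
{
    char line[LOGBUF_LEN];
    int trunc = log_chpw(line, sizeof line, "10.0.0.5", "alice@EXAMPLE.COM", "success");

    return trunc == 0 && strstr(line, "...") == NULL &&
           strcmp(line, "chpw request from 10.0.0.5 for alice@EXAMPLE.COM: success") == 0;
}
```

    The three check functions return 1 when the behaviour matches the comment above them. The second one is the case Tom's shortcut leaves you with: safe, because vsnprintf() bounds the write, but the address and result that an incident responder would want are no longer on the line, which is why the patch also caps each name at the call sites.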


  4. Re: MITKRB5-SA-2007-002: KDC,kadmind stack overflow in krb5_klog_syslog [CVE-2007-0957]

    Attached is a converted patch for 1.4.3 (closer to your 1.4.2). This
    includes all three advisories. I just finished compiling, but haven't
    tested it yet so use it at your own risk.

    -Mike

    Tom Yu wrote:
    >>>>>> "mikef" == Mike Friedman writes:

    >
    > mikef> On Tue, 3 Apr 2007 at 14:10 (-0400), Tom Yu wrote:
    >>> AFFECTED SOFTWARE
    >>> =================
    >>>
    >>> * MIT krb5 releases through krb5-1.6

    > mikef> ...
    >>> The patch is available at
    >>>
    >>> http://web.mit.edu/kerberos/advisori...-002-patch.txt

    >
    > mikef> Tom,
    >
    > mikef> Is the above patch supposed to apply to 1.4.2? I find several large
    > mikef> discrepancies in the line numbers. For example, in
    > mikef> src/kadmin/server/misc.c, the 1.4.2 version has only 151 lines, yet the
    > mikef> patch refers to line 171. There are also significant differences in, for
    > mikef> example, src/kadmin/server/ovsec_kadmd.c. Plus minor line differences in
    > mikef> other modules for this patch.
    >
    > mikef> Is there a different version of this patch for 1.4.2?
    >
    > Your patching may be significantly simplified if you are certain that
    > vsnprintf() is present on your systems; in that case you may omit the
    > changes to files other than src/lib/kadm5/logger.c, at the expense of
    > sometimes losing some log data due to vsnprintf() performing
    > truncation. Also, it is probably wise to unconditionally call
    > vsnprintf() in logger.c (rather than under #ifdef HAVE_VSNPRINTF) in
    > that case.
    >
    > krb5-1.5.x had significant changes in some of the affected kadmind and
    > KDC code; if there is sufficient interest, we may be able to produce
    > additional patches for earlier releases.
    >
    > ---Tom
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >


    diff -Nur krb5-040307/appl/telnet/telnetd/state.c krb5/appl/telnet/telnetd/state.c
    --- krb5-040307/appl/telnet/telnetd/state.c 2002-11-15 14:21:51.000000000 -0600
    +++ krb5/appl/telnet/telnetd/state.c 2007-04-03 13:55:13.000000000 -0500
    @@ -1665,7 +1665,8 @@
    strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
    strcmp(varp, "NLSPATH") && /* locale stuff */
    strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
    - strcmp(varp, "IFS")) {
    + strcmp(varp, "IFS") &&
    + !strchr(varp, '-')) {
    return 1;
    } else {
    syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
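    Review bot: the new `!strchr(varp, '-')` test rejects any variable whose name contains '-' anywhere, not only as a leading character, and nothing in the hunk says why; add a one-line comment next to the test stating the reason, otherwise a later maintainer will "relax" it to a `varp[0] != '-'` check. The rejection falls through to the existing generic syslog line, so an administrator cannot tell this case from the other banned names; consider a distinct message for it.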
    diff -Nur krb5-040307/appl/telnet/telnetd/sys_term.c krb5/appl/telnet/telnetd/sys_term.c
    --- krb5-040307/appl/telnet/telnetd/sys_term.c 2006-05-12 11:23:00.000000000 -0500
    +++ krb5/appl/telnet/telnetd/sys_term.c 2007-04-03 13:55:13.000000000 -0500
    @@ -1289,6 +1289,16 @@
    #endif
    #if defined (AUTHENTICATION)
    if (auth_level >= 0 && autologin == AUTH_VALID) {
    + if (name[0] == '-') {
    + /* Authenticated and authorized to log in to an
    + account starting with '-'? Even if that
    + unlikely case comes to pass, the current login
    + program will not parse the resulting command
    + line properly. */
    + syslog(LOG_ERR, "user name cannot start with '-'");
    + fatal(net, "user name cannot start with '-'");
    + exit(1);
    + }
    # if !defined(NO_LOGIN_F)
    #if defined(LOGIN_CAP_F)
    argv = addarg(argv, "-F");
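    Review bot: `exit(1)` after `fatal(net, ...)` is either unreachable (if fatal() terminates the process) or means the error is reported twice (syslog followed by fatal) before exiting; pick one behaviour and drop the redundant call. The same five lines (syslog, fatal, exit) are repeated for the `USER` case further down, so a small `reject_dash_name(net, name)` helper would keep the two checks identical.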
    @@ -1379,11 +1389,19 @@
    } else
    #endif
    if (getenv("USER")) {
    - argv = addarg(argv, getenv("USER"));
    + char *user = getenv("USER");
    + if (user[0] == '-') {
    + /* "telnet -l-x ..." */
    + syslog(LOG_ERR, "user name cannot start with '-'");
    + fatal(net, "user name cannot start with '-'");
    + exit(1);
    + }
    + argv = addarg(argv, user);
    #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
    {
    register char **cpp;
    for (cpp = environ; *cpp; cpp++)
    + if ((*cpp)[0] != '-')
    argv = addarg(argv, *cpp);
    }
    #endif
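    Review bot: the `environ` loop now drops any entry beginning with '-' silently, whereas the `USER` check a few lines above logs and aborts; a dropped entry should at least be syslog'ed so that a client probing with '-'-prefixed variables leaves a trace. The single-statement `if` inserted between the `for` and `argv = addarg(...)` is correct but easy to misread; put braces around the loop body.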
    diff -Nur krb5-040307/kadmin/server/kadm_rpc_svc.c krb5/kadmin/server/kadm_rpc_svc.c
    --- krb5-040307/kadmin/server/kadm_rpc_svc.c 2004-06-15 22:11:54.000000000 -0500
    +++ krb5/kadmin/server/kadm_rpc_svc.c 2007-04-03 13:55:22.000000000 -0500
    @@ -249,6 +249,8 @@
    krb5_data *c1, *c2, *realm;
    gss_buffer_desc gss_str;
    kadm5_server_handle_t handle;
    + size_t slen;
    + char *sdots;

    success = 0;
    handle = (kadm5_server_handle_t)global_server_handle;
    @@ -273,6 +275,8 @@
    if (ret == 0)
    goto fail_name;

    + slen = gss_str.length;
    + trunc_name(&slen, &sdots);
    /*
    * Since we accept with GSS_C_NO_NAME, the client can authenticate
    * against the entire kdb. Therefore, ensure that the service
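    Review bot: `slen` and `sdots` (declared in the previous hunk) are assigned only here, after the `goto fail_name` exit, but they are consumed at the `fail_princ:` label; any jump to `fail_princ` that bypasses these two lines formats with an uninitialised length and pointer. Either initialise them at declaration (`slen = 0; sdots = "";`) or move the `trunc_name()` call to immediately before the log statement so the values do not depend on control flow.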
    @@ -295,8 +299,8 @@

    fail_princ:
    if (!success) {
    - krb5_klog_syslog(LOG_ERR, "bad service principal %.*s",
    - gss_str.length, gss_str.value);
    + krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s",
    + slen, gss_str.value, sdots);
    }
    gss_release_buffer(&min_stat, &gss_str);
    krb5_free_principal(kctx, princ);
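    Review bot: `slen` is a `size_t` but the `.*` precision of `%.*s` consumes an `int`; on LP64 targets vsnprintf reads half of the 8-byte argument and the remaining bytes shift the following arguments. Pass `(int)slen` here and at every other call site where a `trunc_name()` length feeds `%.*s`. The removed line passed `gss_str.length` directly, which has the same problem unless that field is int-sized, so this is the moment to fix both.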
    diff -Nur krb5-040307/kadmin/server/misc.c krb5/kadmin/server/misc.c
    --- krb5-040307/kadmin/server/misc.c 2005-10-14 18:04:41.000000000 -0500
    +++ krb5/kadmin/server/misc.c 2007-04-03 13:55:22.000000000 -0500
    @@ -171,3 +171,12 @@

    return kadm5_free_principal_ent(handle->lhandle, &princ);
    }
    +
    +#define MAXPRINCLEN 125
    +
    +void
    +trunc_name(size_t *len, char **dots)
    +{
    + *dots = *len > MAXPRINCLEN ? "..." : "";
    + *len = *len > MAXPRINCLEN ? MAXPRINCLEN : *len;
    +}
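    Review bot: `*dots` is always pointed at a string literal, so the parameter should be `const char **dots` and callers must never free it; and the length this produces exists only to be a `%.*s` precision, which is an `int`, so an `int` here would remove a cast at every call site. Also say in a comment next to `#define MAXPRINCLEN 125` what the number is derived from (presumably several capped names plus fixed text fitting in krb5_klog_syslog's buffer), otherwise a later change to that buffer will silently reopen the overflow.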
    diff -Nur krb5-040307/kadmin/server/misc.h krb5/kadmin/server/misc.h
    --- krb5-040307/kadmin/server/misc.h 2005-10-14 18:04:41.000000000 -0500
    +++ krb5/kadmin/server/misc.h 2007-04-03 13:55:22.000000000 -0500
    @@ -45,3 +45,5 @@
    #ifdef SVC_GETARGS
    void kadm_1(struct svc_req *, SVCXPRT *);
    #endif
    +
    +void trunc_name(size_t *len, char **dots);
    diff -Nur krb5-040307/kadmin/server/ovsec_kadmd.c krb5/kadmin/server/ovsec_kadmd.c
    --- krb5-040307/kadmin/server/ovsec_kadmd.c 2004-09-21 13:20:16.000000000 -0500
    +++ krb5/kadmin/server/ovsec_kadmd.c 2007-04-03 13:55:22.000000000 -0500
    @@ -952,13 +952,25 @@
    rpcproc_t proc;
    int i;
    const char *procname;
    + size_t clen, slen;
    + char *cdots, *sdots;

    (void) gss_display_name(&minor, client_name, &client, &gss_type);
    (void) gss_display_name(&minor, server_name, &server, &gss_type);
    - if (client.value == NULL)
    + if (client.value == NULL) {
    client.value = "(null)";
    - if (server.value == NULL)
    + clen = sizeof("(null)") -1;
    + } else {
    + clen = client.length;
    + }
    + trunc_name(&clen, &cdots);
    + if (server.value == NULL) {
    server.value = "(null)";
    + slen = sizeof("(null)") - 1;
    + } else {
    + slen = server.length;
    + }
    + trunc_name(&slen, &sdots);
    a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);

    proc = msg->rm_call.cb_proc;
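    Review bot: `clen` and `slen` are `size_t` and are handed to `%.*s` in the next hunk, so they need `(int)` casts (or `int` declarations). When `client.value` is replaced by the `"(null)"` literal, `client.length` is left stale; harmless here only because every later use goes through `clen`, so a comment saying so would prevent someone from reading `client.length` again. Minor: `sizeof("(null)") -1` versus `sizeof("(null)") - 1` four lines below.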
    @@ -971,14 +983,14 @@
    }
    if (procname != NULL)
    krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
    - "claimed client = %s, server = %s, addr = %s",
    - procname, client.value,
    - server.value, a);
    + "claimed client = %.*s%s, server = %.*s%s, addr = %s",
    + procname, clen, client.value, cdots,
    + slen, server.value, sdots, a);
    else
    krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
    - "claimed client = %s, server = %s, addr = %s",
    - proc, client.value,
    - server.value, a);
    + "claimed client = %.*s%s, server = %.*s%s, addr = %s",
    + proc, clen, client.value, cdots,
    + slen, server.value, sdots, a);

    (void) gss_release_buffer(&minor, &client);
    (void) gss_release_buffer(&minor, &server);
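    Review bot: the two format strings are now identical apart from `%s` versus `%d` for the procedure, and the second still prints `proc` (declared `rpcproc_t` above) with `%d`, which is only right if rpcproc_t is int-sized on every target; cast it or use the matching length modifier. Not introduced by this patch but visible in the context: `gss_release_buffer()` is called on `client` and `server` even after `.value` was pointed at the `"(null)"` literal in the previous hunk, which deserves a check against what the GSS library does with that pointer.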
    diff -Nur krb5-040307/kadmin/server/schpw.c krb5/kadmin/server/schpw.c
    --- krb5-040307/kadmin/server/schpw.c 2005-10-14 18:04:41.000000000 -0500
    +++ krb5/kadmin/server/schpw.c 2007-04-03 15:38:50.000000000 -0500
    @@ -41,6 +41,8 @@
    int numresult;
    char strresult[1024];
    char *clientstr;
    + size_t clen;
    + char *cdots;

    ret = 0;
    rep->length = 0;
    @@ -259,9 +261,13 @@
    free(ptr);
    clear.length = 0;

    - krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s",
    + clen = strlen(clientstr);
    + trunc_name(&clen, &cdots);
    + krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",
    inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),
    - clientstr, ret ? error_message(ret) : "success");
    + clen, clientstr, cdots,
    + ret ? error_message(ret) : "success");
    +
    krb5_free_unparsed_name(context, clientstr);

    if (ret) {
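    Review bot: the trailing `+` line after the `krb5_klog_syslog()` call adds an empty line with no purpose; drop it. `clen` is a `size_t` passed as the `%.*s` precision and needs an `(int)` cast. The `%s` for `error_message(ret)` stays uncapped, which is fine because that is library text rather than client input, but a comment marking which arguments are client-controlled would help the next reader see that `clientstr` is the only one.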
    diff -Nur krb5-040307/kadmin/server/server_stubs.c krb5/kadmin/server/server_stubs.c
    --- krb5-040307/kadmin/server/server_stubs.c 2004-08-20 13:45:30.000000000 -0500
    +++ krb5/kadmin/server/server_stubs.c 2007-04-03 15:00:12.000000000 -0500
    @@ -14,6 +14,7 @@
    #include /* inet_ntoa */
    #include /* krb5_klog_syslog */
    #include "misc.h"
    +#include

    #define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"
    #define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
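    Review bot: the added `#include` has no header name in this rendering (the two existing includes just above lost theirs as well, so the angle-bracketed names were stripped when the message was posted); as shown the file will not compile, so take the include from the original advisory patch rather than from this copy. Separately, `LOG_UNAUTH` and `LOG_DONE` remain defined while the following hunks replace their uses with log_unauth()/log_done(); once no use is left, delete the macros so nobody reaches for the uncapped `%s` formats again.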
    @@ -237,6 +238,61 @@
    return 0;
    }

    +static int
    +log_unauth(
    + char *op,
    + char *target,
    + gss_buffer_t client,
    + gss_buffer_t server,
    + struct svc_req *rqstp)
    +{
    + size_t tlen, clen, slen;
    + char *tdots, *cdots, *sdots;
    +
    + tlen = strlen(target);
    + trunc_name(&tlen, &tdots);
    + clen = client->length;
    + trunc_name(&clen, &cdots);
    + slen = server->length;
    + trunc_name(&slen, &sdots);
    +
    + return krb5_klog_syslog(LOG_NOTICE,
    + "Unauthorized request: %s, %.*s%s, "
    + "client=%.*s%s, service=%.*s%s, addr=%s",
    + op, tlen, target, tdots,
    + clen, client->value, cdots,
    + slen, server->value, sdots,
    + inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    +}
    +
    +static int
    +log_done(
    + char *op,
    + char *target,
    + char *errmsg,
    + gss_buffer_t client,
    + gss_buffer_t server,
    + struct svc_req *rqstp)
    +{
    + size_t tlen, clen, slen;
    + char *tdots, *cdots, *sdots;
    +
    + tlen = strlen(target);
    + trunc_name(&tlen, &tdots);
    + clen = client->length;
    + trunc_name(&clen, &cdots);
    + slen = server->length;
    + trunc_name(&slen, &sdots);
    +
    + return krb5_klog_syslog(LOG_NOTICE,
    + "Request: %s, %.*s%s, %s, "
    + "client=%.*s%s, service=%.*s%s, addr=%s",
    + op, tlen, target, tdots, errmsg,
    + clen, client->value, cdots,
    + slen, server->value, sdots,
    + inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    +}
    +
    generic_ret *
    create_principal_1_svc(cprinc_arg *arg, struct svc_req *rqstp)
    {
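    Review bot: `tlen`, `clen` and `slen` are `size_t` but are passed as the `int` precision of `%.*s`; cast them to `(int)` or declare them `int`. `op`, `target` and `errmsg` are never modified and receive string literals, so make them `const char *`. The two functions repeat six lines of truncation setup; one function taking an optional `errmsg` (or a shared helper) would keep the two formats from drifting apart. `errmsg` is still printed with a bare `%s`; that is fine for `error_message()` output, and a comment should say so.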
    @@ -274,18 +330,16 @@
    || kadm5int_acl_impose_restrictions(handle->context,
    &arg->rec, &arg->mask, rp)) {
    ret.code = KADM5_AUTH_ADD;
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth("kadm5_create_principal", prime_arg,
    + &client_name, &service_name, rqstp);
    } else {
    ret.code = kadm5_create_principal((void *)handle,
    &arg->rec, arg->mask,
    arg->passwd);
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
    - prime_arg,((ret.code == 0) ? "success" :
    - error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    +
    + log_done("kadm5_create_principal", prime_arg, ((ret.code == 0) ? "success" : error_message(ret.code)),
    + &client_name, &service_name, rqstp);
    +
    }
    free_server_handle(handle);
    free(prime_arg);
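    Review bot: the `log_done(...)` call is a single line well past 80 columns, wrapped in two added blank lines; put the ternary on its own line as the removed code did and drop the blanks. The `int` returned by log_unauth()/log_done() is discarded at every call site; either make them `void` or cast the calls to `(void)`.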
    @@ -331,20 +385,18 @@
    || kadm5int_acl_impose_restrictions(handle->context,
    &arg->rec, &arg->mask, rp)) {
    ret.code = KADM5_AUTH_ADD;
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth("kadm5_create_principal", prime_arg,
    + &client_name, &service_name, rqstp);
    } else {
    ret.code = kadm5_create_principal_3((void *)handle,
    &arg->rec, arg->mask,
    arg->n_ks_tuple,
    arg->ks_tuple,
    arg->passwd);
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
    - prime_arg,((ret.code == 0) ? "success" :
    - error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    +
    + log_done("kadm5_create_principal", prime_arg, ((ret.code == 0) ? "success" : error_message(ret.code)),
    + &client_name, &service_name, rqstp);
    +
    }
    free_server_handle(handle);
    free(prime_arg);
    @@ -388,15 +440,13 @@
    || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
    arg->princ, NULL)) {
    ret.code = KADM5_AUTH_DELETE;
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal",
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth("kadm5_delete_principal", prime_arg,
    + &client_name, &service_name, rqstp);
    } else {
    ret.code = kadm5_delete_principal((void *)handle, arg->princ);
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal", prime_arg,
    - ((ret.code == 0) ? "success" : error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    +
    + log_done("kadm5_delete_principal", prime_arg, ((ret.code == 0) ? "success" : error_message(ret.code)), &client_name, &service_name, rqstp);
    +
    }
    free(prime_arg);
    free_server_handle(handle);
    @@ -441,17 +491,16 @@
    || kadm5int_acl_impose_restrictions(handle->context,
    &arg->rec, &arg->mask, rp)) {
    ret.code = KADM5_AUTH_MODIFY;
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal",
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth("kadm5_modify_principal", prime_arg,
    + &client_name, &service_name, rqstp);
    } else {
    ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
    arg->mask);
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal",
    - prime_arg, ((ret.code == 0) ? "success" :
    - error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    +
    +
    + log_done("kadm5_modify_principal", prime_arg, ((ret.code == 0) ? "success" : error_message(ret.code)),
    + &client_name, &service_name, rqstp);
    +
    }
    free_server_handle(handle);
    free(prime_arg);
    @@ -510,17 +559,16 @@
    } else
    ret.code = KADM5_AUTH_INSUFFICIENT;
    if (ret.code != KADM5_OK) {
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal",
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth("kadm5_rename_principal", prime_arg,
    + &client_name, &service_name, rqstp);
    } else {
    ret.code = kadm5_rename_principal((void *)handle, arg->src,
    arg->dest);
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal",
    - prime_arg, ((ret.code == 0) ? "success" :
    - error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    +
    +
    + log_done("kadm5_rename_principal", prime_arg, ((ret.code == 0) ? "success" : error_message(ret.code)),
    + &client_name, &service_name, rqstp);
    +
    }
    free_server_handle(handle);
    free(prime_arg1);
    @@ -572,9 +620,8 @@
    arg->princ,
    NULL))) {
    ret.code = KADM5_AUTH_GET;
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth(funcname, prime_arg,
    + &client_name, &service_name, rqstp);
    } else {
    if (handle->api_version == KADM5_API_VERSION_1) {
    ret.code = kadm5_get_principal_v1((void *)handle,
    @@ -589,11 +636,10 @@
    arg->mask);
    }

    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
    - prime_arg,
    - ((ret.code == 0) ? "success" : error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    +
    + log_done(funcname, prime_arg, ((ret.code == 0) ? "success" : error_message(ret.code)),
    + &client_name, &service_name, rqstp);
    +
    }
    free_server_handle(handle);
    free(prime_arg);
    @@ -638,18 +684,16 @@
    NULL,
    NULL)) {
    ret.code = KADM5_AUTH_LIST;
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals",
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth("kadm5_get_principals", prime_arg,
    + &client_name, &service_name, rqstp);
    } else {
    ret.code = kadm5_get_principals((void *)handle,
    arg->exp, &ret.princs,
    &ret.count);
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals",
    - prime_arg,
    - ((ret.code == 0) ? "success" : error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    +
    + log_done("kadm5_get_principals", prime_arg, ((ret.code == 0) ? "success" : error_message(ret.code)),
    + &client_name, &service_name, rqstp);
    +
    }
    free_server_handle(handle);
    gss_release_buffer(&minor_stat, &client_name);
    @@ -697,18 +741,16 @@
    ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
    arg->pass);
    } else {
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth("kadm5_chpass_principal", prime_arg,
    + &client_name, &service_name, rqstp);
    ret.code = KADM5_AUTH_CHANGEPW;
    }

    if(ret.code != KADM5_AUTH_CHANGEPW) {
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
    - prime_arg, ((ret.code == 0) ? "success" :
    - error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    +
    + log_done("kadm5_chpass_principal", prime_arg, ((ret.code == 0) ? "success" : error_message(ret.code)),
    + &client_name, &service_name, rqstp);
    +
    }

    free_server_handle(handle);
    @@ -764,18 +806,17 @@
    arg->ks_tuple,
    arg->pass);
    } else {
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth("kadm5_chpass_principal", prime_arg,
    + &client_name, &service_name, rqstp);
    ret.code = KADM5_AUTH_CHANGEPW;
    }

    if(ret.code != KADM5_AUTH_CHANGEPW) {
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
    - prime_arg, ((ret.code == 0) ? "success" :
    - error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    +
    +
    + log_done("kadm5_chpass_principal", prime_arg, ((ret.code == 0) ? "success" : error_message(ret.code)),
    + &client_name, &service_name, rqstp);
    +
    }

    free_server_handle(handle);
    @@ -822,18 +863,16 @@
    ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
    arg->keyblock);
    } else {
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal",
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth("kadm5_setv4key_principal", prime_arg,
    + &client_name, &service_name, rqstp);
    ret.code = KADM5_AUTH_SETKEY;
    }

    if(ret.code != KADM5_AUTH_SETKEY) {
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal",
    - prime_arg, ((ret.code == 0) ? "success" :
    - error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    +
    + log_done("kadm5_setv4key_principal", prime_arg, ((ret.code == 0) ? "success" : error_message(ret.code)),
    + &client_name, &service_name, rqstp);
    +
    }

    free_server_handle(handle);
    @@ -880,18 +919,16 @@
    ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
    arg->keyblocks, arg->n_keys);
    } else {
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth("kadm5_setkey_principal", prime_arg,
    + &client_name, &service_name, rqstp);
    ret.code = KADM5_AUTH_SETKEY;
    }

    if(ret.code != KADM5_AUTH_SETKEY) {
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
    - prime_arg, ((ret.code == 0) ? "success" :
    - error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    +
    + log_done("kadm5_setkey_principal", prime_arg, ((ret.code == 0) ? "success" : error_message(ret.code)),
    + &client_name, &service_name, rqstp);
    +
    }

    free_server_handle(handle);
    @@ -941,18 +978,14 @@
    arg->ks_tuple,
    arg->keyblocks, arg->n_keys);
    } else {
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth("kadm5_setkey_principal", prime_arg,
    + &client_name, &service_name, rqstp);
    ret.code = KADM5_AUTH_SETKEY;
    }

    if(ret.code != KADM5_AUTH_SETKEY) {
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
    - prime_arg, ((ret.code == 0) ? "success" :
    - error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_done("kadm5_setkey_principal", prime_arg,((ret.code == 0) ? "success" : error_message(ret.code)),
    + &client_name, &service_name, rqstp);
    }

    free_server_handle(handle);
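    Review bot: this hunk is the one to copy: no stray blank `+` lines and the call fits the block. The other kadm5_* hunks in this file add one or two empty lines around each `log_done()` call; make them match this one.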
    @@ -1008,9 +1041,8 @@
    ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
    &k, &nkeys);
    } else {
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth(funcname, prime_arg,
    + &client_name, &service_name, rqstp);
    ret.code = KADM5_AUTH_CHANGEPW;
    }

    @@ -1025,11 +1057,9 @@
    }

    if(ret.code != KADM5_AUTH_CHANGEPW) {
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
    - prime_arg, ((ret.code == 0) ? "success" :
    - error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_done(funcname, prime_arg, ((ret.code == 0) ? "success" : error_message(ret.code)),
    + &client_name, &service_name, rqstp);
    +
    }
    free_server_handle(handle);
    free(prime_arg);
    @@ -1090,9 +1120,8 @@
    arg->ks_tuple,
    &k, &nkeys);
    } else {
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth(funcname, prime_arg,
    + &client_name, &service_name, rqstp);
    ret.code = KADM5_AUTH_CHANGEPW;
    }

    @@ -1107,11 +1136,10 @@
    }

    if(ret.code != KADM5_AUTH_CHANGEPW) {
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
    - prime_arg, ((ret.code == 0) ? "success" :
    - error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    +
    + log_done(funcname, prime_arg, ((ret.code == 0) ? "success" : error_message(ret.code)),
    + &client_name, &service_name, rqstp);
    +
    }
    free_server_handle(handle);
    free(prime_arg);
    @@ -1152,18 +1180,18 @@
    rqst2name(rqstp),
    ACL_ADD, NULL, NULL)) {
    ret.code = KADM5_AUTH_ADD;
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy",
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    -
    + log_unauth("kadm5_create_policy", prime_arg,
    + &client_name, &service_name, rqstp);
    +
    } else {
    ret.code = kadm5_create_policy((void *)handle, &arg->rec,
    arg->mask);
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy",
    +
    + log_done("kadm5_create_policy",
    ((prime_arg == NULL) ? "(null)" : prime_arg),
    ((ret.code == 0) ? "success" : error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + &client_name, &service_name, rqstp);
    +
    }
    free_server_handle(handle);
    gss_release_buffer(&minor_stat, &client_name);
    @@ -1202,17 +1230,16 @@
    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
    rqst2name(rqstp),
    ACL_DELETE, NULL, NULL)) {
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy",
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth("kadm5_delete_policy", prime_arg,
    + &client_name, &service_name, rqstp);
    ret.code = KADM5_AUTH_DELETE;
    } else {
    ret.code = kadm5_delete_policy((void *)handle, arg->name);
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy",
    + log_done("kadm5_delete_policy",
    ((prime_arg == NULL) ? "(null)" : prime_arg),
    ((ret.code == 0) ? "success" : error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + &client_name, &service_name, rqstp);
    +
    }
    free_server_handle(handle);
    gss_release_buffer(&minor_stat, &client_name);
    @@ -1251,18 +1278,17 @@
    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
    rqst2name(rqstp),
    ACL_MODIFY, NULL, NULL)) {
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy",
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth("kadm5_modify_policy", prime_arg,
    + &client_name, &service_name, rqstp);
    ret.code = KADM5_AUTH_MODIFY;
    } else {
    ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
    arg->mask);
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy",
    +
    + log_done("kadm5_modify_policy",
    ((prime_arg == NULL) ? "(null)" : prime_arg),
    ((ret.code == 0) ? "success" : error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + &client_name, &service_name, rqstp);
    }
    free_server_handle(handle);
    gss_release_buffer(&minor_stat, &client_name);
    @@ -1336,16 +1362,13 @@
    ret.code = kadm5_get_policy((void *)handle, arg->name,
    &ret.rec);
    }
    -
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
    + log_done(funcname,
    ((prime_arg == NULL) ? "(null)" : prime_arg),
    ((ret.code == 0) ? "success" : error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + &client_name, &service_name, rqstp);
    } else {
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth(funcname, prime_arg,
    + &client_name, &service_name, rqstp);
    }
    free_server_handle(handle);
    gss_release_buffer(&minor_stat, &client_name);
    @@ -1388,18 +1411,17 @@
    rqst2name(rqstp),
    ACL_LIST, NULL, NULL)) {
    ret.code = KADM5_AUTH_LIST;
    - krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies",
    - prime_arg, client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + log_unauth("kadm5_get_policies", prime_arg,
    + &client_name, &service_name, rqstp);
    } else {
    ret.code = kadm5_get_policies((void *)handle,
    arg->exp, &ret.pols,
    &ret.count);
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies",
    - prime_arg,
    +
    + log_done("kadm5_get_policies", prime_arg,
    ((ret.code == 0) ? "success" : error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + &client_name, &service_name, rqstp);
    +
    }
    free_server_handle(handle);
    gss_release_buffer(&minor_stat, &client_name);
    @@ -1432,11 +1454,11 @@
    }

    ret.code = kadm5_get_privs((void *)handle, &ret.privs);
    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs",
    - client_name.value,
    +
    + log_done("kadm5_get_privs", client_name.value,
    ((ret.code == 0) ? "success" : error_message(ret.code)),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    + &client_name, &service_name, rqstp);
    +
    free_server_handle(handle);
    gss_release_buffer(&minor_stat, &client_name);
    gss_release_buffer(&minor_stat, &service_name);
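Review bot: the second argument of `log_done("kadm5_get_privs", client_name.value,` is the raw gss_buffer contents rather than a prime_arg string as in the other hunks; the kadm5_init hunk further down treats the same buffer as length-delimited (`%.*s` with `client_name.length`), so confirm that log_done bounds its second argument by length, or that client_name.value is guaranteed NUL-terminated here, since log_done's definition is not in this hunk.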
    @@ -1450,6 +1472,8 @@
    service_name;
    kadm5_server_handle_t handle;
    OM_uint32 minor_stat;
    + size_t clen, slen;
    + char *cdots, *sdots;

    xdr_free(xdr_generic_ret, &ret);

    @@ -1466,14 +1490,21 @@
    return &ret;
    }

    - krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d",
    - (ret.api_version == KADM5_API_VERSION_1 ?
    - "kadm5_init (V1)" : "kadm5_init"),
    - client_name.value,
    - (ret.code == 0) ? "success" : error_message(ret.code),
    - client_name.value, service_name.value,
    - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
    - rqstp->rq_cred.oa_flavor);
    + clen = client_name.length;
    + trunc_name(&clen, &cdots);
    + slen = service_name.length;
    + trunc_name(&slen, &sdots);
    + krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, "
    + "client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",
    + (ret.api_version == KADM5_API_VERSION_1 ?
    + "kadm5_init (V1)" : "kadm5_init"),
    + clen, client_name.value, cdots,
    + (ret.code == 0) ? "success" : error_message(ret.code),
    + clen, client_name.value, cdots,
    + slen, service_name.value, sdots,
    + inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
    + rqstp->rq_cred.oa_flavor);
    +
    gss_release_buffer(&minor_stat, &client_name);
    gss_release_buffer(&minor_stat, &service_name);

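Review bot: `clen` and `slen` are declared `size_t` in the preceding hunk but are passed as the `*` precision of `%.*s` (`clen, client_name.value, cdots,` and `slen, service_name.value, sdots,`), and that argument must be an `int`; passing a size_t through varargs for an int precision is undefined behaviour and can misread the argument list on LP64 platforms. Cast at the call site (`(int)clen`, `(int)slen`) or declare them int if trunc_name() can take an int pointer.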
    diff -Nur krb5-040307/kdc/do_tgs_req.c krb5/kdc/do_tgs_req.c
    --- krb5-040307/kdc/do_tgs_req.c 2005-07-12 15:59:52.000000000 -0500
    +++ krb5/kdc/do_tgs_req.c 2007-04-03 15:27:06.000000000 -0500
    @@ -490,27 +490,38 @@
    newtransited = 1;
    }
    if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
    + unsigned int tlen;
    + char *tdots;
    +
    errcode = krb5_check_transited_list (kdc_context,
    &enc_tkt_reply.transited.tr_contents,
    krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
    krb5_princ_realm (kdc_context, request->server));
    + tlen = enc_tkt_reply.transited.tr_contents.length;
    + tdots = tlen > 125 ? "..." : "";
    + tlen = tlen > 125 ? 125 : tlen;
    +
    +
    if (errcode == 0) {
    setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
    } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
    krb5_klog_syslog (LOG_INFO,
    - "bad realm transit path from '%s' to '%s' via '%.*s'",
    + "bad realm transit path from '%s' to '%s' "
    + "via '%.*s%s'",
    cname ? cname : "",
    sname ? sname : "",
    - enc_tkt_reply.transited.tr_contents.length,
    - enc_tkt_reply.transited.tr_contents.data);
    + tlen,
    + enc_tkt_reply.transited.tr_contents.data,
    + tdots);
    else
    krb5_klog_syslog (LOG_ERR,
    - "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
    + "unexpected error checking transit from "
    + "'%s' to '%s' via '%.*s%s': %s",
    cname ? cname : "",
    sname ? sname : "",
    - enc_tkt_reply.transited.tr_contents.length,
    + tlen,
    enc_tkt_reply.transited.tr_contents.data,
    - error_message (errcode));
    + tdots, error_message (errcode));
    } else
    krb5_klog_syslog (LOG_INFO, "not checking transit path");
    if (reject_bad_transit
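Review bot: the 125-byte cap is hard-coded twice (`tdots = tlen > 125 ? "..." : "";` and `tlen = tlen > 125 ? 125 : tlen;`) and re-implements the trunc_name() helper the kadm5 server hunks use; one shared constant or helper would keep the KDC and kadmind truncating at the same limit. The two empty `+` lines after the assignments are stray whitespace, and the truncation is computed even on the `errcode == 0` path where nothing is logged.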
    @@ -538,6 +549,9 @@
    if (!krb5_principal_compare(kdc_context, request->server, client2)) {
    if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
    tmp = 0;
    + if (tmp != NULL)
    + limit_string(tmp);
    +
    krb5_klog_syslog(LOG_INFO,
    "TGS_REQ %s: 2ND_TKT_MISMATCH: "
    "authtime %d, %s for %s, 2nd tkt client %s",
    @@ -800,6 +814,7 @@
    krb5_klog_syslog(LOG_INFO,
    "TGS_REQ: issuing alternate TGT");
    } else {
    + limit_string(sname);
    krb5_klog_syslog(LOG_INFO,
    "TGS_REQ: issuing TGT %s", sname);
    free(sname);
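Review bot: `limit_string(sname);` is called unconditionally here, whereas the 2ND_TKT_MISMATCH hunk guards its call with `if (tmp != NULL)`; the following `free(sname);` shows sname is heap-allocated, but its origin is outside the hunk, so if it can be NULL on this path either add the same guard or make limit_string() NULL-safe.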
    diff -Nur krb5-040307/kdc/kdc_util.c krb5/kdc/kdc_util.c
    --- krb5-040307/kdc/kdc_util.c 2004-02-12 22:20:56.000000000 -0600
    +++ krb5/kdc/kdc_util.c 2007-04-03 13:55:22.000000000 -0500
    @@ -404,6 +404,7 @@

    krb5_db_free_principal(kdc_context, &server, nprincs);
    if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
    + limit_string(sname);
    krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
    sname);
    free(sname);
    diff -Nur krb5-040307/lib/gssapi/krb5/k5unseal.c krb5/lib/gssapi/krb5/k5unseal.c
    --- krb5-040307/lib/gssapi/krb5/k5unseal.c 2004-04-13 15:00:19.000000000 -0500
    +++ krb5/lib/gssapi/krb5/k5unseal.c 2007-04-03 14:58:52.000000000 -0500
    @@ -457,8 +457,11 @@

    if ((ctx->initiate && direction != 0xff) ||
    (!ctx->initiate && direction != 0)) {
    - if (toktype == KG_TOK_SEAL_MSG)
    + if (toktype == KG_TOK_SEAL_MSG) {
    xfree(token.value);
    + message_buffer->value = NULL;
    + message_buffer->length = 0;
    + }
    *minor_status = G_BAD_DIRECTION;
    return(GSS_S_BAD_SIG);
    }
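Review bot: this hunk is outside the krb5_klog_syslog fix the advisory describes and the advisory text does not mention it; clearing `message_buffer->value = NULL;` and `message_buffer->length = 0;` after `xfree(token.value);` only makes sense if token.value aliases message_buffer->value on the KG_TOK_SEAL_MSG path, which the visible lines do not show. Document that aliasing (and that the caller must not release the freed value) in the commit message, or ship it as a separate patch.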
    diff -Nur krb5-040307/lib/kadm5/configure krb5/lib/kadm5/configure
    --- krb5-040307/lib/kadm5/configure 2005-11-16 16:47:28.000000000 -0600
    +++ krb5/lib/kadm5/configure 2007-04-03 15:15:04.000000000 -0500
    @@ -5453,7 +5453,7 @@



    -for ac_func in openlog syslog closelog strftime vsprintf
    +for ac_func in openlog syslog closelog strftime vsprintf vsnprintf
    do
    as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
    echo "$as_me:$LINENO: checking for $ac_func" >&5
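Review bot: this edits the generated configure script directly (`as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`` is autoconf output); unless the matching configure.in is updated too, the next regeneration drops vsnprintf from the `for ac_func in` list and silently reinstates the vsprintf path in logger.c. The advisory already says pre-1.5 trees need configure changes, so the source of that check should be patched as well.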
    diff -Nur krb5-040307/lib/kadm5/logger.c krb5/lib/kadm5/logger.c
    --- krb5-040307/lib/kadm5/logger.c 2002-09-18 15:44:13.000000000 -0500
    +++ krb5/lib/kadm5/logger.c 2007-04-03 13:55:22.000000000 -0500
    @@ -45,7 +45,7 @@
    #include
    #endif /* HAVE_STDARG_H */

    -#define KRB5_KLOG_MAX_ERRMSG_SIZE 1024
    +#define KRB5_KLOG_MAX_ERRMSG_SIZE 2048
    #ifndef MAXHOSTNAMELEN
    #define MAXHOSTNAMELEN 256
    #endif /* MAXHOSTNAMELEN */
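Review bot: raising KRB5_KLOG_MAX_ERRMSG_SIZE from 1024 to 2048 does not bound anything by itself; with the `#elif HAVE_VSPRINTF` / `vsprintf(cp, actual_format, ap);` fallback still present in the next hunk, a longer client-controlled string overflows the larger buffer just the same. Treat the bigger buffer as reducing truncation only, and the vsnprintf detection as the actual fix.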
    @@ -256,7 +256,9 @@
    #endif /* HAVE_SYSLOG */

    /* Now format the actual message */
    -#if HAVE_VSPRINTF
    +#if HAVE_VSNPRINTF
    + vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap);
    +#elif HAVE_VSPRINTF
    vsprintf(cp, actual_format, ap);
    #else /* HAVE_VSPRINTF */
    sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],
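Review bot: when HAVE_VSNPRINTF is not defined, the `#elif HAVE_VSPRINTF` branch keeps the unbounded `vsprintf(cp, actual_format, ap);` and the raw `sprintf` fallback below it; since the advisory notes that older trees may not detect vsnprintf() correctly, consider a `#error` or at least a loud build-time warning on that branch rather than silently building the vulnerable path.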
    @@ -843,7 +845,9 @@
    syslogp = &outbuf[strlen(outbuf)];

    /* Now format the actual message */
    -#ifdef HAVE_VSPRINTF
    +#ifdef HAVE_VSNPRINTF
    + vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist);
    +#elif HAVE_VSPRINTF
    vsprintf(syslogp, format, arglist);
    #else /* HAVE_VSPRINTF */
    sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],
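Review bot: the return value of `vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist);` is discarded, so truncation is silent; the advisory itself flags truncation as a way to obliterate useful log data, so compare the return value with the remaining space and append a marker (or count the event) when the message was cut. The same applies to the previous hunk's call.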

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
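The mitigation the advisory's DETAILS section describes, vsnprintf into the fixed stack buffer plus length-capped `%.*s` logging of client-supplied names with a "..." marker, as an added example that is not MIT's code and not part of the patch. KLOG_MAX_ERRMSG_SIZE, NAME_LIMIT, TRUNC_MARK, klog_format, log_transit and the capture sink are my own names and assumptions; trunc_name borrows the patch's helper name but is my implementation.

```c
/* Added example, not MIT's code: the bounded-logging pattern the advisory's
 * fix relies on. KLOG_MAX_ERRMSG_SIZE mirrors the patched KRB5_KLOG_MAX_ERRMSG_SIZE,
 * NAME_LIMIT the 125-byte cap in the kdc hunk; names and the sink are mine. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define KLOG_MAX_ERRMSG_SIZE 2048
#define NAME_LIMIT 125
#define TRUNC_MARK "[truncated]"

static char last_log[KLOG_MAX_ERRMSG_SIZE]; /* where capture_sink stores the line */

static void capture_sink(const char *line)
{
    snprintf(last_log, sizeof(last_log), "%s", line);
}

/* Like the patch's trunc_name(): cap a length at NAME_LIMIT and hand back
 * "..." when something was cut, for use with a "%.*s%s" format pair. */
void trunc_name(size_t *len, const char **dots)
{
    *dots = (*len > NAME_LIMIT) ? "..." : "";
    if (*len > NAME_LIMIT)
        *len = NAME_LIMIT;
}

/* Format "<prefix>: <message>" into a fixed stack buffer with vsnprintf,
 * the bounded call the patched logger uses instead of vsprintf, then pass
 * the line to sink(). Returns 1 when the message was truncated, else 0.
 * An over-long %s argument can shorten the record but never overrun outbuf. */
int klog_format(void (*sink)(const char *), const char *prefix,
                const char *format, ...)
{
    char outbuf[KLOG_MAX_ERRMSG_SIZE];
    size_t used, avail = sizeof(outbuf);
    int n, truncated = 0;
    va_list ap;
    n = snprintf(outbuf, avail, "%s: ", prefix);
    used = (n < 0) ? 0 : ((size_t)n >= avail ? avail - 1 : (size_t)n);
    va_start(ap, format);
    n = vsnprintf(outbuf + used, avail - used, format, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= avail - used) {
        /* vsnprintf cut the message: stamp a marker at the end so a log
         * reader can tell the record is incomplete instead of silently
         * losing its tail (the truncation risk the advisory's DETAILS notes). */
        truncated = 1;
        memcpy(outbuf + sizeof(outbuf) - sizeof(TRUNC_MARK), TRUNC_MARK,
               sizeof(TRUNC_MARK));
    }
    sink(outbuf);
    return truncated;
}

/* KDC-style transited-realms line: length-delimited data bounded with
 * %.*s (note the int cast the precision argument requires) plus dots. */
int log_transit(void (*sink)(const char *), const char *tr_data, size_t tr_len)
{
    const char *dots;
    trunc_name(&tr_len, &dots);
    return klog_format(sink, "krb5kdc", "bad realm transit path via '%.*s%s'",
                       (int)tr_len, tr_data, dots);
}
```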


  5. RE: MITKRB5-SA-2007-002: KDC,kadmind stack overflow in krb5_klog_syslog [CVE-2007-0957]

    Is 1.6 affected by these holes?

    Sincerely,
    Jason Edgecombe


    Jason Edgecombe
    Solaris & Linux Administrator
    Mosaic Computing Group, College of Engineering
    UNC-Charlotte
    Phone: (704) 687-3514


    -----Original Message-----
    From: kerberos-bounces@MIT.EDU [mailto:kerberos-bounces@MIT.EDU] On
    Behalf Of Tom Yu
    Sent: Tuesday, April 03, 2007 2:11 PM
    To: kerberos-announce@MIT.EDU
    Subject: MITKRB5-SA-2007-002: KDC,kadmind stack overflow in
    krb5_klog_syslog [CVE-2007-0957]


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos

