Error applying MITKRB5-SA-2007-002 on krb5-1.5 - Kerberos

This is a discussion on Error applying MITKRB5-SA-2007-002 on krb5-1.5 - Kerberos ; Patch MITKRB5-SA-2007-002 is failing to apply on krb5-1.5: [rpmdev]$ patch -p0 patching file src/kadmin/server/kadm_rpc_svc.c patching file src/kadmin/server/misc.c patching file src/kadmin/server/misc.h patching file src/kadmin/server/ovsec_kadmd.c Hunk #1 succeeded at 989 with fuzz 2 (offset -3 lines). Hunk #2 succeeded at 997 (offset ...

+ Reply to Thread
Results 1 to 5 of 5

Thread: Error applying MITKRB5-SA-2007-002 on krb5-1.5

  1. Error applying MITKRB5-SA-2007-002 on krb5-1.5

    Patch MITKRB5-SA-2007-002 is failing to apply on krb5-1.5:
    [rpmdev]$ patch -p0 <2007-002-patch.txt
    patching file src/kadmin/server/kadm_rpc_svc.c
    patching file src/kadmin/server/misc.c
    patching file src/kadmin/server/misc.h
    patching file src/kadmin/server/ovsec_kadmd.c
    Hunk #1 succeeded at 989 with fuzz 2 (offset -3 lines).
    Hunk #2 succeeded at 997 (offset -5 lines).
    Hunk #3 succeeded at 1025 (offset -3 lines).
    patching file src/kadmin/server/schpw.c
    patching file src/kadmin/server/server_stubs.c
    patching file src/kdc/do_tgs_req.c
    Hunk #1 FAILED at 491.
    Hunk #2 succeeded at 550 (offset -2 lines).
    1 out of 3 hunks FAILED -- saving rejects to file
    src/kdc/do_tgs_req.c.rej
    patching file src/kdc/kdc_util.c
    patching file src/lib/kadm5/logger.c

    Here's the complete cmdline output:

    [rpmdev]$ uname -a
    Linux rpmdev 2.4.21-37.ELsmp #1 SMP Wed Sep 7 13:28:55 EDT 2005 i686 i686
    i386 GNU/Linux
    [rpmdev]$ gpgv -v krb5-1.5.tar.gz.asc
    gpgv: armor header: Version: GnuPG v1.4.3 (SunOS)
    gpgv: assuming signed data in `krb5-1.5.tar.gz'
    gpgv: Signature made Fri 30 Jun 2006 10:16:09 PM PDT using RSA key ID
    F376813D
    gpgv: Good signature from "Tom Yu "
    gpgv: aka "Tom Yu "
    [rpmdev]$ md5sum krb5-1.5.tar.gz
    fe62bcd315fe4139e4fa05732ce8abde krb5-1.5.tar.gz

    [rpmdev]$ tar xzf krb5-1.5.tar.gz

    [rpmdev]$ cd krb5-1.5

    [rpmdev]$ wget http://web.mit.edu/kerberos/advisori...-002-patch.txt
    --11:05:42-- http://web.mit.edu/kerberos/advisori...-002-patch.txt
    => `2007-002-patch.txt'
    Length: 41,658 (41K) [text/plain]
    100%[================================================== ==>] 41,658
    106.89K/s
    11:05:43 (106.55 KB/s) - `2007-002-patch.txt' saved [41658/41658]

    [rpmdev]$ md5sum 2007-002-patch.txt
    25b7ae9462b7439f7d11064138aac11e 2007-002-patch.txt
    [rpmdev]$ head 2007-002-patch.txt
    *** src/kadmin/server/kadm_rpc_svc.c (revision 19480)
    --- src/kadmin/server/kadm_rpc_svc.c (local)
    ***************
    *** 250,255 ****
    --- 250,257 ----
    krb5_data *c1, *c2, *realm;
    gss_buffer_desc gss_str;
    kadm5_server_handle_t handle;
    + size_t slen;
    + char *sdots;

    [rpmdev]$ patch -p0 <2007-002-patch.txt
    patching file src/kadmin/server/kadm_rpc_svc.c
    patching file src/kadmin/server/misc.c
    patching file src/kadmin/server/misc.h
    patching file src/kadmin/server/ovsec_kadmd.c
    Hunk #1 succeeded at 989 with fuzz 2 (offset -3 lines).
    Hunk #2 succeeded at 997 (offset -5 lines).
    Hunk #3 succeeded at 1025 (offset -3 lines).
    patching file src/kadmin/server/schpw.c
    patching file src/kadmin/server/server_stubs.c
    patching file src/kdc/do_tgs_req.c
    Hunk #1 FAILED at 491.
    Hunk #2 succeeded at 550 (offset -2 lines).
    1 out of 3 hunks FAILED -- saving rejects to file src/kdc/do_tgs_req.c.rej
    patching file src/kdc/kdc_util.c
    patching file src/lib/kadm5/logger.c

    [rpmdev]$ cat src/kdc/do_tgs_req.c.rej
    ***************
    *** 491,518 ****
    newtransited = 1;
    }
    if (!isflagset (request->kdc_options,
    KDC_OPT_DISABLE_TRANSITED_CHECK)) {
    errcode = krb5_check_transited_list (kdc_context,

    &enc_tkt_reply.transited.tr_contents,
    krb5_princ_realm (kdc_context,
    header_ticket->enc_part2->client),
    krb5_princ_realm (kdc_context,
    request->server));
    if (errcode == 0) {
    setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
    } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
    krb5_klog_syslog (LOG_INFO,
    ! "bad realm transit path from '%s' to '%s' via
    '%.*s'",
    cname ? cname : "",
    sname ? sname : "",
    ! enc_tkt_reply.transited.tr_contents.length,
    ! enc_tkt_reply.transited.tr_contents.data);
    else {
    const char *emsg = krb5_get_error_message(kdc_context, errcode);
    krb5_klog_syslog (LOG_ERR,
    ! "unexpected error checking transit from '%s'
    to '%s' via '%.*s': %s",
    cname ? cname : "",
    sname ? sname : "",
    ! enc_tkt_reply.transited.tr_contents.length,
    enc_tkt_reply.transited.tr_contents.data,
    ! emsg);
    krb5_free_error_message(kdc_context, emsg);
    }
    } else
    --- 491,528 ----
    newtransited = 1;
    }
    if (!isflagset (request->kdc_options,
    KDC_OPT_DISABLE_TRANSITED_CHECK)) {
    + unsigned int tlen;
    + char *tdots;
    +
    errcode = krb5_check_transited_list (kdc_context,

    &enc_tkt_reply.transited.tr_contents,
    krb5_princ_realm (kdc_context,
    header_ticket->enc_part2->client),
    krb5_princ_realm (kdc_context,
    request->server));
    + tlen = enc_tkt_reply.transited.tr_contents.length;
    + tdots = tlen > 125 ? "..." : "";
    + tlen = tlen > 125 ? 125 : tlen;
    +
    if (errcode == 0) {
    setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
    } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
    krb5_klog_syslog (LOG_INFO,
    ! "bad realm transit path from '%s' to '%s' "
    ! "via '%.*s%s'",
    cname ? cname : "",
    sname ? sname : "",
    ! tlen,
    ! enc_tkt_reply.transited.tr_contents.data,
    ! tdots);
    else {
    const char *emsg = krb5_get_error_message(kdc_context, errcode);
    krb5_klog_syslog (LOG_ERR,
    ! "unexpected error checking transit from "
    ! "'%s' to '%s' via '%.*s%s': %s",
    cname ? cname : "",
    sname ? sname : "",
    ! tlen,
    enc_tkt_reply.transited.tr_contents.data,
    ! tdots, emsg);
    krb5_free_error_message(kdc_context, emsg);
    }
    } else

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Error applying MITKRB5-SA-2007-002 on krb5-1.5

    I am having similar problems with version 1.5.2:

    [mbrookov@oneoften krb5-1.5.2]$ patch -b -p0 < ../2007-002-patch.txt
    patching file src/kadmin/server/kadm_rpc_svc.c
    patching file src/kadmin/server/misc.c
    patching file src/kadmin/server/misc.h
    patching file src/kadmin/server/ovsec_kadmd.c
    Hunk #1 succeeded at 989 (offset -3 lines).
    Hunk #3 succeeded at 1025 (offset -3 lines).
    patching file src/kadmin/server/schpw.c
    patching file src/kadmin/server/server_stubs.c
    patching file src/kdc/do_tgs_req.c
    Hunk #1 FAILED at 491.
    1 out of 3 hunks FAILED -- saving rejects to file
    src/kdc/do_tgs_req.c.rej
    patching file src/kdc/kdc_util.c
    patching file src/lib/kadm5/logger.c
    [mbrookov@oneoften krb5-1.5.2]$

    The patches will load, compile and run on version 1.6. Is any body
    running 1.6 in production?

    We are also considering moving the Kerberos servers to Red Hat, they
    have a fix out.

    Matt

    mbrookov@mines.edu


    On Fri, 2007-04-06 at 13:34 -0500, simonst@wellsfargo.com wrote:
    > Patch MITKRB5-SA-2007-002 is failing to apply on krb5-1.5:
    > [rpmdev]$ patch -p0 <2007-002-patch.txt
    > patching file src/kadmin/server/kadm_rpc_svc.c
    > patching file src/kadmin/server/misc.c
    > patching file src/kadmin/server/misc.h
    > patching file src/kadmin/server/ovsec_kadmd.c
    > Hunk #1 succeeded at 989 with fuzz 2 (offset -3 lines).
    > Hunk #2 succeeded at 997 (offset -5 lines).
    > Hunk #3 succeeded at 1025 (offset -3 lines).
    > patching file src/kadmin/server/schpw.c
    > patching file src/kadmin/server/server_stubs.c
    > patching file src/kdc/do_tgs_req.c
    > Hunk #1 FAILED at 491.
    > Hunk #2 succeeded at 550 (offset -2 lines).
    > 1 out of 3 hunks FAILED -- saving rejects to file
    > src/kdc/do_tgs_req.c.rej
    > patching file src/kdc/kdc_util.c
    > patching file src/lib/kadm5/logger.c
    >
    > Here's the complete cmdline output:
    >
    > [rpmdev]$ uname -a
    > Linux rpmdev 2.4.21-37.ELsmp #1 SMP Wed Sep 7 13:28:55 EDT 2005 i686 i686
    > i386 GNU/Linux
    > [rpmdev]$ gpgv -v krb5-1.5.tar.gz.asc
    > gpgv: armor header: Version: GnuPG v1.4.3 (SunOS)
    > gpgv: assuming signed data in `krb5-1.5.tar.gz'
    > gpgv: Signature made Fri 30 Jun 2006 10:16:09 PM PDT using RSA key ID
    > F376813D
    > gpgv: Good signature from "Tom Yu "
    > gpgv: aka "Tom Yu "
    > [rpmdev]$ md5sum krb5-1.5.tar.gz
    > fe62bcd315fe4139e4fa05732ce8abde krb5-1.5.tar.gz
    >
    > [rpmdev]$ tar xzf krb5-1.5.tar.gz
    >
    > [rpmdev]$ cd krb5-1.5
    >
    > [rpmdev]$ wget http://web.mit.edu/kerberos/advisori...-002-patch.txt
    > --11:05:42-- http://web.mit.edu/kerberos/advisori...-002-patch.txt
    > => `2007-002-patch.txt'
    > Length: 41,658 (41K) [text/plain]
    > 100%[================================================== ==>] 41,658
    > 106.89K/s
    > 11:05:43 (106.55 KB/s) - `2007-002-patch.txt' saved [41658/41658]
    >
    > [rpmdev]$ md5sum 2007-002-patch.txt
    > 25b7ae9462b7439f7d11064138aac11e 2007-002-patch.txt
    > [rpmdev]$ head 2007-002-patch.txt
    > *** src/kadmin/server/kadm_rpc_svc.c (revision 19480)
    > --- src/kadmin/server/kadm_rpc_svc.c (local)
    > ***************
    > *** 250,255 ****
    > --- 250,257 ----
    > krb5_data *c1, *c2, *realm;
    > gss_buffer_desc gss_str;
    > kadm5_server_handle_t handle;
    > + size_t slen;
    > + char *sdots;
    >
    > [rpmdev]$ patch -p0 <2007-002-patch.txt
    > patching file src/kadmin/server/kadm_rpc_svc.c
    > patching file src/kadmin/server/misc.c
    > patching file src/kadmin/server/misc.h
    > patching file src/kadmin/server/ovsec_kadmd.c
    > Hunk #1 succeeded at 989 with fuzz 2 (offset -3 lines).
    > Hunk #2 succeeded at 997 (offset -5 lines).
    > Hunk #3 succeeded at 1025 (offset -3 lines).
    > patching file src/kadmin/server/schpw.c
    > patching file src/kadmin/server/server_stubs.c
    > patching file src/kdc/do_tgs_req.c
    > Hunk #1 FAILED at 491.
    > Hunk #2 succeeded at 550 (offset -2 lines).
    > 1 out of 3 hunks FAILED -- saving rejects to file src/kdc/do_tgs_req.c.rej
    > patching file src/kdc/kdc_util.c
    > patching file src/lib/kadm5/logger.c
    >
    > [rpmdev]$ cat src/kdc/do_tgs_req.c.rej
    > ***************
    > *** 491,518 ****
    > newtransited = 1;
    > }
    > if (!isflagset (request->kdc_options,
    > KDC_OPT_DISABLE_TRANSITED_CHECK)) {
    > errcode = krb5_check_transited_list (kdc_context,
    >
    > &enc_tkt_reply.transited.tr_contents,
    > krb5_princ_realm (kdc_context,
    > header_ticket->enc_part2->client),
    > krb5_princ_realm (kdc_context,
    > request->server));
    > if (errcode == 0) {
    > setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
    > } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
    > krb5_klog_syslog (LOG_INFO,
    > ! "bad realm transit path from '%s' to '%s' via
    > '%.*s'",
    > cname ? cname : "",
    > sname ? sname : "",
    > ! enc_tkt_reply.transited.tr_contents.length,
    > ! enc_tkt_reply.transited.tr_contents.data);
    > else {
    > const char *emsg = krb5_get_error_message(kdc_context, errcode);
    > krb5_klog_syslog (LOG_ERR,
    > ! "unexpected error checking transit from '%s'
    > to '%s' via '%.*s': %s",
    > cname ? cname : "",
    > sname ? sname : "",
    > ! enc_tkt_reply.transited.tr_contents.length,
    > enc_tkt_reply.transited.tr_contents.data,
    > ! emsg);
    > krb5_free_error_message(kdc_context, emsg);
    > }
    > } else
    > --- 491,528 ----
    > newtransited = 1;
    > }
    > if (!isflagset (request->kdc_options,
    > KDC_OPT_DISABLE_TRANSITED_CHECK)) {
    > + unsigned int tlen;
    > + char *tdots;
    > +
    > errcode = krb5_check_transited_list (kdc_context,
    >
    > &enc_tkt_reply.transited.tr_contents,
    > krb5_princ_realm (kdc_context,
    > header_ticket->enc_part2->client),
    > krb5_princ_realm (kdc_context,
    > request->server));
    > + tlen = enc_tkt_reply.transited.tr_contents.length;
    > + tdots = tlen > 125 ? "..." : "";
    > + tlen = tlen > 125 ? 125 : tlen;
    > +
    > if (errcode == 0) {
    > setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
    > } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
    > krb5_klog_syslog (LOG_INFO,
    > ! "bad realm transit path from '%s' to '%s' "
    > ! "via '%.*s%s'",
    > cname ? cname : "",
    > sname ? sname : "",
    > ! tlen,
    > ! enc_tkt_reply.transited.tr_contents.data,
    > ! tdots);
    > else {
    > const char *emsg = krb5_get_error_message(kdc_context, errcode);
    > krb5_klog_syslog (LOG_ERR,
    > ! "unexpected error checking transit from "
    > ! "'%s' to '%s' via '%.*s%s': %s",
    > cname ? cname : "",
    > sname ? sname : "",
    > ! tlen,
    > enc_tkt_reply.transited.tr_contents.data,
    > ! tdots, emsg);
    > krb5_free_error_message(kdc_context, emsg);
    > }
    > } else
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  3. Re: Error applying MITKRB5-SA-2007-002 on krb5-1.5

    Please try the 1.5.x patch at:

    http://web.mit.edu/kerberos/advisori...02-patch15.txt

    PGP-signed version:

    http://web.mit.edu/kerberos/advisori...atch15.txt.asc

    Advisory will be updated shortly.

    ---Tom
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  4. Re: Error applying MITKRB5-SA-2007-002 on krb5-1.5

    In article <1175893104.6642.18.camel@merlin.Mines.EDU>,
    Matthew B. Brookover wrote:

    >The patches will load, compile and run on version 1.6. Is any body
    >running 1.6 in production?


    Yes, CSAIL.MIT.EDU is, as of about a month ago. No issues.

    -GAWollman

    --
    Garrett A. Wollman | The real tragedy of human existence is not that we are
    wollman@csail.mit.edu| nasty by nature, but that a cruel structural asymmetry
    Opinions not those | grants to rare events of meanness such power to shape
    of MIT or CSAIL. | our history. - S.J. Gould, Ten Thousand Acts of Kindness

  5. Re: 2007-002-patch15.txt works on krb5-1.5

    Thank you Tom, the new patch looks good. I have not tried to set up a
    kdc yet, but configure, make, make install, and make check look good.

    Simon, if you patch the 1.5.2 package, it will not have any offsets or
    fuzz:
    [mbrookov@k-one krb5-1.5.2]$ patch -p0 -b < ../2007-002-patch15.txt
    patching file src/kdc/kdc_util.c
    patching file src/kdc/do_tgs_req.c
    patching file src/kadmin/server/ovsec_kadmd.c
    patching file src/kadmin/server/misc.h
    patching file src/kadmin/server/schpw.c
    patching file src/kadmin/server/server_stubs.c
    patching file src/kadmin/server/kadm_rpc_svc.c
    patching file src/kadmin/server/misc.c
    patching file src/lib/kadm5/logger.c
    [mbrookov@k-one krb5-1.5.2]$

    Matt


    On Fri, 2007-04-06 at 17:54 -0500, simonst@wellsfargo.com wrote:
    > The 2007-002-patch15.txt patch applied successfully on my krb5-1.5 - thanks!
    >
    > $ patch -p0 <2007-002-patch15.txt
    > patching file src/kdc/kdc_util.c
    > patching file src/kdc/do_tgs_req.c
    > Hunk #1 succeeded at 489 (offset -2 lines).
    > Hunk #3 succeeded at 827 (offset -2 lines).
    > patching file src/kadmin/server/ovsec_kadmd.c
    > Hunk #1 succeeded at 989 with fuzz 2.
    > Hunk #2 succeeded at 994 (offset -5 lines).
    > patching file src/kadmin/server/misc.h
    > patching file src/kadmin/server/schpw.c
    > patching file src/kadmin/server/server_stubs.c
    > patching file src/kadmin/server/kadm_rpc_svc.c
    > patching file src/kadmin/server/misc.c
    > patching file src/lib/kadm5/logger.c
    >
    > -----Original Message-----
    > From: Tom Yu [mailto:tlyu@MIT.EDU]
    > Sent: Friday, April 06, 2007 2:13 PM
    > To: mbrookov@mines.edu
    > Cc: Simons, Tom; kerberos@MIT.EDU
    > Subject: Re: Error applying MITKRB5-SA-2007-002 on krb5-1.5
    >
    > Please try the 1.5.x patch at:
    >
    > http://web.mit.edu/kerberos/advisori...02-patch15.txt
    >
    > PGP-signed version:
    >
    > http://web.mit.edu/kerberos/advisori...atch15.txt.asc
    >
    > Advisory will be updated shortly.
    >
    > ---Tom
    >


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


+ Reply to Thread