= Fix possible telnetd vulnerability in option processing.

Obtained from: heimdal-discuss@sics.se = Fix bug in GSSAPI accept_sec_context() that prevented credential forwarding from working in some cases.
svn path=/head/; revision=45257
2024-10-25 21:07:40 +00:00 · 2001-07-19 21:43:42 +00:00 · 2001-07-19 21:43:42 +00:00 · 65947fb078 · 2021-03-31 03:12:20 +00:00
commit 65947fb078
parent 6bf1507aad
3 changed files with 64 additions and 0 deletions
--- a/security/heimdal/Makefile
+++ b/security/heimdal/Makefile
@ -7,6 +7,7 @@

 PORTNAME=		heimdal
 PORTVERSION=	0.4b
+PORTREVISION=	1
 CATEGORIES=		security ipv6
 MASTER_SITES=	ftp://ftp.pdc.kth.se/pub/heimdal/src/ \
 				ftp://ftp.replay.com/pub/replay/crypto/APPS/kerberos/heimdal/ \
--- a/security/heimdal/files/patch-ad
+++ b/security/heimdal/files/patch-ad
@ -0,0 +1,34 @@
+--- lib/gssapi/accept_sec_context.c.orig	Mon Jul 16 22:28:38 2001
+++ lib/gssapi/accept_sec_context.c	Tue Jul 17 08:10:32 2001
+@@ -283,12 +283,27 @@
+       
+       krb5_ccache ccache;
+       
+-      if (delegated_cred_handle == NULL || *delegated_cred_handle == NULL)
+      if (delegated_cred_handle == NULL)
+          /* XXX Create a new delegated_cred_handle? */
+          kret = krb5_cc_default (gssapi_krb5_context, &ccache);
+-      
+-      else {
+-         if ((*delegated_cred_handle)->ccache == NULL)
+      else if (*delegated_cred_handle == NULL) {
+	 if ((*delegated_cred_handle =
+	      calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
+	    kret = ENOMEM;
+	    krb5_set_error_string(gssapi_krb5_context, "out of memory");
+	    gssapi_krb5_set_error_string();
+	    goto failure;
+	 }
+	 if ((kret = gss_duplicate_name(minor_status, ticket->client,
+				&(*delegated_cred_handle)->principal)) != 0) {
+	    flags &= ~GSS_C_DELEG_FLAG;
+	    free(*delegated_cred_handle);
+	    *delegated_cred_handle = NULL;
+	    goto end_fwd;
+	 }
+      }
+      if (delegated_cred_handle != NULL &&
+	  (*delegated_cred_handle)->ccache == NULL) {
+             kret = krb5_cc_gen_new (gssapi_krb5_context,
+                                     &krb5_mcc_ops,
+                                     &(*delegated_cred_handle)->ccache);
--- a/security/heimdal/files/patch-ae
+++ b/security/heimdal/files/patch-ae
@ -0,0 +1,29 @@
+--- appl/telnet/telnetd/global.c	1997/05/11 06:29:59	1.12
+++ appl/telnet/telnetd/global.c	2001/07/19 16:00:42	1.13
+@@ -36,7 +36,7 @@
+ 
+ #include "telnetd.h"
+ 
+-RCSID("$Id: global.c,v 1.12 1997/05/11 06:29:59 assar Exp $");
+RCSID("$Id: global.c,v 1.13 2001/07/19 16:00:42 assar Exp $");
+ 
+ /*
+  * Telnet server variable declarations
+@@ -93,7 +93,7 @@
+ output_data (const char *format, ...)
+ {
+   va_list args;
+-  size_t remaining, ret;
+  int remaining, ret;
+ 
+   va_start(args, format);
+   remaining = BUFSIZ - (nfrontp - netobuf);
+@@ -101,7 +101,7 @@
+ 		   remaining,
+ 		   format,
+ 		   args);
+-  nfrontp += ret;
+  nfrontp += min(ret, remaining-1);
+   va_end(args);
+   return ret;
+ }