Branch: tags/kfw_3-2-3…
Commits on Jul 22, 2009
  1. tag kfw-3.2.3-alpha1

    tlyu authored
    git-svn-id: svn://anonsvn.mit.edu/krb5/tags/kfw_3-2-3-alpha1@22446 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 6535

    tlyu authored
    subject: jumbo pullup for kfw-3.2.3-alpha1
    version_fixed: 1.6.4
    
    This is a jumbo pullup of multiple KfW-related changes.  They are
    primarily build system fixes, including changes to enable building on
    amd64.  Included are some changes from branches/kpkoch-ccapi that have
    not yet been merged to the trunk.  Relevant RT ticket numbers include:
    
    5817
    5819
    6007
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22445 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Jul 17, 2009
  1. ticket: 6531

    tlyu authored
    version_fixed: 1.6.4
    
    pull up r22443 from trunk
    
     ------------------------------------------------------------------------
     r22443 | tlyu | 2009-07-16 21:35:58 -0400 (Thu, 16 Jul 2009) | 8 lines
    
     ticket: 6531
     target_version: 1.6.4
     tags: pullup
     subject: include win-mac.h in gssftp/ftp/cmds.c for HAVE_STDLIB_H
    
     gssftp/ftp/cmds.c had a preprocessor conditional on HAVE_STDLIB_H that
     will not evaluate correctly on WIN32 unless win-mac.h is included first.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22444 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Jul 16, 2009
  1. ticket: 6433

    tlyu authored
    version_fixed: 1.6.4
    status: resolved
    
    pull up r20479 from trunk.  The ticket numbers don't match because
    reported on the 1.6 branch.
    
     ------------------------------------------------------------------------
     r20479 | raeburn | 2008-06-26 20:31:59 -0400 (Thu, 26 Jun 2008) | 8 lines
    
     ticket: 5925
     status: open
    
     Don't do FD_SETSIZE check on Windows.
     Also, for form's sake, use closesocket instead of close inside the check.
    
     Kevin or Jeff, could you please verify that the code works again?
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22442 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Jul 9, 2009
  1. ticket: 6064

    tlyu authored
    version_fixed: 1.6.4
    status: resolved
    
    pull up r20608 from trunk
    
     ------------------------------------------------------------------------
     r20608 | raeburn | 2008-08-05 20:05:47 -0400 (Tue, 05 Aug 2008) | 9 lines
    
     ticket: new
     subject: fix cleanup code in allocating preauth info
     target_version: 1.6.4
     tags: pullup
    
     After an allocation failure, free up the previously allocated array
     elements by counting back down to zero, not continuing to count up
     until we hit zero.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22429 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 6053

    tlyu authored
    version_fixed: 1.6.4
    
    pull up r20580 from trunk
    
     ------------------------------------------------------------------------
     r20580 | raeburn | 2008-07-25 15:19:06 -0400 (Fri, 25 Jul 2008) | 8 lines
    
     ticket: new
     target_version: 1.6.4
     tags: pullup
     subject: fix possible uninit variable use in error path
    
     Clear gss_client and gss_target before any possible branch to 'error',
     where they can be used.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22428 dc483132-0cff-0310-8789-dd5450dbe970
  3. ticket: 5998

    tlyu authored
    version_fixed: 1.6.4
    
    pull up r20485 from trunk
     ------------------------------------------------------------------------
     r20485 | raeburn | 2008-06-26 23:33:14 -0400 (Thu, 26 Jun 2008) | 8 lines
    
     ticket: new
     target_version: 1.6.4
     tags: pullup
     subject: use-after-free bugs
    
     Fix some bugs with storage being used immediately after being freed.
     None look like anything an attacker can really manipulate AFAICT.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22427 dc483132-0cff-0310-8789-dd5450dbe970
  4. ticket: 5997

    tlyu authored
    status: resolved
    version_fixed: 1.6.4
    
    pull up r20482, r20481 from trunk
    
     ------------------------------------------------------------------------
     r20482 | raeburn | 2008-06-26 22:51:09 -0400 (Thu, 26 Jun 2008) | 5 lines
    
     ticket: 5997
    
     Memory leak, and possible freed-memory dereference, in an error (small
     allocation failure) path.
     ------------------------------------------------------------------------
     r20481 | raeburn | 2008-06-26 22:47:06 -0400 (Thu, 26 Jun 2008) | 9 lines
    
     ticket: new
     target_version: 1.6.4
     subject: misc memory leaks
     tags: pullup
    
     Fix various memory leaks that show up mostly in error cases (e.g.,
     failure to allocate one small object, and then we forget to free
     another one).
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22426 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Apr 8, 2009
  1. ticket: 6448

    tlyu authored
    subject: CVE-2009-0846 (1.6.x) asn1_decode_generaltime can free uninitialized pointer
    tags: pullup
    target_version: 1.6.4
    version_fixed: 1.6.4
    
    pull up rxxxx from trunk
    
    The asn1_decode_generaltime() function can free an uninitialized
    pointer if asn1buf_remove_charstring() fails.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22181 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 6447

    tlyu authored
    subject: CVE-2009-0847 (1.6.x) asn1buf_imbed incorrect length validation
    tags: pullup
    target_version: 1.6.4
    version_fixed: 1.6.4
    
    pull up rxxxx from trunk
    
    asn1buf_imbed() can perform pointer arithmetic that causes the "bound"
    pointer of the subbuffer to be less than the "next" pointer.  This can
    lead to malloc() failure or crash.
    
    In asn1buf_imbed(), check the length before doing arithmetic to set
    subbuf->bound.  In asn1buf_remove_octetstring() and
    asn1buf_remove_charstring(), check for invalid buffer pointers before
    executing an unsigned length check against a (casted to size_t)
    negative number.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22180 dc483132-0cff-0310-8789-dd5450dbe970
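
The check ordering described in the commit message above, as an added C example (not the krb5 source and not part of the commit): validate the buffer pointers first, then the length, and only then compute the sub-buffer's bound. The `demo_buf` type and all function names are hypothetical, `bound` is modeled as one past the last valid byte, and the storage is constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified decode-buffer model (assumed for illustration); "bound" is
 * modeled here as one past the last valid byte. */
typedef struct {
    const unsigned char *base;
    const unsigned char *next;
    const unsigned char *bound;
} demo_buf;

enum { DEMO_OK = 0, DEMO_OVERRUN = 1 };

static unsigned char backing[64];  /* constructed sample storage */

/* Pre-fix shape: bound is derived from a length nobody validated. */
static int imbed_unchecked(demo_buf *sub, const demo_buf *buf, size_t length)
{
    sub->base = sub->next = buf->next;
    sub->bound = sub->base + length;
    return DEMO_OK;
}

/* Fixed shape: validate pointers, then length, then do the arithmetic. */
static int imbed_checked(demo_buf *sub, const demo_buf *buf, size_t length)
{
    if (buf->next > buf->bound) return DEMO_OVERRUN;
    if (length > (size_t)(buf->bound - buf->next)) return DEMO_OVERRUN;
    sub->base = sub->next = buf->next;
    sub->bound = sub->base + length;
    return DEMO_OK;
}

/* Pre-fix shape: when next > bound the difference is negative, the cast
 * turns it into a huge size_t, and every len passes. */
static int read_allowed_unchecked(const demo_buf *buf, size_t len)
{
    return len <= (size_t)(buf->bound - buf->next);
}

/* Fixed shape: reject inconsistent pointers before the unsigned compare. */
static int read_allowed_checked(const demo_buf *buf, size_t len)
{
    if (buf->next > buf->bound) return 0;
    return len <= (size_t)(buf->bound - buf->next);
}

/* 1 if the sub-buffer lies entirely inside the parent's unread bytes. */
static int sub_within_parent(const demo_buf *sub, const demo_buf *buf)
{
    return sub->base >= buf->next && sub->bound <= buf->bound;
}

int main(void)
{
    demo_buf parent = { backing + 8, backing + 8, backing + 16 }, sub;
    demo_buf bad = { backing + 8, backing + 20, backing + 16 }; /* next > bound */
    imbed_unchecked(&sub, &parent, 32);
    printf("unchecked: sub inside parent=%d, bad read allowed=%d\n",
           sub_within_parent(&sub, &parent), read_allowed_unchecked(&bad, 4));
    printf("checked:   imbed rc=%d, bad read allowed=%d\n",
           imbed_checked(&sub, &parent, 32), read_allowed_checked(&bad, 4));
    return 0;
}
```

The parent buffer is an 8-byte window inside a 64-byte array so that the oversized and inconsistent cases stay within one object and the pointer arithmetic remains defined.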
  3. ticket: 6446

    tlyu authored
    subject: CVE-2009-0844 (1.6.x) SPNEGO can read beyond buffer end
    tags: pullup
    target_version: 1.6.4
    version_fixed: 1.6.4
    
    pull up rxxxxx from trunk
    
    SPNEGO can read beyond the end of a buffer if the claimed DER length
    exceeds the number of bytes in the input buffer. This can lead to
    crash or information disclosure.
    
    Thanks to Apple for reporting this vulnerability and providing
    patches.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22179 dc483132-0cff-0310-8789-dd5450dbe970
  4. ticket: 6426

    tlyu authored
    Apply revised patch from Apple that ensures that a REJECT token is
    sent on error.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22178 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Mar 17, 2009
  1. ticket: 6426

    tlyu authored
    subject: CVE-2009-0845 (1.6.x) SPNEGO can dereference a null pointer
    tags: pullup
    target_version: 1.6.4
    version_fixed: 1.6.4
    
    pull up r22084 from trunk
    
    acc_ctx_new() can return an error condition without establishing a
    SPNEGO context structure.  This can cause a null pointer dereference
    in cleanup code in spnego_gss_accept_sec_context().
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22104 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Aug 11, 2008
  1. ticket: 6047

    tlyu authored
    version_fixed: 1.6.4
    
    pull up r20573 from trunk
    
     r20573@cathode-dark-space:  jaltman | 2008-07-23 11:09:15 -0400
     ticket: 6047
     tags: pullup
     
     The NIM error reporting functions (in src/windows/identity/kherr ) keep
     track of the error message with the highest severity level that was
     reported for a specific error reporting context.  However, if another
     error message of the same severity is reported, the error message being
     tracked will be updated to be the newly received error.
     
     The user will often only be notified of the error message that was
     tracked for a specific operation.  Therefore, tracking the last message
     with the highest priority has the unfortunate side-effect of not
     reporting the cause of a failure.
     
     This patch changes the condition for updating the tracked error message
     to be the first message with the highest severity.
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20641 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 5745

    tlyu authored
    version_fixed: 1.6.4
    status: resolved
    
    pull up r20572 from trunk
    
     r20572@cathode-dark-space:  jaltman | 2008-07-23 11:04:26 -0400
     ticket: 5745
     tags: pullup
     
     This patch modifies the NIM Kerberos v5 plug-in to use the 
     krb5_get_error_message() function to look up the error string 
     if the call to krb5_get_init_creds_password() fails. If the call 
     to krb5_get_error_message() fails, the caller will failover to 
     the previous method of looking up a suitable error message based 
     on the error code.
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20640 dc483132-0cff-0310-8789-dd5450dbe970
  3. ticket: 6046

    tlyu authored
    version_fixed: 1.6.4
    status: resolved
    
    pull up r20571 from trunk
    
     r20571@cathode-dark-space:  jaltman | 2008-07-23 10:44:50 -0400
     ticket: 6046
     tags: pullup
     
      	
     
     The /src/windows/identity/plugins/common/dynimport.{c,h} files are used
     by the NIM Kerberos v5 plug-ins for run-time dynamic linking.  They
     currently do not declare or import the following functions:
     
     krb5_get_error_message()
     krb5_free_error_message()
     krb5_clear_error_message()
     
     This patch adds declarations and definitions required for locating these
     functions.  Relies on the addition of these functions to the prototype
     list in the Pismere loadfuncs-krb5.h.  See ticket 6045.
     
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20639 dc483132-0cff-0310-8789-dd5450dbe970
  4. ticket: 5605

    tlyu authored
    version_fixed: 1.6.4
    status: resolved
    
    pull up r20570 from trunk
    
     r20570@cathode-dark-space:  jaltman | 2008-07-23 10:38:27 -0400
     ticket: 5605
     tags: pullup
     
     cw_handle_header_msg():
     
     The behavior of the HDN_ENDTRACK notification has changed slightly on
     Vista.  HDM_GETITEMRECT, when used while handling HDN_ENDTRACK, returns
     the item extents that were there prior to the user starting the resizing
     operation.  Earlier it would return the extents that resulted from the
     resizing operation.
     
     This resulted in a visual update problem on Windows Vista/2008
     in the NIM Advanced View.
     
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20638 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Jul 25, 2008
  1. ticket: 5995

    tlyu authored
    version_fixed: 1.6.4
    status: resolved
    
    pull up r20478 from trunk
    
     r20478@cathode-dark-space:  raeburn | 2008-06-26 20:22:43 -0400
     ticket: new
     target_version: 1.6.4
     
     Fix off-by-one error in range check on file descriptor number.
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20587 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 5995

    tlyu authored
    pull up r20127 from trunk
    
     r20127@cathode-dark-space:  raeburn | 2007-10-17 20:14:01 -0400
     Reject socket fds > FD_SETSIZE.
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20586 dc483132-0cff-0310-8789-dd5450dbe970
  3. ticket: 6040

    tlyu authored
    version_fixed: 1.6.4
    status: resolved
    
    pull up r20553 from trunk
    
     r20553@cathode-dark-space:  jaltman | 2008-07-21 14:48:03 -0400
     ticket: new
     subject: Assign fixed ordinals to comerr32.dll exports
     component: krb5-libs
     tags: pullup
     
     All of the other libraries on Windows have fixed assignments
     of ordinals to the exported functions.  Assign the ordinals 
     that were in use in the last public release, kfw 3.2.2, so 
     that they will remain constant into the future in case additional
     exports are added to the library.
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20585 dc483132-0cff-0310-8789-dd5450dbe970
  4. ticket: 5840

    tlyu authored
    version_fixed: 1.6.4
    status: resolved
    
    pull up r20558 from trunk
    
     r20558@cathode-dark-space:  jaltman | 2008-07-21 16:33:53 -0400
     ticket: 5840
     tags: pullup
     
     kadm5_decrypt_key(). This patch prevents the returned keyblock's 
     enctype from being coerced to the requested 'ktype' if the requested 
     'ktype' == -1. A ktype of -1 is documented as meaning "to be ignored".
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20584 dc483132-0cff-0310-8789-dd5450dbe970
  5. ticket: 5442

    tlyu authored
    version_fixed: 1.6.4
    status: resolved
    
     r20575@cathode-dark-space:  tlyu | 2008-07-23 13:06:56 -0400
     ticket: 5442
     
     Fix one missed rename of "exit" label to "done".
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20583 dc483132-0cff-0310-8789-dd5450dbe970
  6. ticket: 5442

    tlyu authored
    pull up r20574 from trunk
    
     r20574@cathode-dark-space:  jaltman | 2008-07-23 12:03:40 -0400
     ticket: 5442
     
     replace "exit" label with "done"
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20582 dc483132-0cff-0310-8789-dd5450dbe970
  7. ticket: 5442

    tlyu authored
    pull up r20559 from trunk
    
     r20559@cathode-dark-space:  jaltman | 2008-07-21 16:47:35 -0400
     ticket: 5442
     tags: pullup
     
     This patch addresses the issues raised in this ticket and ticket 5936.
     
     (a) In the case where 'cred_handle' != 'verifier_cred_handle'[1]
     krb5_gss_accept_sec_context() leaks the 'cred_handle' in the success
     case and the failure cases that result in returning from the function
     prior to reaching the end of the function.
     
     (b) The meaningful 'minor_status' return value is destroyed during the
     cleanup operations.
     
     The approach taken is to add a new 'exit:' label prior to the end of the
     function through which all function returns after reaching the 'fail:'
     label will goto.  After 'exit:', the 'cred_handle' will be released and
     if there is a krb5_context 'context' to be freed, the error info will be
     saved and krb5_free_context() will be called.
     
     In the success case, the krb5_context is saved in the gss context and we
     now set 'context' to NULL to prevent it from being freed.
     
     In order to preserve the minor_status return code, a 'tmp_minor_status'
     variable is added that is used after the 'fail:' label in calls to
     krb5_gss_delete_sec_context() and krb5_gss_release_cred().
     
     
     [1] If 'verifier_cred_handle' is non-NULL, then 'cred_handle' is set to
     the value of 'verifier_cred_handle'.
     
     
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20581 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Jul 21, 2008
  1. ticket: 5980

    tlyu authored
    version_fixed: 1.6.4
    status: resolved
    
    pull up r20561 from trunk
    (includes unrelated cleanup of dead assignment)
    
     r20561@cathode-dark-space:  raeburn | 2008-07-21 16:59:24 -0400
     ticket: 5980
     
     Another check for null return from krb5_cc_default_name.
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20565 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 5980

    tlyu authored
    pull up r20551 from trunk
    
     r20551@cathode-dark-space:  jaltman | 2008-07-21 13:44:43 -0400
     ticket: 5080
     tags: pullup
     
     ccdefault.c:
     krb5_cc_default_name() is permitted to return a NULL
     pointer as a valid output.  Passing a NULL pointer to
     strcmp() will result in an exception as NULL is not
     a valid input parameter to strcmp().
     
     Save the output of krb5_cc_default_name() to a variable
     and modify the conditional to set the new default ccache
     name in the case where there is no existing default 
     ccache name.
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20564 dc483132-0cff-0310-8789-dd5450dbe970
  3. ticket: 5839

    tlyu authored
    status: resolved
    version_fixed: 1.6.4
    
    pull up r20557 from trunk
    
     r20557@cathode-dark-space:  jaltman | 2008-07-21 16:30:44 -0400
     ticket: 5839
     tags: pullup
     
     krb5_string_to_keysalts()
       Fix an infinite loop in the parsing of 'kp' 
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20563 dc483132-0cff-0310-8789-dd5450dbe970
  4. ticket: 5895

    tlyu authored
    status: resolved
    version_fixed: 1.6.4
    
    pull up r20555 from trunk
    
     r20555@cathode-dark-space:  jaltman | 2008-07-21 15:43:21 -0400
     ticket: 5895
     tags: pullup
     
     There are two mutex locking issues that Roland Dowdeswell noticed in 
     the memory ccache.  The first one is in cc_memory.c:krb5_mcc_initialize(). 
     When it is free(3)ing the existing credentials it does not lock the 
     data structures and hence two separate threads can run into issues.
     
     The same problem exists in cc_memory.c:krb5_mcc_destroy().
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20562 dc483132-0cff-0310-8789-dd5450dbe970
  5. ticket: 6033

    tlyu authored
    status: resolved
    version_fixed: 1.6.4
    
    pull up r20527 from trunk
    
     r20527@cathode-dark-space:  tlyu | 2008-07-15 17:43:35 -0400
     ticket: new
     subject: krb5_get_cred_via_tkt() should null out_cred on errors
     tags: pullup
     target_version: 1.6.4
     component: krb5-libs
     
     Helper function krb5_kdcrep2creds(), called from
     krb5_get_cred_via_tkt(), should null its output pointer after freeing
     allocated memory, to avoid returning an invalid pointer.
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20550 dc483132-0cff-0310-8789-dd5450dbe970
  6. ticket: 6030

    tlyu authored
    status: resolved
    version_fixed: 1.6.4
    
    pull up r20532 from trunk
    
     r20532@cathode-dark-space:  tlyu | 2008-07-17 11:44:43 -0400
     ticket: 6030
     tags: pullup
     target_version: 1.6.4
     
     Apply patch from Mark Phalan to correctly use progname instead of
     argv[0].
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20549 dc483132-0cff-0310-8789-dd5450dbe970
  7. ticket: 6028

    tlyu authored
    status: resolved
    version_fixed: 1.6.4
    
    pull up r20531 from trunk
    
     r20531@cathode-dark-space:  tlyu | 2008-07-16 19:01:54 -0400
     ticket: 6028
     target_version: 1.6.4
     tags: pullup
     
     Apply patch from Mark Phalan to initialize progname before use.
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20548 dc483132-0cff-0310-8789-dd5450dbe970
  8. ticket: 6018

    tlyu authored
    status: resolved
    version_fixed: 1.6.4
    
    pull up r20536 from trunk
    
     r20536@cathode-dark-space:  tlyu | 2008-07-17 19:40:32 -0400
     ticket: 6018
     target_version: 1.6.4
     tags: pullup
     
     In krb5_rc_io_creat(), unlink any existing rcache file before trying
     to create a new rcache.  This allows better recovery from corrupt
     rcache files.
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20547 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Jul 14, 2008
  1. ticket: 6022

    tlyu authored
    version_fixed: 1.6.4
    
    pull up r20503 from trunk
    
     r20503@cathode-dark-space:  tlyu | 2008-07-09 15:54:56 -0400
     ticket: new
     tags: pullup
     component: krb5-libs
     subject: add copyright to lib/crypto/enc_provider/aes.c
     target_version: 1.6.4
     
     lib/crypto/enc_provider/aes.c was missing a copyright statement.
     Added.
     
     
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20524 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 5996

    tlyu authored
    version_fixed: 1.6.4
    
    pull up r20480 from trunk
    
     r20480@cathode-dark-space:  raeburn | 2008-06-26 21:26:08 -0400
     ticket: new
     subject: fix free of automatic storage
     target_version: 1.6.4
     tags: pullup
     
     Fix a possible free of automatic storage that can happen on an
     (unlikely) encoding failure.
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20523 dc483132-0cff-0310-8789-dd5450dbe970
  3. ticket: 5994

    tlyu authored
    version_fixed: 1.6.4
    
    pull up r20477 from trunk
    
     r20477@cathode-dark-space:  raeburn | 2008-06-26 20:20:33 -0400
     ticket: new
     target_version: 1.6.4
     
     Fix possible null pointer deref, possible uninit ptr use, possible
     leak in unlikely small-allocation failure case.
    
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20522 dc483132-0cff-0310-8789-dd5450dbe970