Hi. I'd like permission to upload the following patch to s-p-u. I've coordinated with the security team for the security issues and our mutual agreement is that they should be addressed in a point release.
diff --git a/debian/changelog b/debian/changelog
index 27673a6..13cea43 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+krb5 (1.8.3+dfsg-4squeeze1) stable; urgency=low
+
+ * Fix double free with pkinit on KDC, CVE-2011-0284, Closes: #618517
+ * Updated Danish debconf translations, thanks Joe Dalton, Closes:
+ #584282
+ * KDC/LDAP DOS (CVE-2010-4022, CVE-2011-0281, and CVE-2011-0282,
+ Closes: #613487
+ * Fix delegation of credentials against Windows servers; significant
+ interoperability issue, Closes: #611906
+ * Set nt-srv-inst on TGS names to work against W2K8R2 KDCs, Closes:
+ #616429
+ * Don't fail authentication when PAC verification fails; support hmac-
+ md5 checksums even for non-RC4 keys, Closes: #616728
+
+ -- Sam Hartman <hartmans@debian.org> Wed, 16 Mar 2011 11:52:06 -0400
+
krb5 (1.8.3+dfsg-4) unstable; urgency=medium
* Ignore PACs without a server signature generated by OS X Open
diff --git a/debian/po/da.po b/debian/po/da.po
index 11c207a..1a66e29 100644
--- a/debian/po/da.po
+++ b/debian/po/da.po
@@ -1,33 +1,26 @@
-#
-# Translators, if you are not familiar with the PO format, gettext
-# documentation is worth reading, especially sections dedicated to
-# this format, e.g. by running:
-# info -n '(gettext)PO Files'
-# info -n '(gettext)Header Entry'
-# Some information specific to po-debconf are available at
-# /usr/share/doc/po-debconf/README-trans
-# or http://www.debian.org/intl/l10n/po-debconf/README-trans#
-# Developers do not need to manually edit POT or PO files.
-#
+# Dansih translation krb5.
+# Copyright (C) 2010 krb5 & nedenstående oversættere.
+# This file is distributed under the same license as the krb5 package.
# Claus Hindsgaul <claus_h@image.dk>, 2006.
+# Joe Hansen <joedalton2@yahoo.dk>, 2010.
+#
msgid ""
msgstr ""
"Project-Id-Version: krb5\n"
"Report-Msgid-Bugs-To: krb5@packages.debian.org\n"
"POT-Creation-Date: 2009-02-21 13:55-0500\n"
-"PO-Revision-Date: 2006-01-26 21:55+0100\n"
-"Last-Translator: Claus Hindsgaul <claus_h@image.dk>\n"
-"Language-Team: Danish <dansk@klid.dk>\n"
+"PO-Revision-Date: 2010-06-02 17:30+01:00\n"
+"Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n"
+"Language-Team: Danish <debian-l10n-danish@lists.debian.org> \n"
"MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=ISO-8859-1\n"
+"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
-"X-Generator: KBabel 1.11.1\n"
#. Type: note
#. Description
#: ../krb5-admin-server.templates:2001
msgid "Setting up a Kerberos Realm"
-msgstr "Sætter et Kerberos-rige op"
+msgstr "Sætter et Kerberos-rige op"
#. Type: note
#. Description
@@ -36,6 +29,8 @@ msgid ""
"This package contains the administrative tools required to run the Kerberos "
"master server."
msgstr ""
+"Denne pakke indeholder de administrative værktøjer krævet til at køre "
+"Kerberos' masterserver."
#. Type: note
#. Description
@@ -44,6 +39,9 @@ msgid ""
"However, installing this package does not automatically set up a Kerberos "
"realm. This can be done later by running the \"krb5_newrealm\" command."
msgstr ""
+"Installation af denne pakke medfører dog ikke automatisk, at et "
+"Kerberos-rige bliver sat op. Dette kan gøres senere ved at køre kommandoen "
+"»krb5_newrealm«."
#. Type: note
#. Description
@@ -52,13 +50,14 @@ msgid ""
"Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the "
"administration guide found in the krb5-doc package."
msgstr ""
+"Læs venligst også filen /usr/share/doc/krb5-kdc/README.KDC og "
+"administrationsvejledningen, der kan ses i pakken krb5-doc."
#. Type: boolean
#. Description
#: ../krb5-admin-server.templates:3001
-#, fuzzy
msgid "Run the Kerberos V5 administration daemon (kadmind)?"
-msgstr "Skal Kerberos5-administrationsdæmonen (kadmind) køres?"
+msgstr "Skal administrationsdæmonen Kerberos5 (kadmind) køres?"
#. Type: boolean
#. Description
@@ -67,6 +66,8 @@ msgid ""
"Kadmind serves requests to add/modify/remove principals in the Kerberos "
"database."
msgstr ""
+"Kadmindservere anmoder om at tilføje/ændre/fjerne vigtige ting i "
+"kerberosdatabasen."
#. Type: boolean
#. Description
@@ -75,13 +76,14 @@ msgid ""
"It is required by the kpasswd program, used to change passwords. With "
"standard setups, this daemon should run on the master KDC."
msgstr ""
+"Den er krævet af kpasswd-programmet, brugt til at ændre adgangskoder. "
+"Med standardopsætning, skal denne dæmon køre på master-KDC'en."
#. Type: boolean
#. Description
#: ../krb5-kdc.templates:2001
-#, fuzzy
msgid "Create the Kerberos KDC configuration automatically?"
-msgstr "Opret Kerberos KDC-opsætning med debconf?"
+msgstr "Opret automatisk Kerberos KDC-konfigurationen?"
#. Type: boolean
#. Description
@@ -90,6 +92,8 @@ msgid ""
"The Kerberos Key Distribution Center (KDC) configuration files, in /etc/"
"krb5kdc, may be created automatically."
msgstr ""
+"Konfigurationsfilerne for Kerberos Key Distribution Center (KDC) i /etc/"
+"krb5kdc, kan oprettes automatisk."
#. Type: boolean
#. Description
@@ -98,6 +102,8 @@ msgid ""
"By default, an example template will be copied into this directory with "
"local parameters filled in."
msgstr ""
+"Som standard vil en eksempelskabelon blive kopieret ind i denne mappe med "
+"lokale parametre udfyldt."
#. Type: boolean
#. Description
@@ -106,28 +112,27 @@ msgid ""
"Administrators who already have infrastructure to manage their Kerberos "
"configuration may wish to disable these automatic configuration changes."
msgstr ""
+"Administratorer, som allerede har infrastruktur til håndtering af deres "
+"Kerberoskonfiguration, vil måske ønske at deaktivere disse automatiske "
+"konfigurationsændringer."
#. Type: boolean
#. Description
#: ../krb5-kdc.templates:3001
msgid "Should the KDC database be deleted?"
-msgstr ""
+msgstr "Skal KDC-databasen slettes?"
#. Type: boolean
#. Description
#: ../krb5-kdc.templates:3001
-#, fuzzy
msgid ""
"By default, removing this package will not delete the KDC database in /var/"
"lib/krb5kdc/principal since this database cannot be recovered once it is "
"deleted."
msgstr ""
"Som udgangspunkt vil KDC-databasen i /var/lib/krb5kdc/principal ikke blive "
-"slettet, når pakken afinstalleres, da denne database ikke kan genskabes, når "
-"den er slettet. Hvis du ønsker at slette din KDC-database, når denne pakke "
-"afinstalleres, vel vidende at det betyder at alle dine brugerkonti og "
-"adgangskoder i KDC'en dermed bliver slettet ved afinstallation, skal du "
-"aktivere denne indstilling."
+"slettet, når pakken afinstalleres, da denne database ikke kan genskabes, når "
+"den er slettet."
#. Type: boolean
#. Description
@@ -136,94 +141,6 @@ msgid ""
"Choose this option if you wish to delete the KDC database now, deleting all "
"of the user accounts and passwords in the KDC."
msgstr ""
+"Vælg denne indstilling hvis du ønsker at slette KDC-databasen nu, dermed "
+"slettes alle brugerkonti og adgangskoder i KDC'en."
-#, fuzzy
-#~ msgid "Kerberos V4 compatibility mode to use:"
-#~ msgstr "Kerberos4-kompatibilitetstilstand, der skal benyttes:"
-
-#, fuzzy
-#~ msgid ""
-#~ "By default, Kerberos V4 requests are allowed from principals that do not "
-#~ "require preauthentication (\"nopreauth\"). This allows Kerberos V4 "
-#~ "services to exist while requiring most users to use Kerberos V5 clients "
-#~ "to get their initial tickets. These tickets can then be converted to "
-#~ "Kerberos V4 tickets."
-#~ msgstr ""
-#~ "Som udgangspunkt tillades Kerberos4-forespørgsler fra elementer, der ikke "
-#~ "kræver præ-autentifikation. Det vil gøre det muligt at bevare Kerberos4-"
-#~ "services, mens de fleste brugere tvinges til at bruge Kerberos5-klienter "
-#~ "til at opnå deres første billetter. Disse billetter kan derefter omsættes "
-#~ "til Kerberos4-billeter. Alternativt kan man vælge fuld tilstand, som "
-#~ "tillader Kerberos4 at få de første billetter, selvom præautentifikation "
-#~ "normalt ville have været påkrævet, eller vælge at deaktivere, hvilket vil "
-#~ "deaktivere al understøttelse af Kerberos4."
-
-#~ msgid "Should the data be purged as well as the package files?"
-#~ msgstr "Skal data slettes, når pakkens afinstalleres?"
-
-#~ msgid ""
-#~ "This package contains the administrative tools necessary to run on the "
-#~ "Kerberos master server. However, installing this package does not "
-#~ "automatically set up a Kerberos realm. Doing so requires entering "
-#~ "passwords and as such is not well-suited for package installation. To "
-#~ "create the realm, run the krb5_newrealm command. You may also wish to "
-#~ "read /usr/share/doc/krb5-kdc/README.KDC and the administration guide "
-#~ "found in the krb5-doc package."
-#~ msgstr ""
-#~ "Denne pakke indeholder de nødvendige administrationsværktøjer til kørsel "
-#~ "på Kerberos-hovedserveren. Installationen af denne pakke sætter dog ikke "
-#~ "automatisk et Kerberos-rige ('realm') op. Det kræver indtastning af "
-#~ "adgangskoder, hvilket ikke egner sig til pakkeinstallationen. For at "
-#~ "oprette riget, skal du udføre kommandoen krb5_newrealm. Du kan også læse /"
-#~ "usr/share/doc/krb5-kdc/README.KDC og administrationsguiden i pakken krb5-"
-#~ "doc."
-
-#~ msgid ""
-#~ "Don't forget to set up DNS information so your clients can find your KDC "
-#~ "and admin servers. Doing so is documented in the administration guide."
-#~ msgstr ""
-#~ "Glem ikke at sætte DNS-oplysningerne op, så dine klienter kan finde dine "
-#~ "KDC- og admin-servere. Fremgangsmåden er dokumenteret i "
-#~ "administrationsguiden."
-
-#~ msgid ""
-#~ "Kadmind serves requests to add/modify/remove principals in the Kerberos "
-#~ "database. It also must be running for the kpasswd program to be used to "
-#~ "change passwords. Normally, this daemon runs on the master KDC."
-#~ msgstr ""
-#~ "Kadmind håndterer forespørgsler om at tilføje/ændre/fjerne elementer i "
-#~ "Kerberos-databasen. Den skal køre for at kpasswd-programmet kan benyttes "
-#~ "til at ændre adgangskoder. Normalt kører denne dæmon på hoved-KDC'en."
-
-#~ msgid ""
-#~ "Many sites will wish to have this script automatically create Kerberos "
-#~ "KDC configuration files in /etc/krb5kdc. By default an example template "
-#~ "will be copied into this directory with local parameters filled in. Some "
-#~ "sites who already have infrastructure to manage their own Kerberos "
-#~ "configuration will wish to disable any automatic configuration changes."
-#~ msgstr ""
-#~ "Mange vil vælge at lade dette script oprette Kerberos KDC-opsætningsfiler "
-#~ "i /etc/krb5kdc automatisk. Som udgangspunkt vil en eksempel-skabelon "
-#~ "blive kopieret til denne mappe med lokale paremetre udfyldt på forhånd. "
-#~ "Dem, der allerede har infrastruktur til at håndtere deres egen Kerberos-"
-#~ "opsætning, kan vælge at deaktivere alle automatiske ænderinger i "
-#~ "opsætningen."
-
-#~ msgid "disable, full, nopreauth, none"
-#~ msgstr "deaktivér, fuld, ejpræaut, ingen"
-
-#~ msgid "Run a krb524d?"
-#~ msgstr "Kør en krb524d?"
-
-#~ msgid ""
-#~ "Krb524d is a daemon that converts Kerberos5 tickets into Kerberos4 "
-#~ "tickets for the krb524init program. If you have Kerberos4 enabled at "
-#~ "all, then you probably want to run this program. Especially when "
-#~ "Kerberos4 compatibility is set to nopreauth, krb524d is important if you "
-#~ "have any Kerberos4 services."
-#~ msgstr ""
-#~ "Krb524d er en dæmon, der omsætter Kerberos5-billetter til Kerberos4-"
-#~ "billetter til programmet krb524init. Hvis du overhovedet har aktiveret "
-#~ "Kerberos4, skal du sikkert køre dette program. krb524d er især vigtig, "
-#~ "hvis Kerberos4-kompatibiliteten er sat til ejpræaut, og du har Kerberos4-"
-#~ "services kørende."
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 3924297..4eb752c 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -784,6 +784,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
pad->contents = td[size]->data;
pad->length = td[size]->length;
pa[size] = pad;
+ td[size]->data = NULL;
+ td[size]->length = 0;
}
krb5_free_typed_data(kdc_context, td);
}
diff --git a/src/lib/crypto/krb/checksum/hmac_md5.c b/src/lib/crypto/krb/checksum/hmac_md5.c
index 4812907..784b746 100644
--- a/src/lib/crypto/krb/checksum/hmac_md5.c
+++ b/src/lib/crypto/krb/checksum/hmac_md5.c
@@ -52,7 +52,7 @@ krb5_error_code krb5int_hmacmd5_checksum(const struct krb5_cksumtypes *ctp,
return KRB5_BAD_ENCTYPE;
if (ctp->ctype == CKSUMTYPE_HMAC_MD5_ARCFOUR) {
/* Compute HMAC(key, "signaturekey\0") to get the signing key ks. */
- ret = alloc_data(&ds, key->keyblock.length);
+ ret = alloc_data(&ds, ctp->hash->hashsize);
if (ret != 0)
goto cleanup;
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index e3358b8..8b6ba20 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -234,9 +234,7 @@ struct gss_checksum_data {
krb5_data checksum_data;
};
-#ifdef CFX_EXERCISE
#include "../../krb5/krb/auth_con.h"
-#endif
static krb5_error_code KRB5_CALLCONV
make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
void *cksum_data, krb5_data **out)
@@ -247,6 +245,7 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
struct gss_checksum_data *data = cksum_data;
krb5_data credmsg;
unsigned int junk;
+ krb5_key send_subkey;
data->checksum_data.data = 0;
credmsg.data = 0;
@@ -262,13 +261,22 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
assert(data->cred->name != NULL);
+ /*
+ * RFC 4121 4.1.1 specifies forwarded credentials must be encrypted in
+ * the session key, but krb5_fwd_tgt_creds will use the send subkey if
+ * it's set in the auth context. Null out the send subkey temporarily.
+ */
+ send_subkey = auth_context->send_subkey;
+ auth_context->send_subkey = NULL;
+
code = krb5_fwd_tgt_creds(context, auth_context, 0,
data->cred->name->princ, data->ctx->there->princ,
data->cred->ccache, 1,
&credmsg);
- /* turn KRB5_AUTH_CONTEXT_DO_TIME back on */
+ /* Turn KRB5_AUTH_CONTEXT_DO_TIME back on and reset the send subkey. */
krb5_auth_con_setflags(context, auth_context, con_flags);
+ auth_context->send_subkey = send_subkey;
if (code) {
/* don't fail here; just don't accept/do the delegation
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index e46e7ac..15619a8 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1023,8 +1023,19 @@ build_in_tkt_name(krb5_context context,
client->realm.length,
client->realm.data,
0);
+ if (ret)
+ return ret;
}
- return ret;
+ /*
+ * Windows Server 2008 R2 RODC insists on TGS principal names having the
+ * right name type.
+ */
+ if (krb5_princ_size(context, *server) == 2 &&
+ data_eq_string(*krb5_princ_component(context, *server, 0),
+ KRB5_TGS_NAME)) {
+ krb5_princ_type(context, *server) = KRB5_NT_SRV_INST;
+ }
+ return 0;
}
void KRB5_CALLCONV
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 50b2969..d89c380 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -684,16 +684,8 @@ krb5_pac_verify(krb5_context context,
return EINVAL;
ret = k5_pac_verify_server_checksum(context, pac, server);
- if (ret == ENOENT) {
- /*
- * Apple Mac OS X Server Open Directory KDC (at least 10.6)
- * appears to provide a PAC that lacks a server checksum.
- */
- pac->verified = FALSE;
- return ret;
- } else if (ret != 0) {
+ if (ret != 0)
return ret;
- }
if (privsvr != NULL) {
ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
@@ -1095,35 +1087,18 @@ mspac_verify(krb5_context kcontext,
if (pacctx->pac == NULL)
return EINVAL;
- code = krb5_pac_verify(kcontext,
- pacctx->pac,
+ code = krb5_pac_verify(kcontext, pacctx->pac,
req->ticket->enc_part2->times.authtime,
- req->ticket->enc_part2->client,
- key,
- NULL);
+ req->ticket->enc_part2->client, key, NULL);
/*
- * If the server checksum is not found, return success to
- * krb5int_authdata_verify() to work around an apparent Open
- * Directory bug. Non-verified PACs won't be returned by
- * mspac_get_attribute().
+ * If the above verification failed, don't fail the whole authentication,
+ * just don't mark the PAC as verified. A checksum mismatch can occur if
+ * the PAC was copied from a cross-realm TGT by an ignorant KDC, and Apple
+ * Mac OS X Server Open Directory (as of 10.6) generates PACs with no
+ * server checksum at all.
*/
- if (code == ENOENT && !pacctx->pac->verified) {
- code = 0;
- }
-
-#if 0
- /*
- * Now, we could return 0 and just set pac->verified to FALSE.
- * Thoughts?
- */
- if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
- assert(pacctx->pac->verified == FALSE);
- code = 0;
- }
-#endif
-
- return code;
+ return 0;
}
static void
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index 1ca09b4..60caf3d 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er
#define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
#define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \
- do { \
- st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
- if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
- tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
- if (ldap_server_handle) \
- ld = ldap_server_handle->ldap_handle; \
- } \
- }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
+ tempst = 0; \
+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, \
+ NULL, &timelimit, LDAP_NO_LIMIT, &result); \
+ if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
+ tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
+ if (ldap_server_handle) \
+ ld = ldap_server_handle->ldap_handle; \
+ if (tempst == 0) \
+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, \
+ NULL, NULL, &timelimit, \
+ LDAP_NO_LIMIT, &result); \
+ } \
\
if (status_check != IGNORE_STATUS) { \
if (tempst != 0) { \
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
index 82b0333..84e80ee 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context,
{
krb5_ldap_server_handle *handle = *ldap_server_handle;
+ ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
|| (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index f549e23..b70940f 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -446,12 +446,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context,
* portion, then the first portion of the principal name SHOULD be
* "krbtgt". All this check is done in the immediate block.
*/
- if (searchfor->length == 2)
- if ((strncasecmp(searchfor->data[0].data, "krbtgt",
- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
- (strncasecmp(searchfor->data[1].data, defrealm,
- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
+ if (searchfor->length == 2) {
+ if (data_eq_string(searchfor->data[0], "krbtgt") &&
+ data_eq_string(searchfor->data[1], defrealm))
return 0;
+ }
/* first check the length, if they are not equal, then they are not same */
if (strlen(defrealm) != searchfor->realm.length)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 7ad31da..626ed1f 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -103,10 +103,10 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
unsigned int flags, krb5_db_entry *entries,
int *nentries, krb5_boolean *more)
{
- char *user=NULL, *filter=NULL, **subtree=NULL;
+ char *user=NULL, *filter=NULL, *filtuser=NULL;
unsigned int tree=0, ntrees=1, princlen=0;
krb5_error_code tempst=0, st=0;
- char **values=NULL, *cname=NULL;
+ char **values=NULL, **subtree=NULL, *cname=NULL;
LDAP *ld=NULL;
LDAPMessage *result=NULL, *ent=NULL;
krb5_ldap_context *ldap_context=NULL;
@@ -142,12 +142,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
goto cleanup;
- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
+ filtuser = ldap_filter_correct(user);
+ if (filtuser == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
+
+ princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */
if ((filter = malloc(princlen)) == NULL) {
st = ENOMEM;
goto cleanup;
}
- snprintf(filter, princlen, FILTER"%s))", user);
+ snprintf(filter, princlen, FILTER"%s))", filtuser);
if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
goto cleanup;
@@ -231,6 +237,9 @@ cleanup:
if (user)
free(user);
+ if (filtuser)
+ free(filtuser);
+
if (cname)
free(cname);
diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
index ef43e4a..bf6bdad 100644
--- a/src/slave/kpropd.c
+++ b/src/slave/kpropd.c
@@ -398,11 +398,11 @@ retry:
}
close(s);
- if (iproprole == IPROP_SLAVE)
+ if (iproprole == IPROP_SLAVE) {
close(finet);
-
- if ((ret = WEXITSTATUS(status)) != 0)
- return (ret);
+ if ((ret = WEXITSTATUS(status)) != 0)
+ return (ret);
+ }
}
if (iproprole == IPROP_SLAVE)
break;
Attachment:
pgp1LHFoMZ0oJ.pgp
Description: PGP signature