Patch-ID# 115168-26


Download this patch from My Oracle Support

Your use of the firmware, software and any other materials contained in this update is subject to My Oracle Support Terms of Use, which may be viewed at My Oracle Support.
For further information on patching best practices and resources, please see the following links:
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security encryption international krbv5 pam_krb5 kerberos libgss.so.1 kerberos nfs
Synopsis: SunOS 5.9_x86: krb5, gss patch
Date: Jul/05/2012


Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reboot is performed. Unless
otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.

Solaris Release: 9_x86

SunOS Release: 5.9_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 112908

Topic: SunOS 5.9_x86: krb5, gss patch

Relevant Architectures: i386

Bugs fixed with this patch:

Sun CR # Bug #
440691415050242
443013815057988
445233915062632
451653715083788
452620215086950
461497915091161
462121915092635
463057415095132
463554615096390
468023015106684
470778815113194
470884615113496
470947515113635
471010815113786
471011115113787
471133515114104
471199315114249
471309715114498
471359215114590
471459615114853
471965415116032
472059515116271
472722415118013
473353215119703
474096915121918
474318115122535
474428015122916
475098915124873
475975915127483
477066115130929
477743615133006
478487215135301
478612615135657
479443615138224
479912215139946
479917315139964
480701015142683
481157515144194
481659015145766
482846715149452
482963715149809
483004415149949
483667615152065
483714015152228
483727815152280
484101315153565
484156615153752
484602415154953
484782715155520
485195215156634
485717915158294
486022615159139
486244915159625
486566415160573
487300515162584
488106615164935
488294615165479
492455415177535
492547215177819
492597015177949
492639115178062
492662415178115
492896415178794
495740615186325
496483915188484
496652115188958
496767415189315
496794515189354
496930615189702
497163015190375
497181015190438
497505715191280
497615515191545
497674515191712
497757415191927
498299115193450
499012215195508
499554315196896
500210015198109
500468815198688
500587015198978
500669015199198
500669515199199
500676215199221
500895015199917
501276515201191
501364015201468
501418015201617
501460015201754
501466315201779
501494615201854
501495115201856
501496915201859
501904415202913
502009615203236
502032515203300
502134715203532
502290315203838
502307415203897
502522715204434
502529615204449
502739415205142
503156215206396
503624215207916
504859615211609
504966015211868
505424015213143
505483515213332
505587515213583
505829315214254
506042515214595
506061815214657
506250815215181
506337515215431
506340715215443
506676715216389
507680415219587
508228215221461
508304815221724
508319715221775
508867015223455
509032415223954
509414215225129
509452815225254
509644515225895
510914715229858
510922515229870
510940415229926
510948715229970
510949615229975
617625615231196
618168015232849
618269515233133
618572615234077
618622415234231
620089415238410
620383315239369
620863815241138
624178215254529
624640515256599
624712615256946
626168515262375
628486415271398
641091915324324
641098715324349
643094115332665
645522515343252
648835215358729
649617815362548
649770315363285
649980415364459
651086615370842
652740315380148
653186415382508
660781315425240
660879915425846
669120615474353
672455715493571
672495915493834
679988415538855
680293115540508
681141415545434
682206215551698
682206615551699
688494315591781
694519615637520
713619315769284


Changes incorporated in this version: 7136193

Patches accumulated and obsoleted by this patch: 113990-05 114263-06

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/etc/krb5/krb5.conf
/kernel/misc/kgss/gl_kmech_krb5
/usr/include/gssapi/gssapi.h
/usr/include/gssapi/gssapi_ext.h
/usr/lib/abi/abi_libgss.so.1
/usr/lib/gss/gl/abi/abi_mech_krb5.so.1
/usr/lib/gss/gl/mech_krb5.so.1
/usr/lib/gss/gssd
/usr/lib/libgss.so.1
/usr/lib/security/pam_krb5.so.1
/usr/lib/security/pam_krb5_migrate.so
/usr/lib/security/pam_krb5_migrate.so.1
/usr/sbin/gsscred

Problem Description:

7136193 problem with Kerberos
 
(from 115168-25)
 
6811414 problem with NFS
 
(from 115168-24)
 
6945196 GSS-API library issue
 
(from 115168-23)
 
6497703 pam_krb5(5) should interpret the key expiration field to display expiration warning information
 
(from 115168-22)
 
6884943 122301-45 requires 115168-21, the latter does not apply to SUNWCmreq
 
(from 115168-21)
 
6822062 multiple vulnerabilities in SPNEGO, ASN.1 decoder (CVE-2009-0847, CVE-2009-0845, CVE-2009-0844)
6822066 ASN.1 decoder frees uninitialized pointer (CVE-2009-0846)
 
(from 115168-20)
 
6510866 libgss(3LIB) input checking needs to be improved
 
(from 115168-19)
 
6799884 pam_krb5 could allow authentication to an attacker's KDC
6802931 krb5 NFS issues
 
(from 115168-18)
 
6200894 pam_krb5 shouldn't use setreuid and friends -- that's not MT-safe
6455225 pam_krb5 should overwrite ccache with new credentials when handling pam_setcred(PAM_REFRESH_CRED)
6531864 ktkt_warnd not warning after login
6607813 pam_krb5 setcred coredumps on successful refresh if auth not previously called
6691206 pam_krb5's store_cred should always store new credentials if previous auth pass successful
6724557 potential for memory leak in krb5_setcred's krb5_renew_tgt routine
6724959 pam_modules/krb5/utils.h`set_active_user() declaration is adrift
 
(from 115168-17)
 
6608799 112908-30 can prevent Kerberos commands from authenticating when krb5.conf uses non-master kdc's
 
(from 115168-16)
 
4873005 Kerberos gsscred table entries may not be necessary
5014951 mech_krb5 needs a krb5_gss_store_cred() (PSARC 2003/779)
5027394 gssd dumps core
6186224 gsscred_name_to_unix_cred() should be more careful
6241782 gss_store_cred() overwrite not working; sshd does not overwrite expired creds with delegated creds
 
(from 115168-15)
 
5014663 pam_krb5: auth prompts for password when principal does not exist
5025227 pam_krb5: auth returns PAM_AUTH_ERR in some cases instead of PAM_SYSTEM_ERR
6430941 pam_krb5 pam_sm_setcred can cause /tmp/krb5cc_<PAM_USER> to be owned by euid rather than PAM_USER
6488352 non-Kerberos user attempting to change passwd with pam_krb5.so.1 in pam.conf blanks passwd
6496178 krb5 mech resends AS-REQ to same KDC (master) after user enters bad password
6499804 pam_krb5 account management should not return success if user not defined in Kerberos realm
6527403 pam_krb5 acct mgmt does not respect account authority in certain configurations
 
(from 115168-14)
 
5020096 ssh(1) lets libgss spew on stderr if mech_krb5 not properly configured
 
(from 115168-13)
 
6246405 Solaris 9 (not Sol 10) PAM stack prompts for password twice with pam_unix & pam_krb5
 
(from 115168-12)
 
4967945 krb5_free_authdata() not freeing correctly
4925472 free funcs in kfree.c should set pointers to NULL
 
(from 115168-11)
 
6176256 S9 ssh backporting project
4406914 support draft-ietf-secsh-dh-group-exchange-01.txt
4452339 key_fingerprint needs to support md5/sha/bubblebabble output
4614979 ssh connections break after rekey interval elapses on
4621219 sftp prints incorrect error message if connection refused
4635546 superfluous IP options check in ssh should be removed
4680230 usr/src/cmd/ssh/ssh Makefile needs to have lib dependencies
4707788 implement ClientAlive on the server side
4708846 vis in libopenbsd-compat has I18N problem
4709475 ssh and ssh-keygen: not extracted messages for localization
4710108 sshd: locale environments are not passed to shells
4710111 ssh-agent: strings 'echo' should not be extracted for localization
4711335 sshd V1 authentication behaves poorly for invalid users
4713097 sftp: word 'abormally' should be 'abnormally'
4713592 ssh & friends print incorrect error message if server breaks connection at login
4714596 request for filename option in sftp command line
4719654 ssh: localized messages should be extracted per sentence
4720595 ssh-keygen does not finish with dsa key
4733532 scp leaves connection open
4740969 cli_write() in libssh.a has a memory leak
4750989 expired passwords not working with KbdInteractiveAuthentication yes
4759759 ssh(1) doesn't terminate proxy commands on exit
4777436 ssh client should ignore signals which are already ignored
4784872 locales !=  RFC-1766 language tags
4799122 ssh doesn't use getopt(3c) (concatenated options don't work)
4811575 ssh-keygen list fails on long public key entries (base64 encoding > 1024b)
4816590 SSH in Solaris 9 doesn't forward X11 session from 3-party software
4828467 sftp client sends directory path that causes windows interop problems
4837140 SSHD sets bogus fixed path and ignores /etc/default/login
4841566 ksh limits ssh/Xauth using -X option with uid's 99 or less
4857179 SSH and Password expiry do not work
4862449 SUNWssh needs a resync
4924554 resynced SSH cores after connect from Solaris 9 client with mixed locale setting
4925970 sshd logging extra warning messages on console
4926391 fatal_remove_cleanup() should not fatal()
4926624 ssh exits with -1 if stdin is not a terminal
4928964 sshd breaks finger
4964839 SUNWsshdr needs to remove CheckMail from sshd_config
4966521 sshd core dumps/drops connection if server has many locales
4967674 sshd sets LC_ALL and LANG to strange values
4969306 sshd dumps core on root login
4971630 ssh attempts to do exit(-1) arbitrarily when not using ptys
4971810 fix for 4406914 is incomplete - /etc/ssh/moduli is missing
4975057 ssh got smarter about proxy commands, but not enough: always prepends "exec "
4976155 ssh crashes with SEGV when connecting to Sun_SSH_1.1 (in iso_8859_1)
4976745 sshd has a small malloc problem
4977574 sshd dumps core when some clients connect
4982991 Please enter user name: prompt doesn't go away quickly enough
4990122 sshd has a(nother) malloc problem
5002100 ssh displays wrong (useless) 'Last login' date and time
5005870 sshd setsockopt SO_KEEPALIVE Invalid argument error
5006690 sshd does not pass PAM environment variables to its children
5006695 SUNWssh should support GSS-API extensions to SSHv2 (PSARC 2003/778)
5006762 sshd(1M) does not support optimistic key exchange (SSHv2)
5012765 sshd(1M) should do something about privileges (PSARC 2004/677)
5013640 sshd core dumps while trying to log messages, take 2
5014180 SSH should keep /dev/random open
5014600 ssh-add cores if the agent socket could not be opened
5014969 default X11Forwarding to yes in sshd_config (PSARC 2004/011)
5019044 sshd(1M) lets libgss spew on stderr on startup about unconfigured mechs
5020325 sftp: 'get *' coredumps
5021347 ssh commands link with -ldl, shouldn't (-z ignore masked this)
5022903 ssh(1) should support send-break extension
5023074 SUNWsshdr: /etc/ssh is not a valid temp directory during install
5025296 sshd should use closefrom() instead of a 3-to-64 close() loop
5036242 sshd(1M) should workaround KEXGSS_HOSTKEY bug in MacOS ssh(1) with GSS
5048596 ssh(1) host-based authentication should try all client host keys, not just 1st
5049660 locale problems with ssh
5054240 ssh should be more descriptive when GSS key exchange fails
5054835 sshd GSS error logic needs a little work
5058293 ssh packages do not declare dependency on GSS-API
5060425 ssh backspace not working
5060618 ssh-keysign needs to utilize privileges
5062508 GSS option names should match OpenSSH's (PSARC/2004/461)
5063375 sshd(1M) PAM svc change after pam_start() ineffective
5066767 sshd dumps core in finish_userauth_do_pam()
5076804 sshd(1M) logs successful login messages to auth.notice (and thence the console)
5082282 sshd core dumps printing usage message
5083048 accepted yes/no strings itself should be displayed
5083197 another coredump in finish_userauth_do_pam()
5088670 RFE 5062528 breaks ssh-agent (missing privileges)
5090324 session ID confusion with ssh & su
5094142 sshd calls pam_chauthtok() as root, skips pw quality checks
5094528 ssh(1) core dumps in gssapi userauth
5109225 version string missing from sshd's usage message
5109404 missing whitespace in some ssh messages
5109487 language negotiation is not useful after initial key exchange
5109496 packet_set_connection() should be more careful
6181680 sshd doesn't log logouts in utmpx
6182695 sshd debug mode deadlock potential
6185726 MaxStartups now counts all concurrent sessions
5014946 add support to libgss for gss_store_cred() (PSARC 2003/779) (phase 1)
5014951 mech_krb5 needs a krb5_gss_store_cred() (PSARC 2003/779)
6247126 krb5_verify_init_creds returns ERR if def keytab missing even if verify_ap_req_nofail=false
 
(from 115168-10)
 
6203833 GSSAPI needs method to acquire initial creds with a password
6208638 krb5_gss_release_cred() can leak
 
(from 115168-09)
 
4957406 NFS on kerberized file systems thinks I'm nobody
4860226 fix for 4786126 is not complete
4786126 delegated credentials not provided to caller of gss_accept_sec_context
 
(from 115168-08)
 
4851952 krb5_os_localaddr() doesn't work correctly when multiple interfaces configured
6261685 security: buffer overflow, heap corruption in KDC
6284864 krb5_recvauth() may free memory twice under certain conditions
 
(from 115168-07)
 
5096445 Kerberos mech should renew expired svc tickets if presented with valid tgt
5109147 krb5 NFS fails because of stale xrealm tgt
4770661 no support for GSS_C_NO_CREDENTIAL in gss_accept_sec_context() krb5 mech
 
(from 115168-06)
 
5031562 rlogin -x fails after Kerberos patch install
 
(from 115168-05)
 
4807010 crash in the gssapi module
4837278 Kerberos utilities should include automigrate capability
5055875 buffer overflow in (undocumented) auth_to_local rules
4865664 gssapi/krb5 may hang with corrupted data
5063407 memory corruption between decode_krb5_ap_req() and krb5_gss_accept_sec_context()
 
(from 115168-04)
 
4995543 pam_krb5.so.1 from 112908-12 causes SEGV when using *su* or dtsession lock
5004688 Kerberos patch 112908-12 causes user passwords to be logged in clear text
 
(from 115168-03)
 
4794436 strict TGT verification in pam_krb5 should be configurable
4430138 pam_krb5 has wrong return codes for some service module function
4516537 pam_krb5 does not conform to PAM standards set forth in pam(3PAM)
4711993 mech_krb5:  memory caching MUST be enabled in Kerberos mech
4841013 krb5 memory cache code should use mktemp instead of mkstemp
4846024 krb5 err msg: login: /tmp/krb5cc_35224 owned by 35224 instead of 0
4881066 pam_krb5 setcred function causes BUS error due to incorrectly freed memory
 
(from 115168-02)
 
4836676 bounds checks not in place for princs in krbv5
 
(from 115168-01)
 
4830044 pam_krb5 needs to be repository aware
 
(from 113990-05)
 
4882946 GSS_C_NO_BUFFER: gss_init_sec_context gives an Error code
 
(from 113990-04)
 
4836676 bounds checks not in place for princs in krbv5
 
(from 113990-03)
 
4847827 Kerberos patch 112908-07 Error verifying TGT with host, Bad encryption type
 
(from 113990-02)
 
4630574 pam_krb5 should not re-implement utility functions and use libpam utilities
4743181 gss/Kerberos frees a buffer returned to caller
 
(from 113990-01)
 
4526202 pam_krb5 auth can fail with multiple ftp sessions of same user
4727224 user application hangs at rpc_gss_seccreate()
4744280 gss_display_status() always returning error
 
(from 114263-06)
 
6410987 bugfix 5008950 will always cause last local user in gsscred table to be selected
6410919 patch 112908-24 will cause kadmin -p kws/admin to exit with error message
 
(from 114263-05)
 
6176256 S9 ssh backporting project
4406914 support draft-ietf-secsh-dh-group-exchange-01.txt
4452339 key_fingerprint needs to support md5/sha/bubblebabble output
4614979 ssh connections break after the rekey interval elapses on
4621219 sftp prints incorrect error message if connection refused
4635546 superfluous IP options check in ssh should be removed
4680230 usr/src/cmd/ssh/ssh Makefile needs to have lib dependencies
4707788 implement ClientAlive on the server side
4708846 vis in libopenbsd-compat has I18N problem
4709475 ssh and ssh-keygen: not extracted messages for localization
4710108 sshd: locale environments not passed to shells
4710111 ssh-agent: strings 'echo' should not be extracted for localization
4711335 sshd V1 authentication behaves poorly for invalid users
4713097 sftp: word 'abormally' should be 'abnormally'
4713592 ssh & friends print incorrect error message if server breaks connection at login
4714596 request for filename option in sftp commandline
4719654 ssh: localized messages should be extracted per sentence
4720595 ssh-keygen does not finish with dsa key
4733532 scp leaves connection open
4740969 cli_write() in libssh.a has a memory leak
4750989 expired passwords not working with KbdInteractiveAuthentication yes
4759759 ssh(1) doesn't terminate proxy commands on exit
4777436 ssh client should ignore signals which are already ignored
4784872 locales != RFC-1766 language tags
4799122 ssh doesn't use getopt(3c) (concatenated options don't work)
4811575 ssh-keygen list fails on long public key entries (base64 encoding > 1024b)
4816590 SSH in Solaris 9 doesn't forward X11 session from 3-party software
4828467 sftp client sends directory path that causes windows interop problems
4837140 SSHD sets bogus fixed path and ignores /etc/default/login
4841566 ksh limits ssh/Xauth using -X option with uid's 99 or less
4857179 SSH and Password expiry do not work
4862449 SUNWssh needs a resync
4924554 resynced SSH cores after connect from Solaris 9 client with mixed locale setting
4925970 sshd logging extra warning messages on console
4926391 fatal_remove_cleanup() should not fatal()
4926624 ssh exits with -1 if stdin is not a terminal
4928964 sshd breaks finger
4964839 SUNWsshdr needs to remove CheckMail from sshd_config
4966521 sshd core dumps/drops connection if server has many locales
4967674 sshd sets LC_ALL and LANG to strange values
4969306 sshd dumps core on root login
4971630 ssh attempts to do exit(-1) arbitrarily when not using ptys
4971810 fix for 4406914 is incomplete - /etc/ssh/moduli is missing
4975057 ssh got smarter about proxycommands, but not enough: always prepends "exec "
4976155 ssh crashes with SEGV when connecting to Sun_SSH_1.1 (in iso_8859_1)
4976745 sshd has a small malloc problem
4977574 sshd dumps core when some clients connect
4982991 Please enter user name: prompt doesn't go away quickly enough
4990122 sshd has a(nother) malloc problem
5002100 ssh displays wrong (useless) 'Last login' date and time
5005870 sshd setsockopt SO_KEEPALIVE Invalid argument error
5006690 sshd does not pass PAM environment variables to its children
5006695 SUNWssh should support GSS-API extensions to SSHv2 (PSARC 2003/778)
5006762 sshd(1M) does not support optimistic key exchange (SSHv2)
5012765 sshd(1M) should do something about privileges (PSARC 2004/677)
5013640 sshd core dumps while trying to log messages, take 2
5014180 SSH should keep /dev/random open
5014600 ssh-add cores if the agent socket could not be opened
5014969 default X11Forwarding to yes in sshd_config (PSARC 2004/011)
5019044 sshd(1M) lets libgss spew on stderr on startup about unconfigured mechs
5020325 sftp: 'get *' coredumps
5021347 ssh commands link with -ldl, shouldn't (-z ignore masked this)
5022903 ssh(1) should support send-break extension
5023074 SUNWsshdr: /etc/ssh is not a valid temp directory during install
5025296 sshd should use closefrom() instead of a 3-to-64 close() loop
5036242 sshd(1M) should workaround KEXGSS_HOSTKEY bug in MacOS ssh(1) with GSS
5048596 ssh(1) hostbased authentication should try all client host keys, not just 1st
5049660 locale problems with ssh
5054240 ssh should be more descriptive when GSS key exchange fails
5054835 sshd GSS error logic needs a little work
5058293 ssh packages do not declare dependency on GSS-API
5060425 ssh backspace not working
5060618 ssh-keysign needs to utilize privileges
5062508 GSS option names should match OpenSSH's (PSARC/2004/461)
5063375 sshd(1M) PAM svc change after pam_start() ineffective
5066767 sshd dumps core in finish_userauth_do_pam()
5076804 sshd(1M) logs successful login messages to auth.notice (and thence the console)
5082282 sshd core dumps printing usage message
5083048 accepted yes/no strings itself should be displayed
5083197 another coredump in finish_userauth_do_pam()
5088670 RFE 5062528 breaks ssh-agent (missing privileges)
5090324 session ID confusion with ssh & su
5094142 sshd calls pam_chauthtok() as root, skips pw quality checks
5094528 ssh(1) core dumps in gssapi userauth
5109225 version string missing from sshd's usage message
5109404 missing whitespace in some ssh messages
5109487 language negotiation is not useful after initial key exchange
5109496 packet_set_connection() should be more careful
6181680 sshd doesn't log logouts in utmpx
6182695 sshd debug mode deadlock potential
6185726 MaxStartups now counts all concurrent sessions
5014946 add support to libgss for gss_store_cred() (PSARC 2003/779) (phase 1)
5014951 mech_krb5 needs a krb5_gss_store_cred() (PSARC 2003/779)
 
(from 114263-04)
 
6203833 GSSAPI needs method to acquire initial creds with a password
6208638 krb5_gss_release_cred() can leak
 
(from 114263-03)
 
4957406 NFS on kerberized file systems thinks I'm nobody
4860226 bugfix for 4786126 is not complete
4786126 delegated credentials not provided to caller of gss_accept_sec_context
5008950 fix for 4957406 is incomplete
 
(from 114263-02)
 
4799173 GSSAPI_MECH_CONF environment variable should be removed
 
(from 114263-01)
 
4829637 RFC2744 implementation in Kerberos Solaris 8 and 9/ Generic Security Service API


Patch Installation Instructions:
--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.


Special Install Instructions:
-----------------------------
 
NOTE 1:  Perform patch installation in single user mode.
         Reboot system immediately after patch installation.
 
NOTE 2:  To get the complete fix for BugId 4836676 (bounds checks not
         in place for princs in krbv5), please also install the
         following patches:
 
         116044-01 (or greater)  kdb5_util patch
         116045-01 (or greater)  krb5kdc patch
         116046-02 (or greater)  libkadm5srv.so.1 patch
 
NOTE 3:  To get the complete fix for BugId 4837278 (Kerberos utilities
         should include automigrate capability), please also install
         the following patches:
 
         116044-02 (or greater)  kdb5_util patch
         116046-04 (or greater)  libkadm5srv.so.1 patch
 
NOTE 4:  To get the complete fix for ALL the bugs for the rev -11
         of this patch, please also install the following patches:
 
         117178-02 (or greater)  lib/gss module patch
         114357-07 (or greater)  /usr/bin/ssh patch
         114858-09 (or greater)  /usr/lib/ssh/sshd patch
 
NOTE 5:  To get the complete fix for BugId 6496178 (krb5 mech resends AS-REQ
         to the same KDC (master) after user enters a bad password), please
         also install the following patch:
 
         116046-08 (or greater) libkadm5 patch


README -- Last modified date: Saturday, November 10, 2012