List: krb5-bugs
Subject: [krbdev.mit.edu #8352] git commit
From: "Greg Hudson via RT" <rt-comment () krbdev ! mit ! edu>
Date: 2017-09-08 16:14:09
Message-ID: rt-8352-47607.1.60345078056956 () krbdev ! mit ! edu
Limit ticket lifetime to 2^31-1 seconds

Although timestamps above 2^31-1 are now valid, intervals exceeding
2^31-1 seconds may be treated incorrectly by comparison operations.
The initially computed interval in kdc_get_ticket_endtime() could be
negative if the requested end time is far in the future, causing the
function to yield an incorrect result. (With the new larger value of
kdc_infinity, this could specifically happen if a KDC-REQ contains a
zero till field.) Cap the interval at the maximum valid value.
Reported by Weijun Wang.

Avoid delta comparisons in favor of timestamp comparisons in
krb5int_validate_times(), ksu's krb5_check_exp(), and clockskew
checks.

Also use a y2038-safe timestamp comparison in set_request_times() when
comparing the requested renewable end time to the requested ticket end
time.
https://github.com/krb5/krb5/commit/54e58755368b58ba5894a14c1d02626da42d8003
Author: Greg Hudson <ghudson@mit.edu>
Commit: 54e58755368b58ba5894a14c1d02626da42d8003
Branch: master
src/clients/ksu/ccache.c | 2 +-
src/include/k5-int.h | 7 +++++++
src/kdc/kdc_util.c | 7 ++++++-
src/kdc/replay.c | 2 +-
src/kdc/t_replay.c | 2 +-
src/lib/krb5/krb/gc_via_tkt.c | 4 ++--
src/lib/krb5/krb/get_in_tkt.c | 6 +++---
src/lib/krb5/krb/int-proto.h | 3 ---
src/lib/krb5/krb/valid_times.c | 4 ++--
src/lib/krb5/os/timeofday.c | 2 +-
10 files changed, 24 insertions(+), 15 deletions(-)
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
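
The failure mode described in the commit message above, as an added C sketch that is not krb5's code: a signed 32-bit interval goes negative when the end time is more than 2^31-1 seconds ahead, and a delta-based expiry check then gives the wrong answer where a timestamp comparison does not. All type names, function names and sample timestamps here are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types for this sketch, not krb5's definitions. A timestamp is
 * 32 bits read as unsigned seconds, so values above 2^31-1 are valid; an
 * interval is a signed 32-bit count of seconds. */
typedef int32_t ts_t;
typedef int32_t delta_t;

/* uint32 -> int32 conversion wraps on mainstream compilers
 * (implementation-defined in ISO C). */
static ts_t ts_from_u32(uint32_t v) { return (ts_t)v; }
static bool after(ts_t a, ts_t b) { return (uint32_t)a > (uint32_t)b; }
static delta_t wrapping_delta(ts_t a, ts_t b)
{
    return (delta_t)((uint32_t)a - (uint32_t)b);
}

/* Unsafe: negative when the true interval exceeds 2^31-1 seconds. */
static delta_t lifetime_uncapped(ts_t start, ts_t end)
{
    return wrapping_delta(end, start);
}

/* Capped: an end time that really is later but yields a negative delta has
 * overflowed the interval type, so use the maximum valid interval. */
static delta_t lifetime_capped(ts_t start, ts_t end)
{
    delta_t life = wrapping_delta(end, start);
    if (after(end, start) && life < 0)
        life = INT32_MAX;
    return life;
}

/* Delta comparison: wrongly reports expiry for far-future end times. */
static bool expired_by_delta(ts_t now, ts_t end) { return wrapping_delta(end, now) < 0; }
/* Timestamp comparison: correct for any pair of valid timestamps. */
static bool expired_by_timestamp(ts_t now, ts_t end) { return after(now, end); }

int main(void)
{
    ts_t start = ts_from_u32(1500000000u);   /* constructed sample values */
    ts_t far_end = ts_from_u32(4000000000u); /* 2.5e9 s later, above 2^31-1 */
    printf("uncapped=%d capped=%d\n", (int)lifetime_uncapped(start, far_end),
           (int)lifetime_capped(start, far_end));
    printf("expired: delta=%d timestamp=%d\n", expired_by_delta(start, far_end),
           expired_by_timestamp(start, far_end));
    return 0;
}
```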