krb5: fix CVE-2017-11368

Backport patch to fix CVE-2017-11368 for krb5. Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> (cherry picked from commit d9f7ef40d74659a0348248841efadaf120d52c30) Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Kai Kang <kai.kang@windriver.com> 2017-08-28 21:59:12 +0800
committer: Armin Kuster <akuster808@gmail.com> 2017-09-13 17:16:28 -0700
commit: 425b672bff822c5c54f0f1bb669b6f5ba9594f1d (patch)
tree: 1e31dad42d0beb504ca1dc11bfeed4094ade1aab
parent: 3232999d645d166cad1e6f678afd45e974fb506b (diff)
download: meta-openembedded-425b672bff822c5c54f0f1bb669b6f5ba9594f1d.tar.gz
2 files changed, 117 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
new file mode 100644
index 000000000..a2eb7bc02
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
@@ -0,0 +1,116 @@
+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970]
+Backport patch to fix CVE-2017-11368.
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From ffb35baac6981f9e8914f8f3bffd37f284b85970 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Thu, 13 Jul 2017 12:14:20 -0400
+Subject: [PATCH] Prevent KDC unset status assertion failures
+Assign status values if S4U2Self padata fails to decode, if an
+S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
+uses an evidence ticket which does not match the canonicalized request
+server principal name.  Reported by Samuel Cabrero.
+If a status value is not assigned during KDC processing, default to
+"UNKNOWN_REASON" rather than failing an assertion.  This change will
+prevent future denial of service bugs due to similar mistakes, and
+will allow us to omit assigning status values for unlikely errors such
+as small memory allocation failures.
+CVE-2017-11368:
+In MIT krb5 1.7 and later, an authenticated attacker can cause an
+assertion failure in krb5kdc by sending an invalid S4U2Self or
+S4U2Proxy request.
+  CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
+ticket: 8599 (new)
+target_version: 1.15-next
+target_version: 1.14-next
+tags: pullup
+---
+ src/kdc/do_as_req.c  |  4 ++--
+ src/kdc/do_tgs_req.c |  3 ++-
+ src/kdc/kdc_util.c   | 10 ++++++++--
+ 3 files changed, 12 insertions(+), 5 deletions(-)
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 2d3ad13..9b256c8 100644
+--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
+@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
+     did_log = 1;
+ 
+ egress:
+-    if (errcode != 0)
+-        assert (state->status != 0);
+    if (errcode != 0 && state->status == NULL)
+        state->status = "UNKNOWN_REASON";
+ 
+     au_state->status = state->status;
+     au_state->reply = &state->reply;
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index cdc79ad..d8d6719 100644
+--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
+@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
+     free(reply.enc_part.ciphertext.data);
+ 
+ cleanup:
+-    assert(status != NULL);
+    if (status == NULL)
+        status = "UNKNOWN_REASON";
+     if (reply_key)
+         krb5_free_keyblock(kdc_context, reply_key);
+     if (errcode)
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 778a629..b710aef 100644
+--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
+@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
+     req_data.data = (char *)pa_data->contents;
+ 
+     code = decode_krb5_pa_for_user(&req_data, &for_user);
+-    if (code)
+    if (code) {
+        *status = "DECODE_PA_FOR_USER";
+         return code;
+    }
+ 
+     code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
+     if (code) {
+@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
+     req_data.data = (char *)pa_data->contents;
+ 
+     code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
+-    if (code)
+    if (code) {
+        *status = "DECODE_PA_S4U_X509_USER";
+         return code;
+    }
+ 
+     code = verify_s4u_x509_user_checksum(context,
+                                          tgs_subkey ? tgs_subkey :
+@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
+      * that is validated previously in validate_tgs_request().
+      */
+     if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
+        *status = "INVALID_S4U2PROXY_OPTIONS";
+         return KRB5KDC_ERR_BADOPTION;
+     }
+ 
+@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
+     if (!krb5_principal_compare(kdc_context,
+                                 server->princ, /* after canon */
+                                 server_princ)) {
+        *status = "EVIDENCE_TICKET_MISMATCH";
+         return KRB5KDC_ERR_SERVER_NOMATCH;
+     }
+ 
+-- 
+2.10.1
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
index 1de884d03..b515eb5dc 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
           file://etc/default/krb5-admin-server \
           file://krb5-kdc.service \
           file://krb5-admin-server.service \
+           file://fix-CVE-2017-11368.patch;striplevel=2 \
 "
 SRC_URI[md5sum] = "8022f3a1cde8463e44fd35ef42731f85"
 SRC_URI[sha256sum] = "437c8831ddd5fde2a993fef425dedb48468109bb3d3261ef838295045a89eb45"
author	Kai Kang <kai.kang@windriver.com>	2017-08-28 21:59:12 +0800
committer	Armin Kuster <akuster808@gmail.com>	2017-09-13 17:16:28 -0700
commit	425b672bff822c5c54f0f1bb669b6f5ba9594f1d (patch)
tree	1e31dad42d0beb504ca1dc11bfeed4094ade1aab
parent	3232999d645d166cad1e6f678afd45e974fb506b (diff)
download	meta-openembedded-425b672bff822c5c54f0f1bb669b6f5ba9594f1d.tar.gz

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch new file mode 100644 index 000000000..a2eb7bc02 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
@@ -0,0 +1,116 @@
		1	Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970]
		2
		3	Backport patch to fix CVE-2017-11368.
		4
		5	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		6	---
		7	From ffb35baac6981f9e8914f8f3bffd37f284b85970 Mon Sep 17 00:00:00 2001
		8	From: Greg Hudson <ghudson@mit.edu>
		9	Date: Thu, 13 Jul 2017 12:14:20 -0400
		10	Subject: [PATCH] Prevent KDC unset status assertion failures
		11
		12	Assign status values if S4U2Self padata fails to decode, if an
		13	S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
		14	uses an evidence ticket which does not match the canonicalized request
		15	server principal name. Reported by Samuel Cabrero.
		16
		17	If a status value is not assigned during KDC processing, default to
		18	"UNKNOWN_REASON" rather than failing an assertion. This change will
		19	prevent future denial of service bugs due to similar mistakes, and
		20	will allow us to omit assigning status values for unlikely errors such
		21	as small memory allocation failures.
		22
		23	CVE-2017-11368:
		24
		25	In MIT krb5 1.7 and later, an authenticated attacker can cause an
		26	assertion failure in krb5kdc by sending an invalid S4U2Self or
		27	S4U2Proxy request.
		28
		29	CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
		30
		31	ticket: 8599 (new)
		32	target_version: 1.15-next
		33	target_version: 1.14-next
		34	tags: pullup
		35	---
		36	src/kdc/do_as_req.c \| 4 ++--
		37	src/kdc/do_tgs_req.c \| 3 ++-
		38	src/kdc/kdc_util.c \| 10 ++++++++--
		39	3 files changed, 12 insertions(+), 5 deletions(-)
		40
		41	diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
		42	index 2d3ad13..9b256c8 100644
		43	--- a/src/kdc/do_as_req.c
		44	+++ b/src/kdc/do_as_req.c
		45	@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
		46	did_log = 1;
		47
		48	egress:
		49	- if (errcode != 0)
		50	- assert (state->status != 0);
		51	+ if (errcode != 0 && state->status == NULL)
		52	+ state->status = "UNKNOWN_REASON";
		53
		54	au_state->status = state->status;
		55	au_state->reply = &state->reply;
		56	diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
		57	index cdc79ad..d8d6719 100644
		58	--- a/src/kdc/do_tgs_req.c
		59	+++ b/src/kdc/do_tgs_req.c
		60	@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle handle, krb5_data pkt,
		61	free(reply.enc_part.ciphertext.data);
		62
		63	cleanup:
		64	- assert(status != NULL);
		65	+ if (status == NULL)
		66	+ status = "UNKNOWN_REASON";
		67	if (reply_key)
		68	krb5_free_keyblock(kdc_context, reply_key);
		69	if (errcode)
		70	diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
		71	index 778a629..b710aef 100644
		72	--- a/src/kdc/kdc_util.c
		73	+++ b/src/kdc/kdc_util.c
		74	@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
		75	req_data.data = (char *)pa_data->contents;
		76
		77	code = decode_krb5_pa_for_user(&req_data, &for_user);
		78	- if (code)
		79	+ if (code) {
		80	+ *status = "DECODE_PA_FOR_USER";
		81	return code;
		82	+ }
		83
		84	code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
		85	if (code) {
		86	@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
		87	req_data.data = (char *)pa_data->contents;
		88
		89	code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
		90	- if (code)
		91	+ if (code) {
		92	+ *status = "DECODE_PA_S4U_X509_USER";
		93	return code;
		94	+ }
		95
		96	code = verify_s4u_x509_user_checksum(context,
		97	tgs_subkey ? tgs_subkey :
		98	@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
		99	* that is validated previously in validate_tgs_request().
		100	*/
		101	if (request->kdc_options & (NON_TGT_OPTION \| KDC_OPT_ENC_TKT_IN_SKEY)) {
		102	+ *status = "INVALID_S4U2PROXY_OPTIONS";
		103	return KRB5KDC_ERR_BADOPTION;
		104	}
		105
		106	@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
		107	if (!krb5_principal_compare(kdc_context,
		108	server->princ, /* after canon */
		109	server_princ)) {
		110	+ *status = "EVIDENCE_TICKET_MISMATCH";
		111	return KRB5KDC_ERR_SERVER_NOMATCH;
		112	}
		113
		114	--
		115	2.10.1
		116


diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb index 1de884d03..b515eb5dc 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
30	file://etc/default/krb5-admin-server \	30	file://etc/default/krb5-admin-server \
31	file://krb5-kdc.service \	31	file://krb5-kdc.service \
32	file://krb5-admin-server.service \	32	file://krb5-admin-server.service \
		33	file://fix-CVE-2017-11368.patch;striplevel=2 \
33	"	34	"
34	SRC_URI[md5sum] = "8022f3a1cde8463e44fd35ef42731f85"	35	SRC_URI[md5sum] = "8022f3a1cde8463e44fd35ef42731f85"
35	SRC_URI[sha256sum] = "437c8831ddd5fde2a993fef425dedb48468109bb3d3261ef838295045a89eb45"	36	SRC_URI[sha256sum] = "437c8831ddd5fde2a993fef425dedb48468109bb3d3261ef838295045a89eb45"