diff options
author | Yi Zhao <yi.zhao@windriver.com> | 2021-09-06 14:32:53 +0800 |
---|---|---|
committer | Armin Kuster <akuster@mvista.com> | 2021-09-10 13:23:06 -0700 |
commit | 06d80777f47891ec876b55212790deb5fef9116e (patch) | |
tree | 52c29f0f9737d5c9490c5fdebc32e27ad4881cf2 | |
parent | 892b724cd147de92dd806235e22c15516931ea64 (diff) | |
download | meta-openembedded-06d80777f47891ec876b55212790deb5fef9116e.tar.gz |
krb5: fix CVE-2021-36222
Source: https://git.openembedded.org/meta-openembedded
MR: 112165
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-oe/recipes-connectivity/krb5?id=69087d69d01a4530e2d588036fcbeaf8856b2ff1
ChangeID: e7cdfd1c4530312b4773103cf58d322451af1421
Description:
CVE-2021-36222:
ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC)
in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2
allows remote attackers to cause a NULL pointer dereference and daemon
crash. This occurs because a return value is not properly managed in a
certain situation.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-36222
Patches from:
https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 620badcbf8a59fbd2cdda6ab01c4ffba1c3ee327)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 523f6d834d2fddb0ecc73c6d7d8b1845f65f5279)
[Fixup for Dunfell context]
Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r-- | meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch | 121 | ||||
-rw-r--r-- | meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb | 1 |
2 files changed, 122 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch new file mode 100644 index 000000000..fe871cecb --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch | |||
@@ -0,0 +1,121 @@ | |||
1 | From fc98f520caefff2e5ee9a0026fdf5109944b3562 Mon Sep 17 00:00:00 2001 | ||
2 | From: Joseph Sutton <josephsutton@catalyst.net.nz> | ||
3 | Date: Wed, 7 Jul 2021 11:47:44 +1200 | ||
4 | Subject: [PATCH] Fix KDC null deref on bad encrypted challenge | ||
5 | |||
6 | The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check | ||
7 | to avoid further processing if the armor key is NULL. However, this | ||
8 | check is bypassed by a call to k5memdup0() which overwrites retval | ||
9 | with 0 if the allocation succeeds. If the armor key is NULL, a call | ||
10 | to krb5_c_fx_cf2_simple() will then dereference it, resulting in a | ||
11 | crash. Add a check before the k5memdup0() call to avoid overwriting | ||
12 | retval. | ||
13 | |||
14 | CVE-2021-36222: | ||
15 | |||
16 | In MIT krb5 releases 1.16 and later, an unauthenticated attacker can | ||
17 | cause a null dereference in the KDC by sending a request containing a | ||
18 | PA-ENCRYPTED-CHALLENGE padata element without using FAST. | ||
19 | |||
20 | [ghudson@mit.edu: trimmed patch; added test case; edited commit | ||
21 | message] | ||
22 | |||
23 | ticket: 9007 (new) | ||
24 | tags: pullup | ||
25 | target_version: 1.19-next | ||
26 | target_version: 1.18-next | ||
27 | |||
28 | CVE: CVE-2021-36222 | ||
29 | |||
30 | Upstream-Status: Backport | ||
31 | [https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562] | ||
32 | |||
33 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
34 | --- | ||
35 | kdc/kdc_preauth_ec.c | 3 ++- | ||
36 | tests/Makefile.in | 1 + | ||
37 | tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++ | ||
38 | 3 files changed, 49 insertions(+), 1 deletion(-) | ||
39 | create mode 100644 src/tests/t_cve-2021-36222.py | ||
40 | |||
41 | diff --git a/kdc/kdc_preauth_ec.c b/kdc/kdc_preauth_ec.c | ||
42 | index 7e636b3f9..43a9902cc 100644 | ||
43 | --- a/kdc/kdc_preauth_ec.c | ||
44 | +++ b/kdc/kdc_preauth_ec.c | ||
45 | @@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, | ||
46 | } | ||
47 | |||
48 | /* Check for a configured FAST ec auth indicator. */ | ||
49 | - realmstr = k5memdup0(realm.data, realm.length, &retval); | ||
50 | + if (retval == 0) | ||
51 | + realmstr = k5memdup0(realm.data, realm.length, &retval); | ||
52 | if (realmstr != NULL) | ||
53 | retval = profile_get_string(context->profile, KRB5_CONF_REALMS, | ||
54 | realmstr, | ||
55 | diff --git a/tests/Makefile.in b/tests/Makefile.in | ||
56 | index fc6fcc0c3..1a1938306 100644 | ||
57 | --- a/tests/Makefile.in | ||
58 | +++ b/tests/Makefile.in | ||
59 | @@ -166,6 +166,7 @@ check-pytests: unlockiter s4u2self | ||
60 | $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS) | ||
61 | $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS) | ||
62 | $(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS) | ||
63 | + $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS) | ||
64 | $(RM) au.log | ||
65 | $(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS) | ||
66 | $(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \ | ||
67 | diff --git a/tests/t_cve-2021-36222.py b/tests/t_cve-2021-36222.py | ||
68 | new file mode 100644 | ||
69 | index 000000000..57e04993b | ||
70 | --- /dev/null | ||
71 | +++ b/tests/t_cve-2021-36222.py | ||
72 | @@ -0,0 +1,46 @@ | ||
73 | +import socket | ||
74 | +from k5test import * | ||
75 | + | ||
76 | +realm = K5Realm() | ||
77 | + | ||
78 | +# CVE-2021-36222 KDC null dereference on encrypted challenge preauth | ||
79 | +# without FAST | ||
80 | + | ||
81 | +s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) | ||
82 | +a = (hostname, realm.portbase) | ||
83 | + | ||
84 | +m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE | ||
85 | + 'A103' '0201' '05' # [1] pvno = 5 | ||
86 | + 'A203' '0201' '0A' # [2] msg-type = 10 | ||
87 | + 'A30E' '300C' # [3] padata = SEQUENCE OF | ||
88 | + '300A' # SEQUENCE | ||
89 | + 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE | ||
90 | + 'A202' '0400' # [2] padata-value = "" | ||
91 | + 'A48180' '307E' # [4] req-body = SEQUENCE | ||
92 | + 'A007' '0305' '0000000000' # [0] kdc-options = 0 | ||
93 | + 'A120' '301E' # [1] cname = SEQUENCE | ||
94 | + 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL | ||
95 | + 'A117' '3015' # [1] name-string = SEQUENCE-OF | ||
96 | + '1B06' '6B7262746774' # krbtgt | ||
97 | + '1B0B' '4B5242544553542E434F4D' | ||
98 | + # KRBTEST.COM | ||
99 | + 'A20D' '1B0B' '4B5242544553542E434F4D' | ||
100 | + # [2] realm = KRBTEST.COM | ||
101 | + 'A320' '301E' # [3] sname = SEQUENCE | ||
102 | + 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL | ||
103 | + 'A117' '3015' # [1] name-string = SEQUENCE-OF | ||
104 | + '1B06' '6B7262746774' # krbtgt | ||
105 | + '1B0B' '4B5242544553542E434F4D' | ||
106 | + # KRBTEST.COM | ||
107 | + 'A511' '180F' '31393934303631303036303331375A' | ||
108 | + # [5] till = 19940610060317Z | ||
109 | + 'A703' '0201' '00' # [7] nonce = 0 | ||
110 | + 'A808' '3006' # [8] etype = SEQUENCE OF | ||
111 | + '020112' '020111') # aes256-cts aes128-cts | ||
112 | + | ||
113 | +s.sendto(bytes.fromhex(m), a) | ||
114 | + | ||
115 | +# Make sure kinit still works. | ||
116 | +realm.kinit(realm.user_princ, password('user')) | ||
117 | + | ||
118 | +success('CVE-2021-36222 regression test') | ||
119 | -- | ||
120 | 2.25.1 | ||
121 | |||
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb index 6164c8248..ae58e2df3 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb | |||
@@ -30,6 +30,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \ | |||
30 | file://etc/default/krb5-admin-server \ | 30 | file://etc/default/krb5-admin-server \ |
31 | file://krb5-kdc.service \ | 31 | file://krb5-kdc.service \ |
32 | file://krb5-admin-server.service \ | 32 | file://krb5-admin-server.service \ |
33 | file://CVE-2021-36222.patch \ | ||
33 | " | 34 | " |
34 | SRC_URI[md5sum] = "417d654c72526ac51466e7fe84608878" | 35 | SRC_URI[md5sum] = "417d654c72526ac51466e7fe84608878" |
35 | SRC_URI[sha256sum] = "3706d7ec2eaa773e0e32d3a87bf742ebaecae7d064e190443a3acddfd8afb181" | 36 | SRC_URI[sha256sum] = "3706d7ec2eaa773e0e32d3a87bf742ebaecae7d064e190443a3acddfd8afb181" |