krb5: fix CVE-2021-36222

Source: https://git.openembedded.org/meta-openembedded MR: 112165 Type: Security Fix Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-oe/recipes-connectivity/krb5?id=69087d69d01a4530e2d588036fcbeaf8856b2ff1 ChangeID: e7cdfd1c4530312b4773103cf58d322451af1421 Description: CVE-2021-36222: ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation. References: https://nvd.nist.gov/vuln/detail/CVE-2021-36222 Patches from: https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 620badcbf8a59fbd2cdda6ab01c4ffba1c3ee327) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 523f6d834d2fddb0ecc73c6d7d8b1845f65f5279) [Fixup for Dunfell context] Signed-off-by: Armin Kuster <akuster@mvista.com>
author: Yi Zhao <yi.zhao@windriver.com> 2021-09-06 14:32:53 +0800
committer: Armin Kuster <akuster@mvista.com> 2021-09-10 13:23:06 -0700
commit: 06d80777f47891ec876b55212790deb5fef9116e (patch)
tree: 52c29f0f9737d5c9490c5fdebc32e27ad4881cf2
parent: 892b724cd147de92dd806235e22c15516931ea64 (diff)
download: meta-openembedded-06d80777f47891ec876b55212790deb5fef9116e.tar.gz
2 files changed, 122 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch
new file mode 100644
index 000000000..fe871cecb
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch
@@ -0,0 +1,121 @@
+From fc98f520caefff2e5ee9a0026fdf5109944b3562 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 7 Jul 2021 11:47:44 +1200
+Subject: [PATCH] Fix KDC null deref on bad encrypted challenge
+The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
+to avoid further processing if the armor key is NULL.  However, this
+check is bypassed by a call to k5memdup0() which overwrites retval
+with 0 if the allocation succeeds.  If the armor key is NULL, a call
+to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
+crash.  Add a check before the k5memdup0() call to avoid overwriting
+retval.
+CVE-2021-36222:
+In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
+cause a null dereference in the KDC by sending a request containing a
+PA-ENCRYPTED-CHALLENGE padata element without using FAST.
+[ghudson@mit.edu: trimmed patch; added test case; edited commit
+message]
+ticket: 9007 (new)
+tags: pullup
+target_version: 1.19-next
+target_version: 1.18-next
+CVE: CVE-2021-36222
+Upstream-Status: Backport
+[https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ kdc/kdc_preauth_ec.c      |  3 ++-
+ tests/Makefile.in         |  1 +
+ tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++
+ 3 files changed, 49 insertions(+), 1 deletion(-)
+ create mode 100644 src/tests/t_cve-2021-36222.py
+diff --git a/kdc/kdc_preauth_ec.c b/kdc/kdc_preauth_ec.c
+index 7e636b3f9..43a9902cc 100644
+--- a/kdc/kdc_preauth_ec.c
+++ b/kdc/kdc_preauth_ec.c
+@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
+     }
+ 
+     /* Check for a configured FAST ec auth indicator. */
+-    realmstr = k5memdup0(realm.data, realm.length, &retval);
+    if (retval == 0)
+        realmstr = k5memdup0(realm.data, realm.length, &retval);
+     if (realmstr != NULL)
+         retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
+                                     realmstr,
+diff --git a/tests/Makefile.in b/tests/Makefile.in
+index fc6fcc0c3..1a1938306 100644
+--- a/tests/Makefile.in
+++ b/tests/Makefile.in
+@@ -166,6 +166,7 @@ check-pytests: unlockiter s4u2self
+        $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
+        $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
+        $(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS)
+       $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS)
+        $(RM) au.log
+        $(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS)
+        $(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \
+diff --git a/tests/t_cve-2021-36222.py b/tests/t_cve-2021-36222.py
+new file mode 100644
+index 000000000..57e04993b
+--- /dev/null
+++ b/tests/t_cve-2021-36222.py
+@@ -0,0 +1,46 @@
+import socket
+from k5test import *
+
+realm = K5Realm()
+
+# CVE-2021-36222 KDC null dereference on encrypted challenge preauth
+# without FAST
+
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+a = (hostname, realm.portbase)
+
+m = ('6A81A0' '30819D'          # [APPLICATION 10] SEQUENCE
+     'A103' '0201' '05'         #  [1] pvno = 5
+     'A203' '0201' '0A'         #  [2] msg-type = 10
+     'A30E' '300C'              #  [3] padata = SEQUENCE OF
+     '300A'                     #   SEQUENCE
+     'A104' '0202' '008A'       #    [1] padata-type = PA-ENCRYPTED-CHALLENGE
+     'A202' '0400'              #    [2] padata-value = ""
+     'A48180' '307E'            #  [4] req-body = SEQUENCE
+     'A007' '0305' '0000000000' #   [0] kdc-options = 0
+     'A120' '301E'              #   [1] cname = SEQUENCE
+     'A003' '0201' '01'         #    [0] name-type = NT-PRINCIPAL
+     'A117' '3015'              #    [1] name-string = SEQUENCE-OF
+     '1B06' '6B7262746774'      #     krbtgt
+     '1B0B' '4B5242544553542E434F4D'
+                                #     KRBTEST.COM
+     'A20D' '1B0B' '4B5242544553542E434F4D'
+                                #   [2] realm = KRBTEST.COM
+     'A320' '301E'              #   [3] sname = SEQUENCE
+     'A003' '0201' '01'         #    [0] name-type = NT-PRINCIPAL
+     'A117' '3015'              #    [1] name-string = SEQUENCE-OF
+     '1B06' '6B7262746774'      #     krbtgt
+     '1B0B' '4B5242544553542E434F4D'
+                                #     KRBTEST.COM
+     'A511' '180F' '31393934303631303036303331375A'
+                                #   [5] till = 19940610060317Z
+     'A703' '0201' '00'         #   [7] nonce = 0
+     'A808' '3006'              #   [8] etype = SEQUENCE OF
+     '020112' '020111')         #    aes256-cts aes128-cts
+
+s.sendto(bytes.fromhex(m), a)
+
+# Make sure kinit still works.
+realm.kinit(realm.user_princ, password('user'))
+
+success('CVE-2021-36222 regression test')
+-- 
+2.25.1
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb
index 6164c8248..ae58e2df3 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
           file://etc/default/krb5-admin-server \
           file://krb5-kdc.service \
           file://krb5-admin-server.service \
+           file://CVE-2021-36222.patch \
 "
 SRC_URI[md5sum] = "417d654c72526ac51466e7fe84608878"
 SRC_URI[sha256sum] = "3706d7ec2eaa773e0e32d3a87bf742ebaecae7d064e190443a3acddfd8afb181"
author	Yi Zhao <yi.zhao@windriver.com>	2021-09-06 14:32:53 +0800
committer	Armin Kuster <akuster@mvista.com>	2021-09-10 13:23:06 -0700
commit	06d80777f47891ec876b55212790deb5fef9116e (patch)
tree	52c29f0f9737d5c9490c5fdebc32e27ad4881cf2
parent	892b724cd147de92dd806235e22c15516931ea64 (diff)
download	meta-openembedded-06d80777f47891ec876b55212790deb5fef9116e.tar.gz

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch new file mode 100644 index 000000000..fe871cecb --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch
@@ -0,0 +1,121 @@
		1	From fc98f520caefff2e5ee9a0026fdf5109944b3562 Mon Sep 17 00:00:00 2001
		2	From: Joseph Sutton <josephsutton@catalyst.net.nz>
		3	Date: Wed, 7 Jul 2021 11:47:44 +1200
		4	Subject: [PATCH] Fix KDC null deref on bad encrypted challenge
		5
		6	The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
		7	to avoid further processing if the armor key is NULL. However, this
		8	check is bypassed by a call to k5memdup0() which overwrites retval
		9	with 0 if the allocation succeeds. If the armor key is NULL, a call
		10	to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
		11	crash. Add a check before the k5memdup0() call to avoid overwriting
		12	retval.
		13
		14	CVE-2021-36222:
		15
		16	In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
		17	cause a null dereference in the KDC by sending a request containing a
		18	PA-ENCRYPTED-CHALLENGE padata element without using FAST.
		19
		20	[ghudson@mit.edu: trimmed patch; added test case; edited commit
		21	message]
		22
		23	ticket: 9007 (new)
		24	tags: pullup
		25	target_version: 1.19-next
		26	target_version: 1.18-next
		27
		28	CVE: CVE-2021-36222
		29
		30	Upstream-Status: Backport
		31	[https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562]
		32
		33	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		34	---
		35	kdc/kdc_preauth_ec.c \| 3 ++-
		36	tests/Makefile.in \| 1 +
		37	tests/t_cve-2021-36222.py \| 46 +++++++++++++++++++++++++++++++++++
		38	3 files changed, 49 insertions(+), 1 deletion(-)
		39	create mode 100644 src/tests/t_cve-2021-36222.py
		40
		41	diff --git a/kdc/kdc_preauth_ec.c b/kdc/kdc_preauth_ec.c
		42	index 7e636b3f9..43a9902cc 100644
		43	--- a/kdc/kdc_preauth_ec.c
		44	+++ b/kdc/kdc_preauth_ec.c
		45	@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data req_pkt, krb5_kdc_req request,
		46	}
		47
		48	/* Check for a configured FAST ec auth indicator. */
		49	- realmstr = k5memdup0(realm.data, realm.length, &retval);
		50	+ if (retval == 0)
		51	+ realmstr = k5memdup0(realm.data, realm.length, &retval);
		52	if (realmstr != NULL)
		53	retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
		54	realmstr,
		55	diff --git a/tests/Makefile.in b/tests/Makefile.in
		56	index fc6fcc0c3..1a1938306 100644
		57	--- a/tests/Makefile.in
		58	+++ b/tests/Makefile.in
		59	@@ -166,6 +166,7 @@ check-pytests: unlockiter s4u2self
		60	$(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
		61	$(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
		62	$(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS)
		63	+ $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS)
		64	$(RM) au.log
		65	$(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS)
		66	$(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \
		67	diff --git a/tests/t_cve-2021-36222.py b/tests/t_cve-2021-36222.py
		68	new file mode 100644
		69	index 000000000..57e04993b
		70	--- /dev/null
		71	+++ b/tests/t_cve-2021-36222.py
		72	@@ -0,0 +1,46 @@
		73	+import socket
		74	+from k5test import *
		75	+
		76	+realm = K5Realm()
		77	+
		78	+# CVE-2021-36222 KDC null dereference on encrypted challenge preauth
		79	+# without FAST
		80	+
		81	+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
		82	+a = (hostname, realm.portbase)
		83	+
		84	+m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE
		85	+ 'A103' '0201' '05' # [1] pvno = 5
		86	+ 'A203' '0201' '0A' # [2] msg-type = 10
		87	+ 'A30E' '300C' # [3] padata = SEQUENCE OF
		88	+ '300A' # SEQUENCE
		89	+ 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE
		90	+ 'A202' '0400' # [2] padata-value = ""
		91	+ 'A48180' '307E' # [4] req-body = SEQUENCE
		92	+ 'A007' '0305' '0000000000' # [0] kdc-options = 0
		93	+ 'A120' '301E' # [1] cname = SEQUENCE
		94	+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
		95	+ 'A117' '3015' # [1] name-string = SEQUENCE-OF
		96	+ '1B06' '6B7262746774' # krbtgt
		97	+ '1B0B' '4B5242544553542E434F4D'
		98	+ # KRBTEST.COM
		99	+ 'A20D' '1B0B' '4B5242544553542E434F4D'
		100	+ # [2] realm = KRBTEST.COM
		101	+ 'A320' '301E' # [3] sname = SEQUENCE
		102	+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
		103	+ 'A117' '3015' # [1] name-string = SEQUENCE-OF
		104	+ '1B06' '6B7262746774' # krbtgt
		105	+ '1B0B' '4B5242544553542E434F4D'
		106	+ # KRBTEST.COM
		107	+ 'A511' '180F' '31393934303631303036303331375A'
		108	+ # [5] till = 19940610060317Z
		109	+ 'A703' '0201' '00' # [7] nonce = 0
		110	+ 'A808' '3006' # [8] etype = SEQUENCE OF
		111	+ '020112' '020111') # aes256-cts aes128-cts
		112	+
		113	+s.sendto(bytes.fromhex(m), a)
		114	+
		115	+# Make sure kinit still works.
		116	+realm.kinit(realm.user_princ, password('user'))
		117	+
		118	+success('CVE-2021-36222 regression test')
		119	--
		120	2.25.1
		121


diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb index 6164c8248..ae58e2df3 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
30	file://etc/default/krb5-admin-server \	30	file://etc/default/krb5-admin-server \
31	file://krb5-kdc.service \	31	file://krb5-kdc.service \
32	file://krb5-admin-server.service \	32	file://krb5-admin-server.service \
		33	file://CVE-2021-36222.patch \
33	"	34	"
34	SRC_URI[md5sum] = "417d654c72526ac51466e7fe84608878"	35	SRC_URI[md5sum] = "417d654c72526ac51466e7fe84608878"
35	SRC_URI[sha256sum] = "3706d7ec2eaa773e0e32d3a87bf742ebaecae7d064e190443a3acddfd8afb181"	36	SRC_URI[sha256sum] = "3706d7ec2eaa773e0e32d3a87bf742ebaecae7d064e190443a3acddfd8afb181"