krb5: upgrade to 1.13.2

Upgrade to include the CVE fixes: [CVE-2014-5354] [CVE-2014-5353]... Remove the 0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch Regenerate the /var/run/krb5kdc dir Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: Roy Li <rongqing.li@windriver.com> 2015-05-13 14:14:48 +0800
committer: Martin Jansa <Martin.Jansa@gmail.com> 2015-05-17 09:46:29 +0200
commit: adf34d4b1354014caff40a3fc3a957bd29c881b4 (patch)
tree: bb7b4bc0e55e192dced94c35d00e1cdc0cb64134 /meta-oe/recipes-connectivity
parent: 45b0b62b761d3be7ca1226b16d03557169b86041 (diff)
download: meta-openembedded-adf34d4b1354014caff40a3fc3a957bd29c881b4.tar.gz
2 files changed, 24 insertions, 96 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch b/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch
deleted file mode 100644
index 08526610a..000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Thu, 21 Aug 2014 13:52:07 -0400
-Subject: [PATCH] Return only new keys in randkey [CVE-2014-5351]
-In kadmind's randkey operation, if a client specifies the keepold
-flag, do not include the preserved old keys in the response.
-CVE-2014-5351:
-An authenticated remote attacker can retrieve the current keys for a
-service principal when generating a new set of keys for that
-principal.  The attacker needs to be authenticated as a user who has
-the elevated privilege for randomizing the keys of other principals.
-Normally, when a Kerberos administrator randomizes the keys of a
-service principal, kadmind returns only the new keys.  This prevents
-an administrator who lacks legitimate privileged access to a service
-from forging tickets to authenticate to that service.  If the
-"keepold" flag to the kadmin randkey RPC operation is true, kadmind
-retains the old keys in the KDC database as intended, but also
-unexpectedly returns the old keys to the client, which exposes the
-service to ticket forgery attacks from the administrator.
-A mitigating factor is that legitimate clients of the affected service
-will start failing to authenticate to the service once they begin to
-receive service tickets encrypted in the new keys.  The affected
-service will be unable to decrypt the newly issued tickets, possibly
-alerting the legitimate administrator of the affected service.
-CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
-[tlyu@mit.edu: CVE description and CVSS score]
-ticket: 8018 (new)
-target_version: 1.13
-tags: pullup
-Upstream-Status: Backport
---
- src/lib/kadm5/srv/svr_principal.c |   21 ++++++++++++++++++---
- 1 files changed, 18 insertions(+), 3 deletions(-)
-diff --git a/lib/kadm5/srv/svr_principal.c b/lib/kadm5/srv/svr_principal.c
-index 5d358bd..d4e74cc 100644
--- a/lib/kadm5/srv/svr_principal.c
-+++ b/lib/kadm5/srv/svr_principal.c
-@@ -344,6 +344,20 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
-     *passptr = NULL;
- }
- 
-+/* Return the number of keys with the newest kvno.  Assumes that all key data
-+ * with the newest kvno are at the front of the key data array. */
-+static int
-+count_new_keys(int n_key_data, krb5_key_data *key_data)
-+{
-+    int n;
-+
-+    for (n = 1; n < n_key_data; n++) {
-+        if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno)
-+            return n;
-+    }
-+    return n_key_data;
-+}
-+
- kadm5_ret_t
- kadm5_create_principal(void *server_handle,
-                        kadm5_principal_ent_t entry, long mask,
-@@ -1593,7 +1607,7 @@ kadm5_randkey_principal_3(void *server_handle,
-     osa_princ_ent_rec           adb;
-     krb5_int32                  now;
-     kadm5_policy_ent_rec        pol;
-    int                         ret, last_pwd;
-+    int                         ret, last_pwd, n_new_keys;
-     krb5_boolean                have_pol = FALSE;
-     kadm5_server_handle_t       handle = server_handle;
-     krb5_keyblock               *act_mkey;
-@@ -1686,8 +1700,9 @@ kadm5_randkey_principal_3(void *server_handle,
-     kdb->fail_auth_count = 0;
- 
-     if (keyblocks) {
-        ret = decrypt_key_data(handle->context,
-                               kdb->n_key_data, kdb->key_data,
-+        /* Return only the new keys added by krb5_dbe_crk. */
-+        n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data);
-+        ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data,
-                                keyblocks, n_keys);
-         if (ret)
-             goto done;
-- 
-1.7.4.1
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
index c492496b6..ec88296df 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
@@ -14,7 +14,7 @@ DESCRIPTION = "Kerberos is a system for authenticating users and services on a n
 HOMEPAGE = "http://web.mit.edu/Kerberos/"
 SECTION = "console/network"
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=450c80c6258ce03387bd09df37638ebc"
+LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=f64248328d2d9928e1f04158b5243e7f"
 DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native"
 inherit autotools-brokensep binconfig perlnative
@@ -22,7 +22,6 @@ inherit autotools-brokensep binconfig perlnative
 SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"
 SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar \
           file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \
-           file://0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch \
           file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \
           file://crosscompile_nm.patch \
           file://etc/init.d/krb5-kdc \
@@ -30,8 +29,8 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
           file://etc/default/krb5-kdc \
           file://etc/default/krb5-admin-server \
 "
-SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe"
+SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189"
-SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744"
+SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1"
 S = "${WORKDIR}/${BP}/src/"
@@ -77,4 +76,25 @@ do_install_append() {
    mkdir -p ${D}/etc/init.d ${D}/etc/default
    install -m 0755 ${WORKDIR}/etc/init.d/* ${D}/etc/init.d
    install -m 0644 ${WORKDIR}/etc/default/* ${D}/etc/default
+    rm -rf ${D}/var/run
+    mkdir -p ${D}/etc/default/volatiles
+    echo "d root root 0755 ${localstatedir}/run/krb5kdc none" \
+           > ${D}${sysconfdir}/default/volatiles/87_krb5
+    if ${@base_contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+        install -d ${D}${sysconfdir}/tmpfiles.d
+        echo "d /run/krb5kdc - - - -" \
+              > ${D}${sysconfdir}/tmpfiles.d/krb5.conf
+    fi
+}
+pkg_postinst_${PN} () {
+    if [ -z "$D" ]; then
+        if command -v systemd-tmpfiles >/dev/null; then
+            systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/krb5.conf
+        elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
+            ${sysconfdir}/init.d/populate-volatile.sh update
+        fi
+    fi
 }
author	Roy Li <rongqing.li@windriver.com>	2015-05-13 14:14:48 +0800
committer	Martin Jansa <Martin.Jansa@gmail.com>	2015-05-17 09:46:29 +0200
commit	adf34d4b1354014caff40a3fc3a957bd29c881b4 (patch)
tree	bb7b4bc0e55e192dced94c35d00e1cdc0cb64134 /meta-oe/recipes-connectivity
parent	45b0b62b761d3be7ca1226b16d03557169b86041 (diff)
download	meta-openembedded-adf34d4b1354014caff40a3fc3a957bd29c881b4.tar.gz

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch b/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch deleted file mode 100644 index 08526610a..000000000 --- a/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch +++ /dev/null
@@ -1,92 +0,0 @@
1	From af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca Mon Sep 17 00:00:00 2001
2	From: Greg Hudson <ghudson@mit.edu>
3	Date: Thu, 21 Aug 2014 13:52:07 -0400
4	Subject: [PATCH] Return only new keys in randkey [CVE-2014-5351]
5
6	In kadmind's randkey operation, if a client specifies the keepold
7	flag, do not include the preserved old keys in the response.
8
9	CVE-2014-5351:
10
11	An authenticated remote attacker can retrieve the current keys for a
12	service principal when generating a new set of keys for that
13	principal. The attacker needs to be authenticated as a user who has
14	the elevated privilege for randomizing the keys of other principals.
15
16	Normally, when a Kerberos administrator randomizes the keys of a
17	service principal, kadmind returns only the new keys. This prevents
18	an administrator who lacks legitimate privileged access to a service
19	from forging tickets to authenticate to that service. If the
20	"keepold" flag to the kadmin randkey RPC operation is true, kadmind
21	retains the old keys in the KDC database as intended, but also
22	unexpectedly returns the old keys to the client, which exposes the
23	service to ticket forgery attacks from the administrator.
24
25	A mitigating factor is that legitimate clients of the affected service
26	will start failing to authenticate to the service once they begin to
27	receive service tickets encrypted in the new keys. The affected
28	service will be unable to decrypt the newly issued tickets, possibly
29	alerting the legitimate administrator of the affected service.
30
31	CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
32
33	[tlyu@mit.edu: CVE description and CVSS score]
34
35	ticket: 8018 (new)
36	target_version: 1.13
37	tags: pullup
38
39	Upstream-Status: Backport
40	---
41	src/lib/kadm5/srv/svr_principal.c \| 21 ++++++++++++++++++---
42	1 files changed, 18 insertions(+), 3 deletions(-)
43
44	diff --git a/lib/kadm5/srv/svr_principal.c b/lib/kadm5/srv/svr_principal.c
45	index 5d358bd..d4e74cc 100644
46	--- a/lib/kadm5/srv/svr_principal.c
47	+++ b/lib/kadm5/srv/svr_principal.c
48	@@ -344,6 +344,20 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
49	*passptr = NULL;
50	}
51
52	+/* Return the number of keys with the newest kvno. Assumes that all key data
53	+ * with the newest kvno are at the front of the key data array. */
54	+static int
55	+count_new_keys(int n_key_data, krb5_key_data *key_data)
56	+{
57	+ int n;
58	+
59	+ for (n = 1; n < n_key_data; n++) {
60	+ if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno)
61	+ return n;
62	+ }
63	+ return n_key_data;
64	+}
65	+
66	kadm5_ret_t
67	kadm5_create_principal(void *server_handle,
68	kadm5_principal_ent_t entry, long mask,
69	@@ -1593,7 +1607,7 @@ kadm5_randkey_principal_3(void *server_handle,
70	osa_princ_ent_rec adb;
71	krb5_int32 now;
72	kadm5_policy_ent_rec pol;
73	- int ret, last_pwd;
74	+ int ret, last_pwd, n_new_keys;
75	krb5_boolean have_pol = FALSE;
76	kadm5_server_handle_t handle = server_handle;
77	krb5_keyblock *act_mkey;
78	@@ -1686,8 +1700,9 @@ kadm5_randkey_principal_3(void *server_handle,
79	kdb->fail_auth_count = 0;
80
81	if (keyblocks) {
82	- ret = decrypt_key_data(handle->context,
83	- kdb->n_key_data, kdb->key_data,
84	+ /* Return only the new keys added by krb5_dbe_crk. */
85	+ n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data);
86	+ ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data,
87	keyblocks, n_keys);
88	if (ret)
89	goto done;
90	--
91	1.7.4.1
92


diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb index c492496b6..ec88296df 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
@@ -14,7 +14,7 @@ DESCRIPTION = "Kerberos is a system for authenticating users and services on a n
14	HOMEPAGE = "http://web.mit.edu/Kerberos/"	14	HOMEPAGE = "http://web.mit.edu/Kerberos/"
15	SECTION = "console/network"	15	SECTION = "console/network"
16	LICENSE = "MIT"	16	LICENSE = "MIT"
17	LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=450c80c6258ce03387bd09df37638ebc"	17	LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=f64248328d2d9928e1f04158b5243e7f"
18	DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native"	18	DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native"
19		19
20	inherit autotools-brokensep binconfig perlnative	20	inherit autotools-brokensep binconfig perlnative
@@ -22,7 +22,6 @@ inherit autotools-brokensep binconfig perlnative
22	SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"	22	SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"
23	SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar \	23	SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar \
24	file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \	24	file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \
25	file://0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch \
26	file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \	25	file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \
27	file://crosscompile_nm.patch \	26	file://crosscompile_nm.patch \
28	file://etc/init.d/krb5-kdc \	27	file://etc/init.d/krb5-kdc \
@@ -30,8 +29,8 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
30	file://etc/default/krb5-kdc \	29	file://etc/default/krb5-kdc \
31	file://etc/default/krb5-admin-server \	30	file://etc/default/krb5-admin-server \
32	"	31	"
33	SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe"	32	SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189"
34	SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744"	33	SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1"
35		34
36	S = "${WORKDIR}/${BP}/src/"	35	S = "${WORKDIR}/${BP}/src/"
37		36
@@ -77,4 +76,25 @@ do_install_append() {
77	mkdir -p ${D}/etc/init.d ${D}/etc/default	76	mkdir -p ${D}/etc/init.d ${D}/etc/default
78	install -m 0755 ${WORKDIR}/etc/init.d/* ${D}/etc/init.d	77	install -m 0755 ${WORKDIR}/etc/init.d/* ${D}/etc/init.d
79	install -m 0644 ${WORKDIR}/etc/default/* ${D}/etc/default	78	install -m 0644 ${WORKDIR}/etc/default/* ${D}/etc/default
		79
		80	rm -rf ${D}/var/run
		81	mkdir -p ${D}/etc/default/volatiles
		82	echo "d root root 0755 ${localstatedir}/run/krb5kdc none" \
		83	> ${D}${sysconfdir}/default/volatiles/87_krb5
		84	if ${@base_contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
		85	install -d ${D}${sysconfdir}/tmpfiles.d
		86	echo "d /run/krb5kdc - - - -" \
		87	> ${D}${sysconfdir}/tmpfiles.d/krb5.conf
		88	fi
		89
		90	}
		91
		92	pkg_postinst_${PN} () {
		93	if [ -z "$D" ]; then
		94	if command -v systemd-tmpfiles >/dev/null; then
		95	systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/krb5.conf
		96	elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
		97	${sysconfdir}/init.d/populate-volatile.sh update
		98	fi
		99	fi
80	}	100	}