krb5: fix CVE-2018-20217

Fix CVE-2018-20217 Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Wenlin Kang <wenlin.kang@windriver.com> 2019-02-28 00:27:27 -0800
committer: Khem Raj <raj.khem@gmail.com> 2019-02-28 09:42:11 -0800
commit: ef6be433a9e580fadef8e9a08855cf66c7569659 (patch)
tree: 4b950df6e34c00fa19a8726e7fc80c7579b01e75 /meta-oe/recipes-connectivity
parent: e8606116247cda0991f7e653d9ff6969cf423b09 (diff)
download: meta-openembedded-ef6be433a9e580fadef8e9a08855cf66c7569659.tar.gz
2 files changed, 81 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/0001-Ignore-password-attributes-for-S4U2Self-requests.patch b/meta-oe/recipes-connectivity/krb5/krb5/0001-Ignore-password-attributes-for-S4U2Self-requests.patch
new file mode 100644
index 000000000..8d1e14358
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/0001-Ignore-password-attributes-for-S4U2Self-requests.patch
@@ -0,0 +1,80 @@
+From 6fad7d45701234c8e81300d50dd5b8037d846d11 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 27 Feb 2019 23:59:59 -0800
+Subject: [PATCH] Ignore password attributes for S4U2Self requests
+For consistency with Windows KDCs, allow protocol transition to work
+even if the password has expired or needs changing.
+Also, when looking up an enterprise principal with an AS request,
+treat ERR_KEY_EXP as confirmation that the client is present in the
+realm.
+[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited
+commit message]
+ticket: 8763 (new)
+tags: pullup
+target_version: 1.17
+Upsteam-Status: Backport [https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086]
+CVE: CVE-2018-20217
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+---
+ src/kdc/kdc_util.c           | 5 +++++
+ src/lib/krb5/krb/s4u_creds.c | 2 +-
+ src/tests/gssapi/t_s4u.py    | 8 ++++++++
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 754570c..034c979 100644
+--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
+@@ -1574,6 +1574,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
+ 
+         memset(&no_server, 0, sizeof(no_server));
+ 
+        /* Ignore password expiration and needchange attributes (as Windows
+         * does), since S4U2Self is not password authentication. */
+        princ->pw_expiration = 0;
+        clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE);
+
+         code = validate_as_request(kdc_active_realm, request, *princ,
+                                    no_server, kdc_time, status, &e_data);
+         if (code) {
+diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
+index 91c02aa..2037984 100644
+--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
+@@ -117,7 +117,7 @@ s4u_identify_user(krb5_context context,
+     code = k5_get_init_creds(context, &creds, client, NULL, NULL, 0, NULL,
+                              opts, krb5_get_as_key_noop, &userid, &use_master,
+                              NULL);
+-    if (code == 0 || code == KRB5_PREAUTH_FAILED) {
+    if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) {
+         *canon_user = userid.user;
+         userid.user = NULL;
+         code = 0;
+diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
+index 3da6544..ba0469e 100755
+--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
+@@ -20,6 +20,14 @@ pservice2 = 'p:' + service2
+ # Get forwardable creds for service1 in the default cache.
+ realm.kinit(service1, None, ['-f', '-k'])
+ 
+# Try S4U2Self for user with a restricted password.
+realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ])
+realm.run(['./t_s4u', 'e:user', '-'])
+realm.run([kadminl, 'modprinc', '-needchange',
+          '-pwexpire', '1/1/2000', realm.user_princ])
+realm.run(['./t_s4u', 'e:user', '-'])
+realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ])
+
+ # Try krb5 -> S4U2Proxy with forwardable user creds.  This should fail
+ # at the S4U2Proxy step since the DB2 back end currently has no
+ # support for allowing it.
+-- 
+2.17.1
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.16.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.16.2.bb
index 76b5d3042..1d3ef8a34 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.16.2.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.16.2.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
           file://etc/default/krb5-admin-server \
           file://krb5-kdc.service \
           file://krb5-admin-server.service \
+           file://0001-Ignore-password-attributes-for-S4U2Self-requests.patch;striplevel=2 \
 "
 SRC_URI[md5sum] = "ffd52595e969fb700d37313606e4dc3d"
 SRC_URI[sha256sum] = "9f721e1fe593c219174740c71de514c7228a97d23eb7be7597b2ae14e487f027"
author	Wenlin Kang <wenlin.kang@windriver.com>	2019-02-28 00:27:27 -0800
committer	Khem Raj <raj.khem@gmail.com>	2019-02-28 09:42:11 -0800
commit	ef6be433a9e580fadef8e9a08855cf66c7569659 (patch)
tree	4b950df6e34c00fa19a8726e7fc80c7579b01e75 /meta-oe/recipes-connectivity
parent	e8606116247cda0991f7e653d9ff6969cf423b09 (diff)
download	meta-openembedded-ef6be433a9e580fadef8e9a08855cf66c7569659.tar.gz

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/0001-Ignore-password-attributes-for-S4U2Self-requests.patch b/meta-oe/recipes-connectivity/krb5/krb5/0001-Ignore-password-attributes-for-S4U2Self-requests.patch new file mode 100644 index 000000000..8d1e14358 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/0001-Ignore-password-attributes-for-S4U2Self-requests.patch
@@ -0,0 +1,80 @@
		1	From 6fad7d45701234c8e81300d50dd5b8037d846d11 Mon Sep 17 00:00:00 2001
		2	From: Isaac Boukris <iboukris@gmail.com>
		3	Date: Wed, 27 Feb 2019 23:59:59 -0800
		4	Subject: [PATCH] Ignore password attributes for S4U2Self requests
		5
		6	For consistency with Windows KDCs, allow protocol transition to work
		7	even if the password has expired or needs changing.
		8
		9	Also, when looking up an enterprise principal with an AS request,
		10	treat ERR_KEY_EXP as confirmation that the client is present in the
		11	realm.
		12
		13	[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited
		14	commit message]
		15
		16	ticket: 8763 (new)
		17	tags: pullup
		18	target_version: 1.17
		19
		20	Upsteam-Status: Backport [https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086]
		21	CVE: CVE-2018-20217
		22
		23	Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
		24	---
		25	src/kdc/kdc_util.c \| 5 +++++
		26	src/lib/krb5/krb/s4u_creds.c \| 2 +-
		27	src/tests/gssapi/t_s4u.py \| 8 ++++++++
		28	3 files changed, 14 insertions(+), 1 deletion(-)
		29
		30	diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
		31	index 754570c..034c979 100644
		32	--- a/src/kdc/kdc_util.c
		33	+++ b/src/kdc/kdc_util.c
		34	@@ -1574,6 +1574,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
		35
		36	memset(&no_server, 0, sizeof(no_server));
		37
		38	+ /* Ignore password expiration and needchange attributes (as Windows
		39	+ * does), since S4U2Self is not password authentication. */
		40	+ princ->pw_expiration = 0;
		41	+ clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE);
		42	+
		43	code = validate_as_request(kdc_active_realm, request, *princ,
		44	no_server, kdc_time, status, &e_data);
		45	if (code) {
		46	diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
		47	index 91c02aa..2037984 100644
		48	--- a/src/lib/krb5/krb/s4u_creds.c
		49	+++ b/src/lib/krb5/krb/s4u_creds.c
		50	@@ -117,7 +117,7 @@ s4u_identify_user(krb5_context context,
		51	code = k5_get_init_creds(context, &creds, client, NULL, NULL, 0, NULL,
		52	opts, krb5_get_as_key_noop, &userid, &use_master,
		53	NULL);
		54	- if (code == 0 \|\| code == KRB5_PREAUTH_FAILED) {
		55	+ if (!code \|\| code == KRB5_PREAUTH_FAILED \|\| code == KRB5KDC_ERR_KEY_EXP) {
		56	*canon_user = userid.user;
		57	userid.user = NULL;
		58	code = 0;
		59	diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
		60	index 3da6544..ba0469e 100755
		61	--- a/src/tests/gssapi/t_s4u.py
		62	+++ b/src/tests/gssapi/t_s4u.py
		63	@@ -20,6 +20,14 @@ pservice2 = 'p:' + service2
		64	# Get forwardable creds for service1 in the default cache.
		65	realm.kinit(service1, None, ['-f', '-k'])
		66
		67	+# Try S4U2Self for user with a restricted password.
		68	+realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ])
		69	+realm.run(['./t_s4u', 'e:user', '-'])
		70	+realm.run([kadminl, 'modprinc', '-needchange',
		71	+ '-pwexpire', '1/1/2000', realm.user_princ])
		72	+realm.run(['./t_s4u', 'e:user', '-'])
		73	+realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ])
		74	+
		75	# Try krb5 -> S4U2Proxy with forwardable user creds. This should fail
		76	# at the S4U2Proxy step since the DB2 back end currently has no
		77	# support for allowing it.
		78	--
		79	2.17.1
		80


diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.16.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.16.2.bb index 76b5d3042..1d3ef8a34 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.16.2.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.16.2.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
30	file://etc/default/krb5-admin-server \	30	file://etc/default/krb5-admin-server \
31	file://krb5-kdc.service \	31	file://krb5-kdc.service \
32	file://krb5-admin-server.service \	32	file://krb5-admin-server.service \
		33	file://0001-Ignore-password-attributes-for-S4U2Self-requests.patch;striplevel=2 \
33	"	34	"
34	SRC_URI[md5sum] = "ffd52595e969fb700d37313606e4dc3d"	35	SRC_URI[md5sum] = "ffd52595e969fb700d37313606e4dc3d"
35	SRC_URI[sha256sum] = "9f721e1fe593c219174740c71de514c7228a97d23eb7be7597b2ae14e487f027"	36	SRC_URI[sha256sum] = "9f721e1fe593c219174740c71de514c7228a97d23eb7be7597b2ae14e487f027"