authorHuang Qiyu <huangqy.fnst@cn.fujitsu.com>2018-03-05 13:48:03 +0800
committerArmin Kuster <akuster808@gmail.com>2018-03-12 09:59:35 -0700
commit5172944a06c2632f66d6f356693e21362168e73c (patch)
treec7ebc59a085ef2eef4463a4910227b3d4c6ea59c /meta-oe
parent32209fbbb351a55d73d04f786fa896d52c1ecc16 (diff)
downloadmeta-openembedded-5172944a06c2632f66d6f356693e21362168e73c.tar.gz
krb5: 1.15.1 -> 1.16
1. Upgrade krb5 from 1.15.1 to 1.16. 2. Update the checksum in LIC_FILES_CHKSUM, since the NOTICE file has changed. The license itself remains the same; only the following lines changed: -Copyright (C) 1985-2016 by the Massachusetts Institute of Technology. +Copyright (C) 1985-2017 by the Massachusetts Institute of Technology. -The KCM Mach RPC definition file used on OS X has the following +The KCM Mach RPC definition file used on macOS has the following Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-oe')
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/CVE-2017-11462.patch419
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch116
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5_1.16.bb (renamed from meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb)8
3 files changed, 3 insertions, 540 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2017-11462.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2017-11462.patch
deleted file mode 100644
index 4b82f0297..000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2017-11462.patch
+++ /dev/null
@@ -1,419 +0,0 @@
1From 56f7b1bc95a2a3eeb420e069e7655fb181ade5cf Mon Sep 17 00:00:00 2001
2From: Greg Hudson <ghudson@mit.edu>
3Date: Fri, 14 Jul 2017 13:02:46 -0400
4Subject: [PATCH] Preserve GSS context on init/accept failure
5
6After gss_init_sec_context() or gss_accept_sec_context() has created a
7context, don't delete the mechglue context on failures from subsequent
8calls, even if the mechanism deletes the mech-specific context (which
9is allowed by RFC 2744 but not preferred). Check for union contexts
10with no mechanism context in each GSS function which accepts a
11gss_ctx_id_t.
12
13CVE-2017-11462:
14
15RFC 2744 permits a GSS-API implementation to delete an existing
16security context on a second or subsequent call to
17gss_init_sec_context() or gss_accept_sec_context() if the call results
18in an error. This API behavior has been found to be dangerous,
19leading to the possibility of memory errors in some callers. For
20safety, GSS-API implementations should instead preserve existing
21security contexts on error until the caller deletes them.
22
23All versions of MIT krb5 prior to this change may delete acceptor
24contexts on error. Versions 1.13.4 through 1.13.7, 1.14.1 through
251.14.5, and 1.15 through 1.15.1 may also delete initiator contexts on
26error.
27
28ticket: 8598 (new)
29target_version: 1.15-next
30target_version: 1.14-next
31tags: pullup
32
33Upstream-Status: Backport
34CVE: CVE-2017-11462
35
36Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
37---
38 src/lib/gssapi/mechglue/g_accept_sec_context.c | 22 +++++++++++++++-------
39 src/lib/gssapi/mechglue/g_complete_auth_token.c | 2 ++
40 src/lib/gssapi/mechglue/g_context_time.c | 2 ++
41 src/lib/gssapi/mechglue/g_delete_sec_context.c | 14 ++++++++------
42 src/lib/gssapi/mechglue/g_exp_sec_context.c | 2 ++
43 src/lib/gssapi/mechglue/g_init_sec_context.c | 19 +++++++++++--------
44 src/lib/gssapi/mechglue/g_inq_context.c | 2 ++
45 src/lib/gssapi/mechglue/g_prf.c | 2 ++
46 src/lib/gssapi/mechglue/g_process_context.c | 2 ++
47 src/lib/gssapi/mechglue/g_seal.c | 4 ++++
48 src/lib/gssapi/mechglue/g_sign.c | 2 ++
49 src/lib/gssapi/mechglue/g_unseal.c | 2 ++
50 src/lib/gssapi/mechglue/g_unwrap_aead.c | 2 ++
51 src/lib/gssapi/mechglue/g_unwrap_iov.c | 4 ++++
52 src/lib/gssapi/mechglue/g_verify.c | 2 ++
53 src/lib/gssapi/mechglue/g_wrap_aead.c | 2 ++
54 src/lib/gssapi/mechglue/g_wrap_iov.c | 8 ++++++++
55 17 files changed, 72 insertions(+), 21 deletions(-)
56
57diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
58index ddaf874..f28e2b1 100644
59--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
60+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
61@@ -216,6 +216,8 @@ gss_cred_id_t * d_cred;
62 } else {
63 union_ctx_id = (gss_union_ctx_id_t)*context_handle;
64 selected_mech = union_ctx_id->mech_type;
65+ if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT)
66+ return (GSS_S_NO_CONTEXT);
67 }
68
69 /* Now create a new context if we didn't get one. */
70@@ -234,9 +236,6 @@ gss_cred_id_t * d_cred;
71 free(union_ctx_id);
72 return (status);
73 }
74-
75- /* set the new context handle to caller's data */
76- *context_handle = (gss_ctx_id_t)union_ctx_id;
77 }
78
79 /*
80@@ -277,8 +276,10 @@ gss_cred_id_t * d_cred;
81 d_cred ? &tmp_d_cred : NULL);
82
83 /* If there's more work to do, keep going... */
84- if (status == GSS_S_CONTINUE_NEEDED)
85+ if (status == GSS_S_CONTINUE_NEEDED) {
86+ *context_handle = (gss_ctx_id_t)union_ctx_id;
87 return GSS_S_CONTINUE_NEEDED;
88+ }
89
90 /* if the call failed, return with failure */
91 if (status != GSS_S_COMPLETE) {
92@@ -364,14 +365,22 @@ gss_cred_id_t * d_cred;
93 *mech_type = gssint_get_public_oid(actual_mech);
94 if (ret_flags != NULL)
95 *ret_flags = temp_ret_flags;
96- return (status);
97+ *context_handle = (gss_ctx_id_t)union_ctx_id;
98+ return GSS_S_COMPLETE;
99 } else {
100
101 status = GSS_S_BAD_MECH;
102 }
103
104 error_out:
105- if (union_ctx_id) {
106+ /*
107+ * RFC 2744 5.1 requires that we not create a context on a failed first
108+ * call to accept, and recommends that on a failed subsequent call we
109+ * make the caller responsible for calling gss_delete_sec_context.
110+ * Even if the mech deleted its context, keep the union context around
111+ * for the caller to delete.
112+ */
113+ if (union_ctx_id && *context_handle == GSS_C_NO_CONTEXT) {
114 if (union_ctx_id->mech_type) {
115 if (union_ctx_id->mech_type->elements)
116 free(union_ctx_id->mech_type->elements);
117@@ -384,7 +393,6 @@ error_out:
118 GSS_C_NO_BUFFER);
119 }
120 free(union_ctx_id);
121- *context_handle = GSS_C_NO_CONTEXT;
122 }
123
124 if (src_name)
125diff --git a/src/lib/gssapi/mechglue/g_complete_auth_token.c b/src/lib/gssapi/mechglue/g_complete_auth_token.c
126index 9181551..4bcb47e 100644
127--- a/src/lib/gssapi/mechglue/g_complete_auth_token.c
128+++ b/src/lib/gssapi/mechglue/g_complete_auth_token.c
129@@ -52,6 +52,8 @@ gss_complete_auth_token (OM_uint32 *minor_status,
130 */
131
132 ctx = (gss_union_ctx_id_t) context_handle;
133+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
134+ return GSS_S_NO_CONTEXT;
135 mech = gssint_get_mechanism (ctx->mech_type);
136
137 if (mech != NULL) {
138diff --git a/src/lib/gssapi/mechglue/g_context_time.c b/src/lib/gssapi/mechglue/g_context_time.c
139index 2ff8d09..c947e76 100644
140--- a/src/lib/gssapi/mechglue/g_context_time.c
141+++ b/src/lib/gssapi/mechglue/g_context_time.c
142@@ -58,6 +58,8 @@ OM_uint32 * time_rec;
143 */
144
145 ctx = (gss_union_ctx_id_t) context_handle;
146+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
147+ return (GSS_S_NO_CONTEXT);
148 mech = gssint_get_mechanism (ctx->mech_type);
149
150 if (mech) {
151diff --git a/src/lib/gssapi/mechglue/g_delete_sec_context.c b/src/lib/gssapi/mechglue/g_delete_sec_context.c
152index 4bf0dec..574ff02 100644
153--- a/src/lib/gssapi/mechglue/g_delete_sec_context.c
154+++ b/src/lib/gssapi/mechglue/g_delete_sec_context.c
155@@ -87,12 +87,14 @@ gss_buffer_t output_token;
156 if (GSSINT_CHK_LOOP(ctx))
157 return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT);
158
159- status = gssint_delete_internal_sec_context(minor_status,
160- ctx->mech_type,
161- &ctx->internal_ctx_id,
162- output_token);
163- if (status)
164- return status;
165+ if (ctx->internal_ctx_id != GSS_C_NO_CONTEXT) {
166+ status = gssint_delete_internal_sec_context(minor_status,
167+ ctx->mech_type,
168+ &ctx->internal_ctx_id,
169+ output_token);
170+ if (status)
171+ return status;
172+ }
173
174 /* now free up the space for the union context structure */
175 free(ctx->mech_type->elements);
176diff --git a/src/lib/gssapi/mechglue/g_exp_sec_context.c b/src/lib/gssapi/mechglue/g_exp_sec_context.c
177index b637452..1d7990b 100644
178--- a/src/lib/gssapi/mechglue/g_exp_sec_context.c
179+++ b/src/lib/gssapi/mechglue/g_exp_sec_context.c
180@@ -95,6 +95,8 @@ gss_buffer_t interprocess_token;
181 */
182
183 ctx = (gss_union_ctx_id_t) *context_handle;
184+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
185+ return (GSS_S_NO_CONTEXT);
186 mech = gssint_get_mechanism (ctx->mech_type);
187 if (!mech)
188 return GSS_S_BAD_MECH;
189diff --git a/src/lib/gssapi/mechglue/g_init_sec_context.c b/src/lib/gssapi/mechglue/g_init_sec_context.c
190index 9f154b8..e2df1ce 100644
191--- a/src/lib/gssapi/mechglue/g_init_sec_context.c
192+++ b/src/lib/gssapi/mechglue/g_init_sec_context.c
193@@ -192,8 +192,13 @@ OM_uint32 * time_rec;
194
195 /* copy the supplied context handle */
196 union_ctx_id->internal_ctx_id = GSS_C_NO_CONTEXT;
197- } else
198+ } else {
199 union_ctx_id = (gss_union_ctx_id_t)*context_handle;
200+ if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT) {
201+ status = GSS_S_NO_CONTEXT;
202+ goto end;
203+ }
204+ }
205
206 /*
207 * get the appropriate cred handle from the union cred struct.
208@@ -224,15 +229,13 @@ OM_uint32 * time_rec;
209
210 if (status != GSS_S_COMPLETE && status != GSS_S_CONTINUE_NEEDED) {
211 /*
212- * The spec says the preferred method is to delete all context info on
213- * the first call to init, and on all subsequent calls make the caller
214- * responsible for calling gss_delete_sec_context. However, if the
215- * mechanism decided to delete the internal context, we should also
216- * delete the union context.
217+ * RFC 2744 5.19 requires that we not create a context on a failed
218+ * first call to init, and recommends that on a failed subsequent call
219+ * we make the caller responsible for calling gss_delete_sec_context.
220+ * Even if the mech deleted its context, keep the union context around
221+ * for the caller to delete.
222 */
223 map_error(minor_status, mech);
224- if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT)
225- *context_handle = GSS_C_NO_CONTEXT;
226 if (*context_handle == GSS_C_NO_CONTEXT) {
227 free(union_ctx_id->mech_type->elements);
228 free(union_ctx_id->mech_type);
229diff --git a/src/lib/gssapi/mechglue/g_inq_context.c b/src/lib/gssapi/mechglue/g_inq_context.c
230index 6f1c71e..6c0d98d 100644
231--- a/src/lib/gssapi/mechglue/g_inq_context.c
232+++ b/src/lib/gssapi/mechglue/g_inq_context.c
233@@ -104,6 +104,8 @@ gss_inquire_context(
234 */
235
236 ctx = (gss_union_ctx_id_t) context_handle;
237+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
238+ return (GSS_S_NO_CONTEXT);
239 mech = gssint_get_mechanism (ctx->mech_type);
240
241 if (!mech || !mech->gss_inquire_context || !mech->gss_display_name ||
242diff --git a/src/lib/gssapi/mechglue/g_prf.c b/src/lib/gssapi/mechglue/g_prf.c
243index fcca3e4..9e168ad 100644
244--- a/src/lib/gssapi/mechglue/g_prf.c
245+++ b/src/lib/gssapi/mechglue/g_prf.c
246@@ -59,6 +59,8 @@ gss_pseudo_random (OM_uint32 *minor_status,
247 */
248
249 ctx = (gss_union_ctx_id_t) context_handle;
250+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
251+ return GSS_S_NO_CONTEXT;
252 mech = gssint_get_mechanism (ctx->mech_type);
253
254 if (mech != NULL) {
255diff --git a/src/lib/gssapi/mechglue/g_process_context.c b/src/lib/gssapi/mechglue/g_process_context.c
256index bc260ae..3968b5d 100644
257--- a/src/lib/gssapi/mechglue/g_process_context.c
258+++ b/src/lib/gssapi/mechglue/g_process_context.c
259@@ -61,6 +61,8 @@ gss_buffer_t token_buffer;
260 */
261
262 ctx = (gss_union_ctx_id_t) context_handle;
263+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
264+ return (GSS_S_NO_CONTEXT);
265 mech = gssint_get_mechanism (ctx->mech_type);
266
267 if (mech) {
268diff --git a/src/lib/gssapi/mechglue/g_seal.c b/src/lib/gssapi/mechglue/g_seal.c
269index f17241c..3db1ee0 100644
270--- a/src/lib/gssapi/mechglue/g_seal.c
271+++ b/src/lib/gssapi/mechglue/g_seal.c
272@@ -92,6 +92,8 @@ gss_wrap( OM_uint32 *minor_status,
273 */
274
275 ctx = (gss_union_ctx_id_t) context_handle;
276+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
277+ return (GSS_S_NO_CONTEXT);
278 mech = gssint_get_mechanism (ctx->mech_type);
279
280 if (mech) {
281@@ -226,6 +228,8 @@ gss_wrap_size_limit(OM_uint32 *minor_status,
282 */
283
284 ctx = (gss_union_ctx_id_t) context_handle;
285+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
286+ return (GSS_S_NO_CONTEXT);
287 mech = gssint_get_mechanism (ctx->mech_type);
288
289 if (!mech)
290diff --git a/src/lib/gssapi/mechglue/g_sign.c b/src/lib/gssapi/mechglue/g_sign.c
291index 86d641a..03fbd8c 100644
292--- a/src/lib/gssapi/mechglue/g_sign.c
293+++ b/src/lib/gssapi/mechglue/g_sign.c
294@@ -94,6 +94,8 @@ gss_buffer_t msg_token;
295 */
296
297 ctx = (gss_union_ctx_id_t) context_handle;
298+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
299+ return (GSS_S_NO_CONTEXT);
300 mech = gssint_get_mechanism (ctx->mech_type);
301
302 if (mech) {
303diff --git a/src/lib/gssapi/mechglue/g_unseal.c b/src/lib/gssapi/mechglue/g_unseal.c
304index 3e8053c..c208635 100644
305--- a/src/lib/gssapi/mechglue/g_unseal.c
306+++ b/src/lib/gssapi/mechglue/g_unseal.c
307@@ -76,6 +76,8 @@ gss_qop_t * qop_state;
308 * call it.
309 */
310 ctx = (gss_union_ctx_id_t) context_handle;
311+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
312+ return (GSS_S_NO_CONTEXT);
313 mech = gssint_get_mechanism (ctx->mech_type);
314
315 if (mech) {
316diff --git a/src/lib/gssapi/mechglue/g_unwrap_aead.c b/src/lib/gssapi/mechglue/g_unwrap_aead.c
317index e78bff2..0682bd8 100644
318--- a/src/lib/gssapi/mechglue/g_unwrap_aead.c
319+++ b/src/lib/gssapi/mechglue/g_unwrap_aead.c
320@@ -186,6 +186,8 @@ gss_qop_t *qop_state;
321 * call it.
322 */
323 ctx = (gss_union_ctx_id_t) context_handle;
324+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
325+ return (GSS_S_NO_CONTEXT);
326 mech = gssint_get_mechanism (ctx->mech_type);
327
328 if (!mech)
329diff --git a/src/lib/gssapi/mechglue/g_unwrap_iov.c b/src/lib/gssapi/mechglue/g_unwrap_iov.c
330index c0dd314..599be2c 100644
331--- a/src/lib/gssapi/mechglue/g_unwrap_iov.c
332+++ b/src/lib/gssapi/mechglue/g_unwrap_iov.c
333@@ -89,6 +89,8 @@ int iov_count;
334 */
335
336 ctx = (gss_union_ctx_id_t) context_handle;
337+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
338+ return (GSS_S_NO_CONTEXT);
339 mech = gssint_get_mechanism (ctx->mech_type);
340
341 if (mech) {
342@@ -128,6 +130,8 @@ gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
343
344 /* Select the approprate underlying mechanism routine and call it. */
345 ctx = (gss_union_ctx_id_t)context_handle;
346+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
347+ return GSS_S_NO_CONTEXT;
348 mech = gssint_get_mechanism(ctx->mech_type);
349 if (mech == NULL)
350 return GSS_S_BAD_MECH;
351diff --git a/src/lib/gssapi/mechglue/g_verify.c b/src/lib/gssapi/mechglue/g_verify.c
352index 1578ae1..8996fce 100644
353--- a/src/lib/gssapi/mechglue/g_verify.c
354+++ b/src/lib/gssapi/mechglue/g_verify.c
355@@ -65,6 +65,8 @@ gss_qop_t * qop_state;
356 */
357
358 ctx = (gss_union_ctx_id_t) context_handle;
359+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
360+ return (GSS_S_NO_CONTEXT);
361 mech = gssint_get_mechanism (ctx->mech_type);
362
363 if (mech) {
364diff --git a/src/lib/gssapi/mechglue/g_wrap_aead.c b/src/lib/gssapi/mechglue/g_wrap_aead.c
365index 96cdf3c..7fe3b7b 100644
366--- a/src/lib/gssapi/mechglue/g_wrap_aead.c
367+++ b/src/lib/gssapi/mechglue/g_wrap_aead.c
368@@ -256,6 +256,8 @@ gss_buffer_t output_message_buffer;
369 * call it.
370 */
371 ctx = (gss_union_ctx_id_t)context_handle;
372+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
373+ return (GSS_S_NO_CONTEXT);
374 mech = gssint_get_mechanism (ctx->mech_type);
375 if (!mech)
376 return (GSS_S_BAD_MECH);
377diff --git a/src/lib/gssapi/mechglue/g_wrap_iov.c b/src/lib/gssapi/mechglue/g_wrap_iov.c
378index 40cd98f..14447c4 100644
379--- a/src/lib/gssapi/mechglue/g_wrap_iov.c
380+++ b/src/lib/gssapi/mechglue/g_wrap_iov.c
381@@ -93,6 +93,8 @@ int iov_count;
382 */
383
384 ctx = (gss_union_ctx_id_t) context_handle;
385+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
386+ return (GSS_S_NO_CONTEXT);
387 mech = gssint_get_mechanism (ctx->mech_type);
388
389 if (mech) {
390@@ -151,6 +153,8 @@ int iov_count;
391 */
392
393 ctx = (gss_union_ctx_id_t) context_handle;
394+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
395+ return (GSS_S_NO_CONTEXT);
396 mech = gssint_get_mechanism (ctx->mech_type);
397
398 if (mech) {
399@@ -190,6 +194,8 @@ gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
400
401 /* Select the approprate underlying mechanism routine and call it. */
402 ctx = (gss_union_ctx_id_t)context_handle;
403+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
404+ return GSS_S_NO_CONTEXT;
405 mech = gssint_get_mechanism(ctx->mech_type);
406 if (mech == NULL)
407 return GSS_S_BAD_MECH;
408@@ -218,6 +224,8 @@ gss_get_mic_iov_length(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
409
410 /* Select the approprate underlying mechanism routine and call it. */
411 ctx = (gss_union_ctx_id_t)context_handle;
412+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
413+ return GSS_S_NO_CONTEXT;
414 mech = gssint_get_mechanism(ctx->mech_type);
415 if (mech == NULL)
416 return GSS_S_BAD_MECH;
417--
4182.10.2
419
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
deleted file mode 100644
index a2eb7bc02..000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
+++ /dev/null
@@ -1,116 +0,0 @@
1Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970]
2
3Backport patch to fix CVE-2017-11368.
4
5Signed-off-by: Kai Kang <kai.kang@windriver.com>
6---
7From ffb35baac6981f9e8914f8f3bffd37f284b85970 Mon Sep 17 00:00:00 2001
8From: Greg Hudson <ghudson@mit.edu>
9Date: Thu, 13 Jul 2017 12:14:20 -0400
10Subject: [PATCH] Prevent KDC unset status assertion failures
11
12Assign status values if S4U2Self padata fails to decode, if an
13S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
14uses an evidence ticket which does not match the canonicalized request
15server principal name. Reported by Samuel Cabrero.
16
17If a status value is not assigned during KDC processing, default to
18"UNKNOWN_REASON" rather than failing an assertion. This change will
19prevent future denial of service bugs due to similar mistakes, and
20will allow us to omit assigning status values for unlikely errors such
21as small memory allocation failures.
22
23CVE-2017-11368:
24
25In MIT krb5 1.7 and later, an authenticated attacker can cause an
26assertion failure in krb5kdc by sending an invalid S4U2Self or
27S4U2Proxy request.
28
29 CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
30
31ticket: 8599 (new)
32target_version: 1.15-next
33target_version: 1.14-next
34tags: pullup
35---
36 src/kdc/do_as_req.c | 4 ++--
37 src/kdc/do_tgs_req.c | 3 ++-
38 src/kdc/kdc_util.c | 10 ++++++++--
39 3 files changed, 12 insertions(+), 5 deletions(-)
40
41diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
42index 2d3ad13..9b256c8 100644
43--- a/src/kdc/do_as_req.c
44+++ b/src/kdc/do_as_req.c
45@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
46 did_log = 1;
47
48 egress:
49- if (errcode != 0)
50- assert (state->status != 0);
51+ if (errcode != 0 && state->status == NULL)
52+ state->status = "UNKNOWN_REASON";
53
54 au_state->status = state->status;
55 au_state->reply = &state->reply;
56diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
57index cdc79ad..d8d6719 100644
58--- a/src/kdc/do_tgs_req.c
59+++ b/src/kdc/do_tgs_req.c
60@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
61 free(reply.enc_part.ciphertext.data);
62
63 cleanup:
64- assert(status != NULL);
65+ if (status == NULL)
66+ status = "UNKNOWN_REASON";
67 if (reply_key)
68 krb5_free_keyblock(kdc_context, reply_key);
69 if (errcode)
70diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
71index 778a629..b710aef 100644
72--- a/src/kdc/kdc_util.c
73+++ b/src/kdc/kdc_util.c
74@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
75 req_data.data = (char *)pa_data->contents;
76
77 code = decode_krb5_pa_for_user(&req_data, &for_user);
78- if (code)
79+ if (code) {
80+ *status = "DECODE_PA_FOR_USER";
81 return code;
82+ }
83
84 code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
85 if (code) {
86@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
87 req_data.data = (char *)pa_data->contents;
88
89 code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
90- if (code)
91+ if (code) {
92+ *status = "DECODE_PA_S4U_X509_USER";
93 return code;
94+ }
95
96 code = verify_s4u_x509_user_checksum(context,
97 tgs_subkey ? tgs_subkey :
98@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
99 * that is validated previously in validate_tgs_request().
100 */
101 if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
102+ *status = "INVALID_S4U2PROXY_OPTIONS";
103 return KRB5KDC_ERR_BADOPTION;
104 }
105
106@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
107 if (!krb5_principal_compare(kdc_context,
108 server->princ, /* after canon */
109 server_princ)) {
110+ *status = "EVIDENCE_TICKET_MISMATCH";
111 return KRB5KDC_ERR_SERVER_NOMATCH;
112 }
113
114--
1152.10.1
116
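diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.16.bb
index e75e86138..3bdb090be 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.16.bb
@@ -14,7 +14,7 @@ DESCRIPTION = "Kerberos is a system for authenticating users and services on a n
 HOMEPAGE = "http://web.mit.edu/Kerberos/"
 SECTION = "console/network"
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=3e12b8a065cca25dfdcac734fb3ec0b9"
+LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=59b8da652f07186b44782a8454574f30"
 DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native"
 
 inherit autotools-brokensep binconfig perlnative systemd update-rc.d
@@ -30,11 +30,9 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
  file://etc/default/krb5-admin-server \
  file://krb5-kdc.service \
  file://krb5-admin-server.service \
- file://fix-CVE-2017-11368.patch;striplevel=2 \
- file://CVE-2017-11462.patch;striplevel=2 \
 "
-SRC_URI[md5sum] = "8022f3a1cde8463e44fd35ef42731f85"
-SRC_URI[sha256sum] = "437c8831ddd5fde2a993fef425dedb48468109bb3d3261ef838295045a89eb45"
+SRC_URI[md5sum] = "23c5e9f07642db4a67f7a5b6168b1319"
+SRC_URI[sha256sum] = "faeb125f83b0fb4cdb2f99f088140631bb47d975982de0956d18c85842969e08"
 
 CVE_PRODUCT = "kerberos"
 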
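Review bot: The `file://fix-CVE-2017-11368.patch` and `file://CVE-2017-11462.patch` lines are dropped from SRC_URI without the commit message saying why; upstream lists both fixes in the 1.15.2 release that 1.16 builds on, so the removal looks correct, but the description should state that explicitly so the cve-check audit trail for this recipe stays traceable. While this recipe is being touched, the context line `CVE_PRODUCT = "kerberos"` at the end of the hunk is worth widening to `CVE_PRODUCT = "kerberos kerberos_5"`, since NVD appears to file a number of MIT krb5 advisories under the `mit:kerberos_5` CPE and cve-check would silently miss those as written. The tarball is still fetched over plain `http://` (the SRC_URI line shown in the hunk header); the pinned sha256sum protects integrity, but `https://web.mit.edu/kerberos/dist/...` would remove the downgrade/tampering-to-DoS surface at no cost. The SRC_URI assignment starts above this hunk.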