summaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-connectivity/krb5
diff options
context:
space:
mode:
Diffstat (limited to 'meta-oe/recipes-connectivity/krb5')
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch92
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb (renamed from meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb)28
2 files changed, 24 insertions, 96 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch b/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch
deleted file mode 100644
index 08526610a..000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch
+++ /dev/null
@@ -1,92 +0,0 @@
1From af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca Mon Sep 17 00:00:00 2001
2From: Greg Hudson <ghudson@mit.edu>
3Date: Thu, 21 Aug 2014 13:52:07 -0400
4Subject: [PATCH] Return only new keys in randkey [CVE-2014-5351]
5
6In kadmind's randkey operation, if a client specifies the keepold
7flag, do not include the preserved old keys in the response.
8
9CVE-2014-5351:
10
11An authenticated remote attacker can retrieve the current keys for a
12service principal when generating a new set of keys for that
13principal. The attacker needs to be authenticated as a user who has
14the elevated privilege for randomizing the keys of other principals.
15
16Normally, when a Kerberos administrator randomizes the keys of a
17service principal, kadmind returns only the new keys. This prevents
18an administrator who lacks legitimate privileged access to a service
19from forging tickets to authenticate to that service. If the
20"keepold" flag to the kadmin randkey RPC operation is true, kadmind
21retains the old keys in the KDC database as intended, but also
22unexpectedly returns the old keys to the client, which exposes the
23service to ticket forgery attacks from the administrator.
24
25A mitigating factor is that legitimate clients of the affected service
26will start failing to authenticate to the service once they begin to
27receive service tickets encrypted in the new keys. The affected
28service will be unable to decrypt the newly issued tickets, possibly
29alerting the legitimate administrator of the affected service.
30
31CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
32
33[tlyu@mit.edu: CVE description and CVSS score]
34
35ticket: 8018 (new)
36target_version: 1.13
37tags: pullup
38
39Upstream-Status: Backport
40---
41 src/lib/kadm5/srv/svr_principal.c | 21 ++++++++++++++++++---
42 1 files changed, 18 insertions(+), 3 deletions(-)
43
44diff --git a/lib/kadm5/srv/svr_principal.c b/lib/kadm5/srv/svr_principal.c
45index 5d358bd..d4e74cc 100644
46--- a/lib/kadm5/srv/svr_principal.c
47+++ b/lib/kadm5/srv/svr_principal.c
48@@ -344,6 +344,20 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
49 *passptr = NULL;
50 }
51
52+/* Return the number of keys with the newest kvno. Assumes that all key data
53+ * with the newest kvno are at the front of the key data array. */
54+static int
55+count_new_keys(int n_key_data, krb5_key_data *key_data)
56+{
57+ int n;
58+
59+ for (n = 1; n < n_key_data; n++) {
60+ if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno)
61+ return n;
62+ }
63+ return n_key_data;
64+}
65+
66 kadm5_ret_t
67 kadm5_create_principal(void *server_handle,
68 kadm5_principal_ent_t entry, long mask,
69@@ -1593,7 +1607,7 @@ kadm5_randkey_principal_3(void *server_handle,
70 osa_princ_ent_rec adb;
71 krb5_int32 now;
72 kadm5_policy_ent_rec pol;
73- int ret, last_pwd;
74+ int ret, last_pwd, n_new_keys;
75 krb5_boolean have_pol = FALSE;
76 kadm5_server_handle_t handle = server_handle;
77 krb5_keyblock *act_mkey;
78@@ -1686,8 +1700,9 @@ kadm5_randkey_principal_3(void *server_handle,
79 kdb->fail_auth_count = 0;
80
81 if (keyblocks) {
82- ret = decrypt_key_data(handle->context,
83- kdb->n_key_data, kdb->key_data,
84+ /* Return only the new keys added by krb5_dbe_crk. */
85+ n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data);
86+ ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data,
87 keyblocks, n_keys);
88 if (ret)
89 goto done;
90--
911.7.4.1
92
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
index c492496b6..ec88296df 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
@@ -14,7 +14,7 @@ DESCRIPTION = "Kerberos is a system for authenticating users and services on a n
14HOMEPAGE = "http://web.mit.edu/Kerberos/" 14HOMEPAGE = "http://web.mit.edu/Kerberos/"
15SECTION = "console/network" 15SECTION = "console/network"
16LICENSE = "MIT" 16LICENSE = "MIT"
17LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=450c80c6258ce03387bd09df37638ebc" 17LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=f64248328d2d9928e1f04158b5243e7f"
18DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native" 18DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native"
19 19
20inherit autotools-brokensep binconfig perlnative 20inherit autotools-brokensep binconfig perlnative
@@ -22,7 +22,6 @@ inherit autotools-brokensep binconfig perlnative
22SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}" 22SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"
23SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar \ 23SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar \
24 file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \ 24 file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \
25 file://0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch \
26 file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \ 25 file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \
27 file://crosscompile_nm.patch \ 26 file://crosscompile_nm.patch \
28 file://etc/init.d/krb5-kdc \ 27 file://etc/init.d/krb5-kdc \
@@ -30,8 +29,8 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
30 file://etc/default/krb5-kdc \ 29 file://etc/default/krb5-kdc \
31 file://etc/default/krb5-admin-server \ 30 file://etc/default/krb5-admin-server \
32" 31"
33SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe" 32SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189"
34SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744" 33SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1"
35 34
36S = "${WORKDIR}/${BP}/src/" 35S = "${WORKDIR}/${BP}/src/"
37 36
@@ -77,4 +76,25 @@ do_install_append() {
77 mkdir -p ${D}/etc/init.d ${D}/etc/default 76 mkdir -p ${D}/etc/init.d ${D}/etc/default
78 install -m 0755 ${WORKDIR}/etc/init.d/* ${D}/etc/init.d 77 install -m 0755 ${WORKDIR}/etc/init.d/* ${D}/etc/init.d
79 install -m 0644 ${WORKDIR}/etc/default/* ${D}/etc/default 78 install -m 0644 ${WORKDIR}/etc/default/* ${D}/etc/default
79
80 rm -rf ${D}/var/run
81 mkdir -p ${D}/etc/default/volatiles
82 echo "d root root 0755 ${localstatedir}/run/krb5kdc none" \
83 > ${D}${sysconfdir}/default/volatiles/87_krb5
84 if ${@base_contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
85 install -d ${D}${sysconfdir}/tmpfiles.d
86 echo "d /run/krb5kdc - - - -" \
87 > ${D}${sysconfdir}/tmpfiles.d/krb5.conf
88 fi
89
90}
91
92pkg_postinst_${PN} () {
93 if [ -z "$D" ]; then
94 if command -v systemd-tmpfiles >/dev/null; then
95 systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/krb5.conf
96 elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
97 ${sysconfdir}/init.d/populate-volatile.sh update
98 fi
99 fi
80} 100}