diff options
Diffstat (limited to 'meta-oe/recipes-connectivity/krb5')
-rw-r--r-- | meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch | 92 | ||||
-rw-r--r-- | meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb (renamed from meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb) | 28 |
2 files changed, 24 insertions, 96 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch b/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch deleted file mode 100644 index 08526610a..000000000 --- a/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch +++ /dev/null | |||
@@ -1,92 +0,0 @@ | |||
1 | From af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca Mon Sep 17 00:00:00 2001 | ||
2 | From: Greg Hudson <ghudson@mit.edu> | ||
3 | Date: Thu, 21 Aug 2014 13:52:07 -0400 | ||
4 | Subject: [PATCH] Return only new keys in randkey [CVE-2014-5351] | ||
5 | |||
6 | In kadmind's randkey operation, if a client specifies the keepold | ||
7 | flag, do not include the preserved old keys in the response. | ||
8 | |||
9 | CVE-2014-5351: | ||
10 | |||
11 | An authenticated remote attacker can retrieve the current keys for a | ||
12 | service principal when generating a new set of keys for that | ||
13 | principal. The attacker needs to be authenticated as a user who has | ||
14 | the elevated privilege for randomizing the keys of other principals. | ||
15 | |||
16 | Normally, when a Kerberos administrator randomizes the keys of a | ||
17 | service principal, kadmind returns only the new keys. This prevents | ||
18 | an administrator who lacks legitimate privileged access to a service | ||
19 | from forging tickets to authenticate to that service. If the | ||
20 | "keepold" flag to the kadmin randkey RPC operation is true, kadmind | ||
21 | retains the old keys in the KDC database as intended, but also | ||
22 | unexpectedly returns the old keys to the client, which exposes the | ||
23 | service to ticket forgery attacks from the administrator. | ||
24 | |||
25 | A mitigating factor is that legitimate clients of the affected service | ||
26 | will start failing to authenticate to the service once they begin to | ||
27 | receive service tickets encrypted in the new keys. The affected | ||
28 | service will be unable to decrypt the newly issued tickets, possibly | ||
29 | alerting the legitimate administrator of the affected service. | ||
30 | |||
31 | CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C | ||
32 | |||
33 | [tlyu@mit.edu: CVE description and CVSS score] | ||
34 | |||
35 | ticket: 8018 (new) | ||
36 | target_version: 1.13 | ||
37 | tags: pullup | ||
38 | |||
39 | Upstream-Status: Backport | ||
40 | --- | ||
41 | src/lib/kadm5/srv/svr_principal.c | 21 ++++++++++++++++++--- | ||
42 | 1 files changed, 18 insertions(+), 3 deletions(-) | ||
43 | |||
44 | diff --git a/lib/kadm5/srv/svr_principal.c b/lib/kadm5/srv/svr_principal.c | ||
45 | index 5d358bd..d4e74cc 100644 | ||
46 | --- a/lib/kadm5/srv/svr_principal.c | ||
47 | +++ b/lib/kadm5/srv/svr_principal.c | ||
48 | @@ -344,6 +344,20 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask, | ||
49 | *passptr = NULL; | ||
50 | } | ||
51 | |||
52 | +/* Return the number of keys with the newest kvno. Assumes that all key data | ||
53 | + * with the newest kvno are at the front of the key data array. */ | ||
54 | +static int | ||
55 | +count_new_keys(int n_key_data, krb5_key_data *key_data) | ||
56 | +{ | ||
57 | + int n; | ||
58 | + | ||
59 | + for (n = 1; n < n_key_data; n++) { | ||
60 | + if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno) | ||
61 | + return n; | ||
62 | + } | ||
63 | + return n_key_data; | ||
64 | +} | ||
65 | + | ||
66 | kadm5_ret_t | ||
67 | kadm5_create_principal(void *server_handle, | ||
68 | kadm5_principal_ent_t entry, long mask, | ||
69 | @@ -1593,7 +1607,7 @@ kadm5_randkey_principal_3(void *server_handle, | ||
70 | osa_princ_ent_rec adb; | ||
71 | krb5_int32 now; | ||
72 | kadm5_policy_ent_rec pol; | ||
73 | - int ret, last_pwd; | ||
74 | + int ret, last_pwd, n_new_keys; | ||
75 | krb5_boolean have_pol = FALSE; | ||
76 | kadm5_server_handle_t handle = server_handle; | ||
77 | krb5_keyblock *act_mkey; | ||
78 | @@ -1686,8 +1700,9 @@ kadm5_randkey_principal_3(void *server_handle, | ||
79 | kdb->fail_auth_count = 0; | ||
80 | |||
81 | if (keyblocks) { | ||
82 | - ret = decrypt_key_data(handle->context, | ||
83 | - kdb->n_key_data, kdb->key_data, | ||
84 | + /* Return only the new keys added by krb5_dbe_crk. */ | ||
85 | + n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data); | ||
86 | + ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data, | ||
87 | keyblocks, n_keys); | ||
88 | if (ret) | ||
89 | goto done; | ||
90 | -- | ||
91 | 1.7.4.1 | ||
92 | |||
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb index c492496b6..ec88296df 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb | |||
@@ -14,7 +14,7 @@ DESCRIPTION = "Kerberos is a system for authenticating users and services on a n | |||
14 | HOMEPAGE = "http://web.mit.edu/Kerberos/" | 14 | HOMEPAGE = "http://web.mit.edu/Kerberos/" |
15 | SECTION = "console/network" | 15 | SECTION = "console/network" |
16 | LICENSE = "MIT" | 16 | LICENSE = "MIT" |
17 | LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=450c80c6258ce03387bd09df37638ebc" | 17 | LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=f64248328d2d9928e1f04158b5243e7f" |
18 | DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native" | 18 | DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native" |
19 | 19 | ||
20 | inherit autotools-brokensep binconfig perlnative | 20 | inherit autotools-brokensep binconfig perlnative |
@@ -22,7 +22,6 @@ inherit autotools-brokensep binconfig perlnative | |||
22 | SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}" | 22 | SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}" |
23 | SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar \ | 23 | SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar \ |
24 | file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \ | 24 | file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \ |
25 | file://0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch \ | ||
26 | file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \ | 25 | file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \ |
27 | file://crosscompile_nm.patch \ | 26 | file://crosscompile_nm.patch \ |
28 | file://etc/init.d/krb5-kdc \ | 27 | file://etc/init.d/krb5-kdc \ |
@@ -30,8 +29,8 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar | |||
30 | file://etc/default/krb5-kdc \ | 29 | file://etc/default/krb5-kdc \ |
31 | file://etc/default/krb5-admin-server \ | 30 | file://etc/default/krb5-admin-server \ |
32 | " | 31 | " |
33 | SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe" | 32 | SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189" |
34 | SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744" | 33 | SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1" |
35 | 34 | ||
36 | S = "${WORKDIR}/${BP}/src/" | 35 | S = "${WORKDIR}/${BP}/src/" |
37 | 36 | ||
@@ -77,4 +76,25 @@ do_install_append() { | |||
77 | mkdir -p ${D}/etc/init.d ${D}/etc/default | 76 | mkdir -p ${D}/etc/init.d ${D}/etc/default |
78 | install -m 0755 ${WORKDIR}/etc/init.d/* ${D}/etc/init.d | 77 | install -m 0755 ${WORKDIR}/etc/init.d/* ${D}/etc/init.d |
79 | install -m 0644 ${WORKDIR}/etc/default/* ${D}/etc/default | 78 | install -m 0644 ${WORKDIR}/etc/default/* ${D}/etc/default |
79 | |||
80 | rm -rf ${D}/var/run | ||
81 | mkdir -p ${D}/etc/default/volatiles | ||
82 | echo "d root root 0755 ${localstatedir}/run/krb5kdc none" \ | ||
83 | > ${D}${sysconfdir}/default/volatiles/87_krb5 | ||
84 | if ${@base_contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then | ||
85 | install -d ${D}${sysconfdir}/tmpfiles.d | ||
86 | echo "d /run/krb5kdc - - - -" \ | ||
87 | > ${D}${sysconfdir}/tmpfiles.d/krb5.conf | ||
88 | fi | ||
89 | |||
90 | } | ||
91 | |||
92 | pkg_postinst_${PN} () { | ||
93 | if [ -z "$D" ]; then | ||
94 | if command -v systemd-tmpfiles >/dev/null; then | ||
95 | systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/krb5.conf | ||
96 | elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then | ||
97 | ${sysconfdir}/init.d/populate-volatile.sh update | ||
98 | fi | ||
99 | fi | ||
80 | } | 100 | } |