rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2017-11368 (remote triggerable assertion failure)

Browse Source
This commit is contained in:
Robbie Harwood 2017-07-20 15:31:42 +00:00
parent bb9cd0748a
commit 45c6f63563
2 changed files with 114 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

109
Prevent-KDC-unset-status-assertion-failures.patch Normal file
View File

@ -0,0 +1,109 @@
From af6570ad6c306fe8e2bf425810236dd8c6271885 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 13 Jul 2017 12:14:20 -0400
Subject: [PATCH] Prevent KDC unset status assertion failures
Assign status values if S4U2Self padata fails to decode, if an
S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
uses an evidence ticket which does not match the canonicalized request
server principal name. Reported by Samuel Cabrero.
If a status value is not assigned during KDC processing, default to
"UNKNOWN_REASON" rather than failing an assertion. This change will
prevent future denial of service bugs due to similar mistakes, and
will allow us to omit assigning status values for unlikely errors such
as small memory allocation failures.
CVE-2017-11368:
In MIT krb5 1.7 and later, an authenticated attacker can cause an
assertion failure in krb5kdc by sending an invalid S4U2Self or
S4U2Proxy request.
CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
ticket: 8599 (new)
target_version: 1.15-next
target_version: 1.14-next
tags: pullup
(cherry picked from commit a860385dd8fbd239fdb31b347e07f4e6b2fbdcc2)
---
src/kdc/do_as_req.c | 4 ++--
src/kdc/do_tgs_req.c | 3 ++-
src/kdc/kdc_util.c | 10 ++++++++--
3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 712ccb794..a4bf91b1b 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -365,8 +365,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
did_log = 1;
egress:
- if (errcode != 0)
- assert (state->status != 0);
+ if (errcode != 0 && state->status == NULL)
+ state->status = "UNKNOWN_REASON";
au_state->status = state->status;
au_state->reply = &state->reply;
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 547a41441..339259fd1 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
free(reply.enc_part.ciphertext.data);
cleanup:
- assert(status != NULL);
+ if (status == NULL)
+ status = "UNKNOWN_REASON";
if (reply_key)
krb5_free_keyblock(kdc_context, reply_key);
if (errcode)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 29f9dbbf0..30c501c67 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
req_data.data = (char *)pa_data->contents;
code = decode_krb5_pa_for_user(&req_data, &for_user);
- if (code)
+ if (code) {
+ *status = "DECODE_PA_FOR_USER";
return code;
+ }
code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
if (code) {
@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
req_data.data = (char *)pa_data->contents;
code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
- if (code)
+ if (code) {
+ *status = "DECODE_PA_S4U_X509_USER";
return code;
+ }
code = verify_s4u_x509_user_checksum(context,
tgs_subkey ? tgs_subkey :
@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
* that is validated previously in validate_tgs_request().
*/
if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
+ *status = "INVALID_S4U2PROXY_OPTIONS";
return KRB5KDC_ERR_BADOPTION;
}
@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
if (!krb5_principal_compare(kdc_context,
server->princ, /* after canon */
server_princ)) {
+ *status = "EVIDENCE_TICKET_MISMATCH";
return KRB5KDC_ERR_SERVER_NOMATCH;
}

6
krb5.spec
View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.15.1 Version: 1.15.1
# for prerelease, should be e.g., 0.3.beta2%{?dist} # for prerelease, should be e.g., 0.3.beta2%{?dist}
Release: 16%{?dist} Release: 17%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead? # - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with # - The sources below are stored in a lookaside cache. Upload with
@ -79,6 +79,7 @@ Patch50: Correct-error-handling-bug-in-prior-commit.patch
Patch51: Add-k5test-expected_msg-expected_trace.patch Patch51: Add-k5test-expected_msg-expected_trace.patch
Patch52: Fix-leaks-in-gss_inquire_cred_by_oid.patch Patch52: Fix-leaks-in-gss_inquire_cred_by_oid.patch
Patch53: Add-support-to-query-the-SSF-of-a-GSS-context.patch Patch53: Add-support-to-query-the-SSF-of-a-GSS-context.patch
Patch54: Prevent-KDC-unset-status-assertion-failures.patch
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
@ -741,6 +742,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkadm5srv_mit.so.*
%changelog %changelog
* Thu Jul 20 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-17
- Fix CVE-2017-11368 (remote triggerable assertion failure)
* Wed Jul 19 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-16 * Wed Jul 19 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-16
- Explicitly require python2 packages - Explicitly require python2 packages