rpms
/
krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import krb5-1.18.2-8.3.el8_4

This commit is contained in:
CentOS Sources 2021-09-21 03:15:10 -04:00 committed by Stepan Oksanichenko
parent 8d2db90722
commit 475028c8e9
3 changed files with 177 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
SOURCES/Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch Normal file
View File

@ -0,0 +1,48 @@
From fa1d7d8d5ade1a1ed8279e5f8753776e470e22c1 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 3 Aug 2021 01:15:27 -0400
Subject: [PATCH] Fix KDC null deref on TGS inner body null server
After the KDC decodes a FAST inner body, it does not check for a null
server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
would typically result in an error from krb5_unparse_name(), but with
the addition of get_local_tgt() it results in a null dereference. Add
a null check.
Reported by Joseph Sutton of Catalyst.
CVE-2021-37750:
In MIT krb5 releases 1.14 and later, an authenticated attacker can
cause a null dereference in the KDC by sending a FAST TGS request with
no server field.
ticket: 9008 (new)
tags: pullup
target_version: 1.19-next
target_version: 1.18-next
(cherry picked from commit d775c95af7606a51bf79547a94fa52ddd1cb7f49)
(cherry picked from commit bb8fa495d00ccd931eec87a01b8920636cf7903e)
(cherry picked from commit dfe383f8251d0edc7e5e08ec5e4fdd9b7f902b2a)
(cherry picked from commit 0a8dfc380fe3b210662ba1b1d452fcec2f84841b)
---
src/kdc/do_tgs_req.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 463a9c0dd..7c596a111 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -208,6 +208,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
status = "FIND_FAST";
goto cleanup;
}
+ if (sprinc == NULL) {
+ status = "NULL_SERVER";
+ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ goto cleanup;
+ }
errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
&local_tgt, &local_tgt_storage, &local_tgt_key);

114
SOURCES/Fix-KDC-null-deref-on-bad-encrypted-challenge.patch Normal file
View File

@ -0,0 +1,114 @@
From c11cbb496dae9a133e8a3b503d9944392509491f Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 7 Jul 2021 11:47:44 +1200
Subject: [PATCH] Fix KDC null deref on bad encrypted challenge
The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
to avoid further processing if the armor key is NULL. However, this
check is bypassed by a call to k5memdup0() which overwrites retval
with 0 if the allocation succeeds. If the armor key is NULL, a call
to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
crash. Add a check before the k5memdup0() call to avoid overwriting
retval.
CVE-2021-36222:
In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
cause a null dereference in the KDC by sending a request containing a
PA-ENCRYPTED-CHALLENGE padata element without using FAST.
[ghudson@mit.edu: trimmed patch; added test case; edited commit
message]
(cherry picked from commit fc98f520caefff2e5ee9a0026fdf5109944b3562)
ticket: 9007
version_fixed: 1.18.4
(cherry picked from commit c4a406095b3ea4a67ae5b8ea586cbe9abdbae76f)
(cherry picked from commit 4e8579f0a41b66ed8029f21a52082e1c27ab3996)
---
src/kdc/kdc_preauth_ec.c | 3 ++-
src/tests/Makefile.in | 1 +
src/tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++
3 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 src/tests/t_cve-2021-36222.py
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
index 7e636b3f9..43a9902cc 100644
--- a/src/kdc/kdc_preauth_ec.c
+++ b/src/kdc/kdc_preauth_ec.c
@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
}
/* Check for a configured FAST ec auth indicator. */
- realmstr = k5memdup0(realm.data, realm.length, &retval);
+ if (retval == 0)
+ realmstr = k5memdup0(realm.data, realm.length, &retval);
if (realmstr != NULL)
retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
realmstr,
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 3f88f1713..0ffbebf56 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -158,6 +158,7 @@ check-pytests: unlockiter s4u2self
$(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS)
$(RM) au.log
$(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \
diff --git a/src/tests/t_cve-2021-36222.py b/src/tests/t_cve-2021-36222.py
new file mode 100644
index 000000000..57e04993b
--- /dev/null
+++ b/src/tests/t_cve-2021-36222.py
@@ -0,0 +1,46 @@
+import socket
+from k5test import *
+
+realm = K5Realm()
+
+# CVE-2021-36222 KDC null dereference on encrypted challenge preauth
+# without FAST
+
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+a = (hostname, realm.portbase)
+
+m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE
+ 'A103' '0201' '05' # [1] pvno = 5
+ 'A203' '0201' '0A' # [2] msg-type = 10
+ 'A30E' '300C' # [3] padata = SEQUENCE OF
+ '300A' # SEQUENCE
+ 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE
+ 'A202' '0400' # [2] padata-value = ""
+ 'A48180' '307E' # [4] req-body = SEQUENCE
+ 'A007' '0305' '0000000000' # [0] kdc-options = 0
+ 'A120' '301E' # [1] cname = SEQUENCE
+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
+ 'A117' '3015' # [1] name-string = SEQUENCE-OF
+ '1B06' '6B7262746774' # krbtgt
+ '1B0B' '4B5242544553542E434F4D'
+ # KRBTEST.COM
+ 'A20D' '1B0B' '4B5242544553542E434F4D'
+ # [2] realm = KRBTEST.COM
+ 'A320' '301E' # [3] sname = SEQUENCE
+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
+ 'A117' '3015' # [1] name-string = SEQUENCE-OF
+ '1B06' '6B7262746774' # krbtgt
+ '1B0B' '4B5242544553542E434F4D'
+ # KRBTEST.COM
+ 'A511' '180F' '31393934303631303036303331375A'
+ # [5] till = 19940610060317Z
+ 'A703' '0201' '00' # [7] nonce = 0
+ 'A808' '3006' # [8] etype = SEQUENCE OF
+ '020112' '020111') # aes256-cts aes128-cts
+
+s.sendto(bytes.fromhex(m), a)
+
+# Make sure kinit still works.
+realm.kinit(realm.user_princ, password('user'))
+
+success('CVE-2021-36222 regression test')

16
SPECS/krb5.spec
View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.18.2
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 8%{?dist}
Release: 8.3%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@ -76,6 +76,8 @@ Patch130: Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
Patch131: Unify-kvno-option-documentation.patch
Patch132: Document-k-option-in-kvno-1-synopsis.patch
Patch133: Add-recursion-limit-for-ASN.1-indefinite-lengths.patch
Patch134: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
Patch135: Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -686,6 +688,18 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Wed Aug 25 2021 Robbie Harwood <rharwood@redhat.com> - 1.18.2-8.3
- Fix KDC null deref on TGS inner body null server (CVE-2021-37750)
- Resolves: #1997600
* Wed Jul 21 2021 Robbie Harwood <rharwood@redhat.com> - 1.18.2-8.2
- Rebuild for rpminspect; no code changes
- Resolves: #1983728
* Tue Jul 20 2021 Robbie Harwood <rharwood@redhat.com> - 1.18.2-8.1
- Fix KDC null deref on bad encrypted challenge (CVE-2021-36222)
- Resolves: #1983728
* Wed Dec 16 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-8
- Add recursion limit for ASN.1 indefinite lengths (CVE-2020-28196)
- Resolves: #1906492