parent
e165eeccda
commit
528404bbf5
57
krb5-1.14.4-CVE-2016-3120.patch
Normal file
57
krb5-1.14.4-CVE-2016-3120.patch
Normal file
@ -0,0 +1,57 @@
|
||||
From 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 19 Jul 2016 11:00:28 -0400
|
||||
Subject: [PATCH] Fix S4U2Self KDC crash when anon is restricted
|
||||
|
||||
In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
|
||||
use client.princ instead of request->client; the latter is NULL when
|
||||
validating S4U2Self requests.
|
||||
|
||||
CVE-2016-3120:
|
||||
|
||||
In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
|
||||
to dereference a null pointer if the restrict_anonymous_to_tgt option
|
||||
is set to true, by making an S4U2Self request.
|
||||
|
||||
CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
|
||||
|
||||
ticket: 8458 (new)
|
||||
target_version: 1.14-next
|
||||
target_version: 1.13-next
|
||||
---
|
||||
src/kdc/kdc_util.c | 2 +-
|
||||
src/tests/t_pkinit.py | 5 +++++
|
||||
2 files changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
||||
index 776e130..29f9dbb 100644
|
||||
--- a/src/kdc/kdc_util.c
|
||||
+++ b/src/kdc/kdc_util.c
|
||||
@@ -739,7 +739,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
|
||||
return(KDC_ERR_MUST_USE_USER2USER);
|
||||
}
|
||||
|
||||
- if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
|
||||
+ if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
|
||||
*status = "ANONYMOUS NOT ALLOWED";
|
||||
return(KDC_ERR_POLICY);
|
||||
}
|
||||
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
|
||||
index b66c458..f0214b6 100755
|
||||
--- a/src/tests/t_pkinit.py
|
||||
+++ b/src/tests/t_pkinit.py
|
||||
@@ -93,6 +93,11 @@ out = realm.run([kvno, realm.host_princ], expected_code=1)
|
||||
if 'KDC policy rejects request' not in out:
|
||||
fail('Wrong error for restricted anonymous PKINIT')
|
||||
|
||||
+# Regression test for #8458: S4U2Self requests crash the KDC if
|
||||
+# anonymous is restricted.
|
||||
+realm.kinit(realm.host_princ, flags=['-k'])
|
||||
+realm.run([kvno, '-U', 'user', realm.host_princ])
|
||||
+
|
||||
# Go back to a normal KDC and disable anonymous PKINIT.
|
||||
realm.stop_kdc()
|
||||
realm.start_kdc()
|
||||
--
|
||||
2.8.1
|
||||
|
@ -13,7 +13,7 @@
|
||||
Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.14.1
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
|
||||
# - The sources below are stored in a lookaside cache. Upload with
|
||||
@ -73,6 +73,7 @@ Patch165: krb5-1.15-kdc_hooks_test.patch
|
||||
|
||||
Patch166: krb5-1.14.3-fix_otp_as_key.patch
|
||||
Patch167: krb5-1.14.3-krad-recv.patch
|
||||
Patch168: krb5-1.14.4-CVE-2016-3120.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -273,6 +274,7 @@ ln NOTICE LICENSE
|
||||
|
||||
%patch166 -p1 -b .fix_otp_as_key
|
||||
%patch167 -p1 -b .krad-recv
|
||||
%patch168 -p1 -b .CVE-2016-3120
|
||||
|
||||
# Take the execute bit off of documentation.
|
||||
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
|
||||
@ -803,6 +805,10 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Thu Jul 28 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-9
|
||||
- Fix CVE-2016-3120
|
||||
- Resolves: #1361051
|
||||
|
||||
* Wed Jun 22 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-8
|
||||
- Fix incorrect recv() size calculation in libkrad
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user