From 528404bbf5b3b33542fab425c2fade925b428f88 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Thu, 28 Jul 2016 21:56:30 +0000
Subject: [PATCH] Fix CVE-2016-3120
Resolves: #1361051
---
krb5-1.14.4-CVE-2016-3120.patch | 57 +++++++++++++++++++++++++++++++++
krb5.spec | 8 ++++-
2 files changed, 64 insertions(+), 1 deletion(-)
create mode 100644 krb5-1.14.4-CVE-2016-3120.patch
diff --git a/krb5-1.14.4-CVE-2016-3120.patch b/krb5-1.14.4-CVE-2016-3120.patch
new file mode 100644
index 0000000..fa412aa
--- /dev/null
+++ b/krb5-1.14.4-CVE-2016-3120.patch
@@ -0,0 +1,57 @@
+From 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Tue, 19 Jul 2016 11:00:28 -0400
+Subject: [PATCH] Fix S4U2Self KDC crash when anon is restricted
+
+In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
+use client.princ instead of request->client; the latter is NULL when
+validating S4U2Self requests.
+
+CVE-2016-3120:
+
+In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
+to dereference a null pointer if the restrict_anonymous_to_tgt option
+is set to true, by making an S4U2Self request.
+
+ CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
+
+ticket: 8458 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+---
+ src/kdc/kdc_util.c | 2 +-
+ src/tests/t_pkinit.py | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 776e130..29f9dbb 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -739,7 +739,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
+ return(KDC_ERR_MUST_USE_USER2USER);
+ }
+
+- if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
++ if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
+ *status = "ANONYMOUS NOT ALLOWED";
+ return(KDC_ERR_POLICY);
+ }
+diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
+index b66c458..f0214b6 100755
+--- a/src/tests/t_pkinit.py
++++ b/src/tests/t_pkinit.py
+@@ -93,6 +93,11 @@ out = realm.run([kvno, realm.host_princ], expected_code=1)
+ if 'KDC policy rejects request' not in out:
+ fail('Wrong error for restricted anonymous PKINIT')
+
++# Regression test for #8458: S4U2Self requests crash the KDC if
++# anonymous is restricted.
++realm.kinit(realm.host_princ, flags=['-k'])
++realm.run([kvno, '-U', 'user', realm.host_princ])
++
+ # Go back to a normal KDC and disable anonymous PKINIT.
+ realm.stop_kdc()
+ realm.start_kdc()
+--
+2.8.1
+
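Review bot: Nothing at the `check_anon()` call in `validate_as_request()` records why `client.princ` must be used there, so a later cleanup could restore `request->client` and bring back the NULL dereference on S4U2Self requests. A one-line comment above the call would pin it, for example `/* request->client is NULL for S4U2Self; use the client entry's principal */`. The rest of `validate_as_request()` lies outside the embedded hunk, so any other use of `request->client` on that path is worth checking for the same NULL case. The added t_pkinit.py lines assert nothing about the output and appear to rely on `realm.run` failing when kvno exits non-zero. That looks sufficient to catch a crashed KDC, but it only protects the package if the build actually runs this test.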
diff --git a/krb5.spec b/krb5.spec index f85c1d2..b6ab77e 100644 --- a/krb5.spec +++ b/krb5.spec @@ -13,7 +13,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.14.1 -Release: 8%{?dist} +Release: 9%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # - The sources below are stored in a lookaside cache. Upload with @@ -73,6 +73,7 @@ Patch165: krb5-1.15-kdc_hooks_test.patch Patch166: krb5-1.14.3-fix_otp_as_key.patch Patch167: krb5-1.14.3-krad-recv.patch +Patch168: krb5-1.14.4-CVE-2016-3120.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -273,6 +274,7 @@ ln NOTICE LICENSE %patch166 -p1 -b .fix_otp_as_key %patch167 -p1 -b .krad-recv +%patch168 -p1 -b .CVE-2016-3120 # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -803,6 +805,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Thu Jul 28 2016 Robbie Harwood - 1.14.1-9 +- Fix CVE-2016-3120 +- Resolves: #1361051 + * Wed Jun 22 2016 Robbie Harwood - 1.14.1-8 - Fix incorrect recv() size calculation in libkrad