From 54e60b1162ab626049c2bd96c70c777b8bd06e82 Mon Sep 17 00:00:00 2001
From: Roland Mainz <rmainz@redhat.com>
Date: Fri, 20 Mar 2015 13:23:20 +0100
Subject: [PATCH] * Thu Mar 19 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-2
 - fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated   denial of service
 in recvauth_common() and others"

---
 ..._5355_fix_krb5_read_message_handling.patch | 110 ++++++++++++++++++
 krb5.spec                                     |   8 +-
 2 files changed, 117 insertions(+), 1 deletion(-)
 create mode 100644 krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch

diff --git a/krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch b/krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch
new file mode 100644
index 0000000..c90a4dd
--- /dev/null
+++ b/krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch
@@ -0,0 +1,110 @@
+From 21e4e653d8258d525f4b6ca87797d42a8bccc282 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 9 Dec 2014 12:37:44 -0500
+Subject: [PATCH] Fix krb5_read_message handling [CVE-2014-5355]
+
+In recvauth_common, do not use strcmp against the data fields of
+krb5_data objects populated by krb5_read_message(), as there is no
+guarantee that they are C strings.  Instead, create an expected
+krb5_data value and use data_eq().
+
+In the sample user-to-user server application, check that the received
+client principal name is null-terminated before using it with printf
+and krb5_parse_name.
+
+CVE-2014-5355:
+
+In MIT krb5, when a server process uses the krb5_recvauth function, an
+unauthenticated remote attacker can cause a NULL dereference by
+sending a zero-byte version string, or a read beyond the end of
+allocated storage by sending a non-null-terminated version string.
+The example user-to-user server application (uuserver) is similarly
+vulnerable to a zero-length or non-null-terminated principal name
+string.
+
+The krb5_recvauth function reads two version strings from the client
+using krb5_read_message(), which produces a krb5_data structure
+containing a length and a pointer to an octet sequence.  krb5_recvauth
+assumes that the data pointer is a valid C string and passes it to
+strcmp() to verify the versions.  If the client sends an empty octet
+sequence, the data pointer will be NULL and strcmp() will dereference
+a NULL pointer, causing the process to crash.  If the client sends a
+non-null-terminated octet sequence, strcmp() will read beyond the end
+of the allocated storage, possibly causing the process to crash.
+
+uuserver similarly uses krb5_read_message() to read a client principal
+name, and then passes it to printf() and krb5_parse_name() without
+verifying that it is a valid C string.
+
+The krb5_recvauth function is used by kpropd and the Kerberized
+versions of the BSD rlogin and rsh daemons.  These daemons are usually
+run out of inetd or in a mode which forks before processing incoming
+connections, so a process crash will generally not result in a
+complete denial of service.
+
+Thanks to Tim Uglow for discovering this issue.
+
+CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
+
+[tlyu@mit.edu: CVSS score]
+
+(cherry picked from commit 102bb6ebf20f9174130c85c3b052ae104e5073ec)
+
+ticket: 8050
+version_fixed: 1.13.2
+status: resolved
+---
+ src/appl/user_user/server.c | 4 +++-
+ src/lib/krb5/krb/recvauth.c | 9 ++++++---
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/appl/user_user/server.c b/src/appl/user_user/server.c
+index 09ea4e0..f2b5b61 100644
+--- a/src/appl/user_user/server.c
++++ b/src/appl/user_user/server.c
+@@ -111,8 +111,10 @@ int main(argc, argv)
+     }
+ #endif
+ 
++    /* principal name must be sent null-terminated. */
+     retval = krb5_read_message(context, (krb5_pointer) &sock, &pname_data);
+-    if (retval) {
++    if (retval || pname_data.length == 0 ||
++        pname_data.data[pname_data.length - 1] != '\0') {
+         com_err ("uu-server", retval, "reading pname");
+         return 2;
+     }
+diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c
+index da836283..5adc6dd 100644
+--- a/src/lib/krb5/krb/recvauth.c
++++ b/src/lib/krb5/krb/recvauth.c
+@@ -59,6 +59,7 @@ recvauth_common(krb5_context context,
+     krb5_rcache           rcache = 0;
+     krb5_octet            response;
+     krb5_data             null_server;
++    krb5_data             d;
+     int                   need_error_free = 0;
+     int                   local_rcache = 0, local_authcon = 0;
+ 
+@@ -77,7 +78,8 @@ recvauth_common(krb5_context context,
+          */
+         if ((retval = krb5_read_message(context, fd, &inbuf)))
+             return(retval);
+-        if (strcmp(inbuf.data, sendauth_version)) {
++        d = make_data((char *)sendauth_version, strlen(sendauth_version) + 1);
++        if (!data_eq(inbuf, d)) {
+             problem = KRB5_SENDAUTH_BADAUTHVERS;
+             response = 1;
+         }
+@@ -93,8 +95,9 @@ recvauth_common(krb5_context context,
+      */
+     if ((retval = krb5_read_message(context, fd, &inbuf)))
+         return(retval);
+-    if (appl_version && strcmp(inbuf.data, appl_version)) {
+-        if (!problem) {
++    if (appl_version != NULL && !problem) {
++        d = make_data(appl_version, strlen(appl_version) + 1);
++        if (!data_eq(inbuf, d)) {
+             problem = KRB5_SENDAUTH_BADAPPLVERS;
+             response = 2;
+         }
diff --git a/krb5.spec b/krb5.spec
index e1c9bac..a2c4f5b 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -43,7 +43,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.13.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.1-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -95,6 +95,7 @@ Patch129: krb5-1.11-run_user_0.patch
 Patch134: krb5-1.11-kpasswdtest.patch
 Patch136: krb5-socket_wrapper_eventfd_prototype_mismatch.patch
 Patch140: krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
+Patch141: krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -317,6 +318,7 @@ ln NOTICE LICENSE
 %endif
 
 %patch140 -p1 -b .krb5-1.14-support-kdc_err_more_preauth_data_required
+%patch141 -p1 -b .krb5-1.12.1-cve_2014_5355_fix_krb5_read_message_handling
 
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -989,6 +991,10 @@ exit 0
 
 
 %changelog
+* Thu Mar 20 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-2
+- fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated
+  denial of service in recvauth_common() and others"  
+
 * Fri Feb 13 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-1
 - Update to krb5-1.13.1
   - drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1