* Wed Oct 29 2014 Roland Mainz <rmainz@redhat.com> - 1.13-0

- Update from krb5-1.13-alpha1 to final krb5-1.13 - Removed patch for CVE-2014-5351 (#1145425) "krb5: current keys returned when randomizing the keys for a service principal" - now part of upstream sources - Use patch for glibc |eventfd()| prototype mismatch (#1147887) only for Fedora > 20
2014-10-29 21:48:06 +01:00 · 2014-10-29 21:48:06 +01:00 · 6a0c01a783
commit 6a0c01a783
parent 210ae0a2c1
3 changed files with 6 additions and 93 deletions
--- a/.gitignore
+++ b/.gitignore
@ -113,3 +113,6 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.13-alpha1.tar.gz
 /krb5-1.13-alpha1.tar.gz.asc
 /krb5-1.13-alpha1-pdf.tar.xz
+/krb5-1.13.tar.gz
+/krb5-1.13.tar.gz.asc
+/krb5-1.13-pdf.tar.xz
--- a/krb5-bug_1145425_CVE-2014-5351.patch
+++ b/krb5-bug_1145425_CVE-2014-5351.patch
@ -1,90 +0,0 @@
-# from wget 'https://github.com/krb5/krb5/commit/3bf9e33f9d66c0eef486cbd83f9e4f13a74d12c3.patch'
-From 3bf9e33f9d66c0eef486cbd83f9e4f13a74d12c3 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Thu, 21 Aug 2014 13:52:07 -0400
-Subject: [PATCH] Return only new keys in randkey [CVE-2014-5351]
-
-In kadmind's randkey operation, if a client specifies the keepold
-flag, do not include the preserved old keys in the response.
-
-CVE-2014-5351:
-
-An authenticated remote attacker can retrieve the current keys for a
-service principal when generating a new set of keys for that
-principal.  The attacker needs to be authenticated as a user who has
-the elevated privilege for randomizing the keys of other principals.
-
-Normally, when a Kerberos administrator randomizes the keys of a
-service principal, kadmind returns only the new keys.  This prevents
-an administrator who lacks legitimate privileged access to a service
-from forging tickets to authenticate to that service.  If the
-"keepold" flag to the kadmin randkey RPC operation is true, kadmind
-retains the old keys in the KDC database as intended, but also
-unexpectedly returns the old keys to the client, which exposes the
-service to ticket forgery attacks from the administrator.
-
-A mitigating factor is that legitimate clients of the affected service
-will start failing to authenticate to the service once they begin to
-receive service tickets encrypted in the new keys.  The affected
-service will be unable to decrypt the newly issued tickets, possibly
-alerting the legitimate administrator of the affected service.
-
-CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
-
-[tlyu@mit.edu: CVE description and CVSS score]
-
-(cherry picked from commit af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca)
-
-ticket: 8018
-version_fixed: 1.13
-status: resolved
---
- src/lib/kadm5/srv/svr_principal.c | 21 ++++++++++++++++++---
- 1 file changed, 18 insertions(+), 3 deletions(-)
-
-diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
-index 5d358bd..d4e74cc 100644
--- krb5-1.11.3/src/lib/kadm5/srv/svr_principal.c
-+++ krb5-1.11.3/src/lib/kadm5/srv/svr_principal.c
-@@ -344,6 +344,20 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
-     *passptr = NULL;
- }
- 
-+/* Return the number of keys with the newest kvno.  Assumes that all key data
-+ * with the newest kvno are at the front of the key data array. */
-+static int
-+count_new_keys(int n_key_data, krb5_key_data *key_data)
-+{
-+    int n;
-+
-+    for (n = 1; n < n_key_data; n++) {
-+        if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno)
-+            return n;
-+    }
-+    return n_key_data;
-+}
-+
- kadm5_ret_t
- kadm5_create_principal(void *server_handle,
-                        kadm5_principal_ent_t entry, long mask,
-@@ -1593,7 +1607,7 @@ kadm5_randkey_principal_3(void *server_handle,
-     osa_princ_ent_rec           adb;
-     krb5_int32                  now;
-     kadm5_policy_ent_rec        pol;
-    int                         ret, last_pwd;
-+    int                         ret, last_pwd, n_new_keys;
-     krb5_boolean                have_pol = FALSE;
-     kadm5_server_handle_t       handle = server_handle;
-     krb5_keyblock               *act_mkey;
-@@ -1686,8 +1700,9 @@ kadm5_randkey_principal_3(void *server_handle,
-     kdb->fail_auth_count = 0;
- 
-     if (keyblocks) {
-        ret = decrypt_key_data(handle->context,
-                               kdb->n_key_data, kdb->key_data,
-+        /* Return only the new keys added by krb5_dbe_crk. */
-+        n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data);
-+        ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data,
-                                keyblocks, n_keys);
-         if (ret)
-             goto done;
--- a/6
+++ b/6
@ -1,5 +1,5 @@
-c0b597b78cd13be105aff29c600883b9  krb5-1.13-alpha1.tar.gz
-49a891e6007a42a7e6f82e5943899a2c  krb5-1.13-alpha1.tar.gz.asc
-d3c480887984f14ecd8d93fd30a11896  krb5-1.13-alpha1-pdf.tar.xz
+addb5fd7150f76059ed2a11a3970c957  krb5-1.13.tar.gz
+39b6cad419762cbb96211cf282227e49  krb5-1.13.tar.gz.asc
+d3c480887984f14ecd8d93fd30a11896  krb5-1.13-pdf.tar.xz
 142c7f3f8d2b08936d2cee3de743133e  nss_wrapper-0.0-20140204195100.git3d58327.tar.xz
 d8e42cf537192765463c3f1bad870250  socket_wrapper-0.0-20140204194748.gitf3b2ece.tar.xz