* Wed Oct 29 2014 Roland Mainz <rmainz@redhat.com> - 1.13-0

- Update from krb5-1.13-alpha1 to final krb5-1.13 - Removed patch for CVE-2014-5351 (#1145425) "krb5: current keys returned when randomizing the keys for a service principal" - now part of upstream sources - Use patch for glibc |eventfd()| prototype mismatch (#1147887) only for Fedora > 20
2014-10-29 21:48:06 +01:00 · 2014-10-29 21:48:06 +01:00 · 6a0c01a783
commit 6a0c01a783
parent 210ae0a2c1
3 changed files with 6 additions and 93 deletions
--- a/.gitignore
+++ b/.gitignore
@ -113,3 +113,6 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.13-alpha1.tar.gz
 /krb5-1.13-alpha1.tar.gz.asc
 /krb5-1.13-alpha1-pdf.tar.xz
 /krb5-1.13.tar.gz
 /krb5-1.13.tar.gz.asc
 /krb5-1.13-pdf.tar.xz
--- a/krb5-bug_1145425_CVE-2014-5351.patch
+++ b/krb5-bug_1145425_CVE-2014-5351.patch
@ -1,90 +0,0 @@
 # from wget 'https://github.com/krb5/krb5/commit/3bf9e33f9d66c0eef486cbd83f9e4f13a74d12c3.patch'
 From 3bf9e33f9d66c0eef486cbd83f9e4f13a74d12c3 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 21 Aug 2014 13:52:07 -0400
 Subject: [PATCH] Return only new keys in randkey [CVE-2014-5351]
 In kadmind's randkey operation, if a client specifies the keepold
 flag, do not include the preserved old keys in the response.
 CVE-2014-5351:
 An authenticated remote attacker can retrieve the current keys for a
 service principal when generating a new set of keys for that
 principal.  The attacker needs to be authenticated as a user who has
 the elevated privilege for randomizing the keys of other principals.
 Normally, when a Kerberos administrator randomizes the keys of a
 service principal, kadmind returns only the new keys.  This prevents
 an administrator who lacks legitimate privileged access to a service
 from forging tickets to authenticate to that service.  If the
 "keepold" flag to the kadmin randkey RPC operation is true, kadmind
 retains the old keys in the KDC database as intended, but also
 unexpectedly returns the old keys to the client, which exposes the
 service to ticket forgery attacks from the administrator.
 A mitigating factor is that legitimate clients of the affected service
 will start failing to authenticate to the service once they begin to
 receive service tickets encrypted in the new keys.  The affected
 service will be unable to decrypt the newly issued tickets, possibly
 alerting the legitimate administrator of the affected service.
 CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
 [tlyu@mit.edu: CVE description and CVSS score]
 (cherry picked from commit af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca)
 ticket: 8018
 version_fixed: 1.13
 status: resolved
 ---
 src/lib/kadm5/srv/svr_principal.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
 diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
 index 5d358bd..d4e74cc 100644
 --- krb5-1.11.3/src/lib/kadm5/srv/svr_principal.c
 +++ krb5-1.11.3/src/lib/kadm5/srv/svr_principal.c
@@ -344,6 +344,20 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
     *passptr = NULL;
 }
 +/* Return the number of keys with the newest kvno.  Assumes that all key data
 + * with the newest kvno are at the front of the key data array. */
 +static int
 +count_new_keys(int n_key_data, krb5_key_data *key_data)
 +{
 +    int n;
 +
 +    for (n = 1; n < n_key_data; n++) {
 +        if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno)
 +            return n;
 +    }
 +    return n_key_data;
 +}
 +
 kadm5_ret_t
 kadm5_create_principal(void *server_handle,
                        kadm5_principal_ent_t entry, long mask,
@@ -1593,7 +1607,7 @@ kadm5_randkey_principal_3(void *server_handle,
     osa_princ_ent_rec           adb;
     krb5_int32                  now;
     kadm5_policy_ent_rec        pol;
 -    int                         ret, last_pwd;
 +    int                         ret, last_pwd, n_new_keys;
     krb5_boolean                have_pol = FALSE;
     kadm5_server_handle_t       handle = server_handle;
     krb5_keyblock               *act_mkey;
@@ -1686,8 +1700,9 @@ kadm5_randkey_principal_3(void *server_handle,
     kdb->fail_auth_count = 0;
     if (keyblocks) {
 -        ret = decrypt_key_data(handle->context,
 -                               kdb->n_key_data, kdb->key_data,
 +        /* Return only the new keys added by krb5_dbe_crk. */
 +        n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data);
 +        ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data,
                                keyblocks, n_keys);
         if (ret)
             goto done;
--- a/6
+++ b/6
@ -1,5 +1,5 @@
-c0b597b78cd13be105aff29c600883b9  krb5-1.13-alpha1.tar.gz
+addb5fd7150f76059ed2a11a3970c957  krb5-1.13.tar.gz
-49a891e6007a42a7e6f82e5943899a2c  krb5-1.13-alpha1.tar.gz.asc
+39b6cad419762cbb96211cf282227e49  krb5-1.13.tar.gz.asc
-d3c480887984f14ecd8d93fd30a11896  krb5-1.13-alpha1-pdf.tar.xz
+d3c480887984f14ecd8d93fd30a11896  krb5-1.13-pdf.tar.xz
 142c7f3f8d2b08936d2cee3de743133e  nss_wrapper-0.0-20140204195100.git3d58327.tar.xz
 d8e42cf537192765463c3f1bad870250  socket_wrapper-0.0-20140204194748.gitf3b2ece.tar.xz