Remove incorrect KDC assertion

This commit is contained in:
Robbie Harwood 2018-12-20 18:00:42 -05:00
parent 6c692d18f2
commit 7338b669da
2 changed files with 66 additions and 1 deletions

View File

@ -0,0 +1,61 @@
From 5ab44ff3ecdf362a792f193cf18df42866b70f80 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 15 Dec 2018 11:56:36 +0200
Subject: [PATCH] Remove incorrect KDC assertion
The assertion in return_enc_padata() is reachable because
kdc_make_s4u2self_rep() may have previously added encrypted padata.
It is no longer necessary because the code uses add_pa_data_element()
instead of allocating a new list.
CVE-2018-20217:
In MIT krb5 1.8 or later, an authenticated user who can obtain a TGT
using an older encryption type (DES, DES3, or RC4) can cause an
assertion failure in the KDC by sending an S4U2Self request.
[ghudson@mit.edu: rewrote commit message with CVE description]
ticket: 8767 (new)
tags: pullup
target_version: 1.17
target_version: 1.16-next
target_version: 1.15-next
(cherry picked from commit 94e5eda5bb94d1d44733a49c3d9b6d1e42c74def)
---
src/kdc/kdc_preauth.c | 1 -
src/tests/gssapi/t_s4u.py | 8 ++++++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 74953c99f..caf133c14 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1683,7 +1683,6 @@ return_enc_padata(krb5_context context, krb5_data *req_pkt,
krb5_error_code code = 0;
/* This should be initialized and only used for Win2K compat and other
* specific standardized uses such as FAST negotiation. */
- assert(reply_encpart->enc_padata == NULL);
if (is_referral) {
code = return_referral_enc_padata(context, reply_encpart, server);
if (code)
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index fd29e1a27..f02c2fd13 100755
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -139,6 +139,14 @@ if 'auth1: user@' not in out or 'auth2: user@' not in out:
realm.stop()
+mark('S4U2Self with various enctypes')
+for realm in multipass_realms(create_host=False, get_creds=False):
+ service1 = 'service/1@%s' % realm.realm
+ realm.addprinc(service1)
+ realm.extract_keytab(service1, realm.keytab)
+ realm.kinit(service1, None, ['-k'])
+ realm.run(['./t_s4u', 'e:user', '-'])
+
# Test cross realm S4U2Self using server referrals.
mark('cross-realm S4U2Self')
testprincs = {'krbtgt/SREALM': {'keys': 'aes128-cts'},

View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.17 Version: 1.17
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 1.beta2.3%{?dist} Release: 1.beta2.4%{?dist}
# lookaside-cached sources; two downloads and a build artifact # lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@ -63,6 +63,7 @@ Patch36: krb5-1.11-kpasswdtest.patch
Patch88: Become-FIPS-aware.patch Patch88: Become-FIPS-aware.patch
Patch89: In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch Patch89: In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch
Patch90: Add-tests-for-KCM-ccache-type.patch Patch90: Add-tests-for-KCM-ccache-type.patch
Patch91: Remove-incorrect-KDC-assertion.patch
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
@ -710,6 +711,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkadm5srv_mit.so.*
%changelog %changelog
* Thu Dec 20 2018 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta2.4
- Remove incorrect KDC assertion
* Thu Dec 20 2018 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta2.3 * Thu Dec 20 2018 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta2.3
- Fix syntax on pkinit_anchors field in default krb5.conf - Fix syntax on pkinit_anchors field in default krb5.conf