* Wed Dec 17 2014 Roland Mainz <rmainz@redhat.com> - 1.13-3
- fix for CVE-2014-5353 (#1174543) "Fix LDAP misused policy name crash"
parent a54d1f9ac9
commit 8545575f69

krb5-CVE_2014_5353_fix_LDAP_misused_policy_name_crash.patch (new file, 63 lines)
@ -0,0 +1,63 @@
From d1f707024f1d0af6e54a18885322d70fa15ec4d3 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 5 Dec 2014 14:01:39 -0500
Subject: [PATCH] Fix LDAP misused policy name crash [CVE-2014-5353]

In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns
successfully with no results, return KRB5_KDB_NOENTRY instead of
returning success with a zeroed-out policy object. This fixes a null
dereference when an admin attempts to use an LDAP ticket policy name
as a password policy name.

CVE-2014-5353:

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL dereference
by attempting to use a named ticket policy object as a password policy
for a principal. The attacker needs to be authenticated as a user who
has the elevated privilege for setting password policy by adding or
modifying principals.

Queries to LDAP scoped to the krbPwdPolicy object class will correctly
not return entries of other classes, such as ticket policy objects, but
may return success with no returned elements if an object with the
requested DN exists in a different object class. In this case, the
routine to retrieve a password policy returned success with a password
policy object that consisted entirely of zeroed memory. In particular,
accesses to the policy name will dereference a NULL pointer. KDC
operation does not access the policy name field, but most kadmin
operations involving the principal with incorrect password policy
will trigger the crash.

Thanks to Patrik Kis for reporting this problem.

CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C

[kaduk@mit.edu: CVE description and CVSS score]

ticket: 8051 (new)
target_version: 1.13.1
tags: pullup
---
src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
index 522773e..6779f51 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
@@ -314,10 +314,11 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes);

ent=ldap_first_entry(ld, result);
- if (ent != NULL) {
- if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0)
- goto cleanup;
+ if (ent == NULL) {
+ st = KRB5_KDB_NOENTRY;
+ goto cleanup;
}
+ st = populate_policy(context, ld, ent, pol_name, *policy);

cleanup:
ldap_msgfree(result);
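Review bot: the `if (ent == NULL)` branch closes the zero-result hole, but the hunk does not show what happens to `*policy` on that path: the function now returns KRB5_KDB_NOENTRY where it used to return 0 with a zeroed object, so whoever allocates `*policy` before this point (not visible here) and every caller of krb5_ldap_get_password_policy_from_dn should be checked for freeing it on a nonzero status and for turning KRB5_KDB_NOENTRY into a "policy does not exist" error rather than a generic failure. A one-line comment above the check would also help, since a successful base-scope search coming back empty (the DN exists but is not a krbPwdPolicy) is the non-obvious case the commit message had to spell out.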
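The mechanism the upstream commit message describes, written out as an added example; this is not krb5 code, and the hunk above is the only code from the project on this page. A tiny in-memory directory stands in for LDAP, and `get_policy()` follows the shape of the patched function with a `fixed` switch that selects the pre-patch or post-patch handling of an empty result. `dir_entry`, `ldap_search_base`, `populate_policy`, the `ST_*` status codes and the sample DNs are all invented for the example; only the pattern (a base-scope search that succeeds with zero entries because the DN exists under a different object class, and a consumer that reads the policy name) is the one the commit message explains.

```c
/* Added illustration of the CVE-2014-5353 failure mode, not krb5 code.
 * Every identifier here (dir_entry, ldap_search_base, ST_*, the DNs) is
 * invented for the example; only the control-flow pattern is krb5's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for krb5 status codes; ST_NOENTRY plays KRB5_KDB_NOENTRY. */
enum { ST_OK = 0, ST_NOENTRY, ST_SEARCH_FAILED, ST_NOMEM };

/* Constructed sample entries: a password policy and a ticket policy that
 * sit in the same container but carry different object classes. */
struct dir_entry { const char *dn; const char *objectclass; int max_life; int min_length; };
#define PWD_POLICY_DN    "cn=default,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"
#define TICKET_POLICY_DN "cn=users,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"
static const struct dir_entry directory[] = {
    { PWD_POLICY_DN,    "krbPwdPolicy",    90, 12 },
    { TICKET_POLICY_DN, "krbTicketPolicy",  0,  0 },
};

/* Base-scope search with an objectclass filter. Like a real server it fails
 * only when the DN does not exist at all; a DN that exists under another
 * class yields success with zero entries (*found == NULL). */
static int ldap_search_base(const char *dn, const char *objectclass, const struct dir_entry **found)
{
    size_t i;
    int dn_exists = 0;
    *found = NULL;
    for (i = 0; i < sizeof directory / sizeof directory[0]; i++) {
        if (strcmp(directory[i].dn, dn) != 0) continue;
        dn_exists = 1;
        if (strcmp(directory[i].objectclass, objectclass) == 0) { *found = &directory[i]; break; }
    }
    return dn_exists ? ST_OK : ST_SEARCH_FAILED;
}

struct pwd_policy { char *name; int max_life; int min_length; };

static int populate_policy(const struct dir_entry *ent, const char *pol_name, struct pwd_policy *p)
{
    size_t n = strlen(pol_name) + 1;
    p->name = malloc(n);
    if (p->name == NULL) return ST_NOMEM;
    memcpy(p->name, pol_name, n);
    p->max_life = ent->max_life;
    p->min_length = ent->min_length;
    return ST_OK;
}

static void free_policy(struct pwd_policy *p) { if (p) { free(p->name); free(p); } }

/* Mirrors krb5_ldap_get_password_policy_from_dn. With fixed == 0 an empty
 * result falls through with st == ST_OK and the caller receives a calloc'd
 * policy whose name pointer is NULL (pre-patch behaviour); with fixed == 1
 * the empty result becomes ST_NOENTRY and the object is released. */
static int get_policy(int fixed, const char *dn, const char *pol_name, struct pwd_policy **policy)
{
    const struct dir_entry *ent;
    int st;
    *policy = calloc(1, sizeof **policy);
    if (*policy == NULL) return ST_NOMEM;
    st = ldap_search_base(dn, "krbPwdPolicy", &ent);
    if (st != ST_OK) goto cleanup;
    if (ent == NULL) {
        if (fixed) st = ST_NOENTRY;   /* the patched branch */
        goto cleanup;                 /* unpatched: st is still ST_OK */
    }
    st = populate_policy(ent, pol_name, *policy);
cleanup:
    if (st != ST_OK) { free_policy(*policy); *policy = NULL; }
    return st;
}

/* Where kadmin crashed: anything that reads policy->name. This probe returns
 * -1 instead of dereferencing NULL so the bad state can be observed safely. */
static int policy_name_len(const struct pwd_policy *p) { return (p && p->name) ? (int)strlen(p->name) : -1; }

/* Demo helpers: run one lookup and report the status or the name probe. */
static int lookup_status(int fixed, const char *dn, const char *pol_name)
{
    struct pwd_policy *p = NULL;
    int st = get_policy(fixed, dn, pol_name, &p);
    free_policy(p);
    return st;
}

static int lookup_name_len(int fixed, const char *dn, const char *pol_name)
{
    struct pwd_policy *p = NULL;
    int n;
    (void)get_policy(fixed, dn, pol_name, &p);
    n = policy_name_len(p);
    free_policy(p);
    return n;
}

int main(void)
{
    printf("unpatched, ticket-policy DN: status %d, name len %d\n",
           lookup_status(0, TICKET_POLICY_DN, "users"), lookup_name_len(0, TICKET_POLICY_DN, "users"));
    printf("patched,   ticket-policy DN: status %d, name len %d\n",
           lookup_status(1, TICKET_POLICY_DN, "users"), lookup_name_len(1, TICKET_POLICY_DN, "users"));
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c` and run. The unpatched path returns status 0 for the ticket-policy DN while `policy_name_len` reports -1, which is the "success with a zeroed policy" state the advisory describes; the probe only survives because it checks the pointer first, which is the check the kadmin consumers of the policy name did not have. The patched path returns ST_NOENTRY and hands back no object at all.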
krb5.spec (13 changed lines)
@ -43,7 +43,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.13
Release: 2%{?dist}
Release: 3%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@ -94,6 +94,7 @@ Patch105: krb5-kvno-230379.patch
Patch129: krb5-1.11-run_user_0.patch
Patch134: krb5-1.11-kpasswdtest.patch
Patch136: krb5-socket_wrapper_eventfd_prototype_mismatch.patch
Patch137: krb5-CVE_2014_5353_fix_LDAP_misused_policy_name_crash.patch

License: MIT
URL: http://web.mit.edu/kerberos/www/
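Review bot: the new `Patch137:` line carries no pointer to where the patch came from; the neighbouring entries do not either, but for a CVE backport a comment directly above it naming the upstream commit (d1f707024f1d0af6e54a18885322d70fa15ec4d3, krb5 RT ticket 8051, target_version 1.13.1) and the Bugzilla reference (#1174543) would let the patch be dropped cleanly on the rebase to 1.13.1 instead of being carried forward by habit. A smaller style point: the filename spells the identifier with underscores (`CVE_2014_5353`) while the changelog and commit message use `CVE-2014-5353`; using the same form in the filename makes a grep for the CVE id find both.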
@ -315,6 +316,8 @@ ln NOTICE LICENSE
%patch136 -p1
%endif

%patch137 -p1

# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html

@ -985,12 +988,16 @@ exit 0
%{_sbindir}/uuserver

%changelog
* Wed Oct 29 2014 Roland Mainz <rmainz@redhat.com> - 1.13-0
* Wed Dec 17 2014 Roland Mainz <rmainz@redhat.com> - 1.13-3
- fix for CVE-2014-5353 (#1174543) "Fix LDAP misused policy
name crash"

* Wed Oct 29 2014 Roland Mainz <rmainz@redhat.com> - 1.13-2
- Bump 1%%{?dist} to 2%%{?dist} to workaround RPM sort issue
which would lead yum updates to treat the last alpha as newer
than the final version.

* Wed Oct 29 2014 Roland Mainz <rmainz@redhat.com> - 1.13-0
* Wed Oct 29 2014 Roland Mainz <rmainz@redhat.com> - 1.13-1
- Update from krb5-1.13-alpha1 to final krb5-1.13
- Removed patch for CVE-2014-5351 (#1145425) "krb5: current
keys returned when randomizing the keys for a service principal" -
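Review bot: besides adding the 1.13-3 entry, this hunk touches the two existing `Wed Oct 29 2014` entries: their headers appear in the hunk both with `- 1.13-0` and again with `- 1.13-2` and `- 1.13-1`, so their release numbers are being corrected in the same commit as the CVE backport. That is a reasonable cleanup, but it is invisible in the commit message, which only says "fix for CVE-2014-5353"; either add a line to the 1.13-3 entry recording it or split it into its own commit, so the changelog history matches the spec's actual Release: values. The new entry itself lines up: the date, `1.13-3` and `#1174543` match the Release: bump above and the commit message.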