diff --git a/.gitignore b/.gitignore
index 97c3f9a..da4132e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -117,3 +117,6 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.13.tar.gz.asc
 /krb5-1.13-pdf.tar.xz
 /krb5-1.13.1-pdf.pax.xz
+/krb5-1.13.2.tar.gz
+/krb5-1.13.2.tar.gz.asc
+/krb5-1.13.2-pdf.pax.xz
diff --git a/krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch b/krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch
deleted file mode 100644
index c90a4dd..0000000
--- a/krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From 21e4e653d8258d525f4b6ca87797d42a8bccc282 Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Tue, 9 Dec 2014 12:37:44 -0500
-Subject: [PATCH] Fix krb5_read_message handling [CVE-2014-5355]
-
-In recvauth_common, do not use strcmp against the data fields of
-krb5_data objects populated by krb5_read_message(), as there is no
-guarantee that they are C strings. Instead, create an expected
-krb5_data value and use data_eq().
-
-In the sample user-to-user server application, check that the received
-client principal name is null-terminated before using it with printf
-and krb5_parse_name.
-
-CVE-2014-5355:
-
-In MIT krb5, when a server process uses the krb5_recvauth function, an
-unauthenticated remote attacker can cause a NULL dereference by
-sending a zero-byte version string, or a read beyond the end of
-allocated storage by sending a non-null-terminated version string.
-The example user-to-user server application (uuserver) is similarly
-vulnerable to a zero-length or non-null-terminated principal name
-string.
-
-The krb5_recvauth function reads two version strings from the client
-using krb5_read_message(), which produces a krb5_data structure
-containing a length and a pointer to an octet sequence. krb5_recvauth
-assumes that the data pointer is a valid C string and passes it to
-strcmp() to verify the versions. If the client sends an empty octet
-sequence, the data pointer will be NULL and strcmp() will dereference
-a NULL pointer, causing the process to crash. If the client sends a
-non-null-terminated octet sequence, strcmp() will read beyond the end
-of the allocated storage, possibly causing the process to crash.
-
-uuserver similarly uses krb5_read_message() to read a client principal
-name, and then passes it to printf() and krb5_parse_name() without
-verifying that it is a valid C string.
-
-The krb5_recvauth function is used by kpropd and the Kerberized
-versions of the BSD rlogin and rsh daemons. These daemons are usually
-run out of inetd or in a mode which forks before processing incoming
-connections, so a process crash will generally not result in a
-complete denial of service.
-
-Thanks to Tim Uglow for discovering this issue.
-
-CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
-
-[tlyu@mit.edu: CVSS score]
-
-(cherry picked from commit 102bb6ebf20f9174130c85c3b052ae104e5073ec)
-
-ticket: 8050
-version_fixed: 1.13.2
-status: resolved
----
- src/appl/user_user/server.c | 4 +++-
- src/lib/krb5/krb/recvauth.c | 9 ++++++---
- 2 files changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/src/appl/user_user/server.c b/src/appl/user_user/server.c
-index 09ea4e0..f2b5b61 100644
---- a/src/appl/user_user/server.c
-+++ b/src/appl/user_user/server.c
-@@ -111,8 +111,10 @@ int main(argc, argv)
- }
- #endif
-
-+ /* principal name must be sent null-terminated. */
- retval = krb5_read_message(context, (krb5_pointer) &sock, &pname_data);
-- if (retval) {
-+ if (retval || pname_data.length == 0 ||
-+ pname_data.data[pname_data.length - 1] != '\0') {
- com_err ("uu-server", retval, "reading pname");
- return 2;
- }
-diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c
-index da836283..5adc6dd 100644
---- a/src/lib/krb5/krb/recvauth.c
-+++ b/src/lib/krb5/krb/recvauth.c
-@@ -59,6 +59,7 @@ recvauth_common(krb5_context context,
- krb5_rcache rcache = 0;
- krb5_octet response;
- krb5_data null_server;
-+ krb5_data d;
- int need_error_free = 0;
- int local_rcache = 0, local_authcon = 0;
-
-@@ -77,7 +78,8 @@ recvauth_common(krb5_context context,
- */
- if ((retval = krb5_read_message(context, fd, &inbuf)))
- return(retval);
-- if (strcmp(inbuf.data, sendauth_version)) {
-+ d = make_data((char *)sendauth_version, strlen(sendauth_version) + 1);
-+ if (!data_eq(inbuf, d)) {
- problem = KRB5_SENDAUTH_BADAUTHVERS;
- response = 1;
- }
-@@ -93,8 +95,9 @@ recvauth_common(krb5_context context,
- */
- if ((retval = krb5_read_message(context, fd, &inbuf)))
- return(retval);
-- if (appl_version && strcmp(inbuf.data, appl_version)) {
-- if (!problem) {
-+ if (appl_version != NULL && !problem) {
-+ d = make_data(appl_version, strlen(appl_version) + 1);
-+ if (!data_eq(inbuf, d)) {
- problem = KRB5_SENDAUTH_BADAPPLVERS;
- response = 2;
- }
diff --git a/krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC.patch b/krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC.patch
deleted file mode 100644
index 153566b..0000000
--- a/krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From e3b5a5e5267818c97750b266df50b6a3d4649604 Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Tue, 24 Mar 2015 12:02:37 -0400
-Subject: [PATCH] Prevent requires_preauth bypass [CVE-2015-2694]
-
-In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until
-the request is successfully verified. In the PKINIT kdcpreauth
-module, don't respond with code 0 on empty input or an unconfigured
-realm. Together these bugs could cause the KDC preauth framework to
-erroneously treat a request as pre-authenticated.
-
-CVE-2015-2694:
-
-In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
-support, an unauthenticated remote attacker can bypass the
-requires_preauth flag on a client principal and obtain a ciphertext
-encrypted in the principal's long-term key. This ciphertext could be
-used to conduct an off-line dictionary attack against the user's
-password.
-
- CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C
-
-ticket: 8160 (new)
-target_version: 1.13.2
-tags: pullup
-subject: requires_preauth bypass in PKINIT-enabled KDC [CVE-2015-2694]
----
- src/plugins/preauth/otp/main.c | 10 +++++++---
- src/plugins/preauth/pkinit/pkinit_srv.c | 4 ++--
- 2 files changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c
-index bf9c6a8..7941b4a 100644
---- a/src/plugins/preauth/otp/main.c
-+++ b/src/plugins/preauth/otp/main.c
-@@ -42,6 +42,7 @@ static krb5_preauthtype otp_pa_type_list[] =
- struct request_state {
- krb5_kdcpreauth_verify_respond_fn respond;
- void *arg;
-+ krb5_enc_tkt_part *enc_tkt_reply;
- };
-
- static krb5_error_code
-@@ -159,6 +160,9 @@ on_response(void *data, krb5_error_code retval, otp_response response)
- if (retval == 0 && response != otp_response_success)
- retval = KRB5_PREAUTH_FAILED;
-
-+ if (retval == 0)
-+ rs.enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
-+
- rs.respond(rs.arg, retval, NULL, NULL, NULL);
- }
-
-@@ -263,8 +267,6 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_data d, plaintext;
- char *config;
-
-- enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
--
- /* Get the FAST armor key. */
- armor_key = cb->fast_armor(context, rock);
- if (armor_key == NULL) {
-@@ -298,12 +300,14 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
- goto error;
- }
-
-- /* Create the request state. */
-+ /* Create the request state. Save the response callback, and the
-+ * enc_tkt_reply pointer so we can set the TKT_FLG_PRE_AUTH flag later. */
- rs = k5alloc(sizeof(struct request_state), &retval);
- if (rs == NULL)
- goto error;
- rs->arg = arg;
- rs->respond = respond;
-+ rs->enc_tkt_reply = enc_tkt_reply;
-
- /* Get the principal's OTP configuration string. */
- retval = cb->get_string(context, rock, "otp", &config);
-diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
-index b472741..5b1d73e 100644
---- a/src/plugins/preauth/pkinit/pkinit_srv.c
-+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
-@@ -301,7 +301,7 @@ pkinit_server_verify_padata(krb5_context context,
-
- pkiDebug("pkinit_verify_padata: entered!\n");
- if (data == NULL || data->length <= 0 || data->contents == NULL) {
-- (*respond)(arg, 0, NULL, NULL, NULL);
-+ (*respond)(arg, EINVAL, NULL, NULL, NULL);
- return;
- }
-
-@@ -313,7 +313,7 @@ pkinit_server_verify_padata(krb5_context context,
-
- plgctx = pkinit_find_realm_context(context, moddata, request->server);
- if (plgctx == NULL) {
-- (*respond)(arg, 0, NULL, NULL, NULL);
-+ (*respond)(arg, EINVAL, NULL, NULL, NULL);
- return;
- }
-