* Thu May 14 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-0

- Update to krb5-1.13.2 - drop patch for krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC, fixed in krb5-1.13.2 - drop patch for krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in krb5-1.13.2 - Add script processing for upcoming Zanata l10n support - Minor spec cleanup
2015-05-15 01:03:28 +02:00 · 2015-05-15 01:03:28 +02:00 · 9997960299
commit 9997960299
parent 3ae7a21305
3 changed files with 3 additions and 210 deletions
--- a/.gitignore
+++ b/.gitignore
@ -117,3 +117,6 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.13.tar.gz.asc
 /krb5-1.13-pdf.tar.xz
 /krb5-1.13.1-pdf.pax.xz
 /krb5-1.13.2.tar.gz
 /krb5-1.13.2.tar.gz.asc
 /krb5-1.13.2-pdf.pax.xz
--- a/krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch
+++ b/krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch
@ -1,110 +0,0 @@
 From 21e4e653d8258d525f4b6ca87797d42a8bccc282 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 9 Dec 2014 12:37:44 -0500
 Subject: [PATCH] Fix krb5_read_message handling [CVE-2014-5355]
 In recvauth_common, do not use strcmp against the data fields of
 krb5_data objects populated by krb5_read_message(), as there is no
 guarantee that they are C strings.  Instead, create an expected
 krb5_data value and use data_eq().
 In the sample user-to-user server application, check that the received
 client principal name is null-terminated before using it with printf
 and krb5_parse_name.
 CVE-2014-5355:
 In MIT krb5, when a server process uses the krb5_recvauth function, an
 unauthenticated remote attacker can cause a NULL dereference by
 sending a zero-byte version string, or a read beyond the end of
 allocated storage by sending a non-null-terminated version string.
 The example user-to-user server application (uuserver) is similarly
 vulnerable to a zero-length or non-null-terminated principal name
 string.
 The krb5_recvauth function reads two version strings from the client
 using krb5_read_message(), which produces a krb5_data structure
 containing a length and a pointer to an octet sequence.  krb5_recvauth
 assumes that the data pointer is a valid C string and passes it to
 strcmp() to verify the versions.  If the client sends an empty octet
 sequence, the data pointer will be NULL and strcmp() will dereference
 a NULL pointer, causing the process to crash.  If the client sends a
 non-null-terminated octet sequence, strcmp() will read beyond the end
 of the allocated storage, possibly causing the process to crash.
 uuserver similarly uses krb5_read_message() to read a client principal
 name, and then passes it to printf() and krb5_parse_name() without
 verifying that it is a valid C string.
 The krb5_recvauth function is used by kpropd and the Kerberized
 versions of the BSD rlogin and rsh daemons.  These daemons are usually
 run out of inetd or in a mode which forks before processing incoming
 connections, so a process crash will generally not result in a
 complete denial of service.
 Thanks to Tim Uglow for discovering this issue.
 CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
 [tlyu@mit.edu: CVSS score]
 (cherry picked from commit 102bb6ebf20f9174130c85c3b052ae104e5073ec)
 ticket: 8050
 version_fixed: 1.13.2
 status: resolved
 ---
 src/appl/user_user/server.c | 4 +++-
 src/lib/krb5/krb/recvauth.c | 9 ++++++---
 2 files changed, 9 insertions(+), 4 deletions(-)
 diff --git a/src/appl/user_user/server.c b/src/appl/user_user/server.c
 index 09ea4e0..f2b5b61 100644
 --- a/src/appl/user_user/server.c
 +++ b/src/appl/user_user/server.c
@@ -111,8 +111,10 @@ int main(argc, argv)
     }
 #endif
 +    /* principal name must be sent null-terminated. */
     retval = krb5_read_message(context, (krb5_pointer) &sock, &pname_data);
 -    if (retval) {
 +    if (retval || pname_data.length == 0 ||
 +        pname_data.data[pname_data.length - 1] != '\0') {
         com_err ("uu-server", retval, "reading pname");
         return 2;
     }
 diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c
 index da836283..5adc6dd 100644
 --- a/src/lib/krb5/krb/recvauth.c
 +++ b/src/lib/krb5/krb/recvauth.c
@@ -59,6 +59,7 @@ recvauth_common(krb5_context context,
     krb5_rcache           rcache = 0;
     krb5_octet            response;
     krb5_data             null_server;
 +    krb5_data             d;
     int                   need_error_free = 0;
     int                   local_rcache = 0, local_authcon = 0;
@@ -77,7 +78,8 @@ recvauth_common(krb5_context context,
          */
         if ((retval = krb5_read_message(context, fd, &inbuf)))
             return(retval);
 -        if (strcmp(inbuf.data, sendauth_version)) {
 +        d = make_data((char *)sendauth_version, strlen(sendauth_version) + 1);
 +        if (!data_eq(inbuf, d)) {
             problem = KRB5_SENDAUTH_BADAUTHVERS;
             response = 1;
         }
@@ -93,8 +95,9 @@ recvauth_common(krb5_context context,
      */
     if ((retval = krb5_read_message(context, fd, &inbuf)))
         return(retval);
 -    if (appl_version && strcmp(inbuf.data, appl_version)) {
 -        if (!problem) {
 +    if (appl_version != NULL && !problem) {
 +        d = make_data(appl_version, strlen(appl_version) + 1);
 +        if (!data_eq(inbuf, d)) {
             problem = KRB5_SENDAUTH_BADAPPLVERS;
             response = 2;
         }
--- a/krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC.patch
+++ b/krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC.patch
@ -1,100 +0,0 @@
 From e3b5a5e5267818c97750b266df50b6a3d4649604 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 24 Mar 2015 12:02:37 -0400
 Subject: [PATCH] Prevent requires_preauth bypass [CVE-2015-2694]
 In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until
 the request is successfully verified.  In the PKINIT kdcpreauth
 module, don't respond with code 0 on empty input or an unconfigured
 realm.  Together these bugs could cause the KDC preauth framework to
 erroneously treat a request as pre-authenticated.
 CVE-2015-2694:
 In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
 support, an unauthenticated remote attacker can bypass the
 requires_preauth flag on a client principal and obtain a ciphertext
 encrypted in the principal's long-term key.  This ciphertext could be
 used to conduct an off-line dictionary attack against the user's
 password.
    CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C
 ticket: 8160 (new)
 target_version: 1.13.2
 tags: pullup
 subject: requires_preauth bypass in PKINIT-enabled KDC [CVE-2015-2694]
 ---
 src/plugins/preauth/otp/main.c          | 10 +++++++---
 src/plugins/preauth/pkinit/pkinit_srv.c |  4 ++--
 2 files changed, 9 insertions(+), 5 deletions(-)
 diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c
 index bf9c6a8..7941b4a 100644
 --- a/src/plugins/preauth/otp/main.c
 +++ b/src/plugins/preauth/otp/main.c
@@ -42,6 +42,7 @@ static krb5_preauthtype otp_pa_type_list[] =
 struct request_state {
     krb5_kdcpreauth_verify_respond_fn respond;
     void *arg;
 +    krb5_enc_tkt_part *enc_tkt_reply;
 };
 static krb5_error_code
@@ -159,6 +160,9 @@ on_response(void *data, krb5_error_code retval, otp_response response)
     if (retval == 0 && response != otp_response_success)
         retval = KRB5_PREAUTH_FAILED;
 +    if (retval == 0)
 +        rs.enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
 +
     rs.respond(rs.arg, retval, NULL, NULL, NULL);
 }
@@ -263,8 +267,6 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
     krb5_data d, plaintext;
     char *config;
 -    enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
 -
     /* Get the FAST armor key. */
     armor_key = cb->fast_armor(context, rock);
     if (armor_key == NULL) {
@@ -298,12 +300,14 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
         goto error;
     }
 -    /* Create the request state. */
 +    /* Create the request state.  Save the response callback, and the
 +     * enc_tkt_reply pointer so we can set the TKT_FLG_PRE_AUTH flag later. */
     rs = k5alloc(sizeof(struct request_state), &retval);
     if (rs == NULL)
         goto error;
     rs->arg = arg;
     rs->respond = respond;
 +    rs->enc_tkt_reply = enc_tkt_reply;
     /* Get the principal's OTP configuration string. */
     retval = cb->get_string(context, rock, "otp", &config);
 diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
 index b472741..5b1d73e 100644
 --- a/src/plugins/preauth/pkinit/pkinit_srv.c
 +++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -301,7 +301,7 @@ pkinit_server_verify_padata(krb5_context context,
     pkiDebug("pkinit_verify_padata: entered!\n");
     if (data == NULL || data->length <= 0 || data->contents == NULL) {
 -        (*respond)(arg, 0, NULL, NULL, NULL);
 +        (*respond)(arg, EINVAL, NULL, NULL, NULL);
         return;
     }
@@ -313,7 +313,7 @@ pkinit_server_verify_padata(krb5_context context,
     plgctx = pkinit_find_realm_context(context, moddata, request->server);
     if (plgctx == NULL) {
 -        (*respond)(arg, 0, NULL, NULL, NULL);
 +        (*respond)(arg, EINVAL, NULL, NULL, NULL);
         return;
     }