* Thu May 14 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-0

- Update to krb5-1.13.2 - drop patch for krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC, fixed in krb5-1.13.2 - drop patch for krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in krb5-1.13.2 - Add script processing for upcoming Zanata l10n support - Minor spec cleanup
2015-05-15 01:03:28 +02:00 · 2015-05-15 01:03:28 +02:00 · 9997960299
commit 9997960299
parent 3ae7a21305
3 changed files with 3 additions and 210 deletions
--- a/.gitignore
+++ b/.gitignore
@ -117,3 +117,6 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.13.tar.gz.asc
 /krb5-1.13-pdf.tar.xz
 /krb5-1.13.1-pdf.pax.xz
+/krb5-1.13.2.tar.gz
+/krb5-1.13.2.tar.gz.asc
+/krb5-1.13.2-pdf.pax.xz
--- a/krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch
+++ b/krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch
@ -1,110 +0,0 @@
-From 21e4e653d8258d525f4b6ca87797d42a8bccc282 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Tue, 9 Dec 2014 12:37:44 -0500
-Subject: [PATCH] Fix krb5_read_message handling [CVE-2014-5355]
-
-In recvauth_common, do not use strcmp against the data fields of
-krb5_data objects populated by krb5_read_message(), as there is no
-guarantee that they are C strings.  Instead, create an expected
-krb5_data value and use data_eq().
-
-In the sample user-to-user server application, check that the received
-client principal name is null-terminated before using it with printf
-and krb5_parse_name.
-
-CVE-2014-5355:
-
-In MIT krb5, when a server process uses the krb5_recvauth function, an
-unauthenticated remote attacker can cause a NULL dereference by
-sending a zero-byte version string, or a read beyond the end of
-allocated storage by sending a non-null-terminated version string.
-The example user-to-user server application (uuserver) is similarly
-vulnerable to a zero-length or non-null-terminated principal name
-string.
-
-The krb5_recvauth function reads two version strings from the client
-using krb5_read_message(), which produces a krb5_data structure
-containing a length and a pointer to an octet sequence.  krb5_recvauth
-assumes that the data pointer is a valid C string and passes it to
-strcmp() to verify the versions.  If the client sends an empty octet
-sequence, the data pointer will be NULL and strcmp() will dereference
-a NULL pointer, causing the process to crash.  If the client sends a
-non-null-terminated octet sequence, strcmp() will read beyond the end
-of the allocated storage, possibly causing the process to crash.
-
-uuserver similarly uses krb5_read_message() to read a client principal
-name, and then passes it to printf() and krb5_parse_name() without
-verifying that it is a valid C string.
-
-The krb5_recvauth function is used by kpropd and the Kerberized
-versions of the BSD rlogin and rsh daemons.  These daemons are usually
-run out of inetd or in a mode which forks before processing incoming
-connections, so a process crash will generally not result in a
-complete denial of service.
-
-Thanks to Tim Uglow for discovering this issue.
-
-CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
-
-[tlyu@mit.edu: CVSS score]
-
-(cherry picked from commit 102bb6ebf20f9174130c85c3b052ae104e5073ec)
-
-ticket: 8050
-version_fixed: 1.13.2
-status: resolved
---
- src/appl/user_user/server.c | 4 +++-
- src/lib/krb5/krb/recvauth.c | 9 ++++++---
- 2 files changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/src/appl/user_user/server.c b/src/appl/user_user/server.c
-index 09ea4e0..f2b5b61 100644
--- a/src/appl/user_user/server.c
-+++ b/src/appl/user_user/server.c
-@@ -111,8 +111,10 @@ int main(argc, argv)
-     }
- #endif
- 
-+    /* principal name must be sent null-terminated. */
-     retval = krb5_read_message(context, (krb5_pointer) &sock, &pname_data);
-    if (retval) {
-+    if (retval || pname_data.length == 0 ||
-+        pname_data.data[pname_data.length - 1] != '\0') {
-         com_err ("uu-server", retval, "reading pname");
-         return 2;
-     }
-diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c
-index da836283..5adc6dd 100644
--- a/src/lib/krb5/krb/recvauth.c
-+++ b/src/lib/krb5/krb/recvauth.c
-@@ -59,6 +59,7 @@ recvauth_common(krb5_context context,
-     krb5_rcache           rcache = 0;
-     krb5_octet            response;
-     krb5_data             null_server;
-+    krb5_data             d;
-     int                   need_error_free = 0;
-     int                   local_rcache = 0, local_authcon = 0;
- 
-@@ -77,7 +78,8 @@ recvauth_common(krb5_context context,
-          */
-         if ((retval = krb5_read_message(context, fd, &inbuf)))
-             return(retval);
-        if (strcmp(inbuf.data, sendauth_version)) {
-+        d = make_data((char *)sendauth_version, strlen(sendauth_version) + 1);
-+        if (!data_eq(inbuf, d)) {
-             problem = KRB5_SENDAUTH_BADAUTHVERS;
-             response = 1;
-         }
-@@ -93,8 +95,9 @@ recvauth_common(krb5_context context,
-      */
-     if ((retval = krb5_read_message(context, fd, &inbuf)))
-         return(retval);
-    if (appl_version && strcmp(inbuf.data, appl_version)) {
-        if (!problem) {
-+    if (appl_version != NULL && !problem) {
-+        d = make_data(appl_version, strlen(appl_version) + 1);
-+        if (!data_eq(inbuf, d)) {
-             problem = KRB5_SENDAUTH_BADAPPLVERS;
-             response = 2;
-         }
--- a/krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC.patch
+++ b/krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC.patch
@ -1,100 +0,0 @@
-From e3b5a5e5267818c97750b266df50b6a3d4649604 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Tue, 24 Mar 2015 12:02:37 -0400
-Subject: [PATCH] Prevent requires_preauth bypass [CVE-2015-2694]
-
-In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until
-the request is successfully verified.  In the PKINIT kdcpreauth
-module, don't respond with code 0 on empty input or an unconfigured
-realm.  Together these bugs could cause the KDC preauth framework to
-erroneously treat a request as pre-authenticated.
-
-CVE-2015-2694:
-
-In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
-support, an unauthenticated remote attacker can bypass the
-requires_preauth flag on a client principal and obtain a ciphertext
-encrypted in the principal's long-term key.  This ciphertext could be
-used to conduct an off-line dictionary attack against the user's
-password.
-
-    CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C
-
-ticket: 8160 (new)
-target_version: 1.13.2
-tags: pullup
-subject: requires_preauth bypass in PKINIT-enabled KDC [CVE-2015-2694]
---
- src/plugins/preauth/otp/main.c          | 10 +++++++---
- src/plugins/preauth/pkinit/pkinit_srv.c |  4 ++--
- 2 files changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c
-index bf9c6a8..7941b4a 100644
--- a/src/plugins/preauth/otp/main.c
-+++ b/src/plugins/preauth/otp/main.c
-@@ -42,6 +42,7 @@ static krb5_preauthtype otp_pa_type_list[] =
- struct request_state {
-     krb5_kdcpreauth_verify_respond_fn respond;
-     void *arg;
-+    krb5_enc_tkt_part *enc_tkt_reply;
- };
- 
- static krb5_error_code
-@@ -159,6 +160,9 @@ on_response(void *data, krb5_error_code retval, otp_response response)
-     if (retval == 0 && response != otp_response_success)
-         retval = KRB5_PREAUTH_FAILED;
- 
-+    if (retval == 0)
-+        rs.enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
-+
-     rs.respond(rs.arg, retval, NULL, NULL, NULL);
- }
- 
-@@ -263,8 +267,6 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
-     krb5_data d, plaintext;
-     char *config;
- 
-    enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
-
-     /* Get the FAST armor key. */
-     armor_key = cb->fast_armor(context, rock);
-     if (armor_key == NULL) {
-@@ -298,12 +300,14 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
-         goto error;
-     }
- 
-    /* Create the request state. */
-+    /* Create the request state.  Save the response callback, and the
-+     * enc_tkt_reply pointer so we can set the TKT_FLG_PRE_AUTH flag later. */
-     rs = k5alloc(sizeof(struct request_state), &retval);
-     if (rs == NULL)
-         goto error;
-     rs->arg = arg;
-     rs->respond = respond;
-+    rs->enc_tkt_reply = enc_tkt_reply;
- 
-     /* Get the principal's OTP configuration string. */
-     retval = cb->get_string(context, rock, "otp", &config);
-diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
-index b472741..5b1d73e 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
-+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
-@@ -301,7 +301,7 @@ pkinit_server_verify_padata(krb5_context context,
- 
-     pkiDebug("pkinit_verify_padata: entered!\n");
-     if (data == NULL || data->length <= 0 || data->contents == NULL) {
-        (*respond)(arg, 0, NULL, NULL, NULL);
-+        (*respond)(arg, EINVAL, NULL, NULL, NULL);
-         return;
-     }
- 
-@@ -313,7 +313,7 @@ pkinit_server_verify_padata(krb5_context context,
- 
-     plgctx = pkinit_find_realm_context(context, moddata, request->server);
-     if (plgctx == NULL) {
-        (*respond)(arg, 0, NULL, NULL, NULL);
-+        (*respond)(arg, EINVAL, NULL, NULL, NULL);
-         return;
-     }
-