pull up fix for kpasswd service ping-pong attack

- pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443,
  #962531,#962534)
This commit is contained in:
Nalin Dahyabhai 2013-05-13 18:32:51 -04:00
parent c0d2f3b96d
commit fbd06d348b
2 changed files with 71 additions and 1 deletions

View File

@ -0,0 +1,64 @@
commit cf1a0c411b2668c57c41e9c4efd15ba17b6b322c
Author: Tom Yu <tlyu@mit.edu>
Date: Fri May 3 16:26:46 2013 -0400
Fix kpasswd UDP ping-pong [CVE-2002-2443]
The kpasswd service provided by kadmind was vulnerable to a UDP
"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
they pass some basic validation, and don't respond to our own error
packets.
Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
attack or UDP ping-pong attacks in general, but there is discussion
leading toward narrowing the definition of CVE-1999-0103 to the echo,
chargen, or other similar built-in inetd services.
Thanks to Vincent Danen for alerting us to this issue.
CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
ticket: 7637 (new)
target_version: 1.11.3
tags: pullup
diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
index 15b0ab5..7f455d8 100644
--- a/src/kadmin/server/schpw.c
+++ b/src/kadmin/server/schpw.c
@@ -52,7 +52,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
ret = KRB5KRB_AP_ERR_MODIFIED;
numresult = KRB5_KPASSWD_MALFORMED;
strlcpy(strresult, "Request was truncated", sizeof(strresult));
- goto chpwfail;
+ goto bailout;
}
ptr = req->data;
@@ -67,7 +67,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
numresult = KRB5_KPASSWD_MALFORMED;
strlcpy(strresult, "Request length was inconsistent",
sizeof(strresult));
- goto chpwfail;
+ goto bailout;
}
/* verify version number */
@@ -80,7 +80,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
numresult = KRB5_KPASSWD_BAD_VERSION;
snprintf(strresult, sizeof(strresult),
"Request contained unknown protocol version number %d", vno);
- goto chpwfail;
+ goto bailout;
}
/* read, check ap-req length */
@@ -93,7 +93,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
numresult = KRB5_KPASSWD_MALFORMED;
strlcpy(strresult, "Request was truncated in AP-REQ",
sizeof(strresult));
- goto chpwfail;
+ goto bailout;
}
/* verify ap_req */

View File

@ -30,7 +30,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.11.2
Release: 4%{?dist}
Release: 5%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.2-signed.tar
Source0: krb5-%{version}.tar.gz
@ -77,6 +77,7 @@ Patch116: http://ausil.fedorapeople.org/aarch64/krb5/krb5-aarch64.patch
Patch117: krb5-1.11-gss-client-keytab.patch
Patch118: krb5-1.11.1-rpcbind.patch
Patch119: krb5-fast-msg_type.patch
Patch120: krb5-1.11.2-kpasswd_pingpong.patch
# Patches for otp plugin backport
Patch201: krb5-1.11.2-keycheck.patch
@ -296,6 +297,7 @@ ln -s NOTICE LICENSE
%patch117 -p1 -b .gss-client-keytab
%patch118 -p1 -b .rpcbind
%patch119 -p1 -b .fast-msg_type
%patch120 -p1 -b .kpasswd_pingpong
%patch201 -p1 -b .keycheck
%patch202 -p1 -b .otp
@ -821,6 +823,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
* Mon May 13 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-5
- pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443,
#962531,#962534)
* Mon Apr 29 2013 Nathaniel McCallum <npmccallum@redhat.com> 1.11.2-4
- Update otp patches
- Merge otp patches into a single patch