aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKai Kang <kai.kang@windriver.com>2017-08-28 21:59:12 +0800
committerArmin Kuster <akuster808@gmail.com>2017-09-13 17:16:28 -0700
commit425b672bff822c5c54f0f1bb669b6f5ba9594f1d (patch)
tree1e31dad42d0beb504ca1dc11bfeed4094ade1aab
parent3232999d645d166cad1e6f678afd45e974fb506b (diff)
downloadmeta-openembedded-contrib-425b672bff822c5c54f0f1bb669b6f5ba9594f1d.tar.gz
meta-openembedded-contrib-425b672bff822c5c54f0f1bb669b6f5ba9594f1d.tar.bz2
meta-openembedded-contrib-425b672bff822c5c54f0f1bb669b6f5ba9594f1d.zip
krb5: fix CVE-2017-11368
Backport patch to fix CVE-2017-11368 for krb5. Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> (cherry picked from commit d9f7ef40d74659a0348248841efadaf120d52c30) Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch116
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb1
2 files changed, 117 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
new file mode 100644
index 0000000000..a2eb7bc027
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
@@ -0,0 +1,116 @@
+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970]
+
+Backport patch to fix CVE-2017-11368.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From ffb35baac6981f9e8914f8f3bffd37f284b85970 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Thu, 13 Jul 2017 12:14:20 -0400
+Subject: [PATCH] Prevent KDC unset status assertion failures
+
+Assign status values if S4U2Self padata fails to decode, if an
+S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
+uses an evidence ticket which does not match the canonicalized request
+server principal name. Reported by Samuel Cabrero.
+
+If a status value is not assigned during KDC processing, default to
+"UNKNOWN_REASON" rather than failing an assertion. This change will
+prevent future denial of service bugs due to similar mistakes, and
+will allow us to omit assigning status values for unlikely errors such
+as small memory allocation failures.
+
+CVE-2017-11368:
+
+In MIT krb5 1.7 and later, an authenticated attacker can cause an
+assertion failure in krb5kdc by sending an invalid S4U2Self or
+S4U2Proxy request.
+
+ CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
+
+ticket: 8599 (new)
+target_version: 1.15-next
+target_version: 1.14-next
+tags: pullup
+---
+ src/kdc/do_as_req.c | 4 ++--
+ src/kdc/do_tgs_req.c | 3 ++-
+ src/kdc/kdc_util.c | 10 ++++++++--
+ 3 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 2d3ad13..9b256c8 100644
+--- a/src/kdc/do_as_req.c
++++ b/src/kdc/do_as_req.c
+@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
+ did_log = 1;
+
+ egress:
+- if (errcode != 0)
+- assert (state->status != 0);
++ if (errcode != 0 && state->status == NULL)
++ state->status = "UNKNOWN_REASON";
+
+ au_state->status = state->status;
+ au_state->reply = &state->reply;
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index cdc79ad..d8d6719 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
+ free(reply.enc_part.ciphertext.data);
+
+ cleanup:
+- assert(status != NULL);
++ if (status == NULL)
++ status = "UNKNOWN_REASON";
+ if (reply_key)
+ krb5_free_keyblock(kdc_context, reply_key);
+ if (errcode)
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 778a629..b710aef 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
+ req_data.data = (char *)pa_data->contents;
+
+ code = decode_krb5_pa_for_user(&req_data, &for_user);
+- if (code)
++ if (code) {
++ *status = "DECODE_PA_FOR_USER";
+ return code;
++ }
+
+ code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
+ if (code) {
+@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
+ req_data.data = (char *)pa_data->contents;
+
+ code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
+- if (code)
++ if (code) {
++ *status = "DECODE_PA_S4U_X509_USER";
+ return code;
++ }
+
+ code = verify_s4u_x509_user_checksum(context,
+ tgs_subkey ? tgs_subkey :
+@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
+ * that is validated previously in validate_tgs_request().
+ */
+ if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
++ *status = "INVALID_S4U2PROXY_OPTIONS";
+ return KRB5KDC_ERR_BADOPTION;
+ }
+
+@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
+ if (!krb5_principal_compare(kdc_context,
+ server->princ, /* after canon */
+ server_princ)) {
++ *status = "EVIDENCE_TICKET_MISMATCH";
+ return KRB5KDC_ERR_SERVER_NOMATCH;
+ }
+
+--
+2.10.1
+
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
index 1de884d034..b515eb5dc9 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
file://etc/default/krb5-admin-server \
file://krb5-kdc.service \
file://krb5-admin-server.service \
+ file://fix-CVE-2017-11368.patch;striplevel=2 \
"
SRC_URI[md5sum] = "8022f3a1cde8463e44fd35ef42731f85"
SRC_URI[sha256sum] = "437c8831ddd5fde2a993fef425dedb48468109bb3d3261ef838295045a89eb45"