Package: krb5 / 1.10.1+dfsg-5+deb7u7

Metadata

Package: krb5
Version: 1.10.1+dfsg-5+deb7u7
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
debian local/0001 debian install ldap library in subdirectory.patch

src/plugins/kdb/ldap/Makefile.in | 2 1 + 1 - 0 !
src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 debian: install ldap library in subdirectory

Debian received a request to install the internal ldap library not in
the main lib directory.

Patch-Category: debian-local

debian local/0002 Debian manpage patch.patch

src/clients/kinit/kinit.M | 2 1 + 1 - 0 !
src/clients/ksu/ksu.M | 30 15 + 15 - 0 !
src/config-files/kdc.conf.M | 6 3 + 3 - 0 !
src/config-files/krb5.conf.M | 4 2 + 2 - 0 !
src/kadmin/cli/kadmin.M | 10 5 + 5 - 0 !
src/kadmin/server/kadmind.M | 2 1 + 1 - 0 !
src/krb5-config.M | 23 12 + 11 - 0 !
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M | 201 0 + 201 - 0 !
src/slave/kprop.M | 4 2 + 2 - 0 !
src/slave/kpropd.M | 10 5 + 5 - 0 !
src/slave/kproplog.M | 2 1 + 1 - 0 !
11 files changed, 47 insertions(+), 247 deletions(-)

 debian manpage patch

Adjust paths in manpages to be more consistent with FHS

Remove edirectory support which is not built on Debian from LDAP man pages.

Patch-Category: debian-local

ksu_environment_fix

src/clients/ksu/ksu.h | 8 6 + 2 - 0 !
src/clients/ksu/main.c | 2 1 + 1 - 0 !
2 files changed, 7 insertions(+), 3 deletions(-)

 ticket: new
 riable handling

Fix error messages from ksu

Patch-Category: to-submit
Patch-Name: ksu_environment_fix

0004 Debian HURD compatibility.patch

src/include/k5-int.h | 9 8 + 1 - 0 !
src/kadmin/ktutil/ktutil_funcs.c | 4 4 + 0 - 0 !
src/lib/gssapi/spnego/spnego_mech.c | 3 3 + 0 - 0 !
src/lib/krb5/os/kuserok.c | 4 4 + 0 - 0 !
src/lib/krb5/os/sn2princ.c | 4 4 + 0 - 0 !
src/plugins/kdb/db2/libdb2/include/db-int.h | 4 4 + 0 - 0 !
src/tests/resolve/resolve.c | 4 4 + 0 - 0 !
7 files changed, 31 insertions(+), 1 deletion(-)

 debian: hurd compatibility

Hurd has no MAXPATHLEN or MAXHOSTLEN.

time_locale

src/clients/klist/klist.c | 1 1 + 0 - 0 !
src/kadmin/cli/ss_wrapper.c | 1 1 + 0 - 0 !
2 files changed, 2 insertions(+)

 ticket: new
 e display

Call setlocale(LC_TIME) in klist and kadmin to get locale-specific
time display.

Patch-Name: time_locale

0006 Debian set AI_ADDRCONFIG for kprop slave.patch

src/slave/kprop.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 debian: set ai_addrconfig for kprop slave

debian local/0007 debian suppress usr lib in krb5 config.patch

src/krb5-config.in | 14 9 + 5 - 0 !
1 file changed, 9 insertions(+), 5 deletions(-)

 debian: suppress /usr/lib in krb5-config

Handle multi-arch suppressions

Patch-Category: debian-local

debian local/0008 debian osconf.hin path changes.patch

src/include/osconf.hin | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 debian: osconf.hin path changes

Patch-Category: debian-local

0009 Debian .gbp.conf.patch

.gbp.conf | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 debian: .gbp.conf

0010 autoreconf.patch

src/configure | 494 245 + 249 - 0 !
1 file changed, 245 insertions(+), 249 deletions(-)

 autoreconf

upstream/0011 yUse correct name type in TGS REQs for 2008R2 RODCs.patch

src/lib/krb5/krb/fwd_tgt.c | 12 4 + 8 - 0 !
src/lib/krb5/krb/tgtname.c | 19 15 + 4 - 0 !
2 files changed, 19 insertions(+), 12 deletions(-)

 use correct name-type in tgs-reqs for 2008r2 rodcs

Correctly set the name-type for the TGS principals to KRB5_NT_SRV_INST
in TGS-REQs.  (Previously, only AS-REQs had the name-type set in this
way.)  Windows Server 2008 R2 read-only domain controllers (RODCs)
insist on having the correct name-type for the TGS principal in
TGS-REQs as well as AS-REQs, at least for the TGT-forwarding case.

Thanks to Sebastian Galiano for reporting this bug and helping with
testing.

ticket: 7120
target_version: 1.10.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25839 dc483132-0cff-0310-8789-dd5450dbe970
(cherry picked from commit c87074d47185f2844780bc2c0f7eefeb1e3297e0)
Patch-Category: upstream

upstream/0012 Clear preauth use counts for each AS request.patch

src/lib/krb5/krb/preauth2.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 clear preauth use counts for each as request

Initialize use_count fields in krb5_preauth_request_context_init,
which is invoked before each AS request.  Previously they were
initialized only in krb5_init_preauth_context, which is only invoked
once per krb5 library context.

ticket: 7119
target_version: 1.10.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25822 dc483132-0cff-0310-8789-dd5450dbe970
(cherry picked from commit fc00ade45e2bfb6bf9a9b3f8cdb8ebbf65e75f72)
Patch-Category: upstream

upstream/0013 Try all history keys to decrypt password history.patch

src/lib/kadm5/server_internal.h | 6 4 + 2 - 0 !
src/lib/kadm5/srv/server_kdb.c | 55 35 + 20 - 0 !
src/lib/kadm5/srv/svr_principal.c | 46 23 + 23 - 0 !
src/tests/Makefile.in | 5 4 + 1 - 0 !
src/tests/hist.c | 99 99 + 0 - 0 !
src/tests/t_pwhist.py | 20 20 + 0 - 0 !
6 files changed, 185 insertions(+), 46 deletions(-)

 try all history keys to decrypt password history

A database created prior to 1.3 will have multiple password history
keys, and kadmin prior to 1.8 won't necessarily choose the first one.
So if there are multiple keys, we have to try them all.  If none of
the keys can decrypt a password history entry, don't fail the password
change operation; it's not worth it without positive evidence of
password reuse.

ticket: 7099

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25819 dc483132-0cff-0310-8789-dd5450dbe970
(cherry picked from commit db26c5f1e52bbad213ffa8b50871b5c5db2c1124)
Patch-Category: upstream

Conflicts:

	src/tests/Makefile.in

upstream/0014 Suppress some gcc uninitialized variable warnings.patch

src/kdc/do_as_req.c | 1 1 + 0 - 0 !
src/lib/kadm5/srv/svr_iters.c | 2 1 + 1 - 0 !
src/slave/kprop.c | 5 3 + 2 - 0 !
3 files changed, 5 insertions(+), 3 deletions(-)

 suppress some gcc uninitialized variable warnings
ticket: 7107
gcc 4.6.2 reportedly finds some spurious maybe-uninitialized warnings.
Suppress them.  Patch from Eray Aslan with some adjustment.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25783 dc483132-0cff-0310-8789-dd5450dbe970
(cherry picked from commit 254c31d2be4e5250932e7701c68d23a27edec8de)

Patch-Category: upstream

upstream/0015 Try all host keys by default in vfy_increds.patch

src/include/krb5/krb5.hin | 31 16 + 15 - 0 !
src/lib/krb5/krb/t_vfy_increds.c | 34 27 + 7 - 0 !
src/lib/krb5/krb/t_vfy_increds.py | 55 51 + 4 - 0 !
src/lib/krb5/krb/vfy_increds.c | 205 141 + 64 - 0 !
src/util/k5test.py | 4 4 + 0 - 0 !
5 files changed, 239 insertions(+), 90 deletions(-)

 try all host keys by default in vfy_increds

Factor out the core code of krb5_verify_init_creds into a helper, add
new helper functions to retrieve the list of unique host principals
from a keytab, and make krb5_verify_init_creds drive the helper once
per host principal.

Augment the test harness and test cases to better test the new
behavior.  Add a k5test method to retrieve an NFS principal for the
test realm for the sake of the new test cases.

ticket: 7125

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25845 dc483132-0cff-0310-8789-dd5450dbe970
(cherry picked from commit 2198b0504fdc84152a81fff3743c7d22c1f821dc)
Patch-Category: upstream

upstream/0016 ticket 7080.patch

src/lib/krb5/krb/deltat.c | 47 24 + 23 - 0 !
src/lib/krb5/krb/x-deltat.y | 1 1 + 0 - 0 !
2 files changed, 25 insertions(+), 23 deletions(-)

 ticket: 7080

Suppress maybe-uninitialized warning in x-deltat.y

Recent versions of gcc can generate a maybe-uninitialized warning from
bison output instead of a regular uninitialized warning.  Suppress
both.  Fix from nalin@redhat.com.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25665 dc483132-0cff-0310-8789-dd5450dbe970
(cherry picked from commit 18e303107321c7f565d90111bf54d2ecb4901f4b)
Patch-Category: upstream

0017 MITKRB5 SA 2012 001.patch

src/kdc/do_as_req.c | 3 2 + 1 - 0 !
src/kdc/kdc_preauth.c | 3 2 + 1 - 0 !
src/kdc/kdc_util.c | 1 1 + 0 - 0 !
src/lib/kdb/kdb_default.c | 3 3 + 0 - 0 !
4 files changed, 8 insertions(+), 2 deletions(-)

 mitkrb5-sa-2012-001

MITKRB5-SA-2012-001

MIT krb5 Security Advisory 2012-001
Original release: YYYY-MM-DD
Last update: YYYY-MM-DD

Topic: KDC heap corruption and crash vulnerabilities

CVE-2012-1015: KDC frees uninitialized pointer

CVSSv2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      9.3

Access Vector:          Network
Access Complexity:      Medium
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.3

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

CVE-2012-1014: KDC dereferences uninitialized pointer

CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      9
CVSSv2 Temporal Score:  7

upstream/0018 Don t free caller s principal in vfy_increds.patch

src/lib/krb5/krb/vfy_increds.c | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 don't free caller's principal in vfy_increds

but left in the corresponding free, so it was freeing a caller-owned
principal.  Reported by Russ Allbery.

ticket: 7162
(cherry picked from commit dd64191e02df0a13b29345e4c50fe03e039dc207)

Patch-Category: upstream

upstream/0019 Null pointer deref in kadmind CVE 2012 1013.patch

src/lib/kadm5/srv/svr_principal.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 null pointer deref in kadmind [cve-2012-1013]

The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name").  Only clients authorized to create principals can trigger the
bug.  Fix the bug by testing for a null password in check_1_6_dummy.

CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C

[ghudson@mit.edu: Minor style change and commit message]

ticket: 7152
target_version: 1.10.2
tags: pullup
(cherry picked from commit c5be6209311d4a8f10fda37d0d3f876c1b33b77b)

Patch-Category: upstream

0020 gssapi never unload mechanisms.patch

src/lib/gssapi/mechglue/g_initialize.c | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 gssapi: never unload mechanisms

It turns out that many GSSAPI mechanisms link to the main gss-api
library creating a circular reference. Depending on how the linker
breaks the cycle at process exit time, the linker may unload the GSS
library after unloading the mechanisms. The explicit dlclose from the
GSS library tends to cause a libdl assertion failure at that
point. So, never unload plugins. They are refcounted, so dlopen
handles will not leak, although obviously the memory from the plugin
is never reclaimed.

ticket: 7135

0021 PKINIT null pointer deref CVE 2013 1415.patch

src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 pkinit null pointer deref [cve-2013-1415]

Don't dereference a null pointer when cleaning up.

The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process.  An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.

CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C

This is a minimal commit for pullup; style fixes in a followup.
[kaduk@mit.edu: reformat and edit commit message]

ticket: 7570 (new)
target_version: 1.11.1
tags: pullup

0022 CVE patch from krb5 1.10.1 dfsg 4 nmu1.patch

src/plugins/preauth/pkinit/pkinit_srv.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 cve patch from krb5-1.10.1+dfsg-4+nmu1

0023 Work around getaddrinfo bug.patch

src/lib/krb5/os/sn2princ.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 work around getaddrinfo bug

Per upstream ticket #7124, avoid getting PTR lookups when they are
not requested.  This addresses part of #697662.
This is upstream's revision c3ab5fe0b.

0024 KDC TGS REQ null deref CVE 2013 1416.patch

src/kdc/do_tgs_req.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 kdc tgs-req null deref [cve-2013-1416]

By sending an unusual but valid TGS-REQ, an authenticated remote
attacker can cause the KDC process to crash by dereferencing a null
pointer.

prep_reprocess_req() can cause a null pointer dereference when
processing a service principal name.  Code in this function can
inappropriately pass a null pointer to strlcpy().  Unmodified client
software can trivially trigger this vulnerability, but the attacker
must have already authenticated and received a valid Kerberos ticket.

The vulnerable code was introduced by the implementation of new
service principal realm referral functionality in krb5-1.7, but was
corrected as a side effect of the KDC refactoring in krb5-1.11.

CVSSv2 vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:H/RL:O/RC:C

ticket: 7600 (new)
version_fixed: 1.10.5
status: resolved

upstream/7637

src/kadmin/server/schpw.c | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 fix kpasswd udp ping-pong [cve-2002-2443]

The kpasswd service provided by kadmind was vulnerable to a UDP
"ping-pong" attack [CVE-2002-2443].  Don't respond to packets unless
they pass some basic validation, and don't respond to our own error
packets.

Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
attack or UDP ping-pong attacks in general, but there is discussion
leading toward narrowing the definition of CVE-1999-0103 to the echo,
chargen, or other similar built-in inetd services.

Thanks to Vincent Danen for alerting us to this issue.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C

ticket: 7637 (new)
target_version: 1.11.3
tags: pullup

(cherry picked from commit cf1a0c411b2668c57c41e9c4efd15ba17b6b322c)

Patch-Name: upstream/7637

upstream/0026 Handle invalid RFC 1964 tokens CVE 2014 4341.patch

src/lib/gssapi/krb5/k5unseal.c | 41 33 + 8 - 0 !
src/lib/gssapi/krb5/k5unsealiov.c | 9 8 + 1 - 0 !
2 files changed, 41 insertions(+), 9 deletions(-)

 handle invalid rfc 1964 tokens [cve-2014-4341 cve-2014-4342]
target_version: 1.12.2
tags: pullup

(cherry picked from commit fb99962cbd063ac04c9a9d2cc7c75eab73f3533d)

Patch-Category: upstream

upstream/0027 Fix double free in SPNEGO CVE 2014 4343.patch

src/lib/gssapi/spnego/spnego_mech.c | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 fix double-free in spnego [cve-2014-4343]

In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
pointer sc->internal_mech became an alias into sc->mech_set->elements,
which should be considered constant for the duration of the SPNEGO
context.  So don't free it.

CVE-2014-4343:

In MIT krb5 releases 1.10 and newer, an unauthenticated remote
attacker with the ability to spoof packets appearing to be from a
GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
(clients) which are using the SPNEGO mechanism, by returning a

upstream/0028 Fix null deref in SPNEGO acceptor CVE 2014 4344.patch

src/lib/gssapi/spnego/spnego_mech.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 null dereference in spnego acceptor for continuation tokens [cve-2014-4344]
target_version: 1.12.2
tags: pullup

(cherry picked from commit 524688ce87a15fc75f87efc8c039ba4c7d5c197b)

Patch-Category: upstream

upstream/0029 Fix LDAP key data segmentation CVE 2014 4345.patch

src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 fix ldap key data segmentation [cve-2014-4345]

For principal entries having keys with multiple kvnos (due to use of
-keepold), the LDAP KDB module makes an attempt to store all the keys
having the same kvno into a single krbPrincipalKey attribute value.
There is a fencepost error in the loop, causing currkvno to be set to
the just-processed value instead of the next kvno.  As a result, the
second and all following groups of multiple keys by kvno are each
stored in two krbPrincipalKey attribute values.  Fix the loop to use
the correct kvno value.

CVE-2014-4345:

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overrun) by performing multiple cpw
-keepold operations.  An off-by-one error while copying key
information to the new database entry results in keys sharing a common

upstream/0030 MITKRB5 SA 2015 0001.patch

src/kadmin/server/kadm_rpc_svc.c | 12 3 + 9 - 0 !
src/lib/gssapi/krb5/context_time.c | 2 1 + 1 - 0 !
src/lib/gssapi/krb5/export_sec_context.c | 5 5 + 0 - 0 !
src/lib/gssapi/krb5/gssapiP_krb5.h | 1 1 + 0 - 0 !
src/lib/gssapi/krb5/gssapi_krb5.c | 2 1 + 1 - 0 !
src/lib/gssapi/krb5/inq_context.c | 2 1 + 1 - 0 !
src/lib/gssapi/krb5/k5seal.c | 2 1 + 1 - 0 !
src/lib/gssapi/krb5/k5sealiov.c | 2 1 + 1 - 0 !
src/lib/gssapi/krb5/k5unseal.c | 2 1 + 1 - 0 !
src/lib/gssapi/krb5/k5unsealiov.c | 2 1 + 1 - 0 !
src/lib/gssapi/krb5/lucid_context.c | 5 5 + 0 - 0 !
src/lib/gssapi/krb5/prf.c | 4 4 + 0 - 0 !
src/lib/gssapi/krb5/process_context_token.c | 17 12 + 5 - 0 !
src/lib/gssapi/krb5/wrap_size_limit.c | 2 1 + 1 - 0 !
src/lib/kadm5/kadm_rpc_xdr.c | 2 2 + 0 - 0 !
src/lib/rpc/auth_gssapi_misc.c | 1 0 + 1 - 0 !
src/lib/rpc/svc_auth_gss.c | 25 2 + 23 - 0 !
17 files changed, 42 insertions(+), 46 deletions(-)

 mitkrb5-sa-2015-0001

Topic: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token

CVE-2014-5352: gss_process_context_token() incorrectly frees context

CVSSv2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      9.0

Access Vector:          Network
Access Complexity:      Low
Authentication:         Single
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.0

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

CVE-2014-9421: kadmind doubly frees partial deserialization results

CVSSv2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      9.0
CVSSv2 Temporal Score:  7.0

CVE-2014-9422: kadmind incorrectly validates server principal name

CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:P/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      6.1
CVSSv2 Temporal Score:  4.8

CVE-2014-9423: libgssrpc server applications leak uninitialized bytes

CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C
CVSSv2 Base Score:      5.0
CVSSv2 Temporal Score:  4.4

Patch-Category: upstream

upstream/0031 Fix SPNEGO context aliasing bugs CVE 2015 2695.patch

src/lib/gssapi/spnego/gssapiP_spnego.h | 2 2 + 0 - 0 !
src/lib/gssapi/spnego/spnego_mech.c | 233 172 + 61 - 0 !
2 files changed, 174 insertions(+), 61 deletions(-)

 fix spnego context aliasing bugs [cve-2015-2695]

The SPNEGO mechanism currently replaces its context handle with the
mechanism context handle upon establishment, under the assumption that
most GSS functions are only called after context establishment.  This
assumption is incorrect, and can lead to aliasing violations for some
programs.  Maintain the SPNEGO context structure after context
establishment and refer to it in all GSS methods.  Add initiate and
opened flags to the SPNEGO context structure for use in
gss_inquire_context() prior to context establishment.

CVE-2015-2695:

In MIT krb5 1.5 and later, applications which call
gss_inquire_context() on a partially-established SPNEGO context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash.  This bug may go unnoticed, because
the most common SPNEGO authentication scenario establishes the context
after just one call to gss_accept_sec_context().  Java server
applications using the native JGSS provider are vulnerable to this
bug.  A carefully crafted SPNEGO packet might allow the
gss_inquire_context() call to succeed with attacker-determined
results, but applications should not make access control decisions
based on gss_inquire_context() results prior to context establishment.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[ghudson@mit.edu: several bugfixes, style changes, and edge-case
behavior changes; commit message and CVE description]

ticket: 8244
target_version: 1.14
tags: pullup

(cherry picked from commit b51b33f2bc5d1497ddf5bd107f791c101695000d)
Note that krb5 1.10 does not have the gss_export_cred() family of functions,
so some parts of the patch from master are not needed.

Patch-Category: upstream

upstream/0032 Fix IAKERB context aliasing bugs CVE 2015 2696.patch

src/lib/gssapi/krb5/gssapiP_krb5.h | 102 102 + 0 - 0 !
src/lib/gssapi/krb5/gssapi_krb5.c | 92 83 + 9 - 0 !
src/lib/gssapi/krb5/iakerb.c | 309 279 + 30 - 0 !
3 files changed, 464 insertions(+), 39 deletions(-)

 fix iakerb context aliasing bugs [cve-2015-2696]

The IAKERB mechanism currently replaces its context handle with the
krb5 mechanism handle upon establishment, under the assumption that
most GSS functions are only called after context establishment.  This
assumption is incorrect, and can lead to aliasing violations for some
programs.  Maintain the IAKERB context structure after context
establishment and add new IAKERB entry points to refer to it with that
type.  Add initiate and established flags to the IAKERB context
structure for use in gss_inquire_context() prior to context
establishment.

CVE-2015-2696:

In MIT krb5 1.9 and later, applications which call
gss_inquire_context() on a partially-established IAKERB context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash.  Java server applications using the
native JGSS provider are vulnerable to this bug.  A carefully crafted
IAKERB packet might allow the gss_inquire_context() call to succeed
with attacker-determined results, but applications should not make
access control decisions based on gss_inquire_context() results prior
to context establishment.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[ghudson@mit.edu: several bugfixes, style changes, and edge-case
behavior changes; commit message and CVE description]

ticket: 8244
target_version: 1.14
tags: pullup

(cherry picked from commit e04f0283516e80d2f93366e0d479d13c9b5c8c2a)
Note that krb5 1.10 does not have the gss_export_cred() family of functions,
so some parts of the patch from master are not needed.
The struct gss_config on 1.10 also has many fewer elements, so the
IOV versions of the MIC routines are not needed, either.

Patch-Category: upstream

upstream/0033 Fix two IAKERB comments.patch

src/lib/gssapi/krb5/iakerb.c | 6 1 + 5 - 0 !
1 file changed, 1 insertion(+), 5 deletions(-)

 fix two iakerb comments

The comment explaining why there is no iakerb_gss_import_sec_context()
erroneously referenced SPNEGO instead of IAKERB (noticed by Ben
Kaduk).  The comment above iakerb_gss_delete_sec_context() is out of
date after the last commit.

(cherry picked from commit 92d6dd045dfc06cc03d20b327a6ee7a71e6bc24d)

Patch-Category: upstream

upstream/0034 Fix IAKERB context export import CVE 2015 2698.patch

src/lib/gssapi/krb5/gssapiP_krb5.h | 5 5 + 0 - 0 !
src/lib/gssapi/krb5/gssapi_krb5.c | 2 1 + 1 - 0 !
src/lib/gssapi/krb5/iakerb.c | 42 35 + 7 - 0 !
3 files changed, 41 insertions(+), 8 deletions(-)

 fix iakerb context export/import [cve-2015-2698]

The patches for CVE-2015-2696 contained a regression in the newly
added IAKERB iakerb_gss_export_sec_context() function, which could
cause it to corrupt memory.  Fix the regression by properly
dereferencing the context_handle pointer before casting it.

Also, the patches did not implement an IAKERB gss_import_sec_context()
function, under the erroneous belief than an exported IAKERB context
would be tagged as a krb5 context.  Implement it now to allow IAKERB
contexts to be successfully exported and imported after establishment.

CVE-2015-2698:

In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
application which calls gss_export_sec_context() may experience memory
corruption if the context was established using the IAKERB mechanism.
Historically, some vulnerabilities of this nature can be translated
into remote code execution, though the necessary exploits must be
tailored to the individual application and are usually quite
complicated.

    CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

ticket: 8273 (new)
target_version: 1.14
tags: pullup

(cherry picked from commit d8b31c874c7d1039be7649362ef11c89f4e14c27)

Patch-Category: upstream

upstream/0035 Fix SPNEGO context import.patch

src/lib/gssapi/spnego/spnego_mech.c | 33 27 + 6 - 0 !
1 file changed, 27 insertions(+), 6 deletions(-)

 fix spnego context import

The patches for CVE-2015-2695 did not implement a SPNEGO
gss_import_sec_context() function, under the erroneous belief than an
exported SPNEGO context would be tagged with the underlying context
mechanism.  Implement it now to allow SPNEGO contexts to be
successfully exported and imported after establishment.

ticket: 8273
(cherry picked from commit fbb565f913c52eba9bea82f1694aba7a8c90e93d)

Patch-Category: upstream

upstream/0036 Fix build_principal memory bug CVE 2015 2697.patch

src/lib/krb5/krb/bld_princ.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 fix build_principal memory bug [cve-2015-2697]

In build_principal_va(), use k5memdup0() instead of strdup() to make a
copy of the realm, to ensure that we allocate the correct number of
bytes and do not read past the end of the input string.  This bug
affects krb5_build_principal(), krb5_build_principal_va(), and
krb5_build_principal_alloc_va().  krb5_build_principal_ext() is not
affected.

CVE-2015-2697:

In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte.  If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm.  Due to a bug in this
function, the null byte causes only one byte be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash.

CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

ticket: 8252 (new)
target_version: 1.14
tags: pullup

(cherry picked from commit f0c094a1b745d91ef2f9a4eae2149aac026a5789)
k5memdup0() is not available on the 1.10 branch, so inline the
implementation manually at the one call site.  k5alloc() always
returns zeroed memory via calloc().

Patch-Category: upstream

upstream/0037 Verify decoded kadmin C strings CVE 2015 8629.patch

src/lib/kadm5/kadm_rpc_xdr.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 [patch] verify decoded kadmin c strings [cve-2015-8629]

In xdr_nullstring(), check that the decoded string is terminated with
a zero byte and does not contain any internal zero bytes.

CVE-2015-8629:

In all versions of MIT krb5, an authenticated attacker can cause
kadmind to read beyond the end of allocated memory by sending a string
without a terminating zero byte.  Information leakage may be possible
for an attacker with permission to modify the database.

    CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C

ticket: 8341 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup

upstream/0038 Fix leaks in kadmin server stubs CVE 2015 8631.patch

src/kadmin/server/server_stubs.c | 151 77 + 74 - 0 !
1 file changed, 77 insertions(+), 74 deletions(-)

 [patch] fix leaks in kadmin server stubs [cve-2015-8631]

In each kadmind server stub, initialize the client_name and
server_name variables, and release them in the cleanup handler.  Many
of the stubs will otherwise leak the client and server name if
krb5_unparse_name() fails.  Also make sure to free the prime_arg
variables in rename_principal_2_svc(), or we can leak the first one if
unparsing the second one fails.  Discovered by Simo Sorce.

CVE-2015-8631:

In all versions of MIT krb5, an authenticated attacker can cause
kadmind to leak memory by supplying a null principal name in a request
which uses one.  Repeating these requests will eventually cause
kadmind to exhaust all available memory.

    CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

ticket: 8343 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup