Package: krb5 / 1.12.1+dfsg-19+deb8u4

Metadata

Package:        krb5
Version:        1.12.1+dfsg-19+deb8u4
Patches format: 3.0 (quilt)

Patch series

0001 ticket new.patch

src/clients/ksu/ksu.h | 8 6 + 2 - 0 !
1 file changed, 6 insertions(+), 2 deletions(-)

 ticket: new
 riable handling

Fix error messages from ksu

patch-name: ksu-fix-env-errors

debian local/0002 Debian HURD compatibility.patch

src/include/k5-int.h | 3 3 + 0 - 0 !
src/kadmin/ktutil/ktutil_funcs.c | 4 4 + 0 - 0 !
src/lib/gssapi/spnego/spnego_mech.c | 3 3 + 0 - 0 !
src/lib/krb5/os/sn2princ.c | 4 4 + 0 - 0 !
src/plugins/kdb/db2/libdb2/include/db-int.h | 4 4 + 0 - 0 !
src/tests/resolve/resolve.c | 4 4 + 0 - 0 !
6 files changed, 22 insertions(+)

 debian: hurd compatibility

HURD has no MAXPATHLEN or MAXHOSTLEN.

Patch-Category: debian-local

debian local/0003 debian suppress usr lib in krb5 config.patch

src/build-tools/krb5-config.in | 14 9 + 5 - 0 !
1 file changed, 9 insertions(+), 5 deletions(-)

 debian: suppress /usr/lib in krb5-config

Handle multi-arch suppressions

Patch-Category: debian-local

debian local/0004 debian osconf.hin path changes.patch

src/include/osconf.hin | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 debian: osconf.hin path changes

Patch-Category: debian-local

debian local/0005 debian install ldap library in subdirectory.patch

src/plugins/kdb/ldap/Makefile.in | 1 1 + 0 - 0 !
src/plugins/kdb/ldap/ldap_util/Makefile.in | 1 1 + 0 - 0 !
2 files changed, 2 insertions(+)

 debian: install ldap library in subdirectory

Debian received a request to install the internal ldap library not in
the main lib directory.

We are changing SHLIB_DIRS from the default that upstream sets in the
makefile includes; assign unconditionally the full value.

Patch-Category: debian-local

debian local/0006 gssapi never unload mechanisms.patch

src/lib/gssapi/mechglue/g_initialize.c | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 gssapi: never unload mechanisms

It turns out that many GSSAPI mechanisms link to the main gss-api
library creating a circular reference. Depending on how the linker
breaks the cycle at process exit time, the linker may unload the GSS
library after unloading the mechanisms. The explicit dlclose from the
GSS library tends to cause a libdl assertion failure at that
point. So, never unload plugins. They are refcounted, so dlopen
handles will not leak, although obviously the memory from the plugin
is never reclaimed.

ticket: 7135

Patch-Category: debian-local

debian local/0007 Add substpdf target.patch

src/doc/Makefile.in | 15 15 + 0 - 0 !
1 file changed, 15 insertions(+)

 add substpdf target

Akin to substhtml, so that we can build PDF documents without
overwriting the upstream-provided versions and causing debian/rules clean
to not return to the original state.

Patch-Category: debian-local

upstream/0008 Move OTP sockets to KDC_RUN_DIR.patch

doc/admin/otp.rst | 5 3 + 2 - 0 !
doc/conf.py | 3 3 + 0 - 0 !
doc/mitK5defaults.rst | 2 2 + 0 - 0 !
src/Makefile.in | 1 1 + 0 - 0 !
src/configure.in | 6 6 + 0 - 0 !
src/doc/Makefile.in | 2 2 + 0 - 0 !
src/include/Makefile.in | 2 2 + 0 - 0 !
src/include/osconf.hin | 1 1 + 0 - 0 !
src/man/Makefile.in | 2 2 + 0 - 0 !
src/plugins/preauth/otp/otp_state.c | 2 1 + 1 - 0 !
10 files changed, 23 insertions(+), 3 deletions(-)

 move otp sockets to kdc_run_dir

Some system configurations expect Unix-domain sockets to live under
/run or /var/run, and not other parts of /var where persistent
application state lives.  Define a new directory KDC_RUN_DIR using
$runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run
if it's not set) and use that for the default socket path.

[ghudson@mit.edu: commit message, otp.rst formatting fix]

ticket: 7859 (new)

Patch-Category: upstream

upstream/0009 Avoid duplicate etc krb5.conf in profile path.patch

src/configure.in | 9 9 + 0 - 0 !
src/include/Makefile.in | 4 3 + 1 - 0 !
src/include/osconf.hin | 4 2 + 2 - 0 !
3 files changed, 14 insertions(+), 3 deletions(-)

 avoid duplicate "/etc/krb5.conf" in profile path

If configure gets run with --sysconfdir=/etc, "/etc/krb5.conf" shows
up twice in the profile path, which causes its contents to be read
twice.  This can cause some confusing and possibly problematic
behavior.

Add some logic to configure.in to avoid adding the duplicate entry for
"/etc/krb5.conf".

Reported independently by Denis Vlasenko and Fredrik Tolf.

ticket: 3277
tags: pullup
target_version: 1.12.2

Patch-Category: upstream

0010 autoreconf.patch

src/configure | 303 164 + 139 - 0 !
1 file changed, 164 insertions(+), 139 deletions(-)

 autoreconf

upstream/0011 Load mechglue config files from etc gss mech.d.patch

src/lib/gssapi/mechglue/g_initialize.c | 65 54 + 11 - 0 !
1 file changed, 54 insertions(+), 11 deletions(-)

 load mechglue config files from /etc/gss/mech.d

In addition to loading /etc/gss/mech, glob for *.conf files in
/etc/gss/mech.d.  Load only config files which have changed since the
highest mtime we saw in the previous scan.  Scan at most once per
second to avoid excessive numbers of filesystem syscalls for busy
GSSAPI applications.

[ghudson@mit.edu: rewrote commit message; style changes; added
once-per-second throttle on glob/stat calls]

ticket: 7882 (new)

Patch-Category: upstream

0012 Read etc gss mech when no files in mech.d.patch

src/lib/gssapi/mechglue/g_initialize.c | 12 11 + 1 - 0 !
1 file changed, 11 insertions(+), 1 deletion(-)

 read /etc/gss/mech when no files in mech.d

If the call to glob fails, it's still necessary to read /etc/gss/mech
if that file exists.

ticket: 7925

0013 Do not loop on add_cred_from and other new methods.patch

src/lib/gssapi/mechglue/g_initialize.c | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 do not loop on add_cred_from and other new methods

Several new GSS-API methods were added but GSSAPI_ADD_METHOD was
called to add them rather than GSSAPI_ADD_METHOD_NOLOOP.  This means
that the implementation from the GSS-API mechglue would be used if the
mechanism had no implementation.  As a result, the mechglue will call
into itself exhausting the call stack in an endless loop when one of
these methods is called.

ticket: 7926

0014 Handle invalid RFC 1964 tokens CVE 2014 4341.patch

src/lib/gssapi/krb5/k5unseal.c | 41 33 + 8 - 0 !
src/lib/gssapi/krb5/k5unsealiov.c | 9 8 + 1 - 0 !
2 files changed, 41 insertions(+), 9 deletions(-)

 handle invalid rfc 1964 tokens [cve-2014-4341 cve-2014-4342]
target_version: 1.12.2
tags: pullup

upstream/0015 Fix double free in SPNEGO CVE 2014 4343.patch

src/lib/gssapi/spnego/spnego_mech.c | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 fix double-free in spnego [cve-2014-4343]

In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
pointer sc->internal_mech became an alias into sc->mech_set->elements,
which should be considered constant for the duration of the SPNEGO
context.  So don't free it.

CVE-2014-4343:

In MIT krb5 releases 1.10 and newer, an unauthenticated remote
attacker with the ability to spoof packets appearing to be from a
GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
(clients) which are using the SPNEGO mechanism, by returning a

upstream/0016 Fix null deref in SPNEGO acceptor CVE 2014 4344.patch

src/lib/gssapi/spnego/spnego_mech.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 null dereference in spnego acceptor for continuation tokens [cve-2014-4344]
target_version: 1.12.2
tags: pullup

Patch-Category: upstream

upstream/0017 Use TAILQ macros instead of CIRCLEQ in libdb2.patch

src/plugins/kdb/db2/libdb2/mpool/mpool.c | 43 20 + 23 - 0 !
src/plugins/kdb/db2/libdb2/mpool/mpool.h | 8 4 + 4 - 0 !
2 files changed, 24 insertions(+), 27 deletions(-)

 use tailq macros instead of circleq in libdb2

The optimizer in gcc 4.8.1 (but not the current gcc head revision)
breaks the queue.h CIRCLEQ macros, apparently due to an overzealous
strict aliasing deduction.  Use TAILQ macros in the libdb2 mpool code
instead.

(cherry picked from commit 26d874412983c4c9979a9f5e7bec51834ad4cda5)

ticket: 7860
version_fixed: 1.12.2
status: resolved

(cherry picked from commit c7bb9278ad12c9278f316479af56f9e952f4d650)

Patch-Category: upstream

debian local/0018 Quick and dirty fix to building O3.patch

src/kadmin/dbutil/dump.c | 2 1 + 1 - 0 !
src/lib/krb5/os/sendto_kdc.c | 4 2 + 2 - 0 !
src/tests/asn.1/trval.c | 2 1 + 1 - 0 !
3 files changed, 4 insertions(+), 4 deletions(-)

 quick and dirty fix to building -o3

This is a quick and dirty fix to pacify gcc which is over-concerned
about uninitialized variables at -O3.

This should allow Ubuntu to sync krb5 without the need for any Ubuntu changes.

Patch-Category: debian-local

upstream/0019 Fix LDAP key data segmentation CVE 2014 4345.patch

src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 fix ldap key data segmentation [cve-2014-4345]

For principal entries having keys with multiple kvnos (due to use of
-keepold), the LDAP KDB module makes an attempt to store all the keys
having the same kvno into a single krbPrincipalKey attribute value.
There is a fencepost error in the loop, causing currkvno to be set to
the just-processed value instead of the next kvno.  As a result, the
second and all following groups of multiple keys by kvno are each
stored in two krbPrincipalKey attribute values.  Fix the loop to use
the correct kvno value.

CVE-2014-4345:

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overrun) by performing multiple cpw
-keepold operations.  An off-by-one error while copying key
information to the new database entry results in keys sharing a common

0020 Treat krb.hin as a C file for doxygen.patch

src/doc/Doxyfile.in | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 treat krb.hin as a c file for doxygen

Recent releases of doxygen appear to not map unknown extensions to
the C type; since we are processing the configure-input file krb5.hin,
explicitly map it as being a C language file for processing by doxygen.

debian local/0021 Fix pkg config library include paths.patch

src/build-tools/gssrpc.pc.in | 4 2 + 2 - 0 !
src/build-tools/kadm-client.pc.in | 4 2 + 2 - 0 !
src/build-tools/kadm-server.pc.in | 4 2 + 2 - 0 !
src/build-tools/kdb.pc.in | 4 2 + 2 - 0 !
src/build-tools/mit-krb5-gssapi.pc.in | 4 2 + 2 - 0 !
src/build-tools/mit-krb5.pc.in | 4 2 + 2 - 0 !
6 files changed, 12 insertions(+), 12 deletions(-)

 fix pkg-config library/include paths

Include library and include flags in pkg-config files, so they work when the
symlinks provided by libkrb5-dev are not installed.

Patch-Category: debian-local

debian local/0022 Fix krb5 config paths.patch

src/build-tools/krb5-config.in | 14 3 + 11 - 0 !
1 file changed, 3 insertions(+), 11 deletions(-)

 fix krb5-config paths

Include library and include flags in krb5-config, so they
work when the symlinks provided by libkrb5-dev are not
installed.

Patch-Category: debian-local

debian local/0023 Use isystem for include paths.patch

src/build-tools/gssrpc.pc.in | 2 1 + 1 - 0 !
src/build-tools/kadm-client.pc.in | 2 1 + 1 - 0 !
src/build-tools/kadm-server.pc.in | 2 1 + 1 - 0 !
src/build-tools/kdb.pc.in | 2 1 + 1 - 0 !
src/build-tools/krb5-config.in | 2 1 + 1 - 0 !
src/build-tools/mit-krb5-gssapi.pc.in | 2 1 + 1 - 0 !
src/build-tools/mit-krb5.pc.in | 2 1 + 1 - 0 !
7 files changed, 7 insertions(+), 7 deletions(-)

 use -isystem for include paths

This is necessary so Kerberos header files are classified as "system headers"
by the compiler, and thus not subject to the same strict warnings as
other headers (which breaks compilation if -Werror is specified).

This fixes the build for folks using -Werror and including Kerberos headers
when the latter are installed in a non-standard location (e.g.
/usr/include/tuple/mit-krb5, as Debian is doing).

upstream/0024 Return only new keys in randkey CVE 2014 5351.patch

src/lib/kadm5/srv/svr_principal.c | 21 18 + 3 - 0 !
1 file changed, 18 insertions(+), 3 deletions(-)

 return only new keys in randkey [cve-2014-5351]

In kadmind's randkey operation, if a client specifies the keepold
flag, do not include the preserved old keys in the response.

CVE-2014-5351:

An authenticated remote attacker can retrieve the current keys for a
service principal when generating a new set of keys for that
principal.  The attacker needs to be authenticated as a user who has
the elevated privilege for randomizing the keys of other principals.

Normally, when a Kerberos administrator randomizes the keys of a
service principal, kadmind returns only the new keys.  This prevents
an administrator who lacks legitimate privileged access to a service
from forging tickets to authenticate to that service.  If the
"keepold" flag to the kadmin randkey RPC operation is true, kadmind
retains the old keys in the KDC database as intended, but also
unexpectedly returns the old keys to the client, which exposes the
service to ticket forgery attacks from the administrator.

A mitigating factor is that legitimate clients of the affected service
will start failing to authenticate to the service once they begin to
receive service tickets encrypted in the new keys.  The affected
service will be unable to decrypt the newly issued tickets, possibly
alerting the legitimate administrator of the affected service.

CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C

[tlyu@mit.edu: CVE description and CVSS score]

ticket: 8018 (new)
target_version: 1.13
tags: pullup

(cherry picked from commit af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca)
Patch-Category: upstream

upstream/0025 Fix build on systems without RTM_OLD.patch

src/lib/apputils/net-server.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 fix build on systems without rtm_old*

For example, FreeBSD has removed RTM_OLDADD and RTM_OLDDEL from its API
in March 2014, with the message:
Garbage collect long time obsoleted (or never used) stuff from routing API

Only attempt to define behavior for these cases if they are defined.

(cherry picked from commit fd352d41a79013114708e99510b6be3836200237)

ticket: 7955
version_fixed: 1.12.2
status: resolved

(cherry picked from commit 37f87c189ff050c01282f3d8da7bc97fe8a9ea92)
Patch-Category: upstream

upstream/0026 Remove rtm_type_name.patch

src/lib/apputils/net-server.c | 35 0 + 35 - 0 !
1 file changed, 35 deletions(-)

 remove rtm_type_name()

It has been unused since 2009 when Ken decided that the routing log
messages were too verbose (commit 91fc077c96926dd60).

(cherry picked from commit bcc91c8d8b3d5b775cfde1ee461d7e0394070852)

There was a slight conflict because commit
3a8eaa43045fb242739ad9729bb66f915be209b9 had #if 0'd this function, but
that commit is too large for the current purpose.

Patch-Category: upstream

upstream/0027 Fix LDAP misused policy name crash CVE 2014 5353.patch

src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 fix ldap misused policy name crash [cve-2014-5353]

In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns
successfully with no results, return KRB5_KDB_NOENTRY instead of
returning success with a zeroed-out policy object.  This fixes a null
dereference when an admin attempts to use an LDAP ticket policy name
as a password policy name.

CVE-2014-5353:

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL dereference
by attempting to use a named ticket policy object as a password policy
for a principal.  The attacker needs to be authenticated as a user who
has the elevated privilege for setting password policy by adding or
modifying principals.

Queries to LDAP scoped to the krbPwdPolicy object class will correctly
not return entries of other classes, such as ticket policy objects, but
may return success with no returned elements if an object with the

0028 Support keyless principals in LDAP CVE 2014 5354.patch

src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 23 17 + 6 - 0 !
1 file changed, 17 insertions(+), 6 deletions(-)

 kadmind with ldap backend crashes when putting keyless entries

(cherry picked from commit 04038bf3633c4b909b5ded3072dc88c8c419bf16)
Some of the "other fixes" to krb5_encode_krbsecretkey() do not apply on
the 1.12 branch.  The patch needed to be modified slightly to account
for the absence of commit 1825455ede7e61ab934b16262fb5b12b78a52f1a
on the 1.12 branch upon which this branch is based.  The tests added
to exercise this functionality do pass, even with the modified form
of the commit.

Patch-Category: upstream

upstream/0029 MITKRB5 SA 2015 0001.patch

src/kadmin/server/kadm_rpc_svc.c | 12 3 + 9 - 0 !
src/lib/gssapi/krb5/context_time.c | 2 1 + 1 - 0 !
src/lib/gssapi/krb5/export_sec_context.c | 5 5 + 0 - 0 !
src/lib/gssapi/krb5/gssapiP_krb5.h | 1 1 + 0 - 0 !
src/lib/gssapi/krb5/gssapi_krb5.c | 2 1 + 1 - 0 !
src/lib/gssapi/krb5/inq_context.c | 2 1 + 1 - 0 !
src/lib/gssapi/krb5/k5seal.c | 2 1 + 1 - 0 !
src/lib/gssapi/krb5/k5sealiov.c | 2 1 + 1 - 0 !
src/lib/gssapi/krb5/k5unseal.c | 2 1 + 1 - 0 !
src/lib/gssapi/krb5/k5unsealiov.c | 2 1 + 1 - 0 !
src/lib/gssapi/krb5/lucid_context.c | 5 5 + 0 - 0 !
src/lib/gssapi/krb5/prf.c | 4 4 + 0 - 0 !
src/lib/gssapi/krb5/process_context_token.c | 17 12 + 5 - 0 !
src/lib/gssapi/krb5/wrap_size_limit.c | 2 1 + 1 - 0 !
src/lib/gssapi/mechglue/mglueP.h | 1 0 + 1 - 0 !
src/lib/kadm5/kadm_rpc_xdr.c | 2 2 + 0 - 0 !
src/lib/rpc/auth_gssapi_misc.c | 1 0 + 1 - 0 !
src/lib/rpc/svc_auth_gss.c | 25 2 + 23 - 0 !
18 files changed, 42 insertions(+), 47 deletions(-)

 mitkrb5-sa-2015-0001

Topic: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token

CVE-2014-5352: gss_process_context_token() incorrectly frees context

CVSSv2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      9.0

Access Vector:          Network
Access Complexity:      Low
Authentication:         Single
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.0

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

CVE-2014-9421: kadmind doubly frees partial deserialization results

CVSSv2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      9.0
CVSSv2 Temporal Score:  7.0

CVE-2014-9422: kadmind incorrectly validates server principal name

CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:P/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      6.1
CVSSv2 Temporal Score:  4.8

CVE-2014-9423: libgssrpc server applications leak uninitialized bytes

CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C
CVSSv2 Base Score:      5.0
CVSSv2 Temporal Score:  4.4

Patch-Category: upstream

upstream/0030 Fix krb5_read_message handling CVE 2014 5355.patch

src/appl/user_user/server.c | 4 3 + 1 - 0 !
src/lib/krb5/krb/recvauth.c | 9 6 + 3 - 0 !
2 files changed, 9 insertions(+), 4 deletions(-)

 fix krb5_read_message handling [cve-2014-5355]

In recvauth_common, do not use strcmp against the data fields of
krb5_data objects populated by krb5_read_message(), as there is no
guarantee that they are C strings.  Instead, create an expected
krb5_data value and use data_eq().

In the sample user-to-user server application, check that the received
client principal name is null-terminated before using it with printf
and krb5_parse_name.

CVE-2014-5355:

In MIT krb5, when a server process uses the krb5_recvauth function, an
unauthenticated remote attacker can cause a NULL dereference by
sending a zero-byte version string, or a read beyond the end of
allocated storage by sending a non-null-terminated version string.
The example user-to-user server application (uuserver) is similarly
vulnerable to a zero-length or non-null-terminated principal name
string.

The krb5_recvauth function reads two version strings from the client
using krb5_read_message(), which produces a krb5_data structure
containing a length and a pointer to an octet sequence.  krb5_recvauth
assumes that the data pointer is a valid C string and passes it to
strcmp() to verify the versions.  If the client sends an empty octet
sequence, the data pointer will be NULL and strcmp() will dereference
a NULL pointer, causing the process to crash.  If the client sends a
non-null-terminated octet sequence, strcmp() will read beyond the end
of the allocated storage, possibly causing the process to crash.

uuserver similarly uses krb5_read_message() to read a client principal
name, and then passes it to printf() and krb5_parse_name() without
verifying that it is a valid C string.

The krb5_recvauth function is used by kpropd and the Kerberized
versions of the BSD rlogin and rsh daemons.  These daemons are usually
run out of inetd or in a mode which forks before processing incoming
connections, so a process crash will generally not result in a
complete denial of service.

Thanks to Tim Uglow for discovering this issue.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C

[tlyu@mit.edu: CVSS score]

ticket: 8050 (new)
target_version: 1.13.1
tags: pullup

(cherry picked from commit 102bb6ebf20f9174130c85c3b052ae104e5073ec)

Patch-Category: upstream

upstream/0031 Fix SPNEGO context aliasing bugs CVE 2015 2695.patch

src/lib/gssapi/spnego/gssapiP_spnego.h | 2 2 + 0 - 0 !
src/lib/gssapi/spnego/spnego_mech.c | 254 190 + 64 - 0 !
2 files changed, 192 insertions(+), 64 deletions(-)

 fix spnego context aliasing bugs [cve-2015-2695]

The SPNEGO mechanism currently replaces its context handle with the
mechanism context handle upon establishment, under the assumption that
most GSS functions are only called after context establishment.  This
assumption is incorrect, and can lead to aliasing violations for some
programs.  Maintain the SPNEGO context structure after context
establishment and refer to it in all GSS methods.  Add initiate and
opened flags to the SPNEGO context structure for use in
gss_inquire_context() prior to context establishment.

CVE-2015-2695:

In MIT krb5 1.5 and later, applications which call
gss_inquire_context() on a partially-established SPNEGO context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash.  This bug may go unnoticed, because
the most common SPNEGO authentication scenario establishes the context
after just one call to gss_accept_sec_context().  Java server
applications using the native JGSS provider are vulnerable to this
bug.  A carefully crafted SPNEGO packet might allow the
gss_inquire_context() call to succeed with attacker-determined
results, but applications should not make access control decisions
based on gss_inquire_context() results prior to context establishment.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[ghudson@mit.edu: several bugfixes, style changes, and edge-case
behavior changes; commit message and CVE description]

ticket: 8244
target_version: 1.14
tags: pullup

(cherry picked from commit b51b33f2bc5d1497ddf5bd107f791c101695000d)
(cherry picked from commit b813d5811432faed844a2dfd3daecde914978f2c)

Patch-Category: upstream

upstream/0032 Fix IAKERB context aliasing bugs CVE 2015 2696.patch

src/lib/gssapi/krb5/gssapiP_krb5.h | 114 114 + 0 - 0 !
src/lib/gssapi/krb5/gssapi_krb5.c | 105 94 + 11 - 0 !
src/lib/gssapi/krb5/iakerb.c | 351 321 + 30 - 0 !
3 files changed, 529 insertions(+), 41 deletions(-)

 fix iakerb context aliasing bugs [cve-2015-2696]

The IAKERB mechanism currently replaces its context handle with the
krb5 mechanism handle upon establishment, under the assumption that
most GSS functions are only called after context establishment.  This
assumption is incorrect, and can lead to aliasing violations for some
programs.  Maintain the IAKERB context structure after context
establishment and add new IAKERB entry points to refer to it with that
type.  Add initiate and established flags to the IAKERB context
structure for use in gss_inquire_context() prior to context
establishment.

CVE-2015-2696:

In MIT krb5 1.9 and later, applications which call
gss_inquire_context() on a partially-established IAKERB context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash.  Java server applications using the
native JGSS provider are vulnerable to this bug.  A carefully crafted
IAKERB packet might allow the gss_inquire_context() call to succeed
with attacker-determined results, but applications should not make
access control decisions based on gss_inquire_context() results prior
to context establishment.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[ghudson@mit.edu: several bugfixes, style changes, and edge-case
behavior changes; commit message and CVE description]

ticket: 8244
target_version: 1.14
tags: pullup

(cherry picked from commit e04f0283516e80d2f93366e0d479d13c9b5c8c2a)
(cherry picked from commit ebea85358bc72ec20c53130d83acb93f95853b76)

Patch-Category: upstream

upstream/0033 Fix build_principal memory bug CVE 2015 2697.patch

src/lib/krb5/krb/bld_princ.c | 6 2 + 4 - 0 !
1 file changed, 2 insertions(+), 4 deletions(-)

 fix build_principal memory bug [cve-2015-2697]

In build_principal_va(), use k5memdup0() instead of strdup() to make a
copy of the realm, to ensure that we allocate the correct number of
bytes and do not read past the end of the input string.  This bug
affects krb5_build_principal(), krb5_build_principal_va(), and
krb5_build_principal_alloc_va().  krb5_build_principal_ext() is not
affected.

CVE-2015-2697:

In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte.  If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm.  Due to a bug in this
function, the null byte causes only one byte to be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash.

CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

ticket: 8252 (new)
target_version: 1.14
tags: pullup

(cherry picked from commit f0c094a1b745d91ef2f9a4eae2149aac026a5789)
(cherry picked from commit fcafb522a0509bfd6f4f6b57e4a1e93c0092eeb0)

Patch-Category: upstream

upstream/0034 Fix two IAKERB comments.patch

src/lib/gssapi/krb5/iakerb.c | 6 1 + 5 - 0 !
1 file changed, 1 insertion(+), 5 deletions(-)

 fix two iakerb comments

The comment explaining why there is no iakerb_gss_import_sec_context()
erroneously referenced SPNEGO instead of IAKERB (noticed by Ben
Kaduk).  The comment above iakerb_gss_delete_sec_context() is out of
date after the last commit.

(cherry picked from commit 92d6dd045dfc06cc03d20b327a6ee7a71e6bc24d)

Patch-Category: upstream

upstream/0035 Fix IAKERB context export import CVE 2015 2698.patch

src/lib/gssapi/krb5/gssapiP_krb5.h | 5 5 + 0 - 0 !
src/lib/gssapi/krb5/gssapi_krb5.c | 2 1 + 1 - 0 !
src/lib/gssapi/krb5/iakerb.c | 42 35 + 7 - 0 !
3 files changed, 41 insertions(+), 8 deletions(-)

 fix iakerb context export/import [cve-2015-2698]

The patches for CVE-2015-2696 contained a regression in the newly
added IAKERB iakerb_gss_export_sec_context() function, which could
cause it to corrupt memory.  Fix the regression by properly
dereferencing the context_handle pointer before casting it.

Also, the patches did not implement an IAKERB gss_import_sec_context()
function, under the erroneous belief that an exported IAKERB context
would be tagged as a krb5 context.  Implement it now to allow IAKERB
contexts to be successfully exported and imported after establishment.

CVE-2015-2698:

In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
application which calls gss_export_sec_context() may experience memory
corruption if the context was established using the IAKERB mechanism.
Historically, some vulnerabilities of this nature can be translated
into remote code execution, though the necessary exploits must be
tailored to the individual application and are usually quite
complicated.

    CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

ticket: 8273 (new)
target_version: 1.14
tags: pullup

(cherry picked from commit d8b31c874c7d1039be7649362ef11c89f4e14c27)

Patch-Category: upstream

upstream/0036 Fix SPNEGO context import.patch

src/lib/gssapi/spnego/spnego_mech.c | 33 27 + 6 - 0 !
1 file changed, 27 insertions(+), 6 deletions(-)

 fix spnego context import

The patches for CVE-2015-2695 did not implement a SPNEGO
gss_import_sec_context() function, under the erroneous belief that an
exported SPNEGO context would be tagged with the underlying context
mechanism.  Implement it now to allow SPNEGO contexts to be
successfully exported and imported after establishment.

ticket: 8273
(cherry picked from commit fbb565f913c52eba9bea82f1694aba7a8c90e93d)

Patch-Category: upstream

upstream/0037 Verify decoded kadmin C strings CVE 2015 8629.patch

src/lib/kadm5/kadm_rpc_xdr.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 [patch] verify decoded kadmin c strings [cve-2015-8629]

In xdr_nullstring(), check that the decoded string is terminated with
a zero byte and does not contain any internal zero bytes.

CVE-2015-8629:

In all versions of MIT krb5, an authenticated attacker can cause
kadmind to read beyond the end of allocated memory by sending a string
without a terminating zero byte.  Information leakage may be possible
for an attacker with permission to modify the database.

    CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C

ticket: 8341 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup

upstream/0038 Check for null kadm5 policy name CVE 2015 8630.patch

src/lib/kadm5/srv/svr_principal.c | 12 8 + 4 - 0 !
1 file changed, 8 insertions(+), 4 deletions(-)

 [patch] check for null kadm5 policy name [cve-2015-8630]

In kadm5_create_principal_3() and kadm5_modify_principal(), check for
entry->policy being null when KADM5_POLICY is included in the mask.

CVE-2015-8630:

In MIT krb5 1.12 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying a null policy value but including KADM5_POLICY in
the mask.

    CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

ticket: 8342 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup

upstream/0039 Fix leaks in kadmin server stubs CVE 2015 8631.patch

src/kadmin/server/server_stubs.c | 151 77 + 74 - 0 !
1 file changed, 77 insertions(+), 74 deletions(-)

 [patch] fix leaks in kadmin server stubs [cve-2015-8631]

In each kadmind server stub, initialize the client_name and
server_name variables, and release them in the cleanup handler.  Many
of the stubs will otherwise leak the client and server name if
krb5_unparse_name() fails.  Also make sure to free the prime_arg
variables in rename_principal_2_svc(), or we can leak the first one if
unparsing the second one fails.  Discovered by Simo Sorce.

CVE-2015-8631:

In all versions of MIT krb5, an authenticated attacker can cause
kadmind to leak memory by supplying a null principal name in a request
which uses one.  Repeating these requests will eventually cause
kadmind to exhaust all available memory.

    CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

ticket: 8343 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
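The cleanup-handler shape the patch describes (initialize every name pointer, release all of them in one place), shown as an added example in C beside the leak-prone shape it replaces. This is constructed code, not the krb5 server stubs: fake_unparse_name() stands in for krb5_unparse_name() and fails on a NULL input, and an allocation counter makes the leak measurable. The principal names are placeholders.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of name strings currently allocated; 0 after a call means no leak. */
static int live_allocations = 0;

/* Stand-in for krb5_unparse_name(): copies `in`, or fails (nonzero) when
 * `in` is NULL, the "null principal name in a request" case. Example only. */
static int fake_unparse_name(const char *in, char **out)
{
    size_t n;

    *out = NULL;
    if (in == NULL)
        return 1;
    n = strlen(in) + 1;
    *out = malloc(n);
    if (*out == NULL)
        return 1;
    memcpy(*out, in, n);
    live_allocations++;
    return 0;
}

static void free_name(char *p)
{
    if (p != NULL) {
        free(p);
        live_allocations--;
    }
}

/* Leak-prone shape: each early return skips the names already unparsed. */
int rename_stub_leaky(const char *client, const char *src, const char *dst)
{
    char *client_name, *prime_arg1, *prime_arg2;   /* never initialised */
    int ret;

    if ((ret = fake_unparse_name(client, &client_name)) != 0)
        return ret;
    if ((ret = fake_unparse_name(src, &prime_arg1)) != 0)
        return ret;                    /* client_name leaked */
    if ((ret = fake_unparse_name(dst, &prime_arg2)) != 0)
        return ret;                    /* client_name and prime_arg1 leaked */
    /* ... the stub's real work would go here ... */
    free_name(client_name);
    free_name(prime_arg1);
    free_name(prime_arg2);
    return 0;
}

/* Fixed shape: pointers start NULL and a single cleanup label frees them,
 * so no failure path can forget one. */
int rename_stub_fixed(const char *client, const char *src, const char *dst)
{
    char *client_name = NULL, *prime_arg1 = NULL, *prime_arg2 = NULL;
    int ret;

    if ((ret = fake_unparse_name(client, &client_name)) != 0)
        goto cleanup;
    if ((ret = fake_unparse_name(src, &prime_arg1)) != 0)
        goto cleanup;
    if ((ret = fake_unparse_name(dst, &prime_arg2)) != 0)
        goto cleanup;
    /* ... the stub's real work would go here ... */
    ret = 0;
cleanup:
    free_name(client_name);            /* free_name() tolerates NULL */
    free_name(prime_arg1);
    free_name(prime_arg2);
    return ret;
}

/* Call `stub` n times with a NULL target name (so the third unparse fails)
 * and report how many allocations are still outstanding. */
int leaked_after(int (*stub)(const char *, const char *, const char *), int n)
{
    live_allocations = 0;
    for (int i = 0; i < n; i++)
        stub("admin@EXAMPLE.COM", "alice@EXAMPLE.COM", NULL);
    return live_allocations;
}

int main(void)
{
    printf("leaky: %d live after 100 calls\n", leaked_after(rename_stub_leaky, 100));
    printf("fixed: %d live after 100 calls\n", leaked_after(rename_stub_fixed, 100));
    return 0;
}
```

Two leaked strings per request is small, which is why the page's description says repeated requests are needed to exhaust memory; the counter in leaked_after() is the kind of check a unit test or a leak-detecting build can apply to every stub.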

prevent requires_preauth bypass cve 2015.patch | (download)

src/plugins/preauth/otp/main.c | 10 7 + 3 - 0 !
src/plugins/preauth/pkinit/pkinit_srv.c | 4 2 + 2 - 0 !
2 files changed, 9 insertions(+), 5 deletions(-)

 prevent requires_preauth bypass [cve-2015-2694]

In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until
the request is successfully verified.  In the PKINIT kdcpreauth
module, don't respond with code 0 on empty input or an unconfigured
realm.  Together these bugs could cause the KDC preauth framework to
erroneously treat a request as pre-authenticated.

CVE-2015-2694:

In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
support, an unauthenticated remote attacker can bypass the
requires_preauth flag on a client principal and obtain a ciphertext
encrypted in the principal's long-term key.  This ciphertext could be
used to conduct an off-line dictionary attack against the user's
password.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C

(cherry picked from commit e3b5a5e5267818c97750b266df50b6a3d4649604)

ticket: 8160
version_fixed: 1.13.2
status: resolved

(cherry picked from commit df8afc60d970a7176a55ffe7ce21cfd57ba423cd)
patch-category: upstream
(cherry picked from commit 8159057a3dfa382ffd6c1cceaab436011e92f435)


fix s4u2self kdc crash when anon is rest.patch | (download)

src/kdc/kdc_util.c | 2 1 + 1 - 0 !
src/tests/t_pkinit.py | 5 5 + 0 - 0 !
2 files changed, 6 insertions(+), 1 deletion(-)

 fix s4u2self kdc crash when anon is restricted

In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
use client.princ instead of request->client; the latter is NULL when
validating S4U2Self requests.

CVE-2016-3120:

In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
to dereference a null pointer if the restrict_anonymous_to_tgt option
is set to true, by making an S4U2Self request.

  CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C

(cherry picked from commit 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7)

ticket: 8458
version_fixed: 1.14.3

(cherry picked from commit 85c3046d42eeb821967ad5625fcb08e8c6177b1a)


fix ldap null deref on empty arg cve 201.patch | (download)

src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 fix ldap null deref on empty arg [cve-2016-3119]

In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
if there is an empty string in the db_args array.  Check for this case
and avoid dereferencing a null pointer.

CVE-2016-3119:

In MIT krb5 1.6 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying an empty DB argument to the modify_principal
command, if kadmind is configured to use the LDAP KDB module.

    CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND

(cherry picked from commit 08c642c09c38a9c6454ab43a9b53b2a89b9eef99)

ticket: 8383
version_fixed: 1.14.2

(cherry picked from commit b5abd8c4872d7a024d49439342a6643f774afb1c)


prevent kdc unset status assertion failu.patch | (download)

src/kdc/do_as_req.c | 4 2 + 2 - 0 !
src/kdc/do_tgs_req.c | 3 2 + 1 - 0 !
src/kdc/kdc_util.c | 10 8 + 2 - 0 !
3 files changed, 12 insertions(+), 5 deletions(-)

 prevent kdc unset status assertion failures

Assign status values if S4U2Self padata fails to decode, if an
S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
uses an evidence ticket which does not match the canonicalized request
server principal name.  Reported by Samuel Cabrero.

If a status value is not assigned during KDC processing, default to
"UNKNOWN_REASON" rather than failing an assertion.  This change will
prevent future denial of service bugs due to similar mistakes, and
will allow us to omit assigning status values for unlikely errors such
as small memory allocation failures.

CVE-2017-11368:

In MIT krb5 1.7 and later, an authenticated attacker can cause an
assertion failure in krb5kdc by sending an invalid S4U2Self or
S4U2Proxy request.

  CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C

ticket: 8599 (new)
target_version: 1.15-next
target_version: 1.14-next
tags: pullup

Patch-Category: upstream
(cherry picked from commit 38903df0ecd26089efefd0cd52cf4ebe8e3e1dd3)