diff options
| author |   Wenlin Kang <wenlin.kang@windriver.com> | 2019-02-28 00:27:27 -0800 |
|---|---|---|
| committer |   Khem Raj <raj.khem@gmail.com> | 2019-02-28 09:42:11 -0800 |
| commit | ef6be433a9e580fadef8e9a08855cf66c7569659 (patch) | |
| tree | 4b950df6e34c00fa19a8726e7fc80c7579b01e75 /meta-oe/recipes-connectivity | |
| parent | e8606116247cda0991f7e653d9ff6969cf423b09 (diff) | |
| download | meta-openembedded-contrib-ef6be433a9e580fadef8e9a08855cf66c7569659.tar.gz | |
krb5: fix CVE-2018-20217
Fix CVE-2018-20217
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-oe/recipes-connectivity')
| -rw-r--r-- | meta-oe/recipes-connectivity/krb5/krb5/0001-Ignore-password-attributes-for-S4U2Self-requests.patch | 80 | ||||
| -rw-r--r-- | meta-oe/recipes-connectivity/krb5/krb5_1.16.2.bb | 1 |
2 files changed, 81 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/0001-Ignore-password-attributes-for-S4U2Self-requests.patch b/meta-oe/recipes-connectivity/krb5/krb5/0001-Ignore-password-attributes-for-S4U2Self-requests.patch new file mode 100644 index 0000000000..8d1e14358d --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/0001-Ignore-password-attributes-for-S4U2Self-requests.patch @@ -0,0 +1,80 @@ +From 6fad7d45701234c8e81300d50dd5b8037d846d11 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris <iboukris@gmail.com> +Date: Wed, 27 Feb 2019 23:59:59 -0800 +Subject: [PATCH] Ignore password attributes for S4U2Self requests + +For consistency with Windows KDCs, allow protocol transition to work +even if the password has expired or needs changing. + +Also, when looking up an enterprise principal with an AS request, +treat ERR_KEY_EXP as confirmation that the client is present in the +realm. + +[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited +commit message] + +ticket: 8763 (new) +tags: pullup +target_version: 1.17 + +Upsteam-Status: Backport [https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086] +CVE: CVE-2018-20217 + +Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> +--- + src/kdc/kdc_util.c | 5 +++++ + src/lib/krb5/krb/s4u_creds.c | 2 +- + src/tests/gssapi/t_s4u.py | 8 ++++++++ + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index 754570c..034c979 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -1574,6 +1574,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, + + memset(&no_server, 0, sizeof(no_server)); + ++ /* Ignore password expiration and needchange attributes (as Windows ++ * does), since S4U2Self is not password authentication. */ ++ princ->pw_expiration = 0; ++ clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE); ++ + code = validate_as_request(kdc_active_realm, request, *princ, + no_server, kdc_time, status, &e_data); + if (code) { +diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c +index 91c02aa..2037984 100644 +--- a/src/lib/krb5/krb/s4u_creds.c ++++ b/src/lib/krb5/krb/s4u_creds.c +@@ -117,7 +117,7 @@ s4u_identify_user(krb5_context context, + code = k5_get_init_creds(context, &creds, client, NULL, NULL, 0, NULL, + opts, krb5_get_as_key_noop, &userid, &use_master, + NULL); +- if (code == 0 || code == KRB5_PREAUTH_FAILED) { ++ if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) { + *canon_user = userid.user; + userid.user = NULL; + code = 0; +diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py +index 3da6544..ba0469e 100755 +--- a/src/tests/gssapi/t_s4u.py ++++ b/src/tests/gssapi/t_s4u.py +@@ -20,6 +20,14 @@ pservice2 = 'p:' + service2 + # Get forwardable creds for service1 in the default cache. + realm.kinit(service1, None, ['-f', '-k']) + ++# Try S4U2Self for user with a restricted password. ++realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ]) ++realm.run(['./t_s4u', 'e:user', '-']) ++realm.run([kadminl, 'modprinc', '-needchange', ++ '-pwexpire', '1/1/2000', realm.user_princ]) ++realm.run(['./t_s4u', 'e:user', '-']) ++realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ]) ++ + # Try krb5 -> S4U2Proxy with forwardable user creds. This should fail + # at the S4U2Proxy step since the DB2 back end currently has no + # support for allowing it. +-- +2.17.1 + diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.16.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.16.2.bb index 76b5d3042b..1d3ef8a34b 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.16.2.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.16.2.bb @@ -30,6 +30,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \ file://etc/default/krb5-admin-server \ file://krb5-kdc.service \ file://krb5-admin-server.service \ + file://0001-Ignore-password-attributes-for-S4U2Self-requests.patch;striplevel=2 \ " SRC_URI[md5sum] = "ffd52595e969fb700d37313606e4dc3d" SRC_URI[sha256sum] = "9f721e1fe593c219174740c71de514c7228a97d23eb7be7597b2ae14e487f027" |