diff options
author | Alexandru Moise <alexandru.moise@windriver.com> | 2016-08-26 12:22:57 +0300 |
---|---|---|
committer | Martin Jansa <Martin.Jansa@gmail.com> | 2016-09-05 13:30:50 +0200 |
commit | 19dc7117fd0e95d1477eb5797fbe2a3cca8f7760 (patch) | |
tree | 8cdbb5e0937e2bc010b64ab680fdbfb4ee45fda6 /meta-oe | |
parent | 0887841f141359acda72a5e8584bfe953bb24cdc (diff) | |
download | meta-openembedded-contrib-19dc7117fd0e95d1477eb5797fbe2a3cca8f7760.tar.gz |
krb5: Fix S4U2Self KDC crash when anon is restricted
This is CVE-2016-3120
The validate_as_request function in kdc_util.c in the Key Distribution
Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x before
1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect
client data structure, which allows remote authenticated users to cause
a denial of service (NULL pointer dereference and daemon crash) via an
S4U2Self request.
Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat (limited to 'meta-oe')
-rw-r--r-- | meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch | 63 | ||||
-rw-r--r-- | meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb | 1 |
2 files changed, 64 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch new file mode 100644 index 0000000000..dbc46bb79d --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch @@ -0,0 +1,63 @@ +From 5b9b82d0696f1ffd4e693c1f8eafc0915b15e85b Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Tue, 19 Jul 2016 11:00:28 -0400 +Subject: [PATCH] Fix S4U2Self KDC crash when anon is restricted + +cherry-picked from 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 upstream + +In validate_as_request(), when enforcing restrict_anonymous_to_tgt, +use client.princ instead of request->client; the latter is NULL when +validating S4U2Self requests. + +CVE-2016-3120: + +In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc +to dereference a null pointer if the restrict_anonymous_to_tgt option +is set to true, by making an S4U2Self request. + + CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C + +ticket: 8458 (new) +target_version: 1.14-next +target_version: 1.13-next + +Upstream-Status: Backport + +Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com> +--- + src/kdc/kdc_util.c | 2 +- + src/tests/t_pkinit.py | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index 48be1ae..10daec4 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -700,7 +700,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm, + return(KDC_ERR_MUST_USE_USER2USER); + } + +- if (check_anon(kdc_active_realm, request->client, request->server) != 0) { ++ if (check_anon(kdc_active_realm, client.princ, request->server) != 0) { + *status = "ANONYMOUS NOT ALLOWED"; + return(KDC_ERR_POLICY); + } +diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py +index 762e322..d27d05b 100644 +--- a/src/tests/t_pkinit.py ++++ b/src/tests/t_pkinit.py +@@ -94,6 +94,11 @@ out = realm.run([kvno, realm.host_princ], expected_code=1) + if 'KDC policy rejects request' not in out: + fail('Wrong error for restricted anonymous PKINIT') + ++# Regression test for #8458: S4U2Self requests crash the KDC if ++# anonymous is restricted. ++realm.kinit(realm.host_princ, flags=['-k']) ++realm.run([kvno, '-U', 'user', realm.host_princ]) ++ + # Go back to a normal KDC and disable anonymous PKINIT. + realm.stop_kdc() + realm.start_kdc() +-- +2.5.0 + diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb index 3a3886bce0..12d35319c8 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb @@ -36,6 +36,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar file://krb5-admin-server.service \ file://krb5-CVE-2016-3119.patch;striplevel=2 \ file://0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch;striplevel=2 \ + file://krb5-CVE-2016-3120.patch;striplevel=2 \ " SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189" SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1" |