rpm/krb5
SHA256
1
0
Fork 0
forked from pool/krb5
Code Pull Requests Activity

- denial of service flaws when handling RFC 1964 tokens (bnc#886016)

Browse Source 
krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
- start krb5kdc after slapd (bnc#886102)
- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
  similar functionality is provided by krb5-plugin-preauth-pkinit

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=121
This commit is contained in:
Christian Kornacker 2014-07-15 08:18:37 +00:00 committed by Git OBS Bridge
parent 5f3b47a9fc
commit 3f646c425e
6 changed files with 205 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

168
krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch Normal file
View File

@ -0,0 +1,168 @@
From fb99962cbd063ac04c9a9d2cc7c75eab73f3533d Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 19 Jun 2014 13:49:16 -0400
Subject: [PATCH] Handle invalid RFC 1964 tokens [CVE-2014-4341...]
Detect the following cases which would otherwise cause invalid memory
accesses and/or integer underflow:
* An RFC 1964 token being processed by an RFC 4121-only context
[CVE-2014-4342]
* A header with fewer than 22 bytes after the token ID or an
incomplete checksum [CVE-2014-4341 CVE-2014-4342]
* A ciphertext shorter than the confounder [CVE-2014-4341]
* A declared padding length longer than the plaintext [CVE-2014-4341]
If we detect a bad pad byte, continue on to compute the checksum to
avoid creating a padding oracle, but treat the checksum as invalid
even if it compares equal.
CVE-2014-4341:
In MIT krb5, an unauthenticated remote attacker with the ability to
inject packets into a legitimately established GSSAPI application
session can cause a program crash due to invalid memory references
when attempting to read beyond the end of a buffer.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
CVE-2014-4342:
In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote
attacker with the ability to inject packets into a legitimately
established GSSAPI application session can cause a program crash due
to invalid memory references when reading beyond the end of a buffer
or by causing a null pointer dereference.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
[tlyu@mit.edu: CVE summaries, CVSS]
ticket: 7949 (new)
subject: Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342]
taget_version: 1.12.2
tags: pullup
---
src/lib/gssapi/krb5/k5unseal.c | 41 +++++++++++++++++++++++++++++++--------
src/lib/gssapi/krb5/k5unsealiov.c | 9 ++++++++-
2 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
index 30c12b9..0573958 100644
--- a/src/lib/gssapi/krb5/k5unseal.c
+++ b/src/lib/gssapi/krb5/k5unseal.c
@@ -74,6 +74,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
int conflen = 0;
int signalg;
int sealalg;
+ int bad_pad = 0;
gss_buffer_desc token;
krb5_checksum cksum;
krb5_checksum md5cksum;
@@ -86,6 +87,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
krb5_ui_4 seqnum;
OM_uint32 retval;
size_t sumlen;
+ size_t padlen;
krb5_keyusage sign_usage = KG_USAGE_SIGN;
if (toktype == KG_TOK_SEAL_MSG) {
@@ -93,18 +95,23 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
message_buffer->value = NULL;
}
- /* get the sign and seal algorithms */
-
- signalg = ptr[0] + (ptr[1]<<8);
- sealalg = ptr[2] + (ptr[3]<<8);
-
/* Sanity checks */
- if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) {
+ if (ctx->seq == NULL) {
+ /* ctx was established using a newer enctype, and cannot process RFC
+ * 1964 tokens. */
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+ if ((bodysize < 22) || (ptr[4] != 0xff) || (ptr[5] != 0xff)) {
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
+ signalg = ptr[0] + (ptr[1]<<8);
+ sealalg = ptr[2] + (ptr[3]<<8);
+
if ((toktype != KG_TOK_SEAL_MSG) &&
(sealalg != 0xffff)) {
*minor_status = 0;
@@ -153,6 +160,11 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
return GSS_S_DEFECTIVE_TOKEN;
}
+ if ((size_t)bodysize < 14 + cksum_len) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
/* get the token parameters */
if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction,
@@ -207,7 +219,20 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
plainlen = tmsglen;
conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
- token.length = tmsglen - conflen - plain[tmsglen-1];
+ if (tmsglen < conflen) {
+ if (sealalg != 0xffff)
+ xfree(plain);
+ *minor_status = 0;
+ return(GSS_S_DEFECTIVE_TOKEN);
+ }
+ padlen = plain[tmsglen - 1];
+ if (tmsglen - conflen < padlen) {
+ /* Don't error out yet, to avoid padding oracle attacks. We will
+ * treat this as a checksum failure later on. */
+ padlen = 0;
+ bad_pad = 1;
+ }
+ token.length = tmsglen - conflen - padlen;
if (token.length) {
if ((token.value = (void *) gssalloc_malloc(token.length)) == NULL) {
@@ -403,7 +428,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
/* compare the computed checksum against the transmitted checksum */
- if (code) {
+ if (code || bad_pad) {
if (toktype == KG_TOK_SEAL_MSG)
gssalloc_free(token.value);
*minor_status = 0;
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
index f7828b8..b654c66 100644
--- a/src/lib/gssapi/krb5/k5unsealiov.c
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -69,7 +69,14 @@ kg_unseal_v1_iov(krb5_context context,
return GSS_S_DEFECTIVE_TOKEN;
}
- if (header->buffer.length < token_wrapper_len + 14) {
+ if (ctx->seq == NULL) {
+ /* ctx was established using a newer enctype, and cannot process RFC
+ * 1964 tokens. */
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+ if (header->buffer.length < token_wrapper_len + 22) {
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
--
1.9.3

19
krb5-mini.changes
View File

@ -1,10 +1,23 @@
-------------------------------------------------------------------
Tue Feb 18 15:27:15 UTC 2014 - ckornacker@suse.com
Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com
- denial of service flaws when handling RFC 1964 tokens (bnc#886016)
krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
- start krb5kdc after slapd (bnc#886102)
-------------------------------------------------------------------
Fri Jun 6 11:08:08 UTC 2014 - ckornacker@suse.com
- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
similar functionality is provided by krb5-plugin-preauth-pkinit
-------------------------------------------------------------------
Tue Feb 18 15:25:57 UTC 2014 - ckornacker@suse.com
- don't deliver SysV init files to systemd distributions
-------------------------------------------------------------------
Tue Jan 21 14:28:05 UTC 2014 - ckornacker@suse.com
Tue Jan 21 14:23:37 UTC 2014 - ckornacker@suse.com
- update to version 1.12.1
* Make KDC log service principal names more consistently during
@ -25,7 +38,7 @@ Tue Jan 21 14:28:05 UTC 2014 - ckornacker@suse.com
krb5-master-keyring-kdcsync.patch (RT#7820)
-------------------------------------------------------------------
Mon Jan 13 15:40:18 UTC 2014 - ckornacker@suse.com
Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com
- update to version 1.12
* Add GSSAPI extensions for constructing MIC tokens using IOV lists

3
krb5-mini.spec
View File

@ -35,6 +35,7 @@ Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
Group: Productivity/Networking/Security
Obsoletes: krb5-plugin-preauth-pkinit-nss
%if ! 0%{?build_mini}
BuildRequires: doxygen
BuildRequires: libopenssl-devel
@ -80,6 +81,7 @@ Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Patch14: krb5-kvno-230379.patch
Patch15: krb5-master-keyring-kdcsync.patch
Patch16: krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -200,6 +202,7 @@ Include Files for Development
%patch13 -p0
%patch14 -p1
%patch15 -p1
%patch16 -p1
%build
# needs to be re-generated

13
krb5.changes
View File

@ -1,3 +1,16 @@
-------------------------------------------------------------------
Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com
- denial of service flaws when handling RFC 1964 tokens (bnc#886016)
krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
- start krb5kdc after slapd (bnc#886102)
-------------------------------------------------------------------
Fri Jun 6 11:08:08 UTC 2014 - ckornacker@suse.com
- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
similar functionality is provided by krb5-plugin-preauth-pkinit
-------------------------------------------------------------------
Tue Feb 18 15:25:57 UTC 2014 - ckornacker@suse.com

3
krb5.spec
View File

@ -35,6 +35,7 @@ Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
Group: Productivity/Networking/Security
Obsoletes: krb5-plugin-preauth-pkinit-nss
%if ! 0%{?build_mini}
BuildRequires: doxygen
BuildRequires: libopenssl-devel
@ -80,6 +81,7 @@ Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Patch14: krb5-kvno-230379.patch
Patch15: krb5-master-keyring-kdcsync.patch
Patch16: krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -200,6 +202,7 @@ Include Files for Development
%patch13 -p0
%patch14 -p1
%patch15 -p1
%patch16 -p1
%build
# needs to be re-generated

4
vendor-files.tar.bz2
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:22a9f973ad4e6d2be5b82c9d7036320fa3984f0d2fcf891073f139abe0ee037d
size 183271
oid sha256:9fbb3f40968cce34b47881db19e2831d0359f621210b90179ac85b76e5c0e9ac
size 183189