diff --git a/krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch b/krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch new file mode 100644 index 0000000..8ede5f3 --- /dev/null +++ b/krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch 
@@ -0,0 +1,168 @@ +From fb99962cbd063ac04c9a9d2cc7c75eab73f3533d Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Thu, 19 Jun 2014 13:49:16 -0400 +Subject: [PATCH] Handle invalid RFC 1964 tokens [CVE-2014-4341...] + +Detect the following cases which would otherwise cause invalid memory +accesses and/or integer underflow: + +* An RFC 1964 token being processed by an RFC 4121-only context + [CVE-2014-4342] + +* A header with fewer than 22 bytes after the token ID or an + incomplete checksum [CVE-2014-4341 CVE-2014-4342] + +* A ciphertext shorter than the confounder [CVE-2014-4341] + +* A declared padding length longer than the plaintext [CVE-2014-4341] + +If we detect a bad pad byte, continue on to compute the checksum to +avoid creating a padding oracle, but treat the checksum as invalid +even if it compares equal. + +CVE-2014-4341: + +In MIT krb5, an unauthenticated remote attacker with the ability to +inject packets into a legitimately established GSSAPI application +session can cause a program crash due to invalid memory references +when attempting to read beyond the end of a buffer. + + CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C + +CVE-2014-4342: + +In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote +attacker with the ability to inject packets into a legitimately +established GSSAPI application session can cause a program crash due +to invalid memory references when reading beyond the end of a buffer +or by causing a null pointer dereference. 
+ + CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C + +[tlyu@mit.edu: CVE summaries, CVSS] + +ticket: 7949 (new) +subject: Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342] +taget_version: 1.12.2 +tags: pullup +--- + src/lib/gssapi/krb5/k5unseal.c | 41 +++++++++++++++++++++++++++++++-------- + src/lib/gssapi/krb5/k5unsealiov.c | 9 ++++++++- + 2 files changed, 41 insertions(+), 9 deletions(-) + +diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c +index 30c12b9..0573958 100644 +--- a/src/lib/gssapi/krb5/k5unseal.c ++++ b/src/lib/gssapi/krb5/k5unseal.c +@@ -74,6 +74,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, + int conflen = 0; + int signalg; + int sealalg; ++ int bad_pad = 0; + gss_buffer_desc token; + krb5_checksum cksum; + krb5_checksum md5cksum; +@@ -86,6 +87,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, + krb5_ui_4 seqnum; + OM_uint32 retval; + size_t sumlen; ++ size_t padlen; + krb5_keyusage sign_usage = KG_USAGE_SIGN; + + if (toktype == KG_TOK_SEAL_MSG) { +@@ -93,18 +95,23 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, + message_buffer->value = NULL; + } + +- /* get the sign and seal algorithms */ +- +- signalg = ptr[0] + (ptr[1]<<8); +- sealalg = ptr[2] + (ptr[3]<<8); +- + /* Sanity checks */ + +- if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) { ++ if (ctx->seq == NULL) { ++ /* ctx was established using a newer enctype, and cannot process RFC ++ * 1964 tokens. 
*/ ++ *minor_status = 0; ++ return GSS_S_DEFECTIVE_TOKEN; ++ } ++ ++ if ((bodysize < 22) || (ptr[4] != 0xff) || (ptr[5] != 0xff)) { + *minor_status = 0; + return GSS_S_DEFECTIVE_TOKEN; + } + ++ signalg = ptr[0] + (ptr[1]<<8); ++ sealalg = ptr[2] + (ptr[3]<<8); ++ + if ((toktype != KG_TOK_SEAL_MSG) && + (sealalg != 0xffff)) { + *minor_status = 0; +@@ -153,6 +160,11 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, + return GSS_S_DEFECTIVE_TOKEN; + } + ++ if ((size_t)bodysize < 14 + cksum_len) { ++ *minor_status = 0; ++ return GSS_S_DEFECTIVE_TOKEN; ++ } ++ + /* get the token parameters */ + + if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction, +@@ -207,7 +219,20 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, + plainlen = tmsglen; + + conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype); +- token.length = tmsglen - conflen - plain[tmsglen-1]; ++ if (tmsglen < conflen) { ++ if (sealalg != 0xffff) ++ xfree(plain); ++ *minor_status = 0; ++ return(GSS_S_DEFECTIVE_TOKEN); ++ } ++ padlen = plain[tmsglen - 1]; ++ if (tmsglen - conflen < padlen) { ++ /* Don't error out yet, to avoid padding oracle attacks. We will ++ * treat this as a checksum failure later on. 
*/ ++ padlen = 0; ++ bad_pad = 1; ++ } ++ token.length = tmsglen - conflen - padlen; + + if (token.length) { + if ((token.value = (void *) gssalloc_malloc(token.length)) == NULL) { +@@ -403,7 +428,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, + + /* compare the computed checksum against the transmitted checksum */ + +- if (code) { ++ if (code || bad_pad) { + if (toktype == KG_TOK_SEAL_MSG) + gssalloc_free(token.value); + *minor_status = 0; +diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c +index f7828b8..b654c66 100644 +--- a/src/lib/gssapi/krb5/k5unsealiov.c ++++ b/src/lib/gssapi/krb5/k5unsealiov.c +@@ -69,7 +69,14 @@ kg_unseal_v1_iov(krb5_context context, + return GSS_S_DEFECTIVE_TOKEN; + } + +- if (header->buffer.length < token_wrapper_len + 14) { ++ if (ctx->seq == NULL) { ++ /* ctx was established using a newer enctype, and cannot process RFC ++ * 1964 tokens. */ ++ *minor_status = 0; ++ return GSS_S_DEFECTIVE_TOKEN; ++ } ++ ++ if (header->buffer.length < token_wrapper_len + 22) { + *minor_status = 0; + return GSS_S_DEFECTIVE_TOKEN; + } +-- +1.9.3 + diff --git a/krb5-mini.changes b/krb5-mini.changes index 6f9e823..a7c3af7 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes 
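Review bot: The new `tmsglen < conflen` guard only protects `plain[tmsglen - 1]` while `conflen` is positive: `conflen` is a plain `int` declared at the top of kg_unseal_v1, so if kg_confounder_size can hand back 0 or a negative error value (its body is not in this patch, so I cannot confirm either way), a token with `tmsglen == 0` passes the check and the pad-length read indexes one byte before the plaintext buffer, and a negative `conflen` also inflates `tmsglen - conflen` in the padding check that follows. Rejecting that on the same error path, `if (conflen <= 0 || tmsglen < conflen) {`, keeps the accepted tokens unchanged for the 8-byte-confounder enctypes RFC 1964 tokens are built with while closing the gap; if a zero-length confounder is legitimate for some enctype, `conflen < 0 || tmsglen == 0` is the narrower form. The bad_pad handling looks right as far as the patch shows — the checksum is still computed so the pad check is not a distinguishable early exit — but the return that turns `code || bad_pad` into a failure status lies outside the hunk, as does the rest of kg_unseal_v1 and of kg_unseal_v1_iov in k5unsealiov.c, so the iov path's own confounder and padding checks could not be reviewed here.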
@@ -1,10 +1,23 @@ ------------------------------------------------------------------- -Tue Feb 18 15:27:15 UTC 2014 - ckornacker@suse.com +Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com + +- denial of service flaws when handling RFC 1964 tokens (bnc#886016) + krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch +- start krb5kdc after slapd (bnc#886102) + +------------------------------------------------------------------- +Fri Jun 6 11:08:08 UTC 2014 - ckornacker@suse.com + +- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674) + similar functionality is provided by krb5-plugin-preauth-pkinit + +------------------------------------------------------------------- +Tue Feb 18 15:25:57 UTC 2014 - ckornacker@suse.com - don't deliver SysV init files to systemd distributions ------------------------------------------------------------------- -Tue Jan 21 14:28:05 UTC 2014 - ckornacker@suse.com +Tue Jan 21 14:23:37 UTC 2014 - ckornacker@suse.com - update to version 1.12.1 * Make KDC log service principal names more consistently during @@ -25,7 +38,7 @@ Tue Jan 21 14:28:05 UTC 2014 - ckornacker@suse.com krb5-master-keyring-kdcsync.patch (RT#7820) ------------------------------------------------------------------- -Mon Jan 13 15:40:18 UTC 2014 - ckornacker@suse.com +Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com - update to version 1.12 * Add GSSAPI extensions for constructing MIC tokens using IOV lists diff --git a/krb5-mini.spec b/krb5-mini.spec index 6af8cee..7d7a5f1 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -35,6 +35,7 @@ Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT Group: Productivity/Networking/Security +Obsoletes: krb5-plugin-preauth-pkinit-nss %if ! 0%{?build_mini} BuildRequires: doxygen BuildRequires: libopenssl-devel 
@@ -80,6 +81,7 @@ Patch12: krb5-1.12-selinux-label.patch Patch13: krb5-1.9-debuginfo.patch Patch14: krb5-kvno-230379.patch Patch15: krb5-master-keyring-kdcsync.patch +Patch16: krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -200,6 +202,7 @@ Include Files for Development %patch13 -p0 %patch14 -p1 %patch15 -p1 +%patch16 -p1 %build # needs to be re-generated diff --git a/krb5.changes b/krb5.changes index 969c292..a7c3af7 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com + +- denial of service flaws when handling RFC 1964 tokens (bnc#886016) + krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch +- start krb5kdc after slapd (bnc#886102) + +------------------------------------------------------------------- +Fri Jun 6 11:08:08 UTC 2014 - ckornacker@suse.com + +- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674) + similar functionality is provided by krb5-plugin-preauth-pkinit + ------------------------------------------------------------------- Tue Feb 18 15:25:57 UTC 2014 - ckornacker@suse.com diff --git a/krb5.spec b/krb5.spec index f52023b..3708f0d 100644 --- a/krb5.spec +++ b/krb5.spec @@ -35,6 +35,7 @@ Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT Group: Productivity/Networking/Security +Obsoletes: krb5-plugin-preauth-pkinit-nss %if ! 0%{?build_mini} BuildRequires: doxygen BuildRequires: libopenssl-devel @@ -80,6 +81,7 @@ Patch12: krb5-1.12-selinux-label.patch Patch13: krb5-1.9-debuginfo.patch Patch14: krb5-kvno-230379.patch Patch15: krb5-master-keyring-kdcsync.patch +Patch16: krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq 
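Review bot: `Obsoletes: krb5-plugin-preauth-pkinit-nss` is added to the main library package, so upgrading a host that had the NSS pkinit plugin removes that plugin without pulling in the krb5-plugin-preauth-pkinit package the changelog names as its replacement, and the unversioned form also obsoletes any future build of that name. If the intent is a drop-in replacement, the line belongs in the `%package plugin-preauth-pkinit` section (not visible in this hunk, so I am inferring the subpackage from the changelog), ideally bounded as `Obsoletes: krb5-plugin-preauth-pkinit-nss < %{version}`, with a `Provides:` only if that subpackage is a genuine substitute. The same line is added to krb5-mini.spec in the earlier hunk; whichever placement is chosen should be mirrored there.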
@@ -200,6 +202,7 @@ Include Files for Development %patch13 -p0 %patch14 -p1 %patch15 -p1 +%patch16 -p1 %build # needs to be re-generated diff --git a/vendor-files.tar.bz2 b/vendor-files.tar.bz2 index a1aa464..5e942bf 100644 --- a/vendor-files.tar.bz2 +++ b/vendor-files.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:22a9f973ad4e6d2be5b82c9d7036320fa3984f0d2fcf891073f139abe0ee037d -size 183271 +oid sha256:9fbb3f40968cce34b47881db19e2831d0359f621210b90179ac85b76e5c0e9ac +size 183189