diff --git a/krb5-1.7-MITKRB5-SA-2010-002.dif b/krb5-1.7-MITKRB5-SA-2010-002.dif new file mode 100644 index 0000000..79c4e81 --- /dev/null +++ b/krb5-1.7-MITKRB5-SA-2010-002.dif @@ -0,0 +1,71 @@ +Index: src/lib/gssapi/spnego/spnego_mech.c +=================================================================== +--- src/lib/gssapi/spnego/spnego_mech.c.orig ++++ src/lib/gssapi/spnego/spnego_mech.c +@@ -1576,7 +1576,7 @@ spnego_gss_accept_sec_context( + spnego_gss_ctx_id_t sc = NULL; + spnego_gss_cred_id_t spcred = NULL; + OM_uint32 mechstat = GSS_S_FAILURE; +- int sendTokenInit = 0; ++ int sendTokenInit = 0, tmpret; + + mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER; + +@@ -1609,7 +1609,6 @@ spnego_gss_accept_sec_context( + if (delegated_cred_handle != NULL) + *delegated_cred_handle = GSS_C_NO_CREDENTIAL; + if (input_token->length == 0) { +- sendTokenInit = 1; + ret = acc_ctx_hints(minor_status, + context_handle, spcred, + &mic_out, +@@ -1617,6 +1616,7 @@ spnego_gss_accept_sec_context( + &return_token); + if (ret != GSS_S_COMPLETE) + goto cleanup; ++ sendTokenInit = 1; + ret = GSS_S_CONTINUE_NEEDED; + } else { + /* Can set negState to REQUEST_MIC */ +@@ -1664,27 +1664,21 @@ spnego_gss_accept_sec_context( + &negState, &return_token); + } + cleanup: +- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { +- /* For acceptor-sends-first send a tokenInit */ +- int tmpret; +- ++ if (return_token == INIT_TOKEN_SEND && sendTokenInit) { + assert(sc != NULL); +- +- if (sendTokenInit) { +- tmpret = make_spnego_tokenInit_msg(sc, +- 1, +- mic_out, +- 0, +- GSS_C_NO_BUFFER, +- return_token, +- output_token); +- } else { +- tmpret = make_spnego_tokenTarg_msg(negState, +- sc ? sc->internal_mech : GSS_C_NO_OID, +- &mechtok_out, mic_out, +- return_token, +- output_token); +- } ++ tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0, ++ GSS_C_NO_BUFFER, ++ return_token, output_token); ++ if (tmpret < 0) ++ ret = GSS_S_FAILURE; ++ } else if (return_token != NO_TOKEN_SEND && ++ return_token != CHECK_MIC) { ++ tmpret = make_spnego_tokenTarg_msg(negState, ++ sc ? sc->internal_mech : ++ GSS_C_NO_OID, ++ &mechtok_out, mic_out, ++ return_token, ++ output_token); + if (tmpret < 0) + ret = GSS_S_FAILURE; + } diff --git a/krb5-1.8-POST.dif b/krb5-1.8-POST.dif new file mode 100644 index 0000000..14ccdf3 --- /dev/null +++ b/krb5-1.8-POST.dif @@ -0,0 +1,315 @@ +Index: doc/admin.texinfo +=================================================================== +--- doc/admin.texinfo.orig ++++ doc/admin.texinfo +@@ -516,13 +516,6 @@ DCE do not support the default cache as + Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on + DCE 1.1 systems. The default value is @value{DefaultCcacheType}. + +-@ignore +-@itemx tkt_lifetime +-The default lifetime of a ticket. The default is +-@value{DefaultTktLifetime}. This is currently not supported by the +-code. +-@end ignore +- + @itemx dns_lookup_kdc + Indicate whether DNS SRV records should be used to locate the KDCs and + other servers for a realm, if they are not listed in the information for +@@ -583,6 +576,11 @@ If this flag is set, then an attempt to + fail if the client machine does not have a keytab. The default for the + flag is @value{DefaultVerifyApReqNofail}. + ++@itemx ticket_lifetime ++The value of this tag is the default lifetime for ++initial tickets. The default value for the tag is ++@value{DefaultTktLifetime}. ++ + @itemx renew_lifetime + The value of this tag is the default renewable lifetime for + initial tickets. The default value for the tag is +Index: src/include/krb5/krb5.hin +=================================================================== +--- src/include/krb5/krb5.hin.orig ++++ src/include/krb5/krb5.hin +@@ -1066,7 +1066,7 @@ krb5_verify_checksum(krb5_context contex + #define KRB5_AUTHDATA_SESAME 65 + #define KRB5_AUTHDATA_WIN2K_PAC 128 + #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */ +-#define KRB5_AUTHDATA_SIGNTICKET 142 ++#define KRB5_AUTHDATA_SIGNTICKET 512 /* formerly 142 in krb5 1.8 */ + #define KRB5_AUTHDATA_FX_ARMOR 71 + /* password change constants */ + +@@ -1184,6 +1184,19 @@ typedef struct _krb5_pa_data { + krb5_octet *contents; + } krb5_pa_data; + ++/* typed data */ ++/* ++ * The FAST error handling logic currently assumes that this structure and ++ * krb5_pa_data * can be safely cast to each other if this structure changes, ++ * that code needs to be updated to copy. ++ */ ++typedef struct _krb5_typed_data { ++ krb5_magic magic; ++ krb5_int32 type; ++ unsigned int length; ++ krb5_octet *data; ++} krb5_typed_data; ++ + typedef struct _krb5_kdc_req { + krb5_magic magic; + krb5_msgtype msg_type; /* AS_REQ or TGS_REQ? */ +Index: src/include/k5-int-pkinit.h +=================================================================== +--- src/include/k5-int-pkinit.h.orig ++++ src/include/k5-int-pkinit.h +@@ -101,17 +101,6 @@ typedef struct _krb5_trusted_ca { + } u; + } krb5_trusted_ca; + +-/* typed data */ +-/* The FAST error handling logic currently assumes that this structure and krb5_pa_data * can be safely cast to each other +- * if this structure changes, that code needs to be updated to copy. +- */ +-typedef struct _krb5_typed_data { +- krb5_magic magic; +- krb5_int32 type; +- unsigned int length; +- krb5_octet *data; +-} krb5_typed_data; +- + /* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */ + typedef struct _krb5_pa_pk_as_req_draft9 { + krb5_octet_data signedAuthPack; +Index: src/kdc/kdc_authdata.c +=================================================================== +--- src/kdc/kdc_authdata.c.orig ++++ src/kdc/kdc_authdata.c +@@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context contex + enc_sp.length = sp_authdata[0]->length; + + code = decode_krb5_ad_signedpath(&enc_sp, &sp); +- if (code != 0) ++ if (code != 0) { ++ /* Treat an invalid signedpath authdata element as a missing one, since ++ * we believe MS is using the same number for something else. */ ++ code = 0; + goto cleanup; ++ } + + code = verify_ad_signedpath_checksum(context, + krbtgt, +Index: src/kdc/do_tgs_req.c +=================================================================== +--- src/kdc/do_tgs_req.c.orig ++++ src/kdc/do_tgs_req.c +@@ -1215,6 +1215,7 @@ prep_reprocess_req(krb5_kdc_req *request + strlcpy(comp1_str,comp1->data,comp1->length+1); + + if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST || ++ krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST || + (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN && + kdc_active_realm->realm_host_based_services != NULL && + (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, +Index: src/clients/kpasswd/kpasswd.c +=================================================================== +--- src/clients/kpasswd/kpasswd.c.orig ++++ src/clients/kpasswd/kpasswd.c +@@ -47,7 +47,7 @@ int main(int argc, char *argv[]) + { + krb5_error_code ret; + krb5_context context; +- krb5_principal princ; ++ krb5_principal princ = NULL; + char *pname; + krb5_ccache ccache; + krb5_get_init_creds_opt *opts = NULL; +@@ -84,23 +84,27 @@ int main(int argc, char *argv[]) + com_err(argv[0], ret, "parsing client name"); + exit(1); + } +- } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) { +- if (ret) { ++ } else { ++ ret = krb5_cc_default(context, &ccache); ++ if (ret != 0) { + com_err(argv[0], ret, "opening default ccache"); + exit(1); + } + +- if ((ret = krb5_cc_get_principal(context, ccache, &princ))) { ++ ret = krb5_cc_get_principal(context, ccache, &princ); ++ if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) { + com_err(argv[0], ret, "getting principal from ccache"); + exit(1); + } + +- if ((ret = krb5_cc_close(context, ccache))) { ++ ret = krb5_cc_close(context, ccache); ++ if (ret != 0) { + com_err(argv[0], ret, "closing ccache"); + exit(1); + } +- } else { +- get_name_from_passwd_file(argv[0], context, &princ); ++ ++ if (princ == NULL) ++ get_name_from_passwd_file(argv[0], context, &princ); + } + + if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) { +Index: src/config-files/krb5.conf.M +=================================================================== +--- src/config-files/krb5.conf.M.orig ++++ src/config-files/krb5.conf.M +@@ -220,6 +220,10 @@ If this flag is set, then an attempt to + fail if the client machine does not have a keytab. The default for the + flag is false. + ++.IP ticket_lifetime ++The value of this tag is the default lifetime for initial tickets. The ++default value for the tag is 1 day (1d). ++ + .IP renew_lifetime + The value of this tag is the default renewable lifetime for initial + tickets. The default value for the tag is 0. +Index: src/lib/gssapi/spnego/spnego_mech.c +=================================================================== +--- src/lib/gssapi/spnego/spnego_mech.c.orig ++++ src/lib/gssapi/spnego/spnego_mech.c +@@ -1687,6 +1687,7 @@ cleanup: + if (sc->internal_name != GSS_C_NO_NAME && + src_name != NULL) { + *src_name = sc->internal_name; ++ sc->internal_name = GSS_C_NO_NAME; + } + release_spnego_ctx(&sc); + } else if (ret != GSS_S_CONTINUE_NEEDED) { +@@ -2572,6 +2573,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t * + (void) generic_gss_release_oid(&minor_stat, + &context->internal_mech); + ++ (void) gss_release_name(&minor_stat, &context->internal_name); ++ + if (context->optionStr != NULL) { + free(context->optionStr); + context->optionStr = NULL; +Index: src/lib/kadm5/srv/svr_principal.c +=================================================================== +--- src/lib/kadm5/srv/svr_principal.c.orig ++++ src/lib/kadm5/srv/svr_principal.c +@@ -858,8 +858,8 @@ kadm5_get_principal(void *server_handle, + if (! (mask & KADM5_MOD_TIME)) + entry->mod_date = 0; + if (! (mask & KADM5_MOD_NAME)) { +- krb5_free_principal(handle->context, entry->principal); +- entry->principal = NULL; ++ krb5_free_principal(handle->context, entry->mod_name); ++ entry->mod_name = NULL; + } + } + +@@ -871,10 +871,12 @@ kadm5_get_principal(void *server_handle, + if (kdb.key_data[i].key_data_kvno > entry->kvno) + entry->kvno = kdb.key_data[i].key_data_kvno; + +- ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, +- &entry->mkvno); +- if (ret) +- goto done; ++ if (mask & KADM5_MKVNO) { ++ ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, ++ &entry->mkvno); ++ if (ret) ++ goto done; ++ } + + if (mask & KADM5_MAX_RLIFE) + entry->max_renewable_life = kdb.max_renewable_life; +Index: src/lib/krb5/os/changepw.c +=================================================================== +--- src/lib/krb5/os/changepw.c.orig ++++ src/lib/krb5/os/changepw.c +@@ -65,20 +65,23 @@ locate_kpasswd(krb5_context context, con + int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM); + + code = krb5int_locate_server (context, realm, addrlist, +- locate_service_kpasswd, sockType, AF_INET); ++ locate_service_kpasswd, sockType, AF_UNSPEC); + + if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) { + code = krb5int_locate_server (context, realm, addrlist, + locate_service_kadmin, SOCK_STREAM, +- AF_INET); ++ AF_UNSPEC); + if (!code) { + /* Success with admin_server but now we need to change the + port number to use DEFAULT_KPASSWD_PORT and the socktype. */ + size_t i; + for (i=0; inaddrs; i++) { + struct addrinfo *a = addrlist->addrs[i].ai; ++ krb5_ui_2 kpasswd_port = htons(DEFAULT_KPASSWD_PORT); + if (a->ai_family == AF_INET) +- sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT); ++ sa2sin (a->ai_addr)->sin_port = kpasswd_port; ++ if (a->ai_family == AF_INET6) ++ sa2sin6 (a->ai_addr)->sin6_port = kpasswd_port; + if (sockType != SOCK_STREAM) + a->ai_socktype = sockType; + } +@@ -131,10 +134,16 @@ kpasswd_sendto_msg_callback(struct conn_ + /* some brain-dead OS's don't return useful information from + * the getsockname call. Namely, windows and solaris. */ + +- if (ss2sin(&local_addr)->sin_addr.s_addr != 0) { ++ if (local_addr.ss_family == AF_INET && ++ ss2sin(&local_addr)->sin_addr.s_addr != 0) { + local_kaddr.addrtype = ADDRTYPE_INET; + local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr); + local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr; ++ } else if (local_addr.ss_family == AF_INET6 && ++ ss2sin6(&local_addr)->sin6_addr.s6_addr != 0) { ++ local_kaddr.addrtype = ADDRTYPE_INET6; ++ local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr); ++ local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr; + } else { + krb5_address **addrs; + +@@ -290,9 +299,19 @@ change_set_password(krb5_context context + break; + } + +- remote_kaddr.addrtype = ADDRTYPE_INET; +- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); +- remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; ++ if (remote_addr.ss_family == AF_INET) { ++ remote_kaddr.addrtype = ADDRTYPE_INET; ++ remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); ++ remote_kaddr.contents = ++ (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; ++ } else if (remote_addr.ss_family == AF_INET6) { ++ remote_kaddr.addrtype = ADDRTYPE_INET6; ++ remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr); ++ remote_kaddr.contents = ++ (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr; ++ } else { ++ break; ++ } + + if ((code = krb5_auth_con_setaddrs(callback_ctx.context, + callback_ctx.auth_context, +Index: src/lib/krb5/krb/gic_pwd.c +=================================================================== +--- src/lib/krb5/krb/gic_pwd.c.orig ++++ src/lib/krb5/krb/gic_pwd.c +@@ -218,7 +218,7 @@ krb5_get_init_creds_password(krb5_contex + * to prompt. Prompting is only disabled if the option has been set + * and the value has been set to false. + */ +- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) ++ if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) + goto cleanup; + + /* ok, we have an expired password. Give the user a few chances diff --git a/krb5-doc.changes b/krb5-doc.changes index 6dfd162..7ac797d 100644 --- a/krb5-doc.changes +++ b/krb5-doc.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Mar 23 12:38:29 CET 2010 - mc@suse.de + +- add post 1.8 fixes + * Document the ticket_lifetime libdefaults setting + ------------------------------------------------------------------- Thu Mar 4 11:45:22 CET 2010 - mc@suse.de diff --git a/krb5-doc.spec b/krb5-doc.spec index ea6ce01..86eface 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -21,7 +21,7 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive Version: 1.8 -Release: 1 +Release: 2 %define srcRoot krb5-1.8 Summary: MIT Kerberos5 Implementation--Documentation License: MIT License (or similar) @@ -31,6 +31,7 @@ Source: krb5-1.8.tar.bz2 Source3: %{name}-%{version}-rpmlintrc Patch0: krb5-1.3.5-perlfix.dif Patch1: krb5-1.6.3-texi2dvi-fix.dif +Patch2: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch @@ -53,6 +54,7 @@ Authors: %setup -n %{srcRoot} %patch0 %patch1 +%patch2 %build diff --git a/krb5-mini.changes b/krb5-mini.changes index 58bfdc3..c00c208 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,25 @@ +------------------------------------------------------------------- +Tue Mar 23 14:32:41 CET 2010 - mc@suse.de + +- fix a bug where an unauthenticated remote attacker could cause + a GSS-API application including the Kerberos administration + daemon (kadmind) to crash. + CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) + +------------------------------------------------------------------- +Tue Mar 23 12:33:26 CET 2010 - mc@suse.de + +- add post 1.8 fixes + * Add IPv6 support to changepw.c + * fix two problems in kadm5_get_principal mask handling + * Ignore improperly encoded signedpath AD elements + * handle NT_SRV_INST in service principal referrals + * dereference options while checking + KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT + * Fix the kpasswd fallback from the ccache principal name + * Document the ticket_lifetime libdefaults setting + * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 + ------------------------------------------------------------------- Thu Mar 4 10:42:29 CET 2010 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index fe27dc3..8c1b700 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -28,7 +28,7 @@ Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel Version: 1.8 -Release: 1 +Release: 2 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel # bug437293 @@ -55,6 +55,8 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif +Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif +Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -202,6 +204,8 @@ Authors: %patch41 %patch44 -p1 %patch46 -p1 +%patch47 +%patch50 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do diff --git a/krb5.changes b/krb5.changes index 58bfdc3..c00c208 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,25 @@ +------------------------------------------------------------------- +Tue Mar 23 14:32:41 CET 2010 - mc@suse.de + +- fix a bug where an unauthenticated remote attacker could cause + a GSS-API application including the Kerberos administration + daemon (kadmind) to crash. + CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) + +------------------------------------------------------------------- +Tue Mar 23 12:33:26 CET 2010 - mc@suse.de + +- add post 1.8 fixes + * Add IPv6 support to changepw.c + * fix two problems in kadm5_get_principal mask handling + * Ignore improperly encoded signedpath AD elements + * handle NT_SRV_INST in service principal referrals + * dereference options while checking + KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT + * Fix the kpasswd fallback from the ccache principal name + * Document the ticket_lifetime libdefaults setting + * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 + ------------------------------------------------------------------- Thu Mar 4 10:42:29 CET 2010 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index 38bed32..2196e63 100644 --- a/krb5.spec +++ b/krb5.spec @@ -28,7 +28,7 @@ Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel Version: 1.8 -Release: 1 +Release: 2 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel # bug437293 @@ -55,6 +55,8 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif +Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif +Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -202,6 +204,8 @@ Authors: %patch41 %patch44 -p1 %patch46 -p1 +%patch47 +%patch50 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do