Accepting request 241736 from network

1 OBS-URL: https://build.opensuse.org/request/show/241736 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=100
2014-07-27 06:25:40 +00:00 · 2014-07-27 06:25:40 +00:00 · ec41724c92
commit ec41724c92
parent 76cd6119cf 3ac7b19a80
6 changed files with 221 additions and 7 deletions
--- a/krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+++ b/krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
@ -0,0 +1,168 @@
 From fb99962cbd063ac04c9a9d2cc7c75eab73f3533d Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 19 Jun 2014 13:49:16 -0400
 Subject: [PATCH] Handle invalid RFC 1964 tokens [CVE-2014-4341...]
 Detect the following cases which would otherwise cause invalid memory
 accesses and/or integer underflow:
 * An RFC 1964 token being processed by an RFC 4121-only context
  [CVE-2014-4342]
 * A header with fewer than 22 bytes after the token ID or an
  incomplete checksum [CVE-2014-4341 CVE-2014-4342]
 * A ciphertext shorter than the confounder [CVE-2014-4341]
 * A declared padding length longer than the plaintext [CVE-2014-4341]
 If we detect a bad pad byte, continue on to compute the checksum to
 avoid creating a padding oracle, but treat the checksum as invalid
 even if it compares equal.
 CVE-2014-4341:
 In MIT krb5, an unauthenticated remote attacker with the ability to
 inject packets into a legitimately established GSSAPI application
 session can cause a program crash due to invalid memory references
 when attempting to read beyond the end of a buffer.
    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
 CVE-2014-4342:
 In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote
 attacker with the ability to inject packets into a legitimately
 established GSSAPI application session can cause a program crash due
 to invalid memory references when reading beyond the end of a buffer
 or by causing a null pointer dereference.
    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
 [tlyu@mit.edu: CVE summaries, CVSS]
 ticket: 7949 (new)
 subject: Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342]
 taget_version: 1.12.2
 tags: pullup
 ---
 src/lib/gssapi/krb5/k5unseal.c    | 41 +++++++++++++++++++++++++++++++--------
 src/lib/gssapi/krb5/k5unsealiov.c |  9 ++++++++-
 2 files changed, 41 insertions(+), 9 deletions(-)
 diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
 index 30c12b9..0573958 100644
 --- a/src/lib/gssapi/krb5/k5unseal.c
 +++ b/src/lib/gssapi/krb5/k5unseal.c
@@ -74,6 +74,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
     int conflen = 0;
     int signalg;
     int sealalg;
 +    int bad_pad = 0;
     gss_buffer_desc token;
     krb5_checksum cksum;
     krb5_checksum md5cksum;
@@ -86,6 +87,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
     krb5_ui_4 seqnum;
     OM_uint32 retval;
     size_t sumlen;
 +    size_t padlen;
     krb5_keyusage sign_usage = KG_USAGE_SIGN;
     if (toktype == KG_TOK_SEAL_MSG) {
@@ -93,18 +95,23 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
         message_buffer->value = NULL;
     }
 -    /* get the sign and seal algorithms */
 -
 -    signalg = ptr[0] + (ptr[1]<<8);
 -    sealalg = ptr[2] + (ptr[3]<<8);
 -
     /* Sanity checks */
 -    if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) {
 +    if (ctx->seq == NULL) {
 +        /* ctx was established using a newer enctype, and cannot process RFC
 +         * 1964 tokens. */
 +        *minor_status = 0;
 +        return GSS_S_DEFECTIVE_TOKEN;
 +    }
 +
 +    if ((bodysize < 22) || (ptr[4] != 0xff) || (ptr[5] != 0xff)) {
         *minor_status = 0;
         return GSS_S_DEFECTIVE_TOKEN;
     }
 +    signalg = ptr[0] + (ptr[1]<<8);
 +    sealalg = ptr[2] + (ptr[3]<<8);
 +
     if ((toktype != KG_TOK_SEAL_MSG) &&
         (sealalg != 0xffff)) {
         *minor_status = 0;
@@ -153,6 +160,11 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
         return GSS_S_DEFECTIVE_TOKEN;
     }
 +    if ((size_t)bodysize < 14 + cksum_len) {
 +        *minor_status = 0;
 +        return GSS_S_DEFECTIVE_TOKEN;
 +    }
 +
     /* get the token parameters */
     if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction,
@@ -207,7 +219,20 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
         plainlen = tmsglen;
         conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
 -        token.length = tmsglen - conflen - plain[tmsglen-1];
 +        if (tmsglen < conflen) {
 +            if (sealalg != 0xffff)
 +                xfree(plain);
 +            *minor_status = 0;
 +            return(GSS_S_DEFECTIVE_TOKEN);
 +        }
 +        padlen = plain[tmsglen - 1];
 +        if (tmsglen - conflen < padlen) {
 +            /* Don't error out yet, to avoid padding oracle attacks.  We will
 +             * treat this as a checksum failure later on. */
 +            padlen = 0;
 +            bad_pad = 1;
 +        }
 +        token.length = tmsglen - conflen - padlen;
         if (token.length) {
             if ((token.value = (void *) gssalloc_malloc(token.length)) == NULL) {
@@ -403,7 +428,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
     /* compare the computed checksum against the transmitted checksum */
 -    if (code) {
 +    if (code || bad_pad) {
         if (toktype == KG_TOK_SEAL_MSG)
             gssalloc_free(token.value);
         *minor_status = 0;
 diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
 index f7828b8..b654c66 100644
 --- a/src/lib/gssapi/krb5/k5unsealiov.c
 +++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -69,7 +69,14 @@ kg_unseal_v1_iov(krb5_context context,
         return GSS_S_DEFECTIVE_TOKEN;
     }
 -    if (header->buffer.length < token_wrapper_len + 14) {
 +    if (ctx->seq == NULL) {
 +        /* ctx was established using a newer enctype, and cannot process RFC
 +         * 1964 tokens. */
 +        *minor_status = 0;
 +        return GSS_S_DEFECTIVE_TOKEN;
 +    }
 +
 +    if (header->buffer.length < token_wrapper_len + 22) {
         *minor_status = 0;
         return GSS_S_DEFECTIVE_TOKEN;
     }
 -- 
 1.9.3
--- a/krb5-mini.changes
+++ b/krb5-mini.changes
@ -1,10 +1,28 @@
 -------------------------------------------------------------------
-Tue Feb 18 15:27:15 UTC 2014 - ckornacker@suse.com
+Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com
 - Do not depend of insserv if systemd is used 
 -------------------------------------------------------------------
 Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com
 - denial of service flaws when handling RFC 1964 tokens (bnc#886016)
  krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
 - start krb5kdc after slapd (bnc#886102)
 -------------------------------------------------------------------
 Fri Jun  6 11:08:08 UTC 2014 - ckornacker@suse.com
 - obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
  similar functionality is provided by krb5-plugin-preauth-pkinit
 -------------------------------------------------------------------
 Tue Feb 18 15:25:57 UTC 2014 - ckornacker@suse.com
 - don't deliver SysV init files to systemd distributions
 -------------------------------------------------------------------
-Tue Jan 21 14:28:05 UTC 2014 - ckornacker@suse.com
+Tue Jan 21 14:23:37 UTC 2014 - ckornacker@suse.com
 - update to version 1.12.1
  * Make KDC log service principal names more consistently during
@ -25,7 +43,7 @@ Tue Jan 21 14:28:05 UTC 2014 - ckornacker@suse.com
  krb5-master-keyring-kdcsync.patch (RT#7820)
 -------------------------------------------------------------------
-Mon Jan 13 15:40:18 UTC 2014 - ckornacker@suse.com
+Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com
 - update to version 1.12
  * Add GSSAPI extensions for constructing MIC tokens using IOV lists
--- a/krb5-mini.spec
+++ b/krb5-mini.spec
@ -35,6 +35,7 @@ Release:        0
 Summary:        MIT Kerberos5 Implementation--Libraries
 License:        MIT
 Group:          Productivity/Networking/Security
 Obsoletes:      krb5-plugin-preauth-pkinit-nss
 %if ! 0%{?build_mini}
 BuildRequires:  doxygen
 BuildRequires:  libopenssl-devel
@ -47,6 +48,8 @@ BuildRequires:  python-lxml
 %if 0%{?suse_version} >= 1210
 BuildRequires:  pkgconfig(systemd)
 %{?systemd_requires}
 %else
 PreReq:         %insserv_prereq
 %endif
 # bug437293
 %ifarch ppc64
@ -80,9 +83,10 @@ Patch12:        krb5-1.12-selinux-label.patch
 Patch13:        krb5-1.9-debuginfo.patch
 Patch14:        krb5-kvno-230379.patch
 Patch15:        krb5-master-keyring-kdcsync.patch
 Patch16:        krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
-PreReq:         %insserv_prereq %fillup_prereq 
+PreReq:         %fillup_prereq 
 %description
 Kerberos V5 is a trusted-third-party network authentication system,
@ -200,6 +204,7 @@ Include Files for Development
 %patch13 -p0
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
 %build
 # needs to be re-generated
--- a/krb5.changes
+++ b/krb5.changes
@ -1,3 +1,21 @@
 -------------------------------------------------------------------
 Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com
 - Do not depend of insserv if systemd is used 
 -------------------------------------------------------------------
 Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com
 - denial of service flaws when handling RFC 1964 tokens (bnc#886016)
  krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
 - start krb5kdc after slapd (bnc#886102)
 -------------------------------------------------------------------
 Fri Jun  6 11:08:08 UTC 2014 - ckornacker@suse.com
 - obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
  similar functionality is provided by krb5-plugin-preauth-pkinit
 -------------------------------------------------------------------
 Tue Feb 18 15:25:57 UTC 2014 - ckornacker@suse.com
--- a/krb5.spec
+++ b/krb5.spec
@ -35,6 +35,7 @@ Release:        0
 Summary:        MIT Kerberos5 Implementation--Libraries
 License:        MIT
 Group:          Productivity/Networking/Security
 Obsoletes:      krb5-plugin-preauth-pkinit-nss
 %if ! 0%{?build_mini}
 BuildRequires:  doxygen
 BuildRequires:  libopenssl-devel
@ -47,6 +48,8 @@ BuildRequires:  python-lxml
 %if 0%{?suse_version} >= 1210
 BuildRequires:  pkgconfig(systemd)
 %{?systemd_requires}
 %else
 PreReq:         %insserv_prereq 
 %endif
 # bug437293
 %ifarch ppc64
@ -80,9 +83,10 @@ Patch12:        krb5-1.12-selinux-label.patch
 Patch13:        krb5-1.9-debuginfo.patch
 Patch14:        krb5-kvno-230379.patch
 Patch15:        krb5-master-keyring-kdcsync.patch
 Patch16:        krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
-PreReq:         %insserv_prereq %fillup_prereq 
+PreReq:         %fillup_prereq 
 %description
 Kerberos V5 is a trusted-third-party network authentication system,
@ -200,6 +204,7 @@ Include Files for Development
 %patch13 -p0
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
 %build
 # needs to be re-generated
--- a/vendor-files.tar.bz2
+++ b/vendor-files.tar.bz2
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:22a9f973ad4e6d2be5b82c9d7036320fa3984f0d2fcf891073f139abe0ee037d
+oid sha256:9fbb3f40968cce34b47881db19e2831d0359f621210b90179ac85b76e5c0e9ac
-size 183271
+size 183189