summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authortez <tez@pkgsrc.org>2010-02-24 19:07:51 +0000
committertez <tez@pkgsrc.org>2010-02-24 19:07:51 +0000
commit78465e099c38f59ac49e5f45ba91df55528229d2 (patch)
tree9cff7193a32eacbed5880211cd06229bee7b04be
parente8b7f5aa0d170359983f5cfc5b5549d5247f4cae (diff)
downloadpkgsrc-78465e099c38f59ac49e5f45ba91df55528229d2.tar.gz
Fix CVE-2009-4212 (MITKRB5-SA-2009-004) using patches from
http://web.mit.edu/kerberos/advisories/2009-004-patch_1.6.3.txt (slightly adjusted for older kerberos version)
-rw-r--r--security/mit-krb5/Makefile4
-rw-r--r--security/mit-krb5/distinfo9
-rw-r--r--security/mit-krb5/patches/patch-bq62
-rw-r--r--security/mit-krb5/patches/patch-br17
-rw-r--r--security/mit-krb5/patches/patch-bs30
-rw-r--r--security/mit-krb5/patches/patch-bt17
-rw-r--r--security/mit-krb5/patches/patch-bu12
-rw-r--r--security/mit-krb5/patches/patch-bv117
-rw-r--r--security/mit-krb5/patches/patch-bw16
9 files changed, 281 insertions, 3 deletions
diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile
index 09691824ea9..53d0cd9ec72 100644
--- a/security/mit-krb5/Makefile
+++ b/security/mit-krb5/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.46 2009/06/30 00:07:22 joerg Exp $
+# $NetBSD: Makefile,v 1.47 2010/02/24 19:07:51 tez Exp $
DISTNAME= krb5-1.4.2
PKGNAME= mit-${DISTNAME:S/-signed$//}
-PKGREVISION= 8
+PKGREVISION= 9
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/1.4/
DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX}
diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo
index a2121326989..2d8c3de2f9c 100644
--- a/security/mit-krb5/distinfo
+++ b/security/mit-krb5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.22 2009/04/21 18:58:17 tez Exp $
+$NetBSD: distinfo,v 1.23 2010/02/24 19:07:51 tez Exp $
SHA1 (krb5-1.4.2-signed.tar) = bbc03bd319d539fb9523c2545d80ba0784522e88
RMD160 (krb5-1.4.2-signed.tar) = 44500f5fab8e5959cf43f17f5f52f68e2dc73a1f
@@ -45,3 +45,10 @@ SHA1 (patch-bm) = d8e46f448fa4a51e3b8a42279cf1ab54b0598dd3
SHA1 (patch-bn) = 82c6f98474f31e1e231d3e89d6a24e20ec7fd123
SHA1 (patch-bo) = dcfeab32537f8b89e3ed6a52a69601e3e7822e35
SHA1 (patch-bp) = 5308176a1229b5ac0d0f24eb2f657fdf48935f80
+SHA1 (patch-bq) = 546e2b0260e4197b44f1f5a6f7a03f72125c768b
+SHA1 (patch-br) = da7884aa9a1ba79e7e31416bf06f74bcc71b2c01
+SHA1 (patch-bs) = b652562c4e545d41fbbfa6676b10b68823ebfbd8
+SHA1 (patch-bt) = 1398369698cc9c029957723c25dbdf53754cf373
+SHA1 (patch-bu) = bf0688bd703c3dcfa27934e0a6bc43230251512e
+SHA1 (patch-bv) = b07fc44dcc577bffece1eb85f5f93e4c10a58e00
+SHA1 (patch-bw) = ffdf13931306b15b9282863926f769f079ffe8f9
diff --git a/security/mit-krb5/patches/patch-bq b/security/mit-krb5/patches/patch-bq
new file mode 100644
index 00000000000..05b83735d3f
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bq
@@ -0,0 +1,62 @@
+$NetBSD: patch-bq,v 1.1 2010/02/24 19:07:51 tez Exp $
+
+--- lib/crypto/Makefile.in.orig 2004-06-16 20:56:28.000000000 -0500
++++ lib/crypto/Makefile.in 2010-02-23 17:33:02.605810700 -0600
+@@ -20,6 +20,7 @@
+ $(srcdir)/t_hmac.c \
+ $(srcdir)/t_pkcs5.c \
+ $(srcdir)/t_cts.c \
++ $(srcdir)/t_short.c \
+ $(srcdir)/vectors.c
+
+ ##DOSBUILDTOP = ..\..
+@@ -170,12 +171,13 @@
+
+ clean-unix:: clean-liblinks clean-libs clean-libobjs
+
+-check-unix:: t_nfold t_encrypt t_prng t_hmac t_pkcs5
++check-unix:: t_nfold t_encrypt t_prng t_hmac t_pkcs5 t_short
+ $(RUN_SETUP) ./t_nfold
+ $(RUN_SETUP) ./t_encrypt
+ $(RUN_SETUP) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \
+ diff t_prng.output $(srcdir)/t_prng.expected
+ $(RUN_SETUP) ./t_hmac
++ $(RUN_SETUP) ./t_short
+
+ # $(RUN_SETUP) ./t_pkcs5
+
+@@ -201,10 +203,14 @@
+ $(CC_LINK) -o $@ t_cts.$(OBJEXT) \
+ $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB)
+
++t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB)
++ $(CC_LINK) -o $@ t_short.$(OBJEXT) \
++ $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB)
++
+
+ clean::
+ $(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \
+- t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o
++ t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_short t_short.o
+ -$(RM) t_prng.output
+
+ all-windows::
+@@ -595,6 +601,13 @@
+ $(SRCTOP)/include/k5-thread.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
++t_short.so t_short.po $(OUTPRE)t_short.$(OBJEXT): t_short.c $(BUILDTOP)/include/krb5.h \
++ $(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \
++ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
++ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
++ $(SRCTOP)/include/k5-thread.h $(BUILDTOP)/include/profile.h \
++ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
++ $(SRCTOP)/include/krb5/kdb.h
+ vectors.so vectors.po $(OUTPRE)vectors.$(OBJEXT): vectors.c $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \
+ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+@@ -602,4 +615,3 @@
+ $(SRCTOP)/include/k5-thread.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
+-
diff --git a/security/mit-krb5/patches/patch-br b/security/mit-krb5/patches/patch-br
new file mode 100644
index 00000000000..25d0ebe7c84
--- /dev/null
+++ b/security/mit-krb5/patches/patch-br
@@ -0,0 +1,17 @@
+$NetBSD: patch-br,v 1.1 2010/02/24 19:07:51 tez Exp $
+
+--- lib/crypto/arcfour/arcfour.c.orig 2004-02-18 20:46:26.000000000 -0600
++++ lib/crypto/arcfour/arcfour.c 2010-02-23 17:43:53.543585400 -0600
+@@ -203,6 +203,12 @@
+ keylength = enc->keylength;
+ hashsize = hash->hashsize;
+
++ /* Verify input and output lengths. */
++ if (input->length < hashsize + CONFOUNDERLENGTH)
++ return KRB5_BAD_MSIZE;
++ if (output->length < input->length - hashsize - CONFOUNDERLENGTH)
++ return KRB5_BAD_MSIZE;
++
+ d1.length=keybytes;
+ d1.data=malloc(d1.length);
+ if (d1.data == NULL)
diff --git a/security/mit-krb5/patches/patch-bs b/security/mit-krb5/patches/patch-bs
new file mode 100644
index 00000000000..4b442da0bdf
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bs
@@ -0,0 +1,30 @@
+$NetBSD: patch-bs,v 1.1 2010/02/24 19:07:51 tez Exp $
+
+--- lib/crypto/enc_provider/aes.c.orig 2004-05-25 13:06:13.000000000 -0500
++++ lib/crypto/enc_provider/aes.c 2010-02-23 17:43:53.574980200 -0600
+@@ -68,9 +68,11 @@
+ nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+ if (nblocks == 1) {
+- /* XXX Used for DK function. */
++ /* Used when deriving keys. */
++ if (input->length < BLOCK_SIZE)
++ return KRB5_BAD_MSIZE;
+ enc(output->data, input->data, &ctx);
+- } else {
++ } else if (nblocks > 1) {
+ unsigned int nleft;
+
+ for (blockno = 0; blockno < nblocks - 2; blockno++) {
+@@ -123,9 +125,9 @@
+
+ if (nblocks == 1) {
+ if (input->length < BLOCK_SIZE)
+- abort();
++ return KRB5_BAD_MSIZE;
+ dec(output->data, input->data, &ctx);
+- } else {
++ } else if (nblocks > 1) {
+
+ for (blockno = 0; blockno < nblocks - 2; blockno++) {
+ dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx);
diff --git a/security/mit-krb5/patches/patch-bt b/security/mit-krb5/patches/patch-bt
new file mode 100644
index 00000000000..6148ecc96f5
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bt
@@ -0,0 +1,17 @@
+$NetBSD: patch-bt,v 1.1 2010/02/24 19:07:51 tez Exp $
+
+--- lib/crypto/dk/dk_decrypt.c.orig 2004-02-24 15:07:21.000000000 -0600
++++ lib/crypto/dk/dk_decrypt.c 2010-02-23 17:43:53.607557500 -0600
+@@ -89,6 +89,12 @@
+ else if (hmacsize > hashsize)
+ return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+
++ /* Verify input and output lengths. */
++ if (input->length < blocksize + hmacsize)
++ return KRB5_BAD_MSIZE;
++ if (output->length < input->length - blocksize - hmacsize)
++ return KRB5_BAD_MSIZE;
++
+ enclen = input->length - hmacsize;
+
+ if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
diff --git a/security/mit-krb5/patches/patch-bu b/security/mit-krb5/patches/patch-bu
new file mode 100644
index 00000000000..df48d67201f
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bu
@@ -0,0 +1,12 @@
+$NetBSD: patch-bu,v 1.1 2010/02/24 19:07:51 tez Exp $
+
+--- lib/crypto/raw/raw_decrypt.c.orig 2004-02-18 20:46:30.000000000 -0600
++++ lib/crypto/raw/raw_decrypt.c 2010-02-23 17:43:53.638863200 -0600
+@@ -34,5 +34,7 @@
+ const krb5_data *ivec, const krb5_data *input,
+ krb5_data *output)
+ {
++ if (output->length < input->length)
++ return KRB5_BAD_MSIZE;
+ return((*(enc->decrypt))(key, ivec, input, output));
+ }
diff --git a/security/mit-krb5/patches/patch-bv b/security/mit-krb5/patches/patch-bv
new file mode 100644
index 00000000000..f2b272b8e13
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bv
@@ -0,0 +1,117 @@
+$NetBSD: patch-bv,v 1.1 2010/02/24 19:07:51 tez Exp $
+
+--- lib/crypto/t_short.c.orig 2010-02-23 17:43:53.669981000 -0600
++++ lib/crypto/t_short.c 2010-02-23 17:43:53.670274200 -0600
+@@ -0,0 +1,112 @@
++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
++/*
++ * lib/crypto/crypto_tests/t_short.c
++ *
++ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
++ * All rights reserved.
++ *
++ * Export of this software from the United States of America may
++ * require a specific license from the United States Government.
++ * It is the responsibility of any person or organization contemplating
++ * export to obtain such a license before exporting.
++ *
++ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
++ * distribute this software and its documentation for any purpose and
++ * without fee is hereby granted, provided that the above copyright
++ * notice appear in all copies and that both that copyright notice and
++ * this permission notice appear in supporting documentation, and that
++ * the name of M.I.T. not be used in advertising or publicity pertaining
++ * to distribution of the software without specific, written prior
++ * permission. Furthermore if you modify this software you must label
++ * your software as modified software and not distribute it in such a
++ * fashion that it might be confused with the original M.I.T. software.
++ * M.I.T. makes no representations about the suitability of
++ * this software for any purpose. It is provided "as is" without express
++ * or implied warranty.
++ *
++ * Tests the outcome of decrypting overly short tokens. This program can be
++ * run under a tool like valgrind to detect bad memory accesses; when run
++ * normally by the test suite, it verifies that each operation returns
++ * KRB5_BAD_MSIZE.
++ */
++
++#include "k5-int.h"
++
++krb5_enctype interesting_enctypes[] = {
++ ENCTYPE_DES_CBC_CRC,
++ ENCTYPE_DES_CBC_MD4,
++ ENCTYPE_DES_CBC_MD5,
++ ENCTYPE_DES3_CBC_SHA1,
++ ENCTYPE_ARCFOUR_HMAC,
++ ENCTYPE_ARCFOUR_HMAC_EXP,
++ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
++ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
++ 0
++};
++
++/* Abort if an operation unexpectedly fails. */
++static void
++x(krb5_error_code code)
++{
++ if (code != 0)
++ abort();
++}
++
++/* Abort if a decrypt operation doesn't have the expected result. */
++static void
++check_decrypt_result(krb5_error_code code, size_t len, size_t min_len)
++{
++ if (len < min_len) {
++ /* Undersized tokens should always result in BAD_MSIZE. */
++ if (code != KRB5_BAD_MSIZE)
++ abort();
++ } else {
++ /* Min-size tokens should succeed or fail the integrity check. */
++ if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY)
++ abort();
++ }
++}
++
++static void
++test_enctype(krb5_enctype enctype)
++{
++ krb5_error_code ret;
++ krb5_keyblock keyblock;
++ krb5_enc_data input;
++ krb5_data output;
++ size_t min_len, len;
++
++ printf("Testing enctype %d\n", (int) enctype);
++ x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len));
++ x(krb5_c_make_random_key(NULL, enctype, &keyblock));
++ input.enctype = enctype;
++
++ /* Try each length up to the minimum length. */
++ for (len = 0; len <= min_len; len++) {
++ input.ciphertext.data = calloc(len, 1);
++ input.ciphertext.length = len;
++ output.data = calloc(len, 1);
++ output.length = len;
++
++ /* Attempt a normal decryption. */
++ ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output);
++ check_decrypt_result(ret, len, min_len);
++
++ free(input.ciphertext.data);
++ free(output.data);
++ }
++}
++
++int
++main(int argc, char **argv)
++{
++ int i;
++ krb5_data notrandom;
++
++ notrandom.data = "notrandom";
++ notrandom.length = 9;
++ krb5_c_random_seed(NULL, &notrandom);
++ for (i = 0; interesting_enctypes[i]; i++)
++ test_enctype(interesting_enctypes[i]);
++ return 0;
++}
diff --git a/security/mit-krb5/patches/patch-bw b/security/mit-krb5/patches/patch-bw
new file mode 100644
index 00000000000..f4e8c70b63c
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bw
@@ -0,0 +1,16 @@
+$NetBSD: patch-bw,v 1.1 2010/02/24 19:07:51 tez Exp $
+
+--- lib/crypto/old/old_decrypt.c.orig 2003-07-22 14:09:31.000000000 -0500
++++ lib/crypto/old/old_decrypt.c 2010-02-23 17:43:53.702276900 -0600
+@@ -45,8 +45,10 @@
+ blocksize = enc->block_size;
+ hashsize = hash->hashsize;
+
++ /* Verify input and output lengths. */
++ if (input->length < blocksize + hashsize || input->length % blocksize != 0)
++ return(KRB5_BAD_MSIZE);
+ plainsize = input->length - blocksize - hashsize;
+-
+ if (arg_output->length < plainsize)
+ return(KRB5_BAD_MSIZE);
+