author | tez <tez@pkgsrc.org> | 2014-08-28 22:23:05 +0000 |
---|---|---|
committer | tez <tez@pkgsrc.org> | 2014-08-28 22:23:05 +0000 |
commit | 2514038b703eec3c024e6ea3a4e8d3bc81450802 (patch) | |
tree | 65c84d041dc54cbce6417bcbe3cb4446658384c1 | |
parent | a4c25e1d5c3e511152466c69b854ee5f6728829b (diff) | |
download | pkgsrc-2514038b703eec3c024e6ea3a4e8d3bc81450802.tar.gz |
Add fixes for CVE-2014-4341, CVE-2014-4342 (same patch as CVE-2014-4341),
CVE-2014-4343, CVE-2014-4344 & MITKRB5-SA-2014-001 (CVE-2014-4345).
-rw-r--r-- | security/mit-krb5/Makefile | 8 | ||||
-rw-r--r-- | security/mit-krb5/distinfo | 8 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-CVE-2014-4341 | 116 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-CVE-2014-4343 | 16 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-CVE-2014-4344 | 16 |
5 files changed, 159 insertions, 5 deletions
diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile
index c95e4215244..15233677abb 100644
--- a/security/mit-krb5/Makefile
+++ b/security/mit-krb5/Makefile
@@ -1,15 +1,15 @@
-# $NetBSD: Makefile,v 1.75 2014/05/29 23:37:20 wiz Exp $
+# $NetBSD: Makefile,v 1.76 2014/08/28 22:23:05 tez Exp $
 
 DISTNAME= krb5-1.10.7
 PKGNAME= mit-${DISTNAME}
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= security
 MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV:R}/
 EXTRACT_SUFX= .tar
 DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX}
 
-#PATCH_SITES= http://web.mit.edu/kerberos/advisories/
-#PATCHFILES= 2011-006-patch-r18.txt
+PATCH_SITES= http://web.mit.edu/kerberos/advisories/
+PATCHFILES= 2014-001-patch.txt
 
 MAINTAINER= tez@NetBSD.org
 HOMEPAGE= http://web.mit.edu/kerberos/
diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo
index 597c97f269a..ccc9b532649 100644
--- a/security/mit-krb5/distinfo
+++ b/security/mit-krb5/distinfo
@@ -1,8 +1,14 @@
-$NetBSD: distinfo,v 1.47 2013/12/03 14:08:53 adam Exp $
+$NetBSD: distinfo,v 1.48 2014/08/28 22:23:05 tez Exp $
 
+SHA1 (2014-001-patch.txt) = 919402bf3b7c289e847e9adc03a7c30f26966769
+RMD160 (2014-001-patch.txt) = a39c8e12e79ab273d562b04c1e7811c414dd70e8
+Size (2014-001-patch.txt) = 592 bytes
 SHA1 (krb5-1.10.7-signed.tar) = 982087d617d0b038676bbe8030047421683d508b
 RMD160 (krb5-1.10.7-signed.tar) = 16e3a2cdeb410d84d055431679eb81851ae685e9
 Size (krb5-1.10.7-signed.tar) = 11632640 bytes
+SHA1 (patch-CVE-2014-4341) = 97b316fb3c5dfc626827a13baa5dcf623d67da3c
+SHA1 (patch-CVE-2014-4343) = e7d4604d81671f71c9cd9461b65a9e87b5982baa
+SHA1 (patch-CVE-2014-4344) = b7ae530beaffcf1c095e6f94bdf608b7a140b064
 SHA1 (patch-aa) = 941848a1773dfbe51dff3134d4b8504a850a958d
 SHA1 (patch-ad) = b56a7218007560470179dd811c84b8c690c966ac
 SHA1 (patch-ae) = c7395b9de5baf6612b8787fad55dbc051a680bfd
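Review bot: The new `PATCHFILES= 2014-001-patch.txt` line says nothing about which advisory it addresses, while the three in-tree patch files each carry a header naming their CVE; a comment directly above it, `# MITKRB5-SA-2014-001: fix for CVE-2014-4345`, would keep the Makefile self-describing, which matters the next time the line is commented out the way the 2011-006 entry was. The patch is fetched over plain http from PATCH_SITES, which is only acceptable because the distinfo hunk in this same commit pins its SHA1, RMD160 and size; a second comment line noting that dependency would stop a later cleanup from dropping the distinfo entries while keeping the download. The distinfo hunk is otherwise a checksum update and needs no change.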
diff --git a/security/mit-krb5/patches/patch-CVE-2014-4341 b/security/mit-krb5/patches/patch-CVE-2014-4341
new file mode 100644
index 00000000000..6b56ecc7029
--- /dev/null
+++ b/security/mit-krb5/patches/patch-CVE-2014-4341
@@ -0,0 +1,116 @@
+$NetBSD: patch-CVE-2014-4341,v 1.1 2014/08/28 22:23:05 tez Exp $
+
+Fix for CVE-2014-4341 & CVE-2014-4342 from:
+https://github.com/krb5/krb5/commit/e6ae703ae597d798e310368d52b8f38ee11c6a73
+
+
+--- lib/gssapi/krb5/k5unseal.c
++++ lib/gssapi/krb5/k5unseal.c
+@@ -74,6 +74,7 @@
+ int conflen = 0;
+ int signalg;
+ int sealalg;
++ int bad_pad = 0;
+ gss_buffer_desc token;
+ krb5_checksum cksum;
+ krb5_checksum md5cksum;
+@@ -86,6 +87,7 @@
+ krb5_ui_4 seqnum;
+ OM_uint32 retval;
+ size_t sumlen;
++ size_t padlen;
+ krb5_keyusage sign_usage = KG_USAGE_SIGN;
+
+ if (toktype == KG_TOK_SEAL_MSG) {
+@@ -93,18 +95,23 @@
+ message_buffer->value = NULL;
+ }
+
+- /* get the sign and seal algorithms */
+-
+- signalg = ptr[0] + (ptr[1]<<8);
+- sealalg = ptr[2] + (ptr[3]<<8);
+-
+ /* Sanity checks */
+
+- if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) {
++ if (ctx->seq == NULL) {
++ /* ctx was established using a newer enctype, and cannot process RFC
++ * 1964 tokens. */
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
++ if ((bodysize < 22) || (ptr[4] != 0xff) || (ptr[5] != 0xff)) {
++ *minor_status = 0;
++ return GSS_S_DEFECTIVE_TOKEN;
++ }
++
++ signalg = ptr[0] + (ptr[1]<<8);
++ sealalg = ptr[2] + (ptr[3]<<8);
++
+ if ((toktype != KG_TOK_SEAL_MSG) &&
+ (sealalg != 0xffff)) {
+ *minor_status = 0;
+@@ -153,6 +160,11 @@
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
++ if ((size_t)bodysize < 14 + cksum_len) {
++ *minor_status = 0;
++ return GSS_S_DEFECTIVE_TOKEN;
++ }
++
+ /* get the token parameters */
+
+ if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction,
+@@ -210,7 +222,20 @@
+ token.length = tmsglen;
+ } else {
+ conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
+- token.length = tmsglen - conflen - plain[tmsglen-1];
++ if (tmsglen < conflen) {
++ if (sealalg != 0xffff)
++ xfree(plain);
++ *minor_status = 0;
++ return(GSS_S_DEFECTIVE_TOKEN);
++ }
++ padlen = plain[tmsglen - 1];
++ if (tmsglen - conflen < padlen) {
++ /* Don't error out yet, to avoid padding oracle attacks. We will
++ * treat this as a checksum failure later on. */
++ padlen = 0;
++ bad_pad = 1;
++ }
++ token.length = tmsglen - conflen - padlen;
+ }
+
+ if (token.length) {
+@@ -423,7 +448,7 @@
+
+ /* compare the computed checksum against the transmitted checksum */
+
+- if (code) {
++ if (code || bad_pad) {
+ if (toktype == KG_TOK_SEAL_MSG)
+ gssalloc_free(token.value);
+ *minor_status = 0;
+
+--- lib/gssapi/krb5/k5unsealiov.c
++++ lib/gssapi/krb5/k5unsealiov.c
+@@ -69,7 +69,14 @@ kg_unseal_v1_iov(krb5_context context,
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+- if (header->buffer.length < token_wrapper_len + 14) {
++ if (ctx->seq == NULL) {
++ /* ctx was established using a newer enctype, and cannot process RFC
++ * 1964 tokens. */
++ *minor_status = 0;
++ return GSS_S_DEFECTIVE_TOKEN;
++ }
++
++ if (header->buffer.length < token_wrapper_len + 22) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
diff --git a/security/mit-krb5/patches/patch-CVE-2014-4343 b/security/mit-krb5/patches/patch-CVE-2014-4343
new file mode 100644
index 00000000000..b42b8b1d9ff
--- /dev/null
+++ b/security/mit-krb5/patches/patch-CVE-2014-4343
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2014-4343,v 1.1 2014/08/28 22:23:05 tez Exp $
+
+fix for cve-2014-4343 from:
+https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f
+
+
+--- lib/gssapi/spnego/spnego_mech.c
++++ lib/gssapi/spnego/spnego_mech.c
+@@ -796,7 +796,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ OM_uint32 tmpmin;
+ size_t i;
+
+- generic_gss_release_oid(&tmpmin, &sc->internal_mech);
+ gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
+ GSS_C_NO_BUFFER);
+
diff --git a/security/mit-krb5/patches/patch-CVE-2014-4344 b/security/mit-krb5/patches/patch-CVE-2014-4344
new file mode 100644
index 00000000000..a2066f88089
--- /dev/null
+++ b/security/mit-krb5/patches/patch-CVE-2014-4344
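Review bot: In the k5unseal.c part of patch-CVE-2014-4341, `padlen = plain[tmsglen - 1];` is guarded only by `if (tmsglen < conflen)`, so the read at index `tmsglen - 1` is in bounds only if conflen is at least 1 for every enctype that reaches this branch; kg_confounder_size and the declaration of tmsglen are outside the hunk, so that cannot be confirmed here. If a zero confounder size is reachable, `if (tmsglen < conflen || tmsglen == 0)` would close the read before the buffer without touching the padding-oracle handling that follows. Whether a negative error return from kg_confounder_size (conflen is declared `int` in the first hunk) is rejected by that same comparison depends on tmsglen being unsigned, which is also not visible; a one-line comment stating the assumed minimum, `/* assumes conflen >= 1 here, so tmsglen >= 1 — confirm against kg_confounder_size */`, would make the invariant reviewable. kg_unseal_v1 starts and ends outside the hunk.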
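Review bot: The header of patch-CVE-2014-4343 says only `fix for cve-2014-4343 from:` and the hunk merely deletes the `generic_gss_release_oid(&tmpmin, &sc->internal_mech);` call, so nothing in the patch tells a reader who owns sc->internal_mech after this point or why releasing it was wrong rather than now being a leak. A header sentence such as `init_ctx_reselect must not release sc->internal_mech: presumably it aliases storage released elsewhere (see the referenced upstream commit), so the call freed it twice` — hedged until confirmed against that commit — would record the reasoning for the next backport. init_ctx_reselect continues outside the hunk.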
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2014-4344,v 1.1 2014/08/28 22:23:05 tez Exp $
+
+fix for CVE-2014-4344 from:
+https://github.com/krb5/krb5/commit/a7886f0ed1277c69142b14a2c6629175a6331edc
+
+--- lib/gssapi/spnego/spnego_mech.c
++++ lib/gssapi/spnego/spnego_mech.c
+@@ -1442,7 +1442,7 @@ acc_ctx_cont(OM_uint32 *minstat,
+
+ ptr = bufstart = buf->value;
+ #define REMAIN (buf->length - (ptr - bufstart))
+- if (REMAIN > INT_MAX)
++ if (REMAIN == 0 || REMAIN > INT_MAX)
+ return GSS_S_DEFECTIVE_TOKEN;
+
+ /*
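Review bot: The added `REMAIN == 0` test in acc_ctx_cont has no comment, and since `REMAIN` expands to `buf->length - (ptr - bufstart)` (a size_t minus a ptrdiff_t) a reader has to work out that zero means an empty continuation token rather than an arithmetic edge case. A comment on the new line, `/* Reject an empty token here; the parsing below assumes at least one byte at ptr (CVE-2014-4344) */`, would record the intent; the code that consumes ptr is outside the hunk, so that is presumably what the check protects and should be confirmed against it. The `#define REMAIN` has no matching `#undef` visible; if acc_ctx_cont relies on one further down, it is outside this view.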