summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authortez <tez@pkgsrc.org>2014-08-28 22:23:05 +0000
committertez <tez@pkgsrc.org>2014-08-28 22:23:05 +0000
commit2514038b703eec3c024e6ea3a4e8d3bc81450802 (patch)
tree65c84d041dc54cbce6417bcbe3cb4446658384c1
parenta4c25e1d5c3e511152466c69b854ee5f6728829b (diff)
downloadpkgsrc-2514038b703eec3c024e6ea3a4e8d3bc81450802.tar.gz
Add fixes for CVE-2014-4341, CVE-2014-4342 (same patch as CVE-2014-4341)
CVE-2014-4343, CVE-2014-4344 & MITKRB5-SA-2014-001 (CVE-2014-4345).
-rw-r--r--security/mit-krb5/Makefile8
-rw-r--r--security/mit-krb5/distinfo8
-rw-r--r--security/mit-krb5/patches/patch-CVE-2014-4341116
-rw-r--r--security/mit-krb5/patches/patch-CVE-2014-434316
-rw-r--r--security/mit-krb5/patches/patch-CVE-2014-434416
5 files changed, 159 insertions, 5 deletions
diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile
index c95e4215244..15233677abb 100644
--- a/security/mit-krb5/Makefile
+++ b/security/mit-krb5/Makefile
@@ -1,15 +1,15 @@
-# $NetBSD: Makefile,v 1.75 2014/05/29 23:37:20 wiz Exp $
+# $NetBSD: Makefile,v 1.76 2014/08/28 22:23:05 tez Exp $
DISTNAME= krb5-1.10.7
PKGNAME= mit-${DISTNAME}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV:R}/
EXTRACT_SUFX= .tar
DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX}
-#PATCH_SITES= http://web.mit.edu/kerberos/advisories/
-#PATCHFILES= 2011-006-patch-r18.txt
+PATCH_SITES= http://web.mit.edu/kerberos/advisories/
+PATCHFILES= 2014-001-patch.txt
MAINTAINER= tez@NetBSD.org
HOMEPAGE= http://web.mit.edu/kerberos/
diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo
index 597c97f269a..ccc9b532649 100644
--- a/security/mit-krb5/distinfo
+++ b/security/mit-krb5/distinfo
@@ -1,8 +1,14 @@
-$NetBSD: distinfo,v 1.47 2013/12/03 14:08:53 adam Exp $
+$NetBSD: distinfo,v 1.48 2014/08/28 22:23:05 tez Exp $
+SHA1 (2014-001-patch.txt) = 919402bf3b7c289e847e9adc03a7c30f26966769
+RMD160 (2014-001-patch.txt) = a39c8e12e79ab273d562b04c1e7811c414dd70e8
+Size (2014-001-patch.txt) = 592 bytes
SHA1 (krb5-1.10.7-signed.tar) = 982087d617d0b038676bbe8030047421683d508b
RMD160 (krb5-1.10.7-signed.tar) = 16e3a2cdeb410d84d055431679eb81851ae685e9
Size (krb5-1.10.7-signed.tar) = 11632640 bytes
+SHA1 (patch-CVE-2014-4341) = 97b316fb3c5dfc626827a13baa5dcf623d67da3c
+SHA1 (patch-CVE-2014-4343) = e7d4604d81671f71c9cd9461b65a9e87b5982baa
+SHA1 (patch-CVE-2014-4344) = b7ae530beaffcf1c095e6f94bdf608b7a140b064
SHA1 (patch-aa) = 941848a1773dfbe51dff3134d4b8504a850a958d
SHA1 (patch-ad) = b56a7218007560470179dd811c84b8c690c966ac
SHA1 (patch-ae) = c7395b9de5baf6612b8787fad55dbc051a680bfd
diff --git a/security/mit-krb5/patches/patch-CVE-2014-4341 b/security/mit-krb5/patches/patch-CVE-2014-4341
new file mode 100644
index 00000000000..6b56ecc7029
--- /dev/null
+++ b/security/mit-krb5/patches/patch-CVE-2014-4341
@@ -0,0 +1,116 @@
+$NetBSD: patch-CVE-2014-4341,v 1.1 2014/08/28 22:23:05 tez Exp $
+
+Fix for CVE-2014-4341 & CVE-2014-4342 from:
+https://github.com/krb5/krb5/commit/e6ae703ae597d798e310368d52b8f38ee11c6a73
+
+
+--- lib/gssapi/krb5/k5unseal.c
++++ lib/gssapi/krb5/k5unseal.c
+@@ -74,6 +74,7 @@
+ int conflen = 0;
+ int signalg;
+ int sealalg;
++ int bad_pad = 0;
+ gss_buffer_desc token;
+ krb5_checksum cksum;
+ krb5_checksum md5cksum;
+@@ -86,6 +87,7 @@
+ krb5_ui_4 seqnum;
+ OM_uint32 retval;
+ size_t sumlen;
++ size_t padlen;
+ krb5_keyusage sign_usage = KG_USAGE_SIGN;
+
+ if (toktype == KG_TOK_SEAL_MSG) {
+@@ -93,18 +95,23 @@
+ message_buffer->value = NULL;
+ }
+
+- /* get the sign and seal algorithms */
+-
+- signalg = ptr[0] + (ptr[1]<<8);
+- sealalg = ptr[2] + (ptr[3]<<8);
+-
+ /* Sanity checks */
+
+- if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) {
++ if (ctx->seq == NULL) {
++ /* ctx was established using a newer enctype, and cannot process RFC
++ * 1964 tokens. */
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
++ if ((bodysize < 22) || (ptr[4] != 0xff) || (ptr[5] != 0xff)) {
++ *minor_status = 0;
++ return GSS_S_DEFECTIVE_TOKEN;
++ }
++
++ signalg = ptr[0] + (ptr[1]<<8);
++ sealalg = ptr[2] + (ptr[3]<<8);
++
+ if ((toktype != KG_TOK_SEAL_MSG) &&
+ (sealalg != 0xffff)) {
+ *minor_status = 0;
+@@ -153,6 +160,11 @@
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
++ if ((size_t)bodysize < 14 + cksum_len) {
++ *minor_status = 0;
++ return GSS_S_DEFECTIVE_TOKEN;
++ }
++
+ /* get the token parameters */
+
+ if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction,
+@@ -210,7 +222,20 @@
+ token.length = tmsglen;
+ } else {
+ conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
+- token.length = tmsglen - conflen - plain[tmsglen-1];
++ if (tmsglen < conflen) {
++ if (sealalg != 0xffff)
++ xfree(plain);
++ *minor_status = 0;
++ return(GSS_S_DEFECTIVE_TOKEN);
++ }
++ padlen = plain[tmsglen - 1];
++ if (tmsglen - conflen < padlen) {
++ /* Don't error out yet, to avoid padding oracle attacks. We will
++ * treat this as a checksum failure later on. */
++ padlen = 0;
++ bad_pad = 1;
++ }
++ token.length = tmsglen - conflen - padlen;
+ }
+
+ if (token.length) {
+@@ -423,7 +448,7 @@
+
+ /* compare the computed checksum against the transmitted checksum */
+
+- if (code) {
++ if (code || bad_pad) {
+ if (toktype == KG_TOK_SEAL_MSG)
+ gssalloc_free(token.value);
+ *minor_status = 0;
+
+--- lib/gssapi/krb5/k5unsealiov.c
++++ lib/gssapi/krb5/k5unsealiov.c
+@@ -69,7 +69,14 @@ kg_unseal_v1_iov(krb5_context context,
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+- if (header->buffer.length < token_wrapper_len + 14) {
++ if (ctx->seq == NULL) {
++ /* ctx was established using a newer enctype, and cannot process RFC
++ * 1964 tokens. */
++ *minor_status = 0;
++ return GSS_S_DEFECTIVE_TOKEN;
++ }
++
++ if (header->buffer.length < token_wrapper_len + 22) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
diff --git a/security/mit-krb5/patches/patch-CVE-2014-4343 b/security/mit-krb5/patches/patch-CVE-2014-4343
new file mode 100644
index 00000000000..b42b8b1d9ff
--- /dev/null
+++ b/security/mit-krb5/patches/patch-CVE-2014-4343
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2014-4343,v 1.1 2014/08/28 22:23:05 tez Exp $
+
+fix for cve-2014-4343 from:
+https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f
+
+
+--- lib/gssapi/spnego/spnego_mech.c
++++ lib/gssapi/spnego/spnego_mech.c
+@@ -796,7 +796,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ OM_uint32 tmpmin;
+ size_t i;
+
+- generic_gss_release_oid(&tmpmin, &sc->internal_mech);
+ gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
+ GSS_C_NO_BUFFER);
+
diff --git a/security/mit-krb5/patches/patch-CVE-2014-4344 b/security/mit-krb5/patches/patch-CVE-2014-4344
new file mode 100644
index 00000000000..a2066f88089
--- /dev/null
+++ b/security/mit-krb5/patches/patch-CVE-2014-4344
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2014-4344,v 1.1 2014/08/28 22:23:05 tez Exp $
+
+fix for CVE-2014-4344 from:
+https://github.com/krb5/krb5/commit/a7886f0ed1277c69142b14a2c6629175a6331edc
+
+--- lib/gssapi/spnego/spnego_mech.c
++++ lib/gssapi/spnego/spnego_mech.c
+@@ -1442,7 +1442,7 @@ acc_ctx_cont(OM_uint32 *minstat,
+
+ ptr = bufstart = buf->value;
+ #define REMAIN (buf->length - (ptr - bufstart))
+- if (REMAIN > INT_MAX)
++ if (REMAIN == 0 || REMAIN > INT_MAX)
+ return GSS_S_DEFECTIVE_TOKEN;
+
+ /*