authortez <tez>2014-08-28 22:23:05 +0000
committertez <tez>2014-08-28 22:23:05 +0000
commit4dd7adfb0efb390fa88201c1bf2c4ebf591e1b7c (patch)
tree65c84d041dc54cbce6417bcbe3cb4446658384c1 /security
parentec771ea6fe117fdd27f5a4bce7c10500a1115b3d (diff)
Add fixes for CVE-2014-4341, CVE-2014-4342 (same patch as CVE-2014-4341),
CVE-2014-4343, CVE-2014-4344 & MITKRB5-SA-2014-001 (CVE-2014-4345).
Diffstat (limited to 'security')
-rw-r--r--security/mit-krb5/Makefile8
-rw-r--r--security/mit-krb5/distinfo8
-rw-r--r--security/mit-krb5/patches/patch-CVE-2014-4341116
-rw-r--r--security/mit-krb5/patches/patch-CVE-2014-434316
-rw-r--r--security/mit-krb5/patches/patch-CVE-2014-434416
5 files changed, 159 insertions, 5 deletions
diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile
index c95e4215244..15233677abb 100644
--- a/security/mit-krb5/Makefile
+++ b/security/mit-krb5/Makefile
@@ -1,15 +1,15 @@
-# $NetBSD: Makefile,v 1.75 2014/05/29 23:37:20 wiz Exp $
+# $NetBSD: Makefile,v 1.76 2014/08/28 22:23:05 tez Exp $
DISTNAME= krb5-1.10.7
PKGNAME= mit-${DISTNAME}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV:R}/
EXTRACT_SUFX= .tar
DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX}
-#PATCH_SITES= http://web.mit.edu/kerberos/advisories/
-#PATCHFILES= 2011-006-patch-r18.txt
+PATCH_SITES= http://web.mit.edu/kerberos/advisories/
+PATCHFILES= 2014-001-patch.txt
MAINTAINER= tez@NetBSD.org
HOMEPAGE= http://web.mit.edu/kerberos/
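Review bot: The newly enabled `PATCH_SITES` fetches `2014-001-patch.txt` over plain `http://`, so the only thing authenticating this security patch at build time is the SHA1/RMD160 pair added to distinfo in the same commit. If the MIT server offers TLS for this path, prefer `PATCH_SITES= https://web.mit.edu/kerberos/advisories/`. The recorded checksums should also come from a copy that was compared with upstream's signed advisory, not from whatever the first fetch returned. The unchanged `MASTER_SITES` line has the same property; the rest of the Makefile lies outside this hunk.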
diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo
index 597c97f269a..ccc9b532649 100644
--- a/security/mit-krb5/distinfo
+++ b/security/mit-krb5/distinfo
@@ -1,8 +1,14 @@
-$NetBSD: distinfo,v 1.47 2013/12/03 14:08:53 adam Exp $
+$NetBSD: distinfo,v 1.48 2014/08/28 22:23:05 tez Exp $
+SHA1 (2014-001-patch.txt) = 919402bf3b7c289e847e9adc03a7c30f26966769
+RMD160 (2014-001-patch.txt) = a39c8e12e79ab273d562b04c1e7811c414dd70e8
+Size (2014-001-patch.txt) = 592 bytes
SHA1 (krb5-1.10.7-signed.tar) = 982087d617d0b038676bbe8030047421683d508b
RMD160 (krb5-1.10.7-signed.tar) = 16e3a2cdeb410d84d055431679eb81851ae685e9
Size (krb5-1.10.7-signed.tar) = 11632640 bytes
+SHA1 (patch-CVE-2014-4341) = 97b316fb3c5dfc626827a13baa5dcf623d67da3c
+SHA1 (patch-CVE-2014-4343) = e7d4604d81671f71c9cd9461b65a9e87b5982baa
+SHA1 (patch-CVE-2014-4344) = b7ae530beaffcf1c095e6f94bdf608b7a140b064
SHA1 (patch-aa) = 941848a1773dfbe51dff3134d4b8504a850a958d
SHA1 (patch-ad) = b56a7218007560470179dd811c84b8c690c966ac
SHA1 (patch-ae) = c7395b9de5baf6612b8787fad55dbc051a680bfd
diff --git a/security/mit-krb5/patches/patch-CVE-2014-4341 b/security/mit-krb5/patches/patch-CVE-2014-4341
new file mode 100644
index 00000000000..6b56ecc7029
--- /dev/null
+++ b/security/mit-krb5/patches/patch-CVE-2014-4341
@@ -0,0 +1,116 @@
+$NetBSD: patch-CVE-2014-4341,v 1.1 2014/08/28 22:23:05 tez Exp $
+
+Fix for CVE-2014-4341 & CVE-2014-4342 from:
+https://github.com/krb5/krb5/commit/e6ae703ae597d798e310368d52b8f38ee11c6a73
+
+
+--- lib/gssapi/krb5/k5unseal.c
++++ lib/gssapi/krb5/k5unseal.c
+@@ -74,6 +74,7 @@
+ int conflen = 0;
+ int signalg;
+ int sealalg;
++ int bad_pad = 0;
+ gss_buffer_desc token;
+ krb5_checksum cksum;
+ krb5_checksum md5cksum;
+@@ -86,6 +87,7 @@
+ krb5_ui_4 seqnum;
+ OM_uint32 retval;
+ size_t sumlen;
++ size_t padlen;
+ krb5_keyusage sign_usage = KG_USAGE_SIGN;
+
+ if (toktype == KG_TOK_SEAL_MSG) {
+@@ -93,18 +95,23 @@
+ message_buffer->value = NULL;
+ }
+
+- /* get the sign and seal algorithms */
+-
+- signalg = ptr[0] + (ptr[1]<<8);
+- sealalg = ptr[2] + (ptr[3]<<8);
+-
+ /* Sanity checks */
+
+- if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) {
++ if (ctx->seq == NULL) {
++ /* ctx was established using a newer enctype, and cannot process RFC
++ * 1964 tokens. */
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
++ if ((bodysize < 22) || (ptr[4] != 0xff) || (ptr[5] != 0xff)) {
++ *minor_status = 0;
++ return GSS_S_DEFECTIVE_TOKEN;
++ }
++
++ signalg = ptr[0] + (ptr[1]<<8);
++ sealalg = ptr[2] + (ptr[3]<<8);
++
+ if ((toktype != KG_TOK_SEAL_MSG) &&
+ (sealalg != 0xffff)) {
+ *minor_status = 0;
+@@ -153,6 +160,11 @@
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
++ if ((size_t)bodysize < 14 + cksum_len) {
++ *minor_status = 0;
++ return GSS_S_DEFECTIVE_TOKEN;
++ }
++
+ /* get the token parameters */
+
+ if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction,
+@@ -210,7 +222,20 @@
+ token.length = tmsglen;
+ } else {
+ conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
+- token.length = tmsglen - conflen - plain[tmsglen-1];
++ if (tmsglen < conflen) {
++ if (sealalg != 0xffff)
++ xfree(plain);
++ *minor_status = 0;
++ return(GSS_S_DEFECTIVE_TOKEN);
++ }
++ padlen = plain[tmsglen - 1];
++ if (tmsglen - conflen < padlen) {
++ /* Don't error out yet, to avoid padding oracle attacks. We will
++ * treat this as a checksum failure later on. */
++ padlen = 0;
++ bad_pad = 1;
++ }
++ token.length = tmsglen - conflen - padlen;
+ }
+
+ if (token.length) {
+@@ -423,7 +448,7 @@
+
+ /* compare the computed checksum against the transmitted checksum */
+
+- if (code) {
++ if (code || bad_pad) {
+ if (toktype == KG_TOK_SEAL_MSG)
+ gssalloc_free(token.value);
+ *minor_status = 0;
+
+--- lib/gssapi/krb5/k5unsealiov.c
++++ lib/gssapi/krb5/k5unsealiov.c
+@@ -69,7 +69,14 @@ kg_unseal_v1_iov(krb5_context context,
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+- if (header->buffer.length < token_wrapper_len + 14) {
++ if (ctx->seq == NULL) {
++ /* ctx was established using a newer enctype, and cannot process RFC
++ * 1964 tokens. */
++ *minor_status = 0;
++ return GSS_S_DEFECTIVE_TOKEN;
++ }
++
++ if (header->buffer.length < token_wrapper_len + 22) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
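Review bot: In the `@@ -210,7 +222,20 @@` part of the k5unseal.c patch, the read `padlen = plain[tmsglen - 1];` is kept in bounds only by the preceding `if (tmsglen < conflen)` test, which does not fire when `tmsglen` is 0 and `conflen` is not positive. `conflen` is declared `int` in the first hunk, but the declaration of `tmsglen` and the return range of `kg_confounder_size()` are not visible here, so this is a hardening suggestion rather than a confirmed defect. Making the precondition explicit costs nothing: `if (tmsglen == 0 || tmsglen < conflen) {`. The enclosing function starts and ends outside the quoted hunks.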
diff --git a/security/mit-krb5/patches/patch-CVE-2014-4343 b/security/mit-krb5/patches/patch-CVE-2014-4343
new file mode 100644
index 00000000000..b42b8b1d9ff
--- /dev/null
+++ b/security/mit-krb5/patches/patch-CVE-2014-4343
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2014-4343,v 1.1 2014/08/28 22:23:05 tez Exp $
+
+fix for cve-2014-4343 from:
+https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f
+
+
+--- lib/gssapi/spnego/spnego_mech.c
++++ lib/gssapi/spnego/spnego_mech.c
+@@ -796,7 +796,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ OM_uint32 tmpmin;
+ size_t i;
+
+- generic_gss_release_oid(&tmpmin, &sc->internal_mech);
+ gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
+ GSS_C_NO_BUFFER);
+
diff --git a/security/mit-krb5/patches/patch-CVE-2014-4344 b/security/mit-krb5/patches/patch-CVE-2014-4344
new file mode 100644
index 00000000000..a2066f88089
--- /dev/null
+++ b/security/mit-krb5/patches/patch-CVE-2014-4344
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2014-4344,v 1.1 2014/08/28 22:23:05 tez Exp $
+
+fix for CVE-2014-4344 from:
+https://github.com/krb5/krb5/commit/a7886f0ed1277c69142b14a2c6629175a6331edc
+
+--- lib/gssapi/spnego/spnego_mech.c
++++ lib/gssapi/spnego/spnego_mech.c
+@@ -1442,7 +1442,7 @@ acc_ctx_cont(OM_uint32 *minstat,
+
+ ptr = bufstart = buf->value;
+ #define REMAIN (buf->length - (ptr - bufstart))
+- if (REMAIN > INT_MAX)
++ if (REMAIN == 0 || REMAIN > INT_MAX)
+ return GSS_S_DEFECTIVE_TOKEN;
+
+ /*