From 0d31eba5cf4d743d8cdc1b67e55b404df7d4eff3 Mon Sep 17 00:00:00 2001 From: tez Date: Wed, 25 Feb 2015 22:28:58 +0000 Subject: Backported fixes for: http://web.mit.edu/kerberos/advisories/2015-001-patch-r111.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5352 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9421 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9422 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9423 and: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5353 and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5355 (also apparently known as SA62976) --- security/mit-krb5/Makefile | 4 +- security/mit-krb5/distinfo | 5 +- .../mit-krb5/patches/patch-2015-001-patch-r110 | 312 +++++++++++++++++++++ security/mit-krb5/patches/patch-CVE-2014-5353 | 29 ++ security/mit-krb5/patches/patch-CVE-2014-5355 | 53 ++++ 5 files changed, 400 insertions(+), 3 deletions(-) create mode 100644 security/mit-krb5/patches/patch-2015-001-patch-r110 create mode 100644 security/mit-krb5/patches/patch-CVE-2014-5353 create mode 100644 security/mit-krb5/patches/patch-CVE-2014-5355 (limited to 'security') diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile index 61a45bb4e12..8d9230ef6dd 100644 --- a/security/mit-krb5/Makefile +++ b/security/mit-krb5/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.77 2014/11/25 23:40:49 tez Exp $ +# $NetBSD: Makefile,v 1.78 2015/02/25 22:28:58 tez Exp $ DISTNAME= krb5-1.10.7 PKGNAME= mit-${DISTNAME} -PKGREVISION= 4 +PKGREVISION= 5 CATEGORIES= security MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV:R}/ EXTRACT_SUFX= .tar diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo index abeb8602a2c..e930913c19c 100644 --- a/security/mit-krb5/distinfo +++ b/security/mit-krb5/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.49 2014/11/25 23:40:49 tez Exp $ +$NetBSD: distinfo,v 1.50 2015/02/25 22:28:58 tez Exp $ SHA1 (2014-001-patch.txt) = 919402bf3b7c289e847e9adc03a7c30f26966769 RMD160 (2014-001-patch.txt) = a39c8e12e79ab273d562b04c1e7811c414dd70e8 @@ -6,10 +6,13 @@ Size (2014-001-patch.txt) = 592 bytes SHA1 (krb5-1.10.7-signed.tar) = 982087d617d0b038676bbe8030047421683d508b RMD160 (krb5-1.10.7-signed.tar) = 16e3a2cdeb410d84d055431679eb81851ae685e9 Size (krb5-1.10.7-signed.tar) = 11632640 bytes +SHA1 (patch-2015-001-patch-r110) = 17343091958096cfb45caae490018e60c79430cf SHA1 (patch-CVE-2014-4341) = 97b316fb3c5dfc626827a13baa5dcf623d67da3c SHA1 (patch-CVE-2014-4343) = e7d4604d81671f71c9cd9461b65a9e87b5982baa SHA1 (patch-CVE-2014-4344) = b7ae530beaffcf1c095e6f94bdf608b7a140b064 SHA1 (patch-CVE-2014-5351) = 2948e2a9f7adb97b8cb70bb8f0043c45e5822465 +SHA1 (patch-CVE-2014-5353) = 93217bb5f249b153b8dcb0be07a565ee8cca879a +SHA1 (patch-CVE-2014-5355) = de4f540d079b88fcf2e0ecdc504d977d47d628ab SHA1 (patch-aa) = 941848a1773dfbe51dff3134d4b8504a850a958d SHA1 (patch-ad) = b56a7218007560470179dd811c84b8c690c966ac SHA1 (patch-ae) = c7395b9de5baf6612b8787fad55dbc051a680bfd diff --git a/security/mit-krb5/patches/patch-2015-001-patch-r110 b/security/mit-krb5/patches/patch-2015-001-patch-r110 new file mode 100644 index 00000000000..072f58df850 --- /dev/null +++ b/security/mit-krb5/patches/patch-2015-001-patch-r110 @@ -0,0 +1,312 @@ +$NetBSD: patch-2015-001-patch-r110,v 1.1 2015/02/25 22:28:58 tez Exp $ + +Patch for MITKRB5-SA-2015-001.txt backported +based on http://web.mit.edu/kerberos/advisories/2015-001-patch-r111.txt +Fixes: +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5352 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9421 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9422 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9423 + + +--- ./kadmin/server/kadm_rpc_svc.c.orig 2015-02-25 19:03:47.134238800 +0000 ++++ ./kadmin/server/kadm_rpc_svc.c +@@ -4,7 +4,7 @@ + * + */ + +-#include ++#include + #include + #include /* for gss_nt_krb5_name */ + #include +@@ -301,14 +301,8 @@ check_rpcsec_auth(struct svc_req *rqstp) + c1 = krb5_princ_component(kctx, princ, 0); + c2 = krb5_princ_component(kctx, princ, 1); + realm = krb5_princ_realm(kctx, princ); +- if (strncmp(handle->params.realm, realm->data, realm->length) == 0 +- && strncmp("kadmin", c1->data, c1->length) == 0) { +- +- if (strncmp("history", c2->data, c2->length) == 0) +- goto fail_princ; +- else +- success = 1; +- } ++ success = data_eq_string(*realm, handle->params.realm) && ++ data_eq_string(*c1, "kadmin") && !data_eq_string(*c2, "history"); + + fail_princ: + if (!success) { + +--- ./lib/gssapi/krb5/context_time.c.orig 2015-02-25 19:49:12.558472400 +0000 ++++ ./lib/gssapi/krb5/context_time.c +@@ -40,7 +40,7 @@ krb5_gss_context_time(minor_status, cont + + ctx = (krb5_gss_ctx_id_rec *) context_handle; + +- if (! ctx->established) { ++ if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } + +--- ./lib/gssapi/krb5/export_sec_context.c.orig 2015-02-25 20:12:11.511021400 +0000 ++++ ./lib/gssapi/krb5/export_sec_context.c +@@ -45,6 +45,11 @@ krb5_gss_export_sec_context(minor_status + *minor_status = 0; + + ctx = (krb5_gss_ctx_id_t) *context_handle; ++ if (ctx->terminated) { ++ *minor_status = KG_CTX_INCOMPLETE; ++ return (GSS_S_NO_CONTEXT); ++ } ++ + context = ctx->k5_context; + kret = krb5_gss_ser_init(context); + if (kret) + +--- ./lib/gssapi/krb5/gssapiP_krb5.h.orig 2015-02-25 20:13:50.580912000 +0000 ++++ ./lib/gssapi/krb5/gssapiP_krb5.h +@@ -202,6 +202,7 @@ typedef struct _krb5_gss_ctx_id_rec { + unsigned int big_endian : 1; + unsigned int have_acceptor_subkey : 1; + unsigned int seed_init : 1; /* XXX tested but never actually set */ ++ unsigned int terminated : 1; + OM_uint32 gss_flags; + unsigned char seed[16]; + krb5_gss_name_t here; + +--- ./lib/gssapi/krb5/gssapi_krb5.c.orig 2015-02-25 20:15:28.221874100 +0000 ++++ ./lib/gssapi/krb5/gssapi_krb5.c +@@ -369,7 +369,7 @@ krb5_gss_inquire_sec_context_by_oid (OM_ + + ctx = (krb5_gss_ctx_id_rec *) context_handle; + +- if (!ctx->established) ++ if (ctx->terminated || !ctx->established) + return GSS_S_NO_CONTEXT; + + for (i = 0; i < sizeof(krb5_gss_inquire_sec_context_by_oid_ops)/ + +--- ./lib/gssapi/krb5/inq_context.c.orig 2015-02-25 20:17:05.258340000 +0000 ++++ ./lib/gssapi/krb5/inq_context.c +@@ -105,7 +105,7 @@ krb5_gss_inquire_context(minor_status, c + + ctx = (krb5_gss_ctx_id_rec *) context_handle; + +- if (! ctx->established) { ++ if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } + +--- ./lib/gssapi/krb5/k5seal.c.orig 2015-02-25 20:18:07.402899400 +0000 ++++ ./lib/gssapi/krb5/k5seal.c +@@ -347,7 +347,7 @@ kg_seal(minor_status, context_handle, co + + ctx = (krb5_gss_ctx_id_rec *) context_handle; + +- if (! ctx->established) { ++ if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } + +--- ./lib/gssapi/krb5/k5sealiov.c.orig 2015-02-25 20:19:26.092234800 +0000 ++++ ./lib/gssapi/krb5/k5sealiov.c +@@ -285,7 +285,7 @@ kg_seal_iov(OM_uint32 *minor_status, + } + + ctx = (krb5_gss_ctx_id_rec *)context_handle; +- if (!ctx->established) { ++ if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return GSS_S_NO_CONTEXT; + } + +--- ./lib/gssapi/krb5/k5unseal.c.orig 2013-11-06 20:52:23.000000000 +0000 ++++ ./lib/gssapi/krb5/k5unseal.c +@@ -487,7 +487,7 @@ kg_unseal(minor_status, context_handle, + + ctx = (krb5_gss_ctx_id_rec *) context_handle; + +- if (! ctx->established) { ++ if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } + +--- ./lib/gssapi/krb5/k5unsealiov.c.orig 2013-11-06 20:52:23.000000000 +0000 ++++ ./lib/gssapi/krb5/k5unsealiov.c +@@ -628,7 +628,7 @@ kg_unseal_iov(OM_uint32 *minor_status, + OM_uint32 code; + + ctx = (krb5_gss_ctx_id_rec *)context_handle; +- if (!ctx->established) { ++ if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return GSS_S_NO_CONTEXT; + } + +--- ./lib/gssapi/krb5/lucid_context.c.orig 2015-02-25 20:27:11.529478500 +0000 ++++ ./lib/gssapi/krb5/lucid_context.c +@@ -75,6 +75,11 @@ gss_krb5int_export_lucid_sec_context( + *minor_status = 0; + *data_set = GSS_C_NO_BUFFER_SET; + ++ if (ctx->terminated || !ctx->established) { ++ *minor_status = KG_CTX_INCOMPLETE; ++ return GSS_S_NO_CONTEXT; ++ } ++ + retval = generic_gss_oid_decompose(minor_status, + GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID, + GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH, + +--- ./lib/gssapi/krb5/prf.c.orig 2015-02-25 20:28:38.970661400 +0000 ++++ ./lib/gssapi/krb5/prf.c +@@ -60,6 +60,10 @@ krb5_gss_pseudo_random(OM_uint32 *minor_ + ns.data = NULL; + + ctx = (krb5_gss_ctx_id_t)context; ++ if (ctx->terminated || !ctx->established) { ++ *minor_status = KG_CTX_INCOMPLETE; ++ return GSS_S_NO_CONTEXT; ++ } + + switch (prf_key) { + case GSS_C_PRF_KEY_FULL: + +--- ./lib/gssapi/krb5/process_context_token.c.orig 2015-02-25 20:29:45.187213100 +0000 ++++ ./lib/gssapi/krb5/process_context_token.c +@@ -39,11 +39,18 @@ krb5_gss_process_context_token(minor_sta + + ctx = (krb5_gss_ctx_id_t) context_handle; + +- if (! ctx->established) { ++ if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } + ++ /* We only support context deletion tokens for now, and RFC 4121 does not ++ * define a context deletion token. */ ++ if (ctx->proto) { ++ *minor_status = 0; ++ return(GSS_S_DEFECTIVE_TOKEN); ++ } ++ + /* "unseal" the token */ + + if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle, +@@ -52,8 +59,8 @@ krb5_gss_process_context_token(minor_sta + KG_TOK_DEL_CTX))) + return(majerr); + +- /* that's it. delete the context */ +- +- return(krb5_gss_delete_sec_context(minor_status, &context_handle, +- GSS_C_NO_BUFFER)); ++ /* Mark the context as terminated, but do not delete it (as that would ++ * leave the caller with a dangling context handle). */ ++ ctx->terminated = 1; ++ return(GSS_S_COMPLETE); + } + +--- ./lib/gssapi/krb5/wrap_size_limit.c.orig 2015-02-25 20:32:00.325325300 +0000 ++++ ./lib/gssapi/krb5/wrap_size_limit.c +@@ -95,7 +95,7 @@ krb5_gss_wrap_size_limit(minor_status, c + } + + ctx = (krb5_gss_ctx_id_rec *) context_handle; +- if (! ctx->established) { ++ if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } + +--- ./lib/kadm5/kadm_rpc_xdr.c.orig 2015-02-25 20:48:14.376390200 +0000 ++++ ./lib/kadm5/kadm_rpc_xdr.c +@@ -320,6 +320,7 @@ bool_t xdr_krb5_tl_data(XDR *xdrs, krb5_ + free(tl); + tl = tl2; + } ++ *tl_data_head = NULL; + break; + + case XDR_ENCODE: +@@ -1067,6 +1068,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_princ + case XDR_FREE: + if(*objp != NULL) + krb5_free_principal(context, *objp); ++ *objp = NULL; + break; + } + return TRUE; + +--- ./lib/rpc/auth_gssapi_misc.c.orig 2015-02-25 20:51:31.250618000 +0000 ++++ ./lib/rpc/auth_gssapi_misc.c +@@ -321,7 +321,6 @@ bool_t auth_gssapi_unwrap_data( + if (! (*xdr_func)(&temp_xdrs, xdr_ptr)) { + PRINTF(("gssapi_unwrap_data: deserializing arguments failed\n")); + gss_release_buffer(minor, &out_buf); +- xdr_free(xdr_func, xdr_ptr); + XDR_DESTROY(&temp_xdrs); + return FALSE; + } + +--- ./lib/rpc/svc_auth_gss.c.orig 2015-02-25 20:52:40.715734700 +0000 ++++ ./lib/rpc/svc_auth_gss.c +@@ -68,16 +68,6 @@ extern const gss_OID_desc * const gss_me + + extern SVCAUTH svc_auth_none; + +-/* +- * from mit-krb5-1.2.1 mechglue/mglueP.h: +- * Array of context IDs typed by mechanism OID +- */ +-typedef struct gss_union_ctx_id_t { +- gss_OID mech_type; +- gss_ctx_id_t internal_ctx_id; +-} gss_union_ctx_id_desc, *gss_union_ctx_id_t; +- +- + static auth_gssapi_log_badauth_func log_badauth = NULL; + static caddr_t log_badauth_data = NULL; + static auth_gssapi_log_badverf_func log_badverf = NULL; +@@ -235,16 +225,8 @@ svcauth_gss_accept_sec_context(struct sv + gd->ctx = GSS_C_NO_CONTEXT; + goto errout; + } +- /* +- * ANDROS: krb5 mechglue returns ctx of size 8 - two pointers, +- * one to the mechanism oid, one to the internal_ctx_id +- */ +- if ((gr->gr_ctx.value = mem_alloc(sizeof(gss_union_ctx_id_desc))) == NULL) { +- fprintf(stderr, "svcauth_gss_accept_context: out of memory\n"); +- goto errout; +- } +- memcpy(gr->gr_ctx.value, gd->ctx, sizeof(gss_union_ctx_id_desc)); +- gr->gr_ctx.length = sizeof(gss_union_ctx_id_desc); ++ gr->gr_ctx.value = "xxxx"; ++ gr->gr_ctx.length = 4; + + /* gr->gr_win = 0x00000005; ANDROS: for debugging linux kernel version... */ + gr->gr_win = sizeof(gd->seqmask) * 8; +@@ -516,8 +498,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst + + if (!svcauth_gss_nextverf(rqst, htonl(gr.gr_win))) { + gss_release_buffer(&min_stat, &gr.gr_token); +- mem_free(gr.gr_ctx.value, +- sizeof(gss_union_ctx_id_desc)); + ret_freegc (AUTH_FAILED); + } + *no_dispatch = TRUE; +@@ -527,7 +507,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst + + gss_release_buffer(&min_stat, &gr.gr_token); + gss_release_buffer(&min_stat, &gd->checksum); +- mem_free(gr.gr_ctx.value, sizeof(gss_union_ctx_id_desc)); + if (!call_stat) + ret_freegc (AUTH_FAILED); + diff --git a/security/mit-krb5/patches/patch-CVE-2014-5353 b/security/mit-krb5/patches/patch-CVE-2014-5353 new file mode 100644 index 00000000000..52d8e266697 --- /dev/null +++ b/security/mit-krb5/patches/patch-CVE-2014-5353 @@ -0,0 +1,29 @@ +$NetBSD: patch-CVE-2014-5353,v 1.1 2015/02/25 22:28:58 tez Exp $ + +Fix for CVE-2014-5353 from: +https://github.com/krb5/krb5/commit/5fbb56c4624df9e6b0d0a80f46e5ad37eb79c6c0 + + +--- plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c.orig 2015-02-25 18:57:47.261119800 +0000 ++++ plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c +@@ -261,9 +261,9 @@ krb5_ldap_get_password_policy_from_dn(kr + #endif /**************** END IFDEF'ed OUT *******************************/ + + ent=ldap_first_entry(ld, result); +- if (ent != NULL) { +- if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0) +- goto cleanup; ++ if (ent == NULL) { ++ st = KRB5_KDB_NOENTRY; ++ goto cleanup; + #if 0 /************** Begin IFDEF'ed OUT *******************************/ + krb5_ldap_get_value(ld, ent, "krbmaxpwdlife", &((*policy)->pw_max_life)); + krb5_ldap_get_value(ld, ent, "krbminpwdlife", &((*policy)->pw_min_life)); +@@ -279,6 +279,7 @@ krb5_ldap_get_password_policy_from_dn(kr + ld); + #endif /**************** END IFDEF'ed OUT *******************************/ + } ++ st = populate_policy(context, ld, ent, pol_name, *policy); + + cleanup: + ldap_msgfree(result); diff --git a/security/mit-krb5/patches/patch-CVE-2014-5355 b/security/mit-krb5/patches/patch-CVE-2014-5355 new file mode 100644 index 00000000000..b4bb8c4cb81 --- /dev/null +++ b/security/mit-krb5/patches/patch-CVE-2014-5355 @@ -0,0 +1,53 @@ +$NetBSD: patch-CVE-2014-5355,v 1.1 2015/02/25 22:28:58 tez Exp $ + +Patch for CVE-2014-5355 from: +https://github.com/krb5/krb5/commit/102bb6ebf20f9174130c85c3b052ae104e5073ec + + +--- ./appl/user_user/server.c.orig 2015-02-25 21:22:16.608302700 +0000 ++++ ./appl/user_user/server.c +@@ -113,8 +113,10 @@ int main(argc, argv) + } + #endif + ++ /* principal name must be sent null-terminated. */ + retval = krb5_read_message(context, (krb5_pointer) &sock, &pname_data); +- if (retval) { ++ if (retval || pname_data.length == 0 || ++ pname_data.data[pname_data.length - 1] != '\0') { + com_err ("uu-server", retval, "reading pname"); + return 2; + } + +--- ./lib/krb5/krb/recvauth.c.orig 2015-02-25 21:24:52.754211700 +0000 ++++ ./lib/krb5/krb/recvauth.c +@@ -59,6 +59,7 @@ recvauth_common(krb5_context context, + krb5_rcache rcache = 0; + krb5_octet response; + krb5_data null_server; ++ krb5_data d; + int need_error_free = 0; + int local_rcache = 0, local_authcon = 0; + +@@ -77,7 +78,8 @@ recvauth_common(krb5_context context, + */ + if ((retval = krb5_read_message(context, fd, &inbuf))) + return(retval); +- if (strcmp(inbuf.data, sendauth_version)) { ++ d = make_data((char *)sendauth_version, strlen(sendauth_version) + 1); ++ if (!data_eq(inbuf, d)) { + problem = KRB5_SENDAUTH_BADAUTHVERS; + response = 1; + } +@@ -93,8 +95,9 @@ recvauth_common(krb5_context context, + */ + if ((retval = krb5_read_message(context, fd, &inbuf))) + return(retval); +- if (appl_version && strcmp(inbuf.data, appl_version)) { +- if (!problem) { ++ if (appl_version != NULL && !problem) { ++ d = make_data(appl_version, strlen(appl_version) + 1); ++ if (!data_eq(inbuf, d)) { + problem = KRB5_SENDAUTH_BADAPPLVERS; + response = 2; + } -- cgit v1.2.3