Hello community,

here is the log from the commit of package krb5 for openSUSE:Factory checked in 
at 2014-07-27 08:25:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
 and      /work/SRC/openSUSE:Factory/.krb5.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "krb5"

Changes:
--------
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes   2014-02-19 
11:39:17.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes      2014-07-27 
08:25:45.000000000 +0200
@@ -2 +2,19 @@
-Tue Feb 18 15:27:15 UTC 2014 - [email protected]
+Sat Jul 19 12:38:21 UTC 2014 - [email protected]
+
+- Do not depend of insserv if systemd is used 
+
+-------------------------------------------------------------------
+Thu Jul 10 15:59:52 UTC 2014 - [email protected]
+
+- denial of service flaws when handling RFC 1964 tokens (bnc#886016)
+  krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+- start krb5kdc after slapd (bnc#886102)
+
+-------------------------------------------------------------------
+Fri Jun  6 11:08:08 UTC 2014 - [email protected]
+
+- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
+  similar functionality is provided by krb5-plugin-preauth-pkinit
+
+-------------------------------------------------------------------
+Tue Feb 18 15:25:57 UTC 2014 - [email protected]
@@ -7 +25 @@
-Tue Jan 21 14:28:05 UTC 2014 - [email protected]
+Tue Jan 21 14:23:37 UTC 2014 - [email protected]
@@ -28 +46 @@
-Mon Jan 13 15:40:18 UTC 2014 - [email protected]
+Mon Jan 13 15:37:16 UTC 2014 - [email protected]
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes        2014-02-19 
11:39:17.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes   2014-07-27 
08:25:45.000000000 +0200
@@ -1,0 +2,18 @@
+Sat Jul 19 12:38:21 UTC 2014 - [email protected]
+
+- Do not depend of insserv if systemd is used 
+
+-------------------------------------------------------------------
+Thu Jul 10 15:59:52 UTC 2014 - [email protected]
+
+- denial of service flaws when handling RFC 1964 tokens (bnc#886016)
+  krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+- start krb5kdc after slapd (bnc#886102)
+
+-------------------------------------------------------------------
+Fri Jun  6 11:08:08 UTC 2014 - [email protected]
+
+- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
+  similar functionality is provided by krb5-plugin-preauth-pkinit
+
+-------------------------------------------------------------------

New:
----
  krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ krb5-mini.spec ++++++
--- /var/tmp/diff_new_pack.3rs6QU/_old  2014-07-27 08:25:46.000000000 +0200
+++ /var/tmp/diff_new_pack.3rs6QU/_new  2014-07-27 08:25:46.000000000 +0200
@@ -35,6 +35,7 @@
 Summary:        MIT Kerberos5 Implementation--Libraries
 License:        MIT
 Group:          Productivity/Networking/Security
+Obsoletes:      krb5-plugin-preauth-pkinit-nss
 %if ! 0%{?build_mini}
 BuildRequires:  doxygen
 BuildRequires:  libopenssl-devel
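Review bot: The new `Obsoletes: krb5-plugin-preauth-pkinit-nss` at L84 (and the identical line at L125 in krb5.spec) is unversioned, so it blocks any future package of that name for good rather than only the builds being replaced; the usual form is `Obsoletes: krb5-plugin-preauth-pkinit-nss < %{version}`, assuming the dropped subpackage carried the package version, which this hunk does not show. It is also placed in the main package preamble, so an upgrade removes the nss plugin without pulling in krb5-plugin-preauth-pkinit, which the changelog names as the replacement; if that replacement is meant to arrive automatically, the Obsoletes belongs in that subpackage's `%package` section, outside this hunk. A one-line comment above it, `# bnc#881674: nss pkinit plugin dropped, krb5-plugin-preauth-pkinit covers it (no Provides on purpose)`, would spare the next maintainer the changelog lookup.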
@@ -47,6 +48,8 @@
 %if 0%{?suse_version} >= 1210
 BuildRequires:  pkgconfig(systemd)
 %{?systemd_requires}
+%else
+PreReq:         %insserv_prereq
 %endif
 # bug437293
 %ifarch ppc64
@@ -80,9 +83,10 @@
 Patch13:        krb5-1.9-debuginfo.patch
 Patch14:        krb5-kvno-230379.patch
 Patch15:        krb5-master-keyring-kdcsync.patch
+Patch16:        krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
-PreReq:         %insserv_prereq %fillup_prereq 
+PreReq:         %fillup_prereq 
 
 %description
 Kerberos V5 is a trusted-third-party network authentication system,
@@ -200,6 +204,7 @@
 %patch13 -p0
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
 
 %build
 # needs to be re-generated

++++++ krb5.spec ++++++
--- /var/tmp/diff_new_pack.3rs6QU/_old  2014-07-27 08:25:46.000000000 +0200
+++ /var/tmp/diff_new_pack.3rs6QU/_new  2014-07-27 08:25:46.000000000 +0200
@@ -35,6 +35,7 @@
 Summary:        MIT Kerberos5 Implementation--Libraries
 License:        MIT
 Group:          Productivity/Networking/Security
+Obsoletes:      krb5-plugin-preauth-pkinit-nss
 %if ! 0%{?build_mini}
 BuildRequires:  doxygen
 BuildRequires:  libopenssl-devel
@@ -47,6 +48,8 @@
 %if 0%{?suse_version} >= 1210
 BuildRequires:  pkgconfig(systemd)
 %{?systemd_requires}
+%else
+PreReq:         %insserv_prereq 
 %endif
 # bug437293
 %ifarch ppc64
@@ -80,9 +83,10 @@
 Patch13:        krb5-1.9-debuginfo.patch
 Patch14:        krb5-kvno-230379.patch
 Patch15:        krb5-master-keyring-kdcsync.patch
+Patch16:        krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
-PreReq:         %insserv_prereq %fillup_prereq 
+PreReq:         %fillup_prereq 
 
 %description
 Kerberos V5 is a trusted-third-party network authentication system,
@@ -200,6 +204,7 @@
 %patch13 -p0
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
 
 %build
 # needs to be re-generated

++++++ krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch ++++++
>From fb99962cbd063ac04c9a9d2cc7c75eab73f3533d Mon Sep 17 00:00:00 2001
From: Greg Hudson <[email protected]>
Date: Thu, 19 Jun 2014 13:49:16 -0400
Subject: [PATCH] Handle invalid RFC 1964 tokens [CVE-2014-4341...]

Detect the following cases which would otherwise cause invalid memory
accesses and/or integer underflow:

* An RFC 1964 token being processed by an RFC 4121-only context
  [CVE-2014-4342]

* A header with fewer than 22 bytes after the token ID or an
  incomplete checksum [CVE-2014-4341 CVE-2014-4342]

* A ciphertext shorter than the confounder [CVE-2014-4341]

* A declared padding length longer than the plaintext [CVE-2014-4341]

If we detect a bad pad byte, continue on to compute the checksum to
avoid creating a padding oracle, but treat the checksum as invalid
even if it compares equal.

CVE-2014-4341:

In MIT krb5, an unauthenticated remote attacker with the ability to
inject packets into a legitimately established GSSAPI application
session can cause a program crash due to invalid memory references
when attempting to read beyond the end of a buffer.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C

CVE-2014-4342:

In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote
attacker with the ability to inject packets into a legitimately
established GSSAPI application session can cause a program crash due
to invalid memory references when reading beyond the end of a buffer
or by causing a null pointer dereference.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C

[[email protected]: CVE summaries, CVSS]

ticket: 7949 (new)
subject: Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342]
taget_version: 1.12.2
tags: pullup
---
 src/lib/gssapi/krb5/k5unseal.c    | 41 +++++++++++++++++++++++++++++++--------
 src/lib/gssapi/krb5/k5unsealiov.c |  9 ++++++++-
 2 files changed, 41 insertions(+), 9 deletions(-)

diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
index 30c12b9..0573958 100644
--- a/src/lib/gssapi/krb5/k5unseal.c
+++ b/src/lib/gssapi/krb5/k5unseal.c
@@ -74,6 +74,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, 
message_buffer,
     int conflen = 0;
     int signalg;
     int sealalg;
+    int bad_pad = 0;
     gss_buffer_desc token;
     krb5_checksum cksum;
     krb5_checksum md5cksum;
@@ -86,6 +87,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, 
message_buffer,
     krb5_ui_4 seqnum;
     OM_uint32 retval;
     size_t sumlen;
+    size_t padlen;
     krb5_keyusage sign_usage = KG_USAGE_SIGN;
 
     if (toktype == KG_TOK_SEAL_MSG) {
@@ -93,18 +95,23 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, 
message_buffer,
         message_buffer->value = NULL;
     }
 
-    /* get the sign and seal algorithms */
-
-    signalg = ptr[0] + (ptr[1]<<8);
-    sealalg = ptr[2] + (ptr[3]<<8);
-
     /* Sanity checks */
 
-    if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) {
+    if (ctx->seq == NULL) {
+        /* ctx was established using a newer enctype, and cannot process RFC
+         * 1964 tokens. */
+        *minor_status = 0;
+        return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    if ((bodysize < 22) || (ptr[4] != 0xff) || (ptr[5] != 0xff)) {
         *minor_status = 0;
         return GSS_S_DEFECTIVE_TOKEN;
     }
 
+    signalg = ptr[0] + (ptr[1]<<8);
+    sealalg = ptr[2] + (ptr[3]<<8);
+
     if ((toktype != KG_TOK_SEAL_MSG) &&
         (sealalg != 0xffff)) {
         *minor_status = 0;
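Review bot: The bound `bodysize < 22` at L254 is a bare magic number, as is `token_wrapper_len + 22` at L329 in k5unsealiov.c and the `14` in `14 + cksum_len` at L270; the commit message explains 22 as the fixed RFC 1964 header after the token ID, but nothing in the code does. I would define it once where both files can see it, with a comment such as `/* SGN_ALG(2) + SEAL_ALG(2) + Filler(2) + SND_SEQ(8) + minimum SGN_CKSUM(8) */`, and a sibling constant for the 14-byte offset of SGN_CKSUM, then use those names in all three checks. Moving the `signalg`/`sealalg` reads below the length check (L259–L260) is the right fix, but a short comment saying the reads must stay after it would keep a future reorder from reintroducing the over-read. kg_unseal_v1's body starts and ends outside this hunk.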
@@ -153,6 +160,11 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, 
message_buffer,
         return GSS_S_DEFECTIVE_TOKEN;
     }
 
+    if ((size_t)bodysize < 14 + cksum_len) {
+        *minor_status = 0;
+        return GSS_S_DEFECTIVE_TOKEN;
+    }
+
     /* get the token parameters */
 
     if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction,
@@ -207,7 +219,20 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, 
message_buffer,
         plainlen = tmsglen;
 
         conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
-        token.length = tmsglen - conflen - plain[tmsglen-1];
+        if (tmsglen < conflen) {
+            if (sealalg != 0xffff)
+                xfree(plain);
+            *minor_status = 0;
+            return(GSS_S_DEFECTIVE_TOKEN);
+        }
+        padlen = plain[tmsglen - 1];
+        if (tmsglen - conflen < padlen) {
+            /* Don't error out yet, to avoid padding oracle attacks.  We will
+             * treat this as a checksum failure later on. */
+            padlen = 0;
+            bad_pad = 1;
+        }
+        token.length = tmsglen - conflen - padlen;
 
         if (token.length) {
             if ((token.value = (void *) gssalloc_malloc(token.length)) == 
NULL) {
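Review bot: `conflen` is filled from kg_confounder_size() at L282 and is a signed `int` (L218), yet the new `tmsglen < conflen` comparison at L284 uses it unchecked; if that helper can signal an error with a negative return, as its int type suggests, the comparison silently mixes signedness with `tmsglen` (declared outside the hunk) and `token.length` at L297 is derived from a bogus confounder length. A guard such as `if (conflen < 0) { if (sealalg != 0xffff) xfree(plain); *minor_status = 0; return GSS_S_FAILURE; }` ahead of L284 would make that failure explicit instead of relying on the comparison to happen to reject it. The `bad_pad` branch is well commented, but the L284 check deserves one too, e.g. `/* Must precede the plain[tmsglen - 1] read below and keeps token.length from wrapping. */`, since its position relative to L290 is what keeps that read in bounds. kg_unseal_v1 continues outside this hunk.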
@@ -403,7 +428,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, 
message_buffer,
 
     /* compare the computed checksum against the transmitted checksum */
 
-    if (code) {
+    if (code || bad_pad) {
         if (toktype == KG_TOK_SEAL_MSG)
             gssalloc_free(token.value);
         *minor_status = 0;
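Review bot: The `code || bad_pad` condition at L308 is the only place where a bad pad byte finally turns into an error, and the reason it is deferred to here is documented in the commit message and at L292–L293 but not at this site. A comment on L308 such as `/* bad_pad is reported as a checksum mismatch so pad and checksum failures are indistinguishable to a peer. */` would tell a reader why a valid checksum is still rejected. It is worth confirming, outside this hunk, that the checksum comparison that sets `code` is constant-time, since the whole point of deferring the pad check is to avoid a distinguishing signal.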
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c 
b/src/lib/gssapi/krb5/k5unsealiov.c
index f7828b8..b654c66 100644
--- a/src/lib/gssapi/krb5/k5unsealiov.c
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -69,7 +69,14 @@ kg_unseal_v1_iov(krb5_context context,
         return GSS_S_DEFECTIVE_TOKEN;
     }
 
-    if (header->buffer.length < token_wrapper_len + 14) {
+    if (ctx->seq == NULL) {
+        /* ctx was established using a newer enctype, and cannot process RFC
+         * 1964 tokens. */
+        *minor_status = 0;
+        return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    if (header->buffer.length < token_wrapper_len + 22) {
         *minor_status = 0;
         return GSS_S_DEFECTIVE_TOKEN;
     }
-- 
1.9.3

++++++ vendor-files.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/vendor-files/krb5kdc.service 
new/vendor-files/krb5kdc.service
--- old/vendor-files/krb5kdc.service    2013-05-28 19:07:13.000000000 +0200
+++ new/vendor-files/krb5kdc.service    2014-07-10 17:59:28.000000000 +0200
@@ -1,6 +1,6 @@
 [Unit]
 Description=Kerberos 5 KDC
-After=network.target
+After=network.target slapd.service
 
 [Service]
 Type=forking
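Review bot: `After=network.target slapd.service` at L346 only orders krb5kdc behind slapd when both are queued in the same transaction; it neither starts slapd nor fails when it is absent, which is presumably intended since the LDAP KDC backend is optional, but the unit does not say so. I would add `# Ordered after slapd so a KDC using the LDAP backend finds its database (bnc#886102)` above the line, and mention in the changelog or a comment that installations where the backend is mandatory need a drop-in with `Wants=slapd.service`.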
