Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-1.9.git;a=commitdiff;h=e9a73b1358bb164a5a7ec9e3803e2dabf76a503a
commit e9a73b1358bb164a5a7ec9e3803e2dabf76a503a Author: kikadf <[email protected]> Date: Sun Oct 5 10:11:07 2014 +0200 krb5-1.10.1-2arcturus2-x86_64 * Fix CVE-2014-5351 diff --git a/source/lib-extra/krb5/CVE-2014-5351-arcturus.patch b/source/lib-extra/krb5/CVE-2014-5351-arcturus.patch new file mode 100644 index 0000000..793c93c --- /dev/null +++ b/source/lib-extra/krb5/CVE-2014-5351-arcturus.patch @@ -0,0 +1,86 @@ +From 3bf9e33f9d66c0eef486cbd83f9e4f13a74d12c3 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <[email protected]> +Date: Thu, 21 Aug 2014 13:52:07 -0400 +Subject: [PATCH] Return only new keys in randkey [CVE-2014-5351] + +In kadmind's randkey operation, if a client specifies the keepold +flag, do not include the preserved old keys in the response. + +CVE-2014-5351: + +An authenticated remote attacker can retrieve the current keys for a +service principal when generating a new set of keys for that +principal. The attacker needs to be authenticated as a user who has +the elevated privilege for randomizing the keys of other principals. + +Normally, when a Kerberos administrator randomizes the keys of a +service principal, kadmind returns only the new keys. This prevents +an administrator who lacks legitimate privileged access to a service +from forging tickets to authenticate to that service. If the +"keepold" flag to the kadmin randkey RPC operation is true, kadmind +retains the old keys in the KDC database as intended, but also +unexpectedly returns the old keys to the client, which exposes the +service to ticket forgery attacks from the administrator. + +A mitigating factor is that legitimate clients of the affected service +will start failing to authenticate to the service once they begin to +receive service tickets encrypted in the new keys. The affected +service will be unable to decrypt the newly issued tickets, possibly +alerting the legitimate administrator of the affected service. + +CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C + +[[email protected]: CVE description and CVSS score] + +(cherry picked from commit af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca) + +ticket: 8018 +version_fixed: 1.13 +status: resolved +--- +diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c +index ae36841..dc8393f 100644 +--- a/src/lib/kadm5/srv/svr_principal.c ++++ b/src/lib/kadm5/srv/svr_principal.c +@@ -331,6 +331,20 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask, + *passptr = NULL; + } + ++/* Return the number of keys with the newest kvno. Assumes that all key data ++ * with the newest kvno are at the front of the key data array. */ ++static int ++count_new_keys(int n_key_data, krb5_key_data *key_data) ++{ ++ int n; ++ ++ for (n = 1; n < n_key_data; n++) { ++ if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno) ++ return n; ++ } ++ return n_key_data; ++} ++ + kadm5_ret_t + kadm5_create_principal(void *server_handle, + kadm5_principal_ent_t entry, long mask, +@@ -1693,7 +1707,7 @@ kadm5_randkey_principal_3(void *server_handle, + osa_princ_ent_rec adb; + krb5_int32 now; + kadm5_policy_ent_rec pol; +- int ret, last_pwd, have_pol = 0; ++ int ret, last_pwd, n_new_keys, have_pol = 0; + kadm5_server_handle_t handle = server_handle; + krb5_keyblock *act_mkey; + int new_n_ks_tuple = 0; +@@ -1781,8 +1795,9 @@ kadm5_randkey_principal_3(void *server_handle, + kdb->fail_auth_count = 0; + + if (keyblocks) { +- ret = decrypt_key_data(handle->context, +- kdb->n_key_data, kdb->key_data, ++ /* Return only the new keys added by krb5_dbe_crk. */ ++ n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data); ++ ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data, + keyblocks, n_keys); + if (ret) + goto done; diff --git a/source/lib-extra/krb5/CVE-2014-5351.patch b/source/lib-extra/krb5/CVE-2014-5351.patch new file mode 100644 index 0000000..46b21da --- /dev/null +++ b/source/lib-extra/krb5/CVE-2014-5351.patch @@ -0,0 +1,90 @@ +# from wget 'https://github.com/krb5/krb5/commit/3bf9e33f9d66c0eef486cbd83f9e4f13a74d12c3.patch' +From 3bf9e33f9d66c0eef486cbd83f9e4f13a74d12c3 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <[email protected]> +Date: Thu, 21 Aug 2014 13:52:07 -0400 +Subject: [PATCH] Return only new keys in randkey [CVE-2014-5351] + +In kadmind's randkey operation, if a client specifies the keepold +flag, do not include the preserved old keys in the response. + +CVE-2014-5351: + +An authenticated remote attacker can retrieve the current keys for a +service principal when generating a new set of keys for that +principal. The attacker needs to be authenticated as a user who has +the elevated privilege for randomizing the keys of other principals. + +Normally, when a Kerberos administrator randomizes the keys of a +service principal, kadmind returns only the new keys. This prevents +an administrator who lacks legitimate privileged access to a service +from forging tickets to authenticate to that service. If the +"keepold" flag to the kadmin randkey RPC operation is true, kadmind +retains the old keys in the KDC database as intended, but also +unexpectedly returns the old keys to the client, which exposes the +service to ticket forgery attacks from the administrator. + +A mitigating factor is that legitimate clients of the affected service +will start failing to authenticate to the service once they begin to +receive service tickets encrypted in the new keys. The affected +service will be unable to decrypt the newly issued tickets, possibly +alerting the legitimate administrator of the affected service. + +CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C + +[[email protected]: CVE description and CVSS score] + +(cherry picked from commit af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca) + +ticket: 8018 +version_fixed: 1.13 +status: resolved +--- + src/lib/kadm5/srv/svr_principal.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c +index 5d358bd..d4e74cc 100644 +--- krb5-1.11.3/src/lib/kadm5/srv/svr_principal.c ++++ krb5-1.11.3/src/lib/kadm5/srv/svr_principal.c +@@ -344,6 +344,20 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask, + *passptr = NULL; + } + ++/* Return the number of keys with the newest kvno. Assumes that all key data ++ * with the newest kvno are at the front of the key data array. */ ++static int ++count_new_keys(int n_key_data, krb5_key_data *key_data) ++{ ++ int n; ++ ++ for (n = 1; n < n_key_data; n++) { ++ if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno) ++ return n; ++ } ++ return n_key_data; ++} ++ + kadm5_ret_t + kadm5_create_principal(void *server_handle, + kadm5_principal_ent_t entry, long mask, +@@ -1593,7 +1607,7 @@ kadm5_randkey_principal_3(void *server_handle, + osa_princ_ent_rec adb; + krb5_int32 now; + kadm5_policy_ent_rec pol; +- int ret, last_pwd; ++ int ret, last_pwd, n_new_keys; + krb5_boolean have_pol = FALSE; + kadm5_server_handle_t handle = server_handle; + krb5_keyblock *act_mkey; +@@ -1686,8 +1700,9 @@ kadm5_randkey_principal_3(void *server_handle, + kdb->fail_auth_count = 0; + + if (keyblocks) { +- ret = decrypt_key_data(handle->context, +- kdb->n_key_data, kdb->key_data, ++ /* Return only the new keys added by krb5_dbe_crk. */ ++ n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data); ++ ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data, + keyblocks, n_keys); + if (ret) + goto done; diff --git a/source/lib-extra/krb5/FrugalBuild b/source/lib-extra/krb5/FrugalBuild index 0811dd2..d406419 100644 --- a/source/lib-extra/krb5/FrugalBuild +++ b/source/lib-extra/krb5/FrugalBuild @@ -3,7 +3,7 @@ pkgname=krb5 pkgver=1.10.1 -pkgrel=2arcturus1 +pkgrel=2arcturus2 pkgdesc="Kerberos: The Network Authentication Protocol" url="http://web.mit.edu/kerberos/"; license="MIT licence" @@ -27,12 +27,13 @@ subarchs=('i686 x86_64 arm') # FSA fix *** source=(${source[@]} CVE-2014-4341-4342.patch CVE-2014-4343.patch CVE-2014-4344.patch CVE-2014-4345.patch - gcc47fix.patch) + gcc47fix.patch CVE-2014-5351-arcturus.patch) sha1sums=(${sha1sums[@]} 'f6c18abd4d1c98af1090b2ae898e4c0f8920f3ad' \ '2f3bd4fdd0f7f2be4c594e18e06bb9e328ae313d' \ '73f008acdeacb3fc2ae27aff0c83ffc1548024cd' \ 'c0ccb48f104a4be55f332c59462e5349804e318b' \ - '5f7fab402a03a63ff5e80ecfdb72cfbd13346f50') + '5f7fab402a03a63ff5e80ecfdb72cfbd13346f50' \ + '6d63a7dfc5114591fcce06eaabf498bdb8431ff4') # *********** _______________________________________________ Frugalware-git mailing list [email protected] http://frugalware.org/mailman/listinfo/frugalware-git
