On 2017-08-30 17:40, Martin Jansa wrote:
done

Thanks.

--Kai


On Wed, Aug 30, 2017 at 11:30 AM, Kang Kai <kai.k...@windriver.com> wrote:

    On 2017-08-28 21:59, kai.k...@windriver.com wrote:

        From: Kai Kang <kai.k...@windriver.com>

        Issue: CVE-2017-11368

        Backport patch to fix CVE-2017-11368 for krb5.

        (LOCAL REV: NOT UPSTREAM) -- Send to oe-devel on 20170828


    Hi Martin,

    Oops. I forgot to remove the inner information in the commit message.

    Should I send V2 to remove the following 2 lines?

    Issue: CVE-2017-11368

    (LOCAL REV: NOT UPSTREAM) -- Send to oe-devel on 20170828


    Sorry for the inconvenience.


    --Kai



        Signed-off-by: Kai Kang <kai.k...@windriver.com>
        ---
          .../krb5/krb5/fix-CVE-2017-11368.patch    | 116 +++++++++++++++++++++
          meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb  |   1 +
          2 files changed, 117 insertions(+)
          create mode 100644 meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch

        diff --git
        a/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
        b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
        new file mode 100644
        index 000000000..a2eb7bc02
        --- /dev/null
        +++
        b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
        @@ -0,0 +1,116 @@
        +Upstream-Status: Backport
        
[https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970
        
<https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970>]
        +
        +Backport patch to fix CVE-2017-11368.
        +
        +Signed-off-by: Kai Kang <kai.k...@windriver.com
        <mailto:kai.k...@windriver.com>>
        +---
        +From ffb35baac6981f9e8914f8f3bffd37f284b85970 Mon Sep 17
        00:00:00 2001
        +From: Greg Hudson <ghud...@mit.edu <mailto:ghud...@mit.edu>>
        +Date: Thu, 13 Jul 2017 12:14:20 -0400
        +Subject: [PATCH] Prevent KDC unset status assertion failures
        +
        +Assign status values if S4U2Self padata fails to decode, if an
        +S4U2Proxy request uses invalid KDC options, or if an
        S4U2Proxy request
        +uses an evidence ticket which does not match the
        canonicalized request
        +server principal name.  Reported by Samuel Cabrero.
        +
        +If a status value is not assigned during KDC processing,
        default to
        +"UNKNOWN_REASON" rather than failing an assertion. This
        change will
        +prevent future denial of service bugs due to similar
        mistakes, and
        +will allow us to omit assigning status values for unlikely
        errors such
        +as small memory allocation failures.
        +
        +CVE-2017-11368:
        +
        +In MIT krb5 1.7 and later, an authenticated attacker can cause an
        +assertion failure in krb5kdc by sending an invalid S4U2Self or
        +S4U2Proxy request.
        +
        +  CVSSv3 Vector:
        AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
        +
        +ticket: 8599 (new)
        +target_version: 1.15-next
        +target_version: 1.14-next
        +tags: pullup
        +---
        + src/kdc/do_as_req.c  |  4 ++--
        + src/kdc/do_tgs_req.c |  3 ++-
        + src/kdc/kdc_util.c   | 10 ++++++++--
        + 3 files changed, 12 insertions(+), 5 deletions(-)
        +
        +diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
        +index 2d3ad13..9b256c8 100644
        +--- a/src/kdc/do_as_req.c
        ++++ b/src/kdc/do_as_req.c
        +@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state
        *state, krb5_error_code errcode)
        +     did_log = 1;
        +
        + egress:
        +-    if (errcode != 0)
        +-        assert (state->status != 0);
        ++    if (errcode != 0 && state->status == NULL)
        ++        state->status = "UNKNOWN_REASON";
        +
        +     au_state->status = state->status;
        +     au_state->reply = &state->reply;
        +diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
        +index cdc79ad..d8d6719 100644
        +--- a/src/kdc/do_tgs_req.c
        ++++ b/src/kdc/do_tgs_req.c
        +@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle
        *handle, krb5_data *pkt,
        +     free(reply.enc_part.ciphertext.data);
        +
        + cleanup:
        +-    assert(status != NULL);
        ++    if (status == NULL)
        ++        status = "UNKNOWN_REASON";
        +     if (reply_key)
        +         krb5_free_keyblock(kdc_context, reply_key);
        +     if (errcode)
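
Review bot: the fallback in process_tgs_req() at the cleanup label is applied unconditionally (`if (status == NULL)`), while the matching fallback in finish_process_as_req() is guarded by `errcode != 0`, and the literal "UNKNOWN_REASON" is written out separately in both files. Each form mirrors the assert it replaces, but a one-line comment at both sites explaining the difference, and a single shared definition of the string, would keep the two paths from drifting. It is also worth noting for operators that an "UNKNOWN_REASON" status in the KDC log now marks a code path that never assigned a status, which previously would have aborted krb5kdc.
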
        +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
        +index 778a629..b710aef 100644
        +--- a/src/kdc/kdc_util.c
        ++++ b/src/kdc/kdc_util.c
        +@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t
        *kdc_active_realm,
        +     req_data.data = (char *)pa_data->contents;
        +
        +     code = decode_krb5_pa_for_user(&req_data, &for_user);
        +-    if (code)
        ++    if (code) {
        ++        *status = "DECODE_PA_FOR_USER";
        +         return code;
        ++    }
        +
        +     code = verify_for_user_checksum(kdc_context,
        tgs_session, for_user);
        +     if (code) {
        +@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context
        context,
        +     req_data.data = (char *)pa_data->contents;
        +
        +     code = decode_krb5_pa_s4u_x509_user(&req_data,
        s4u_x509_user);
        +-    if (code)
        ++    if (code) {
        ++        *status = "DECODE_PA_S4U_X509_USER";
        +         return code;
        ++    }
        +
        +     code = verify_s4u_x509_user_checksum(context,
        +                                          tgs_subkey ?
        tgs_subkey :
        +@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t
        *kdc_active_realm,
        +      * that is validated previously in validate_tgs_request().
        +      */
        +     if (request->kdc_options & (NON_TGT_OPTION |
        KDC_OPT_ENC_TKT_IN_SKEY)) {
        ++        *status = "INVALID_S4U2PROXY_OPTIONS";
        +         return KRB5KDC_ERR_BADOPTION;
        +     }
        +
        +@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t
        *kdc_active_realm,
        +     if (!krb5_principal_compare(kdc_context,
        +                                 server->princ, /* after canon */
        +                                 server_princ)) {
        ++        *status = "EVIDENCE_TICKET_MISMATCH";
        +         return KRB5KDC_ERR_SERVER_NOMATCH;
        +     }
        +
        +--
        +2.10.1
        +
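
Review bot: the header of fix-CVE-2017-11368.patch carries Upstream-Status and Signed-off-by lines but no `CVE: CVE-2017-11368` tag line, which the OpenEmbedded patch guidelines ask for on patches that fix a CVE. The identifier currently appears only in the file name and in the free-text description. Suggest adding the tag line next to Upstream-Status, and keeping the Upstream-Status value and its bracketed commit URL on one line.
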
        diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
        <http://krb5_1.15.1.bb>
        b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
        <http://krb5_1.15.1.bb>
        index 1de884d03..b515eb5dc 100644
        --- a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
        <http://krb5_1.15.1.bb>
        +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
        <http://krb5_1.15.1.bb>
        @@ -30,6 +30,7 @@ SRC_URI =
        "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz
        
<http://web.mit.edu/kerberos/dist/$%7BBPN%7D/$%7BSHRT_VER%7D/$%7BBP%7D.tar.gz>
        \
                     file://etc/default/krb5-admin-server \
                     file://krb5-kdc.service \
                     file://krb5-admin-server.service \
        +           file://fix-CVE-2017-11368.patch;striplevel=2 \
          "
          SRC_URI[md5sum] = "8022f3a1cde8463e44fd35ef42731f85"
          SRC_URI[sha256sum] =
        "437c8831ddd5fde2a993fef425dedb48468109bb3d3261ef838295045a89eb45"
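
Review bot: `striplevel=2` on the added SRC_URI entry strips `a/src/` from the patch's `a/src/kdc/...` paths, so the patch applies only if the recipe's S points at the tarball's src directory, which this hunk does not show. Please confirm that against the recipe and say so in the commit message, so a later change to S does not silently stop this CVE fix from applying.
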



    --
    Regards,
    Neil | Kai Kang



--
Regards,
Neil | Kai Kang

--
_______________________________________________
Openembedded-devel mailing list
Openembedded-devel@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-devel
