authorNatanael Copa <ncopa@alpinelinux.org>2020-11-24 10:03:52 +0100
committerNatanael Copa <ncopa@alpinelinux.org>2020-11-24 10:03:52 +0100
commit9670eff0ec67c885b695061cd70049aa65e4387c (patch)
tree1ec2856518887ce707cfce29aa60a43daaf0e30c
parentff1e3a24e22b77bb2bee283a1acede5b86a8007f (diff)
main/krb5: backport security fix for CVE-2020-28196
Fixes #12121. Also remove the obsolete patch.
-rw-r--r--main/krb5/APKBUILD6
-rw-r--r--main/krb5/CVE-2018-20217.patch72
-rw-r--r--main/krb5/CVE-2020-28196.patch100
3 files changed, 105 insertions, 73 deletions
diff --git a/main/krb5/APKBUILD b/main/krb5/APKBUILD
index a07d7c4106..595c44a0b7 100644
--- a/main/krb5/APKBUILD
+++ b/main/krb5/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=krb5
pkgver=1.15.5
-pkgrel=0
+pkgrel=1
case $pkgver in
*.*.*) _ver=${pkgver%.*};;
@@ -21,6 +21,7 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-server
$pkgname-server-ldap:ldap $pkgname-pkinit $pkgname-libs"
source="https://web.mit.edu/kerberos/dist/krb5/${_ver}/krb5-$pkgver.tar.gz
mit-krb5_krb5-config_LDFLAGS.patch
+ CVE-2020-28196.patch
krb5kadmind.initd
krb5kdc.initd
@@ -29,6 +30,8 @@ source="https://web.mit.edu/kerberos/dist/krb5/${_ver}/krb5-$pkgver.tar.gz
builddir="$srcdir"/krb5-$pkgver
# secfixes:
+# 1.15.5-r1:
+# - CVE-2020-28196
# 1.15.4-r0:
# - CVE-2018-20217
# 1.15.3-r0:
@@ -114,6 +117,7 @@ libs() {
}
sha512sums="cf2c5764a081acc44c416108da40f76dafa5c764d1fb842cba1736942999548962a57c64e67924a409c068b1b8ed824f17857ea9a34594724f70903e555505b5 krb5-1.15.5.tar.gz
5a3782ff17b383f8cd0415fd13538ab56afd788130d6ad640e9f2682b7deaae7f25713ce358058ed771091040dccf62a3bc87e6fd473d505ec189a95debcc801 mit-krb5_krb5-config_LDFLAGS.patch
+d7b4b55f01f8e70c0b1c9390ba1753d590253ac9ab39aaf22da15b6169506d019923837bb18d856b0c4508afc9c387180068dfe0c6847d6bd7d0970b34769a97 CVE-2020-28196.patch
43b9885b7eb8d0d60920def688de482f2b1701288f9acb1bb21dc76b2395428ff304961959eb04ba5eafd0412bae35668d6d2c8223424b9337bc051eadf51682 krb5kadmind.initd
ede15f15bbbc9d0227235067abe15245bb9713aea260d397379c63275ce74aea0db6c91c15d599e40c6e89612d76f3a0f8fdd21cbafa3f30d426d4310d3e2cec krb5kdc.initd
45be0d421efd41e9dd056125a750c90856586e990317456b68170d733b03cba9ecd18ab87603b20e49575e7839fb4a6d628255533f2631f9e8ddb7f3cc493a90 krb5kpropd.initd"
diff --git a/main/krb5/CVE-2018-20217.patch b/main/krb5/CVE-2018-20217.patch
deleted file mode 100644
index 80f2d55058..0000000000
--- a/main/krb5/CVE-2018-20217.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 5e6d1796106df8ba6bc1973ee0917c170d929086 Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Mon, 3 Dec 2018 02:33:07 +0200
-Subject: [PATCH] Ignore password attributes for S4U2Self requests
-
-For consistency with Windows KDCs, allow protocol transition to work
-even if the password has expired or needs changing.
-
-Also, when looking up an enterprise principal with an AS request,
-treat ERR_KEY_EXP as confirmation that the client is present in the
-realm.
-
-[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited
-commit message]
-
-ticket: 8763 (new)
-tags: pullup
-target_version: 1.17
----
- src/kdc/kdc_util.c | 5 +++++
- src/lib/krb5/krb/s4u_creds.c | 2 +-
- src/tests/gssapi/t_s4u.py | 8 ++++++++
- 3 files changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
-index 6d53173fb0..6517a213cd 100644
---- a/src/kdc/kdc_util.c
-+++ b/src/kdc/kdc_util.c
-@@ -1607,6 +1607,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
-
- memset(&no_server, 0, sizeof(no_server));
-
-+ /* Ignore password expiration and needchange attributes (as Windows
-+ * does), since S4U2Self is not password authentication. */
-+ princ->pw_expiration = 0;
-+ clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE);
-+
- code = validate_as_request(kdc_active_realm, request, *princ,
- no_server, kdc_time, status, &e_data);
- if (code) {
-diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
-index d2fdcb3f16..614ed41908 100644
---- a/src/lib/krb5/krb/s4u_creds.c
-+++ b/src/lib/krb5/krb/s4u_creds.c
-@@ -116,7 +116,7 @@ s4u_identify_user(krb5_context context,
- code = k5_get_init_creds(context, &creds, &client, NULL, NULL, 0, NULL,
- opts, krb5_get_as_key_noop, &userid, &use_master,
- NULL);
-- if (code == 0 || code == KRB5_PREAUTH_FAILED) {
-+ if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) {
- *canon_user = userid.user;
- userid.user = NULL;
- code = 0;
-diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
-index fd29e1a270..84f3fbd752 100755
---- a/src/tests/gssapi/t_s4u.py
-+++ b/src/tests/gssapi/t_s4u.py
-@@ -19,6 +19,14 @@
- # Get forwardable creds for service1 in the default cache.
- realm.kinit(service1, None, ['-f', '-k'])
-
-+# Try S4U2Self for user with a restricted password.
-+realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ])
-+realm.run(['./t_s4u', 'e:user', '-'])
-+realm.run([kadminl, 'modprinc', '-needchange',
-+ '-pwexpire', '1/1/2000', realm.user_princ])
-+realm.run(['./t_s4u', 'e:user', '-'])
-+realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ])
-+
- # Try krb5 -> S4U2Proxy with forwardable user creds. This should fail
- # at the S4U2Proxy step since the DB2 back end currently has no
- # support for allowing it.
diff --git a/main/krb5/CVE-2020-28196.patch b/main/krb5/CVE-2020-28196.patch
new file mode 100644
index 0000000000..4d6b423838
--- /dev/null
+++ b/main/krb5/CVE-2020-28196.patch
@@ -0,0 +1,100 @@
+From 2289312180a5162114037df8eaa4f4f990d67447 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Sat, 31 Oct 2020 17:07:05 -0400
+Subject: [PATCH] Add recursion limit for ASN.1 indefinite lengths
+
+The libkrb5 ASN.1 decoder supports BER indefinite lengths. It
+computes the tag length using recursion; the lack of a recursion limit
+allows an attacker to overrun the stack and cause the process to
+crash. Reported by Demi Obenour.
+
+CVE-2020-28196:
+
+In MIT krb5 releases 1.11 and later, an unauthenticated attacker can
+cause a denial of service for any client or server to which it can
+send an ASN.1-encoded Kerberos message of sufficient length.
+
+ticket: 8959 (new)
+tags: pullup
+target_version: 1.18-next
+target_version: 1.17-next
+
+(cherry picked from commit 57415dda6cf04e73ffc3723be518eddfae599bfd)
+---
+ src/lib/krb5/asn.1/asn1_encode.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c
+index a7423b642..8c0cda852 100644
+--- a/src/lib/krb5/asn.1/asn1_encode.c
++++ b/src/lib/krb5/asn.1/asn1_encode.c
+@@ -393,7 +393,7 @@ make_tag(asn1buf *buf, const taginfo *t, size_t len, size_t *retlen)
+ static asn1_error_code
+ get_tag(const unsigned char *asn1, size_t len, taginfo *tag_out,
+ const unsigned char **contents_out, size_t *clen_out,
+- const unsigned char **remainder_out, size_t *rlen_out)
++ const unsigned char **remainder_out, size_t *rlen_out, int recursion)
+ {
+ asn1_error_code ret;
+ unsigned char o;
+@@ -431,9 +431,11 @@ get_tag(const unsigned char *asn1, size_t len, taginfo *tag_out,
+ /* Indefinite form (should not be present in DER, but we accept it). */
+ if (tag_out->construction != CONSTRUCTED)
+ return ASN1_MISMATCH_INDEF;
++ if (recursion >= 32)
++ return ASN1_OVERFLOW;
+ p = asn1;
+ while (!(len >= 2 && p[0] == 0 && p[1] == 0)) {
+- ret = get_tag(p, len, &t, &c, &clen, &p, &len);
++ ret = get_tag(p, len, &t, &c, &clen, &p, &len, recursion + 1);
+ if (ret)
+ return ret;
+ }
+@@ -652,7 +654,7 @@ split_der(asn1buf *buf, unsigned char *const *der, size_t len,
+ const unsigned char *contents, *remainder;
+ size_t clen, rlen;
+
+- ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen);
++ ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen, 0);
+ if (ret)
+ return ret;
+ if (rlen != 0)
+@@ -1259,7 +1261,7 @@ decode_atype(const taginfo *t, const unsigned char *asn1,
+ const unsigned char *rem;
+ size_t rlen;
+ if (!tag->implicit) {
+- ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen);
++ ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen, 0);
+ if (ret)
+ return ret;
+ /* Note: we don't check rlen (it should be 0). */
+@@ -1481,7 +1483,7 @@ decode_sequence(const unsigned char *asn1, size_t len,
+ for (i = 0; i < seq->n_fields; i++) {
+ if (len == 0)
+ break;
+- ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len);
++ ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0);
+ if (ret)
+ goto error;
+ /*
+@@ -1539,7 +1541,7 @@ decode_sequence_of(const unsigned char *asn1, size_t len,
+ *seq_out = NULL;
+ *count_out = 0;
+ while (len > 0) {
+- ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len);
++ ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0);
+ if (ret)
+ goto error;
+ if (!check_atype_tag(elemtype, &t)) {
+@@ -1625,7 +1627,7 @@ k5_asn1_full_decode(const krb5_data *code, const struct atype_info *a,
+
+ *retrep = NULL;
+ ret = get_tag((unsigned char *)code->data, code->length, &t, &contents,
+- &clen, &remainder, &rlen);
++ &clen, &remainder, &rlen, 0);
+ if (ret)
+ return ret;
+ /* rlen should be 0, but we don't check it (and due to padding in
+--
+2.20.4
+
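Review bot: The new guard `if (recursion >= 32)` that closes the self-recursion at `get_tag(p, len, &t, &c, &clen, &p, &len, recursion + 1)` uses a bare magic number with no comment saying what 32 bounds or why that depth was chosen; since this file is a verbatim upstream cherry-pick (2289312180a5) I would keep its code byte-identical for traceability, but the patch header or the APKBUILD secfixes comment could carry one line such as `# 32 caps nesting of BER indefinite-length tags; each level costs one get_tag stack frame` so the value is understood when the package is next rebased. Every other call site the patch touches (split_der, decode_atype, decode_sequence, decode_sequence_of, k5_asn1_full_decode) passes `0`, so the cap applies to indefinite-length nesting inside a single get_tag scan rather than to the decoder's overall depth; that appears intended, because the recursive call at the indefinite-length loop is the only self-recursion visible here, but it should be confirmed against the rest of get_tag, whose body begins and ends outside this hunk. Reusing ASN1_OVERFLOW for depth exhaustion keeps the error set unchanged, which is appropriate for a backport, though a reader of the limit check alone cannot tell it from a length overflow.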