aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeonardo Arena <rnalrd@alpinelinux.org>2019-01-07 07:52:08 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-01-07 08:03:07 +0000
commit5cfdd452b362cbbfe18efc625b108a7e89d86765 (patch)
tree89ad1132313854324b2329bd6745a07d75883297
parent27c4e5a614c7b015c0329794016f392591b4319c (diff)
downloadaports-5cfdd452b362cbbfe18efc625b108a7e89d86765.tar.gz
aports-5cfdd452b362cbbfe18efc625b108a7e89d86765.tar.bz2
aports-5cfdd452b362cbbfe18efc625b108a7e89d86765.tar.xz
main/krb5: upgrade to 1.15.4, security fix for CVE-2018-20217
Fixes #9804
-rw-r--r--main/krb5/APKBUILD21
-rw-r--r--main/krb5/CVE-2018-20217.patch72
2 files changed, 84 insertions, 9 deletions
diff --git a/main/krb5/APKBUILD b/main/krb5/APKBUILD
index 525d220cf1..4e349dba9f 100644
--- a/main/krb5/APKBUILD
+++ b/main/krb5/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=krb5
-pkgver=1.15.3
+pkgver=1.15.4
pkgrel=0
case $pkgver in
@@ -22,19 +22,21 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-server
source="http://web.mit.edu/kerberos/dist/krb5/${_ver}/krb5-$pkgver.tar.gz
mit-krb5_krb5-config_LDFLAGS.patch
libressl.patch
+ CVE-2018-20217.patch
krb5kadmind.initd
krb5kdc.initd
krb5kpropd.initd
"
-
-_builddir="$srcdir"/krb5-$pkgver
+builddir="$srcdir"/krb5-$pkgver
# secfixes:
+# 1.15.4-r0:
+# - CVE-2018-20217
# 1.15.3-r0:
-# - CVE-2017-15088
-# - CVE-2018-5709
-# - CVE-2018-5710
+# - CVE-2017-15088
+# - CVE-2018-5709
+# - CVE-2018-5710
unpack() {
default_unpack
@@ -43,7 +45,7 @@ unpack() {
}
build() {
- cd "$_builddir"/src
+ cd "$builddir"/src
./configure \
CPPFLAGS="$CPPFLAGS -fPIC -I/usr/include/et" \
WARN_CFLAGS= \
@@ -63,7 +65,7 @@ build() {
}
package() {
- cd "$_builddir"/src
+ cd "$builddir"/src
make install DESTDIR="$pkgdir"
mkdir -p "$pkgdir"/usr/share/doc/$pkgname
mv "$pkgdir"/usr/share/examples "$pkgdir"/usr/share/doc/$pkgname/
@@ -112,9 +114,10 @@ libs() {
mkdir -p "$subpkgdir"/usr/
mv "$pkgdir"/usr/lib "$subpkgdir"/usr/
}
-sha512sums="68ef90ffe96392a4957747d99b880f17b23f66c7b6c4c66b0b321af08f7f54645a17d6e70f533e8681132b565f72f36fefde4fb1dcd48fb663a9feb1af697637 krb5-1.15.3.tar.gz
+sha512sums="b15885595a50d01b85d27c7084a43de905d0f891cc280aca58f437d69da07181687f06041a686b68c77a48be55247418e49a15b8371a87e0947139bf06bef4a6 krb5-1.15.4.tar.gz
5a3782ff17b383f8cd0415fd13538ab56afd788130d6ad640e9f2682b7deaae7f25713ce358058ed771091040dccf62a3bc87e6fd473d505ec189a95debcc801 mit-krb5_krb5-config_LDFLAGS.patch
1bcfd92f610ccee6edeb22d3cfef1388ed52f999eb976f158e7be3e4d65394ceb82d915f232e4fa1f365cd35814e4a97a657d70b6d9d64c1f8c08541adcdcc23 libressl.patch
+30891c26b191ced94956bea869996a78147f4b87fb9bb511790bf20ff9a04fe5075e3584e03b19206327b954a2ad630b4f90cd443d5855481d521c640fe9d125 CVE-2018-20217.patch
43b9885b7eb8d0d60920def688de482f2b1701288f9acb1bb21dc76b2395428ff304961959eb04ba5eafd0412bae35668d6d2c8223424b9337bc051eadf51682 krb5kadmind.initd
ede15f15bbbc9d0227235067abe15245bb9713aea260d397379c63275ce74aea0db6c91c15d599e40c6e89612d76f3a0f8fdd21cbafa3f30d426d4310d3e2cec krb5kdc.initd
45be0d421efd41e9dd056125a750c90856586e990317456b68170d733b03cba9ecd18ab87603b20e49575e7839fb4a6d628255533f2631f9e8ddb7f3cc493a90 krb5kpropd.initd"
diff --git a/main/krb5/CVE-2018-20217.patch b/main/krb5/CVE-2018-20217.patch
new file mode 100644
index 0000000000..80f2d55058
--- /dev/null
+++ b/main/krb5/CVE-2018-20217.patch
@@ -0,0 +1,72 @@
+From 5e6d1796106df8ba6bc1973ee0917c170d929086 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Mon, 3 Dec 2018 02:33:07 +0200
+Subject: [PATCH] Ignore password attributes for S4U2Self requests
+
+For consistency with Windows KDCs, allow protocol transition to work
+even if the password has expired or needs changing.
+
+Also, when looking up an enterprise principal with an AS request,
+treat ERR_KEY_EXP as confirmation that the client is present in the
+realm.
+
+[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited
+commit message]
+
+ticket: 8763 (new)
+tags: pullup
+target_version: 1.17
+---
+ src/kdc/kdc_util.c | 5 +++++
+ src/lib/krb5/krb/s4u_creds.c | 2 +-
+ src/tests/gssapi/t_s4u.py | 8 ++++++++
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 6d53173fb0..6517a213cd 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -1607,6 +1607,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
+
+ memset(&no_server, 0, sizeof(no_server));
+
++ /* Ignore password expiration and needchange attributes (as Windows
++ * does), since S4U2Self is not password authentication. */
++ princ->pw_expiration = 0;
++ clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE);
++
+ code = validate_as_request(kdc_active_realm, request, *princ,
+ no_server, kdc_time, status, &e_data);
+ if (code) {
+diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
+index d2fdcb3f16..614ed41908 100644
+--- a/src/lib/krb5/krb/s4u_creds.c
++++ b/src/lib/krb5/krb/s4u_creds.c
+@@ -116,7 +116,7 @@ s4u_identify_user(krb5_context context,
+ code = k5_get_init_creds(context, &creds, &client, NULL, NULL, 0, NULL,
+ opts, krb5_get_as_key_noop, &userid, &use_master,
+ NULL);
+- if (code == 0 || code == KRB5_PREAUTH_FAILED) {
++ if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) {
+ *canon_user = userid.user;
+ userid.user = NULL;
+ code = 0;
+diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
+index fd29e1a270..84f3fbd752 100755
+--- a/src/tests/gssapi/t_s4u.py
++++ b/src/tests/gssapi/t_s4u.py
+@@ -19,6 +19,14 @@
+ # Get forwardable creds for service1 in the default cache.
+ realm.kinit(service1, None, ['-f', '-k'])
+
++# Try S4U2Self for user with a restricted password.
++realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ])
++realm.run(['./t_s4u', 'e:user', '-'])
++realm.run([kadminl, 'modprinc', '-needchange',
++ '-pwexpire', '1/1/2000', realm.user_princ])
++realm.run(['./t_s4u', 'e:user', '-'])
++realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ])
++
+ # Try krb5 -> S4U2Proxy with forwardable user creds. This should fail
+ # at the S4U2Proxy step since the DB2 back end currently has no
+ # support for allowing it.