author | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-10-14 14:46:07 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-10-14 14:48:23 +0000 |
commit | d6cac5661df8d1c9fa2cdae9942cd6f274712d7f (patch) | |
tree | f822c46c9c9f602af71b773786a812ee7d166d5a | |
parent | 716fb7870a1867cea94cca60f29602002a6f6f21 (diff) | |
main/krb5: security upgrade to 1.13.6 (CVE-2016-3120). Fixes #6161
(cherry picked from commit 291bdb084aa8137594ea6e32a91d1006ae0152a0)
-rw-r--r-- | main/krb5/APKBUILD | 56 | ||||
-rw-r--r-- | main/krb5/CVE-2015-2695.patch | 564 | ||||
-rw-r--r-- | main/krb5/CVE-2015-2696.patch | 731 | ||||
-rw-r--r-- | main/krb5/CVE-2015-2697.patch | 50 | ||||
-rw-r--r-- | main/krb5/CVE-2015-2698.patch | 128 | ||||
-rw-r--r-- | main/krb5/CVE-2015-8629.patch | 45 | ||||
-rw-r--r-- | main/krb5/CVE-2015-8630.patch | 75 | ||||
-rw-r--r-- | main/krb5/CVE-2015-8631.patch | 570 | ||||
-rw-r--r-- | main/krb5/CVE-2016-3119.patch | 38 | ||||
-rw-r--r-- | main/krb5/Fix-SPNEGO-context-import.patch | 65 | ||||
-rw-r--r-- | main/krb5/Fix-two-IAKERB-comments.patch | 40 |
11 files changed, 10 insertions, 2352 deletions
diff --git a/main/krb5/APKBUILD b/main/krb5/APKBUILD
index 9731da4fd5..a6bf72123e 100644
--- a/main/krb5/APKBUILD
+++ b/main/krb5/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=krb5
-pkgver=1.13.2
-pkgrel=1
+pkgver=1.13.6
+pkgrel=0
 case $pkgver in
 *.*.*) _ver=${pkgver%.*};;
@@ -20,23 +20,17 @@ install=""
 options="suid"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-server $pkgname-server-ldap:ldap $pkgname-pkinit $pkgname-libs"
-source="http://web.mit.edu/kerberos/dist/krb5/${_ver}/krb5-$pkgver-signed.tar
-	CVE-2015-2695.patch
-	CVE-2015-2696.patch
-	CVE-2015-2697.patch
-	Fix-two-IAKERB-comments.patch
-	CVE-2015-2698.patch
-	Fix-SPNEGO-context-import.patch
-	CVE-2015-8629.patch
-	CVE-2015-8630.patch
-	CVE-2015-8631.patch
-	CVE-2016-3119.patch
+source="http://web.mit.edu/kerberos/dist/krb5/${_ver}/krb5-$pkgver.tar.gz
 	krb5kadmind.initd
 	krb5kdc.initd
 	krb5kpropd.initd
 	"
+# secfixes:
+# 1.13.6-r0:
+# - CVE-2016-3120
+
 _builddir="$srcdir"/krb5-$pkgver
 unpack() {
 	default_unpack
@@ -126,45 +120,15 @@ libs() {
 	mkdir -p "$subpkgdir"/usr/
 	mv "$pkgdir"/usr/lib "$subpkgdir"/usr/ || return 1
 }
-md5sums="f7ebfa6c99c10b16979ebf9a98343189 krb5-1.13.2-signed.tar
-ca73fdd31a2d5c38993afbed909b5417 CVE-2015-2695.patch
-dc4c2a99b5b8a9bf7b306d614134c267 CVE-2015-2696.patch
-a2369d91ccef67f093af594d941ebc11 CVE-2015-2697.patch
-64fda4ee2a108258f23ecd7a592234a6 Fix-two-IAKERB-comments.patch
-c071b4321118cd0ca262de0af87262ab CVE-2015-2698.patch
-fc1b1bab6d738ec9b21481958d203ea7 Fix-SPNEGO-context-import.patch
-51bfc721a58e4dd28ebcf2f600ff3455 CVE-2015-8629.patch
-f8b6f512f94dcad5bfdc1250beaf2d11 CVE-2015-8630.patch
-380b86bdaa1303a6bc7b0cc3672c3e43 CVE-2015-8631.patch
-4c1026deb45e9d6f2daf70198806908b CVE-2016-3119.patch
+md5sums="6164ca9c075b4ecc68eadd6d13040417 krb5-1.13.6.tar.gz
 29906e70e15025dda8b315d8209cab4c krb5kadmind.initd
 47efe7f24c98316d38ea46ad629b3517 krb5kdc.initd
 3e0b8313c1e5bfb7625f35e76a5e53f1 krb5kpropd.initd"
-sha256sums="e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1 krb5-1.13.2-signed.tar
-b83dd0714f1ab164f6eb50d173bec25bb851c739ed5b1c38b35e7a1910cff25b CVE-2015-2695.patch
-add426d86d31c57dc8e1c1d9043f61c21f2e532e728d1d9c703b2616bf246d7c CVE-2015-2696.patch
-e1d3d6a0dfede9d5a4af83d51c4f5fad13e917e4cb58672ff0ee3e8f34fe0379 CVE-2015-2697.patch
-da0cea010734fa4234ee88d689107349f38767dafe8702075dbf064e5fc1fb46 Fix-two-IAKERB-comments.patch
-f0a15e9805f4d33e6dfa6985aba5fa89727a7be9eb0344bea88a3151999229a5 CVE-2015-2698.patch
-704e47cb9d1d7ab98951f2e56d12b37ca7269bbcb77a642dea3a77d8259b4301 Fix-SPNEGO-context-import.patch
-6c462dfa8202be953d3b9dc2acecb94b3576663caf7a1ceb1275b1dcb6b11171 CVE-2015-8629.patch
-d87154deff5284b1a22d0c31de1b3c6276e4c2a94d7951b3cb31ed1b2ef405da CVE-2015-8630.patch
-7c1860aeba4b0712b1fd0b46ed6acc882f36a5b5b7cbcaa8e496baca65bc881a CVE-2015-8631.patch
-77b1fc7ce4ba5fd6360204e023a8984799b38252d60bac9d988011067b851f78 CVE-2016-3119.patch
+sha256sums="9c0a46b8918237a53916370d2e02298c2b294f55f0351f9404e18930bc26badc krb5-1.13.6.tar.gz
 c7a1ec03472996daaaaf1a4703566113c80f72ee8605d247098a25a13dad1f5f krb5kadmind.initd
 709309dea043aa306c2fcf0960e0993a6db540c220de64cf92d6b85f1cca23c5 krb5kdc.initd
 86b15d691e32b331ac756ee368b7364de6ab238dcae5adfed2a00b57d1b64ef4 krb5kpropd.initd"
-sha512sums="d3f8dde220876bd24703c488122ba8e54ffaa7f8f2c7d325e5d198a4e171248673fc1d5d3c997c6d2e66c314e2b7f4609eb980a789c3556a79458ab4411e61b5 krb5-1.13.2-signed.tar
-4e1499d799bed90b2857d24de29ea3bb7500b514a86c2a8f4596fb80f97f01445b7dd9d0cb19c1cfb1f03f5c6a8e2a2149a6278c720933181db8e188063dcc6a CVE-2015-2695.patch
-d27e836a3e8a1ca6b711c0ce4f9f68cbd42d888cb9dcaf2dcb78fdc9ca7652865c124e14c7026b4e94a722a314a0c30f732cc00344973ee5a180f11901347ed1 CVE-2015-2696.patch
-5f6a630b566c9f0cb02528fca3a789547e294acf5f3435eb62b79411187e4fcaaa58b81eff34e8ac6cbca3dacb076bd626a31687c04936b35bf7ab3e35965a31 CVE-2015-2697.patch
-25be730f6f7457c15e5ebb4862cac87e7aa34807dbbba4054f7909d3f4e471d381f2f6867db5cabcaea2ae4d9a3ca0c6f661e3771f0388a4f8b7720e57d7eee8 Fix-two-IAKERB-comments.patch
-beda374243c5db14f2de5c988443c9b3f4f03dd69e5ac5127851010b52f4d76ed43489f721f04d5443629dfdb2ec2e45b3c87e00b4dcb1ced7594d9864c01544 CVE-2015-2698.patch
-10cd8c4ccc54510db44462860410b7177a3cd6fd245ccbf35b3e8637370fc3f3f88028bbd0055452134816e805330352a627369bd17eafc16418ad8d88feacde Fix-SPNEGO-context-import.patch
-a4791794fc8cd675605ed0f9d39b099b2e83713c7038648529906490c36b1e92739f05ba6f5a1be9923459a01b45ffb04129e23313873fea2fd41c45f7f42f90 CVE-2015-8629.patch
-c91415ff810ea1b3d8ba80d005bc40bb3595be4b7610b69d6c8c97bdcb290c1eb400997ccb091863d558bfb8a4cbb8f00557a690f60c0ada700ba76194960b0a CVE-2015-8630.patch
-59b70cf6aa3f462fe8dab0f02e7f649f9615c5e40ad43517a9b9febd2c5d87b0d38f3e620ad6dd006c9ecbc9a4bbcab39655e518c6d37fbe74f40a888545ae79 CVE-2015-8631.patch
-0c2bdab9b93e48c3f2c06dbd3196bc1e5aad7b9b969c1b43e1147d8885d78206854900a78d32f4a5813bc0e3297e6bfec344f2878025c02be94d9675f04e8268 CVE-2016-3119.patch
+sha512sums="9a12e4dde9bedfecb4ea01aa81b0a58bbb7de2393fa2f3229dc3336b5f729a6cd3c66848b4ff0170c1524174ea25ecc00221f5793d1e7b683f2bf7924196c2be krb5-1.13.6.tar.gz
 561af06b4e0f0e130dda345ad934bcdb9984ec00cc38d871df1d3bb3f9e1c7d86f06db5b03229707c88b96ad324e3a2222420f8494aa431002cacea0246b1153 krb5kadmind.initd
 d6d0076886ce284fc395fafc2dc253b4b3ee97b2986dea51388d96a1e1294680fb171f475efc7844559e2c6aac44b26678a9255921db9a58dcf2e7164f0aeec5 krb5kdc.initd
 f97d33fa977c132a470d95fd539d8e8db018e03f28dbc9d3e04faf78ebb7392196e7d5135f138c2390979bf37b3ae0265e6827f0c17b44b277eb2dfff0a96f77 krb5kpropd.initd"
diff --git a/main/krb5/CVE-2015-2695.patch b/main/krb5/CVE-2015-2695.patch
deleted file mode 100644
index 08bc8ab4bb..0000000000
--- a/main/krb5/CVE-2015-2695.patch
+++ /dev/null
@@ -1,564 +0,0 @@ -From b51b33f2bc5d1497ddf5bd107f791c101695000d Mon Sep 17 00:00:00 2001 -From: Nicolas Williams <nico@twosigma.com> -Date: Mon, 14 Sep 2015 12:27:52 -0400 -Subject: [PATCH] Fix SPNEGO context aliasing bugs [CVE-2015-2695] - -The SPNEGO mechanism currently replaces its context handle with the -mechanism context handle upon establishment, under the assumption that -most GSS functions are only called after context establishment. This -assumption is incorrect, and can lead to aliasing violations for some -programs. Maintain the SPNEGO context structure after context -establishment and refer to it in all GSS methods. Add initiate and -opened flags to the SPNEGO context structure for use in -gss_inquire_context() prior to context establishment. - -CVE-2015-2695: - -In MIT krb5 1.5 and later, applications which call -gss_inquire_context() on a partially-established SPNEGO context can -cause the GSS-API library to read from a pointer using the wrong type, -generally causing a process crash. This bug may go unnoticed, because -the most common SPNEGO authentication scenario establishes the context -after just one call to gss_accept_sec_context(). Java server -applications using the native JGSS provider are vulnerable to this -bug. A carefully crafted SPNEGO packet might allow the -gss_inquire_context() call to succeed with attacker-determined -results, but applications should not make access control decisions -based on gss_inquire_context() results prior to context establishment. 
- - CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C - -[ghudson@mit.edu: several bugfixes, style changes, and edge-case -behavior changes; commit message and CVE description] - -ticket: 8244 -target_version: 1.14 -tags: pullup ---- - src/lib/gssapi/spnego/gssapiP_spnego.h | 2 + - src/lib/gssapi/spnego/spnego_mech.c | 254 ++++++++++++++++++++++++--------- - 2 files changed, 192 insertions(+), 64 deletions(-) - -diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h -index 57372de..5c82764 100644 ---- a/src/lib/gssapi/spnego/gssapiP_spnego.h -+++ b/src/lib/gssapi/spnego/gssapiP_spnego.h -@@ -103,6 +103,8 @@ typedef struct { - int firstpass; - int mech_complete; - int nego_done; -+ int initiate; -+ int opened; - OM_uint32 ctx_flags; - gss_name_t internal_name; - gss_OID actual_mech; -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index ef76e1f..7849c85 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -102,7 +102,7 @@ static OM_uint32 get_negotiable_mechs(OM_uint32 *, spnego_gss_cred_id_t, - gss_cred_usage_t, gss_OID_set *); - static void release_spnego_ctx(spnego_gss_ctx_id_t *); - static void check_spnego_options(spnego_gss_ctx_id_t); --static spnego_gss_ctx_id_t create_spnego_ctx(void); -+static spnego_gss_ctx_id_t create_spnego_ctx(int); - static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf); - static int put_input_token(unsigned char **, gss_buffer_t, unsigned int); - static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int); -@@ -454,7 +454,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx) - } - - static spnego_gss_ctx_id_t --create_spnego_ctx(void) -+create_spnego_ctx(int initiate) - { - spnego_gss_ctx_id_t spnego_ctx = NULL; - spnego_ctx = (spnego_gss_ctx_id_t) -@@ -477,6 +477,8 @@ create_spnego_ctx(void) - spnego_ctx->mic_rcvd = 0; - spnego_ctx->mech_complete = 0; - spnego_ctx->nego_done = 0; 
-+ spnego_ctx->opened = 0; -+ spnego_ctx->initiate = initiate; - spnego_ctx->internal_name = GSS_C_NO_NAME; - spnego_ctx->actual_mech = GSS_C_NO_OID; - -@@ -642,7 +644,7 @@ init_ctx_new(OM_uint32 *minor_status, - OM_uint32 ret; - spnego_gss_ctx_id_t sc = NULL; - -- sc = create_spnego_ctx(); -+ sc = create_spnego_ctx(1); - if (sc == NULL) - return GSS_S_FAILURE; - -@@ -659,10 +661,7 @@ init_ctx_new(OM_uint32 *minor_status, - ret = GSS_S_FAILURE; - goto cleanup; - } -- /* -- * The actual context is not yet determined, set the output -- * context handle to refer to the spnego context itself. -- */ -+ - sc->ctx_handle = GSS_C_NO_CONTEXT; - *ctx = (gss_ctx_id_t)sc; - sc = NULL; -@@ -1108,16 +1107,11 @@ spnego_gss_init_sec_context( - } - gss_release_buffer(&tmpmin, &mechtok_out); - if (ret == GSS_S_COMPLETE) { -- /* -- * Now, switch the output context to refer to the -- * negotiated mechanism's context. -- */ -- *context_handle = (gss_ctx_id_t)spnego_ctx->ctx_handle; -+ spnego_ctx->opened = 1; - if (actual_mech != NULL) - *actual_mech = spnego_ctx->actual_mech; - if (ret_flags != NULL) - *ret_flags = spnego_ctx->ctx_flags; -- release_spnego_ctx(&spnego_ctx); - } else if (ret != GSS_S_CONTINUE_NEEDED) { - if (spnego_ctx != NULL) { - gss_delete_sec_context(&tmpmin, -@@ -1285,7 +1279,7 @@ acc_ctx_hints(OM_uint32 *minor_status, - if (ret != GSS_S_COMPLETE) - goto cleanup; - -- sc = create_spnego_ctx(); -+ sc = create_spnego_ctx(0); - if (sc == NULL) { - ret = GSS_S_FAILURE; - goto cleanup; -@@ -1367,7 +1361,7 @@ acc_ctx_new(OM_uint32 *minor_status, - gss_release_buffer(&tmpmin, &sc->DER_mechTypes); - assert(mech_wanted != GSS_C_NO_OID); - } else -- sc = create_spnego_ctx(); -+ sc = create_spnego_ctx(0); - if (sc == NULL) { - ret = GSS_S_FAILURE; - *return_token = NO_TOKEN_SEND; -@@ -1750,13 +1744,12 @@ spnego_gss_accept_sec_context( - ret = GSS_S_FAILURE; - } - if (ret == GSS_S_COMPLETE) { -- *context_handle = (gss_ctx_id_t)sc->ctx_handle; -+ sc->opened = 1; - if 
(sc->internal_name != GSS_C_NO_NAME && - src_name != NULL) { - *src_name = sc->internal_name; - sc->internal_name = GSS_C_NO_NAME; - } -- release_spnego_ctx(&sc); - } else if (ret != GSS_S_CONTINUE_NEEDED) { - if (sc != NULL) { - gss_delete_sec_context(&tmpmin, &sc->ctx_handle, -@@ -2069,8 +2062,13 @@ spnego_gss_unwrap( - gss_qop_t *qop_state) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_unwrap(minor_status, -- context_handle, -+ sc->ctx_handle, - input_message_buffer, - output_message_buffer, - conf_state, -@@ -2090,8 +2088,13 @@ spnego_gss_wrap( - gss_buffer_t output_message_buffer) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_wrap(minor_status, -- context_handle, -+ sc->ctx_handle, - conf_req_flag, - qop_req, - input_message_buffer, -@@ -2108,8 +2111,14 @@ spnego_gss_process_context_token( - const gss_buffer_t token_buffer) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ /* SPNEGO doesn't have its own context tokens. */ -+ if (!sc->opened) -+ return (GSS_S_DEFECTIVE_TOKEN); -+ - ret = gss_process_context_token(minor_status, -- context_handle, -+ sc->ctx_handle, - token_buffer); - - return (ret); -@@ -2133,19 +2142,9 @@ spnego_gss_delete_sec_context( - if (*ctx == NULL) - return (GSS_S_COMPLETE); - -- /* -- * If this is still an SPNEGO mech, release it locally. 
-- */ -- if ((*ctx)->magic_num == SPNEGO_MAGIC_ID) { -- (void) gss_delete_sec_context(minor_status, -- &(*ctx)->ctx_handle, -- output_token); -- (void) release_spnego_ctx(ctx); -- } else { -- ret = gss_delete_sec_context(minor_status, -- context_handle, -- output_token); -- } -+ (void) gss_delete_sec_context(minor_status, &(*ctx)->ctx_handle, -+ output_token); -+ (void) release_spnego_ctx(ctx); - - return (ret); - } -@@ -2157,8 +2156,13 @@ spnego_gss_context_time( - OM_uint32 *time_rec) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_context_time(minor_status, -- context_handle, -+ sc->ctx_handle, - time_rec); - return (ret); - } -@@ -2170,9 +2174,20 @@ spnego_gss_export_sec_context( - gss_buffer_t interprocess_token) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = *(spnego_gss_ctx_id_t *)context_handle; -+ -+ /* We don't currently support exporting partially established -+ * contexts. */ -+ if (!sc->opened) -+ return GSS_S_UNAVAILABLE; -+ - ret = gss_export_sec_context(minor_status, -- context_handle, -+ &sc->ctx_handle, - interprocess_token); -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) { -+ release_spnego_ctx(&sc); -+ *context_handle = GSS_C_NO_CONTEXT; -+ } - return (ret); - } - -@@ -2182,11 +2197,12 @@ spnego_gss_import_sec_context( - const gss_buffer_t interprocess_token, - gss_ctx_id_t *context_handle) - { -- OM_uint32 ret; -- ret = gss_import_sec_context(minor_status, -- interprocess_token, -- context_handle); -- return (ret); -+ /* -+ * Until we implement partial context exports, there are no SPNEGO -+ * exported context tokens, only tokens for underlying mechs. So just -+ * return an error for now. 
-+ */ -+ return GSS_S_UNAVAILABLE; - } - #endif /* LEAN_CLIENT */ - -@@ -2203,16 +2219,48 @@ spnego_gss_inquire_context( - int *opened) - { - OM_uint32 ret = GSS_S_COMPLETE; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (src_name != NULL) -+ *src_name = GSS_C_NO_NAME; -+ if (targ_name != NULL) -+ *targ_name = GSS_C_NO_NAME; -+ if (lifetime_rec != NULL) -+ *lifetime_rec = 0; -+ if (mech_type != NULL) -+ *mech_type = (gss_OID)gss_mech_spnego; -+ if (ctx_flags != NULL) -+ *ctx_flags = 0; -+ if (locally_initiated != NULL) -+ *locally_initiated = sc->initiate; -+ if (opened != NULL) -+ *opened = sc->opened; -+ -+ if (sc->ctx_handle != GSS_C_NO_CONTEXT) { -+ ret = gss_inquire_context(minor_status, sc->ctx_handle, -+ src_name, targ_name, lifetime_rec, -+ mech_type, ctx_flags, NULL, NULL); -+ } - -- ret = gss_inquire_context(minor_status, -- context_handle, -- src_name, -- targ_name, -- lifetime_rec, -- mech_type, -- ctx_flags, -- locally_initiated, -- opened); -+ if (!sc->opened) { -+ /* -+ * We are still doing SPNEGO negotiation, so report SPNEGO as -+ * the OID. After negotiation is complete we will report the -+ * underlying mechanism OID. -+ */ -+ if (mech_type != NULL) -+ *mech_type = (gss_OID)gss_mech_spnego; -+ -+ /* -+ * Remove flags we don't support with partially-established -+ * contexts. (Change this to keep GSS_C_TRANS_FLAG if we add -+ * support for exporting partial SPNEGO contexts.) 
-+ */ -+ if (ctx_flags != NULL) { -+ *ctx_flags &= ~GSS_C_PROT_READY_FLAG; -+ *ctx_flags &= ~GSS_C_TRANS_FLAG; -+ } -+ } - - return (ret); - } -@@ -2227,8 +2275,13 @@ spnego_gss_wrap_size_limit( - OM_uint32 *max_input_size) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_wrap_size_limit(minor_status, -- context_handle, -+ sc->ctx_handle, - conf_req_flag, - qop_req, - req_output_size, -@@ -2245,8 +2298,13 @@ spnego_gss_get_mic( - gss_buffer_t message_token) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_get_mic(minor_status, -- context_handle, -+ sc->ctx_handle, - qop_req, - message_buffer, - message_token); -@@ -2262,8 +2320,13 @@ spnego_gss_verify_mic( - gss_qop_t *qop_state) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_verify_mic(minor_status, -- context_handle, -+ sc->ctx_handle, - msg_buffer, - token_buffer, - qop_state); -@@ -2278,8 +2341,14 @@ spnego_gss_inquire_sec_context_by_oid( - gss_buffer_set_t *data_set) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ /* There are no SPNEGO-specific OIDs for this function. */ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_UNAVAILABLE); -+ - ret = gss_inquire_sec_context_by_oid(minor_status, -- context_handle, -+ sc->ctx_handle, - desired_object, - data_set); - return (ret); -@@ -2359,8 +2428,15 @@ spnego_gss_set_sec_context_option( - const gss_buffer_t value) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)*context_handle; -+ -+ /* There are no SPNEGO-specific OIDs for this function, and we cannot -+ * construct an empty SPNEGO context with it. 
*/ -+ if (sc == NULL || sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_UNAVAILABLE); -+ - ret = gss_set_sec_context_option(minor_status, -- context_handle, -+ &sc->ctx_handle, - desired_object, - value); - return (ret); -@@ -2377,8 +2453,13 @@ spnego_gss_wrap_aead(OM_uint32 *minor_status, - gss_buffer_t output_message_buffer) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_wrap_aead(minor_status, -- context_handle, -+ sc->ctx_handle, - conf_req_flag, - qop_req, - input_assoc_buffer, -@@ -2399,8 +2480,13 @@ spnego_gss_unwrap_aead(OM_uint32 *minor_status, - gss_qop_t *qop_state) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_unwrap_aead(minor_status, -- context_handle, -+ sc->ctx_handle, - input_message_buffer, - input_assoc_buffer, - output_payload_buffer, -@@ -2419,8 +2505,13 @@ spnego_gss_wrap_iov(OM_uint32 *minor_status, - int iov_count) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_wrap_iov(minor_status, -- context_handle, -+ sc->ctx_handle, - conf_req_flag, - qop_req, - conf_state, -@@ -2438,8 +2529,13 @@ spnego_gss_unwrap_iov(OM_uint32 *minor_status, - int iov_count) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_unwrap_iov(minor_status, -- context_handle, -+ sc->ctx_handle, - conf_state, - qop_state, - iov, -@@ -2457,8 +2553,13 @@ spnego_gss_wrap_iov_length(OM_uint32 *minor_status, - int iov_count) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return 
(GSS_S_NO_CONTEXT); -+ - ret = gss_wrap_iov_length(minor_status, -- context_handle, -+ sc->ctx_handle, - conf_req_flag, - qop_req, - conf_state, -@@ -2475,8 +2576,13 @@ spnego_gss_complete_auth_token( - gss_buffer_t input_message_buffer) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_UNAVAILABLE); -+ - ret = gss_complete_auth_token(minor_status, -- context_handle, -+ sc->ctx_handle, - input_message_buffer); - return (ret); - } -@@ -2721,8 +2827,13 @@ spnego_gss_pseudo_random(OM_uint32 *minor_status, - gss_buffer_t prf_out) - { - OM_uint32 ret; -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ - ret = gss_pseudo_random(minor_status, -- context, -+ sc->ctx_handle, - prf_key, - prf_in, - desired_output_len, -@@ -2863,7 +2974,12 @@ spnego_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, - gss_qop_t qop_req, gss_iov_buffer_desc *iov, - int iov_count) - { -- return gss_get_mic_iov(minor_status, context_handle, qop_req, iov, -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ -+ return gss_get_mic_iov(minor_status, sc->ctx_handle, qop_req, iov, - iov_count); - } - -@@ -2872,7 +2988,12 @@ spnego_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, - gss_qop_t *qop_state, gss_iov_buffer_desc *iov, - int iov_count) - { -- return gss_verify_mic_iov(minor_status, context_handle, qop_state, iov, -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ -+ return gss_verify_mic_iov(minor_status, sc->ctx_handle, qop_state, iov, - iov_count); - } - -@@ -2881,7 +3002,12 @@ spnego_gss_get_mic_iov_length(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, gss_qop_t qop_req, - 
gss_iov_buffer_desc *iov, int iov_count) - { -- return gss_get_mic_iov_length(minor_status, context_handle, qop_req, iov, -+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; -+ -+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); -+ -+ return gss_get_mic_iov_length(minor_status, sc->ctx_handle, qop_req, iov, - iov_count); - } - diff --git a/main/krb5/CVE-2015-2696.patch b/main/krb5/CVE-2015-2696.patch deleted file mode 100644 index c1f50a59c2..0000000000 --- a/main/krb5/CVE-2015-2696.patch +++ /dev/null 
@@ -1,731 +0,0 @@ -From e04f0283516e80d2f93366e0d479d13c9b5c8c2a Mon Sep 17 00:00:00 2001 -From: Nicolas Williams <nico@twosigma.com> -Date: Mon, 14 Sep 2015 12:28:36 -0400 -Subject: [PATCH] Fix IAKERB context aliasing bugs [CVE-2015-2696] - -The IAKERB mechanism currently replaces its context handle with the -krb5 mechanism handle upon establishment, under the assumption that -most GSS functions are only called after context establishment. This -assumption is incorrect, and can lead to aliasing violations for some -programs. Maintain the IAKERB context structure after context -establishment and add new IAKERB entry points to refer to it with that -type. Add initiate and established flags to the IAKERB context -structure for use in gss_inquire_context() prior to context -establishment. - -CVE-2015-2696: - -In MIT krb5 1.9 and later, applications which call -gss_inquire_context() on a partially-established IAKERB context can -cause the GSS-API library to read from a pointer using the wrong type, -generally causing a process crash. Java server applications using the -native JGSS provider are vulnerable to this bug. A carefully crafted -IAKERB packet might allow the gss_inquire_context() call to succeed -with attacker-determined results, but applications should not make -access control decisions based on gss_inquire_context() results prior -to context establishment. 
- - CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C - -[ghudson@mit.edu: several bugfixes, style changes, and edge-case -behavior changes; commit message and CVE description] - -ticket: 8244 -target_version: 1.14 -tags: pullup ---- - src/lib/gssapi/krb5/gssapiP_krb5.h | 114 ++++++++++++ - src/lib/gssapi/krb5/gssapi_krb5.c | 105 +++++++++-- - src/lib/gssapi/krb5/iakerb.c | 351 +++++++++++++++++++++++++++++++++---- - 3 files changed, 529 insertions(+), 41 deletions(-) - -diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h -index 9aae12a..97e090d 100644 ---- a/src/lib/gssapi/krb5/gssapiP_krb5.h -+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h -@@ -621,6 +621,21 @@ OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext - ); - #endif /* LEAN_CLIENT */ - -+OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid -+(OM_uint32*, /* minor_status */ -+ const gss_ctx_id_t, -+ /* context_handle */ -+ const gss_OID, /* desired_object */ -+ gss_buffer_set_t* /* data_set */ -+); -+ -+OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option -+(OM_uint32*, /* minor_status */ -+ gss_ctx_id_t*, /* context_handle */ -+ const gss_OID, /* desired_object */ -+ const gss_buffer_t/* value */ -+); -+ - OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token - (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ -@@ -1302,6 +1317,105 @@ OM_uint32 KRB5_CALLCONV - krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token, - gss_cred_id_t *cred_handle); - -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_process_context_token(OM_uint32 *minor_status, -+ const gss_ctx_id_t context_handle, -+ const gss_buffer_t token_buffer); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ OM_uint32 *time_rec); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_inquire_context(OM_uint32 *minor_status, -+ gss_ctx_id_t context_handle, gss_name_t *src_name, -+ gss_name_t *targ_name, OM_uint32 *lifetime_rec, -+ 
gss_OID *mech_type, OM_uint32 *ctx_flags, -+ int *locally_initiated, int *opened); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ gss_qop_t qop_req, gss_buffer_t message_buffer, -+ gss_buffer_t message_token); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ gss_qop_t qop_req, gss_iov_buffer_desc *iov, -+ int iov_count); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status, -+ gss_ctx_id_t context_handle, gss_qop_t qop_req, -+ gss_iov_buffer_desc *iov, int iov_count); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ gss_buffer_t msg_buffer, gss_buffer_t token_buffer, -+ gss_qop_t *qop_state); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ gss_qop_t *qop_state, gss_iov_buffer_desc *iov, -+ int iov_count); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ int conf_req_flag, gss_qop_t qop_req, -+ gss_buffer_t input_message_buffer, int *conf_state, -+ gss_buffer_t output_message_buffer); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ int conf_req_flag, gss_qop_t qop_req, int *conf_state, -+ gss_iov_buffer_desc *iov, int iov_count); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_wrap_iov_length(OM_uint32 *minor_status, -+ gss_ctx_id_t context_handle, int conf_req_flag, -+ gss_qop_t qop_req, int *conf_state, -+ gss_iov_buffer_desc *iov, int iov_count); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ gss_buffer_t input_message_buffer, -+ gss_buffer_t output_message_buffer, int *conf_state, -+ gss_qop_t *qop_state); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ int 
*conf_state, gss_qop_t *qop_state, -+ gss_iov_buffer_desc *iov, int iov_count); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_wrap_size_limit(OM_uint32 *minor_status, -+ gss_ctx_id_t context_handle, int conf_req_flag, -+ gss_qop_t qop_req, OM_uint32 req_output_size, -+ OM_uint32 *max_input_size); -+ -+#ifndef LEAN_CLIENT -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_export_sec_context(OM_uint32 *minor_status, -+ gss_ctx_id_t *context_handle, -+ gss_buffer_t interprocess_token); -+#endif /* LEAN_CLIENT */ -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status, -+ const gss_ctx_id_t context_handle, -+ const gss_OID desired_object, -+ gss_buffer_set_t *data_set); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_set_sec_context_option(OM_uint32 *minor_status, -+ gss_ctx_id_t *context_handle, -+ const gss_OID desired_object, -+ const gss_buffer_t value); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ int prf_key, const gss_buffer_t prf_in, -+ ssize_t desired_output_len, gss_buffer_t prf_out); -+ - /* Magic string to identify exported krb5 GSS credentials. Increment this if - * the format changes. 
*/ - #define CRED_EXPORT_MAGIC "K5C1" -diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c -index 0be92e4..c4dfdd6 100644 ---- a/src/lib/gssapi/krb5/gssapi_krb5.c -+++ b/src/lib/gssapi/krb5/gssapi_krb5.c -@@ -351,7 +351,7 @@ static struct { - } - }; - --static OM_uint32 KRB5_CALLCONV -+OM_uint32 KRB5_CALLCONV - krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_OID desired_object, -@@ -465,7 +465,7 @@ static struct { - }; - #endif - --static OM_uint32 KRB5_CALLCONV -+OM_uint32 KRB5_CALLCONV - krb5_gss_set_sec_context_option (OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, - const gss_OID desired_object, -@@ -929,20 +929,103 @@ static struct gss_config krb5_mechanism = { - krb5_gss_get_mic_iov_length, - }; - -+/* Functions which use security contexts or acquire creds are IAKERB-specific; -+ * other functions can borrow from the krb5 mech. */ -+static struct gss_config iakerb_mechanism = { -+ { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID }, -+ NULL, -+ iakerb_gss_acquire_cred, -+ krb5_gss_release_cred, -+ iakerb_gss_init_sec_context, -+#ifdef LEAN_CLIENT -+ NULL, -+#else -+ iakerb_gss_accept_sec_context, -+#endif -+ iakerb_gss_process_context_token, -+ iakerb_gss_delete_sec_context, -+ iakerb_gss_context_time, -+ iakerb_gss_get_mic, -+ iakerb_gss_verify_mic, -+#if defined(IOV_SHIM_EXERCISE_WRAP) || defined(IOV_SHIM_EXERCISE) -+ NULL, -+#else -+ iakerb_gss_wrap, -+#endif -+#if defined(IOV_SHIM_EXERCISE_UNWRAP) || defined(IOV_SHIM_EXERCISE) -+ NULL, -+#else -+ iakerb_gss_unwrap, -+#endif -+ krb5_gss_display_status, -+ krb5_gss_indicate_mechs, -+ krb5_gss_compare_name, -+ krb5_gss_display_name, -+ krb5_gss_import_name, -+ krb5_gss_release_name, -+ krb5_gss_inquire_cred, -+ NULL, /* add_cred */ -+#ifdef LEAN_CLIENT -+ NULL, -+ NULL, -+#else -+ iakerb_gss_export_sec_context, -+ NULL, -+#endif -+ krb5_gss_inquire_cred_by_mech, -+ krb5_gss_inquire_names_for_mech, -+ 
iakerb_gss_inquire_context, -+ krb5_gss_internal_release_oid, -+ iakerb_gss_wrap_size_limit, -+ krb5_gss_localname, -+ krb5_gss_authorize_localname, -+ krb5_gss_export_name, -+ krb5_gss_duplicate_name, -+ krb5_gss_store_cred, -+ iakerb_gss_inquire_sec_context_by_oid, -+ krb5_gss_inquire_cred_by_oid, -+ iakerb_gss_set_sec_context_option, -+ krb5_gssspi_set_cred_option, -+ krb5_gssspi_mech_invoke, -+ NULL, /* wrap_aead */ -+ NULL, /* unwrap_aead */ -+ iakerb_gss_wrap_iov, -+ iakerb_gss_unwrap_iov, -+ iakerb_gss_wrap_iov_length, -+ NULL, /* complete_auth_token */ -+ NULL, /* acquire_cred_impersonate_name */ -+ NULL, /* add_cred_impersonate_name */ -+ NULL, /* display_name_ext */ -+ krb5_gss_inquire_name, -+ krb5_gss_get_name_attribute, -+ krb5_gss_set_name_attribute, -+ krb5_gss_delete_name_attribute, -+ krb5_gss_export_name_composite, -+ krb5_gss_map_name_to_any, -+ krb5_gss_release_any_name_mapping, -+ iakerb_gss_pseudo_random, -+ NULL, /* set_neg_mechs */ -+ krb5_gss_inquire_saslname_for_mech, -+ krb5_gss_inquire_mech_for_saslname, -+ krb5_gss_inquire_attrs_for_mech, -+ krb5_gss_acquire_cred_from, -+ krb5_gss_store_cred_into, -+ iakerb_gss_acquire_cred_with_password, -+ krb5_gss_export_cred, -+ krb5_gss_import_cred, -+ NULL, /* import_sec_context_by_mech */ -+ NULL, /* import_name_by_mech */ -+ NULL, /* import_cred_by_mech */ -+ iakerb_gss_get_mic_iov, -+ iakerb_gss_verify_mic_iov, -+ iakerb_gss_get_mic_iov_length, -+}; -+ - #ifdef _GSS_STATIC_LINK - #include "mglueP.h" - static int gss_iakerbmechglue_init(void) - { - struct gss_mech_config mech_iakerb; -- struct gss_config iakerb_mechanism = krb5_mechanism; -- -- /* IAKERB mechanism mirrors krb5, but with different context SPIs */ -- iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context; -- iakerb_mechanism.gss_init_sec_context = iakerb_gss_init_sec_context; -- iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context; -- iakerb_mechanism.gss_acquire_cred = iakerb_gss_acquire_cred; 
-- iakerb_mechanism.gssspi_acquire_cred_with_password -- = iakerb_gss_acquire_cred_with_password; - - memset(&mech_iakerb, 0, sizeof(mech_iakerb)); - mech_iakerb.mech = &iakerb_mechanism; -diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c -index f30de32..4662bd9 100644 ---- a/src/lib/gssapi/krb5/iakerb.c -+++ b/src/lib/gssapi/krb5/iakerb.c -@@ -47,6 +47,8 @@ struct _iakerb_ctx_id_rec { - gss_ctx_id_t gssc; - krb5_data conv; /* conversation for checksumming */ - unsigned int count; /* number of round trips */ -+ int initiate; -+ int established; - krb5_get_init_creds_opt *gic_opts; - }; - -@@ -695,7 +697,7 @@ iakerb_get_initial_state(iakerb_ctx_id_t ctx, - * Allocate and initialise an IAKERB context - */ - static krb5_error_code --iakerb_alloc_context(iakerb_ctx_id_t *pctx) -+iakerb_alloc_context(iakerb_ctx_id_t *pctx, int initiate) - { - iakerb_ctx_id_t ctx; - krb5_error_code code; -@@ -709,6 +711,8 @@ iakerb_alloc_context(iakerb_ctx_id_t *pctx) - ctx->magic = KG_IAKERB_CONTEXT; - ctx->state = IAKERB_AS_REQ; - ctx->count = 0; -+ ctx->initiate = initiate; -+ ctx->established = 0; - - code = krb5_gss_init_context(&ctx->k5c); - if (code != 0) -@@ -732,7 +736,7 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, - gss_buffer_t output_token) - { -- OM_uint32 major_status = GSS_S_COMPLETE; -+ iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle; - - if (output_token != GSS_C_NO_BUFFER) { - output_token->length = 0; -@@ -740,23 +744,10 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status, - } - - *minor_status = 0; -+ *context_handle = GSS_C_NO_CONTEXT; -+ iakerb_release_context(iakerb_ctx); - -- if (*context_handle != GSS_C_NO_CONTEXT) { -- iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle; -- -- if (iakerb_ctx->magic == KG_IAKERB_CONTEXT) { -- iakerb_release_context(iakerb_ctx); -- *context_handle = GSS_C_NO_CONTEXT; -- } else { -- assert(iakerb_ctx->magic == KG_CONTEXT); -- -- 
major_status = krb5_gss_delete_sec_context(minor_status, -- context_handle, -- output_token); -- } -- } -- -- return major_status; -+ return GSS_S_COMPLETE; - } - - static krb5_boolean -@@ -802,7 +793,7 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status, - int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT); - - if (initialContextToken) { -- code = iakerb_alloc_context(&ctx); -+ code = iakerb_alloc_context(&ctx, 0); - if (code != 0) - goto cleanup; - -@@ -854,11 +845,8 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status, - time_rec, - delegated_cred_handle, - &exts); -- if (major_status == GSS_S_COMPLETE) { -- *context_handle = ctx->gssc; -- ctx->gssc = NULL; -- iakerb_release_context(ctx); -- } -+ if (major_status == GSS_S_COMPLETE) -+ ctx->established = 1; - if (mech_type != NULL) - *mech_type = (gss_OID)gss_mech_krb5; - } -@@ -897,7 +885,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status, - int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT); - - if (initialContextToken) { -- code = iakerb_alloc_context(&ctx); -+ code = iakerb_alloc_context(&ctx, 1); - if (code != 0) { - *minor_status = code; - goto cleanup; -@@ -983,11 +971,8 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status, - ret_flags, - time_rec, - &exts); -- if (major_status == GSS_S_COMPLETE) { -- *context_handle = ctx->gssc; -- ctx->gssc = GSS_C_NO_CONTEXT; -- iakerb_release_context(ctx); -- } -+ if (major_status == GSS_S_COMPLETE) -+ ctx->established = 1; - if (actual_mech_type != NULL) - *actual_mech_type = (gss_OID)gss_mech_krb5; - } else { -@@ -1010,3 +995,309 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status, - - return major_status; - } -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ gss_buffer_t input_message_buffer, -+ gss_buffer_t output_message_buffer, int *conf_state, -+ gss_qop_t *qop_state) -+{ -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ if (ctx->gssc == 
GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; -+ -+ return krb5_gss_unwrap(minor_status, ctx->gssc, input_message_buffer, -+ output_message_buffer, conf_state, qop_state); -+} -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ int conf_req_flag, gss_qop_t qop_req, -+ gss_buffer_t input_message_buffer, int *conf_state, -+ gss_buffer_t output_message_buffer) -+{ -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ if (ctx->gssc == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; -+ -+ return krb5_gss_wrap(minor_status, ctx->gssc, conf_req_flag, qop_req, -+ input_message_buffer, conf_state, -+ output_message_buffer); -+} -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_process_context_token(OM_uint32 *minor_status, -+ const gss_ctx_id_t context_handle, -+ const gss_buffer_t token_buffer) -+{ -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ if (ctx->gssc == GSS_C_NO_CONTEXT) -+ return GSS_S_DEFECTIVE_TOKEN; -+ -+ return krb5_gss_process_context_token(minor_status, ctx->gssc, -+ token_buffer); -+} -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ OM_uint32 *time_rec) -+{ -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ if (ctx->gssc == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; -+ -+ return krb5_gss_context_time(minor_status, ctx->gssc, time_rec); -+} -+ -+#ifndef LEAN_CLIENT -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_export_sec_context(OM_uint32 *minor_status, -+ gss_ctx_id_t *context_handle, -+ gss_buffer_t interprocess_token) -+{ -+ OM_uint32 maj; -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ /* We don't currently support exporting partially established contexts. 
*/ -+ if (!ctx->established) -+ return GSS_S_UNAVAILABLE; -+ -+ maj = krb5_gss_export_sec_context(minor_status, &ctx->gssc, -+ interprocess_token); -+ if (ctx->gssc == GSS_C_NO_CONTEXT) { -+ iakerb_release_context(ctx); -+ *context_handle = GSS_C_NO_CONTEXT; -+ } -+ return maj; -+} -+ -+/* -+ * Until we implement partial context exports, there are no SPNEGO exported -+ * context tokens, only tokens for the underlying krb5 context. So we do not -+ * need to implement an iakerb_gss_import_sec_context() yet; it would be -+ * unreachable except via a manually constructed token. -+ */ -+ -+#endif /* LEAN_CLIENT */ -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_inquire_context(OM_uint32 *minor_status, -+ gss_ctx_id_t context_handle, gss_name_t *src_name, -+ gss_name_t *targ_name, OM_uint32 *lifetime_rec, -+ gss_OID *mech_type, OM_uint32 *ctx_flags, -+ int *initiate, int *opened) -+{ -+ OM_uint32 ret; -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ if (src_name != NULL) -+ *src_name = GSS_C_NO_NAME; -+ if (targ_name != NULL) -+ *targ_name = GSS_C_NO_NAME; -+ if (lifetime_rec != NULL) -+ *lifetime_rec = 0; -+ if (mech_type != NULL) -+ *mech_type = (gss_OID)gss_mech_iakerb; -+ if (ctx_flags != NULL) -+ *ctx_flags = 0; -+ if (initiate != NULL) -+ *initiate = ctx->initiate; -+ if (opened != NULL) -+ *opened = ctx->established; -+ -+ if (ctx->gssc == GSS_C_NO_CONTEXT) -+ return GSS_S_COMPLETE; -+ -+ ret = krb5_gss_inquire_context(minor_status, ctx->gssc, src_name, -+ targ_name, lifetime_rec, mech_type, -+ ctx_flags, initiate, opened); -+ -+ if (!ctx->established) { -+ /* Report IAKERB as the mech OID until the context is established. */ -+ if (mech_type != NULL) -+ *mech_type = (gss_OID)gss_mech_iakerb; -+ -+ /* We don't support exporting partially-established contexts. 
*/ -+ if (ctx_flags != NULL) -+ *ctx_flags &= ~GSS_C_TRANS_FLAG; -+ } -+ -+ return ret; -+} -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_wrap_size_limit(OM_uint32 *minor_status, -+ gss_ctx_id_t context_handle, int conf_req_flag, -+ gss_qop_t qop_req, OM_uint32 req_output_size, -+ OM_uint32 *max_input_size) -+{ -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ if (ctx->gssc == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; -+ -+ return krb5_gss_wrap_size_limit(minor_status, ctx->gssc, conf_req_flag, -+ qop_req, req_output_size, max_input_size); -+} -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ gss_qop_t qop_req, gss_buffer_t message_buffer, -+ gss_buffer_t message_token) -+{ -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ if (ctx->gssc == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; -+ -+ return krb5_gss_get_mic(minor_status, ctx->gssc, qop_req, message_buffer, -+ message_token); -+} -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ gss_buffer_t msg_buffer, gss_buffer_t token_buffer, -+ gss_qop_t *qop_state) -+{ -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ if (ctx->gssc == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; -+ -+ return krb5_gss_verify_mic(minor_status, ctx->gssc, msg_buffer, -+ token_buffer, qop_state); -+} -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status, -+ const gss_ctx_id_t context_handle, -+ const gss_OID desired_object, -+ gss_buffer_set_t *data_set) -+{ -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ if (ctx->gssc == GSS_C_NO_CONTEXT) -+ return GSS_S_UNAVAILABLE; -+ -+ return krb5_gss_inquire_sec_context_by_oid(minor_status, ctx->gssc, -+ desired_object, data_set); -+} -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_set_sec_context_option(OM_uint32 *minor_status, -+ gss_ctx_id_t *context_handle, -+ const gss_OID desired_object, -+ 
const gss_buffer_t value) -+{ -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle; -+ -+ if (ctx == NULL || ctx->gssc == GSS_C_NO_CONTEXT) -+ return GSS_S_UNAVAILABLE; -+ -+ return krb5_gss_set_sec_context_option(minor_status, &ctx->gssc, -+ desired_object, value); -+} -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ int conf_req_flag, gss_qop_t qop_req, int *conf_state, -+ gss_iov_buffer_desc *iov, int iov_count) -+{ -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ if (ctx->gssc == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; -+ -+ return krb5_gss_wrap_iov(minor_status, ctx->gssc, conf_req_flag, qop_req, -+ conf_state, iov, iov_count); -+} -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ int *conf_state, gss_qop_t *qop_state, -+ gss_iov_buffer_desc *iov, int iov_count) -+{ -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ if (ctx->gssc == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; -+ -+ return krb5_gss_unwrap_iov(minor_status, ctx->gssc, conf_state, qop_state, -+ iov, iov_count); -+} -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_wrap_iov_length(OM_uint32 *minor_status, -+ gss_ctx_id_t context_handle, int conf_req_flag, -+ gss_qop_t qop_req, int *conf_state, -+ gss_iov_buffer_desc *iov, int iov_count) -+{ -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ if (ctx->gssc == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; -+ -+ return krb5_gss_wrap_iov_length(minor_status, ctx->gssc, conf_req_flag, -+ qop_req, conf_state, iov, iov_count); -+} -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ int prf_key, const gss_buffer_t prf_in, -+ ssize_t desired_output_len, gss_buffer_t prf_out) -+{ -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ if (ctx->gssc == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; -+ -+ return 
krb5_gss_pseudo_random(minor_status, ctx->gssc, prf_key, prf_in, -+ desired_output_len, prf_out); -+} -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ gss_qop_t qop_req, gss_iov_buffer_desc *iov, -+ int iov_count) -+{ -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ if (ctx->gssc == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; -+ -+ return krb5_gss_get_mic_iov(minor_status, ctx->gssc, qop_req, iov, -+ iov_count); -+} -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, -+ gss_qop_t *qop_state, gss_iov_buffer_desc *iov, -+ int iov_count) -+{ -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ if (ctx->gssc == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; -+ -+ return krb5_gss_verify_mic_iov(minor_status, ctx->gssc, qop_state, iov, -+ iov_count); -+} -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status, -+ gss_ctx_id_t context_handle, gss_qop_t qop_req, -+ gss_iov_buffer_desc *iov, int iov_count) -+{ -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ -+ if (ctx->gssc == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; -+ -+ return krb5_gss_get_mic_iov_length(minor_status, ctx->gssc, qop_req, iov, -+ iov_count); -+} diff --git a/main/krb5/CVE-2015-2697.patch b/main/krb5/CVE-2015-2697.patch deleted file mode 100644 index af2f42a3ab..0000000000 --- a/main/krb5/CVE-2015-2697.patch +++ /dev/null 
@@ -1,50 +0,0 @@
-From f0c094a1b745d91ef2f9a4eae2149aac026a5789 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Fri, 25 Sep 2015 12:51:47 -0400
-Subject: [PATCH] Fix build_principal memory bug [CVE-2015-2697]
-
-In build_principal_va(), use k5memdup0() instead of strdup() to make a
-copy of the realm, to ensure that we allocate the correct number of
-bytes and do not read past the end of the input string. This bug
-affects krb5_build_principal(), krb5_build_principal_va(), and
-krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
-affected.
-
-CVE-2015-2697:
-
-In MIT krb5 1.7 and later, an authenticated attacker may be able to
-cause a KDC to crash using a TGS request with a large realm field
-beginning with a null byte. If the KDC attempts to find a referral to
-answer the request, it constructs a principal name for lookup using
-krb5_build_principal() with the requested realm. Due to a bug in this
-function, the null byte causes only one byte be allocated for the
-realm field of the constructed principal, far less than its length.
-Subsequent operations on the lookup principal may cause a read beyond
-the end of the mapped memory region, causing the KDC process to crash.
-
-CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
-
-ticket: 8252 (new)
-target_version: 1.14
-tags: pullup
----
- src/lib/krb5/krb/bld_princ.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
-index ab6fed8..8604268 100644
---- a/src/lib/krb5/krb/bld_princ.c
-+++ b/src/lib/krb5/krb/bld_princ.c
-@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
- data = malloc(size * sizeof(krb5_data));
- if (!data) { retval = ENOMEM; }
-
-- if (!retval) {
-- r = strdup(realm);
-- if (!r) { retval = ENOMEM; }
-- }
-+ if (!retval)
-+ r = k5memdup0(realm, rlen, &retval);
-
- while (!retval && (component = va_arg(ap, char *))) {
- if (count == size) {
diff --git a/main/krb5/CVE-2015-2698.patch b/main/krb5/CVE-2015-2698.patch deleted file mode 100644 index 99c0bbd8a4..0000000000 --- a/main/krb5/CVE-2015-2698.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From 9ffff96c98a93bd9bc3846ac044a34cb1566aae7 Mon Sep 17 00:00:00 2001 -From: Greg Hudson <ghudson@mit.edu> -Date: Sun, 1 Nov 2015 22:45:21 -0500 -Subject: [PATCH] Fix IAKERB context export/import [CVE-2015-2698] - -The patches for CVE-2015-2696 contained a regression in the newly -added IAKERB iakerb_gss_export_sec_context() function, which could -cause it to corrupt memory. Fix the regression by properly -dereferencing the context_handle pointer before casting it. - -Also, the patches did not implement an IAKERB gss_import_sec_context() -function, under the erroneous belief that an exported IAKERB context -would be tagged as a krb5 context. Implement it now to allow IAKERB -contexts to be successfully exported and imported after establishment. - -CVE-2015-2698: - -In any MIT krb5 release with the patches for CVE-2015-2696 applied, an -application which calls gss_export_sec_context() may experience memory -corruption if the context was established using the IAKERB mechanism. -Historically, some vulnerabilities of this nature can be translated -into remote code execution, though the necessary exploits must be -tailored to the individual application and are usually quite -complicated. 
- - CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C - -(cherry picked from commit 3db8dfec1ef50ddd78d6ba9503185995876a39fd) -(cherry picked from commit 54222de30a89bfac0247dfbc1759556dc9fd2983) - -ticket: 8284 (new) -version_fixed: 1.13.3 ---- - src/lib/gssapi/krb5/gssapiP_krb5.h | 5 +++++ - src/lib/gssapi/krb5/gssapi_krb5.c | 2 +- - src/lib/gssapi/krb5/iakerb.c | 42 +++++++++++++++++++++++++++++++------- - 3 files changed, 41 insertions(+), 8 deletions(-) - -diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h -index 05dc321..ac53662 100644 ---- a/src/lib/gssapi/krb5/gssapiP_krb5.h -+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h -@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV - iakerb_gss_export_sec_context(OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, - gss_buffer_t interprocess_token); -+ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_import_sec_context(OM_uint32 *minor_status, -+ const gss_buffer_t interprocess_token, -+ gss_ctx_id_t *context_handle); - #endif /* LEAN_CLIENT */ - - OM_uint32 KRB5_CALLCONV -diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c -index 9a23656..d7ba279 100644 ---- a/src/lib/gssapi/krb5/gssapi_krb5.c -+++ b/src/lib/gssapi/krb5/gssapi_krb5.c -@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = { - NULL, - #else - iakerb_gss_export_sec_context, -- NULL, -+ iakerb_gss_import_sec_context, - #endif - krb5_gss_inquire_cred_by_mech, - krb5_gss_inquire_names_for_mech, -diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c -index e25862d..32a341e 100644 ---- a/src/lib/gssapi/krb5/iakerb.c -+++ b/src/lib/gssapi/krb5/iakerb.c -@@ -1057,7 +1057,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status, - gss_buffer_t interprocess_token) - { - OM_uint32 maj; -- iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; -+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle; - - /* We don't currently support exporting partially established 
contexts. */ - if (!ctx->established) -@@ -1072,13 +1072,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status, - return maj; - } - --/* -- * Until we implement partial context exports, there are no IAKERB exported -- * context tokens, only tokens for the underlying krb5 context. So we do not -- * need to implement an iakerb_gss_import_sec_context() yet; it would be -- * unreachable except via a manually constructed token. -- */ -+OM_uint32 KRB5_CALLCONV -+iakerb_gss_import_sec_context(OM_uint32 *minor_status, -+ gss_buffer_t interprocess_token, -+ gss_ctx_id_t *context_handle) -+{ -+ OM_uint32 maj, tmpmin; -+ krb5_error_code code; -+ gss_ctx_id_t gssc; -+ krb5_gss_ctx_id_t kctx; -+ iakerb_ctx_id_t ctx; -+ -+ maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc); -+ if (maj != GSS_S_COMPLETE) -+ return maj; -+ kctx = (krb5_gss_ctx_id_t)gssc; -+ -+ if (!kctx->established) { -+ /* We don't currently support importing partially established -+ * contexts. */ -+ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER); -+ return GSS_S_FAILURE; -+ } - -+ code = iakerb_alloc_context(&ctx, kctx->initiate); -+ if (code != 0) { -+ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER); -+ *minor_status = code; -+ return GSS_S_FAILURE; -+ } -+ -+ ctx->gssc = gssc; -+ ctx->established = 1; -+ *context_handle = (gss_ctx_id_t)ctx; -+ return GSS_S_COMPLETE; -+} - #endif /* LEAN_CLIENT */ - - OM_uint32 KRB5_CALLCONV diff --git a/main/krb5/CVE-2015-8629.patch b/main/krb5/CVE-2015-8629.patch deleted file mode 100644 index 1106460205..0000000000 --- a/main/krb5/CVE-2015-8629.patch +++ /dev/null 
@@ -1,45 +0,0 @@
-From df17a1224a3406f57477bcd372c61e04c0e5a5bb Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Fri, 8 Jan 2016 12:45:25 -0500
-Subject: [PATCH] Verify decoded kadmin C strings [CVE-2015-8629]
-
-In xdr_nullstring(), check that the decoded string is terminated with
-a zero byte and does not contain any internal zero bytes.
-
-CVE-2015-8629:
-
-In all versions of MIT krb5, an authenticated attacker can cause
-kadmind to read beyond the end of allocated memory by sending a string
-without a terminating zero byte. Information leakage may be possible
-for an attacker with permission to modify the database.
-
- CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
-
-ticket: 8341 (new)
-target_version: 1.14-next
-target_version: 1.13-next
-tags: pullup
----
- src/lib/kadm5/kadm_rpc_xdr.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
-index 2bef858..ba67084 100644
---- a/src/lib/kadm5/kadm_rpc_xdr.c
-+++ b/src/lib/kadm5/kadm_rpc_xdr.c
-@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp)
- return FALSE;
- }
- }
-- return (xdr_opaque(xdrs, *objp, size));
-+ if (!xdr_opaque(xdrs, *objp, size))
-+ return FALSE;
-+ /* Check that the unmarshalled bytes are a C string. */
-+ if ((*objp)[size - 1] != '\0')
-+ return FALSE;
-+ if (memchr(*objp, '\0', size - 1) != NULL)
-+ return FALSE;
-+ return TRUE;
-
- case XDR_ENCODE:
- if (size != 0)
diff --git a/main/krb5/CVE-2015-8630.patch b/main/krb5/CVE-2015-8630.patch
deleted file mode 100644
index 72fefeb896..0000000000
--- a/main/krb5/CVE-2015-8630.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From b863de7fbf080b15e347a736fdda0a82d42f4f6b Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Fri, 8 Jan 2016 12:52:28 -0500
-Subject: [PATCH] Check for null kadm5 policy name [CVE-2015-8630]
-
-In kadm5_create_principal_3() and kadm5_modify_principal(), check for
-entry->policy being null when KADM5_POLICY is included in the mask.
-
-CVE-2015-8630:
-
-In MIT krb5 1.12 and later, an authenticated attacker with permission
-to modify a principal entry can cause kadmind to dereference a null
-pointer by supplying a null policy value but including KADM5_POLICY in
-the mask.
-
- CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
-
-ticket: 8342 (new)
-target_version: 1.14-next
-target_version: 1.13-next
-tags: pullup
----
- src/lib/kadm5/srv/svr_principal.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
-index 5b95fa3..1d4365c 100644
---- a/src/lib/kadm5/srv/svr_principal.c
-+++ b/src/lib/kadm5/srv/svr_principal.c
-@@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle,
- /*
- * Argument sanity checking, and opening up the DB
- */
-+ if (entry == NULL)
-+ return EINVAL;
- if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) ||
- (mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) ||
- (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
-@@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle,
- return KADM5_BAD_MASK;
- if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0)
- return KADM5_BAD_MASK;
-+ if((mask & KADM5_POLICY) && entry->policy == NULL)
-+ return KADM5_BAD_MASK;
- if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
- return KADM5_BAD_MASK;
- if((mask & ~ALL_PRINC_MASK))
- return KADM5_BAD_MASK;
-- if (entry == NULL)
-- return EINVAL;
-
- /*
- * Check to see if the principal exists
-@@ -643,6 +645,8 @@ kadm5_modify_principal(void *server_handle,
-
- krb5_clear_error_message(handle->context);
-
-+ if(entry == NULL)
-+ return EINVAL;
- if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) ||
- (mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) ||
- (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
-@@ -651,10 +655,10 @@ kadm5_modify_principal(void *server_handle,
- return KADM5_BAD_MASK;
- if((mask & ~ALL_PRINC_MASK))
- return KADM5_BAD_MASK;
-+ if((mask & KADM5_POLICY) && entry->policy == NULL)
-+ return KADM5_BAD_MASK;
- if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
- return KADM5_BAD_MASK;
-- if(entry == (kadm5_principal_ent_t) NULL)
-- return EINVAL;
- if (mask & KADM5_TL_DATA) {
- tl_data_orig = entry->tl_data;
- while (tl_data_orig) {
diff --git a/main/krb5/CVE-2015-8631.patch b/main/krb5/CVE-2015-8631.patch
deleted file mode 100644
index 038ad48100..0000000000
--- a/main/krb5/CVE-2015-8631.patch
+++ /dev/null
@@ -1,570 +0,0 @@ -From 83ed75feba32e46f736fcce0d96a0445f29b96c2 Mon Sep 17 00:00:00 2001 -From: Greg Hudson <ghudson@mit.edu> -Date: Fri, 8 Jan 2016 13:16:54 -0500 -Subject: [PATCH] Fix leaks in kadmin server stubs [CVE-2015-8631] - -In each kadmind server stub, initialize the client_name and -server_name variables, and release them in the cleanup handler. Many -of the stubs will otherwise leak the client and server name if -krb5_unparse_name() fails. Also make sure to free the prime_arg -variables in rename_principal_2_svc(), or we can leak the first one if -unparsing the second one fails. Discovered by Simo Sorce. - -CVE-2015-8631: - -In all versions of MIT krb5, an authenticated attacker can cause -kadmind to leak memory by supplying a null principal name in a request -which uses one. Repeating these requests will eventually cause -kadmind to exhaust all available memory. - - CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C - -ticket: 8343 (new) -target_version: 1.14-next -target_version: 1.13-next -tags: pullup ---- - src/kadmin/server/server_stubs.c | 151 ++++++++++++++++++++------------------- - 1 file changed, 77 insertions(+), 74 deletions(-) - -diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c -index 1879dc6..6ac797e 100644 ---- a/src/kadmin/server/server_stubs.c -+++ b/src/kadmin/server/server_stubs.c -@@ -334,7 +334,8 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - restriction_t *rp; -@@ -382,10 +383,10 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -- gss_release_buffer(&minor_stat, &client_name); -- gss_release_buffer(&minor_stat, &service_name); 
- - exit_func: -+ gss_release_buffer(&minor_stat, &client_name); -+ gss_release_buffer(&minor_stat, &service_name); - free_server_handle(handle); - return &ret; - } -@@ -395,7 +396,8 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - restriction_t *rp; -@@ -444,10 +446,10 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -- gss_release_buffer(&minor_stat, &client_name); -- gss_release_buffer(&minor_stat, &service_name); - - exit_func: -+ gss_release_buffer(&minor_stat, &client_name); -+ gss_release_buffer(&minor_stat, &service_name); - free_server_handle(handle); - return &ret; - } -@@ -457,8 +459,8 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -501,10 +503,10 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp) - - } - free(prime_arg); -- gss_release_buffer(&minor_stat, &client_name); -- gss_release_buffer(&minor_stat, &service_name); - - exit_func: -+ gss_release_buffer(&minor_stat, &client_name); -+ gss_release_buffer(&minor_stat, &service_name); - free_server_handle(handle); - return &ret; - } -@@ -514,8 +516,8 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; 
- OM_uint32 minor_stat; - kadm5_server_handle_t handle; - restriction_t *rp; -@@ -559,9 +561,9 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -570,10 +572,9 @@ generic_ret * - rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; -- char *prime_arg1, -- *prime_arg2; -- gss_buffer_desc client_name, -- service_name; -+ char *prime_arg1 = NULL, *prime_arg2 = NULL; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - restriction_t *rp; -@@ -655,11 +656,11 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - - } -+exit_func: - free(prime_arg1); - free(prime_arg2); - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -669,8 +670,8 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp) - { - static gprinc_ret ret; - char *prime_arg, *funcname; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -719,9 +720,9 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -731,8 +732,8 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req 
*rqstp) - { - static gprincs_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -777,9 +778,9 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -789,8 +790,8 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -840,9 +841,9 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp) - } - - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -852,8 +853,8 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -909,9 +910,9 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp) - } - - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -921,8 +922,8 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct 
svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -969,9 +970,9 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp) - } - - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -981,8 +982,8 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1029,9 +1030,9 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp) - } - - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1041,8 +1042,8 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1092,9 +1093,9 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp) - } - - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1106,8 +1107,8 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req 
*rqstp) - krb5_keyblock *k; - int nkeys; - char *prime_arg, *funcname; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1164,9 +1165,9 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1178,8 +1179,8 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp) - krb5_keyblock *k; - int nkeys; - char *prime_arg, *funcname; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1241,9 +1242,9 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1253,8 +1254,8 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1295,9 +1296,9 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp) - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - 
gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1307,8 +1308,8 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1347,9 +1348,9 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp) - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1359,8 +1360,8 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1400,9 +1401,9 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp) - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1413,8 +1414,8 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp) - static gpol_ret ret; - kadm5_ret_t ret2; - char *prime_arg, *funcname; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_principal_ent_rec caller_ent; - kadm5_server_handle_t handle; -@@ -1475,9 +1476,9 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp) - 
log_unauth(funcname, prime_arg, - &client_name, &service_name, rqstp); - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - -@@ -1488,8 +1489,8 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) - { - static gpols_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1531,9 +1532,9 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); - } -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1541,7 +1542,8 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) - getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) - { - static getprivs_ret ret; -- gss_buffer_desc client_name, service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1571,9 +1573,9 @@ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); - -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1583,7 +1585,8 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg, *funcname; -- gss_buffer_desc client_name, service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - 
OM_uint32 minor_stat; - kadm5_server_handle_t handle; - -@@ -1629,9 +1632,9 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1641,8 +1644,8 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp) - { - static gstrings_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1688,9 +1691,9 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1700,8 +1703,8 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) - { - static generic_ret ret; - char *prime_arg; -- gss_buffer_desc client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; -@@ -1744,9 +1747,9 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) - krb5_free_error_message(handle->context, errmsg); - } - free(prime_arg); -+exit_func: - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); --exit_func: - free_server_handle(handle); - return &ret; - } -@@ -1754,8 +1757,8 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) - generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) - { - static generic_ret ret; -- gss_buffer_desc 
client_name, -- service_name; -+ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - kadm5_server_handle_t handle; - OM_uint32 minor_stat; - const char *errmsg = NULL; -@@ -1797,10 +1800,10 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) - rqstp->rq_cred.oa_flavor); - if (errmsg != NULL) - krb5_free_error_message(NULL, errmsg); -- gss_release_buffer(&minor_stat, &client_name); -- gss_release_buffer(&minor_stat, &service_name); - - exit_func: -+ gss_release_buffer(&minor_stat, &client_name); -+ gss_release_buffer(&minor_stat, &service_name); - return(&ret); - } - diff --git a/main/krb5/CVE-2016-3119.patch b/main/krb5/CVE-2016-3119.patch deleted file mode 100644 index 4e94534e98..0000000000 --- a/main/krb5/CVE-2016-3119.patch +++ /dev/null 
@@ -1,38 +0,0 @@
-From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Mon, 14 Mar 2016 17:26:34 -0400
-Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119]
-
-In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
-if there is an empty string in the db_args array. Check for this case
-and avoid dereferencing a null pointer.
-
-CVE-2016-3119:
-
-In MIT krb5 1.6 and later, an authenticated attacker with permission
-to modify a principal entry can cause kadmind to dereference a null
-pointer by supplying an empty DB argument to the modify_principal
-command, if kadmind is configured to use the LDAP KDB module.
-
- CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
-
-ticket: 8383 (new)
-target_version: 1.14-next
-target_version: 1.13-next
-tags: pullup
----
- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-index 6e591e1..79c4cf0 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-@@ -296,6 +296,7 @@ process_db_args(krb5_context context, char **db_args, xargs_t *xargs,
- if (db_args) {
- for (i=0; db_args[i]; ++i) {
- arg = strtok_r(db_args[i], "=", &arg_val);
-+ arg = (arg != NULL) ? arg : "";
- if (strcmp(arg, TKTPOLICY_ARG) == 0) {
- dptr = &xargs->tktpolicydn;
- } else {
diff --git a/main/krb5/Fix-SPNEGO-context-import.patch b/main/krb5/Fix-SPNEGO-context-import.patch
deleted file mode 100644
index cafbc321f7..0000000000
--- a/main/krb5/Fix-SPNEGO-context-import.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From aae39008de0402cc516150225de4d8feef62b2da Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Sun, 1 Nov 2015 22:46:56 -0500
-Subject: [PATCH] Fix SPNEGO context import
-
-The patches for CVE-2015-2695 did not implement a SPNEGO
-gss_import_sec_context() function, under the erroneous belief that an
-exported SPNEGO context would be tagged with the underlying context
-mechanism. Implement it now to allow SPNEGO contexts to be
-successfully exported and imported after establishment.
-
-(cherry picked from commit 222b09f6e2f536354555f2a0dedfe29fc10c01d6)
-(cherry picked from commit 8e10a780fd3bfefd1ba08ca1552e8d0677917454)
-
-ticket: 8284
-version_fixed: 1.13.3
-status: resolved
----
- src/lib/gssapi/spnego/spnego_mech.c | 33 +++++++++++++++++++++++++++------
- 1 file changed, 27 insertions(+), 6 deletions(-)
-
-diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
-index 3423f22..ec38eea 100644
---- a/src/lib/gssapi/spnego/spnego_mech.c
-+++ b/src/lib/gssapi/spnego/spnego_mech.c
-@@ -2253,12 +2253,33 @@ spnego_gss_import_sec_context(
- const gss_buffer_t interprocess_token,
- gss_ctx_id_t *context_handle)
- {
-- /*
-- * Until we implement partial context exports, there are no SPNEGO
-- * exported context tokens, only tokens for underlying mechs. So just
-- * return an error for now.
-- */
-- return GSS_S_UNAVAILABLE;
-+ OM_uint32 ret, tmpmin;
-+ gss_ctx_id_t mctx;
-+ spnego_gss_ctx_id_t sc;
-+ int initiate, opened;
-+
-+ ret = gss_import_sec_context(minor_status, interprocess_token, &mctx);
-+ if (ret != GSS_S_COMPLETE)
-+ return ret;
-+
-+ ret = gss_inquire_context(&tmpmin, mctx, NULL, NULL, NULL, NULL, NULL,
-+ &initiate, &opened);
-+ if (ret != GSS_S_COMPLETE || !opened) {
-+ /* We don't currently support importing partially established
-+ * contexts. */
-+ (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
-+ return GSS_S_FAILURE;
-+ }
-+
-+ sc = create_spnego_ctx(initiate);
-+ if (sc == NULL) {
-+ (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
-+ return GSS_S_FAILURE;
-+ }
-+ sc->ctx_handle = mctx;
-+ sc->opened = 1;
-+ *context_handle = (gss_ctx_id_t)sc;
-+ return GSS_S_COMPLETE;
- }
- #endif /* LEAN_CLIENT */
-
diff --git a/main/krb5/Fix-two-IAKERB-comments.patch b/main/krb5/Fix-two-IAKERB-comments.patch
deleted file mode 100644
index b72c319dfb..0000000000
--- a/main/krb5/Fix-two-IAKERB-comments.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 491d7d5182458fcf4025aa43a89462119d8df7f1 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Tue, 27 Oct 2015 00:44:24 -0400
-Subject: [PATCH] Fix two IAKERB comments
-
-The comment explaining why there is no iakerb_gss_import_sec_context()
-erroneously referenced SPNEGO instead of IAKERB (noticed by Ben
-Kaduk). The comment above iakerb_gss_delete_sec_context() is out of
-date after the last commit.
-
-(cherry picked from commit 92d6dd045dfc06cc03d20b327a6ee7a71e6bc24d)
-(cherry picked from commit 1be18763f94dc519da9b9928e82566558c8748c2)
----
- src/lib/gssapi/krb5/iakerb.c | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
-index 4662bd9..e25862d 100644
---- a/src/lib/gssapi/krb5/iakerb.c
-+++ b/src/lib/gssapi/krb5/iakerb.c
-@@ -727,10 +727,6 @@ iakerb_alloc_context(iakerb_ctx_id_t *pctx, int initiate)
- return code;
- }
-
--/*
-- * Delete an IAKERB context. This can also accept Kerberos context
-- * handles. The heuristic is similar to SPNEGO's delete_sec_context.
-- */
- OM_uint32 KRB5_CALLCONV
- iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
-@@ -1077,7 +1073,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
- }
-
- /*
-- * Until we implement partial context exports, there are no SPNEGO exported
-+ * Until we implement partial context exports, there are no IAKERB exported
- * context tokens, only tokens for the underlying krb5 context. So we do not
- * need to implement an iakerb_gss_import_sec_context() yet; it would be
- * unreachable except via a manually constructed token.
|