diff options
author | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-01-07 08:16:59 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-01-07 08:17:08 +0000 |
commit | 72c41026c0aed3a784192e5ab43ef9d2c7a38ced (patch) | |
tree | feb743342e1bbec23307e3a86aa5d44c02baa230 | |
parent | 91728ec7bae0fc5f0a2669ad3d8edcdb8f37e4ac (diff) | |
download | aports-72c41026c0aed3a784192e5ab43ef9d2c7a38ced.tar.bz2 aports-72c41026c0aed3a784192e5ab43ef9d2c7a38ced.tar.xz |
main/krb5: security fix (CVE-2018-20217)
Fixes #9805
-rw-r--r-- | main/krb5/APKBUILD | 18 | ||||
-rw-r--r-- | main/krb5/CVE-2018-20217.patch | 72 |
2 files changed, 79 insertions, 11 deletions
diff --git a/main/krb5/APKBUILD b/main/krb5/APKBUILD index a6f8c2af2a..3c96964968 100644 --- a/main/krb5/APKBUILD +++ b/main/krb5/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=krb5 pkgver=1.14.3 -pkgrel=2 +pkgrel=3 case $pkgver in *.*.*) _ver=${pkgver%.*};; @@ -22,12 +22,17 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-server $pkgname-server-ldap:ldap $pkgname-pkinit $pkgname-libs" source="http://web.mit.edu/kerberos/dist/krb5/${_ver}/krb5-$pkgver.tar.gz mit-krb5_krb5-config_LDFLAGS.patch + CVE-2018-20217.patch krb5kadmind.initd krb5kdc.initd krb5kpropd.initd " +# secfixes: +# 1.14.3-r3: +# - CVE-2018-20217 + _builddir="$srcdir"/krb5-$pkgver unpack() { default_unpack @@ -117,18 +122,9 @@ libs() { mkdir -p "$subpkgdir"/usr/ mv "$pkgdir"/usr/lib "$subpkgdir"/usr/ || return 1 } -md5sums="f76e4f8a3c95bb59980dd5ef4b48aea9 krb5-1.14.3.tar.gz -c84a0c7d8014e3528524956ffdd1c3e9 mit-krb5_krb5-config_LDFLAGS.patch -9c0e3bac122326cdbbbac068056ee8af krb5kadmind.initd -71131479c07a2d89b30a2ea18dd64e74 krb5kdc.initd -d94873a6a1ac6277adf2d25458eda9e5 krb5kpropd.initd" -sha256sums="cd4620d520cf0df0dd8791309912df2bb20fcba76790b9fba4e25c1da08ff2c9 krb5-1.14.3.tar.gz -84007c7423f67db7a8b248b9643c49ef25f2d56ce15c2574eb41ecbf51bcd3f2 mit-krb5_krb5-config_LDFLAGS.patch -213a5b04f091e4644e856aabc38da586bd86c4616ab15f00eefca52fca7137d6 krb5kadmind.initd -577842c7fe4639a8e9dd349da40e514284dd53440bb71be58283faaf18508f9a krb5kdc.initd -1644639d83791bd871f3c89a53a7052ab52994d3ef03d1d675d4217130c1fa94 krb5kpropd.initd" sha512sums="97f42bb7e0f69e337b949b451bf925f604e7ef9336c32bd4d62224a8c4a37e631f5a6fc01016bbdf268bbb60fa58712e244e00a1ab5a8bceede6a676482235aa krb5-1.14.3.tar.gz 5a3782ff17b383f8cd0415fd13538ab56afd788130d6ad640e9f2682b7deaae7f25713ce358058ed771091040dccf62a3bc87e6fd473d505ec189a95debcc801 mit-krb5_krb5-config_LDFLAGS.patch +30891c26b191ced94956bea869996a78147f4b87fb9bb511790bf20ff9a04fe5075e3584e03b19206327b954a2ad630b4f90cd443d5855481d521c640fe9d125 CVE-2018-20217.patch 43b9885b7eb8d0d60920def688de482f2b1701288f9acb1bb21dc76b2395428ff304961959eb04ba5eafd0412bae35668d6d2c8223424b9337bc051eadf51682 krb5kadmind.initd ede15f15bbbc9d0227235067abe15245bb9713aea260d397379c63275ce74aea0db6c91c15d599e40c6e89612d76f3a0f8fdd21cbafa3f30d426d4310d3e2cec krb5kdc.initd 45be0d421efd41e9dd056125a750c90856586e990317456b68170d733b03cba9ecd18ab87603b20e49575e7839fb4a6d628255533f2631f9e8ddb7f3cc493a90 krb5kpropd.initd" diff --git a/main/krb5/CVE-2018-20217.patch b/main/krb5/CVE-2018-20217.patch new file mode 100644 index 0000000000..80f2d55058 --- /dev/null +++ b/main/krb5/CVE-2018-20217.patch @@ -0,0 +1,72 @@ +From 5e6d1796106df8ba6bc1973ee0917c170d929086 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris <iboukris@gmail.com> +Date: Mon, 3 Dec 2018 02:33:07 +0200 +Subject: [PATCH] Ignore password attributes for S4U2Self requests + +For consistency with Windows KDCs, allow protocol transition to work +even if the password has expired or needs changing. + +Also, when looking up an enterprise principal with an AS request, +treat ERR_KEY_EXP as confirmation that the client is present in the +realm. + +[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited +commit message] + +ticket: 8763 (new) +tags: pullup +target_version: 1.17 +--- + src/kdc/kdc_util.c | 5 +++++ + src/lib/krb5/krb/s4u_creds.c | 2 +- + src/tests/gssapi/t_s4u.py | 8 ++++++++ + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index 6d53173fb0..6517a213cd 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -1607,6 +1607,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, + + memset(&no_server, 0, sizeof(no_server)); + ++ /* Ignore password expiration and needchange attributes (as Windows ++ * does), since S4U2Self is not password authentication. */ ++ princ->pw_expiration = 0; ++ clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE); ++ + code = validate_as_request(kdc_active_realm, request, *princ, + no_server, kdc_time, status, &e_data); + if (code) { +diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c +index d2fdcb3f16..614ed41908 100644 +--- a/src/lib/krb5/krb/s4u_creds.c ++++ b/src/lib/krb5/krb/s4u_creds.c +@@ -116,7 +116,7 @@ s4u_identify_user(krb5_context context, + code = k5_get_init_creds(context, &creds, &client, NULL, NULL, 0, NULL, + opts, krb5_get_as_key_noop, &userid, &use_master, + NULL); +- if (code == 0 || code == KRB5_PREAUTH_FAILED) { ++ if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) { + *canon_user = userid.user; + userid.user = NULL; + code = 0; +diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py +index fd29e1a270..84f3fbd752 100755 +--- a/src/tests/gssapi/t_s4u.py ++++ b/src/tests/gssapi/t_s4u.py +@@ -19,6 +19,14 @@ + # Get forwardable creds for service1 in the default cache. + realm.kinit(service1, None, ['-f', '-k']) + ++# Try S4U2Self for user with a restricted password. ++realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ]) ++realm.run(['./t_s4u', 'e:user', '-']) ++realm.run([kadminl, 'modprinc', '-needchange', ++ '-pwexpire', '1/1/2000', realm.user_princ]) ++realm.run(['./t_s4u', 'e:user', '-']) ++realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ]) ++ + # Try krb5 -> S4U2Proxy with forwardable user creds. This should fail + # at the S4U2Proxy step since the DB2 back end currently has no + # support for allowing it. |