authorLeonardo Arena <rnalrd@alpinelinux.org>2019-06-04 14:18:02 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-06-04 14:19:35 +0000
commitaa2d24fab1e16e497512004aa40a11c032fcab73 (patch)
tree61f2a6be3f3c051154bb974bd001f0da41ff9f0e /main/heimdal
parente5bce08f307d563f1c82d22257e76bf9f0bf48fe (diff)
main/heimdal: security fix (CVE-2018-16860)
Fixes #10511. Remove the unused patch and clarify the license.
Diffstat (limited to 'main/heimdal')
-rw-r--r--main/heimdal/APKBUILD10
-rw-r--r--main/heimdal/CVE-2017-17439.patch45
-rw-r--r--main/heimdal/CVE-2018-16860.patch147
3 files changed, 154 insertions, 48 deletions
diff --git a/main/heimdal/APKBUILD b/main/heimdal/APKBUILD
index d989e31049..30922a26e1 100644
--- a/main/heimdal/APKBUILD
+++ b/main/heimdal/APKBUILD
@@ -3,11 +3,11 @@
pkgname=heimdal
pkgver=7.5.0
_ver=${pkgver/_rc/rc}
-pkgrel=3
+pkgrel=4
pkgdesc="An implementation of Kerberos 5"
arch="all"
url="http://www.h5l.org/"
-license="BSD"
+license="BSD-3-Clause"
depends="krb5-conf"
depends_dev="openssl-dev e2fsprogs-dev db-dev"
makedepends="$depends_dev autoconf automake bash gawk libtool
@@ -22,10 +22,13 @@ source="https://github.com/heimdal/heimdal/releases/download/heimdal-$pkgver/hei
005_all_heimdal-suid_fix.patch
heimdal_missing-include.patch
+ CVE-2018-16860.patch
"
builddir="$srcdir/$pkgname-$_ver"
# secfixes:
+# 7.5.3-r2:
+# - CVE-2018-16860
# 7.4.0-r2:
# - CVE-2017-17439
# 7.4.0-r0:
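Review bot: The secfixes entry added as `+# 7.5.3-r2:` records CVE-2018-16860 against a version this package never builds: pkgver is 7.5.0 (unchanged context in the first hunk) and this commit bumps pkgrel to 4, so tooling that consumes the secfixes block will presumably file the fix under a nonexistent 7.5.3-r2 while the real 7.5.0-r4 package still looks unpatched. The entry should read `# 7.5.0-r4:`, matching the `pkgver-rpkgrel` form the existing `7.4.0-r2:` entry uses. If 7.5.3 was meant as the upstream release carrying the fix, that belongs in the commit message rather than the secfixes block.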
@@ -128,4 +131,5 @@ sha512sums="6d1ad77e795df786680b5e68e2bfefee27bd0207eab507295d7af7053135de9c9ebb
4dca69bb1c1c6dfce8c0fc1da84855e4549be478ab09511fa5143ee61d1609fed7f3303179bc1e499b0f20445e04c41eda132dd1c5f72e2fea4fcf60a35ad2a9 heimdal-kdc.initd
abee8390632fa775e74900d09e5c72b02fe4f9616b43cc8d0a76175486ed6d4707fb3ce4d06ceb09b0e8d1384e037c3cff6525e11def0122c35c32eebd0d196f heimdal-kpasswdd.initd
2a6b20588a86a9ea3c35209b96ef2da0b39bc3112aec1505e69a60efc9ffb9ddc1d0dbdfaf864142e9d2f81da3d2653de56d6ffa01871c20fde17e4642625c56 005_all_heimdal-suid_fix.patch
-e89efdc942c512363aac1d9797c6bf622324e9200e282bc5ed680300b9e1b39a4ea20f059cdac8f22f972eb0af0e625fd41f267ebcafcfec0aaa81192aff79c1 heimdal_missing-include.patch"
+e89efdc942c512363aac1d9797c6bf622324e9200e282bc5ed680300b9e1b39a4ea20f059cdac8f22f972eb0af0e625fd41f267ebcafcfec0aaa81192aff79c1 heimdal_missing-include.patch
+36738795eb3478b55790bf1927f85a421b13b6b47dcc273daeb6630c39a4e1c1258148fa0e9f004ae59a9ac89caf54cb25efedb417e852e42a2c32d02e43fd56 CVE-2018-16860.patch"
diff --git a/main/heimdal/CVE-2017-17439.patch b/main/heimdal/CVE-2017-17439.patch
deleted file mode 100644
index 8c3273971e..0000000000
--- a/main/heimdal/CVE-2017-17439.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 749d377fa357351a7bbba51f8aae72cdf0629592 Mon Sep 17 00:00:00 2001
-From: Viktor Dukhovni <viktor@twosigma.com>
-Date: Tue, 5 Dec 2017 18:49:50 -0500
-Subject: [PATCH] Security: Avoid NULL structure pointer member dereference
-
-This can happen in the error path when processing malformed AS
-requests with a NULL client name. Bug originally introduced on
-Fri Feb 13 09:26:01 2015 +0100 in commit:
-
- a873e21d7c06f22943a90a41dc733ae76799390d
-
- kdc: base _kdc_fast_mk_error() on krb5_mk_error_ext()
-
-Original patch by Jeffrey Altman <jaltman@secure-endpoints.com>
-
-(cherry picked from commit 1a6a6e462dc2ac6111f9e02c6852ddec4849b887)
----
- kdc/kerberos5.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
-index 95a74927f7..675b406b82 100644
---- a/kdc/kerberos5.c
-+++ b/kdc/kerberos5.c
-@@ -2226,15 +2226,17 @@ _kdc_as_rep(kdc_request_t r,
- /*
- * In case of a non proxy error, build an error message.
- */
-- if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
-+ if (ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
- ret = _kdc_fast_mk_error(context, r,
- &error_method,
- r->armor_crypto,
- &req->req_body,
- ret, r->e_text,
- r->server_princ,
-- &r->client_princ->name,
-- &r->client_princ->realm,
-+ r->client_princ ?
-+ &r->client_princ->name : NULL,
-+ r->client_princ ?
-+ &r->client_princ->realm : NULL,
- NULL, NULL,
- reply);
- if (ret)
diff --git a/main/heimdal/CVE-2018-16860.patch b/main/heimdal/CVE-2018-16860.patch
new file mode 100644
index 0000000000..6424b9ec18
--- /dev/null
+++ b/main/heimdal/CVE-2018-16860.patch
@@ -0,0 +1,147 @@
+From c6257cc2c842c0faaeb4ef34e33890ee88c4cbba Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Tue, 14 May 2019 09:03:18 -0400
+Subject: [PATCH] CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed
+ checksum
+
+S4U2Self is an extension to Kerberos used in Active Directory to allow
+a service to request a kerberos ticket to itself from the Kerberos Key
+Distribution Center (KDC) for a non-Kerberos authenticated user
+(principal in Kerboros parlance). This is useful to allow internal
+code paths to be standardized around Kerberos.
+
+S4U2Proxy (constrained-delegation) is an extension of this mechanism
+allowing this impersonation to a second service over the network. It
+allows a privileged server that obtained a S4U2Self ticket to itself
+to then assert the identity of that principal to a second service and
+present itself as that principal to get services from the second
+service.
+
+There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
+KDC checks the checksum that is placed on the S4U2Self packet by the
+server to protect the requested principal against modification, it
+does not confirm that the checksum algorithm that protects the user
+name (principal) in the request is keyed. This allows a
+man-in-the-middle attacker who can intercept the request to the KDC to
+modify the packet by replacing the user name (principal) in the
+request with any desired user name (principal) that exists in the KDC
+and replace the checksum protecting that name with a CRC32 checksum
+(which requires no prior knowledge to compute).
+
+This would allow a S4U2Self ticket requested on behalf of user name
+(principal) user@EXAMPLE.COM to any service to be changed to a
+S4U2Self ticket with a user name (principal) of
+Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
+the modified user name (principal).
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)
+
+=========================
+Workaround and Mitigation
+=========================
+
+If server does not take privileged actions based on Kerberos tickets
+obtained by S4U2Self nor obtains Kerberos tickets via further
+S4U2Proxy requests then this issue cannot be exploited.
+
+Note that the path to an exploit is not generic, the KDC is not harmed
+by the malicious checksum, it is the client service requesting the
+ticket being mislead, because it trusted the KDC to return the correct
+ticket and PAC.
+
+It is out of scope for Samba to describe all of the possible tool
+chains that might be vulnerable. Here are two examples of possible
+exploits in order to explain the issue more clearly.
+
+1). SFU2Self might be used by a web service authenticating an end user
+via OAuth, Shibboleth, or other protocols to obtain a S4U2Self
+Kerberos service ticket for use by any Kerberos service principal the
+web service has a keytab for. One example is acquiring an AFS token
+by requesting an afs/cell@REALM service ticket for a client via
+SFU2Self. With this exploit an organization that deploys a KDC built
+from Heimdal (be it Heimdal directly or vendor versions such as found
+in Samba) is vulnerable to privilege escalation attacks.
+
+2). If a server authenticates users using X509 certificates, and then
+uses S4U2Self to obtain a Kerberos service ticket on behalf of the
+user (principal) in order to authorize access to local resources, a
+man-in-the-middle attacker could allow a non-privilaged user to access
+privilaged resources being protected by the server, or privilaged
+resources being protected by a second server, if the first server uses
+the S4U2Proxy extension in order to get a new Kerberos service ticket
+to obtain access to the second server.
+
+In both these scenarios under conditions allowing man-in-the-middle
+active network protocol manipulation, a malicious user could
+authenticate using the non-Kerborized credentials of an unprivileged
+user, and then elevate its privileges by intercepting the packet from
+the server to the KDC and changing the requested user name (principal).
+
+The only Samba clients that use S4U2Self are:
+
+- the "net ads kerberos pac dump" (debugging) tool.
+
+- the CIFS proxy in the deprecated/developer-only NTVFS file
+server. Note this code is not compiled or enabled by default.
+
+In particular, winbindd does *not* use S4U2Self.
+
+Finally, MIT Kerberos and so therefore the experimental MIT KDC backend
+for Samba AD is understood not to be impacted.
+
+===============
+Further Reading
+===============
+
+There is more detail on and a description of the protocols in
+
+[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained
+Delegation Protocol
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
+
+=======
+Credits
+=======
+
+Originally reported by Isaac Boukris and Andrew Bartlett of the Samba
+Team and Catalyst.
+
+Patches provided by Isaac Boukris.
+
+Advisory written by Andrew Bartlett of the Samba Team and Catalyst,
+with contributions from Isaac Boukris, Jeffrey Altman and Jeremy
+Allison.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685
+Change-Id: I4ac69ebf0503eb999a7d497a2c30fe4d293a8cc8
+Signed-off-by: Isaac Boukris <iboukris@gmail.com>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
+---
+ kdc/krb5tgs.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
+index 8318bc0025..14943077a4 100644
+--- a/kdc/krb5tgs.c
++++ b/kdc/krb5tgs.c
+@@ -2031,6 +2031,13 @@ tgs_build_reply(krb5_context context,
+ goto out;
+ }
+
++ if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
++ free_PA_S4U2Self(&self);
++ kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed checksum");
++ ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
++ goto out;
++ }
++
+ ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
+ if (ret)
+ goto out;
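Review bot: The new guard's `kdc_log` line reports only that a PA-S4U2Self was rejected, not which checksum type was offered, so a KDC operator triaging these rejections cannot distinguish a tampered request from a client that simply sends an unkeyed type. Because this file is a verbatim backport of upstream commit c6257cc2 the patch should stay byte-identical here, but an upstream follow-up could log the type, e.g. `kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed checksum type %d", (int)self.cksum.cksumtype);`. Note also that the pre-existing context path after `_krb5_s4u2self_to_checksumdata` does `goto out` without `free_PA_S4U2Self(&self)`, unlike the new guard; whether `out:` releases `self` is outside the hunk. The enclosing `tgs_build_reply` starts and ends outside the hunk.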