From 4b363ba3e488c64336482f98ab7dcd6460cf8406 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Thu, 9 Apr 2015 09:16:43 +0000 Subject: main/krb5: upgrade to 1.13.1 --- main/krb5/APKBUILD | 18 ++----- main/krb5/CVE-2014-5353.patch | 63 ----------------------- main/krb5/CVE-2014-5354.patch | 113 ------------------------------------------ 3 files changed, 5 insertions(+), 189 deletions(-) delete mode 100644 main/krb5/CVE-2014-5353.patch delete mode 100644 main/krb5/CVE-2014-5354.patch (limited to 'main') diff --git a/main/krb5/APKBUILD b/main/krb5/APKBUILD index 7c8a9827e6..0f672d791a 100644 --- a/main/krb5/APKBUILD +++ b/main/krb5/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa pkgname=krb5 -pkgver=1.13 -pkgrel=1 +pkgver=1.13.1 +pkgrel=0 case $pkgver in *.*.*) _ver=${pkgver%.*};; @@ -22,8 +22,6 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-server $pkgname-server-ldap:ldap $pkgname-pkinit $pkgname-libs" source="http://web.mit.edu/kerberos/dist/krb5/${_ver}/krb5-$pkgver-signed.tar mit-krb5_krb5-config_LDFLAGS.patch - CVE-2014-5353.patch - CVE-2014-5354.patch krb5kadmind.initd krb5kdc.initd @@ -120,24 +118,18 @@ libs() { mv "$pkgdir"/usr/lib "$subpkgdir"/usr/ || return 1 } -md5sums="fa5d4dcd7b79e2165d0ec4affa0956ea krb5-1.13-signed.tar +md5sums="567586cdf02aa8c842c2fab7a94f3c1f krb5-1.13.1-signed.tar c84a0c7d8014e3528524956ffdd1c3e9 mit-krb5_krb5-config_LDFLAGS.patch -491f8cdf54124ab52eb414b8075c6be7 CVE-2014-5353.patch -ec1e83cc8fd39af0a0e47041d21998d1 CVE-2014-5354.patch 29906e70e15025dda8b315d8209cab4c krb5kadmind.initd 47efe7f24c98316d38ea46ad629b3517 krb5kdc.initd 3e0b8313c1e5bfb7625f35e76a5e53f1 krb5kpropd.initd" -sha256sums="dc8f79ae9ab777d0f815e84ed02ac4ccfe3d5826eb4947a195dfce9fd95a9582 krb5-1.13-signed.tar +sha256sums="4df629fdf97f362cf81edbf38d613b32b492dd88c876cf3aa1c66562f296663e krb5-1.13.1-signed.tar 84007c7423f67db7a8b248b9643c49ef25f2d56ce15c2574eb41ecbf51bcd3f2 mit-krb5_krb5-config_LDFLAGS.patch -fcdfd81dc63abbdeaca4eb5bbcd3c3088c44e3a96aa7fe191f82c341d38f360c CVE-2014-5353.patch -616362df107bb63fd060ed3084e98d3523bbea245ff1cef6bd2074a27838ae61 CVE-2014-5354.patch c7a1ec03472996daaaaf1a4703566113c80f72ee8605d247098a25a13dad1f5f krb5kadmind.initd 709309dea043aa306c2fcf0960e0993a6db540c220de64cf92d6b85f1cca23c5 krb5kdc.initd 86b15d691e32b331ac756ee368b7364de6ab238dcae5adfed2a00b57d1b64ef4 krb5kpropd.initd" -sha512sums="99cf647ab39f5a34acaf2049908f91d3f3822f4afd3b9dad1630b31c72518398069f4f3d3840168122cb12aa5e5540466729bc714fbda96eb9403e635f88d244 krb5-1.13-signed.tar +sha512sums="f26dce8f682bd3fbf38a15df5f91722b573d4df4cc193f7ba8dc369cbbee8f4bc2a72f56513d2cf27697ce8baaf954afe04e3eefc15c2883fa1d5260145aef6e krb5-1.13.1-signed.tar 5a3782ff17b383f8cd0415fd13538ab56afd788130d6ad640e9f2682b7deaae7f25713ce358058ed771091040dccf62a3bc87e6fd473d505ec189a95debcc801 mit-krb5_krb5-config_LDFLAGS.patch -736753afb36bc494bc42f3cd33fc013ad49625e8d90672b85784f9f4fe96ff8d3f8c014aa1678d8892cb4204243369ee583232047fa9178fcdff03ab4087b171 CVE-2014-5353.patch -e795258f958cd5ce86ff9930bdb7b119253d694bff32c0e4a9a414f184678d52f556a1f24af8032e447a2ecb24de24a50e8590d33019be2028ce452c8915daa9 CVE-2014-5354.patch 561af06b4e0f0e130dda345ad934bcdb9984ec00cc38d871df1d3bb3f9e1c7d86f06db5b03229707c88b96ad324e3a2222420f8494aa431002cacea0246b1153 krb5kadmind.initd d6d0076886ce284fc395fafc2dc253b4b3ee97b2986dea51388d96a1e1294680fb171f475efc7844559e2c6aac44b26678a9255921db9a58dcf2e7164f0aeec5 krb5kdc.initd f97d33fa977c132a470d95fd539d8e8db018e03f28dbc9d3e04faf78ebb7392196e7d5135f138c2390979bf37b3ae0265e6827f0c17b44b277eb2dfff0a96f77 krb5kpropd.initd" diff --git a/main/krb5/CVE-2014-5353.patch b/main/krb5/CVE-2014-5353.patch deleted file mode 100644 index e96c36092b..0000000000 --- a/main/krb5/CVE-2014-5353.patch +++ /dev/null @@ -1,63 +0,0 @@ -From d1f707024f1d0af6e54a18885322d70fa15ec4d3 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Fri, 5 Dec 2014 14:01:39 -0500 -Subject: [PATCH] Fix LDAP misused policy name crash [CVE-2014-5353] - -In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns -successfully with no results, return KRB5_KDB_NOENTRY instead of -returning success with a zeroed-out policy object. This fixes a null -dereference when an admin attempts to use an LDAP ticket policy name -as a password policy name. - -CVE-2014-5353: - -In MIT krb5, when kadmind is configured to use LDAP for the KDC -database, an authenticated remote attacker can cause a NULL dereference -by attempting to use a named ticket policy object as a password policy -for a principal. The attacker needs to be authenticated as a user who -has the elevated privilege for setting password policy by adding or -modifying principals. - -Queries to LDAP scoped to the krbPwdPolicy object class will correctly -not return entries of other classes, such as ticket policy objects, but -may return success with no returned elements if an object with the -requested DN exists in a different object class. In this case, the -routine to retrieve a password policy returned success with a password -policy object that consisted entirely of zeroed memory. In particular, -accesses to the policy name will dereference a NULL pointer. KDC -operation does not access the policy name field, but most kadmin -operations involving the principal with incorrect password policy -will trigger the crash. - -Thanks to Patrik Kis for reporting this problem. - -CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C - -[kaduk@mit.edu: CVE description and CVSS score] - -ticket: 8051 (new) -target_version: 1.13.1 -tags: pullup ---- - src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c -index 522773e..6779f51 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c -@@ -314,10 +314,11 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name, - LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes); - - ent=ldap_first_entry(ld, result); -- if (ent != NULL) { -- if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0) -- goto cleanup; -+ if (ent == NULL) { -+ st = KRB5_KDB_NOENTRY; -+ goto cleanup; - } -+ st = populate_policy(context, ld, ent, pol_name, *policy); - - cleanup: - ldap_msgfree(result); diff --git a/main/krb5/CVE-2014-5354.patch b/main/krb5/CVE-2014-5354.patch deleted file mode 100644 index 01aef2c0ed..0000000000 --- a/main/krb5/CVE-2014-5354.patch +++ /dev/null @@ -1,113 +0,0 @@ -From 04038bf3633c4b909b5ded3072dc88c8c419bf16 Mon Sep 17 00:00:00 2001 -From: Ben Kaduk -Date: Wed, 19 Nov 2014 12:04:46 -0500 -Subject: [PATCH] Support keyless principals in LDAP [CVE-2014-5354] - -Operations like "kadmin -q 'addprinc -nokey foo'" or -"kadmin -q 'purgekeys -all foo'" result in principal entries with -no keys present, so krb5_encode_krbsecretkey() would just return -NULL, which then got unconditionally dereferenced in -krb5_add_ber_mem_ldap_mod(). - -Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key -principals better, correct the test for an allocation failure, and -slightly restructure the cleanup handler to be shorter and more -appropriate for the usage. Once it no longer short-circuits when -n_key_data is zero, it will produce an array of length two with both -entries NULL, which is treated as an empty list by the LDAP library, -the correct behavior for a keyless principal. - -However, attributes with empty values are only handled by the LDAP -library for Modify operations, not Add operations (which only get -a sequence of Attribute, with no operation field). Therefore, only -add an empty krbprincipalkey to the modlist when we will be performing a -Modify, and not when we will be performing an Add, which is conditional -on the (misspelled) create_standalone_prinicipal boolean. - -CVE-2014-5354: - -In MIT krb5, when kadmind is configured to use LDAP for the KDC -database, an authenticated remote attacker can cause a NULL -dereference by inserting into the database a principal entry which -contains no long-term keys. - -In order for the LDAP KDC backend to translate a principal entry -from the database abstraction layer into the form expected by the -LDAP schema, the principal's keys are encoded into a -NULL-terminated array of length-value entries to be stored in the -LDAP database. However, the subroutine which produced this array -did not correctly handle the case where no keys were present, -returning NULL instead of an empty array, and the array was -unconditionally dereferenced while adding to the list of LDAP -operations to perform. - -Versions of MIT krb5 prior to 1.12 did not expose a way for -principal entries to have no long-term key material, and -therefore are not vulnerable. - - CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C - -ticket: 8041 (new) -tags: pullup -target_version: 1.13.1 -subject: kadmind with ldap backend crashes when putting keyless entries ---- - src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 25 +++++++++++++++------- - 1 file changed, 17 insertions(+), 8 deletions(-) - -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -index 3e560d9..10b5982 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -@@ -406,14 +406,14 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data, - int num_versions = 1; - int i, j, last; - krb5_error_code err = 0; -- krb5_key_data *key_data; -+ krb5_key_data *key_data = NULL; - -- if (n_key_data <= 0) -+ if (n_key_data < 0) - return NULL; - - /* Make a shallow copy of the key data so we can alter it. */ - key_data = k5calloc(n_key_data, sizeof(*key_data), &err); -- if (key_data_in == NULL) -+ if (key_data == NULL) - goto cleanup; - memcpy(key_data, key_data_in, n_key_data * sizeof(*key_data)); - -@@ -467,9 +467,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data, - free(key_data); - if (err != 0) { - if (ret != NULL) { -- for (i = 0; i <= num_versions; i++) -- if (ret[i] != NULL) -- free (ret[i]); -+ for (i = 0; ret[i] != NULL; i++) -+ free (ret[i]); - free (ret); - ret = NULL; - } -@@ -1036,9 +1035,19 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, - bersecretkey = krb5_encode_krbsecretkey (entry->key_data, - entry->n_key_data, mkvno); - -- if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", -- LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0) -+ if (bersecretkey == NULL) { -+ st = ENOMEM; - goto cleanup; -+ } -+ /* An empty list of bervals is only accepted for modify operations, -+ * not add operations. */ -+ if (bersecretkey[0] != NULL || !create_standalone_prinicipal) { -+ st = krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", -+ LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, -+ bersecretkey); -+ if (st != 0) -+ goto cleanup; -+ } - - if (!(entry->mask & KADM5_PRINCIPAL)) { - memset(strval, 0, sizeof(strval)); -- cgit v1.2.3