main/krb5: security fixes for CVE-2014-5353, CVE-2014-5354

ref #3799
author: Natanael Copa <ncopa@alpinelinux.org> 2015-01-30 09:39:05 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2015-01-30 09:39:05 +0000
commit: 6c0f5b1515a834e3b68f2e199ccce1148f6c8054 (patch)
tree: 780ace4e1939c124df34b8b8aa5a143dbf06cdd4 /main/krb5
parent: b53e06d83f6743f8a5b6a7bac9893af4033d27be (diff)
download: aports-6c0f5b1515a834e3b68f2e199ccce1148f6c8054.tar.bz2
aports-6c0f5b1515a834e3b68f2e199ccce1148f6c8054.tar.xz
3 files changed, 185 insertions, 1 deletions
diff --git a/main/krb5/APKBUILD b/main/krb5/APKBUILD
index d77754fc3e..7c8a9827e6 100644
--- a/main/krb5/APKBUILD
+++ b/main/krb5/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=krb5
 pkgver=1.13
-pkgrel=0
+pkgrel=1
 
 case $pkgver in
 *.*.*) _ver=${pkgver%.*};;
@@ -22,6 +22,8 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-server
 	$pkgname-server-ldap:ldap $pkgname-pkinit $pkgname-libs"
 source="http://web.mit.edu/kerberos/dist/krb5/${_ver}/krb5-$pkgver-signed.tar
 	mit-krb5_krb5-config_LDFLAGS.patch
+	CVE-2014-5353.patch
+	CVE-2014-5354.patch
 
 	krb5kadmind.initd
 	krb5kdc.initd
@@ -120,16 +122,22 @@ libs() {
 
 md5sums="fa5d4dcd7b79e2165d0ec4affa0956ea  krb5-1.13-signed.tar
 c84a0c7d8014e3528524956ffdd1c3e9  mit-krb5_krb5-config_LDFLAGS.patch
+491f8cdf54124ab52eb414b8075c6be7  CVE-2014-5353.patch
+ec1e83cc8fd39af0a0e47041d21998d1  CVE-2014-5354.patch
 29906e70e15025dda8b315d8209cab4c  krb5kadmind.initd
 47efe7f24c98316d38ea46ad629b3517  krb5kdc.initd
 3e0b8313c1e5bfb7625f35e76a5e53f1  krb5kpropd.initd"
 sha256sums="dc8f79ae9ab777d0f815e84ed02ac4ccfe3d5826eb4947a195dfce9fd95a9582  krb5-1.13-signed.tar
 84007c7423f67db7a8b248b9643c49ef25f2d56ce15c2574eb41ecbf51bcd3f2  mit-krb5_krb5-config_LDFLAGS.patch
+fcdfd81dc63abbdeaca4eb5bbcd3c3088c44e3a96aa7fe191f82c341d38f360c  CVE-2014-5353.patch
+616362df107bb63fd060ed3084e98d3523bbea245ff1cef6bd2074a27838ae61  CVE-2014-5354.patch
 c7a1ec03472996daaaaf1a4703566113c80f72ee8605d247098a25a13dad1f5f  krb5kadmind.initd
 709309dea043aa306c2fcf0960e0993a6db540c220de64cf92d6b85f1cca23c5  krb5kdc.initd
 86b15d691e32b331ac756ee368b7364de6ab238dcae5adfed2a00b57d1b64ef4  krb5kpropd.initd"
 sha512sums="99cf647ab39f5a34acaf2049908f91d3f3822f4afd3b9dad1630b31c72518398069f4f3d3840168122cb12aa5e5540466729bc714fbda96eb9403e635f88d244  krb5-1.13-signed.tar
 5a3782ff17b383f8cd0415fd13538ab56afd788130d6ad640e9f2682b7deaae7f25713ce358058ed771091040dccf62a3bc87e6fd473d505ec189a95debcc801  mit-krb5_krb5-config_LDFLAGS.patch
+736753afb36bc494bc42f3cd33fc013ad49625e8d90672b85784f9f4fe96ff8d3f8c014aa1678d8892cb4204243369ee583232047fa9178fcdff03ab4087b171  CVE-2014-5353.patch
+e795258f958cd5ce86ff9930bdb7b119253d694bff32c0e4a9a414f184678d52f556a1f24af8032e447a2ecb24de24a50e8590d33019be2028ce452c8915daa9  CVE-2014-5354.patch
 561af06b4e0f0e130dda345ad934bcdb9984ec00cc38d871df1d3bb3f9e1c7d86f06db5b03229707c88b96ad324e3a2222420f8494aa431002cacea0246b1153  krb5kadmind.initd
 d6d0076886ce284fc395fafc2dc253b4b3ee97b2986dea51388d96a1e1294680fb171f475efc7844559e2c6aac44b26678a9255921db9a58dcf2e7164f0aeec5  krb5kdc.initd
 f97d33fa977c132a470d95fd539d8e8db018e03f28dbc9d3e04faf78ebb7392196e7d5135f138c2390979bf37b3ae0265e6827f0c17b44b277eb2dfff0a96f77  krb5kpropd.initd"
diff --git a/main/krb5/CVE-2014-5353.patch b/main/krb5/CVE-2014-5353.patch
new file mode 100644
index 0000000000..e96c36092b
--- /dev/null
+++ b/main/krb5/CVE-2014-5353.patch
@@ -0,0 +1,63 @@
+From d1f707024f1d0af6e54a18885322d70fa15ec4d3 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 5 Dec 2014 14:01:39 -0500
+Subject: [PATCH] Fix LDAP misused policy name crash [CVE-2014-5353]
+
+In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns
+successfully with no results, return KRB5_KDB_NOENTRY instead of
+returning success with a zeroed-out policy object.  This fixes a null
+dereference when an admin attempts to use an LDAP ticket policy name
+as a password policy name.
+
+CVE-2014-5353:
+
+In MIT krb5, when kadmind is configured to use LDAP for the KDC
+database, an authenticated remote attacker can cause a NULL dereference
+by attempting to use a named ticket policy object as a password policy
+for a principal.  The attacker needs to be authenticated as a user who
+has the elevated privilege for setting password policy by adding or
+modifying principals.
+
+Queries to LDAP scoped to the krbPwdPolicy object class will correctly
+not return entries of other classes, such as ticket policy objects, but
+may return success with no returned elements if an object with the
+requested DN exists in a different object class.  In this case, the
+routine to retrieve a password policy returned success with a password
+policy object that consisted entirely of zeroed memory.  In particular,
+accesses to the policy name will dereference a NULL pointer.  KDC
+operation does not access the policy name field, but most kadmin
+operations involving the principal with incorrect password policy
+will trigger the crash.
+
+Thanks to Patrik Kis for reporting this problem.
+
+CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
+
+[kaduk@mit.edu: CVE description and CVSS score]
+
+ticket: 8051 (new)
+target_version: 1.13.1
+tags: pullup
+---
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+index 522773e..6779f51 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+@@ -314,10 +314,11 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
+     LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes);
+ 
+     ent=ldap_first_entry(ld, result);
+-    if (ent != NULL) {
+-        if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0)
+-            goto cleanup;
++    if (ent == NULL) {
++        st = KRB5_KDB_NOENTRY;
++        goto cleanup;
+     }
++    st = populate_policy(context, ld, ent, pol_name, *policy);
+ 
+ cleanup:
+     ldap_msgfree(result);
diff --git a/main/krb5/CVE-2014-5354.patch b/main/krb5/CVE-2014-5354.patch
new file mode 100644
index 0000000000..01aef2c0ed
--- /dev/null
+++ b/main/krb5/CVE-2014-5354.patch
@@ -0,0 +1,113 @@
+From 04038bf3633c4b909b5ded3072dc88c8c419bf16 Mon Sep 17 00:00:00 2001
+From: Ben Kaduk <kaduk@mit.edu>
+Date: Wed, 19 Nov 2014 12:04:46 -0500
+Subject: [PATCH] Support keyless principals in LDAP [CVE-2014-5354]
+
+Operations like "kadmin -q 'addprinc -nokey foo'" or
+"kadmin -q 'purgekeys -all foo'" result in principal entries with
+no keys present, so krb5_encode_krbsecretkey() would just return
+NULL, which then got unconditionally dereferenced in
+krb5_add_ber_mem_ldap_mod().
+
+Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key
+principals better, correct the test for an allocation failure, and
+slightly restructure the cleanup handler to be shorter and more
+appropriate for the usage.  Once it no longer short-circuits when
+n_key_data is zero, it will produce an array of length two with both
+entries NULL, which is treated as an empty list by the LDAP library,
+the correct behavior for a keyless principal.
+
+However, attributes with empty values are only handled by the LDAP
+library for Modify operations, not Add operations (which only get
+a sequence of Attribute, with no operation field).  Therefore, only
+add an empty krbprincipalkey to the modlist when we will be performing a
+Modify, and not when we will be performing an Add, which is conditional
+on the (misspelled) create_standalone_prinicipal boolean.
+
+CVE-2014-5354:
+
+In MIT krb5, when kadmind is configured to use LDAP for the KDC
+database, an authenticated remote attacker can cause a NULL
+dereference by inserting into the database a principal entry which
+contains no long-term keys.
+
+In order for the LDAP KDC backend to translate a principal entry
+from the database abstraction layer into the form expected by the
+LDAP schema, the principal's keys are encoded into a
+NULL-terminated array of length-value entries to be stored in the
+LDAP database.  However, the subroutine which produced this array
+did not correctly handle the case where no keys were present,
+returning NULL instead of an empty array, and the array was
+unconditionally dereferenced while adding to the list of LDAP
+operations to perform.
+
+Versions of MIT krb5 prior to 1.12 did not expose a way for
+principal entries to have no long-term key material, and
+therefore are not vulnerable.
+
+    CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C
+
+ticket: 8041 (new)
+tags: pullup
+target_version: 1.13.1
+subject: kadmind with ldap backend crashes when putting keyless entries
+---
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 25 +++++++++++++++-------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index 3e560d9..10b5982 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -406,14 +406,14 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
+     int num_versions = 1;
+     int i, j, last;
+     krb5_error_code err = 0;
+-    krb5_key_data *key_data;
++    krb5_key_data *key_data = NULL;
+ 
+-    if (n_key_data <= 0)
++    if (n_key_data < 0)
+         return NULL;
+ 
+     /* Make a shallow copy of the key data so we can alter it. */
+     key_data = k5calloc(n_key_data, sizeof(*key_data), &err);
+-    if (key_data_in == NULL)
++    if (key_data == NULL)
+         goto cleanup;
+     memcpy(key_data, key_data_in, n_key_data * sizeof(*key_data));
+ 
+@@ -467,9 +467,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
+     free(key_data);
+     if (err != 0) {
+         if (ret != NULL) {
+-            for (i = 0; i <= num_versions; i++)
+-                if (ret[i] != NULL)
+-                    free (ret[i]);
++            for (i = 0; ret[i] != NULL; i++)
++                free (ret[i]);
+             free (ret);
+             ret = NULL;
+         }
+@@ -1036,9 +1035,19 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+         bersecretkey = krb5_encode_krbsecretkey (entry->key_data,
+                                                  entry->n_key_data, mkvno);
+ 
+-        if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
+-                                          LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
++        if (bersecretkey == NULL) {
++            st = ENOMEM;
+             goto cleanup;
++        }
++        /* An empty list of bervals is only accepted for modify operations,
++         * not add operations. */
++        if (bersecretkey[0] != NULL || !create_standalone_prinicipal) {
++            st = krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
++                                           LDAP_MOD_REPLACE | LDAP_MOD_BVALUES,
++                                           bersecretkey);
++            if (st != 0)
++                goto cleanup;
++        }
+ 
+         if (!(entry->mask & KADM5_PRINCIPAL)) {
+             memset(strval, 0, sizeof(strval));
author	Natanael Copa <ncopa@alpinelinux.org>	2015-01-30 09:39:05 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2015-01-30 09:39:05 +0000
commit	6c0f5b1515a834e3b68f2e199ccce1148f6c8054 (patch)
tree	780ace4e1939c124df34b8b8aa5a143dbf06cdd4 /main/krb5
parent	b53e06d83f6743f8a5b6a7bac9893af4033d27be (diff)
download	aports-6c0f5b1515a834e3b68f2e199ccce1148f6c8054.tar.bz2 aports-6c0f5b1515a834e3b68f2e199ccce1148f6c8054.tar.xz