Thu Aug 28 22:23:05 2014 UTC ()
Add fixes for CVE-2014-4341, CVE-2014-4342 (same patch as CVE-2014-4341),
CVE-2014-4343, CVE-2014-4344 & MITKRB5-SA-2014-001 (CVE-2014-4345).
(tez)
diff -r1.75 -r1.76 pkgsrc/security/mit-krb5/Makefile
diff -r1.47 -r1.48 pkgsrc/security/mit-krb5/distinfo
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-CVE-2014-4341
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-CVE-2014-4343
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-CVE-2014-4344
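--- a/pkgsrc/security/mit-krb5/Makefile
+++ b/pkgsrc/security/mit-krb5/Makefile
@@ -1,25 +1,25 @@
-# $NetBSD: Makefile,v 1.75 2014/05/29 23:37:20 wiz Exp $
+# $NetBSD: Makefile,v 1.76 2014/08/28 22:23:05 tez Exp $
 
 DISTNAME= krb5-1.10.7
 PKGNAME= mit-${DISTNAME}
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= security
 MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV:R}/
 EXTRACT_SUFX= .tar
 DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX}
 
-#PATCH_SITES= http://web.mit.edu/kerberos/advisories/
-#PATCHFILES= 2011-006-patch-r18.txt
+PATCH_SITES= http://web.mit.edu/kerberos/advisories/
+PATCHFILES= 2014-001-patch.txt
 
 MAINTAINER= tez@NetBSD.org
 HOMEPAGE= http://web.mit.edu/kerberos/
 COMMENT= MIT Kerberos 5 authentication system
 
 MAKE_JOBS_SAFE= no
 
 WRKSRC= ${WRKDIR}/${DISTNAME}/src
 
 BUILD_TARGET= generate-files-mac all
 
 .include "../../mk/bsd.prefs.mk"
 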
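--- a/pkgsrc/security/mit-krb5/distinfo
+++ b/pkgsrc/security/mit-krb5/distinfo
@@ -1,18 +1,24 @@
-$NetBSD: distinfo,v 1.47 2013/12/03 14:08:53 adam Exp $
+$NetBSD: distinfo,v 1.48 2014/08/28 22:23:05 tez Exp $
 
+SHA1 (2014-001-patch.txt) = 919402bf3b7c289e847e9adc03a7c30f26966769
+RMD160 (2014-001-patch.txt) = a39c8e12e79ab273d562b04c1e7811c414dd70e8
+Size (2014-001-patch.txt) = 592 bytes
 SHA1 (krb5-1.10.7-signed.tar) = 982087d617d0b038676bbe8030047421683d508b
 RMD160 (krb5-1.10.7-signed.tar) = 16e3a2cdeb410d84d055431679eb81851ae685e9
 Size (krb5-1.10.7-signed.tar) = 11632640 bytes
+SHA1 (patch-CVE-2014-4341) = 97b316fb3c5dfc626827a13baa5dcf623d67da3c
+SHA1 (patch-CVE-2014-4343) = e7d4604d81671f71c9cd9461b65a9e87b5982baa
+SHA1 (patch-CVE-2014-4344) = b7ae530beaffcf1c095e6f94bdf608b7a140b064
 SHA1 (patch-aa) = 941848a1773dfbe51dff3134d4b8504a850a958d
 SHA1 (patch-ad) = b56a7218007560470179dd811c84b8c690c966ac
 SHA1 (patch-ae) = c7395b9de5baf6612b8787fad55dbc051a680bfd
 SHA1 (patch-af) = 1edab3a5f7eb6a7c5dc287e94ae4401c389dbabf
 SHA1 (patch-ag) = 69daa2cf6b231eeb7c9ed57a41bb7b800f6b926f
 SHA1 (patch-ah) = 4e40f36e8969974b3c2f68b2e3636921133c57ba
 SHA1 (patch-aj) = 8a00ca30db3c9c3c9a2f7506cdc4c5b20f7f42c6
 SHA1 (patch-ak) = 19d9b15048a5920ee15c82b33da50c40cf400e46
 SHA1 (patch-al) = 7445639b82eadf9b1feb1448c1654fa6ddc937aa
 SHA1 (patch-cf) = 806b089d3b12ea9a17c6caab59cbdeb6ec17bbc3
 SHA1 (patch-cg) = 30b1e8943b0cbe67f37bac6883f4bdd82776e6d1
 SHA1 (patch-ch) = 0f7f45aeb52907b52a2b143c3a2e36a7656c68c5
 SHA1 (patch-ci) = 4e310f0a4dfe27cf94d0e63d623590691b6c5970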
$NetBSD: patch-CVE-2014-4341,v 1.1 2014/08/28 22:23:05 tez Exp $
Fix for CVE-2014-4341 & CVE-2014-4342 from:
https://github.com/krb5/krb5/commit/e6ae703ae597d798e310368d52b8f38ee11c6a73
--- lib/gssapi/krb5/k5unseal.c
+++ lib/gssapi/krb5/k5unseal.c
@@ -74,6 +74,7 @@
int conflen = 0;
int signalg;
int sealalg;
+ int bad_pad = 0;
gss_buffer_desc token;
krb5_checksum cksum;
krb5_checksum md5cksum;
@@ -86,6 +87,7 @@
krb5_ui_4 seqnum;
OM_uint32 retval;
size_t sumlen;
+ size_t padlen;
krb5_keyusage sign_usage = KG_USAGE_SIGN;
if (toktype == KG_TOK_SEAL_MSG) {
@@ -93,18 +95,23 @@
message_buffer->value = NULL;
}
- /* get the sign and seal algorithms */
-
- signalg = ptr[0] + (ptr[1]<<8);
- sealalg = ptr[2] + (ptr[3]<<8);
-
/* Sanity checks */
- if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) {
+ if (ctx->seq == NULL) {
+ /* ctx was established using a newer enctype, and cannot process RFC
+ * 1964 tokens. */
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
+ if ((bodysize < 22) || (ptr[4] != 0xff) || (ptr[5] != 0xff)) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+ signalg = ptr[0] + (ptr[1]<<8);
+ sealalg = ptr[2] + (ptr[3]<<8);
+
if ((toktype != KG_TOK_SEAL_MSG) &&
(sealalg != 0xffff)) {
*minor_status = 0;
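Review bot: The new minimum-length test `if ((bodysize < 22) || (ptr[4] != 0xff) || (ptr[5] != 0xff))` uses a bare literal, and the same `22` reappears as `token_wrapper_len + 22` in the k5unsealiov.c hunk further down this file; neither site says what the number means. It is the fixed RFC 1964 token header — 2-byte SGN_ALG, SEAL_ALG and filler, 8-byte SND_SEQ, and an 8-byte minimum SGN_CKSUM — so a shared comment or named constant would keep the two checks in step, e.g. `/* 22 = alg/filler header (6) + seq (8) + minimum checksum (8), RFC 1964 */`. The ordering is the important part of the fix: `ptr[0..5]` are now only read after the length test, so any later edit must keep the length check first. The enclosing function starts before this hunk.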
@@ -153,6 +160,11 @@
return GSS_S_DEFECTIVE_TOKEN;
}
+ if ((size_t)bodysize < 14 + cksum_len) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
/* get the token parameters */
if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction,
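Review bot: The added guard `if ((size_t)bodysize < 14 + cksum_len)` casts `bodysize` (apparently signed, given the cast) to `size_t`, which is only safe because the earlier `bodysize < 22` test in this function has already rejected negative values; a comment recording that dependency would stop the two checks from being reordered independently, e.g. `/* bodysize >= 22 was checked above, so the size_t cast cannot wrap */`. The `14` is the offset at which `ptr+14` on the following line reads the checksum, behind the 6-byte algorithm header and 8-byte sequence number (`ptr+6`), and is worth naming alongside it. The enclosing function starts before and ends after this hunk.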
@@ -210,7 +222,20 @@
token.length = tmsglen;
} else {
conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
- token.length = tmsglen - conflen - plain[tmsglen-1];
+ if (tmsglen < conflen) {
+ if (sealalg != 0xffff)
+ xfree(plain);
+ *minor_status = 0;
+ return(GSS_S_DEFECTIVE_TOKEN);
+ }
+ padlen = plain[tmsglen - 1];
+ if (tmsglen - conflen < padlen) {
+ /* Don't error out yet, to avoid padding oracle attacks. We will
+ * treat this as a checksum failure later on. */
+ padlen = 0;
+ bad_pad = 1;
+ }
+ token.length = tmsglen - conflen - padlen;
}
if (token.length) {
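Review bot: `if (tmsglen < conflen)` compares tmsglen with `int conflen`, whose value comes from `kg_confounder_size()` on the line above; if that helper can signal failure with a negative return, the outcome of the comparison depends on the signedness of tmsglen, which is not visible in this hunk, and a signed tmsglen would let a negative confounder size reach `tmsglen - conflen - padlen`. Rejecting it explicitly, `if (conflen < 0 || tmsglen < conflen)`, makes the check independent of that declaration. The padding-oracle handling itself reads correctly: `padlen` is clamped to 0 and `bad_pad` set, so the function continues to the checksum comparison rather than exiting early. The enclosing function starts before and ends after this hunk.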
@@ -423,7 +448,7 @@
/* compare the computed checksum against the transmitted checksum */
- if (code) {
+ if (code || bad_pad) {
if (toktype == KG_TOK_SEAL_MSG)
gssalloc_free(token.value);
*minor_status = 0;
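Review bot: `if (code || bad_pad)` folds the invalid-padding case into the checksum-failure path without saying why at this point in the function; the rationale lives only in the comment where `bad_pad` is set, some 200 lines earlier. A short comment here, `/* bad_pad: report invalid padding as a checksum failure so the two cases are indistinguishable to the peer */`, would keep a later cleanup from splitting the conditions and reintroducing the distinguishable error. The enclosing function starts before and ends after this hunk.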
--- lib/gssapi/krb5/k5unsealiov.c
+++ lib/gssapi/krb5/k5unsealiov.c
@@ -69,7 +69,14 @@ kg_unseal_v1_iov(krb5_context context,
return GSS_S_DEFECTIVE_TOKEN;
}
- if (header->buffer.length < token_wrapper_len + 14) {
+ if (ctx->seq == NULL) {
+ /* ctx was established using a newer enctype, and cannot process RFC
+ * 1964 tokens. */
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+ if (header->buffer.length < token_wrapper_len + 22) {
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
$NetBSD: patch-CVE-2014-4343,v 1.1 2014/08/28 22:23:05 tez Exp $
fix for cve-2014-4343 from:
https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f
--- lib/gssapi/spnego/spnego_mech.c
+++ lib/gssapi/spnego/spnego_mech.c
@@ -796,7 +796,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
OM_uint32 tmpmin;
size_t i;
- generic_gss_release_oid(&tmpmin, &sc->internal_mech);
gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
GSS_C_NO_BUFFER);
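Review bot: Removing `generic_gss_release_oid(&tmpmin, &sc->internal_mech);` leaves no explanation at the call site of why `sc->internal_mech` must not be released in init_ctx_reselect, so a future cleanup could reintroduce the release this patch takes out. Presumably the OID is owned and freed elsewhere rather than being a private copy of this context; a one-line comment before `gss_delete_sec_context`, e.g. `/* internal_mech is not owned here; it is released with its owner, not on reselect */`, would record that ownership. The enclosing function starts before and ends after this hunk.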
$NetBSD: patch-CVE-2014-4344,v 1.1 2014/08/28 22:23:05 tez Exp $
fix for CVE-2014-4344 from:
https://github.com/krb5/krb5/commit/a7886f0ed1277c69142b14a2c6629175a6331edc
--- lib/gssapi/spnego/spnego_mech.c
+++ lib/gssapi/spnego/spnego_mech.c
@@ -1442,7 +1442,7 @@ acc_ctx_cont(OM_uint32 *minstat,
ptr = bufstart = buf->value;
#define REMAIN (buf->length - (ptr - bufstart))
- if (REMAIN > INT_MAX)
+ if (REMAIN == 0 || REMAIN > INT_MAX)
return GSS_S_DEFECTIVE_TOKEN;
/*