Thu Aug 28 22:23:05 2014 UTC ()
Add fixes for CVE-2014-4341 and CVE-2014-4342 (one patch covers both),
CVE-2014-4343, CVE-2014-4344, and MITKRB5-SA-2014-001 (CVE-2014-4345).


(tez)
diff -r1.75 -r1.76 pkgsrc/security/mit-krb5/Makefile
diff -r1.47 -r1.48 pkgsrc/security/mit-krb5/distinfo
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-CVE-2014-4341
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-CVE-2014-4343
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-CVE-2014-4344

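--- a/pkgsrc/security/mit-krb5/Makefile
+++ b/pkgsrc/security/mit-krb5/Makefile
@@ -1,25 +1,25 @@
-# $NetBSD: Makefile,v 1.75 2014/05/29 23:37:20 wiz Exp $
+# $NetBSD: Makefile,v 1.76 2014/08/28 22:23:05 tez Exp $
 
 DISTNAME= krb5-1.10.7
 PKGNAME= mit-${DISTNAME}
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= security
 MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV:R}/
 EXTRACT_SUFX= .tar
 DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX}
 
-#PATCH_SITES= http://web.mit.edu/kerberos/advisories/
-#PATCHFILES= 2011-006-patch-r18.txt
+PATCH_SITES= http://web.mit.edu/kerberos/advisories/
+PATCHFILES= 2014-001-patch.txt
 
 MAINTAINER= tez@NetBSD.org
 HOMEPAGE= http://web.mit.edu/kerberos/
 COMMENT= MIT Kerberos 5 authentication system
 
 MAKE_JOBS_SAFE= no
 
 WRKSRC= ${WRKDIR}/${DISTNAME}/src
 
 BUILD_TARGET= generate-files-mac all
 
 .include "../../mk/bsd.prefs.mk"
 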
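Review bot: PATCHFILES now pulls 2014-001-patch.txt from a plain-http PATCH_SITES, so as far as this Makefile shows the only thing authenticating that patch is the SHA1/RMD160/Size triple recorded in distinfo; those hashes should be taken from a copy checked against the signature on MIT's advisory, not from whatever the first fetch returned. Nothing in the file says what the external patch is for, which makes it hard to know when it can be dropped on the next upstream bump; a one-line comment above PATCHFILES would fix that, e.g. `# MITKRB5-SA-2014-001 (CVE-2014-4345); verify against the signed advisory before updating distinfo`.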

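--- a/pkgsrc/security/mit-krb5/distinfo
+++ b/pkgsrc/security/mit-krb5/distinfo
@@ -1,18 +1,24 @@
-$NetBSD: distinfo,v 1.47 2013/12/03 14:08:53 adam Exp $
+$NetBSD: distinfo,v 1.48 2014/08/28 22:23:05 tez Exp $
 
+SHA1 (2014-001-patch.txt) = 919402bf3b7c289e847e9adc03a7c30f26966769
+RMD160 (2014-001-patch.txt) = a39c8e12e79ab273d562b04c1e7811c414dd70e8
+Size (2014-001-patch.txt) = 592 bytes
 SHA1 (krb5-1.10.7-signed.tar) = 982087d617d0b038676bbe8030047421683d508b
 RMD160 (krb5-1.10.7-signed.tar) = 16e3a2cdeb410d84d055431679eb81851ae685e9
 Size (krb5-1.10.7-signed.tar) = 11632640 bytes
+SHA1 (patch-CVE-2014-4341) = 97b316fb3c5dfc626827a13baa5dcf623d67da3c
+SHA1 (patch-CVE-2014-4343) = e7d4604d81671f71c9cd9461b65a9e87b5982baa
+SHA1 (patch-CVE-2014-4344) = b7ae530beaffcf1c095e6f94bdf608b7a140b064
 SHA1 (patch-aa) = 941848a1773dfbe51dff3134d4b8504a850a958d
 SHA1 (patch-ad) = b56a7218007560470179dd811c84b8c690c966ac
 SHA1 (patch-ae) = c7395b9de5baf6612b8787fad55dbc051a680bfd
 SHA1 (patch-af) = 1edab3a5f7eb6a7c5dc287e94ae4401c389dbabf
 SHA1 (patch-ag) = 69daa2cf6b231eeb7c9ed57a41bb7b800f6b926f
 SHA1 (patch-ah) = 4e40f36e8969974b3c2f68b2e3636921133c57ba
 SHA1 (patch-aj) = 8a00ca30db3c9c3c9a2f7506cdc4c5b20f7f42c6
 SHA1 (patch-ak) = 19d9b15048a5920ee15c82b33da50c40cf400e46
 SHA1 (patch-al) = 7445639b82eadf9b1feb1448c1654fa6ddc937aa
 SHA1 (patch-cf) = 806b089d3b12ea9a17c6caab59cbdeb6ec17bbc3
 SHA1 (patch-cg) = 30b1e8943b0cbe67f37bac6883f4bdd82776e6d1
 SHA1 (patch-ch) = 0f7f45aeb52907b52a2b143c3a2e36a7656c68c5
 SHA1 (patch-ci) = 4e310f0a4dfe27cf94d0e63d623590691b6c5970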

File Added: pkgsrc/security/mit-krb5/patches/Attic/patch-CVE-2014-4341
$NetBSD: patch-CVE-2014-4341,v 1.1 2014/08/28 22:23:05 tez Exp $

Fix for CVE-2014-4341 & CVE-2014-4342 from:
https://github.com/krb5/krb5/commit/e6ae703ae597d798e310368d52b8f38ee11c6a73


--- lib/gssapi/krb5/k5unseal.c
+++ lib/gssapi/krb5/k5unseal.c
@@ -74,6 +74,7 @@
     int conflen = 0;
     int signalg;
     int sealalg;
+    int bad_pad = 0;
     gss_buffer_desc token;
     krb5_checksum cksum;
     krb5_checksum md5cksum;
@@ -86,6 +87,7 @@
     krb5_ui_4 seqnum;
     OM_uint32 retval;
     size_t sumlen;
+    size_t padlen;
     krb5_keyusage sign_usage = KG_USAGE_SIGN;
 
     if (toktype == KG_TOK_SEAL_MSG) {
@@ -93,18 +95,23 @@
         message_buffer->value = NULL;
     }
 
-    /* get the sign and seal algorithms */
-
-    signalg = ptr[0] + (ptr[1]<<8);
-    sealalg = ptr[2] + (ptr[3]<<8);
-
     /* Sanity checks */
 
-    if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) {
+    if (ctx->seq == NULL) {
+        /* ctx was established using a newer enctype, and cannot process RFC
+         * 1964 tokens. */
         *minor_status = 0;
         return GSS_S_DEFECTIVE_TOKEN;
     }
 
+    if ((bodysize < 22) || (ptr[4] != 0xff) || (ptr[5] != 0xff)) {
+        *minor_status = 0;
+        return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    signalg = ptr[0] + (ptr[1]<<8);
+    sealalg = ptr[2] + (ptr[3]<<8);
+
     if ((toktype != KG_TOK_SEAL_MSG) &&
         (sealalg != 0xffff)) {
         *minor_status = 0;
@@ -153,6 +160,11 @@
         return GSS_S_DEFECTIVE_TOKEN;
     }
 
+    if ((size_t)bodysize < 14 + cksum_len) {
+        *minor_status = 0;
+        return GSS_S_DEFECTIVE_TOKEN;
+    }
+
     /* get the token parameters */
 
     if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction,
@@ -210,7 +222,20 @@
             token.length = tmsglen;
         } else {
             conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
-            token.length = tmsglen - conflen - plain[tmsglen-1];
+            if (tmsglen < conflen) {
+                if (sealalg != 0xffff)
+                    xfree(plain);
+                *minor_status = 0;
+                return(GSS_S_DEFECTIVE_TOKEN);
+            }
+            padlen = plain[tmsglen - 1];
+            if (tmsglen - conflen < padlen) {
+                /* Don't error out yet, to avoid padding oracle attacks.  We will
+                 * treat this as a checksum failure later on. */
+                padlen = 0;
+                bad_pad = 1;
+            }
+            token.length = tmsglen - conflen - padlen;
         }
 
         if (token.length) {
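Review bot: The early `return(GSS_S_DEFECTIVE_TOKEN)` on `tmsglen < conflen` sits directly beside a check that is deliberately deferred to avoid a padding oracle, and nothing records why the first one is safe to fail fast; a comment should state that tmsglen and conflen derive from the token length and the enctype, which the peer already knows, whereas `padlen` is read from decrypted bytes, e.g. `/* tmsglen and conflen are public (token length, enctype); only padlen depends on plaintext, so it must not fail early. */`. The read `plain[tmsglen - 1]` relies on `tmsglen >= conflen` and on kg_confounder_size() returning a positive size for every enctype that reaches here; the declarations of tmsglen and conflen and that helper's contract are outside this hunk, so if conflen can be 0 or negative an explicit `tmsglen == 0` guard is needed as well. The enclosing function starts before and continues after this hunk.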
@@ -423,7 +448,7 @@
 
     /* compare the computed checksum against the transmitted checksum */
 
-    if (code) {
+    if (code || bad_pad) {
         if (toktype == KG_TOK_SEAL_MSG)
             gssalloc_free(token.value);
         *minor_status = 0;

--- lib/gssapi/krb5/k5unsealiov.c
+++ lib/gssapi/krb5/k5unsealiov.c
@@ -69,7 +69,14 @@ kg_unseal_v1_iov(krb5_context context,
         return GSS_S_DEFECTIVE_TOKEN;
     }
 
-    if (header->buffer.length < token_wrapper_len + 14) {
+    if (ctx->seq == NULL) {
+        /* ctx was established using a newer enctype, and cannot process RFC
+         * 1964 tokens. */
+        *minor_status = 0;
+        return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    if (header->buffer.length < token_wrapper_len + 22) {
         *minor_status = 0;
         return GSS_S_DEFECTIVE_TOKEN;
     }
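Review bot: The new minimum `token_wrapper_len + 22` hard-codes the RFC 1964 header layout without naming it, and unlike the k5unseal.c half of this patch (which adds a `bodysize < 14 + cksum_len` check) nothing visible here bounds the checksum field by the actual checksum length once signalg is known; if a signing algorithm with a checksum longer than 8 bytes can reach kg_unseal_v1_iov, that read still needs its own bound later in the function, which is outside this hunk. A comment on the constant would make the intent auditable: `/* RFC 1964 token header: signalg(2) sealalg(2) filler(2) seqnum(8) cksum(>=8) */`. kg_unseal_v1_iov continues outside the hunk.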

File Added: pkgsrc/security/mit-krb5/patches/Attic/patch-CVE-2014-4343
$NetBSD: patch-CVE-2014-4343,v 1.1 2014/08/28 22:23:05 tez Exp $

fix for cve-2014-4343 from:
https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f


--- lib/gssapi/spnego/spnego_mech.c
+++ lib/gssapi/spnego/spnego_mech.c
@@ -796,7 +796,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
 	OM_uint32 tmpmin;
 	size_t i;
 
-	generic_gss_release_oid(&tmpmin, &sc->internal_mech);
 	gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
 			       GSS_C_NO_BUFFER);
 

File Added: pkgsrc/security/mit-krb5/patches/Attic/patch-CVE-2014-4344
$NetBSD: patch-CVE-2014-4344,v 1.1 2014/08/28 22:23:05 tez Exp $

fix for CVE-2014-4344 from:
https://github.com/krb5/krb5/commit/a7886f0ed1277c69142b14a2c6629175a6331edc

--- lib/gssapi/spnego/spnego_mech.c
+++ lib/gssapi/spnego/spnego_mech.c
@@ -1442,7 +1442,7 @@ acc_ctx_cont(OM_uint32 *minstat,
 
 	ptr = bufstart = buf->value;
 #define REMAIN (buf->length - (ptr - bufstart))
-	if (REMAIN > INT_MAX)
+	if (REMAIN == 0 || REMAIN > INT_MAX)
 		return GSS_S_DEFECTIVE_TOKEN;
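Review bot: The added `REMAIN == 0` test is evaluated after `ptr = bufstart = buf->value`, so for an empty token the macro still computes `ptr - bufstart` on whatever buf->value holds; if a caller passes a zero-length buffer with a NULL value, that is pointer subtraction on NULL, which C does not define even though the result is 0. Since ptr equals bufstart at this point, testing the length directly is equivalent and avoids the arithmetic: `if (buf->length == 0 || REMAIN > INT_MAX)`. Whether an empty continuation token arrives with a NULL value is not visible in the hunk; acc_ctx_cont begins before and continues after it.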
 
 	/*