Update to 1.19.2
This commit is contained in:
yixiangzhike
parent
27f2561001
commit
c3d17f8035
@ -1,113 +0,0 @@
|
|||||||
From 791211b00a53b394376d096c881b725ee739a936 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
||||||
Date: Wed, 7 Jul 2021 11:47:44 +1200
|
|
||||||
Subject: [PATCH] Fix KDC null deref on bad encrypted challenge
|
|
||||||
|
|
||||||
The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
|
|
||||||
to avoid further processing if the armor key is NULL. However, this
|
|
||||||
check is bypassed by a call to k5memdup0() which overwrites retval
|
|
||||||
with 0 if the allocation succeeds. If the armor key is NULL, a call
|
|
||||||
to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
|
|
||||||
crash. Add a check before the k5memdup0() call to avoid overwriting
|
|
||||||
retval.
|
|
||||||
|
|
||||||
CVE-2021-36222:
|
|
||||||
|
|
||||||
In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
|
|
||||||
cause a null dereference in the KDC by sending a request containing a
|
|
||||||
PA-ENCRYPTED-CHALLENGE padata element without using FAST.
|
|
||||||
|
|
||||||
[ghudson@mit.edu: trimmed patch; added test case; edited commit
|
|
||||||
message]
|
|
||||||
|
|
||||||
ticket: 9007 (new)
|
|
||||||
tags: pullup
|
|
||||||
target_version: 1.19-next
|
|
||||||
target_version: 1.18-next
|
|
||||||
|
|
||||||
(cherry picked from commit fc98f520caefff2e5ee9a0026fdf5109944b3562)
|
|
||||||
---
|
|
||||||
src/kdc/kdc_preauth_ec.c | 3 ++-
|
|
||||||
src/tests/Makefile.in | 1 +
|
|
||||||
src/tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++
|
|
||||||
3 files changed, 49 insertions(+), 1 deletion(-)
|
|
||||||
create mode 100644 src/tests/t_cve-2021-36222.py
|
|
||||||
|
|
||||||
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
|
|
||||||
index 7e636b3f9..43a9902cc 100644
|
|
||||||
--- a/src/kdc/kdc_preauth_ec.c
|
|
||||||
+++ b/src/kdc/kdc_preauth_ec.c
|
|
||||||
@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check for a configured FAST ec auth indicator. */
|
|
||||||
- realmstr = k5memdup0(realm.data, realm.length, &retval);
|
|
||||||
+ if (retval == 0)
|
|
||||||
+ realmstr = k5memdup0(realm.data, realm.length, &retval);
|
|
||||||
if (realmstr != NULL)
|
|
||||||
retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
|
|
||||||
realmstr,
|
|
||||||
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
|
|
||||||
index ab416cc5f..20f27d748 100644
|
|
||||||
--- a/src/tests/Makefile.in
|
|
||||||
+++ b/src/tests/Makefile.in
|
|
||||||
@@ -159,6 +159,7 @@ check-pytests: unlockiter s4u2self
|
|
||||||
$(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
|
|
||||||
$(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
|
|
||||||
$(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS)
|
|
||||||
+ $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS)
|
|
||||||
$(RM) au.log
|
|
||||||
$(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS)
|
|
||||||
$(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \
|
|
||||||
diff --git a/src/tests/t_cve-2021-36222.py b/src/tests/t_cve-2021-36222.py
|
|
||||||
new file mode 100644
|
|
||||||
index 000000000..57e04993b
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/src/tests/t_cve-2021-36222.py
|
|
||||||
@@ -0,0 +1,46 @@
|
|
||||||
+import socket
|
|
||||||
+from k5test import *
|
|
||||||
+
|
|
||||||
+realm = K5Realm()
|
|
||||||
+
|
|
||||||
+# CVE-2021-36222 KDC null dereference on encrypted challenge preauth
|
|
||||||
+# without FAST
|
|
||||||
+
|
|
||||||
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
|
||||||
+a = (hostname, realm.portbase)
|
|
||||||
+
|
|
||||||
+m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE
|
|
||||||
+ 'A103' '0201' '05' # [1] pvno = 5
|
|
||||||
+ 'A203' '0201' '0A' # [2] msg-type = 10
|
|
||||||
+ 'A30E' '300C' # [3] padata = SEQUENCE OF
|
|
||||||
+ '300A' # SEQUENCE
|
|
||||||
+ 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE
|
|
||||||
+ 'A202' '0400' # [2] padata-value = ""
|
|
||||||
+ 'A48180' '307E' # [4] req-body = SEQUENCE
|
|
||||||
+ 'A007' '0305' '0000000000' # [0] kdc-options = 0
|
|
||||||
+ 'A120' '301E' # [1] cname = SEQUENCE
|
|
||||||
+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
|
|
||||||
+ 'A117' '3015' # [1] name-string = SEQUENCE-OF
|
|
||||||
+ '1B06' '6B7262746774' # krbtgt
|
|
||||||
+ '1B0B' '4B5242544553542E434F4D'
|
|
||||||
+ # KRBTEST.COM
|
|
||||||
+ 'A20D' '1B0B' '4B5242544553542E434F4D'
|
|
||||||
+ # [2] realm = KRBTEST.COM
|
|
||||||
+ 'A320' '301E' # [3] sname = SEQUENCE
|
|
||||||
+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
|
|
||||||
+ 'A117' '3015' # [1] name-string = SEQUENCE-OF
|
|
||||||
+ '1B06' '6B7262746774' # krbtgt
|
|
||||||
+ '1B0B' '4B5242544553542E434F4D'
|
|
||||||
+ # KRBTEST.COM
|
|
||||||
+ 'A511' '180F' '31393934303631303036303331375A'
|
|
||||||
+ # [5] till = 19940610060317Z
|
|
||||||
+ 'A703' '0201' '00' # [7] nonce = 0
|
|
||||||
+ 'A808' '3006' # [8] etype = SEQUENCE OF
|
|
||||||
+ '020112' '020111') # aes256-cts aes128-cts
|
|
||||||
+
|
|
||||||
+s.sendto(bytes.fromhex(m), a)
|
|
||||||
+
|
|
||||||
+# Make sure kinit still works.
|
|
||||||
+realm.kinit(realm.user_princ, password('user'))
|
|
||||||
+
|
|
||||||
+success('CVE-2021-36222 regression test')
|
|
||||||
2
kdc.conf
2
kdc.conf
@ -8,5 +8,5 @@
|
|||||||
acl_file = /var/kerberos/krb5kdc/kadm5.acl
|
acl_file = /var/kerberos/krb5kdc/kadm5.acl
|
||||||
dict_file = /usr/share/dict/words
|
dict_file = /usr/share/dict/words
|
||||||
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
|
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
|
||||||
permitted_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
|
supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1,16 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmAuntAACgkQDLoIV1+D
|
|
||||||
ct8TIhAArFittFBcz4ZfMxqhHVGdK6kOeQXrrV27d3FW6y28BvS7yHJ8CkyK+I3g
|
|
||||||
4rsaaf7srkH8jaiCjmjHC2rWJIuceOwkD4GRqXtb2CiqKxXI9eZ+g9ipB7DGKixg
|
|
||||||
+1nki7mOhd3oaeUkCRFXgyiOqSE/ird7/itLYzEoAroLpTazNp6Kk4gXmhJIENlq
|
|
||||||
dj1God+JxhuwzzWZRdsy2SyvMQPQMOTIilsXRboObZFvPrhZKkJmgNm+RzU/YRSg
|
|
||||||
/1Po7takBXq8qhgnwPHTnTPb+BYRdrqQc/a2WcmEdgbzeMpijNmkFsgAFeKDijSz
|
|
||||||
1nmFO4SQd/rAfgUovkDd+GMAYZ6DCLFqoI/WeKOgCrRMxJMMRbLlr48bTvMwjuIl
|
|
||||||
xE5gy8h2Iju/UP1lxz8KheCm/FyNzNw4pe74zbGgK5fdiEQ8xNlKZOs9LRrtvyfL
|
|
||||||
j1G+IX6cK+5yTo/NceYjnHVAatbuW6C6xJmsIQ1GYdMPvto7Wctq/4/BmwxqgFAJ
|
|
||||||
HCPuQgAGi875JpPYvi/c3tioRiIPwOz54CXCrcFyKELvgHi6lGN6MRNSzAP4QdA0
|
|
||||||
HlXZQ4/4NFOJxjLGu9ZXKUbYPaGizhI+ayzg5/RJLHPIgW7yLvwFqkBIa1xs26bA
|
|
||||||
xiP5JKuDC4mqDPwVjwpufkUBH6SoBFnbiIWEYSKVPLJFw+Dbhv0=
|
|
||||||
=PP6r
|
|
||||||
-----END PGP SIGNATURE-----
|
|
||||||
Binary file not shown.
16
krb5-1.19.2.tar.gz.asc
Normal file
16
krb5-1.19.2.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmD5qLoACgkQDLoIV1+D
|
||||||
|
ct9NEw//XhDJPE38UzvURT/RsuL3TQZoHGHtRA/seXcKkrX1wFLUjnOUK39RxzkS
|
||||||
|
5y0BGOBoByGlqMxcpBlQv3mdtOAkdbgUtb9sT90eUObsG3cqa/0ou3Nm2ta+UNb7
|
||||||
|
UC72UC9ZCXzUEl3be2/q/geHHE69e62t4YGcnwZ4koI3b/cZU6xL3N0ox9Gxdi37
|
||||||
|
+rUe7i5TZAKvKo+eKhLpC/k1F0HSvLzxcPyRlfpAYb607lvc4MYNvbOZZUk8aNEt
|
||||||
|
0OhoSak1mXSdYwt4HHTj2NY1q5d+wviGOYby/Q1Wv7qVZHLFvCCr7Lr7ba0bIWas
|
||||||
|
cYl13OgLq2uwA85k9/BzAxIgPVpMpt0aRaoTeiH2fKm8kNA9YfIagyRgX4vNfFWp
|
||||||
|
RKXpVu5SFNMgFVAHJu/QID8Lf8YV/PU4H7kdMyFy9gA66nTN4KvdeoRyrHgv2r1c
|
||||||
|
c5MhV9bJDDFalC1VLYTJ3iSZFy5Y95wrr59KI2OTQKgQxsylfGXW+OR1hWKua5Y5
|
||||||
|
nqF0b/TKiryrdah3aw2Ac78MggC+3RDHQ8yHG4tC0/nJzbf4WnP6lqUJhQIat+lE
|
||||||
|
g62Kh+fAUjuYw/8tuxVUFlMMa9cDHV7XGGYQS/JoUq/BaGWheNYrvPXxr4u0oSOa
|
||||||
|
kJyOUfZuJvgiDakbEAuVNm8Gr6lKDH/omn8dl9r/CHdyEANqvi0=
|
||||||
|
=QM0F
|
||||||
|
-----END PGP SIGNATURE-----
|
||||||
10
krb5.spec
10
krb5.spec
@ -2,8 +2,8 @@
|
|||||||
%global WITH_DIRSRV 1
|
%global WITH_DIRSRV 1
|
||||||
|
|
||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.19.1
|
Version: 1.19.2
|
||||||
Release: 3
|
Release: 1
|
||||||
Summary: The Kerberos network authentication protocol
|
Summary: The Kerberos network authentication protocol
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://web.mit.edu/kerberos/www/
|
URL: http://web.mit.edu/kerberos/www/
|
||||||
@ -26,8 +26,7 @@ Patch3: netlib-and-dns.patch
|
|||||||
Patch4: fix-debuginfo-with-y.tab.c.patch
|
Patch4: fix-debuginfo-with-y.tab.c.patch
|
||||||
Patch5: Remove-3des-support.patch
|
Patch5: Remove-3des-support.patch
|
||||||
Patch6: FIPS-with-PRNG-and-RADIUS-and-MD4.patch
|
Patch6: FIPS-with-PRNG-and-RADIUS-and-MD4.patch
|
||||||
Patch7: backport-CVE-2021-36222.patch
|
Patch7: backport-CVE-2021-37750.patch
|
||||||
Patch8: backport-CVE-2021-37750.patch
|
|
||||||
|
|
||||||
BuildRequires: gettext
|
BuildRequires: gettext
|
||||||
BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
|
BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
|
||||||
@ -319,6 +318,9 @@ make -C src check || :
|
|||||||
%{_mandir}/man8/*
|
%{_mandir}/man8/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Dec 24 2021 yixiangzhike <yixiangzhike007@163.com> - 1.19.2-1
|
||||||
|
- Update to 1.19.2
|
||||||
|
|
||||||
* Tue Aug 24 2021 gaoyusong <gaoyusong1@huawei.com> - 1.19.1-3
|
* Tue Aug 24 2021 gaoyusong <gaoyusong1@huawei.com> - 1.19.1-3
|
||||||
- Fix CVE-2021-37750
|
- Fix CVE-2021-37750
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user