summaryrefslogtreecommitdiffstats
path: root/import-layers/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
diff options
context:
space:
mode:
Diffstat (limited to 'import-layers/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch')
-rw-r--r--import-layers/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch116
1 files changed, 0 insertions, 116 deletions
diff --git a/import-layers/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch b/import-layers/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
deleted file mode 100644
index a2eb7bc02..000000000
--- a/import-layers/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970]
-
-Backport patch to fix CVE-2017-11368.
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
----
-From ffb35baac6981f9e8914f8f3bffd37f284b85970 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Thu, 13 Jul 2017 12:14:20 -0400
-Subject: [PATCH] Prevent KDC unset status assertion failures
-
-Assign status values if S4U2Self padata fails to decode, if an
-S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
-uses an evidence ticket which does not match the canonicalized request
-server principal name. Reported by Samuel Cabrero.
-
-If a status value is not assigned during KDC processing, default to
-"UNKNOWN_REASON" rather than failing an assertion. This change will
-prevent future denial of service bugs due to similar mistakes, and
-will allow us to omit assigning status values for unlikely errors such
-as small memory allocation failures.
-
-CVE-2017-11368:
-
-In MIT krb5 1.7 and later, an authenticated attacker can cause an
-assertion failure in krb5kdc by sending an invalid S4U2Self or
-S4U2Proxy request.
-
- CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
-
-ticket: 8599 (new)
-target_version: 1.15-next
-target_version: 1.14-next
-tags: pullup
----
- src/kdc/do_as_req.c | 4 ++--
- src/kdc/do_tgs_req.c | 3 ++-
- src/kdc/kdc_util.c | 10 ++++++++--
- 3 files changed, 12 insertions(+), 5 deletions(-)
-
-diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
-index 2d3ad13..9b256c8 100644
---- a/src/kdc/do_as_req.c
-+++ b/src/kdc/do_as_req.c
-@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
- did_log = 1;
-
- egress:
-- if (errcode != 0)
-- assert (state->status != 0);
-+ if (errcode != 0 && state->status == NULL)
-+ state->status = "UNKNOWN_REASON";
-
- au_state->status = state->status;
- au_state->reply = &state->reply;
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index cdc79ad..d8d6719 100644
---- a/src/kdc/do_tgs_req.c
-+++ b/src/kdc/do_tgs_req.c
-@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
- free(reply.enc_part.ciphertext.data);
-
- cleanup:
-- assert(status != NULL);
-+ if (status == NULL)
-+ status = "UNKNOWN_REASON";
- if (reply_key)
- krb5_free_keyblock(kdc_context, reply_key);
- if (errcode)
-diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
-index 778a629..b710aef 100644
---- a/src/kdc/kdc_util.c
-+++ b/src/kdc/kdc_util.c
-@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
- req_data.data = (char *)pa_data->contents;
-
- code = decode_krb5_pa_for_user(&req_data, &for_user);
-- if (code)
-+ if (code) {
-+ *status = "DECODE_PA_FOR_USER";
- return code;
-+ }
-
- code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
- if (code) {
-@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
- req_data.data = (char *)pa_data->contents;
-
- code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
-- if (code)
-+ if (code) {
-+ *status = "DECODE_PA_S4U_X509_USER";
- return code;
-+ }
-
- code = verify_s4u_x509_user_checksum(context,
- tgs_subkey ? tgs_subkey :
-@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
- * that is validated previously in validate_tgs_request().
- */
- if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
-+ *status = "INVALID_S4U2PROXY_OPTIONS";
- return KRB5KDC_ERR_BADOPTION;
- }
-
-@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
- if (!krb5_principal_compare(kdc_context,
- server->princ, /* after canon */
- server_princ)) {
-+ *status = "EVIDENCE_TICKET_MISMATCH";
- return KRB5KDC_ERR_SERVER_NOMATCH;
- }
-
---
-2.10.1
-
OpenPOWER on IntegriCloud