[arch-commits] Commit in krb5/trunk (3 files)

Eric Bélanger eric at archlinux.org
Mon Aug 11 21:14:36 UTC 2014 

    Date: Monday, August 11, 2014 @ 23:14:36
  Author: eric
Revision: 219582

upgpkg: krb5 1.12.1-2

Fix for CVE-2014-4345

Added:
  krb5/trunk/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch
Modified:
  krb5/trunk/PKGBUILD
  krb5/trunk/krb5-config_LDFLAGS.patch

-----------------------------------------------------+
 PKGBUILD                                            |   19 +++--
 krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch |   64 ++++++++++++++++++
 krb5-config_LDFLAGS.patch                           |    4 -
 3 files changed, 77 insertions(+), 10 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2014-08-11 20:36:43 UTC (rev 219581)
+++ PKGBUILD	2014-08-11 21:14:36 UTC (rev 219582)
@@ -3,7 +3,7 @@
 
 pkgname=krb5
 pkgver=1.12.1
-pkgrel=1
+pkgrel=2
 pkgdesc="The Kerberos network authentication system"
 arch=('i686' 'x86_64')
 url="http://web.mit.edu/kerberos/"
@@ -12,20 +12,22 @@
 makedepends=('perl')
 backup=('etc/krb5.conf' 'var/lib/krb5kdc/kdc.conf')
 options=('!emptydirs')
-source=(http://web.mit.edu/kerberos/dist/${pkgname}/${pkgver%.*}/${pkgname}-${pkgver}-signed.tar
+source=(http://web.mit.edu/kerberos/dist/krb5/${pkgver%.*}/${pkgname}-${pkgver}-signed.tar
         krb5-config_LDFLAGS.patch
         krb5-kadmind.service
         krb5-kdc.service
         krb5-kpropd.service
         krb5-kpropd at .service
-        krb5-kpropd.socket)
+        krb5-kpropd.socket
+	krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch)
 sha1sums=('d59e8dc0fc9e1890e109cd033756539984e3d3fe'
-          '09e478cddfb9d46d2981dd25ef96b8c3fd91e1aa'
+          'f125824ed37f31e6fd2fdb6a437be8ff1c3700ab'
           '59bbc7e686cbb4bcefddf0f134d928d7bd5e7722'
           '2ef2476a8673b3b702e829d8f451c839c2273b02'
           '74d66aefd291f22dd80799f0437cc03d83083ed5'
           '6787c6ce2783b3f980c423e2dd4abf5236af670b'
-          'f3677d30dbbd7106c581379c2c6ebb1bf7738912')
+          'f3677d30dbbd7106c581379c2c6ebb1bf7738912'
+          '8273976824137df1d42a4f9c7bafdfbd92f27d0a')
 
 prepare() {
   # the signature and source are bundled together, so signature check needs to be done here
@@ -32,12 +34,13 @@
   _check_pgpsig
 
   tar -xf ${pkgname}-${pkgver}.tar.gz
-  cd ${pkgname}-${pkgver}/src
+  cd ${pkgname}-${pkgver}
   # cf https://bugs.gentoo.org/show_bug.cgi?id=448778
-  (cd build-tools;  patch -Np2 -i "${srcdir}"/krb5-config_LDFLAGS.patch; cd ..)
+  patch -p1 -i "${srcdir}"/krb5-config_LDFLAGS.patch
+  patch -p1 -i "${srcdir}"/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch
 
    # FS#25384
-   sed -i "/KRB5ROOT=/s/\/local//" util/ac_check_krb5.m4
+   sed -i "/KRB5ROOT=/s/\/local//" src/util/ac_check_krb5.m4
 }
 
 build() {

Added: krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch
===================================================================
--- krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch	                        (rev 0)
+++ krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch	2014-08-11 21:14:36 UTC (rev 219582)
@@ -0,0 +1,64 @@
+From 81c332e29f10887c6b9deb065f81ba259f4c7e03 Mon Sep 17 00:00:00 2001
+From: Tomas Kuthan <tkuthan at gmail.com>
+Date: Fri, 1 Aug 2014 15:25:50 +0200
+Subject: [PATCH] Fix LDAP key data segmentation [CVE-2014-4345]
+
+For principal entries having keys with multiple kvnos (due to use of
+-keepold), the LDAP KDB module makes an attempt to store all the keys
+having the same kvno into a single krbPrincipalKey attribute value.
+There is a fencepost error in the loop, causing currkvno to be set to
+the just-processed value instead of the next kvno.  As a result, the
+second and all following groups of multiple keys by kvno are each
+stored in two krbPrincipalKey attribute values.  Fix the loop to use
+the correct kvno value.
+
+CVE-2014-4345:
+
+In MIT krb5, when kadmind is configured to use LDAP for the KDC
+database, an authenticated remote attacker can cause it to perform an
+out-of-bounds write (buffer overrun) by performing multiple cpw
+-keepold operations.  An off-by-one error while copying key
+information to the new database entry results in keys sharing a common
+kvno being written to different array buckets, in an array whose size
+is determined by the number of kvnos present.  After sufficient
+iterations, the extra writes extend past the end of the
+(NULL-terminated) array.  The NULL terminator is always written after
+the end of the loop, so no out-of-bounds data is read, it is only
+written.
+
+Historically, it has been possible to convert an out-of-bounds write
+into remote code execution in some cases, though the necessary
+exploits must be tailored to the individual application and are
+usually quite complicated.  Depending on the allocated length of the
+array, an out-of-bounds write may also cause a segmentation fault
+and/or application crash.
+
+    CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
+
+[ghudson at mit.edu: clarified commit message]
+[kaduk at mit.edu: CVE summary, CVSSv2 vector]
+
+ticket: 7980 (new)
+target_version: 1.12.2
+tags: pullup
+---
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index ce851ea..df5934c 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
+             j++;
+             last = i + 1;
+ 
+-            currkvno = key_data[i].key_data_kvno;
++            if (i < n_key_data - 1)
++                currkvno = key_data[i + 1].key_data_kvno;
+         }
+     }
+     ret[num_versions] = NULL;
+-- 
+2.0.3
+

Modified: krb5-config_LDFLAGS.patch
===================================================================
--- krb5-config_LDFLAGS.patch	2014-08-11 20:36:43 UTC (rev 219581)
+++ krb5-config_LDFLAGS.patch	2014-08-11 21:14:36 UTC (rev 219582)
@@ -1,6 +1,6 @@
 Bug #448778
---- krb5-1.11/src/krb5-config.in	2012-12-18 02:47:04.000000000 +0000
-+++ krb5-1.11/src/krb5-config.in	2012-12-28 07:13:16.582693363 +0000
+--- krb5-1.11/src/build-tools/krb5-config.in	2012-12-18 02:47:04.000000000 +0000
++++ krb5-1.11/src/build-tools/krb5-config.in	2012-12-28 07:13:16.582693363 +0000
 @@ -217,7 +217,7 @@
  	    -e 's#\$(PROG_RPATH)#'$libdir'#' \
  	    -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \

More information about the arch-commits mailing list