[arch-commits] Commit in krb5/repos (18 files)

Eric Bélanger eric at archlinux.org
Mon Aug 11 21:19:34 UTC 2014


    Date: Monday, August 11, 2014 @ 23:19:33
  Author: eric
Revision: 219583

archrelease: copy trunk to testing-i686, testing-x86_64

Added:
  krb5/repos/testing-i686/
  krb5/repos/testing-i686/PKGBUILD
    (from rev 219582, krb5/trunk/PKGBUILD)
  krb5/repos/testing-i686/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch
    (from rev 219582, krb5/trunk/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch)
  krb5/repos/testing-i686/krb5-config_LDFLAGS.patch
    (from rev 219582, krb5/trunk/krb5-config_LDFLAGS.patch)
  krb5/repos/testing-i686/krb5-kadmind.service
    (from rev 219582, krb5/trunk/krb5-kadmind.service)
  krb5/repos/testing-i686/krb5-kdc.service
    (from rev 219582, krb5/trunk/krb5-kdc.service)
  krb5/repos/testing-i686/krb5-kpropd.service
    (from rev 219582, krb5/trunk/krb5-kpropd.service)
  krb5/repos/testing-i686/krb5-kpropd.socket
    (from rev 219582, krb5/trunk/krb5-kpropd.socket)
  krb5/repos/testing-i686/krb5-kpropd at .service
    (from rev 219582, krb5/trunk/krb5-kpropd at .service)
  krb5/repos/testing-x86_64/
  krb5/repos/testing-x86_64/PKGBUILD
    (from rev 219582, krb5/trunk/PKGBUILD)
  krb5/repos/testing-x86_64/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch
    (from rev 219582, krb5/trunk/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch)
  krb5/repos/testing-x86_64/krb5-config_LDFLAGS.patch
    (from rev 219582, krb5/trunk/krb5-config_LDFLAGS.patch)
  krb5/repos/testing-x86_64/krb5-kadmind.service
    (from rev 219582, krb5/trunk/krb5-kadmind.service)
  krb5/repos/testing-x86_64/krb5-kdc.service
    (from rev 219582, krb5/trunk/krb5-kdc.service)
  krb5/repos/testing-x86_64/krb5-kpropd.service
    (from rev 219582, krb5/trunk/krb5-kpropd.service)
  krb5/repos/testing-x86_64/krb5-kpropd.socket
    (from rev 219582, krb5/trunk/krb5-kpropd.socket)
  krb5/repos/testing-x86_64/krb5-kpropd at .service
    (from rev 219582, krb5/trunk/krb5-kpropd at .service)

--------------------------------------------------------------------+
 testing-i686/PKGBUILD                                              |  142 ++++++++++
 testing-i686/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch   |   64 ++++
 testing-i686/krb5-config_LDFLAGS.patch                             |   12 
 testing-i686/krb5-kadmind.service                                  |    8 
 testing-i686/krb5-kdc.service                                      |    9 
 testing-i686/krb5-kpropd.service                                   |    8 
 testing-i686/krb5-kpropd.socket                                    |    9 
 testing-i686/krb5-kpropd at .service                                  |    8 
 testing-x86_64/PKGBUILD                                            |  142 ++++++++++
 testing-x86_64/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch |   64 ++++
 testing-x86_64/krb5-config_LDFLAGS.patch                           |   12 
 testing-x86_64/krb5-kadmind.service                                |    8 
 testing-x86_64/krb5-kdc.service                                    |    9 
 testing-x86_64/krb5-kpropd.service                                 |    8 
 testing-x86_64/krb5-kpropd.socket                                  |    9 
 testing-x86_64/krb5-kpropd at .service                                |    8 
 16 files changed, 520 insertions(+)

Copied: krb5/repos/testing-i686/PKGBUILD (from rev 219582, krb5/trunk/PKGBUILD)
===================================================================
--- testing-i686/PKGBUILD	                        (rev 0)
+++ testing-i686/PKGBUILD	2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,142 @@
+# $Id$
+# Maintainer: Stéphane Gaudreault <stephane at archlinux.org>
+
+pkgname=krb5
+pkgver=1.12.1
+pkgrel=2
+pkgdesc="The Kerberos network authentication system"
+arch=('i686' 'x86_64')
+url="http://web.mit.edu/kerberos/"
+license=('custom')
+depends=('e2fsprogs' 'libldap' 'keyutils')
+makedepends=('perl')
+backup=('etc/krb5.conf' 'var/lib/krb5kdc/kdc.conf')
+options=('!emptydirs')
+source=(http://web.mit.edu/kerberos/dist/krb5/${pkgver%.*}/${pkgname}-${pkgver}-signed.tar
+        krb5-config_LDFLAGS.patch
+        krb5-kadmind.service
+        krb5-kdc.service
+        krb5-kpropd.service
+        krb5-kpropd at .service
+        krb5-kpropd.socket
+	krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch)
+sha1sums=('d59e8dc0fc9e1890e109cd033756539984e3d3fe'
+          'f125824ed37f31e6fd2fdb6a437be8ff1c3700ab'
+          '59bbc7e686cbb4bcefddf0f134d928d7bd5e7722'
+          '2ef2476a8673b3b702e829d8f451c839c2273b02'
+          '74d66aefd291f22dd80799f0437cc03d83083ed5'
+          '6787c6ce2783b3f980c423e2dd4abf5236af670b'
+          'f3677d30dbbd7106c581379c2c6ebb1bf7738912'
+          '8273976824137df1d42a4f9c7bafdfbd92f27d0a')
+
+prepare() {
+  # the signature and source are bundled together, so signature check needs to be done here
+  _check_pgpsig
+
+  tar -xf ${pkgname}-${pkgver}.tar.gz
+  cd ${pkgname}-${pkgver}
+  # cf https://bugs.gentoo.org/show_bug.cgi?id=448778
+  patch -p1 -i "${srcdir}"/krb5-config_LDFLAGS.patch
+  patch -p1 -i "${srcdir}"/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch
+
+   # FS#25384
+   sed -i "/KRB5ROOT=/s/\/local//" src/util/ac_check_krb5.m4
+}
+
+build() {
+   cd ${pkgname}-${pkgver}/src
+   export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all"
+   export CPPFLAGS+=" -I/usr/include/et"
+   ./configure --prefix=/usr \
+               --sbindir=/usr/bin \
+               --sysconfdir=/etc \
+               --localstatedir=/var/lib \
+               --enable-shared \
+               --with-system-et \
+               --with-system-ss \
+               --disable-rpath \
+               --without-tcl \
+               --enable-dns-for-realm \
+               --with-ldap \
+               --without-system-verto
+   make
+}
+
+package() {
+   cd ${pkgname}-${pkgver}/src
+   make DESTDIR="${pkgdir}" EXAMPLEDIR=/usr/share/doc/${pkgname}/examples install
+
+   # Fix FS#29889
+   install -m 644 plugins/kdb/ldap/libkdb_ldap/kerberos.{ldif,schema} "${pkgdir}"/usr/share/doc/${pkgname}/examples
+
+   # Sample KDC config file
+   install -dm 755 "${pkgdir}"/var/lib/krb5kdc
+   install -pm 644 config-files/kdc.conf "${pkgdir}"/var/lib/krb5kdc/kdc.conf
+
+   # Default configuration file
+   install -dm 755 "${pkgdir}"/etc
+   install -pm 644 config-files/krb5.conf "${pkgdir}"/etc/krb5.conf
+
+   install -dm 755 "${pkgdir}"/usr/share/aclocal
+   install -m 644 util/ac_check_krb5.m4 "${pkgdir}"/usr/share/aclocal
+
+   install -Dm644 "${srcdir}"/${pkgname}-${pkgver}/NOTICE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE
+
+   # systemd stuff
+   install -dm 755 "${pkgdir}"/usr/lib/systemd/system
+   install -m 644 ../../krb5-{kadmind.service,kdc.service,kpropd.service,kpropd at .service,kpropd.socket} \
+      "${pkgdir}"/usr/lib/systemd/system
+}
+
+_check_pgpsig() {
+  (( SKIPPGPCHECK )) && return 0
+
+  msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
+
+  local file=${pkgname}-${pkgver}.tar.gz.asc
+  local sourcefile=${file%.*}
+  local pubkey
+  local warning=0
+  local errors=0
+  local statusfile=$(mktemp)
+
+  printf "    %s ... " "${file%.*}" >&2
+
+  if ! gpg --quiet --batch --status-file "$statusfile" --verify "$file" "$sourcefile" 2> /dev/null; then
+    printf "FAILED" >&2
+    if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' "$statusfile"); then
+      printf " (unknown public key $pubkey)" >&2
+      warnings=1
+    else
+      errors=1
+    fi
+    printf '\n' >&2
+  else
+    if grep -q "REVKEYSIG" "$statusfile"; then
+      printf "FAILED (the key has been revoked.)" >&2
+      errors=1
+    else
+      printf "Passed" >&2
+      if grep -q "EXPSIG" "$statusfile"; then
+        printf " (WARNING: the signature has expired.)" >&2
+        warnings=1
+      elif grep -q "EXPKEYSIG" "$statusfile"; then
+        printf " (WARNING: the key has expired.)" >&2
+        warnings=1
+      fi
+    fi
+    printf '\n' >&2
+  fi
+  
+  rm -f "$statusfile"
+
+  if (( errors )); then
+    error "One or more PGP signatures could not be verified!"
+    exit 1
+  fi
+
+  if (( warnings )); then
+    warning "Warnings have occurred while verifying the signatures."
+    plain "Please make sure you really trust them."
+  fi
+}
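Review bot: In `_check_pgpsig`, a signature that gpg cannot verify because the signing key is missing (the `NO_PUBKEY` branch) only sets `warnings=1`, so `prepare()` goes on to extract and build a tarball whose signature was never checked; that branch should fail closed with `errors=1`. The function also declares `local warning=0` but assigns and tests `warnings`, so the counter is never initialised and leaks into the global scope; it should be `local warnings=0`. When `SKIPPGPCHECK` is set or the key is missing, integrity rests only on the `sha1sums` entry for a tarball fetched over plain `http://`, so a stronger array such as `sha256sums` would be a worthwhile follow-up. The same function is repeated in the testing-x86_64/PKGBUILD hunk.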

Copied: krb5/repos/testing-i686/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch (from rev 219582, krb5/trunk/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch)
===================================================================
--- testing-i686/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch	                        (rev 0)
+++ testing-i686/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch	2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,64 @@
+From 81c332e29f10887c6b9deb065f81ba259f4c7e03 Mon Sep 17 00:00:00 2001
+From: Tomas Kuthan <tkuthan at gmail.com>
+Date: Fri, 1 Aug 2014 15:25:50 +0200
+Subject: [PATCH] Fix LDAP key data segmentation [CVE-2014-4345]
+
+For principal entries having keys with multiple kvnos (due to use of
+-keepold), the LDAP KDB module makes an attempt to store all the keys
+having the same kvno into a single krbPrincipalKey attribute value.
+There is a fencepost error in the loop, causing currkvno to be set to
+the just-processed value instead of the next kvno.  As a result, the
+second and all following groups of multiple keys by kvno are each
+stored in two krbPrincipalKey attribute values.  Fix the loop to use
+the correct kvno value.
+
+CVE-2014-4345:
+
+In MIT krb5, when kadmind is configured to use LDAP for the KDC
+database, an authenticated remote attacker can cause it to perform an
+out-of-bounds write (buffer overrun) by performing multiple cpw
+-keepold operations.  An off-by-one error while copying key
+information to the new database entry results in keys sharing a common
+kvno being written to different array buckets, in an array whose size
+is determined by the number of kvnos present.  After sufficient
+iterations, the extra writes extend past the end of the
+(NULL-terminated) array.  The NULL terminator is always written after
+the end of the loop, so no out-of-bounds data is read, it is only
+written.
+
+Historically, it has been possible to convert an out-of-bounds write
+into remote code execution in some cases, though the necessary
+exploits must be tailored to the individual application and are
+usually quite complicated.  Depending on the allocated length of the
+array, an out-of-bounds write may also cause a segmentation fault
+and/or application crash.
+
+    CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
+
+[ghudson at mit.edu: clarified commit message]
+[kaduk at mit.edu: CVE summary, CVSSv2 vector]
+
+ticket: 7980 (new)
+target_version: 1.12.2
+tags: pullup
+---
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index ce851ea..df5934c 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
+             j++;
+             last = i + 1;
+ 
+-            currkvno = key_data[i].key_data_kvno;
++            if (i < n_key_data - 1)
++                currkvno = key_data[i + 1].key_data_kvno;
+         }
+     }
+     ret[num_versions] = NULL;
+-- 
+2.0.3
+
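Review bot: The corrected assignment `currkvno = key_data[i + 1].key_data_kvno;` carries no comment, yet reading the following element is exactly what the original fencepost got wrong; a line such as `/* Next group starts at the following key's kvno; the last key has no successor. */` above the `if` would guard against regression. The commit message says `ret` is sized by the number of kvnos, but nothing in the visible context checks `j` against `num_versions` before `ret[num_versions] = NULL;`, so the bound still depends on the grouping and the count agreeing. A `j < num_versions` check ahead of the store (presumably earlier in the loop, outside this hunk) would turn any future mismatch into an error rather than a heap write. `krb5_encode_krbsecretkey` begins and ends outside the hunk, and the identical patch is copied under testing-x86_64.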

Copied: krb5/repos/testing-i686/krb5-config_LDFLAGS.patch (from rev 219582, krb5/trunk/krb5-config_LDFLAGS.patch)
===================================================================
--- testing-i686/krb5-config_LDFLAGS.patch	                        (rev 0)
+++ testing-i686/krb5-config_LDFLAGS.patch	2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,12 @@
+Bug #448778
+--- krb5-1.11/src/build-tools/krb5-config.in	2012-12-18 02:47:04.000000000 +0000
++++ krb5-1.11/src/build-tools/krb5-config.in	2012-12-28 07:13:16.582693363 +0000
+@@ -217,7 +217,7 @@
+ 	    -e 's#\$(PROG_RPATH)#'$libdir'#' \
+ 	    -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \
+ 	    -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
+-	    -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
++	    -e 's#\$(LDFLAGS)##' \
+ 	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
+ 	    -e 's#\$(CFLAGS)##'`
+ 

Copied: krb5/repos/testing-i686/krb5-kadmind.service (from rev 219582, krb5/trunk/krb5-kadmind.service)
===================================================================
--- testing-i686/krb5-kadmind.service	                        (rev 0)
+++ testing-i686/krb5-kadmind.service	2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 administration server
+
+[Service]
+ExecStart=/usr/bin/kadmind -nofork
+
+[Install]
+WantedBy=multi-user.target
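Review bot: The `[Service]` section starts `kadmind` with no sandboxing directives, although this same commit carries a fix for an out-of-bounds write reachable by authenticated kadmin clients. Directives such as `NoNewPrivileges=true` and `ProtectHome=true` would limit what a compromised daemon can reach, subject to testing against the paths kadmind needs to write, which are not visible here. `krb5-kdc.service` sets `Restart=always` while this unit sets no restart policy, so the two disagree on recovery after a crash and the choice should be made deliberately. The testing-x86_64 copy of this unit is identical.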

Copied: krb5/repos/testing-i686/krb5-kdc.service (from rev 219582, krb5/trunk/krb5-kdc.service)
===================================================================
--- testing-i686/krb5-kdc.service	                        (rev 0)
+++ testing-i686/krb5-kdc.service	2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,9 @@
+[Unit]
+Description=Kerberos 5 KDC
+
+[Service]
+ExecStart=/usr/bin/krb5kdc -n
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

Copied: krb5/repos/testing-i686/krb5-kpropd.service (from rev 219582, krb5/trunk/krb5-kpropd.service)
===================================================================
--- testing-i686/krb5-kpropd.service	                        (rev 0)
+++ testing-i686/krb5-kpropd.service	2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 propagation server
+
+[Service]
+ExecStart=/usr/bin/kpropd -S
+
+[Install]
+WantedBy=multi-user.target

Copied: krb5/repos/testing-i686/krb5-kpropd.socket (from rev 219582, krb5/trunk/krb5-kpropd.socket)
===================================================================
--- testing-i686/krb5-kpropd.socket	                        (rev 0)
+++ testing-i686/krb5-kpropd.socket	2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,9 @@
+[Unit]
+Description=Kerberos 5 propagation server
+
+[Socket]
+ListenStream=754
+Accept=yes
+
+[Install]
+WantedBy=sockets.target

Copied: krb5/repos/testing-i686/krb5-kpropd at .service (from rev 219582, krb5/trunk/krb5-kpropd at .service)
===================================================================
--- testing-i686/krb5-kpropd at .service	                        (rev 0)
+++ testing-i686/krb5-kpropd at .service	2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 propagation server
+Conflicts=krb5-kpropd.service
+
+[Service]
+ExecStart=/usr/bin/kpropd
+StandardInput=socket
+StandardError=syslog

Copied: krb5/repos/testing-x86_64/PKGBUILD (from rev 219582, krb5/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD	                        (rev 0)
+++ testing-x86_64/PKGBUILD	2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,142 @@
+# $Id$
+# Maintainer: Stéphane Gaudreault <stephane at archlinux.org>
+
+pkgname=krb5
+pkgver=1.12.1
+pkgrel=2
+pkgdesc="The Kerberos network authentication system"
+arch=('i686' 'x86_64')
+url="http://web.mit.edu/kerberos/"
+license=('custom')
+depends=('e2fsprogs' 'libldap' 'keyutils')
+makedepends=('perl')
+backup=('etc/krb5.conf' 'var/lib/krb5kdc/kdc.conf')
+options=('!emptydirs')
+source=(http://web.mit.edu/kerberos/dist/krb5/${pkgver%.*}/${pkgname}-${pkgver}-signed.tar
+        krb5-config_LDFLAGS.patch
+        krb5-kadmind.service
+        krb5-kdc.service
+        krb5-kpropd.service
+        krb5-kpropd at .service
+        krb5-kpropd.socket
+	krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch)
+sha1sums=('d59e8dc0fc9e1890e109cd033756539984e3d3fe'
+          'f125824ed37f31e6fd2fdb6a437be8ff1c3700ab'
+          '59bbc7e686cbb4bcefddf0f134d928d7bd5e7722'
+          '2ef2476a8673b3b702e829d8f451c839c2273b02'
+          '74d66aefd291f22dd80799f0437cc03d83083ed5'
+          '6787c6ce2783b3f980c423e2dd4abf5236af670b'
+          'f3677d30dbbd7106c581379c2c6ebb1bf7738912'
+          '8273976824137df1d42a4f9c7bafdfbd92f27d0a')
+
+prepare() {
+  # the signature and source are bundled together, so signature check needs to be done here
+  _check_pgpsig
+
+  tar -xf ${pkgname}-${pkgver}.tar.gz
+  cd ${pkgname}-${pkgver}
+  # cf https://bugs.gentoo.org/show_bug.cgi?id=448778
+  patch -p1 -i "${srcdir}"/krb5-config_LDFLAGS.patch
+  patch -p1 -i "${srcdir}"/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch
+
+   # FS#25384
+   sed -i "/KRB5ROOT=/s/\/local//" src/util/ac_check_krb5.m4
+}
+
+build() {
+   cd ${pkgname}-${pkgver}/src
+   export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all"
+   export CPPFLAGS+=" -I/usr/include/et"
+   ./configure --prefix=/usr \
+               --sbindir=/usr/bin \
+               --sysconfdir=/etc \
+               --localstatedir=/var/lib \
+               --enable-shared \
+               --with-system-et \
+               --with-system-ss \
+               --disable-rpath \
+               --without-tcl \
+               --enable-dns-for-realm \
+               --with-ldap \
+               --without-system-verto
+   make
+}
+
+package() {
+   cd ${pkgname}-${pkgver}/src
+   make DESTDIR="${pkgdir}" EXAMPLEDIR=/usr/share/doc/${pkgname}/examples install
+
+   # Fix FS#29889
+   install -m 644 plugins/kdb/ldap/libkdb_ldap/kerberos.{ldif,schema} "${pkgdir}"/usr/share/doc/${pkgname}/examples
+
+   # Sample KDC config file
+   install -dm 755 "${pkgdir}"/var/lib/krb5kdc
+   install -pm 644 config-files/kdc.conf "${pkgdir}"/var/lib/krb5kdc/kdc.conf
+
+   # Default configuration file
+   install -dm 755 "${pkgdir}"/etc
+   install -pm 644 config-files/krb5.conf "${pkgdir}"/etc/krb5.conf
+
+   install -dm 755 "${pkgdir}"/usr/share/aclocal
+   install -m 644 util/ac_check_krb5.m4 "${pkgdir}"/usr/share/aclocal
+
+   install -Dm644 "${srcdir}"/${pkgname}-${pkgver}/NOTICE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE
+
+   # systemd stuff
+   install -dm 755 "${pkgdir}"/usr/lib/systemd/system
+   install -m 644 ../../krb5-{kadmind.service,kdc.service,kpropd.service,kpropd at .service,kpropd.socket} \
+      "${pkgdir}"/usr/lib/systemd/system
+}
+
+_check_pgpsig() {
+  (( SKIPPGPCHECK )) && return 0
+
+  msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
+
+  local file=${pkgname}-${pkgver}.tar.gz.asc
+  local sourcefile=${file%.*}
+  local pubkey
+  local warning=0
+  local errors=0
+  local statusfile=$(mktemp)
+
+  printf "    %s ... " "${file%.*}" >&2
+
+  if ! gpg --quiet --batch --status-file "$statusfile" --verify "$file" "$sourcefile" 2> /dev/null; then
+    printf "FAILED" >&2
+    if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' "$statusfile"); then
+      printf " (unknown public key $pubkey)" >&2
+      warnings=1
+    else
+      errors=1
+    fi
+    printf '\n' >&2
+  else
+    if grep -q "REVKEYSIG" "$statusfile"; then
+      printf "FAILED (the key has been revoked.)" >&2
+      errors=1
+    else
+      printf "Passed" >&2
+      if grep -q "EXPSIG" "$statusfile"; then
+        printf " (WARNING: the signature has expired.)" >&2
+        warnings=1
+      elif grep -q "EXPKEYSIG" "$statusfile"; then
+        printf " (WARNING: the key has expired.)" >&2
+        warnings=1
+      fi
+    fi
+    printf '\n' >&2
+  fi
+  
+  rm -f "$statusfile"
+
+  if (( errors )); then
+    error "One or more PGP signatures could not be verified!"
+    exit 1
+  fi
+
+  if (( warnings )); then
+    warning "Warnings have occurred while verifying the signatures."
+    plain "Please make sure you really trust them."
+  fi
+}

Copied: krb5/repos/testing-x86_64/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch (from rev 219582, krb5/trunk/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch)
===================================================================
--- testing-x86_64/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch	                        (rev 0)
+++ testing-x86_64/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch	2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,64 @@
+From 81c332e29f10887c6b9deb065f81ba259f4c7e03 Mon Sep 17 00:00:00 2001
+From: Tomas Kuthan <tkuthan at gmail.com>
+Date: Fri, 1 Aug 2014 15:25:50 +0200
+Subject: [PATCH] Fix LDAP key data segmentation [CVE-2014-4345]
+
+For principal entries having keys with multiple kvnos (due to use of
+-keepold), the LDAP KDB module makes an attempt to store all the keys
+having the same kvno into a single krbPrincipalKey attribute value.
+There is a fencepost error in the loop, causing currkvno to be set to
+the just-processed value instead of the next kvno.  As a result, the
+second and all following groups of multiple keys by kvno are each
+stored in two krbPrincipalKey attribute values.  Fix the loop to use
+the correct kvno value.
+
+CVE-2014-4345:
+
+In MIT krb5, when kadmind is configured to use LDAP for the KDC
+database, an authenticated remote attacker can cause it to perform an
+out-of-bounds write (buffer overrun) by performing multiple cpw
+-keepold operations.  An off-by-one error while copying key
+information to the new database entry results in keys sharing a common
+kvno being written to different array buckets, in an array whose size
+is determined by the number of kvnos present.  After sufficient
+iterations, the extra writes extend past the end of the
+(NULL-terminated) array.  The NULL terminator is always written after
+the end of the loop, so no out-of-bounds data is read, it is only
+written.
+
+Historically, it has been possible to convert an out-of-bounds write
+into remote code execution in some cases, though the necessary
+exploits must be tailored to the individual application and are
+usually quite complicated.  Depending on the allocated length of the
+array, an out-of-bounds write may also cause a segmentation fault
+and/or application crash.
+
+    CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
+
+[ghudson at mit.edu: clarified commit message]
+[kaduk at mit.edu: CVE summary, CVSSv2 vector]
+
+ticket: 7980 (new)
+target_version: 1.12.2
+tags: pullup
+---
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index ce851ea..df5934c 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
+             j++;
+             last = i + 1;
+ 
+-            currkvno = key_data[i].key_data_kvno;
++            if (i < n_key_data - 1)
++                currkvno = key_data[i + 1].key_data_kvno;
+         }
+     }
+     ret[num_versions] = NULL;
+-- 
+2.0.3
+

Copied: krb5/repos/testing-x86_64/krb5-config_LDFLAGS.patch (from rev 219582, krb5/trunk/krb5-config_LDFLAGS.patch)
===================================================================
--- testing-x86_64/krb5-config_LDFLAGS.patch	                        (rev 0)
+++ testing-x86_64/krb5-config_LDFLAGS.patch	2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,12 @@
+Bug #448778
+--- krb5-1.11/src/build-tools/krb5-config.in	2012-12-18 02:47:04.000000000 +0000
++++ krb5-1.11/src/build-tools/krb5-config.in	2012-12-28 07:13:16.582693363 +0000
+@@ -217,7 +217,7 @@
+ 	    -e 's#\$(PROG_RPATH)#'$libdir'#' \
+ 	    -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \
+ 	    -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
+-	    -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
++	    -e 's#\$(LDFLAGS)##' \
+ 	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
+ 	    -e 's#\$(CFLAGS)##'`
+ 

Copied: krb5/repos/testing-x86_64/krb5-kadmind.service (from rev 219582, krb5/trunk/krb5-kadmind.service)
===================================================================
--- testing-x86_64/krb5-kadmind.service	                        (rev 0)
+++ testing-x86_64/krb5-kadmind.service	2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 administration server
+
+[Service]
+ExecStart=/usr/bin/kadmind -nofork
+
+[Install]
+WantedBy=multi-user.target

Copied: krb5/repos/testing-x86_64/krb5-kdc.service (from rev 219582, krb5/trunk/krb5-kdc.service)
===================================================================
--- testing-x86_64/krb5-kdc.service	                        (rev 0)
+++ testing-x86_64/krb5-kdc.service	2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,9 @@
+[Unit]
+Description=Kerberos 5 KDC
+
+[Service]
+ExecStart=/usr/bin/krb5kdc -n
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

Copied: krb5/repos/testing-x86_64/krb5-kpropd.service (from rev 219582, krb5/trunk/krb5-kpropd.service)
===================================================================
--- testing-x86_64/krb5-kpropd.service	                        (rev 0)
+++ testing-x86_64/krb5-kpropd.service	2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 propagation server
+
+[Service]
+ExecStart=/usr/bin/kpropd -S
+
+[Install]
+WantedBy=multi-user.target

Copied: krb5/repos/testing-x86_64/krb5-kpropd.socket (from rev 219582, krb5/trunk/krb5-kpropd.socket)
===================================================================
--- testing-x86_64/krb5-kpropd.socket	                        (rev 0)
+++ testing-x86_64/krb5-kpropd.socket	2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,9 @@
+[Unit]
+Description=Kerberos 5 propagation server
+
+[Socket]
+ListenStream=754
+Accept=yes
+
+[Install]
+WantedBy=sockets.target

Copied: krb5/repos/testing-x86_64/krb5-kpropd at .service (from rev 219582, krb5/trunk/krb5-kpropd at .service)
===================================================================
--- testing-x86_64/krb5-kpropd at .service	                        (rev 0)
+++ testing-x86_64/krb5-kpropd at .service	2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 propagation server
+Conflicts=krb5-kpropd.service
+
+[Service]
+ExecStart=/usr/bin/kpropd
+StandardInput=socket
+StandardError=syslog



