mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-05-07 05:10:20 +00:00
Code Issues Projects Releases Wiki Activity

krb5: upgrade to 1.13.2

Browse Source 
Upgrade to include the CVE fixes: [CVE-2014-5354] [CVE-2014-5353]...
Remove the 0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch
Regenerate the /var/run/krb5kdc dir

Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This commit is contained in:
Roy Li
2015-05-13 14:14:48 +08:00
committed by Martin Jansa
parent 45b0b62b76
commit adf34d4b13
2 changed files with 24 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch
-92
View File
@@ -1,92 +0,0 @@
From af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 21 Aug 2014 13:52:07 -0400
Subject: [PATCH] Return only new keys in randkey [CVE-2014-5351]
In kadmind's randkey operation, if a client specifies the keepold
flag, do not include the preserved old keys in the response.
CVE-2014-5351:
An authenticated remote attacker can retrieve the current keys for a
service principal when generating a new set of keys for that
principal. The attacker needs to be authenticated as a user who has
the elevated privilege for randomizing the keys of other principals.
Normally, when a Kerberos administrator randomizes the keys of a
service principal, kadmind returns only the new keys. This prevents
an administrator who lacks legitimate privileged access to a service
from forging tickets to authenticate to that service. If the
"keepold" flag to the kadmin randkey RPC operation is true, kadmind
retains the old keys in the KDC database as intended, but also
unexpectedly returns the old keys to the client, which exposes the
service to ticket forgery attacks from the administrator.
A mitigating factor is that legitimate clients of the affected service
will start failing to authenticate to the service once they begin to
receive service tickets encrypted in the new keys. The affected
service will be unable to decrypt the newly issued tickets, possibly
alerting the legitimate administrator of the affected service.
CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
[tlyu@mit.edu: CVE description and CVSS score]
ticket: 8018 (new)
target_version: 1.13
tags: pullup
Upstream-Status: Backport
---
src/lib/kadm5/srv/svr_principal.c | 21 ++++++++++++++++++---
1 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/lib/kadm5/srv/svr_principal.c b/lib/kadm5/srv/svr_principal.c
index 5d358bd..d4e74cc 100644
--- a/lib/kadm5/srv/svr_principal.c
+++ b/lib/kadm5/srv/svr_principal.c
@@ -344,6 +344,20 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
*passptr = NULL;
}
+/* Return the number of keys with the newest kvno. Assumes that all key data
+ * with the newest kvno are at the front of the key data array. */
+static int
+count_new_keys(int n_key_data, krb5_key_data *key_data)
+{
+ int n;
+
+ for (n = 1; n < n_key_data; n++) {
+ if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno)
+ return n;
+ }
+ return n_key_data;
+}
+
kadm5_ret_t
kadm5_create_principal(void *server_handle,
kadm5_principal_ent_t entry, long mask,
@@ -1593,7 +1607,7 @@ kadm5_randkey_principal_3(void *server_handle,
osa_princ_ent_rec adb;
krb5_int32 now;
kadm5_policy_ent_rec pol;
- int ret, last_pwd;
+ int ret, last_pwd, n_new_keys;
krb5_boolean have_pol = FALSE;
kadm5_server_handle_t handle = server_handle;
krb5_keyblock *act_mkey;
@@ -1686,8 +1700,9 @@ kadm5_randkey_principal_3(void *server_handle,
kdb->fail_auth_count = 0;
if (keyblocks) {
- ret = decrypt_key_data(handle->context,
- kdb->n_key_data, kdb->key_data,
+ /* Return only the new keys added by krb5_dbe_crk. */
+ n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data);
+ ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data,
keyblocks, n_keys);
if (ret)
goto done;
--
1.7.4.1
meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb → meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
+24 -4
View File
@@ -14,7 +14,7 @@ DESCRIPTION = "Kerberos is a system for authenticating users and services on a n
HOMEPAGE = "http://web.mit.edu/Kerberos/" HOMEPAGE = "http://web.mit.edu/Kerberos/"
SECTION = "console/network" SECTION = "console/network"
LICENSE = "MIT" LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=450c80c6258ce03387bd09df37638ebc" LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=f64248328d2d9928e1f04158b5243e7f"
DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native" DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native"
inherit autotools-brokensep binconfig perlnative inherit autotools-brokensep binconfig perlnative
@@ -22,7 +22,6 @@ inherit autotools-brokensep binconfig perlnative
SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}" SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"
SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar \ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar \
file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \ file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \
file://0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch \
file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \ file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \
file://crosscompile_nm.patch \ file://crosscompile_nm.patch \
file://etc/init.d/krb5-kdc \ file://etc/init.d/krb5-kdc \
@@ -30,8 +29,8 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
file://etc/default/krb5-kdc \ file://etc/default/krb5-kdc \
file://etc/default/krb5-admin-server \ file://etc/default/krb5-admin-server \
" "
SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe" SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189"
SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744" SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1"
S = "${WORKDIR}/${BP}/src/" S = "${WORKDIR}/${BP}/src/"
@@ -77,4 +76,25 @@ do_install_append() {
mkdir -p ${D}/etc/init.d ${D}/etc/default mkdir -p ${D}/etc/init.d ${D}/etc/default
install -m 0755 ${WORKDIR}/etc/init.d/* ${D}/etc/init.d install -m 0755 ${WORKDIR}/etc/init.d/* ${D}/etc/init.d
install -m 0644 ${WORKDIR}/etc/default/* ${D}/etc/default install -m 0644 ${WORKDIR}/etc/default/* ${D}/etc/default
rm -rf ${D}/var/run
mkdir -p ${D}/etc/default/volatiles
echo "d root root 0755 ${localstatedir}/run/krb5kdc none" \
> ${D}${sysconfdir}/default/volatiles/87_krb5
if ${@base_contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/tmpfiles.d
echo "d /run/krb5kdc - - - -" \
> ${D}${sysconfdir}/tmpfiles.d/krb5.conf
fi
}
pkg_postinst_${PN} () {
if [ -z "$D" ]; then
if command -v systemd-tmpfiles >/dev/null; then
systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/krb5.conf
elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
${sysconfdir}/init.d/populate-volatile.sh update
fi
fi
} }