2 files changed, 64 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch
new file mode 100644
index 0000000000..dbc46bb79d
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch
@@ -0,0 +1,63 @@
+From 5b9b82d0696f1ffd4e693c1f8eafc0915b15e85b Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 19 Jul 2016 11:00:28 -0400
+Subject: [PATCH] Fix S4U2Self KDC crash when anon is restricted
+cherry-picked from 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 upstream
+In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
+use client.princ instead of request->client; the latter is NULL when
+validating S4U2Self requests.
+CVE-2016-3120:
+In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
+to dereference a null pointer if the restrict_anonymous_to_tgt option
+is set to true, by making an S4U2Self request.
+  CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
+ticket: 8458 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+Upstream-Status: Backport
+Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
+---
+ src/kdc/kdc_util.c    | 2 +-
+ src/tests/t_pkinit.py | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 48be1ae..10daec4 100644
+--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
+@@ -700,7 +700,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
+         return(KDC_ERR_MUST_USE_USER2USER);
+     }
+ 
+-    if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
+    if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
+         *status = "ANONYMOUS NOT ALLOWED";
+         return(KDC_ERR_POLICY);
+     }
+diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
+index 762e322..d27d05b 100644
+--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
+@@ -94,6 +94,11 @@ out = realm.run([kvno, realm.host_princ], expected_code=1)
+ if 'KDC policy rejects request' not in out:
+     fail('Wrong error for restricted anonymous PKINIT')
+ 
+# Regression test for #8458: S4U2Self requests crash the KDC if
+# anonymous is restricted.
+realm.kinit(realm.host_princ, flags=['-k'])
+realm.run([kvno, '-U', 'user', realm.host_princ])
+
+ # Go back to a normal KDC and disable anonymous PKINIT.
+ realm.stop_kdc()
+ realm.start_kdc()
+-- 
+2.5.0
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
index 3a3886bce0..12d35319c8 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
           file://krb5-admin-server.service \
           file://krb5-CVE-2016-3119.patch;striplevel=2 \
           file://0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch;striplevel=2 \
+           file://krb5-CVE-2016-3120.patch;striplevel=2 \
 "
 SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189"
 SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1"

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch new file mode 100644 index 0000000000..dbc46bb79d --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch
@@ -0,0 +1,63 @@
		1	From 5b9b82d0696f1ffd4e693c1f8eafc0915b15e85b Mon Sep 17 00:00:00 2001
		2	From: Greg Hudson <ghudson@mit.edu>
		3	Date: Tue, 19 Jul 2016 11:00:28 -0400
		4	Subject: [PATCH] Fix S4U2Self KDC crash when anon is restricted
		5
		6	cherry-picked from 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 upstream
		7
		8	In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
		9	use client.princ instead of request->client; the latter is NULL when
		10	validating S4U2Self requests.
		11
		12	CVE-2016-3120:
		13
		14	In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
		15	to dereference a null pointer if the restrict_anonymous_to_tgt option
		16	is set to true, by making an S4U2Self request.
		17
		18	CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
		19
		20	ticket: 8458 (new)
		21	target_version: 1.14-next
		22	target_version: 1.13-next
		23
		24	Upstream-Status: Backport
		25
		26	Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
		27	---
		28	src/kdc/kdc_util.c \| 2 +-
		29	src/tests/t_pkinit.py \| 5 +++++
		30	2 files changed, 6 insertions(+), 1 deletion(-)
		31
		32	diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
		33	index 48be1ae..10daec4 100644
		34	--- a/src/kdc/kdc_util.c
		35	+++ b/src/kdc/kdc_util.c
		36	@@ -700,7 +700,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
		37	return(KDC_ERR_MUST_USE_USER2USER);
		38	}
		39
		40	- if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
		41	+ if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
		42	*status = "ANONYMOUS NOT ALLOWED";
		43	return(KDC_ERR_POLICY);
		44	}
		45	diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
		46	index 762e322..d27d05b 100644
		47	--- a/src/tests/t_pkinit.py
		48	+++ b/src/tests/t_pkinit.py
		49	@@ -94,6 +94,11 @@ out = realm.run([kvno, realm.host_princ], expected_code=1)
		50	if 'KDC policy rejects request' not in out:
		51	fail('Wrong error for restricted anonymous PKINIT')
		52
		53	+# Regression test for #8458: S4U2Self requests crash the KDC if
		54	+# anonymous is restricted.
		55	+realm.kinit(realm.host_princ, flags=['-k'])
		56	+realm.run([kvno, '-U', 'user', realm.host_princ])
		57	+
		58	# Go back to a normal KDC and disable anonymous PKINIT.
		59	realm.stop_kdc()
		60	realm.start_kdc()
		61	--
		62	2.5.0
		63


diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb index 3a3886bce0..12d35319c8 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
36	file://krb5-admin-server.service \	36	file://krb5-admin-server.service \
37	file://krb5-CVE-2016-3119.patch;striplevel=2 \	37	file://krb5-CVE-2016-3119.patch;striplevel=2 \
38	file://0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch;striplevel=2 \	38	file://0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch;striplevel=2 \
		39	file://krb5-CVE-2016-3120.patch;striplevel=2 \
39	"	40	"
40	SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189"	41	SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189"
41	SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1"	42	SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1"