Bug#872056: marked as done (jessie-pu: package krb5/1.12.1+dfsg-19+deb8u2)



Your message dated Sat, 09 Dec 2017 10:47:53 +0000
with message-id <1512816473.1994.32.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #872056,
regarding jessie-pu: package krb5/1.12.1+dfsg-19+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
872056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872056
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi. I'd like to get some security updates that were not serious enough
for a DSA into jessie.  The security team encouraged me to make this
request, so they are in the loop, but have not reviewed the diff or the
specific set of CVEs fixed.

Diff produced with git diff dgit/dgit/jessie debian after looking at
git diff --numstat dgit/dgit/jessie to make sure that all the changes
outside of debian were because of new applied patches.  Also confirmed
that dgit quilt-fixup shows no changes between the produced source
package and my tree.

I've confirmed this builds, but have not reviewed the diffs
line-by-line (although all these changes are shipping in stretch or
sid now) and have not finished my testing.
I'll do both of those things before uploading.

diff --git a/debian/changelog b/debian/changelog
index d90f21581b..6aa052a1c5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+krb5 (1.12.1+dfsg-19+deb8u3) jessie; urgency=high
+
+  * CVE-2017-11368: Remote authenticated attackers can crash the KDC,
+    Closes: #869260
+  *  fix for CVE-2016-3120 (kdc crash on restrict_anon_to_tgt), , Closes:
+    #832572
+  * fix for CVE-2016-3119: remote DOS with ldap for authenticated
+    attackers, Closes: #819468
+  * Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557
+  
+ -- Sam Hartman <hartmans@debian.org>  Sun, 13 Aug 2017 18:02:34 -0400
+
 krb5 (1.12.1+dfsg-19+deb8u2) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
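Review bot: the bug was filed as jessie-pu for krb5/1.12.1+dfsg-19+deb8u2 but this changelog entry introduces 1.12.1+dfsg-19+deb8u3, so the bug title should name the version actually being proposed. Within the entry there is a trailing-whitespace line after the last bullet, the CVE-2016-3120 bullet has a double comma ("restrict_anon_to_tgt), , Closes:") and a double space after the asterisk, and the four bullets mix the "CVE-...: description" form with "fix for CVE-..."; a quick tidy before upload would help, since this text ends up in the point-release announcement.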
diff --git a/debian/patches/fix-ldap-null-deref-on-empty-arg-cve-201.patch b/debian/patches/fix-ldap-null-deref-on-empty-arg-cve-201.patch
new file mode 100644
index 0000000000..f1f5ff13a8
--- /dev/null
+++ b/debian/patches/fix-ldap-null-deref-on-empty-arg-cve-201.patch
@@ -0,0 +1,37 @@
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 14 Mar 2016 17:26:34 -0400
+X-Dgit-Generated: 1.12.1+dfsg-19+deb8u3 f7e4ca67d86a5a5b280b859072bbc5015a2ddd27
+Subject: Fix LDAP null deref on empty arg [CVE-2016-3119]
+
+In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
+if there is an empty string in the db_args array.  Check for this case
+and avoid dereferencing a null pointer.
+
+CVE-2016-3119:
+
+In MIT krb5 1.6 and later, an authenticated attacker with permission
+to modify a principal entry can cause kadmind to dereference a null
+pointer by supplying an empty DB argument to the modify_principal
+command, if kadmind is configured to use the LDAP KDB module.
+
+    CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
+
+(cherry picked from commit 08c642c09c38a9c6454ab43a9b53b2a89b9eef99)
+
+ticket: 8383
+version_fixed: 1.14.2
+
+(cherry picked from commit b5abd8c4872d7a024d49439342a6643f774afb1c)
+
+---
+
+--- krb5-1.12.1+dfsg.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ krb5-1.12.1+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -268,6 +268,7 @@ process_db_args(krb5_context context, ch
+     if (db_args) {
+         for (i=0; db_args[i]; ++i) {
+             arg = strtok_r(db_args[i], "=", &arg_val);
++            arg = (arg != NULL) ? arg : "";
+             if (strcmp(arg, TKTPOLICY_ARG) == 0) {
+                 dptr = &xargs->tktpolicydn;
+             } else {
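Review bot: substituting "" when strtok_r() returns NULL (`arg = (arg != NULL) ? arg : "";`) removes the null dereference, but it also means an empty db_args entry now walks the strcmp() chain as an unrecognised option name; confirm that the else branch starting at the bottom of this hunk reports that as an invalid argument rather than silently accepting it, since the caller is kadmind's modify_principal path with attacker-supplied input. The generated file name also truncates the CVE id (`cve-201.patch`); renaming it to carry CVE-2016-3119 in full would keep the series greppable by CVE.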
diff --git a/debian/patches/fix-s4u2self-kdc-crash-when-anon-is-rest.patch b/debian/patches/fix-s4u2self-kdc-crash-when-anon-is-rest.patch
new file mode 100644
index 0000000000..4b63bd8ee0
--- /dev/null
+++ b/debian/patches/fix-s4u2self-kdc-crash-when-anon-is-rest.patch
@@ -0,0 +1,51 @@
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 19 Jul 2016 11:00:28 -0400
+X-Dgit-Generated: 1.12.1+dfsg-19+deb8u3 862d5e532d03db566ee2955f69e008a253d39dec
+Subject: Fix S4U2Self KDC crash when anon is restricted
+
+In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
+use client.princ instead of request->client; the latter is NULL when
+validating S4U2Self requests.
+
+CVE-2016-3120:
+
+In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
+to dereference a null pointer if the restrict_anonymous_to_tgt option
+is set to true, by making an S4U2Self request.
+
+  CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
+
+(cherry picked from commit 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7)
+
+ticket: 8458
+version_fixed: 1.14.3
+
+(cherry picked from commit 85c3046d42eeb821967ad5625fcb08e8c6177b1a)
+
+---
+
+--- krb5-1.12.1+dfsg.orig/src/kdc/kdc_util.c
++++ krb5-1.12.1+dfsg/src/kdc/kdc_util.c
+@@ -688,7 +688,7 @@ validate_as_request(kdc_realm_t *kdc_act
+         return(KDC_ERR_MUST_USE_USER2USER);
+     }
+ 
+-    if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
++    if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
+         *status = "ANONYMOUS NOT ALLOWED";
+         return(KDC_ERR_POLICY);
+     }
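Review bot: the `.` in client.princ means validate_as_request() in this tree takes the client DB entry by value, so the fix is only correct if the S4U2Self caller passes the looked-up entry for the impersonated user at that point; the commit message says request->client is NULL there, but the backport should be checked against the 1.12 caller rather than the upstream one, because the signature shown in the hunk header (`validate_as_request(kdc_realm_t *kdc_act...`) is not the one the cherry-picked commit was written for. Also worth confirming that for an ordinary AS-REQ client.princ and request->client name the same principal, otherwise check_anon() now evaluates a different name than before.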
+--- krb5-1.12.1+dfsg.orig/src/tests/t_pkinit.py
++++ krb5-1.12.1+dfsg/src/tests/t_pkinit.py
+@@ -81,6 +81,11 @@ out = realm.run([kvno, realm.host_princ]
+ if 'KDC policy rejects request' not in out:
+     fail('Wrong error for restricted anonymous PKINIT')
+ 
++# Regression test for #8458: S4U2Self requests crash the KDC if
++# anonymous is restricted.
++realm.kinit(realm.host_princ, flags=['-k'])
++realm.run([kvno, '-U', 'user', realm.host_princ])
++
+ # Go back to a normal KDC and disable anonymous PKINIT.
+ realm.stop_kdc()
+ realm.start_kdc()
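Review bot: the regression test passes only if `kvno -U user` exits 0, since realm.run() expects a zero exit status by default, so it checks that the S4U2Self request is answered, not merely that the KDC survives; that also means it depends on the host principal being allowed to perform S4U2Self for 'user' while restrict_anonymous_to_tgt is in effect, and if the 1.12 KDC rejects that with a policy error the test fails for a reason unrelated to the crash. Keeping it in t_pkinit.py means it runs only on builds with PKINIT, because the restrict_anonymous_to_tgt setup lives there.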
diff --git a/debian/patches/prevent-kdc-unset-status-assertion-failu.patch b/debian/patches/prevent-kdc-unset-status-assertion-failu.patch
new file mode 100644
index 0000000000..aef3b40616
--- /dev/null
+++ b/debian/patches/prevent-kdc-unset-status-assertion-failu.patch
@@ -0,0 +1,101 @@
+From: Greg Hudson <ghudson@mit.edu>
+Date: Thu, 13 Jul 2017 12:14:20 -0400
+X-Dgit-Generated: 1.12.1+dfsg-19+deb8u3 b90fe523a8aa9b4b6059d1a39eaea373ceeda37b
+Subject: Prevent KDC unset status assertion failures
+
+Assign status values if S4U2Self padata fails to decode, if an
+S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
+uses an evidence ticket which does not match the canonicalized request
+server principal name.  Reported by Samuel Cabrero.
+
+If a status value is not assigned during KDC processing, default to
+"UNKNOWN_REASON" rather than failing an assertion.  This change will
+prevent future denial of service bugs due to similar mistakes, and
+will allow us to omit assigning status values for unlikely errors such
+as small memory allocation failures.
+
+CVE-2017-11368:
+
+In MIT krb5 1.7 and later, an authenticated attacker can cause an
+assertion failure in krb5kdc by sending an invalid S4U2Self or
+S4U2Proxy request.
+
+  CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
+
+ticket: 8599 (new)
+target_version: 1.15-next
+target_version: 1.14-next
+tags: pullup
+
+Patch-Category: upstream
+(cherry picked from commit 38903df0ecd26089efefd0cd52cf4ebe8e3e1dd3)
+
+---
+
+--- krb5-1.12.1+dfsg.orig/src/kdc/do_as_req.c
++++ krb5-1.12.1+dfsg/src/kdc/do_as_req.c
+@@ -343,8 +343,8 @@ finish_process_as_req(struct as_req_stat
+     did_log = 1;
+ 
+ egress:
+-    if (errcode != 0)
+-        assert (state->status != 0);
++    if (errcode != 0 && state->status == NULL)
++        state->status = "UNKNOWN_REASON";
+ 
+     au_state->status = state->status;
+     au_state->reply = &state->reply;
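Review bot: defaulting to "UNKNOWN_REASON" where the assert used to fire keeps krb5kdc up but moves the problem into the log: a line carrying that status means some KDC error path forgot to set a status, which is exactly the class of bug behind CVE-2017-11368. A one-line comment here saying that UNKNOWN_REASON is a bug to report, and a mention in the Debian changelog for admins who grep krb5kdc.log, would make that visible. The condition `errcode != 0 && state->status == NULL` mirrors the old assertion, so au_state->status below now always receives a non-NULL string.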
+--- krb5-1.12.1+dfsg.orig/src/kdc/do_tgs_req.c
++++ krb5-1.12.1+dfsg/src/kdc/do_tgs_req.c
+@@ -826,7 +826,8 @@ process_tgs_req(struct server_handle *ha
+     free(reply.enc_part.ciphertext.data);
+ 
+ cleanup:
+-    assert(status != NULL);
++    if (status == NULL)
++        status = "UNKNOWN_REASON";
+     if (reply_key)
+         krb5_free_keyblock(kdc_context, reply_key);
+     if (errcode)
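Review bot: unlike the do_as_req.c change, this default is not tied to errcode, so a request that reaches cleanup with status still NULL gets "UNKNOWN_REASON" regardless of outcome; check that the logging below only emits status when errcode is set (the `if (errcode)` context line suggests it does), otherwise successful TGS replies could be logged with that string and drown out the cases that matter.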
+--- krb5-1.12.1+dfsg.orig/src/kdc/kdc_util.c
++++ krb5-1.12.1+dfsg/src/kdc/kdc_util.c
+@@ -1133,8 +1133,10 @@ kdc_process_for_user(kdc_realm_t *kdc_ac
+     req_data.data = (char *)pa_data->contents;
+ 
+     code = decode_krb5_pa_for_user(&req_data, &for_user);
+-    if (code)
++    if (code) {
++        *status = "DECODE_PA_FOR_USER";
+         return code;
++    }
+ 
+     code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
+     if (code) {
+@@ -1233,8 +1235,10 @@ kdc_process_s4u_x509_user(krb5_context c
+     req_data.data = (char *)pa_data->contents;
+ 
+     code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
+-    if (code)
++    if (code) {
++        *status = "DECODE_PA_S4U_X509_USER";
+         return code;
++    }
+ 
+     code = verify_s4u_x509_user_checksum(context,
+                                          tgs_subkey ? tgs_subkey :
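Review bot: DECODE_PA_FOR_USER and DECODE_PA_S4U_X509_USER are the statuses an authenticated client triggers by sending malformed PA-FOR-USER or PA-S4U-X509-USER padata, i.e. the CVE-2017-11368 input; once this lands, those strings in the KDC log are a reasonable alert condition for someone probing the KDC. Both hunks return `code` unchanged, so the client-visible error is the same as before and only the log/audit path changes.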
+@@ -1537,6 +1541,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *k
+      * that is validated previously in validate_tgs_request().
+      */
+     if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
++        *status = "INVALID_S4U2PROXY_OPTIONS";
+         return KRB5KDC_ERR_BADOPTION;
+     }
+ 
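Review bot: INVALID_S4U2PROXY_OPTIONS is set before returning KRB5KDC_ERR_BADOPTION for requests carrying NON_TGT_OPTION or KDC_OPT_ENC_TKT_IN_SKEY; the comment above says this combination is already validated in validate_tgs_request(), so if this branch ever fires it indicates the earlier check was bypassed, and the status is worth treating as a KDC bug or abuse signal rather than a routine client error.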
+@@ -1544,6 +1549,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *k
+     if (!krb5_principal_compare(kdc_context,
+                                 server->princ, /* after canon */
+                                 server_princ)) {
++        *status = "EVIDENCE_TICKET_MISMATCH";
+         return KRB5KDC_ERR_SERVER_NOMATCH;
+     }
+ 
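Review bot: EVIDENCE_TICKET_MISMATCH fires when the canonicalized server entry (server->princ) differs from the principal the evidence ticket names (server_princ), which is a client presenting a ticket for one service while asking to act as another; that is closer to an abuse attempt than a malformed request, so make sure this status is logged at a level KDC operators see by default rather than only in debug output.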
diff --git a/debian/patches/prevent-requires_preauth-bypass-cve-2015.patch b/debian/patches/prevent-requires_preauth-bypass-cve-2015.patch
new file mode 100644
index 0000000000..030bb0d134
--- /dev/null
+++ b/debian/patches/prevent-requires_preauth-bypass-cve-2015.patch
@@ -0,0 +1,99 @@
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 24 Mar 2015 12:02:37 -0400
+X-Dgit-Generated: 1.12.1+dfsg-19+deb8u3 666b6ee77073326e44625c3e24a5710ebef5ad56
+Subject: Prevent requires_preauth bypass [CVE-2015-2694]
+
+In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until
+the request is successfully verified.  In the PKINIT kdcpreauth
+module, don't respond with code 0 on empty input or an unconfigured
+realm.  Together these bugs could cause the KDC preauth framework to
+erroneously treat a request as pre-authenticated.
+
+CVE-2015-2694:
+
+In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
+support, an unauthenticated remote attacker can bypass the
+requires_preauth flag on a client principal and obtain a ciphertext
+encrypted in the principal's long-term key.  This ciphertext could be
+used to conduct an off-line dictionary attack against the user's
+password.
+
+    CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C
+
+(cherry picked from commit e3b5a5e5267818c97750b266df50b6a3d4649604)
+
+ticket: 8160
+version_fixed: 1.13.2
+status: resolved
+
+(cherry picked from commit df8afc60d970a7176a55ffe7ce21cfd57ba423cd)
+patch-category: upstream
+(cherry picked from commit 8159057a3dfa382ffd6c1cceaab436011e92f435)
+
+---
+
+--- krb5-1.12.1+dfsg.orig/src/plugins/preauth/otp/main.c
++++ krb5-1.12.1+dfsg/src/plugins/preauth/otp/main.c
+@@ -42,6 +42,7 @@ static krb5_preauthtype otp_pa_type_list
+ struct request_state {
+     krb5_kdcpreauth_verify_respond_fn respond;
+     void *arg;
++    krb5_enc_tkt_part *enc_tkt_reply;
+ };
+ 
+ static krb5_error_code
+@@ -159,6 +160,9 @@ on_response(void *data, krb5_error_code
+     if (retval == 0 && response != otp_response_success)
+         retval = KRB5_PREAUTH_FAILED;
+ 
++    if (retval == 0)
++        rs.enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
++
+     rs.respond(rs.arg, retval, NULL, NULL, NULL);
+ }
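Review bot: setting TKT_FLG_PRE_AUTH only when retval == 0 ties the flag to the OTP daemon reporting otp_response_success (the line above downgrades any other response to KRB5_PREAUTH_FAILED), which is the correct ordering. Because on_response() works on a by-value copy of the request state (rs.respond, rs.enc_tkt_reply), the enc_tkt_reply pointer saved in otp_verify() must still point at the live reply structure when the asynchronous response arrives; that holds if the KDC keeps the reply alive until respond() is called, which it has to for respond() itself, but a comment on the struct member saying so would save the next reader the same question.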
+ 
+@@ -263,8 +267,6 @@ otp_verify(krb5_context context, krb5_da
+     krb5_data d, plaintext;
+     char *config;
+ 
+-    enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
+-
+     /* Get the FAST armor key. */
+     armor_key = cb->fast_armor(context, rock);
+     if (armor_key == NULL) {
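Review bot: deleting the unconditional `enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;` at the top of otp_verify() is the substantive OTP half of CVE-2015-2694: previously every early exit from this function (missing armor key, bad decode, and so on) returned with the ticket already marked pre-authenticated. Worth checking that no remaining synchronous path in otp_verify() sets the flag, so that the on_response() assignment is the only place it is set.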
+@@ -298,12 +300,14 @@ otp_verify(krb5_context context, krb5_da
+         goto error;
+     }
+ 
+-    /* Create the request state. */
++    /* Create the request state.  Save the response callback, and the
++     * enc_tkt_reply pointer so we can set the TKT_FLG_PRE_AUTH flag later. */
+     rs = k5alloc(sizeof(struct request_state), &retval);
+     if (rs == NULL)
+         goto error;
+     rs->arg = arg;
+     rs->respond = respond;
++    rs->enc_tkt_reply = enc_tkt_reply;
+ 
+     /* Get the principal's OTP configuration string. */
+     retval = cb->get_string(context, rock, "otp", &config);
+--- krb5-1.12.1+dfsg.orig/src/plugins/preauth/pkinit/pkinit_srv.c
++++ krb5-1.12.1+dfsg/src/plugins/preauth/pkinit/pkinit_srv.c
+@@ -306,7 +306,7 @@ pkinit_server_verify_padata(krb5_context
+ 
+     pkiDebug("pkinit_verify_padata: entered!\n");
+     if (data == NULL || data->length <= 0 || data->contents == NULL) {
+-        (*respond)(arg, 0, NULL, NULL, NULL);
++        (*respond)(arg, EINVAL, NULL, NULL, NULL);
+         return;
+     }
+ 
+@@ -318,7 +318,7 @@ pkinit_server_verify_padata(krb5_context
+ 
+     plgctx = pkinit_find_realm_context(context, moddata, request->server);
+     if (plgctx == NULL) {
+-        (*respond)(arg, 0, NULL, NULL, NULL);
++        (*respond)(arg, EINVAL, NULL, NULL, NULL);
+         return;
+     }
+ 
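Review bot: the unconfigured-realm case now fails instead of succeeding, so on a KDC serving several realms with PKINIT configured for only some, PKINIT padata sent to an unconfigured realm is refused rather than treated as a successful verification. That is the intended fix, but it is a visible behaviour change and deserves a line in the Debian changelog, since admins may see new PKINIT failures after the point release and should know they are expected.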
diff --git a/debian/patches/series b/debian/patches/series
index 5415bf63dc..2acf434253 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -37,3 +37,7 @@ upstream/0036-Fix-SPNEGO-context-import.patch
 upstream/0037-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
 upstream/0038-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
 upstream/0039-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
+prevent-requires_preauth-bypass-cve-2015.patch
+fix-s4u2self-kdc-crash-when-anon-is-rest.patch
+fix-ldap-null-deref-on-empty-arg-cve-201.patch
+prevent-kdc-unset-status-assertion-failu.patch
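Review bot: the four new entries do not follow the `upstream/NNNN-Description-CVE-XXXX.patch` naming used by the rest of the series (e.g. upstream/0037-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch), and two of the dgit-generated names are cut off mid-CVE-id (`cve-201.patch`, `cve-2015.patch`). Renaming them in the existing style keeps the series greppable by CVE, and the patches also disagree on the category trailer (one has `Patch-Category: upstream`, one `patch-category: upstream`, two have none).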

--- End Message ---
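To check whether a jessie host actually received this update, here is an added example that is not part of this bug report, the krb5 package, or Sam's request: a Python script that reimplements dpkg's version ordering (epoch, upstream version, Debian revision, with '~' sorting before anything including end of string) and reports installed krb5 binaries older than 1.12.1+dfsg-19+deb8u3. The sample dpkg-query output is constructed, not captured from a host; the assumed input format is that of `dpkg-query -W -f='${source:Package} ${binary:Package} ${Version} ${Status}\n'`.

```python
"""Report installed krb5 binaries older than the version carrying these fixes.

Added example for bug #872056; not part of the krb5 package.  Implements
dpkg's version ordering so it runs anywhere, and parses output produced by:

    dpkg-query -W -f='${source:Package} ${binary:Package} ${Version} ${Status}\n'
"""
import subprocess
import sys

# Version from the proposed changelog entry in the request.
FIXED_VERSION = "1.12.1+dfsg-19+deb8u3"

# Constructed sample in the dpkg-query format above (not a real host).
SAMPLE_DPKG_QUERY = """\
krb5 libkrb5-3:amd64 1.12.1+dfsg-19+deb8u2 install ok installed
krb5 krb5-kdc 1.12.1+dfsg-19+deb8u3 install ok installed
krb5 krb5-kdc-ldap 1.12.1+dfsg-19+deb8u3~rc1 install ok installed
krb5 krb5-admin-server 1.12.1+dfsg-19+deb8u2 install ok installed
krb5 krb5-user 1.12.1+dfsg-19+deb8u2 deinstall ok config-files
openssl libssl1.0.0:amd64 1.0.1t-1+deb8u7 install ok installed
"""


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    """Weight of a non-digit character in dpkg's ordering; end of string is 0."""
    if c == "~":
        return -1
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments like dpkg's verrevcmp(): alternating
    non-digit runs (lexical, '~' lowest) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):  # longer digit run is larger
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as `dpkg --compare-versions` would order a against b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def outdated_packages(dpkg_output, source="krb5", fixed_version=FIXED_VERSION):
    """Return [(binary package, installed version)] for fully installed
    binaries built from `source` whose version is older than fixed_version."""
    outdated = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        src, pkg, ver, status = line.split(None, 3)
        if src != source or status.split()[-1] != "installed":
            continue  # other source packages, or removed/config-files leftovers
        if compare_versions(ver, fixed_version) < 0:
            outdated.append((pkg, ver))
    return outdated


if __name__ == "__main__":
    if "--live" in sys.argv:  # query the real dpkg database instead of the sample
        text = subprocess.check_output(
            ["dpkg-query", "-W",
             "-f=${source:Package} ${binary:Package} ${Version} ${Status}\n"],
            universal_newlines=True)
    else:
        text = SAMPLE_DPKG_QUERY
    for pkg, ver in outdated_packages(text):
        print("%s %s is older than %s" % (pkg, ver, FIXED_VERSION))
```

Run it with no arguments to see the constructed sample evaluated (libkrb5-3, the ~rc1 build of krb5-kdc-ldap and krb5-admin-server are reported; the deinstalled krb5-user is skipped), or with `--live` on a jessie host to check the real package database.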
--- Begin Message ---
Version: 8.10

Hi,

Each of the updates referenced in these bugs was included in this
morning's jessie point release. Thanks!

Regards,

Adam

--- End Message ---