Home | Content | Search | Navigation | Indexes
 

Mailinglist Archive: opensuse-commit (1069 mails)

< Previous Next >
commit krb5 for openSUSE:Factory
  • From: root@xxxxxxxxxxxxxxx (h_root)
  • Date: Wed, 01 Dec 2010 17:37:29 +0100
  • Message-id: <20101201163729.A9A6D202B5@xxxxxxxxxxxxxxx>

Hello community,

here is the log from the commit of package krb5 for openSUSE:Factory
checked in at Wed Dec 1 17:37:29 CET 2010.



--------
--- krb5/krb5-mini.changes 2010-10-28 15:41:09.000000000 +0200
+++ krb5/krb5-mini.changes 2010-12-01 17:34:52.774439000 +0100
@@ -1,0 +2,17 @@
+Wed Dec 1 11:44:15 CET 2010 - mc@xxxxxxx
+
+- Fix multiple checksum handling vulnerabilities
+ (MITKRB5-SA-2010-007, bnc#650650)
+ CVE-2010-1324
+ * krb5 GSS-API applications may accept unkeyed checksums
+ * krb5 application services may accept unkeyed PAC checksums
+ * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums
+ CVE-2010-1323
+ * krb5 clients may accept unkeyed SAM-2 challenge checksums
+ * krb5 may accept KRB-SAFE checksums with low-entropy derived keys
+ CVE-2010-4020
+ * krb5 may accept authdata checksums with low-entropy derived keys
+ CVE-2010-4021
+ * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery
+
+-------------------------------------------------------------------
krb5.changes: same change

calling whatdependson for head-i586


New:
----
MITKRB5-SA-2010-007-1.8.dif

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ krb5-doc.spec ++++++
--- /var/tmp/diff_new_pack.kYUV8b/_old 2010-12-01 17:35:07.000000000 +0100
+++ /var/tmp/diff_new_pack.kYUV8b/_new 2010-12-01 17:35:07.000000000 +0100
@@ -21,7 +21,7 @@
Name: krb5-doc
BuildRequires: ghostscript-library latex2html texlive
Version: 1.8.3
-Release: 2
+Release: 3
%define srcRoot krb5-1.8.3
Summary: MIT Kerberos5 Implementation--Documentation
License: MIT License (or similar)

++++++ krb5-mini.spec ++++++
--- /var/tmp/diff_new_pack.kYUV8b/_old 2010-12-01 17:35:07.000000000 +0100
+++ /var/tmp/diff_new_pack.kYUV8b/_new 2010-12-01 17:35:07.000000000 +0100
@@ -28,7 +28,7 @@
BuildRequires: bison libcom_err-devel ncurses-devel
BuildRequires: keyutils keyutils-devel
Version: 1.8.3
-Release: 2
+Release: 3
%if ! 0%{?build_mini}
BuildRequires: libopenssl-devel openldap2-devel
# bug437293
@@ -56,6 +56,7 @@
Patch7: krb5-1.6.3-ktutil-manpage.dif
Patch8: krb5-1.6.3-fix-ipv6-query.dif
Patch12: krb5-1.8-MITKRB5-SA-2010-006.dif
+Patch13: MITKRB5-SA-2010-007-1.8.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@@ -204,6 +205,7 @@
%patch7 -p1
%patch8 -p1
%patch12 -p1
+%patch13 -p1
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do

krb5.spec: same change
++++++ MITKRB5-SA-2010-007-1.8.dif ++++++
Index: krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c
===================================================================
--- krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (revision 24455)
+++ krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (working copy)
@@ -691,8 +691,7 @@
krb5_reply_key_pack *key_pack = NULL;
krb5_reply_key_pack_draft9 *key_pack9 = NULL;
krb5_data *encoded_key_pack = NULL;
- unsigned int num_types;
- krb5_cksumtype *cksum_types = NULL;
+ krb5_cksumtype cksum_type;

pkinit_kdc_context plgctx;
pkinit_kdc_req_context reqctx;
@@ -882,14 +881,25 @@
retval = ENOMEM;
goto cleanup;
}
- /* retrieve checksums for a given enctype of the reply key */
- retval = krb5_c_keyed_checksum_types(context,
- encrypting_key->enctype,
&num_types, &cksum_types);
- if (retval)
- goto cleanup;

- /* pick the first of acceptable enctypes for the checksum */
- retval = krb5_c_make_checksum(context, cksum_types[0],
+ switch (encrypting_key->enctype) {
+ case ENCTYPE_DES_CBC_MD4:
+ cksum_type = CKSUMTYPE_RSA_MD4_DES;
+ break;
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_CRC:
+ cksum_type = CKSUMTYPE_RSA_MD5_DES;
+ break;
+ default:
+ retval = krb5int_c_mandatory_cksumtype(context,
+ encrypting_key->enctype,
+ &cksum_type);
+ if (retval)
+ goto cleanup;
+ break;
+ }
+
+ retval = krb5_c_make_checksum(context, cksum_type,
encrypting_key,
KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
req_pkt, &key_pack->asChecksum);
if (retval) {
@@ -1033,7 +1043,6 @@
krb5_free_data(context, encoded_key_pack);
free(dh_pubkey);
free(server_key);
- free(cksum_types);

switch ((int)padata->pa_type) {
case KRB5_PADATA_PK_AS_REQ:
Index: krb5-1.8/src/lib/crypto/krb/cksumtypes.c
===================================================================
--- krb5-1.8/src/lib/crypto/krb/cksumtypes.c (revision 24455)
+++ krb5-1.8/src/lib/crypto/krb/cksumtypes.c (working copy)
@@ -101,7 +101,7 @@

{ CKSUMTYPE_MD5_HMAC_ARCFOUR,
"md5-hmac-rc4", { 0 }, "Microsoft MD5 HMAC",
- NULL, &krb5int_hash_md5,
+ &krb5int_enc_arcfour, &krb5int_hash_md5,
krb5int_hmacmd5_checksum, NULL,
16, 16, 0 },
};
Index: krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c
===================================================================
--- krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (revision 24455)
+++ krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (working copy)
@@ -35,6 +35,13 @@
{
if (ctp->flags & CKSUM_UNKEYED)
return FALSE;
+ /* Stream ciphers do not play well with RFC 3961 key derivation, so be
+ * conservative with RC4. */
+ if ((ktp->etype == ENCTYPE_ARCFOUR_HMAC ||
+ ktp->etype == ENCTYPE_ARCFOUR_HMAC_EXP) &&
+ ctp->ctype != CKSUMTYPE_HMAC_MD5_ARCFOUR &&
+ ctp->ctype != CKSUMTYPE_MD5_HMAC_ARCFOUR)
+ return FALSE;
return (!ctp->enc || ktp->enc == ctp->enc);
}

Index: krb5-1.8/src/lib/crypto/krb/dk/derive.c
===================================================================
--- krb5-1.8/src/lib/crypto/krb/dk/derive.c (revision 24455)
+++ krb5-1.8/src/lib/crypto/krb/dk/derive.c (working copy)
@@ -91,6 +91,8 @@
blocksize = enc->block_size;
keybytes = enc->keybytes;

+ if (blocksize == 1)
+ return KRB5_BAD_ENCTYPE;
if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes)
return KRB5_CRYPTO_INTERNAL;

Index: krb5-1.8/src/lib/gssapi/krb5/util_crypt.c
===================================================================
--- krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (revision 24455)
+++ krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (working copy)
@@ -119,10 +119,22 @@
if (code != 0)
return code;

- code = (*kaccess.mandatory_cksumtype)(context, subkey->keyblock.enctype,
- cksumtype);
- if (code != 0)
- return code;
+ switch (subkey->keyblock.enctype) {
+ case ENCTYPE_DES_CBC_MD4:
+ *cksumtype = CKSUMTYPE_RSA_MD4_DES;
+ break;
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_CRC:
+ *cksumtype = CKSUMTYPE_RSA_MD5_DES;
+ break;
+ default:
+ code = (*kaccess.mandatory_cksumtype)(context,
+ subkey->keyblock.enctype,
+ cksumtype);
+ if (code != 0)
+ return code;
+ break;
+ }

switch (subkey->keyblock.enctype) {
case ENCTYPE_DES_CBC_MD5:
Index: krb5-1.8/src/lib/krb5/krb/pac.c
===================================================================
--- krb5-1.8/src/lib/krb5/krb/pac.c (revision 24455)
+++ krb5-1.8/src/lib/krb5/krb/pac.c (working copy)
@@ -582,6 +582,8 @@
checksum.checksum_type = load_32_le(p);
checksum.length = checksum_data.length - PAC_SIGNATURE_DATA_LENGTH;
checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH;
+ if (!krb5_c_is_keyed_cksum(checksum.checksum_type))
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;

pac_data.length = pac->data.length;
pac_data.data = malloc(pac->data.length);
Index: krb5-1.8/src/lib/krb5/krb/preauth2.c
===================================================================
--- krb5-1.8/src/lib/krb5/krb/preauth2.c (revision 24455)
+++ krb5-1.8/src/lib/krb5/krb/preauth2.c (working copy)
@@ -1578,7 +1578,9 @@

cksum = sc2->sam_cksum;

- while (*cksum) {
+ for (; *cksum; cksum++) {
+ if (!krb5_c_is_keyed_cksum((*cksum)->checksum_type))
+ continue;
/* Check this cksum */
retval = krb5_c_verify_checksum(context, as_key,
KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM,
@@ -1592,7 +1594,6 @@
}
if (valid_cksum)
break;
- cksum++;
}

if (!valid_cksum) {
Index: krb5-1.8/src/lib/krb5/krb/mk_safe.c
===================================================================
--- krb5-1.8/src/lib/krb5/krb/mk_safe.c (revision 24455)
+++ krb5-1.8/src/lib/krb5/krb/mk_safe.c (working copy)
@@ -215,10 +215,28 @@
for (i = 0; i < nsumtypes; i++)
if (auth_context->safe_cksumtype == sumtypes[i])
break;
- if (i == nsumtypes)
- i = 0;
- sumtype = sumtypes[i];
krb5_free_cksumtypes (context, sumtypes);
+ if (i < nsumtypes)
+ sumtype = auth_context->safe_cksumtype;
+ else {
+ switch (enctype) {
+ case ENCTYPE_DES_CBC_MD4:
+ sumtype = CKSUMTYPE_RSA_MD4_DES;
+ break;
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_CRC:
+ sumtype = CKSUMTYPE_RSA_MD5_DES;
+ break;
+ default:
+ retval = krb5int_c_mandatory_cksumtype(context, enctype,
+ &sumtype);
+ if (retval) {
+ CLEANUP_DONE();
+ goto error;
+ }
+ break;
+ }
+ }
}
if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata,
plocal_fulladdr, premote_fulladdr,



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...

--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-commit+help@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages