* [meta-oe][PATCH 1/2] krb5: fix CVE-2017-11368
@ 2017-08-28 13:59 kai.kang
2017-08-28 13:59 ` [meta-oe][PATCH 2/2] mariadb: disable thumb on armv5 kai.kang
2017-08-30 9:30 ` [meta-oe][PATCH 1/2] krb5: fix CVE-2017-11368 Kang Kai
0 siblings, 2 replies; 7+ messages in thread
From: kai.kang @ 2017-08-28 13:59 UTC (permalink / raw)
To: martin.jansa; +Cc: openembedded-devel
From: Kai Kang <kai.kang@windriver.com>
Issue: CVE-2017-11368
Backport patch to fix CVE-2017-11368 for krb5.
(LOCAL REV: NOT UPSTREAM) -- Send to oe-devel on 20170828
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
.../krb5/krb5/fix-CVE-2017-11368.patch | 116 +++++++++++++++++++++
meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb | 1 +
2 files changed, 117 insertions(+)
create mode 100644 meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
new file mode 100644
index 000000000..a2eb7bc02
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
@@ -0,0 +1,116 @@
+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970]
+
+Backport patch to fix CVE-2017-11368.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From ffb35baac6981f9e8914f8f3bffd37f284b85970 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Thu, 13 Jul 2017 12:14:20 -0400
+Subject: [PATCH] Prevent KDC unset status assertion failures
+
+Assign status values if S4U2Self padata fails to decode, if an
+S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
+uses an evidence ticket which does not match the canonicalized request
+server principal name. Reported by Samuel Cabrero.
+
+If a status value is not assigned during KDC processing, default to
+"UNKNOWN_REASON" rather than failing an assertion. This change will
+prevent future denial of service bugs due to similar mistakes, and
+will allow us to omit assigning status values for unlikely errors such
+as small memory allocation failures.
+
+CVE-2017-11368:
+
+In MIT krb5 1.7 and later, an authenticated attacker can cause an
+assertion failure in krb5kdc by sending an invalid S4U2Self or
+S4U2Proxy request.
+
+ CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
+
+ticket: 8599 (new)
+target_version: 1.15-next
+target_version: 1.14-next
+tags: pullup
+---
+ src/kdc/do_as_req.c | 4 ++--
+ src/kdc/do_tgs_req.c | 3 ++-
+ src/kdc/kdc_util.c | 10 ++++++++--
+ 3 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 2d3ad13..9b256c8 100644
+--- a/src/kdc/do_as_req.c
++++ b/src/kdc/do_as_req.c
+@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
+ did_log = 1;
+
+ egress:
+- if (errcode != 0)
+- assert (state->status != 0);
++ if (errcode != 0 && state->status == NULL)
++ state->status = "UNKNOWN_REASON";
+
+ au_state->status = state->status;
+ au_state->reply = &state->reply;
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index cdc79ad..d8d6719 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
+ free(reply.enc_part.ciphertext.data);
+
+ cleanup:
+- assert(status != NULL);
++ if (status == NULL)
++ status = "UNKNOWN_REASON";
+ if (reply_key)
+ krb5_free_keyblock(kdc_context, reply_key);
+ if (errcode)
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 778a629..b710aef 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
+ req_data.data = (char *)pa_data->contents;
+
+ code = decode_krb5_pa_for_user(&req_data, &for_user);
+- if (code)
++ if (code) {
++ *status = "DECODE_PA_FOR_USER";
+ return code;
++ }
+
+ code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
+ if (code) {
+@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
+ req_data.data = (char *)pa_data->contents;
+
+ code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
+- if (code)
++ if (code) {
++ *status = "DECODE_PA_S4U_X509_USER";
+ return code;
++ }
+
+ code = verify_s4u_x509_user_checksum(context,
+ tgs_subkey ? tgs_subkey :
+@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
+ * that is validated previously in validate_tgs_request().
+ */
+ if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
++ *status = "INVALID_S4U2PROXY_OPTIONS";
+ return KRB5KDC_ERR_BADOPTION;
+ }
+
+@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
+ if (!krb5_principal_compare(kdc_context,
+ server->princ, /* after canon */
+ server_princ)) {
++ *status = "EVIDENCE_TICKET_MISMATCH";
+ return KRB5KDC_ERR_SERVER_NOMATCH;
+ }
+
+--
+2.10.1
+
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
index 1de884d03..b515eb5dc 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
file://etc/default/krb5-admin-server \
file://krb5-kdc.service \
file://krb5-admin-server.service \
+ file://fix-CVE-2017-11368.patch;striplevel=2 \
"
SRC_URI[md5sum] = "8022f3a1cde8463e44fd35ef42731f85"
SRC_URI[sha256sum] = "437c8831ddd5fde2a993fef425dedb48468109bb3d3261ef838295045a89eb45"
--
2.14.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [meta-oe][PATCH 2/2] mariadb: disable thumb on armv5
2017-08-28 13:59 [meta-oe][PATCH 1/2] krb5: fix CVE-2017-11368 kai.kang
@ 2017-08-28 13:59 ` kai.kang
2017-08-28 18:17 ` Andre McCurdy
2017-08-30 9:30 ` [meta-oe][PATCH 1/2] krb5: fix CVE-2017-11368 Kang Kai
1 sibling, 1 reply; 7+ messages in thread
From: kai.kang @ 2017-08-28 13:59 UTC (permalink / raw)
To: martin.jansa; +Cc: openembedded-devel
From: Kai Kang <kai.kang@windriver.com>
Disable thumb on armv5 for mariadb which causes link error:
| libsql.a(mysqld.cc.o): In function `test_if_case_insensitive(char const*) [clone .constprop.28]':
| /usr/src/debug/mariadb/5.5.57-r0/mariadb-5.5.57/sql/mysqld.cc:8276:(.text.unlikely+0xbe):
| relocation truncated to fit: R_ARM_THM_CALL against symbol `fn_format' defined
| in .glue_7 section in linker stubs
| /usr/src/debug/mariadb/5.5.57-r0/mariadb-5.5.57/sql/mysqld.cc:8278:(.text.unlikely+0xd0):
| relocation truncated to fit: R_ARM_THM_CALL against symbol `fn_format' defined
| in .glue_7 section in linker stubs
| /usr/src/debug/mariadb/5.5.57-r0/mariadb-5.5.57/sql/mysqld.cc:8285:(.text.unlikely+0x150):
| relocation truncated to fit: R_ARM_THM_CALL against symbol
| `sql_print_warning(char const*, ...)' defined in .glue_7 section in linker stubs
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
meta-oe/recipes-support/mysql/mariadb.inc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta-oe/recipes-support/mysql/mariadb.inc b/meta-oe/recipes-support/mysql/mariadb.inc
index 32e3eaa6d..03cded637 100644
--- a/meta-oe/recipes-support/mysql/mariadb.inc
+++ b/meta-oe/recipes-support/mysql/mariadb.inc
@@ -82,6 +82,8 @@ EXTRA_OECMAKE = "-DWITH_EMBEDDED_SERVER=ON \
-DCAT_EXECUTABLE=`which cat` \
-DCMAKE_AR:FILEPATH=${AR}"
+ARM_INSTRUCTION_SET_armv5 = "arm"
+
do_configure_append() {
# handle distros with different values of ${libexecdir}
libexecdir2=`echo ${libexecdir} | sed -e 's+/usr/++g'`
--
2.14.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [meta-oe][PATCH 2/2] mariadb: disable thumb on armv5
2017-08-28 13:59 ` [meta-oe][PATCH 2/2] mariadb: disable thumb on armv5 kai.kang
@ 2017-08-28 18:17 ` Andre McCurdy
2017-08-29 3:00 ` Kang Kai
0 siblings, 1 reply; 7+ messages in thread
From: Andre McCurdy @ 2017-08-28 18:17 UTC (permalink / raw)
To: Kang Kai; +Cc: openembeded-devel
On Mon, Aug 28, 2017 at 6:59 AM, <kai.kang@windriver.com> wrote:
> From: Kai Kang <kai.kang@windriver.com>
>
> Disable thumb on armv5 for mariadb which causes link error:
>
> | libsql.a(mysqld.cc.o): In function `test_if_case_insensitive(char const*) [clone .constprop.28]':
> | /usr/src/debug/mariadb/5.5.57-r0/mariadb-5.5.57/sql/mysqld.cc:8276:(.text.unlikely+0xbe):
> | relocation truncated to fit: R_ARM_THM_CALL against symbol `fn_format' defined
> | in .glue_7 section in linker stubs
> | /usr/src/debug/mariadb/5.5.57-r0/mariadb-5.5.57/sql/mysqld.cc:8278:(.text.unlikely+0xd0):
> | relocation truncated to fit: R_ARM_THM_CALL against symbol `fn_format' defined
> | in .glue_7 section in linker stubs
> | /usr/src/debug/mariadb/5.5.57-r0/mariadb-5.5.57/sql/mysqld.cc:8285:(.text.unlikely+0x150):
> | relocation truncated to fit: R_ARM_THM_CALL against symbol
> | `sql_print_warning(char const*, ...)' defined in .glue_7 section in linker stubs
>
> Signed-off-by: Kai Kang <kai.kang@windriver.com>
> ---
> meta-oe/recipes-support/mysql/mariadb.inc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta-oe/recipes-support/mysql/mariadb.inc b/meta-oe/recipes-support/mysql/mariadb.inc
> index 32e3eaa6d..03cded637 100644
> --- a/meta-oe/recipes-support/mysql/mariadb.inc
> +++ b/meta-oe/recipes-support/mysql/mariadb.inc
> @@ -82,6 +82,8 @@ EXTRA_OECMAKE = "-DWITH_EMBEDDED_SERVER=ON \
> -DCAT_EXECUTABLE=`which cat` \
> -DCMAKE_AR:FILEPATH=${AR}"
>
> +ARM_INSTRUCTION_SET_armv5 = "arm"
For Thumb1 build issues, normal approach is to over-ride
ARM_INSTRUCTION_SET for both armv4 and armv5. Even though you may not
be able to test armv4 it's almost certain to hit the same issue.
> do_configure_append() {
> # handle distros with different values of ${libexecdir}
> libexecdir2=`echo ${libexecdir} | sed -e 's+/usr/++g'`
> --
> 2.14.1
>
> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [meta-oe][PATCH 2/2] mariadb: disable thumb on armv5
2017-08-28 18:17 ` Andre McCurdy
@ 2017-08-29 3:00 ` Kang Kai
0 siblings, 0 replies; 7+ messages in thread
From: Kang Kai @ 2017-08-29 3:00 UTC (permalink / raw)
To: Andre McCurdy; +Cc: openembeded-devel
On 2017年08月29日 02:17, Andre McCurdy wrote:
> On Mon, Aug 28, 2017 at 6:59 AM, <kai.kang@windriver.com> wrote:
>> From: Kai Kang <kai.kang@windriver.com>
>>
>> Disable thumb on armv5 for mariadb which causes link error:
>>
>> | libsql.a(mysqld.cc.o): In function `test_if_case_insensitive(char const*) [clone .constprop.28]':
>> | /usr/src/debug/mariadb/5.5.57-r0/mariadb-5.5.57/sql/mysqld.cc:8276:(.text.unlikely+0xbe):
>> | relocation truncated to fit: R_ARM_THM_CALL against symbol `fn_format' defined
>> | in .glue_7 section in linker stubs
>> | /usr/src/debug/mariadb/5.5.57-r0/mariadb-5.5.57/sql/mysqld.cc:8278:(.text.unlikely+0xd0):
>> | relocation truncated to fit: R_ARM_THM_CALL against symbol `fn_format' defined
>> | in .glue_7 section in linker stubs
>> | /usr/src/debug/mariadb/5.5.57-r0/mariadb-5.5.57/sql/mysqld.cc:8285:(.text.unlikely+0x150):
>> | relocation truncated to fit: R_ARM_THM_CALL against symbol
>> | `sql_print_warning(char const*, ...)' defined in .glue_7 section in linker stubs
>>
>> Signed-off-by: Kai Kang <kai.kang@windriver.com>
>> ---
>> meta-oe/recipes-support/mysql/mariadb.inc | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/meta-oe/recipes-support/mysql/mariadb.inc b/meta-oe/recipes-support/mysql/mariadb.inc
>> index 32e3eaa6d..03cded637 100644
>> --- a/meta-oe/recipes-support/mysql/mariadb.inc
>> +++ b/meta-oe/recipes-support/mysql/mariadb.inc
>> @@ -82,6 +82,8 @@ EXTRA_OECMAKE = "-DWITH_EMBEDDED_SERVER=ON \
>> -DCAT_EXECUTABLE=`which cat` \
>> -DCMAKE_AR:FILEPATH=${AR}"
>>
>> +ARM_INSTRUCTION_SET_armv5 = "arm"
> For Thumb1 build issues, normal approach is to over-ride
> ARM_INSTRUCTION_SET for both armv4 and armv5. Even though you may not
> be able to test armv4 it's almost certain to hit the same issue.
OK. Thanks. V2 will be sent.
--Kai
>
>> do_configure_append() {
>> # handle distros with different values of ${libexecdir}
>> libexecdir2=`echo ${libexecdir} | sed -e 's+/usr/++g'`
>> --
>> 2.14.1
>>
>> --
>> _______________________________________________
>> Openembedded-devel mailing list
>> Openembedded-devel@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
--
Regards,
Neil | Kai Kang
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [meta-oe][PATCH 1/2] krb5: fix CVE-2017-11368
2017-08-28 13:59 [meta-oe][PATCH 1/2] krb5: fix CVE-2017-11368 kai.kang
2017-08-28 13:59 ` [meta-oe][PATCH 2/2] mariadb: disable thumb on armv5 kai.kang
@ 2017-08-30 9:30 ` Kang Kai
2017-08-30 9:40 ` Martin Jansa
1 sibling, 1 reply; 7+ messages in thread
From: Kang Kai @ 2017-08-30 9:30 UTC (permalink / raw)
To: Martin Jansa; +Cc: openembedded-devel
On 2017年08月28日 21:59, kai.kang@windriver.com wrote:
> From: Kai Kang <kai.kang@windriver.com>
>
> Issue: CVE-2017-11368
>
> Backport patch to fix CVE-2017-11368 for krb5.
>
> (LOCAL REV: NOT UPSTREAM) -- Send to oe-devel on 20170828
Hi Martin,
Ooops. I forgot to remove inner informations in the commit message.
Should I send V2 to remove the following 2 lines?
Issue: CVE-2017-11368
(LOCAL REV: NOT UPSTREAM) -- Send to oe-devel on 20170828
Sorry for the inconvenience.
--Kai
>
> Signed-off-by: Kai Kang <kai.kang@windriver.com>
> ---
> .../krb5/krb5/fix-CVE-2017-11368.patch | 116 +++++++++++++++++++++
> meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb | 1 +
> 2 files changed, 117 insertions(+)
> create mode 100644 meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
>
> diff --git a/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
> new file mode 100644
> index 000000000..a2eb7bc02
> --- /dev/null
> +++ b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
> @@ -0,0 +1,116 @@
> +Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970]
> +
> +Backport patch to fix CVE-2017-11368.
> +
> +Signed-off-by: Kai Kang <kai.kang@windriver.com>
> +---
> +From ffb35baac6981f9e8914f8f3bffd37f284b85970 Mon Sep 17 00:00:00 2001
> +From: Greg Hudson <ghudson@mit.edu>
> +Date: Thu, 13 Jul 2017 12:14:20 -0400
> +Subject: [PATCH] Prevent KDC unset status assertion failures
> +
> +Assign status values if S4U2Self padata fails to decode, if an
> +S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
> +uses an evidence ticket which does not match the canonicalized request
> +server principal name. Reported by Samuel Cabrero.
> +
> +If a status value is not assigned during KDC processing, default to
> +"UNKNOWN_REASON" rather than failing an assertion. This change will
> +prevent future denial of service bugs due to similar mistakes, and
> +will allow us to omit assigning status values for unlikely errors such
> +as small memory allocation failures.
> +
> +CVE-2017-11368:
> +
> +In MIT krb5 1.7 and later, an authenticated attacker can cause an
> +assertion failure in krb5kdc by sending an invalid S4U2Self or
> +S4U2Proxy request.
> +
> + CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
> +
> +ticket: 8599 (new)
> +target_version: 1.15-next
> +target_version: 1.14-next
> +tags: pullup
> +---
> + src/kdc/do_as_req.c | 4 ++--
> + src/kdc/do_tgs_req.c | 3 ++-
> + src/kdc/kdc_util.c | 10 ++++++++--
> + 3 files changed, 12 insertions(+), 5 deletions(-)
> +
> +diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
> +index 2d3ad13..9b256c8 100644
> +--- a/src/kdc/do_as_req.c
> ++++ b/src/kdc/do_as_req.c
> +@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
> + did_log = 1;
> +
> + egress:
> +- if (errcode != 0)
> +- assert (state->status != 0);
> ++ if (errcode != 0 && state->status == NULL)
> ++ state->status = "UNKNOWN_REASON";
> +
> + au_state->status = state->status;
> + au_state->reply = &state->reply;
> +diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
> +index cdc79ad..d8d6719 100644
> +--- a/src/kdc/do_tgs_req.c
> ++++ b/src/kdc/do_tgs_req.c
> +@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
> + free(reply.enc_part.ciphertext.data);
> +
> + cleanup:
> +- assert(status != NULL);
> ++ if (status == NULL)
> ++ status = "UNKNOWN_REASON";
> + if (reply_key)
> + krb5_free_keyblock(kdc_context, reply_key);
> + if (errcode)
> +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
> +index 778a629..b710aef 100644
> +--- a/src/kdc/kdc_util.c
> ++++ b/src/kdc/kdc_util.c
> +@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
> + req_data.data = (char *)pa_data->contents;
> +
> + code = decode_krb5_pa_for_user(&req_data, &for_user);
> +- if (code)
> ++ if (code) {
> ++ *status = "DECODE_PA_FOR_USER";
> + return code;
> ++ }
> +
> + code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
> + if (code) {
> +@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
> + req_data.data = (char *)pa_data->contents;
> +
> + code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
> +- if (code)
> ++ if (code) {
> ++ *status = "DECODE_PA_S4U_X509_USER";
> + return code;
> ++ }
> +
> + code = verify_s4u_x509_user_checksum(context,
> + tgs_subkey ? tgs_subkey :
> +@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
> + * that is validated previously in validate_tgs_request().
> + */
> + if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
> ++ *status = "INVALID_S4U2PROXY_OPTIONS";
> + return KRB5KDC_ERR_BADOPTION;
> + }
> +
> +@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
> + if (!krb5_principal_compare(kdc_context,
> + server->princ, /* after canon */
> + server_princ)) {
> ++ *status = "EVIDENCE_TICKET_MISMATCH";
> + return KRB5KDC_ERR_SERVER_NOMATCH;
> + }
> +
> +--
> +2.10.1
> +
> diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
> index 1de884d03..b515eb5dc 100644
> --- a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
> +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
> @@ -30,6 +30,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
> file://etc/default/krb5-admin-server \
> file://krb5-kdc.service \
> file://krb5-admin-server.service \
> + file://fix-CVE-2017-11368.patch;striplevel=2 \
> "
> SRC_URI[md5sum] = "8022f3a1cde8463e44fd35ef42731f85"
> SRC_URI[sha256sum] = "437c8831ddd5fde2a993fef425dedb48468109bb3d3261ef838295045a89eb45"
--
Regards,
Neil | Kai Kang
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [meta-oe][PATCH 1/2] krb5: fix CVE-2017-11368
2017-08-30 9:30 ` [meta-oe][PATCH 1/2] krb5: fix CVE-2017-11368 Kang Kai
@ 2017-08-30 9:40 ` Martin Jansa
2017-08-30 9:53 ` Kang Kai
0 siblings, 1 reply; 7+ messages in thread
From: Martin Jansa @ 2017-08-30 9:40 UTC (permalink / raw)
To: Kang Kai; +Cc: openembedded-devel
done
On Wed, Aug 30, 2017 at 11:30 AM, Kang Kai <Kai.Kang@windriver.com> wrote:
> On 2017年08月28日 21:59, kai.kang@windriver.com wrote:
>
>> From: Kai Kang <kai.kang@windriver.com>
>>
>> Issue: CVE-2017-11368
>>
>> Backport patch to fix CVE-2017-11368 for krb5.
>>
>> (LOCAL REV: NOT UPSTREAM) -- Send to oe-devel on 20170828
>>
>
> Hi Martin,
>
> Ooops. I forgot to remove inner informations in the commit message.
>
> Should I send V2 to remove the following 2 lines?
>
> Issue: CVE-2017-11368
>
> (LOCAL REV: NOT UPSTREAM) -- Send to oe-devel on 20170828
>
>
> Sorry for the inconvenience.
>
>
> --Kai
>
>
>
>> Signed-off-by: Kai Kang <kai.kang@windriver.com>
>> ---
>> .../krb5/krb5/fix-CVE-2017-11368.patch | 116
>> +++++++++++++++++++++
>> meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb | 1 +
>> 2 files changed, 117 insertions(+)
>> create mode 100644 meta-oe/recipes-connectivity/k
>> rb5/krb5/fix-CVE-2017-11368.patch
>>
>> diff --git a/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
>> b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
>> new file mode 100644
>> index 000000000..a2eb7bc02
>> --- /dev/null
>> +++ b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
>> @@ -0,0 +1,116 @@
>> +Upstream-Status: Backport [https://github.com/krb5/krb5/
>> commit/ffb35baac6981f9e8914f8f3bffd37f284b85970]
>> +
>> +Backport patch to fix CVE-2017-11368.
>> +
>> +Signed-off-by: Kai Kang <kai.kang@windriver.com>
>> +---
>> +From ffb35baac6981f9e8914f8f3bffd37f284b85970 Mon Sep 17 00:00:00 2001
>> +From: Greg Hudson <ghudson@mit.edu>
>> +Date: Thu, 13 Jul 2017 12:14:20 -0400
>> +Subject: [PATCH] Prevent KDC unset status assertion failures
>> +
>> +Assign status values if S4U2Self padata fails to decode, if an
>> +S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
>> +uses an evidence ticket which does not match the canonicalized request
>> +server principal name. Reported by Samuel Cabrero.
>> +
>> +If a status value is not assigned during KDC processing, default to
>> +"UNKNOWN_REASON" rather than failing an assertion. This change will
>> +prevent future denial of service bugs due to similar mistakes, and
>> +will allow us to omit assigning status values for unlikely errors such
>> +as small memory allocation failures.
>> +
>> +CVE-2017-11368:
>> +
>> +In MIT krb5 1.7 and later, an authenticated attacker can cause an
>> +assertion failure in krb5kdc by sending an invalid S4U2Self or
>> +S4U2Proxy request.
>> +
>> + CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
>> +
>> +ticket: 8599 (new)
>> +target_version: 1.15-next
>> +target_version: 1.14-next
>> +tags: pullup
>> +---
>> + src/kdc/do_as_req.c | 4 ++--
>> + src/kdc/do_tgs_req.c | 3 ++-
>> + src/kdc/kdc_util.c | 10 ++++++++--
>> + 3 files changed, 12 insertions(+), 5 deletions(-)
>> +
>> +diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
>> +index 2d3ad13..9b256c8 100644
>> +--- a/src/kdc/do_as_req.c
>> ++++ b/src/kdc/do_as_req.c
>> +@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state *state,
>> krb5_error_code errcode)
>> + did_log = 1;
>> +
>> + egress:
>> +- if (errcode != 0)
>> +- assert (state->status != 0);
>> ++ if (errcode != 0 && state->status == NULL)
>> ++ state->status = "UNKNOWN_REASON";
>> +
>> + au_state->status = state->status;
>> + au_state->reply = &state->reply;
>> +diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
>> +index cdc79ad..d8d6719 100644
>> +--- a/src/kdc/do_tgs_req.c
>> ++++ b/src/kdc/do_tgs_req.c
>> +@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle,
>> krb5_data *pkt,
>> + free(reply.enc_part.ciphertext.data);
>> +
>> + cleanup:
>> +- assert(status != NULL);
>> ++ if (status == NULL)
>> ++ status = "UNKNOWN_REASON";
>> + if (reply_key)
>> + krb5_free_keyblock(kdc_context, reply_key);
>> + if (errcode)
>> +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
>> +index 778a629..b710aef 100644
>> +--- a/src/kdc/kdc_util.c
>> ++++ b/src/kdc/kdc_util.c
>> +@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t
>> *kdc_active_realm,
>> + req_data.data = (char *)pa_data->contents;
>> +
>> + code = decode_krb5_pa_for_user(&req_data, &for_user);
>> +- if (code)
>> ++ if (code) {
>> ++ *status = "DECODE_PA_FOR_USER";
>> + return code;
>> ++ }
>> +
>> + code = verify_for_user_checksum(kdc_context, tgs_session,
>> for_user);
>> + if (code) {
>> +@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
>> + req_data.data = (char *)pa_data->contents;
>> +
>> + code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
>> +- if (code)
>> ++ if (code) {
>> ++ *status = "DECODE_PA_S4U_X509_USER";
>> + return code;
>> ++ }
>> +
>> + code = verify_s4u_x509_user_checksum(context,
>> + tgs_subkey ? tgs_subkey :
>> +@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t
>> *kdc_active_realm,
>> + * that is validated previously in validate_tgs_request().
>> + */
>> + if (request->kdc_options & (NON_TGT_OPTION |
>> KDC_OPT_ENC_TKT_IN_SKEY)) {
>> ++ *status = "INVALID_S4U2PROXY_OPTIONS";
>> + return KRB5KDC_ERR_BADOPTION;
>> + }
>> +
>> +@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t
>> *kdc_active_realm,
>> + if (!krb5_principal_compare(kdc_context,
>> + server->princ, /* after canon */
>> + server_princ)) {
>> ++ *status = "EVIDENCE_TICKET_MISMATCH";
>> + return KRB5KDC_ERR_SERVER_NOMATCH;
>> + }
>> +
>> +--
>> +2.10.1
>> +
>> diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
>> b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
>> index 1de884d03..b515eb5dc 100644
>> --- a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
>> +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
>> @@ -30,6 +30,7 @@ SRC_URI = "http://web.mit.edu/kerberos/d
>> ist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
>> file://etc/default/krb5-admin-server \
>> file://krb5-kdc.service \
>> file://krb5-admin-server.service \
>> + file://fix-CVE-2017-11368.patch;striplevel=2 \
>> "
>> SRC_URI[md5sum] = "8022f3a1cde8463e44fd35ef42731f85"
>> SRC_URI[sha256sum] = "437c8831ddd5fde2a993fef425ded
>> b48468109bb3d3261ef838295045a89eb45"
>>
>
>
> --
> Regards,
> Neil | Kai Kang
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [meta-oe][PATCH 1/2] krb5: fix CVE-2017-11368
2017-08-30 9:40 ` Martin Jansa
@ 2017-08-30 9:53 ` Kang Kai
0 siblings, 0 replies; 7+ messages in thread
From: Kang Kai @ 2017-08-30 9:53 UTC (permalink / raw)
To: Martin Jansa; +Cc: openembedded-devel
On 2017年08月30日 17:40, Martin Jansa wrote:
> done
Thanks.
--Kai
>
> On Wed, Aug 30, 2017 at 11:30 AM, Kang Kai <Kai.Kang@windriver.com
> <mailto:Kai.Kang@windriver.com>> wrote:
>
> On 2017年08月28日 21:59, kai.kang@windriver.com
> <mailto:kai.kang@windriver.com> wrote:
>
> From: Kai Kang <kai.kang@windriver.com
> <mailto:kai.kang@windriver.com>>
>
> Issue: CVE-2017-11368
>
> Backport patch to fix CVE-2017-11368 for krb5.
>
> (LOCAL REV: NOT UPSTREAM) -- Send to oe-devel on 20170828
>
>
> Hi Martin,
>
> Ooops. I forgot to remove inner informations in the commit message.
>
> Should I send V2 to remove the following 2 lines?
>
> Issue: CVE-2017-11368
>
> (LOCAL REV: NOT UPSTREAM) -- Send to oe-devel on 20170828
>
>
> Sorry for the inconvenience.
>
>
> --Kai
>
>
>
> Signed-off-by: Kai Kang <kai.kang@windriver.com
> <mailto:kai.kang@windriver.com>>
> ---
> .../krb5/krb5/fix-CVE-2017-11368.patch | 116
> +++++++++++++++++++++
> meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
> <http://krb5_1.15.1.bb> | 1 +
> 2 files changed, 117 insertions(+)
> create mode 100644
> meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
>
> diff --git
> a/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
> b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
> new file mode 100644
> index 000000000..a2eb7bc02
> --- /dev/null
> +++
> b/meta-oe/recipes-connectivity/krb5/krb5/fix-CVE-2017-11368.patch
> @@ -0,0 +1,116 @@
> +Upstream-Status: Backport
> [https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970
> <https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970>]
> +
> +Backport patch to fix CVE-2017-11368.
> +
> +Signed-off-by: Kai Kang <kai.kang@windriver.com
> <mailto:kai.kang@windriver.com>>
> +---
> +From ffb35baac6981f9e8914f8f3bffd37f284b85970 Mon Sep 17
> 00:00:00 2001
> +From: Greg Hudson <ghudson@mit.edu <mailto:ghudson@mit.edu>>
> +Date: Thu, 13 Jul 2017 12:14:20 -0400
> +Subject: [PATCH] Prevent KDC unset status assertion failures
> +
> +Assign status values if S4U2Self padata fails to decode, if an
> +S4U2Proxy request uses invalid KDC options, or if an
> S4U2Proxy request
> +uses an evidence ticket which does not match the
> canonicalized request
> +server principal name. Reported by Samuel Cabrero.
> +
> +If a status value is not assigned during KDC processing,
> default to
> +"UNKNOWN_REASON" rather than failing an assertion. This
> change will
> +prevent future denial of service bugs due to similar
> mistakes, and
> +will allow us to omit assigning status values for unlikely
> errors such
> +as small memory allocation failures.
> +
> +CVE-2017-11368:
> +
> +In MIT krb5 1.7 and later, an authenticated attacker can cause an
> +assertion failure in krb5kdc by sending an invalid S4U2Self or
> +S4U2Proxy request.
> +
> + CVSSv3 Vector:
> AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
> +
> +ticket: 8599 (new)
> +target_version: 1.15-next
> +target_version: 1.14-next
> +tags: pullup
> +---
> + src/kdc/do_as_req.c | 4 ++--
> + src/kdc/do_tgs_req.c | 3 ++-
> + src/kdc/kdc_util.c | 10 ++++++++--
> + 3 files changed, 12 insertions(+), 5 deletions(-)
> +
> +diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
> +index 2d3ad13..9b256c8 100644
> +--- a/src/kdc/do_as_req.c
> ++++ b/src/kdc/do_as_req.c
> +@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state
> *state, krb5_error_code errcode)
> + did_log = 1;
> +
> + egress:
> +- if (errcode != 0)
> +- assert (state->status != 0);
> ++ if (errcode != 0 && state->status == NULL)
> ++ state->status = "UNKNOWN_REASON";
> +
> + au_state->status = state->status;
> + au_state->reply = &state->reply;
> +diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
> +index cdc79ad..d8d6719 100644
> +--- a/src/kdc/do_tgs_req.c
> ++++ b/src/kdc/do_tgs_req.c
> +@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle
> *handle, krb5_data *pkt,
> + free(reply.enc_part.ciphertext.data);
> +
> + cleanup:
> +- assert(status != NULL);
> ++ if (status == NULL)
> ++ status = "UNKNOWN_REASON";
> + if (reply_key)
> + krb5_free_keyblock(kdc_context, reply_key);
> + if (errcode)
> +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
> +index 778a629..b710aef 100644
> +--- a/src/kdc/kdc_util.c
> ++++ b/src/kdc/kdc_util.c
> +@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t
> *kdc_active_realm,
> + req_data.data = (char *)pa_data->contents;
> +
> + code = decode_krb5_pa_for_user(&req_data, &for_user);
> +- if (code)
> ++ if (code) {
> ++ *status = "DECODE_PA_FOR_USER";
> + return code;
> ++ }
> +
> + code = verify_for_user_checksum(kdc_context,
> tgs_session, for_user);
> + if (code) {
> +@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context
> context,
> + req_data.data = (char *)pa_data->contents;
> +
> + code = decode_krb5_pa_s4u_x509_user(&req_data,
> s4u_x509_user);
> +- if (code)
> ++ if (code) {
> ++ *status = "DECODE_PA_S4U_X509_USER";
> + return code;
> ++ }
> +
> + code = verify_s4u_x509_user_checksum(context,
> + tgs_subkey ?
> tgs_subkey :
> +@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t
> *kdc_active_realm,
> + * that is validated previously in validate_tgs_request().
> + */
> + if (request->kdc_options & (NON_TGT_OPTION |
> KDC_OPT_ENC_TKT_IN_SKEY)) {
> ++ *status = "INVALID_S4U2PROXY_OPTIONS";
> + return KRB5KDC_ERR_BADOPTION;
> + }
> +
> +@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t
> *kdc_active_realm,
> + if (!krb5_principal_compare(kdc_context,
> + server->princ, /* after canon */
> + server_princ)) {
> ++ *status = "EVIDENCE_TICKET_MISMATCH";
> + return KRB5KDC_ERR_SERVER_NOMATCH;
> + }
> +
> +--
> +2.10.1
> +
> diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
> <http://krb5_1.15.1.bb>
> b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
> <http://krb5_1.15.1.bb>
> index 1de884d03..b515eb5dc 100644
> --- a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
> <http://krb5_1.15.1.bb>
> +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
> <http://krb5_1.15.1.bb>
> @@ -30,6 +30,7 @@ SRC_URI =
> "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz
> <http://web.mit.edu/kerberos/dist/$%7BBPN%7D/$%7BSHRT_VER%7D/$%7BBP%7D.tar.gz>
> \
> file://etc/default/krb5-admin-server \
> file://krb5-kdc.service \
> file://krb5-admin-server.service \
> + file://fix-CVE-2017-11368.patch;striplevel=2 \
> "
> SRC_URI[md5sum] = "8022f3a1cde8463e44fd35ef42731f85"
> SRC_URI[sha256sum] =
> "437c8831ddd5fde2a993fef425dedb48468109bb3d3261ef838295045a89eb45"
>
>
>
> --
> Regards,
> Neil | Kai Kang
>
>
--
Regards,
Neil | Kai Kang
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2017-08-30 9:52 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-08-28 13:59 [meta-oe][PATCH 1/2] krb5: fix CVE-2017-11368 kai.kang
2017-08-28 13:59 ` [meta-oe][PATCH 2/2] mariadb: disable thumb on armv5 kai.kang
2017-08-28 18:17 ` Andre McCurdy
2017-08-29 3:00 ` Kang Kai
2017-08-30 9:30 ` [meta-oe][PATCH 1/2] krb5: fix CVE-2017-11368 Kang Kai
2017-08-30 9:40 ` Martin Jansa
2017-08-30 9:53 ` Kang Kai
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.