Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package krb5

I request pre-approval of krb5 to apply upstream patches for CVE-2014-5353 and CVE-2014-5354, tracked as debian bugs #773226 and #773228. The attached debdiff is between the -15 in testing and the -16 I wish to upload to sid.

unblock krb5/1.12.1+dfsg-16

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru krb5-1.12.1+dfsg/debian/changelog krb5-1.12.1+dfsg/debian/changelog --- krb5-1.12.1+dfsg/debian/changelog 2014-11-21 12:36:17.000000000 -0500 +++ krb5-1.12.1+dfsg/debian/changelog 2014-12-15 16:20:33.000000000 -0500 @@ -1,3 +1,10 @@ +krb5 (1.12.1+dfsg-16) unstable; urgency=medium + + * Import upstream patches for CVE-2014-5353 and CVE-2014-5354, + Closes: #773226, Closes: #773228 + + -- Benjamin Kaduk <ka...@mit.edu> Mon, 15 Dec 2014 16:18:26 -0500 + krb5 (1.12.1+dfsg-15) unstable; urgency=medium * Also apply slapd-before-kdc.conf to krb5-admin-server.service.d, diff -Nru krb5-1.12.1+dfsg/debian/.git-dpm krb5-1.12.1+dfsg/debian/.git-dpm --- krb5-1.12.1+dfsg/debian/.git-dpm 2014-11-07 13:15:18.000000000 -0500 +++ krb5-1.12.1+dfsg/debian/.git-dpm 2014-12-15 16:18:26.000000000 -0500 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -69fa1fe36396c1f370c0dd91ca6de5ebd92c8601 -69fa1fe36396c1f370c0dd91ca6de5ebd92c8601 +877ad027ca2103f3ac2f581451fdd347a76b8981 +877ad027ca2103f3ac2f581451fdd347a76b8981 00dec38e79dd6436e9efed873df00e6ea11fdd0e 00dec38e79dd6436e9efed873df00e6ea11fdd0e krb5_1.12.1+dfsg.orig.tar.gz diff -Nru krb5-1.12.1+dfsg/debian/patches/0028-Support-keyless-principals-in-LDAP-CVE-2014-5354.patch krb5-1.12.1+dfsg/debian/patches/0028-Support-keyless-principals-in-LDAP-CVE-2014-5354.patch --- krb5-1.12.1+dfsg/debian/patches/0028-Support-keyless-principals-in-LDAP-CVE-2014-5354.patch 1969-12-31 19:00:00.000000000 -0500 +++ krb5-1.12.1+dfsg/debian/patches/0028-Support-keyless-principals-in-LDAP-CVE-2014-5354.patch 2014-12-15 16:18:26.000000000 -0500 
@@ -0,0 +1,123 @@ +From 877ad027ca2103f3ac2f581451fdd347a76b8981 Mon Sep 17 00:00:00 2001 +From: Ben Kaduk <ka...@mit.edu> +Date: Wed, 19 Nov 2014 12:04:46 -0500 +Subject: Support keyless principals in LDAP [CVE-2014-5354] + +Operations like "kadmin -q 'addprinc -nokey foo'" or +"kadmin -q 'purgekeys -all foo'" result in principal entries with +no keys present, so krb5_encode_krbsecretkey() would just return +NULL, which then got unconditionally dereferenced in +krb5_add_ber_mem_ldap_mod(). + +Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key +principals better, correct the test for an allocation failure, and +slightly restructure the cleanup handler to be shorter and more +appropriate for the usage. Once it no longer short-circuits when +n_key_data is zero, it will produce an array of length two with both +entries NULL, which is treated as an empty list by the LDAP library, +the correct behavior for a keyless principal. + +However, attributes with empty values are only handled by the LDAP +library for Modify operations, not Add operations (which only get +a sequence of Attribute, with no operation field). Therefore, only +add an empty krbprincipalkey to the modlist when we will be performing a +Modify, and not when we will be performing an Add, which is conditional +on the (misspelled) create_standalone_prinicipal boolean. + +CVE-2014-5354: + +In MIT krb5, when kadmind is configured to use LDAP for the KDC +database, an authenticated remote attacker can cause a NULL +dereference by inserting into the database a principal entry which +contains no long-term keys. + +In order for the LDAP KDC backend to translate a principal entry +from the database abstraction layer into the form expected by the +LDAP schema, the principal's keys are encoded into a +NULL-terminated array of length-value entries to be stored in the +LDAP database. 
However, the subroutine which produced this array +did not correctly handle the case where no keys were present, +returning NULL instead of an empty array, and the array was +unconditionally dereferenced while adding to the list of LDAP +operations to perform. + +Versions of MIT krb5 prior to 1.12 did not expose a way for +principal entries to have no long-term key material, and +therefore are not vulnerable. + + CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C + +ticket: 8041 (new) +tags: pullup +target_version: 1.13.1 +subject: kadmind with ldap backend crashes when putting keyless entries + +(cherry picked from commit 04038bf3633c4b909b5ded3072dc88c8c419bf16) +Some of the "other fixes" to krb5_encode_krbsecretkey() do not apply on +the 1.12 branch. The patch needed to be modified slightly to account +for the absence of commit 1825455ede7e61ab934b16262fb5b12b78a52f1a +on the 1.12 branch upon which this branch is based. The tests added +to exercise this fuctionality do pass, even with the modified form +of the commit. 
+ +Patch-category: upstream +--- + src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 23 ++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +index e2320ab..c9a3ecf 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c ++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +@@ -412,7 +412,7 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data, + int i, j, last; + krb5_error_code err = 0; + +- if (n_key_data <= 0) ++ if (n_key_data < 0) + return NULL; + + /* Find the number of key versions */ +@@ -425,6 +425,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data, + err = ENOMEM; + goto cleanup; + } ++ if (n_key_data == 0) ++ return ret; + for (i = 0, last = 0, j = 0, currkvno = key_data[0].key_data_kvno; i < n_key_data; i++) { + krb5_data *code; + if (i == n_key_data - 1 || key_data[i + 1].key_data_kvno != currkvno) { +@@ -453,9 +455,8 @@ cleanup: + + if (err != 0) { + if (ret != NULL) { +- for (i = 0; i <= num_versions; i++) +- if (ret[i] != NULL) +- free (ret[i]); ++ for (i = 0; ret[i] != NULL; i++) ++ free (ret[i]); + free (ret); + ret = NULL; + } +@@ -1028,9 +1029,19 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, + bersecretkey = krb5_encode_krbsecretkey (entry->key_data, + entry->n_key_data, mkvno); + +- if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", +- LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0) ++ if (bersecretkey == NULL) { ++ st = ENOMEM; + goto cleanup; ++ } ++ /* An empty list of bervals is only accepted for modify operations, ++ * not add operations. 
*/ ++ if (bersecretkey[0] != NULL || !create_standalone_prinicipal) { ++ st = krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", ++ LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, ++ bersecretkey); ++ if (st != 0) ++ goto cleanup; ++ } + + if (!(entry->mask & KADM5_PRINCIPAL)) { + memset(strval, 0, sizeof(strval)); diff -Nru krb5-1.12.1+dfsg/debian/patches/series krb5-1.12.1+dfsg/debian/patches/series --- krb5-1.12.1+dfsg/debian/patches/series 2014-11-07 13:15:18.000000000 -0500 +++ krb5-1.12.1+dfsg/debian/patches/series 2014-12-15 16:18:26.000000000 -0500 @@ -24,3 +24,5 @@ upstream/0024-Return-only-new-keys-in-randkey-CVE-2014-5351.patch upstream/0025-Fix-build-on-systems-without-RTM_OLD.patch upstream/0026-Remove-rtm_type_name.patch +upstream/0027-Fix-LDAP-misused-policy-name-crash-CVE-2014-5353.patch +0028-Support-keyless-principals-in-LDAP-CVE-2014-5354.patch diff -Nru krb5-1.12.1+dfsg/debian/patches/upstream/0027-Fix-LDAP-misused-policy-name-crash-CVE-2014-5353.patch krb5-1.12.1+dfsg/debian/patches/upstream/0027-Fix-LDAP-misused-policy-name-crash-CVE-2014-5353.patch --- krb5-1.12.1+dfsg/debian/patches/upstream/0027-Fix-LDAP-misused-policy-name-crash-CVE-2014-5353.patch 1969-12-31 19:00:00.000000000 -0500 +++ krb5-1.12.1+dfsg/debian/patches/upstream/0027-Fix-LDAP-misused-policy-name-crash-CVE-2014-5353.patch 2014-12-15 16:18:26.000000000 -0500 
@@ -0,0 +1,66 @@ +From c9be64440cd7c5676ad7beb044deafcba58b5912 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghud...@mit.edu> +Date: Fri, 5 Dec 2014 14:01:39 -0500 +Subject: Fix LDAP misused policy name crash [CVE-2014-5353] + +In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns +successfully with no results, return KRB5_KDB_NOENTRY instead of +returning success with a zeroed-out policy object. This fixes a null +dereference when an admin attempts to use an LDAP ticket policy name +as a password policy name. + +CVE-2014-5353: + +In MIT krb5, when kadmind is configured to use LDAP for the KDC +database, an authenticated remote attacker can cause a NULL dereference +by attempting to use a named ticket policy object as a password policy +for a principal. The attacker needs to be authenticated as a user who +has the elevated privilege for setting password policy by adding or +modifying principals. + +Queries to LDAP scoped to the krbPwdPolicy object class will correctly +not return entries of other classes, such as ticket policy objects, but +may return success with no returned elements if an object with the +requested DN exists in a different object class. In this case, the +routine to retrieve a password policy returned success with a password +policy object that consisted entirely of zeroed memory. In particular, +accesses to the policy name will dereference a NULL pointer. KDC +operation does not access the policy name field, but most kadmin +operations involving the principal with incorrect password policy +will trigger the crash. + +Thanks to Patrik Kis for reporting this problem. 
+ +CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C + +[ka...@mit.edu: CVE description and CVSS score] + +ticket: 8051 (new) +target_version: 1.13.1 +tags: pullup + +(cherry picked from commit d1f707024f1d0af6e54a18885322d70fa15ec4d3) +Patch-Category: upstream +--- + src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c +index 4d7d673..97f43dc 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c ++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c +@@ -314,10 +314,11 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name, + LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes); + + ent=ldap_first_entry(ld, result); +- if (ent != NULL) { +- if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0) +- goto cleanup; ++ if (ent == NULL) { ++ st = KRB5_KDB_NOENTRY; ++ goto cleanup; + } ++ st = populate_policy(context, ld, ent, pol_name, *policy); + + cleanup: + ldap_msgfree(result);
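Review bot: in the `@@ -412,7` hunk of ldap_principal2.c the `if (n_key_data < 0) return NULL;` branch still signals a negative count by returning NULL, and the `@@ -1028,9` hunk in krb5_ldap_put_principal now maps every NULL return to `st = ENOMEM`, so a caller bug (negative key count) would be reported as an allocation failure. Either return a distinct error for the negative case or add a comment at the check saying it is a defensive guard that callers never trigger, so the ENOMEM mapping is not misleading.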
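Review bot: the early `return ret;` added in the `@@ -425,6` hunk after the allocation check relies on the freshly allocated array already being NULL-terminated (the message says the result is "an array of length two with both entries NULL"), but the allocation call itself is outside the visible context, so a reader of this hunk cannot confirm the memory is zeroed. A one-line comment at the return stating that the array was zero-allocated and `ret[0] == NULL` terminates the empty list would document that dependency; the same zeroed-array property is what makes the new `for (i = 0; ret[i] != NULL; i++)` cleanup walk in the `@@ -453,9` hunk safe to stop at the first NULL.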
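Review bot: in the `@@ -1028,9` hunk, when `create_standalone_prinicipal` is set and the principal is keyless, the new condition `if (bersecretkey[0] != NULL || !create_standalone_prinicipal)` skips krb5_add_ber_mem_ldap_mod entirely, so the array returned by krb5_encode_krbsecretkey is never handed to the modlist on that path; the hunk does not show whether the function's cleanup frees `bersecretkey` or whether krb5_add_ber_mem_ldap_mod previously took ownership of it. Please confirm the skipped-attribute path does not leak the allocation, and consider extending the comment to say that an Add for a keyless principal simply omits krbprincipalkey rather than sending an empty value.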
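Review bot: the debian/patches/series hunk lists `0028-Support-keyless-principals-in-LDAP-CVE-2014-5354.patch` at the top level while `0027-...CVE-2014-5353.patch` sits under upstream/, and the two patch headers spell the pseudo-header differently (`Patch-category: upstream` in 0028 versus `Patch-Category: upstream` in 0027). If the top-level placement is deliberate because 0028 was hand-adjusted for the 1.12 branch, as its message says, a consistently capitalized header would keep any tooling that filters on Patch-Category from overlooking 0028.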
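Review bot: in the `@@ -314,10` hunk of ldap_pwd_policy.c, `st = KRB5_KDB_NOENTRY; goto cleanup;` changes the contract of krb5_ldap_get_password_policy_from_dn from "success with a zeroed policy" to an error when the base-scope search matches no krbPwdPolicy object, which is the right fix, but the hunk shows `*policy` is already allocated before the search and does not show whether cleanup releases or resets it on the new error path. Please check that `*policy` is freed and set to NULL before returning KRB5_KDB_NOENTRY so callers do not free or inspect a half-populated object, and that kadmin surfaces the misuse as a "policy does not exist" error rather than a generic failure.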
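An added illustration of the encoder contract the CVE-2014-5354 patch establishes (added here as an example; it is not krb5 code and not part of the debdiff above). It models krb5_encode_krbsecretkey() as a function that groups a sorted key list by kvno into a NULL-terminated value array, returns an empty terminated array for a keyless principal instead of NULL, and mirrors the Add-versus-Modify decision from krb5_ldap_put_principal. All names (key_entry, encode_keys, puts_krbprincipalkey, demo_keys) are invented, the sample keys are constructed, and the values are printable strings rather than the ASN.1 bervals the real backend produces.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct key_entry { int kvno; };             /* stand-in for krb5_key_data */

/* Constructed sample, sorted by kvno as the encoder expects: two keys at
 * kvno 3, then one each at kvno 2 and kvno 1. */
static const struct key_entry demo_keys[] = { {3}, {3}, {2}, {1} };

static char *dup_str(const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    return p ? memcpy(p, s, len) : NULL;
}

/* Fixed contract: one value per distinct kvno in a NULL-terminated array.
 * n == 0 returns an array whose first slot is NULL (an empty value list);
 * a NULL return means allocation failure (or n < 0, a caller bug). */
char **encode_keys(const struct key_entry *keys, int n)
{
    int i, j = 0, run = 0, versions = 0;
    char **ret;

    if (n < 0)
        return NULL;
    for (i = 0; i < n; i++)
        if (i == n - 1 || keys[i + 1].kvno != keys[i].kvno)
            versions++;
    ret = calloc((size_t)versions + 1, sizeof(*ret)); /* zeroed: always terminated */
    if (ret == NULL)
        return NULL;
    if (n == 0)
        return ret;                             /* keyless: empty, terminated */
    for (i = 0; i < n; i++) {
        run++;
        if (i == n - 1 || keys[i + 1].kvno != keys[i].kvno) {
            char buf[32];
            snprintf(buf, sizeof buf, "kvno=%d,keys=%d", keys[i].kvno, run);
            if ((ret[j++] = dup_str(buf)) == NULL)
                goto fail;
            run = 0;
        }
    }
    return ret;
fail:
    /* Same walk as the fixed cleanup loop: slots are filled in order and the
     * tail is still NULL, so stopping at the first NULL frees everything. */
    for (i = 0; ret[i] != NULL; i++)
        free(ret[i]);
    free(ret);
    return NULL;
}

/* Pre-fix behaviour, for contrast: a keyless principal yields NULL, which the
 * caller then dereferenced (CVE-2014-5354). */
char **encode_keys_before_fix(const struct key_entry *keys, int n)
{
    return n <= 0 ? NULL : encode_keys(keys, n);
}

void free_values(char **v)
{
    int i;
    if (v == NULL)
        return;
    for (i = 0; v[i] != NULL; i++)
        free(v[i]);
    free(v);
}

int count_values(char **v)
{
    int n = 0;
    while (v != NULL && v[n] != NULL)
        n++;
    return n;
}

/* Mirrors the decision added to krb5_ldap_put_principal: an empty value list
 * may ride on a Modify but must be omitted from an Add.  Returns 1 if the
 * krbprincipalkey attribute goes on the modlist, 0 if it is omitted, -1 if
 * encoding failed (the caller's ENOMEM path). */
int puts_krbprincipalkey(const struct key_entry *keys, int n, int creating)
{
    char **v = encode_keys(keys, n);
    int r;
    if (v == NULL)
        return -1;
    r = (v[0] != NULL || !creating) ? 1 : 0;
    free_values(v);
    return r;
}
```

encode_keys_before_fix() reproduces the old `n_key_data <= 0` short-circuit so the two contracts can be compared side by side: a consumer that indexes the result without a NULL check crashes on the old encoder for a keyless principal and sees an empty list on the new one. For demo_keys the fixed encoder yields three values ("kvno=3,keys=2", "kvno=2,keys=1", "kvno=1,keys=1"), and puts_krbprincipalkey(demo_keys, 0, 1) returns 0 (attribute omitted from an Add) while puts_krbprincipalkey(demo_keys, 0, 0) returns 1 (empty list sent with a Modify).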