Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
aports
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
651
Issues
651
List
Boards
Labels
Service Desk
Milestones
Merge Requests
216
Merge Requests
216
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Operations
Operations
Incidents
Environments
Analytics
Analytics
CI / CD
Repository
Value Stream
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
alpine
aports
Commits
5cfdd452
Commit
5cfdd452
authored
Jan 07, 2019
by
Leonardo Arena
1
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
main/krb5: upgrade to 1.15.4, security fix for CVE-2018-20217
Fixes
#9804
parent
27c4e5a6
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
84 additions
and
9 deletions
+84
-9
main/krb5/APKBUILD
main/krb5/APKBUILD
+12
-9
main/krb5/CVE-2018-20217.patch
main/krb5/CVE-2018-20217.patch
+72
-0
No files found.
main/krb5/APKBUILD
View file @
5cfdd452
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname
=
krb5
pkgver
=
1.15.
3
pkgver
=
1.15.
4
pkgrel
=
0
case
$pkgver
in
...
...
@@ -22,19 +22,21 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-server
source
=
"http://web.mit.edu/kerberos/dist/krb5/
${
_ver
}
/krb5-
$pkgver
.tar.gz
mit-krb5_krb5-config_LDFLAGS.patch
libressl.patch
CVE-2018-20217.patch
krb5kadmind.initd
krb5kdc.initd
krb5kpropd.initd
"
_builddir
=
"
$srcdir
"
/krb5-
$pkgver
builddir
=
"
$srcdir
"
/krb5-
$pkgver
# secfixes:
# 1.15.4-r0:
# - CVE-2018-20217
# 1.15.3-r0:
# - CVE-2017-15088
# - CVE-2018-5709
# - CVE-2018-5710
#
- CVE-2017-15088
#
- CVE-2018-5709
#
- CVE-2018-5710
unpack
()
{
default_unpack
...
...
@@ -43,7 +45,7 @@ unpack() {
}
build
()
{
cd
"
$
_
builddir
"
/src
cd
"
$builddir
"
/src
./configure
\
CPPFLAGS
=
"
$CPPFLAGS
-fPIC -I/usr/include/et"
\
WARN_CFLAGS
=
\
...
...
@@ -63,7 +65,7 @@ build() {
}
package
()
{
cd
"
$
_
builddir
"
/src
cd
"
$builddir
"
/src
make
install
DESTDIR
=
"
$pkgdir
"
mkdir
-p
"
$pkgdir
"
/usr/share/doc/
$pkgname
mv
"
$pkgdir
"
/usr/share/examples
"
$pkgdir
"
/usr/share/doc/
$pkgname
/
...
...
@@ -112,9 +114,10 @@ libs() {
mkdir
-p
"
$subpkgdir
"
/usr/
mv
"
$pkgdir
"
/usr/lib
"
$subpkgdir
"
/usr/
}
sha512sums
=
"
68ef90ffe96392a4957747d99b880f17b23f66c7b6c4c66b0b321af08f7f54645a17d6e70f533e8681132b565f72f36fefde4fb1dcd48fb663a9feb1af697637 krb5-1.15.3
.tar.gz
sha512sums
=
"
b15885595a50d01b85d27c7084a43de905d0f891cc280aca58f437d69da07181687f06041a686b68c77a48be55247418e49a15b8371a87e0947139bf06bef4a6 krb5-1.15.4
.tar.gz
5a3782ff17b383f8cd0415fd13538ab56afd788130d6ad640e9f2682b7deaae7f25713ce358058ed771091040dccf62a3bc87e6fd473d505ec189a95debcc801 mit-krb5_krb5-config_LDFLAGS.patch
1bcfd92f610ccee6edeb22d3cfef1388ed52f999eb976f158e7be3e4d65394ceb82d915f232e4fa1f365cd35814e4a97a657d70b6d9d64c1f8c08541adcdcc23 libressl.patch
30891c26b191ced94956bea869996a78147f4b87fb9bb511790bf20ff9a04fe5075e3584e03b19206327b954a2ad630b4f90cd443d5855481d521c640fe9d125 CVE-2018-20217.patch
43b9885b7eb8d0d60920def688de482f2b1701288f9acb1bb21dc76b2395428ff304961959eb04ba5eafd0412bae35668d6d2c8223424b9337bc051eadf51682 krb5kadmind.initd
ede15f15bbbc9d0227235067abe15245bb9713aea260d397379c63275ce74aea0db6c91c15d599e40c6e89612d76f3a0f8fdd21cbafa3f30d426d4310d3e2cec krb5kdc.initd
45be0d421efd41e9dd056125a750c90856586e990317456b68170d733b03cba9ecd18ab87603b20e49575e7839fb4a6d628255533f2631f9e8ddb7f3cc493a90 krb5kpropd.initd"
main/krb5/CVE-2018-20217.patch
0 → 100644
View file @
5cfdd452
From 5e6d1796106df8ba6bc1973ee0917c170d929086 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 3 Dec 2018 02:33:07 +0200
Subject: [PATCH] Ignore password attributes for S4U2Self requests
For consistency with Windows KDCs, allow protocol transition to work
even if the password has expired or needs changing.
Also, when looking up an enterprise principal with an AS request,
treat ERR_KEY_EXP as confirmation that the client is present in the
realm.
[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited
commit message]
ticket: 8763 (new)
tags: pullup
target_version: 1.17
---
src/kdc/kdc_util.c | 5 +++++
src/lib/krb5/krb/s4u_creds.c | 2 +-
src/tests/gssapi/t_s4u.py | 8 ++++++++
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 6d53173fb0..6517a213cd 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1607,6 +1607,11 @@
kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
memset(&no_server, 0, sizeof(no_server));
+ /* Ignore password expiration and needchange attributes (as Windows
+ * does), since S4U2Self is not password authentication. */
+ princ->pw_expiration = 0;
+ clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE);
+
code = validate_as_request(kdc_active_realm, request, *princ,
no_server, kdc_time, status, &e_data);
if (code) {
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index d2fdcb3f16..614ed41908 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -116,7 +116,7 @@
s4u_identify_user(krb5_context context,
code = k5_get_init_creds(context, &creds, &client, NULL, NULL, 0, NULL,
opts, krb5_get_as_key_noop, &userid, &use_master,
NULL);
- if (code == 0 || code == KRB5_PREAUTH_FAILED) {
+ if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) {
*canon_user = userid.user;
userid.user = NULL;
code = 0;
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index fd29e1a270..84f3fbd752 100755
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -19,6 +19,14 @@
# Get forwardable creds for service1 in the default cache.
realm.kinit(service1, None, ['-f', '-k'])
+# Try S4U2Self for user with a restricted password.
+realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ])
+realm.run(['./t_s4u', 'e:user', '-'])
+realm.run([kadminl, 'modprinc', '-needchange',
+ '-pwexpire', '1/1/2000', realm.user_princ])
+realm.run(['./t_s4u', 'e:user', '-'])
+realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ])
+
# Try krb5 -> S4U2Proxy with forwardable user creds. This should fail
# at the S4U2Proxy step since the DB2 back end currently has no
# support for allowing it.
algitbot
@root
mentioned in issue
#9804 (closed)
·
Jul 12, 2019
mentioned in issue
#9804 (closed)
mentioned in issue #9804
Toggle commit list
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment