Commit 5cfdd452 authored by Leonardo Arena's avatar Leonardo Arena

main/krb5: upgrade to 1.15.4, security fix for CVE-2018-20217

Fixes #9804
parent 27c4e5a6
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=krb5
pkgver=1.15.3
pkgver=1.15.4
pkgrel=0
case $pkgver in
......@@ -22,19 +22,21 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-server
source="http://web.mit.edu/kerberos/dist/krb5/${_ver}/krb5-$pkgver.tar.gz
mit-krb5_krb5-config_LDFLAGS.patch
libressl.patch
CVE-2018-20217.patch
krb5kadmind.initd
krb5kdc.initd
krb5kpropd.initd
"
_builddir="$srcdir"/krb5-$pkgver
builddir="$srcdir"/krb5-$pkgver
# secfixes:
# 1.15.4-r0:
# - CVE-2018-20217
# 1.15.3-r0:
# - CVE-2017-15088
# - CVE-2018-5709
# - CVE-2018-5710
# - CVE-2017-15088
# - CVE-2018-5709
# - CVE-2018-5710
unpack() {
default_unpack
......@@ -43,7 +45,7 @@ unpack() {
}
build() {
cd "$_builddir"/src
cd "$builddir"/src
./configure \
CPPFLAGS="$CPPFLAGS -fPIC -I/usr/include/et" \
WARN_CFLAGS= \
......@@ -63,7 +65,7 @@ build() {
}
package() {
cd "$_builddir"/src
cd "$builddir"/src
make install DESTDIR="$pkgdir"
mkdir -p "$pkgdir"/usr/share/doc/$pkgname
mv "$pkgdir"/usr/share/examples "$pkgdir"/usr/share/doc/$pkgname/
......@@ -112,9 +114,10 @@ libs() {
mkdir -p "$subpkgdir"/usr/
mv "$pkgdir"/usr/lib "$subpkgdir"/usr/
}
sha512sums="68ef90ffe96392a4957747d99b880f17b23f66c7b6c4c66b0b321af08f7f54645a17d6e70f533e8681132b565f72f36fefde4fb1dcd48fb663a9feb1af697637 krb5-1.15.3.tar.gz
sha512sums="b15885595a50d01b85d27c7084a43de905d0f891cc280aca58f437d69da07181687f06041a686b68c77a48be55247418e49a15b8371a87e0947139bf06bef4a6 krb5-1.15.4.tar.gz
5a3782ff17b383f8cd0415fd13538ab56afd788130d6ad640e9f2682b7deaae7f25713ce358058ed771091040dccf62a3bc87e6fd473d505ec189a95debcc801 mit-krb5_krb5-config_LDFLAGS.patch
1bcfd92f610ccee6edeb22d3cfef1388ed52f999eb976f158e7be3e4d65394ceb82d915f232e4fa1f365cd35814e4a97a657d70b6d9d64c1f8c08541adcdcc23 libressl.patch
30891c26b191ced94956bea869996a78147f4b87fb9bb511790bf20ff9a04fe5075e3584e03b19206327b954a2ad630b4f90cd443d5855481d521c640fe9d125 CVE-2018-20217.patch
43b9885b7eb8d0d60920def688de482f2b1701288f9acb1bb21dc76b2395428ff304961959eb04ba5eafd0412bae35668d6d2c8223424b9337bc051eadf51682 krb5kadmind.initd
ede15f15bbbc9d0227235067abe15245bb9713aea260d397379c63275ce74aea0db6c91c15d599e40c6e89612d76f3a0f8fdd21cbafa3f30d426d4310d3e2cec krb5kdc.initd
45be0d421efd41e9dd056125a750c90856586e990317456b68170d733b03cba9ecd18ab87603b20e49575e7839fb4a6d628255533f2631f9e8ddb7f3cc493a90 krb5kpropd.initd"
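Review bot: The tarball in `source=` is still fetched over plain `http://`, so the new sha512 for krb5-1.15.4.tar.gz is the only integrity control, and it is only as trustworthy as the download it was computed from. Assuming the host serves the same path over TLS, I would switch the scheme, `source="https://web.mit.edu/kerberos/dist/krb5/${_ver}/krb5-$pkgver.tar.gz`, and check the tarball against upstream's detached signature before regenerating the checksums. Separately, the `_builddir` to `builddir` rename is visible only in build() and package(); unpack() and the other functions are elided here. Any leftover `"$_builddir"/src` would now expand to `/src`, so a grep of the whole file for `_builddir` is worth doing.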
From 5e6d1796106df8ba6bc1973ee0917c170d929086 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 3 Dec 2018 02:33:07 +0200
Subject: [PATCH] Ignore password attributes for S4U2Self requests
For consistency with Windows KDCs, allow protocol transition to work
even if the password has expired or needs changing.
Also, when looking up an enterprise principal with an AS request,
treat ERR_KEY_EXP as confirmation that the client is present in the
realm.
[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited
commit message]
ticket: 8763 (new)
tags: pullup
target_version: 1.17
---
src/kdc/kdc_util.c | 5 +++++
src/lib/krb5/krb/s4u_creds.c | 2 +-
src/tests/gssapi/t_s4u.py | 8 ++++++++
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 6d53173fb0..6517a213cd 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1607,6 +1607,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
memset(&no_server, 0, sizeof(no_server));
+ /* Ignore password expiration and needchange attributes (as Windows
+ * does), since S4U2Self is not password authentication. */
+ princ->pw_expiration = 0;
+ clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE);
+
code = validate_as_request(kdc_active_realm, request, *princ,
no_server, kdc_time, status, &e_data);
if (code) {
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index d2fdcb3f16..614ed41908 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -116,7 +116,7 @@ s4u_identify_user(krb5_context context,
code = k5_get_init_creds(context, &creds, &client, NULL, NULL, 0, NULL,
opts, krb5_get_as_key_noop, &userid, &use_master,
NULL);
- if (code == 0 || code == KRB5_PREAUTH_FAILED) {
+ if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) {
*canon_user = userid.user;
userid.user = NULL;
code = 0;
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index fd29e1a270..84f3fbd752 100755
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -19,6 +19,14 @@
# Get forwardable creds for service1 in the default cache.
realm.kinit(service1, None, ['-f', '-k'])
+# Try S4U2Self for user with a restricted password.
+realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ])
+realm.run(['./t_s4u', 'e:user', '-'])
+realm.run([kadminl, 'modprinc', '-needchange',
+ '-pwexpire', '1/1/2000', realm.user_princ])
+realm.run(['./t_s4u', 'e:user', '-'])
+realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ])
+
# Try krb5 -> S4U2Proxy with forwardable user creds. This should fail
# at the S4U2Proxy step since the DB2 back end currently has no
# support for allowing it.
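Review bot: Nothing in this patch file says why it is the fix for CVE-2018-20217: the upstream message and the comment added in kdc_process_s4u2self_req only mention Windows consistency and expired passwords. A header line above the `From` line, such as `Fix for CVE-2018-20217, upstream ticket 8763, commit 5e6d1796106d`, would tell a later maintainer what the patch is for and, given `target_version: 1.17`, when it can be dropped. The kdc_util.c hunk also zeroes `princ->pw_expiration` and clears `KRB5_KDB_REQUIRES_PWCHANGE` on the fetched entry before validate_as_request(). The function continues outside the hunk, so whether that modified entry is reused later should be confirmed against the 1.15.4 tree this is backported onto. The t_s4u.py hunk only adds coverage if the package build runs the upstream test suite, which is not shown on this page.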