rpms / krb5

Clone
Source Code
GIT

Blame SOURCES/Remove-incorrect-KDC-assertion.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta
  1.   c41359895e7874e715419cabbee3937a49a4011d
  2.   SOURCES
  3.   Remove-incorrect-KDC-assertion.patch
Blob History Raw
c41359 
From 2a96564f6fd53f2e1e8424d865c02349bfe5b818 Mon Sep 17 00:00:00 2001
c41359 
From: Isaac Boukris <iboukris@gmail.com>
c41359 
Date: Sat, 15 Dec 2018 11:56:36 +0200
c41359 
Subject: [PATCH] Remove incorrect KDC assertion
c41359
c41359 
The assertion in return_enc_padata() is reachable because
c41359 
kdc_make_s4u2self_rep() may have previously added encrypted padata.
c41359 
It is no longer necessary because the code uses add_pa_data_element()
c41359 
instead of allocating a new list.
c41359
c41359 
CVE-2018-20217:
c41359
c41359 
In MIT krb5 1.8 or later, an authenticated user who can obtain a TGT
c41359 
using an older encryption type (DES, DES3, or RC4) can cause an
c41359 
assertion failure in the KDC by sending an S4U2Self request.
c41359
c41359 
[ghudson@mit.edu: rewrote commit message with CVE description]
c41359
c41359 
(cherry picked from commit 94e5eda5bb94d1d44733a49c3d9b6d1e42c74def)
c41359
c41359 
ticket: 8767
c41359 
version_fixed: 1.16.3
c41359
c41359 
(cherry picked from commit 56870f9456da78d77a667dfc03a6d90f948dc3a5)
c41359 
---
c41359 
 src/kdc/kdc_preauth.c     | 1 -
c41359 
 src/tests/gssapi/t_s4u.py | 7 +++++++
c41359 
 2 files changed, 7 insertions(+), 1 deletion(-)
c41359
c41359 
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
c41359 
index 811c16368..6f0cf68d9 100644
c41359 
--- a/src/kdc/kdc_preauth.c
c41359 
+++ b/src/kdc/kdc_preauth.c
c41359 
@@ -1666,7 +1666,6 @@ return_enc_padata(krb5_context context, krb5_data *req_pkt,
c41359 
     krb5_error_code code = 0;
c41359 
     /* This should be initialized and only used for Win2K compat and other
c41359 
      * specific standardized uses such as FAST negotiation. */
c41359 
-    assert(reply_encpart->enc_padata == NULL);
c41359 
     if (is_referral) {
c41359 
         code = return_referral_enc_padata(context, reply_encpart, server);
c41359 
         if (code)
c41359 
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
c41359 
index fc9d9e8a4..f65000453 100755
c41359 
--- a/src/tests/gssapi/t_s4u.py
c41359 
+++ b/src/tests/gssapi/t_s4u.py
c41359 
@@ -139,6 +139,13 @@ if 'auth1: user@' not in out or 'auth2: user@' not in out:
c41359
c41359 
 realm.stop()
c41359
c41359 
+for realm in multipass_realms(create_host=False, get_creds=False):
c41359 
+    service1 = 'service/1@%s' % realm.realm
c41359 
+    realm.addprinc(service1)
c41359 
+    realm.extract_keytab(service1, realm.keytab)
c41359 
+    realm.kinit(service1, None, ['-k'])
c41359 
+    realm.run(['./t_s4u', 'p:user', '-'])
c41359 
+
c41359 
 # Exercise cross-realm S4U2Self.  The query in the foreign realm will
c41359 
 # fail, but we can check that the right server principal was used.
c41359 
 r1, r2 = cross_realms(2, create_user=False)

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation