|
 |
dad97c |
From cf528eaa89db56d5825f2b04e8d46b50bd52bd08 Mon Sep 17 00:00:00 2001
|
|
|
dad97c |
From: Isaac Boukris <iboukris@gmail.com>
|
|
|
dad97c |
Date: Sat, 15 Dec 2018 11:56:36 +0200
|
|
|
dad97c |
Subject: [PATCH] Remove incorrect KDC assertion
|
|
|
dad97c |
|
|
|
dad97c |
The assertion in return_enc_padata() is reachable because
|
|
|
dad97c |
kdc_make_s4u2self_rep() may have previously added encrypted padata.
|
|
|
dad97c |
It is no longer necessary because the code uses add_pa_data_element()
|
|
|
dad97c |
instead of allocating a new list.
|
|
|
dad97c |
|
|
|
dad97c |
CVE-2018-20217:
|
|
|
dad97c |
|
|
|
dad97c |
In MIT krb5 1.8 or later, an authenticated user who can obtain a TGT
|
|
|
dad97c |
using an older encryption type (DES, DES3, or RC4) can cause an
|
|
|
dad97c |
assertion failure in the KDC by sending an S4U2Self request.
|
|
|
dad97c |
|
|
|
dad97c |
[ghudson@mit.edu: rewrote commit message with CVE description]
|
|
|
dad97c |
|
|
|
dad97c |
(cherry picked from commit 94e5eda5bb94d1d44733a49c3d9b6d1e42c74def)
|
|
|
dad97c |
|
|
|
dad97c |
ticket: 8767
|
|
|
dad97c |
version_fixed: 1.16.3
|
|
|
dad97c |
|
|
|
dad97c |
(cherry picked from commit 56870f9456da78d77a667dfc03a6d90f948dc3a5)
|
|
|
dad97c |
(cherry picked from commit 2a96564f6fd53f2e1e8424d865c02349bfe5b818)
|
|
|
dad97c |
(cherry picked from commit a2749226a5930d15a1e31a4a4f3d9ecfb4cb250e)
|
|
|
dad97c |
---
|
|
|
dad97c |
src/kdc/kdc_preauth.c | 1 -
|
|
|
dad97c |
src/tests/gssapi/t_s4u.py | 7 +++++++
|
|
|
dad97c |
2 files changed, 7 insertions(+), 1 deletion(-)
|
|
|
dad97c |
|
|
|
dad97c |
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
|
|
|
dad97c |
index 81d0b8cff..787a09684 100644
|
|
|
dad97c |
--- a/src/kdc/kdc_preauth.c
|
|
|
dad97c |
+++ b/src/kdc/kdc_preauth.c
|
|
|
dad97c |
@@ -1640,7 +1640,6 @@ return_enc_padata(krb5_context context, krb5_data *req_pkt,
|
|
|
dad97c |
krb5_error_code code = 0;
|
|
|
dad97c |
/* This should be initialized and only used for Win2K compat and other
|
|
|
dad97c |
* specific standardized uses such as FAST negotiation. */
|
|
|
dad97c |
- assert(reply_encpart->enc_padata == NULL);
|
|
|
dad97c |
if (is_referral) {
|
|
|
dad97c |
code = return_referral_enc_padata(context, reply_encpart, server);
|
|
|
dad97c |
if (code)
|
|
|
dad97c |
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
|
|
|
dad97c |
index 7366e3915..9f8591f6c 100755
|
|
|
dad97c |
--- a/src/tests/gssapi/t_s4u.py
|
|
|
dad97c |
+++ b/src/tests/gssapi/t_s4u.py
|
|
|
dad97c |
@@ -144,6 +144,13 @@ if 'auth1: user@' not in out or 'auth2: user@' not in out:
|
|
|
dad97c |
|
|
|
dad97c |
realm.stop()
|
|
|
dad97c |
|
|
|
dad97c |
+for realm in multipass_realms(create_host=False, get_creds=False):
|
|
|
dad97c |
+ service1 = 'service/1@%s' % realm.realm
|
|
|
dad97c |
+ realm.addprinc(service1)
|
|
|
dad97c |
+ realm.extract_keytab(service1, realm.keytab)
|
|
|
dad97c |
+ realm.kinit(service1, None, ['-k'])
|
|
|
dad97c |
+ realm.run(['./t_s4u', 'p:user', '-'])
|
|
|
dad97c |
+
|
|
|
dad97c |
# Exercise cross-realm S4U2Self. The query in the foreign realm will
|
|
|
dad97c |
# fail, but we can check that the right server principal was used.
|
|
|
dad97c |
r1, r2 = cross_realms(2, create_user=False)
|