From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 535DC1382C5 for ; Fri, 13 Apr 2018 07:02:31 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 71684E0980; Fri, 13 Apr 2018 07:02:30 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 36EC7E0980 for ; Fri, 13 Apr 2018 07:02:29 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 772B4335C2E for ; Fri, 13 Apr 2018 07:02:28 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id E362A281 for ; Fri, 13 Apr 2018 07:02:26 +0000 (UTC) From: "Eray Aslan" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Eray Aslan" Message-ID: <1523602937.95a08abb6dc4b1a0babe590527e19ce7a5c5bd10.eras@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/ X-VCS-Repository: repo/gentoo X-VCS-Files: app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild X-VCS-Directories: app-crypt/mit-krb5/files/ app-crypt/mit-krb5/ X-VCS-Committer: eras X-VCS-Committer-Name: Eray Aslan X-VCS-Revision: 95a08abb6dc4b1a0babe590527e19ce7a5c5bd10 X-VCS-Branch: master Date: Fri, 13 Apr 2018 07:02:26 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: e5bdb7a8-7de7-472a-94a6-9e66d411719f X-Archives-Hash: e393a79c2e1565ae8c06ac7e50c818f9 commit: 95a08abb6dc4b1a0babe590527e19ce7a5c5bd10 Author: Eray Aslan gentoo org> AuthorDate: Fri Apr 13 07:01:47 2018 +0000 Commit: Eray Aslan gentoo org> CommitDate: Fri Apr 13 07:02:17 2018 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=95a08abb app-crypt/mit-krb5: security bump - bug 649610 Also fix gettext dependency Closes: https://bugs.gentoo.org/652108 Package-Manager: Portage-2.3.28, Repoman-2.3.9 app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch | 297 ++++++++++++++++++++++ app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild | 158 ++++++++++++ 2 files changed, 455 insertions(+) diff --git a/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch new file mode 100644 index 00000000000..114cfe688e7 --- /dev/null +++ b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch @@ -0,0 +1,297 @@ +diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c +index 2420f2c2be..a59a65e8f6 100644 +--- a/src/lib/kadm5/srv/svr_principal.c ++++ b/src/lib/kadm5/srv/svr_principal.c +@@ -330,6 +330,13 @@ kadm5_create_principal_3(void *server_handle, + return KADM5_BAD_MASK; + if((mask & ~ALL_PRINC_MASK)) + return KADM5_BAD_MASK; ++ if (mask & KADM5_TL_DATA) { ++ for (tl_data_tail = entry->tl_data; tl_data_tail != NULL; ++ tl_data_tail = tl_data_tail->tl_data_next) { ++ if (tl_data_tail->tl_data_type < 256) ++ return KADM5_BAD_TL_TYPE; ++ } ++ } + + /* + * Check to see if the principal exists +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +index 535a1f309e..8b8420faa9 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h ++++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +@@ -141,7 +141,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int op); + #define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr)) + #define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr)) + +-#define KDB_TL_USER_INFO 0x7ffe ++#define KDB_TL_USER_INFO 0xff + + #define KDB_TL_PRINCTYPE 0x01 + #define KDB_TL_PRINCCOUNT 0x02 +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +index 88a1704950..b7c9212cb2 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c ++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +@@ -651,6 +651,107 @@ update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry, + return ret; + } + ++static krb5_error_code ++check_dn_in_container(krb5_context context, const char *dn, ++ char *const *subtrees, unsigned int ntrees) ++{ ++ unsigned int i; ++ size_t dnlen = strlen(dn), stlen; ++ ++ for (i = 0; i < ntrees; i++) { ++ if (subtrees[i] == NULL || *subtrees[i] == '\0') ++ return 0; ++ stlen = strlen(subtrees[i]); ++ if (dnlen >= stlen && ++ strcasecmp(dn + dnlen - stlen, subtrees[i]) == 0 && ++ (dnlen == stlen || dn[dnlen - stlen - 1] == ',')) ++ return 0; ++ } ++ ++ k5_setmsg(context, EINVAL, _("DN is out of the realm subtree")); ++ return EINVAL; ++} ++ ++static krb5_error_code ++check_dn_exists(krb5_context context, ++ krb5_ldap_server_handle *ldap_server_handle, ++ const char *dn, krb5_boolean nonkrb_only) ++{ ++ krb5_error_code st = 0, tempst; ++ krb5_ldap_context *ldap_context = context->dal_handle->db_context; ++ LDAP *ld = ldap_server_handle->ldap_handle; ++ LDAPMessage *result = NULL, *ent; ++ char *attrs[] = { "krbticketpolicyreference", "krbprincipalname", NULL }; ++ char **values; ++ ++ LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attrs, IGNORE_STATUS); ++ if (st != LDAP_SUCCESS) ++ return set_ldap_error(context, st, OP_SEARCH); ++ ++ ent = ldap_first_entry(ld, result); ++ CHECK_NULL(ent); ++ ++ values = ldap_get_values(ld, ent, "krbticketpolicyreference"); ++ if (values != NULL) ++ ldap_value_free(values); ++ ++ values = ldap_get_values(ld, ent, "krbprincipalname"); ++ if (values != NULL) { ++ ldap_value_free(values); ++ if (nonkrb_only) { ++ st = EINVAL; ++ k5_setmsg(context, st, _("ldap object is already kerberized")); ++ goto cleanup; ++ } ++ } ++ ++cleanup: ++ ldap_msgfree(result); ++ return st; ++} ++ ++static krb5_error_code ++validate_xargs(krb5_context context, ++ krb5_ldap_server_handle *ldap_server_handle, ++ const xargs_t *xargs, const char *standalone_dn, ++ char *const *subtrees, unsigned int ntrees) ++{ ++ krb5_error_code st; ++ ++ if (xargs->dn != NULL) { ++ /* The supplied dn must be within a realm container. */ ++ st = check_dn_in_container(context, xargs->dn, subtrees, ntrees); ++ if (st) ++ return st; ++ /* The supplied dn must exist without Kerberos attributes. */ ++ st = check_dn_exists(context, ldap_server_handle, xargs->dn, TRUE); ++ if (st) ++ return st; ++ } ++ ++ if (xargs->linkdn != NULL) { ++ /* The supplied linkdn must be within a realm container. */ ++ st = check_dn_in_container(context, xargs->linkdn, subtrees, ntrees); ++ if (st) ++ return st; ++ /* The supplied linkdn must exist. */ ++ st = check_dn_exists(context, ldap_server_handle, xargs->linkdn, ++ FALSE); ++ if (st) ++ return st; ++ } ++ ++ if (xargs->containerdn != NULL && standalone_dn != NULL) { ++ /* standalone_dn (likely composed using containerdn) must be within a ++ * container. */ ++ st = check_dn_in_container(context, standalone_dn, subtrees, ntrees); ++ if (st) ++ return st; ++ } ++ ++ return 0; ++} ++ + krb5_error_code + krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, + char **db_args) +@@ -662,12 +763,12 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, + LDAPMessage *result=NULL, *ent=NULL; + char **subtreelist = NULL; + char *user=NULL, *subtree=NULL, *principal_dn=NULL; +- char **values=NULL, *strval[10]={NULL}, errbuf[1024]; ++ char *strval[10]={NULL}, errbuf[1024]; + char *filtuser=NULL; + struct berval **bersecretkey=NULL; + LDAPMod **mods=NULL; + krb5_boolean create_standalone=FALSE; +- krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE; ++ krb5_boolean establish_links=FALSE; + char *standalone_principal_dn=NULL; + krb5_tl_data *tl_data=NULL; + krb5_key_data **keys=NULL; +@@ -860,24 +961,6 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, + * any of the subtrees + */ + if (xargs.dn_from_kbd == TRUE) { +- /* make sure the DN falls in the subtree */ +- int dnlen=0, subtreelen=0; +- char *dn=NULL; +- krb5_boolean outofsubtree=TRUE; +- +- if (xargs.dn != NULL) { +- dn = xargs.dn; +- } else if (xargs.linkdn != NULL) { +- dn = xargs.linkdn; +- } else if (standalone_principal_dn != NULL) { +- /* +- * Even though the standalone_principal_dn is constructed +- * within this function, there is the containerdn input +- * from the user that can become part of the it. +- */ +- dn = standalone_principal_dn; +- } +- + /* Get the current subtree list if we haven't already done so. */ + if (subtreelist == NULL) { + st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees); +@@ -885,81 +968,10 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, + goto cleanup; + } + +- for (tre=0; tre= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) { +- outofsubtree = FALSE; +- break; +- } +- } +- } +- +- if (outofsubtree == TRUE) { +- st = EINVAL; +- k5_setmsg(context, st, _("DN is out of the realm subtree")); ++ st = validate_xargs(context, ldap_server_handle, &xargs, ++ standalone_principal_dn, subtreelist, ntrees); ++ if (st) + goto cleanup; +- } +- +- /* +- * dn value will be set either by dn, linkdn or the standalone_principal_dn +- * In the first 2 cases, the dn should be existing and in the last case we +- * are supposed to create the ldap object. so the below should not be +- * executed for the last case. +- */ +- +- if (standalone_principal_dn == NULL) { +- /* +- * If the ldap object is missing, this results in an error. +- */ +- +- /* +- * Search for krbprincipalname attribute here. +- * This is to find if a kerberos identity is already present +- * on the ldap object, in which case adding a kerberos identity +- * on the ldap object should result in an error. +- */ +- char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL}; +- +- ldap_msgfree(result); +- result = NULL; +- LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS); +- if (st == LDAP_SUCCESS) { +- ent = ldap_first_entry(ld, result); +- if (ent != NULL) { +- if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) { +- ldap_value_free(values); +- } +- +- if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { +- krb_identity_exists = TRUE; +- ldap_value_free(values); +- } +- } +- } else { +- st = set_ldap_error(context, st, OP_SEARCH); +- goto cleanup; +- } +- } +- } +- +- /* +- * If xargs.dn is set then the request is to add a +- * kerberos principal on a ldap object, but if +- * there is one already on the ldap object this +- * should result in an error. +- */ +- +- if (xargs.dn != NULL && krb_identity_exists == TRUE) { +- st = EINVAL; +- snprintf(errbuf, sizeof(errbuf), +- _("ldap object is already kerberized")); +- k5_setmsg(context, st, "%s", errbuf); +- goto cleanup; + } + + if (xargs.linkdn != NULL) { +diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py +index 217f2cdc3b..6e563b1032 100755 +--- a/src/tests/t_kdb.py ++++ b/src/tests/t_kdb.py +@@ -203,6 +203,12 @@ def ldap_add(dn, objectclass, attrs=[]): + # in the test LDAP server. + realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'], + expected_code=1, expected_msg='DN is out of the realm subtree') ++# Check that the DN container check is a hierarchy test, not a simple ++# suffix match (CVE-2018-5730). We expect this operation to fail ++# either way (because "xcn" isn't a valid DN tag) but the container ++# check should happen before the DN is parsed. ++realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=xcn=t1,cn=krb5', 'princ1'], ++ expected_code=1, expected_msg='DN is out of the realm subtree') + realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1']) + realm.run([kadminl, 'getprinc', 'princ1'], expected_msg='Principal: princ1') + realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'again'], +@@ -226,6 +232,11 @@ def ldap_add(dn, objectclass, attrs=[]): + 'princ3']) + realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', 'princ3'], + expected_code=1, expected_msg='containerdn option not supported') ++# Verify that containerdn is checked when linkdn is also supplied ++# (CVE-2018-5730). ++realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5', ++ '-x', 'linkdn=cn=t2,cn=krb5', 'princ4'], expected_code=1, ++ expected_msg='DN is out of the realm subtree') + + # Create and modify a ticket policy. + kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour', diff --git a/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild new file mode 100644 index 00000000000..feec00d8627 --- /dev/null +++ b/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild @@ -0,0 +1,158 @@ +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +PYTHON_COMPAT=( python2_7 ) +inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd versionator + +MY_P="${P/mit-}" +P_DIR=$(get_version_component_range 1-2) +DESCRIPTION="MIT Kerberos V" +HOMEPAGE="https://web.mit.edu/kerberos/www/" +SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz" + +LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" +IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd" + +# Test suite require network access +RESTRICT="test" + +CDEPEND=" + !!app-crypt/heimdal + >=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}] + || ( + >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}] + >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}] + >=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}] + ) + keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] ) + nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] ) + openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] ) + pkinit? ( + !libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] ) + libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] ) + ) + xinetd? ( sys-apps/xinetd ) + abi_x86_32? ( + !<=app-emulation/emul-linux-x86-baselibs-20140508-r1 + !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)] + )" +DEPEND="${CDEPEND} + ${PYTHON_DEPS} + virtual/yacc + doc? ( virtual/latex-base ) + test? ( + ${PYTHON_DEPS} + dev-lang/tcl:0 + dev-util/dejagnu + )" +RDEPEND="${CDEPEND} + selinux? ( sec-policy/selinux-kerberos )" + +S=${WORKDIR}/${MY_P}/src + +MULTILIB_CHOST_TOOLS=( + /usr/bin/krb5-config +) + +src_prepare() { + eapply -p2 "${FILESDIR}/CVE-2018-5729-5730.patch" + eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch" + eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch" + eapply "${FILESDIR}/${PN}-libressl-version-check.patch" + + # Make sure we always use the system copies. + rm -rf util/{et,ss,verto} + sed -i 's:^[[:space:]]*util/verto$::' configure.in || die + + eapply_user + eautoreconf +} + +src_configure() { + # QA + append-flags -fno-strict-aliasing + append-flags -fno-strict-overflow + + multilib-minimal_src_configure +} + +multilib_src_configure() { + use keyutils || export ac_cv_header_keyutils_h=no + ECONF_SOURCE=${S} \ + WARN_CFLAGS="set" \ + econf \ + $(use_with openldap ldap) \ + "$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \ + $(use_enable nls) \ + $(use_enable pkinit) \ + $(use_enable threads thread-support) \ + --without-hesiod \ + --enable-shared \ + --with-system-et \ + --with-system-ss \ + --enable-dns-for-realm \ + --enable-kdc-lookaside-cache \ + --with-system-verto \ + --disable-rpath +} + +multilib_src_compile() { + emake -j1 +} + +multilib_src_test() { + multilib_is_native_abi && emake -j1 check +} + +multilib_src_install() { + emake \ + DESTDIR="${D}" \ + EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \ + install +} + +multilib_src_install_all() { + # default database dir + keepdir /var/lib/krb5kdc + + cd .. + dodoc README + + if use doc; then + dodoc -r doc/html + docinto pdf + dodoc doc/pdf/*.pdf + fi + + newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind + newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc + newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd + newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind + newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc + newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd + + systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service + systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service + systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service + systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service" + systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket + + insinto /etc + newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example + insinto /var/lib/krb5kdc + newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example + + if use openldap ; then + insinto /etc/openldap/schema + doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema" + fi + + if use xinetd ; then + insinto /etc/xinetd.d + newins "${FILESDIR}/kpropd.xinetd" kpropd + fi +}