Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch297
-rw-r--r--app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild158
2 files changed, 455 insertions, 0 deletions
diff --git a/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch
new file mode 100644
index 000000000000..114cfe688e73
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch
@@ -0,0 +1,297 @@
+diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
+index 2420f2c2be..a59a65e8f6 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
++++ b/src/lib/kadm5/srv/svr_principal.c
+@@ -330,6 +330,13 @@ kadm5_create_principal_3(void *server_handle,
+ return KADM5_BAD_MASK;
+ if((mask & ~ALL_PRINC_MASK))
+ return KADM5_BAD_MASK;
++ if (mask & KADM5_TL_DATA) {
++ for (tl_data_tail = entry->tl_data; tl_data_tail != NULL;
++ tl_data_tail = tl_data_tail->tl_data_next) {
++ if (tl_data_tail->tl_data_type < 256)
++ return KADM5_BAD_TL_TYPE;
++ }
++ }
+
+ /*
+ * Check to see if the principal exists
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+index 535a1f309e..8b8420faa9 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
++++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+@@ -141,7 +141,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int op);
+ #define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr))
+ #define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr))
+
+-#define KDB_TL_USER_INFO 0x7ffe
++#define KDB_TL_USER_INFO 0xff
+
+ #define KDB_TL_PRINCTYPE 0x01
+ #define KDB_TL_PRINCCOUNT 0x02
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index 88a1704950..b7c9212cb2 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -651,6 +651,107 @@ update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry,
+ return ret;
+ }
+
++static krb5_error_code
++check_dn_in_container(krb5_context context, const char *dn,
++ char *const *subtrees, unsigned int ntrees)
++{
++ unsigned int i;
++ size_t dnlen = strlen(dn), stlen;
++
++ for (i = 0; i < ntrees; i++) {
++ if (subtrees[i] == NULL || *subtrees[i] == '\0')
++ return 0;
++ stlen = strlen(subtrees[i]);
++ if (dnlen >= stlen &&
++ strcasecmp(dn + dnlen - stlen, subtrees[i]) == 0 &&
++ (dnlen == stlen || dn[dnlen - stlen - 1] == ','))
++ return 0;
++ }
++
++ k5_setmsg(context, EINVAL, _("DN is out of the realm subtree"));
++ return EINVAL;
++}
++
++static krb5_error_code
++check_dn_exists(krb5_context context,
++ krb5_ldap_server_handle *ldap_server_handle,
++ const char *dn, krb5_boolean nonkrb_only)
++{
++ krb5_error_code st = 0, tempst;
++ krb5_ldap_context *ldap_context = context->dal_handle->db_context;
++ LDAP *ld = ldap_server_handle->ldap_handle;
++ LDAPMessage *result = NULL, *ent;
++ char *attrs[] = { "krbticketpolicyreference", "krbprincipalname", NULL };
++ char **values;
++
++ LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attrs, IGNORE_STATUS);
++ if (st != LDAP_SUCCESS)
++ return set_ldap_error(context, st, OP_SEARCH);
++
++ ent = ldap_first_entry(ld, result);
++ CHECK_NULL(ent);
++
++ values = ldap_get_values(ld, ent, "krbticketpolicyreference");
++ if (values != NULL)
++ ldap_value_free(values);
++
++ values = ldap_get_values(ld, ent, "krbprincipalname");
++ if (values != NULL) {
++ ldap_value_free(values);
++ if (nonkrb_only) {
++ st = EINVAL;
++ k5_setmsg(context, st, _("ldap object is already kerberized"));
++ goto cleanup;
++ }
++ }
++
++cleanup:
++ ldap_msgfree(result);
++ return st;
++}
++
++static krb5_error_code
++validate_xargs(krb5_context context,
++ krb5_ldap_server_handle *ldap_server_handle,
++ const xargs_t *xargs, const char *standalone_dn,
++ char *const *subtrees, unsigned int ntrees)
++{
++ krb5_error_code st;
++
++ if (xargs->dn != NULL) {
++ /* The supplied dn must be within a realm container. */
++ st = check_dn_in_container(context, xargs->dn, subtrees, ntrees);
++ if (st)
++ return st;
++ /* The supplied dn must exist without Kerberos attributes. */
++ st = check_dn_exists(context, ldap_server_handle, xargs->dn, TRUE);
++ if (st)
++ return st;
++ }
++
++ if (xargs->linkdn != NULL) {
++ /* The supplied linkdn must be within a realm container. */
++ st = check_dn_in_container(context, xargs->linkdn, subtrees, ntrees);
++ if (st)
++ return st;
++ /* The supplied linkdn must exist. */
++ st = check_dn_exists(context, ldap_server_handle, xargs->linkdn,
++ FALSE);
++ if (st)
++ return st;
++ }
++
++ if (xargs->containerdn != NULL && standalone_dn != NULL) {
++ /* standalone_dn (likely composed using containerdn) must be within a
++ * container. */
++ st = check_dn_in_container(context, standalone_dn, subtrees, ntrees);
++ if (st)
++ return st;
++ }
++
++ return 0;
++}
++
+ krb5_error_code
+ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+ char **db_args)
+@@ -662,12 +763,12 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+ LDAPMessage *result=NULL, *ent=NULL;
+ char **subtreelist = NULL;
+ char *user=NULL, *subtree=NULL, *principal_dn=NULL;
+- char **values=NULL, *strval[10]={NULL}, errbuf[1024];
++ char *strval[10]={NULL}, errbuf[1024];
+ char *filtuser=NULL;
+ struct berval **bersecretkey=NULL;
+ LDAPMod **mods=NULL;
+ krb5_boolean create_standalone=FALSE;
+- krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE;
++ krb5_boolean establish_links=FALSE;
+ char *standalone_principal_dn=NULL;
+ krb5_tl_data *tl_data=NULL;
+ krb5_key_data **keys=NULL;
+@@ -860,24 +961,6 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+ * any of the subtrees
+ */
+ if (xargs.dn_from_kbd == TRUE) {
+- /* make sure the DN falls in the subtree */
+- int dnlen=0, subtreelen=0;
+- char *dn=NULL;
+- krb5_boolean outofsubtree=TRUE;
+-
+- if (xargs.dn != NULL) {
+- dn = xargs.dn;
+- } else if (xargs.linkdn != NULL) {
+- dn = xargs.linkdn;
+- } else if (standalone_principal_dn != NULL) {
+- /*
+- * Even though the standalone_principal_dn is constructed
+- * within this function, there is the containerdn input
+- * from the user that can become part of the it.
+- */
+- dn = standalone_principal_dn;
+- }
+-
+ /* Get the current subtree list if we haven't already done so. */
+ if (subtreelist == NULL) {
+ st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees);
+@@ -885,81 +968,10 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+ goto cleanup;
+ }
+
+- for (tre=0; tre<ntrees; ++tre) {
+- if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
+- outofsubtree = FALSE;
+- break;
+- } else {
+- dnlen = strlen (dn);
+- subtreelen = strlen(subtreelist[tre]);
+- if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
+- outofsubtree = FALSE;
+- break;
+- }
+- }
+- }
+-
+- if (outofsubtree == TRUE) {
+- st = EINVAL;
+- k5_setmsg(context, st, _("DN is out of the realm subtree"));
++ st = validate_xargs(context, ldap_server_handle, &xargs,
++ standalone_principal_dn, subtreelist, ntrees);
++ if (st)
+ goto cleanup;
+- }
+-
+- /*
+- * dn value will be set either by dn, linkdn or the standalone_principal_dn
+- * In the first 2 cases, the dn should be existing and in the last case we
+- * are supposed to create the ldap object. so the below should not be
+- * executed for the last case.
+- */
+-
+- if (standalone_principal_dn == NULL) {
+- /*
+- * If the ldap object is missing, this results in an error.
+- */
+-
+- /*
+- * Search for krbprincipalname attribute here.
+- * This is to find if a kerberos identity is already present
+- * on the ldap object, in which case adding a kerberos identity
+- * on the ldap object should result in an error.
+- */
+- char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL};
+-
+- ldap_msgfree(result);
+- result = NULL;
+- LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
+- if (st == LDAP_SUCCESS) {
+- ent = ldap_first_entry(ld, result);
+- if (ent != NULL) {
+- if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
+- ldap_value_free(values);
+- }
+-
+- if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
+- krb_identity_exists = TRUE;
+- ldap_value_free(values);
+- }
+- }
+- } else {
+- st = set_ldap_error(context, st, OP_SEARCH);
+- goto cleanup;
+- }
+- }
+- }
+-
+- /*
+- * If xargs.dn is set then the request is to add a
+- * kerberos principal on a ldap object, but if
+- * there is one already on the ldap object this
+- * should result in an error.
+- */
+-
+- if (xargs.dn != NULL && krb_identity_exists == TRUE) {
+- st = EINVAL;
+- snprintf(errbuf, sizeof(errbuf),
+- _("ldap object is already kerberized"));
+- k5_setmsg(context, st, "%s", errbuf);
+- goto cleanup;
+ }
+
+ if (xargs.linkdn != NULL) {
+diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
+index 217f2cdc3b..6e563b1032 100755
+--- a/src/tests/t_kdb.py
++++ b/src/tests/t_kdb.py
+@@ -203,6 +203,12 @@ def ldap_add(dn, objectclass, attrs=[]):
+ # in the test LDAP server.
+ realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'],
+ expected_code=1, expected_msg='DN is out of the realm subtree')
++# Check that the DN container check is a hierarchy test, not a simple
++# suffix match (CVE-2018-5730). We expect this operation to fail
++# either way (because "xcn" isn't a valid DN tag) but the container
++# check should happen before the DN is parsed.
++realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=xcn=t1,cn=krb5', 'princ1'],
++ expected_code=1, expected_msg='DN is out of the realm subtree')
+ realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1'])
+ realm.run([kadminl, 'getprinc', 'princ1'], expected_msg='Principal: princ1')
+ realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'again'],
+@@ -226,6 +232,11 @@ def ldap_add(dn, objectclass, attrs=[]):
+ 'princ3'])
+ realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', 'princ3'],
+ expected_code=1, expected_msg='containerdn option not supported')
++# Verify that containerdn is checked when linkdn is also supplied
++# (CVE-2018-5730).
++realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5',
++ '-x', 'linkdn=cn=t2,cn=krb5', 'princ4'], expected_code=1,
++ expected_msg='DN is out of the realm subtree')
+
+ # Create and modify a ticket policy.
+ kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour',
diff --git a/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild
new file mode 100644
index 000000000000..feec00d8627d
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild
@@ -0,0 +1,158 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/"
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
+
+# Test suite require network access
+RESTRICT="test"
+
+CDEPEND="
+ !!app-crypt/heimdal
+ >=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+ || (
+ >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+ >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+ >=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+ )
+ keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
+ nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
+ openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+ pkinit? (
+ !libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+ libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
+ )
+ xinetd? ( sys-apps/xinetd )
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20140508-r1
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )"
+DEPEND="${CDEPEND}
+ ${PYTHON_DEPS}
+ virtual/yacc
+ doc? ( virtual/latex-base )
+ test? (
+ ${PYTHON_DEPS}
+ dev-lang/tcl:0
+ dev-util/dejagnu
+ )"
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+MULTILIB_CHOST_TOOLS=(
+ /usr/bin/krb5-config
+)
+
+src_prepare() {
+ eapply -p2 "${FILESDIR}/CVE-2018-5729-5730.patch"
+ eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+ eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+ eapply "${FILESDIR}/${PN}-libressl-version-check.patch"
+
+ # Make sure we always use the system copies.
+ rm -rf util/{et,ss,verto}
+ sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
+
+ eapply_user
+ eautoreconf
+}
+
+src_configure() {
+ # QA
+ append-flags -fno-strict-aliasing
+ append-flags -fno-strict-overflow
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ use keyutils || export ac_cv_header_keyutils_h=no
+ ECONF_SOURCE=${S} \
+ WARN_CFLAGS="set" \
+ econf \
+ $(use_with openldap ldap) \
+ "$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+ $(use_enable nls) \
+ $(use_enable pkinit) \
+ $(use_enable threads thread-support) \
+ --without-hesiod \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --enable-dns-for-realm \
+ --enable-kdc-lookaside-cache \
+ --with-system-verto \
+ --disable-rpath
+}
+
+multilib_src_compile() {
+ emake -j1
+}
+
+multilib_src_test() {
+ multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+ emake \
+ DESTDIR="${D}" \
+ EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+ install
+}
+
+multilib_src_install_all() {
+ # default database dir
+ keepdir /var/lib/krb5kdc
+
+ cd ..
+ dodoc README
+
+ if use doc; then
+ dodoc -r doc/html
+ docinto pdf
+ dodoc doc/pdf/*.pdf
+ fi
+
+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+ newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+ newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+ newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+ newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+ newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+ systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
+ systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
+ systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
+ systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
+ systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
+
+ insinto /etc
+ newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+ insinto /var/lib/krb5kdc
+ newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+ if use openldap ; then
+ insinto /etc/openldap/schema
+ doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+ fi
+
+ if use xinetd ; then
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}/kpropd.xinetd" kpropd
+ fi
+}