[krb5] * Thu Dec 19 2014 Roland Mainz <rmainz at redhat.com> - 1.13-4 - fix for CVE-2014-5354 (#1174546) "krb5

Roland Mainz gisburn at fedoraproject.org
Thu Dec 18 16:58:05 UTC 2014


commit 6baee3e65672f75a053831f8d693a77c6dffad9b
Author: Roland Mainz <rmainz at redhat.com>
Date:   Thu Dec 18 17:57:19 2014 +0100

    * Thu Dec 19 2014 Roland Mainz <rmainz at redhat.com> - 1.13-4
    - fix for CVE-2014-5354 (#1174546) "krb5: NULL pointer
      dereference when using keyless entries"

 ...4_5354_support_keyless_principals_in_LDAP.patch |  113 ++++++++++++++++++++
 krb5.spec                                          |    8 ++-
 2 files changed, 120 insertions(+), 1 deletions(-)
---
diff --git a/krb5-CVE_2014_5354_support_keyless_principals_in_LDAP.patch b/krb5-CVE_2014_5354_support_keyless_principals_in_LDAP.patch
new file mode 100644
index 0000000..01aef2c
--- /dev/null
+++ b/krb5-CVE_2014_5354_support_keyless_principals_in_LDAP.patch
@@ -0,0 +1,113 @@
+From 04038bf3633c4b909b5ded3072dc88c8c419bf16 Mon Sep 17 00:00:00 2001
+From: Ben Kaduk <kaduk at mit.edu>
+Date: Wed, 19 Nov 2014 12:04:46 -0500
+Subject: [PATCH] Support keyless principals in LDAP [CVE-2014-5354]
+
+Operations like "kadmin -q 'addprinc -nokey foo'" or
+"kadmin -q 'purgekeys -all foo'" result in principal entries with
+no keys present, so krb5_encode_krbsecretkey() would just return
+NULL, which then got unconditionally dereferenced in
+krb5_add_ber_mem_ldap_mod().
+
+Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key
+principals better, correct the test for an allocation failure, and
+slightly restructure the cleanup handler to be shorter and more
+appropriate for the usage.  Once it no longer short-circuits when
+n_key_data is zero, it will produce an array of length two with both
+entries NULL, which is treated as an empty list by the LDAP library,
+the correct behavior for a keyless principal.
+
+However, attributes with empty values are only handled by the LDAP
+library for Modify operations, not Add operations (which only get
+a sequence of Attribute, with no operation field).  Therefore, only
+add an empty krbprincipalkey to the modlist when we will be performing a
+Modify, and not when we will be performing an Add, which is conditional
+on the (misspelled) create_standalone_prinicipal boolean.
+
+CVE-2014-5354:
+
+In MIT krb5, when kadmind is configured to use LDAP for the KDC
+database, an authenticated remote attacker can cause a NULL
+dereference by inserting into the database a principal entry which
+contains no long-term keys.
+
+In order for the LDAP KDC backend to translate a principal entry
+from the database abstraction layer into the form expected by the
+LDAP schema, the principal's keys are encoded into a
+NULL-terminated array of length-value entries to be stored in the
+LDAP database.  However, the subroutine which produced this array
+did not correctly handle the case where no keys were present,
+returning NULL instead of an empty array, and the array was
+unconditionally dereferenced while adding to the list of LDAP
+operations to perform.
+
+Versions of MIT krb5 prior to 1.12 did not expose a way for
+principal entries to have no long-term key material, and
+therefore are not vulnerable.
+
+    CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C
+
+ticket: 8041 (new)
+tags: pullup
+target_version: 1.13.1
+subject: kadmind with ldap backend crashes when putting keyless entries
+---
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 25 +++++++++++++++-------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index 3e560d9..10b5982 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -406,14 +406,14 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
+     int num_versions = 1;
+     int i, j, last;
+     krb5_error_code err = 0;
+-    krb5_key_data *key_data;
++    krb5_key_data *key_data = NULL;
+ 
+-    if (n_key_data <= 0)
++    if (n_key_data < 0)
+         return NULL;
+ 
+     /* Make a shallow copy of the key data so we can alter it. */
+     key_data = k5calloc(n_key_data, sizeof(*key_data), &err);
+-    if (key_data_in == NULL)
++    if (key_data == NULL)
+         goto cleanup;
+     memcpy(key_data, key_data_in, n_key_data * sizeof(*key_data));
+ 
+@@ -467,9 +467,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
+     free(key_data);
+     if (err != 0) {
+         if (ret != NULL) {
+-            for (i = 0; i <= num_versions; i++)
+-                if (ret[i] != NULL)
+-                    free (ret[i]);
++            for (i = 0; ret[i] != NULL; i++)
++                free (ret[i]);
+             free (ret);
+             ret = NULL;
+         }
+@@ -1036,9 +1035,19 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+         bersecretkey = krb5_encode_krbsecretkey (entry->key_data,
+                                                  entry->n_key_data, mkvno);
+ 
+-        if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
+-                                          LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
++        if (bersecretkey == NULL) {
++            st = ENOMEM;
+             goto cleanup;
++        }
++        /* An empty list of bervals is only accepted for modify operations,
++         * not add operations. */
++        if (bersecretkey[0] != NULL || !create_standalone_prinicipal) {
++            st = krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
++                                           LDAP_MOD_REPLACE | LDAP_MOD_BVALUES,
++                                           bersecretkey);
++            if (st != 0)
++                goto cleanup;
++        }
+ 
+         if (!(entry->mask & KADM5_PRINCIPAL)) {
+             memset(strval, 0, sizeof(strval));
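Review bot: Relaxing the early return to `n_key_data < 0` lets a keyless principal reach `memcpy(key_data, key_data_in, n_key_data * sizeof(*key_data))` with a zero length, and for such an entry `key_data_in` is plausibly NULL; memcpy with a null source is undefined behaviour regardless of length, so guard it: `if (n_key_data > 0) memcpy(key_data, key_data_in, n_key_data * sizeof(*key_data));`. This also presumes that k5calloc turns a zero count into a real allocation, so that `key_data == NULL` still means only an allocation failure — worth confirming against the helper. In the krb5_ldap_put_principal hunk the NULL return is reported as ENOMEM although the encoder also returns NULL for a negative n_key_data; a short comment such as `/* NULL here means allocation failure; n_key_data is never negative for a db entry */` would record why that mapping is acceptable, if it holds. Both krb5_encode_krbsecretkey and krb5_ldap_put_principal begin and end outside the hunks, so whether bersecretkey is released on the path that now skips the modlist entry could not be checked here.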
diff --git a/krb5.spec b/krb5.spec
index 5fec982..3c45341 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -43,7 +43,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.13
-Release: 3%{?dist}
+Release: 4%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -95,6 +95,7 @@ Patch129: krb5-1.11-run_user_0.patch
 Patch134: krb5-1.11-kpasswdtest.patch
 Patch136: krb5-socket_wrapper_eventfd_prototype_mismatch.patch
 Patch137: krb5-CVE_2014_5353_fix_LDAP_misused_policy_name_crash.patch
+Patch138: krb5-CVE_2014_5354_support_keyless_principals_in_LDAP.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -317,6 +318,7 @@ ln NOTICE LICENSE
 %endif
 
 %patch137 -p1
+%patch138 -p1
 
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -988,6 +990,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Thu Dec 19 2014 Roland Mainz <rmainz at redhat.com> - 1.13-4
+- fix for CVE-2014-5354 (#1174546) "krb5: NULL pointer
+  dereference when using keyless entries"  
+
 * Wed Dec 17 2014 Roland Mainz <rmainz at redhat.com> - 1.13-3
 - fix for CVE-2014-5353 (#1174543) "Fix LDAP misused policy
   name crash"  

