[krb5/f21] * Thu Mar 19 2015 Roland Mainz <rmainz at redhat.com> - 1.13.1-2 - fix for CVE-2014-5355 (#1193939) "kr

Roland Mainz gisburn at fedoraproject.org
Fri Mar 20 13:23:29 UTC 2015


commit de691aed633c64667cc03a8805bfaca43f0c593d
Author: Roland Mainz <rmainz at redhat.com>
Date:   Fri Mar 20 14:23:05 2015 +0100

    * Thu Mar 19 2015 Roland Mainz <rmainz at redhat.com> - 1.13.1-2
    - fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated
      denial of service in recvauth_common() and others"

 ..._2014_5355_fix_krb5_read_message_handling.patch | 110 +++++++++++++++++++++
 krb5.spec                                          |   8 +-
 2 files changed, 117 insertions(+), 1 deletion(-)
---
diff --git a/krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch b/krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch
new file mode 100644
index 0000000..c90a4dd
--- /dev/null
+++ b/krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch
@@ -0,0 +1,110 @@
+From 21e4e653d8258d525f4b6ca87797d42a8bccc282 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson at mit.edu>
+Date: Tue, 9 Dec 2014 12:37:44 -0500
+Subject: [PATCH] Fix krb5_read_message handling [CVE-2014-5355]
+
+In recvauth_common, do not use strcmp against the data fields of
+krb5_data objects populated by krb5_read_message(), as there is no
+guarantee that they are C strings.  Instead, create an expected
+krb5_data value and use data_eq().
+
+In the sample user-to-user server application, check that the received
+client principal name is null-terminated before using it with printf
+and krb5_parse_name.
+
+CVE-2014-5355:
+
+In MIT krb5, when a server process uses the krb5_recvauth function, an
+unauthenticated remote attacker can cause a NULL dereference by
+sending a zero-byte version string, or a read beyond the end of
+allocated storage by sending a non-null-terminated version string.
+The example user-to-user server application (uuserver) is similarly
+vulnerable to a zero-length or non-null-terminated principal name
+string.
+
+The krb5_recvauth function reads two version strings from the client
+using krb5_read_message(), which produces a krb5_data structure
+containing a length and a pointer to an octet sequence.  krb5_recvauth
+assumes that the data pointer is a valid C string and passes it to
+strcmp() to verify the versions.  If the client sends an empty octet
+sequence, the data pointer will be NULL and strcmp() will dereference
+a NULL pointer, causing the process to crash.  If the client sends a
+non-null-terminated octet sequence, strcmp() will read beyond the end
+of the allocated storage, possibly causing the process to crash.
+
+uuserver similarly uses krb5_read_message() to read a client principal
+name, and then passes it to printf() and krb5_parse_name() without
+verifying that it is a valid C string.
+
+The krb5_recvauth function is used by kpropd and the Kerberized
+versions of the BSD rlogin and rsh daemons.  These daemons are usually
+run out of inetd or in a mode which forks before processing incoming
+connections, so a process crash will generally not result in a
+complete denial of service.
+
+Thanks to Tim Uglow for discovering this issue.
+
+CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
+
+[tlyu at mit.edu: CVSS score]
+
+(cherry picked from commit 102bb6ebf20f9174130c85c3b052ae104e5073ec)
+
+ticket: 8050
+version_fixed: 1.13.2
+status: resolved
+---
+ src/appl/user_user/server.c | 4 +++-
+ src/lib/krb5/krb/recvauth.c | 9 ++++++---
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/appl/user_user/server.c b/src/appl/user_user/server.c
+index 09ea4e0..f2b5b61 100644
+--- a/src/appl/user_user/server.c
++++ b/src/appl/user_user/server.c
+@@ -111,8 +111,10 @@ int main(argc, argv)
+     }
+ #endif
+ 
++    /* principal name must be sent null-terminated. */
+     retval = krb5_read_message(context, (krb5_pointer) &sock, &pname_data);
+-    if (retval) {
++    if (retval || pname_data.length == 0 ||
++        pname_data.data[pname_data.length - 1] != '\0') {
+         com_err ("uu-server", retval, "reading pname");
+         return 2;
+     }
+diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c
+index da836283..5adc6dd 100644
+--- a/src/lib/krb5/krb/recvauth.c
++++ b/src/lib/krb5/krb/recvauth.c
+@@ -59,6 +59,7 @@ recvauth_common(krb5_context context,
+     krb5_rcache           rcache = 0;
+     krb5_octet            response;
+     krb5_data             null_server;
++    krb5_data             d;
+     int                   need_error_free = 0;
+     int                   local_rcache = 0, local_authcon = 0;
+ 
+@@ -77,7 +78,8 @@ recvauth_common(krb5_context context,
+          */
+         if ((retval = krb5_read_message(context, fd, &inbuf)))
+             return(retval);
+-        if (strcmp(inbuf.data, sendauth_version)) {
++        d = make_data((char *)sendauth_version, strlen(sendauth_version) + 1);
++        if (!data_eq(inbuf, d)) {
+             problem = KRB5_SENDAUTH_BADAUTHVERS;
+             response = 1;
+         }
+@@ -93,8 +95,9 @@ recvauth_common(krb5_context context,
+      */
+     if ((retval = krb5_read_message(context, fd, &inbuf)))
+         return(retval);
+-    if (appl_version && strcmp(inbuf.data, appl_version)) {
+-        if (!problem) {
++    if (appl_version != NULL && !problem) {
++        d = make_data(appl_version, strlen(appl_version) + 1);
++        if (!data_eq(inbuf, d)) {
+             problem = KRB5_SENDAUTH_BADAPPLVERS;
+             response = 2;
+         }
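Review bot: In the embedded server.c change, the merged condition `if (retval || pname_data.length == 0 || pname_data.data[pname_data.length - 1] != '\0')` reports every malformed principal name through `com_err ("uu-server", retval, "reading pname")` with `retval == 0`, so the operator sees a success code and a "reading pname" message for what is actually a client sending a non-null-terminated or empty name; the transport failure and the validation failure should be reported separately, as sketched below (main's body continues outside the hunk). The recvauth.c part is sound as far as the hunk shows: comparing against `make_data(..., strlen(...) + 1)` requires the client to send the terminating NUL, and, assuming data_eq compares lengths before bytes, a zero-length message no longer reaches a NULL dereference. Note that since this section adds a .patch file, the fix belongs in the carried patch rather than in the spec.
```c
    retval = krb5_read_message(context, (krb5_pointer) &sock, &pname_data);
    if (retval) {
        com_err ("uu-server", retval, "reading pname");
        return 2;
    }
    /* principal name must be sent null-terminated; reject it before
     * it reaches printf/krb5_parse_name. */
    if (pname_data.length == 0 ||
        pname_data.data[pname_data.length - 1] != '\0') {
        com_err ("uu-server", 0, "malformed pname (not null-terminated)");
        return 2;
    }
```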
diff --git a/krb5.spec b/krb5.spec
index 6e88030..d05785f 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.12.2
-Release: 15%{?dist}
+Release: 16%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -134,6 +134,7 @@ Patch322: krb5-1.13_kinit_C_loop_krb5bug243.patch
 Patch323: krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
 Patch324: krb5_cve_2014_9421_2014_9422_2014_9423_2014_5352_krb5-1.12.2-final.patch
 Patch325: 0001-Allow-SPNEGO-fallback-to-NTLM-without-mechlistMIC.patch
+Patch326: krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -406,6 +407,7 @@ chmod u+x src/util/paste-kdcproxy.py
 %patch323 -p1 -b .krb5-1.14-support-kdc_err_more_preauth_data_required
 %patch324 -p1 -b .krb5_cve_2014_9421_2014_9422_2014_9423_2014_5352_krb5-1.12.2-final
 %patch325 -p1 -b .NTLMSSP-fallback
+%patch326 -p1 -b .krb5-1.12.1-cve_2014_5355_fix_krb5_read_message_handling
 
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -1085,6 +1087,10 @@ exit 0
 
 
 %changelog
+* Thu Mar 19 2015 Roland Mainz <rmainz at redhat.com> - 1.12.2-16
+- fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated
+  denial of service in recvauth_common() and others"  
+
 * Tue Mar 17 2015 David Woodhouse <dwmw2 at infradead.org> - 1.12.2-15
 - Fix NTLMSSP fallback (#1122324)
 
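Review bot: The new %changelog entry records this build as `1.12.2-16`, while the commit message above says `1.13.1-2`; the two should agree, and the spec's Version/Release lines make `1.12.2-16` the correct one, so the commit title looks copied from another branch. The second line of the entry, `  denial of service in recvauth_common() and others"  `, also carries trailing whitespace that rpmlint will flag; strip it. The remaining hunks (Release bump, `Patch326:` and `%patch326 -p1 -b ...`) are consistent with each other.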

