pull up fix for kpasswd service ping-pong attackkrb5-1.11.2-5.fc20 krb5-1.11.2-5.fc19

- pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443, #962531,#962534)
author: Nalin Dahyabhai <nalin@dahyabhai.net> 2013-05-13 18:32:51 -0400
committer: Nalin Dahyabhai <nalin@dahyabhai.net> 2013-05-13 18:32:51 -0400
commit: fbd06d348b0dbabac8f87ce502e0835a413ba287 (patch)
tree: 98e9dd97c13b0e72816df239da326a9c6538be2a
parent: c0d2f3b96d0d2eee428f588872e97d6a97ad82ec (diff)
download: krb5-fbd06d348b0dbabac8f87ce502e0835a413ba287.tar.gz
krb5-fbd06d348b0dbabac8f87ce502e0835a413ba287.tar.xz
krb5-fbd06d348b0dbabac8f87ce502e0835a413ba287.zip
2 files changed, 71 insertions, 1 deletions
diff --git a/krb5-1.11.2-kpasswd_pingpong.patch b/krb5-1.11.2-kpasswd_pingpong.patch
new file mode 100644
index 0000000..40a5abe
--- /dev/null
+++ b/krb5-1.11.2-kpasswd_pingpong.patch
@@ -0,0 +1,64 @@
+commit cf1a0c411b2668c57c41e9c4efd15ba17b6b322c
+Author: Tom Yu <tlyu@mit.edu>
+Date:   Fri May 3 16:26:46 2013 -0400
+
+    Fix kpasswd UDP ping-pong [CVE-2002-2443]
+    
+    The kpasswd service provided by kadmind was vulnerable to a UDP
+    "ping-pong" attack [CVE-2002-2443].  Don't respond to packets unless
+    they pass some basic validation, and don't respond to our own error
+    packets.
+    
+    Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
+    attack or UDP ping-pong attacks in general, but there is discussion
+    leading toward narrowing the definition of CVE-1999-0103 to the echo,
+    chargen, or other similar built-in inetd services.
+    
+    Thanks to Vincent Danen for alerting us to this issue.
+    
+    CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
+    
+    ticket: 7637 (new)
+    target_version: 1.11.3
+    tags: pullup
+
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index 15b0ab5..7f455d8 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -52,7 +52,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
+         ret = KRB5KRB_AP_ERR_MODIFIED;
+         numresult = KRB5_KPASSWD_MALFORMED;
+         strlcpy(strresult, "Request was truncated", sizeof(strresult));
+-        goto chpwfail;
++        goto bailout;
+     }
+ 
+     ptr = req->data;
+@@ -67,7 +67,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
+         numresult = KRB5_KPASSWD_MALFORMED;
+         strlcpy(strresult, "Request length was inconsistent",
+                 sizeof(strresult));
+-        goto chpwfail;
++        goto bailout;
+     }
+ 
+     /* verify version number */
+@@ -80,7 +80,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
+         numresult = KRB5_KPASSWD_BAD_VERSION;
+         snprintf(strresult, sizeof(strresult),
+                  "Request contained unknown protocol version number %d", vno);
+-        goto chpwfail;
++        goto bailout;
+     }
+ 
+     /* read, check ap-req length */
+@@ -93,7 +93,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
+         numresult = KRB5_KPASSWD_MALFORMED;
+         strlcpy(strresult, "Request was truncated in AP-REQ",
+                 sizeof(strresult));
+-        goto chpwfail;
++        goto bailout;
+     }
+ 
+     /* verify ap_req */
diff --git a/krb5.spec b/krb5.spec
index a600b79..0d0d5b5 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -30,7 +30,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.2
-Release: 4%{?dist}
+Release: 5%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -77,6 +77,7 @@ Patch116: http://ausil.fedorapeople.org/aarch64/krb5/krb5-aarch64.patch
 Patch117: krb5-1.11-gss-client-keytab.patch
 Patch118: krb5-1.11.1-rpcbind.patch
 Patch119: krb5-fast-msg_type.patch
+Patch120: krb5-1.11.2-kpasswd_pingpong.patch
 
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
@@ -296,6 +297,7 @@ ln -s NOTICE LICENSE
 %patch117 -p1 -b .gss-client-keytab
 %patch118 -p1 -b .rpcbind
 %patch119 -p1 -b .fast-msg_type
+%patch120 -p1 -b .kpasswd_pingpong
 
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@@ -821,6 +823,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Mon May 13 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-5
+- pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443,
+  #962531,#962534)
+
 * Mon Apr 29 2013 Nathaniel McCallum <npmccallum@redhat.com> 1.11.2-4
 - Update otp patches
 - Merge otp patches into a single patch
author	Nalin Dahyabhai <nalin@dahyabhai.net>	2013-05-13 18:32:51 -0400
committer	Nalin Dahyabhai <nalin@dahyabhai.net>	2013-05-13 18:32:51 -0400
commit	fbd06d348b0dbabac8f87ce502e0835a413ba287 (patch)
tree	98e9dd97c13b0e72816df239da326a9c6538be2a
parent	c0d2f3b96d0d2eee428f588872e97d6a97ad82ec (diff)
download	krb5-fbd06d348b0dbabac8f87ce502e0835a413ba287.tar.gz krb5-fbd06d348b0dbabac8f87ce502e0835a413ba287.tar.xz krb5-fbd06d348b0dbabac8f87ce502e0835a413ba287.zip