pull up fix for kpasswd service ping-pong attackkrb5-1.10.2-12.fc17

- pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443, #962531,#962534)
author: Nalin Dahyabhai <nalin@dahyabhai.net> 2013-05-13 18:43:22 -0400
committer: Nalin Dahyabhai <nalin@dahyabhai.net> 2013-05-13 18:43:22 -0400
commit: e215f64a732e421266582e49088bd1cfc3019e09 (patch)
tree: 8247a8e87ba62eb83a223c2053bb9720d46e350a
parent: 900d5ec360a0fb3398f59990351178f85f7fcaa7 (diff)
download: krb5-e215f64a732e421266582e49088bd1cfc3019e09.tar.gz
krb5-e215f64a732e421266582e49088bd1cfc3019e09.tar.xz
krb5-e215f64a732e421266582e49088bd1cfc3019e09.zip
2 files changed, 71 insertions, 1 deletions
diff --git a/krb5-1.11.2-kpasswd_pingpong.patch b/krb5-1.11.2-kpasswd_pingpong.patch
new file mode 100644
index 0000000..40a5abe
--- /dev/null
+++ b/krb5-1.11.2-kpasswd_pingpong.patch
@@ -0,0 +1,64 @@
+commit cf1a0c411b2668c57c41e9c4efd15ba17b6b322c
+Author: Tom Yu <tlyu@mit.edu>
+Date:   Fri May 3 16:26:46 2013 -0400
+
+    Fix kpasswd UDP ping-pong [CVE-2002-2443]
+    
+    The kpasswd service provided by kadmind was vulnerable to a UDP
+    "ping-pong" attack [CVE-2002-2443].  Don't respond to packets unless
+    they pass some basic validation, and don't respond to our own error
+    packets.
+    
+    Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
+    attack or UDP ping-pong attacks in general, but there is discussion
+    leading toward narrowing the definition of CVE-1999-0103 to the echo,
+    chargen, or other similar built-in inetd services.
+    
+    Thanks to Vincent Danen for alerting us to this issue.
+    
+    CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
+    
+    ticket: 7637 (new)
+    target_version: 1.11.3
+    tags: pullup
+
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index 15b0ab5..7f455d8 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -52,7 +52,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
+         ret = KRB5KRB_AP_ERR_MODIFIED;
+         numresult = KRB5_KPASSWD_MALFORMED;
+         strlcpy(strresult, "Request was truncated", sizeof(strresult));
+-        goto chpwfail;
++        goto bailout;
+     }
+ 
+     ptr = req->data;
+@@ -67,7 +67,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
+         numresult = KRB5_KPASSWD_MALFORMED;
+         strlcpy(strresult, "Request length was inconsistent",
+                 sizeof(strresult));
+-        goto chpwfail;
++        goto bailout;
+     }
+ 
+     /* verify version number */
+@@ -80,7 +80,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
+         numresult = KRB5_KPASSWD_BAD_VERSION;
+         snprintf(strresult, sizeof(strresult),
+                  "Request contained unknown protocol version number %d", vno);
+-        goto chpwfail;
++        goto bailout;
+     }
+ 
+     /* read, check ap-req length */
+@@ -93,7 +93,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
+         numresult = KRB5_KPASSWD_MALFORMED;
+         strlcpy(strresult, "Request was truncated in AP-REQ",
+                 sizeof(strresult));
+-        goto chpwfail;
++        goto bailout;
+     }
+ 
+     /* verify ap_req */
diff --git a/krb5.spec b/krb5.spec
index 62b1f73..6112b1c 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -20,7 +20,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.10.2
-Release: 11%{?dist}
+Release: 12%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -75,6 +75,7 @@ Patch110: krb5-lookup_etypes-leak.patch
 Patch111: krb5-1.10-pkinit-agility.patch
 Patch112: krb5-1.10-CVE-2013-1416.patch
 Patch113: krb5-fast-msg_type.patch
+Patch114: krb5-1.11.2-kpasswd_pingpong.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -259,6 +260,7 @@ ln -s NOTICE LICENSE
 %patch111 -p1 -b .pkinit-agility
 %patch112 -p1 -b .CVE-2013-1416
 %patch113 -p1 -b .fast-msg_type
+%patch114 -p1 -b .kpasswd_pingpong
 rm src/lib/krb5/krb/deltat.c
 
 gzip doc/*.ps
@@ -778,6 +780,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Mon May 13 2013 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-12
+- pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443,
+  #962531,#962534)
+
 * Mon Apr 15 2013 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-11
 - pull fix for keeping track of the message type when parsing FAST requests in
   the KDC (RT#7605, #951964)
author	Nalin Dahyabhai <nalin@dahyabhai.net>	2013-05-13 18:43:22 -0400
committer	Nalin Dahyabhai <nalin@dahyabhai.net>	2013-05-13 18:43:22 -0400
commit	e215f64a732e421266582e49088bd1cfc3019e09 (patch)
tree	8247a8e87ba62eb83a223c2053bb9720d46e350a
parent	900d5ec360a0fb3398f59990351178f85f7fcaa7 (diff)
download	krb5-e215f64a732e421266582e49088bd1cfc3019e09.tar.gz krb5-e215f64a732e421266582e49088bd1cfc3019e09.tar.xz krb5-e215f64a732e421266582e49088bd1cfc3019e09.zip