author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-05-13 18:43:22 -0400 |
---|---|---|
committer | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-05-13 18:43:22 -0400 |
commit | e215f64a732e421266582e49088bd1cfc3019e09 (patch) | |
tree | 8247a8e87ba62eb83a223c2053bb9720d46e350a | |
parent | 900d5ec360a0fb3398f59990351178f85f7fcaa7 (diff) | |
download | krb5-e215f64a732e421266582e49088bd1cfc3019e09.tar.gz krb5-e215f64a732e421266582e49088bd1cfc3019e09.tar.xz krb5-e215f64a732e421266582e49088bd1cfc3019e09.zip |
pull up fix for kpasswd service ping-pong attack krb5-1.10.2-12.fc17
- pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443,
#962531,#962534)
-rw-r--r-- | krb5-1.11.2-kpasswd_pingpong.patch | 64 | ||||
-rw-r--r-- | krb5.spec | 8 |
2 files changed, 71 insertions, 1 deletions
diff --git a/krb5-1.11.2-kpasswd_pingpong.patch b/krb5-1.11.2-kpasswd_pingpong.patch
new file mode 100644
index 0000000..40a5abe
--- /dev/null
+++ b/krb5-1.11.2-kpasswd_pingpong.patch
@@ -0,0 +1,64 @@
+commit cf1a0c411b2668c57c41e9c4efd15ba17b6b322c
+Author: Tom Yu <tlyu@mit.edu>
+Date: Fri May 3 16:26:46 2013 -0400
+
+ Fix kpasswd UDP ping-pong [CVE-2002-2443]
+
+ The kpasswd service provided by kadmind was vulnerable to a UDP
+ "ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
+ they pass some basic validation, and don't respond to our own error
+ packets.
+
+ Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
+ attack or UDP ping-pong attacks in general, but there is discussion
+ leading toward narrowing the definition of CVE-1999-0103 to the echo,
+ chargen, or other similar built-in inetd services.
+
+ Thanks to Vincent Danen for alerting us to this issue.
+
+ CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
+
+ ticket: 7637 (new)
+ target_version: 1.11.3
+ tags: pullup
+
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index 15b0ab5..7f455d8 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -52,7 +52,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated", sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ ptr = req->data;
+@@ -67,7 +67,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request length was inconsistent",
+ sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* verify version number */
+@@ -80,7 +80,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
+ numresult = KRB5_KPASSWD_BAD_VERSION;
+ snprintf(strresult, sizeof(strresult),
+ "Request contained unknown protocol version number %d", vno);
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* read, check ap-req length */
+@@ -93,7 +93,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated in AP-REQ",
+ sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* verify ap_req */
@@ -20,7 +20,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.10.2
-Release: 11%{?dist}
+Release: 12%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -75,6 +75,7 @@ Patch110: krb5-lookup_etypes-leak.patch
 Patch111: krb5-1.10-pkinit-agility.patch
 Patch112: krb5-1.10-CVE-2013-1416.patch
 Patch113: krb5-fast-msg_type.patch
+Patch114: krb5-1.11.2-kpasswd_pingpong.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -259,6 +260,7 @@ ln -s NOTICE LICENSE
 %patch111 -p1 -b .pkinit-agility
 %patch112 -p1 -b .CVE-2013-1416
 %patch113 -p1 -b .fast-msg_type
+%patch114 -p1 -b .kpasswd_pingpong
 rm src/lib/krb5/krb/deltat.c
 gzip doc/*.ps
@@ -778,6 +780,10 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
+* Mon May 13 2013 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-12
+- pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443,
+ #962531,#962534)
+
 * Mon Apr 15 2013 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-11
 - pull fix for keeping track of the message type when parsing FAST requests in the KDC (RT#7605, #951964) |
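Review bot: In the schpw.c hunks carried by krb5-1.11.2-kpasswd_pingpong.patch, each of the four early checks still sets `ret`, `numresult` and `strresult` before `goto bailout`, and nothing visible shows `bailout` using the result code or string, so these look like dead stores once no reply is built. Because the service now drops such packets without answering, I would add a comment at the first jump such as `/* Unvalidated UDP input: drop without replying to avoid a ping-pong loop (CVE-2002-2443). */` and, if `bailout` does not already log `ret`, record the drop reason there (rate-limited) so operators keep visibility of malformed or spoofed kpasswd traffic. The description also says the server will not answer its own error packets, but only the checks before `/* verify ap_req */` change; the failure paths after that comment are outside the hunks, so confirm that none of them still reaches `chpwfail` for a sender that has not been authenticated. process_chpw_request starts and ends outside these hunks.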