From fbd06d348b0dbabac8f87ce502e0835a413ba287 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: May 13 2013 22:32:51 +0000 Subject: pull up fix for kpasswd service ping-pong attack - pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443, #962531,#962534) --- diff --git a/krb5-1.11.2-kpasswd_pingpong.patch b/krb5-1.11.2-kpasswd_pingpong.patch new file mode 100644 index 0000000..40a5abe --- /dev/null +++ b/krb5-1.11.2-kpasswd_pingpong.patch @@ -0,0 +1,64 @@ +commit cf1a0c411b2668c57c41e9c4efd15ba17b6b322c +Author: Tom Yu +Date: Fri May 3 16:26:46 2013 -0400 + + Fix kpasswd UDP ping-pong [CVE-2002-2443] + + The kpasswd service provided by kadmind was vulnerable to a UDP + "ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless + they pass some basic validation, and don't respond to our own error + packets. + + Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong + attack or UDP ping-pong attacks in general, but there is discussion + leading toward narrowing the definition of CVE-1999-0103 to the echo, + chargen, or other similar built-in inetd services. + + Thanks to Vincent Danen for alerting us to this issue. + + CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C + + ticket: 7637 (new) + target_version: 1.11.3 + tags: pullup + +diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c +index 15b0ab5..7f455d8 100644 +--- a/src/kadmin/server/schpw.c ++++ b/src/kadmin/server/schpw.c +@@ -52,7 +52,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm, + ret = KRB5KRB_AP_ERR_MODIFIED; + numresult = KRB5_KPASSWD_MALFORMED; + strlcpy(strresult, "Request was truncated", sizeof(strresult)); +- goto chpwfail; ++ goto bailout; + } + + ptr = req->data; +@@ -67,7 +67,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm, + numresult = KRB5_KPASSWD_MALFORMED; + strlcpy(strresult, "Request length was inconsistent", + sizeof(strresult)); +- goto chpwfail; ++ goto bailout; + } + + /* verify version number */ +@@ -80,7 +80,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm, + numresult = KRB5_KPASSWD_BAD_VERSION; + snprintf(strresult, sizeof(strresult), + "Request contained unknown protocol version number %d", vno); +- goto chpwfail; ++ goto bailout; + } + + /* read, check ap-req length */ +@@ -93,7 +93,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm, + numresult = KRB5_KPASSWD_MALFORMED; + strlcpy(strresult, "Request was truncated in AP-REQ", + sizeof(strresult)); +- goto chpwfail; ++ goto bailout; + } + + /* verify ap_req */ diff --git a/krb5.spec b/krb5.spec index a600b79..0d0d5b5 100644 --- a/krb5.spec +++ b/krb5.spec @@ -30,7 +30,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.11.2 -Release: 4%{?dist} +Release: 5%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.2-signed.tar Source0: krb5-%{version}.tar.gz @@ -77,6 +77,7 @@ Patch116: http://ausil.fedorapeople.org/aarch64/krb5/krb5-aarch64.patch Patch117: krb5-1.11-gss-client-keytab.patch Patch118: krb5-1.11.1-rpcbind.patch Patch119: krb5-fast-msg_type.patch +Patch120: krb5-1.11.2-kpasswd_pingpong.patch # Patches for otp plugin backport Patch201: krb5-1.11.2-keycheck.patch @@ -296,6 +297,7 @@ ln -s NOTICE LICENSE %patch117 -p1 -b .gss-client-keytab %patch118 -p1 -b .rpcbind %patch119 -p1 -b .fast-msg_type +%patch120 -p1 -b .kpasswd_pingpong %patch201 -p1 -b .keycheck %patch202 -p1 -b .otp @@ -821,6 +823,10 @@ exit 0 %{_sbindir}/uuserver %changelog +* Mon May 13 2013 Nalin Dahyabhai 1.11.2-5 +- pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443, + #962531,#962534) + * Mon Apr 29 2013 Nathaniel McCallum 1.11.2-4 - Update otp patches - Merge otp patches into a single patch