From: Rongqing Li <rongqing.li@windriver.com>
To: <openembedded-devel@lists.openembedded.org>
Subject: Re: [PATCH][meta-oe] krb5: upgrade to 1.13.1
Date: Tue, 12 May 2015 16:32:56 +0800 [thread overview]
Message-ID: <5551BAB8.8090801@windriver.com> (raw)
In-Reply-To: <1430113846-7107-1-git-send-email-rongqing.li@windriver.com>
ping
-Roy
在 2015年04月27日 13:50, rongqing.li@windriver.com 写道:
> From: Roy Li <rongqing.li@windriver.com>
>
> Remove a CVE patch which krb5 1.13.1 has merged.
> Update the checksum, include License file checksum, since
> the date in it is updated
>
> Signed-off-by: Roy Li <rongqing.li@windriver.com>
> ---
> ...rn-only-new-keys-in-randkey-CVE-2014-5351.patch | 92 ----------------------
> .../krb5/{krb5_1.12.2.bb => krb5_1.13.1.bb} | 7 +-
> 2 files changed, 3 insertions(+), 96 deletions(-)
> delete mode 100644 meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch
> rename meta-oe/recipes-connectivity/krb5/{krb5_1.12.2.bb => krb5_1.13.1.bb} (90%)
>
> diff --git a/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch b/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch
> deleted file mode 100644
> index 0852661..0000000
> --- a/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch
> +++ /dev/null
> @@ -1,92 +0,0 @@
> -From af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca Mon Sep 17 00:00:00 2001
> -From: Greg Hudson <ghudson@mit.edu>
> -Date: Thu, 21 Aug 2014 13:52:07 -0400
> -Subject: [PATCH] Return only new keys in randkey [CVE-2014-5351]
> -
> -In kadmind's randkey operation, if a client specifies the keepold
> -flag, do not include the preserved old keys in the response.
> -
> -CVE-2014-5351:
> -
> -An authenticated remote attacker can retrieve the current keys for a
> -service principal when generating a new set of keys for that
> -principal. The attacker needs to be authenticated as a user who has
> -the elevated privilege for randomizing the keys of other principals.
> -
> -Normally, when a Kerberos administrator randomizes the keys of a
> -service principal, kadmind returns only the new keys. This prevents
> -an administrator who lacks legitimate privileged access to a service
> -from forging tickets to authenticate to that service. If the
> -"keepold" flag to the kadmin randkey RPC operation is true, kadmind
> -retains the old keys in the KDC database as intended, but also
> -unexpectedly returns the old keys to the client, which exposes the
> -service to ticket forgery attacks from the administrator.
> -
> -A mitigating factor is that legitimate clients of the affected service
> -will start failing to authenticate to the service once they begin to
> -receive service tickets encrypted in the new keys. The affected
> -service will be unable to decrypt the newly issued tickets, possibly
> -alerting the legitimate administrator of the affected service.
> -
> -CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
> -
> -[tlyu@mit.edu: CVE description and CVSS score]
> -
> -ticket: 8018 (new)
> -target_version: 1.13
> -tags: pullup
> -
> -Upstream-Status: Backport
> ----
> - src/lib/kadm5/srv/svr_principal.c | 21 ++++++++++++++++++---
> - 1 files changed, 18 insertions(+), 3 deletions(-)
> -
> -diff --git a/lib/kadm5/srv/svr_principal.c b/lib/kadm5/srv/svr_principal.c
> -index 5d358bd..d4e74cc 100644
> ---- a/lib/kadm5/srv/svr_principal.c
> -+++ b/lib/kadm5/srv/svr_principal.c
> -@@ -344,6 +344,20 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
> - *passptr = NULL;
> - }
> -
> -+/* Return the number of keys with the newest kvno. Assumes that all key data
> -+ * with the newest kvno are at the front of the key data array. */
> -+static int
> -+count_new_keys(int n_key_data, krb5_key_data *key_data)
> -+{
> -+ int n;
> -+
> -+ for (n = 1; n < n_key_data; n++) {
> -+ if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno)
> -+ return n;
> -+ }
> -+ return n_key_data;
> -+}
> -+
> - kadm5_ret_t
> - kadm5_create_principal(void *server_handle,
> - kadm5_principal_ent_t entry, long mask,
> -@@ -1593,7 +1607,7 @@ kadm5_randkey_principal_3(void *server_handle,
> - osa_princ_ent_rec adb;
> - krb5_int32 now;
> - kadm5_policy_ent_rec pol;
> -- int ret, last_pwd;
> -+ int ret, last_pwd, n_new_keys;
> - krb5_boolean have_pol = FALSE;
> - kadm5_server_handle_t handle = server_handle;
> - krb5_keyblock *act_mkey;
> -@@ -1686,8 +1700,9 @@ kadm5_randkey_principal_3(void *server_handle,
> - kdb->fail_auth_count = 0;
> -
> - if (keyblocks) {
> -- ret = decrypt_key_data(handle->context,
> -- kdb->n_key_data, kdb->key_data,
> -+ /* Return only the new keys added by krb5_dbe_crk. */
> -+ n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data);
> -+ ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data,
> - keyblocks, n_keys);
> - if (ret)
> - goto done;
> ---
> -1.7.4.1
> -
> diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.1.bb
> similarity index 90%
> rename from meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
> rename to meta-oe/recipes-connectivity/krb5/krb5_1.13.1.bb
> index c492496..b266450 100644
> --- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
> +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.1.bb
> @@ -14,7 +14,7 @@ DESCRIPTION = "Kerberos is a system for authenticating users and services on a n
> HOMEPAGE = "http://web.mit.edu/Kerberos/"
> SECTION = "console/network"
> LICENSE = "MIT"
> -LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=450c80c6258ce03387bd09df37638ebc"
> +LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=f64248328d2d9928e1f04158b5243e7f"
> DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native"
>
> inherit autotools-brokensep binconfig perlnative
> @@ -22,7 +22,6 @@ inherit autotools-brokensep binconfig perlnative
> SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"
> SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar \
> file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \
> - file://0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch \
> file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \
> file://crosscompile_nm.patch \
> file://etc/init.d/krb5-kdc \
> @@ -30,8 +29,8 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
> file://etc/default/krb5-kdc \
> file://etc/default/krb5-admin-server \
> "
> -SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe"
> -SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744"
> +SRC_URI[md5sum] = "567586cdf02aa8c842c2fab7a94f3c1f"
> +SRC_URI[sha256sum] = "4df629fdf97f362cf81edbf38d613b32b492dd88c876cf3aa1c66562f296663e"
>
> S = "${WORKDIR}/${BP}/src/"
>
>
--
Best Reagrds,
Roy | RongQing Li
prev parent reply other threads:[~2015-05-12 8:32 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-27 5:50 [PATCH][meta-oe] krb5: upgrade to 1.13.1 rongqing.li
2015-05-12 8:32 ` Rongqing Li [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5551BAB8.8090801@windriver.com \
--to=rongqing.li@windriver.com \
--cc=openembedded-devel@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.