diff options
Diffstat (limited to 'core/krb5')
| -rw-r--r-- | core/krb5/CVE-2002-2443.patch | 69 | ||||
| -rw-r--r-- | core/krb5/PKGBUILD | 9 |
2 files changed, 76 insertions, 2 deletions
diff --git a/core/krb5/CVE-2002-2443.patch b/core/krb5/CVE-2002-2443.patch new file mode 100644 index 000000000..3ef88155c --- /dev/null +++ b/core/krb5/CVE-2002-2443.patch @@ -0,0 +1,69 @@ +From cf1a0c411b2668c57c41e9c4efd15ba17b6b322c Mon Sep 17 00:00:00 2001 +From: Tom Yu <tlyu@mit.edu> +Date: Fri, 3 May 2013 16:26:46 -0400 +Subject: [PATCH] Fix kpasswd UDP ping-pong [CVE-2002-2443] + +The kpasswd service provided by kadmind was vulnerable to a UDP +"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless +they pass some basic validation, and don't respond to our own error +packets. + +Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong +attack or UDP ping-pong attacks in general, but there is discussion +leading toward narrowing the definition of CVE-1999-0103 to the echo, +chargen, or other similar built-in inetd services. + +Thanks to Vincent Danen for alerting us to this issue. + +CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C + +ticket: 7637 (new) +target_version: 1.11.3 +tags: pullup +--- + src/kadmin/server/schpw.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c +index 15b0ab5..7f455d8 100644 +--- a/src/kadmin/server/schpw.c ++++ b/src/kadmin/server/schpw.c +@@ -52,7 +52,7 @@ + ret = KRB5KRB_AP_ERR_MODIFIED; + numresult = KRB5_KPASSWD_MALFORMED; + strlcpy(strresult, "Request was truncated", sizeof(strresult)); +- goto chpwfail; ++ goto bailout; + } + + ptr = req->data; +@@ -67,7 +67,7 @@ + numresult = KRB5_KPASSWD_MALFORMED; + strlcpy(strresult, "Request length was inconsistent", + sizeof(strresult)); +- goto chpwfail; ++ goto bailout; + } + + /* verify version number */ +@@ -80,7 +80,7 @@ + numresult = KRB5_KPASSWD_BAD_VERSION; + snprintf(strresult, sizeof(strresult), + "Request contained unknown protocol version number %d", vno); +- goto chpwfail; ++ goto bailout; + } + + /* read, check ap-req length */ +@@ -93,7 +93,7 @@ + numresult = KRB5_KPASSWD_MALFORMED; + strlcpy(strresult, "Request was truncated in AP-REQ", + sizeof(strresult)); +- goto chpwfail; ++ goto bailout; + } + + /* verify ap_req */ +-- +1.8.1.6 + diff --git a/core/krb5/PKGBUILD b/core/krb5/PKGBUILD index 9872d3d5b..a813c14aa 100644 --- a/core/krb5/PKGBUILD +++ b/core/krb5/PKGBUILD @@ -1,9 +1,9 @@ -# $Id: PKGBUILD 185696 2013-05-17 11:13:34Z stephane $ +# $Id: PKGBUILD 186200 2013-05-22 00:37:41Z stephane $ # Maintainer: Stéphane Gaudreault <stephane@archlinux.org> pkgname=krb5 pkgver=1.11.2 -pkgrel=3 +pkgrel=4 pkgdesc="The Kerberos network authentication system" arch=('i686' 'x86_64') url="http://web.mit.edu/kerberos/" @@ -12,6 +12,7 @@ depends=('e2fsprogs' 'libldap' 'keyutils') makedepends=('perl') backup=('etc/krb5.conf' 'var/lib/krb5kdc/kdc.conf') source=(http://web.mit.edu/kerberos/dist/${pkgname}/1.11/${pkgname}-${pkgver}-signed.tar + CVE-2002-2443.patch krb5-config_LDFLAGS.patch krb5-kadmind.service krb5-kdc.service @@ -19,6 +20,7 @@ source=(http://web.mit.edu/kerberos/dist/${pkgname}/1.11/${pkgname}-${pkgver}-si krb5-kpropd@.service krb5-kpropd.socket) sha1sums=('3863f7bdb2d8fc3e50484fb566124373c4b0a250' + '78ec307c2b5e32481a6da401013c428e0b867f36' '09e478cddfb9d46d2981dd25ef96b8c3fd91e1aa' 'a2a01e7077d9e89cda3457ea0e216debb3dc353c' 'f5e4fa073e11b0fcb4e3098a5d58a4f791ec841e' @@ -34,6 +36,9 @@ build() { # cf https://bugs.gentoo.org/show_bug.cgi?id=448778 patch -Np2 -i "${srcdir}"/krb5-config_LDFLAGS.patch + # Fix kpasswd UDP ping-pong (CVE-2002-2443) + patch -Np2 -i "${srcdir}"/CVE-2002-2443.patch + rm lib/krb5/krb/deltat.c # FS#25384 |