From: Roy Li <rongqing...@windriver.com> Upgrade to include the CVE fixes: [CVE-2014-5354] [CVE-2014-5353]... Remove the 0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch Regenerate the /var/run/krb5kdc dir
Signed-off-by: Roy Li <rongqing...@windriver.com> --- ...rn-only-new-keys-in-randkey-CVE-2014-5351.patch | 92 ---------------------- .../krb5/{krb5_1.12.2.bb => krb5_1.13.2.bb} | 28 ++++++- 2 files changed, 24 insertions(+), 96 deletions(-) delete mode 100644 meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch rename meta-oe/recipes-connectivity/krb5/{krb5_1.12.2.bb => krb5_1.13.2.bb} (75%) diff --git a/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch b/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch deleted file mode 100644 index 0852661..0000000 --- a/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch +++ /dev/null @@ -1,92 +0,0 @@ -From af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca Mon Sep 17 00:00:00 2001 -From: Greg Hudson <ghud...@mit.edu> -Date: Thu, 21 Aug 2014 13:52:07 -0400 -Subject: [PATCH] Return only new keys in randkey [CVE-2014-5351] - -In kadmind's randkey operation, if a client specifies the keepold -flag, do not include the preserved old keys in the response. - -CVE-2014-5351: - -An authenticated remote attacker can retrieve the current keys for a -service principal when generating a new set of keys for that -principal. The attacker needs to be authenticated as a user who has -the elevated privilege for randomizing the keys of other principals. - -Normally, when a Kerberos administrator randomizes the keys of a -service principal, kadmind returns only the new keys. This prevents -an administrator who lacks legitimate privileged access to a service -from forging tickets to authenticate to that service. If the -"keepold" flag to the kadmin randkey RPC operation is true, kadmind -retains the old keys in the KDC database as intended, but also -unexpectedly returns the old keys to the client, which exposes the -service to ticket forgery attacks from the administrator. - -A mitigating factor is that legitimate clients of the affected service -will start failing to authenticate to the service once they begin to -receive service tickets encrypted in the new keys. The affected -service will be unable to decrypt the newly issued tickets, possibly -alerting the legitimate administrator of the affected service. - -CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C - -[t...@mit.edu: CVE description and CVSS score] - -ticket: 8018 (new) -target_version: 1.13 -tags: pullup - -Upstream-Status: Backport ---- - src/lib/kadm5/srv/svr_principal.c | 21 ++++++++++++++++++--- - 1 files changed, 18 insertions(+), 3 deletions(-) - -diff --git a/lib/kadm5/srv/svr_principal.c b/lib/kadm5/srv/svr_principal.c -index 5d358bd..d4e74cc 100644 ---- a/lib/kadm5/srv/svr_principal.c -+++ b/lib/kadm5/srv/svr_principal.c -@@ -344,6 +344,20 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask, - *passptr = NULL; - } - -+/* Return the number of keys with the newest kvno. Assumes that all key data -+ * with the newest kvno are at the front of the key data array. */ -+static int -+count_new_keys(int n_key_data, krb5_key_data *key_data) -+{ -+ int n; -+ -+ for (n = 1; n < n_key_data; n++) { -+ if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno) -+ return n; -+ } -+ return n_key_data; -+} -+ - kadm5_ret_t - kadm5_create_principal(void *server_handle, - kadm5_principal_ent_t entry, long mask, -@@ -1593,7 +1607,7 @@ kadm5_randkey_principal_3(void *server_handle, - osa_princ_ent_rec adb; - krb5_int32 now; - kadm5_policy_ent_rec pol; -- int ret, last_pwd; -+ int ret, last_pwd, n_new_keys; - krb5_boolean have_pol = FALSE; - kadm5_server_handle_t handle = server_handle; - krb5_keyblock *act_mkey; -@@ -1686,8 +1700,9 @@ kadm5_randkey_principal_3(void *server_handle, - kdb->fail_auth_count = 0; - - if (keyblocks) { -- ret = decrypt_key_data(handle->context, -- kdb->n_key_data, kdb->key_data, -+ /* Return only the new keys added by krb5_dbe_crk. */ -+ n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data); -+ ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data, - keyblocks, n_keys); - if (ret) - goto done; --- -1.7.4.1 - diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb similarity index 75% rename from meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb rename to meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb index c492496..ec88296 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb @@ -14,7 +14,7 @@ DESCRIPTION = "Kerberos is a system for authenticating users and services on a n HOMEPAGE = "http://web.mit.edu/Kerberos/" SECTION = "console/network" LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=450c80c6258ce03387bd09df37638ebc" +LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=f64248328d2d9928e1f04158b5243e7f" DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native" inherit autotools-brokensep binconfig perlnative @@ -22,7 +22,6 @@ inherit autotools-brokensep binconfig perlnative SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}" SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar \ file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \ - file://0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch \ file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \ file://crosscompile_nm.patch \ file://etc/init.d/krb5-kdc \ @@ -30,8 +29,8 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar file://etc/default/krb5-kdc \ file://etc/default/krb5-admin-server \ " -SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe" -SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744" +SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189" +SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1" S = "${WORKDIR}/${BP}/src/" @@ -77,4 +76,25 @@ do_install_append() { mkdir -p ${D}/etc/init.d ${D}/etc/default install -m 0755 ${WORKDIR}/etc/init.d/* ${D}/etc/init.d install -m 0644 ${WORKDIR}/etc/default/* ${D}/etc/default + + rm -rf ${D}/var/run + mkdir -p ${D}/etc/default/volatiles + echo "d root root 0755 ${localstatedir}/run/krb5kdc none" \ + > ${D}${sysconfdir}/default/volatiles/87_krb5 + if ${@base_contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d + echo "d /run/krb5kdc - - - -" \ + > ${D}${sysconfdir}/tmpfiles.d/krb5.conf + fi + +} + +pkg_postinst_${PN} () { + if [ -z "$D" ]; then + if command -v systemd-tmpfiles >/dev/null; then + systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/krb5.conf + elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then + ${sysconfdir}/init.d/populate-volatile.sh update + fi + fi } -- 1.9.1 -- _______________________________________________ Openembedded-devel mailing list Openembedded-devel@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-devel