authorLadislav Hagara2007-07-03 23:15:44 +0200
committerEric Sandall2007-07-03 15:20:38 -0700
commitbc45feaf419143ab0729ba4b70938d2e68914bbb (patch)
tree5f483be3bb1b66b53989473387fa3e427deb39a5
parent686ee83fcfd5b1747401819d7d82729b65445bc0 (diff)
krb5: SECURITY_PATCH++
(cherry picked from commit a9a0dd16078ef576b8f301792bf707d9ea20c85b)
-rwxr-xr-xcrypto/krb5/BUILD4
-rwxr-xr-xcrypto/krb5/DETAILS2
-rw-r--r--crypto/krb5/HISTORY4
-rw-r--r--crypto/krb5/MITKRB5-SA-2007-004.txt257
-rw-r--r--crypto/krb5/MITKRB5-SA-2007-005.txt229
5 files changed, 495 insertions, 1 deletions
diff --git a/crypto/krb5/BUILD b/crypto/krb5/BUILD
index 14d12068f3..3730757dad 100755
--- a/crypto/krb5/BUILD
+++ b/crypto/krb5/BUILD
@@ -6,6 +6,10 @@ fi
cd $SPELL-$VERSION/src &&
+# Kerberos Security Advisories
+patch -p1 < $SCRIPT_DIRECTORY/MITKRB5-SA-2007-004.txt &&
+patch -p1 < $SCRIPT_DIRECTORY/MITKRB5-SA-2007-005.txt &&
+
./configure --enable-dns-for-kdc \
--enable-dns-for-realm \
--infodir=/usr/share/info \
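Review bot: The two `patch` invocations added at L26–27 run unconditionally, yet both advisories' FIXES sections state the fixes ship in krb5-1.6.2, so the next version bump in DETAILS will make these hunks fail or be detected as already applied (GNU patch then asks "Assume -R?", which can stall a non-interactive build instead of failing cleanly). The 2007-04-24 HISTORY entry shows the previous advisory patches had to be removed by hand on the 1.6.1 bump; tying the patches to the version they target makes that explicit, e.g. wrapping them in `if [ "$VERSION" = "1.6.1" ]; then … fi &&`. Note also that the advisory files are PGP-signed (the `- ---` file-header lines are dash-escaping), so a clean apply relies on patch tolerating that framing — presumably verified, since the `&&` chain aborts on a nonzero exit — and the inline signatures are never checked at build time, so integrity rests entirely on the git history.
```shell
# Kerberos Security Advisories (fixed upstream in krb5-1.6.2; drop on version bump)
if [ "$VERSION" = "1.6.1" ]; then
  patch -p1 < $SCRIPT_DIRECTORY/MITKRB5-SA-2007-004.txt &&
  patch -p1 < $SCRIPT_DIRECTORY/MITKRB5-SA-2007-005.txt
fi &&
# … unchanged: ./configure … 
```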
diff --git a/crypto/krb5/DETAILS b/crypto/krb5/DETAILS
index 5ebfceb076..e8c04db545 100755
--- a/crypto/krb5/DETAILS
+++ b/crypto/krb5/DETAILS
@@ -9,7 +9,7 @@ SOURCE_DIRECTORY=$BUILD_DIRECTORY/$SPELL-$VERSION
ENTERED=20020215
LICENSE[0]=http://web.mit.edu/kerberos/www/krb5-1.6/krb5-1.6/doc/krb5-install.html#Copyright
PATCHLEVEL=0
- SECURITY_PATCH=3
+ SECURITY_PATCH=4
KEYWORDS="security crypto"
SHORT="Kerberos 5 network security protocol"
cat << EOF
diff --git a/crypto/krb5/HISTORY b/crypto/krb5/HISTORY
index 6c9544469b..00832c3df5 100644
--- a/crypto/krb5/HISTORY
+++ b/crypto/krb5/HISTORY
@@ -1,3 +1,7 @@
+2007-07-03 Ladislav Hagara <hgr@vabo.cz>
+ * DETAILS: SECURITY_PATCH=4
+ * BUILD, MITKRB5-SA-2007-00[45].txt: added security patches
+
2007-04-24 Ladislav Hagara <hgr@vabo.cz>
* DETAILS: 1.6.1
* BUILD, 2007-00[123]-patch.txt: removed patches
diff --git a/crypto/krb5/MITKRB5-SA-2007-004.txt b/crypto/krb5/MITKRB5-SA-2007-004.txt
new file mode 100644
index 0000000000..33051b7858
--- /dev/null
+++ b/crypto/krb5/MITKRB5-SA-2007-004.txt
@@ -0,0 +1,257 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+ MIT krb5 Security Advisory 2007-004
+
+Original release: 2007-06-26
+Last update: 2007-06-26
+
+Topic: kadmind affected by multiple RPC library vulnerabilities
+
+Severity: CRITICAL
+
+CVE: CVE-2007-2442
+CERT: VU#356961
+
+CVE: CVE-2007-2443
+CERT: VU#365313
+
+SUMMARY
+=======
+
+The MIT krb5 Kerberos administration daemon (kadmind) is affected by
+multiple vulnerabilities in the RPC library shipped with MIT krb5.
+
+CVE-2007-2442/VU#356961: The RPC library can free an uninitialized
+pointer. This may lead to execution of arbitrary code.
+
+CVE-2007-2443/VU#365313: The RPC library can write past the end of a
+stack buffer. This may (but is unlikely to) lead to execution of
+arbitrary code.
+
+Third-party applications using the RPC library provided with MIT krb5
+may also be vulnerable. Other RPC libraries derived from SunRPC may
+be vulnerable to CVE-2007-2443.
+
+Exploitation of these vulnerabilities is believed to be difficult.
+(See DETAILS.) Proof-of-concept exploits which do not cause execution
+of unintended code exist but are not known to be publicly circulated.
+
+This is a bug in the RPC library included with MIT krb5, which is used
+by kadmind and by some third-party applications. It is not a bug in
+the Kerberos protocol.
+
+IMPACT
+======
+
+An unauthenticated remote user may be able to cause a host running
+kadmind to execute arbitrary code. CVE-2007-2442 is more likely to
+lead to arbitrary code execution than CVE-2007-2443.
+
+Successful exploitation can compromise the Kerberos key database and
+host security on the host running these programs. (kadmind typically
+runs as root.) Unsuccessful exploitation attempts will likely result
+in the affected program crashing.
+
+Third-party applications calling the RPC library provided with MIT
+krb5 may be vulnerable. Other RPC libraries derived from SunRPC may
+be vulnerable.
+
+AFFECTED SOFTWARE
+=================
+
+* kadmind from MIT releases up to and including krb5-1.6.1
+
+* third-party applications calling the RPC library included in MIT
+ releases up to and including krb5-1.6.1
+
+FIXES
+=====
+
+* The upcoming krb5-1.6.2 release, as well as the upcoming krb5-1.5.4
+ maintenance release, will contain fixes for this vulnerability.
+
+Prior to that release you may:
+
+* apply the patch
+
+ This patch is also available at
+
+ http://web.mit.edu/kerberos/advisories/2007-004-patch.txt
+
+ A PGP-signed patch is available at
+
+ http://web.mit.edu/kerberos/advisories/2007-004-patch.txt.asc
+
+*** src/lib/rpc/svc_auth_gssapi.c (revision 20015)
+- --- src/lib/rpc/svc_auth_gssapi.c (local)
+***************
+*** 149,154 ****
+- --- 149,156 ----
+ rqst->rq_xprt->xp_auth = &svc_auth_none;
+
+ memset((char *) &call_res, 0, sizeof(call_res));
++ creds.client_handle.length = 0;
++ creds.client_handle.value = NULL;
+
+ cred = &msg->rm_call.cb_cred;
+ verf = &msg->rm_call.cb_verf;
+*** src/lib/rpc/svc_auth_unix.c (revision 20015)
+- --- src/lib/rpc/svc_auth_unix.c (local)
+***************
+*** 64,71 ****
+ char area_machname[MAX_MACHINE_NAME+1];
+ int area_gids[NGRPS];
+ } *area;
+! u_int auth_len;
+! int str_len, gid_len;
+ register int i;
+
+ rqst->rq_xprt->xp_auth = &svc_auth_none;
+- --- 64,70 ----
+ char area_machname[MAX_MACHINE_NAME+1];
+ int area_gids[NGRPS];
+ } *area;
+! u_int auth_len, str_len, gid_len;
+ register int i;
+
+ rqst->rq_xprt->xp_auth = &svc_auth_none;
+***************
+*** 74,80 ****
+ aup = &area->area_aup;
+ aup->aup_machname = area->area_machname;
+ aup->aup_gids = area->area_gids;
+! auth_len = (u_int)msg->rm_call.cb_cred.oa_length;
+ xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE);
+ buf = XDR_INLINE(&xdrs, (int)auth_len);
+ if (buf != NULL) {
+- --- 73,81 ----
+ aup = &area->area_aup;
+ aup->aup_machname = area->area_machname;
+ aup->aup_gids = area->area_gids;
+! auth_len = msg->rm_call.cb_cred.oa_length;
+! if (auth_len > INT_MAX)
+! return AUTH_BADCRED;
+ xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE);
+ buf = XDR_INLINE(&xdrs, (int)auth_len);
+ if (buf != NULL) {
+***************
+*** 84,90 ****
+ stat = AUTH_BADCRED;
+ goto done;
+ }
+! memmove(aup->aup_machname, (caddr_t)buf, (u_int)str_len);
+ aup->aup_machname[str_len] = 0;
+ str_len = RNDUP(str_len);
+ buf += str_len / BYTES_PER_XDR_UNIT;
+- --- 85,91 ----
+ stat = AUTH_BADCRED;
+ goto done;
+ }
+! memmove(aup->aup_machname, buf, str_len);
+ aup->aup_machname[str_len] = 0;
+ str_len = RNDUP(str_len);
+ buf += str_len / BYTES_PER_XDR_UNIT;
+***************
+*** 104,110 ****
+ * timestamp, hostname len (0), uid, gid, and gids len (0).
+ */
+ if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) {
+! (void) printf("bad auth_len gid %d str %d auth %d\n",
+ gid_len, str_len, auth_len);
+ stat = AUTH_BADCRED;
+ goto done;
+- --- 105,111 ----
+ * timestamp, hostname len (0), uid, gid, and gids len (0).
+ */
+ if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) {
+! (void) printf("bad auth_len gid %u str %u auth %u\n",
+ gid_len, str_len, auth_len);
+ stat = AUTH_BADCRED;
+ goto done;
+
+REFERENCES
+==========
+
+This announcement is posted at:
+
+ http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-004.txt
+
+This announcement and related security advisories may be found on the
+MIT Kerberos security advisory page at:
+
+ http://web.mit.edu/kerberos/advisories/index.html
+
+The main MIT Kerberos web page is at:
+
+ http://web.mit.edu/kerberos/index.html
+
+CVE: CVE-2007-2442
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2442
+
+CVE: CVE-2007-2443
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2443
+
+CERT: VU#356961
+http://www.kb.cert.org/vuls/id/356961
+
+CERT: VU#365313
+http://www.kb.cert.org/vuls/id/365313
+
+ACKNOWLEDGMENTS
+===============
+
+We thank McAfee, Inc. for the initial notification. Wei Wang of
+McAfee Avert Labs discovered these vulnerabilities.
+
+DETAILS
+=======
+
+CVE-2007-2442: The function gssrpc__svcauth_gssapi() in
+src/lib/rpc/svc_auth_gssapi.c declares an automatic variable "creds"
+of type auth_gssapi_creds. This type includes a gss_buffer_desc
+(which includes a pointer to void used as a pointer to a buffer of
+bytes). If gssrpc__svcauth_gssapi() receives an RPC credential with a
+length of zero, it jumps to the label "error", which executes some
+cleanup code. At this point, the gss_buffer_desc in "creds" is not
+yet initialized, and the cleanup code calls xdr_free() on "creds",
+which then attempts to free the memory pointed to by the uninitialized
+"value" member of the gss_buffer_desc.
+
+Exploitation of freeing of invalid pointers is believed to be
+difficult, and depends on a variety of factors specific to a given
+malloc implementation.
+
+CVE-2007-2443: The function gssrpc__svcauth_unix() in
+src/lib/rpc/svc_auth_unix.c stores an unsigned integer obtained from
+IXDR_GET_U_LONG into a signed integer variable "str_len".
+Subsequently, it checks that "str_len" is less than MAX_MACHINE_NAME,
+which will always be true of "str_len" is negative, which can happen
+when a large unsigned integer is converted to a signed integer. Once
+the length check succeeds, gssrpc__svcauth_unix() calls memmove() with
+a length of "str_len" with the target in a stack buffer.
+
+This vulnerability is believed to be difficult to exploit because the
+memmove() implementation receives a very large number (a negative
+integer converted to a large unsigned value), which will almost
+certainly cause some sort of memory access fault prior to returning.
+This probably avoids any usage of the corrupted return address in the
+overwritten stack frame. Note that some (perhaps unlikely) memmove()
+implementations may call other procedures and thus may be vulnerable
+to corrupted return addresses.
+
+REVISION HISTORY
+================
+
+2007-06-26 original release
+
+Copyright (C) 2007 Massachusetts Institute of Technology
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.6 (SunOS)
+
+iQCVAwUBRoFJz6bDgE/zdoE9AQL7gAP9E854ZZEi6Vk4sl0CbNYW3UifSZd4MQy2
+djW5S/sO93k0Tji/+VQwyG5iIiWIsfotaS66ZuU80K8YTiEfXmyDp81uUUvRMJFT
+8i4/L1yf43gA49GF8PV3QqS5QmzMoz8x0vp9OyUq4S/Yh4MpkcnTHW9xU1Fxdhe/
+ZJxXE06kRIU=
+=Fcvv
+-----END PGP SIGNATURE-----
diff --git a/crypto/krb5/MITKRB5-SA-2007-005.txt b/crypto/krb5/MITKRB5-SA-2007-005.txt
new file mode 100644
index 0000000000..3c578240c2
--- /dev/null
+++ b/crypto/krb5/MITKRB5-SA-2007-005.txt
@@ -0,0 +1,229 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+ MIT krb5 Security Advisory 2007-005
+
+Original release: 2007-06-26
+Last update: 2007-06-26
+
+Topic: kadmind vulnerable to buffer overflow
+
+Severity: CRITICAL
+
+CVE: CVE-2007-2798
+CERT: VU#554257
+
+SUMMARY
+=======
+
+The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to
+a stack buffer overflow.
+
+Exploitation of overflows of stack buffers is known to be simple. We
+have received a proof-of-concept exploit which may invoke a shell, but
+we believe that this exploit is not publicly circulated.
+
+This is a bug in kadmind in MIT krb5. It is not a bug in the Kerberos
+protocol.
+
+IMPACT
+======
+
+An authenticated remote user may be able to cause a host running
+kadmind to execute arbitrary code.
+
+Successful exploitation can compromise the Kerberos key database and
+host security on the KDC host. (kadmind typically runs as root.)
+Unsuccessful exploitation attempts will likely result in kadmind
+crashing.
+
+AFFECTED SOFTWARE
+=================
+
+* kadmind from MIT releases up to and including krb5-1.6.1
+
+FIXES
+=====
+
+* The upcoming krb5-1.6.2 release, as well as the upcoming krb5-1.5.4
+ maintenance release, will contain fixes for this vulnerability.
+
+Prior to that release you may:
+
+* apply the patch
+
+This patch has the patch in MITKRB5-SA-2007-002 as a prerequisite.
+The krb5-1.6.1 and krb5-1.5.3 releases already contains the
+prerequisite patch.
+
+ This patch is also available at
+
+ http://web.mit.edu/kerberos/advisories/2007-005-patch.txt
+
+ A PGP-signed patch is available at
+
+ http://web.mit.edu/kerberos/advisories/2007-005-patch.txt.asc
+
+*** src/kadmin/server/server_stubs.c (revision 20024)
+- --- src/kadmin/server/server_stubs.c (local)
+***************
+*** 545,557 ****
+ static generic_ret ret;
+ char *prime_arg1,
+ *prime_arg2;
+- - char prime_arg[BUFSIZ];
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+ char *errmsg;
+
+ xdr_free(xdr_generic_ret, &ret);
+
+- --- 545,558 ----
+ static generic_ret ret;
+ char *prime_arg1,
+ *prime_arg2;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+ char *errmsg;
++ size_t tlen1, tlen2, clen, slen;
++ char *tdots1, *tdots2, *cdots, *sdots;
+
+ xdr_free(xdr_generic_ret, &ret);
+
+***************
+*** 572,578 ****
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
+ }
+! sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
+
+ ret.code = KADM5_OK;
+ if (! CHANGEPW_SERVICE(rqstp)) {
+- --- 573,586 ----
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
+ }
+! tlen1 = strlen(prime_arg1);
+! trunc_name(&tlen1, &tdots1);
+! tlen2 = strlen(prime_arg2);
+! trunc_name(&tlen2, &tdots2);
+! clen = client_name.length;
+! trunc_name(&clen, &cdots);
+! slen = service_name.length;
+! trunc_name(&slen, &sdots);
+
+ ret.code = KADM5_OK;
+ if (! CHANGEPW_SERVICE(rqstp)) {
+***************
+*** 590,597 ****
+ } else
+ ret.code = KADM5_AUTH_INSUFFICIENT;
+ if (ret.code != KADM5_OK) {
+! log_unauth("kadm5_rename_principal", prime_arg,
+! &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_rename_principal((void *)handle, arg->src,
+ arg->dest);
+- --- 598,612 ----
+ } else
+ ret.code = KADM5_AUTH_INSUFFICIENT;
+ if (ret.code != KADM5_OK) {
+! krb5_klog_syslog(LOG_NOTICE,
+! "Unauthorized request: kadm5_rename_principal, "
+! "%.*s%s to %.*s%s, "
+! "client=%.*s%s, service=%.*s%s, addr=%s",
+! tlen1, prime_arg1, tdots1,
+! tlen2, prime_arg2, tdots2,
+! clen, client_name.value, cdots,
+! slen, service_name.value, sdots,
+! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ } else {
+ ret.code = kadm5_rename_principal((void *)handle, arg->src,
+ arg->dest);
+***************
+*** 600,607 ****
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+! log_done("kadm5_rename_principal", prime_arg, errmsg,
+! &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg1);
+- --- 615,629 ----
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+! krb5_klog_syslog(LOG_NOTICE,
+! "Request: kadm5_rename_principal, "
+! "%.*s%s to %.*s%s, %s, "
+! "client=%.*s%s, service=%.*s%s, addr=%s",
+! tlen1, prime_arg1, tdots1,
+! tlen2, prime_arg2, tdots2, errmsg,
+! clen, client_name.value, cdots,
+! slen, service_name.value, sdots,
+! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ }
+ free_server_handle(handle);
+ free(prime_arg1);
+
+REFERENCES
+==========
+
+This announcement is posted at:
+
+ http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt
+
+This announcement and related security advisories may be found on the
+MIT Kerberos security advisory page at:
+
+ http://web.mit.edu/kerberos/advisories/index.html
+
+The main MIT Kerberos web page is at:
+
+ http://web.mit.edu/kerberos/index.html
+
+CVE: CVE-2007-2798
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798
+
+CERT: VU#554257
+http://www.kb.cert.org/vuls/id/554257
+
+ACKNOWLEDGMENTS
+===============
+
+We thank iDefense for the initial notification. iDefense credits an
+anonymous discoverer.
+
+DETAILS
+=======
+
+The kadmind code which performs the principal renaming operation
+passes unchecked string arguments to a sprintf() call which has a
+fixed-size stack buffer as its destination. These strings are the old
+and new principal names passed to the rename operation. The attacker
+needs to authenticate to kadmind to perform this attack, but no
+administrative privileges are required because the vulnerable code
+executes prior to privilege verification.
+
+REVISION HISTORY
+================
+
+2007-06-26 original release
+
+Copyright (C) 2007 Massachusetts Institute of Technology
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.6 (SunOS)
+
+iQCVAwUBRoFJ16bDgE/zdoE9AQJKkQP/V95mZTlvUeuc1+Pw6m3vx+0jd2yGdR9Y
+NiM1Kfe80u4TjvXIkCLLrIwE2E8+xSjEpGsG0EBqlRpAKOMtXyfzySYF4RdQl8QI
+42joEAhYO4sk4xueb9ZC/GW1BCOobkvH+Apq1mXEndfeM/7QHRo/MJRZry8aek8r
+Xfd3cRNQogQ=
+=JE8k
+-----END PGP SIGNATURE-----
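Review bot: In the two `krb5_klog_syslog` calls this patch adds (L462–470 and L488–496), `tlen1`, `tlen2`, `clen` and `slen` are declared `size_t` (L419) but are passed as the `*` precision of `%.*s`, which printf reads as `int`; on LP64 targets that is a variadic type mismatch (undefined behaviour, and a -Wformat warning where the function carries a printf attribute), even though it happens to work on common ABIs. The fix is to cast each of the eight length arguments at the call site, e.g. `(int)tlen1, prime_arg1, tdots1,`, which is safe provided `trunc_name()` (not shown; it comes from the MITKRB5-SA-2007-002 prerequisite patch the advisory mentions) bounds the lengths to something that fits in an `int` — worth confirming. Since this file is a vendored, signed upstream advisory, the change belongs in a local follow-up patch rather than an edit of the signed text. The enclosing function begins and ends outside the hunk.
```c
/* … unchanged: the "Unauthorized request" call takes the same (int) casts … */
                krb5_klog_syslog(LOG_NOTICE,
                                 "Request: kadm5_rename_principal, "
                                 "%.*s%s to %.*s%s, %s, "
                                 "client=%.*s%s, service=%.*s%s, addr=%s",
                                 (int)tlen1, prime_arg1, tdots1,
                                 (int)tlen2, prime_arg2, tdots2, errmsg,
                                 (int)clen, client_name.value, cdots,
                                 (int)slen, service_name.value, sdots,
                                 inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
```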