[pkgsrc/trunk]: pkgsrc/security/mit-krb5 Fix CVE-2009-4212 (MITKRB5-SA-2009-0...

To: pkgsrc-changes-hg%NetBSD.org@localhost
Subject: [pkgsrc/trunk]: pkgsrc/security/mit-krb5 Fix CVE-2009-4212 (MITKRB5-SA-2009-0...
From: tez <tez%pkgsrc.org@localhost>
Date: Thu, 14 Oct 2021 09:06:01 +0000
details:   https://anonhg.NetBSD.org/pkgsrc/rev/eba48a56c669
branches:  trunk
changeset: 572357:eba48a56c669
user:      tez <tez%pkgsrc.org@localhost>
date:      Wed Feb 24 19:07:51 2010 +0000

description:
Fix CVE-2009-4212 (MITKRB5-SA-2009-004) using patches from
http://web.mit.edu/kerberos/advisories/2009-004-patch_1.6.3.txt
(slightly adjusted for older kerberos version)

diffstat:

 security/mit-krb5/Makefile         |    4 +-
 security/mit-krb5/distinfo         |    9 ++-
 security/mit-krb5/patches/patch-bq |   62 +++++++++++++++++++
 security/mit-krb5/patches/patch-br |   17 +++++
 security/mit-krb5/patches/patch-bs |   30 +++++++++
 security/mit-krb5/patches/patch-bt |   17 +++++
 security/mit-krb5/patches/patch-bu |   12 +++
 security/mit-krb5/patches/patch-bv |  117 +++++++++++++++++++++++++++++++++++++
 security/mit-krb5/patches/patch-bw |   16 +++++
 9 files changed, 281 insertions(+), 3 deletions(-)

diffs (truncated from 333 to 300 lines):

diff -r 86f97a641567 -r eba48a56c669 security/mit-krb5/Makefile
--- a/security/mit-krb5/Makefile        Wed Feb 24 18:47:07 2010 +0000
+++ b/security/mit-krb5/Makefile        Wed Feb 24 19:07:51 2010 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.46 2009/06/30 00:07:22 joerg Exp $
+# $NetBSD: Makefile,v 1.47 2010/02/24 19:07:51 tez Exp $
 
 DISTNAME=      krb5-1.4.2
 PKGNAME=       mit-${DISTNAME:S/-signed$//}
-PKGREVISION=   8
+PKGREVISION=   9
 CATEGORIES=    security
 MASTER_SITES=  http://web.mit.edu/kerberos/dist/krb5/1.4/
 DISTFILES=     ${DISTNAME}-signed${EXTRACT_SUFX}
diff -r 86f97a641567 -r eba48a56c669 security/mit-krb5/distinfo
--- a/security/mit-krb5/distinfo        Wed Feb 24 18:47:07 2010 +0000
+++ b/security/mit-krb5/distinfo        Wed Feb 24 19:07:51 2010 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.22 2009/04/21 18:58:17 tez Exp $
+$NetBSD: distinfo,v 1.23 2010/02/24 19:07:51 tez Exp $
 
 SHA1 (krb5-1.4.2-signed.tar) = bbc03bd319d539fb9523c2545d80ba0784522e88
 RMD160 (krb5-1.4.2-signed.tar) = 44500f5fab8e5959cf43f17f5f52f68e2dc73a1f
@@ -45,3 +45,10 @@
 SHA1 (patch-bn) = 82c6f98474f31e1e231d3e89d6a24e20ec7fd123
 SHA1 (patch-bo) = dcfeab32537f8b89e3ed6a52a69601e3e7822e35
 SHA1 (patch-bp) = 5308176a1229b5ac0d0f24eb2f657fdf48935f80
+SHA1 (patch-bq) = 546e2b0260e4197b44f1f5a6f7a03f72125c768b
+SHA1 (patch-br) = da7884aa9a1ba79e7e31416bf06f74bcc71b2c01
+SHA1 (patch-bs) = b652562c4e545d41fbbfa6676b10b68823ebfbd8
+SHA1 (patch-bt) = 1398369698cc9c029957723c25dbdf53754cf373
+SHA1 (patch-bu) = bf0688bd703c3dcfa27934e0a6bc43230251512e
+SHA1 (patch-bv) = b07fc44dcc577bffece1eb85f5f93e4c10a58e00
+SHA1 (patch-bw) = ffdf13931306b15b9282863926f769f079ffe8f9
diff -r 86f97a641567 -r eba48a56c669 security/mit-krb5/patches/patch-bq
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-bq        Wed Feb 24 19:07:51 2010 +0000
@@ -0,0 +1,62 @@
+$NetBSD: patch-bq,v 1.1 2010/02/24 19:07:51 tez Exp $
+
+--- lib/crypto/Makefile.in.orig        2004-06-16 20:56:28.000000000 -0500
++++ lib/crypto/Makefile.in     2010-02-23 17:33:02.605810700 -0600
+@@ -20,6 +20,7 @@
+       $(srcdir)/t_hmac.c      \
+       $(srcdir)/t_pkcs5.c     \
+       $(srcdir)/t_cts.c       \
++      $(srcdir)/t_short.c     \
+       $(srcdir)/vectors.c
+ 
+ ##DOSBUILDTOP = ..\..
+@@ -170,12 +171,13 @@
+ 
+ clean-unix:: clean-liblinks clean-libs clean-libobjs
+ 
+-check-unix:: t_nfold t_encrypt t_prng t_hmac t_pkcs5
++check-unix:: t_nfold t_encrypt t_prng t_hmac t_pkcs5 t_short
+       $(RUN_SETUP) ./t_nfold
+       $(RUN_SETUP) ./t_encrypt
+       $(RUN_SETUP) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \
+       diff t_prng.output $(srcdir)/t_prng.expected
+       $(RUN_SETUP) ./t_hmac
++      $(RUN_SETUP) ./t_short
+ 
+ #     $(RUN_SETUP) ./t_pkcs5
+ 
+@@ -201,10 +203,14 @@
+       $(CC_LINK) -o $@ t_cts.$(OBJEXT) \
+               $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB)
+ 
++t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB)
++      $(CC_LINK) -o $@ t_short.$(OBJEXT) \
++              $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB)
++
+ 
+ clean::
+       $(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \
+-              t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o
++              t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_short t_short.o
+       -$(RM) t_prng.output
+ 
+ all-windows::
+@@ -595,6 +601,13 @@
+   $(SRCTOP)/include/k5-thread.h $(BUILDTOP)/include/profile.h \
+   $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+   $(SRCTOP)/include/krb5/kdb.h
++t_short.so t_short.po $(OUTPRE)t_short.$(OBJEXT): t_short.c $(BUILDTOP)/include/krb5.h \
++  $(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \
++  $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
++  $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
++  $(SRCTOP)/include/k5-thread.h $(BUILDTOP)/include/profile.h \
++  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
++  $(SRCTOP)/include/krb5/kdb.h
+ vectors.so vectors.po $(OUTPRE)vectors.$(OBJEXT): vectors.c $(BUILDTOP)/include/krb5.h \
+   $(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \
+   $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+@@ -602,4 +615,3 @@
+   $(SRCTOP)/include/k5-thread.h $(BUILDTOP)/include/profile.h \
+   $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+   $(SRCTOP)/include/krb5/kdb.h
+-
diff -r 86f97a641567 -r eba48a56c669 security/mit-krb5/patches/patch-br
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-br        Wed Feb 24 19:07:51 2010 +0000
@@ -0,0 +1,17 @@
+$NetBSD: patch-br,v 1.1 2010/02/24 19:07:51 tez Exp $
+
+--- lib/crypto/arcfour/arcfour.c.orig  2004-02-18 20:46:26.000000000 -0600
++++ lib/crypto/arcfour/arcfour.c       2010-02-23 17:43:53.543585400 -0600
+@@ -203,6 +203,12 @@
+   keylength = enc->keylength;
+   hashsize = hash->hashsize;
+ 
++  /* Verify input and output lengths. */
++  if (input->length < hashsize + CONFOUNDERLENGTH)
++    return KRB5_BAD_MSIZE;
++  if (output->length < input->length - hashsize - CONFOUNDERLENGTH)
++    return KRB5_BAD_MSIZE;
++
+   d1.length=keybytes;
+   d1.data=malloc(d1.length);
+   if (d1.data == NULL)
diff -r 86f97a641567 -r eba48a56c669 security/mit-krb5/patches/patch-bs
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-bs        Wed Feb 24 19:07:51 2010 +0000
@@ -0,0 +1,30 @@
+$NetBSD: patch-bs,v 1.1 2010/02/24 19:07:51 tez Exp $
+
+--- lib/crypto/enc_provider/aes.c.orig 2004-05-25 13:06:13.000000000 -0500
++++ lib/crypto/enc_provider/aes.c      2010-02-23 17:43:53.574980200 -0600
+@@ -68,9 +68,11 @@
+     nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+ 
+     if (nblocks == 1) {
+-      /* XXX Used for DK function.  */
++      /* Used when deriving keys. */
++      if (input->length < BLOCK_SIZE)
++          return KRB5_BAD_MSIZE;
+       enc(output->data, input->data, &ctx);
+-    } else {
++    } else if (nblocks > 1) {
+       unsigned int nleft;
+ 
+       for (blockno = 0; blockno < nblocks - 2; blockno++) {
+@@ -123,9 +125,9 @@
+ 
+     if (nblocks == 1) {
+       if (input->length < BLOCK_SIZE)
+-          abort();
++          return KRB5_BAD_MSIZE;
+       dec(output->data, input->data, &ctx);
+-    } else {
++    } else if (nblocks > 1) {
+ 
+       for (blockno = 0; blockno < nblocks - 2; blockno++) {
+           dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx);
diff -r 86f97a641567 -r eba48a56c669 security/mit-krb5/patches/patch-bt
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-bt        Wed Feb 24 19:07:51 2010 +0000
@@ -0,0 +1,17 @@
+$NetBSD: patch-bt,v 1.1 2010/02/24 19:07:51 tez Exp $
+
+--- lib/crypto/dk/dk_decrypt.c.orig    2004-02-24 15:07:21.000000000 -0600
++++ lib/crypto/dk/dk_decrypt.c 2010-02-23 17:43:53.607557500 -0600
+@@ -89,6 +89,12 @@
+     else if (hmacsize > hashsize)
+       return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ 
++    /* Verify input and output lengths. */
++    if (input->length < blocksize + hmacsize)
++      return KRB5_BAD_MSIZE;
++    if (output->length < input->length - blocksize - hmacsize)
++      return KRB5_BAD_MSIZE;
++
+     enclen = input->length - hmacsize;
+ 
+     if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
diff -r 86f97a641567 -r eba48a56c669 security/mit-krb5/patches/patch-bu
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-bu        Wed Feb 24 19:07:51 2010 +0000
@@ -0,0 +1,12 @@
+$NetBSD: patch-bu,v 1.1 2010/02/24 19:07:51 tez Exp $
+
+--- lib/crypto/raw/raw_decrypt.c.orig  2004-02-18 20:46:30.000000000 -0600
++++ lib/crypto/raw/raw_decrypt.c       2010-02-23 17:43:53.638863200 -0600
+@@ -34,5 +34,7 @@
+                const krb5_data *ivec, const krb5_data *input,
+                krb5_data *output)
+ {
++    if (output->length < input->length)
++      return KRB5_BAD_MSIZE;
+     return((*(enc->decrypt))(key, ivec, input, output));
+ }
diff -r 86f97a641567 -r eba48a56c669 security/mit-krb5/patches/patch-bv
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-bv        Wed Feb 24 19:07:51 2010 +0000
@@ -0,0 +1,117 @@
+$NetBSD: patch-bv,v 1.1 2010/02/24 19:07:51 tez Exp $
+
+--- lib/crypto/t_short.c.orig  2010-02-23 17:43:53.669981000 -0600
++++ lib/crypto/t_short.c       2010-02-23 17:43:53.670274200 -0600
+@@ -0,0 +1,112 @@
++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
++/*
++ * lib/crypto/crypto_tests/t_short.c
++ *
++ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
++ * All rights reserved.
++ *
++ * Export of this software from the United States of America may
++ *   require a specific license from the United States Government.
++ *   It is the responsibility of any person or organization contemplating
++ *   export to obtain such a license before exporting.
++ *
++ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
++ * distribute this software and its documentation for any purpose and
++ * without fee is hereby granted, provided that the above copyright
++ * notice appear in all copies and that both that copyright notice and
++ * this permission notice appear in supporting documentation, and that
++ * the name of M.I.T. not be used in advertising or publicity pertaining
++ * to distribution of the software without specific, written prior
++ * permission.  Furthermore if you modify this software you must label
++ * your software as modified software and not distribute it in such a
++ * fashion that it might be confused with the original M.I.T. software.
++ * M.I.T. makes no representations about the suitability of
++ * this software for any purpose.  It is provided "as is" without express
++ * or implied warranty.
++ *
++ * Tests the outcome of decrypting overly short tokens.  This program can be
++ * run under a tool like valgrind to detect bad memory accesses; when run
++ * normally by the test suite, it verifies that each operation returns
++ * KRB5_BAD_MSIZE.
++ */
++
++#include "k5-int.h"
++
++krb5_enctype interesting_enctypes[] = {
++    ENCTYPE_DES_CBC_CRC,
++    ENCTYPE_DES_CBC_MD4,
++    ENCTYPE_DES_CBC_MD5,
++    ENCTYPE_DES3_CBC_SHA1,
++    ENCTYPE_ARCFOUR_HMAC,
++    ENCTYPE_ARCFOUR_HMAC_EXP,
++    ENCTYPE_AES256_CTS_HMAC_SHA1_96,
++    ENCTYPE_AES128_CTS_HMAC_SHA1_96,
++    0
++};
++
++/* Abort if an operation unexpectedly fails. */
++static void
++x(krb5_error_code code)
++{
++    if (code != 0)
++        abort();
++}
++
++/* Abort if a decrypt operation doesn't have the expected result. */
++static void
++check_decrypt_result(krb5_error_code code, size_t len, size_t min_len)
++{
++    if (len < min_len) {
++        /* Undersized tokens should always result in BAD_MSIZE. */
++        if (code != KRB5_BAD_MSIZE)
++            abort();
++    } else {
++        /* Min-size tokens should succeed or fail the integrity check. */
++        if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY)
++            abort();
++    }
++}
++
++static void
++test_enctype(krb5_enctype enctype)
++{
++    krb5_error_code ret;
++    krb5_keyblock keyblock;
++    krb5_enc_data input;
++    krb5_data output;
++    size_t min_len, len;
++
++    printf("Testing enctype %d\n", (int) enctype);
++    x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len));
++    x(krb5_c_make_random_key(NULL, enctype, &keyblock));
++    input.enctype = enctype;
++
++    /* Try each length up to the minimum length. */
++    for (len = 0; len <= min_len; len++) {
++        input.ciphertext.data = calloc(len, 1);
++        input.ciphertext.length = len;
++        output.data = calloc(len, 1);
++        output.length = len;
++
++        /* Attempt a normal decryption. */
++        ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output);
++        check_decrypt_result(ret, len, min_len);
++
++        free(input.ciphertext.data);
++        free(output.data);
++    }
++}
++
Prev by Date: [pkgsrc/trunk]: pkgsrc/x11/xterm update to 255
Next by Date: [pkgsrc/trunk]: pkgsrc/pkgtools/pkg_install/files/delete Improve wording, rem...
Previous by Thread: [pkgsrc/trunk]: pkgsrc/x11/xterm update to 255
Next by Thread: [pkgsrc/trunk]: pkgsrc/pkgtools/pkg_install/files/delete Improve wording, rem...
Indexes:
Home | Main Index | Thread Index | Old Index