svn commit: r387747 - in head/security/krb5-112: . files

Xin LI delphij at FreeBSD.org
Thu May 28 17:48:19 UTC 2015


Author: delphij
Date: Thu May 28 17:48:17 2015
New Revision: 387747
URL: https://svnweb.freebsd.org/changeset/ports/387747

Log:
  Apply vendor patch for CVE-2015-2694 (changeset
  b0c571e709c72da799ccc15fb5755f7910170e33) to prevent requires_preauth
  bypass.
  
  Approved by:	so
  Obtained from:	https://github.com/krb5/krb5/commit/b0c571e709c72da799ccc15fb5755f7910170e33.diff
  Security:	CVE-2015-2694
  Security:	0b040e24-f751-11e4-b24d-5453ed2e2b49
  MFH:		2015Q2

Added:
  head/security/krb5-112/files/patch-CVE-2015-2694   (contents, props changed)
Modified:
  head/security/krb5-112/Makefile

Modified: head/security/krb5-112/Makefile
==============================================================================
--- head/security/krb5-112/Makefile	Thu May 28 17:46:26 2015	(r387746)
+++ head/security/krb5-112/Makefile	Thu May 28 17:48:17 2015	(r387747)
@@ -3,7 +3,7 @@
 
 PORTNAME=		krb5
 PORTVERSION=		1.12.3
-PORTREVISION=		1
+PORTREVISION=		2
 CATEGORIES=		security
 MASTER_SITES=		http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
 PKGNAMESUFFIX=		-112

Added: head/security/krb5-112/files/patch-CVE-2015-2694
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/krb5-112/files/patch-CVE-2015-2694	Thu May 28 17:48:17 2015	(r387747)
@@ -0,0 +1,65 @@
+--- plugins/preauth/otp/main.c.orig	2015-02-18 22:31:13 UTC
++++ plugins/preauth/otp/main.c
+@@ -42,6 +42,7 @@ static krb5_preauthtype otp_pa_type_list
+ struct request_state {
+     krb5_kdcpreauth_verify_respond_fn respond;
+     void *arg;
++    krb5_enc_tkt_part *enc_tkt_reply;
+ };
+ 
+ static krb5_error_code
+@@ -159,6 +160,9 @@ on_response(void *data, krb5_error_code 
+     if (retval == 0 && response != otp_response_success)
+         retval = KRB5_PREAUTH_FAILED;
+ 
++    if (retval == 0)
++        rs.enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
++
+     rs.respond(rs.arg, retval, NULL, NULL, NULL);
+ }
+ 
+@@ -263,8 +267,6 @@ otp_verify(krb5_context context, krb5_da
+     krb5_data d, plaintext;
+     char *config;
+ 
+-    enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
+-
+     /* Get the FAST armor key. */
+     armor_key = cb->fast_armor(context, rock);
+     if (armor_key == NULL) {
+@@ -298,12 +300,14 @@ otp_verify(krb5_context context, krb5_da
+         goto error;
+     }
+ 
+-    /* Create the request state. */
++    /* Create the request state.  Save the response callback, and the
++     * enc_tkt_reply pointer so we can set the TKT_FLG_PRE_AUTH flag later. */
+     rs = k5alloc(sizeof(struct request_state), &retval);
+     if (rs == NULL)
+         goto error;
+     rs->arg = arg;
+     rs->respond = respond;
++    rs->enc_tkt_reply = enc_tkt_reply;
+ 
+     /* Get the principal's OTP configuration string. */
+     retval = cb->get_string(context, rock, "otp", &config);
+--- plugins/preauth/pkinit/pkinit_srv.c.orig	2015-02-18 22:31:13 UTC
++++ plugins/preauth/pkinit/pkinit_srv.c
+@@ -306,7 +306,7 @@ pkinit_server_verify_padata(krb5_context
+ 
+     pkiDebug("pkinit_verify_padata: entered!\n");
+     if (data == NULL || data->length <= 0 || data->contents == NULL) {
+-        (*respond)(arg, 0, NULL, NULL, NULL);
++        (*respond)(arg, EINVAL, NULL, NULL, NULL);
+         return;
+     }
+ 
+@@ -318,7 +318,7 @@ pkinit_server_verify_padata(krb5_context
+ 
+     plgctx = pkinit_find_realm_context(context, moddata, request->server);
+     if (plgctx == NULL) {
+-        (*respond)(arg, 0, NULL, NULL, NULL);
++        (*respond)(arg, EINVAL, NULL, NULL, NULL);
+         return;
+     }
+ 
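Review bot: The new `enc_tkt_reply` member of `struct request_state` is a borrowed pointer that `on_response` dereferences to set `TKT_FLG_PRE_AUTH`, and nothing in the patch documents who owns it or how long it must stay valid. Since `on_response` appears to run as a completion callback after `otp_verify` has saved the pointer, the field should carry that contract, for example `krb5_enc_tkt_part *enc_tkt_reply; /* borrowed from the KDC; must remain valid until respond() is called */`. The bodies of `on_response` and `otp_verify` extend beyond the nested hunks shown here, so whether the caller guarantees that lifetime on every path cannot be confirmed from this patch. The same comment could record that the flag is only ever set on the `retval == 0` path, as that ordering is what closes the bypass.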

