[oe-commits] Roy Li : krb5: upgrade to 1.13.2

git at git.openembedded.org git at git.openembedded.org
Wed May 13 12:44:38 UTC 2015 

Module: meta-openembedded.git
Branch: master-next
Commit: dac4f2c82631f29b28faa47553d9a0bb68cea131
URL:    http://git.openembedded.org/?p=meta-openembedded.git&a=commit;h=dac4f2c82631f29b28faa47553d9a0bb68cea131

Author: Roy Li <rongqing.li at windriver.com>
Date:   Wed May 13 14:14:48 2015 +0800

krb5: upgrade to 1.13.2

Upgrade to include the CVE fixes: [CVE-2014-5354] [CVE-2014-5353]...
Remove the 0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch
Regenerate the /var/run/krb5kdc dir

Signed-off-by: Roy Li <rongqing.li at windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa at gmail.com>

---

 ...rn-only-new-keys-in-randkey-CVE-2014-5351.patch | 92 ----------------------
 .../krb5/{krb5_1.12.2.bb => krb5_1.13.2.bb}        | 28 ++++++-
 2 files changed, 24 insertions(+), 96 deletions(-)

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch b/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch
deleted file mode 100644
index 0852661..0000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson at mit.edu>
-Date: Thu, 21 Aug 2014 13:52:07 -0400
-Subject: [PATCH] Return only new keys in randkey [CVE-2014-5351]
-
-In kadmind's randkey operation, if a client specifies the keepold
-flag, do not include the preserved old keys in the response.
-
-CVE-2014-5351:
-
-An authenticated remote attacker can retrieve the current keys for a
-service principal when generating a new set of keys for that
-principal.  The attacker needs to be authenticated as a user who has
-the elevated privilege for randomizing the keys of other principals.
-
-Normally, when a Kerberos administrator randomizes the keys of a
-service principal, kadmind returns only the new keys.  This prevents
-an administrator who lacks legitimate privileged access to a service
-from forging tickets to authenticate to that service.  If the
-"keepold" flag to the kadmin randkey RPC operation is true, kadmind
-retains the old keys in the KDC database as intended, but also
-unexpectedly returns the old keys to the client, which exposes the
-service to ticket forgery attacks from the administrator.
-
-A mitigating factor is that legitimate clients of the affected service
-will start failing to authenticate to the service once they begin to
-receive service tickets encrypted in the new keys.  The affected
-service will be unable to decrypt the newly issued tickets, possibly
-alerting the legitimate administrator of the affected service.
-
-CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
-
-[tlyu at mit.edu: CVE description and CVSS score]
-
-ticket: 8018 (new)
-target_version: 1.13
-tags: pullup
-
-Upstream-Status: Backport
----
- src/lib/kadm5/srv/svr_principal.c |   21 ++++++++++++++++++---
- 1 files changed, 18 insertions(+), 3 deletions(-)
-
-diff --git a/lib/kadm5/srv/svr_principal.c b/lib/kadm5/srv/svr_principal.c
-index 5d358bd..d4e74cc 100644
---- a/lib/kadm5/srv/svr_principal.c
-+++ b/lib/kadm5/srv/svr_principal.c
-@@ -344,6 +344,20 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
-     *passptr = NULL;
- }
- 
-+/* Return the number of keys with the newest kvno.  Assumes that all key data
-+ * with the newest kvno are at the front of the key data array. */
-+static int
-+count_new_keys(int n_key_data, krb5_key_data *key_data)
-+{
-+    int n;
-+
-+    for (n = 1; n < n_key_data; n++) {
-+        if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno)
-+            return n;
-+    }
-+    return n_key_data;
-+}
-+
- kadm5_ret_t
- kadm5_create_principal(void *server_handle,
-                        kadm5_principal_ent_t entry, long mask,
-@@ -1593,7 +1607,7 @@ kadm5_randkey_principal_3(void *server_handle,
-     osa_princ_ent_rec           adb;
-     krb5_int32                  now;
-     kadm5_policy_ent_rec        pol;
--    int                         ret, last_pwd;
-+    int                         ret, last_pwd, n_new_keys;
-     krb5_boolean                have_pol = FALSE;
-     kadm5_server_handle_t       handle = server_handle;
-     krb5_keyblock               *act_mkey;
-@@ -1686,8 +1700,9 @@ kadm5_randkey_principal_3(void *server_handle,
-     kdb->fail_auth_count = 0;
- 
-     if (keyblocks) {
--        ret = decrypt_key_data(handle->context,
--                               kdb->n_key_data, kdb->key_data,
-+        /* Return only the new keys added by krb5_dbe_crk. */
-+        n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data);
-+        ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data,
-                                keyblocks, n_keys);
-         if (ret)
-             goto done;
--- 
-1.7.4.1
-
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
similarity index 75%
rename from meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
rename to meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
index c492496..ec88296 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
@@ -14,7 +14,7 @@ DESCRIPTION = "Kerberos is a system for authenticating users and services on a n
 HOMEPAGE = "http://web.mit.edu/Kerberos/"
 SECTION = "console/network"
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=450c80c6258ce03387bd09df37638ebc"
+LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=f64248328d2d9928e1f04158b5243e7f"
 DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native"
 
 inherit autotools-brokensep binconfig perlnative
@@ -22,7 +22,6 @@ inherit autotools-brokensep binconfig perlnative
 SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"
 SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar \
            file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \
-           file://0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch \
            file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \
            file://crosscompile_nm.patch \
            file://etc/init.d/krb5-kdc \
@@ -30,8 +29,8 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
            file://etc/default/krb5-kdc \
            file://etc/default/krb5-admin-server \
 "
-SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe"
-SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744"
+SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189"
+SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1"
 
 S = "${WORKDIR}/${BP}/src/"
 
@@ -77,4 +76,25 @@ do_install_append() {
     mkdir -p ${D}/etc/init.d ${D}/etc/default
     install -m 0755 ${WORKDIR}/etc/init.d/* ${D}/etc/init.d
     install -m 0644 ${WORKDIR}/etc/default/* ${D}/etc/default
+
+    rm -rf ${D}/var/run
+    mkdir -p ${D}/etc/default/volatiles
+    echo "d root root 0755 ${localstatedir}/run/krb5kdc none" \
+           > ${D}${sysconfdir}/default/volatiles/87_krb5
+    if ${@base_contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+        install -d ${D}${sysconfdir}/tmpfiles.d
+        echo "d /run/krb5kdc - - - -" \
+              > ${D}${sysconfdir}/tmpfiles.d/krb5.conf
+    fi
+
+}
+
+pkg_postinst_${PN} () {
+    if [ -z "$D" ]; then
+        if command -v systemd-tmpfiles >/dev/null; then
+            systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/krb5.conf
+        elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
+            ${sysconfdir}/init.d/populate-volatile.sh update
+        fi
+    fi
 }

More information about the Openembedded-commits mailing list