The Samba-Bugzilla – Attachment 14679 Details for
Bug 13571
[SECURITY] CVE-2018-16853 S4U2Self crash with MIT KDC build
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for 4.7
CVE-2018-16853_mit_krb5-v4-7.patch01.asn.txt (text/plain), 7.55 KB, created by
Andreas Schneider
on 2018-11-21 12:40:59 UTC
(
hide
)
Description:
patch for 4.7
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2018-11-21 12:40:59 UTC
Size:
7.55 KB
patch
obsolete
>From ce8d3e1a0fe1729e3a8f18d935166a0c67b281fe Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Sat, 18 Aug 2018 15:32:43 +0300 >Subject: [PATCH 1/5] CVE-2018-16853: Fix kinit test on system lacking > ldbsearch > >By fixing bindir variable name. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 > >Signed-off-by: Isaac Boukris <iboukris@gmail.com> >Reviewed-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >--- > testprogs/blackbox/test_kinit_mit.sh | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > >diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh >index 3e07281b8c7..35c08b0c866 100755 >--- a/testprogs/blackbox/test_kinit_mit.sh >+++ b/testprogs/blackbox/test_kinit_mit.sh >@@ -32,13 +32,13 @@ samba_enableaccount="$samba_tool user enable" > machineaccountccache="$samba_srcdir/scripting/bin/machineaccountccache" > > ldbmodify="ldbmodify" >-if [ -x "$samba4bindir/ldbmodify" ]; then >- ldbmodify="$samba4bindir/ldbmodify" >+if [ -x "$samba_bindir/ldbmodify" ]; then >+ ldbmodify="$samba_bindir/ldbmodify" > fi > > ldbsearch="ldbsearch" >-if [ -x "$samba4bindir/ldbsearch" ]; then >- ldbsearch="$samba4bindir/ldbsearch" >+if [ -x "$samba_bindir/ldbsearch" ]; then >+ ldbsearch="$samba_bindir/ldbsearch" > fi > > . `dirname $0`/subunit.sh >-- >2.19.1 > > >From 5fe3fb76ee87cb25a29ac02f1b0b50cc52b2aa10 Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Sat, 18 Aug 2018 00:40:30 +0300 >Subject: [PATCH 2/5] CVE-2018-16853: The ticket in check_policy_as can > actually be a TGS > >This happens when we are called from S4U2Self flow, and in that case >kdcreq->client is NULL. Use the name from client entry instead. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 > >Signed-off-by: Isaac Boukris <iboukris@gmail.com> >Reviewed-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >--- > source4/kdc/mit-kdb/kdb_samba_policies.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > >diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c >index 81140abfd50..4364461302c 100644 >--- a/source4/kdc/mit-kdb/kdb_samba_policies.c >+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c >@@ -81,6 +81,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, > char *netbios_name = NULL; > char *realm = NULL; > bool password_change = false; >+ krb5_const_principal client_princ; > DATA_BLOB int_data = { NULL, 0 }; > krb5_data d; > krb5_pa_data **e_data; >@@ -90,7 +91,10 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, > return KRB5_KDB_DBNOTINITED; > } > >- if (ks_is_kadmin(context, kdcreq->client)) { >+ /* Prefer canonicalised name from client entry */ >+ client_princ = client ? client->princ : kdcreq->client; >+ >+ if (client_princ == NULL || ks_is_kadmin(context, client_princ)) { > return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; > } > >@@ -111,7 +115,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, > goto done; > } > >- code = krb5_unparse_name(context, kdcreq->client, &client_name); >+ code = krb5_unparse_name(context, client_princ, &client_name); > if (code) { > goto done; > } >-- >2.19.1 > > >From 48cc952472a2043dd079b04d16b429536cc268ef Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Sat, 18 Aug 2018 16:01:59 +0300 >Subject: [PATCH 3/5] CVE-2018-16853: Add a test to verify s4u2self doesn't > crash > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 > >Signed-off-by: Isaac Boukris <iboukris@gmail.com> >Reviewed-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >--- > testprogs/blackbox/test_kinit_mit.sh | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > >diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh >index 35c08b0c866..f1567caa3a1 100755 >--- a/testprogs/blackbox/test_kinit_mit.sh >+++ b/testprogs/blackbox/test_kinit_mit.sh >@@ -24,6 +24,7 @@ samba_srcdir="$SRCDIR/source4" > samba_kinit=kinit > samba_kdestroy=kdestroy > samba_kpasswd=kpasswd >+samba_kvno=kvno > > samba_tool="$samba_bindir/samba-tool" > samba_texpect="$samba_bindir/texpect" >@@ -299,6 +300,17 @@ test_smbclient "Test machine account login with kerberos ccache" 'ls' -k yes || > > testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings $ADMIN_LDBMODIFY_CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1` > >+########################################################### >+### Test basic s4u2self request >+########################################################### >+ >+# Use previous acquired machine creds to request a ticket for self. >+# We expect it to fail for now. >+MACHINE_ACCOUNT="$(hostname -s | tr [a-z] [A-Z])\$@$REALM" >+$samba_kvno -U$MACHINE_ACCOUNT $MACHINE_ACCOUNT >+# But we expect the KDC to be up and running still >+testit "kinit with machineaccountccache after s4u2self" $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=`expr $failed + 1` >+ > ### Cleanup > > $samba_kdestroy >-- >2.19.1 > > >From 4cc39d722e412b0266e38a36113269344d37de3c Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Wed, 28 Sep 2016 07:22:32 +0200 >Subject: [PATCH 4/5] CVE-2018-16853: Do not segfault if client is not set > >This can be triggered with FAST but we don't support this yet. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >--- > source4/kdc/mit-kdb/kdb_samba_policies.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > >diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c >index 4364461302c..0b1265980b1 100644 >--- a/source4/kdc/mit-kdb/kdb_samba_policies.c >+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c >@@ -445,6 +445,14 @@ void kdb_samba_db_audit_as_req(krb5_context context, > { > struct mit_samba_context *mit_ctx; > >+ /* >+ * FIXME: This segfaulted with a FAST test >+ * FIND_FAST: <unknown client> for <unknown server>, Unknown FAST armor type 0 >+ */ >+ if (client == NULL) { >+ return; >+ } >+ > mit_ctx = ks_get_context(context); > if (mit_ctx == NULL) { > return; >-- >2.19.1 > > >From f45e4d87b3ce373be0136fe9f6a7f9ad761c545f Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Wed, 7 Nov 2018 22:53:35 +0200 >Subject: [PATCH 5/5] CVE-2018-16853: fix crash in expired passowrd case > >When calling encode_krb5_padata_sequence() make sure to >pass a null terminated array as required. > >Fixes expired passowrd case in samba4.blackbox.kinit test. > >Signed-off-by: Isaac Boukris <iboukris@gmail.com> >Reviewed-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >--- > source4/kdc/mit_samba.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > >diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c >index 1cd6750f5ab..8283c726487 100644 >--- a/source4/kdc/mit_samba.c >+++ b/source4/kdc/mit_samba.c >@@ -855,7 +855,7 @@ krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data > static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data) > { > krb5_error_code ret = 0; >- krb5_pa_data pa, *ppa = NULL; >+ krb5_pa_data pa, *ppa[2]; > krb5_data *d = NULL; > > if (!e_data) >@@ -876,9 +876,10 @@ static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data) > SIVAL(pa.contents, 4, 0); > SIVAL(pa.contents, 8, 1); > >- ppa = &pa; >+ ppa[0] = &pa; >+ ppa[1] = NULL; > >- ret = encode_krb5_padata_sequence(&ppa, &d); >+ ret = encode_krb5_padata_sequence(ppa, &d); > free(pa.contents); > if (ret) { > return; >-- >2.19.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=14679">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
metze
:
review+
Actions:
View
Attachments on
bug 13571
:
14431
|
14432
|
14451
|
14626
|
14676
|
14677
|
14678
| 14679