[30411] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit [krb5-1.17]: Remove incorrect KDC assertion

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jan 7 11:19:24 2019

Date: Mon, 7 Jan 2019 11:19:17 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <201901071619.x07GJHP8027988@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/b3d99446275374970d1816c4cd1eb16a0a905373
commit b3d99446275374970d1816c4cd1eb16a0a905373
Author: Isaac Boukris <iboukris@gmail.com>
Date:   Sat Dec 15 11:56:36 2018 +0200

    Remove incorrect KDC assertion
    
    The assertion in return_enc_padata() is reachable because
    kdc_make_s4u2self_rep() may have previously added encrypted padata.
    It is no longer necessary because the code uses add_pa_data_element()
    instead of allocating a new list.
    
    CVE-2018-20217:
    
    In MIT krb5 1.8 or later, an authenticated user who can obtain a TGT
    using an older encryption type (DES, DES3, or RC4) can cause an
    assertion failure in the KDC by sending an S4U2Self request.
    
    [ghudson@mit.edu: rewrote commit message with CVE description]
    
    (cherry picked from commit 94e5eda5bb94d1d44733a49c3d9b6d1e42c74def)
    
    ticket: 8767
    version_fixed: 1.17

 src/kdc/kdc_preauth.c     |    1 -
 src/tests/gssapi/t_s4u.py |    8 ++++++++
 2 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 74953c9..caf133c 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1683,7 +1683,6 @@ return_enc_padata(krb5_context context, krb5_data *req_pkt,
     krb5_error_code code = 0;
     /* This should be initialized and only used for Win2K compat and other
      * specific standardized uses such as FAST negotiation. */
-    assert(reply_encpart->enc_padata == NULL);
     if (is_referral) {
         code = return_referral_enc_padata(context, reply_encpart, server);
         if (code)
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index 84f3fbd..164fec8 100755
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -147,6 +147,14 @@ if 'auth1: user@' not in out or 'auth2: user@' not in out:
 
 realm.stop()
 
+mark('S4U2Self with various enctypes')
+for realm in multipass_realms(create_host=False, get_creds=False):
+    service1 = 'service/1@%s' % realm.realm
+    realm.addprinc(service1)
+    realm.extract_keytab(service1, realm.keytab)
+    realm.kinit(service1, None, ['-k'])
+    realm.run(['./t_s4u', 'e:user', '-'])
+
 # Test cross realm S4U2Self using server referrals.
 mark('cross-realm S4U2Self')
 testprincs = {'krbtgt/SREALM': {'keys': 'aes128-cts'},
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
home help back first fref pref prev next nref lref last post