Apply vendor patch for CVE-2015-2694 (changeset

b0c571e709c72da799ccc15fb5755f7910170e33) to prevent requires_preauth bypass. Approved by: so Obtained from: b0c571e709.diff Security: CVE-2015-2694 Security: 0b040e24-f751-11e4-b24d-5453ed2e2b49 MFH: 2015Q2
svn path=/head/; revision=387747
2024-11-27 00:57:50 +00:00 · 2015-05-28 17:48:17 +00:00 · 2015-05-28 17:48:17 +00:00 · 78feb50be8 · 2021-03-31 03:12:20 +00:00
commit 78feb50be8
parent 59eb6493d2
2 changed files with 66 additions and 1 deletions
--- a/security/krb5-112/Makefile
+++ b/security/krb5-112/Makefile
@ -3,7 +3,7 @@

 PORTNAME=		krb5
 PORTVERSION=		1.12.3
-PORTREVISION=		1
+PORTREVISION=		2
 CATEGORIES=		security
 MASTER_SITES=		http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
 PKGNAMESUFFIX=		-112
--- a/security/krb5-112/files/patch-CVE-2015-2694
+++ b/security/krb5-112/files/patch-CVE-2015-2694
@ -0,0 +1,65 @@
+--- plugins/preauth/otp/main.c.orig	2015-02-18 22:31:13 UTC
+++ plugins/preauth/otp/main.c
+@@ -42,6 +42,7 @@ static krb5_preauthtype otp_pa_type_list
+ struct request_state {
+     krb5_kdcpreauth_verify_respond_fn respond;
+     void *arg;
+    krb5_enc_tkt_part *enc_tkt_reply;
+ };
+ 
+ static krb5_error_code
+@@ -159,6 +160,9 @@ on_response(void *data, krb5_error_code 
+     if (retval == 0 && response != otp_response_success)
+         retval = KRB5_PREAUTH_FAILED;
+ 
+    if (retval == 0)
+        rs.enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
+
+     rs.respond(rs.arg, retval, NULL, NULL, NULL);
+ }
+ 
+@@ -263,8 +267,6 @@ otp_verify(krb5_context context, krb5_da
+     krb5_data d, plaintext;
+     char *config;
+ 
+-    enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
+-
+     /* Get the FAST armor key. */
+     armor_key = cb->fast_armor(context, rock);
+     if (armor_key == NULL) {
+@@ -298,12 +300,14 @@ otp_verify(krb5_context context, krb5_da
+         goto error;
+     }
+ 
+-    /* Create the request state. */
+    /* Create the request state.  Save the response callback, and the
+     * enc_tkt_reply pointer so we can set the TKT_FLG_PRE_AUTH flag later. */
+     rs = k5alloc(sizeof(struct request_state), &retval);
+     if (rs == NULL)
+         goto error;
+     rs->arg = arg;
+     rs->respond = respond;
+    rs->enc_tkt_reply = enc_tkt_reply;
+ 
+     /* Get the principal's OTP configuration string. */
+     retval = cb->get_string(context, rock, "otp", &config);
+--- plugins/preauth/pkinit/pkinit_srv.c.orig	2015-02-18 22:31:13 UTC
+++ plugins/preauth/pkinit/pkinit_srv.c
+@@ -306,7 +306,7 @@ pkinit_server_verify_padata(krb5_context
+ 
+     pkiDebug("pkinit_verify_padata: entered!\n");
+     if (data == NULL || data->length <= 0 || data->contents == NULL) {
+-        (*respond)(arg, 0, NULL, NULL, NULL);
+        (*respond)(arg, EINVAL, NULL, NULL, NULL);
+         return;
+     }
+ 
+@@ -318,7 +318,7 @@ pkinit_server_verify_padata(krb5_context
+ 
+     plgctx = pkinit_find_realm_context(context, moddata, request->server);
+     if (plgctx == NULL) {
+-        (*respond)(arg, 0, NULL, NULL, NULL);
+        (*respond)(arg, EINVAL, NULL, NULL, NULL);
+         return;
+     }
+