summaryrefslogtreecommitdiff
path: root/repo/heimdal
diff options
context:
space:
mode:
Diffstat (limited to 'repo/heimdal')
-rw-r--r--repo/heimdal/005_all_heimdal-suid_fix.patch20
-rw-r--r--repo/heimdal/CVE-2018-16860.patch147
-rw-r--r--repo/heimdal/autoconf-270.patch27
-rwxr-xr-xrepo/heimdal/heimdal-kadmind.initd24
-rwxr-xr-xrepo/heimdal/heimdal-kdc.initd23
-rwxr-xr-xrepo/heimdal/heimdal-kpasswdd.initd24
-rw-r--r--repo/heimdal/heimdal.xibuild82
-rw-r--r--repo/heimdal/heimdal_missing-include.patch11
-rw-r--r--repo/heimdal/silence-include-headers-redirect-warnings.patch80
9 files changed, 438 insertions, 0 deletions
diff --git a/repo/heimdal/005_all_heimdal-suid_fix.patch b/repo/heimdal/005_all_heimdal-suid_fix.patch
new file mode 100644
index 0000000..0524db6
--- /dev/null
+++ b/repo/heimdal/005_all_heimdal-suid_fix.patch
@@ -0,0 +1,20 @@
+--- appl/su/Makefile.am 2005-06-16 18:27:46.000000000 +0200
++++ b/appl/su/Makefile.am 2005-06-27 23:25:21.000000000 +0200
+@@ -7,6 +7,7 @@
+ bin_PROGRAMS = su
+ bin_SUIDS = su
+ su_SOURCES = su.c supaths.h
++su_LDFLAGS = -Wl,-z,now
+ man_MANS = su.1
+
+ LDADD = $(LIB_kafs) \
+--- appl/otp/Makefile.am 2005-06-16 18:28:46.000000000 +0200
++++ b/appl/otp/Makefile.am 2005-06-27 23:25:40.000000000 +0200
+@@ -8,6 +8,7 @@
+ bin_SUIDS = otp
+ otp_SOURCES = otp.c otp_locl.h
+ otpprint_SOURCES = otpprint.c otp_locl.h
++otp_LDFLAGS = -Wl,-z,now
+
+ man_MANS = otp.1 otpprint.1
+
diff --git a/repo/heimdal/CVE-2018-16860.patch b/repo/heimdal/CVE-2018-16860.patch
new file mode 100644
index 0000000..6424b9e
--- /dev/null
+++ b/repo/heimdal/CVE-2018-16860.patch
@@ -0,0 +1,147 @@
+From c6257cc2c842c0faaeb4ef34e33890ee88c4cbba Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Tue, 14 May 2019 09:03:18 -0400
+Subject: [PATCH] CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed
+ checksum
+
+S4U2Self is an extension to Kerberos used in Active Directory to allow
+a service to request a kerberos ticket to itself from the Kerberos Key
+Distribution Center (KDC) for a non-Kerberos authenticated user
+(principal in Kerboros parlance). This is useful to allow internal
+code paths to be standardized around Kerberos.
+
+S4U2Proxy (constrained-delegation) is an extension of this mechanism
+allowing this impersonation to a second service over the network. It
+allows a privileged server that obtained a S4U2Self ticket to itself
+to then assert the identity of that principal to a second service and
+present itself as that principal to get services from the second
+service.
+
+There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
+KDC checks the checksum that is placed on the S4U2Self packet by the
+server to protect the requested principal against modification, it
+does not confirm that the checksum algorithm that protects the user
+name (principal) in the request is keyed. This allows a
+man-in-the-middle attacker who can intercept the request to the KDC to
+modify the packet by replacing the user name (principal) in the
+request with any desired user name (principal) that exists in the KDC
+and replace the checksum protecting that name with a CRC32 checksum
+(which requires no prior knowledge to compute).
+
+This would allow a S4U2Self ticket requested on behalf of user name
+(principal) user@EXAMPLE.COM to any service to be changed to a
+S4U2Self ticket with a user name (principal) of
+Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
+the modified user name (principal).
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)
+
+=========================
+Workaround and Mitigation
+=========================
+
+If server does not take privileged actions based on Kerberos tickets
+obtained by S4U2Self nor obtains Kerberos tickets via further
+S4U2Proxy requests then this issue cannot be exploited.
+
+Note that the path to an exploit is not generic, the KDC is not harmed
+by the malicious checksum, it is the client service requesting the
+ticket being mislead, because it trusted the KDC to return the correct
+ticket and PAC.
+
+It is out of scope for Samba to describe all of the possible tool
+chains that might be vulnerable. Here are two examples of possible
+exploits in order to explain the issue more clearly.
+
+1). SFU2Self might be used by a web service authenticating an end user
+via OAuth, Shibboleth, or other protocols to obtain a S4U2Self
+Kerberos service ticket for use by any Kerberos service principal the
+web service has a keytab for. One example is acquiring an AFS token
+by requesting an afs/cell@REALM service ticket for a client via
+SFU2Self. With this exploit an organization that deploys a KDC built
+from Heimdal (be it Heimdal directly or vendor versions such as found
+in Samba) is vulnerable to privilege escalation attacks.
+
+2). If a server authenticates users using X509 certificates, and then
+uses S4U2Self to obtain a Kerberos service ticket on behalf of the
+user (principal) in order to authorize access to local resources, a
+man-in-the-middle attacker could allow a non-privilaged user to access
+privilaged resources being protected by the server, or privilaged
+resources being protected by a second server, if the first server uses
+the S4U2Proxy extension in order to get a new Kerberos service ticket
+to obtain access to the second server.
+
+In both these scenarios under conditions allowing man-in-the-middle
+active network protocol manipulation, a malicious user could
+authenticate using the non-Kerborized credentials of an unprivileged
+user, and then elevate its privileges by intercepting the packet from
+the server to the KDC and changing the requested user name (principal).
+
+The only Samba clients that use S4U2Self are:
+
+- the "net ads kerberos pac dump" (debugging) tool.
+
+- the CIFS proxy in the deprecated/developer-only NTVFS file
+server. Note this code is not compiled or enabled by default.
+
+In particular, winbindd does *not* use S4U2Self.
+
+Finally, MIT Kerberos and so therefore the experimental MIT KDC backend
+for Samba AD is understood not to be impacted.
+
+===============
+Further Reading
+===============
+
+There is more detail on and a description of the protocols in
+
+[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained
+Delegation Protocol
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
+
+=======
+Credits
+=======
+
+Originally reported by Isaac Boukris and Andrew Bartlett of the Samba
+Team and Catalyst.
+
+Patches provided by Isaac Boukris.
+
+Advisory written by Andrew Bartlett of the Samba Team and Catalyst,
+with contributions from Isaac Boukris, Jeffrey Altman and Jeremy
+Allison.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685
+Change-Id: I4ac69ebf0503eb999a7d497a2c30fe4d293a8cc8
+Signed-off-by: Isaac Boukris <iboukris@gmail.com>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
+---
+ kdc/krb5tgs.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
+index 8318bc0025..14943077a4 100644
+--- a/kdc/krb5tgs.c
++++ b/kdc/krb5tgs.c
+@@ -2031,6 +2031,13 @@ tgs_build_reply(krb5_context context,
+ goto out;
+ }
+
++ if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
++ free_PA_S4U2Self(&self);
++ kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed checksum");
++ ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
++ goto out;
++ }
++
+ ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
+ if (ret)
+ goto out;
diff --git a/repo/heimdal/autoconf-270.patch b/repo/heimdal/autoconf-270.patch
new file mode 100644
index 0000000..05cdc09
--- /dev/null
+++ b/repo/heimdal/autoconf-270.patch
@@ -0,0 +1,27 @@
+commit 22352b90e78e2d162b98b5ef6c84672c397be40a
+Author: Lars Wendler <polynomial-c@gentoo.org>
+Date: Wed Mar 17 17:49:18 2021 +0100
+
+ autoconf-2.70 fix
+
+ autoconf-2.70 and newer are more strict with quoting etc. and thus generate
+ a broken configure file:
+
+ configure: 20855: Syntax error: ")" unexpected (expecting "fi")
+
+ Gentoo-bug: https://bugs.gentoo.org/776241
+ Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
+
+diff --git a/cf/check-var.m4 b/cf/check-var.m4
+index 2fd7bca6f..71d6f70ca 100644
+--- a/cf/check-var.m4
++++ b/cf/check-var.m4
+@@ -20,7 +20,7 @@ AC_MSG_RESULT($ac_foo)
+ if test "$ac_foo" = yes; then
+ AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]$1), 1,
+ [Define if you have the `]$1[' variable.])
+- m4_ifval([$2], AC_CHECK_DECLS([$1],[],[],[$2]))
++ m4_ifval([$2], [AC_CHECK_DECLS([$1],[],[],[$2])])
+ fi
+ ])
+
diff --git a/repo/heimdal/heimdal-kadmind.initd b/repo/heimdal/heimdal-kadmind.initd
new file mode 100755
index 0000000..73f2381
--- /dev/null
+++ b/repo/heimdal/heimdal-kadmind.initd
@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kadmind,v 1.3 2004/09/13 22:44:54 solar Exp $
+
+depend() {
+ need net
+ use heimdal-kdc
+ after logger
+}
+
+start() {
+ ebegin "Starting heimdal kadmind"
+ /usr/sbin/kadmind &
+ echo $! > /var/run/heimdal-kadmind.pid
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping heimdal kadmind"
+ start-stop-daemon --stop --quiet --exec \
+ /usr/sbin/kadmind
+ eend $?
+}
diff --git a/repo/heimdal/heimdal-kdc.initd b/repo/heimdal/heimdal-kdc.initd
new file mode 100755
index 0000000..32288c4
--- /dev/null
+++ b/repo/heimdal/heimdal-kdc.initd
@@ -0,0 +1,23 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kdc,v 1.2 2004/09/13 15:40:34 dragonheart Exp $
+
+depend() {
+ need net
+ after logger
+}
+
+start() {
+ ebegin "Starting heimdal kdc"
+ start-stop-daemon --start --quiet --exec \
+ /usr/sbin/kdc -- --detach
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping heimdal kdc"
+ start-stop-daemon --stop --quiet --exec \
+ /usr/sbin/kdc
+ eend $?
+}
diff --git a/repo/heimdal/heimdal-kpasswdd.initd b/repo/heimdal/heimdal-kpasswdd.initd
new file mode 100755
index 0000000..5fc21e0
--- /dev/null
+++ b/repo/heimdal/heimdal-kpasswdd.initd
@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kpasswdd,v 1.3 2004/09/13 22:44:54 solar Exp $
+
+depend() {
+ need net
+ use heimdal-kdc
+ after logger
+}
+
+start() {
+ ebegin "Starting heimdal kpasswdd"
+ start-stop-daemon --background --start --quiet --exec \
+ /usr/sbin/kpasswdd
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping heimdal kpasswdd"
+ start-stop-daemon --stop --quiet --exec \
+ /usr/sbin/kpasswdd
+ eend $?
+}
diff --git a/repo/heimdal/heimdal.xibuild b/repo/heimdal/heimdal.xibuild
new file mode 100644
index 0000000..6d0e31c
--- /dev/null
+++ b/repo/heimdal/heimdal.xibuild
@@ -0,0 +1,82 @@
+#!/bin/sh
+
+NAME="heimdal"
+DESC="Iplementation of Kerberos 5"
+
+MAKEDEPS="xipkg openssl e2fsprogs autoconf automake bash gawk libtool ncurses perl readline sqlite3 texinfo perl-json gdbm "
+
+PKG_VER=7.7.0
+SOURCE="https://github.com/heimdal/heimdal/releases/download/heimdal-$PKG_VER/heimdal-$PKG_VER.tar.gz"
+
+ADDITIONAL="
+005_all_heimdal-suid_fix.patch
+CVE-2018-16860.patch
+autoconf-270.patch
+heimdal-kadmind.initd
+heimdal-kdc.initd
+heimdal-kpasswdd.initd
+heimdal_missing-include.patch
+silence-include-headers-redirect-warnings.patch
+"
+
+prepare() {
+ [ -e /usr/lib/libasn1.so ] && xi -yl remove heimdal
+ apply_patches
+ sh ./autogen.sh
+}
+
+build() {
+ export LDFLAGS="$LDFLAGS -Wl,--as-needed"
+
+ ./configure \
+ --build=$CBUILD \
+ --host=$CHOST \
+ --prefix=/usr \
+ --enable-shared=yes \
+ --without-x \
+ --without-berkeley-db \
+ --with-readline-lib=/usr/lib \
+ --with-readline-include=/usr/include/readline \
+ --with-sqlite3=/usr \
+ --without-openssl \
+ --with-db-type-preference=
+
+ # make sure we use system version
+ rm -r lib/sqlite lib/com_err
+
+ # workarount a parallell build issue
+ make -C lib/asn1 der-protos.h der-private.h
+ make -C lib/kadm5 kadm5-protos.h kadm5-private.h kadm5_err.h
+ make -C lib/krb5 krb5-protos.h krb5-private.h krb5_err.h krb_err.h \
+ heim_err.h k524_err.h
+ make -C lib/hx509 hx509-private.h hx509-protos.h
+ make
+}
+
+package() {
+ make DESTDIR="$PKG_DEST" exec_prefix=/usr sysconfdir=/etc \
+ mandir=/usr/share/man infodir=/usr/share/info datadir=/var/lib/heimdal \
+ localstatedir=/var/lib/heimdal libexecdir=/usr/sbin install
+
+
+ install -m755 -D "$BUILD_ROOT"/heimdal-kadmind.initd \
+ "$PKG_DEST"/etc/init.d/heimdal-kadmind
+ install -m755 -D "$BUILD_ROOT"/heimdal-kdc.initd \
+ "$PKG_DEST"/etc/init.d/heimdal-kdc
+ install -m755 -D "$BUILD_ROOT"/heimdal-kpasswdd.initd \
+ "$PKG_DEST"/etc/init.d/heimdal-kpasswdd
+
+ for i in 1 3 5 8; do
+ rm -rf "$PKG_DEST"/usr/share/man/cat$i
+ done
+
+ # Remove conflicts
+ # e2fsprogs
+ rm -f "$PKG_DEST"/usr/bin/compile_et \
+ "$PKG_DEST"/usr/share/man/man1/compile_et.1
+
+ # Compress info pages
+ for page in heimdal hx509; do
+ gzip -9 "$PKG_DEST"/usr/share/info/$page.info
+ done
+}
diff --git a/repo/heimdal/heimdal_missing-include.patch b/repo/heimdal/heimdal_missing-include.patch
new file mode 100644
index 0000000..8cca906
--- /dev/null
+++ b/repo/heimdal/heimdal_missing-include.patch
@@ -0,0 +1,11 @@
+--- lib/base/test_base.c 2011-09-30 15:58:45.000000000 +0300
++++ b/lib/base/test_base.c 2011-12-27 23:04:50.482955923 +0200
+@@ -39,6 +39,8 @@
+ #include "heimbase.h"
+ #include "heimbasepriv.h"
+
++#include <stdlib.h>
++
+ static void
+ memory_free(heim_object_t obj)
+ {
diff --git a/repo/heimdal/silence-include-headers-redirect-warnings.patch b/repo/heimdal/silence-include-headers-redirect-warnings.patch
new file mode 100644
index 0000000..4505096
--- /dev/null
+++ b/repo/heimdal/silence-include-headers-redirect-warnings.patch
@@ -0,0 +1,80 @@
+From 2eb67c91834a21e68c90380254c7c10ffe03a7ca Mon Sep 17 00:00:00 2001
+From: Leonardo Arena <rnalrd@alpinelinux.org>
+Date: Thu, 14 Apr 2022 08:47:15 +0000
+Subject: [PATCH] silence include header warnings
+
+---
+ cf/roken-frag.m4 | 1 -
+ configure | 2 +-
+ lib/ipc/hi_locl.h | 2 +-
+ lib/krb5/krb5_locl.h | 2 +-
+ lib/roken/getifaddrs.c | 2 +-
+ 5 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/cf/roken-frag.m4 b/cf/roken-frag.m4
+index f22b43a..589b2cc 100644
+--- a/cf/roken-frag.m4
++++ b/cf/roken-frag.m4
+@@ -73,7 +73,6 @@ AC_CHECK_HEADERS([\
+ stdint.h \
+ sys/auxv.h \
+ sys/bswap.h \
+- sys/errno.h \
+ sys/ioctl.h \
+ sys/mman.h \
+ sys/param.h \
+diff --git a/configure b/configure
+index 4cefc43..bc3bf78 100755
+--- a/configure
++++ b/configure
+@@ -17965,7 +17965,7 @@ for ac_header in \
+ stdint.h \
+ sys/auxv.h \
+ sys/bswap.h \
+- sys/errno.h \
++ errno.h \
+ sys/ioctl.h \
+ sys/mman.h \
+ sys/param.h \
+diff --git a/lib/ipc/hi_locl.h b/lib/ipc/hi_locl.h
+index 7efe6ca..3195b44 100644
+--- a/lib/ipc/hi_locl.h
++++ b/lib/ipc/hi_locl.h
+@@ -41,7 +41,7 @@
+ #include <sys/un.h>
+ #endif
+
+-#include <sys/poll.h>
++#include <poll.h>
+
+ #include <ctype.h>
+ #include <stdio.h>
+diff --git a/lib/krb5/krb5_locl.h b/lib/krb5/krb5_locl.h
+index b64f3a9..f62c40d 100644
+--- a/lib/krb5/krb5_locl.h
++++ b/lib/krb5/krb5_locl.h
+@@ -44,7 +44,7 @@
+ #include <ctype.h>
+
+ #ifdef HAVE_POLL_H
+-#include <sys/poll.h>
++#include <poll.h>
+ #endif
+
+ #include <krb5-types.h>
+diff --git a/lib/roken/getifaddrs.c b/lib/roken/getifaddrs.c
+index cc949b0..a82adc5 100644
+--- a/lib/roken/getifaddrs.c
++++ b/lib/roken/getifaddrs.c
+@@ -120,7 +120,7 @@ struct mbuf;
+ #include <linux/rtnetlink.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
+-#include <sys/poll.h>
++#include <poll.h>
+ #include <netpacket/packet.h>
+ #include <net/ethernet.h> /* the L2 protocols */
+ #include <sys/uio.h>
+--
+2.35.1
+