Diffstat (limited to 'repo/heimdal')
-rw-r--r-- | repo/heimdal/005_all_heimdal-suid_fix.patch | 20 | ||||
-rw-r--r-- | repo/heimdal/CVE-2018-16860.patch | 147 | ||||
-rw-r--r-- | repo/heimdal/autoconf-270.patch | 27 | ||||
-rwxr-xr-x | repo/heimdal/heimdal-kadmind.initd | 24 | ||||
-rwxr-xr-x | repo/heimdal/heimdal-kdc.initd | 23 | ||||
-rwxr-xr-x | repo/heimdal/heimdal-kpasswdd.initd | 24 | ||||
-rw-r--r-- | repo/heimdal/heimdal.xibuild | 82 | ||||
-rw-r--r-- | repo/heimdal/heimdal_missing-include.patch | 11 | ||||
-rw-r--r-- | repo/heimdal/silence-include-headers-redirect-warnings.patch | 80 |
9 files changed, 0 insertions, 438 deletions
diff --git a/repo/heimdal/005_all_heimdal-suid_fix.patch b/repo/heimdal/005_all_heimdal-suid_fix.patch
deleted file mode 100644
index 0524db6..0000000
--- a/repo/heimdal/005_all_heimdal-suid_fix.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- appl/su/Makefile.am 2005-06-16 18:27:46.000000000 +0200
-+++ b/appl/su/Makefile.am 2005-06-27 23:25:21.000000000 +0200
-@@ -7,6 +7,7 @@
- bin_PROGRAMS = su
- bin_SUIDS = su
- su_SOURCES = su.c supaths.h
-+su_LDFLAGS = -Wl,-z,now
- man_MANS = su.1
-
- LDADD = $(LIB_kafs) \
---- appl/otp/Makefile.am 2005-06-16 18:28:46.000000000 +0200
-+++ b/appl/otp/Makefile.am 2005-06-27 23:25:40.000000000 +0200
-@@ -8,6 +8,7 @@
- bin_SUIDS = otp
- otp_SOURCES = otp.c otp_locl.h
- otpprint_SOURCES = otpprint.c otp_locl.h
-+otp_LDFLAGS = -Wl,-z,now
-
- man_MANS = otp.1 otpprint.1
-
diff --git a/repo/heimdal/CVE-2018-16860.patch b/repo/heimdal/CVE-2018-16860.patch
deleted file mode 100644
index 6424b9e..0000000
--- a/repo/heimdal/CVE-2018-16860.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From c6257cc2c842c0faaeb4ef34e33890ee88c4cbba Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Tue, 14 May 2019 09:03:18 -0400
-Subject: [PATCH] CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed
- checksum
-
-S4U2Self is an extension to Kerberos used in Active Directory to allow
-a service to request a kerberos ticket to itself from the Kerberos Key
-Distribution Center (KDC) for a non-Kerberos authenticated user
-(principal in Kerboros parlance). This is useful to allow internal
-code paths to be standardized around Kerberos.
-
-S4U2Proxy (constrained-delegation) is an extension of this mechanism
-allowing this impersonation to a second service over the network. It
-allows a privileged server that obtained a S4U2Self ticket to itself
-to then assert the identity of that principal to a second service and
-present itself as that principal to get services from the second
-service.
-
-There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
-KDC checks the checksum that is placed on the S4U2Self packet by the
-server to protect the requested principal against modification, it
-does not confirm that the checksum algorithm that protects the user
-name (principal) in the request is keyed. This allows a
-man-in-the-middle attacker who can intercept the request to the KDC to
-modify the packet by replacing the user name (principal) in the
-request with any desired user name (principal) that exists in the KDC
-and replace the checksum protecting that name with a CRC32 checksum
-(which requires no prior knowledge to compute).
-
-This would allow a S4U2Self ticket requested on behalf of user name
-(principal) user@EXAMPLE.COM to any service to be changed to a
-S4U2Self ticket with a user name (principal) of
-Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
-the modified user name (principal).
-
-==================
-CVSSv3 calculation
-==================
-
-CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)
-
-=========================
-Workaround and Mitigation
-=========================
-
-If server does not take privileged actions based on Kerberos tickets
-obtained by S4U2Self nor obtains Kerberos tickets via further
-S4U2Proxy requests then this issue cannot be exploited.
-
-Note that the path to an exploit is not generic, the KDC is not harmed
-by the malicious checksum, it is the client service requesting the
-ticket being mislead, because it trusted the KDC to return the correct
-ticket and PAC.
-
-It is out of scope for Samba to describe all of the possible tool
-chains that might be vulnerable. Here are two examples of possible
-exploits in order to explain the issue more clearly.
-
-1). SFU2Self might be used by a web service authenticating an end user
-via OAuth, Shibboleth, or other protocols to obtain a S4U2Self
-Kerberos service ticket for use by any Kerberos service principal the
-web service has a keytab for. One example is acquiring an AFS token
-by requesting an afs/cell@REALM service ticket for a client via
-SFU2Self. With this exploit an organization that deploys a KDC built
-from Heimdal (be it Heimdal directly or vendor versions such as found
-in Samba) is vulnerable to privilege escalation attacks.
-
-2). If a server authenticates users using X509 certificates, and then
-uses S4U2Self to obtain a Kerberos service ticket on behalf of the
-user (principal) in order to authorize access to local resources, a
-man-in-the-middle attacker could allow a non-privilaged user to access
-privilaged resources being protected by the server, or privilaged
-resources being protected by a second server, if the first server uses
-the S4U2Proxy extension in order to get a new Kerberos service ticket
-to obtain access to the second server.
-
-In both these scenarios under conditions allowing man-in-the-middle
-active network protocol manipulation, a malicious user could
-authenticate using the non-Kerborized credentials of an unprivileged
-user, and then elevate its privileges by intercepting the packet from
-the server to the KDC and changing the requested user name (principal).
-
-The only Samba clients that use S4U2Self are:
-
-- the "net ads kerberos pac dump" (debugging) tool.
-
-- the CIFS proxy in the deprecated/developer-only NTVFS file
-server. Note this code is not compiled or enabled by default.
-
-In particular, winbindd does *not* use S4U2Self.
-
-Finally, MIT Kerberos and so therefore the experimental MIT KDC backend
-for Samba AD is understood not to be impacted.
-
-===============
-Further Reading
-===============
-
-There is more detail on and a description of the protocols in
-
-[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained
-Delegation Protocol
-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
-
-=======
-Credits
-=======
-
-Originally reported by Isaac Boukris and Andrew Bartlett of the Samba
-Team and Catalyst.
-
-Patches provided by Isaac Boukris.
-
-Advisory written by Andrew Bartlett of the Samba Team and Catalyst,
-with contributions from Isaac Boukris, Jeffrey Altman and Jeremy
-Allison.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685
-Change-Id: I4ac69ebf0503eb999a7d497a2c30fe4d293a8cc8
-Signed-off-by: Isaac Boukris <iboukris@gmail.com>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
-Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
----
- kdc/krb5tgs.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
-index 8318bc0025..14943077a4 100644
---- a/kdc/krb5tgs.c
-+++ b/kdc/krb5tgs.c
-@@ -2031,6 +2031,13 @@ tgs_build_reply(krb5_context context,
- goto out;
- }
-
-+ if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
-+ free_PA_S4U2Self(&self);
-+ kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed checksum");
-+ ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
-+ goto out;
-+ }
-+
- ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
- if (ret)
- goto out;
diff --git a/repo/heimdal/autoconf-270.patch b/repo/heimdal/autoconf-270.patch
deleted file mode 100644
index 05cdc09..0000000
--- a/repo/heimdal/autoconf-270.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-commit 22352b90e78e2d162b98b5ef6c84672c397be40a
-Author: Lars Wendler <polynomial-c@gentoo.org>
-Date: Wed Mar 17 17:49:18 2021 +0100
-
- autoconf-2.70 fix
-
- autoconf-2.70 and newer are more strict with quoting etc. and thus generate
- a broken configure file:
-
- configure: 20855: Syntax error: ")" unexpected (expecting "fi")
-
- Gentoo-bug: https://bugs.gentoo.org/776241
- Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
-
-diff --git a/cf/check-var.m4 b/cf/check-var.m4
-index 2fd7bca6f..71d6f70ca 100644
---- a/cf/check-var.m4
-+++ b/cf/check-var.m4
-@@ -20,7 +20,7 @@ AC_MSG_RESULT($ac_foo)
- if test "$ac_foo" = yes; then
- AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]$1), 1,
- [Define if you have the `]$1[' variable.])
-- m4_ifval([$2], AC_CHECK_DECLS([$1],[],[],[$2]))
-+ m4_ifval([$2], [AC_CHECK_DECLS([$1],[],[],[$2])])
- fi
- ])
-
diff --git a/repo/heimdal/heimdal-kadmind.initd b/repo/heimdal/heimdal-kadmind.initd
deleted file mode 100755
index 73f2381..0000000
--- a/repo/heimdal/heimdal-kadmind.initd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kadmind,v 1.3 2004/09/13 22:44:54 solar Exp $
-
-depend() {
- need net
- use heimdal-kdc
- after logger
-}
-
-start() {
- ebegin "Starting heimdal kadmind"
- /usr/sbin/kadmind &
- echo $! > /var/run/heimdal-kadmind.pid
- eend $?
-}
-
-stop() {
- ebegin "Stopping heimdal kadmind"
- start-stop-daemon --stop --quiet --exec \
- /usr/sbin/kadmind
- eend $?
-}
diff --git a/repo/heimdal/heimdal-kdc.initd b/repo/heimdal/heimdal-kdc.initd
deleted file mode 100755
index 32288c4..0000000
--- a/repo/heimdal/heimdal-kdc.initd
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kdc,v 1.2 2004/09/13 15:40:34 dragonheart Exp $
-
-depend() {
- need net
- after logger
-}
-
-start() {
- ebegin "Starting heimdal kdc"
- start-stop-daemon --start --quiet --exec \
- /usr/sbin/kdc -- --detach
- eend $?
-}
-
-stop() {
- ebegin "Stopping heimdal kdc"
- start-stop-daemon --stop --quiet --exec \
- /usr/sbin/kdc
- eend $?
-}
diff --git a/repo/heimdal/heimdal-kpasswdd.initd b/repo/heimdal/heimdal-kpasswdd.initd
deleted file mode 100755
index 5fc21e0..0000000
--- a/repo/heimdal/heimdal-kpasswdd.initd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kpasswdd,v 1.3 2004/09/13 22:44:54 solar Exp $
-
-depend() {
- need net
- use heimdal-kdc
- after logger
-}
-
-start() {
- ebegin "Starting heimdal kpasswdd"
- start-stop-daemon --background --start --quiet --exec \
- /usr/sbin/kpasswdd
- eend $?
-}
-
-stop() {
- ebegin "Stopping heimdal kpasswdd"
- start-stop-daemon --stop --quiet --exec \
- /usr/sbin/kpasswdd
- eend $?
-}
diff --git a/repo/heimdal/heimdal.xibuild b/repo/heimdal/heimdal.xibuild
deleted file mode 100644
index 6d0e31c..0000000
--- a/repo/heimdal/heimdal.xibuild
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/bin/sh
-
-NAME="heimdal"
-DESC="Iplementation of Kerberos 5"
-
-MAKEDEPS="xipkg openssl e2fsprogs autoconf automake bash gawk libtool ncurses perl readline sqlite3 texinfo perl-json gdbm "
-
-PKG_VER=7.7.0
-SOURCE="https://github.com/heimdal/heimdal/releases/download/heimdal-$PKG_VER/heimdal-$PKG_VER.tar.gz"
-
-ADDITIONAL="
-005_all_heimdal-suid_fix.patch
-CVE-2018-16860.patch
-autoconf-270.patch
-heimdal-kadmind.initd
-heimdal-kdc.initd
-heimdal-kpasswdd.initd
-heimdal_missing-include.patch
-silence-include-headers-redirect-warnings.patch
-"
-
-prepare() {
- [ -e /usr/lib/libasn1.so ] && xi -yl remove heimdal
- apply_patches
- sh ./autogen.sh
-}
-
-build() {
- export LDFLAGS="$LDFLAGS -Wl,--as-needed"
-
- ./configure \
- --build=$CBUILD \
- --host=$CHOST \
- --prefix=/usr \
- --enable-shared=yes \
- --without-x \
- --without-berkeley-db \
- --with-readline-lib=/usr/lib \
- --with-readline-include=/usr/include/readline \
- --with-sqlite3=/usr \
- --without-openssl \
- --with-db-type-preference=
-
- # make sure we use system version
- rm -r lib/sqlite lib/com_err
-
- # workarount a parallell build issue
- make -C lib/asn1 der-protos.h der-private.h
- make -C lib/kadm5 kadm5-protos.h kadm5-private.h kadm5_err.h
- make -C lib/krb5 krb5-protos.h krb5-private.h krb5_err.h krb_err.h \
- heim_err.h k524_err.h
- make -C lib/hx509 hx509-private.h hx509-protos.h
- make
-}
-
-package() {
- make DESTDIR="$PKG_DEST" exec_prefix=/usr sysconfdir=/etc \
- mandir=/usr/share/man infodir=/usr/share/info datadir=/var/lib/heimdal \
- localstatedir=/var/lib/heimdal libexecdir=/usr/sbin install
-
-
- install -m755 -D "$BUILD_ROOT"/heimdal-kadmind.initd \
- "$PKG_DEST"/etc/init.d/heimdal-kadmind
- install -m755 -D "$BUILD_ROOT"/heimdal-kdc.initd \
- "$PKG_DEST"/etc/init.d/heimdal-kdc
- install -m755 -D "$BUILD_ROOT"/heimdal-kpasswdd.initd \
- "$PKG_DEST"/etc/init.d/heimdal-kpasswdd
-
- for i in 1 3 5 8; do
- rm -rf "$PKG_DEST"/usr/share/man/cat$i
- done
-
- # Remove conflicts
- # e2fsprogs
- rm -f "$PKG_DEST"/usr/bin/compile_et \
- "$PKG_DEST"/usr/share/man/man1/compile_et.1
-
- # Compress info pages
- for page in heimdal hx509; do
- gzip -9 "$PKG_DEST"/usr/share/info/$page.info
- done
-}
diff --git a/repo/heimdal/heimdal_missing-include.patch b/repo/heimdal/heimdal_missing-include.patch
deleted file mode 100644
index 8cca906..0000000
--- a/repo/heimdal/heimdal_missing-include.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- lib/base/test_base.c 2011-09-30 15:58:45.000000000 +0300
-+++ b/lib/base/test_base.c 2011-12-27 23:04:50.482955923 +0200
-@@ -39,6 +39,8 @@
- #include "heimbase.h"
- #include "heimbasepriv.h"
-
-+#include <stdlib.h>
-+
- static void
- memory_free(heim_object_t obj)
- {
diff --git a/repo/heimdal/silence-include-headers-redirect-warnings.patch b/repo/heimdal/silence-include-headers-redirect-warnings.patch
deleted file mode 100644
index 4505096..0000000
--- a/repo/heimdal/silence-include-headers-redirect-warnings.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 2eb67c91834a21e68c90380254c7c10ffe03a7ca Mon Sep 17 00:00:00 2001
-From: Leonardo Arena <rnalrd@alpinelinux.org>
-Date: Thu, 14 Apr 2022 08:47:15 +0000
-Subject: [PATCH] silence include header warnings
-
----
- cf/roken-frag.m4 | 1 -
- configure | 2 +-
- lib/ipc/hi_locl.h | 2 +-
- lib/krb5/krb5_locl.h | 2 +-
- lib/roken/getifaddrs.c | 2 +-
- 5 files changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/cf/roken-frag.m4 b/cf/roken-frag.m4
-index f22b43a..589b2cc 100644
---- a/cf/roken-frag.m4
-+++ b/cf/roken-frag.m4
-@@ -73,7 +73,6 @@ AC_CHECK_HEADERS([\
- stdint.h \
- sys/auxv.h \
- sys/bswap.h \
-- sys/errno.h \
- sys/ioctl.h \
- sys/mman.h \
- sys/param.h \
-diff --git a/configure b/configure
-index 4cefc43..bc3bf78 100755
---- a/configure
-+++ b/configure
-@@ -17965,7 +17965,7 @@ for ac_header in \
- stdint.h \
- sys/auxv.h \
- sys/bswap.h \
-- sys/errno.h \
-+ errno.h \
- sys/ioctl.h \
- sys/mman.h \
- sys/param.h \
-diff --git a/lib/ipc/hi_locl.h b/lib/ipc/hi_locl.h
-index 7efe6ca..3195b44 100644
---- a/lib/ipc/hi_locl.h
-+++ b/lib/ipc/hi_locl.h
-@@ -41,7 +41,7 @@
- #include <sys/un.h>
- #endif
-
--#include <sys/poll.h>
-+#include <poll.h>
-
- #include <ctype.h>
- #include <stdio.h>
-diff --git a/lib/krb5/krb5_locl.h b/lib/krb5/krb5_locl.h
-index b64f3a9..f62c40d 100644
---- a/lib/krb5/krb5_locl.h
-+++ b/lib/krb5/krb5_locl.h
-@@ -44,7 +44,7 @@
- #include <ctype.h>
-
- #ifdef HAVE_POLL_H
--#include <sys/poll.h>
-+#include <poll.h>
- #endif
-
- #include <krb5-types.h>
-diff --git a/lib/roken/getifaddrs.c b/lib/roken/getifaddrs.c
-index cc949b0..a82adc5 100644
---- a/lib/roken/getifaddrs.c
-+++ b/lib/roken/getifaddrs.c
-@@ -120,7 +120,7 @@ struct mbuf;
- #include <linux/rtnetlink.h>
- #include <sys/types.h>
- #include <sys/socket.h>
--#include <sys/poll.h>
-+#include <poll.h>
- #include <netpacket/packet.h>
- #include <net/ethernet.h> /* the L2 protocols */
- #include <sys/uio.h>
---
-2.35.1
- |