From f29d569cd33a73da5ad675f43a34ad53c5cc9bc6 Mon Sep 17 00:00:00 2001
From: davidovski
Date: Thu, 2 Feb 2023 14:10:02 +0000
Subject: Work
---
 skip/heimdal/005_all_heimdal-suid_fix.patch | 20 +++
 skip/heimdal/CVE-2018-16860.patch | 147 +++++++++++++++++++++
 skip/heimdal/autoconf-270.patch | 27 ++++
 skip/heimdal/heimdal-kadmind.initd | 24 ++++
 skip/heimdal/heimdal-kdc.initd | 23 ++++
 skip/heimdal/heimdal-kpasswdd.initd | 24 ++++
 skip/heimdal/heimdal.xibuild | 82 ++++++++++++
 skip/heimdal/heimdal_missing-include.patch | 11 ++
 ...silence-include-headers-redirect-warnings.patch | 80 +++++++++++
 9 files changed, 438 insertions(+)
 create mode 100644 skip/heimdal/005_all_heimdal-suid_fix.patch
 create mode 100644 skip/heimdal/CVE-2018-16860.patch
 create mode 100644 skip/heimdal/autoconf-270.patch
 create mode 100755 skip/heimdal/heimdal-kadmind.initd
 create mode 100755 skip/heimdal/heimdal-kdc.initd
 create mode 100755 skip/heimdal/heimdal-kpasswdd.initd
 create mode 100644 skip/heimdal/heimdal.xibuild
 create mode 100644 skip/heimdal/heimdal_missing-include.patch
 create mode 100644 skip/heimdal/silence-include-headers-redirect-warnings.patch
(limited to 'skip/heimdal')
diff --git a/skip/heimdal/005_all_heimdal-suid_fix.patch b/skip/heimdal/005_all_heimdal-suid_fix.patch
new file mode 100644
index 0000000..0524db6
--- /dev/null
+++ b/skip/heimdal/005_all_heimdal-suid_fix.patch
@@ -0,0 +1,20 @@
+--- appl/su/Makefile.am 2005-06-16 18:27:46.000000000 +0200
++++ b/appl/su/Makefile.am 2005-06-27 23:25:21.000000000 +0200
+@@ -7,6 +7,7 @@
+ bin_PROGRAMS = su
+ bin_SUIDS = su
+ su_SOURCES = su.c supaths.h
++su_LDFLAGS = -Wl,-z,now
+ man_MANS = su.1
+ 
+ LDADD = $(LIB_kafs) \
+--- appl/otp/Makefile.am 2005-06-16 18:28:46.000000000 +0200
++++ b/appl/otp/Makefile.am 2005-06-27 23:25:40.000000000 +0200
+@@ -8,6 +8,7 @@
+ bin_SUIDS = otp
+ otp_SOURCES = otp.c otp_locl.h
+ otpprint_SOURCES = otpprint.c otp_locl.h
++otp_LDFLAGS = -Wl,-z,now
+ 
+ man_MANS = otp.1 otpprint.1
+ 
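Review bot: The added `su_LDFLAGS = -Wl,-z,now` and `otp_LDFLAGS = -Wl,-z,now` lines give the setuid binaries immediate binding, but on their own they do not make the GOT read-only; full RELRO needs `-z relro` as well, so unless the tree's global LDFLAGS or the linker default already supply it, `su_LDFLAGS = -Wl,-z,relro,-z,now` (and the same for `otp_LDFLAGS`) is the form that actually hardens these binaries. Both Makefile.am hunks in this patch have the same shape, so the change applies to both. Whether the surrounding build already passes `-z relro` is not visible from this commit.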
diff --git a/skip/heimdal/CVE-2018-16860.patch b/skip/heimdal/CVE-2018-16860.patch
new file mode 100644
index 0000000..6424b9e
--- /dev/null
+++ b/skip/heimdal/CVE-2018-16860.patch
@@ -0,0 +1,147 @@
+From c6257cc2c842c0faaeb4ef34e33890ee88c4cbba Mon Sep 17 00:00:00 2001
+From: Isaac Boukris
+Date: Tue, 14 May 2019 09:03:18 -0400
+Subject: [PATCH] CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed
+ checksum
+
+S4U2Self is an extension to Kerberos used in Active Directory to allow
+a service to request a kerberos ticket to itself from the Kerberos Key
+Distribution Center (KDC) for a non-Kerberos authenticated user
+(principal in Kerboros parlance). This is useful to allow internal
+code paths to be standardized around Kerberos.
+
+S4U2Proxy (constrained-delegation) is an extension of this mechanism
+allowing this impersonation to a second service over the network. It
+allows a privileged server that obtained a S4U2Self ticket to itself
+to then assert the identity of that principal to a second service and
+present itself as that principal to get services from the second
+service.
+
+There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
+KDC checks the checksum that is placed on the S4U2Self packet by the
+server to protect the requested principal against modification, it
+does not confirm that the checksum algorithm that protects the user
+name (principal) in the request is keyed. This allows a
+man-in-the-middle attacker who can intercept the request to the KDC to
+modify the packet by replacing the user name (principal) in the
+request with any desired user name (principal) that exists in the KDC
+and replace the checksum protecting that name with a CRC32 checksum
+(which requires no prior knowledge to compute).
+
+This would allow a S4U2Self ticket requested on behalf of user name
+(principal) user@EXAMPLE.COM to any service to be changed to a
+S4U2Self ticket with a user name (principal) of
+Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
+the modified user name (principal).
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)
+
+=========================
+Workaround and Mitigation
+=========================
+
+If server does not take privileged actions based on Kerberos tickets
+obtained by S4U2Self nor obtains Kerberos tickets via further
+S4U2Proxy requests then this issue cannot be exploited.
+
+Note that the path to an exploit is not generic, the KDC is not harmed
+by the malicious checksum, it is the client service requesting the
+ticket being mislead, because it trusted the KDC to return the correct
+ticket and PAC.
+
+It is out of scope for Samba to describe all of the possible tool
+chains that might be vulnerable. Here are two examples of possible
+exploits in order to explain the issue more clearly.
+
+1). SFU2Self might be used by a web service authenticating an end user
+via OAuth, Shibboleth, or other protocols to obtain a S4U2Self
+Kerberos service ticket for use by any Kerberos service principal the
+web service has a keytab for. One example is acquiring an AFS token
+by requesting an afs/cell@REALM service ticket for a client via
+SFU2Self. With this exploit an organization that deploys a KDC built
+from Heimdal (be it Heimdal directly or vendor versions such as found
+in Samba) is vulnerable to privilege escalation attacks.
+
+2). If a server authenticates users using X509 certificates, and then
+uses S4U2Self to obtain a Kerberos service ticket on behalf of the
+user (principal) in order to authorize access to local resources, a
+man-in-the-middle attacker could allow a non-privilaged user to access
+privilaged resources being protected by the server, or privilaged
+resources being protected by a second server, if the first server uses
+the S4U2Proxy extension in order to get a new Kerberos service ticket
+to obtain access to the second server.
+
+In both these scenarios under conditions allowing man-in-the-middle
+active network protocol manipulation, a malicious user could
+authenticate using the non-Kerborized credentials of an unprivileged
+user, and then elevate its privileges by intercepting the packet from
+the server to the KDC and changing the requested user name (principal).
+
+The only Samba clients that use S4U2Self are:
+
+- the "net ads kerberos pac dump" (debugging) tool.
+
+- the CIFS proxy in the deprecated/developer-only NTVFS file
+server. Note this code is not compiled or enabled by default.
+
+In particular, winbindd does *not* use S4U2Self.
+
+Finally, MIT Kerberos and so therefore the experimental MIT KDC backend
+for Samba AD is understood not to be impacted.
+
+===============
+Further Reading
+===============
+
+There is more detail on and a description of the protocols in
+
+[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained
+Delegation Protocol
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
+
+=======
+Credits
+=======
+
+Originally reported by Isaac Boukris and Andrew Bartlett of the Samba
+Team and Catalyst.
+
+Patches provided by Isaac Boukris.
+
+Advisory written by Andrew Bartlett of the Samba Team and Catalyst,
+with contributions from Isaac Boukris, Jeffrey Altman and Jeremy
+Allison.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685
+Change-Id: I4ac69ebf0503eb999a7d497a2c30fe4d293a8cc8
+Signed-off-by: Isaac Boukris
+Reviewed-by: Andrew Bartlett
+Signed-off-by: Andrew Bartlett
+Reviewed-by: Jeffrey Altman
+Signed-off-by: Jeffrey Altman
+---
+ kdc/krb5tgs.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
+index 8318bc0025..14943077a4 100644
+--- a/kdc/krb5tgs.c
++++ b/kdc/krb5tgs.c
+@@ -2031,6 +2031,13 @@ tgs_build_reply(krb5_context context,
+ goto out;
+ }
+ 
++ if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
++ free_PA_S4U2Self(&self);
++ kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed checksum");
++ ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
++ goto out;
++ }
++
+ ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
+ if (ret)
+ goto out;
diff --git a/skip/heimdal/autoconf-270.patch b/skip/heimdal/autoconf-270.patch
new file mode 100644
index 0000000..05cdc09
--- /dev/null
+++ b/skip/heimdal/autoconf-270.patch
@@ -0,0 +1,27 @@
+commit 22352b90e78e2d162b98b5ef6c84672c397be40a
+Author: Lars Wendler
+Date: Wed Mar 17 17:49:18 2021 +0100
+
+ autoconf-2.70 fix
+
+ autoconf-2.70 and newer are more strict with quoting etc. and thus generate
+ a broken configure file:
+
+ configure: 20855: Syntax error: ")" unexpected (expecting "fi")
+
+ Gentoo-bug: https://bugs.gentoo.org/776241
+ Signed-off-by: Lars Wendler
+
+diff --git a/cf/check-var.m4 b/cf/check-var.m4
+index 2fd7bca6f..71d6f70ca 100644
+--- a/cf/check-var.m4
++++ b/cf/check-var.m4
+@@ -20,7 +20,7 @@ AC_MSG_RESULT($ac_foo)
+ if test "$ac_foo" = yes; then
+ AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]$1), 1,
+ [Define if you have the `]$1[' variable.])
+- m4_ifval([$2], AC_CHECK_DECLS([$1],[],[],[$2]))
++ m4_ifval([$2], [AC_CHECK_DECLS([$1],[],[],[$2])])
+ fi
+ ])
+
diff --git a/skip/heimdal/heimdal-kadmind.initd b/skip/heimdal/heimdal-kadmind.initd
new file mode 100755
index 0000000..73f2381
--- /dev/null
+++ b/skip/heimdal/heimdal-kadmind.initd
@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kadmind,v 1.3 2004/09/13 22:44:54 solar Exp $
+
+depend() {
+ need net
+ use heimdal-kdc
+ after logger
+}
+
+start() {
+ ebegin "Starting heimdal kadmind"
+ /usr/sbin/kadmind &
+ echo $! > /var/run/heimdal-kadmind.pid
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping heimdal kadmind"
+ start-stop-daemon --stop --quiet --exec \
+ /usr/sbin/kadmind
+ eend $?
+}
diff --git a/skip/heimdal/heimdal-kdc.initd b/skip/heimdal/heimdal-kdc.initd
new file mode 100755
index 0000000..32288c4
--- /dev/null
+++ b/skip/heimdal/heimdal-kdc.initd
@@ -0,0 +1,23 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kdc,v 1.2 2004/09/13 15:40:34 dragonheart Exp $
+
+depend() {
+ need net
+ after logger
+}
+
+start() {
+ ebegin "Starting heimdal kdc"
+ start-stop-daemon --start --quiet --exec \
+ /usr/sbin/kdc -- --detach
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping heimdal kdc"
+ start-stop-daemon --stop --quiet --exec \
+ /usr/sbin/kdc
+ eend $?
+}
diff --git a/skip/heimdal/heimdal-kpasswdd.initd b/skip/heimdal/heimdal-kpasswdd.initd
new file mode 100755
index 0000000..5fc21e0
--- /dev/null
+++ b/skip/heimdal/heimdal-kpasswdd.initd
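Review bot: In heimdal-kadmind.initd's `start()`, `eend $?` reports the exit status of the `echo` that wrote the pid file, not whether `/usr/sbin/kadmind` came up, and `stop()` matches by `--exec` alone, so the pid file written in `start()` is never used and every process running that binary is signalled. Using start-stop-daemon on both sides, as heimdal-kdc.initd and heimdal-kpasswdd.initd in this same commit already do for start, fixes both: `start-stop-daemon --start --background --make-pidfile --pidfile /var/run/heimdal-kadmind.pid --quiet --exec /usr/sbin/kadmind` in `start()` and `start-stop-daemon --stop --quiet --pidfile /var/run/heimdal-kadmind.pid` in `stop()`. The kdc and kpasswdd scripts have the same `--exec`-only `stop()`, so a `--pidfile` would scope those too. Whether kadmind stays in the foreground under `--background` without an extra flag is a Heimdal detail to confirm before switching.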
@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kpasswdd,v 1.3 2004/09/13 22:44:54 solar Exp $
+
+depend() {
+ need net
+ use heimdal-kdc
+ after logger
+}
+
+start() {
+ ebegin "Starting heimdal kpasswdd"
+ start-stop-daemon --background --start --quiet --exec \
+ /usr/sbin/kpasswdd
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping heimdal kpasswdd"
+ start-stop-daemon --stop --quiet --exec \
+ /usr/sbin/kpasswdd
+ eend $?
+}
diff --git a/skip/heimdal/heimdal.xibuild b/skip/heimdal/heimdal.xibuild
new file mode 100644
index 0000000..0fcba4b
--- /dev/null
+++ b/skip/heimdal/heimdal.xibuild
@@ -0,0 +1,82 @@
+#!/bin/sh
+
+NAME="heimdal"
+DESC="Implementation of Kerberos 5"
+
+MAKEDEPS="xipkg openssl e2fsprogs autoconf automake bash gawk libtool ncurses perl readline sqlite3 texinfo perl-json gdbm "
+
+PKG_VER=7.7.0
+SOURCE="https://github.com/heimdal/heimdal/releases/download/heimdal-$PKG_VER/heimdal-$PKG_VER.tar.gz"
+
+ADDITIONAL="
+005_all_heimdal-suid_fix.patch
+CVE-2018-16860.patch
+autoconf-270.patch
+heimdal-kadmind.initd
+heimdal-kdc.initd
+heimdal-kpasswdd.initd
+heimdal_missing-include.patch
+silence-include-headers-redirect-warnings.patch
+"
+
+prepare() {
+ [ -e /usr/lib/libasn1.so ] && xi -yl remove heimdal
+ apply_patches
+ sh ./autogen.sh
+}
+
+build() {
+ export LDFLAGS="$LDFLAGS -Wl,--as-needed"
+
+ ./configure \
+ --build=$CBUILD \
+ --host=$CHOST \
+ --prefix=/usr \
+ --enable-shared=yes \
+ --without-x \
+ --without-berkeley-db \
+ --with-readline-lib=/usr/lib \
+ --with-readline-include=/usr/include/readline \
+ --with-sqlite3=/usr \
+ --without-openssl \
+ --with-db-type-preference=
+
+ # make sure we use system version
+ rm -r lib/sqlite lib/com_err
+
+ # workarount a parallell build issue
+ make -C lib/asn1 der-protos.h der-private.h
+ make -C lib/kadm5 kadm5-protos.h kadm5-private.h kadm5_err.h
+ make -C lib/krb5 krb5-protos.h krb5-private.h krb5_err.h krb_err.h \
+ heim_err.h k524_err.h
+ make -C lib/hx509 hx509-private.h hx509-protos.h
+ make
+}
+
+package() {
+ make DESTDIR="$PKG_DEST" exec_prefix=/usr sysconfdir=/etc \
+ mandir=/usr/share/man infodir=/usr/share/info datadir=/var/lib/heimdal \
+ localstatedir=/var/lib/heimdal libexecdir=/usr/sbin install
+
+
+ install -m755 -D "$BUILD_ROOT"/heimdal-kadmind.initd \
+ "$PKG_DEST"/etc/init.d/heimdal-kadmind
+ install -m755 -D "$BUILD_ROOT"/heimdal-kdc.initd \
+ "$PKG_DEST"/etc/init.d/heimdal-kdc
+ install -m755 -D "$BUILD_ROOT"/heimdal-kpasswdd.initd \
+ "$PKG_DEST"/etc/init.d/heimdal-kpasswdd
+
+ for i in 1 3 5 8; do
+ rm -rf "$PKG_DEST"/usr/share/man/cat$i
+ done
+
+ # Remove
conflicts
+ # e2fsprogs
+ rm -f "$PKG_DEST"/usr/bin/compile_et \
+ "$PKG_DEST"/usr/share/man/man1/compile_et.1
+
+ # Compress info pages
+ for page in heimdal hx509; do
+ gzip -9 "$PKG_DEST"/usr/share/info/$page.info
+ done
+}
diff --git a/skip/heimdal/heimdal_missing-include.patch b/skip/heimdal/heimdal_missing-include.patch
new file mode 100644
index 0000000..8cca906
--- /dev/null
+++ b/skip/heimdal/heimdal_missing-include.patch
@@ -0,0 +1,11 @@
+--- lib/base/test_base.c 2011-09-30 15:58:45.000000000 +0300
++++ b/lib/base/test_base.c 2011-12-27 23:04:50.482955923 +0200
+@@ -39,6 +39,8 @@
+ #include "heimbase.h"
+ #include "heimbasepriv.h"
+ 
++#include
++
+ static void
+ memory_free(heim_object_t obj)
+ {
diff --git a/skip/heimdal/silence-include-headers-redirect-warnings.patch b/skip/heimdal/silence-include-headers-redirect-warnings.patch
new file mode 100644
index 0000000..4505096
--- /dev/null
+++ b/skip/heimdal/silence-include-headers-redirect-warnings.patch
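Review bot: `ADDITIONAL` lists CVE-2018-16860.patch while `PKG_VER=7.7.0`; to my knowledge upstream Heimdal shipped that exact fix (the `krb5_checksum_is_keyed` check in kdc/krb5tgs.c) in 7.6.0, so on 7.7.0 `apply_patches` in `prepare()` will most likely fail on an already-present hunk or apply it reversed — check the 7.7.0 tarball's kdc/krb5tgs.c and drop the patch if the check is already there. `prepare()` also mutates the build host with `[ -e /usr/lib/libasn1.so ] && xi -yl remove heimdal`, uninstalling whatever heimdal is present as a side effect of building; if that is needed to keep the build from linking against the installed libraries, a comment saying so would stop the next reader from removing it, and otherwise it belongs outside the build script. `MAKEDEPS` names openssl but configure is passed `--without-openssl`, so the build uses the bundled hcrypto; if that is intended, say so in a comment and openssl can leave MAKEDEPS. Neither `rm -r lib/sqlite lib/com_err` nor the individual `make -C` calls are checked and the script has no `set -e`, so a failure there continues into the final `make` unless the build harness runs these functions under errexit, which is not visible here.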
@@ -0,0 +1,80 @@
+From 2eb67c91834a21e68c90380254c7c10ffe03a7ca Mon Sep 17 00:00:00 2001
+From: Leonardo Arena
+Date: Thu, 14 Apr 2022 08:47:15 +0000
+Subject: [PATCH] silence include header warnings
+
+---
+ cf/roken-frag.m4 | 1 -
+ configure | 2 +-
+ lib/ipc/hi_locl.h | 2 +-
+ lib/krb5/krb5_locl.h | 2 +-
+ lib/roken/getifaddrs.c | 2 +-
+ 5 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/cf/roken-frag.m4 b/cf/roken-frag.m4
+index f22b43a..589b2cc 100644
+--- a/cf/roken-frag.m4
++++ b/cf/roken-frag.m4
+@@ -73,7 +73,6 @@ AC_CHECK_HEADERS([\
+ stdint.h \
+ sys/auxv.h \
+ sys/bswap.h \
+- sys/errno.h \
+ sys/ioctl.h \
+ sys/mman.h \
+ sys/param.h \
+diff --git a/configure b/configure
+index 4cefc43..bc3bf78 100755
+--- a/configure
++++ b/configure
+@@ -17965,7 +17965,7 @@ for ac_header in \
+ stdint.h \
+ sys/auxv.h \
+ sys/bswap.h \
+- sys/errno.h \
++ errno.h \
+ sys/ioctl.h \
+ sys/mman.h \
+ sys/param.h \
+diff --git a/lib/ipc/hi_locl.h b/lib/ipc/hi_locl.h
+index 7efe6ca..3195b44 100644
+--- a/lib/ipc/hi_locl.h
++++ b/lib/ipc/hi_locl.h
+@@ -41,7 +41,7 @@
+ #include
+ #endif
+
+-#include
++#include
+
+ #include
+ #include
+diff --git a/lib/krb5/krb5_locl.h b/lib/krb5/krb5_locl.h
+index b64f3a9..f62c40d 100644
+--- a/lib/krb5/krb5_locl.h
++++ b/lib/krb5/krb5_locl.h
+@@ -44,7 +44,7 @@
+ #include
+
+ #ifdef HAVE_POLL_H
+-#include
++#include
+ #endif
+
+ #include
+diff --git a/lib/roken/getifaddrs.c b/lib/roken/getifaddrs.c
+index cc949b0..a82adc5 100644
+--- a/lib/roken/getifaddrs.c
++++ b/lib/roken/getifaddrs.c
+@@ -120,7 +120,7 @@ struct mbuf;
+ #include
+ #include
+ #include
+-#include
++#include
+ #include
+ #include /* the L2 protocols */
+ #include
+--
+2.35.1
+
-- cgit v1.2.1