diff options
Diffstat (limited to 'meta-openembedded/meta-oe/recipes-connectivity')
-rw-r--r-- | meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch | 121 | ||||
-rw-r--r-- | meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-37750.patch | 53 | ||||
-rw-r--r-- | meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb | 2 | ||||
-rw-r--r-- | meta-openembedded/meta-oe/recipes-connectivity/libqmi/libqmi_1.30.2.bb (renamed from meta-openembedded/meta-oe/recipes-connectivity/libqmi/libqmi_1.30.0.bb) | 2 | ||||
-rw-r--r-- | meta-openembedded/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.2.2.bb (renamed from meta-openembedded/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.2.1.bb) | 2 | ||||
-rw-r--r-- | meta-openembedded/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb | 6 |
6 files changed, 181 insertions, 5 deletions
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch new file mode 100644 index 000000000..fee6e64c1 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch @@ -0,0 +1,121 @@ +From fc98f520caefff2e5ee9a0026fdf5109944b3562 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Wed, 7 Jul 2021 11:47:44 +1200 +Subject: [PATCH] Fix KDC null deref on bad encrypted challenge + +The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check +to avoid further processing if the armor key is NULL. However, this +check is bypassed by a call to k5memdup0() which overwrites retval +with 0 if the allocation succeeds. If the armor key is NULL, a call +to krb5_c_fx_cf2_simple() will then dereference it, resulting in a +crash. Add a check before the k5memdup0() call to avoid overwriting +retval. + +CVE-2021-36222: + +In MIT krb5 releases 1.16 and later, an unauthenticated attacker can +cause a null dereference in the KDC by sending a request containing a +PA-ENCRYPTED-CHALLENGE padata element without using FAST. + +[ghudson@mit.edu: trimmed patch; added test case; edited commit +message] + +ticket: 9007 (new) +tags: pullup +target_version: 1.19-next +target_version: 1.18-next + +CVE: CVE-2021-36222 + +Upstream-Status: Backport +[https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + src/kdc/kdc_preauth_ec.c | 3 ++- + src/tests/Makefile.in | 1 + + src/tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++ + 3 files changed, 49 insertions(+), 1 deletion(-) + create mode 100644 src/tests/t_cve-2021-36222.py + +diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c +index 7e636b3f9..43a9902cc 100644 +--- a/src/kdc/kdc_preauth_ec.c ++++ b/src/kdc/kdc_preauth_ec.c +@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, + } + + /* Check for a configured FAST ec auth indicator. */ +- realmstr = k5memdup0(realm.data, realm.length, &retval); ++ if (retval == 0) ++ realmstr = k5memdup0(realm.data, realm.length, &retval); + if (realmstr != NULL) + retval = profile_get_string(context->profile, KRB5_CONF_REALMS, + realmstr, +diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in +index fc6fcc0c3..1a1938306 100644 +--- a/src/tests/Makefile.in ++++ b/src/tests/Makefile.in +@@ -166,6 +166,7 @@ check-pytests: unlockiter s4u2self + $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS) ++ $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS) + $(RM) au.log + $(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \ +diff --git a/src/tests/t_cve-2021-36222.py b/src/tests/t_cve-2021-36222.py +new file mode 100644 +index 000000000..57e04993b +--- /dev/null ++++ b/src/tests/t_cve-2021-36222.py +@@ -0,0 +1,46 @@ ++import socket ++from k5test import * ++ ++realm = K5Realm() ++ ++# CVE-2021-36222 KDC null dereference on encrypted challenge preauth ++# without FAST ++ ++s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) ++a = (hostname, realm.portbase) ++ ++m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE ++ 'A103' '0201' '05' # [1] pvno = 5 ++ 'A203' '0201' '0A' # [2] msg-type = 10 ++ 'A30E' '300C' # [3] padata = SEQUENCE OF ++ '300A' # SEQUENCE ++ 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE ++ 'A202' '0400' # [2] padata-value = "" ++ 'A48180' '307E' # [4] req-body = SEQUENCE ++ 'A007' '0305' '0000000000' # [0] kdc-options = 0 ++ 'A120' '301E' # [1] cname = SEQUENCE ++ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL ++ 'A117' '3015' # [1] name-string = SEQUENCE-OF ++ '1B06' '6B7262746774' # krbtgt ++ '1B0B' '4B5242544553542E434F4D' ++ # KRBTEST.COM ++ 'A20D' '1B0B' '4B5242544553542E434F4D' ++ # [2] realm = KRBTEST.COM ++ 'A320' '301E' # [3] sname = SEQUENCE ++ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL ++ 'A117' '3015' # [1] name-string = SEQUENCE-OF ++ '1B06' '6B7262746774' # krbtgt ++ '1B0B' '4B5242544553542E434F4D' ++ # KRBTEST.COM ++ 'A511' '180F' '31393934303631303036303331375A' ++ # [5] till = 19940610060317Z ++ 'A703' '0201' '00' # [7] nonce = 0 ++ 'A808' '3006' # [8] etype = SEQUENCE OF ++ '020112' '020111') # aes256-cts aes128-cts ++ ++s.sendto(bytes.fromhex(m), a) ++ ++# Make sure kinit still works. ++realm.kinit(realm.user_princ, password('user')) ++ ++success('CVE-2021-36222 regression test') +-- +2.25.1 + diff --git a/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-37750.patch b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-37750.patch new file mode 100644 index 000000000..c67bca32e --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-37750.patch @@ -0,0 +1,53 @@ +From b3999be7ab59a5af4b2f1042ce0d6b03ecb17d4e Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Tue, 3 Aug 2021 01:15:27 -0400 +Subject: [PATCH] Fix KDC null deref on TGS inner body null server + +After the KDC decodes a FAST inner body, it does not check for a null +server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this +would typically result in an error from krb5_unparse_name(), but with +the addition of get_local_tgt() it results in a null dereference. Add +a null check. + +Reported by Joseph Sutton of Catalyst. + +CVE-2021-37750: + +In MIT krb5 releases 1.14 and later, an authenticated attacker can +cause a null dereference in the KDC by sending a FAST TGS request with +no server field. + +ticket: 9008 (new) +tags: pullup +target_version: 1.19-next +target_version: 1.18-next + +CVE: CVE-2021-37750 + +Upstream-Status: Backport +[https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + src/kdc/do_tgs_req.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c +index 587342a..622b48f 100644 +--- a/src/kdc/do_tgs_req.c ++++ b/src/kdc/do_tgs_req.c +@@ -201,6 +201,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, + status = "FIND_FAST"; + goto cleanup; + } ++ if (sprinc == NULL) { ++ status = "NULL_SERVER"; ++ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; ++ goto cleanup; ++ } + + errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server, + &local_tgt, &local_tgt_storage); +-- +2.17.1 + diff --git a/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb index 6c4b4575e..6e0b2fdac 100644 --- a/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb +++ b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb @@ -30,6 +30,8 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \ file://etc/default/krb5-admin-server \ file://krb5-kdc.service \ file://krb5-admin-server.service \ + file://CVE-2021-36222.patch;striplevel=2 \ + file://CVE-2021-37750.patch;striplevel=2 \ " SRC_URI[md5sum] = "aa4337fffa3b61f22dbd0167f708818f" SRC_URI[sha256sum] = "1a4bba94df92f6d39a197a10687653e8bfbc9a2076e129f6eb92766974f86134" diff --git a/meta-openembedded/meta-oe/recipes-connectivity/libqmi/libqmi_1.30.0.bb b/meta-openembedded/meta-oe/recipes-connectivity/libqmi/libqmi_1.30.2.bb index 61fe0eef8..c337abde3 100644 --- a/meta-openembedded/meta-oe/recipes-connectivity/libqmi/libqmi_1.30.0.bb +++ b/meta-openembedded/meta-oe/recipes-connectivity/libqmi/libqmi_1.30.2.bb @@ -14,7 +14,7 @@ inherit autotools pkgconfig bash-completion gobject-introspection SRC_URI = "http://www.freedesktop.org/software/${BPN}/${BPN}-${PV}.tar.xz" -SRC_URI[sha256sum] = "c039cdb5d3522b45a50d2287ab6311cdc9f99d46a719a1ea4beb7591787b8a1b" +SRC_URI[sha256sum] = "be01ece0ea2c2194cbea5744bf5aaf06c04ba5fb7ec7887a13116c76d114fedd" PACKAGECONFIG ??= "udev mbim" PACKAGECONFIG[udev] = ",--without-udev,libgudev" diff --git a/meta-openembedded/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.2.1.bb b/meta-openembedded/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.2.2.bb index 8601a2c04..a5fcb8d72 100644 --- a/meta-openembedded/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.2.1.bb +++ b/meta-openembedded/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.2.2.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c8bea43a2eb5d713c338819a0be07797" DEPENDS = "zlib" S = "${WORKDIR}/git" -SRCREV = "8a580b59b23d204ca72028370e97a8f6aa0c9202" +SRCREV = "8d605f0649ed1ab6d27a443c7688598ea21fdb75" SRC_URI = "git://github.com/warmcat/libwebsockets.git;protocol=https;branch=v4.2-stable" UPSTREAM_CHECK_URI = "https://github.com/warmcat/${BPN}/releases" diff --git a/meta-openembedded/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb b/meta-openembedded/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb index 61ea68a60..270df6f0e 100644 --- a/meta-openembedded/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb +++ b/meta-openembedded/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb @@ -4,10 +4,10 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=db174eaf7b55a34a7c89551197f66e94" DEPENDS = "zeromq" -SRCREV = "76bf169fd67b8e99c1b0e6490029d9cd5ef97666" -PV = "4.7.1" +SRCREV = "267d300d1c99381a0fbc7e060ae2899e51f5e425" +PV = "4.8.0" -SRC_URI = "git://github.com/zeromq/cppzmq.git;branch=bugfix-4-7-1" +SRC_URI = "git://github.com/zeromq/cppzmq.git;branch=master" S = "${WORKDIR}/git" |