From 82af55bf0aa59dbde120f86f90affdf8d61f71e5 Mon Sep 17 00:00:00 2001
From: Xu Raoqing
Date: Tue, 12 Aug 2025 16:00:29 +0800
Subject: [PATCH] fix CVE-2025-3576
Signed-off-by: Xu Raoqing
---
 backport-0001-fix-CVE-2025-3576.patch | 53 +++++
 backport-0002-fix-CVE-2025-3576.patch | 287 ++++++++++++++++++++++++++
 krb5.spec | 7 +-
 3 files changed, 346 insertions(+), 1 deletion(-)
 create mode 100644 backport-0001-fix-CVE-2025-3576.patch
 create mode 100644 backport-0002-fix-CVE-2025-3576.patch
diff --git a/backport-0001-fix-CVE-2025-3576.patch b/backport-0001-fix-CVE-2025-3576.patch
new file mode 100644
index 0000000..6014784
--- /dev/null
+++ b/backport-0001-fix-CVE-2025-3576.patch
@@ -0,0 +1,53 @@
+From 2cbd847e0e92bc4e219b65c770ae33f851b22afc Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Wed, 14 Dec 2022 13:20:46 -0500
+Subject: [PATCH] In KDC, assume all services support aes256-sha1
+
+To facilitate negotiating session keys with acceptable security,
+assume that services support aes256-cts-hmac-sha1 unless a
+session_enctypes string attribute says otherwise.
+
+ticket: 9075
+
+Reference:https://github.com/krb5/krb5/commit/2cbd847e0e92bc4e219b65c770ae33f851b22afc
+Conflict:src/kdc/kdc_util.c
+
+---
+ src/kdc/kdc_util.c | 4 ++++
+ src/tests/t_keyrollover.py | 6 +++---
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index c65375a..4bffb26 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -929,6 +929,10 @@ dbentry_supports_enctype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server,
+ free(etypes_str);
+ free(etypes);
+ 
++ /* Assume every server without a session_enctypes attribute supports
++ * aes256-cts-hmac-sha1-96. */
++ if (enctype == ENCTYPE_AES256_CTS_HMAC_SHA1_96)
++ return TRUE;
+ /* Assume the server supports any enctype it has a long-term key for. */
+ return !krb5_dbe_find_enctype(kdc_context, server, enctype, -1, 0, &datap);
+ }
+diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
+index f29e0d5..583c2fa 100755
+--- a/src/tests/t_keyrollover.py
++++ b/src/tests/t_keyrollover.py
+@@ -22,9 +22,9 @@ realm.run([kvno, princ1])
+ realm.run([kadminl, 'purgekeys', realm.krbtgt_princ])
+ # Make sure an old TGT fails after purging old TGS key.
+ realm.run([kvno, princ2], expected_code=1)
+-et = "aes128-cts-hmac-sha256-128"
+-msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): %s, %s' % \
+- (realm.realm, realm.realm, et, et)
++msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
++ 'aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha256-128' % \
++ (realm.realm, realm.realm)
+ realm.run([klist, '-e'], expected_msg=msg)
+ 
+ # Check that new key actually works.
+-- 
+2.33.0
diff --git a/backport-0002-fix-CVE-2025-3576.patch b/backport-0002-fix-CVE-2025-3576.patch
new file mode 100644
index 0000000..2dacd64
--- /dev/null
+++ b/backport-0002-fix-CVE-2025-3576.patch
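Review bot: The new unconditional `return TRUE;` for ENCTYPE_AES256_CTS_HMAC_SHA1_96 in dbentry_supports_enctype is only safe if the session_enctypes branch above it still returns before reaching the two `free()` calls shown here, and the backport header records a manual conflict resolution in src/kdc/kdc_util.c, so that ordering should be re-checked against the 1.19.2 tree; the start of dbentry_supports_enctype is outside this hunk. As far as I recall, upstream returns `in_list` from inside the session_enctypes branch, which is what lets an administrator's `session_enctypes` string exclude aes256-cts-hmac-sha1-96 — the guarantee the companion enctypes.rst change advertises ("overriding ... the assumption of aes256-cts-hmac-sha1-96 support"). If the resolved function instead falls through to this point when the attribute is set, the attribute can no longer exclude aes256-sha1 and the KDC will issue session keys the service never opted into. A passing t_sesskeynego.py test 3a (session_enctypes aes128-cts,aes256-cts yielding an aes128 session key) from the second backport would settle it, so it is worth confirming that test actually ran during the build.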
@@ -0,0 +1,287 @@
+From 1b57a4d134bbd0e7c52d5885a92eccc815726463 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Fri, 16 Dec 2022 18:31:07 -0500
+Subject: [PATCH] Don't issue session keys with deprecated enctypes
+
+A paper by Tom Tervoort noted that rc4-hmac pre-hashes the input for
+its checksum and GSS operations before applying HMAC, and is therefore
+potentially vulnerable to hash collision attacks if a protocol
+contains a restricted signing oracle.
+
+In light of these potential attacks, begin the functional deprecation
+of DES3 and RC4 by disallowing their use as session key enctypes by
+default. Add the variables allow_des3 and allow_rc4 in case
+negotiability of these enctypes for session keys needs to be turned
+back on, with the expectation that in future releases the enctypes
+will be more comprehensively deprecated.
+
+ticket: 9081
+
+Reference:https://github.com/krb5/krb5/commit/1b57a4d134bbd0e7c52d5885a92eccc815726463
+Conflict:doc/admin/conf_files/krb5_conf.rst, doc/admin/enctypes.rst src/include/k5-int.h, src/kdc/kdc_util.c
+ src/lib/krb5/krb/init_ctx.c,src/tests/t_sesskeynego.py,src/util/k5test.py
+
+---
+ doc/admin/conf_files/krb5_conf.rst | 6 ++++++
+ doc/admin/enctypes.rst | 16 ++++++++++++---
+ src/include/k5-int.h | 2 ++
+ src/kdc/kdc_util.c | 8 ++++++++
+ src/lib/krb5/krb/get_in_tkt.c | 31 +++++++++++++++++++-----------
+ src/lib/krb5/krb/init_ctx.c | 5 +++++
+ src/tests/gssapi/t_enctypes.py | 3 ++-
+ src/tests/t_etype_info.py | 2 +-
+ src/tests/t_sesskeynego.py | 20 +++++++++++++++++--
+ src/util/k5test.py | 2 +-
+ 10 files changed, 76 insertions(+), 19 deletions(-)
+
+diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
+index 6751759..11b2026 100644
+--- a/doc/admin/conf_files/krb5_conf.rst
++++ b/doc/admin/conf_files/krb5_conf.rst
+@@ -95,6 +95,12 @@ Additionally, krb5.conf may include any of the relations described in
+ 
+ The libdefaults section may contain any of the following relations:
+ 
++**allow_rc4**
++ Permit the KDC to issue tickets with arcfour-hmac session keys.
++ In future releases, this flag will allow arcfour-hmac to be used
++ at all. The default value for this tag is false. (Added in
++ release 1.21.)
++
+ **allow_weak_crypto**
+ If this flag is set to false, then weak encryption types (as noted
+ in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered
+diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
+index c4d5499..b79c457 100644
+--- a/doc/admin/enctypes.rst
++++ b/doc/admin/enctypes.rst
+@@ -48,12 +48,15 @@ Session key selection
+ The KDC chooses the session key enctype by taking the intersection of
+ its **permitted_enctypes** list, the list of long-term keys for the
+ most recent kvno of the service, and the client's requested list of
+-enctypes.
++enctypes. Starting in krb5-1.21, all services are assumed to support
++aes256-cts-hmac-sha1-96; also arcfour-hmac session keys will not be
++issued by default.
+ 
+ Starting in krb5-1.11, it is possible to set a string attribute on a
+ service principal to control what session key enctypes the KDC may
+-issue for service tickets for that principal. See :ref:`set_string`
+-in :ref:`kadmin(1)` for details.
++issue for service tickets for that principal, overriding the service's
++long-term keys and the assumption of aes256-cts-hmac-sha1-96 support.
++See :ref:`set_string` in :ref:`kadmin(1)` for details.
+ 
+ 
+ Choosing enctypes for a service
+@@ -87,6 +90,13 @@ affect how enctypes are chosen.
+ acceptable risk for your environment and the weak enctypes are
+ required for backward compatibility.
+ 
++**allow_rc4**
++ was added in release 1.21 and defaults to *false*. Unless this
++ flag is set to *true*, the KDC will not issue tickets with
++ arcfour-hmac session keys. In a future release, this flag will
++ control whether arcfour-hmac is permitted in similar fashion to
++ weak enctypes.
++
+ **permitted_enctypes**
+ controls the set of enctypes that a service will permit for
+ session keys and for ticket and authenticator encryption. The KDC
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index 0f99136..64698b5 100644
+--- a/src/include/k5-int.h
++++ b/src/include/k5-int.h
+@@ -181,6 +181,7 @@ typedef unsigned char u_char;
+ * matches the variable name. Keep these alphabetized. */
+ #define KRB5_CONF_ACL_FILE "acl_file"
+ #define KRB5_CONF_ADMIN_SERVER "admin_server"
++#define KRB5_CONF_ALLOW_RC4 "allow_rc4"
+ #define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
+ #define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local"
+ #define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names"
+@@ -1258,6 +1259,7 @@ struct _krb5_context {
+ struct _kdb_log_context *kdblog_context;
+ 
+ krb5_boolean allow_weak_crypto;
++ krb5_boolean allow_rc4;
+ krb5_boolean ignore_acceptor_hostname;
+ krb5_boolean enforce_ok_as_delegate;
+ enum dns_canonhost dns_canonicalize_hostname;
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 4bffb26..49a050d 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -955,6 +955,14 @@ select_session_keytype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server,
+ if (!krb5_is_permitted_enctype(kdc_context, ktype[i]))
+ continue;
+ 
++ /*
++ * Prevent these deprecated enctypes from being used as session keys
++ * unless they are explicitly allowed. In the future they will be more
++ * comprehensively disabled and eventually removed.
++ */
++ if (ktype[i] == ENCTYPE_ARCFOUR_HMAC && !kdc_context->allow_rc4)
++ continue;
++
+ if (dbentry_supports_enctype(kdc_active_realm, server, ktype[i]))
+ return ktype[i];
+ }
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index 7e0b788..1ee3d1e 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
++++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -1588,22 +1588,31 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
+ (*prompter)(context, data, 0, banner, 0, 0);
+ }
+ 
+-/* Display a warning via the prompter if des3-cbc-sha1 was used for either the
+- * reply key or the session key. */
++/* Display a warning via the prompter if a deprecated enctype was used for
++ * either the reply key or the session key. */
+ static void
+-warn_des3(krb5_context context, krb5_init_creds_context ctx,
+- krb5_enctype as_key_enctype)
++warn_deprecated(krb5_context context, krb5_init_creds_context ctx,
++ krb5_enctype as_key_enctype)
+ {
+- const char *banner;
++ krb5_enctype etype;
++ char encbuf[128], banner[256];
+ 
+- if (as_key_enctype != ENCTYPE_DES3_CBC_SHA1 &&
+- ctx->cred.keyblock.enctype != ENCTYPE_DES3_CBC_SHA1)
+- return;
+ if (ctx->prompter == NULL)
+ return;
+ 
+- banner = _("Warning: encryption type des3-cbc-sha1 used for "
+- "authentication is weak and will be disabled");
++ if (krb5int_c_deprecated_enctype(as_key_enctype))
++ etype = as_key_enctype;
++ else if (krb5int_c_deprecated_enctype(ctx->cred.keyblock.enctype))
++ etype = ctx->cred.keyblock.enctype;
++ else
++ return;
++
++ if (krb5_enctype_to_name(etype, FALSE, encbuf, sizeof(encbuf)) != 0)
++ return;
++ snprintf(banner, sizeof(banner),
++ _("Warning: encryption type %s used for authentication is "
++ "deprecated and will be disabled"), encbuf);
++
+ /* PROMPTER_INVOCATION */
+ (*ctx->prompter)(context, ctx->prompter_data, NULL, banner, 0, NULL);
+ }
+@@ -1821,7 +1830,7 @@ init_creds_step_reply(krb5_context context,
+ ctx->complete = TRUE;
+ warn_pw_expiry(context,
ctx->opt, ctx->prompter, ctx->prompter_data,
+ ctx->in_tkt_service, ctx->reply);
+- warn_des3(context, ctx, encrypting_key.enctype);
++ warn_deprecated(context, ctx, encrypting_key.enctype);
+ 
+ cleanup:
+ krb5_free_pa_data(context, kdc_padata);
+diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
+index 272015a..9c0d45b 100644
+--- a/src/lib/krb5/krb/init_ctx.c
++++ b/src/lib/krb5/krb/init_ctx.c
+@@ -226,6 +226,11 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
+ goto cleanup;
+ ctx->allow_weak_crypto = tmp;
+ 
++ retval = get_boolean(ctx, KRB5_CONF_ALLOW_RC4, 0, &tmp);
++ if (retval)
++ goto cleanup;
++ ctx->allow_rc4 = tmp;
++
+ retval = get_boolean(ctx, KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME, 0, &tmp);
+ if (retval)
+ goto cleanup;
+diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
+index 2f95d89..77069d2 100755
+--- a/src/tests/gssapi/t_enctypes.py
++++ b/src/tests/gssapi/t_enctypes.py
+@@ -11,7 +11,8 @@ d_rc4 = 'DEPRECATED:arcfour-hmac'
+ # These tests make assumptions about the default enctype lists, so set
+ # them explicitly rather than relying on the library defaults.
+ supp='aes256-cts:normal aes128-cts:normal rc4-hmac:normal'
+-conf = {'libdefaults': {'permitted_enctypes': 'aes rc4'},
++conf = {'libdefaults': {'permitted_enctypes': 'aes rc4',
++ 'allow_rc4': 'true'},
+ 'realms': {'$realm': {'supported_enctypes': supp}}}
+ realm = K5Realm(krb5_conf=conf)
+ shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))
+diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
+index 96e90a6..e82ff7f 100644
+--- a/src/tests/t_etype_info.py
++++ b/src/tests/t_etype_info.py
+@@ -1,7 +1,7 @@
+ from k5test import *
+ 
+ supported_enctypes = 'aes128-cts rc4-hmac'
+-conf = {'libdefaults': {'allow_weak_crypto': 'true'},
++conf = {'libdefaults': {'allow_rc4': 'true'},
+ 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
+ realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
+ 
+diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
+index 9024aee..c7dba0f 100755
+--- a/src/tests/t_sesskeynego.py
++++ b/src/tests/t_sesskeynego.py
+@@ -25,6 +25,7 @@ conf3 = {'libdefaults': {
+ 'default_tkt_enctypes': 'aes128-cts',
+ 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}}
+ conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}}
++conf5 = {'libdefaults': {'allow_rc4': 'true'}}
+ # Test with client request and session_enctypes preferring aes128, but
+ # aes256 long-term key.
+ realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
+@@ -54,10 +55,12 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
+ 'aes128-cts,aes256-cts'])
+ test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
+ 
+-# 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term.
++# 3b: Skip RC4 (as the KDC does not allow it for session keys by
++# default) and negotiate aes128-cts session key, with only an aes256
++# long-term service key.
+ realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
+ 'rc4-hmac,aes128-cts,aes256-cts'])
+-test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
++test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
+ realm.stop()
+ 
+ # 4: Check that permitted_enctypes is a default for session key enctypes.
+@@ -67,4 +70,17 @@ realm.run([kvno, 'user'],
+ expected_trace=('etypes requested in TGS request: aes256-cts',))
+ realm.stop()
+ 
++# 5: allow_rc4 permits negotiation of rc4-hmac session key.
++realm = K5Realm(krb5_conf=conf5, create_host=False, get_creds=False)
++realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
++realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac'])
++test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
++realm.stop()
++
++# 7: default config negotiates aes256-sha1 session key for RC4-only service.
++realm = K5Realm(create_host=False, get_creds=False)
++realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server'])
++test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'DEPRECATED:arcfour-hmac')
++realm.stop()
++
+ success('sesskeynego')
+diff --git a/src/util/k5test.py b/src/util/k5test.py
+index 789b0f4..e571705 100644
+--- a/src/util/k5test.py
++++ b/src/util/k5test.py
+@@ -1280,7 +1280,7 @@ _passes = [
+ 
+ # Exercise the arcfour enctype.
+ ('arcfour', None,
+- {'libdefaults': {'permitted_enctypes': 'rc4'}},
++ {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}},
+ {'realms': {'$realm': {
+ 'supported_enctypes': 'arcfour-hmac:normal',
+ 'master_key_type': 'arcfour-hmac'}}}),
+-- 
+2.33.0
diff --git a/krb5.spec b/krb5.spec
index fa35c94..be19578 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -3,7 +3,7 @@ Name: krb5
 Version: 1.19.2
-Release: 25
+Release: 26
 Summary: The Kerberos network authentication protocol
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
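Review bot: The backported commit message still says it adds `allow_des3` and `allow_rc4`, but the select_session_keytype hunk in src/kdc/kdc_util.c only adds the `ktype[i] == ENCTYPE_ARCFOUR_HMAC && !kdc_context->allow_rc4` check, the k5-int.h, init_ctx.c and krb5_conf.rst hunks likewise carry only allow_rc4, and the t_sesskeynego.py numbering jumping from `# 5:` to `# 7:` suggests the des3 test case was dropped along with it. If leaving des3-cbc-sha1 negotiable is intentional for 1.19.2 (CVE-2025-3576 concerns rc4-hmac), record that in the `Conflict:` header of this backport so nobody later assumes DES3 session keys are refused here too; otherwise carry the `allow_des3` half across as well. Either way the plural comment above the new check, `Prevent these deprecated enctypes from being used as session keys`, should be narrowed to `Prevent rc4-hmac from being used as a session key` so it matches what the code does. Note for the distro docs that `allow_rc4` is read via `get_boolean(ctx, KRB5_CONF_ALLOW_RC4, 0, &tmp)` in krb5_init_context_profile, i.e. from the KDC's `[libdefaults]`, which is where administrators with RC4-only services will need to set it after this upgrade.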
@@ -77,6 +77,8 @@ Patch53: backport-Fix-conditional-in-kadm5_chpass_principal_3.patch
 Patch54: backport-Fix-correctness-in-LDAP-delegation-ACL-checking.patch
 Patch55: backport-Fix-kdb5_util-ark-with-no-e-option.patch
 Patch56: backport-Fix-typo-in-AS-REQ-client-code.patch
+Patch57: backport-0001-fix-CVE-2025-3576.patch
+Patch58: backport-0002-fix-CVE-2025-3576.patch
 BuildRequires: gettext
 BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@@ -369,6 +371,9 @@ make -C src check || :
 %changelog
+* Tue Aug 12 2025 XuRaoqing - 1.19.2-26
+- fix CVE-2025-3576
+
 * Mon Aug 11 2025 Linux_zhang - 1.19.2-25
 - backport upstream patches
-- 
Gitee
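Review bot: Patch57 and Patch58 are only declared here; whether they are applied depends on the %prep section, which is outside SOURCE, so confirm it uses `%autosetup -p1` or an explicit `%patch57 -p1` / `%patch58 -p1` pair. More importantly, the backported test changes in t_sesskeynego.py and t_keyrollover.py are the only thing checking that the KDC now refuses rc4-hmac session keys, but the build runs `make -C src check || :` (visible as hunk-header context for the %changelog hunk), so a mis-resolved conflict in either backport would not fail the build. For a CVE fix, consider dropping the `|| :` or at least verifying in the build log that `sesskeynego` and `keyrollover` pass before publishing 1.19.2-26. The changelog entry could also name the two upstream commits (2cbd847e and 1b57a4d1) so the fix is traceable without opening the patch files.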