diff --git a/backport-0001-fix-CVE-2025-3576.patch b/backport-0001-fix-CVE-2025-3576.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6014784f8fc6c7e3051229a5bc3a91cff1e738dc
--- /dev/null
+++ b/backport-0001-fix-CVE-2025-3576.patch
@@ -0,0 +1,53 @@
+From 2cbd847e0e92bc4e219b65c770ae33f851b22afc Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Wed, 14 Dec 2022 13:20:46 -0500
+Subject: [PATCH] In KDC, assume all services support aes256-sha1
+
+To facilitate negotiating session keys with acceptable security,
+assume that services support aes256-cts-hmac-sha1 unless a
+session_enctypes string attribute says otherwise.
+
+ticket: 9075
+
+Reference:https://github.com/krb5/krb5/commit/2cbd847e0e92bc4e219b65c770ae33f851b22afc
+Conflict:src/kdc/kdc_util.c
+
+---
+ src/kdc/kdc_util.c | 4 ++++
+ src/tests/t_keyrollover.py | 6 +++---
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index c65375a..4bffb26 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -929,6 +929,10 @@ dbentry_supports_enctype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server,
+ free(etypes_str);
+ free(etypes);
+
++ /* Assume every server without a session_enctypes attribute supports
++ * aes256-cts-hmac-sha1-96. */
++ if (enctype == ENCTYPE_AES256_CTS_HMAC_SHA1_96)
++ return TRUE;
+ /* Assume the server supports any enctype it has a long-term key for. */
+ return !krb5_dbe_find_enctype(kdc_context, server, enctype, -1, 0, &datap);
+ }
+diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
+index f29e0d5..583c2fa 100755
+--- a/src/tests/t_keyrollover.py
++++ b/src/tests/t_keyrollover.py
+@@ -22,9 +22,9 @@ realm.run([kvno, princ1])
+ realm.run([kadminl, 'purgekeys', realm.krbtgt_princ])
+ # Make sure an old TGT fails after purging old TGS key.
+ realm.run([kvno, princ2], expected_code=1)
+-et = "aes128-cts-hmac-sha256-128"
+-msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): %s, %s' % \
+- (realm.realm, realm.realm, et, et)
++msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
++ 'aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha256-128' % \
++ (realm.realm, realm.realm)
+ realm.run([klist, '-e'], expected_msg=msg)
+
+ # Check that new key actually works.
+--
+2.33.0
diff --git a/backport-0002-fix-CVE-2025-3576.patch b/backport-0002-fix-CVE-2025-3576.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f501d91ec0ce62f9c39878ab5876200f8b5956ae
--- /dev/null
+++ b/backport-0002-fix-CVE-2025-3576.patch
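Review bot: The early `return TRUE` added to dbentry_supports_enctype() in src/kdc/kdc_util.c makes the KDC treat every service as AES256-SHA1-capable even when its principal holds no AES key, and nothing in this backport tells administrators about that behaviour change. A service whose implementation genuinely cannot handle aes256-cts-hmac-sha1-96 would be handed session keys it cannot use until a `session_enctypes` string attribute is set on its principal, so the package changelog should say more than "backport upstream patches", for example `- Fix CVE-2025-3576: assume aes256-cts-hmac-sha1-96 session key support for all services; set session_enctypes on principals that lack it`. The session_enctypes lookup that precedes the new lines is outside the hunk, so the "without a session_enctypes attribute" condition in the comment cannot be confirmed from here. The spec context also shows `make -C src check || :`, which suggests a failure of the updated t_keyrollover.py expectation would not fail the build.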
@@ -0,0 +1,232 @@
+From 1b57a4d134bbd0e7c52d5885a92eccc815726463 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Fri, 16 Dec 2022 18:31:07 -0500
+Subject: [PATCH] Don't issue session keys with deprecated enctypes
+
+A paper by Tom Tervoort noted that rc4-hmac pre-hashes the input for
+its checksum and GSS operations before applying HMAC, and is therefore
+potentially vulnerable to hash collision attacks if a protocol
+contains a restricted signing oracle.
+
+In light of these potential attacks, begin the functional deprecation
+of DES3 and RC4 by disallowing their use as session key enctypes by
+default. Add the variables allow_des3 and allow_rc4 in case
+negotiability of these enctypes for session keys needs to be turned
+back on, with the expectation that in future releases the enctypes
+will be more comprehensively deprecated.
+
+ticket: 9081
+
+Reference:https://github.com/krb5/krb5/commit/1b57a4d134bbd0e7c52d5885a92eccc815726463
+Conflict:doc/admin/conf_files/krb5_conf.rst,doc/admin/enctypes.rst,src/include/k5-int.h,src/kdc/kdc_util.c,
+ src/lib/krb5/krb/init_ctx.c,src/tests/t_sesskeynego.py,src/util/k5test.py,
+ src/lib/krb5/krb/get_in_tkt.c
+---
+ doc/admin/conf_files/krb5_conf.rst | 6 ++++++
+ doc/admin/enctypes.rst | 16 +++++++++++++---
+ src/include/k5-int.h | 2 ++
+ src/kdc/kdc_util.c | 8 ++++++++
+ src/lib/krb5/krb/init_ctx.c | 5 +++++
+ src/tests/gssapi/t_enctypes.py | 3 ++-
+ src/tests/t_etype_info.py | 2 +-
+ src/tests/t_sesskeynego.py | 20 ++++++++++++++++++--
+ src/util/k5test.py | 2 +-
+ 9 files changed, 56 insertions(+), 8 deletions(-)
+
+diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
+index 1d2aa7f..8429e0e 100644
+--- a/doc/admin/conf_files/krb5_conf.rst
++++ b/doc/admin/conf_files/krb5_conf.rst
+@@ -95,6 +95,12 @@ Additionally, krb5.conf may include any of the relations described in
+
+ The libdefaults section may contain any of the following relations:
+
++**allow_rc4**
++ Permit the KDC to issue tickets with arcfour-hmac session keys.
++ In future releases, this flag will allow arcfour-hmac to be used
++ at all. The default value for this tag is false. (Added in
++ release 1.21.)
++
+ **allow_weak_crypto**
+ If this flag is set to false, then weak encryption types (as noted
+ in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered
+diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
+index 65b55cd..6db1820 100644
+--- a/doc/admin/enctypes.rst
++++ b/doc/admin/enctypes.rst
+@@ -48,12 +48,15 @@ Session key selection
+ The KDC chooses the session key enctype by taking the intersection of
+ its **permitted_enctypes** list, the list of long-term keys for the
+ most recent kvno of the service, and the client's requested list of
+-enctypes.
++enctypes. Starting in krb5-1.21, all services are assumed to support
++aes256-cts-hmac-sha1-96; also arcfour-hmac session keys will not be
++issued by default.
+
+ Starting in krb5-1.11, it is possible to set a string attribute on a
+ service principal to control what session key enctypes the KDC may
+-issue for service tickets for that principal. See :ref:`set_string`
+-in :ref:`kadmin(1)` for details.
++issue for service tickets for that principal, overriding the service's
++long-term keys and the assumption of aes256-cts-hmac-sha1-96 support.
++See :ref:`set_string` in :ref:`kadmin(1)` for details.
+
+
+ Choosing enctypes for a service
+@@ -87,6 +90,13 @@ affect how enctypes are chosen.
+ acceptable risk for your environment and the weak enctypes are
+ required for backward compatibility.
+
++**allow_rc4**
++ was added in release 1.21 and defaults to *false*. Unless this
++ flag is set to *true*, the KDC will not issue tickets with
++ arcfour-hmac session keys. In a future release, this flag will
++ control whether arcfour-hmac is permitted in similar fashion to
++ weak enctypes.
++
+ **permitted_enctypes**
+ controls the set of enctypes that a service will permit for
+ session keys and for ticket and authenticator encryption. The KDC
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index 1afaa51..cb08d08 100644
+--- a/src/include/k5-int.h
++++ b/src/include/k5-int.h
+@@ -181,6 +181,7 @@ typedef unsigned char u_char;
+ * matches the variable name. Keep these alphabetized. */
+ #define KRB5_CONF_ACL_FILE "acl_file"
+ #define KRB5_CONF_ADMIN_SERVER "admin_server"
++#define KRB5_CONF_ALLOW_RC4 "allow_rc4"
+ #define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
+ #define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local"
+ #define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names"
+@@ -1256,6 +1257,7 @@ struct _krb5_context {
+ struct _kdb_log_context *kdblog_context;
+
+ krb5_boolean allow_weak_crypto;
++ krb5_boolean allow_rc4;
+ krb5_boolean ignore_acceptor_hostname;
+ krb5_boolean enforce_ok_as_delegate;
+ enum dns_canonhost dns_canonicalize_hostname;
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 23aadb8..5a2589b 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -1041,6 +1041,14 @@ select_session_keytype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server,
+ if (!krb5_is_permitted_enctype(kdc_context, ktype[i]))
+ continue;
+
++ /*
++ * Prevent these deprecated enctypes from being used as session keys
++ * unless they are explicitly allowed. In the future they will be more
++ * comprehensively disabled and eventually removed.
++ */
++ if (ktype[i] == ENCTYPE_ARCFOUR_HMAC && !kdc_context->allow_rc4)
++ continue;
++
+ if (dbentry_supports_enctype(kdc_active_realm, server, ktype[i]))
+ return ktype[i];
+ }
+diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
+index 9be3daf..81915b5 100644
+--- a/src/lib/krb5/krb/init_ctx.c
++++ b/src/lib/krb5/krb/init_ctx.c
+@@ -226,6 +226,11 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
+ goto cleanup;
+ ctx->allow_weak_crypto = tmp;
+
++ retval = get_boolean(ctx, KRB5_CONF_ALLOW_RC4, 0, &tmp);
++ if (retval)
++ goto cleanup;
++ ctx->allow_rc4 = tmp;
++
+ retval = get_boolean(ctx, KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME, 0, &tmp);
+ if (retval)
+ goto cleanup;
+diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
+index 2f95d89..77069d2 100755
+--- a/src/tests/gssapi/t_enctypes.py
++++ b/src/tests/gssapi/t_enctypes.py
+@@ -11,7 +11,8 @@ d_rc4 = 'DEPRECATED:arcfour-hmac'
+ # These tests make assumptions about the default enctype lists, so set
+ # them explicitly rather than relying on the library defaults.
+ supp='aes256-cts:normal aes128-cts:normal rc4-hmac:normal'
+-conf = {'libdefaults': {'permitted_enctypes': 'aes rc4'},
++conf = {'libdefaults': {'permitted_enctypes': 'aes rc4',
++ 'allow_rc4': 'true'},
+ 'realms': {'$realm': {'supported_enctypes': supp}}}
+ realm = K5Realm(krb5_conf=conf)
+ shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))
+diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
+index ace0edc..cfdd6ab 100644
+--- a/src/tests/t_etype_info.py
++++ b/src/tests/t_etype_info.py
+@@ -1,7 +1,7 @@
+ from k5test import *
+
+ supported_enctypes = 'aes128-cts rc4-hmac'
+-conf = {'libdefaults': {'allow_weak_crypto': 'true'},
++conf = {'libdefaults': {'allow_rc4': 'true'},
+ 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
+ realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
+
+diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
+index 73a5536..43bdcd5 100755
+--- a/src/tests/t_sesskeynego.py
++++ b/src/tests/t_sesskeynego.py
+@@ -25,6 +25,7 @@ conf3 = {'libdefaults': {
+ 'default_tkt_enctypes': 'aes128-cts',
+ 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}}
+ conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}}
++conf5 = {'libdefaults': {'allow_rc4': 'true'}}
+ # Test with client request and session_enctypes preferring aes128, but
+ # aes256 long-term key.
+ realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
+@@ -54,10 +55,12 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
+ 'aes128-cts,aes256-cts'])
+ test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
+
+-# 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term.
++# 3b: Skip RC4 (as the KDC does not allow it for session keys by
++# default) and negotiate aes128-cts session key, with only an aes256
++# long-term service key.
+ realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
+ 'rc4-hmac,aes128-cts,aes256-cts'])
+-test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
++test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
+ realm.stop()
+
+ # 4: Check that permitted_enctypes is a default for session key enctypes.
+@@ -67,4 +70,17 @@ realm.run([kvno, 'user'],
+ expected_trace=('etypes requested in TGS request: aes256-cts',))
+ realm.stop()
+
++# 5: allow_rc4 permits negotiation of rc4-hmac session key.
++realm = K5Realm(krb5_conf=conf5, create_host=False, get_creds=False)
++realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
++realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac'])
++test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
++realm.stop()
++
++# 7: default config negotiates aes256-sha1 session key for RC4-only service.
++realm = K5Realm(create_host=False, get_creds=False)
++realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server'])
++test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'DEPRECATED:arcfour-hmac')
++realm.stop()
++
+ success('sesskeynego')
+diff --git a/src/util/k5test.py b/src/util/k5test.py
+index eea9227..c3ab63f 100644
+--- a/src/util/k5test.py
++++ b/src/util/k5test.py
+@@ -1301,7 +1301,7 @@ _passes = [
+
+ # Exercise the arcfour enctype.
+ ('arcfour', None,
+- {'libdefaults': {'permitted_enctypes': 'rc4'}},
++ {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}},
+ {'realms': {'$realm': {
+ 'supported_enctypes': 'arcfour-hmac:normal',
+ 'master_key_type': 'arcfour-hmac'}}}),
+--
+2.43.0
+
diff --git a/krb5.spec b/krb5.spec
index 242a94c0f687f5288cdd951e7c126a4a74be3eab..b3116a1e68ae93fe67adcdebd32007d741cc64be 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -3,7 +3,7 @@ Name: krb5 Version: 1.18.2 -Release: 18 +Release: 19 Summary: The Kerberos network authentication protocol License: MIT URL: http://web.mit.edu/kerberos/www/
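Review bot: The patch header says DES3 and RC4 are both withdrawn as session key enctypes and names `allow_des3` alongside `allow_rc4`, but the select_session_keytype() hunk only skips `ENCTYPE_ARCFOUR_HMAC`, and only `allow_rc4` is added to k5-int.h and init_ctx.c. The t_sesskeynego.py cases also jump from "# 5" to "# 7", which suggests a DES3 case was dropped during the backport, so DES3 session keys appear to remain negotiable with this package. If that is deliberate, state it in the header next to the Conflict: list and trim the DES3 wording; otherwise the gate needs a sibling check such as `if (ktype[i] == ENCTYPE_DES3_CBC_SHA1 && !kdc_context->allow_des3) continue;` plus the matching context field and profile read. The documentation hunks still say "Added in release 1.21" and "Starting in krb5-1.21" although the spec builds 1.18.2, which will mislead administrators looking for `allow_rc4`; the select_session_keytype() loop starts and ends outside the hunk.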
@@ -60,6 +60,8 @@ Patch37: backport-Fix-conditional-in-kadm5_chpass_principal_3.patch Patch38: backport-Fix-correctness-in-LDAP-delegation-ACL-checking.patch Patch39: backport-Fix-kdb5_util-ark-with-no-e-option.patch Patch40: backport-Fix-typo-in-AS-REQ-client-code.patch +Patch41: backport-0001-fix-CVE-2025-3576.patch +Patch42: backport-0002-fix-CVE-2025-3576.patch BuildRequires: gettext BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc @@ -351,6 +353,9 @@ make -C src check || : %{_mandir}/man8/* %changelog +* Tue Aug 12 2025 Xu Raoqing - 1.18.2-19 +- backport upstream patches + * Mon Aug 11 2025 Linux_zhang - 1.18.2-18 - backport upstream patches