From 1a68279642c422898363e3a27672d8b3bd43eaf0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Mon, 14 Oct 2024 14:58:14 +0200
Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 libheimdal revision 6c545f3eb69f6f265e5a1571d4a221d1
---
 .gitattributes | 23 ++
 heimdal-7.8.0-patched.tar.bz2 | 3 +
 heimdal-CVE-2022-45142.patch | 46 +++
 heimdal-patch-source.sh | 46 +++
 heimdal-patched.diff | 690 ++++++++++++++++++++++++++++++++++
 libheimdal.changes | 382 +++++++++++++++++++
 libheimdal.spec | 365 ++++++++++++++++++
 reproducible.patch | 108 ++++++
 8 files changed, 1663 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 heimdal-7.8.0-patched.tar.bz2
 create mode 100644 heimdal-CVE-2022-45142.patch
 create mode 100644 heimdal-patch-source.sh
 create mode 100644 heimdal-patched.diff
 create mode 100644 libheimdal.changes
 create mode 100644 libheimdal.spec
 create mode 100644 reproducible.patch
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..fecc750
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/heimdal-7.8.0-patched.tar.bz2 b/heimdal-7.8.0-patched.tar.bz2
new file mode 100644
index 0000000..aa82e0e
--- /dev/null
+++ b/heimdal-7.8.0-patched.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c2131e24f35f76ba1f8f588ecf8eedeb68e9589570966731d060da8adb7a4ca9
+size 7665354
diff --git a/heimdal-CVE-2022-45142.patch b/heimdal-CVE-2022-45142.patch
new file mode 100644
index 0000000..4e2ecd9
--- /dev/null
+++ b/heimdal-CVE-2022-45142.patch
@@ -0,0 +1,46 @@
+From: Helmut Grohne
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
++++ b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ return GSS_S_FAILURE;
+ }
+
+- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+ if (cmp) {
+ *minor_status = 0;
+ return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ return GSS_S_FAILURE;
+ }
+
+- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+ if (cmp) {
+ _gsskrb5_release_buffer(minor_status, output_message_buffer);
+ *minor_status = 0;
+--
+2.38.1
diff --git a/heimdal-patch-source.sh b/heimdal-patch-source.sh
new file mode 100644
index 0000000..7b09271
--- /dev/null
+++ b/heimdal-patch-source.sh
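Review bot: The patch file carries no provenance line tying it to its tracking reference, so the only link between this file and `boo#1208992` is the changes entry, and a later version bump has nothing in the file itself to say whether upstream already carries the fix. A free-text header line before `diff --git`, e.g. `References: boo#1208992 CVE-2022-45142`, is ignored by patch/quilt and closes that gap. The fix itself reads correctly against the two quoted hunks: `cmp` is now set when `ct_memcmp` reports a difference, and the existing `if (cmp)` branch returns `GSS_S_BAD_MIC` (releasing the output buffer first in `_gssapi_unwrap_arcfour`), so a MIC or SGN_CKSUM mismatch is rejected again; both enclosing functions continue outside the quoted hunks. It modifies `lib/gssapi/krb5/arcfour.c`, which `heimdal-patch-source.sh` does not prune, so it should apply to the patched tarball assuming the spec (not visible here) lists it as a Patch.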
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+REMOVE_DIRS=(
+admin
+appl
+etc
+kadmin
+kcm
+kpasswd
+kuser
+packages
+po
+tests
+tools
+windows
+)
+
+set -o errexit
+
+CMDNAME=${0##*/}
+SOURCEDIR=${0%$CMDNAME}
+
+BASENAME=${1%.tar.gz}
+
+trap "rm -rf \"$BASENAME-patched.tar\" \"$BASENAME-patched.tar.bz2\"" ERR
+
+for (( N=0; N<${#REMOVE_DIRS[@]}; N++ )) ; do
+ REMOVE_DIRS[N]="*/${REMOVE_DIRS[N]}"
+done
+
+cd "$SOURCEDIR" > /dev/null
+
+if [ ! -f "$BASENAME.tar.gz" ]; then
+ exit 0
+fi
+
+if [ -f "$BASENAME-patched.tar.bz2" ] && [ "$BASENAME.tar.gz" -ot "$BASENAME-patched.tar.bz2" ]; then
+ if [ $CMDNAME -ot "$BASENAME-patched.tar.bz2" ]; then
+ exit 0
+ fi
+fi
+
+gzip -d "$BASENAME.tar.gz"
+mv -f "$BASENAME.tar" "$BASENAME-patched.tar"
+tar --wildcards --delete -f "$BASENAME-patched.tar" "${REMOVE_DIRS[@]}"
+bzip2 "$BASENAME-patched.tar"
diff --git a/heimdal-patched.diff b/heimdal-patched.diff
new file mode 100644
index 0000000..f0b7df1
--- /dev/null
+++ b/heimdal-patched.diff
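Review bot: A failure in the `tar --delete` or `bzip2` step leaves the tree with neither input nor output: `gzip -d "$BASENAME.tar.gz"` has already consumed the pristine tarball, the ERR trap then removes the partial `-patched` files, and a rerun silently returns success through the `[ ! -f "$BASENAME.tar.gz" ]` check. Replacing the gzip/mv pair with `gzip -dc "$BASENAME.tar.gz" > "$BASENAME-patched.tar"` keeps the original intact and makes the trap's cleanup meaningful. The same silent `exit 0` also hides a missing argument, since `BASENAME` is empty when `$1` is unset; a guard such as `[ -n "$1" ] || { echo "usage: $CMDNAME <heimdal-x.y.z.tar.gz>" >&2; exit 1; }` before the first test would surface that. `$CMDNAME` in `[ $CMDNAME -ot "$BASENAME-patched.tar.bz2" ]` is the one unquoted expansion in the file; quote it like the others.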
@@ -0,0 +1,690 @@ +diff -uNr heimdal-7.8.0/configure.ac heimdal-7.8.0-patched/configure.ac +--- heimdal-7.8.0/configure.ac 2022-11-15 19:56:25.000000000 +0100 ++++ heimdal-7.8.0-patched/configure.ac 2022-12-20 16:57:00.506113493 +0100 +@@ -3,7 +3,6 @@ + AC_PREREQ(2.62) + test -z "$CFLAGS" && CFLAGS="-g" + AC_INIT([Heimdal],[7.8.0],[https://github.com/heimdal/heimdal/issues]) +-AC_CONFIG_SRCDIR([kuser/kinit.c]) + AC_CONFIG_HEADERS(include/config.h) + AC_CONFIG_MACRO_DIR([cf]) + +@@ -594,7 +593,6 @@ + AM_CONDITIONAL(HEIMDAL_DOCUMENTATION, test "$enable_heimdal_documentation" != no) + + AC_CONFIG_FILES(Makefile \ +- etc/Makefile \ + include/Makefile \ + include/gssapi/Makefile \ + include/hcrypto/Makefile \ +@@ -619,35 +617,8 @@ + lib/sqlite/Makefile \ + lib/vers/Makefile \ + lib/wind/Makefile \ +- po/Makefile \ +- kuser/Makefile \ +- kpasswd/Makefile \ +- kadmin/Makefile \ +- admin/Makefile \ +- kcm/Makefile \ + kdc/Makefile \ +- appl/Makefile \ +- appl/afsutil/Makefile \ +- appl/dbutils/Makefile \ +- appl/gssmask/Makefile \ +- appl/otp/Makefile \ +- appl/su/Makefile \ +- appl/test/Makefile \ +- appl/kf/Makefile \ +- appl/dceutils/Makefile \ +- tests/Makefile \ +- tests/bin/Makefile \ +- tests/can/Makefile \ +- tests/db/Makefile \ +- tests/kdc/Makefile \ +- tests/ldap/Makefile \ +- tests/gss/Makefile \ +- tests/java/Makefile \ +- tests/plugin/Makefile \ +- packages/Makefile \ +- packages/mac/Makefile \ + doc/Makefile \ +- tools/Makefile \ + ) + + AC_OUTPUT +diff -uNr heimdal-7.8.0/doc/Makefile.am heimdal-7.8.0-patched/doc/Makefile.am +--- heimdal-7.8.0/doc/Makefile.am 2022-09-16 00:59:25.000000000 +0200 ++++ heimdal-7.8.0-patched/doc/Makefile.am 2022-12-20 17:02:32.781246824 +0100 +@@ -10,50 +10,6 @@ + + info_TEXINFOS = heimdal.texi hx509.texi + +-dxy_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \ +- -e 's,[@]objdir[@],.,g' \ +- -e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g' +- +-hcrypto.dxy: hcrypto.din Makefile +- $(dxy_subst) < $(srcdir)/hcrypto.din > 
hcrypto.dxy.tmp +- chmod +x hcrypto.dxy.tmp +- mv hcrypto.dxy.tmp hcrypto.dxy +- +-hdb.dxy: hdb.din Makefile +- $(dxy_subst) < $(srcdir)/hdb.din > hdb.dxy.tmp +- chmod +x hdb.dxy.tmp +- mv hdb.dxy.tmp hdb.dxy +- +-base.dxy: base.din Makefile +- $(dxy_subst) < $(srcdir)/base.din > base.dxy.tmp +- chmod +x base.dxy.tmp +- mv base.dxy.tmp base.dxy +- +-hx509.dxy: hx509.din Makefile +- $(dxy_subst) < $(srcdir)/hx509.din > hx509.dxy.tmp +- chmod +x hx509.dxy.tmp +- mv hx509.dxy.tmp hx509.dxy +- +-gssapi.dxy: gssapi.din Makefile +- $(dxy_subst) < $(srcdir)/gssapi.din > gssapi.dxy.tmp +- chmod +x gssapi.dxy.tmp +- mv gssapi.dxy.tmp gssapi.dxy +- +-krb5.dxy: krb5.din Makefile +- $(dxy_subst) < $(srcdir)/krb5.din > krb5.dxy.tmp +- chmod +x krb5.dxy.tmp +- mv krb5.dxy.tmp krb5.dxy +- +-ntlm.dxy: ntlm.din Makefile +- $(dxy_subst) < $(srcdir)/ntlm.din > ntlm.dxy.tmp +- chmod +x ntlm.dxy.tmp +- mv ntlm.dxy.tmp ntlm.dxy +- +-wind.dxy: wind.din Makefile +- $(dxy_subst) < $(srcdir)/wind.din > wind.dxy.tmp +- chmod +x wind.dxy.tmp +- mv wind.dxy.tmp wind.dxy +- + texi_subst = sed -e 's,[@]dbdir[@],$(localstatedir),g' \ + -e 's,[@]dbtype[@],$(db_type),g' \ + -e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g' +@@ -63,55 +19,6 @@ + chmod +x vars.texi.tmp + mv vars.texi.tmp vars.texi + +-PROJECTS = base hdb hx509 gssapi krb5 ntlm wind +- +-PROJECTS += hcrypto +- +-doxyout doxygen: base.dxy hdb.dxy hx509.dxy hcrypto.dxy gssapi.dxy krb5.dxy ntlm.dxy wind.dxy +- @test -d $(srcdir)/doxyout && \ +- find $(srcdir)/doxyout -type d ! 
-perm -200 -exec chmod u+w {} ';' ; \ +- rm -rf $(srcdir)/doxyout ; \ +- mkdir $(srcdir)/doxyout ; \ +- for a in $(PROJECTS) ; do \ +- echo $$a ; \ +- doxygen $$a.dxy; \ +- (cd $(srcdir)/doxyout && \ +- find $$a/man -name '_*' -type f -print | \ +- perl -lne unlink && \ +- find $$a/html -name 'dir_*.html' -type f -print | \ +- perl -lne unlink && \ +- find $$a/man -type f > $$a/manpages ) ; \ +- done +- +-install-data-hook: install-doxygen-manpage +-uninstall-hook: uninstall-doxygen-manpage +-dist-hook: doxygen +- +-install-doxygen-manpage: +- for a in $(PROJECTS) ; do \ +- f="$(srcdir)/doxyout/$$a/manpages" ; \ +- test -f $$f || continue ; \ +- echo "install $$a manual pages $$(wc -l < $$f)" ; \ +- while read x ; do \ +- section=`echo "$$x" | sed 's/.*\.\([0-9]\)/\1/'` ; \ +- $(mkinstalldirs) "$(DESTDIR)$(mandir)/man$$section" ; \ +- $(INSTALL_DATA) $(srcdir)/doxyout/$$x "$(DESTDIR)$(mandir)/man$$section" ; \ +- done < $$f ; \ +- done ; exit 0 +- +-uninstall-doxygen-manpage: +- @for a in $(PROJECTS) ; do \ +- f="$(srcdir)/doxyout/$$a/manpages" ; \ +- test -f $$f || continue ; \ +- echo "removing $$a manual pages" ; \ +- while read x ; do \ +- section=`echo "$$x" | sed 's/.*\.\([0-9]\)/\1/'` ; \ +- base=`basename $$x` ; \ +- rm "$(DESTDIR)$(mandir)/man$$section/$$base" ; \ +- done < $$f ; \ +- done +- +- + heimdal_TEXINFOS = \ + ack.texi \ + apps.texi \ +@@ -129,35 +36,6 @@ + win2k.texi + + EXTRA_DIST = \ +- NTMakefile \ +- doxyout \ +- footer.html \ +- gssapi.din \ +- hdb.din \ +- hcrypto.din \ +- header.html \ + heimdal.css \ +- base.din \ +- hx509.din \ +- krb5.din \ +- ntlm.din \ +- init-creds \ +- latin1.tex \ +- layman.asc \ +- doxytmpl.dxy \ +- wind.din \ +- base.hhp \ + heimdal.hhp \ +- hx509.hhp \ + vars.tin +- +-CLEANFILES = \ +- hcrypto.dxy* \ +- base.dxy* \ +- hx509.dxy* \ +- hdb.dxy* \ +- gssapi.dxy* \ +- krb5.dxy* \ +- ntlm.dxy* \ +- wind.dxy* \ +- vars.texi* +diff -uNr heimdal-7.8.0/kdc/Makefile.am heimdal-7.8.0-patched/kdc/Makefile.am +--- 
heimdal-7.8.0/kdc/Makefile.am 2022-09-16 01:54:19.000000000 +0200 ++++ heimdal-7.8.0-patched/kdc/Makefile.am 2022-12-20 17:07:05.344492344 +0100 +@@ -6,35 +6,6 @@ + + lib_LTLIBRARIES = libkdc.la + +-bin_PROGRAMS = string2key +- +-sbin_PROGRAMS = kstash +- +-libexec_PROGRAMS = hprop hpropd kdc digest-service +- +-noinst_PROGRAMS = kdc-replay kdc-tester +- +-man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8 string2key.8 +- +-hprop_SOURCES = hprop.c mit_dump.c hprop.h +-hpropd_SOURCES = hpropd.c hprop.h +- +-kstash_SOURCES = kstash.c headers.h +- +-string2key_SOURCES = string2key.c headers.h +- +-digest_service_SOURCES = \ +- digest-service.c +- +-kdc_SOURCES = connect.c \ +- config.c \ +- announce.c \ +- main.c +- +-kdc_tester_SOURCES = \ +- config.c \ +- kdc-tester.c +- + libkdc_la_SOURCES = \ + default_config.c \ + set_dbinfo.c \ +@@ -54,15 +25,7 @@ + + KDC_PROTOS = $(srcdir)/kdc-protos.h $(srcdir)/kdc-private.h + +-ALL_OBJECTS = $(kdc_OBJECTS) +-ALL_OBJECTS += $(kdc_replay_OBJECTS) +-ALL_OBJECTS += $(kdc_tester_OBJECTS) +-ALL_OBJECTS += $(libkdc_la_OBJECTS) +-ALL_OBJECTS += $(string2key_OBJECTS) +-ALL_OBJECTS += $(kstash_OBJECTS) +-ALL_OBJECTS += $(hprop_OBJECTS) +-ALL_OBJECTS += $(hpropd_OBJECTS) +-ALL_OBJECTS += $(digest_service_OBJECTS) ++ALL_OBJECTS = $(libkdc_la_OBJECTS) + + $(ALL_OBJECTS): $(KDC_PROTOS) + +@@ -80,24 +43,6 @@ + cd $(srcdir) && perl ../cf/make-proto.pl -q -P comment -p kdc-private.h $(libkdc_la_SOURCES) || rm -f kdc-private.h + + +-hprop_LDADD = \ +- $(top_builddir)/lib/hdb/libhdb.la \ +- $(top_builddir)/lib/krb5/libkrb5.la \ +- $(LIB_kdb) \ +- $(LIB_hcrypto) \ +- $(top_builddir)/lib/asn1/libasn1.la \ +- $(LIB_roken) \ +- $(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB) +- +-hpropd_LDADD = \ +- $(top_builddir)/lib/hdb/libhdb.la \ +- $(top_builddir)/lib/krb5/libkrb5.la \ +- $(LIB_kdb) \ +- $(LIB_hcrypto) \ +- $(top_builddir)/lib/asn1/libasn1.la \ +- $(LIB_roken) \ +- $(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB) +- + if PKINIT + LIB_pkinit = 
$(top_builddir)/lib/hx509/libhx509.la + endif +@@ -121,21 +66,6 @@ + $(LIB_roken) \ + $(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB) + +-kdc_LDADD = libkdc.la $(LDADD) $(LIB_pidfile) $(CAPNG_LIBS) +- +-if FRAMEWORK_SECURITY +-kdc_LDFLAGS = -framework SystemConfiguration -framework CoreFoundation +-endif +-kdc_CFLAGS = $(CAPNG_CFLAGS) +- +-digest_service_LDADD = \ +- libkdc.la \ +- $(top_builddir)/lib/ntlm/libheimntlm.la \ +- $(top_builddir)/lib/ipc/libheim-ipcs.la \ +- $(LDADD) $(LIB_pidfile) +-kdc_replay_LDADD = libkdc.la $(LDADD) $(LIB_pidfile) +-kdc_tester_LDADD = libkdc.la $(LDADD) $(LIB_pidfile) $(LIB_heimbase) +- + include_HEADERS = kdc.h $(srcdir)/kdc-protos.h + + noinst_HEADERS = $(srcdir)/kdc-private.h +@@ -146,11 +76,6 @@ + build_HEADERZ = $(krb5_HEADERS) # XXX + + EXTRA_DIST = \ +- hprop-version.rc \ +- hpropd-version.rc \ +- kdc-version.rc \ +- kstash-version.rc \ + libkdc-version.rc \ +- string2key-version.rc \ + libkdc-exports.def \ +- NTMakefile $(man_MANS) version-script.map ++ NTMakefile version-script.map +diff -uNr heimdal-7.8.0/lib/asn1/Makefile.am heimdal-7.8.0-patched/lib/asn1/Makefile.am +--- heimdal-7.8.0/lib/asn1/Makefile.am 2022-09-16 01:54:19.000000000 +0200 ++++ heimdal-7.8.0-patched/lib/asn1/Makefile.am 2022-12-20 17:08:36.808229786 +0100 +@@ -44,9 +44,7 @@ + gen_files_digest = asn1_digest_asn1.x + gen_files_kx509 = asn1_kx509_asn1.x + +-noinst_PROGRAMS = asn1_gen +- +-libexec_heimdal_PROGRAMS = asn1_compile asn1_print ++noinst_PROGRAMS = asn1_gen asn1_compile asn1_print + + TESTS = check-der check-gen check-timegm check-ber check-template + check_PROGRAMS = $(TESTS) +diff -uNr heimdal-7.8.0/lib/com_err/Makefile.am heimdal-7.8.0-patched/lib/com_err/Makefile.am +--- heimdal-7.8.0/lib/com_err/Makefile.am 2022-09-16 01:54:19.000000000 +0200 ++++ heimdal-7.8.0-patched/lib/com_err/Makefile.am 2022-12-20 17:14:40.343183718 +0100 +@@ -13,12 +13,8 @@ + + libcom_err_la_LIBADD = $(LIB_libintl) + +-noinst_PROGRAMS = compile_et +- + include_HEADERS = 
com_err.h com_right.h + +-compile_et_SOURCES = compile_et.c compile_et.h parse.y lex.l lex.h +- + libcom_err_la_CPPFLAGS = $(ROKEN_RENAME) $(INCLUDE_libintl) + dist_libcom_err_la_SOURCES = error.c com_err.c roken_rename.h + +@@ -43,7 +39,6 @@ + EXTRA_DIST = \ + NTMakefile \ + com_err.3 \ +- compile_et-version.rc \ + libcom_err-version.rc \ + libcom_err-exports.def \ + version-script.map +diff -uNr heimdal-7.8.0/lib/gssapi/Makefile.am heimdal-7.8.0-patched/lib/gssapi/Makefile.am +--- heimdal-7.8.0/lib/gssapi/Makefile.am 2022-09-16 01:54:19.000000000 +0200 ++++ heimdal-7.8.0-patched/lib/gssapi/Makefile.am 2022-12-20 17:16:41.706826603 +0100 +@@ -227,8 +227,6 @@ + $(LIB_hcrypto) \ + $(LIBADD_roken) + +-man_MANS = gssapi.3 gss_acquire_cred.3 mech/mech.5 +- + include_HEADERS = gssapi.h + noinst_HEADERS = \ + gssapi_mech.h \ +@@ -303,8 +301,7 @@ + + check_PROGRAMS = test_acquire_cred $(TESTS) + +-bin_PROGRAMS = gsstool +-noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm test_add_store_cred ++noinst_PROGRAMS = gsstool test_cred test_kcred test_context test_ntlm test_add_store_cred + + test_context_SOURCES = test_context.c test_common.c test_common.h + test_ntlm_SOURCES = test_ntlm.c test_common.c test_common.h +@@ -340,7 +337,6 @@ + NTMakefile \ + libgssapi-version.rc \ + libgssapi-exports.def \ +- $(man_MANS) \ + gen-oid.pl \ + gssapi/gssapi_netlogon.h \ + krb5/test_acquire_cred.c \ +diff -uNr heimdal-7.8.0/lib/hx509/Makefile.am heimdal-7.8.0-patched/lib/hx509/Makefile.am +--- heimdal-7.8.0/lib/hx509/Makefile.am 2022-11-15 18:24:40.000000000 +0100 ++++ heimdal-7.8.0-patched/lib/hx509/Makefile.am 2022-12-20 17:19:57.330257091 +0100 +@@ -141,7 +141,6 @@ + $(heim_verbose)$(ASN1_COMPILE) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1) + + ALL_OBJECTS = $(libhx509_la_OBJECTS) +-ALL_OBJECTS += $(hxtool_OBJECTS) + + HX509_PROTOS = $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h + +@@ -156,23 +155,6 @@ + $(srcdir)/hx509-private.h: 
$(dist_libhx509_la_SOURCES) + $(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p hx509-private.h $(dist_libhx509_la_SOURCES) || rm -f hx509-private.h + +-bin_PROGRAMS = hxtool +- +-hxtool-commands.c hxtool-commands.h: hxtool-commands.in $(SLC) +- $(heim_verbose)$(SLC) $(srcdir)/hxtool-commands.in +- +-dist_hxtool_SOURCES = hxtool.c +-nodist_hxtool_SOURCES = hxtool-commands.c hxtool-commands.h +- +-$(hxtool_OBJECTS): hxtool-commands.h $(nodist_include_HEADERS) +- +-hxtool_LDADD = \ +- libhx509.la \ +- $(top_builddir)/lib/asn1/libasn1.la \ +- $(LIB_hcrypto) \ +- $(LIB_roken) \ +- $(top_builddir)/lib/sl/libsl.la +- + CLEANFILES = $(BUILT_SOURCES) sel-gram.c sel-lex.c \ + $(gen_files_ocsp) ocsp_asn1_files ocsp_asn1{,-priv}.h* \ + ocsp_asn1-template.[chx]* \ +@@ -181,7 +163,7 @@ + $(gen_files_crmf) crmf_asn1_files crmf_asn1{,-priv}.h* \ + crmf_asn1-template.[chx]* \ + $(TESTS) \ +- hxtool-commands.c hxtool-commands.h *.tmp \ ++ *.tmp \ + request.out \ + out.pem out2.pem \ + sd sd.pem \ +@@ -311,12 +293,10 @@ + + EXTRA_DIST = \ + NTMakefile \ +- hxtool-version.rc \ + libhx509-exports.def \ + version-script.map \ + crmf.asn1 \ + hx509_err.et \ +- hxtool-commands.in \ + quote.py \ + ocsp.asn1 \ + ocsp.opt \ +diff -uNr heimdal-7.8.0/lib/kadm5/Makefile.am heimdal-7.8.0-patched/lib/kadm5/Makefile.am +--- heimdal-7.8.0/lib/kadm5/Makefile.am 2022-11-15 18:06:45.000000000 +0100 ++++ heimdal-7.8.0-patched/lib/kadm5/Makefile.am 2022-12-20 17:24:31.273484873 +0100 +@@ -14,10 +14,6 @@ + libkadm5srv_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map + endif + +-sbin_PROGRAMS = iprop-log +-check_PROGRAMS = default_keys +-noinst_PROGRAMS = test_pw_quality +- + noinst_LTLIBRARIES = sample_passwd_check.la + + sample_passwd_check_la_SOURCES = sample_passwd_check.c +@@ -29,8 +25,6 @@ + libkadm5clnt_la_LIBADD = \ + $(LIB_com_err) ../krb5/libkrb5.la $(LIBADD_roken) + +-libexec_PROGRAMS = ipropd-master ipropd-slave +- + default_keys_SOURCES = 
default_keys.c + default_keys_CPPFLAGS = -I$(srcdir)/../krb5 + +@@ -122,17 +116,6 @@ + libkadm5srv_la_DEPENDENCIES = \ + version-script.map + +-dist_iprop_log_SOURCES = iprop-log.c +-nodist_iprop_log_SOURCES = iprop-commands.c +- +-ipropd_master_SOURCES = ipropd_master.c ipropd_common.c iprop.h kadm5_locl.h +-ipropd_master_CPPFLAGS = -I$(srcdir)/../krb5 +- +-ipropd_slave_SOURCES = ipropd_slave.c ipropd_common.c iprop.h kadm5_locl.h +-ipropd_slave_CPPFLAGS = -I$(srcdir)/../krb5 +- +-man_MANS = kadm5_pwcheck.3 iprop.8 iprop-log.8 +- + LDADD = \ + libkadm5srv.la \ + $(top_builddir)/lib/hdb/libhdb.la \ +@@ -144,27 +127,8 @@ + $(LIB_dlopen) \ + $(LIB_pidfile) + +-iprop_log_LDADD = \ +- libkadm5srv.la \ +- $(top_builddir)/lib/hdb/libhdb.la \ +- $(top_builddir)/lib/krb5/libkrb5.la \ +- $(top_builddir)/lib/asn1/libasn1.la \ +- $(LIB_hcrypto) \ +- $(top_builddir)/lib/sl/libsl.la \ +- $(LIB_readline) \ +- $(LIB_roken) \ +- $(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB) \ +- $(LIB_dlopen) \ +- $(LIB_pidfile) +- +-iprop_log_CPPFLAGS = -I$(srcdir)/../krb5 +- +-iprop-commands.c iprop-commands.h: iprop-commands.in +- $(SLC) $(srcdir)/iprop-commands.in +- + $(libkadm5srv_la_OBJECTS): kadm5_err.h + $(libkadm5clnt_la_OBJECTS): kadm5_err.h +-$(iprop_log_OBJECTS): iprop-commands.h + + client_glue.lo server_glue.lo: $(srcdir)/common_glue.c + +@@ -176,12 +140,7 @@ + + ALL_OBJECTS = $(libkadm5clnt_la_OBJECTS) + ALL_OBJECTS += $(libkadm5srv_la_OBJECTS) +-ALL_OBJECTS += $(ipropd_master_OBJECTS) +-ALL_OBJECTS += $(ipropd_slave_OBJECTS) +-ALL_OBJECTS += $(iprop_log_OBJECTS) +-ALL_OBJECTS += $(test_pw_quality_OBJECTS) + ALL_OBJECTS += $(sample_passwd_check_la_OBJECTS) +-ALL_OBJECTS += $(default_keys_OBJECTS) + + $(ALL_OBJECTS): $(srcdir)/kadm5-protos.h $(srcdir)/kadm5-private.h + $(ALL_OBJECTS): kadm5_err.h +@@ -213,7 +172,6 @@ + libkadm5srv-exports.def \ + kadm5_err.et \ + iprop-commands.in \ +- $(man_MANS) \ + check-cracklib.pl \ + flush.c \ + sample_passwd_check.c \ +diff -uNr 
heimdal-7.8.0/lib/kafs/Makefile.am heimdal-7.8.0-patched/lib/kafs/Makefile.am +--- heimdal-7.8.0/lib/kafs/Makefile.am 2022-09-16 01:54:19.000000000 +0200 ++++ heimdal-7.8.0-patched/lib/kafs/Makefile.am 2022-12-20 17:25:26.133332421 +0100 +@@ -74,8 +74,6 @@ + + EXTRA_DIST = NTMakefile afsl.exp afslib.exp $(man_MANS) + +-man_MANS = kafs.3 +- + # AIX: this almost works with gcc, but somehow it fails to use the + # correct ld, use ld instead + afslib.so: afslib.o +diff -uNr heimdal-7.8.0/lib/krb5/Makefile.am heimdal-7.8.0-patched/lib/krb5/Makefile.am +--- heimdal-7.8.0/lib/krb5/Makefile.am 2022-09-16 01:54:19.000000000 +0200 ++++ heimdal-7.8.0-patched/lib/krb5/Makefile.am 2022-12-20 17:27:49.080935177 +0100 +@@ -4,8 +4,6 @@ + + AM_CPPFLAGS += -I../com_err -I$(srcdir)/../com_err $(INCLUDE_sqlite3) $(INCLUDE_libintl) $(INCLUDE_openssl_crypto) + +-bin_PROGRAMS = verify_krb5_conf +- + noinst_PROGRAMS = \ + krbhst-test \ + test_alname \ +@@ -258,7 +256,6 @@ + endif + + ALL_OBJECTS = $(libkrb5_la_OBJECTS) +-ALL_OBJECTS += $(verify_krb5_conf_OBJECTS) + ALL_OBJECTS += $(librfc3961_la_OBJECTS) + ALL_OBJECTS += $(librfc3961_la_OBJECTS) + ALL_OBJECTS += $(krbhst_test_OBJECTS) +@@ -322,52 +319,6 @@ + $(srcdir)/krb5-private.h: $(headerdeps) + @cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-private.h + +-man_MANS = \ +- kerberos.8 \ +- krb5.conf.5 \ +- krb5-plugin.7 \ +- krb524_convert_creds_kdc.3 \ +- krb5_425_conv_principal.3 \ +- krb5_acl_match_file.3 \ +- krb5_aname_to_localname.3 \ +- krb5_appdefault.3 \ +- krb5_auth_context.3 \ +- krb5_c_make_checksum.3 \ +- krb5_check_transited.3 \ +- krb5_create_checksum.3 \ +- krb5_creds.3 \ +- krb5_digest.3 \ +- krb5_eai_to_heim_errno.3 \ +- krb5_encrypt.3 \ +- krb5_find_padata.3 \ +- krb5_generate_random_block.3 \ +- krb5_get_all_client_addrs.3 \ +- krb5_get_credentials.3 \ +- krb5_get_creds.3 \ +- krb5_get_forwarded_creds.3 \ +- krb5_get_in_cred.3 \ +- 
krb5_get_init_creds.3 \ +- krb5_get_krbhst.3 \ +- krb5_getportbyname.3 \ +- krb5_init_context.3 \ +- krb5_is_thread_safe.3 \ +- krb5_krbhst_init.3 \ +- krb5_mk_req.3 \ +- krb5_mk_safe.3 \ +- krb5_openlog.3 \ +- krb5_parse_name.3 \ +- krb5_principal.3 \ +- krb5_rcache.3 \ +- krb5_rd_error.3 \ +- krb5_rd_safe.3 \ +- krb5_set_default_realm.3 \ +- krb5_set_password.3 \ +- krb5_string_to_key.3 \ +- krb5_timeofday.3 \ +- krb5_verify_init_creds.3 \ +- krb5_verify_user.3 \ +- verify_krb5_conf.8 +- + dist_include_HEADERS = \ + krb5.h \ + $(srcdir)/krb5-protos.h \ +@@ -409,7 +360,6 @@ + krb_err.et \ + heim_err.et \ + k524_err.et \ +- $(man_MANS) \ + version-script.map \ + test_config_strings.cfg \ + krb5.moduli +diff -uNr heimdal-7.8.0/lib/roken/Makefile.am heimdal-7.8.0-patched/lib/roken/Makefile.am +--- heimdal-7.8.0/lib/roken/Makefile.am 2022-09-16 01:54:19.000000000 +0200 ++++ heimdal-7.8.0-patched/lib/roken/Makefile.am 2022-12-20 17:28:54.084761232 +0100 +@@ -209,8 +209,6 @@ + rokenincludedir = $(includedir)/roken + nodist_rokeninclude_HEADERS = $(XHEADERS) + +-man_MANS = getarg.3 parse_time.3 rtbl.3 ecalloc.3 +- + SUFFIXES += .hin + .hin.h: + cp $< $@ +@@ -244,7 +242,6 @@ + EXTRA_DIST = \ + NTMakefile \ + roken.awk roken.h.in \ +- $(man_MANS) \ + dirent.c \ + dirent.hin \ + dirent-test.c \ +diff -uNr heimdal-7.8.0/lib/sl/Makefile.am heimdal-7.8.0-patched/lib/sl/Makefile.am +--- heimdal-7.8.0/lib/sl/Makefile.am 2022-09-16 01:54:19.000000000 +0200 ++++ heimdal-7.8.0-patched/lib/sl/Makefile.am 2022-12-20 17:30:00.352598492 +0100 +@@ -25,7 +25,7 @@ + + # install these? 
+ +-libexec_heimdal_PROGRAMS = slc ++noinst_PROGRAMS = slc + + slc_SOURCES = slc-gram.y slc-lex.l slc.h + +diff -uNr heimdal-7.8.0/lib/wind/Makefile.am heimdal-7.8.0-patched/lib/wind/Makefile.am +--- heimdal-7.8.0/lib/wind/Makefile.am 2022-11-15 18:14:35.000000000 +0100 ++++ heimdal-7.8.0-patched/lib/wind/Makefile.am 2022-12-20 17:31:00.324451186 +0100 +@@ -83,12 +83,6 @@ + + $(test_punycode_OBJECTS): $(built_tests) + +-bin_PROGRAMS = idn-lookup +- +-idn_lookup_SOURCES = idn-lookup.c +- +-LDADD = libwind.la $(LIB_roken) +- + if !MAINTAINER_MODE + skip_python = test -f $@ || + endif +diff -uNr heimdal-7.8.0/Makefile.am heimdal-7.8.0-patched/Makefile.am +--- heimdal-7.8.0/Makefile.am 2022-09-16 01:54:19.000000000 +0200 ++++ heimdal-7.8.0-patched/Makefile.am 2022-12-20 17:32:16.540264008 +0100 +@@ -2,12 +2,7 @@ + + include $(top_srcdir)/Makefile.am.common + +-if KCM +-kcm_dir = kcm +-endif +- +-SUBDIRS= include lib kuser kdc admin kadmin kpasswd +-SUBDIRS+= $(kcm_dir) appl tools tests packages etc po ++SUBDIRS= include lib kdc + + if HEIMDAL_DOCUMENTATION + SUBDIRS+= doc diff --git a/libheimdal.changes b/libheimdal.changes new file mode 100644 index 0000000..a613fd2 --- /dev/null +++ b/libheimdal.changes 
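Review bot: Several of the inner hunks delete a definition but leave a consumer of it behind, so the pruned tree is internally inconsistent. In lib/kafs/Makefile.am `man_MANS = kafs.3` is removed while the context line `EXTRA_DIST = NTMakefile afsl.exp afslib.exp $(man_MANS)` still references it (every other hunk that drops `man_MANS` also drops `$(man_MANS)` from EXTRA_DIST); in lib/kadm5/Makefile.am `check_PROGRAMS = default_keys` goes away while `default_keys_SOURCES` and `default_keys_CPPFLAGS` stay, and `iprop-commands.in` stays in EXTRA_DIST after the rule that consumed it is deleted. GNU make expands an undefined `$(man_MANS)` to nothing, but automake is likely to warn about `default_keys_SOURCES` having no matching program, so removing those two `default_keys_*` lines and the stray `$(man_MANS)` would make the pruning diff clean. Whether this file is applied at build time or only kept as a record of how the patched tarball was produced is not visible here.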
@@ -0,0 +1,382 @@ +------------------------------------------------------------------- +Thu Apr 6 13:26:58 UTC 2023 - Dominique Leuenberger + +- Add heimdal-CVE-2022-45142.patch: Fix logic inversion introduced + when fixing/backporting CVE-2022-3437 (CVE-2022-45142, + boo#1208992). + +------------------------------------------------------------------- +Tue Jan 10 19:30:57 UTC 2023 - Marcus Meissner + +- replace libheimdal conflicts by obsoletes / provides to provide a + smooth update in the new libheimdal-devel. + +------------------------------------------------------------------- +Wed Dec 21 09:53:45 UTC 2022 - enzokiel@kabelmail.de + +- Update to version 7.8.0 + + This release includes both the Heimdal 7.7.1 Security + Vulnerability fixes and non-Security bug fixes/improvements. + + Security Vulnerabilities: + - CVE-2022-42898 PAC parse integer overflows + - CVE-2022-3437 Overflows and non-constant time leaks in + DES{,3} and arcfour + - CVE-2022-41916 Fix Unicode normalization read of 1 bytes past + end of array + - CVE-2021-44758 A null pointer de-reference DoS in SPNEGO + acceptors + - CVE-2021-3671 A null pointer de-reference when handling + missing sname in TGS-REQ + - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec + Note that CVE-2022-44640 is a severe vulnerability, + possibly a 10.0 on the Common Vulnerability Scoring + System (CVSS) v3, as we believe it should be possible to + get an RCE on a KDC, which means that credentials can be + compromised that can be used to impersonate anyone in a + realm or forest of realms. + Heimdal's ASN.1 compiler generates code that allows + specially crafted DER encodings of CHOICEs to invoke the + wrong free function on the decoded structure upon decode + error. This is known to impact the Heimdal KDC, leading to + an invalid free() of an address partly or wholly under the + control of the attacker, in turn leading to a potential + remote code execution (RCE) vulnerability. 
+ This error affects the DER codec for all extensible CHOICE + types used in Heimdal, though not all cases will be + exploitable. We have not completed a thorough analysis of + all the Heimdal components affected, thus the Kerberos + client, the X.509 library, and other parts, may be affected + as well. + This bug has been in Heimdal's ASN.1 compiler since 2005, + but it may only affect Heimdal 1.6 and up. It was first + reported by Douglas Bagnall, though it had been found + independently by the Heimdal maintainers via fuzzing a few + weeks earlier. + While no zero-day exploit is known, such an exploit will + likely be available soon after public disclosure. + - CVE-2019-14870: Validate client attributes in + protocol-transition + - CVE-2019-14870: Apply forwardable policy in + protocol-transition + - CVE-2019-14870: Always lookup impersonate client in DB + + Other changes: + - Bugs found by UBSAN (including the incorrect encoding of + unconstrained INTEGER value -1). + - Errors found by the LLVM scan-build static analyzer. + - Errors found by the valgrind memory debugger. + - Work around GCC Bug 95189 (memcmp wrongly stripped like + strcmp). + - Correct ASN.1 OID typo for SHA-384 + - Fix a deadlock in in the MEMORY ccache type. + - TGS: strip forwardable and proxiable flags if the server is + disallowed. 
+ - CVE-2019-14870: Validate client attributes in + protocol-transition + - CVE-2019-14870: Apply forwardable policy in + protocol-transition + - CVE-2019-14870: Always lookup impersonate client in DB + - Incremental HDB propagation improvements + Refactor send_diffs making it progressive + Handle partial writes on non-blocking sockets + Disable Nagle in iprop master and slave + Use async I/O + Don't send I_HAVE in response to AYT + Do not recover log in kadm5_get_principal() + Don't send diffs to slaves with not yet known version + Don't stutter in send_diffs + - Optional backwards-compatible anon-pkinit behavior +- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream. + +------------------------------------------------------------------- +Thu Jun 30 20:44:57 UTC 2022 - Antoine Belvire + +- Add ldconfig scriptlets. +- Fix 'Conflicts:' tags. +- Remove obsolete macros and conditionals. +- Ran spec-cleaner. + +------------------------------------------------------------------- +Tue Jun 28 18:47:19 UTC 2022 - Antoine Belvire + +- Add heimdal-7.7.0-autoconf-2.70.patch: Fix build with autoconf + 2.70 (gh#heimdal/heimdal#856). + +------------------------------------------------------------------- +Wed May 25 11:59:29 UTC 2022 - Jan Engelhardt + +- Apply Shared Library Packaging Policy and resolve rpmlint + errors like "libheimdal.x86_64: E: shlib-policy-name-error + SONAME: libasn1.so.8, expected package suffix: 8" + +------------------------------------------------------------------- +Sun Jun 23 00:50:31 UTC 2019 - enzokiel@kabelmail.de + +- Update to version 7.7.0 + + Bug fixes: + - PKCS#11 hcrypto back-end: + + initialize the p11_module_load function list + + verify that not only is a mechanism present but that its + mechanism info states that it offers the required + encryption, decryption or digest services + - krb5: + + Starting with 7.6, Heimdal permitted requesting + authenticated anonymous tickets. 
However, it did not + verify that a KDC in fact returned an anonymous ticket + when one was requested. + + Cease setting the KDCOption reaquest_anonymous flag when + issuing S4UProxy (constrained delegation) TGS requests. + + when the Win2K PKINIT compatibility option is set, do not + require krbtgt otherName to match when validating KDC + certificate. + + set PKINIT_BTMM flag per Apple implementation + + use memset_s() instead of memset() + - kdc: + + When generating KRB5SignedPath in the AS, use the reply + client name rather than the one from the request, so + validation will work correctly in the TGS. + + allow checksum of PA-FOR-USER to be HMAC_MD5. Even if TGT + used an enctype with a different checksum. Per [MS-SFU] + 2.2.1 PA-FOR-USER the checksum is always HMAC_MD5, and + that's what Windows and MIT clients send. + In Heimdal both the client and kdc use instead the + checksum of the TGT, and therefore work with each other + but Windows and MIT clients fail against Heimdal KDC. + Both Windows and MIT KDC would allow any keyed checksum + to be used so Heimdal client work fine against it. + Change Heimdal KDC to allow HMAC_MD5 even for non RC4 + based TGT in order to support per-spec clients. + + use memset_s() instead of memset() + + Detect Heimdal 1.0 through 7.6 clients that issue + S4UProxy (constrained delegation) TGS Requests with the + request anonymous flag set. These requests will be + treated as S4UProxy requests and not anonymous requests. + - HDB: + + Set SQLite3 backend default page size to 8KB. + + Add hdb_set_sync() method + - kadmind: + + disable HDB sync during database load avoiding + unnecessary disk i/o. + - ipropd: + + disable HDB sync during receive_everything. Doing an + fsync per-record when receiving the complete HDB is a + performance disaster. 
Among other things, if the HDB is + very large, then one slave receving a full HDB can cause + other slaves to timeout and, if HDB write activity is + high enough to cause iprop log truncation, then also need + full syncs, which leads to a cycle of full syncs for all + slaves until HDB write activity drops. + Allowing the iprop log to be larger helps, but improving + receive_everything() performance helps even more. + - kinit: + + Anonymous PKINIT tickets discard the realm information + used to locate the issuing AS. Store the issuing realm in + the credentials cache in order to locate a KDC which can + renew them. + + Do not leak the result of krb5_cc_get_config() when + determining anonymous PKINIT start realm. + - klist: + + Show transited-policy-checked, ok-as-delegate and + anonymous flags when listing credentials. + - tests: + + Regenerate certs so that they expire before the 2038 + armageddon so the test suite will pass on 32-bit + operating systems until the underlying issues can be + resolved. + - Solaris: + + Define _STDC_C11_BCI for memset_s prototype + - build tooling: + + Convert from python 2 to python 3 + - documentation: + + rename verify-password to verify-password-quality + + hprop default mode is encrypt + + kadmind "all" permission does not include "get-keys" + + verify-password-quality might not be stateless + +- Version 7.6.0 + + Security (#555): + - CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed + checksum + When the Heimdal KDC checks the checksum that is placed on + the S4U2Self packet by the server to protect the requested + principal against modification, it does not confirm that + the checksum algorithm that protects the user name + (principal) in the request is keyed. 
This allows a + man-in-the-middle attacker who can intercept the request to + the KDC to modify the packet by replacing the user name + (principal) in the request with any desired user name + (principal) that exists in the KDC and replace the checksum + protecting that name with a CRC32 checksum (which requires + no prior knowledge to compute). + This would allow a S4U2Self ticket requested on behalf of + user name (principal) user@EXAMPLE.COM to any service to be + changed to a S4U2Self ticket with a user name (principal) of + Administrator@EXAMPLE.COM. This ticket would then contain + the PAC of the modified user name (principal). + + - CVE-2019-12098, client-only: + RFC8062 Section 7 requires verification of the PA-PKINIT-KX + key exchange when anonymous PKINIT is used. Failure to do + so can permit an active attacker to become a + man-in-the-middle. + + Bug fixes: + - Happy eyeballs: Don't wait for responses from + known-unreachable KDCs. + - kdc: + + check return copy_Realm, copy_PrincipalName, + copy_EncryptionKey + - kinit: + + cleanup temporary ccaches + + see man page for "kinit --anonymous" command line syntax + change + - kdc: + + Make anonymous AS-requests more RFC8062-compliant. 
+ Updated expired test certificates + - Solaris: + + PKCS#11 hcrypto backend broken since 7.0.1 + + Building with Sun Pro C + + Features: + - kuser: support authenticated anonymous AS-REQs in kinit + - kdc: support for anonymous TGS-REQs + - kgetcred support for anonymous service tickets + - Support builds with OpenSSL 1.1.1 +- fixed heimdal-patched.diff and reproducible.patch + +------------------------------------------------------------------- +Tue Aug 7 06:22:33 UTC 2018 - bwiedemann@suse.com + +- Add reproducible.patch to override build date (boo#1047218) +- Use constant hostname (boo#1084909) + +------------------------------------------------------------------- +Fri Dec 29 13:16:21 UTC 2017 - joerg.lorenzen@ki.tng.de + +- Update to version 7.5.0 + - Security + - Fix CVE-2017-17439, which is a remote denial of service + vulnerability: + In Heimdal 7.1 through 7.4, remote unauthenticated attackers + are able to crash the KDC by sending a crafted UDP packet + containing empty data fields for client name or realm. + - Bug fixes + - Handle long input lines when reloading database dumps. + - In pre-forked mode (default on Unix), correctly clear the + process ids of exited children, allowing new child processes + to replace the old. + - Fixed incorrect KDC response when no-cross realm TGT exists, + allowing client requests to fail quickly rather than time + out after trying to get a correct answer from each KDC. +- Fixed heimdal-patched.diff. +- Removed Avoid_NULL_structure_pointer_member_dereference.patch, + fixed upstream. + +------------------------------------------------------------------- +Thu Dec 07 15:17:23 UTC 2017 - joerg.lorenzen@ki.tng.de + +- Added Avoid_NULL_structure_pointer_member_dereference.patch, + fixes (bsc#1071675). 
+ +------------------------------------------------------------------- +Thu Aug 03 20:25:45 UTC 2017 - joerg.lorenzen@ki.tng.de + +- Update to version 7.4.0 + - Security + - Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name + validation. + This is a critical vulnerability. + In _krb5_extract_ticket() the KDC-REP service name must be + obtained from encrypted version stored in 'enc_part' instead + of the unencrypted version stored in 'ticket'. + Use of the unecrypted version provides an opportunity for + successful server impersonation and other attacks. + Identified by Jeffrey Altman, Viktor Duchovni and + Nico Williams. + See https://www.orpheus-lyre.info/ for more details. +- Fixed heimdal-patched.diff. + +------------------------------------------------------------------- +Thu Jun 15 20:52:17 UTC 2017 - joerg.lorenzen@ki.tng.de + +- Update to version 7.3.0 + - Security + + Fix transit path validation. Commit f469fc6 (2010-10-02) + inadvertently caused the previous hop realm to not be added + to the transit path of issued tickets. This may, in some + cases, enable bypass of capath policy in Heimdal versions 1.5 + through 7.2. + Note, this may break sites that rely on the bug. With the bug + some incomplete [capaths] worked, that should not have. + These may now break authentication in some cross-realm + configurations. (CVE-2017-6594) +- Version 7.2.0 + - Bug fixes + + Portability improvements. + + More strict parsing of encoded URI components in HTTP KDC. + + Fixed memory leak in malloc error recovery in NTLM GSSAPI + mechanism. + + Avoid overly specific CPU info in krb5-config in aid of + reproducible builds. + + Don't do AFS string-to-key tests when feature is disabled. + + Skip mdb_stat test when the command is not available. + + Windows: update SHA2 timestamp server. + + hdb: add missing export + hdb_generate_key_set_password_with_ks_tuple. + + Fix signature of hdb_generate_key_set_password(). + + Windows: enable KX509 support in the KDC. 
+ + kdc: fix kx509 service principal match. + + iprop: handle case where master sends nothing new. + + ipropd-slave: fix incorrect error codes. + + Allow choice of sqlite for HDB pref. + + check-iprop: don't fail to kill daemons. + + roken: pidfile -> rk_pidfile. + + kdc: _kdc_do_kx509 fix use after free error. + + Do not detect x32 as 64-bit platform. + + No sys/ttydefaults.h on CYGWIN. + + Fix check-iprop races. + + roken_detach_prep() close pipe. +- Fixed heimdal-patched.diff. + +------------------------------------------------------------------- +Thu Feb 2 01:44:35 UTC 2017 - jengelh@inai.de + +- Summary and RPM group update. Do a direct call to ldconfig + where possible. + +------------------------------------------------------------------- +Sat Jan 07 22:57:23 UTC 2017 - joerg.lorenzen@ki.tng.de + +- Update to version 7.1.0 +- Removed heimdal-version-script-client.map.patch, fixed upstream. +- Fixed heimdal-patched.diff. +- Unfortunately there is no updated changelog file in tarball, + changes can be seen in source code version control systems + history log. + +------------------------------------------------------------------- +Sat Sep 05 07:57:33 UTC 2015 - joerg.lorenzen@ki.tng.de + +- Added a patched instead of the original tarball because only + shared libraries will be build and source files of these (not to + be build) programs have problematic licenses. +- Added script heimdal-patch-source.sh to sources. +- Added patch heimdal-patched.diff that fixes configure.ac and + several Makefile.am files to successfully build patched source. +- Removed unneeded dependencies in spec file for build. + +------------------------------------------------------------------- +Wed Sep 02 08:04:33 UTC 2015 - joerg.lorenzen@ki.tng.de + +- Added Conflicts tags to spec file because devel package conflicts + with krb5-devel and krb5-mini-devel. 
+ +------------------------------------------------------------------- +Tue Sep 01 21:03:13 UTC 2015 - joerg.lorenzen@ki.tng.de + +- Some changes in spec file to enable build for SLES. + +------------------------------------------------------------------- +Sun Aug 30 11:20:03 UTC 2015 - joerg.lorenzen@ki.tng.de + +- Initial package, version 1.6rc2 +- Added patch heimdal-version-script-client.map.patch to add file + version-script-client.map (File is present in git for tag 1.6rc2 + but missing in tarball). diff --git a/libheimdal.spec b/libheimdal.spec new file mode 100644 index 0000000..72d3c41 --- /dev/null +++ b/libheimdal.spec 
@@ -0,0 +1,365 @@ +# +# spec file for package libheimdal +# +# Copyright (c) 2023 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: libheimdal +Version: 7.8.0 +Release: 0 +Summary: The Heimdal implementation of the Kerberos 5 protocol +License: BSD-3-Clause +Group: Productivity/Networking/Security +URL: https://www.h5l.org +# patched source can be created with script heimdal-patch-source.sh: +# ./heimdal-patch-source.sh heimdal-%{version}.tar.gz +Source0: heimdal-%{version}-patched.tar.bz2 +Source2: heimdal-patch-source.sh +Patch0: heimdal-patched.diff +# PATCH-FIX-UPSTREAM bmwiedemann -- make build reproducible (boo#1047218) +Patch1: reproducible.patch +# PATCH-FIX-UPSTREAM https://www.openwall.com/lists/oss-security/2023/02/08/1 +Patch2: heimdal-CVE-2022-45142.patch +BuildRequires: automake >= 1.11 +BuildRequires: bison +BuildRequires: db-devel >= 4.8 +BuildRequires: flex +BuildRequires: libtool +BuildRequires: pam-devel +BuildRequires: pkgconfig +BuildRequires: readline-devel +BuildRequires: texinfo +BuildRequires: perl(JSON) +BuildRequires: pkgconfig(com_err) +BuildRequires: pkgconfig(ncurses) >= 5.3 +BuildRequires: pkgconfig(sqlite3) + +%description +Heimdal is an implementation of Kerberos 5 (and some more stuff) largely written +in Sweden (which was important when we started writing it, less so now). 
+It is freely available under a three clause BSD style license. + +Other free implementations include the one from MIT, and Shishi. +Also Microsoft Windows and Sun's Java come with implementations of Kerberos. + +This package only provides libraries and devel files (binaries have been removed), +libraries are required by 64-bit package of ICAClient version 13.2. + +%package -n libasn1-8 +Summary: ASN.1 implementation from Heimdal Kerberos +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libasn1-8 +This package contains the ASN.1 parser required for Heimdal. + +%package -n libgssapi3 +Summary: GSSAPI implementation from Heimdal Kerberos +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libgssapi3 +GSSAPI implementation from Heimdal. + +%package -n libhcrypto4 +Summary: Cryptographic library from Heimdal Kerberos +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libhcrypto4 +This package contains the cryptographic library required for Heimdal. + +%package -n libhdb9 +Summary: Heimdal database backend library +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libhdb9 +libhdb provides the backend support for Heimdal kdc and kadmind. Its +here where plugins for diffrent database engines can be pluged in and +extend support for here Heimdal get the principal and policy data +from. + +Example of Heimdal backend are: Berkeley DB (BDB), NDB, LDAP. + +%package -n libheimbase1 +Summary: Base library for Heimdal Kerberos +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libheimbase1 +This package contains the base library for Heimdal Kerberos. 
+ +%package -n libheimedit0 +Summary: libedit fork of the Heimdal Kerberos project +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libheimedit0 +libedit is a command line editing and history library. It is +designed to be used by interactive programs that allow the user +to type commands at a terminal prompt. + +%package -n libheimntlm0 +Summary: NTLM implementation from Heimdal Kerberos +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libheimntlm0 +This package contains the NTLM support library from and for Heimdal Kerberos. + +%package -n libhx509-5 +Summary: X.509 implementation from Heimdal Kerberos +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libhx509-5 +This package contains the X.509 support library from and for Heimdal Kerberos. + +%package -n libkadm5clnt7 +Summary: Client library for Heimdal Kerberos +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libkadm5clnt7 +This package contains the client library for Heimdal's kadmin program. + +%package -n libkadm5srv8 +Summary: Server library for Heimdal Kerberos +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libkadm5srv8 +This package contains the server library for Heimdal's kadmin program. + +%package -n libkafs0 +Summary: KAFS support for Heimdal Kerberos +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libkafs0 +This package contains the library for supporting the in-kernel Andrew File System. + +%package -n libkdc2 +Summary: Key Distribution Center library for Heimdal Kerberos +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libkdc2 +This package contains the KDC support library. 
+ +%package -n libkrb5-26 +Summary: Kerberos 5 API for Heimdal Kerberos +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libkrb5-26 +This package contains the Kerberos 5 library. + +%package -n libotp0 +Summary: One Time Password library for Heimdal Kerberos +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libotp0 +This package contains the library for One Time Password support. + +%package -n libroken18 +Summary: OS abstraction library for Heimdal Kerberos +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libroken18 +This package contains a library that wraps or adds utility functions +missing from certain operating systems. + +%package -n libsl0 +Summary: Implementation of a suggestion lister +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libsl0 +This package contains a library that suggests commands in a "did you +mean" fashion. + +%package -n libwind0 +Summary: An implementation of RFC 3454 (stringprep) +Group: System/Libraries +Conflicts: libheimdal < %{version}-%{release} + +%description -n libwind0 +This package contains an implementation of the stringprep library. 
+ +%package devel +Summary: The Heimdal implementation of the Kerberos 5 protocol +Group: Development/Libraries/C and C++ +Requires: db-devel >= 4.8 +Requires: glibc-devel +Requires: libasn1-8 = %{version}-%{release} +Requires: libgssapi3 = %{version}-%{release} +Requires: libhcrypto4 = %{version}-%{release} +Requires: libhdb9 = %{version}-%{release} +Requires: libheimbase1 = %{version}-%{release} +Requires: libheimedit0 = %{version}-%{release} +Requires: libheimntlm0 = %{version}-%{release} +Requires: libhx509-5 = %{version}-%{release} +Requires: libkadm5clnt7 = %{version}-%{release} +Requires: libkadm5srv8 = %{version}-%{release} +Requires: libkafs0 = %{version}-%{release} +Requires: libkdc2 = %{version}-%{release} +Requires: libkrb5-26 = %{version}-%{release} +Requires: libotp0 = %{version}-%{release} +Requires: libroken18 = %{version}-%{release} +Requires: libsl0 = %{version}-%{release} +Requires: libwind0 = %{version}-%{release} +Requires: pkgconfig(com_err) +Requires: pkgconfig(ncurses) >= 5.3 +Requires: pkgconfig(sqlite3) +Conflicts: krb5-devel +Conflicts: krb5-mini-devel +Provides: libheimdal = %{version}-%{release} +Obsoletes: libheimdal < %{version}-%{release} + +%description devel +Heimdal is an implementation of Kerberos 5 (and some more stuff) largely written +in Sweden (which was important when we started writing it, less so now). +It is freely available under a three clause BSD style license. + +Other free implementations include the one from MIT, and Shishi. +Also Microsoft Windows and Sun's Java come with implementations of Kerberos. + +This package only provides libraries and devel files (binaries have been removed), +libraries are required by 64-bit package of ICAClient version 13.2. 
+ +%prep +%autosetup -p1 -n heimdal-%{version} + +%build +export SOURCE_HOST=OBS # for reproducible builds (boo#1084909) +autoreconf -fi +%configure \ + --with-sqlite3=%{_prefix} +%make_build + +%install +%make_install + +rm -rf %{buildroot}%{_libdir}/*.a +find %{buildroot} -type f -name "*.la" -delete -print + +%post -p /sbin/ldconfig -n libasn1-8 +%postun -p /sbin/ldconfig -n libasn1-8 +%post -p /sbin/ldconfig -n libgssapi3 +%postun -p /sbin/ldconfig -n libgssapi3 +%post -p /sbin/ldconfig -n libhcrypto4 +%postun -p /sbin/ldconfig -n libhcrypto4 +%post -p /sbin/ldconfig -n libhdb9 +%postun -p /sbin/ldconfig -n libhdb9 +%post -p /sbin/ldconfig -n libheimbase1 +%postun -p /sbin/ldconfig -n libheimbase1 +%post -p /sbin/ldconfig -n libheimedit0 +%postun -p /sbin/ldconfig -n libheimedit0 +%post -p /sbin/ldconfig -n libheimntlm0 +%postun -p /sbin/ldconfig -n libheimntlm0 +%post -p /sbin/ldconfig -n libhx509-5 +%postun -p /sbin/ldconfig -n libhx509-5 +%post -p /sbin/ldconfig -n libkadm5clnt7 +%postun -p /sbin/ldconfig -n libkadm5clnt7 +%post -p /sbin/ldconfig -n libkadm5srv8 +%postun -p /sbin/ldconfig -n libkadm5srv8 +%post -p /sbin/ldconfig -n libkafs0 +%postun -p /sbin/ldconfig -n libkafs0 +%post -p /sbin/ldconfig -n libkdc2 +%postun -p /sbin/ldconfig -n libkdc2 +%post -p /sbin/ldconfig -n libkrb5-26 +%postun -p /sbin/ldconfig -n libkrb5-26 +%post -p /sbin/ldconfig -n libotp0 +%postun -p /sbin/ldconfig -n libotp0 +%post -p /sbin/ldconfig -n libroken18 +%postun -p /sbin/ldconfig -n libroken18 +%post -p /sbin/ldconfig -n libsl0 +%postun -p /sbin/ldconfig -n libsl0 +%post -p /sbin/ldconfig -n libwind0 +%postun -p /sbin/ldconfig -n libwind0 + +%files -n libasn1-8 +%{_libdir}/libasn1.so.8* + +%files -n libgssapi3 +%{_libdir}/libgssapi.so.3* + +%files -n libhcrypto4 +%{_libdir}/libhcrypto.so.4* + +%files -n libhdb9 +%{_libdir}/libhdb.so.9* + +%files -n libheimbase1 +%{_libdir}/libheimbase.so.1* + +%files -n libheimedit0 +%{_libdir}/libheimedit.so.0* + +%files -n libheimntlm0 
+%{_libdir}/libheimntlm.so.0* + +%files -n libhx509-5 +%{_libdir}/libhx509.so.5* + +%files -n libkadm5clnt7 +%{_libdir}/libkadm5clnt.so.7* + +%files -n libkadm5srv8 +%{_libdir}/libkadm5srv.so.8* + +%files -n libkafs0 +%{_libdir}/libkafs.so.0* + +%files -n libkdc2 +%{_libdir}/libkdc.so.2* + +%files -n libkrb5-26 +%{_libdir}/libkrb5.so.26* + +%files -n libotp0 +%{_libdir}/libotp.so.0* + +%files -n libroken18 +%{_libdir}/libroken.so.18* + +%files -n libsl0 +%{_libdir}/libsl.so.0* + +%files -n libwind0 +%{_libdir}/libwind.so.0* + +%files devel +%license LICENSE +%doc NEWS README TODO +%{_includedir}/*.h +%dir %{_includedir}/gssapi +%{_includedir}/gssapi/*.h +%dir %{_includedir}/hcrypto +%{_includedir}/hcrypto/*.h +%dir %{_includedir}/kadm5 +%{_includedir}/kadm5/*.h +%dir %{_includedir}/krb5 +%{_includedir}/krb5/*.h +%dir %{_includedir}/roken +%{_includedir}/roken/*.h +%{_libdir}/*.so +%{_infodir}/*.info%{?ext_info} + +%changelog diff --git a/reproducible.patch b/reproducible.patch new file mode 100644 index 0000000..f143cf1 --- /dev/null +++ b/reproducible.patch 
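Review bot: Source0 is a locally repacked tarball (heimdal-%{version}-patched.tar.bz2, produced by the Source2 script from the upstream heimdal-%{version}.tar.gz), so nothing in this spec lets a reviewer tie what gets built back to the upstream release: there is no upstream signature or keyring source, and the gap at Source1 suggests one may once have been present. I would record the checksum of the upstream archive the script consumed next to Source0, e.g. `# repacked from heimdal-%{version}.tar.gz, upstream sha256: <UPSTREAM_SHA256_PLACEHOLDER>`, and have heimdal-patch-source.sh verify that value before stripping files, so the repack can be reproduced and the removed-binaries claim in %description confirmed rather than trusted. The Patch2 comment already points at the oss-security advisory for CVE-2022-45142, which is the right shape; the same one-line provenance comment would help on Patch0, which is the bulk 690-line build-system diff applied to the repacked tree.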
@@ -0,0 +1,108 @@ +--- heimdal-7.8.0-patched/Makefile.am.orig 2022-12-20 17:40:01.919051445 +0100 ++++ heimdal-7.8.0-patched/Makefile.am 2022-12-20 17:40:01.927051422 +0100 +@@ -45,7 +45,6 @@ + cf/krb-prog-yacc.m4 \ + cf/krb-sys-aix.m4 \ + cf/krb-sys-nextstep.m4 \ +- cf/krb-version.m4 \ + cf/roken.m4 \ + cf/valgrind-suppressions \ + cf/maybe-valgrind.sh \ +--- heimdal-7.8.0-patched/cf/krb-version.m4 2022-09-16 01:54:19.000000000 +0200 ++++ /dev/null 2022-12-20 16:43:58.646784977 +0100 +@@ -1,24 +0,0 @@ +-dnl $Id$ +-dnl +-dnl +-dnl output a C header-file with some version strings +-dnl +- +-AC_DEFUN([AC_KRB_VERSION],[ +-cat > include/newversion.h.in </dev/null | sed 1q` +- Date=`date` +- mv -f include/newversion.h.in include/version.h.in +- sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h +-fi +-]) +--- heimdal-7.8.0-patched/configure.ac.orig 2022-12-20 17:47:29.421826289 +0100 ++++ heimdal-7.8.0-patched/configure.ac 2022-12-20 17:47:29.437826248 +0100 +@@ -627,22 +627,63 @@ + dnl This is the release version name-number[beta] + dnl + +-cat > include/newversion.h.in < include/newversion.h.in < include/newversion.h.in </dev/null | sed 1q` +- Date=`date` ++ if test -n "$SOURCE_DATE_EPOCH"; then ++ Date=`date -u -d "@$SOURCE_DATE_EPOCH" "+%Y-%m-%dT%H:%M:%SZ"` ++ else ++ Date=`date -u "+%Y-%m-%dT%H:%M:%SZ"` ++ fi ++ if test -n "$SOURCE_HOST"; then ++ Host=$SOURCE_HOST ++ else ++ Host=`uname -n` ++ fi ++ if test -n "$SOURCE_USER"; then ++ User=$SOURCE_USER ++ else ++ User=${USER:-${LOGNAME:-`id -nu`}} ++ fi ++ if test -d "$srcdir/.git"; then ++ GitCommit=`git rev-parse HEAD` ++ GitBranch=`git rev-parse --abbrev-ref HEAD` ++ if test "x$GitBranch" = master; then ++ GitDesc=`git describe --all --dirty` ++ else ++ GitDesc=`git describe --tags --match 'heimdal-*' --dirty` ++ fi ++ else ++ GitCommit='' ++ GitBranch='' ++ GitDesc='' ++ fi + mv -f include/newversion.h.in include/version.h.in +- sed -e "s/@USER@/$User/" -e 
"s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h ++ sed -e "s/@HOST@/$Host/" \ ++ -e "s;@USER@;$User;" \ ++ -e "s;@DATE@;$Date;" \ ++ -e "s;@BRANCH@;$GitBranch;" \ ++ -e "s;@TAG@;$GitDesc;" \ ++ -e "s;@COMMIT@;$GitCommit;" \ ++ include/version.h.in > include/version.h + fi