Sync from SUSE:SLFO:Main krb5 revision e6f14fc5d12165e535e29f8ac840fbc5
This commit is contained in:
parent
7ef60b02c2
commit
07bc48df51
@ -1,67 +0,0 @@
|
||||
From c93242bd934a1e4b6f21aae08fbbbd1984d1c653 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed, 21 Jun 2023 10:57:39 -0400
|
||||
Subject: [PATCH] Ensure array count consistency in kadm5 RPC
|
||||
|
||||
In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
|
||||
key_data array count when decoding. Otherwise when the structure is
|
||||
later freed, xdr_array() could iterate over the wrong number of
|
||||
elements, either leaking some memory or freeing uninitialized
|
||||
pointers. Reported by Robert Morris.
|
||||
|
||||
CVE-2023-36054:
|
||||
|
||||
An authenticated attacker can cause a kadmind process to crash by
|
||||
freeing uninitialized pointers. Remote code execution is unlikely.
|
||||
An attacker with control of a kadmin server can cause a kadmin client
|
||||
to crash by freeing uninitialized pointers.
|
||||
|
||||
(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd)
|
||||
|
||||
ticket: 9099
|
||||
version_fixed: 1.20.2
|
||||
|
||||
(cherry picked from commit c81ffb6c8578a9b55c9d0a10342b5bc1bc6ec4df)
|
||||
---
|
||||
src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
|
||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
|
||||
index 0411c3fd3..287cae750 100644
|
||||
--- a/src/lib/kadm5/kadm_rpc_xdr.c
|
||||
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
|
||||
@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
|
||||
int v)
|
||||
{
|
||||
unsigned int n;
|
||||
+ bool_t r;
|
||||
|
||||
if (!xdr_krb5_principal(xdrs, &objp->principal)) {
|
||||
return (FALSE);
|
||||
@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
|
||||
if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
|
||||
return (FALSE);
|
||||
}
|
||||
+ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
|
||||
+ return (FALSE);
|
||||
+ }
|
||||
if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
|
||||
return (FALSE);
|
||||
}
|
||||
@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
|
||||
return FALSE;
|
||||
}
|
||||
n = objp->n_key_data;
|
||||
- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
|
||||
- &n, ~0, sizeof(krb5_key_data),
|
||||
- xdr_krb5_key_data_nocontents)) {
|
||||
+ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
|
||||
+ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
|
||||
+ objp->n_key_data = n;
|
||||
+ if (!r) {
|
||||
return (FALSE);
|
||||
}
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
248
0009-Fix-three-memory-leaks.patch
Normal file
248
0009-Fix-three-memory-leaks.patch
Normal file
@ -0,0 +1,248 @@
|
||||
From 2aaffa96269b56fe09abf81851c40c9c4a3587f0 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 5 Mar 2024 17:38:49 -0500
|
||||
Subject: [PATCH 1/2] Fix leak in KDC NDR encoding
|
||||
|
||||
If the KDC tries to encode a principal containing encode invalid UTF-8
|
||||
sequences for inclusion in a PAC delegation info buffer, it will leak
|
||||
a small amount of memory in enc_wchar_pointer() before failing. Fix
|
||||
the leak.
|
||||
|
||||
ticket: 9115 (new)
|
||||
tags: pullup
|
||||
target_version: 1.21-next
|
||||
|
||||
(cherry picked from commit 7d0d85bf99caf60c0afd4dcf91b0c4c683b983fe)
|
||||
---
|
||||
src/kdc/ndr.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c
|
||||
index 48395abe52..d438408ee2 100644
|
||||
--- a/src/kdc/ndr.c
|
||||
+++ b/src/kdc/ndr.c
|
||||
@@ -96,14 +96,13 @@ enc_wchar_pointer(const char *utf8, struct encoded_wchars *encoded_out)
|
||||
size_t utf16len, num_wchars;
|
||||
uint8_t *utf16;
|
||||
|
||||
- k5_buf_init_dynamic(&b);
|
||||
-
|
||||
ret = k5_utf8_to_utf16le(utf8, &utf16, &utf16len);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
num_wchars = utf16len / 2;
|
||||
|
||||
+ k5_buf_init_dynamic(&b);
|
||||
k5_buf_add_uint32_le(&b, num_wchars + 1);
|
||||
k5_buf_add_uint32_le(&b, 0);
|
||||
k5_buf_add_uint32_le(&b, num_wchars);
|
||||
--
|
||||
2.44.0
|
||||
|
||||
|
||||
From 489deee29f427f22e2a26de729319bdb70819c37 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 5 Mar 2024 19:53:07 -0500
|
||||
Subject: [PATCH 2/2] Fix two unlikely memory leaks
|
||||
|
||||
In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
|
||||
could probably never be triggered) leaks plain.data. Fix this leak
|
||||
and use current practices for cleanup throughout the function.
|
||||
|
||||
In xmt_rmtcallres() (unused within the tree and likely elsewhere),
|
||||
store port_ptr into crp->port_ptr as soon as it is allocated;
|
||||
otherwise it could leak if the subsequent xdr_u_int32() operation
|
||||
fails.
|
||||
|
||||
(cherry picked from commit c5f9c816107f70139de11b38aa02db2f1774ee0d)
|
||||
---
|
||||
src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++-------------------
|
||||
src/lib/rpc/pmap_rmt.c | 9 +++---
|
||||
2 files changed, 29 insertions(+), 36 deletions(-)
|
||||
|
||||
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
|
||||
index 3b4f8cb837..e881eee835 100644
|
||||
--- a/src/lib/gssapi/krb5/k5sealv3.c
|
||||
+++ b/src/lib/gssapi/krb5/k5sealv3.c
|
||||
@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
int conf_req_flag, int toktype)
|
||||
{
|
||||
size_t bufsize = 16;
|
||||
- unsigned char *outbuf = 0;
|
||||
+ unsigned char *outbuf = NULL;
|
||||
krb5_error_code err;
|
||||
int key_usage;
|
||||
unsigned char acceptor_flag;
|
||||
@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
#endif
|
||||
size_t ec;
|
||||
unsigned short tok_id;
|
||||
- krb5_checksum sum;
|
||||
+ krb5_checksum sum = { 0 };
|
||||
krb5_key key;
|
||||
krb5_cksumtype cksumtype;
|
||||
+ krb5_data plain = empty_data();
|
||||
+
|
||||
+ token->value = NULL;
|
||||
+ token->length = 0;
|
||||
|
||||
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
|
||||
key_usage = (toktype == KG_TOK_WRAP_MSG
|
||||
@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
#endif
|
||||
|
||||
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
|
||||
- krb5_data plain;
|
||||
krb5_enc_data cipher;
|
||||
size_t ec_max;
|
||||
size_t encrypt_size;
|
||||
|
||||
/* 300: Adds some slop. */
|
||||
- if (SIZE_MAX - 300 < message->length)
|
||||
- return ENOMEM;
|
||||
+ if (SIZE_MAX - 300 < message->length) {
|
||||
+ err = ENOMEM;
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
ec_max = SIZE_MAX - message->length - 300;
|
||||
if (ec_max > 0xffff)
|
||||
ec_max = 0xffff;
|
||||
@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
#endif
|
||||
err = alloc_data(&plain, message->length + 16 + ec);
|
||||
if (err)
|
||||
- return err;
|
||||
+ goto cleanup;
|
||||
|
||||
/* Get size of ciphertext. */
|
||||
encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
|
||||
if (encrypt_size > SIZE_MAX / 2) {
|
||||
err = ENOMEM;
|
||||
- goto error;
|
||||
+ goto cleanup;
|
||||
}
|
||||
bufsize = 16 + encrypt_size;
|
||||
/* Allocate space for header plus encrypted data. */
|
||||
outbuf = gssalloc_malloc(bufsize);
|
||||
if (outbuf == NULL) {
|
||||
- free(plain.data);
|
||||
- return ENOMEM;
|
||||
+ err = ENOMEM;
|
||||
+ goto cleanup;
|
||||
}
|
||||
|
||||
/* TOK_ID */
|
||||
@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
cipher.ciphertext.length = bufsize - 16;
|
||||
cipher.enctype = key->keyblock.enctype;
|
||||
err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
|
||||
- zap(plain.data, plain.length);
|
||||
- free(plain.data);
|
||||
- plain.data = 0;
|
||||
if (err)
|
||||
- goto error;
|
||||
+ goto cleanup;
|
||||
|
||||
/* Now that we know we're returning a valid token.... */
|
||||
ctx->seq_send++;
|
||||
@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
/* If the rotate fails, don't worry about it. */
|
||||
#endif
|
||||
} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
|
||||
- krb5_data plain;
|
||||
size_t cksumsize;
|
||||
|
||||
/* Here, message is the application-supplied data; message2 is
|
||||
@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
wrap_with_checksum:
|
||||
err = alloc_data(&plain, message->length + 16);
|
||||
if (err)
|
||||
- return err;
|
||||
+ goto cleanup;
|
||||
|
||||
err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
|
||||
if (err)
|
||||
- goto error;
|
||||
+ goto cleanup;
|
||||
|
||||
assert(cksumsize <= 0xffff);
|
||||
|
||||
bufsize = 16 + message2->length + cksumsize;
|
||||
outbuf = gssalloc_malloc(bufsize);
|
||||
if (outbuf == NULL) {
|
||||
- free(plain.data);
|
||||
- plain.data = 0;
|
||||
err = ENOMEM;
|
||||
- goto error;
|
||||
+ goto cleanup;
|
||||
}
|
||||
|
||||
/* TOK_ID */
|
||||
@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
if (message2->length)
|
||||
memcpy(outbuf + 16, message2->value, message2->length);
|
||||
|
||||
- sum.contents = outbuf + 16 + message2->length;
|
||||
- sum.length = cksumsize;
|
||||
-
|
||||
err = krb5_k_make_checksum(context, cksumtype, key,
|
||||
key_usage, &plain, &sum);
|
||||
- zap(plain.data, plain.length);
|
||||
- free(plain.data);
|
||||
- plain.data = 0;
|
||||
if (err) {
|
||||
zap(outbuf,bufsize);
|
||||
- goto error;
|
||||
+ goto cleanup;
|
||||
}
|
||||
if (sum.length != cksumsize)
|
||||
abort();
|
||||
memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
|
||||
- krb5_free_checksum_contents(context, &sum);
|
||||
- sum.contents = 0;
|
||||
/* Now that we know we're actually generating the token... */
|
||||
ctx->seq_send++;
|
||||
|
||||
@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||
|
||||
token->value = outbuf;
|
||||
token->length = bufsize;
|
||||
- return 0;
|
||||
+ outbuf = NULL;
|
||||
+ err = 0;
|
||||
|
||||
-error:
|
||||
+cleanup:
|
||||
+ krb5_free_checksum_contents(context, &sum);
|
||||
+ zapfree(plain.data, plain.length);
|
||||
gssalloc_free(outbuf);
|
||||
- token->value = NULL;
|
||||
- token->length = 0;
|
||||
return err;
|
||||
}
|
||||
|
||||
diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
|
||||
index 8c7e30c21a..0748af34a7 100644
|
||||
--- a/src/lib/rpc/pmap_rmt.c
|
||||
+++ b/src/lib/rpc/pmap_rmt.c
|
||||
@@ -160,11 +160,12 @@ xdr_rmtcallres(
|
||||
caddr_t port_ptr;
|
||||
|
||||
port_ptr = (caddr_t)(void *)crp->port_ptr;
|
||||
- if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
|
||||
- xdr_u_int32) && xdr_u_int32(xdrs, &crp->resultslen)) {
|
||||
- crp->port_ptr = (uint32_t *)(void *)port_ptr;
|
||||
+ if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
|
||||
+ (xdrproc_t)xdr_u_int32))
|
||||
+ return (FALSE);
|
||||
+ crp->port_ptr = (uint32_t *)(void *)port_ptr;
|
||||
+ if (xdr_u_int32(xdrs, &crp->resultslen))
|
||||
return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
|
||||
- }
|
||||
return (FALSE);
|
||||
}
|
||||
|
||||
--
|
||||
2.44.0
|
||||
|
BIN
krb5-1.20.1.tar.gz
(Stored with Git LFS)
BIN
krb5-1.20.1.tar.gz
(Stored with Git LFS)
Binary file not shown.
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmNvED8ACgkQDLoIV1+D
|
||||
ct9uKw/8C5GS8mdh335lB+bkfjYYCZLD+oQToDAAbdCddrIcuLftvnTfXJ8cMtMc
|
||||
UT2hsp8u7ZupjJRevdhaH7fFwomc0V8iSES5J2cQHTNd9aK93j/W6NaMoqWLrQWg
|
||||
jx99oqLn7orvp8N5RufEQcNMNWhFIX4XSfrA3vPfHbbffA2vkjJzOGno4UHi8zUn
|
||||
6nye7jbrBpiQIeFIJSS3VPsvGrKdRgb9BqGTUsqPIuFvr3Qvo42lKr5X8CWYSXjK
|
||||
0aKlOpfbWdkteEe2o84/wyMpuGvmYkmOgaMB5xQ3jfEuvPNAWX2CWHNDamiqwBT/
|
||||
YxwhZimNa1B9r3P1yDHvpUu8cJaRzw2UDRi2f3Kztrmn2jlqzmoZ31WBALJA7lmL
|
||||
SrVFdXi7AcWwppMp1kbe9SvurCXID8/Q4n+qAdzSvqrXbeWerVUkdYFvtxQ1bMJR
|
||||
jnqN11iZFYaoCaaR2lFEhjoMdR80jUa2m6vdF7a7xhH1UvuPHDnzLT9X/TiPvx0R
|
||||
Itrp5MMIrUQHcZUL9hM5hrg3nxEsGsSCnjB0zWDmgXdLGwd4CvcOF4HPQR3BBlEH
|
||||
CLtAa27bBXMJTYVvmmKt06hw+U3ALDfUlFrV6ZNLr9ug69l29n7JoChAbZ97Hx1m
|
||||
twPwJpKd8AiUz+j3KCfgGU21qMbHNP3jEn3q9tkq0qcs/z7RCmU=
|
||||
=1WIq
|
||||
-----END PGP SIGNATURE-----
|
BIN
krb5-1.21.2.tar.gz
(Stored with Git LFS)
Normal file
BIN
krb5-1.21.2.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
16
krb5-1.21.2.tar.gz.asc
Normal file
16
krb5-1.21.2.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmTbET4ACgkQDLoIV1+D
|
||||
ct8zBQ/+LugwKy9Y9b3lVaLxPM/qxntLi4Bq5C2GVQ+bED7YCvUiL8aIzJbuTVpf
|
||||
GLWLtVuf6vxKz2V17JKOluVMqRDBZDexHZv9EvVjhanqMpvV32tSa60HF4e7lER+
|
||||
3iP/bIjSi2U9ixOcNICNnK2DeFGY601C1KT4cLs3H76pfb1miPItm7p79UNicz1o
|
||||
V6KgG0J5F4ktYiTonb0TXYdCAvY/3ROEYwmmRpCjtkBCzTdr9tVXU0n6Yc0wsfBD
|
||||
AXkyqlUhisMWxqGrLZMnkIx3LA83nMHG8nY/doqOYzKuE9a4cBe69+Bl6e9NRY7G
|
||||
ysD2J1cZ2imCYoalUcxrLfnd3fwPpcrlnuwH5DKJtcJGEUNwydjyWZeMl87pbhb1
|
||||
lOggcn8DL6l3vqBpkTBE4IQw3s+B1+BylpjXBsvzxGYHerpffIqsHzHywguiJutT
|
||||
bkP5ktjZ0QHAZ6PYA6NleGjPbBg/Jeywg1Mjrx+2IdBAYnS0KtTSa72Zqqb8eGmQ
|
||||
iCVpy9gK7zX7UCLm33M6HVtC9ffJ4vajcShk25u8uKuomTQgK3lGoN0wX55OE+sO
|
||||
AkMSuFxPNsNheMI53Zjutc4NzEscy09G8VxHwGqcEwD+NF7+2GpPuOq9ot9nH+Jd
|
||||
xoVYjhqxeb5Uq6lgp0B8sILLqwg1+gEXWdA+rR5Tx+ykv8HESxg=
|
||||
=aMVp
|
||||
-----END PGP SIGNATURE-----
|
@ -1,10 +1,18 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 8 11:17:33 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
|
||||
Thu Feb 29 10:07:57 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
||||
|
||||
- Ensure array count consistency in kadm5 RPC; (bsc#1214054);
|
||||
(CVE-2023-36054);
|
||||
- Added patches:
|
||||
* 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
|
||||
- Add crypto-policies support [bsc#1211301]
|
||||
* Update krb5.conf in vendor-files.tar.bz2
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 3 11:29:23 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
|
||||
|
||||
- Add explicit this-is-only-for-build-envs requires to krb5-mini
|
||||
and krb5-mini-devel: the mini flavors are currently excluded
|
||||
using special hacks from the FTP Tree. In order to eliminate this
|
||||
hack, we need to ensure the packages are not viable for real
|
||||
installations. We achieve this with a dep that is never provided,
|
||||
but ignored by OBS.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 4 13:42:23 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package krb5-mini
|
||||
#
|
||||
# Copyright (c) 2023 SUSE LLC
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -24,13 +24,13 @@
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
Name: krb5-mini
|
||||
Version: 1.20.1
|
||||
Version: 1.21.2
|
||||
Release: 0
|
||||
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
|
||||
License: MIT
|
||||
URL: https://kerberos.org/dist/
|
||||
Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz
|
||||
Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc
|
||||
Source0: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz
|
||||
Source1: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz.asc
|
||||
Source2: krb5.keyring
|
||||
Source3: vendor-files.tar.bz2
|
||||
Source4: baselibs.conf
|
||||
@ -44,7 +44,6 @@ Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
|
||||
Patch6: 0006-krb5-1.12-api.patch
|
||||
Patch7: 0007-SELinux-integration.patch
|
||||
Patch8: 0008-krb5-1.9-debuginfo.patch
|
||||
Patch9: 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: bison
|
||||
BuildRequires: pkgconfig
|
||||
@ -52,7 +51,12 @@ BuildRequires: pkgconfig(com_err)
|
||||
BuildRequires: pkgconfig(libselinux)
|
||||
BuildRequires: pkgconfig(libverto)
|
||||
BuildRequires: pkgconfig(ncurses)
|
||||
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
||||
BuildRequires: crypto-policies
|
||||
Requires: crypto-policies
|
||||
%endif
|
||||
Requires(post): %fillup_prereq
|
||||
Requires: this-is-only-for-build-envs
|
||||
Conflicts: krb5
|
||||
Conflicts: krb5-client
|
||||
Conflicts: krb5-mini
|
||||
@ -77,6 +81,7 @@ Requires: pkgconfig(libverto)
|
||||
Requires: pkgconfig(ss)
|
||||
Conflicts: krb5-devel
|
||||
Provides: krb5-devel = %{version}
|
||||
Requires: this-is-only-for-build-envs
|
||||
|
||||
%description devel
|
||||
Kerberos V5 is a trusted-third-party network authentication system,
|
||||
@ -157,6 +162,11 @@ install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
||||
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
||||
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
||||
|
||||
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
||||
# Default include on this directory
|
||||
ln -sv %{_sysconfdir}/crypto-policies/back-ends/krb5.config %{buildroot}%{_sysconfdir}/krb5.conf.d/crypto-policies
|
||||
%endif
|
||||
|
||||
# all libs must have permissions 0755
|
||||
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
|
||||
do
|
||||
@ -268,6 +278,9 @@ sed -i "s/%{_lto_cflags}//" %{buildroot}%{_bindir}/krb5-config
|
||||
%doc %{krb5docdir}/README
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
|
||||
%dir %{_sysconfdir}/krb5.conf.d
|
||||
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
||||
%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/crypto-policies
|
||||
%endif
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
|
||||
%{_fillupdir}/sysconfig.*
|
||||
%{_unitdir}/kadmind.service
|
||||
|
65
krb5.changes
65
krb5.changes
@ -1,10 +1,63 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 8 11:17:33 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
|
||||
Mon May 13 14:06:29 UTC 2024 - Andreas Schneider <asn@cryptomilk.org>
|
||||
|
||||
- Ensure array count consistency in kadm5 RPC; (bsc#1214054);
|
||||
(CVE-2023-36054);
|
||||
- Added patches:
|
||||
* 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
|
||||
- Enable the LMDB backend for KDB
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 2 11:57:25 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
|
||||
|
||||
- Remove requires for not used cron
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 22 09:19:41 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
|
||||
|
||||
- Fix memory leaks, add patch 0009-Fix-three-memory-leaks.patch
|
||||
* CVE-2024-26458, bsc#1220770
|
||||
* CVE-2024-26461, bsc#1220771
|
||||
* CVE-2024-26462, bsc#1220772
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 29 10:07:57 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
||||
|
||||
- Add crypto-policies support [bsc#1211301]
|
||||
* Update krb5.conf in vendor-files.tar.bz2
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 20 23:18:05 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
- update to 1.21.2 (bsc#1218211, CVE-2023-39975):
|
||||
* Fix double-free in KDC TGS processing [CVE-2023-39975].
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Jul 15 18:19:32 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
- update to 1.21.1 (CVE-2023-36054):
|
||||
* Fix potential uninitialized pointer free in kadm5 XDR parsing
|
||||
[CVE-2023-36054]; (bsc#1214054).
|
||||
* Added a credential cache type providing compatibility with
|
||||
the macOS 11 native credential cache.
|
||||
* libkadm5 will use the provided krb5_context object to read
|
||||
configuration values, instead of creating its own.
|
||||
* Added an interface to retrieve the ticket session key
|
||||
from a GSS context.
|
||||
* The KDC will no longer issue tickets with RC4 or triple-DES
|
||||
session keys unless explicitly configured with the new
|
||||
allow_rc4 or allow_des3 variables respectively.
|
||||
* The KDC will assume that all services can handle aes256-sha1
|
||||
session keys unless the service principal has a
|
||||
session_enctypes string attribute.
|
||||
* Support for PAC full KDC checksums has been added to
|
||||
mitigate an S4U2Proxy privilege escalation attack.
|
||||
* The PKINIT client will advertise a more modern set
|
||||
of supported CMS algorithms.
|
||||
* Removed unused code in libkrb5, libkrb5support,
|
||||
and the PKINIT module.
|
||||
* Modernized the KDC code for processing TGS requests,
|
||||
the code for encrypting and decrypting key data,
|
||||
the PAC handling code, and the GSS library packet
|
||||
parsing and composition code.
|
||||
* Improved the test framework's detection of memory
|
||||
errors in daemon processes when used with asan.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 4 13:42:23 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
|
||||
@ -234,7 +287,7 @@ Mon May 4 09:24:21 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
||||
* Fix a compile error when building with musl libc on Linux.
|
||||
* Fix a compile error when building with gcc 4.x.
|
||||
* Change the KDC constrained delegation precedence order for consistency
|
||||
with Windows KDCs.
|
||||
with Windows KDCs.
|
||||
- Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
|
28
krb5.spec
28
krb5.spec
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package krb5
|
||||
#
|
||||
# Copyright (c) 2023 SUSE LLC
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -21,13 +21,13 @@
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
Name: krb5
|
||||
Version: 1.20.1
|
||||
Version: 1.21.2
|
||||
Release: 0
|
||||
Summary: MIT Kerberos5 implementation
|
||||
License: MIT
|
||||
URL: https://kerberos.org/dist/
|
||||
Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz
|
||||
Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc
|
||||
Source0: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz
|
||||
Source1: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz.asc
|
||||
Source2: krb5.keyring
|
||||
Source3: vendor-files.tar.bz2
|
||||
Source4: baselibs.conf
|
||||
@ -42,7 +42,7 @@ Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
|
||||
Patch6: 0006-krb5-1.12-api.patch
|
||||
Patch7: 0007-SELinux-integration.patch
|
||||
Patch8: 0008-krb5-1.9-debuginfo.patch
|
||||
Patch9: 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
|
||||
Patch9: 0009-Fix-three-memory-leaks.patch
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: bison
|
||||
BuildRequires: cyrus-sasl-devel
|
||||
@ -55,9 +55,14 @@ BuildRequires: pkgconfig(com_err)
|
||||
BuildRequires: pkgconfig(libselinux)
|
||||
BuildRequires: pkgconfig(libssl)
|
||||
BuildRequires: pkgconfig(libverto)
|
||||
BuildRequires: pkgconfig(lmdb)
|
||||
BuildRequires: pkgconfig(ncurses)
|
||||
BuildRequires: pkgconfig(ss)
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
||||
BuildRequires: crypto-policies
|
||||
Requires: crypto-policies
|
||||
%endif
|
||||
Conflicts: krb5-mini
|
||||
Obsoletes: krb5-plugin-preauth-pkinit-nss
|
||||
|
||||
@ -78,7 +83,6 @@ client programs, like kinit, kadmin, ...
|
||||
|
||||
%package server
|
||||
Summary: Server program of the MIT Kerberos5 implementation
|
||||
Requires: cron
|
||||
Requires: libverto-libev1
|
||||
Requires: logrotate
|
||||
Requires: perl-Date-Calc
|
||||
@ -186,7 +190,8 @@ DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
|
||||
--with-selinux \
|
||||
--with-system-et \
|
||||
--with-system-ss \
|
||||
--with-system-verto
|
||||
--with-system-verto \
|
||||
--with-lmdb
|
||||
|
||||
%make_build
|
||||
|
||||
@ -227,6 +232,11 @@ install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
||||
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
||||
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
||||
|
||||
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
||||
# Default include on this directory
|
||||
ln -sv %{_sysconfdir}/crypto-policies/back-ends/krb5.config %{buildroot}%{_sysconfdir}/krb5.conf.d/crypto-policies
|
||||
%endif
|
||||
|
||||
# all libs must have permissions 0755
|
||||
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
|
||||
do
|
||||
@ -366,6 +376,9 @@ done
|
||||
%doc %{krb5docdir}/README
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
|
||||
%dir %{_sysconfdir}/krb5.conf.d
|
||||
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
||||
%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/crypto-policies
|
||||
%endif
|
||||
%{_libdir}/libgssapi_krb5.*
|
||||
%{_libdir}/libgssrpc.so.*
|
||||
%{_libdir}/libk5crypto.so.*
|
||||
@ -417,6 +430,7 @@ done
|
||||
%{_sbindir}/sserver
|
||||
%{_sbindir}/uuserver
|
||||
%{_libdir}/krb5/plugins/kdb/db2.so
|
||||
%{_libdir}/krb5/plugins/kdb/klmdb.so
|
||||
%{_mandir}/man5/kdc.conf.5%{?ext_man}
|
||||
%{_mandir}/man5/kadm5.acl.5%{?ext_man}
|
||||
%{_mandir}/man8/kadmind.8%{?ext_man}
|
||||
|
BIN
vendor-files.tar.bz2
(Stored with Git LFS)
BIN
vendor-files.tar.bz2
(Stored with Git LFS)
Binary file not shown.
Loading…
Reference in New Issue
Block a user