From 07bc48df5114c11bd074c32fbe67560d1c03055a0a4f03f1c89b6710f2c7395b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Wed, 12 Jun 2024 22:34:13 +0200 Subject: [PATCH] Sync from SUSE:SLFO:Main krb5 revision e6f14fc5d12165e535e29f8ac840fbc5 --- ...array-count-consistency-in-kadm5-RPC.patch | 67 ----- 0009-Fix-three-memory-leaks.patch | 248 ++++++++++++++++++ krb5-1.20.1.tar.gz | 3 - krb5-1.20.1.tar.gz.asc | 16 -- krb5-1.21.2.tar.gz | 3 + krb5-1.21.2.tar.gz.asc | 16 ++ krb5-mini.changes | 18 +- krb5-mini.spec | 23 +- krb5.changes | 65 ++++- krb5.spec | 28 +- vendor-files.tar.bz2 | 4 +- 11 files changed, 380 insertions(+), 111 deletions(-) delete mode 100644 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch create mode 100644 0009-Fix-three-memory-leaks.patch delete mode 100644 krb5-1.20.1.tar.gz delete mode 100644 krb5-1.20.1.tar.gz.asc create mode 100644 krb5-1.21.2.tar.gz create mode 100644 krb5-1.21.2.tar.gz.asc diff --git a/0009-Ensure-array-count-consistency-in-kadm5-RPC.patch b/0009-Ensure-array-count-consistency-in-kadm5-RPC.patch deleted file mode 100644 index b4dd7d6..0000000 --- a/0009-Ensure-array-count-consistency-in-kadm5-RPC.patch +++ /dev/null @@ -1,67 +0,0 @@ -From c93242bd934a1e4b6f21aae08fbbbd1984d1c653 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Wed, 21 Jun 2023 10:57:39 -0400 -Subject: [PATCH] Ensure array count consistency in kadm5 RPC - -In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the -key_data array count when decoding. Otherwise when the structure is -later freed, xdr_array() could iterate over the wrong number of -elements, either leaking some memory or freeing uninitialized -pointers. Reported by Robert Morris. - -CVE-2023-36054: - -An authenticated attacker can cause a kadmind process to crash by -freeing uninitialized pointers. Remote code execution is unlikely. -An attacker with control of a kadmin server can cause a kadmin client -to crash by freeing uninitialized pointers. - -(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd) - -ticket: 9099 -version_fixed: 1.20.2 - -(cherry picked from commit c81ffb6c8578a9b55c9d0a10342b5bc1bc6ec4df) ---- - src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c -index 0411c3fd3..287cae750 100644 ---- a/src/lib/kadm5/kadm_rpc_xdr.c -+++ b/src/lib/kadm5/kadm_rpc_xdr.c -@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, - int v) - { - unsigned int n; -+ bool_t r; - - if (!xdr_krb5_principal(xdrs, &objp->principal)) { - return (FALSE); -@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, - if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) { - return (FALSE); - } -+ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) { -+ return (FALSE); -+ } - if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) { - return (FALSE); - } -@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, - return FALSE; - } - n = objp->n_key_data; -- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data, -- &n, ~0, sizeof(krb5_key_data), -- xdr_krb5_key_data_nocontents)) { -+ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data, -+ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents); -+ objp->n_key_data = n; -+ if (!r) { - return (FALSE); - } - --- -2.41.0 - diff --git a/0009-Fix-three-memory-leaks.patch b/0009-Fix-three-memory-leaks.patch new file mode 100644 index 0000000..355cddc --- /dev/null +++ b/0009-Fix-three-memory-leaks.patch @@ -0,0 +1,248 @@ +From 2aaffa96269b56fe09abf81851c40c9c4a3587f0 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 5 Mar 2024 17:38:49 -0500 +Subject: [PATCH 1/2] Fix leak in KDC NDR encoding + +If the KDC tries to encode a principal containing encode invalid UTF-8 +sequences for inclusion in a PAC delegation info buffer, it will leak +a small amount of memory in enc_wchar_pointer() before failing. Fix +the leak. + +ticket: 9115 (new) +tags: pullup +target_version: 1.21-next + +(cherry picked from commit 7d0d85bf99caf60c0afd4dcf91b0c4c683b983fe) +--- + src/kdc/ndr.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c +index 48395abe52..d438408ee2 100644 +--- a/src/kdc/ndr.c ++++ b/src/kdc/ndr.c +@@ -96,14 +96,13 @@ enc_wchar_pointer(const char *utf8, struct encoded_wchars *encoded_out) + size_t utf16len, num_wchars; + uint8_t *utf16; + +- k5_buf_init_dynamic(&b); +- + ret = k5_utf8_to_utf16le(utf8, &utf16, &utf16len); + if (ret) + return ret; + + num_wchars = utf16len / 2; + ++ k5_buf_init_dynamic(&b); + k5_buf_add_uint32_le(&b, num_wchars + 1); + k5_buf_add_uint32_le(&b, 0); + k5_buf_add_uint32_le(&b, num_wchars); +-- +2.44.0 + + +From 489deee29f427f22e2a26de729319bdb70819c37 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 5 Mar 2024 19:53:07 -0500 +Subject: [PATCH 2/2] Fix two unlikely memory leaks + +In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which +could probably never be triggered) leaks plain.data. Fix this leak +and use current practices for cleanup throughout the function. + +In xmt_rmtcallres() (unused within the tree and likely elsewhere), +store port_ptr into crp->port_ptr as soon as it is allocated; +otherwise it could leak if the subsequent xdr_u_int32() operation +fails. + +(cherry picked from commit c5f9c816107f70139de11b38aa02db2f1774ee0d) +--- + src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++------------------- + src/lib/rpc/pmap_rmt.c | 9 +++--- + 2 files changed, 29 insertions(+), 36 deletions(-) + +diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c +index 3b4f8cb837..e881eee835 100644 +--- a/src/lib/gssapi/krb5/k5sealv3.c ++++ b/src/lib/gssapi/krb5/k5sealv3.c +@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + int conf_req_flag, int toktype) + { + size_t bufsize = 16; +- unsigned char *outbuf = 0; ++ unsigned char *outbuf = NULL; + krb5_error_code err; + int key_usage; + unsigned char acceptor_flag; +@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + #endif + size_t ec; + unsigned short tok_id; +- krb5_checksum sum; ++ krb5_checksum sum = { 0 }; + krb5_key key; + krb5_cksumtype cksumtype; ++ krb5_data plain = empty_data(); ++ ++ token->value = NULL; ++ token->length = 0; + + acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR; + key_usage = (toktype == KG_TOK_WRAP_MSG +@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + #endif + + if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) { +- krb5_data plain; + krb5_enc_data cipher; + size_t ec_max; + size_t encrypt_size; + + /* 300: Adds some slop. */ +- if (SIZE_MAX - 300 < message->length) +- return ENOMEM; ++ if (SIZE_MAX - 300 < message->length) { ++ err = ENOMEM; ++ goto cleanup; ++ } + ec_max = SIZE_MAX - message->length - 300; + if (ec_max > 0xffff) + ec_max = 0xffff; +@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + #endif + err = alloc_data(&plain, message->length + 16 + ec); + if (err) +- return err; ++ goto cleanup; + + /* Get size of ciphertext. */ + encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype); + if (encrypt_size > SIZE_MAX / 2) { + err = ENOMEM; +- goto error; ++ goto cleanup; + } + bufsize = 16 + encrypt_size; + /* Allocate space for header plus encrypted data. */ + outbuf = gssalloc_malloc(bufsize); + if (outbuf == NULL) { +- free(plain.data); +- return ENOMEM; ++ err = ENOMEM; ++ goto cleanup; + } + + /* TOK_ID */ +@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + cipher.ciphertext.length = bufsize - 16; + cipher.enctype = key->keyblock.enctype; + err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher); +- zap(plain.data, plain.length); +- free(plain.data); +- plain.data = 0; + if (err) +- goto error; ++ goto cleanup; + + /* Now that we know we're returning a valid token.... */ + ctx->seq_send++; +@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + /* If the rotate fails, don't worry about it. */ + #endif + } else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) { +- krb5_data plain; + size_t cksumsize; + + /* Here, message is the application-supplied data; message2 is +@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + wrap_with_checksum: + err = alloc_data(&plain, message->length + 16); + if (err) +- return err; ++ goto cleanup; + + err = krb5_c_checksum_length(context, cksumtype, &cksumsize); + if (err) +- goto error; ++ goto cleanup; + + assert(cksumsize <= 0xffff); + + bufsize = 16 + message2->length + cksumsize; + outbuf = gssalloc_malloc(bufsize); + if (outbuf == NULL) { +- free(plain.data); +- plain.data = 0; + err = ENOMEM; +- goto error; ++ goto cleanup; + } + + /* TOK_ID */ +@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + if (message2->length) + memcpy(outbuf + 16, message2->value, message2->length); + +- sum.contents = outbuf + 16 + message2->length; +- sum.length = cksumsize; +- + err = krb5_k_make_checksum(context, cksumtype, key, + key_usage, &plain, &sum); +- zap(plain.data, plain.length); +- free(plain.data); +- plain.data = 0; + if (err) { + zap(outbuf,bufsize); +- goto error; ++ goto cleanup; + } + if (sum.length != cksumsize) + abort(); + memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize); +- krb5_free_checksum_contents(context, &sum); +- sum.contents = 0; + /* Now that we know we're actually generating the token... */ + ctx->seq_send++; + +@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + + token->value = outbuf; + token->length = bufsize; +- return 0; ++ outbuf = NULL; ++ err = 0; + +-error: ++cleanup: ++ krb5_free_checksum_contents(context, &sum); ++ zapfree(plain.data, plain.length); + gssalloc_free(outbuf); +- token->value = NULL; +- token->length = 0; + return err; + } + +diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c +index 8c7e30c21a..0748af34a7 100644 +--- a/src/lib/rpc/pmap_rmt.c ++++ b/src/lib/rpc/pmap_rmt.c +@@ -160,11 +160,12 @@ xdr_rmtcallres( + caddr_t port_ptr; + + port_ptr = (caddr_t)(void *)crp->port_ptr; +- if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t), +- xdr_u_int32) && xdr_u_int32(xdrs, &crp->resultslen)) { +- crp->port_ptr = (uint32_t *)(void *)port_ptr; ++ if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t), ++ (xdrproc_t)xdr_u_int32)) ++ return (FALSE); ++ crp->port_ptr = (uint32_t *)(void *)port_ptr; ++ if (xdr_u_int32(xdrs, &crp->resultslen)) + return ((*(crp->xdr_results))(xdrs, crp->results_ptr)); +- } + return (FALSE); + } + +-- +2.44.0 + diff --git a/krb5-1.20.1.tar.gz b/krb5-1.20.1.tar.gz deleted file mode 100644 index aad5861..0000000 --- a/krb5-1.20.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851 -size 8661660 diff --git a/krb5-1.20.1.tar.gz.asc b/krb5-1.20.1.tar.gz.asc deleted file mode 100644 index 8f477a9..0000000 --- a/krb5-1.20.1.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmNvED8ACgkQDLoIV1+D -ct9uKw/8C5GS8mdh335lB+bkfjYYCZLD+oQToDAAbdCddrIcuLftvnTfXJ8cMtMc -UT2hsp8u7ZupjJRevdhaH7fFwomc0V8iSES5J2cQHTNd9aK93j/W6NaMoqWLrQWg -jx99oqLn7orvp8N5RufEQcNMNWhFIX4XSfrA3vPfHbbffA2vkjJzOGno4UHi8zUn -6nye7jbrBpiQIeFIJSS3VPsvGrKdRgb9BqGTUsqPIuFvr3Qvo42lKr5X8CWYSXjK -0aKlOpfbWdkteEe2o84/wyMpuGvmYkmOgaMB5xQ3jfEuvPNAWX2CWHNDamiqwBT/ -YxwhZimNa1B9r3P1yDHvpUu8cJaRzw2UDRi2f3Kztrmn2jlqzmoZ31WBALJA7lmL -SrVFdXi7AcWwppMp1kbe9SvurCXID8/Q4n+qAdzSvqrXbeWerVUkdYFvtxQ1bMJR -jnqN11iZFYaoCaaR2lFEhjoMdR80jUa2m6vdF7a7xhH1UvuPHDnzLT9X/TiPvx0R -Itrp5MMIrUQHcZUL9hM5hrg3nxEsGsSCnjB0zWDmgXdLGwd4CvcOF4HPQR3BBlEH -CLtAa27bBXMJTYVvmmKt06hw+U3ALDfUlFrV6ZNLr9ug69l29n7JoChAbZ97Hx1m -twPwJpKd8AiUz+j3KCfgGU21qMbHNP3jEn3q9tkq0qcs/z7RCmU= -=1WIq ------END PGP SIGNATURE----- diff --git a/krb5-1.21.2.tar.gz b/krb5-1.21.2.tar.gz new file mode 100644 index 0000000..b66c0e8 --- /dev/null +++ b/krb5-1.21.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9560941a9d843c0243a71b17a7ac6fe31c7cebb5bce3983db79e52ae7e850491 +size 8622513 diff --git a/krb5-1.21.2.tar.gz.asc b/krb5-1.21.2.tar.gz.asc new file mode 100644 index 0000000..a3d76fd --- /dev/null +++ b/krb5-1.21.2.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmTbET4ACgkQDLoIV1+D +ct8zBQ/+LugwKy9Y9b3lVaLxPM/qxntLi4Bq5C2GVQ+bED7YCvUiL8aIzJbuTVpf +GLWLtVuf6vxKz2V17JKOluVMqRDBZDexHZv9EvVjhanqMpvV32tSa60HF4e7lER+ +3iP/bIjSi2U9ixOcNICNnK2DeFGY601C1KT4cLs3H76pfb1miPItm7p79UNicz1o +V6KgG0J5F4ktYiTonb0TXYdCAvY/3ROEYwmmRpCjtkBCzTdr9tVXU0n6Yc0wsfBD +AXkyqlUhisMWxqGrLZMnkIx3LA83nMHG8nY/doqOYzKuE9a4cBe69+Bl6e9NRY7G +ysD2J1cZ2imCYoalUcxrLfnd3fwPpcrlnuwH5DKJtcJGEUNwydjyWZeMl87pbhb1 +lOggcn8DL6l3vqBpkTBE4IQw3s+B1+BylpjXBsvzxGYHerpffIqsHzHywguiJutT +bkP5ktjZ0QHAZ6PYA6NleGjPbBg/Jeywg1Mjrx+2IdBAYnS0KtTSa72Zqqb8eGmQ +iCVpy9gK7zX7UCLm33M6HVtC9ffJ4vajcShk25u8uKuomTQgK3lGoN0wX55OE+sO +AkMSuFxPNsNheMI53Zjutc4NzEscy09G8VxHwGqcEwD+NF7+2GpPuOq9ot9nH+Jd +xoVYjhqxeb5Uq6lgp0B8sILLqwg1+gEXWdA+rR5Tx+ykv8HESxg= +=aMVp +-----END PGP SIGNATURE----- diff --git a/krb5-mini.changes b/krb5-mini.changes index 9649b28..851675e 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,10 +1,18 @@ ------------------------------------------------------------------- -Tue Aug 8 11:17:33 UTC 2023 - Samuel Cabrero +Thu Feb 29 10:07:57 UTC 2024 - Pedro Monreal -- Ensure array count consistency in kadm5 RPC; (bsc#1214054); - (CVE-2023-36054); -- Added patches: - * 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch +- Add crypto-policies support [bsc#1211301] + * Update krb5.conf in vendor-files.tar.bz2 + +------------------------------------------------------------------- +Tue Oct 3 11:29:23 UTC 2023 - Dominique Leuenberger + +- Add explicit this-is-only-for-build-envs requires to krb5-mini + and krb5-mini-devel: the mini flavors are currently excluded + using special hacks from the FTP Tree. In order to eliminate this + hack, we need to ensure the packages are not viable for real + installations. We achieve this with a dep that is never provided, + but ignored by OBS. ------------------------------------------------------------------- Thu May 4 13:42:23 UTC 2023 - Frederic Crozat diff --git a/krb5-mini.spec b/krb5-mini.spec index 85f4c5a..043f32b 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -1,7 +1,7 @@ # # spec file for package krb5-mini # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,13 +24,13 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: krb5-mini -Version: 1.20.1 +Version: 1.21.2 Release: 0 Summary: MIT Kerberos5 implementation and libraries with minimal dependencies License: MIT URL: https://kerberos.org/dist/ -Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz -Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc +Source0: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz +Source1: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz.asc Source2: krb5.keyring Source3: vendor-files.tar.bz2 Source4: baselibs.conf @@ -44,7 +44,6 @@ Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch Patch6: 0006-krb5-1.12-api.patch Patch7: 0007-SELinux-integration.patch Patch8: 0008-krb5-1.9-debuginfo.patch -Patch9: 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch BuildRequires: autoconf BuildRequires: bison BuildRequires: pkgconfig @@ -52,7 +51,12 @@ BuildRequires: pkgconfig(com_err) BuildRequires: pkgconfig(libselinux) BuildRequires: pkgconfig(libverto) BuildRequires: pkgconfig(ncurses) +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 +BuildRequires: crypto-policies +Requires: crypto-policies +%endif Requires(post): %fillup_prereq +Requires: this-is-only-for-build-envs Conflicts: krb5 Conflicts: krb5-client Conflicts: krb5-mini @@ -77,6 +81,7 @@ Requires: pkgconfig(libverto) Requires: pkgconfig(ss) Conflicts: krb5-devel Provides: krb5-devel = %{version} +Requires: this-is-only-for-build-envs %description devel Kerberos V5 is a trusted-third-party network authentication system, @@ -157,6 +162,11 @@ install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/ install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/ install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/ +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 +# Default include on this directory +ln -sv %{_sysconfdir}/crypto-policies/back-ends/krb5.config %{buildroot}%{_sysconfdir}/krb5.conf.d/crypto-policies +%endif + # all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` do @@ -268,6 +278,9 @@ sed -i "s/%{_lto_cflags}//" %{buildroot}%{_bindir}/krb5-config %doc %{krb5docdir}/README %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf %dir %{_sysconfdir}/krb5.conf.d +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 +%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/crypto-policies +%endif %config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server %{_fillupdir}/sysconfig.* %{_unitdir}/kadmind.service diff --git a/krb5.changes b/krb5.changes index 2f561fc..3c61f2b 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,10 +1,63 @@ ------------------------------------------------------------------- -Tue Aug 8 11:17:33 UTC 2023 - Samuel Cabrero +Mon May 13 14:06:29 UTC 2024 - Andreas Schneider -- Ensure array count consistency in kadm5 RPC; (bsc#1214054); - (CVE-2023-36054); -- Added patches: - * 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch +- Enable the LMDB backend for KDB + +------------------------------------------------------------------- +Thu May 2 11:57:25 UTC 2024 - Thorsten Kukuk + +- Remove requires for not used cron + +------------------------------------------------------------------- +Fri Mar 22 09:19:41 UTC 2024 - Samuel Cabrero + +- Fix memory leaks, add patch 0009-Fix-three-memory-leaks.patch + * CVE-2024-26458, bsc#1220770 + * CVE-2024-26461, bsc#1220771 + * CVE-2024-26462, bsc#1220772 + +------------------------------------------------------------------- +Thu Feb 29 10:07:57 UTC 2024 - Pedro Monreal + +- Add crypto-policies support [bsc#1211301] + * Update krb5.conf in vendor-files.tar.bz2 + +------------------------------------------------------------------- +Wed Dec 20 23:18:05 UTC 2023 - Dirk Müller + +- update to 1.21.2 (bsc#1218211, CVE-2023-39975): + * Fix double-free in KDC TGS processing [CVE-2023-39975]. + +------------------------------------------------------------------- +Sat Jul 15 18:19:32 UTC 2023 - Dirk Müller + +- update to 1.21.1 (CVE-2023-36054): + * Fix potential uninitialized pointer free in kadm5 XDR parsing + [CVE-2023-36054]; (bsc#1214054). + * Added a credential cache type providing compatibility with + the macOS 11 native credential cache. + * libkadm5 will use the provided krb5_context object to read + configuration values, instead of creating its own. + * Added an interface to retrieve the ticket session key + from a GSS context. + * The KDC will no longer issue tickets with RC4 or triple-DES + session keys unless explicitly configured with the new + allow_rc4 or allow_des3 variables respectively. + * The KDC will assume that all services can handle aes256-sha1 + session keys unless the service principal has a + session_enctypes string attribute. + * Support for PAC full KDC checksums has been added to + mitigate an S4U2Proxy privilege escalation attack. + * The PKINIT client will advertise a more modern set + of supported CMS algorithms. + * Removed unused code in libkrb5, libkrb5support, + and the PKINIT module. + * Modernized the KDC code for processing TGS requests, + the code for encrypting and decrypting key data, + the PAC handling code, and the GSS library packet + parsing and composition code. + * Improved the test framework's detection of memory + errors in daemon processes when used with asan. ------------------------------------------------------------------- Thu May 4 13:42:23 UTC 2023 - Frederic Crozat @@ -234,7 +287,7 @@ Mon May 4 09:24:21 UTC 2020 - Samuel Cabrero * Fix a compile error when building with musl libc on Linux. * Fix a compile error when building with gcc 4.x. * Change the KDC constrained delegation precedence order for consistency - with Windows KDCs. + with Windows KDCs. - Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch ------------------------------------------------------------------- diff --git a/krb5.spec b/krb5.spec index a431bfa..9fa1974 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1,7 +1,7 @@ # # spec file for package krb5 # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -21,13 +21,13 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: krb5 -Version: 1.20.1 +Version: 1.21.2 Release: 0 Summary: MIT Kerberos5 implementation License: MIT URL: https://kerberos.org/dist/ -Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz -Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc +Source0: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz +Source1: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz.asc Source2: krb5.keyring Source3: vendor-files.tar.bz2 Source4: baselibs.conf @@ -42,7 +42,7 @@ Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch Patch6: 0006-krb5-1.12-api.patch Patch7: 0007-SELinux-integration.patch Patch8: 0008-krb5-1.9-debuginfo.patch -Patch9: 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch +Patch9: 0009-Fix-three-memory-leaks.patch BuildRequires: autoconf BuildRequires: bison BuildRequires: cyrus-sasl-devel @@ -55,9 +55,14 @@ BuildRequires: pkgconfig(com_err) BuildRequires: pkgconfig(libselinux) BuildRequires: pkgconfig(libssl) BuildRequires: pkgconfig(libverto) +BuildRequires: pkgconfig(lmdb) BuildRequires: pkgconfig(ncurses) BuildRequires: pkgconfig(ss) BuildRequires: pkgconfig(systemd) +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 +BuildRequires: crypto-policies +Requires: crypto-policies +%endif Conflicts: krb5-mini Obsoletes: krb5-plugin-preauth-pkinit-nss @@ -78,7 +83,6 @@ client programs, like kinit, kadmin, ... %package server Summary: Server program of the MIT Kerberos5 implementation -Requires: cron Requires: libverto-libev1 Requires: logrotate Requires: perl-Date-Calc @@ -186,7 +190,8 @@ DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME --with-selinux \ --with-system-et \ --with-system-ss \ - --with-system-verto + --with-system-verto \ + --with-lmdb %make_build @@ -227,6 +232,11 @@ install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/ install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/ install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/ +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 +# Default include on this directory +ln -sv %{_sysconfdir}/crypto-policies/back-ends/krb5.config %{buildroot}%{_sysconfdir}/krb5.conf.d/crypto-policies +%endif + # all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` do @@ -366,6 +376,9 @@ done %doc %{krb5docdir}/README %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf %dir %{_sysconfdir}/krb5.conf.d +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 +%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/crypto-policies +%endif %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* @@ -417,6 +430,7 @@ done %{_sbindir}/sserver %{_sbindir}/uuserver %{_libdir}/krb5/plugins/kdb/db2.so +%{_libdir}/krb5/plugins/kdb/klmdb.so %{_mandir}/man5/kdc.conf.5%{?ext_man} %{_mandir}/man5/kadm5.acl.5%{?ext_man} %{_mandir}/man8/kadmind.8%{?ext_man} diff --git a/vendor-files.tar.bz2 b/vendor-files.tar.bz2 index c9dcba2..b40eaad 100644 --- a/vendor-files.tar.bz2 +++ b/vendor-files.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:3353e03f3789a78e8fcc3f9e6b85c5f343330c385516eb2e32736fa8e7a51013 -size 182614 +oid sha256:d43b6e3c03d7c739ef9effae47c1ad0f1e63577db3472496fc93762a54b9e546 +size 182932