Sync from SUSE:SLFO:Main krb5 revision e6f14fc5d12165e535e29f8ac840fbc5

This commit is contained in:
Adrian Schröter 2024-06-12 22:34:13 +02:00
parent 7ef60b02c2
commit 07bc48df51
11 changed files with 380 additions and 111 deletions

View File

@ -1,67 +0,0 @@
From c93242bd934a1e4b6f21aae08fbbbd1984d1c653 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 21 Jun 2023 10:57:39 -0400
Subject: [PATCH] Ensure array count consistency in kadm5 RPC
In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
key_data array count when decoding. Otherwise when the structure is
later freed, xdr_array() could iterate over the wrong number of
elements, either leaking some memory or freeing uninitialized
pointers. Reported by Robert Morris.
CVE-2023-36054:
An authenticated attacker can cause a kadmind process to crash by
freeing uninitialized pointers. Remote code execution is unlikely.
An attacker with control of a kadmin server can cause a kadmin client
to crash by freeing uninitialized pointers.
(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd)
ticket: 9099
version_fixed: 1.20.2
(cherry picked from commit c81ffb6c8578a9b55c9d0a10342b5bc1bc6ec4df)
---
src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
index 0411c3fd3..287cae750 100644
--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
int v)
{
unsigned int n;
+ bool_t r;
if (!xdr_krb5_principal(xdrs, &objp->principal)) {
return (FALSE);
@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
return (FALSE);
}
+ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
+ return (FALSE);
+ }
if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
return (FALSE);
}
@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
return FALSE;
}
n = objp->n_key_data;
- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
- &n, ~0, sizeof(krb5_key_data),
- xdr_krb5_key_data_nocontents)) {
+ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
+ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
+ objp->n_key_data = n;
+ if (!r) {
return (FALSE);
}
--
2.41.0

View File

@ -0,0 +1,248 @@
From 2aaffa96269b56fe09abf81851c40c9c4a3587f0 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 5 Mar 2024 17:38:49 -0500
Subject: [PATCH 1/2] Fix leak in KDC NDR encoding
If the KDC tries to encode a principal containing encode invalid UTF-8
sequences for inclusion in a PAC delegation info buffer, it will leak
a small amount of memory in enc_wchar_pointer() before failing. Fix
the leak.
ticket: 9115 (new)
tags: pullup
target_version: 1.21-next
(cherry picked from commit 7d0d85bf99caf60c0afd4dcf91b0c4c683b983fe)
---
src/kdc/ndr.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c
index 48395abe52..d438408ee2 100644
--- a/src/kdc/ndr.c
+++ b/src/kdc/ndr.c
@@ -96,14 +96,13 @@ enc_wchar_pointer(const char *utf8, struct encoded_wchars *encoded_out)
size_t utf16len, num_wchars;
uint8_t *utf16;
- k5_buf_init_dynamic(&b);
-
ret = k5_utf8_to_utf16le(utf8, &utf16, &utf16len);
if (ret)
return ret;
num_wchars = utf16len / 2;
+ k5_buf_init_dynamic(&b);
k5_buf_add_uint32_le(&b, num_wchars + 1);
k5_buf_add_uint32_le(&b, 0);
k5_buf_add_uint32_le(&b, num_wchars);
--
2.44.0
From 489deee29f427f22e2a26de729319bdb70819c37 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 5 Mar 2024 19:53:07 -0500
Subject: [PATCH 2/2] Fix two unlikely memory leaks
In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
could probably never be triggered) leaks plain.data. Fix this leak
and use current practices for cleanup throughout the function.
In xmt_rmtcallres() (unused within the tree and likely elsewhere),
store port_ptr into crp->port_ptr as soon as it is allocated;
otherwise it could leak if the subsequent xdr_u_int32() operation
fails.
(cherry picked from commit c5f9c816107f70139de11b38aa02db2f1774ee0d)
---
src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++-------------------
src/lib/rpc/pmap_rmt.c | 9 +++---
2 files changed, 29 insertions(+), 36 deletions(-)
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
index 3b4f8cb837..e881eee835 100644
--- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
int conf_req_flag, int toktype)
{
size_t bufsize = 16;
- unsigned char *outbuf = 0;
+ unsigned char *outbuf = NULL;
krb5_error_code err;
int key_usage;
unsigned char acceptor_flag;
@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
#endif
size_t ec;
unsigned short tok_id;
- krb5_checksum sum;
+ krb5_checksum sum = { 0 };
krb5_key key;
krb5_cksumtype cksumtype;
+ krb5_data plain = empty_data();
+
+ token->value = NULL;
+ token->length = 0;
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
key_usage = (toktype == KG_TOK_WRAP_MSG
@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
#endif
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
- krb5_data plain;
krb5_enc_data cipher;
size_t ec_max;
size_t encrypt_size;
/* 300: Adds some slop. */
- if (SIZE_MAX - 300 < message->length)
- return ENOMEM;
+ if (SIZE_MAX - 300 < message->length) {
+ err = ENOMEM;
+ goto cleanup;
+ }
ec_max = SIZE_MAX - message->length - 300;
if (ec_max > 0xffff)
ec_max = 0xffff;
@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
#endif
err = alloc_data(&plain, message->length + 16 + ec);
if (err)
- return err;
+ goto cleanup;
/* Get size of ciphertext. */
encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
if (encrypt_size > SIZE_MAX / 2) {
err = ENOMEM;
- goto error;
+ goto cleanup;
}
bufsize = 16 + encrypt_size;
/* Allocate space for header plus encrypted data. */
outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
- free(plain.data);
- return ENOMEM;
+ err = ENOMEM;
+ goto cleanup;
}
/* TOK_ID */
@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
cipher.ciphertext.length = bufsize - 16;
cipher.enctype = key->keyblock.enctype;
err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
- zap(plain.data, plain.length);
- free(plain.data);
- plain.data = 0;
if (err)
- goto error;
+ goto cleanup;
/* Now that we know we're returning a valid token.... */
ctx->seq_send++;
@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
/* If the rotate fails, don't worry about it. */
#endif
} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
- krb5_data plain;
size_t cksumsize;
/* Here, message is the application-supplied data; message2 is
@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
wrap_with_checksum:
err = alloc_data(&plain, message->length + 16);
if (err)
- return err;
+ goto cleanup;
err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
if (err)
- goto error;
+ goto cleanup;
assert(cksumsize <= 0xffff);
bufsize = 16 + message2->length + cksumsize;
outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
- free(plain.data);
- plain.data = 0;
err = ENOMEM;
- goto error;
+ goto cleanup;
}
/* TOK_ID */
@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
if (message2->length)
memcpy(outbuf + 16, message2->value, message2->length);
- sum.contents = outbuf + 16 + message2->length;
- sum.length = cksumsize;
-
err = krb5_k_make_checksum(context, cksumtype, key,
key_usage, &plain, &sum);
- zap(plain.data, plain.length);
- free(plain.data);
- plain.data = 0;
if (err) {
zap(outbuf,bufsize);
- goto error;
+ goto cleanup;
}
if (sum.length != cksumsize)
abort();
memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
- krb5_free_checksum_contents(context, &sum);
- sum.contents = 0;
/* Now that we know we're actually generating the token... */
ctx->seq_send++;
@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
token->value = outbuf;
token->length = bufsize;
- return 0;
+ outbuf = NULL;
+ err = 0;
-error:
+cleanup:
+ krb5_free_checksum_contents(context, &sum);
+ zapfree(plain.data, plain.length);
gssalloc_free(outbuf);
- token->value = NULL;
- token->length = 0;
return err;
}
diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
index 8c7e30c21a..0748af34a7 100644
--- a/src/lib/rpc/pmap_rmt.c
+++ b/src/lib/rpc/pmap_rmt.c
@@ -160,11 +160,12 @@ xdr_rmtcallres(
caddr_t port_ptr;
port_ptr = (caddr_t)(void *)crp->port_ptr;
- if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
- xdr_u_int32) && xdr_u_int32(xdrs, &crp->resultslen)) {
- crp->port_ptr = (uint32_t *)(void *)port_ptr;
+ if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
+ (xdrproc_t)xdr_u_int32))
+ return (FALSE);
+ crp->port_ptr = (uint32_t *)(void *)port_ptr;
+ if (xdr_u_int32(xdrs, &crp->resultslen))
return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
- }
return (FALSE);
}
--
2.44.0

BIN
krb5-1.20.1.tar.gz (Stored with Git LFS)

Binary file not shown.

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmNvED8ACgkQDLoIV1+D
ct9uKw/8C5GS8mdh335lB+bkfjYYCZLD+oQToDAAbdCddrIcuLftvnTfXJ8cMtMc
UT2hsp8u7ZupjJRevdhaH7fFwomc0V8iSES5J2cQHTNd9aK93j/W6NaMoqWLrQWg
jx99oqLn7orvp8N5RufEQcNMNWhFIX4XSfrA3vPfHbbffA2vkjJzOGno4UHi8zUn
6nye7jbrBpiQIeFIJSS3VPsvGrKdRgb9BqGTUsqPIuFvr3Qvo42lKr5X8CWYSXjK
0aKlOpfbWdkteEe2o84/wyMpuGvmYkmOgaMB5xQ3jfEuvPNAWX2CWHNDamiqwBT/
YxwhZimNa1B9r3P1yDHvpUu8cJaRzw2UDRi2f3Kztrmn2jlqzmoZ31WBALJA7lmL
SrVFdXi7AcWwppMp1kbe9SvurCXID8/Q4n+qAdzSvqrXbeWerVUkdYFvtxQ1bMJR
jnqN11iZFYaoCaaR2lFEhjoMdR80jUa2m6vdF7a7xhH1UvuPHDnzLT9X/TiPvx0R
Itrp5MMIrUQHcZUL9hM5hrg3nxEsGsSCnjB0zWDmgXdLGwd4CvcOF4HPQR3BBlEH
CLtAa27bBXMJTYVvmmKt06hw+U3ALDfUlFrV6ZNLr9ug69l29n7JoChAbZ97Hx1m
twPwJpKd8AiUz+j3KCfgGU21qMbHNP3jEn3q9tkq0qcs/z7RCmU=
=1WIq
-----END PGP SIGNATURE-----

BIN
krb5-1.21.2.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

16
krb5-1.21.2.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmTbET4ACgkQDLoIV1+D
ct8zBQ/+LugwKy9Y9b3lVaLxPM/qxntLi4Bq5C2GVQ+bED7YCvUiL8aIzJbuTVpf
GLWLtVuf6vxKz2V17JKOluVMqRDBZDexHZv9EvVjhanqMpvV32tSa60HF4e7lER+
3iP/bIjSi2U9ixOcNICNnK2DeFGY601C1KT4cLs3H76pfb1miPItm7p79UNicz1o
V6KgG0J5F4ktYiTonb0TXYdCAvY/3ROEYwmmRpCjtkBCzTdr9tVXU0n6Yc0wsfBD
AXkyqlUhisMWxqGrLZMnkIx3LA83nMHG8nY/doqOYzKuE9a4cBe69+Bl6e9NRY7G
ysD2J1cZ2imCYoalUcxrLfnd3fwPpcrlnuwH5DKJtcJGEUNwydjyWZeMl87pbhb1
lOggcn8DL6l3vqBpkTBE4IQw3s+B1+BylpjXBsvzxGYHerpffIqsHzHywguiJutT
bkP5ktjZ0QHAZ6PYA6NleGjPbBg/Jeywg1Mjrx+2IdBAYnS0KtTSa72Zqqb8eGmQ
iCVpy9gK7zX7UCLm33M6HVtC9ffJ4vajcShk25u8uKuomTQgK3lGoN0wX55OE+sO
AkMSuFxPNsNheMI53Zjutc4NzEscy09G8VxHwGqcEwD+NF7+2GpPuOq9ot9nH+Jd
xoVYjhqxeb5Uq6lgp0B8sILLqwg1+gEXWdA+rR5Tx+ykv8HESxg=
=aMVp
-----END PGP SIGNATURE-----

View File

@ -1,10 +1,18 @@
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Aug 8 11:17:33 UTC 2023 - Samuel Cabrero <scabrero@suse.de> Thu Feb 29 10:07:57 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Ensure array count consistency in kadm5 RPC; (bsc#1214054); - Add crypto-policies support [bsc#1211301]
(CVE-2023-36054); * Update krb5.conf in vendor-files.tar.bz2
- Added patches:
* 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch -------------------------------------------------------------------
Tue Oct 3 11:29:23 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
- Add explicit this-is-only-for-build-envs requires to krb5-mini
and krb5-mini-devel: the mini flavors are currently excluded
using special hacks from the FTP Tree. In order to eliminate this
hack, we need to ensure the packages are not viable for real
installations. We achieve this with a dep that is never provided,
but ignored by OBS.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu May 4 13:42:23 UTC 2023 - Frederic Crozat <fcrozat@suse.com> Thu May 4 13:42:23 UTC 2023 - Frederic Crozat <fcrozat@suse.com>

View File

@ -1,7 +1,7 @@
# #
# spec file for package krb5-mini # spec file for package krb5-mini
# #
# Copyright (c) 2023 SUSE LLC # Copyright (c) 2024 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -24,13 +24,13 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates %define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif %endif
Name: krb5-mini Name: krb5-mini
Version: 1.20.1 Version: 1.21.2
Release: 0 Release: 0
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
License: MIT License: MIT
URL: https://kerberos.org/dist/ URL: https://kerberos.org/dist/
Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz Source0: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz
Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc Source1: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz.asc
Source2: krb5.keyring Source2: krb5.keyring
Source3: vendor-files.tar.bz2 Source3: vendor-files.tar.bz2
Source4: baselibs.conf Source4: baselibs.conf
@ -44,7 +44,6 @@ Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
Patch6: 0006-krb5-1.12-api.patch Patch6: 0006-krb5-1.12-api.patch
Patch7: 0007-SELinux-integration.patch Patch7: 0007-SELinux-integration.patch
Patch8: 0008-krb5-1.9-debuginfo.patch Patch8: 0008-krb5-1.9-debuginfo.patch
Patch9: 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: bison BuildRequires: bison
BuildRequires: pkgconfig BuildRequires: pkgconfig
@ -52,7 +51,12 @@ BuildRequires: pkgconfig(com_err)
BuildRequires: pkgconfig(libselinux) BuildRequires: pkgconfig(libselinux)
BuildRequires: pkgconfig(libverto) BuildRequires: pkgconfig(libverto)
BuildRequires: pkgconfig(ncurses) BuildRequires: pkgconfig(ncurses)
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
BuildRequires: crypto-policies
Requires: crypto-policies
%endif
Requires(post): %fillup_prereq Requires(post): %fillup_prereq
Requires: this-is-only-for-build-envs
Conflicts: krb5 Conflicts: krb5
Conflicts: krb5-client Conflicts: krb5-client
Conflicts: krb5-mini Conflicts: krb5-mini
@ -77,6 +81,7 @@ Requires: pkgconfig(libverto)
Requires: pkgconfig(ss) Requires: pkgconfig(ss)
Conflicts: krb5-devel Conflicts: krb5-devel
Provides: krb5-devel = %{version} Provides: krb5-devel = %{version}
Requires: this-is-only-for-build-envs
%description devel %description devel
Kerberos V5 is a trusted-third-party network authentication system, Kerberos V5 is a trusted-third-party network authentication system,
@ -157,6 +162,11 @@ install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/ install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/ install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
# Default include on this directory
ln -sv %{_sysconfdir}/crypto-policies/back-ends/krb5.config %{buildroot}%{_sysconfdir}/krb5.conf.d/crypto-policies
%endif
# all libs must have permissions 0755 # all libs must have permissions 0755
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
do do
@ -268,6 +278,9 @@ sed -i "s/%{_lto_cflags}//" %{buildroot}%{_bindir}/krb5-config
%doc %{krb5docdir}/README %doc %{krb5docdir}/README
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
%dir %{_sysconfdir}/krb5.conf.d %dir %{_sysconfdir}/krb5.conf.d
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/crypto-policies
%endif
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server %config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
%{_fillupdir}/sysconfig.* %{_fillupdir}/sysconfig.*
%{_unitdir}/kadmind.service %{_unitdir}/kadmind.service

View File

@ -1,10 +1,63 @@
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Aug 8 11:17:33 UTC 2023 - Samuel Cabrero <scabrero@suse.de> Mon May 13 14:06:29 UTC 2024 - Andreas Schneider <asn@cryptomilk.org>
- Ensure array count consistency in kadm5 RPC; (bsc#1214054); - Enable the LMDB backend for KDB
(CVE-2023-36054);
- Added patches: -------------------------------------------------------------------
* 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch Thu May 2 11:57:25 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
- Remove requires for not used cron
-------------------------------------------------------------------
Fri Mar 22 09:19:41 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
- Fix memory leaks, add patch 0009-Fix-three-memory-leaks.patch
* CVE-2024-26458, bsc#1220770
* CVE-2024-26461, bsc#1220771
* CVE-2024-26462, bsc#1220772
-------------------------------------------------------------------
Thu Feb 29 10:07:57 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Add crypto-policies support [bsc#1211301]
* Update krb5.conf in vendor-files.tar.bz2
-------------------------------------------------------------------
Wed Dec 20 23:18:05 UTC 2023 - Dirk Müller <dmueller@suse.com>
- update to 1.21.2 (bsc#1218211, CVE-2023-39975):
* Fix double-free in KDC TGS processing [CVE-2023-39975].
-------------------------------------------------------------------
Sat Jul 15 18:19:32 UTC 2023 - Dirk Müller <dmueller@suse.com>
- update to 1.21.1 (CVE-2023-36054):
* Fix potential uninitialized pointer free in kadm5 XDR parsing
[CVE-2023-36054]; (bsc#1214054).
* Added a credential cache type providing compatibility with
the macOS 11 native credential cache.
* libkadm5 will use the provided krb5_context object to read
configuration values, instead of creating its own.
* Added an interface to retrieve the ticket session key
from a GSS context.
* The KDC will no longer issue tickets with RC4 or triple-DES
session keys unless explicitly configured with the new
allow_rc4 or allow_des3 variables respectively.
* The KDC will assume that all services can handle aes256-sha1
session keys unless the service principal has a
session_enctypes string attribute.
* Support for PAC full KDC checksums has been added to
mitigate an S4U2Proxy privilege escalation attack.
* The PKINIT client will advertise a more modern set
of supported CMS algorithms.
* Removed unused code in libkrb5, libkrb5support,
and the PKINIT module.
* Modernized the KDC code for processing TGS requests,
the code for encrypting and decrypting key data,
the PAC handling code, and the GSS library packet
parsing and composition code.
* Improved the test framework's detection of memory
errors in daemon processes when used with asan.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu May 4 13:42:23 UTC 2023 - Frederic Crozat <fcrozat@suse.com> Thu May 4 13:42:23 UTC 2023 - Frederic Crozat <fcrozat@suse.com>

View File

@ -1,7 +1,7 @@
# #
# spec file for package krb5 # spec file for package krb5
# #
# Copyright (c) 2023 SUSE LLC # Copyright (c) 2024 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -21,13 +21,13 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates %define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif %endif
Name: krb5 Name: krb5
Version: 1.20.1 Version: 1.21.2
Release: 0 Release: 0
Summary: MIT Kerberos5 implementation Summary: MIT Kerberos5 implementation
License: MIT License: MIT
URL: https://kerberos.org/dist/ URL: https://kerberos.org/dist/
Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz Source0: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz
Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc Source1: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz.asc
Source2: krb5.keyring Source2: krb5.keyring
Source3: vendor-files.tar.bz2 Source3: vendor-files.tar.bz2
Source4: baselibs.conf Source4: baselibs.conf
@ -42,7 +42,7 @@ Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
Patch6: 0006-krb5-1.12-api.patch Patch6: 0006-krb5-1.12-api.patch
Patch7: 0007-SELinux-integration.patch Patch7: 0007-SELinux-integration.patch
Patch8: 0008-krb5-1.9-debuginfo.patch Patch8: 0008-krb5-1.9-debuginfo.patch
Patch9: 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch Patch9: 0009-Fix-three-memory-leaks.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: bison BuildRequires: bison
BuildRequires: cyrus-sasl-devel BuildRequires: cyrus-sasl-devel
@ -55,9 +55,14 @@ BuildRequires: pkgconfig(com_err)
BuildRequires: pkgconfig(libselinux) BuildRequires: pkgconfig(libselinux)
BuildRequires: pkgconfig(libssl) BuildRequires: pkgconfig(libssl)
BuildRequires: pkgconfig(libverto) BuildRequires: pkgconfig(libverto)
BuildRequires: pkgconfig(lmdb)
BuildRequires: pkgconfig(ncurses) BuildRequires: pkgconfig(ncurses)
BuildRequires: pkgconfig(ss) BuildRequires: pkgconfig(ss)
BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(systemd)
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
BuildRequires: crypto-policies
Requires: crypto-policies
%endif
Conflicts: krb5-mini Conflicts: krb5-mini
Obsoletes: krb5-plugin-preauth-pkinit-nss Obsoletes: krb5-plugin-preauth-pkinit-nss
@ -78,7 +83,6 @@ client programs, like kinit, kadmin, ...
%package server %package server
Summary: Server program of the MIT Kerberos5 implementation Summary: Server program of the MIT Kerberos5 implementation
Requires: cron
Requires: libverto-libev1 Requires: libverto-libev1
Requires: logrotate Requires: logrotate
Requires: perl-Date-Calc Requires: perl-Date-Calc
@ -186,7 +190,8 @@ DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
--with-selinux \ --with-selinux \
--with-system-et \ --with-system-et \
--with-system-ss \ --with-system-ss \
--with-system-verto --with-system-verto \
--with-lmdb
%make_build %make_build
@ -227,6 +232,11 @@ install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/ install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/ install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
# Default include on this directory
ln -sv %{_sysconfdir}/crypto-policies/back-ends/krb5.config %{buildroot}%{_sysconfdir}/krb5.conf.d/crypto-policies
%endif
# all libs must have permissions 0755 # all libs must have permissions 0755
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
do do
@ -366,6 +376,9 @@ done
%doc %{krb5docdir}/README %doc %{krb5docdir}/README
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
%dir %{_sysconfdir}/krb5.conf.d %dir %{_sysconfdir}/krb5.conf.d
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/crypto-policies
%endif
%{_libdir}/libgssapi_krb5.* %{_libdir}/libgssapi_krb5.*
%{_libdir}/libgssrpc.so.* %{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.* %{_libdir}/libk5crypto.so.*
@ -417,6 +430,7 @@ done
%{_sbindir}/sserver %{_sbindir}/sserver
%{_sbindir}/uuserver %{_sbindir}/uuserver
%{_libdir}/krb5/plugins/kdb/db2.so %{_libdir}/krb5/plugins/kdb/db2.so
%{_libdir}/krb5/plugins/kdb/klmdb.so
%{_mandir}/man5/kdc.conf.5%{?ext_man} %{_mandir}/man5/kdc.conf.5%{?ext_man}
%{_mandir}/man5/kadm5.acl.5%{?ext_man} %{_mandir}/man5/kadm5.acl.5%{?ext_man}
%{_mandir}/man8/kadmind.8%{?ext_man} %{_mandir}/man8/kadmind.8%{?ext_man}

BIN
vendor-files.tar.bz2 (Stored with Git LFS)

Binary file not shown.