Sync from SUSE:SLFO:Main krb5 revision e6f14fc5d12165e535e29f8ac840fbc5
This commit is contained in:
parent
7ef60b02c2
commit
07bc48df51
@ -1,67 +0,0 @@
|
|||||||
From c93242bd934a1e4b6f21aae08fbbbd1984d1c653 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
|
||||||
Date: Wed, 21 Jun 2023 10:57:39 -0400
|
|
||||||
Subject: [PATCH] Ensure array count consistency in kadm5 RPC
|
|
||||||
|
|
||||||
In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
|
|
||||||
key_data array count when decoding. Otherwise when the structure is
|
|
||||||
later freed, xdr_array() could iterate over the wrong number of
|
|
||||||
elements, either leaking some memory or freeing uninitialized
|
|
||||||
pointers. Reported by Robert Morris.
|
|
||||||
|
|
||||||
CVE-2023-36054:
|
|
||||||
|
|
||||||
An authenticated attacker can cause a kadmind process to crash by
|
|
||||||
freeing uninitialized pointers. Remote code execution is unlikely.
|
|
||||||
An attacker with control of a kadmin server can cause a kadmin client
|
|
||||||
to crash by freeing uninitialized pointers.
|
|
||||||
|
|
||||||
(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd)
|
|
||||||
|
|
||||||
ticket: 9099
|
|
||||||
version_fixed: 1.20.2
|
|
||||||
|
|
||||||
(cherry picked from commit c81ffb6c8578a9b55c9d0a10342b5bc1bc6ec4df)
|
|
||||||
---
|
|
||||||
src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
|
|
||||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
|
|
||||||
index 0411c3fd3..287cae750 100644
|
|
||||||
--- a/src/lib/kadm5/kadm_rpc_xdr.c
|
|
||||||
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
|
|
||||||
@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
|
|
||||||
int v)
|
|
||||||
{
|
|
||||||
unsigned int n;
|
|
||||||
+ bool_t r;
|
|
||||||
|
|
||||||
if (!xdr_krb5_principal(xdrs, &objp->principal)) {
|
|
||||||
return (FALSE);
|
|
||||||
@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
|
|
||||||
if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
|
|
||||||
return (FALSE);
|
|
||||||
}
|
|
||||||
+ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
|
|
||||||
+ return (FALSE);
|
|
||||||
+ }
|
|
||||||
if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
|
|
||||||
return (FALSE);
|
|
||||||
}
|
|
||||||
@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
|
|
||||||
return FALSE;
|
|
||||||
}
|
|
||||||
n = objp->n_key_data;
|
|
||||||
- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
|
|
||||||
- &n, ~0, sizeof(krb5_key_data),
|
|
||||||
- xdr_krb5_key_data_nocontents)) {
|
|
||||||
+ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
|
|
||||||
+ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
|
|
||||||
+ objp->n_key_data = n;
|
|
||||||
+ if (!r) {
|
|
||||||
return (FALSE);
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
248
0009-Fix-three-memory-leaks.patch
Normal file
248
0009-Fix-three-memory-leaks.patch
Normal file
@ -0,0 +1,248 @@
|
|||||||
|
From 2aaffa96269b56fe09abf81851c40c9c4a3587f0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
|
Date: Tue, 5 Mar 2024 17:38:49 -0500
|
||||||
|
Subject: [PATCH 1/2] Fix leak in KDC NDR encoding
|
||||||
|
|
||||||
|
If the KDC tries to encode a principal containing encode invalid UTF-8
|
||||||
|
sequences for inclusion in a PAC delegation info buffer, it will leak
|
||||||
|
a small amount of memory in enc_wchar_pointer() before failing. Fix
|
||||||
|
the leak.
|
||||||
|
|
||||||
|
ticket: 9115 (new)
|
||||||
|
tags: pullup
|
||||||
|
target_version: 1.21-next
|
||||||
|
|
||||||
|
(cherry picked from commit 7d0d85bf99caf60c0afd4dcf91b0c4c683b983fe)
|
||||||
|
---
|
||||||
|
src/kdc/ndr.c | 3 +--
|
||||||
|
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c
|
||||||
|
index 48395abe52..d438408ee2 100644
|
||||||
|
--- a/src/kdc/ndr.c
|
||||||
|
+++ b/src/kdc/ndr.c
|
||||||
|
@@ -96,14 +96,13 @@ enc_wchar_pointer(const char *utf8, struct encoded_wchars *encoded_out)
|
||||||
|
size_t utf16len, num_wchars;
|
||||||
|
uint8_t *utf16;
|
||||||
|
|
||||||
|
- k5_buf_init_dynamic(&b);
|
||||||
|
-
|
||||||
|
ret = k5_utf8_to_utf16le(utf8, &utf16, &utf16len);
|
||||||
|
if (ret)
|
||||||
|
return ret;
|
||||||
|
|
||||||
|
num_wchars = utf16len / 2;
|
||||||
|
|
||||||
|
+ k5_buf_init_dynamic(&b);
|
||||||
|
k5_buf_add_uint32_le(&b, num_wchars + 1);
|
||||||
|
k5_buf_add_uint32_le(&b, 0);
|
||||||
|
k5_buf_add_uint32_le(&b, num_wchars);
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
||||||
|
|
||||||
|
From 489deee29f427f22e2a26de729319bdb70819c37 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
|
Date: Tue, 5 Mar 2024 19:53:07 -0500
|
||||||
|
Subject: [PATCH 2/2] Fix two unlikely memory leaks
|
||||||
|
|
||||||
|
In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
|
||||||
|
could probably never be triggered) leaks plain.data. Fix this leak
|
||||||
|
and use current practices for cleanup throughout the function.
|
||||||
|
|
||||||
|
In xmt_rmtcallres() (unused within the tree and likely elsewhere),
|
||||||
|
store port_ptr into crp->port_ptr as soon as it is allocated;
|
||||||
|
otherwise it could leak if the subsequent xdr_u_int32() operation
|
||||||
|
fails.
|
||||||
|
|
||||||
|
(cherry picked from commit c5f9c816107f70139de11b38aa02db2f1774ee0d)
|
||||||
|
---
|
||||||
|
src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++-------------------
|
||||||
|
src/lib/rpc/pmap_rmt.c | 9 +++---
|
||||||
|
2 files changed, 29 insertions(+), 36 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
|
||||||
|
index 3b4f8cb837..e881eee835 100644
|
||||||
|
--- a/src/lib/gssapi/krb5/k5sealv3.c
|
||||||
|
+++ b/src/lib/gssapi/krb5/k5sealv3.c
|
||||||
|
@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
int conf_req_flag, int toktype)
|
||||||
|
{
|
||||||
|
size_t bufsize = 16;
|
||||||
|
- unsigned char *outbuf = 0;
|
||||||
|
+ unsigned char *outbuf = NULL;
|
||||||
|
krb5_error_code err;
|
||||||
|
int key_usage;
|
||||||
|
unsigned char acceptor_flag;
|
||||||
|
@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
#endif
|
||||||
|
size_t ec;
|
||||||
|
unsigned short tok_id;
|
||||||
|
- krb5_checksum sum;
|
||||||
|
+ krb5_checksum sum = { 0 };
|
||||||
|
krb5_key key;
|
||||||
|
krb5_cksumtype cksumtype;
|
||||||
|
+ krb5_data plain = empty_data();
|
||||||
|
+
|
||||||
|
+ token->value = NULL;
|
||||||
|
+ token->length = 0;
|
||||||
|
|
||||||
|
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
|
||||||
|
key_usage = (toktype == KG_TOK_WRAP_MSG
|
||||||
|
@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
|
||||||
|
- krb5_data plain;
|
||||||
|
krb5_enc_data cipher;
|
||||||
|
size_t ec_max;
|
||||||
|
size_t encrypt_size;
|
||||||
|
|
||||||
|
/* 300: Adds some slop. */
|
||||||
|
- if (SIZE_MAX - 300 < message->length)
|
||||||
|
- return ENOMEM;
|
||||||
|
+ if (SIZE_MAX - 300 < message->length) {
|
||||||
|
+ err = ENOMEM;
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
ec_max = SIZE_MAX - message->length - 300;
|
||||||
|
if (ec_max > 0xffff)
|
||||||
|
ec_max = 0xffff;
|
||||||
|
@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
#endif
|
||||||
|
err = alloc_data(&plain, message->length + 16 + ec);
|
||||||
|
if (err)
|
||||||
|
- return err;
|
||||||
|
+ goto cleanup;
|
||||||
|
|
||||||
|
/* Get size of ciphertext. */
|
||||||
|
encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
|
||||||
|
if (encrypt_size > SIZE_MAX / 2) {
|
||||||
|
err = ENOMEM;
|
||||||
|
- goto error;
|
||||||
|
+ goto cleanup;
|
||||||
|
}
|
||||||
|
bufsize = 16 + encrypt_size;
|
||||||
|
/* Allocate space for header plus encrypted data. */
|
||||||
|
outbuf = gssalloc_malloc(bufsize);
|
||||||
|
if (outbuf == NULL) {
|
||||||
|
- free(plain.data);
|
||||||
|
- return ENOMEM;
|
||||||
|
+ err = ENOMEM;
|
||||||
|
+ goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* TOK_ID */
|
||||||
|
@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
cipher.ciphertext.length = bufsize - 16;
|
||||||
|
cipher.enctype = key->keyblock.enctype;
|
||||||
|
err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
|
||||||
|
- zap(plain.data, plain.length);
|
||||||
|
- free(plain.data);
|
||||||
|
- plain.data = 0;
|
||||||
|
if (err)
|
||||||
|
- goto error;
|
||||||
|
+ goto cleanup;
|
||||||
|
|
||||||
|
/* Now that we know we're returning a valid token.... */
|
||||||
|
ctx->seq_send++;
|
||||||
|
@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
/* If the rotate fails, don't worry about it. */
|
||||||
|
#endif
|
||||||
|
} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
|
||||||
|
- krb5_data plain;
|
||||||
|
size_t cksumsize;
|
||||||
|
|
||||||
|
/* Here, message is the application-supplied data; message2 is
|
||||||
|
@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
wrap_with_checksum:
|
||||||
|
err = alloc_data(&plain, message->length + 16);
|
||||||
|
if (err)
|
||||||
|
- return err;
|
||||||
|
+ goto cleanup;
|
||||||
|
|
||||||
|
err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
|
||||||
|
if (err)
|
||||||
|
- goto error;
|
||||||
|
+ goto cleanup;
|
||||||
|
|
||||||
|
assert(cksumsize <= 0xffff);
|
||||||
|
|
||||||
|
bufsize = 16 + message2->length + cksumsize;
|
||||||
|
outbuf = gssalloc_malloc(bufsize);
|
||||||
|
if (outbuf == NULL) {
|
||||||
|
- free(plain.data);
|
||||||
|
- plain.data = 0;
|
||||||
|
err = ENOMEM;
|
||||||
|
- goto error;
|
||||||
|
+ goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* TOK_ID */
|
||||||
|
@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
if (message2->length)
|
||||||
|
memcpy(outbuf + 16, message2->value, message2->length);
|
||||||
|
|
||||||
|
- sum.contents = outbuf + 16 + message2->length;
|
||||||
|
- sum.length = cksumsize;
|
||||||
|
-
|
||||||
|
err = krb5_k_make_checksum(context, cksumtype, key,
|
||||||
|
key_usage, &plain, &sum);
|
||||||
|
- zap(plain.data, plain.length);
|
||||||
|
- free(plain.data);
|
||||||
|
- plain.data = 0;
|
||||||
|
if (err) {
|
||||||
|
zap(outbuf,bufsize);
|
||||||
|
- goto error;
|
||||||
|
+ goto cleanup;
|
||||||
|
}
|
||||||
|
if (sum.length != cksumsize)
|
||||||
|
abort();
|
||||||
|
memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
|
||||||
|
- krb5_free_checksum_contents(context, &sum);
|
||||||
|
- sum.contents = 0;
|
||||||
|
/* Now that we know we're actually generating the token... */
|
||||||
|
ctx->seq_send++;
|
||||||
|
|
||||||
|
@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
|
||||||
|
token->value = outbuf;
|
||||||
|
token->length = bufsize;
|
||||||
|
- return 0;
|
||||||
|
+ outbuf = NULL;
|
||||||
|
+ err = 0;
|
||||||
|
|
||||||
|
-error:
|
||||||
|
+cleanup:
|
||||||
|
+ krb5_free_checksum_contents(context, &sum);
|
||||||
|
+ zapfree(plain.data, plain.length);
|
||||||
|
gssalloc_free(outbuf);
|
||||||
|
- token->value = NULL;
|
||||||
|
- token->length = 0;
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
|
||||||
|
index 8c7e30c21a..0748af34a7 100644
|
||||||
|
--- a/src/lib/rpc/pmap_rmt.c
|
||||||
|
+++ b/src/lib/rpc/pmap_rmt.c
|
||||||
|
@@ -160,11 +160,12 @@ xdr_rmtcallres(
|
||||||
|
caddr_t port_ptr;
|
||||||
|
|
||||||
|
port_ptr = (caddr_t)(void *)crp->port_ptr;
|
||||||
|
- if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
|
||||||
|
- xdr_u_int32) && xdr_u_int32(xdrs, &crp->resultslen)) {
|
||||||
|
- crp->port_ptr = (uint32_t *)(void *)port_ptr;
|
||||||
|
+ if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
|
||||||
|
+ (xdrproc_t)xdr_u_int32))
|
||||||
|
+ return (FALSE);
|
||||||
|
+ crp->port_ptr = (uint32_t *)(void *)port_ptr;
|
||||||
|
+ if (xdr_u_int32(xdrs, &crp->resultslen))
|
||||||
|
return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
|
||||||
|
- }
|
||||||
|
return (FALSE);
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
BIN
krb5-1.20.1.tar.gz
(Stored with Git LFS)
BIN
krb5-1.20.1.tar.gz
(Stored with Git LFS)
Binary file not shown.
@ -1,16 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmNvED8ACgkQDLoIV1+D
|
|
||||||
ct9uKw/8C5GS8mdh335lB+bkfjYYCZLD+oQToDAAbdCddrIcuLftvnTfXJ8cMtMc
|
|
||||||
UT2hsp8u7ZupjJRevdhaH7fFwomc0V8iSES5J2cQHTNd9aK93j/W6NaMoqWLrQWg
|
|
||||||
jx99oqLn7orvp8N5RufEQcNMNWhFIX4XSfrA3vPfHbbffA2vkjJzOGno4UHi8zUn
|
|
||||||
6nye7jbrBpiQIeFIJSS3VPsvGrKdRgb9BqGTUsqPIuFvr3Qvo42lKr5X8CWYSXjK
|
|
||||||
0aKlOpfbWdkteEe2o84/wyMpuGvmYkmOgaMB5xQ3jfEuvPNAWX2CWHNDamiqwBT/
|
|
||||||
YxwhZimNa1B9r3P1yDHvpUu8cJaRzw2UDRi2f3Kztrmn2jlqzmoZ31WBALJA7lmL
|
|
||||||
SrVFdXi7AcWwppMp1kbe9SvurCXID8/Q4n+qAdzSvqrXbeWerVUkdYFvtxQ1bMJR
|
|
||||||
jnqN11iZFYaoCaaR2lFEhjoMdR80jUa2m6vdF7a7xhH1UvuPHDnzLT9X/TiPvx0R
|
|
||||||
Itrp5MMIrUQHcZUL9hM5hrg3nxEsGsSCnjB0zWDmgXdLGwd4CvcOF4HPQR3BBlEH
|
|
||||||
CLtAa27bBXMJTYVvmmKt06hw+U3ALDfUlFrV6ZNLr9ug69l29n7JoChAbZ97Hx1m
|
|
||||||
twPwJpKd8AiUz+j3KCfgGU21qMbHNP3jEn3q9tkq0qcs/z7RCmU=
|
|
||||||
=1WIq
|
|
||||||
-----END PGP SIGNATURE-----
|
|
BIN
krb5-1.21.2.tar.gz
(Stored with Git LFS)
Normal file
BIN
krb5-1.21.2.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
16
krb5-1.21.2.tar.gz.asc
Normal file
16
krb5-1.21.2.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmTbET4ACgkQDLoIV1+D
|
||||||
|
ct8zBQ/+LugwKy9Y9b3lVaLxPM/qxntLi4Bq5C2GVQ+bED7YCvUiL8aIzJbuTVpf
|
||||||
|
GLWLtVuf6vxKz2V17JKOluVMqRDBZDexHZv9EvVjhanqMpvV32tSa60HF4e7lER+
|
||||||
|
3iP/bIjSi2U9ixOcNICNnK2DeFGY601C1KT4cLs3H76pfb1miPItm7p79UNicz1o
|
||||||
|
V6KgG0J5F4ktYiTonb0TXYdCAvY/3ROEYwmmRpCjtkBCzTdr9tVXU0n6Yc0wsfBD
|
||||||
|
AXkyqlUhisMWxqGrLZMnkIx3LA83nMHG8nY/doqOYzKuE9a4cBe69+Bl6e9NRY7G
|
||||||
|
ysD2J1cZ2imCYoalUcxrLfnd3fwPpcrlnuwH5DKJtcJGEUNwydjyWZeMl87pbhb1
|
||||||
|
lOggcn8DL6l3vqBpkTBE4IQw3s+B1+BylpjXBsvzxGYHerpffIqsHzHywguiJutT
|
||||||
|
bkP5ktjZ0QHAZ6PYA6NleGjPbBg/Jeywg1Mjrx+2IdBAYnS0KtTSa72Zqqb8eGmQ
|
||||||
|
iCVpy9gK7zX7UCLm33M6HVtC9ffJ4vajcShk25u8uKuomTQgK3lGoN0wX55OE+sO
|
||||||
|
AkMSuFxPNsNheMI53Zjutc4NzEscy09G8VxHwGqcEwD+NF7+2GpPuOq9ot9nH+Jd
|
||||||
|
xoVYjhqxeb5Uq6lgp0B8sILLqwg1+gEXWdA+rR5Tx+ykv8HESxg=
|
||||||
|
=aMVp
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,10 +1,18 @@
|
|||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Aug 8 11:17:33 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
|
Thu Feb 29 10:07:57 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
- Ensure array count consistency in kadm5 RPC; (bsc#1214054);
|
- Add crypto-policies support [bsc#1211301]
|
||||||
(CVE-2023-36054);
|
* Update krb5.conf in vendor-files.tar.bz2
|
||||||
- Added patches:
|
|
||||||
* 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
|
-------------------------------------------------------------------
|
||||||
|
Tue Oct 3 11:29:23 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
|
||||||
|
|
||||||
|
- Add explicit this-is-only-for-build-envs requires to krb5-mini
|
||||||
|
and krb5-mini-devel: the mini flavors are currently excluded
|
||||||
|
using special hacks from the FTP Tree. In order to eliminate this
|
||||||
|
hack, we need to ensure the packages are not viable for real
|
||||||
|
installations. We achieve this with a dep that is never provided,
|
||||||
|
but ignored by OBS.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu May 4 13:42:23 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
|
Thu May 4 13:42:23 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
|
||||||
|
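--- a/krb5-mini.spec
+++ b/krb5-mini.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package krb5-mini
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,13 +24,13 @@
 %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name: krb5-mini
-Version: 1.20.1
+Version: 1.21.2
 Release: 0
 Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
 License: MIT
 URL: https://kerberos.org/dist/
-Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz
-Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc
+Source0: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz
+Source1: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz.asc
 Source2: krb5.keyring
 Source3: vendor-files.tar.bz2
 Source4: baselibs.conf
@@ -44,7 +44,6 @@ Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
 Patch6: 0006-krb5-1.12-api.patch
 Patch7: 0007-SELinux-integration.patch
 Patch8: 0008-krb5-1.9-debuginfo.patch
-Patch9: 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
 BuildRequires: autoconf
 BuildRequires: bison
 BuildRequires: pkgconfig
@@ -52,7 +51,12 @@ BuildRequires: pkgconfig(com_err)
 BuildRequires: pkgconfig(libselinux)
 BuildRequires: pkgconfig(libverto)
 BuildRequires: pkgconfig(ncurses)
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+BuildRequires: crypto-policies
+Requires: crypto-policies
+%endif
 Requires(post): %fillup_prereq
+Requires: this-is-only-for-build-envs
 Conflicts: krb5
 Conflicts: krb5-client
 Conflicts: krb5-mini
@@ -77,6 +81,7 @@ Requires: pkgconfig(libverto)
 Requires: pkgconfig(ss)
 Conflicts: krb5-devel
 Provides: krb5-devel = %{version}
+Requires: this-is-only-for-build-envs
 
 %description devel
 Kerberos V5 is a trusted-third-party network authentication system,
@@ -157,6 +162,11 @@ install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
 install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
 install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
 
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+# Default include on this directory
+ln -sv %{_sysconfdir}/crypto-policies/back-ends/krb5.config %{buildroot}%{_sysconfdir}/krb5.conf.d/crypto-policies
+%endif
+
 # all libs must have permissions 0755
 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
 do
@@ -268,6 +278,9 @@ sed -i "s/%{_lto_cflags}//" %{buildroot}%{_bindir}/krb5-config
 %doc %{krb5docdir}/README
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
 %dir %{_sysconfdir}/krb5.conf.d
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/crypto-policies
+%endif
 %config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
 %{_fillupdir}/sysconfig.*
 %{_unitdir}/kadmind.service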
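Review bot: The `Patch9:` line is deleted outright instead of being switched to the new patch, so krb5-mini builds 1.21.2 without 0009-Fix-three-memory-leaks.patch, while krb5.spec in this same commit applies it as `Patch9: 0009-Fix-three-memory-leaks.patch` for CVE-2024-26458, CVE-2024-26461 and CVE-2024-26462. The fixes touch libgssapi_krb5, libgssrpc and the KDC, which the mini flavour builds from the same tarball, so the added `Requires: this-is-only-for-build-envs` guard narrows the exposure but does not remove it. Unless leaving the mini flavour unpatched is deliberate, keep the line as `Patch9: 0009-Fix-three-memory-leaks.patch`. If %prep (outside this hunk) still references `%patch9` explicitly the removal would also break the build, whereas with `%autosetup` the omission is silent, which is the worse failure mode. krb5-mini.changes in this commit records neither the 1.21.2 update nor this patch, so the changelog should be brought in line with whichever way this is resolved.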
63
krb5.changes
63
krb5.changes
@ -1,10 +1,63 @@
|
|||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Aug 8 11:17:33 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
|
Mon May 13 14:06:29 UTC 2024 - Andreas Schneider <asn@cryptomilk.org>
|
||||||
|
|
||||||
- Ensure array count consistency in kadm5 RPC; (bsc#1214054);
|
- Enable the LMDB backend for KDB
|
||||||
(CVE-2023-36054);
|
|
||||||
- Added patches:
|
-------------------------------------------------------------------
|
||||||
* 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
|
Thu May 2 11:57:25 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
|
||||||
|
|
||||||
|
- Remove requires for not used cron
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Mar 22 09:19:41 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
|
||||||
|
|
||||||
|
- Fix memory leaks, add patch 0009-Fix-three-memory-leaks.patch
|
||||||
|
* CVE-2024-26458, bsc#1220770
|
||||||
|
* CVE-2024-26461, bsc#1220771
|
||||||
|
* CVE-2024-26462, bsc#1220772
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Feb 29 10:07:57 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
|
- Add crypto-policies support [bsc#1211301]
|
||||||
|
* Update krb5.conf in vendor-files.tar.bz2
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Dec 20 23:18:05 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
||||||
|
|
||||||
|
- update to 1.21.2 (bsc#1218211, CVE-2023-39975):
|
||||||
|
* Fix double-free in KDC TGS processing [CVE-2023-39975].
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Sat Jul 15 18:19:32 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
||||||
|
|
||||||
|
- update to 1.21.1 (CVE-2023-36054):
|
||||||
|
* Fix potential uninitialized pointer free in kadm5 XDR parsing
|
||||||
|
[CVE-2023-36054]; (bsc#1214054).
|
||||||
|
* Added a credential cache type providing compatibility with
|
||||||
|
the macOS 11 native credential cache.
|
||||||
|
* libkadm5 will use the provided krb5_context object to read
|
||||||
|
configuration values, instead of creating its own.
|
||||||
|
* Added an interface to retrieve the ticket session key
|
||||||
|
from a GSS context.
|
||||||
|
* The KDC will no longer issue tickets with RC4 or triple-DES
|
||||||
|
session keys unless explicitly configured with the new
|
||||||
|
allow_rc4 or allow_des3 variables respectively.
|
||||||
|
* The KDC will assume that all services can handle aes256-sha1
|
||||||
|
session keys unless the service principal has a
|
||||||
|
session_enctypes string attribute.
|
||||||
|
* Support for PAC full KDC checksums has been added to
|
||||||
|
mitigate an S4U2Proxy privilege escalation attack.
|
||||||
|
* The PKINIT client will advertise a more modern set
|
||||||
|
of supported CMS algorithms.
|
||||||
|
* Removed unused code in libkrb5, libkrb5support,
|
||||||
|
and the PKINIT module.
|
||||||
|
* Modernized the KDC code for processing TGS requests,
|
||||||
|
the code for encrypting and decrypting key data,
|
||||||
|
the PAC handling code, and the GSS library packet
|
||||||
|
parsing and composition code.
|
||||||
|
* Improved the test framework's detection of memory
|
||||||
|
errors in daemon processes when used with asan.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu May 4 13:42:23 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
|
Thu May 4 13:42:23 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
|
||||||
|
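--- a/krb5.spec
+++ b/krb5.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package krb5
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,13 +21,13 @@
 %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name: krb5
-Version: 1.20.1
+Version: 1.21.2
 Release: 0
 Summary: MIT Kerberos5 implementation
 License: MIT
 URL: https://kerberos.org/dist/
-Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz
-Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc
+Source0: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz
+Source1: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz.asc
 Source2: krb5.keyring
 Source3: vendor-files.tar.bz2
 Source4: baselibs.conf
@@ -42,7 +42,7 @@ Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
 Patch6: 0006-krb5-1.12-api.patch
 Patch7: 0007-SELinux-integration.patch
 Patch8: 0008-krb5-1.9-debuginfo.patch
-Patch9: 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
+Patch9: 0009-Fix-three-memory-leaks.patch
 BuildRequires: autoconf
 BuildRequires: bison
 BuildRequires: cyrus-sasl-devel
@@ -55,9 +55,14 @@ BuildRequires: pkgconfig(com_err)
 BuildRequires: pkgconfig(libselinux)
 BuildRequires: pkgconfig(libssl)
 BuildRequires: pkgconfig(libverto)
+BuildRequires: pkgconfig(lmdb)
 BuildRequires: pkgconfig(ncurses)
 BuildRequires: pkgconfig(ss)
 BuildRequires: pkgconfig(systemd)
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+BuildRequires: crypto-policies
+Requires: crypto-policies
+%endif
 Conflicts: krb5-mini
 Obsoletes: krb5-plugin-preauth-pkinit-nss
 
@@ -78,7 +83,6 @@ client programs, like kinit, kadmin, ...
 
 %package server
 Summary: Server program of the MIT Kerberos5 implementation
-Requires: cron
 Requires: libverto-libev1
 Requires: logrotate
 Requires: perl-Date-Calc
@@ -186,7 +190,8 @@ DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
 --with-selinux \
 --with-system-et \
 --with-system-ss \
---with-system-verto
+--with-system-verto \
+--with-lmdb
 
 %make_build
 
@@ -227,6 +232,11 @@ install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
 install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
 install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
 
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+# Default include on this directory
+ln -sv %{_sysconfdir}/crypto-policies/back-ends/krb5.config %{buildroot}%{_sysconfdir}/krb5.conf.d/crypto-policies
+%endif
+
 # all libs must have permissions 0755
 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
 do
@@ -366,6 +376,9 @@ done
 %doc %{krb5docdir}/README
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
 %dir %{_sysconfdir}/krb5.conf.d
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/crypto-policies
+%endif
 %{_libdir}/libgssapi_krb5.*
 %{_libdir}/libgssrpc.so.*
 %{_libdir}/libk5crypto.so.*
@@ -417,6 +430,7 @@ done
 %{_sbindir}/sserver
 %{_sbindir}/uuserver
 %{_libdir}/krb5/plugins/kdb/db2.so
+%{_libdir}/krb5/plugins/kdb/klmdb.so
 %{_mandir}/man5/kdc.conf.5%{?ext_man}
 %{_mandir}/man5/kadm5.acl.5%{?ext_man}
 %{_mandir}/man8/kadmind.8%{?ext_man}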
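Review bot: The new `Patch9: 0009-Fix-three-memory-leaks.patch` line carries nothing that says it is a security backport; only krb5.changes ties it to CVE-2024-26458, CVE-2024-26461 and CVE-2024-26462, and the patch file itself names neither the CVEs nor the bsc numbers. A one-line tag directly above it, `# PATCH-FIX-UPSTREAM 0009-Fix-three-memory-leaks.patch CVE-2024-26458 CVE-2024-26461 CVE-2024-26462 bsc#1220770 bsc#1220771 bsc#1220772`, would make it visible at the next version bump that dropping or failing to rebase this patch has security impact, which is exactly the failure the krb5-mini.spec side of this commit shows. The older Patch5 to Patch8 lines are untagged too, so this is a convention the file has not followed so far rather than a regression introduced here.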
BIN
vendor-files.tar.bz2
(Stored with Git LFS)
BIN
vendor-files.tar.bz2
(Stored with Git LFS)
Binary file not shown.