diff --git a/krb5-1.13.3.tar.gz b/krb5-1.13.3.tar.gz deleted file mode 100644 index b278aa9..0000000 --- a/krb5-1.13.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5d4af08ead9b7a1e9493cfd65e821234f151a46736e1ce586f886c8a8e65fabe -size 12133347 diff --git a/krb5-1.13.3.tar.gz.asc b/krb5-1.13.3.tar.gz.asc deleted file mode 100644 index 1d79d36..0000000 --- a/krb5-1.13.3.tar.gz.asc +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iQGcBAABAgAGBQJWYePPAAoJEKMvF/0AVcMFExYMAIJ4l6N0p00Gsh2smjTCrGcr -4ZemT6ovZW1bYhqKjnfeN1Csg0OEUKHUN20NRUuLhqOfDSU9UxJHXJ8azLTjopQr -yqe5teby2ki+cOcfcYbDUkRmLaG9wkrDiTIPV9SIObJCwuQfEhB4MMAw6hhMzLWZ -ENKqsGOxXrCCuDlcmHYgc7kRV2oa7ko72Lti70PpM3/mENGUHURz9tu/c8cratv8 -cJYLQibi7w1lA8qg2tKjqzwXJTLRfxm44cUOBWmD3Ph3XtfME7qmo56tYiiD2LIB -LiYBjipxWwK5LCTYb+2v1WMUcRamZ1J2JhzkNAwetocduuM3DRLCFcFlgTZS39n4 -AqIX7vmpbHljFY8IJ0UBfYTuR9+McfkXSKZN+QiQKr0BMNJbFPhjonSWkotXS39S -zyX2jDzBj5zXaBQ0aTL4w82XqIalIDWR9NXOPWggfSRcxMSiMSywl19eBAXk5Qfm -VGCb4CRB7CKBIsQbq2El5c2gTJP/lh/fnOqRfsvQXA== -=UvFL ------END PGP SIGNATURE----- diff --git a/krb5-1.14.tar.gz b/krb5-1.14.tar.gz new file mode 100644 index 0000000..65e86f0 --- /dev/null +++ b/krb5-1.14.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cedb07fad8331e3ff2983d26e977a2ddba622f379c2b19bfea85bd695930f9e9 +size 12255176 diff --git a/krb5-1.14.tar.gz.asc b/krb5-1.14.tar.gz.asc new file mode 100644 index 0000000..c05b461 --- /dev/null +++ b/krb5-1.14.tar.gz.asc @@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQGcBAABAgAGBQJWT4hUAAoJEKMvF/0AVcMFE44L/iuBH47TzpEn9RudgxMvxp7L +rREaBF/sIdMg0I8aUONtxw7nvh091s8SXus8UZiRYqPO+trB2pB52P1iQ4G9TBPX +IOkAEtxu/Sojfp2BxRd6NCBw+n90axNQDWogSN8U6XmK1szpiQz2KdaxfNTv5Lzm +Jtx/6p39DM7M72gkrFl8ZDEi2xKqyA1+fcCti3Q/Wdwx73HqWctHYNcjUtJH5bvN +GlTQq1PynPoHf8LqxVz6jquhuBgb2d2z8Q4hhQKlJF8x131vppeiWuDv3ExkcWKP +cvssUz8C1Ty7LF0ax0fwzQo22yEeTIHayvpbVidSiW8RUGUEiMzhaHcD3BTsQ5WF +X+l+xKqvZniB9Vs6KtbP4ErM6Rj+tNQJy8iMzEyDFTIuEFjK0497XGgBIp9FpgOl +6Rh9EXY66GUuU5FTnmGpmm3HxnhYWFDdj/vxj8DKTr5EmxAoc4j0fUp/ze4ZMZ02 +P14WS5B4DSfqZO+vaOKHmtmZH0J/ZS/8x7JIuz4cQA== +=xlir +-----END PGP SIGNATURE----- diff --git a/krb5-fix_interposer.patch b/krb5-fix_interposer.patch new file mode 100644 index 0000000..5c01616 --- /dev/null +++ b/krb5-fix_interposer.patch @@ -0,0 +1,222 @@ +From b3901af6970fb7bde88eb16d51c8d05db6f37746 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Fri, 13 Nov 2015 14:54:11 -0500 +Subject: [PATCH] Fix impersonate_name to work with interposers + +This follows the same modifications applied to +gss_acquire_cred_with_password() when interposer plugins were +introduced. + +[ghudson@mit.edu: minor whitespace changes; initialize out_mcred in +spnego_gss_acquire_cred_impersonate_name() since it is released in the +cleanup handler] + +ticket: 8280 (new) +--- + src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c | 58 +++++++++++++++-------- + src/lib/gssapi/spnego/spnego_mech.c | 35 +++++++------- + 2 files changed, 54 insertions(+), 39 deletions(-) + +diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c +index 0dd4f87..9eab25e 100644 +--- a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c ++++ b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c +@@ -334,6 +334,8 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + gss_cred_id_t cred = NULL; + gss_OID new_mechs_array = NULL; + gss_cred_id_t * new_cred_array = NULL; ++ gss_OID_set target_mechs = GSS_C_NO_OID_SET; ++ gss_OID selected_mech = GSS_C_NO_OID; + + status = val_add_cred_impersonate_name_args(minor_status, + input_cred_handle, +@@ -350,7 +352,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + if (status != GSS_S_COMPLETE) + return (status); + +- mech = gssint_get_mechanism(desired_mech); ++ status = gssint_select_mech_type(minor_status, desired_mech, ++ &selected_mech); ++ if (status != GSS_S_COMPLETE) ++ return status; ++ ++ mech = gssint_get_mechanism(selected_mech); + if (!mech) + return GSS_S_BAD_MECH; + else if (!mech->gss_acquire_cred) +@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + internal_name = GSS_C_NO_NAME; + } else { + union_cred = (gss_union_cred_t)input_cred_handle; +- if (gssint_get_mechanism_cred(union_cred, desired_mech) != ++ if (gssint_get_mechanism_cred(union_cred, selected_mech) != + GSS_C_NO_CREDENTIAL) + return (GSS_S_DUPLICATE_ELEMENT); + } + + mech_impersonator_cred = + gssint_get_mechanism_cred((gss_union_cred_t)impersonator_cred_handle, +- desired_mech); ++ selected_mech); + if (mech_impersonator_cred == GSS_C_NO_CREDENTIAL) + return (GSS_S_NO_CRED); + + /* may need to create a mechanism specific name */ + union_name = (gss_union_name_t)desired_name; + if (union_name->mech_type && +- g_OID_equal(union_name->mech_type, +- &mech->mech_type)) ++ g_OID_equal(union_name->mech_type, selected_mech)) + internal_name = union_name->mech_name; + else { + if (gssint_import_internal_name(minor_status, +- &mech->mech_type, union_name, +- &allocated_name) != GSS_S_COMPLETE) ++ selected_mech, union_name, ++ &allocated_name) != GSS_S_COMPLETE) + return (GSS_S_BAD_NAME); + internal_name = allocated_name; + } +@@ -402,11 +408,21 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + else + time_req = 0; + ++ status = gss_create_empty_oid_set(minor_status, &target_mechs); ++ if (status != GSS_S_COMPLETE) ++ goto errout; ++ ++ status = gss_add_oid_set_member(minor_status, ++ gssint_get_public_oid(selected_mech), ++ &target_mechs); ++ if (status != GSS_S_COMPLETE) ++ goto errout; ++ + status = mech->gss_acquire_cred_impersonate_name(minor_status, + mech_impersonator_cred, + internal_name, + time_req, +- GSS_C_NULL_OID_SET, ++ target_mechs, + cred_usage, + &cred, + NULL, +@@ -445,19 +461,15 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + + new_cred_array[union_cred->count] = cred; + if ((new_mechs_array[union_cred->count].elements = +- malloc(mech->mech_type.length)) == NULL) ++ malloc(selected_mech->length)) == NULL) + goto errout; + +- g_OID_copy(&new_mechs_array[union_cred->count], +- &mech->mech_type); ++ g_OID_copy(&new_mechs_array[union_cred->count], selected_mech); + + if (actual_mechs != NULL) { +- gss_OID_set_desc oids; +- +- oids.count = union_cred->count + 1; +- oids.elements = new_mechs_array; +- +- status = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs); ++ status = gssint_make_public_oid_set(minor_status, new_mechs_array, ++ union_cred->count + 1, ++ actual_mechs); + if (GSS_ERROR(status)) { + free(new_mechs_array[union_cred->count].elements); + goto errout; +@@ -486,10 +498,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + /* We're done with the internal name. Free it if we allocated it. */ + + if (allocated_name) +- (void) gssint_release_internal_name(&temp_minor_status, +- &mech->mech_type, ++ (void) gssint_release_internal_name(&temp_minor_status, selected_mech, + &allocated_name); + ++ if (target_mechs) ++ (void) gss_release_oid_set(&temp_minor_status, &target_mechs); ++ + return (GSS_S_COMPLETE); + + errout: +@@ -503,8 +517,10 @@ errout: + + if (allocated_name) + (void) gssint_release_internal_name(&temp_minor_status, +- &mech->mech_type, +- &allocated_name); ++ selected_mech, &allocated_name); ++ ++ if (target_mechs) ++ (void) gss_release_oid_set(&temp_minor_status, &target_mechs); + + if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred) + free(union_cred); +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index e6703eb..28fb9b1 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -2619,10 +2619,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, + gss_OID_set *actual_mechs, + OM_uint32 *time_rec) + { +- OM_uint32 status; ++ OM_uint32 status, tmpmin; + gss_OID_set amechs = GSS_C_NULL_OID_SET; + spnego_gss_cred_id_t imp_spcred = NULL, out_spcred = NULL; +- gss_cred_id_t imp_mcred, out_mcred; ++ gss_cred_id_t imp_mcred, out_mcred = GSS_C_NO_CREDENTIAL; + + dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n"); + +@@ -2634,31 +2634,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, + + imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle; + imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL; +- if (desired_mechs == GSS_C_NO_OID_SET) { +- status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL, +- NULL, &amechs); +- if (status != GSS_S_COMPLETE) +- return status; +- +- desired_mechs = amechs; +- } ++ status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL, ++ NULL, &amechs); ++ if (status != GSS_S_COMPLETE) ++ return status; + + status = gss_acquire_cred_impersonate_name(minor_status, imp_mcred, + desired_name, time_req, +- desired_mechs, cred_usage, ++ amechs, cred_usage, + &out_mcred, actual_mechs, + time_rec); +- +- if (amechs != GSS_C_NULL_OID_SET) +- (void) gss_release_oid_set(minor_status, &amechs); ++ if (status != GSS_S_COMPLETE) ++ goto cleanup; + + status = create_spnego_cred(minor_status, out_mcred, &out_spcred); +- if (status != GSS_S_COMPLETE) { +- gss_release_cred(minor_status, &out_mcred); +- return (status); +- } ++ if (status != GSS_S_COMPLETE) ++ goto cleanup; ++ ++ out_mcred = GSS_C_NO_CREDENTIAL; + *output_cred_handle = (gss_cred_id_t)out_spcred; + ++cleanup: ++ (void) gss_release_oid_set(&tmpmin, &amechs); ++ (void) gss_release_cred(&tmpmin, &out_mcred); ++ + dsyslog("Leaving spnego_gss_acquire_cred_impersonate_name\n"); + return (status); + } +-- +2.6.2 + diff --git a/krb5-kvno-230379.patch b/krb5-kvno-230379.patch deleted file mode 100644 index d3dbceb..0000000 --- a/krb5-kvno-230379.patch +++ /dev/null @@ -1,53 +0,0 @@ -From patch attached to http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349, -at http://krbdev.mit.edu/rt/Ticket/Attachment/23851/13214/kvno.diff, adjusted -as needed to apply to 1.10. FIXME: I'd like to better handle cases where we -have a new key with the right version stored later in the keytab file. -Currently, we're setting up to overlook that possibility. - -Note that this only affects the path taken when krb5_rd_rep() is passed a -server principal name, as without a server principal name it already tries -all of the keys it finds in the keytab, regardless of version numbers. - -Index: krb5-1.11.1/src/kadmin/ktutil/ktutil.c -=================================================================== ---- krb5-1.11.1.orig/src/kadmin/ktutil/ktutil.c -+++ krb5-1.11.1/src/kadmin/ktutil/ktutil.c -@@ -155,7 +155,7 @@ void ktutil_add_entry(argc, argv) - char *princ = NULL; - char *enctype = NULL; - krb5_kvno kvno = 0; -- int use_pass = 0, use_key = 0, i; -+ int use_pass = 0, use_key = 0, use_kvno = 0, i; - - for (i = 1; i < argc; i++) { - if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) { -@@ -164,6 +164,7 @@ void ktutil_add_entry(argc, argv) - } - if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) { - kvno = (krb5_kvno) atoi(argv[++i]); -+ use_kvno++; - continue; - } - if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) { -@@ -180,7 +181,7 @@ void ktutil_add_entry(argc, argv) - } - } - -- if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) { -+ if (argc != 8 || !(princ && use_kvno && enctype) || (use_pass+use_key != 1)) { - fprintf(stderr, _("usage: %s (-key | -password) -p principal " - "-k kvno -e enctype\n"), argv[0]); - return; -Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c -=================================================================== ---- krb5-1.11.1.orig/src/lib/krb5/keytab/kt_file.c -+++ krb5-1.11.1/src/lib/krb5/keytab/kt_file.c -@@ -349,7 +349,7 @@ krb5_ktfile_get_entry(krb5_context conte - higher than that. Short-term workaround: only compare - the low 8 bits. */ - -- if (new_entry.vno == (kvno & 0xff)) { -+ if (new_entry.vno == (kvno & 0xff) || new_entry.vno == IGNORE_VNO) { - krb5_kt_free_entry(context, &cur_entry); - cur_entry = new_entry; - break; diff --git a/krb5-mechglue_inqure_attrs.patch b/krb5-mechglue_inqure_attrs.patch new file mode 100644 index 0000000..be994da --- /dev/null +++ b/krb5-mechglue_inqure_attrs.patch @@ -0,0 +1,56 @@ +From 26f94f6e8fd99ee0dfc2f71afb38c74a12482601 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Wed, 16 Dec 2015 19:31:22 -0500 +Subject: [PATCH] Fix mechglue on gss_inquire_attrs_for_mech() + +This includes proper mechanism selection in gss_inquire_attrs_for_mech() +itself as well as passing the correct mech down from gss_accept_sec_context() +through allow_mech_by_default(). + +Also-authored-by: Simo Sorce +--- + src/lib/gssapi/mechglue/g_accept_sec_context.c | 2 +- + src/lib/gssapi/mechglue/g_mechattr.c | 7 ++++++- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c +index 6c72d1f..4a86024 100644 +--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c ++++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c +@@ -245,7 +245,7 @@ gss_cred_id_t * d_cred; + status = GSS_S_NO_CRED; + goto error_out; + } +- } else if (!allow_mech_by_default(selected_mech)) { ++ } else if (!allow_mech_by_default(gssint_get_public_oid(selected_mech))) { + status = GSS_S_NO_CRED; + goto error_out; + } +diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c +index e9299f4..4bd44b5 100644 +--- a/src/lib/gssapi/mechglue/g_mechattr.c ++++ b/src/lib/gssapi/mechglue/g_mechattr.c +@@ -161,6 +161,7 @@ gss_inquire_attrs_for_mech( + { + OM_uint32 status, tmpMinor; + gss_mechanism mech; ++ gss_OID selected_mech; + + if (minor == NULL) + return GSS_S_CALL_INACCESSIBLE_WRITE; +@@ -173,7 +174,11 @@ gss_inquire_attrs_for_mech( + if (known_mech_attrs != NULL) + *known_mech_attrs = GSS_C_NO_OID_SET; + +- mech = gssint_get_mechanism((gss_OID)mech_oid); ++ status = gssint_select_mech_type(minor, mech_oid, &selected_mech); ++ if (status != GSS_S_COMPLETE) ++ return (status); ++ ++ mech = gssint_get_mechanism(selected_mech); + if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) { + status = mech->gss_inquire_attrs_for_mech(minor, + mech_oid, +-- +2.6.4 + diff --git a/krb5-mini.changes b/krb5-mini.changes index a91e30f..56f5148 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,7 +1,131 @@ +------------------------------------------------------------------- +Mon Jan 11 12:33:54 UTC 2016 - idonmez@suse.com + +- Add two patches from Fedora, fixing two crashes: + * krb5-fix_interposer.patch + * krb5-mechglue_inqure_attrs.patch + +------------------------------------------------------------------- +Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com + +- Update to 1.14 +- dropped krb5-kvno-230379.patch +- added krbdev.mit.edu-8301.patch fixing wrong function call + +Major changes in 1.14 (2015-11-20) +================================== + +Administrator experience: + +* Add a new kdb5_util tabdump command to provide reporting-friendly + tabular dump formats (tab-separated or CSV) for the KDC database. + Unlike the normal dump format, each output table has a fixed number + of fields. Some tables include human-readable forms of data that + are opaque in ordinary dump files. This format is also suitable for + importing into relational databases for complex queries. +* Add support to kadmin and kadmin.local for specifying a single + command line following any global options, where the command + arguments are split by the shell--for example, "kadmin getprinc + principalname". Commands issued this way do not prompt for + confirmation or display warning messages, and exit with non-zero + status if the operation fails. +* Accept the same principal flag names in kadmin as we do for the + default_principal_flags kdc.conf variable, and vice versa. Also + accept flag specifiers in the form that kadmin prints, as well as + hexadecimal numbers. +* Remove the triple-DES and RC4 encryption types from the default + value of supported_enctypes, which determines the default key and + salt types for new password-derived keys. By default, keys will + only created only for AES128 and AES256. This mitigates some types + of password guessing attacks. +* Add support for directory names in the KRB5_CONFIG and + KRB5_KDC_PROFILE environment variables. +* Add support for authentication indicators, which are ticket + annotations to indicate the strength of the initial authentication. + Add support for the "require_auth" string attribute, which can be + set on server principal entries to require an indicator when + authenticating to the server. +* Add support for key version numbers larger than 255 in keytab files, + and for version numbers up to 65535 in KDC databases. +* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC + during pre-authentication, corresponding to the client's most + preferred encryption type. +* Add support for server name identification (SNI) when proxying KDC + requests over HTTPS. +* Add support for the err_fmt profile parameter, which can be used to + generate custom-formatted error messages. + +Code quality: + +* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that + could cause server crashes. [CVE-2015-2695] [CVE-2015-2696] + [CVE-2015-2698] +* Fix build_principal memory bug that could cause a KDC + crash. [CVE-2015-2697] + +Developer experience: + +* Change gss_acquire_cred_with_password() to acquire credentials into + a private memory credential cache. Applications can use + gss_store_cred() to make the resulting credentials visible to other + processes. +* Change gss_acquire_cred() and SPNEGO not to acquire credentials for + IAKERB or for non-standard variants of the krb5 mechanism OID unless + explicitly requested. (SPNEGO will still accept the Microsoft + variant of the krb5 mechanism OID during negotiation.) +* Change gss_accept_sec_context() not to accept tokens for IAKERB or + for non-standard variants of the krb5 mechanism OID unless an + acceptor credential is acquired for those mechanisms. +* Change gss_acquire_cred() to immediately resolve credentials if the + time_rec parameter is not NULL, so that a correct expiration time + can be returned. Normally credential resolution is delayed until + the target name is known. +* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs, + which can be used by plugin modules or applications to add prefixes + to existing detailed error messages. +* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which + implement the RFC 6113 PRF+ operation and key derivation using PRF+. +* Add support for pre-authentication mechanisms which use multiple + round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error + code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth + interface; these callbacks can be used to save marshalled state + information in an encrypted cookie for the next request. +* Add a client_key() callback to the kdcpreauth interface to retrieve + the chosen client key, corresponding to the ETYPE-INFO2 entry sent + by the KDC. +* Add an add_auth_indicator() callback to the kdcpreauth interface, + allowing pre-authentication modules to assert authentication + indicators. +* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to + suppress sending the confidentiality and integrity flags in GSS + initiator tokens unless they are requested by the caller. These + flags control the negotiated SASL security layer for the Microsoft + GSS-SPNEGO SASL mechanism. +* Make the FILE credential cache implementation less prone to + corruption issues in multi-threaded programs, especially on + platforms with support for open file description locks. + +Performance: + +* On slave KDCs, poll the master KDC immediately after processing a + full resync, and do not require two full resyncs after the master + KDC's log file is reset. + +User experience: + +* Make gss_accept_sec_context() accept tickets near their expiration + but within clock skew tolerances, rather than rejecting them + immediately after the server's view of the ticket expiration time. + ------------------------------------------------------------------- Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com -- Udapte to 1.13.3 +- Update to 1.13.3 +- removed patches for security fixes now in upstream source: + 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch + 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch + 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch + 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch Major changes in 1.13.3 (2015-12-04) ==================================== @@ -19,10 +143,28 @@ krb5-1.14 release series or later. krb5-1.10 or earlier. ------------------------------------------------------------------- -Mon Jun 1 07:38:15 UTC 2015 - hguo@suse.com +Tue Nov 10 14:57:01 UTC 2015 - hguo@suse.com + +- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch + to fix a memory corruption regression introduced by resolution of + CVE-2015-2698. bsc#954204 + +------------------------------------------------------------------- +Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com + +- Make kadmin.local man page available without having to install krb5-client. bsc#948011 +- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch + to fix build_principal memory bug [CVE-2015-2697] bsc#952190 +- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch + to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189 +- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch + to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188 + +------------------------------------------------------------------- +Mon Jun 1 07:31:52 UTC 2015 - hguo@suse.com - Let server depend on libev (module of libverto). This was the - embedded implementation before the seperation of libverto from krb. + preferred implementation before the seperation of libverto from krb. ------------------------------------------------------------------- Thu May 28 08:01:00 UTC 2015 - dimstar@opensuse.org diff --git a/krb5-mini.spec b/krb5-mini.spec index cabfd91..da1083a 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -1,7 +1,7 @@ # # spec file for package krb5-mini # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ %define build_mini 1 -%define srcRoot krb5-1.13.3 +%define srcRoot krb5-1.14 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -30,7 +30,7 @@ BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.13.3 +Version: 1.14 Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT @@ -82,7 +82,10 @@ Patch8: krb5-1.12-api.patch Patch11: krb5-1.12-ksu-path.patch Patch12: krb5-1.12-selinux-label.patch Patch13: krb5-1.9-debuginfo.patch -Patch14: krb5-kvno-230379.patch +# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301 +Patch14: krbdev.mit.edu-8301.patch +Patch15: krb5-fix_interposer.patch +Patch16: krb5-mechglue_inqure_attrs.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %fillup_prereq @@ -201,6 +204,8 @@ Include Files for Development %patch12 -p1 %patch13 -p0 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 %build # needs to be re-generated @@ -247,6 +252,9 @@ cp -a html_subst ../../html cd .. %endif +# Copy kadmin manual page into kadmin.local's due to the split between client and server package +cp man/kadmin.man man/kadmin.local.8 + %install # Where per-user keytabs live by default. @@ -349,6 +357,8 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples # doesn't support disabling it at build time rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so %endif +# manually remove test plugin since configure doesn't support disabling it at build time +rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %find_lang mit-krb5 diff --git a/krb5.changes b/krb5.changes index 94ec734..56f5148 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,7 +1,126 @@ +------------------------------------------------------------------- +Mon Jan 11 12:33:54 UTC 2016 - idonmez@suse.com + +- Add two patches from Fedora, fixing two crashes: + * krb5-fix_interposer.patch + * krb5-mechglue_inqure_attrs.patch + +------------------------------------------------------------------- +Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com + +- Update to 1.14 +- dropped krb5-kvno-230379.patch +- added krbdev.mit.edu-8301.patch fixing wrong function call + +Major changes in 1.14 (2015-11-20) +================================== + +Administrator experience: + +* Add a new kdb5_util tabdump command to provide reporting-friendly + tabular dump formats (tab-separated or CSV) for the KDC database. + Unlike the normal dump format, each output table has a fixed number + of fields. Some tables include human-readable forms of data that + are opaque in ordinary dump files. This format is also suitable for + importing into relational databases for complex queries. +* Add support to kadmin and kadmin.local for specifying a single + command line following any global options, where the command + arguments are split by the shell--for example, "kadmin getprinc + principalname". Commands issued this way do not prompt for + confirmation or display warning messages, and exit with non-zero + status if the operation fails. +* Accept the same principal flag names in kadmin as we do for the + default_principal_flags kdc.conf variable, and vice versa. Also + accept flag specifiers in the form that kadmin prints, as well as + hexadecimal numbers. +* Remove the triple-DES and RC4 encryption types from the default + value of supported_enctypes, which determines the default key and + salt types for new password-derived keys. By default, keys will + only created only for AES128 and AES256. This mitigates some types + of password guessing attacks. +* Add support for directory names in the KRB5_CONFIG and + KRB5_KDC_PROFILE environment variables. +* Add support for authentication indicators, which are ticket + annotations to indicate the strength of the initial authentication. + Add support for the "require_auth" string attribute, which can be + set on server principal entries to require an indicator when + authenticating to the server. +* Add support for key version numbers larger than 255 in keytab files, + and for version numbers up to 65535 in KDC databases. +* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC + during pre-authentication, corresponding to the client's most + preferred encryption type. +* Add support for server name identification (SNI) when proxying KDC + requests over HTTPS. +* Add support for the err_fmt profile parameter, which can be used to + generate custom-formatted error messages. + +Code quality: + +* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that + could cause server crashes. [CVE-2015-2695] [CVE-2015-2696] + [CVE-2015-2698] +* Fix build_principal memory bug that could cause a KDC + crash. [CVE-2015-2697] + +Developer experience: + +* Change gss_acquire_cred_with_password() to acquire credentials into + a private memory credential cache. Applications can use + gss_store_cred() to make the resulting credentials visible to other + processes. +* Change gss_acquire_cred() and SPNEGO not to acquire credentials for + IAKERB or for non-standard variants of the krb5 mechanism OID unless + explicitly requested. (SPNEGO will still accept the Microsoft + variant of the krb5 mechanism OID during negotiation.) +* Change gss_accept_sec_context() not to accept tokens for IAKERB or + for non-standard variants of the krb5 mechanism OID unless an + acceptor credential is acquired for those mechanisms. +* Change gss_acquire_cred() to immediately resolve credentials if the + time_rec parameter is not NULL, so that a correct expiration time + can be returned. Normally credential resolution is delayed until + the target name is known. +* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs, + which can be used by plugin modules or applications to add prefixes + to existing detailed error messages. +* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which + implement the RFC 6113 PRF+ operation and key derivation using PRF+. +* Add support for pre-authentication mechanisms which use multiple + round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error + code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth + interface; these callbacks can be used to save marshalled state + information in an encrypted cookie for the next request. +* Add a client_key() callback to the kdcpreauth interface to retrieve + the chosen client key, corresponding to the ETYPE-INFO2 entry sent + by the KDC. +* Add an add_auth_indicator() callback to the kdcpreauth interface, + allowing pre-authentication modules to assert authentication + indicators. +* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to + suppress sending the confidentiality and integrity flags in GSS + initiator tokens unless they are requested by the caller. These + flags control the negotiated SASL security layer for the Microsoft + GSS-SPNEGO SASL mechanism. +* Make the FILE credential cache implementation less prone to + corruption issues in multi-threaded programs, especially on + platforms with support for open file description locks. + +Performance: + +* On slave KDCs, poll the master KDC immediately after processing a + full resync, and do not require two full resyncs after the master + KDC's log file is reset. + +User experience: + +* Make gss_accept_sec_context() accept tickets near their expiration + but within clock skew tolerances, rather than rejecting them + immediately after the server's view of the ticket expiration time. + ------------------------------------------------------------------- Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com -- Udapte to 1.13.3 +- Update to 1.13.3 - removed patches for security fixes now in upstream source: 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch diff --git a/krb5.spec b/krb5.spec index 065286f..f5326dc 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1,7 +1,7 @@ # # spec file for package krb5 # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ %define build_mini 0 -%define srcRoot krb5-1.13.3 +%define srcRoot krb5-1.14 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -30,7 +30,7 @@ BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.13.3 +Version: 1.14 Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT @@ -82,7 +82,10 @@ Patch8: krb5-1.12-api.patch Patch11: krb5-1.12-ksu-path.patch Patch12: krb5-1.12-selinux-label.patch Patch13: krb5-1.9-debuginfo.patch -Patch14: krb5-kvno-230379.patch +# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301 +Patch14: krbdev.mit.edu-8301.patch +Patch15: krb5-fix_interposer.patch +Patch16: krb5-mechglue_inqure_attrs.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %fillup_prereq @@ -201,6 +204,8 @@ Include Files for Development %patch12 -p1 %patch13 -p0 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 %build # needs to be re-generated @@ -352,6 +357,8 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples # doesn't support disabling it at build time rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so %endif +# manually remove test plugin since configure doesn't support disabling it at build time +rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %find_lang mit-krb5 diff --git a/krbdev.mit.edu-8301.patch b/krbdev.mit.edu-8301.patch new file mode 100644 index 0000000..fa03b0e --- /dev/null +++ b/krbdev.mit.edu-8301.patch @@ -0,0 +1,11 @@ +--- krb5-1.14.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-11-20 21:28:42.000000000 +0100 ++++ krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-12-09 20:17:00.465765527 +0100 +@@ -684,7 +684,7 @@ + if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) { + int ost = st; + st = EINVAL; +- k5_prependmsg(context, ost, st, _("'%s' not found"), ++ k5_wrapmsg(context, ost, st, _("'%s' not found"), + xargs.containerdn); + } + goto cleanup;