diff --git a/krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch b/krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
deleted file mode 100644
index 8ede5f3..0000000
--- a/krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+++ /dev/null
@@ -1,168 +0,0 @@ -From fb99962cbd063ac04c9a9d2cc7c75eab73f3533d Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Thu, 19 Jun 2014 13:49:16 -0400 -Subject: [PATCH] Handle invalid RFC 1964 tokens [CVE-2014-4341...] - -Detect the following cases which would otherwise cause invalid memory -accesses and/or integer underflow: - -* An RFC 1964 token being processed by an RFC 4121-only context - [CVE-2014-4342] - -* A header with fewer than 22 bytes after the token ID or an - incomplete checksum [CVE-2014-4341 CVE-2014-4342] - -* A ciphertext shorter than the confounder [CVE-2014-4341] - -* A declared padding length longer than the plaintext [CVE-2014-4341] - -If we detect a bad pad byte, continue on to compute the checksum to -avoid creating a padding oracle, but treat the checksum as invalid -even if it compares equal. - -CVE-2014-4341: - -In MIT krb5, an unauthenticated remote attacker with the ability to -inject packets into a legitimately established GSSAPI application -session can cause a program crash due to invalid memory references -when attempting to read beyond the end of a buffer. - - CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C - -CVE-2014-4342: - -In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote -attacker with the ability to inject packets into a legitimately -established GSSAPI application session can cause a program crash due -to invalid memory references when reading beyond the end of a buffer -or by causing a null pointer dereference. 
- - CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C - -[tlyu@mit.edu: CVE summaries, CVSS] - -ticket: 7949 (new) -subject: Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342] -taget_version: 1.12.2 -tags: pullup ---- - src/lib/gssapi/krb5/k5unseal.c | 41 +++++++++++++++++++++++++++++++-------- - src/lib/gssapi/krb5/k5unsealiov.c | 9 ++++++++- - 2 files changed, 41 insertions(+), 9 deletions(-) - -diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c -index 30c12b9..0573958 100644 ---- a/src/lib/gssapi/krb5/k5unseal.c -+++ b/src/lib/gssapi/krb5/k5unseal.c -@@ -74,6 +74,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, - int conflen = 0; - int signalg; - int sealalg; -+ int bad_pad = 0; - gss_buffer_desc token; - krb5_checksum cksum; - krb5_checksum md5cksum; -@@ -86,6 +87,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, - krb5_ui_4 seqnum; - OM_uint32 retval; - size_t sumlen; -+ size_t padlen; - krb5_keyusage sign_usage = KG_USAGE_SIGN; - - if (toktype == KG_TOK_SEAL_MSG) { -@@ -93,18 +95,23 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, - message_buffer->value = NULL; - } - -- /* get the sign and seal algorithms */ -- -- signalg = ptr[0] + (ptr[1]<<8); -- sealalg = ptr[2] + (ptr[3]<<8); -- - /* Sanity checks */ - -- if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) { -+ if (ctx->seq == NULL) { -+ /* ctx was established using a newer enctype, and cannot process RFC -+ * 1964 tokens. 
*/ -+ *minor_status = 0; -+ return GSS_S_DEFECTIVE_TOKEN; -+ } -+ -+ if ((bodysize < 22) || (ptr[4] != 0xff) || (ptr[5] != 0xff)) { - *minor_status = 0; - return GSS_S_DEFECTIVE_TOKEN; - } - -+ signalg = ptr[0] + (ptr[1]<<8); -+ sealalg = ptr[2] + (ptr[3]<<8); -+ - if ((toktype != KG_TOK_SEAL_MSG) && - (sealalg != 0xffff)) { - *minor_status = 0; -@@ -153,6 +160,11 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, - return GSS_S_DEFECTIVE_TOKEN; - } - -+ if ((size_t)bodysize < 14 + cksum_len) { -+ *minor_status = 0; -+ return GSS_S_DEFECTIVE_TOKEN; -+ } -+ - /* get the token parameters */ - - if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction, -@@ -207,7 +219,20 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, - plainlen = tmsglen; - - conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype); -- token.length = tmsglen - conflen - plain[tmsglen-1]; -+ if (tmsglen < conflen) { -+ if (sealalg != 0xffff) -+ xfree(plain); -+ *minor_status = 0; -+ return(GSS_S_DEFECTIVE_TOKEN); -+ } -+ padlen = plain[tmsglen - 1]; -+ if (tmsglen - conflen < padlen) { -+ /* Don't error out yet, to avoid padding oracle attacks. We will -+ * treat this as a checksum failure later on. 
*/ -+ padlen = 0; -+ bad_pad = 1; -+ } -+ token.length = tmsglen - conflen - padlen; - - if (token.length) { - if ((token.value = (void *) gssalloc_malloc(token.length)) == NULL) { -@@ -403,7 +428,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, - - /* compare the computed checksum against the transmitted checksum */ - -- if (code) { -+ if (code || bad_pad) { - if (toktype == KG_TOK_SEAL_MSG) - gssalloc_free(token.value); - *minor_status = 0; -diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c -index f7828b8..b654c66 100644 ---- a/src/lib/gssapi/krb5/k5unsealiov.c -+++ b/src/lib/gssapi/krb5/k5unsealiov.c -@@ -69,7 +69,14 @@ kg_unseal_v1_iov(krb5_context context, - return GSS_S_DEFECTIVE_TOKEN; - } - -- if (header->buffer.length < token_wrapper_len + 14) { -+ if (ctx->seq == NULL) { -+ /* ctx was established using a newer enctype, and cannot process RFC -+ * 1964 tokens. */ -+ *minor_status = 0; -+ return GSS_S_DEFECTIVE_TOKEN; -+ } -+ -+ if (header->buffer.length < token_wrapper_len + 22) { - *minor_status = 0; - return GSS_S_DEFECTIVE_TOKEN; - } --- -1.9.3 - diff --git a/krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch b/krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch deleted file mode 100644 index fb68383..0000000 --- a/krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From f18ddf5d82de0ab7591a36e465bc24225776940f Mon Sep 17 00:00:00 2001 -From: David Woodhouse -Date: Tue, 15 Jul 2014 12:54:15 -0400 -Subject: [PATCH] Fix double-free in SPNEGO [CVE-2014-4343] - -In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the -pointer sc->internal_mech became an alias into sc->mech_set->elements, -which should be considered constant for the duration of the SPNEGO -context. So don't free it. - -CVE-2014-4343: - -In MIT krb5 releases 1.10 and newer, an unauthenticated remote -attacker with the ability to spoof packets appearing to be from a -GSSAPI acceptor can cause a double-free condition in GSSAPI initiators -(clients) which are using the SPNEGO mechanism, by returning a -different underlying mechanism than was proposed by the initiator. At -this stage of the negotiation, the acceptor is unauthenticated, and -the acceptor's response could be spoofed by an attacker with the -ability to inject traffic to the initiator. - -Historically, some double-free vulnerabilities can be translated into -remote code execution, though the necessary exploits must be tailored -to the individual application and are usually quite -complicated. Double-frees can also be exploited to cause an -application crash, for a denial of service. However, most GSSAPI -client applications are not vulnerable, as the SPNEGO mechanism is not -used by default (when GSS_C_NO_OID is passed as the mech_type argument -to gss_init_sec_context()). The most common use of SPNEGO is for -HTTP-Negotiate, used in web browsers and other web clients. Most such -clients are believed to not offer HTTP-Negotiate by default, instead -requiring a whitelist of sites for which it may be used to be -configured. 
If the whitelist is configured to only allow -HTTP-Negotiate over TLS connections ("https://"), a successful -attacker must also spoof the web server's SSL certificate, due to the -way the WWW-Authenticate header is sent in a 401 (Unauthorized) -response message. Unfortunately, many instructions for enabling -HTTP-Negotiate in common web browsers do not include a TLS -requirement. - - CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C - -[kaduk@mit.edu: CVE summary and CVSSv2 vector] - -ticket: 7969 (new) -target_version: 1.12.2 -tags: pullup ---- - src/lib/gssapi/spnego/spnego_mech.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 173c6d2..8f829d8 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc, - OM_uint32 tmpmin; - size_t i; - -- generic_gss_release_oid(&tmpmin, &sc->internal_mech); - gss_delete_sec_context(&tmpmin, &sc->ctx_handle, - GSS_C_NO_BUFFER); - --- -1.9.3 - diff --git a/krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch b/krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch deleted file mode 100644 index 272ae59..0000000 --- a/krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 524688ce87a15fc75f87efc8c039ba4c7d5c197b Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 15 Jul 2014 12:56:01 -0400 -Subject: [PATCH] Fix null deref in SPNEGO acceptor [CVE-2014-4344] - -When processing a continuation token, acc_ctx_cont was dereferencing -the initial byte of the token without checking the length. This could -result in a null dereference. - -CVE-2014-4344: - -In MIT krb5 1.5 and newer, an unauthenticated or partially -authenticated remote attacker can cause a NULL dereference and -application crash during a SPNEGO negotiation by sending an empty -token as the second or later context token from initiator to acceptor. -The attacker must provide at least one valid context token in the -security context negotiation before sending the empty token. This can -be done by an unauthenticated attacker by forcing SPNEGO to -renegotiate the underlying mechanism, or by using IAKERB to wrap an -unauthenticated AS-REQ as the first token. - - CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C - -[kaduk@mit.edu: CVE summary, CVSSv2 vector] - -ticket: 7970 (new) -subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344] -target_version: 1.12.2 -tags: pullup ---- - src/lib/gssapi/spnego/spnego_mech.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 8f829d8..2aa6810 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat, - - ptr = bufstart = buf->value; - #define REMAIN (buf->length - (ptr - bufstart)) -- if (REMAIN > INT_MAX) -+ if (REMAIN == 0 || REMAIN > INT_MAX) - return GSS_S_DEFECTIVE_TOKEN; - - /* --- -1.9.3 - 
diff --git a/krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch b/krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch deleted file mode 100644 index 6507492..0000000 --- a/krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -index ce851ea..df5934c 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -@@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data, - j++; - last = i + 1; - -- currkvno = key_data[i].key_data_kvno; -+ if (i < n_key_data - 1) -+ currkvno = key_data[i + 1].key_data_kvno; - } - } - ret[num_versions] = NULL; diff --git a/krb5-1.12-doxygen.patch b/krb5-1.12-doxygen.patch new file mode 100644 index 0000000..642f882 --- /dev/null +++ b/krb5-1.12-doxygen.patch 
@@ -0,0 +1,32 @@
+commit b7a4d695263f1a5b7fe72b1eadce4acdc3f0490b
+From: Ben Kaduk
+Date: Thu Aug 28 17:54:39 2014 -0400
+Subject: Map .hin files to the C language for doxygen
+Upstream: Committed
+References: https://github.com/krb5/krb5/commit/b7a4d695263f1a5b7fe72b1eadce4acdc3f0490b https://github.com/krb5/krb5/pull/198
+
+Doxygen 1.8.8 is unhappy with the generated Doxyfile, and does not
+handle krb5.hin in the expected fashion (as a C header). Work
+around this issue by explicitly specifying that files with the
+ .hin extension are to be treated as C language files.
+
+Fixes the following build failure with doxygen 1.8.8:
+
+[ 326s] cp rst_apiref/*.rst rst_composite/appdev/refs/api
+[ 326s] cp: cannot stat 'rst_apiref/*.rst': No such file or directory
+[ 326s] Makefile:692: recipe for target 'composite' failed
+[ 326s] make: *** [composite] Error 1
+
+diff --git a/src/doc/Doxyfile.in b/src/doc/Doxyfile.in
+index 2082b6d..c225864 100644
+--- a/src/doc/Doxyfile.in
++++ b/src/doc/Doxyfile.in
+@@ -4,6 +4,7 @@ JAVADOC_AUTOBRIEF = YES
+ OPTIMIZE_OUTPUT_FOR_C = YES
+ WARN_IF_UNDOCUMENTED = NO
+ SHOW_FILES = NO
++EXTENSION_MAPPING = hin=C
+ INPUT = @SRC@/include/krb5/krb5.hin @DOC@/doxy_examples
+ EXAMPLE_PATH = @DOC@/doxy_examples
+ GENERATE_HTML = NO
+lines 1-28/28 (END)
diff --git a/krb5-1.12.1.tar.gz b/krb5-1.12.1.tar.gz
deleted file mode 100644
index f24d5ad..0000000
--- a/krb5-1.12.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:86f01c1aae54014fa91ad9a5a69558a6cbd821185528d627362b79b517b7b345
-size 11938756
diff --git a/krb5-1.12.2.tar.gz b/krb5-1.12.2.tar.gz
new file mode 100644
index 0000000..f393040
--- /dev/null
+++ b/krb5-1.12.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b9229d0593ebd30ec0f845b449a83c20fec220bfa424b66f4a61850df34ce0a0
+size 11981162
diff --git a/krb5-1.6.3-ktutil-manpage.dif b/krb5-1.6.3-ktutil-manpage.dif
index 956b816..82f1583 100644
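Review bot: The last added line of krb5-1.12-doxygen.patch, `lines 1-28/28 (END)`, looks like a pager status line captured together with the patch text rather than part of the upstream change. It follows the final context line `GENERATE_HTML = NO` of the embedded `@@ -4,6 +4,7 @@` hunk, so patch(1) will most likely skip it as trailing garbage, but that is not something to rely on in a packaged patch. I would delete that line so the file matches the upstream commit named in its `References:` header.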
--- a/krb5-1.6.3-ktutil-manpage.dif +++ b/krb5-1.6.3-ktutil-manpage.dif @@ -1,9 +1,13 @@ -Index: krb5-1.11/src/man/ktutil.man +--- + src/man/ktutil.man | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +Index: krb5-1.12.2/src/man/ktutil.man =================================================================== ---- krb5-1.11.orig/src/man/ktutil.man -+++ krb5-1.11/src/man/ktutil.man -@@ -158,6 +158,18 @@ ktutil: - .fi +--- krb5-1.12.2.orig/src/man/ktutil.man 2014-08-30 23:06:53.000000000 +0100 ++++ krb5-1.12.2/src/man/ktutil.man 2014-08-30 23:07:00.000000000 +0100 +@@ -162,6 +162,18 @@ ktutil: + .UNINDENT .UNINDENT .UNINDENT +.SH REMARKS diff --git a/krb5-1.7-doublelog.patch b/krb5-1.7-doublelog.patch index 1c948bd..d22f9bb 100644 --- a/krb5-1.7-doublelog.patch +++ b/krb5-1.7-doublelog.patch @@ -1,16 +1,20 @@ Don't double-log (actually, don't process /etc/krb5.conf twice) just because we built with --sysconfdir=/etc. RT#3277 -Index: krb5-1.10.2/src/include/Makefile.in +--- + src/include/Makefile.in | 2 ++ + 1 file changed, 2 insertions(+) + +Index: krb5-1.12.2/src/include/Makefile.in =================================================================== ---- krb5-1.10.2.orig/src/include/Makefile.in -+++ krb5-1.10.2/src/include/Makefile.in -@@ -67,6 +67,8 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$( +--- krb5-1.12.2.orig/src/include/Makefile.in 2014-08-30 23:08:41.000000000 +0100 ++++ krb5-1.12.2/src/include/Makefile.in 2014-08-30 23:09:04.000000000 +0100 +@@ -68,6 +68,8 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$( -e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \ -e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \ -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \ + -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \ + -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \ - -e 's+@DYNOBJEXT+$(DYNOBJEXT)+' + -e 's+@DYNOBJEXT+$(DYNOBJEXT)+' \ + -e 's+@SYSCONFCONF+$(SYSCONFCONF)+' - OSCONFSRC = $(srcdir)/osconf.hin 
diff --git a/krb5-master-keyring-kdcsync.patch b/krb5-master-keyring-kdcsync.patch
deleted file mode 100644
index b095814..0000000
--- a/krb5-master-keyring-kdcsync.patch
+++ /dev/null
@@ -1,108 +0,0 @@ -commit e99c688913a7761c6adea9488ea9355f43539883 -Author: Greg Hudson -Date: Thu Jan 16 17:48:54 2014 -0500 - - Get time offsets for all keyring ccaches - - Move the time offset lookup from krb5_krcc_resolve to make_cache, so - that we fetch time offsets for caches created by - krb5_krcc_ptcursor_next. - - ticket: 7820 - target_version: 1.12.2 - tags: pullup - -diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c -index a0c8035..27bad9d 100644 ---- a/src/lib/krb5/ccache/cc_keyring.c -+++ b/src/lib/krb5/ccache/cc_keyring.c -@@ -1077,11 +1077,13 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id) - - /* Create a cache handle for a cache ID. */ - static krb5_error_code --make_cache(key_serial_t collection_id, key_serial_t cache_id, -- const char *anchor_name, const char *collection_name, -- const char *subsidiary_name, krb5_ccache *cache_out) -+make_cache(krb5_context context, key_serial_t collection_id, -+ key_serial_t cache_id, const char *anchor_name, -+ const char *collection_name, const char *subsidiary_name, -+ krb5_ccache *cache_out) - { - krb5_error_code ret; -+ krb5_os_context os_ctx = &context->os_context; - krb5_ccache ccache = NULL; - krb5_krcc_data *d; - key_serial_t pkey = 0; -@@ -1108,6 +1110,18 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id, - ccache->data = d; - ccache->magic = KV5M_CCACHE; - *cache_out = ccache; -+ -+ /* Lookup time offsets if necessary. 
*/ -+ if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) && -+ !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) { -+ if (krb5_krcc_get_time_offsets(context, ccache, -+ &os_ctx->time_offset, -+ &os_ctx->usec_offset) == 0) { -+ os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME; -+ os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID; -+ } -+ } -+ - return 0; - } - -@@ -1134,7 +1148,6 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id, - static krb5_error_code KRB5_CALLCONV - krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual) - { -- krb5_os_context os_ctx = &context->os_context; - krb5_error_code ret; - key_serial_t collection_id, cache_id; - char *anchor_name = NULL, *collection_name = NULL, *subsidiary_name = NULL; -@@ -1161,22 +1174,11 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual) - if (cache_id < 0) - cache_id = 0; - -- ret = make_cache(collection_id, cache_id, anchor_name, collection_name, -- subsidiary_name, id); -+ ret = make_cache(context, collection_id, cache_id, anchor_name, -+ collection_name, subsidiary_name, id); - if (ret) - goto cleanup; - -- /* Lookup time offsets if necessary. 
*/ -- if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) && -- !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) { -- if (krb5_krcc_get_time_offsets(context, *id, -- &os_ctx->time_offset, -- &os_ctx->usec_offset) == 0) { -- os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME; -- os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID; -- } -- } -- - cleanup: - free(anchor_name); - free(collection_name); -@@ -1928,8 +1930,9 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor, - cache_id = keyctl_search(data->collection_id, KRCC_KEY_TYPE_KEYRING, - first_name, 0); - if (cache_id != -1) { -- return make_cache(data->collection_id, cache_id, data->anchor_name, -- data->collection_name, first_name, cache_out); -+ return make_cache(context, data->collection_id, cache_id, -+ data->anchor_name, data->collection_name, -+ first_name, cache_out); - } - } - -@@ -1967,7 +1970,7 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor, - - /* We found a valid key */ - data->next_key++; -- ret = make_cache(data->collection_id, key, data->anchor_name, -+ ret = make_cache(context, data->collection_id, key, data->anchor_name, - data->collection_name, subsidiary_name, cache_out); - free(description); - return ret; diff --git a/krb5-mini.changes b/krb5-mini.changes index 8634f46..d272f7f 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes 
@@ -1,3 +1,36 @@ +------------------------------------------------------------------- +Sat Aug 30 22:29:28 UTC 2014 - andreas.stieger@gmx.de + +- krb5 5.12.2: + * Work around a gcc optimizer bug that could cause DB2 KDC + database operations to spin in an infinite loop + * Fix a backward compatibility problem with the LDAP KDB schema + that could prevent krb5-1.11 and later from decoding entries + created by krb5-1.6. + * Avoid an infinite loop under some circumstances when the GSS + mechglue loads a dynamic mechanism. + * Fix krb5kdc argument parsing so "-w" and "-r" options work + togetherreliably. +- Vulnerability fixes previously fixed in package via patches: + * Handle certain invalid RFC 1964 GSS tokens correctly to avoid + invalid memory reference vulnerabilities. [CVE-2014-4341 + CVE-2014-4342] + * Fix memory management vulnerabilities in GSSAPI SPNEGO. + [CVE-2014-4343 CVE-2014-4344] + * Fix buffer overflow vulnerability in LDAP KDB back end. + [CVE-2014-4345] +- updated patches: + * krb5-1.7-doublelog.patch for context change + * krb5-1.6.3-ktutil-manpage.dif, same +- removed patches, in upstream: + * krb5-master-keyring-kdcsync.patch + * krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch + * krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch + * krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch + * krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch +- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch + from upstream + ------------------------------------------------------------------- Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com diff --git a/krb5-mini.spec b/krb5-mini.spec index 033de82..ce53be6 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -17,7 +17,7 @@ %define build_mini 1 -%define srcRoot krb5-1.12.1 +%define srcRoot krb5-1.12.2 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 
@@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
 BuildRequires: libcom_err-devel
 BuildRequires: libselinux-devel
 BuildRequires: ncurses-devel
-Version: 1.12.1
+Version: 1.12.2
 Release: 0
 Summary: MIT Kerberos5 Implementation--Libraries
 License: MIT
@@ -82,11 +82,7 @@ Patch11: krb5-1.12-ksu-path.patch
 Patch12: krb5-1.12-selinux-label.patch
 Patch13: krb5-1.9-debuginfo.patch
 Patch14: krb5-kvno-230379.patch
-Patch15: krb5-master-keyring-kdcsync.patch
-Patch16: krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
-Patch17: krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
-Patch18: krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
-Patch19: krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
+Patch20: krb5-1.12-doxygen.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: mktemp, grep, /bin/touch, coreutils
 PreReq: %fillup_prereq
@@ -206,11 +202,7 @@ Include Files for Development
 %patch12 -p1
 %patch13 -p0
 %patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
+%patch20 -p1
 %build
 # needs to be re-generated
diff --git a/krb5.changes b/krb5.changes
index 8634f46..d272f7f 100644
--- a/krb5.changes
+++ b/krb5.changes
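Review bot: `Patch16`–`Patch19` and `%patch16`–`%patch19` are removed in the `@@ -82,11 +82,7 @@` and `@@ -206,11 +202,7 @@` hunks with nothing in the spec recording that the CVE-2014-4341 to CVE-2014-4345 fixes are now expected to come from the 1.12.2 tarball; the only statement of that is the .changes entry. I would add a comment beside the remaining patch list, for example `# Patch15-Patch19 dropped with 1.12.2: keyring kdcsync and CVE-2014-4341..4345 fixes are in the upstream release`, and confirm each fix against the new source, since the deleted CVE-2014-4345 patch carried no upstream commit header to match on. The new tarball is identified in this diff only by the sha256 in its LFS pointer, and the Source lines are outside these hunks, so whether an upstream signature is checked at build time cannot be seen here. krb5.spec receives the same hunks.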
@@ -1,3 +1,36 @@ +------------------------------------------------------------------- +Sat Aug 30 22:29:28 UTC 2014 - andreas.stieger@gmx.de + +- krb5 5.12.2: + * Work around a gcc optimizer bug that could cause DB2 KDC + database operations to spin in an infinite loop + * Fix a backward compatibility problem with the LDAP KDB schema + that could prevent krb5-1.11 and later from decoding entries + created by krb5-1.6. + * Avoid an infinite loop under some circumstances when the GSS + mechglue loads a dynamic mechanism. + * Fix krb5kdc argument parsing so "-w" and "-r" options work + togetherreliably. +- Vulnerability fixes previously fixed in package via patches: + * Handle certain invalid RFC 1964 GSS tokens correctly to avoid + invalid memory reference vulnerabilities. [CVE-2014-4341 + CVE-2014-4342] + * Fix memory management vulnerabilities in GSSAPI SPNEGO. + [CVE-2014-4343 CVE-2014-4344] + * Fix buffer overflow vulnerability in LDAP KDB back end. + [CVE-2014-4345] +- updated patches: + * krb5-1.7-doublelog.patch for context change + * krb5-1.6.3-ktutil-manpage.dif, same +- removed patches, in upstream: + * krb5-master-keyring-kdcsync.patch + * krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch + * krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch + * krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch + * krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch +- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch + from upstream + ------------------------------------------------------------------- Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com diff --git a/krb5.spec b/krb5.spec index 9ba9a10..080863a 100644 --- a/krb5.spec +++ b/krb5.spec @@ -17,7 +17,7 @@ %define build_mini 0 -%define srcRoot krb5-1.12.1 +%define srcRoot krb5-1.12.2 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 
@@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
 BuildRequires: libcom_err-devel
 BuildRequires: libselinux-devel
 BuildRequires: ncurses-devel
-Version: 1.12.1
+Version: 1.12.2
 Release: 0
 Summary: MIT Kerberos5 Implementation--Libraries
 License: MIT
@@ -82,11 +82,7 @@ Patch11: krb5-1.12-ksu-path.patch
 Patch12: krb5-1.12-selinux-label.patch
 Patch13: krb5-1.9-debuginfo.patch
 Patch14: krb5-kvno-230379.patch
-Patch15: krb5-master-keyring-kdcsync.patch
-Patch16: krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
-Patch17: krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
-Patch18: krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
-Patch19: krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
+Patch20: krb5-1.12-doxygen.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: mktemp, grep, /bin/touch, coreutils
 PreReq: %fillup_prereq
@@ -206,11 +202,7 @@ Include Files for Development
 %patch12 -p1
 %patch13 -p0
 %patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
+%patch20 -p1
 %build
 # needs to be re-generated