Accepting request 392049 from home:stroeder:branches:network

Update to 1.14.2. Please review carefully.

Especially from glancing over the upstream source krb5-mechglue_inqure_attrs.patch seems obsolete even though the solution in upstream code looks slightly different.

OBS-URL: https://build.opensuse.org/request/show/392049
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=166
Ismail Dönmez 2016-04-29 08:00:03 +00:00 committed by Git OBS Bridge
parent 9f56699b06
commit f73cb2534d
10 changed files with 44 additions and 118 deletions

@ -1,36 +0,0 @@
From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 14 Mar 2016 17:26:34 -0400
Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119]
In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
if there is an empty string in the db_args array. Check for this case
and avoid dereferencing a null pointer.
CVE-2016-3119:
In MIT krb5 1.6 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying an empty DB argument to the modify_principal
command, if kadmind is configured to use the LDAP KDB module.
CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
ticket: 8383 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
Line numbers are slightly adjusted by Howard Guo <hguo@suse.com> to fit into this older version of Kerberos.
diff -rupN krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
--- krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-03-23 14:00:44.669126353 +0100
+++ krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-03-23 14:01:45.993680720 +0100
@@ -267,6 +267,7 @@ process_db_args(krb5_context context, ch
if (db_args) {
for (i=0; db_args[i]; ++i) {
arg = strtok_r(db_args[i], "=", &arg_val);
+ arg = (arg != NULL) ? arg : "";
if (strcmp(arg, TKTPOLICY_ARG) == 0) {
dptr = &xargs->tktpolicydn;
} else {
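Review bot: Deleting this backport removes the `arg = (arg != NULL) ? arg : "";` guard that follows strtok_r() in process_db_args(), so the update is only safe if ldap_principal2.c in the 1.14.2 tarball handles a NULL return from strtok_r() itself. The changelog in this commit lists CVE-2016-3119 as fixed in 1.14.2, but the patch header says the line numbers were adjusted for this tree, so please confirm against the unpacked 1.14.2 source that the check is present rather than relying on the release notes alone.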

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c8faa44574246f5bd0ce5a3dedc48c32db48a74cc4323949bf70f0ac2d6f1a99
size 12259025

@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1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=Py+v
-----END PGP SIGNATURE-----

3
krb5-1.14.2.tar.gz Normal file
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6bcad7e6778d1965e4ce4af21d2efdc15b274c5ce5c69031c58e4c954cda8b27
size 12264762

14
krb5-1.14.2.tar.gz.asc Normal file
@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1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=o3Qw
-----END PGP SIGNATURE-----
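Review bot: The new krb5-1.14.2.tar.gz.asc is swapped in alongside the tarball, and nothing in this commit shows that it was checked; the sha256 in the Git LFS pointer only identifies the stored object, not that it is the upstream release. Since the request asks for careful review, verify the detached signature over krb5-1.14.2.tar.gz against the MIT krb5 release key before accepting.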

@ -1,56 +0,0 @@
From 26f94f6e8fd99ee0dfc2f71afb38c74a12482601 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 16 Dec 2015 19:31:22 -0500
Subject: [PATCH] Fix mechglue on gss_inquire_attrs_for_mech()
This includes proper mechanism selection in gss_inquire_attrs_for_mech()
itself as well as passing the correct mech down from gss_accept_sec_context()
through allow_mech_by_default().
Also-authored-by: Simo Sorce <simo@redhat.com>
---
src/lib/gssapi/mechglue/g_accept_sec_context.c | 2 +-
src/lib/gssapi/mechglue/g_mechattr.c | 7 ++++++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index 6c72d1f..4a86024 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -245,7 +245,7 @@ gss_cred_id_t * d_cred;
status = GSS_S_NO_CRED;
goto error_out;
}
- } else if (!allow_mech_by_default(selected_mech)) {
+ } else if (!allow_mech_by_default(gssint_get_public_oid(selected_mech))) {
status = GSS_S_NO_CRED;
goto error_out;
}
diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c
index e9299f4..4bd44b5 100644
--- a/src/lib/gssapi/mechglue/g_mechattr.c
+++ b/src/lib/gssapi/mechglue/g_mechattr.c
@@ -161,6 +161,7 @@ gss_inquire_attrs_for_mech(
{
OM_uint32 status, tmpMinor;
gss_mechanism mech;
+ gss_OID selected_mech;
if (minor == NULL)
return GSS_S_CALL_INACCESSIBLE_WRITE;
@@ -173,7 +174,11 @@ gss_inquire_attrs_for_mech(
if (known_mech_attrs != NULL)
*known_mech_attrs = GSS_C_NO_OID_SET;
- mech = gssint_get_mechanism((gss_OID)mech_oid);
+ status = gssint_select_mech_type(minor, mech_oid, &selected_mech);
+ if (status != GSS_S_COMPLETE)
+ return (status);
+
+ mech = gssint_get_mechanism(selected_mech);
if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) {
status = mech->gss_inquire_attrs_for_mech(minor,
mech_oid,
--
2.6.4
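Review bot: The commit message justifies dropping this patch only by "glancing over the upstream source" and admits the upstream solution "looks slightly different", which is thin evidence for a change in mechanism selection. Two behaviours from this patch need to be confirmed in 1.14.2: that gss_accept_sec_context() passes `gssint_get_public_oid(selected_mech)` rather than the raw selected_mech to allow_mech_by_default(), and that gss_inquire_attrs_for_mech() resolves mech_oid through gssint_select_mech_type() and returns on any status other than GSS_S_COMPLETE before calling gssint_get_mechanism(). Patch15 (krb5-fix_interposer.patch) stays in both spec files, so also check that it still applies cleanly without this patch.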

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Thu Apr 28 20:27:37 UTC 2016 - michael@stroeder.com
- removed obsolete patches:
* 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
* krb5-mechglue_inqure_attrs.patch
- Upgrade from 1.14.1 to 1.14.2:
* Fix a moderate-severity vulnerability in the LDAP KDC back end that
could be exploited by a privileged kadmin user [CVE-2016-3119]
* Improve documentation
* Fix some interactions with GSSAPI interposer mechanisms
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com

@ -16,7 +16,7 @@
# #
%define srcRoot krb5-1.14.1 %define srcRoot krb5-1.14.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5 %define krb5docdir %{_defaultdocdir}/krb5
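Review bot: srcRoot repeats the version literal (`krb5-1.14.2`) that the `Version:` tag in the next hunk also carries, so every update has to touch both lines and they can drift apart. Consider `%define srcRoot krb5-%{version}`; the other spec file in this commit needed no srcRoot edit for the same version bump.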
@ -29,7 +29,7 @@ BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
BuildRequires: ncurses-devel BuildRequires: ncurses-devel
Version: 1.14.1 Version: 1.14.2
Release: 0 Release: 0
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
License: MIT License: MIT
@ -65,7 +65,6 @@ Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch Patch13: krb5-1.9-debuginfo.patch
Patch15: krb5-fix_interposer.patch Patch15: krb5-fix_interposer.patch
Patch16: krb5-mechglue_inqure_attrs.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq PreReq: %fillup_prereq
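Review bot: Only `Patch16` is removed in this hunk, and the context runs from Patch15 straight to BuildRoot with no `Patch107` line, so this spec never applied 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch. The changelog hunk shown just before this spec nevertheless lists that patch under "removed obsolete patches"; either reword the entry for this package or state in it why this build did not need the fix.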
@ -111,7 +110,6 @@ Include Files for Development
%patch12 -p1 %patch12 -p1
%patch13 -p0 %patch13 -p0
%patch15 -p1 %patch15 -p1
%patch16 -p1
%build %build
# needs to be re-generated # needs to be re-generated

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Thu Apr 28 20:27:37 UTC 2016 - michael@stroeder.com
- removed obsolete patches:
* 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
* krb5-mechglue_inqure_attrs.patch
- Upgrade from 1.14.1 to 1.14.2:
* Fix a moderate-severity vulnerability in the LDAP KDC back end that
could be exploited by a privileged kadmin user [CVE-2016-3119]
* Improve documentation
* Fix some interactions with GSSAPI interposer mechanisms
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com

@ -25,7 +25,7 @@ BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
BuildRequires: ncurses-devel BuildRequires: ncurses-devel
Version: 1.14.1 Version: 1.14.2
Release: 0 Release: 0
Summary: MIT Kerberos5 Implementation--Libraries Summary: MIT Kerberos5 Implementation--Libraries
License: MIT License: MIT
@ -65,8 +65,6 @@ Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch Patch13: krb5-1.9-debuginfo.patch
Patch15: krb5-fix_interposer.patch Patch15: krb5-fix_interposer.patch
Patch16: krb5-mechglue_inqure_attrs.patch
Patch107: 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq PreReq: %fillup_prereq
@ -179,8 +177,6 @@ Include Files for Development
%patch12 -p1 %patch12 -p1
%patch13 -p0 %patch13 -p0
%patch15 -p1 %patch15 -p1
%patch16 -p1
%patch107 -p1
%build %build
# needs to be re-generated # needs to be re-generated