Accepting request 967999 from home:dirkmueller:Factory

- update to 1.19.3 (bsc#1189929, CVE-2021-37750):
  * Fix a denial of service attack against the KDC [CVE-2021-37750].
  * Fix KDC null deref on TGS inner body null server
  * Fix conformance issue in GSSAPI tests

OBS-URL: https://build.opensuse.org/request/show/967999
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=257

0002-krb5-1.9-manpaths.patch

@@ -13,11 +13,11 @@ configure scripts should be rebuilt.  Originally RT#6525
  src/man/kpropd.man | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/src/man/kpropd.man b/src/man/kpropd.man
-index 66de36813..9988dcdf3 100644
---- a/src/man/kpropd.man
-+++ b/src/man/kpropd.man
-@@ -67,7 +67,7 @@ the \fB/etc/inetd.conf\fP file which looks like this:
+Index: krb5-1.19.3/src/man/kpropd.man
+===================================================================
+--- krb5-1.19.3.orig/src/man/kpropd.man
++++ krb5-1.19.3/src/man/kpropd.man
+@@ -68,7 +68,7 @@ the \fB/etc/inetd.conf\fP file which loo
  .sp
  .nf
  .ft C
@@ -26,6 +26,3 @@ index 66de36813..9988dcdf3 100644
  .ft P
  .fi
  .UNINDENT
--- 
-2.25.0
-

0003-Adjust-build-configuration.patch

@@ -16,11 +16,11 @@ Last-updated: krb5-1.15-beta1
  src/config/shlib.conf          | 5 +++--
  3 files changed, 11 insertions(+), 3 deletions(-)
 
-diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
-index f6184da3f..0edf6a1a5 100755
---- a/src/build-tools/krb5-config.in
-+++ b/src/build-tools/krb5-config.in
-@@ -225,6 +225,13 @@ if test -n "$do_libs"; then
+Index: krb5-1.19.3/src/build-tools/krb5-config.in
+===================================================================
+--- krb5-1.19.3.orig/src/build-tools/krb5-config.in
++++ krb5-1.19.3/src/build-tools/krb5-config.in
+@@ -224,6 +224,13 @@ if test -n "$do_libs"; then
  	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
  	    -e 's#\$(CFLAGS)##'`
  
@@ -34,11 +34,11 @@ index f6184da3f..0edf6a1a5 100755
      if test $library = 'kdb'; then
  	lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
  	library=krb5
-diff --git a/src/config/pre.in b/src/config/pre.in
-index ce87e21ca..164bf8301 100644
---- a/src/config/pre.in
-+++ b/src/config/pre.in
-@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
+Index: krb5-1.19.3/src/config/pre.in
+===================================================================
+--- krb5-1.19.3.orig/src/config/pre.in
++++ krb5-1.19.3/src/config/pre.in
+@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
  INSTALL_SCRIPT=@INSTALL_PROGRAM@
  INSTALL_DATA=@INSTALL_DATA@
  INSTALL_SHLIB=@INSTALL_SHLIB@
@@ -47,11 +47,11 @@ index ce87e21ca..164bf8301 100644
  ## This is needed because autoconf will sometimes define @exec_prefix@ to be
  ## ${prefix}.
  prefix=@prefix@
-diff --git a/src/config/shlib.conf b/src/config/shlib.conf
-index 3e4af6c02..2b20c3fda 100644
---- a/src/config/shlib.conf
-+++ b/src/config/shlib.conf
-@@ -423,7 +423,7 @@ mips-*-netbsd*)
+Index: krb5-1.19.3/src/config/shlib.conf
+===================================================================
+--- krb5-1.19.3.orig/src/config/shlib.conf
++++ krb5-1.19.3/src/config/shlib.conf
+@@ -424,7 +424,7 @@ mips-*-netbsd*)
  	# Linux ld doesn't default to stuffing the SONAME field...
  	# Use objdump -x to examine the fields of the library
  	# UNDEF_CHECK is suppressed by --enable-asan
@@ -60,7 +60,7 @@ index 3e4af6c02..2b20c3fda 100644
  	UNDEF_CHECK='-Wl,--no-undefined'
  	# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
  	LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
-@@ -435,7 +435,8 @@ mips-*-netbsd*)
+@@ -436,7 +436,8 @@ mips-*-netbsd*)
  	SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
  	PROFFLAGS=-pg
  	PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
@@ -70,6 +70,3 @@ index 3e4af6c02..2b20c3fda 100644
  	CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
  	CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
  	CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
--- 
-2.25.0
-

0005-krb5-1.6.3-ktutil-manpage.patch

@@ -8,11 +8,11 @@ Import krb5-1.6.3-ktutil-manpage.dif
  src/man/ktutil.man | 12 ++++++++++++
  1 file changed, 12 insertions(+)
 
-diff --git a/src/man/ktutil.man b/src/man/ktutil.man
-index 233329468..915b41c6e 100644
---- a/src/man/ktutil.man
-+++ b/src/man/ktutil.man
-@@ -151,6 +151,18 @@ ktutil:
+Index: krb5-1.19.3/src/man/ktutil.man
+===================================================================
+--- krb5-1.19.3.orig/src/man/ktutil.man
++++ krb5-1.19.3/src/man/ktutil.man
+@@ -153,6 +153,18 @@ ktutil:
  .sp
  See kerberos(7) for a description of Kerberos environment
  variables.
@@ -31,6 +31,3 @@ index 233329468..915b41c6e 100644
  .SH SEE ALSO
  .sp
  kadmin(1), kdb5_util(8), kerberos(7)
--- 
-2.25.0
-

0007-SELinux-integration.patch

@@ -66,11 +66,11 @@ Last-updated: krb5-1.18-beta1
  create mode 100644 src/include/k5-label.h
  create mode 100644 src/util/support/selinux.c
 
-diff --git a/src/aclocal.m4 b/src/aclocal.m4
-index 53f8b6fb7..b0d1a5337 100644
---- a/src/aclocal.m4
-+++ b/src/aclocal.m4
-@@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag)
+Index: krb5-1.19.3/src/aclocal.m4
+===================================================================
+--- krb5-1.19.3.orig/src/aclocal.m4
++++ krb5-1.19.3/src/aclocal.m4
+@@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag)
  dnl
  KRB5_AC_PRAGMA_WEAK_REF
  WITH_LDAP
@@ -78,7 +78,7 @@ index 53f8b6fb7..b0d1a5337 100644
  KRB5_LIB_PARAMS
  KRB5_AC_INITFINI
  KRB5_AC_ENABLE_THREADS
-@@ -1743,3 +1744,51 @@ AC_SUBST(PAM_LIBS)
+@@ -1745,3 +1746,51 @@ AC_SUBST(PAM_LIBS)
  AC_SUBST(PAM_MAN)
  AC_SUBST(NON_PAM_MAN)
  ])dnl
@@ -130,10 +130,10 @@ index 53f8b6fb7..b0d1a5337 100644
 +LIBS="$old_LIBS"
 +AC_SUBST(SELINUX_LIBS)
 +])dnl
-diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
-index 0edf6a1a5..1891dea99 100755
---- a/src/build-tools/krb5-config.in
-+++ b/src/build-tools/krb5-config.in
+Index: krb5-1.19.3/src/build-tools/krb5-config.in
+===================================================================
+--- krb5-1.19.3.orig/src/build-tools/krb5-config.in
++++ krb5-1.19.3/src/build-tools/krb5-config.in
 @@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
  DEFCCNAME='@DEFCCNAME@'
  DEFKTNAME='@DEFKTNAME@'
@@ -142,7 +142,7 @@ index 0edf6a1a5..1891dea99 100755
  
  LIBS='@LIBS@'
  GEN_LIB=@GEN_LIB@
-@@ -262,7 +263,7 @@ if test -n "$do_libs"; then
+@@ -261,7 +262,7 @@ if test -n "$do_libs"; then
      fi
  
      # If we ever support a flag to generate output suitable for static
@@ -151,10 +151,10 @@ index 0edf6a1a5..1891dea99 100755
      # here.
  
      echo $lib_flags
-diff --git a/src/config/pre.in b/src/config/pre.in
-index 164bf8301..a8540ae2a 100644
---- a/src/config/pre.in
-+++ b/src/config/pre.in
+Index: krb5-1.19.3/src/config/pre.in
+===================================================================
+--- krb5-1.19.3.orig/src/config/pre.in
++++ krb5-1.19.3/src/config/pre.in
 @@ -177,6 +177,7 @@ LD = $(PURE) @LD@
  KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
  LDFLAGS = @LDFLAGS@
@@ -163,7 +163,7 @@ index 164bf8301..a8540ae2a 100644
  
  INSTALL=@INSTALL@
  INSTALL_STRIP=
-@@ -402,7 +403,7 @@ SUPPORT_LIB			= -l$(SUPPORT_LIBNAME)
+@@ -403,7 +404,7 @@ SUPPORT_LIB			= -l$(SUPPORT_LIBNAME)
  # HESIOD_LIBS is -lhesiod...
  HESIOD_LIBS	= @HESIOD_LIBS@
  
@@ -172,11 +172,11 @@ index 164bf8301..a8540ae2a 100644
  KDB5_LIBS	= $(KDB5_LIB) $(GSSRPC_LIBS)
  GSS_LIBS	= $(GSS_KRB5_LIB)
  # needs fixing if ever used on macOS!
-diff --git a/src/configure.ac b/src/configure.ac
-index d1f576124..440a22bd9 100644
---- a/src/configure.ac
-+++ b/src/configure.ac
-@@ -1392,6 +1392,8 @@ AC_PATH_PROG(GROFF, groff)
+Index: krb5-1.19.3/src/configure.ac
+===================================================================
+--- krb5-1.19.3.orig/src/configure.ac
++++ krb5-1.19.3/src/configure.ac
+@@ -1391,6 +1391,8 @@ AC_PATH_PROG(GROFF, groff)
  
  KRB5_WITH_PAM
  
@@ -185,10 +185,10 @@ index d1f576124..440a22bd9 100644
  # Make localedir work in autoconf 2.5x.
  if test "${localedir+set}" != set; then
      localedir='$(datadir)/locale'
-diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-index 9616b24bf..0d9af3d95 100644
---- a/src/include/k5-int.h
-+++ b/src/include/k5-int.h
+Index: krb5-1.19.3/src/include/k5-int.h
+===================================================================
+--- krb5-1.19.3.orig/src/include/k5-int.h
++++ krb5-1.19.3/src/include/k5-int.h
 @@ -128,6 +128,7 @@ typedef unsigned char   u_char;
  
  
@@ -197,11 +197,10 @@ index 9616b24bf..0d9af3d95 100644
  
  #define KRB5_KDB_MAX_LIFE       (60*60*24) /* one day */
  #define KRB5_KDB_MAX_RLIFE      (60*60*24*7) /* one week */
-diff --git a/src/include/k5-label.h b/src/include/k5-label.h
-new file mode 100644
-index 000000000..dfaaa847c
+Index: krb5-1.19.3/src/include/k5-label.h
+===================================================================
 --- /dev/null
-+++ b/src/include/k5-label.h
++++ krb5-1.19.3/src/include/k5-label.h
 @@ -0,0 +1,32 @@
 +#ifndef _KRB5_LABEL_H
 +#define _KRB5_LABEL_H
@@ -235,10 +234,10 @@ index 000000000..dfaaa847c
 +#define THREEPARAMOPEN(x,y,z) open(x,y,z)
 +#endif
 +#endif
-diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
-index d48685357..d1f5661bf 100644
---- a/src/include/krb5/krb5.hin
-+++ b/src/include/krb5/krb5.hin
+Index: krb5-1.19.3/src/include/krb5/krb5.hin
+===================================================================
+--- krb5-1.19.3.orig/src/include/krb5/krb5.hin
++++ krb5-1.19.3/src/include/krb5/krb5.hin
 @@ -87,6 +87,12 @@
  #define THREEPARAMOPEN(x,y,z) open(x,y,z)
  #endif
@@ -252,11 +251,11 @@ index d48685357..d1f5661bf 100644
  #define KRB5_OLD_CRYPTO
  
  #include <stdlib.h>
-diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
-index 301e3476d..19f2cc230 100644
---- a/src/kadmin/dbutil/dump.c
-+++ b/src/kadmin/dbutil/dump.c
-@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
+Index: krb5-1.19.3/src/kadmin/dbutil/dump.c
+===================================================================
+--- krb5-1.19.3.orig/src/kadmin/dbutil/dump.c
++++ krb5-1.19.3/src/kadmin/dbutil/dump.c
+@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname
  {
      int fd = -1;
      FILE *f;
@@ -278,7 +277,7 @@ index 301e3476d..19f2cc230 100644
      if (fd == -1)
          goto error;
  
-@@ -197,7 +206,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd_out)
+@@ -197,7 +206,7 @@ prep_ok_file(krb5_context context, char
          goto cleanup;
      }
  
@@ -287,10 +286,10 @@ index 301e3476d..19f2cc230 100644
      if (fd == -1) {
          com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
          goto cleanup;
-diff --git a/src/kdc/main.c b/src/kdc/main.c
-index fdcd694d7..1ede4bf2f 100644
---- a/src/kdc/main.c
-+++ b/src/kdc/main.c
+Index: krb5-1.19.3/src/kdc/main.c
+===================================================================
+--- krb5-1.19.3.orig/src/kdc/main.c
++++ krb5-1.19.3/src/kdc/main.c
 @@ -872,7 +872,7 @@ write_pid_file(const char *path)
      FILE *file;
      unsigned long pid;
@@ -300,10 +299,10 @@ index fdcd694d7..1ede4bf2f 100644
      if (file == NULL)
          return errno;
      pid = (unsigned long) getpid();
-diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
-index 5622d56e1..356e3e0e6 100644
---- a/src/kprop/kpropd.c
-+++ b/src/kprop/kpropd.c
+Index: krb5-1.19.3/src/kprop/kpropd.c
+===================================================================
+--- krb5-1.19.3.orig/src/kprop/kpropd.c
++++ krb5-1.19.3/src/kprop/kpropd.c
 @@ -487,6 +487,9 @@ doit(int fd)
      krb5_enctype etype;
      int database_fd;
@@ -330,11 +329,11 @@ index 5622d56e1..356e3e0e6 100644
      retval = krb5_lock_file(kpropd_context, lock_fd,
                              KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
      if (retval) {
-diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
-index c6885edf2..9aec3c05e 100644
---- a/src/lib/kadm5/logger.c
-+++ b/src/lib/kadm5/logger.c
-@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
+Index: krb5-1.19.3/src/lib/kadm5/logger.c
+===================================================================
+--- krb5-1.19.3.orig/src/lib/kadm5/logger.c
++++ krb5-1.19.3/src/lib/kadm5/logger.c
+@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, ch
                       */
                      append = (cp[4] == ':') ? O_APPEND : 0;
                      if (append || cp[4] == '=') {
@@ -352,11 +351,11 @@ index c6885edf2..9aec3c05e 100644
              if (f) {
                  set_cloexec_file(f);
                  log_control.log_entries[lindex].lfu_filep = f;
-diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
-index 2659a2501..e9b95fce5 100644
---- a/src/lib/kdb/kdb_log.c
-+++ b/src/lib/kdb/kdb_log.c
-@@ -480,7 +480,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
+Index: krb5-1.19.3/src/lib/kdb/kdb_log.c
+===================================================================
+--- krb5-1.19.3.orig/src/lib/kdb/kdb_log.c
++++ krb5-1.19.3/src/lib/kdb/kdb_log.c
+@@ -480,7 +480,7 @@ ulog_map(krb5_context context, const cha
          return ENOMEM;
  
      if (stat(logname, &st) == -1) {
@@ -365,11 +364,11 @@ index 2659a2501..e9b95fce5 100644
          if (log_ctx->ulogfd == -1) {
              retval = errno;
              goto cleanup;
-diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
-index 7b100a0ec..5683a0433 100644
---- a/src/lib/krb5/ccache/cc_dir.c
-+++ b/src/lib/krb5/ccache/cc_dir.c
-@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents)
+Index: krb5-1.19.3/src/lib/krb5/ccache/cc_dir.c
+===================================================================
+--- krb5-1.19.3.orig/src/lib/krb5/ccache/cc_dir.c
++++ krb5-1.19.3/src/lib/krb5/ccache/cc_dir.c
+@@ -183,10 +183,19 @@ write_primary_file(const char *primary_p
      char *newpath = NULL;
      FILE *fp = NULL;
      int fd = -1, status;
@@ -415,11 +414,11 @@ index 7b100a0ec..5683a0433 100644
          k5_setmsg(context, KRB5_FCC_NOFILE,
                    _("Credential cache directory %s does not exist"),
                    dirname);
-diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
-index 021c94398..aaf573439 100644
---- a/src/lib/krb5/keytab/kt_file.c
-+++ b/src/lib/krb5/keytab/kt_file.c
-@@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
+Index: krb5-1.19.3/src/lib/krb5/keytab/kt_file.c
+===================================================================
+--- krb5-1.19.3.orig/src/lib/krb5/keytab/kt_file.c
++++ krb5-1.19.3/src/lib/krb5/keytab/kt_file.c
+@@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context
  
      KTCHECKLOCK(id);
      errno = 0;
@@ -436,11 +435,11 @@ index 021c94398..aaf573439 100644
              if (!KTFILEP(id))
                  goto report_errno;
              writevno = 1;
-diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
-index 2a03ae980..85dbfeb47 100644
---- a/src/lib/krb5/os/trace.c
-+++ b/src/lib/krb5/os/trace.c
-@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
+Index: krb5-1.19.3/src/lib/krb5/os/trace.c
+===================================================================
+--- krb5-1.19.3.orig/src/lib/krb5/os/trace.c
++++ krb5-1.19.3/src/lib/krb5/os/trace.c
+@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context con
      fd = malloc(sizeof(*fd));
      if (fd == NULL)
          return ENOMEM;
@@ -449,11 +448,11 @@ index 2a03ae980..85dbfeb47 100644
      if (*fd == -1) {
          free(fd);
          return errno;
-diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
-index 7db30a33b..2b9d01921 100644
---- a/src/plugins/kdb/db2/adb_openclose.c
-+++ b/src/plugins/kdb/db2/adb_openclose.c
-@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
+Index: krb5-1.19.3/src/plugins/kdb/db2/adb_openclose.c
+===================================================================
+--- krb5-1.19.3.orig/src/plugins/kdb/db2/adb_openclose.c
++++ krb5-1.19.3/src/plugins/kdb/db2/adb_openclose.c
+@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
           * needs be open read/write so that write locking can work with
           * POSIX systems
           */
@@ -462,11 +461,11 @@ index 7db30a33b..2b9d01921 100644
              /*
               * maybe someone took away write permission so we could only
               * get shared locks?
-diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
-index 5106a5c99..e481e8121 100644
---- a/src/plugins/kdb/db2/kdb_db2.c
-+++ b/src/plugins/kdb/db2/kdb_db2.c
-@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)
+Index: krb5-1.19.3/src/plugins/kdb/db2/kdb_db2.c
+===================================================================
+--- krb5-1.19.3.orig/src/plugins/kdb/db2/kdb_db2.c
++++ krb5-1.19.3/src/plugins/kdb/db2/kdb_db2.c
+@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5
      if (retval)
          return retval;
  
@@ -477,11 +476,11 @@ index 5106a5c99..e481e8121 100644
      if (dbc->db_lf_file < 0) {
          retval = errno;
          goto cleanup;
-diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
-index 2977b17f3..d5809a5a9 100644
---- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c
-+++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
-@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c	8.11 (Berkeley) 11/2/95";
+Index: krb5-1.19.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+===================================================================
+--- krb5-1.19.3.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
++++ krb5-1.19.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c	8.
  #include <string.h>
  #include <unistd.h>
  
@@ -489,7 +488,7 @@ index 2977b17f3..d5809a5a9 100644
  #include "db-int.h"
  #include "btree.h"
  
-@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags)
+@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo,
  			goto einval;
  		}
  
@@ -498,11 +497,11 @@ index 2977b17f3..d5809a5a9 100644
  			goto err;
  
  	} else {
-diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
-index 862dbb164..686a960c9 100644
---- a/src/plugins/kdb/db2/libdb2/hash/hash.c
-+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
-@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c	8.12 (Berkeley) 11/7/95";
+Index: krb5-1.19.3/src/plugins/kdb/db2/libdb2/hash/hash.c
+===================================================================
+--- krb5-1.19.3.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
++++ krb5-1.19.3/src/plugins/kdb/db2/libdb2/hash/hash.c
+@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c	8.12
  #include <assert.h>
  #endif
  
@@ -510,7 +509,7 @@ index 862dbb164..686a960c9 100644
  #include "db-int.h"
  #include "hash.h"
  #include "page.h"
-@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags)
+@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info
  		new_table = 1;
  	}
  	if (file) {
@@ -519,11 +518,11 @@ index 862dbb164..686a960c9 100644
  			RETURN_ERROR(errno, error0);
  		(void)fcntl(hashp->fp, F_SETFD, 1);
  	}
-diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
-index d8b26e701..b0daa7c02 100644
---- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c
-+++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
-@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c	8.12 (Berkeley) 11/18/94";
+Index: krb5-1.19.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+===================================================================
+--- krb5-1.19.3.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
++++ krb5-1.19.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c	8
  #include <stdio.h>
  #include <unistd.h>
  
@@ -531,7 +530,7 @@ index d8b26e701..b0daa7c02 100644
  #include "db-int.h"
  #include "recno.h"
  
-@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags)
+@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo,
  	int rfd = -1, sverrno;
  
  	/* Open the user's file -- if this fails, we're done. */
@@ -541,11 +540,11 @@ index d8b26e701..b0daa7c02 100644
  		return (NULL);
  
  	if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
-diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
-index b92cb58c7..0a95101ad 100644
---- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
-+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
-@@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
+Index: krb5-1.19.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+===================================================================
+--- krb5-1.19.3.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
++++ krb5-1.19.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+@@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int arg
  
      /* set password in the file */
      old_mode = umask(0177);
@@ -554,7 +553,7 @@ index b92cb58c7..0a95101ad 100644
      if (pfile == NULL) {
          com_err(me, errno, _("Failed to open file %s: %s"), file_name,
                  strerror (errno));
-@@ -231,6 +231,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
+@@ -231,6 +231,9 @@ kdb5_ldap_stash_service_password(int arg
           * Delete the existing entry and add the new entry
           */
          FILE *newfile;
@@ -564,7 +563,7 @@ index b92cb58c7..0a95101ad 100644
  
          mode_t omask;
  
-@@ -242,7 +245,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
+@@ -242,7 +245,13 @@ kdb5_ldap_stash_service_password(int arg
          }
  
          omask = umask(077);
@@ -578,10 +577,10 @@ index b92cb58c7..0a95101ad 100644
          umask (omask);
          if (newfile == NULL) {
              com_err(me, errno, _("Error creating file %s"), tmp_file);
-diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
-index aa951df05..79f9500f6 100644
---- a/src/util/profile/prof_file.c
-+++ b/src/util/profile/prof_file.c
+Index: krb5-1.19.3/src/util/profile/prof_file.c
+===================================================================
+--- krb5-1.19.3.orig/src/util/profile/prof_file.c
++++ krb5-1.19.3/src/util/profile/prof_file.c
 @@ -33,6 +33,7 @@
  #endif
  
@@ -590,7 +589,7 @@ index aa951df05..79f9500f6 100644
  
  struct global_shared_profile_data {
      /* This is the head of the global list of shared trees */
-@@ -391,7 +392,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile,
+@@ -391,7 +392,7 @@ static errcode_t write_data_to_file(prf_
  
      errno = 0;
  
@@ -599,10 +598,10 @@ index aa951df05..79f9500f6 100644
      if (!f) {
          retval = errno;
          if (retval == 0)
-diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
-index 86d5a950a..1052d53a1 100644
---- a/src/util/support/Makefile.in
-+++ b/src/util/support/Makefile.in
+Index: krb5-1.19.3/src/util/support/Makefile.in
+===================================================================
+--- krb5-1.19.3.orig/src/util/support/Makefile.in
++++ krb5-1.19.3/src/util/support/Makefile.in
 @@ -74,6 +74,7 @@ IPC_SYMS= \
  
  STLIBOBJS= \
@@ -620,11 +619,10 @@ index 86d5a950a..1052d53a1 100644
  
  DEPLIBS=
  
-diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c
-new file mode 100644
-index 000000000..6d41f3244
+Index: krb5-1.19.3/src/util/support/selinux.c
+===================================================================
 --- /dev/null
-+++ b/src/util/support/selinux.c
++++ krb5-1.19.3/src/util/support/selinux.c
 @@ -0,0 +1,406 @@
 +/*
 + * Copyright 2007,2008,2009,2011,2012,2013,2016 Red Hat, Inc.  All Rights Reserved.
@@ -1032,6 +1030,3 @@ index 000000000..6d41f3244
 +}
 +
 +#endif /* USE_SELINUX */
--- 
-2.25.0
-

0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch

@@ -27,12 +27,12 @@ target_version: 1.18-next
  src/kdc/do_tgs_req.c | 5 +++++
  1 file changed, 5 insertions(+)
 
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index 6d244ffd4..39a504ca1 100644
---- a/src/kdc/do_tgs_req.c
-+++ b/src/kdc/do_tgs_req.c
-@@ -207,6 +207,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
-         status = "FIND_FAST";
+Index: krb5-1.19.3/src/kdc/do_tgs_req.c
+===================================================================
+--- krb5-1.19.3.orig/src/kdc/do_tgs_req.c
++++ krb5-1.19.3/src/kdc/do_tgs_req.c
+@@ -212,6 +212,11 @@ process_tgs_req(krb5_kdc_req *request, k
+         errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
          goto cleanup;
      }
 +    if (sprinc == NULL) {
@@ -43,6 +43,3 @@ index 6d244ffd4..39a504ca1 100644
  
      errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
                              &local_tgt, &local_tgt_storage, &local_tgt_key);
--- 
-2.33.0
-

krb5-1.19.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:10453fee4e3a8f8ce6129059e5c050b8a65dab1c257df68b99b3112eaa0cdf6a
-size 8741053

krb5-1.19.2.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmD5qLoACgkQDLoIV1+D
-ct9NEw//XhDJPE38UzvURT/RsuL3TQZoHGHtRA/seXcKkrX1wFLUjnOUK39RxzkS
-5y0BGOBoByGlqMxcpBlQv3mdtOAkdbgUtb9sT90eUObsG3cqa/0ou3Nm2ta+UNb7
-UC72UC9ZCXzUEl3be2/q/geHHE69e62t4YGcnwZ4koI3b/cZU6xL3N0ox9Gxdi37
-+rUe7i5TZAKvKo+eKhLpC/k1F0HSvLzxcPyRlfpAYb607lvc4MYNvbOZZUk8aNEt
-0OhoSak1mXSdYwt4HHTj2NY1q5d+wviGOYby/Q1Wv7qVZHLFvCCr7Lr7ba0bIWas
-cYl13OgLq2uwA85k9/BzAxIgPVpMpt0aRaoTeiH2fKm8kNA9YfIagyRgX4vNfFWp
-RKXpVu5SFNMgFVAHJu/QID8Lf8YV/PU4H7kdMyFy9gA66nTN4KvdeoRyrHgv2r1c
-c5MhV9bJDDFalC1VLYTJ3iSZFy5Y95wrr59KI2OTQKgQxsylfGXW+OR1hWKua5Y5
-nqF0b/TKiryrdah3aw2Ac78MggC+3RDHQ8yHG4tC0/nJzbf4WnP6lqUJhQIat+lE
-g62Kh+fAUjuYw/8tuxVUFlMMa9cDHV7XGGYQS/JoUq/BaGWheNYrvPXxr4u0oSOa
-kJyOUfZuJvgiDakbEAuVNm8Gr6lKDH/omn8dl9r/CHdyEANqvi0=
-=QM0F
------END PGP SIGNATURE-----

krb5-1.19.3.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:56d04863cfddc9d9eb7af17556e043e3537d41c6e545610778676cf551b9dcd0
+size 8741343

krb5-1.19.3.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmIrr24ACgkQDLoIV1+D
+ct+h+A//W9AfniKl4SAZ5OWmn+B/1ge7U7KWxVdn8yJtUTfKzBujPe6LLCMpsn/F
++ddq2Powml+lEQHhAJBgGogPJ6Fs+/Y7jmhskz/d2dU1lTWEAoTGxz6fGZnx4kei
+yciPWYnQrvPLdgh2I3rQyt5VDe6pEo5xvFhzEDpQPkXXQGAXVVokcSz5tvoRI8xF
+V/oKIXJ7iSpc/prcrirdC+vKe04E3PmX1Cjd5dAH97gzYGJMsouB3/8/PxzLBb3y
+be4XeLLJA9FwjBeEx68nBal2o3p1Xkq24v3XMI62xqBZDrWtwJ5NkR1GZje2X00H
+SAd1xI6ye+f+6mxje/hen7cqfN53/7l2j3fayoT+35F6OzmiXSf9TKO6P1HElA0t
+qXOm5oMi9GK1mVRwek15pxCcLEFWrUGNGnILFrep4exxIAOPjgyVN1DolK6c3V3t
+yCsRGwhZaN6rNuaHEibVpL4JG+3fEy8Ovb02pqqPP6LXc9/1b+EIAufWTpJtbQSy
+3JvSmzFYHVJjaS+n0vsbMJtDsf+uuYy77liIh0LblId1xpU5pdLd7jy8qZ6jEt/J
+8PX3C5oc4iKq8Z7epd8T3itD3ECPG5g+A7GU8kApAfgpY/GP1rvg1RSaalWRQP+x
+dKY7eMHSHHhBjuC7EdzNIJWo8v311KWogcHkVfzmbx+6HT/iAgM=
+=D86e
+-----END PGP SIGNATURE-----

krb5-mini.spec

@@ -24,7 +24,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           krb5-mini
-Version:        1.19.2
+Version:        1.19.3
 Release:        0
 Summary:        MIT Kerberos5 implementation and libraries with minimal dependencies
 License:        MIT

krb5.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Sat Apr  9 11:31:42 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.19.3 (bsc#1189929, CVE-2021-37750):
+  * Fix a denial of service attack against the KDC [CVE-2021-37750].
+  * Fix KDC null deref on TGS inner body null server
+  * Fix conformance issue in GSSAPI tests
+
 -------------------------------------------------------------------
 Thu Jan 27 22:21:52 UTC 2022 - David Mulder <dmulder@suse.com>
 

krb5.spec

@@ -21,7 +21,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           krb5
-Version:        1.19.2
+Version:        1.19.3
 Release:        0
 Summary:        MIT Kerberos5 implementation
 License:        MIT