From ff3493d16baecfd60979a832cfc261a48bd3d0a35dde1f70ef28a83a0a48a40a Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Tue, 19 Apr 2022 12:10:56 +0000 Subject: [PATCH] Accepting request 967999 from home:dirkmueller:Factory - update to 1.19.3 (bsc#1189929, CVE-2021-37750): * Fix a denial of service attack against the KDC [CVE-2021-37750]. * Fix KDC null deref on TGS inner body null server * Fix conformance issue in GSSAPI tests OBS-URL: https://build.opensuse.org/request/show/967999 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=257 --- 0002-krb5-1.9-manpaths.patch | 13 +- 0003-Adjust-build-configuration.patch | 35 ++- 0005-krb5-1.6.3-ktutil-manpage.patch | 13 +- 0007-SELinux-integration.patch | 241 +++++++++--------- ...-deref-on-TGS-inner-body-null-server.patch | 15 +- krb5-1.19.2.tar.gz | 3 - krb5-1.19.2.tar.gz.asc | 16 -- krb5-1.19.3.tar.gz | 3 + krb5-1.19.3.tar.gz.asc | 16 ++ krb5-mini.spec | 2 +- krb5.changes | 8 + krb5.spec | 2 +- 12 files changed, 179 insertions(+), 188 deletions(-) delete mode 100644 krb5-1.19.2.tar.gz delete mode 100644 krb5-1.19.2.tar.gz.asc create mode 100644 krb5-1.19.3.tar.gz create mode 100644 krb5-1.19.3.tar.gz.asc diff --git a/0002-krb5-1.9-manpaths.patch b/0002-krb5-1.9-manpaths.patch index 75652a2..add8196 100644 --- a/0002-krb5-1.9-manpaths.patch +++ b/0002-krb5-1.9-manpaths.patch @@ -13,11 +13,11 @@ configure scripts should be rebuilt. Originally RT#6525 src/man/kpropd.man | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/src/man/kpropd.man b/src/man/kpropd.man -index 66de36813..9988dcdf3 100644 ---- a/src/man/kpropd.man -+++ b/src/man/kpropd.man -@@ -67,7 +67,7 @@ the \fB/etc/inetd.conf\fP file which looks like this: +Index: krb5-1.19.3/src/man/kpropd.man +=================================================================== +--- krb5-1.19.3.orig/src/man/kpropd.man ++++ krb5-1.19.3/src/man/kpropd.man +@@ -68,7 +68,7 @@ the \fB/etc/inetd.conf\fP file which loo .sp .nf .ft C @@ -26,6 +26,3 @@ index 66de36813..9988dcdf3 100644 .ft P .fi .UNINDENT --- -2.25.0 - diff --git a/0003-Adjust-build-configuration.patch b/0003-Adjust-build-configuration.patch index 11dfe46..e78a59b 100644 --- a/0003-Adjust-build-configuration.patch +++ b/0003-Adjust-build-configuration.patch @@ -16,11 +16,11 @@ Last-updated: krb5-1.15-beta1 src/config/shlib.conf | 5 +++-- 3 files changed, 11 insertions(+), 3 deletions(-) -diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in -index f6184da3f..0edf6a1a5 100755 ---- a/src/build-tools/krb5-config.in -+++ b/src/build-tools/krb5-config.in -@@ -225,6 +225,13 @@ if test -n "$do_libs"; then +Index: krb5-1.19.3/src/build-tools/krb5-config.in +=================================================================== +--- krb5-1.19.3.orig/src/build-tools/krb5-config.in ++++ krb5-1.19.3/src/build-tools/krb5-config.in +@@ -224,6 +224,13 @@ if test -n "$do_libs"; then -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ -e 's#\$(CFLAGS)##'` @@ -34,11 +34,11 @@ index f6184da3f..0edf6a1a5 100755 if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 -diff --git a/src/config/pre.in b/src/config/pre.in -index ce87e21ca..164bf8301 100644 ---- a/src/config/pre.in -+++ b/src/config/pre.in -@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP) +Index: krb5-1.19.3/src/config/pre.in +=================================================================== +--- krb5-1.19.3.orig/src/config/pre.in ++++ krb5-1.19.3/src/config/pre.in +@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST INSTALL_SCRIPT=@INSTALL_PROGRAM@ INSTALL_DATA=@INSTALL_DATA@ INSTALL_SHLIB=@INSTALL_SHLIB@ @@ -47,11 +47,11 @@ index ce87e21ca..164bf8301 100644 ## This is needed because autoconf will sometimes define @exec_prefix@ to be ## ${prefix}. prefix=@prefix@ -diff --git a/src/config/shlib.conf b/src/config/shlib.conf -index 3e4af6c02..2b20c3fda 100644 ---- a/src/config/shlib.conf -+++ b/src/config/shlib.conf -@@ -423,7 +423,7 @@ mips-*-netbsd*) +Index: krb5-1.19.3/src/config/shlib.conf +=================================================================== +--- krb5-1.19.3.orig/src/config/shlib.conf ++++ krb5-1.19.3/src/config/shlib.conf +@@ -424,7 +424,7 @@ mips-*-netbsd*) # Linux ld doesn't default to stuffing the SONAME field... # Use objdump -x to examine the fields of the library # UNDEF_CHECK is suppressed by --enable-asan @@ -60,7 +60,7 @@ index 3e4af6c02..2b20c3fda 100644 UNDEF_CHECK='-Wl,--no-undefined' # $(EXPORT_CHECK) runs export-check.pl when in maintainer mode. LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)' -@@ -435,7 +435,8 @@ mips-*-netbsd*) +@@ -436,7 +436,8 @@ mips-*-netbsd*) SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' PROFFLAGS=-pg PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' @@ -70,6 +70,3 @@ index 3e4af6c02..2b20c3fda 100644 CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' --- -2.25.0 - diff --git a/0005-krb5-1.6.3-ktutil-manpage.patch b/0005-krb5-1.6.3-ktutil-manpage.patch index 65d839f..bfca999 100644 --- a/0005-krb5-1.6.3-ktutil-manpage.patch +++ b/0005-krb5-1.6.3-ktutil-manpage.patch @@ -8,11 +8,11 @@ Import krb5-1.6.3-ktutil-manpage.dif src/man/ktutil.man | 12 ++++++++++++ 1 file changed, 12 insertions(+) -diff --git a/src/man/ktutil.man b/src/man/ktutil.man -index 233329468..915b41c6e 100644 ---- a/src/man/ktutil.man -+++ b/src/man/ktutil.man -@@ -151,6 +151,18 @@ ktutil: +Index: krb5-1.19.3/src/man/ktutil.man +=================================================================== +--- krb5-1.19.3.orig/src/man/ktutil.man ++++ krb5-1.19.3/src/man/ktutil.man +@@ -153,6 +153,18 @@ ktutil: .sp See kerberos(7) for a description of Kerberos environment variables. @@ -31,6 +31,3 @@ index 233329468..915b41c6e 100644 .SH SEE ALSO .sp kadmin(1), kdb5_util(8), kerberos(7) --- -2.25.0 - diff --git a/0007-SELinux-integration.patch b/0007-SELinux-integration.patch index e85e31f..798e201 100644 --- a/0007-SELinux-integration.patch +++ b/0007-SELinux-integration.patch @@ -66,11 +66,11 @@ Last-updated: krb5-1.18-beta1 create mode 100644 src/include/k5-label.h create mode 100644 src/util/support/selinux.c -diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 53f8b6fb7..b0d1a5337 100644 ---- a/src/aclocal.m4 -+++ b/src/aclocal.m4 -@@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag) +Index: krb5-1.19.3/src/aclocal.m4 +=================================================================== +--- krb5-1.19.3.orig/src/aclocal.m4 ++++ krb5-1.19.3/src/aclocal.m4 +@@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag) dnl KRB5_AC_PRAGMA_WEAK_REF WITH_LDAP @@ -78,7 +78,7 @@ index 53f8b6fb7..b0d1a5337 100644 KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1743,3 +1744,51 @@ AC_SUBST(PAM_LIBS) +@@ -1745,3 +1746,51 @@ AC_SUBST(PAM_LIBS) AC_SUBST(PAM_MAN) AC_SUBST(NON_PAM_MAN) ])dnl @@ -130,10 +130,10 @@ index 53f8b6fb7..b0d1a5337 100644 +LIBS="$old_LIBS" +AC_SUBST(SELINUX_LIBS) +])dnl -diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in -index 0edf6a1a5..1891dea99 100755 ---- a/src/build-tools/krb5-config.in -+++ b/src/build-tools/krb5-config.in +Index: krb5-1.19.3/src/build-tools/krb5-config.in +=================================================================== +--- krb5-1.19.3.orig/src/build-tools/krb5-config.in ++++ krb5-1.19.3/src/build-tools/krb5-config.in @@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' DEFCCNAME='@DEFCCNAME@' DEFKTNAME='@DEFKTNAME@' @@ -142,7 +142,7 @@ index 0edf6a1a5..1891dea99 100755 LIBS='@LIBS@' GEN_LIB=@GEN_LIB@ -@@ -262,7 +263,7 @@ if test -n "$do_libs"; then +@@ -261,7 +262,7 @@ if test -n "$do_libs"; then fi # If we ever support a flag to generate output suitable for static @@ -151,10 +151,10 @@ index 0edf6a1a5..1891dea99 100755 # here. echo $lib_flags -diff --git a/src/config/pre.in b/src/config/pre.in -index 164bf8301..a8540ae2a 100644 ---- a/src/config/pre.in -+++ b/src/config/pre.in +Index: krb5-1.19.3/src/config/pre.in +=================================================================== +--- krb5-1.19.3.orig/src/config/pre.in ++++ krb5-1.19.3/src/config/pre.in @@ -177,6 +177,7 @@ LD = $(PURE) @LD@ KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include LDFLAGS = @LDFLAGS@ @@ -163,7 +163,7 @@ index 164bf8301..a8540ae2a 100644 INSTALL=@INSTALL@ INSTALL_STRIP= -@@ -402,7 +403,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) +@@ -403,7 +404,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) # HESIOD_LIBS is -lhesiod... HESIOD_LIBS = @HESIOD_LIBS@ @@ -172,11 +172,11 @@ index 164bf8301..a8540ae2a 100644 KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on macOS! -diff --git a/src/configure.ac b/src/configure.ac -index d1f576124..440a22bd9 100644 ---- a/src/configure.ac -+++ b/src/configure.ac -@@ -1392,6 +1392,8 @@ AC_PATH_PROG(GROFF, groff) +Index: krb5-1.19.3/src/configure.ac +=================================================================== +--- krb5-1.19.3.orig/src/configure.ac ++++ krb5-1.19.3/src/configure.ac +@@ -1391,6 +1391,8 @@ AC_PATH_PROG(GROFF, groff) KRB5_WITH_PAM @@ -185,10 +185,10 @@ index d1f576124..440a22bd9 100644 # Make localedir work in autoconf 2.5x. if test "${localedir+set}" != set; then localedir='$(datadir)/locale' -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 9616b24bf..0d9af3d95 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h +Index: krb5-1.19.3/src/include/k5-int.h +=================================================================== +--- krb5-1.19.3.orig/src/include/k5-int.h ++++ krb5-1.19.3/src/include/k5-int.h @@ -128,6 +128,7 @@ typedef unsigned char u_char; @@ -197,11 +197,10 @@ index 9616b24bf..0d9af3d95 100644 #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */ #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */ -diff --git a/src/include/k5-label.h b/src/include/k5-label.h -new file mode 100644 -index 000000000..dfaaa847c +Index: krb5-1.19.3/src/include/k5-label.h +=================================================================== --- /dev/null -+++ b/src/include/k5-label.h ++++ krb5-1.19.3/src/include/k5-label.h @@ -0,0 +1,32 @@ +#ifndef _KRB5_LABEL_H +#define _KRB5_LABEL_H @@ -235,10 +234,10 @@ index 000000000..dfaaa847c +#define THREEPARAMOPEN(x,y,z) open(x,y,z) +#endif +#endif -diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index d48685357..d1f5661bf 100644 ---- a/src/include/krb5/krb5.hin -+++ b/src/include/krb5/krb5.hin +Index: krb5-1.19.3/src/include/krb5/krb5.hin +=================================================================== +--- krb5-1.19.3.orig/src/include/krb5/krb5.hin ++++ krb5-1.19.3/src/include/krb5/krb5.hin @@ -87,6 +87,12 @@ #define THREEPARAMOPEN(x,y,z) open(x,y,z) #endif @@ -252,11 +251,11 @@ index d48685357..d1f5661bf 100644 #define KRB5_OLD_CRYPTO #include -diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c -index 301e3476d..19f2cc230 100644 ---- a/src/kadmin/dbutil/dump.c -+++ b/src/kadmin/dbutil/dump.c -@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) +Index: krb5-1.19.3/src/kadmin/dbutil/dump.c +=================================================================== +--- krb5-1.19.3.orig/src/kadmin/dbutil/dump.c ++++ krb5-1.19.3/src/kadmin/dbutil/dump.c +@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname { int fd = -1; FILE *f; @@ -278,7 +277,7 @@ index 301e3476d..19f2cc230 100644 if (fd == -1) goto error; -@@ -197,7 +206,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd_out) +@@ -197,7 +206,7 @@ prep_ok_file(krb5_context context, char goto cleanup; } @@ -287,10 +286,10 @@ index 301e3476d..19f2cc230 100644 if (fd == -1) { com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); goto cleanup; -diff --git a/src/kdc/main.c b/src/kdc/main.c -index fdcd694d7..1ede4bf2f 100644 ---- a/src/kdc/main.c -+++ b/src/kdc/main.c +Index: krb5-1.19.3/src/kdc/main.c +=================================================================== +--- krb5-1.19.3.orig/src/kdc/main.c ++++ krb5-1.19.3/src/kdc/main.c @@ -872,7 +872,7 @@ write_pid_file(const char *path) FILE *file; unsigned long pid; @@ -300,10 +299,10 @@ index fdcd694d7..1ede4bf2f 100644 if (file == NULL) return errno; pid = (unsigned long) getpid(); -diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c -index 5622d56e1..356e3e0e6 100644 ---- a/src/kprop/kpropd.c -+++ b/src/kprop/kpropd.c +Index: krb5-1.19.3/src/kprop/kpropd.c +=================================================================== +--- krb5-1.19.3.orig/src/kprop/kpropd.c ++++ krb5-1.19.3/src/kprop/kpropd.c @@ -487,6 +487,9 @@ doit(int fd) krb5_enctype etype; int database_fd; @@ -330,11 +329,11 @@ index 5622d56e1..356e3e0e6 100644 retval = krb5_lock_file(kpropd_context, lock_fd, KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); if (retval) { -diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c -index c6885edf2..9aec3c05e 100644 ---- a/src/lib/kadm5/logger.c -+++ b/src/lib/kadm5/logger.c -@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do +Index: krb5-1.19.3/src/lib/kadm5/logger.c +=================================================================== +--- krb5-1.19.3.orig/src/lib/kadm5/logger.c ++++ krb5-1.19.3/src/lib/kadm5/logger.c +@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, ch */ append = (cp[4] == ':') ? O_APPEND : 0; if (append || cp[4] == '=') { @@ -352,11 +351,11 @@ index c6885edf2..9aec3c05e 100644 if (f) { set_cloexec_file(f); log_control.log_entries[lindex].lfu_filep = f; -diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c -index 2659a2501..e9b95fce5 100644 ---- a/src/lib/kdb/kdb_log.c -+++ b/src/lib/kdb/kdb_log.c -@@ -480,7 +480,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) +Index: krb5-1.19.3/src/lib/kdb/kdb_log.c +=================================================================== +--- krb5-1.19.3.orig/src/lib/kdb/kdb_log.c ++++ krb5-1.19.3/src/lib/kdb/kdb_log.c +@@ -480,7 +480,7 @@ ulog_map(krb5_context context, const cha return ENOMEM; if (stat(logname, &st) == -1) { @@ -365,11 +364,11 @@ index 2659a2501..e9b95fce5 100644 if (log_ctx->ulogfd == -1) { retval = errno; goto cleanup; -diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c -index 7b100a0ec..5683a0433 100644 ---- a/src/lib/krb5/ccache/cc_dir.c -+++ b/src/lib/krb5/ccache/cc_dir.c -@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents) +Index: krb5-1.19.3/src/lib/krb5/ccache/cc_dir.c +=================================================================== +--- krb5-1.19.3.orig/src/lib/krb5/ccache/cc_dir.c ++++ krb5-1.19.3/src/lib/krb5/ccache/cc_dir.c +@@ -183,10 +183,19 @@ write_primary_file(const char *primary_p char *newpath = NULL; FILE *fp = NULL; int fd = -1, status; @@ -415,11 +414,11 @@ index 7b100a0ec..5683a0433 100644 k5_setmsg(context, KRB5_FCC_NOFILE, _("Credential cache directory %s does not exist"), dirname); -diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c -index 021c94398..aaf573439 100644 ---- a/src/lib/krb5/keytab/kt_file.c -+++ b/src/lib/krb5/keytab/kt_file.c -@@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) +Index: krb5-1.19.3/src/lib/krb5/keytab/kt_file.c +=================================================================== +--- krb5-1.19.3.orig/src/lib/krb5/keytab/kt_file.c ++++ krb5-1.19.3/src/lib/krb5/keytab/kt_file.c +@@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context KTCHECKLOCK(id); errno = 0; @@ -436,11 +435,11 @@ index 021c94398..aaf573439 100644 if (!KTFILEP(id)) goto report_errno; writevno = 1; -diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c -index 2a03ae980..85dbfeb47 100644 ---- a/src/lib/krb5/os/trace.c -+++ b/src/lib/krb5/os/trace.c -@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) +Index: krb5-1.19.3/src/lib/krb5/os/trace.c +=================================================================== +--- krb5-1.19.3.orig/src/lib/krb5/os/trace.c ++++ krb5-1.19.3/src/lib/krb5/os/trace.c +@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context con fd = malloc(sizeof(*fd)); if (fd == NULL) return ENOMEM; @@ -449,11 +448,11 @@ index 2a03ae980..85dbfeb47 100644 if (*fd == -1) { free(fd); return errno; -diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c -index 7db30a33b..2b9d01921 100644 ---- a/src/plugins/kdb/db2/adb_openclose.c -+++ b/src/plugins/kdb/db2/adb_openclose.c -@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename, +Index: krb5-1.19.3/src/plugins/kdb/db2/adb_openclose.c +=================================================================== +--- krb5-1.19.3.orig/src/plugins/kdb/db2/adb_openclose.c ++++ krb5-1.19.3/src/plugins/kdb/db2/adb_openclose.c +@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char * needs be open read/write so that write locking can work with * POSIX systems */ @@ -462,11 +461,11 @@ index 7db30a33b..2b9d01921 100644 /* * maybe someone took away write permission so we could only * get shared locks? -diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c -index 5106a5c99..e481e8121 100644 ---- a/src/plugins/kdb/db2/kdb_db2.c -+++ b/src/plugins/kdb/db2/kdb_db2.c -@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc) +Index: krb5-1.19.3/src/plugins/kdb/db2/kdb_db2.c +=================================================================== +--- krb5-1.19.3.orig/src/plugins/kdb/db2/kdb_db2.c ++++ krb5-1.19.3/src/plugins/kdb/db2/kdb_db2.c +@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5 if (retval) return retval; @@ -477,11 +476,11 @@ index 5106a5c99..e481e8121 100644 if (dbc->db_lf_file < 0) { retval = errno; goto cleanup; -diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c -index 2977b17f3..d5809a5a9 100644 ---- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c -+++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c -@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95"; +Index: krb5-1.19.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c +=================================================================== +--- krb5-1.19.3.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c ++++ krb5-1.19.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c +@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8. #include #include @@ -489,7 +488,7 @@ index 2977b17f3..d5809a5a9 100644 #include "db-int.h" #include "btree.h" -@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags) +@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, goto einval; } @@ -498,11 +497,11 @@ index 2977b17f3..d5809a5a9 100644 goto err; } else { -diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c -index 862dbb164..686a960c9 100644 ---- a/src/plugins/kdb/db2/libdb2/hash/hash.c -+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c -@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95"; +Index: krb5-1.19.3/src/plugins/kdb/db2/libdb2/hash/hash.c +=================================================================== +--- krb5-1.19.3.orig/src/plugins/kdb/db2/libdb2/hash/hash.c ++++ krb5-1.19.3/src/plugins/kdb/db2/libdb2/hash/hash.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 #include #endif @@ -510,7 +509,7 @@ index 862dbb164..686a960c9 100644 #include "db-int.h" #include "hash.h" #include "page.h" -@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags) +@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info new_table = 1; } if (file) { @@ -519,11 +518,11 @@ index 862dbb164..686a960c9 100644 RETURN_ERROR(errno, error0); (void)fcntl(hashp->fp, F_SETFD, 1); } -diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c -index d8b26e701..b0daa7c02 100644 ---- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c -+++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c -@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94"; +Index: krb5-1.19.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c +=================================================================== +--- krb5-1.19.3.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c ++++ krb5-1.19.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8 #include #include @@ -531,7 +530,7 @@ index d8b26e701..b0daa7c02 100644 #include "db-int.h" #include "recno.h" -@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags) +@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, int rfd = -1, sverrno; /* Open the user's file -- if this fails, we're done. */ @@ -541,11 +540,11 @@ index d8b26e701..b0daa7c02 100644 return (NULL); if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { -diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -index b92cb58c7..0a95101ad 100644 ---- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -@@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv) +Index: krb5-1.19.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +=================================================================== +--- krb5-1.19.3.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ++++ krb5-1.19.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +@@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int arg /* set password in the file */ old_mode = umask(0177); @@ -554,7 +553,7 @@ index b92cb58c7..0a95101ad 100644 if (pfile == NULL) { com_err(me, errno, _("Failed to open file %s: %s"), file_name, strerror (errno)); -@@ -231,6 +231,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv) +@@ -231,6 +231,9 @@ kdb5_ldap_stash_service_password(int arg * Delete the existing entry and add the new entry */ FILE *newfile; @@ -564,7 +563,7 @@ index b92cb58c7..0a95101ad 100644 mode_t omask; -@@ -242,7 +245,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv) +@@ -242,7 +245,13 @@ kdb5_ldap_stash_service_password(int arg } omask = umask(077); @@ -578,10 +577,10 @@ index b92cb58c7..0a95101ad 100644 umask (omask); if (newfile == NULL) { com_err(me, errno, _("Error creating file %s"), tmp_file); -diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c -index aa951df05..79f9500f6 100644 ---- a/src/util/profile/prof_file.c -+++ b/src/util/profile/prof_file.c +Index: krb5-1.19.3/src/util/profile/prof_file.c +=================================================================== +--- krb5-1.19.3.orig/src/util/profile/prof_file.c ++++ krb5-1.19.3/src/util/profile/prof_file.c @@ -33,6 +33,7 @@ #endif @@ -590,7 +589,7 @@ index aa951df05..79f9500f6 100644 struct global_shared_profile_data { /* This is the head of the global list of shared trees */ -@@ -391,7 +392,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile, +@@ -391,7 +392,7 @@ static errcode_t write_data_to_file(prf_ errno = 0; @@ -599,10 +598,10 @@ index aa951df05..79f9500f6 100644 if (!f) { retval = errno; if (retval == 0) -diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in -index 86d5a950a..1052d53a1 100644 ---- a/src/util/support/Makefile.in -+++ b/src/util/support/Makefile.in +Index: krb5-1.19.3/src/util/support/Makefile.in +=================================================================== +--- krb5-1.19.3.orig/src/util/support/Makefile.in ++++ krb5-1.19.3/src/util/support/Makefile.in @@ -74,6 +74,7 @@ IPC_SYMS= \ STLIBOBJS= \ @@ -620,11 +619,10 @@ index 86d5a950a..1052d53a1 100644 DEPLIBS= -diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c -new file mode 100644 -index 000000000..6d41f3244 +Index: krb5-1.19.3/src/util/support/selinux.c +=================================================================== --- /dev/null -+++ b/src/util/support/selinux.c ++++ krb5-1.19.3/src/util/support/selinux.c @@ -0,0 +1,406 @@ +/* + * Copyright 2007,2008,2009,2011,2012,2013,2016 Red Hat, Inc. All Rights Reserved. @@ -1032,6 +1030,3 @@ index 000000000..6d41f3244 +} + +#endif /* USE_SELINUX */ --- -2.25.0 - diff --git a/0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch b/0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch index 818d556..25a168e 100644 --- a/0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch +++ b/0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch @@ -27,12 +27,12 @@ target_version: 1.18-next src/kdc/do_tgs_req.c | 5 +++++ 1 file changed, 5 insertions(+) -diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c -index 6d244ffd4..39a504ca1 100644 ---- a/src/kdc/do_tgs_req.c -+++ b/src/kdc/do_tgs_req.c -@@ -207,6 +207,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, - status = "FIND_FAST"; +Index: krb5-1.19.3/src/kdc/do_tgs_req.c +=================================================================== +--- krb5-1.19.3.orig/src/kdc/do_tgs_req.c ++++ krb5-1.19.3/src/kdc/do_tgs_req.c +@@ -212,6 +212,11 @@ process_tgs_req(krb5_kdc_req *request, k + errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto cleanup; } + if (sprinc == NULL) { @@ -43,6 +43,3 @@ index 6d244ffd4..39a504ca1 100644 errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server, &local_tgt, &local_tgt_storage, &local_tgt_key); --- -2.33.0 - diff --git a/krb5-1.19.2.tar.gz b/krb5-1.19.2.tar.gz deleted file mode 100644 index 2957518..0000000 --- a/krb5-1.19.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:10453fee4e3a8f8ce6129059e5c050b8a65dab1c257df68b99b3112eaa0cdf6a -size 8741053 diff --git a/krb5-1.19.2.tar.gz.asc b/krb5-1.19.2.tar.gz.asc deleted file mode 100644 index 0c38c44..0000000 --- a/krb5-1.19.2.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmD5qLoACgkQDLoIV1+D -ct9NEw//XhDJPE38UzvURT/RsuL3TQZoHGHtRA/seXcKkrX1wFLUjnOUK39RxzkS -5y0BGOBoByGlqMxcpBlQv3mdtOAkdbgUtb9sT90eUObsG3cqa/0ou3Nm2ta+UNb7 -UC72UC9ZCXzUEl3be2/q/geHHE69e62t4YGcnwZ4koI3b/cZU6xL3N0ox9Gxdi37 -+rUe7i5TZAKvKo+eKhLpC/k1F0HSvLzxcPyRlfpAYb607lvc4MYNvbOZZUk8aNEt -0OhoSak1mXSdYwt4HHTj2NY1q5d+wviGOYby/Q1Wv7qVZHLFvCCr7Lr7ba0bIWas -cYl13OgLq2uwA85k9/BzAxIgPVpMpt0aRaoTeiH2fKm8kNA9YfIagyRgX4vNfFWp -RKXpVu5SFNMgFVAHJu/QID8Lf8YV/PU4H7kdMyFy9gA66nTN4KvdeoRyrHgv2r1c -c5MhV9bJDDFalC1VLYTJ3iSZFy5Y95wrr59KI2OTQKgQxsylfGXW+OR1hWKua5Y5 -nqF0b/TKiryrdah3aw2Ac78MggC+3RDHQ8yHG4tC0/nJzbf4WnP6lqUJhQIat+lE -g62Kh+fAUjuYw/8tuxVUFlMMa9cDHV7XGGYQS/JoUq/BaGWheNYrvPXxr4u0oSOa -kJyOUfZuJvgiDakbEAuVNm8Gr6lKDH/omn8dl9r/CHdyEANqvi0= -=QM0F ------END PGP SIGNATURE----- diff --git a/krb5-1.19.3.tar.gz b/krb5-1.19.3.tar.gz new file mode 100644 index 0000000..fc23db2 --- /dev/null +++ b/krb5-1.19.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:56d04863cfddc9d9eb7af17556e043e3537d41c6e545610778676cf551b9dcd0 +size 8741343 diff --git a/krb5-1.19.3.tar.gz.asc b/krb5-1.19.3.tar.gz.asc new file mode 100644 index 0000000..b40bfcb --- /dev/null +++ b/krb5-1.19.3.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmIrr24ACgkQDLoIV1+D +ct+h+A//W9AfniKl4SAZ5OWmn+B/1ge7U7KWxVdn8yJtUTfKzBujPe6LLCMpsn/F ++ddq2Powml+lEQHhAJBgGogPJ6Fs+/Y7jmhskz/d2dU1lTWEAoTGxz6fGZnx4kei +yciPWYnQrvPLdgh2I3rQyt5VDe6pEo5xvFhzEDpQPkXXQGAXVVokcSz5tvoRI8xF +V/oKIXJ7iSpc/prcrirdC+vKe04E3PmX1Cjd5dAH97gzYGJMsouB3/8/PxzLBb3y +be4XeLLJA9FwjBeEx68nBal2o3p1Xkq24v3XMI62xqBZDrWtwJ5NkR1GZje2X00H +SAd1xI6ye+f+6mxje/hen7cqfN53/7l2j3fayoT+35F6OzmiXSf9TKO6P1HElA0t +qXOm5oMi9GK1mVRwek15pxCcLEFWrUGNGnILFrep4exxIAOPjgyVN1DolK6c3V3t +yCsRGwhZaN6rNuaHEibVpL4JG+3fEy8Ovb02pqqPP6LXc9/1b+EIAufWTpJtbQSy +3JvSmzFYHVJjaS+n0vsbMJtDsf+uuYy77liIh0LblId1xpU5pdLd7jy8qZ6jEt/J +8PX3C5oc4iKq8Z7epd8T3itD3ECPG5g+A7GU8kApAfgpY/GP1rvg1RSaalWRQP+x +dKY7eMHSHHhBjuC7EdzNIJWo8v311KWogcHkVfzmbx+6HT/iAgM= +=D86e +-----END PGP SIGNATURE----- diff --git a/krb5-mini.spec b/krb5-mini.spec index 6cbd251..409c8c8 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -24,7 +24,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: krb5-mini -Version: 1.19.2 +Version: 1.19.3 Release: 0 Summary: MIT Kerberos5 implementation and libraries with minimal dependencies License: MIT diff --git a/krb5.changes b/krb5.changes index dbc3478..6e56f61 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Sat Apr 9 11:31:42 UTC 2022 - Dirk Müller + +- update to 1.19.3 (bsc#1189929, CVE-2021-37750): + * Fix a denial of service attack against the KDC [CVE-2021-37750]. + * Fix KDC null deref on TGS inner body null server + * Fix conformance issue in GSSAPI tests + ------------------------------------------------------------------- Thu Jan 27 22:21:52 UTC 2022 - David Mulder diff --git a/krb5.spec b/krb5.spec index 40e451a..ad2c75d 100644 --- a/krb5.spec +++ b/krb5.spec @@ -21,7 +21,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: krb5 -Version: 1.19.2 +Version: 1.19.3 Release: 0 Summary: MIT Kerberos5 implementation License: MIT