Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
diff -uNr heimdal-7.8.0/configure.ac heimdal-7.8.0-patched/configure.ac
|
|
|
|
|
--- heimdal-7.8.0/configure.ac 2022-11-15 19:56:25.000000000 +0100
|
|
|
|
|
+++ heimdal-7.8.0-patched/configure.ac 2022-12-20 16:57:00.506113493 +0100
|
2015-09-05 13:04:36 +02:00
|
|
|
@@ -3,7 +3,6 @@
|
|
|
|
|
AC_PREREQ(2.62)
|
|
|
|
|
test -z "$CFLAGS" && CFLAGS="-g"
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
AC_INIT([Heimdal],[7.8.0],[https://github.com/heimdal/heimdal/issues])
|
2015-09-05 13:04:36 +02:00
|
|
|
-AC_CONFIG_SRCDIR([kuser/kinit.c])
|
|
|
|
|
AC_CONFIG_HEADERS(include/config.h)
|
|
|
|
|
AC_CONFIG_MACRO_DIR([cf])
|
|
|
|
|
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
@@ -594,7 +593,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
AM_CONDITIONAL(HEIMDAL_DOCUMENTATION, test "$enable_heimdal_documentation" != no)
|
|
|
|
|
|
|
|
|
|
AC_CONFIG_FILES(Makefile \
|
|
|
|
|
- etc/Makefile \
|
|
|
|
|
include/Makefile \
|
|
|
|
|
include/gssapi/Makefile \
|
|
|
|
|
include/hcrypto/Makefile \
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
@@ -619,35 +617,8 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
lib/sqlite/Makefile \
|
|
|
|
|
lib/vers/Makefile \
|
|
|
|
|
lib/wind/Makefile \
|
|
|
|
|
- po/Makefile \
|
|
|
|
|
- kuser/Makefile \
|
|
|
|
|
- kpasswd/Makefile \
|
|
|
|
|
- kadmin/Makefile \
|
|
|
|
|
- admin/Makefile \
|
|
|
|
|
- kcm/Makefile \
|
|
|
|
|
kdc/Makefile \
|
|
|
|
|
- appl/Makefile \
|
|
|
|
|
- appl/afsutil/Makefile \
|
|
|
|
|
- appl/dbutils/Makefile \
|
|
|
|
|
- appl/gssmask/Makefile \
|
|
|
|
|
- appl/otp/Makefile \
|
|
|
|
|
- appl/su/Makefile \
|
|
|
|
|
- appl/test/Makefile \
|
|
|
|
|
- appl/kf/Makefile \
|
|
|
|
|
- appl/dceutils/Makefile \
|
|
|
|
|
- tests/Makefile \
|
|
|
|
|
- tests/bin/Makefile \
|
|
|
|
|
- tests/can/Makefile \
|
|
|
|
|
- tests/db/Makefile \
|
|
|
|
|
- tests/kdc/Makefile \
|
|
|
|
|
- tests/ldap/Makefile \
|
|
|
|
|
- tests/gss/Makefile \
|
|
|
|
|
- tests/java/Makefile \
|
|
|
|
|
- tests/plugin/Makefile \
|
|
|
|
|
- packages/Makefile \
|
|
|
|
|
- packages/mac/Makefile \
|
|
|
|
|
doc/Makefile \
|
|
|
|
|
- tools/Makefile \
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
AC_OUTPUT
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
diff -uNr heimdal-7.8.0/doc/Makefile.am heimdal-7.8.0-patched/doc/Makefile.am
|
|
|
|
|
--- heimdal-7.8.0/doc/Makefile.am 2022-09-16 00:59:25.000000000 +0200
|
|
|
|
|
+++ heimdal-7.8.0-patched/doc/Makefile.am 2022-12-20 17:02:32.781246824 +0100
|
2015-09-05 13:04:36 +02:00
|
|
|
@@ -10,50 +10,6 @@
|
|
|
|
|
|
|
|
|
|
info_TEXINFOS = heimdal.texi hx509.texi
|
|
|
|
|
|
|
|
|
|
-dxy_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
|
|
|
|
|
- -e 's,[@]objdir[@],.,g' \
|
|
|
|
|
- -e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g'
|
|
|
|
|
-
|
|
|
|
|
-hcrypto.dxy: hcrypto.din Makefile
|
|
|
|
|
- $(dxy_subst) < $(srcdir)/hcrypto.din > hcrypto.dxy.tmp
|
|
|
|
|
- chmod +x hcrypto.dxy.tmp
|
|
|
|
|
- mv hcrypto.dxy.tmp hcrypto.dxy
|
|
|
|
|
-
|
|
|
|
|
-hdb.dxy: hdb.din Makefile
|
|
|
|
|
- $(dxy_subst) < $(srcdir)/hdb.din > hdb.dxy.tmp
|
|
|
|
|
- chmod +x hdb.dxy.tmp
|
|
|
|
|
- mv hdb.dxy.tmp hdb.dxy
|
|
|
|
|
-
|
|
|
|
|
-base.dxy: base.din Makefile
|
|
|
|
|
- $(dxy_subst) < $(srcdir)/base.din > base.dxy.tmp
|
|
|
|
|
- chmod +x base.dxy.tmp
|
|
|
|
|
- mv base.dxy.tmp base.dxy
|
|
|
|
|
-
|
|
|
|
|
-hx509.dxy: hx509.din Makefile
|
|
|
|
|
- $(dxy_subst) < $(srcdir)/hx509.din > hx509.dxy.tmp
|
|
|
|
|
- chmod +x hx509.dxy.tmp
|
|
|
|
|
- mv hx509.dxy.tmp hx509.dxy
|
|
|
|
|
-
|
|
|
|
|
-gssapi.dxy: gssapi.din Makefile
|
|
|
|
|
- $(dxy_subst) < $(srcdir)/gssapi.din > gssapi.dxy.tmp
|
|
|
|
|
- chmod +x gssapi.dxy.tmp
|
|
|
|
|
- mv gssapi.dxy.tmp gssapi.dxy
|
|
|
|
|
-
|
|
|
|
|
-krb5.dxy: krb5.din Makefile
|
|
|
|
|
- $(dxy_subst) < $(srcdir)/krb5.din > krb5.dxy.tmp
|
|
|
|
|
- chmod +x krb5.dxy.tmp
|
|
|
|
|
- mv krb5.dxy.tmp krb5.dxy
|
|
|
|
|
-
|
|
|
|
|
-ntlm.dxy: ntlm.din Makefile
|
|
|
|
|
- $(dxy_subst) < $(srcdir)/ntlm.din > ntlm.dxy.tmp
|
|
|
|
|
- chmod +x ntlm.dxy.tmp
|
|
|
|
|
- mv ntlm.dxy.tmp ntlm.dxy
|
|
|
|
|
-
|
|
|
|
|
-wind.dxy: wind.din Makefile
|
|
|
|
|
- $(dxy_subst) < $(srcdir)/wind.din > wind.dxy.tmp
|
|
|
|
|
- chmod +x wind.dxy.tmp
|
|
|
|
|
- mv wind.dxy.tmp wind.dxy
|
|
|
|
|
-
|
|
|
|
|
texi_subst = sed -e 's,[@]dbdir[@],$(localstatedir),g' \
|
2017-01-08 00:58:55 +01:00
|
|
|
-e 's,[@]dbtype[@],$(db_type),g' \
|
2015-09-05 13:04:36 +02:00
|
|
|
-e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g'
|
2017-06-15 23:06:08 +02:00
|
|
|
@@ -63,55 +19,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
chmod +x vars.texi.tmp
|
|
|
|
|
mv vars.texi.tmp vars.texi
|
|
|
|
|
|
|
|
|
|
-PROJECTS = base hdb hx509 gssapi krb5 ntlm wind
|
|
|
|
|
-
|
|
|
|
|
-PROJECTS += hcrypto
|
|
|
|
|
-
|
|
|
|
|
-doxyout doxygen: base.dxy hdb.dxy hx509.dxy hcrypto.dxy gssapi.dxy krb5.dxy ntlm.dxy wind.dxy
|
2017-06-15 23:06:08 +02:00
|
|
|
- @test -d $(srcdir)/doxyout && \
|
|
|
|
|
- find $(srcdir)/doxyout -type d ! -perm -200 -exec chmod u+w {} ';' ; \
|
2015-09-05 13:04:36 +02:00
|
|
|
- rm -rf $(srcdir)/doxyout ; \
|
|
|
|
|
- mkdir $(srcdir)/doxyout ; \
|
|
|
|
|
- for a in $(PROJECTS) ; do \
|
|
|
|
|
- echo $$a ; \
|
|
|
|
|
- doxygen $$a.dxy; \
|
2017-01-08 00:58:55 +01:00
|
|
|
- (cd $(srcdir)/doxyout && \
|
|
|
|
|
- find $$a/man -name '_*' -type f -print | \
|
|
|
|
|
- perl -lne unlink && \
|
|
|
|
|
- find $$a/html -name 'dir_*.html' -type f -print | \
|
|
|
|
|
- perl -lne unlink && \
|
|
|
|
|
- find $$a/man -type f > $$a/manpages ) ; \
|
2015-09-05 13:04:36 +02:00
|
|
|
- done
|
|
|
|
|
-
|
|
|
|
|
-install-data-hook: install-doxygen-manpage
|
|
|
|
|
-uninstall-hook: uninstall-doxygen-manpage
|
|
|
|
|
-dist-hook: doxygen
|
|
|
|
|
-
|
|
|
|
|
-install-doxygen-manpage:
|
|
|
|
|
- for a in $(PROJECTS) ; do \
|
|
|
|
|
- f="$(srcdir)/doxyout/$$a/manpages" ; \
|
|
|
|
|
- test -f $$f || continue ; \
|
|
|
|
|
- echo "install $$a manual pages $$(wc -l < $$f)" ; \
|
|
|
|
|
- while read x ; do \
|
|
|
|
|
- section=`echo "$$x" | sed 's/.*\.\([0-9]\)/\1/'` ; \
|
|
|
|
|
- $(mkinstalldirs) "$(DESTDIR)$(mandir)/man$$section" ; \
|
|
|
|
|
- $(INSTALL_DATA) $(srcdir)/doxyout/$$x "$(DESTDIR)$(mandir)/man$$section" ; \
|
|
|
|
|
- done < $$f ; \
|
|
|
|
|
- done ; exit 0
|
|
|
|
|
-
|
|
|
|
|
-uninstall-doxygen-manpage:
|
|
|
|
|
- @for a in $(PROJECTS) ; do \
|
|
|
|
|
- f="$(srcdir)/doxyout/$$a/manpages" ; \
|
|
|
|
|
- test -f $$f || continue ; \
|
|
|
|
|
- echo "removing $$a manual pages" ; \
|
|
|
|
|
- while read x ; do \
|
|
|
|
|
- section=`echo "$$x" | sed 's/.*\.\([0-9]\)/\1/'` ; \
|
|
|
|
|
- base=`basename $$x` ; \
|
|
|
|
|
- rm "$(DESTDIR)$(mandir)/man$$section/$$base" ; \
|
|
|
|
|
- done < $$f ; \
|
|
|
|
|
- done
|
|
|
|
|
-
|
|
|
|
|
-
|
|
|
|
|
heimdal_TEXINFOS = \
|
|
|
|
|
ack.texi \
|
|
|
|
|
apps.texi \
|
2017-06-15 23:06:08 +02:00
|
|
|
@@ -129,35 +36,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
win2k.texi
|
|
|
|
|
|
|
|
|
|
EXTRA_DIST = \
|
|
|
|
|
- NTMakefile \
|
|
|
|
|
- doxyout \
|
|
|
|
|
- footer.html \
|
|
|
|
|
- gssapi.din \
|
|
|
|
|
- hdb.din \
|
|
|
|
|
- hcrypto.din \
|
|
|
|
|
- header.html \
|
|
|
|
|
heimdal.css \
|
|
|
|
|
- base.din \
|
|
|
|
|
- hx509.din \
|
|
|
|
|
- krb5.din \
|
|
|
|
|
- ntlm.din \
|
|
|
|
|
- init-creds \
|
|
|
|
|
- latin1.tex \
|
|
|
|
|
- layman.asc \
|
|
|
|
|
- doxytmpl.dxy \
|
|
|
|
|
- wind.din \
|
2017-01-08 00:58:55 +01:00
|
|
|
- base.hhp \
|
|
|
|
|
heimdal.hhp \
|
|
|
|
|
- hx509.hhp \
|
2015-09-05 13:04:36 +02:00
|
|
|
vars.tin
|
|
|
|
|
-
|
|
|
|
|
-CLEANFILES = \
|
|
|
|
|
- hcrypto.dxy* \
|
|
|
|
|
- base.dxy* \
|
|
|
|
|
- hx509.dxy* \
|
|
|
|
|
- hdb.dxy* \
|
|
|
|
|
- gssapi.dxy* \
|
|
|
|
|
- krb5.dxy* \
|
|
|
|
|
- ntlm.dxy* \
|
|
|
|
|
- wind.dxy* \
|
|
|
|
|
- vars.texi*
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
diff -uNr heimdal-7.8.0/kdc/Makefile.am heimdal-7.8.0-patched/kdc/Makefile.am
|
|
|
|
|
--- heimdal-7.8.0/kdc/Makefile.am 2022-09-16 01:54:19.000000000 +0200
|
|
|
|
|
+++ heimdal-7.8.0-patched/kdc/Makefile.am 2022-12-20 17:07:05.344492344 +0100
|
2015-09-05 13:04:36 +02:00
|
|
|
@@ -6,35 +6,6 @@
|
|
|
|
|
|
|
|
|
|
lib_LTLIBRARIES = libkdc.la
|
|
|
|
|
|
|
|
|
|
-bin_PROGRAMS = string2key
|
|
|
|
|
-
|
|
|
|
|
-sbin_PROGRAMS = kstash
|
|
|
|
|
-
|
|
|
|
|
-libexec_PROGRAMS = hprop hpropd kdc digest-service
|
|
|
|
|
-
|
|
|
|
|
-noinst_PROGRAMS = kdc-replay kdc-tester
|
|
|
|
|
-
|
|
|
|
|
-man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8 string2key.8
|
|
|
|
|
-
|
|
|
|
|
-hprop_SOURCES = hprop.c mit_dump.c hprop.h
|
|
|
|
|
-hpropd_SOURCES = hpropd.c hprop.h
|
|
|
|
|
-
|
|
|
|
|
-kstash_SOURCES = kstash.c headers.h
|
|
|
|
|
-
|
|
|
|
|
-string2key_SOURCES = string2key.c headers.h
|
|
|
|
|
-
|
|
|
|
|
-digest_service_SOURCES = \
|
|
|
|
|
- digest-service.c
|
|
|
|
|
-
|
|
|
|
|
-kdc_SOURCES = connect.c \
|
|
|
|
|
- config.c \
|
|
|
|
|
- announce.c \
|
|
|
|
|
- main.c
|
|
|
|
|
-
|
|
|
|
|
-kdc_tester_SOURCES = \
|
|
|
|
|
- config.c \
|
|
|
|
|
- kdc-tester.c
|
|
|
|
|
-
|
|
|
|
|
libkdc_la_SOURCES = \
|
|
|
|
|
default_config.c \
|
|
|
|
|
set_dbinfo.c \
|
2017-01-08 00:58:55 +01:00
|
|
|
@@ -54,15 +25,7 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
|
|
|
|
|
KDC_PROTOS = $(srcdir)/kdc-protos.h $(srcdir)/kdc-private.h
|
|
|
|
|
|
|
|
|
|
-ALL_OBJECTS = $(kdc_OBJECTS)
|
|
|
|
|
-ALL_OBJECTS += $(kdc_replay_OBJECTS)
|
|
|
|
|
-ALL_OBJECTS += $(kdc_tester_OBJECTS)
|
|
|
|
|
-ALL_OBJECTS += $(libkdc_la_OBJECTS)
|
2017-01-08 00:58:55 +01:00
|
|
|
-ALL_OBJECTS += $(string2key_OBJECTS)
|
2015-09-05 13:04:36 +02:00
|
|
|
-ALL_OBJECTS += $(kstash_OBJECTS)
|
|
|
|
|
-ALL_OBJECTS += $(hprop_OBJECTS)
|
|
|
|
|
-ALL_OBJECTS += $(hpropd_OBJECTS)
|
|
|
|
|
-ALL_OBJECTS += $(digest_service_OBJECTS)
|
|
|
|
|
+ALL_OBJECTS = $(libkdc_la_OBJECTS)
|
|
|
|
|
|
|
|
|
|
$(ALL_OBJECTS): $(KDC_PROTOS)
|
|
|
|
|
|
2017-01-08 00:58:55 +01:00
|
|
|
@@ -80,24 +43,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
cd $(srcdir) && perl ../cf/make-proto.pl -q -P comment -p kdc-private.h $(libkdc_la_SOURCES) || rm -f kdc-private.h
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-hprop_LDADD = \
|
|
|
|
|
- $(top_builddir)/lib/hdb/libhdb.la \
|
|
|
|
|
- $(top_builddir)/lib/krb5/libkrb5.la \
|
|
|
|
|
- $(LIB_kdb) \
|
|
|
|
|
- $(LIB_hcrypto) \
|
|
|
|
|
- $(top_builddir)/lib/asn1/libasn1.la \
|
|
|
|
|
- $(LIB_roken) \
|
2017-01-08 00:58:55 +01:00
|
|
|
- $(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB)
|
2015-09-05 13:04:36 +02:00
|
|
|
-
|
|
|
|
|
-hpropd_LDADD = \
|
|
|
|
|
- $(top_builddir)/lib/hdb/libhdb.la \
|
|
|
|
|
- $(top_builddir)/lib/krb5/libkrb5.la \
|
|
|
|
|
- $(LIB_kdb) \
|
|
|
|
|
- $(LIB_hcrypto) \
|
|
|
|
|
- $(top_builddir)/lib/asn1/libasn1.la \
|
|
|
|
|
- $(LIB_roken) \
|
2017-01-08 00:58:55 +01:00
|
|
|
- $(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB)
|
2015-09-05 13:04:36 +02:00
|
|
|
-
|
|
|
|
|
if PKINIT
|
|
|
|
|
LIB_pkinit = $(top_builddir)/lib/hx509/libhx509.la
|
|
|
|
|
endif
|
2017-01-08 00:58:55 +01:00
|
|
|
@@ -121,21 +66,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
$(LIB_roken) \
|
2017-01-08 00:58:55 +01:00
|
|
|
$(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB)
|
2015-09-05 13:04:36 +02:00
|
|
|
|
|
|
|
|
-kdc_LDADD = libkdc.la $(LDADD) $(LIB_pidfile) $(CAPNG_LIBS)
|
|
|
|
|
-
|
|
|
|
|
-if FRAMEWORK_SECURITY
|
|
|
|
|
-kdc_LDFLAGS = -framework SystemConfiguration -framework CoreFoundation
|
|
|
|
|
-endif
|
|
|
|
|
-kdc_CFLAGS = $(CAPNG_CFLAGS)
|
|
|
|
|
-
|
|
|
|
|
-digest_service_LDADD = \
|
|
|
|
|
- libkdc.la \
|
|
|
|
|
- $(top_builddir)/lib/ntlm/libheimntlm.la \
|
|
|
|
|
- $(top_builddir)/lib/ipc/libheim-ipcs.la \
|
|
|
|
|
- $(LDADD) $(LIB_pidfile)
|
|
|
|
|
-kdc_replay_LDADD = libkdc.la $(LDADD) $(LIB_pidfile)
|
|
|
|
|
-kdc_tester_LDADD = libkdc.la $(LDADD) $(LIB_pidfile) $(LIB_heimbase)
|
|
|
|
|
-
|
|
|
|
|
include_HEADERS = kdc.h $(srcdir)/kdc-protos.h
|
|
|
|
|
|
|
|
|
|
noinst_HEADERS = $(srcdir)/kdc-private.h
|
2017-01-08 00:58:55 +01:00
|
|
|
@@ -146,11 +76,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
build_HEADERZ = $(krb5_HEADERS) # XXX
|
|
|
|
|
|
|
|
|
|
EXTRA_DIST = \
|
|
|
|
|
- hprop-version.rc \
|
|
|
|
|
- hpropd-version.rc \
|
|
|
|
|
- kdc-version.rc \
|
|
|
|
|
- kstash-version.rc \
|
|
|
|
|
libkdc-version.rc \
|
|
|
|
|
- string2key-version.rc \
|
|
|
|
|
libkdc-exports.def \
|
|
|
|
|
- NTMakefile $(man_MANS) version-script.map
|
|
|
|
|
+ NTMakefile version-script.map
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
diff -uNr heimdal-7.8.0/lib/asn1/Makefile.am heimdal-7.8.0-patched/lib/asn1/Makefile.am
|
|
|
|
|
--- heimdal-7.8.0/lib/asn1/Makefile.am 2022-09-16 01:54:19.000000000 +0200
|
|
|
|
|
+++ heimdal-7.8.0-patched/lib/asn1/Makefile.am 2022-12-20 17:08:36.808229786 +0100
|
2015-09-05 13:04:36 +02:00
|
|
|
@@ -44,9 +44,7 @@
|
|
|
|
|
gen_files_digest = asn1_digest_asn1.x
|
|
|
|
|
gen_files_kx509 = asn1_kx509_asn1.x
|
|
|
|
|
|
|
|
|
|
-noinst_PROGRAMS = asn1_gen
|
|
|
|
|
-
|
|
|
|
|
-libexec_heimdal_PROGRAMS = asn1_compile asn1_print
|
|
|
|
|
+noinst_PROGRAMS = asn1_gen asn1_compile asn1_print
|
|
|
|
|
|
|
|
|
|
TESTS = check-der check-gen check-timegm check-ber check-template
|
|
|
|
|
check_PROGRAMS = $(TESTS)
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
diff -uNr heimdal-7.8.0/lib/com_err/Makefile.am heimdal-7.8.0-patched/lib/com_err/Makefile.am
|
|
|
|
|
--- heimdal-7.8.0/lib/com_err/Makefile.am 2022-09-16 01:54:19.000000000 +0200
|
|
|
|
|
+++ heimdal-7.8.0-patched/lib/com_err/Makefile.am 2022-12-20 17:14:40.343183718 +0100
|
2015-09-05 13:04:36 +02:00
|
|
|
@@ -13,12 +13,8 @@
|
|
|
|
|
|
|
|
|
|
libcom_err_la_LIBADD = $(LIB_libintl)
|
|
|
|
|
|
2017-01-08 00:58:55 +01:00
|
|
|
-noinst_PROGRAMS = compile_et
|
2015-09-05 13:04:36 +02:00
|
|
|
-
|
|
|
|
|
include_HEADERS = com_err.h com_right.h
|
|
|
|
|
|
|
|
|
|
-compile_et_SOURCES = compile_et.c compile_et.h parse.y lex.l lex.h
|
|
|
|
|
-
|
|
|
|
|
libcom_err_la_CPPFLAGS = $(ROKEN_RENAME) $(INCLUDE_libintl)
|
|
|
|
|
dist_libcom_err_la_SOURCES = error.c com_err.c roken_rename.h
|
|
|
|
|
|
2017-01-08 00:58:55 +01:00
|
|
|
@@ -43,7 +39,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
EXTRA_DIST = \
|
|
|
|
|
NTMakefile \
|
2017-01-08 00:58:55 +01:00
|
|
|
com_err.3 \
|
2015-09-05 13:04:36 +02:00
|
|
|
- compile_et-version.rc \
|
|
|
|
|
libcom_err-version.rc \
|
|
|
|
|
libcom_err-exports.def \
|
|
|
|
|
version-script.map
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
diff -uNr heimdal-7.8.0/lib/gssapi/Makefile.am heimdal-7.8.0-patched/lib/gssapi/Makefile.am
|
|
|
|
|
--- heimdal-7.8.0/lib/gssapi/Makefile.am 2022-09-16 01:54:19.000000000 +0200
|
|
|
|
|
+++ heimdal-7.8.0-patched/lib/gssapi/Makefile.am 2022-12-20 17:16:41.706826603 +0100
|
2017-01-08 00:58:55 +01:00
|
|
|
@@ -227,8 +227,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
$(LIB_hcrypto) \
|
|
|
|
|
$(LIBADD_roken)
|
|
|
|
|
|
|
|
|
|
-man_MANS = gssapi.3 gss_acquire_cred.3 mech/mech.5
|
|
|
|
|
-
|
|
|
|
|
include_HEADERS = gssapi.h
|
|
|
|
|
noinst_HEADERS = \
|
|
|
|
|
gssapi_mech.h \
|
2017-06-15 23:06:08 +02:00
|
|
|
@@ -303,8 +301,7 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
|
|
|
|
|
check_PROGRAMS = test_acquire_cred $(TESTS)
|
|
|
|
|
|
|
|
|
|
-bin_PROGRAMS = gsstool
|
2017-06-15 23:06:08 +02:00
|
|
|
-noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm test_add_store_cred
|
|
|
|
|
+noinst_PROGRAMS = gsstool test_cred test_kcred test_context test_ntlm test_add_store_cred
|
2015-09-05 13:04:36 +02:00
|
|
|
|
|
|
|
|
test_context_SOURCES = test_context.c test_common.c test_common.h
|
2017-06-15 23:06:08 +02:00
|
|
|
test_ntlm_SOURCES = test_ntlm.c test_common.c test_common.h
|
|
|
|
|
@@ -340,7 +337,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
NTMakefile \
|
|
|
|
|
libgssapi-version.rc \
|
|
|
|
|
libgssapi-exports.def \
|
|
|
|
|
- $(man_MANS) \
|
2017-01-08 00:58:55 +01:00
|
|
|
gen-oid.pl \
|
|
|
|
|
gssapi/gssapi_netlogon.h \
|
|
|
|
|
krb5/test_acquire_cred.c \
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
diff -uNr heimdal-7.8.0/lib/hx509/Makefile.am heimdal-7.8.0-patched/lib/hx509/Makefile.am
|
|
|
|
|
--- heimdal-7.8.0/lib/hx509/Makefile.am 2022-11-15 18:24:40.000000000 +0100
|
|
|
|
|
+++ heimdal-7.8.0-patched/lib/hx509/Makefile.am 2022-12-20 17:19:57.330257091 +0100
|
2017-01-08 00:58:55 +01:00
|
|
|
@@ -141,7 +141,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
$(heim_verbose)$(ASN1_COMPILE) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
|
|
|
|
|
|
|
|
|
|
ALL_OBJECTS = $(libhx509_la_OBJECTS)
|
|
|
|
|
-ALL_OBJECTS += $(hxtool_OBJECTS)
|
|
|
|
|
|
|
|
|
|
HX509_PROTOS = $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h
|
|
|
|
|
|
2017-01-08 00:58:55 +01:00
|
|
|
@@ -156,23 +155,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
$(srcdir)/hx509-private.h: $(dist_libhx509_la_SOURCES)
|
|
|
|
|
$(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p hx509-private.h $(dist_libhx509_la_SOURCES) || rm -f hx509-private.h
|
|
|
|
|
|
|
|
|
|
-bin_PROGRAMS = hxtool
|
|
|
|
|
-
|
|
|
|
|
-hxtool-commands.c hxtool-commands.h: hxtool-commands.in $(SLC)
|
|
|
|
|
- $(heim_verbose)$(SLC) $(srcdir)/hxtool-commands.in
|
|
|
|
|
-
|
|
|
|
|
-dist_hxtool_SOURCES = hxtool.c
|
|
|
|
|
-nodist_hxtool_SOURCES = hxtool-commands.c hxtool-commands.h
|
|
|
|
|
-
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
-$(hxtool_OBJECTS): hxtool-commands.h $(nodist_include_HEADERS)
|
2015-09-05 13:04:36 +02:00
|
|
|
-
|
|
|
|
|
-hxtool_LDADD = \
|
|
|
|
|
- libhx509.la \
|
|
|
|
|
- $(top_builddir)/lib/asn1/libasn1.la \
|
|
|
|
|
- $(LIB_hcrypto) \
|
|
|
|
|
- $(LIB_roken) \
|
|
|
|
|
- $(top_builddir)/lib/sl/libsl.la
|
|
|
|
|
-
|
|
|
|
|
CLEANFILES = $(BUILT_SOURCES) sel-gram.c sel-lex.c \
|
|
|
|
|
$(gen_files_ocsp) ocsp_asn1_files ocsp_asn1{,-priv}.h* \
|
|
|
|
|
ocsp_asn1-template.[chx]* \
|
2017-01-08 00:58:55 +01:00
|
|
|
@@ -181,7 +163,7 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
$(gen_files_crmf) crmf_asn1_files crmf_asn1{,-priv}.h* \
|
|
|
|
|
crmf_asn1-template.[chx]* \
|
|
|
|
|
$(TESTS) \
|
|
|
|
|
- hxtool-commands.c hxtool-commands.h *.tmp \
|
|
|
|
|
+ *.tmp \
|
|
|
|
|
request.out \
|
|
|
|
|
out.pem out2.pem \
|
|
|
|
|
sd sd.pem \
|
2017-01-08 00:58:55 +01:00
|
|
|
@@ -311,12 +293,10 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
|
|
|
|
|
EXTRA_DIST = \
|
|
|
|
|
NTMakefile \
|
|
|
|
|
- hxtool-version.rc \
|
|
|
|
|
libhx509-exports.def \
|
|
|
|
|
version-script.map \
|
|
|
|
|
crmf.asn1 \
|
|
|
|
|
hx509_err.et \
|
|
|
|
|
- hxtool-commands.in \
|
|
|
|
|
quote.py \
|
|
|
|
|
ocsp.asn1 \
|
|
|
|
|
ocsp.opt \
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
diff -uNr heimdal-7.8.0/lib/kadm5/Makefile.am heimdal-7.8.0-patched/lib/kadm5/Makefile.am
|
|
|
|
|
--- heimdal-7.8.0/lib/kadm5/Makefile.am 2022-11-15 18:06:45.000000000 +0100
|
|
|
|
|
+++ heimdal-7.8.0-patched/lib/kadm5/Makefile.am 2022-12-20 17:24:31.273484873 +0100
|
|
|
|
|
@@ -14,10 +14,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
libkadm5srv_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
|
|
|
|
|
endif
|
|
|
|
|
|
|
|
|
|
-sbin_PROGRAMS = iprop-log
|
|
|
|
|
-check_PROGRAMS = default_keys
|
|
|
|
|
-noinst_PROGRAMS = test_pw_quality
|
|
|
|
|
-
|
|
|
|
|
noinst_LTLIBRARIES = sample_passwd_check.la
|
|
|
|
|
|
|
|
|
|
sample_passwd_check_la_SOURCES = sample_passwd_check.c
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
@@ -29,8 +25,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
libkadm5clnt_la_LIBADD = \
|
|
|
|
|
$(LIB_com_err) ../krb5/libkrb5.la $(LIBADD_roken)
|
|
|
|
|
|
|
|
|
|
-libexec_PROGRAMS = ipropd-master ipropd-slave
|
|
|
|
|
-
|
|
|
|
|
default_keys_SOURCES = default_keys.c
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
default_keys_CPPFLAGS = -I$(srcdir)/../krb5
|
2015-09-05 13:04:36 +02:00
|
|
|
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
@@ -122,17 +116,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
libkadm5srv_la_DEPENDENCIES = \
|
|
|
|
|
version-script.map
|
|
|
|
|
|
|
|
|
|
-dist_iprop_log_SOURCES = iprop-log.c
|
|
|
|
|
-nodist_iprop_log_SOURCES = iprop-commands.c
|
|
|
|
|
-
|
|
|
|
|
-ipropd_master_SOURCES = ipropd_master.c ipropd_common.c iprop.h kadm5_locl.h
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
-ipropd_master_CPPFLAGS = -I$(srcdir)/../krb5
|
2015-09-05 13:04:36 +02:00
|
|
|
-
|
|
|
|
|
-ipropd_slave_SOURCES = ipropd_slave.c ipropd_common.c iprop.h kadm5_locl.h
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
-ipropd_slave_CPPFLAGS = -I$(srcdir)/../krb5
|
2015-09-05 13:04:36 +02:00
|
|
|
-
|
|
|
|
|
-man_MANS = kadm5_pwcheck.3 iprop.8 iprop-log.8
|
|
|
|
|
-
|
|
|
|
|
LDADD = \
|
|
|
|
|
libkadm5srv.la \
|
|
|
|
|
$(top_builddir)/lib/hdb/libhdb.la \
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
@@ -144,27 +127,8 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
$(LIB_dlopen) \
|
|
|
|
|
$(LIB_pidfile)
|
|
|
|
|
|
|
|
|
|
-iprop_log_LDADD = \
|
|
|
|
|
- libkadm5srv.la \
|
|
|
|
|
- $(top_builddir)/lib/hdb/libhdb.la \
|
|
|
|
|
- $(top_builddir)/lib/krb5/libkrb5.la \
|
|
|
|
|
- $(top_builddir)/lib/asn1/libasn1.la \
|
|
|
|
|
- $(LIB_hcrypto) \
|
|
|
|
|
- $(top_builddir)/lib/sl/libsl.la \
|
|
|
|
|
- $(LIB_readline) \
|
|
|
|
|
- $(LIB_roken) \
|
2017-01-08 00:58:55 +01:00
|
|
|
- $(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB) \
|
2015-09-05 13:04:36 +02:00
|
|
|
- $(LIB_dlopen) \
|
|
|
|
|
- $(LIB_pidfile)
|
|
|
|
|
-
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
-iprop_log_CPPFLAGS = -I$(srcdir)/../krb5
|
2015-09-05 13:04:36 +02:00
|
|
|
-
|
|
|
|
|
-iprop-commands.c iprop-commands.h: iprop-commands.in
|
|
|
|
|
- $(SLC) $(srcdir)/iprop-commands.in
|
2017-01-08 00:58:55 +01:00
|
|
|
-
|
2015-09-05 13:04:36 +02:00
|
|
|
$(libkadm5srv_la_OBJECTS): kadm5_err.h
|
2017-01-08 00:58:55 +01:00
|
|
|
$(libkadm5clnt_la_OBJECTS): kadm5_err.h
|
2015-09-05 13:04:36 +02:00
|
|
|
-$(iprop_log_OBJECTS): iprop-commands.h
|
|
|
|
|
|
|
|
|
|
client_glue.lo server_glue.lo: $(srcdir)/common_glue.c
|
|
|
|
|
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
@@ -176,12 +140,7 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
|
|
|
|
|
ALL_OBJECTS = $(libkadm5clnt_la_OBJECTS)
|
|
|
|
|
ALL_OBJECTS += $(libkadm5srv_la_OBJECTS)
|
|
|
|
|
-ALL_OBJECTS += $(ipropd_master_OBJECTS)
|
|
|
|
|
-ALL_OBJECTS += $(ipropd_slave_OBJECTS)
|
|
|
|
|
-ALL_OBJECTS += $(iprop_log_OBJECTS)
|
|
|
|
|
-ALL_OBJECTS += $(test_pw_quality_OBJECTS)
|
|
|
|
|
ALL_OBJECTS += $(sample_passwd_check_la_OBJECTS)
|
|
|
|
|
-ALL_OBJECTS += $(default_keys_OBJECTS)
|
|
|
|
|
|
|
|
|
|
$(ALL_OBJECTS): $(srcdir)/kadm5-protos.h $(srcdir)/kadm5-private.h
|
2017-01-08 00:58:55 +01:00
|
|
|
$(ALL_OBJECTS): kadm5_err.h
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
@@ -213,7 +172,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
libkadm5srv-exports.def \
|
|
|
|
|
kadm5_err.et \
|
|
|
|
|
iprop-commands.in \
|
|
|
|
|
- $(man_MANS) \
|
|
|
|
|
check-cracklib.pl \
|
|
|
|
|
flush.c \
|
|
|
|
|
sample_passwd_check.c \
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
diff -uNr heimdal-7.8.0/lib/kafs/Makefile.am heimdal-7.8.0-patched/lib/kafs/Makefile.am
|
|
|
|
|
--- heimdal-7.8.0/lib/kafs/Makefile.am 2022-09-16 01:54:19.000000000 +0200
|
|
|
|
|
+++ heimdal-7.8.0-patched/lib/kafs/Makefile.am 2022-12-20 17:25:26.133332421 +0100
|
2017-01-08 00:58:55 +01:00
|
|
|
@@ -74,8 +74,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
|
|
|
|
|
EXTRA_DIST = NTMakefile afsl.exp afslib.exp $(man_MANS)
|
|
|
|
|
|
|
|
|
|
-man_MANS = kafs.3
|
|
|
|
|
-
|
|
|
|
|
# AIX: this almost works with gcc, but somehow it fails to use the
|
|
|
|
|
# correct ld, use ld instead
|
|
|
|
|
afslib.so: afslib.o
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
diff -uNr heimdal-7.8.0/lib/krb5/Makefile.am heimdal-7.8.0-patched/lib/krb5/Makefile.am
|
|
|
|
|
--- heimdal-7.8.0/lib/krb5/Makefile.am 2022-09-16 01:54:19.000000000 +0200
|
|
|
|
|
+++ heimdal-7.8.0-patched/lib/krb5/Makefile.am 2022-12-20 17:27:49.080935177 +0100
|
2015-09-05 13:04:36 +02:00
|
|
|
@@ -4,8 +4,6 @@
|
|
|
|
|
|
2017-01-08 00:58:55 +01:00
|
|
|
AM_CPPFLAGS += -I../com_err -I$(srcdir)/../com_err $(INCLUDE_sqlite3) $(INCLUDE_libintl) $(INCLUDE_openssl_crypto)
|
2015-09-05 13:04:36 +02:00
|
|
|
|
|
|
|
|
-bin_PROGRAMS = verify_krb5_conf
|
|
|
|
|
-
|
|
|
|
|
noinst_PROGRAMS = \
|
|
|
|
|
krbhst-test \
|
|
|
|
|
test_alname \
|
2017-01-08 00:58:55 +01:00
|
|
|
@@ -258,7 +256,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
endif
|
|
|
|
|
|
|
|
|
|
ALL_OBJECTS = $(libkrb5_la_OBJECTS)
|
|
|
|
|
-ALL_OBJECTS += $(verify_krb5_conf_OBJECTS)
|
|
|
|
|
ALL_OBJECTS += $(librfc3961_la_OBJECTS)
|
|
|
|
|
ALL_OBJECTS += $(librfc3961_la_OBJECTS)
|
|
|
|
|
ALL_OBJECTS += $(krbhst_test_OBJECTS)
|
2017-01-08 00:58:55 +01:00
|
|
|
@@ -322,52 +319,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
$(srcdir)/krb5-private.h: $(headerdeps)
|
|
|
|
|
@cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-private.h
|
|
|
|
|
|
|
|
|
|
-man_MANS = \
|
|
|
|
|
- kerberos.8 \
|
|
|
|
|
- krb5.conf.5 \
|
|
|
|
|
- krb5-plugin.7 \
|
|
|
|
|
- krb524_convert_creds_kdc.3 \
|
|
|
|
|
- krb5_425_conv_principal.3 \
|
|
|
|
|
- krb5_acl_match_file.3 \
|
|
|
|
|
- krb5_aname_to_localname.3 \
|
|
|
|
|
- krb5_appdefault.3 \
|
|
|
|
|
- krb5_auth_context.3 \
|
|
|
|
|
- krb5_c_make_checksum.3 \
|
|
|
|
|
- krb5_check_transited.3 \
|
|
|
|
|
- krb5_create_checksum.3 \
|
|
|
|
|
- krb5_creds.3 \
|
|
|
|
|
- krb5_digest.3 \
|
|
|
|
|
- krb5_eai_to_heim_errno.3 \
|
|
|
|
|
- krb5_encrypt.3 \
|
|
|
|
|
- krb5_find_padata.3 \
|
|
|
|
|
- krb5_generate_random_block.3 \
|
|
|
|
|
- krb5_get_all_client_addrs.3 \
|
|
|
|
|
- krb5_get_credentials.3 \
|
|
|
|
|
- krb5_get_creds.3 \
|
|
|
|
|
- krb5_get_forwarded_creds.3 \
|
|
|
|
|
- krb5_get_in_cred.3 \
|
|
|
|
|
- krb5_get_init_creds.3 \
|
|
|
|
|
- krb5_get_krbhst.3 \
|
|
|
|
|
- krb5_getportbyname.3 \
|
|
|
|
|
- krb5_init_context.3 \
|
|
|
|
|
- krb5_is_thread_safe.3 \
|
|
|
|
|
- krb5_krbhst_init.3 \
|
|
|
|
|
- krb5_mk_req.3 \
|
|
|
|
|
- krb5_mk_safe.3 \
|
|
|
|
|
- krb5_openlog.3 \
|
|
|
|
|
- krb5_parse_name.3 \
|
|
|
|
|
- krb5_principal.3 \
|
|
|
|
|
- krb5_rcache.3 \
|
|
|
|
|
- krb5_rd_error.3 \
|
|
|
|
|
- krb5_rd_safe.3 \
|
|
|
|
|
- krb5_set_default_realm.3 \
|
|
|
|
|
- krb5_set_password.3 \
|
|
|
|
|
- krb5_string_to_key.3 \
|
|
|
|
|
- krb5_timeofday.3 \
|
|
|
|
|
- krb5_verify_init_creds.3 \
|
|
|
|
|
- krb5_verify_user.3 \
|
|
|
|
|
- verify_krb5_conf.8
|
|
|
|
|
-
|
|
|
|
|
dist_include_HEADERS = \
|
|
|
|
|
krb5.h \
|
|
|
|
|
$(srcdir)/krb5-protos.h \
|
2017-01-08 00:58:55 +01:00
|
|
|
@@ -409,7 +360,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
krb_err.et \
|
|
|
|
|
heim_err.et \
|
|
|
|
|
k524_err.et \
|
|
|
|
|
- $(man_MANS) \
|
|
|
|
|
version-script.map \
|
|
|
|
|
test_config_strings.cfg \
|
|
|
|
|
krb5.moduli
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
diff -uNr heimdal-7.8.0/lib/roken/Makefile.am heimdal-7.8.0-patched/lib/roken/Makefile.am
|
|
|
|
|
--- heimdal-7.8.0/lib/roken/Makefile.am 2022-09-16 01:54:19.000000000 +0200
|
|
|
|
|
+++ heimdal-7.8.0-patched/lib/roken/Makefile.am 2022-12-20 17:28:54.084761232 +0100
|
2017-01-08 00:58:55 +01:00
|
|
|
@@ -209,8 +209,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
rokenincludedir = $(includedir)/roken
|
|
|
|
|
nodist_rokeninclude_HEADERS = $(XHEADERS)
|
|
|
|
|
|
|
|
|
|
-man_MANS = getarg.3 parse_time.3 rtbl.3 ecalloc.3
|
|
|
|
|
-
|
|
|
|
|
SUFFIXES += .hin
|
|
|
|
|
.hin.h:
|
|
|
|
|
cp $< $@
|
2017-01-08 00:58:55 +01:00
|
|
|
@@ -244,7 +242,6 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
EXTRA_DIST = \
|
|
|
|
|
NTMakefile \
|
|
|
|
|
roken.awk roken.h.in \
|
|
|
|
|
- $(man_MANS) \
|
2017-01-08 00:58:55 +01:00
|
|
|
dirent.c \
|
|
|
|
|
dirent.hin \
|
|
|
|
|
dirent-test.c \
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
diff -uNr heimdal-7.8.0/lib/sl/Makefile.am heimdal-7.8.0-patched/lib/sl/Makefile.am
|
|
|
|
|
--- heimdal-7.8.0/lib/sl/Makefile.am 2022-09-16 01:54:19.000000000 +0200
|
|
|
|
|
+++ heimdal-7.8.0-patched/lib/sl/Makefile.am 2022-12-20 17:30:00.352598492 +0100
|
2017-06-15 23:06:08 +02:00
|
|
|
@@ -25,7 +25,7 @@
|
2015-09-05 13:04:36 +02:00
|
|
|
|
|
|
|
|
# install these?
|
|
|
|
|
|
|
|
|
|
-libexec_heimdal_PROGRAMS = slc
|
2017-06-15 23:06:08 +02:00
|
|
|
+noinst_PROGRAMS = slc
|
2015-09-05 13:04:36 +02:00
|
|
|
|
2017-06-15 23:06:08 +02:00
|
|
|
slc_SOURCES = slc-gram.y slc-lex.l slc.h
|
|
|
|
|
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
diff -uNr heimdal-7.8.0/lib/wind/Makefile.am heimdal-7.8.0-patched/lib/wind/Makefile.am
|
|
|
|
|
--- heimdal-7.8.0/lib/wind/Makefile.am 2022-11-15 18:14:35.000000000 +0100
|
|
|
|
|
+++ heimdal-7.8.0-patched/lib/wind/Makefile.am 2022-12-20 17:31:00.324451186 +0100
|
2015-09-05 13:04:36 +02:00
|
|
|
@@ -83,12 +83,6 @@
|
|
|
|
|
|
|
|
|
|
$(test_punycode_OBJECTS): $(built_tests)
|
|
|
|
|
|
|
|
|
|
-bin_PROGRAMS = idn-lookup
|
|
|
|
|
-
|
|
|
|
|
-idn_lookup_SOURCES = idn-lookup.c
|
|
|
|
|
-
|
|
|
|
|
-LDADD = libwind.la $(LIB_roken)
|
|
|
|
|
-
|
|
|
|
|
if !MAINTAINER_MODE
|
Accepting request 1044076 from home:enzokiel:branches:network
- Update to version 7.8.0
+ This release includes both the Heimdal 7.7.1 Security
Vulnerability fixes and non-Security bug fixes/improvements.
+ Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in
DES{,3} and arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
end of array
- CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
acceptors
- CVE-2021-3671 A null pointer de-reference when handling
missing sname in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability,
possibly a 10.0 on the Common Vulnerability Scoring
System (CVSS) v3, as we believe it should be possible to
get an RCE on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a
realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows
specially crafted DER encodings of CHOICEs to invoke the
wrong free function on the decoded structure upon decode
error. This is known to impact the Heimdal KDC, leading to
an invalid free() of an address partly or wholly under the
control of the attacker, in turn leading to a potential
remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE
types used in Heimdal, though not all cases will be
exploitable. We have not completed a thorough analysis of
all the Heimdal components affected, thus the Kerberos
client, the X.509 library, and other parts, may be affected
as well.
This bug has been in Heimdal's ASN.1 compiler since 2005,
but it may only affect Heimdal 1.6 and up. It was first
reported by Douglas Bagnall, though it had been found
independently by the Heimdal maintainers via fuzzing a few
weeks earlier.
While no zero-day exploit is known, such an exploit will
likely be available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
+ Other changes:
- Bugs found by UBSAN (including the incorrect encoding of
unconstrained INTEGER value -1).
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like
strcmp).
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in
protocol-transition
- CVE-2019-14870: Apply forwardable policy in
protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
Refactor send_diffs making it progressive
Handle partial writes on non-blocking sockets
Disable Nagle in iprop master and slave
Use async I/O
Don't send I_HAVE in response to AYT
Do not recover log in kadm5_get_principal()
Don't send diffs to slaves with not yet known version
Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 17:08:09 +01:00
|
|
|
skip_python = test -f $@ ||
|
|
|
|
|
endif
|
|
|
|
|
diff -uNr heimdal-7.8.0/Makefile.am heimdal-7.8.0-patched/Makefile.am
|
|
|
|
|
--- heimdal-7.8.0/Makefile.am 2022-09-16 01:54:19.000000000 +0200
|
|
|
|
|
+++ heimdal-7.8.0-patched/Makefile.am 2022-12-20 17:32:16.540264008 +0100
|
2015-09-05 13:04:36 +02:00
|
|
|
@@ -2,12 +2,7 @@
|
|
|
|
|
|
|
|
|
|
include $(top_srcdir)/Makefile.am.common
|
|
|
|
|
|
|
|
|
|
-if KCM
|
|
|
|
|
-kcm_dir = kcm
|
|
|
|
|
-endif
|
|
|
|
|
-
|
|
|
|
|
-SUBDIRS= include lib kuser kdc admin kadmin kpasswd
|
|
|
|
|
-SUBDIRS+= $(kcm_dir) appl tools tests packages etc po
|
|
|
|
|
+SUBDIRS= include lib kdc
|
|
|
|
|
|
|
|
|
|
if HEIMDAL_DOCUMENTATION
|
|
|
|
|
SUBDIRS+= doc
|
