Accepting request 560558 from home:enzokiel:branches:network

- Update to version 7.5.0 - Security - Fix CVE-2017-17439, which is a remote denial of service vulnerability: In Heimdal 7.1 through 7.4, remote unauthenticated attackers are able to crash the KDC by sending a crafted UDP packet containing empty data fields for client name or realm. - Bug fixes - Handle long input lines when reloading database dumps. - In pre-forked mode (default on Unix), correctly clear the process ids of exited children, allowing new child processes to replace the old. - Fixed incorrect KDC response when no-cross realm TGT exists, allowing client requests to fail quickly rather than time out after trying to get a correct answer from each KDC. - Fixed heimdal-patched.diff. - Removed Avoid_NULL_structure_pointer_member_dereference.patch, fixed upstream. OBS-URL: https://build.opensuse.org/request/show/560558 OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=19
2017-12-29 13:46:40 +00:00 · 2017-12-29 13:46:40 +00:00 · 544cfdcdbc
commit 544cfdcdbc
parent c581032039
6 changed files with 27 additions and 30 deletions
--- a/Avoid_NULL_structure_pointer_member_dereference.patch
+++ b/Avoid_NULL_structure_pointer_member_dereference.patch
@ -1,23 +0,0 @@
--- kdc/kerberos5.c.orig
-+++ kdc/kerberos5.c
-@@ -2226,15 +2226,17 @@
-     /*
-      * In case of a non proxy error, build an error message.
-      */
-    if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
-+    if (ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
- 	ret = _kdc_fast_mk_error(context, r,
- 				 &error_method,
- 				 r->armor_crypto,
- 				 &req->req_body,
- 				 ret, r->e_text,
- 				 r->server_princ,
-				 &r->client_princ->name,
-				 &r->client_princ->realm,
-+				 r->client_princ ?
-+                                     &r->client_princ->name : NULL,
-+				 r->client_princ ?
-+                                     &r->client_princ->realm : NULL,
- 				 NULL, NULL,
- 				 reply);
- 	if (ret)
--- a/heimdal-7.4.0-patched.tar.bz2
+++ b/heimdal-7.4.0-patched.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f49a302ab803b536dbc2c1c0e33d9b35ab859fc8e8785908d7e1cb1a78afabe0
-size 7457572
--- a/heimdal-7.5.0-patched.tar.bz2
+++ b/heimdal-7.5.0-patched.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2a77570b72566f4dcc67c6d159017eb2baf927995441fea3a872f527e8089328
+size 7632037
--- a/heimdal-patched.diff
+++ b/heimdal-patched.diff
@ -4,7 +4,7 @@ diff -uNr heimdal-7.3.0/configure.ac heimdal-7.3.0-patched/configure.ac
@@ -3,7 +3,6 @@
 AC_PREREQ(2.62)
 test -z "$CFLAGS" && CFLAGS="-g"
- AC_INIT([Heimdal],[7.4.0],[https://github.com/heimdal/heimdal/issues])
+ AC_INIT([Heimdal],[7.5.0],[https://github.com/heimdal/heimdal/issues])
 -AC_CONFIG_SRCDIR([kuser/kinit.c])
 AC_CONFIG_HEADERS(include/config.h)
 AC_CONFIG_MACRO_DIR([cf])
--- a/libheimdal.changes
+++ b/libheimdal.changes
@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Fri Dec 29 13:16:21 UTC 2017 - joerg.lorenzen@ki.tng.de
+
+- Update to version 7.5.0
+  - Security
+    - Fix CVE-2017-17439, which is a remote denial of service
+      vulnerability:
+      In Heimdal 7.1 through 7.4, remote unauthenticated attackers
+      are able to crash the KDC by sending a crafted UDP packet
+      containing empty data fields for client name or realm.
+  - Bug fixes
+    - Handle long input lines when reloading database dumps.
+    - In pre-forked mode (default on Unix), correctly clear the
+      process ids of exited children, allowing new child processes
+      to replace the old.
+    - Fixed incorrect KDC response when no-cross realm TGT exists,
+      allowing client requests to fail quickly rather than time
+      out after trying to get a correct answer from each KDC.
+- Fixed heimdal-patched.diff.
+- Removed Avoid_NULL_structure_pointer_member_dereference.patch,
+  fixed upstream.
+
 -------------------------------------------------------------------
 Thu Dec 07 15:17:23 UTC 2017 - joerg.lorenzen@ki.tng.de

--- a/libheimdal.spec
+++ b/libheimdal.spec
@ -20,7 +20,7 @@ Name:           libheimdal
 Summary:        The Heimdal implementation of the Kerberos 5 protocol
 License:        BSD-3-Clause
 Group:          Productivity/Networking/Security
-Version:        7.4.0
+Version:        7.5.0
 Release:        0
 Url:            http://www.h5l.org
 # patched source can be created with script heimdal-patch-source.sh:
@ -28,7 +28,6 @@ Url:            http://www.h5l.org
 Source0:        heimdal-%{version}-patched.tar.bz2
 Source2:        heimdal-patch-source.sh
 Patch0:         heimdal-patched.diff
-Patch1:         Avoid_NULL_structure_pointer_member_dereference.patch
 %if 0%{?sles_version} == 11
 BuildRequires:  libcom_err-devel
 BuildRequires:  sqlite3-devel
@ -99,7 +98,6 @@ libraries are required by 64-bit package of ICAClient version 13.2.
 %prep
 %setup -q -n heimdal-%{version}
 %patch0 -p1
-%patch1 -p0

 %build
 autoreconf -fi