pool/libheimdal
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
649b0fa38d
libheimdal/reproducible.patch
Dirk Mueller 0c16052a9f Accepting request 1044076 from home:enzokiel:branches:network 
- Update to version 7.8.0
  + This release includes both the Heimdal 7.7.1 Security
    Vulnerability fixes and non-Security bug fixes/improvements.
  + Security Vulnerabilities:
    - CVE-2022-42898 PAC parse integer overflows
    - CVE-2022-3437 Overflows and non-constant time leaks in
      DES{,3} and arcfour
    - CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
      end of array
    - CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
      acceptors
    - CVE-2021-3671 A null pointer de-reference when handling
      missing sname in TGS-REQ
    - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
        Note that CVE-2022-44640 is a severe vulnerability,
        possibly a 10.0 on the Common Vulnerability Scoring
        System (CVSS) v3, as we believe it should be possible to
        get an RCE on a KDC, which means that credentials can be
        compromised that can be used to impersonate anyone in a
        realm or forest of realms.
        Heimdal's ASN.1 compiler generates code that allows
        specially crafted DER encodings of CHOICEs to invoke the
        wrong free function on the decoded structure upon decode
        error. This is known to impact the Heimdal KDC, leading to
        an invalid free() of an address partly or wholly under the
        control of the attacker, in turn leading to a potential
        remote code execution (RCE) vulnerability.
        This error affects the DER codec for all extensible CHOICE
        types used in Heimdal, though not all cases will be
        exploitable. We have not completed a thorough analysis of
        all the Heimdal components affected, thus the Kerberos
        client, the X.509 library, and other parts, may be affected
        as well.
        This bug has been in Heimdal's ASN.1 compiler since 2005,
        but it may only affect Heimdal 1.6 and up. It was first
        reported by Douglas Bagnall, though it had been found
        independently by the Heimdal maintainers via fuzzing a few
        weeks earlier.
        While no zero-day exploit is known, such an exploit will
        likely be available soon after public disclosure.
    - CVE-2019-14870: Validate client attributes in
      protocol-transition
    - CVE-2019-14870: Apply forwardable policy in
      protocol-transition
    - CVE-2019-14870: Always lookup impersonate client in DB
  + Other changes:
    - Bugs found by UBSAN (including the incorrect encoding of
      unconstrained INTEGER value -1).
    - Errors found by the LLVM scan-build static analyzer.
    - Errors found by the valgrind memory debugger.
    - Work around GCC Bug 95189 (memcmp wrongly stripped like
      strcmp).
    - Correct ASN.1 OID typo for SHA-384
    - Fix a deadlock in in the MEMORY ccache type.
    - TGS: strip forwardable and proxiable flags if the server is
      disallowed.
    - CVE-2019-14870: Validate client attributes in
      protocol-transition
    - CVE-2019-14870: Apply forwardable policy in
      protocol-transition
    - CVE-2019-14870: Always lookup impersonate client in DB
    - Incremental HDB propagation improvements
        Refactor send_diffs making it progressive
        Handle partial writes on non-blocking sockets
        Disable Nagle in iprop master and slave
        Use async I/O
        Don't send I_HAVE in response to AYT
        Do not recover log in kadm5_get_principal()
        Don't send diffs to slaves with not yet known version
        Don't stutter in send_diffs
    - Optional backwards-compatible anon-pkinit behavior
- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.

OBS-URL: https://build.opensuse.org/request/show/1044076
OBS-URL: https://build.opensuse.org/package/show/network/libheimdal?expand=0&rev=29
2022-12-21 16:08:09 +00:00

109 lines
3.9 KiB
Diff
Raw Blame History

--- heimdal-7.8.0-patched/Makefile.am.orig 2022-12-20 17:40:01.919051445 +0100
+++ heimdal-7.8.0-patched/Makefile.am 2022-12-20 17:40:01.927051422 +0100
@@ -45,7 +45,6 @@
cf/krb-prog-yacc.m4 \
cf/krb-sys-aix.m4 \
cf/krb-sys-nextstep.m4 \
- cf/krb-version.m4 \
cf/roken.m4 \
cf/valgrind-suppressions \
cf/maybe-valgrind.sh \
--- heimdal-7.8.0-patched/cf/krb-version.m4 2022-09-16 01:54:19.000000000 +0200
+++ /dev/null 2022-12-20 16:43:58.646784977 +0100
@@ -1,24 +0,0 @@
-dnl $Id$
-dnl
-dnl
-dnl output a C header-file with some version strings
-dnl
-
-AC_DEFUN([AC_KRB_VERSION],[
-cat > include/newversion.h.in <<FOOBAR
-const char *${PACKAGE_TARNAME}_long_version = "@(#)\$Version: $PACKAGE_STRING by @USER@ on @HOST@ ($host) @DATE@ \$";
-const char *${PACKAGE_TARNAME}_version = "$PACKAGE_STRING";
-FOOBAR
-
-if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
- echo "include/version.h is unchanged"
- rm -f include/newversion.h.in
-else
- echo "creating include/version.h"
- User=${USER-${LOGNAME}}
- Host=`(hostname || uname -n) 2>/dev/null | sed 1q`
- Date=`date`
- mv -f include/newversion.h.in include/version.h.in
- sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h
-fi
-])
--- heimdal-7.8.0-patched/configure.ac.orig 2022-12-20 17:47:29.421826289 +0100
+++ heimdal-7.8.0-patched/configure.ac 2022-12-20 17:47:29.437826248 +0100
@@ -627,22 +627,63 @@
dnl This is the release version name-number[beta]
dnl
-cat > include/newversion.h.in <<EOF
+if test -d "$srcdir/.git"; then
+ cat > include/newversion.h.in <<EOF
+#ifndef VERSION_HIDDEN
+#define VERSION_HIDDEN
+#endif
+VERSION_HIDDEN const char *heimdal_long_version = "@([#])\$Version: $PACKAGE_STRING by @USER@ on @HOST@ @BRANCH@ @TAG@ ($host) @COMMIT@ @DATE@ \$";
+VERSION_HIDDEN const char *heimdal_version = "AC_PACKAGE_STRING";
+EOF
+else
+ cat > include/newversion.h.in <<EOF
#ifndef VERSION_HIDDEN
#define VERSION_HIDDEN
#endif
VERSION_HIDDEN const char *heimdal_long_version = "@([#])\$Version: $PACKAGE_STRING by @USER@ on @HOST@ ($host) @DATE@ \$";
VERSION_HIDDEN const char *heimdal_version = "AC_PACKAGE_STRING";
EOF
+fi
if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
echo "include/version.h is unchanged"
rm -f include/newversion.h.in
else
echo "creating include/version.h"
- User=${USER-${LOGNAME}}
- Host=`(hostname || uname -n || echo unknown) 2>/dev/null | sed 1q`
- Date=`date`
+ if test -n "$SOURCE_DATE_EPOCH"; then
+ Date=`date -u -d "@$SOURCE_DATE_EPOCH" "+%Y-%m-%dT%H:%M:%SZ"`
+ else
+ Date=`date -u "+%Y-%m-%dT%H:%M:%SZ"`
+ fi
+ if test -n "$SOURCE_HOST"; then
+ Host=$SOURCE_HOST
+ else
+ Host=`uname -n`
+ fi
+ if test -n "$SOURCE_USER"; then
+ User=$SOURCE_USER
+ else
+ User=${USER:-${LOGNAME:-`id -nu`}}
+ fi
+ if test -d "$srcdir/.git"; then
+ GitCommit=`git rev-parse HEAD`
+ GitBranch=`git rev-parse --abbrev-ref HEAD`
+ if test "x$GitBranch" = master; then
+ GitDesc=`git describe --all --dirty`
+ else
+ GitDesc=`git describe --tags --match 'heimdal-*' --dirty`
+ fi
+ else
+ GitCommit='<commit-unknown>'
+ GitBranch='<branch-unknown>'
+ GitDesc='<tag-unknown>'
+ fi
mv -f include/newversion.h.in include/version.h.in
- sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h
+ sed -e "s/@HOST@/$Host/" \
+ -e "s;@USER@;$User;" \
+ -e "s;@DATE@;$Date;" \
+ -e "s;@BRANCH@;$GitBranch;" \
+ -e "s;@TAG@;$GitDesc;" \
+ -e "s;@COMMIT@;$GitCommit;" \
+ include/version.h.in > include/version.h
fi
Reference in New Issue View Git Blame Copy Permalink