rpm/krb5
SHA256
1
0
Fork 0
forked from pool/krb5
Code Pull Requests Activity

Accepting request 246966 from home:AndreasStieger:branches:network

Browse Source 
krb5 5.12.2

- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch
  from upstream
  See https://build.opensuse.org/request/show/246780

OBS-URL: https://build.opensuse.org/request/show/246966
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=128
This commit is contained in:
Marcus Meissner 2014-09-01 15:41:18 +00:00 committed by Git OBS Bridge
parent e1506944cc
commit 1e26a2fb1a
14 changed files with 128 additions and 443 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

168
krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
View File

@ -1,168 +0,0 @@
From fb99962cbd063ac04c9a9d2cc7c75eab73f3533d Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 19 Jun 2014 13:49:16 -0400
Subject: [PATCH] Handle invalid RFC 1964 tokens [CVE-2014-4341...]
Detect the following cases which would otherwise cause invalid memory
accesses and/or integer underflow:
* An RFC 1964 token being processed by an RFC 4121-only context
[CVE-2014-4342]
* A header with fewer than 22 bytes after the token ID or an
incomplete checksum [CVE-2014-4341 CVE-2014-4342]
* A ciphertext shorter than the confounder [CVE-2014-4341]
* A declared padding length longer than the plaintext [CVE-2014-4341]
If we detect a bad pad byte, continue on to compute the checksum to
avoid creating a padding oracle, but treat the checksum as invalid
even if it compares equal.
CVE-2014-4341:
In MIT krb5, an unauthenticated remote attacker with the ability to
inject packets into a legitimately established GSSAPI application
session can cause a program crash due to invalid memory references
when attempting to read beyond the end of a buffer.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
CVE-2014-4342:
In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote
attacker with the ability to inject packets into a legitimately
established GSSAPI application session can cause a program crash due
to invalid memory references when reading beyond the end of a buffer
or by causing a null pointer dereference.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
[tlyu@mit.edu: CVE summaries, CVSS]
ticket: 7949 (new)
subject: Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342]
taget_version: 1.12.2
tags: pullup
---
src/lib/gssapi/krb5/k5unseal.c | 41 +++++++++++++++++++++++++++++++--------
src/lib/gssapi/krb5/k5unsealiov.c | 9 ++++++++-
2 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
index 30c12b9..0573958 100644
--- a/src/lib/gssapi/krb5/k5unseal.c
+++ b/src/lib/gssapi/krb5/k5unseal.c
@@ -74,6 +74,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
int conflen = 0;
int signalg;
int sealalg;
+ int bad_pad = 0;
gss_buffer_desc token;
krb5_checksum cksum;
krb5_checksum md5cksum;
@@ -86,6 +87,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
krb5_ui_4 seqnum;
OM_uint32 retval;
size_t sumlen;
+ size_t padlen;
krb5_keyusage sign_usage = KG_USAGE_SIGN;
if (toktype == KG_TOK_SEAL_MSG) {
@@ -93,18 +95,23 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
message_buffer->value = NULL;
}
- /* get the sign and seal algorithms */
-
- signalg = ptr[0] + (ptr[1]<<8);
- sealalg = ptr[2] + (ptr[3]<<8);
-
/* Sanity checks */
- if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) {
+ if (ctx->seq == NULL) {
+ /* ctx was established using a newer enctype, and cannot process RFC
+ * 1964 tokens. */
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+ if ((bodysize < 22) || (ptr[4] != 0xff) || (ptr[5] != 0xff)) {
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
+ signalg = ptr[0] + (ptr[1]<<8);
+ sealalg = ptr[2] + (ptr[3]<<8);
+
if ((toktype != KG_TOK_SEAL_MSG) &&
(sealalg != 0xffff)) {
*minor_status = 0;
@@ -153,6 +160,11 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
return GSS_S_DEFECTIVE_TOKEN;
}
+ if ((size_t)bodysize < 14 + cksum_len) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
/* get the token parameters */
if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction,
@@ -207,7 +219,20 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
plainlen = tmsglen;
conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
- token.length = tmsglen - conflen - plain[tmsglen-1];
+ if (tmsglen < conflen) {
+ if (sealalg != 0xffff)
+ xfree(plain);
+ *minor_status = 0;
+ return(GSS_S_DEFECTIVE_TOKEN);
+ }
+ padlen = plain[tmsglen - 1];
+ if (tmsglen - conflen < padlen) {
+ /* Don't error out yet, to avoid padding oracle attacks. We will
+ * treat this as a checksum failure later on. */
+ padlen = 0;
+ bad_pad = 1;
+ }
+ token.length = tmsglen - conflen - padlen;
if (token.length) {
if ((token.value = (void *) gssalloc_malloc(token.length)) == NULL) {
@@ -403,7 +428,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
/* compare the computed checksum against the transmitted checksum */
- if (code) {
+ if (code || bad_pad) {
if (toktype == KG_TOK_SEAL_MSG)
gssalloc_free(token.value);
*minor_status = 0;
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
index f7828b8..b654c66 100644
--- a/src/lib/gssapi/krb5/k5unsealiov.c
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -69,7 +69,14 @@ kg_unseal_v1_iov(krb5_context context,
return GSS_S_DEFECTIVE_TOKEN;
}
- if (header->buffer.length < token_wrapper_len + 14) {
+ if (ctx->seq == NULL) {
+ /* ctx was established using a newer enctype, and cannot process RFC
+ * 1964 tokens. */
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+ if (header->buffer.length < token_wrapper_len + 22) {
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
--
1.9.3

66
krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
View File

@ -1,66 +0,0 @@
From f18ddf5d82de0ab7591a36e465bc24225776940f Mon Sep 17 00:00:00 2001
From: David Woodhouse <David.Woodhouse@intel.com>
Date: Tue, 15 Jul 2014 12:54:15 -0400
Subject: [PATCH] Fix double-free in SPNEGO [CVE-2014-4343]
In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
pointer sc->internal_mech became an alias into sc->mech_set->elements,
which should be considered constant for the duration of the SPNEGO
context. So don't free it.
CVE-2014-4343:
In MIT krb5 releases 1.10 and newer, an unauthenticated remote
attacker with the ability to spoof packets appearing to be from a
GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
(clients) which are using the SPNEGO mechanism, by returning a
different underlying mechanism than was proposed by the initiator. At
this stage of the negotiation, the acceptor is unauthenticated, and
the acceptor's response could be spoofed by an attacker with the
ability to inject traffic to the initiator.
Historically, some double-free vulnerabilities can be translated into
remote code execution, though the necessary exploits must be tailored
to the individual application and are usually quite
complicated. Double-frees can also be exploited to cause an
application crash, for a denial of service. However, most GSSAPI
client applications are not vulnerable, as the SPNEGO mechanism is not
used by default (when GSS_C_NO_OID is passed as the mech_type argument
to gss_init_sec_context()). The most common use of SPNEGO is for
HTTP-Negotiate, used in web browsers and other web clients. Most such
clients are believed to not offer HTTP-Negotiate by default, instead
requiring a whitelist of sites for which it may be used to be
configured. If the whitelist is configured to only allow
HTTP-Negotiate over TLS connections ("https://"), a successful
attacker must also spoof the web server's SSL certificate, due to the
way the WWW-Authenticate header is sent in a 401 (Unauthorized)
response message. Unfortunately, many instructions for enabling
HTTP-Negotiate in common web browsers do not include a TLS
requirement.
CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
[kaduk@mit.edu: CVE summary and CVSSv2 vector]
ticket: 7969 (new)
target_version: 1.12.2
tags: pullup
---
src/lib/gssapi/spnego/spnego_mech.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 173c6d2..8f829d8 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
OM_uint32 tmpmin;
size_t i;
- generic_gss_release_oid(&tmpmin, &sc->internal_mech);
gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
GSS_C_NO_BUFFER);
--
1.9.3

49
krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
View File

@ -1,49 +0,0 @@
From 524688ce87a15fc75f87efc8c039ba4c7d5c197b Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 15 Jul 2014 12:56:01 -0400
Subject: [PATCH] Fix null deref in SPNEGO acceptor [CVE-2014-4344]
When processing a continuation token, acc_ctx_cont was dereferencing
the initial byte of the token without checking the length. This could
result in a null dereference.
CVE-2014-4344:
In MIT krb5 1.5 and newer, an unauthenticated or partially
authenticated remote attacker can cause a NULL dereference and
application crash during a SPNEGO negotiation by sending an empty
token as the second or later context token from initiator to acceptor.
The attacker must provide at least one valid context token in the
security context negotiation before sending the empty token. This can
be done by an unauthenticated attacker by forcing SPNEGO to
renegotiate the underlying mechanism, or by using IAKERB to wrap an
unauthenticated AS-REQ as the first token.
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
[kaduk@mit.edu: CVE summary, CVSSv2 vector]
ticket: 7970 (new)
subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
target_version: 1.12.2
tags: pullup
---
src/lib/gssapi/spnego/spnego_mech.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 8f829d8..2aa6810 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat,
ptr = bufstart = buf->value;
#define REMAIN (buf->length - (ptr - bufstart))
- if (REMAIN > INT_MAX)
+ if (REMAIN == 0 || REMAIN > INT_MAX)
return GSS_S_DEFECTIVE_TOKEN;
/*
--
1.9.3

14
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
View File

@ -1,14 +0,0 @@
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index ce851ea..df5934c 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
j++;
last = i + 1;
- currkvno = key_data[i].key_data_kvno;
+ if (i < n_key_data - 1)
+ currkvno = key_data[i + 1].key_data_kvno;
}
}
ret[num_versions] = NULL;

32
krb5-1.12-doxygen.patch Normal file
View File

@ -0,0 +1,32 @@
commit b7a4d695263f1a5b7fe72b1eadce4acdc3f0490b
From: Ben Kaduk <kaduk@mit.edu>
Date: Thu Aug 28 17:54:39 2014 -0400
Subject: Map .hin files to the C language for doxygen
Upstream: Committed
References: https://github.com/krb5/krb5/commit/b7a4d695263f1a5b7fe72b1eadce4acdc3f0490b https://github.com/krb5/krb5/pull/198
Doxygen 1.8.8 is unhappy with the generated Doxyfile, and does not
handle krb5.hin in the expected fashion (as a C header). Work
around this issue by explicitly specifying that files with the
.hin extension are to be treated as C language files.
Fixes the following build failure with doxygen 1.8.8:
[ 326s] cp rst_apiref/*.rst rst_composite/appdev/refs/api
[ 326s] cp: cannot stat 'rst_apiref/*.rst': No such file or directory
[ 326s] Makefile:692: recipe for target 'composite' failed
[ 326s] make: *** [composite] Error 1
diff --git a/src/doc/Doxyfile.in b/src/doc/Doxyfile.in
index 2082b6d..c225864 100644
--- a/src/doc/Doxyfile.in
+++ b/src/doc/Doxyfile.in
@@ -4,6 +4,7 @@ JAVADOC_AUTOBRIEF = YES
OPTIMIZE_OUTPUT_FOR_C = YES
WARN_IF_UNDOCUMENTED = NO
SHOW_FILES = NO
+EXTENSION_MAPPING = hin=C
INPUT = @SRC@/include/krb5/krb5.hin @DOC@/doxy_examples
EXAMPLE_PATH = @DOC@/doxy_examples
GENERATE_HTML = NO
lines 1-28/28 (END)

3
krb5-1.12.1.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:86f01c1aae54014fa91ad9a5a69558a6cbd821185528d627362b79b517b7b345
size 11938756

3
krb5-1.12.2.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b9229d0593ebd30ec0f845b449a83c20fec220bfa424b66f4a61850df34ce0a0
size 11981162

14
krb5-1.6.3-ktutil-manpage.dif
View File

@ -1,9 +1,13 @@
Index: krb5-1.11/src/man/ktutil.man
---
src/man/ktutil.man | 12 ++++++++++++
1 file changed, 12 insertions(+)
Index: krb5-1.12.2/src/man/ktutil.man
===================================================================
--- krb5-1.11.orig/src/man/ktutil.man
+++ krb5-1.11/src/man/ktutil.man
@@ -158,6 +158,18 @@ ktutil:
.fi
--- krb5-1.12.2.orig/src/man/ktutil.man 2014-08-30 23:06:53.000000000 +0100
+++ krb5-1.12.2/src/man/ktutil.man 2014-08-30 23:07:00.000000000 +0100
@@ -162,6 +162,18 @@ ktutil:
.UNINDENT
.UNINDENT
.UNINDENT
+.SH REMARKS

16
krb5-1.7-doublelog.patch
View File

@ -1,16 +1,20 @@
Don't double-log (actually, don't process /etc/krb5.conf twice) just
because we built with --sysconfdir=/etc. RT#3277
Index: krb5-1.10.2/src/include/Makefile.in
---
src/include/Makefile.in | 2 ++
1 file changed, 2 insertions(+)
Index: krb5-1.12.2/src/include/Makefile.in
===================================================================
--- krb5-1.10.2.orig/src/include/Makefile.in
+++ krb5-1.10.2/src/include/Makefile.in
@@ -67,6 +67,8 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
--- krb5-1.12.2.orig/src/include/Makefile.in 2014-08-30 23:08:41.000000000 +0100
+++ krb5-1.12.2/src/include/Makefile.in 2014-08-30 23:09:04.000000000 +0100
@@ -68,6 +68,8 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
-e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
-e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \
-e 's+@DYNOBJEXT+$(DYNOBJEXT)+'
-e 's+@DYNOBJEXT+$(DYNOBJEXT)+' \
-e 's+@SYSCONFCONF+$(SYSCONFCONF)+'
OSCONFSRC = $(srcdir)/osconf.hin

108
krb5-master-keyring-kdcsync.patch
View File

@ -1,108 +0,0 @@
commit e99c688913a7761c6adea9488ea9355f43539883
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Jan 16 17:48:54 2014 -0500
Get time offsets for all keyring ccaches
Move the time offset lookup from krb5_krcc_resolve to make_cache, so
that we fetch time offsets for caches created by
krb5_krcc_ptcursor_next.
ticket: 7820
target_version: 1.12.2
tags: pullup
diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
index a0c8035..27bad9d 100644
--- a/src/lib/krb5/ccache/cc_keyring.c
+++ b/src/lib/krb5/ccache/cc_keyring.c
@@ -1077,11 +1077,13 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id)
/* Create a cache handle for a cache ID. */
static krb5_error_code
-make_cache(key_serial_t collection_id, key_serial_t cache_id,
- const char *anchor_name, const char *collection_name,
- const char *subsidiary_name, krb5_ccache *cache_out)
+make_cache(krb5_context context, key_serial_t collection_id,
+ key_serial_t cache_id, const char *anchor_name,
+ const char *collection_name, const char *subsidiary_name,
+ krb5_ccache *cache_out)
{
krb5_error_code ret;
+ krb5_os_context os_ctx = &context->os_context;
krb5_ccache ccache = NULL;
krb5_krcc_data *d;
key_serial_t pkey = 0;
@@ -1108,6 +1110,18 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
ccache->data = d;
ccache->magic = KV5M_CCACHE;
*cache_out = ccache;
+
+ /* Lookup time offsets if necessary. */
+ if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
+ !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
+ if (krb5_krcc_get_time_offsets(context, ccache,
+ &os_ctx->time_offset,
+ &os_ctx->usec_offset) == 0) {
+ os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
+ os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
+ }
+ }
+
return 0;
}
@@ -1134,7 +1148,6 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
static krb5_error_code KRB5_CALLCONV
krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
{
- krb5_os_context os_ctx = &context->os_context;
krb5_error_code ret;
key_serial_t collection_id, cache_id;
char *anchor_name = NULL, *collection_name = NULL, *subsidiary_name = NULL;
@@ -1161,22 +1174,11 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
if (cache_id < 0)
cache_id = 0;
- ret = make_cache(collection_id, cache_id, anchor_name, collection_name,
- subsidiary_name, id);
+ ret = make_cache(context, collection_id, cache_id, anchor_name,
+ collection_name, subsidiary_name, id);
if (ret)
goto cleanup;
- /* Lookup time offsets if necessary. */
- if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
- !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
- if (krb5_krcc_get_time_offsets(context, *id,
- &os_ctx->time_offset,
- &os_ctx->usec_offset) == 0) {
- os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
- os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
- }
- }
-
cleanup:
free(anchor_name);
free(collection_name);
@@ -1928,8 +1930,9 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
cache_id = keyctl_search(data->collection_id, KRCC_KEY_TYPE_KEYRING,
first_name, 0);
if (cache_id != -1) {
- return make_cache(data->collection_id, cache_id, data->anchor_name,
- data->collection_name, first_name, cache_out);
+ return make_cache(context, data->collection_id, cache_id,
+ data->anchor_name, data->collection_name,
+ first_name, cache_out);
}
}
@@ -1967,7 +1970,7 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
/* We found a valid key */
data->next_key++;
- ret = make_cache(data->collection_id, key, data->anchor_name,
+ ret = make_cache(context, data->collection_id, key, data->anchor_name,
data->collection_name, subsidiary_name, cache_out);
free(description);
return ret;

33
krb5-mini.changes
View File

@ -1,3 +1,36 @@
-------------------------------------------------------------------
Sat Aug 30 22:29:28 UTC 2014 - andreas.stieger@gmx.de
- krb5 5.12.2:
* Work around a gcc optimizer bug that could cause DB2 KDC
database operations to spin in an infinite loop
* Fix a backward compatibility problem with the LDAP KDB schema
that could prevent krb5-1.11 and later from decoding entries
created by krb5-1.6.
* Avoid an infinite loop under some circumstances when the GSS
mechglue loads a dynamic mechanism.
* Fix krb5kdc argument parsing so "-w" and "-r" options work
togetherreliably.
- Vulnerability fixes previously fixed in package via patches:
* Handle certain invalid RFC 1964 GSS tokens correctly to avoid
invalid memory reference vulnerabilities. [CVE-2014-4341
CVE-2014-4342]
* Fix memory management vulnerabilities in GSSAPI SPNEGO.
[CVE-2014-4343 CVE-2014-4344]
* Fix buffer overflow vulnerability in LDAP KDB back end.
[CVE-2014-4345]
- updated patches:
* krb5-1.7-doublelog.patch for context change
* krb5-1.6.3-ktutil-manpage.dif, same
- removed patches, in upstream:
* krb5-master-keyring-kdcsync.patch
* krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
* krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
* krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
* krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch
from upstream
-------------------------------------------------------------------
Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com

16
krb5-mini.spec
View File

@ -17,7 +17,7 @@
%define build_mini 1
%define srcRoot krb5-1.12.1
%define srcRoot krb5-1.12.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.12.1
Version: 1.12.2
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
@ -82,11 +82,7 @@ Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Patch14: krb5-kvno-230379.patch
Patch15: krb5-master-keyring-kdcsync.patch
Patch16: krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
Patch17: krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
Patch18: krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
Patch19: krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
Patch20: krb5-1.12-doxygen.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@ -206,11 +202,7 @@ Include Files for Development
%patch12 -p1
%patch13 -p0
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%build
# needs to be re-generated

33
krb5.changes
View File

@ -1,3 +1,36 @@
-------------------------------------------------------------------
Sat Aug 30 22:29:28 UTC 2014 - andreas.stieger@gmx.de
- krb5 5.12.2:
* Work around a gcc optimizer bug that could cause DB2 KDC
database operations to spin in an infinite loop
* Fix a backward compatibility problem with the LDAP KDB schema
that could prevent krb5-1.11 and later from decoding entries
created by krb5-1.6.
* Avoid an infinite loop under some circumstances when the GSS
mechglue loads a dynamic mechanism.
* Fix krb5kdc argument parsing so "-w" and "-r" options work
togetherreliably.
- Vulnerability fixes previously fixed in package via patches:
* Handle certain invalid RFC 1964 GSS tokens correctly to avoid
invalid memory reference vulnerabilities. [CVE-2014-4341
CVE-2014-4342]
* Fix memory management vulnerabilities in GSSAPI SPNEGO.
[CVE-2014-4343 CVE-2014-4344]
* Fix buffer overflow vulnerability in LDAP KDB back end.
[CVE-2014-4345]
- updated patches:
* krb5-1.7-doublelog.patch for context change
* krb5-1.6.3-ktutil-manpage.dif, same
- removed patches, in upstream:
* krb5-master-keyring-kdcsync.patch
* krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
* krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
* krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
* krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch
from upstream
-------------------------------------------------------------------
Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com

16
krb5.spec
View File

@ -17,7 +17,7 @@
%define build_mini 0
%define srcRoot krb5-1.12.1
%define srcRoot krb5-1.12.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.12.1
Version: 1.12.2
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
@ -82,11 +82,7 @@ Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Patch14: krb5-kvno-230379.patch
Patch15: krb5-master-keyring-kdcsync.patch
Patch16: krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
Patch17: krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
Patch18: krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
Patch19: krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
Patch20: krb5-1.12-doxygen.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@ -206,11 +202,7 @@ Include Files for Development
%patch12 -p1
%patch13 -p0
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%build
# needs to be re-generated