Accepting request 247118 from network
1 OBS-URL: https://build.opensuse.org/request/show/247118 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=104
commit
f050792a44
@ -1,168 +0,0 @@
|
|||||||
From fb99962cbd063ac04c9a9d2cc7c75eab73f3533d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
|
||||||
Date: Thu, 19 Jun 2014 13:49:16 -0400
|
|
||||||
Subject: [PATCH] Handle invalid RFC 1964 tokens [CVE-2014-4341...]
|
|
||||||
|
|
||||||
Detect the following cases which would otherwise cause invalid memory
|
|
||||||
accesses and/or integer underflow:
|
|
||||||
|
|
||||||
* An RFC 1964 token being processed by an RFC 4121-only context
|
|
||||||
[CVE-2014-4342]
|
|
||||||
|
|
||||||
* A header with fewer than 22 bytes after the token ID or an
|
|
||||||
incomplete checksum [CVE-2014-4341 CVE-2014-4342]
|
|
||||||
|
|
||||||
* A ciphertext shorter than the confounder [CVE-2014-4341]
|
|
||||||
|
|
||||||
* A declared padding length longer than the plaintext [CVE-2014-4341]
|
|
||||||
|
|
||||||
If we detect a bad pad byte, continue on to compute the checksum to
|
|
||||||
avoid creating a padding oracle, but treat the checksum as invalid
|
|
||||||
even if it compares equal.
|
|
||||||
|
|
||||||
CVE-2014-4341:
|
|
||||||
|
|
||||||
In MIT krb5, an unauthenticated remote attacker with the ability to
|
|
||||||
inject packets into a legitimately established GSSAPI application
|
|
||||||
session can cause a program crash due to invalid memory references
|
|
||||||
when attempting to read beyond the end of a buffer.
|
|
||||||
|
|
||||||
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
|
|
||||||
|
|
||||||
CVE-2014-4342:
|
|
||||||
|
|
||||||
In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote
|
|
||||||
attacker with the ability to inject packets into a legitimately
|
|
||||||
established GSSAPI application session can cause a program crash due
|
|
||||||
to invalid memory references when reading beyond the end of a buffer
|
|
||||||
or by causing a null pointer dereference.
|
|
||||||
|
|
||||||
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
|
|
||||||
|
|
||||||
[tlyu@mit.edu: CVE summaries, CVSS]
|
|
||||||
|
|
||||||
ticket: 7949 (new)
|
|
||||||
subject: Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342]
|
|
||||||
taget_version: 1.12.2
|
|
||||||
tags: pullup
|
|
||||||
---
|
|
||||||
src/lib/gssapi/krb5/k5unseal.c | 41 +++++++++++++++++++++++++++++++--------
|
|
||||||
src/lib/gssapi/krb5/k5unsealiov.c | 9 ++++++++-
|
|
||||||
2 files changed, 41 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
|
|
||||||
index 30c12b9..0573958 100644
|
|
||||||
--- a/src/lib/gssapi/krb5/k5unseal.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/k5unseal.c
|
|
||||||
@@ -74,6 +74,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
|
|
||||||
int conflen = 0;
|
|
||||||
int signalg;
|
|
||||||
int sealalg;
|
|
||||||
+ int bad_pad = 0;
|
|
||||||
gss_buffer_desc token;
|
|
||||||
krb5_checksum cksum;
|
|
||||||
krb5_checksum md5cksum;
|
|
||||||
@@ -86,6 +87,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
|
|
||||||
krb5_ui_4 seqnum;
|
|
||||||
OM_uint32 retval;
|
|
||||||
size_t sumlen;
|
|
||||||
+ size_t padlen;
|
|
||||||
krb5_keyusage sign_usage = KG_USAGE_SIGN;
|
|
||||||
|
|
||||||
if (toktype == KG_TOK_SEAL_MSG) {
|
|
||||||
@@ -93,18 +95,23 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
|
|
||||||
message_buffer->value = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* get the sign and seal algorithms */
|
|
||||||
-
|
|
||||||
- signalg = ptr[0] + (ptr[1]<<8);
|
|
||||||
- sealalg = ptr[2] + (ptr[3]<<8);
|
|
||||||
-
|
|
||||||
/* Sanity checks */
|
|
||||||
|
|
||||||
- if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) {
|
|
||||||
+ if (ctx->seq == NULL) {
|
|
||||||
+ /* ctx was established using a newer enctype, and cannot process RFC
|
|
||||||
+ * 1964 tokens. */
|
|
||||||
+ *minor_status = 0;
|
|
||||||
+ return GSS_S_DEFECTIVE_TOKEN;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ((bodysize < 22) || (ptr[4] != 0xff) || (ptr[5] != 0xff)) {
|
|
||||||
*minor_status = 0;
|
|
||||||
return GSS_S_DEFECTIVE_TOKEN;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ signalg = ptr[0] + (ptr[1]<<8);
|
|
||||||
+ sealalg = ptr[2] + (ptr[3]<<8);
|
|
||||||
+
|
|
||||||
if ((toktype != KG_TOK_SEAL_MSG) &&
|
|
||||||
(sealalg != 0xffff)) {
|
|
||||||
*minor_status = 0;
|
|
||||||
@@ -153,6 +160,11 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
|
|
||||||
return GSS_S_DEFECTIVE_TOKEN;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if ((size_t)bodysize < 14 + cksum_len) {
|
|
||||||
+ *minor_status = 0;
|
|
||||||
+ return GSS_S_DEFECTIVE_TOKEN;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* get the token parameters */
|
|
||||||
|
|
||||||
if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction,
|
|
||||||
@@ -207,7 +219,20 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
|
|
||||||
plainlen = tmsglen;
|
|
||||||
|
|
||||||
conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
|
|
||||||
- token.length = tmsglen - conflen - plain[tmsglen-1];
|
|
||||||
+ if (tmsglen < conflen) {
|
|
||||||
+ if (sealalg != 0xffff)
|
|
||||||
+ xfree(plain);
|
|
||||||
+ *minor_status = 0;
|
|
||||||
+ return(GSS_S_DEFECTIVE_TOKEN);
|
|
||||||
+ }
|
|
||||||
+ padlen = plain[tmsglen - 1];
|
|
||||||
+ if (tmsglen - conflen < padlen) {
|
|
||||||
+ /* Don't error out yet, to avoid padding oracle attacks. We will
|
|
||||||
+ * treat this as a checksum failure later on. */
|
|
||||||
+ padlen = 0;
|
|
||||||
+ bad_pad = 1;
|
|
||||||
+ }
|
|
||||||
+ token.length = tmsglen - conflen - padlen;
|
|
||||||
|
|
||||||
if (token.length) {
|
|
||||||
if ((token.value = (void *) gssalloc_malloc(token.length)) == NULL) {
|
|
||||||
@@ -403,7 +428,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
|
|
||||||
|
|
||||||
/* compare the computed checksum against the transmitted checksum */
|
|
||||||
|
|
||||||
- if (code) {
|
|
||||||
+ if (code || bad_pad) {
|
|
||||||
if (toktype == KG_TOK_SEAL_MSG)
|
|
||||||
gssalloc_free(token.value);
|
|
||||||
*minor_status = 0;
|
|
||||||
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
|
|
||||||
index f7828b8..b654c66 100644
|
|
||||||
--- a/src/lib/gssapi/krb5/k5unsealiov.c
|
|
||||||
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
|
|
||||||
@@ -69,7 +69,14 @@ kg_unseal_v1_iov(krb5_context context,
|
|
||||||
return GSS_S_DEFECTIVE_TOKEN;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (header->buffer.length < token_wrapper_len + 14) {
|
|
||||||
+ if (ctx->seq == NULL) {
|
|
||||||
+ /* ctx was established using a newer enctype, and cannot process RFC
|
|
||||||
+ * 1964 tokens. */
|
|
||||||
+ *minor_status = 0;
|
|
||||||
+ return GSS_S_DEFECTIVE_TOKEN;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (header->buffer.length < token_wrapper_len + 22) {
|
|
||||||
*minor_status = 0;
|
|
||||||
return GSS_S_DEFECTIVE_TOKEN;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
1.9.3
|
|
||||||
|
|
@ -1,66 +0,0 @@
|
|||||||
From f18ddf5d82de0ab7591a36e465bc24225776940f Mon Sep 17 00:00:00 2001
|
|
||||||
From: David Woodhouse <David.Woodhouse@intel.com>
|
|
||||||
Date: Tue, 15 Jul 2014 12:54:15 -0400
|
|
||||||
Subject: [PATCH] Fix double-free in SPNEGO [CVE-2014-4343]
|
|
||||||
|
|
||||||
In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
|
|
||||||
pointer sc->internal_mech became an alias into sc->mech_set->elements,
|
|
||||||
which should be considered constant for the duration of the SPNEGO
|
|
||||||
context. So don't free it.
|
|
||||||
|
|
||||||
CVE-2014-4343:
|
|
||||||
|
|
||||||
In MIT krb5 releases 1.10 and newer, an unauthenticated remote
|
|
||||||
attacker with the ability to spoof packets appearing to be from a
|
|
||||||
GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
|
|
||||||
(clients) which are using the SPNEGO mechanism, by returning a
|
|
||||||
different underlying mechanism than was proposed by the initiator. At
|
|
||||||
this stage of the negotiation, the acceptor is unauthenticated, and
|
|
||||||
the acceptor's response could be spoofed by an attacker with the
|
|
||||||
ability to inject traffic to the initiator.
|
|
||||||
|
|
||||||
Historically, some double-free vulnerabilities can be translated into
|
|
||||||
remote code execution, though the necessary exploits must be tailored
|
|
||||||
to the individual application and are usually quite
|
|
||||||
complicated. Double-frees can also be exploited to cause an
|
|
||||||
application crash, for a denial of service. However, most GSSAPI
|
|
||||||
client applications are not vulnerable, as the SPNEGO mechanism is not
|
|
||||||
used by default (when GSS_C_NO_OID is passed as the mech_type argument
|
|
||||||
to gss_init_sec_context()). The most common use of SPNEGO is for
|
|
||||||
HTTP-Negotiate, used in web browsers and other web clients. Most such
|
|
||||||
clients are believed to not offer HTTP-Negotiate by default, instead
|
|
||||||
requiring a whitelist of sites for which it may be used to be
|
|
||||||
configured. If the whitelist is configured to only allow
|
|
||||||
HTTP-Negotiate over TLS connections ("https://"), a successful
|
|
||||||
attacker must also spoof the web server's SSL certificate, due to the
|
|
||||||
way the WWW-Authenticate header is sent in a 401 (Unauthorized)
|
|
||||||
response message. Unfortunately, many instructions for enabling
|
|
||||||
HTTP-Negotiate in common web browsers do not include a TLS
|
|
||||||
requirement.
|
|
||||||
|
|
||||||
CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
|
|
||||||
|
|
||||||
[kaduk@mit.edu: CVE summary and CVSSv2 vector]
|
|
||||||
|
|
||||||
ticket: 7969 (new)
|
|
||||||
target_version: 1.12.2
|
|
||||||
tags: pullup
|
|
||||||
---
|
|
||||||
src/lib/gssapi/spnego/spnego_mech.c | 1 -
|
|
||||||
1 file changed, 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
|
||||||
index 173c6d2..8f829d8 100644
|
|
||||||
--- a/src/lib/gssapi/spnego/spnego_mech.c
|
|
||||||
+++ b/src/lib/gssapi/spnego/spnego_mech.c
|
|
||||||
@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
|
|
||||||
OM_uint32 tmpmin;
|
|
||||||
size_t i;
|
|
||||||
|
|
||||||
- generic_gss_release_oid(&tmpmin, &sc->internal_mech);
|
|
||||||
gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
|
|
||||||
GSS_C_NO_BUFFER);
|
|
||||||
|
|
||||||
--
|
|
||||||
1.9.3
|
|
||||||
|
|
@ -1,49 +0,0 @@
|
|||||||
From 524688ce87a15fc75f87efc8c039ba4c7d5c197b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
|
||||||
Date: Tue, 15 Jul 2014 12:56:01 -0400
|
|
||||||
Subject: [PATCH] Fix null deref in SPNEGO acceptor [CVE-2014-4344]
|
|
||||||
|
|
||||||
When processing a continuation token, acc_ctx_cont was dereferencing
|
|
||||||
the initial byte of the token without checking the length. This could
|
|
||||||
result in a null dereference.
|
|
||||||
|
|
||||||
CVE-2014-4344:
|
|
||||||
|
|
||||||
In MIT krb5 1.5 and newer, an unauthenticated or partially
|
|
||||||
authenticated remote attacker can cause a NULL dereference and
|
|
||||||
application crash during a SPNEGO negotiation by sending an empty
|
|
||||||
token as the second or later context token from initiator to acceptor.
|
|
||||||
The attacker must provide at least one valid context token in the
|
|
||||||
security context negotiation before sending the empty token. This can
|
|
||||||
be done by an unauthenticated attacker by forcing SPNEGO to
|
|
||||||
renegotiate the underlying mechanism, or by using IAKERB to wrap an
|
|
||||||
unauthenticated AS-REQ as the first token.
|
|
||||||
|
|
||||||
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
|
|
||||||
|
|
||||||
[kaduk@mit.edu: CVE summary, CVSSv2 vector]
|
|
||||||
|
|
||||||
ticket: 7970 (new)
|
|
||||||
subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
|
|
||||||
target_version: 1.12.2
|
|
||||||
tags: pullup
|
|
||||||
---
|
|
||||||
src/lib/gssapi/spnego/spnego_mech.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
|
||||||
index 8f829d8..2aa6810 100644
|
|
||||||
--- a/src/lib/gssapi/spnego/spnego_mech.c
|
|
||||||
+++ b/src/lib/gssapi/spnego/spnego_mech.c
|
|
||||||
@@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat,
|
|
||||||
|
|
||||||
ptr = bufstart = buf->value;
|
|
||||||
#define REMAIN (buf->length - (ptr - bufstart))
|
|
||||||
- if (REMAIN > INT_MAX)
|
|
||||||
+ if (REMAIN == 0 || REMAIN > INT_MAX)
|
|
||||||
return GSS_S_DEFECTIVE_TOKEN;
|
|
||||||
|
|
||||||
/*
|
|
||||||
--
|
|
||||||
1.9.3
|
|
||||||
|
|
@ -1,14 +0,0 @@
|
|||||||
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
|
||||||
index ce851ea..df5934c 100644
|
|
||||||
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
|
||||||
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
|
||||||
@@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
|
|
||||||
j++;
|
|
||||||
last = i + 1;
|
|
||||||
|
|
||||||
- currkvno = key_data[i].key_data_kvno;
|
|
||||||
+ if (i < n_key_data - 1)
|
|
||||||
+ currkvno = key_data[i + 1].key_data_kvno;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
ret[num_versions] = NULL;
|
|
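--- a/krb5-1.12-doxygen.patch
+++ b/krb5-1.12-doxygen.patch
@@ -0,0 +1,32 @@
+commit b7a4d695263f1a5b7fe72b1eadce4acdc3f0490b
+From: Ben Kaduk <kaduk@mit.edu>
+Date: Thu Aug 28 17:54:39 2014 -0400
+Subject: Map .hin files to the C language for doxygen
+Upstream: Committed
+References: https://github.com/krb5/krb5/commit/b7a4d695263f1a5b7fe72b1eadce4acdc3f0490b https://github.com/krb5/krb5/pull/198
+
+Doxygen 1.8.8 is unhappy with the generated Doxyfile, and does not
+handle krb5.hin in the expected fashion (as a C header). Work
+around this issue by explicitly specifying that files with the
+.hin extension are to be treated as C language files.
+
+Fixes the following build failure with doxygen 1.8.8:
+
+[ 326s] cp rst_apiref/*.rst rst_composite/appdev/refs/api
+[ 326s] cp: cannot stat 'rst_apiref/*.rst': No such file or directory
+[ 326s] Makefile:692: recipe for target 'composite' failed
+[ 326s] make: *** [composite] Error 1
+
+diff --git a/src/doc/Doxyfile.in b/src/doc/Doxyfile.in
+index 2082b6d..c225864 100644
+--- a/src/doc/Doxyfile.in
++++ b/src/doc/Doxyfile.in
+@@ -4,6 +4,7 @@ JAVADOC_AUTOBRIEF = YES
+OPTIMIZE_OUTPUT_FOR_C = YES
+WARN_IF_UNDOCUMENTED = NO
+SHOW_FILES = NO
++EXTENSION_MAPPING = hin=C
+INPUT = @SRC@/include/krb5/krb5.hin @DOC@/doxy_examples
+EXAMPLE_PATH = @DOC@/doxy_examples
+GENERATE_HTML = NO
+lines 1-28/28 (END)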
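Review bot: The last line of the added krb5-1.12-doxygen.patch, `lines 1-28/28 (END)`, looks like a pager status line captured when the upstream commit was copied out of a terminal; it is not part of the change to src/doc/Doxyfile.in. It comes after the hunk's three trailing context lines, so patch(1) will presumably skip it as trailing garbage, but the file then no longer matches the upstream commit named in its `References:` header. Delete that line, or regenerate the file directly from the referenced commit, so the carried patch can be compared against upstream without manual cleanup.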
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:86f01c1aae54014fa91ad9a5a69558a6cbd821185528d627362b79b517b7b345
|
|
||||||
size 11938756
|
|
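--- a/krb5-1.12.2.tar.gz
+++ b/krb5-1.12.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b9229d0593ebd30ec0f845b449a83c20fec220bfa424b66f4a61850df34ce0a0
+size 11981162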
@ -1,9 +1,13 @@
|
|||||||
Index: krb5-1.11/src/man/ktutil.man
|
---
|
||||||
|
src/man/ktutil.man | 12 ++++++++++++
|
||||||
|
1 file changed, 12 insertions(+)
|
||||||
|
|
||||||
|
Index: krb5-1.12.2/src/man/ktutil.man
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.11.orig/src/man/ktutil.man
|
--- krb5-1.12.2.orig/src/man/ktutil.man 2014-08-30 23:06:53.000000000 +0100
|
||||||
+++ krb5-1.11/src/man/ktutil.man
|
+++ krb5-1.12.2/src/man/ktutil.man 2014-08-30 23:07:00.000000000 +0100
|
||||||
@@ -158,6 +158,18 @@ ktutil:
|
@@ -162,6 +162,18 @@ ktutil:
|
||||||
.fi
|
.UNINDENT
|
||||||
.UNINDENT
|
.UNINDENT
|
||||||
.UNINDENT
|
.UNINDENT
|
||||||
+.SH REMARKS
|
+.SH REMARKS
|
||||||
|
@ -1,16 +1,20 @@
|
|||||||
Don't double-log (actually, don't process /etc/krb5.conf twice) just
|
Don't double-log (actually, don't process /etc/krb5.conf twice) just
|
||||||
because we built with --sysconfdir=/etc. RT#3277
|
because we built with --sysconfdir=/etc. RT#3277
|
||||||
|
|
||||||
Index: krb5-1.10.2/src/include/Makefile.in
|
---
|
||||||
|
src/include/Makefile.in | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
Index: krb5-1.12.2/src/include/Makefile.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- krb5-1.10.2.orig/src/include/Makefile.in
|
--- krb5-1.12.2.orig/src/include/Makefile.in 2014-08-30 23:08:41.000000000 +0100
|
||||||
+++ krb5-1.10.2/src/include/Makefile.in
|
+++ krb5-1.12.2/src/include/Makefile.in 2014-08-30 23:09:04.000000000 +0100
|
||||||
@@ -67,6 +67,8 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
|
@@ -68,6 +68,8 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
|
||||||
-e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
|
-e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
|
||||||
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
|
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
|
||||||
-e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
|
-e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
|
||||||
+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
|
+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
|
||||||
+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \
|
+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \
|
||||||
-e 's+@DYNOBJEXT+$(DYNOBJEXT)+'
|
-e 's+@DYNOBJEXT+$(DYNOBJEXT)+' \
|
||||||
|
-e 's+@SYSCONFCONF+$(SYSCONFCONF)+'
|
||||||
|
|
||||||
OSCONFSRC = $(srcdir)/osconf.hin
|
|
||||||
|
@ -1,108 +0,0 @@
|
|||||||
commit e99c688913a7761c6adea9488ea9355f43539883
|
|
||||||
Author: Greg Hudson <ghudson@mit.edu>
|
|
||||||
Date: Thu Jan 16 17:48:54 2014 -0500
|
|
||||||
|
|
||||||
Get time offsets for all keyring ccaches
|
|
||||||
|
|
||||||
Move the time offset lookup from krb5_krcc_resolve to make_cache, so
|
|
||||||
that we fetch time offsets for caches created by
|
|
||||||
krb5_krcc_ptcursor_next.
|
|
||||||
|
|
||||||
ticket: 7820
|
|
||||||
target_version: 1.12.2
|
|
||||||
tags: pullup
|
|
||||||
|
|
||||||
diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
|
|
||||||
index a0c8035..27bad9d 100644
|
|
||||||
--- a/src/lib/krb5/ccache/cc_keyring.c
|
|
||||||
+++ b/src/lib/krb5/ccache/cc_keyring.c
|
|
||||||
@@ -1077,11 +1077,13 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id)
|
|
||||||
|
|
||||||
/* Create a cache handle for a cache ID. */
|
|
||||||
static krb5_error_code
|
|
||||||
-make_cache(key_serial_t collection_id, key_serial_t cache_id,
|
|
||||||
- const char *anchor_name, const char *collection_name,
|
|
||||||
- const char *subsidiary_name, krb5_ccache *cache_out)
|
|
||||||
+make_cache(krb5_context context, key_serial_t collection_id,
|
|
||||||
+ key_serial_t cache_id, const char *anchor_name,
|
|
||||||
+ const char *collection_name, const char *subsidiary_name,
|
|
||||||
+ krb5_ccache *cache_out)
|
|
||||||
{
|
|
||||||
krb5_error_code ret;
|
|
||||||
+ krb5_os_context os_ctx = &context->os_context;
|
|
||||||
krb5_ccache ccache = NULL;
|
|
||||||
krb5_krcc_data *d;
|
|
||||||
key_serial_t pkey = 0;
|
|
||||||
@@ -1108,6 +1110,18 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
|
|
||||||
ccache->data = d;
|
|
||||||
ccache->magic = KV5M_CCACHE;
|
|
||||||
*cache_out = ccache;
|
|
||||||
+
|
|
||||||
+ /* Lookup time offsets if necessary. */
|
|
||||||
+ if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
|
|
||||||
+ !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
|
|
||||||
+ if (krb5_krcc_get_time_offsets(context, ccache,
|
|
||||||
+ &os_ctx->time_offset,
|
|
||||||
+ &os_ctx->usec_offset) == 0) {
|
|
||||||
+ os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
|
|
||||||
+ os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1134,7 +1148,6 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
|
|
||||||
static krb5_error_code KRB5_CALLCONV
|
|
||||||
krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
|
|
||||||
{
|
|
||||||
- krb5_os_context os_ctx = &context->os_context;
|
|
||||||
krb5_error_code ret;
|
|
||||||
key_serial_t collection_id, cache_id;
|
|
||||||
char *anchor_name = NULL, *collection_name = NULL, *subsidiary_name = NULL;
|
|
||||||
@@ -1161,22 +1174,11 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
|
|
||||||
if (cache_id < 0)
|
|
||||||
cache_id = 0;
|
|
||||||
|
|
||||||
- ret = make_cache(collection_id, cache_id, anchor_name, collection_name,
|
|
||||||
- subsidiary_name, id);
|
|
||||||
+ ret = make_cache(context, collection_id, cache_id, anchor_name,
|
|
||||||
+ collection_name, subsidiary_name, id);
|
|
||||||
if (ret)
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
- /* Lookup time offsets if necessary. */
|
|
||||||
- if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
|
|
||||||
- !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
|
|
||||||
- if (krb5_krcc_get_time_offsets(context, *id,
|
|
||||||
- &os_ctx->time_offset,
|
|
||||||
- &os_ctx->usec_offset) == 0) {
|
|
||||||
- os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
|
|
||||||
- os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
cleanup:
|
|
||||||
free(anchor_name);
|
|
||||||
free(collection_name);
|
|
||||||
@@ -1928,8 +1930,9 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
|
|
||||||
cache_id = keyctl_search(data->collection_id, KRCC_KEY_TYPE_KEYRING,
|
|
||||||
first_name, 0);
|
|
||||||
if (cache_id != -1) {
|
|
||||||
- return make_cache(data->collection_id, cache_id, data->anchor_name,
|
|
||||||
- data->collection_name, first_name, cache_out);
|
|
||||||
+ return make_cache(context, data->collection_id, cache_id,
|
|
||||||
+ data->anchor_name, data->collection_name,
|
|
||||||
+ first_name, cache_out);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1967,7 +1970,7 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
|
|
||||||
|
|
||||||
/* We found a valid key */
|
|
||||||
data->next_key++;
|
|
||||||
- ret = make_cache(data->collection_id, key, data->anchor_name,
|
|
||||||
+ ret = make_cache(context, data->collection_id, key, data->anchor_name,
|
|
||||||
data->collection_name, subsidiary_name, cache_out);
|
|
||||||
free(description);
|
|
||||||
return ret;
|
|
@ -1,3 +1,36 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Sat Aug 30 22:29:28 UTC 2014 - andreas.stieger@gmx.de
|
||||||
|
|
||||||
|
- krb5 5.12.2:
|
||||||
|
* Work around a gcc optimizer bug that could cause DB2 KDC
|
||||||
|
database operations to spin in an infinite loop
|
||||||
|
* Fix a backward compatibility problem with the LDAP KDB schema
|
||||||
|
that could prevent krb5-1.11 and later from decoding entries
|
||||||
|
created by krb5-1.6.
|
||||||
|
* Avoid an infinite loop under some circumstances when the GSS
|
||||||
|
mechglue loads a dynamic mechanism.
|
||||||
|
* Fix krb5kdc argument parsing so "-w" and "-r" options work
|
||||||
|
togetherreliably.
|
||||||
|
- Vulnerability fixes previously fixed in package via patches:
|
||||||
|
* Handle certain invalid RFC 1964 GSS tokens correctly to avoid
|
||||||
|
invalid memory reference vulnerabilities. [CVE-2014-4341
|
||||||
|
CVE-2014-4342]
|
||||||
|
* Fix memory management vulnerabilities in GSSAPI SPNEGO.
|
||||||
|
[CVE-2014-4343 CVE-2014-4344]
|
||||||
|
* Fix buffer overflow vulnerability in LDAP KDB back end.
|
||||||
|
[CVE-2014-4345]
|
||||||
|
- updated patches:
|
||||||
|
* krb5-1.7-doublelog.patch for context change
|
||||||
|
* krb5-1.6.3-ktutil-manpage.dif, same
|
||||||
|
- removed patches, in upstream:
|
||||||
|
* krb5-master-keyring-kdcsync.patch
|
||||||
|
* krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
|
||||||
|
* krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
|
||||||
|
* krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
|
||||||
|
* krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
|
||||||
|
- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch
|
||||||
|
from upstream
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com
|
Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com
|
||||||
|
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
|
|
||||||
%define build_mini 1
|
%define build_mini 1
|
||||||
%define srcRoot krb5-1.12.1
|
%define srcRoot krb5-1.12.2
|
||||||
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
||||||
%define krb5docdir %{_defaultdocdir}/krb5
|
%define krb5docdir %{_defaultdocdir}/krb5
|
||||||
|
|
||||||
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
|
|||||||
BuildRequires: libcom_err-devel
|
BuildRequires: libcom_err-devel
|
||||||
BuildRequires: libselinux-devel
|
BuildRequires: libselinux-devel
|
||||||
BuildRequires: ncurses-devel
|
BuildRequires: ncurses-devel
|
||||||
Version: 1.12.1
|
Version: 1.12.2
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: MIT Kerberos5 Implementation--Libraries
|
Summary: MIT Kerberos5 Implementation--Libraries
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -82,11 +82,7 @@ Patch11: krb5-1.12-ksu-path.patch
|
|||||||
Patch12: krb5-1.12-selinux-label.patch
|
Patch12: krb5-1.12-selinux-label.patch
|
||||||
Patch13: krb5-1.9-debuginfo.patch
|
Patch13: krb5-1.9-debuginfo.patch
|
||||||
Patch14: krb5-kvno-230379.patch
|
Patch14: krb5-kvno-230379.patch
|
||||||
Patch15: krb5-master-keyring-kdcsync.patch
|
Patch20: krb5-1.12-doxygen.patch
|
||||||
Patch16: krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
|
|
||||||
Patch17: krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
|
|
||||||
Patch18: krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
|
|
||||||
Patch19: krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
PreReq: mktemp, grep, /bin/touch, coreutils
|
PreReq: mktemp, grep, /bin/touch, coreutils
|
||||||
PreReq: %fillup_prereq
|
PreReq: %fillup_prereq
|
||||||
@ -206,11 +202,7 @@ Include Files for Development
|
|||||||
%patch12 -p1
|
%patch12 -p1
|
||||||
%patch13 -p0
|
%patch13 -p0
|
||||||
%patch14 -p1
|
%patch14 -p1
|
||||||
%patch15 -p1
|
%patch20 -p1
|
||||||
%patch16 -p1
|
|
||||||
%patch17 -p1
|
|
||||||
%patch18 -p1
|
|
||||||
%patch19 -p1
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# needs to be re-generated
|
# needs to be re-generated
|
||||||
|
33
krb5.changes
33
krb5.changes
@ -1,3 +1,36 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Sat Aug 30 22:29:28 UTC 2014 - andreas.stieger@gmx.de
|
||||||
|
|
||||||
|
- krb5 5.12.2:
|
||||||
|
* Work around a gcc optimizer bug that could cause DB2 KDC
|
||||||
|
database operations to spin in an infinite loop
|
||||||
|
* Fix a backward compatibility problem with the LDAP KDB schema
|
||||||
|
that could prevent krb5-1.11 and later from decoding entries
|
||||||
|
created by krb5-1.6.
|
||||||
|
* Avoid an infinite loop under some circumstances when the GSS
|
||||||
|
mechglue loads a dynamic mechanism.
|
||||||
|
* Fix krb5kdc argument parsing so "-w" and "-r" options work
|
||||||
|
togetherreliably.
|
||||||
|
- Vulnerability fixes previously fixed in package via patches:
|
||||||
|
* Handle certain invalid RFC 1964 GSS tokens correctly to avoid
|
||||||
|
invalid memory reference vulnerabilities. [CVE-2014-4341
|
||||||
|
CVE-2014-4342]
|
||||||
|
* Fix memory management vulnerabilities in GSSAPI SPNEGO.
|
||||||
|
[CVE-2014-4343 CVE-2014-4344]
|
||||||
|
* Fix buffer overflow vulnerability in LDAP KDB back end.
|
||||||
|
[CVE-2014-4345]
|
||||||
|
- updated patches:
|
||||||
|
* krb5-1.7-doublelog.patch for context change
|
||||||
|
* krb5-1.6.3-ktutil-manpage.dif, same
|
||||||
|
- removed patches, in upstream:
|
||||||
|
* krb5-master-keyring-kdcsync.patch
|
||||||
|
* krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
|
||||||
|
* krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
|
||||||
|
* krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
|
||||||
|
* krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
|
||||||
|
- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch
|
||||||
|
from upstream
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com
|
Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com
|
||||||
|
|
||||||
|
16
krb5.spec
16
krb5.spec
@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
|
|
||||||
%define build_mini 0
|
%define build_mini 0
|
||||||
%define srcRoot krb5-1.12.1
|
%define srcRoot krb5-1.12.2
|
||||||
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
||||||
%define krb5docdir %{_defaultdocdir}/krb5
|
%define krb5docdir %{_defaultdocdir}/krb5
|
||||||
|
|
||||||
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
|
|||||||
BuildRequires: libcom_err-devel
|
BuildRequires: libcom_err-devel
|
||||||
BuildRequires: libselinux-devel
|
BuildRequires: libselinux-devel
|
||||||
BuildRequires: ncurses-devel
|
BuildRequires: ncurses-devel
|
||||||
Version: 1.12.1
|
Version: 1.12.2
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: MIT Kerberos5 Implementation--Libraries
|
Summary: MIT Kerberos5 Implementation--Libraries
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -82,11 +82,7 @@ Patch11: krb5-1.12-ksu-path.patch
|
|||||||
Patch12: krb5-1.12-selinux-label.patch
|
Patch12: krb5-1.12-selinux-label.patch
|
||||||
Patch13: krb5-1.9-debuginfo.patch
|
Patch13: krb5-1.9-debuginfo.patch
|
||||||
Patch14: krb5-kvno-230379.patch
|
Patch14: krb5-kvno-230379.patch
|
||||||
Patch15: krb5-master-keyring-kdcsync.patch
|
Patch20: krb5-1.12-doxygen.patch
|
||||||
Patch16: krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
|
|
||||||
Patch17: krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
|
|
||||||
Patch18: krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
|
|
||||||
Patch19: krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
PreReq: mktemp, grep, /bin/touch, coreutils
|
PreReq: mktemp, grep, /bin/touch, coreutils
|
||||||
PreReq: %fillup_prereq
|
PreReq: %fillup_prereq
|
||||||
@ -206,11 +202,7 @@ Include Files for Development
|
|||||||
%patch12 -p1
|
%patch12 -p1
|
||||||
%patch13 -p0
|
%patch13 -p0
|
||||||
%patch14 -p1
|
%patch14 -p1
|
||||||
%patch15 -p1
|
%patch20 -p1
|
||||||
%patch16 -p1
|
|
||||||
%patch17 -p1
|
|
||||||
%patch18 -p1
|
|
||||||
%patch19 -p1
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# needs to be re-generated
|
# needs to be re-generated
|
||||||
|