Accepting request 392049 from home:stroeder:branches:network

Update to 1.14.2. Please review carefully. Especially from glancing over the upstream source krb5-mechglue_inqure_attrs.patch seems obsolete even though the solution in upstream code looks slightly different. OBS-URL: https://build.opensuse.org/request/show/392049 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=166
2016-04-29 08:00:03 +00:00 · 2016-04-29 08:00:03 +00:00 · f73cb2534d
commit f73cb2534d
parent 9f56699b06
10 changed files with 44 additions and 118 deletions
--- a/0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+++ b/0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
@ -1,36 +0,0 @@
-From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Mon, 14 Mar 2016 17:26:34 -0400
-Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119]
-
-In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
-if there is an empty string in the db_args array.  Check for this case
-and avoid dereferencing a null pointer.
-
-CVE-2016-3119:
-
-In MIT krb5 1.6 and later, an authenticated attacker with permission
-to modify a principal entry can cause kadmind to dereference a null
-pointer by supplying an empty DB argument to the modify_principal
-command, if kadmind is configured to use the LDAP KDB module.
-
-    CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
-
-ticket: 8383 (new)
-target_version: 1.14-next
-target_version: 1.13-next
-tags: pullup
-
-Line numbers are slightly adjusted by Howard Guo <hguo@suse.com> to fit into this older version of Kerberos.
-
-diff -rupN krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
--- krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2016-03-23 14:00:44.669126353 +0100
-+++ krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2016-03-23 14:01:45.993680720 +0100
-@@ -267,6 +267,7 @@ process_db_args(krb5_context context, ch
-     if (db_args) {
-         for (i=0; db_args[i]; ++i) {
-             arg = strtok_r(db_args[i], "=", &arg_val);
-+            arg = (arg != NULL) ? arg : "";
-             if (strcmp(arg, TKTPOLICY_ARG) == 0) {
-                 dptr = &xargs->tktpolicydn;
-             } else {
--- a/krb5-1.14.1.tar.gz
+++ b/krb5-1.14.1.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c8faa44574246f5bd0ce5a3dedc48c32db48a74cc4323949bf70f0ac2d6f1a99
-size 12259025
--- a/krb5-1.14.1.tar.gz.asc
+++ b/krb5-1.14.1.tar.gz.asc
@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQGcBAABAgAGBQJW1KZzAAoJEKMvF/0AVcMF9cQMAKZNlrtrB6ZS6CLFqGpRPfG2
-T6WbhJ5GEYl4kmdINbJ/RQUMk2APwxMSmsl7q8VNM1JIxQVAL7cBZTu+7cfs3mZE
-z9eCMmQsKdhZ3bnF52KB5LM2JfNUMidGEqzvOwK7mUgMXaPihiqYA0f2P10paOZl
-cW1as0bvTbjWrnAO+jpW3AuW50h7zOpicX4F8gmD0gaqzcKZO9uZA3p6bjIgVRsO
-XzofLkv0NxKWqcdLWocsVb2s4gezsQuRNIWmvpnR7ZFS2tfTuqrmdRNTm9t/yWMV
-5YmTBKE0/R9JRRmqLm/IglIqrq7G/ZYRHSYpT5oSu72iZRrf5pKQ/jwB0jpFMN00
-7xORKTWNwiGmAvIBBZqH+3emyIrcIdIw/3MN+HEZaLisJ1K/4bWJLB+0ju9dEcU/
-naNhagonxFbVfE7SrlW/WflZpun2PVZ4c9WTG6z1OWPXZkXMLqdv+mNSoCHcvpOt
-Z2+3HnWWanFncCn81oSLo/Zp3/0k7XBXtjp2Pb18CQ==
-=Py+v
-----END PGP SIGNATURE-----
--- a/krb5-1.14.2.tar.gz
+++ b/krb5-1.14.2.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6bcad7e6778d1965e4ce4af21d2efdc15b274c5ce5c69031c58e4c954cda8b27
+size 12264762
--- a/krb5-1.14.2.tar.gz.asc
+++ b/krb5-1.14.2.tar.gz.asc
@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJXFWhhAAoJEKMvF/0AVcMFHHYL/iogtD4Zyp/Zu7nFjaqAOu75
+iR3bfrb2HkEYfS1JzKEszqXTZrBurG7++58x13KxtYW5QhnKIIISUUTura4zilO2
+rQtf8/KAzIUf7/ETkRz6cUM3eReUPw1Ua/fy3zpe7ZoTNxcaE6z1p8JL2RcjsMhm
+gFa0luSXpXgvHGKc1YSDUP+LVCFFCGTr1bnix03o3VoDnYmQCMYAdSG119ao9Mlf
+I1g0h/sg3dVbvpfAXozdYAmkoS1RtHXxb6hyn4FVx7niJ91yxm9df8UtLDB/q0Ak
+am07TxJ+XqFW6GxNc85nC7hPnURgQxwk8KvrBU5+CdIx0ZeI3GOsTGKjDYJZHrzY
+GI4LMi1Tq2GyiWGWe0RBI6JR/b7wQsyjFpniZM4vcIuTV7DzWchYlcRXAh8STWeM
+w9DnzYR6GdXIRet4twjH5+OV5F066iQmqCP0YALZEtS3R5Nl+HGnJ5BknDBgX/DX
+wEuXeFERgriQeu2Ye4djkN2aoAkVMw+epmdO6+I/gA==
+=o3Qw
+-----END PGP SIGNATURE-----
--- a/krb5-mechglue_inqure_attrs.patch
+++ b/krb5-mechglue_inqure_attrs.patch
@ -1,56 +0,0 @@
-From 26f94f6e8fd99ee0dfc2f71afb38c74a12482601 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Wed, 16 Dec 2015 19:31:22 -0500
-Subject: [PATCH] Fix mechglue on gss_inquire_attrs_for_mech()
-
-This includes proper mechanism selection in gss_inquire_attrs_for_mech()
-itself as well as passing the correct mech down from gss_accept_sec_context()
-through allow_mech_by_default().
-
-Also-authored-by: Simo Sorce <simo@redhat.com>
---
- src/lib/gssapi/mechglue/g_accept_sec_context.c | 2 +-
- src/lib/gssapi/mechglue/g_mechattr.c           | 7 ++++++-
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
-index 6c72d1f..4a86024 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
-+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
-@@ -245,7 +245,7 @@ gss_cred_id_t *		d_cred;
- 	    status = GSS_S_NO_CRED;
- 	    goto error_out;
- 	}
-    } else if (!allow_mech_by_default(selected_mech)) {
-+    } else if (!allow_mech_by_default(gssint_get_public_oid(selected_mech))) {
- 	status = GSS_S_NO_CRED;
- 	goto error_out;
-     }
-diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c
-index e9299f4..4bd44b5 100644
--- a/src/lib/gssapi/mechglue/g_mechattr.c
-+++ b/src/lib/gssapi/mechglue/g_mechattr.c
-@@ -161,6 +161,7 @@ gss_inquire_attrs_for_mech(
- {
-     OM_uint32       status, tmpMinor;
-     gss_mechanism   mech;
-+    gss_OID         selected_mech;
- 
-     if (minor == NULL)
-         return GSS_S_CALL_INACCESSIBLE_WRITE;
-@@ -173,7 +174,11 @@ gss_inquire_attrs_for_mech(
-     if (known_mech_attrs != NULL)
-         *known_mech_attrs = GSS_C_NO_OID_SET;
- 
-    mech = gssint_get_mechanism((gss_OID)mech_oid);
-+    status = gssint_select_mech_type(minor, mech_oid, &selected_mech);
-+    if (status != GSS_S_COMPLETE)
-+        return (status);
-+
-+    mech = gssint_get_mechanism(selected_mech);
-     if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) {
-         status = mech->gss_inquire_attrs_for_mech(minor,
-                                                   mech_oid,
-- 
-2.6.4
-
--- a/krb5-mini.changes
+++ b/krb5-mini.changes
@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Thu Apr 28 20:27:37 UTC 2016 - michael@stroeder.com
+
+- removed obsolete patches:
+  * 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+  * krb5-mechglue_inqure_attrs.patch
+- Upgrade from 1.14.1 to 1.14.2:
+  * Fix a moderate-severity vulnerability in the LDAP KDC back end that
+    could be exploited by a privileged kadmin user [CVE-2016-3119]
+  * Improve documentation
+  * Fix some interactions with GSSAPI interposer mechanisms
+
 -------------------------------------------------------------------
 Fri Apr  1 07:45:13 UTC 2016 - hguo@suse.com

--- a/krb5-mini.spec
+++ b/krb5-mini.spec
@ -16,7 +16,7 @@
 #


-%define srcRoot krb5-1.14.1
+%define srcRoot krb5-1.14.2
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
 %define krb5docdir  %{_defaultdocdir}/krb5

@ -29,7 +29,7 @@ BuildRequires:  keyutils-devel
 BuildRequires:  libcom_err-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  ncurses-devel
-Version:        1.14.1
+Version:        1.14.2
 Release:        0
 Summary:        MIT Kerberos5 implementation and libraries with minimal dependencies
 License:        MIT
@ -65,7 +65,6 @@ Patch11:        krb5-1.12-ksu-path.patch
 Patch12:        krb5-1.12-selinux-label.patch
 Patch13:        krb5-1.9-debuginfo.patch
 Patch15:        krb5-fix_interposer.patch
-Patch16:        krb5-mechglue_inqure_attrs.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@ -111,7 +110,6 @@ Include Files for Development
 %patch12 -p1
 %patch13 -p0
 %patch15 -p1
-%patch16 -p1

 %build
 # needs to be re-generated
--- a/krb5.changes
+++ b/krb5.changes
@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Thu Apr 28 20:27:37 UTC 2016 - michael@stroeder.com
+
+- removed obsolete patches:
+  * 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+  * krb5-mechglue_inqure_attrs.patch
+- Upgrade from 1.14.1 to 1.14.2:
+  * Fix a moderate-severity vulnerability in the LDAP KDC back end that
+    could be exploited by a privileged kadmin user [CVE-2016-3119]
+  * Improve documentation
+  * Fix some interactions with GSSAPI interposer mechanisms
+
 -------------------------------------------------------------------
 Fri Apr  1 07:45:13 UTC 2016 - hguo@suse.com

--- a/krb5.spec
+++ b/krb5.spec
@ -25,7 +25,7 @@ BuildRequires:  keyutils-devel
 BuildRequires:  libcom_err-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  ncurses-devel
-Version:        1.14.1
+Version:        1.14.2
 Release:        0
 Summary:        MIT Kerberos5 Implementation--Libraries
 License:        MIT
@ -65,8 +65,6 @@ Patch11:        krb5-1.12-ksu-path.patch
 Patch12:        krb5-1.12-selinux-label.patch
 Patch13:        krb5-1.9-debuginfo.patch
 Patch15:        krb5-fix_interposer.patch
-Patch16:        krb5-mechglue_inqure_attrs.patch
-Patch107:       0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@ -179,8 +177,6 @@ Include Files for Development
 %patch12 -p1
 %patch13 -p0
 %patch15 -p1
-%patch16 -p1
-%patch107 -p1

 %build
 # needs to be re-generated