From f73cb2534dd998db954b142e0c8015a7b44c665033479144167a690bbd5d6c65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Fri, 29 Apr 2016 08:00:03 +0000 Subject: [PATCH] Accepting request 392049 from home:stroeder:branches:network Update to 1.14.2. Please review carefully. Especially from glancing over the upstream source krb5-mechglue_inqure_attrs.patch seems obsolete even though the solution in upstream code looks slightly different. OBS-URL: https://build.opensuse.org/request/show/392049 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=166 --- ...ull-deref-on-empty-arg-CVE-2016-3119.patch | 36 ------------ krb5-1.14.1.tar.gz | 3 - krb5-1.14.1.tar.gz.asc | 14 ----- krb5-1.14.2.tar.gz | 3 + krb5-1.14.2.tar.gz.asc | 14 +++++ krb5-mechglue_inqure_attrs.patch | 56 ------------------- krb5-mini.changes | 12 ++++ krb5-mini.spec | 6 +- krb5.changes | 12 ++++ krb5.spec | 6 +- 10 files changed, 44 insertions(+), 118 deletions(-) delete mode 100644 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch delete mode 100644 krb5-1.14.1.tar.gz delete mode 100644 krb5-1.14.1.tar.gz.asc create mode 100644 krb5-1.14.2.tar.gz create mode 100644 krb5-1.14.2.tar.gz.asc delete mode 100644 krb5-mechglue_inqure_attrs.patch diff --git a/0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch b/0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch deleted file mode 100644 index 28af68b..0000000 --- a/0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Mon, 14 Mar 2016 17:26:34 -0400 -Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119] - -In the LDAP KDB module's process_db_args(), strtok_r() may return NULL -if there is an empty string in the db_args array. Check for this case -and avoid dereferencing a null pointer. - -CVE-2016-3119: - -In MIT krb5 1.6 and later, an authenticated attacker with permission -to modify a principal entry can cause kadmind to dereference a null -pointer by supplying an empty DB argument to the modify_principal -command, if kadmind is configured to use the LDAP KDB module. - - CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND - -ticket: 8383 (new) -target_version: 1.14-next -target_version: 1.13-next -tags: pullup - -Line numbers are slightly adjusted by Howard Guo to fit into this older version of Kerberos. - -diff -rupN krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c ---- krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-03-23 14:00:44.669126353 +0100 -+++ krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-03-23 14:01:45.993680720 +0100 -@@ -267,6 +267,7 @@ process_db_args(krb5_context context, ch - if (db_args) { - for (i=0; db_args[i]; ++i) { - arg = strtok_r(db_args[i], "=", &arg_val); -+ arg = (arg != NULL) ? arg : ""; - if (strcmp(arg, TKTPOLICY_ARG) == 0) { - dptr = &xargs->tktpolicydn; - } else { diff --git a/krb5-1.14.1.tar.gz b/krb5-1.14.1.tar.gz deleted file mode 100644 index ad7bdf2..0000000 --- a/krb5-1.14.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c8faa44574246f5bd0ce5a3dedc48c32db48a74cc4323949bf70f0ac2d6f1a99 -size 12259025 diff --git a/krb5-1.14.1.tar.gz.asc b/krb5-1.14.1.tar.gz.asc deleted file mode 100644 index e6623fe..0000000 --- a/krb5-1.14.1.tar.gz.asc +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iQGcBAABAgAGBQJW1KZzAAoJEKMvF/0AVcMF9cQMAKZNlrtrB6ZS6CLFqGpRPfG2 -T6WbhJ5GEYl4kmdINbJ/RQUMk2APwxMSmsl7q8VNM1JIxQVAL7cBZTu+7cfs3mZE -z9eCMmQsKdhZ3bnF52KB5LM2JfNUMidGEqzvOwK7mUgMXaPihiqYA0f2P10paOZl -cW1as0bvTbjWrnAO+jpW3AuW50h7zOpicX4F8gmD0gaqzcKZO9uZA3p6bjIgVRsO -XzofLkv0NxKWqcdLWocsVb2s4gezsQuRNIWmvpnR7ZFS2tfTuqrmdRNTm9t/yWMV -5YmTBKE0/R9JRRmqLm/IglIqrq7G/ZYRHSYpT5oSu72iZRrf5pKQ/jwB0jpFMN00 -7xORKTWNwiGmAvIBBZqH+3emyIrcIdIw/3MN+HEZaLisJ1K/4bWJLB+0ju9dEcU/ -naNhagonxFbVfE7SrlW/WflZpun2PVZ4c9WTG6z1OWPXZkXMLqdv+mNSoCHcvpOt -Z2+3HnWWanFncCn81oSLo/Zp3/0k7XBXtjp2Pb18CQ== -=Py+v ------END PGP SIGNATURE----- diff --git a/krb5-1.14.2.tar.gz b/krb5-1.14.2.tar.gz new file mode 100644 index 0000000..2adef80 --- /dev/null +++ b/krb5-1.14.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6bcad7e6778d1965e4ce4af21d2efdc15b274c5ce5c69031c58e4c954cda8b27 +size 12264762 diff --git a/krb5-1.14.2.tar.gz.asc b/krb5-1.14.2.tar.gz.asc new file mode 100644 index 0000000..53c2fc2 --- /dev/null +++ b/krb5-1.14.2.tar.gz.asc @@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQGcBAABAgAGBQJXFWhhAAoJEKMvF/0AVcMFHHYL/iogtD4Zyp/Zu7nFjaqAOu75 +iR3bfrb2HkEYfS1JzKEszqXTZrBurG7++58x13KxtYW5QhnKIIISUUTura4zilO2 +rQtf8/KAzIUf7/ETkRz6cUM3eReUPw1Ua/fy3zpe7ZoTNxcaE6z1p8JL2RcjsMhm +gFa0luSXpXgvHGKc1YSDUP+LVCFFCGTr1bnix03o3VoDnYmQCMYAdSG119ao9Mlf +I1g0h/sg3dVbvpfAXozdYAmkoS1RtHXxb6hyn4FVx7niJ91yxm9df8UtLDB/q0Ak +am07TxJ+XqFW6GxNc85nC7hPnURgQxwk8KvrBU5+CdIx0ZeI3GOsTGKjDYJZHrzY +GI4LMi1Tq2GyiWGWe0RBI6JR/b7wQsyjFpniZM4vcIuTV7DzWchYlcRXAh8STWeM +w9DnzYR6GdXIRet4twjH5+OV5F066iQmqCP0YALZEtS3R5Nl+HGnJ5BknDBgX/DX +wEuXeFERgriQeu2Ye4djkN2aoAkVMw+epmdO6+I/gA== +=o3Qw +-----END PGP SIGNATURE----- diff --git a/krb5-mechglue_inqure_attrs.patch b/krb5-mechglue_inqure_attrs.patch deleted file mode 100644 index be994da..0000000 --- a/krb5-mechglue_inqure_attrs.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 26f94f6e8fd99ee0dfc2f71afb38c74a12482601 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Wed, 16 Dec 2015 19:31:22 -0500 -Subject: [PATCH] Fix mechglue on gss_inquire_attrs_for_mech() - -This includes proper mechanism selection in gss_inquire_attrs_for_mech() -itself as well as passing the correct mech down from gss_accept_sec_context() -through allow_mech_by_default(). - -Also-authored-by: Simo Sorce ---- - src/lib/gssapi/mechglue/g_accept_sec_context.c | 2 +- - src/lib/gssapi/mechglue/g_mechattr.c | 7 ++++++- - 2 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c -index 6c72d1f..4a86024 100644 ---- a/src/lib/gssapi/mechglue/g_accept_sec_context.c -+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c -@@ -245,7 +245,7 @@ gss_cred_id_t * d_cred; - status = GSS_S_NO_CRED; - goto error_out; - } -- } else if (!allow_mech_by_default(selected_mech)) { -+ } else if (!allow_mech_by_default(gssint_get_public_oid(selected_mech))) { - status = GSS_S_NO_CRED; - goto error_out; - } -diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c -index e9299f4..4bd44b5 100644 ---- a/src/lib/gssapi/mechglue/g_mechattr.c -+++ b/src/lib/gssapi/mechglue/g_mechattr.c -@@ -161,6 +161,7 @@ gss_inquire_attrs_for_mech( - { - OM_uint32 status, tmpMinor; - gss_mechanism mech; -+ gss_OID selected_mech; - - if (minor == NULL) - return GSS_S_CALL_INACCESSIBLE_WRITE; -@@ -173,7 +174,11 @@ gss_inquire_attrs_for_mech( - if (known_mech_attrs != NULL) - *known_mech_attrs = GSS_C_NO_OID_SET; - -- mech = gssint_get_mechanism((gss_OID)mech_oid); -+ status = gssint_select_mech_type(minor, mech_oid, &selected_mech); -+ if (status != GSS_S_COMPLETE) -+ return (status); -+ -+ mech = gssint_get_mechanism(selected_mech); - if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) { - status = mech->gss_inquire_attrs_for_mech(minor, - mech_oid, --- -2.6.4 - diff --git a/krb5-mini.changes b/krb5-mini.changes index ee18f7d..d8fb936 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Thu Apr 28 20:27:37 UTC 2016 - michael@stroeder.com + +- removed obsolete patches: + * 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch + * krb5-mechglue_inqure_attrs.patch +- Upgrade from 1.14.1 to 1.14.2: + * Fix a moderate-severity vulnerability in the LDAP KDC back end that + could be exploited by a privileged kadmin user [CVE-2016-3119] + * Improve documentation + * Fix some interactions with GSSAPI interposer mechanisms + ------------------------------------------------------------------- Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com diff --git a/krb5-mini.spec b/krb5-mini.spec index 8c9ea3c..435558e 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -16,7 +16,7 @@ # -%define srcRoot krb5-1.14.1 +%define srcRoot krb5-1.14.2 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -29,7 +29,7 @@ BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.14.1 +Version: 1.14.2 Release: 0 Summary: MIT Kerberos5 implementation and libraries with minimal dependencies License: MIT @@ -65,7 +65,6 @@ Patch11: krb5-1.12-ksu-path.patch Patch12: krb5-1.12-selinux-label.patch Patch13: krb5-1.9-debuginfo.patch Patch15: krb5-fix_interposer.patch -Patch16: krb5-mechglue_inqure_attrs.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %fillup_prereq @@ -111,7 +110,6 @@ Include Files for Development %patch12 -p1 %patch13 -p0 %patch15 -p1 -%patch16 -p1 %build # needs to be re-generated diff --git a/krb5.changes b/krb5.changes index 2f0fbe5..fd78872 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Thu Apr 28 20:27:37 UTC 2016 - michael@stroeder.com + +- removed obsolete patches: + * 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch + * krb5-mechglue_inqure_attrs.patch +- Upgrade from 1.14.1 to 1.14.2: + * Fix a moderate-severity vulnerability in the LDAP KDC back end that + could be exploited by a privileged kadmin user [CVE-2016-3119] + * Improve documentation + * Fix some interactions with GSSAPI interposer mechanisms + ------------------------------------------------------------------- Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com diff --git a/krb5.spec b/krb5.spec index 20aed11..b39590d 100644 --- a/krb5.spec +++ b/krb5.spec @@ -25,7 +25,7 @@ BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.14.1 +Version: 1.14.2 Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT @@ -65,8 +65,6 @@ Patch11: krb5-1.12-ksu-path.patch Patch12: krb5-1.12-selinux-label.patch Patch13: krb5-1.9-debuginfo.patch Patch15: krb5-fix_interposer.patch -Patch16: krb5-mechglue_inqure_attrs.patch -Patch107: 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %fillup_prereq @@ -179,8 +177,6 @@ Include Files for Development %patch12 -p1 %patch13 -p0 %patch15 -p1 -%patch16 -p1 -%patch107 -p1 %build # needs to be re-generated