Accepting request 392049 from home:stroeder:branches:network
Update to 1.14.2. Please review carefully. Especially from glancing over the upstream source krb5-mechglue_inqure_attrs.patch seems obsolete even though the solution in upstream code looks slightly different. OBS-URL: https://build.opensuse.org/request/show/392049 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=166
This commit is contained in:
parent
9f56699b06
commit
f73cb2534d
@ -1,36 +0,0 @@
|
|||||||
From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
|
||||||
Date: Mon, 14 Mar 2016 17:26:34 -0400
|
|
||||||
Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119]
|
|
||||||
|
|
||||||
In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
|
|
||||||
if there is an empty string in the db_args array. Check for this case
|
|
||||||
and avoid dereferencing a null pointer.
|
|
||||||
|
|
||||||
CVE-2016-3119:
|
|
||||||
|
|
||||||
In MIT krb5 1.6 and later, an authenticated attacker with permission
|
|
||||||
to modify a principal entry can cause kadmind to dereference a null
|
|
||||||
pointer by supplying an empty DB argument to the modify_principal
|
|
||||||
command, if kadmind is configured to use the LDAP KDB module.
|
|
||||||
|
|
||||||
CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
|
|
||||||
|
|
||||||
ticket: 8383 (new)
|
|
||||||
target_version: 1.14-next
|
|
||||||
target_version: 1.13-next
|
|
||||||
tags: pullup
|
|
||||||
|
|
||||||
Line numbers are slightly adjusted by Howard Guo <hguo@suse.com> to fit into this older version of Kerberos.
|
|
||||||
|
|
||||||
diff -rupN krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
|
||||||
--- krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-03-23 14:00:44.669126353 +0100
|
|
||||||
+++ krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-03-23 14:01:45.993680720 +0100
|
|
||||||
@@ -267,6 +267,7 @@ process_db_args(krb5_context context, ch
|
|
||||||
if (db_args) {
|
|
||||||
for (i=0; db_args[i]; ++i) {
|
|
||||||
arg = strtok_r(db_args[i], "=", &arg_val);
|
|
||||||
+ arg = (arg != NULL) ? arg : "";
|
|
||||||
if (strcmp(arg, TKTPOLICY_ARG) == 0) {
|
|
||||||
dptr = &xargs->tktpolicydn;
|
|
||||||
} else {
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:c8faa44574246f5bd0ce5a3dedc48c32db48a74cc4323949bf70f0ac2d6f1a99
|
|
||||||
size 12259025
|
|
@ -1,14 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
Version: GnuPG v1
|
|
||||||
|
|
||||||
iQGcBAABAgAGBQJW1KZzAAoJEKMvF/0AVcMF9cQMAKZNlrtrB6ZS6CLFqGpRPfG2
|
|
||||||
T6WbhJ5GEYl4kmdINbJ/RQUMk2APwxMSmsl7q8VNM1JIxQVAL7cBZTu+7cfs3mZE
|
|
||||||
z9eCMmQsKdhZ3bnF52KB5LM2JfNUMidGEqzvOwK7mUgMXaPihiqYA0f2P10paOZl
|
|
||||||
cW1as0bvTbjWrnAO+jpW3AuW50h7zOpicX4F8gmD0gaqzcKZO9uZA3p6bjIgVRsO
|
|
||||||
XzofLkv0NxKWqcdLWocsVb2s4gezsQuRNIWmvpnR7ZFS2tfTuqrmdRNTm9t/yWMV
|
|
||||||
5YmTBKE0/R9JRRmqLm/IglIqrq7G/ZYRHSYpT5oSu72iZRrf5pKQ/jwB0jpFMN00
|
|
||||||
7xORKTWNwiGmAvIBBZqH+3emyIrcIdIw/3MN+HEZaLisJ1K/4bWJLB+0ju9dEcU/
|
|
||||||
naNhagonxFbVfE7SrlW/WflZpun2PVZ4c9WTG6z1OWPXZkXMLqdv+mNSoCHcvpOt
|
|
||||||
Z2+3HnWWanFncCn81oSLo/Zp3/0k7XBXtjp2Pb18CQ==
|
|
||||||
=Py+v
|
|
||||||
-----END PGP SIGNATURE-----
|
|
3
krb5-1.14.2.tar.gz
Normal file
3
krb5-1.14.2.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:6bcad7e6778d1965e4ce4af21d2efdc15b274c5ce5c69031c58e4c954cda8b27
|
||||||
|
size 12264762
|
14
krb5-1.14.2.tar.gz.asc
Normal file
14
krb5-1.14.2.tar.gz.asc
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
Version: GnuPG v1
|
||||||
|
|
||||||
|
iQGcBAABAgAGBQJXFWhhAAoJEKMvF/0AVcMFHHYL/iogtD4Zyp/Zu7nFjaqAOu75
|
||||||
|
iR3bfrb2HkEYfS1JzKEszqXTZrBurG7++58x13KxtYW5QhnKIIISUUTura4zilO2
|
||||||
|
rQtf8/KAzIUf7/ETkRz6cUM3eReUPw1Ua/fy3zpe7ZoTNxcaE6z1p8JL2RcjsMhm
|
||||||
|
gFa0luSXpXgvHGKc1YSDUP+LVCFFCGTr1bnix03o3VoDnYmQCMYAdSG119ao9Mlf
|
||||||
|
I1g0h/sg3dVbvpfAXozdYAmkoS1RtHXxb6hyn4FVx7niJ91yxm9df8UtLDB/q0Ak
|
||||||
|
am07TxJ+XqFW6GxNc85nC7hPnURgQxwk8KvrBU5+CdIx0ZeI3GOsTGKjDYJZHrzY
|
||||||
|
GI4LMi1Tq2GyiWGWe0RBI6JR/b7wQsyjFpniZM4vcIuTV7DzWchYlcRXAh8STWeM
|
||||||
|
w9DnzYR6GdXIRet4twjH5+OV5F066iQmqCP0YALZEtS3R5Nl+HGnJ5BknDBgX/DX
|
||||||
|
wEuXeFERgriQeu2Ye4djkN2aoAkVMw+epmdO6+I/gA==
|
||||||
|
=o3Qw
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,56 +0,0 @@
|
|||||||
From 26f94f6e8fd99ee0dfc2f71afb38c74a12482601 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Date: Wed, 16 Dec 2015 19:31:22 -0500
|
|
||||||
Subject: [PATCH] Fix mechglue on gss_inquire_attrs_for_mech()
|
|
||||||
|
|
||||||
This includes proper mechanism selection in gss_inquire_attrs_for_mech()
|
|
||||||
itself as well as passing the correct mech down from gss_accept_sec_context()
|
|
||||||
through allow_mech_by_default().
|
|
||||||
|
|
||||||
Also-authored-by: Simo Sorce <simo@redhat.com>
|
|
||||||
---
|
|
||||||
src/lib/gssapi/mechglue/g_accept_sec_context.c | 2 +-
|
|
||||||
src/lib/gssapi/mechglue/g_mechattr.c | 7 ++++++-
|
|
||||||
2 files changed, 7 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
|
|
||||||
index 6c72d1f..4a86024 100644
|
|
||||||
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
|
|
||||||
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
|
|
||||||
@@ -245,7 +245,7 @@ gss_cred_id_t * d_cred;
|
|
||||||
status = GSS_S_NO_CRED;
|
|
||||||
goto error_out;
|
|
||||||
}
|
|
||||||
- } else if (!allow_mech_by_default(selected_mech)) {
|
|
||||||
+ } else if (!allow_mech_by_default(gssint_get_public_oid(selected_mech))) {
|
|
||||||
status = GSS_S_NO_CRED;
|
|
||||||
goto error_out;
|
|
||||||
}
|
|
||||||
diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c
|
|
||||||
index e9299f4..4bd44b5 100644
|
|
||||||
--- a/src/lib/gssapi/mechglue/g_mechattr.c
|
|
||||||
+++ b/src/lib/gssapi/mechglue/g_mechattr.c
|
|
||||||
@@ -161,6 +161,7 @@ gss_inquire_attrs_for_mech(
|
|
||||||
{
|
|
||||||
OM_uint32 status, tmpMinor;
|
|
||||||
gss_mechanism mech;
|
|
||||||
+ gss_OID selected_mech;
|
|
||||||
|
|
||||||
if (minor == NULL)
|
|
||||||
return GSS_S_CALL_INACCESSIBLE_WRITE;
|
|
||||||
@@ -173,7 +174,11 @@ gss_inquire_attrs_for_mech(
|
|
||||||
if (known_mech_attrs != NULL)
|
|
||||||
*known_mech_attrs = GSS_C_NO_OID_SET;
|
|
||||||
|
|
||||||
- mech = gssint_get_mechanism((gss_OID)mech_oid);
|
|
||||||
+ status = gssint_select_mech_type(minor, mech_oid, &selected_mech);
|
|
||||||
+ if (status != GSS_S_COMPLETE)
|
|
||||||
+ return (status);
|
|
||||||
+
|
|
||||||
+ mech = gssint_get_mechanism(selected_mech);
|
|
||||||
if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) {
|
|
||||||
status = mech->gss_inquire_attrs_for_mech(minor,
|
|
||||||
mech_oid,
|
|
||||||
--
|
|
||||||
2.6.4
|
|
||||||
|
|
@ -1,3 +1,15 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 28 20:27:37 UTC 2016 - michael@stroeder.com
|
||||||
|
|
||||||
|
- removed obsolete patches:
|
||||||
|
* 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
|
||||||
|
* krb5-mechglue_inqure_attrs.patch
|
||||||
|
- Upgrade from 1.14.1 to 1.14.2:
|
||||||
|
* Fix a moderate-severity vulnerability in the LDAP KDC back end that
|
||||||
|
could be exploited by a privileged kadmin user [CVE-2016-3119]
|
||||||
|
* Improve documentation
|
||||||
|
* Fix some interactions with GSSAPI interposer mechanisms
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com
|
Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com
|
||||||
|
|
||||||
|
@ -16,7 +16,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
%define srcRoot krb5-1.14.1
|
%define srcRoot krb5-1.14.2
|
||||||
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
||||||
%define krb5docdir %{_defaultdocdir}/krb5
|
%define krb5docdir %{_defaultdocdir}/krb5
|
||||||
|
|
||||||
@ -29,7 +29,7 @@ BuildRequires: keyutils-devel
|
|||||||
BuildRequires: libcom_err-devel
|
BuildRequires: libcom_err-devel
|
||||||
BuildRequires: libselinux-devel
|
BuildRequires: libselinux-devel
|
||||||
BuildRequires: ncurses-devel
|
BuildRequires: ncurses-devel
|
||||||
Version: 1.14.1
|
Version: 1.14.2
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
|
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -65,7 +65,6 @@ Patch11: krb5-1.12-ksu-path.patch
|
|||||||
Patch12: krb5-1.12-selinux-label.patch
|
Patch12: krb5-1.12-selinux-label.patch
|
||||||
Patch13: krb5-1.9-debuginfo.patch
|
Patch13: krb5-1.9-debuginfo.patch
|
||||||
Patch15: krb5-fix_interposer.patch
|
Patch15: krb5-fix_interposer.patch
|
||||||
Patch16: krb5-mechglue_inqure_attrs.patch
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
PreReq: mktemp, grep, /bin/touch, coreutils
|
PreReq: mktemp, grep, /bin/touch, coreutils
|
||||||
PreReq: %fillup_prereq
|
PreReq: %fillup_prereq
|
||||||
@ -111,7 +110,6 @@ Include Files for Development
|
|||||||
%patch12 -p1
|
%patch12 -p1
|
||||||
%patch13 -p0
|
%patch13 -p0
|
||||||
%patch15 -p1
|
%patch15 -p1
|
||||||
%patch16 -p1
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# needs to be re-generated
|
# needs to be re-generated
|
||||||
|
12
krb5.changes
12
krb5.changes
@ -1,3 +1,15 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 28 20:27:37 UTC 2016 - michael@stroeder.com
|
||||||
|
|
||||||
|
- removed obsolete patches:
|
||||||
|
* 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
|
||||||
|
* krb5-mechglue_inqure_attrs.patch
|
||||||
|
- Upgrade from 1.14.1 to 1.14.2:
|
||||||
|
* Fix a moderate-severity vulnerability in the LDAP KDC back end that
|
||||||
|
could be exploited by a privileged kadmin user [CVE-2016-3119]
|
||||||
|
* Improve documentation
|
||||||
|
* Fix some interactions with GSSAPI interposer mechanisms
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com
|
Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com
|
||||||
|
|
||||||
|
@ -25,7 +25,7 @@ BuildRequires: keyutils-devel
|
|||||||
BuildRequires: libcom_err-devel
|
BuildRequires: libcom_err-devel
|
||||||
BuildRequires: libselinux-devel
|
BuildRequires: libselinux-devel
|
||||||
BuildRequires: ncurses-devel
|
BuildRequires: ncurses-devel
|
||||||
Version: 1.14.1
|
Version: 1.14.2
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: MIT Kerberos5 Implementation--Libraries
|
Summary: MIT Kerberos5 Implementation--Libraries
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -65,8 +65,6 @@ Patch11: krb5-1.12-ksu-path.patch
|
|||||||
Patch12: krb5-1.12-selinux-label.patch
|
Patch12: krb5-1.12-selinux-label.patch
|
||||||
Patch13: krb5-1.9-debuginfo.patch
|
Patch13: krb5-1.9-debuginfo.patch
|
||||||
Patch15: krb5-fix_interposer.patch
|
Patch15: krb5-fix_interposer.patch
|
||||||
Patch16: krb5-mechglue_inqure_attrs.patch
|
|
||||||
Patch107: 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
PreReq: mktemp, grep, /bin/touch, coreutils
|
PreReq: mktemp, grep, /bin/touch, coreutils
|
||||||
PreReq: %fillup_prereq
|
PreReq: %fillup_prereq
|
||||||
@ -179,8 +177,6 @@ Include Files for Development
|
|||||||
%patch12 -p1
|
%patch12 -p1
|
||||||
%patch13 -p0
|
%patch13 -p0
|
||||||
%patch15 -p1
|
%patch15 -p1
|
||||||
%patch16 -p1
|
|
||||||
%patch107 -p1
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# needs to be re-generated
|
# needs to be re-generated
|
||||||
|
Loading…
Reference in New Issue
Block a user