diff --git a/.gitignore b/.gitignore
index f2aef73..fb86978 100644
--- a/.gitignore
+++ b/.gitignore
@@ -133,3 +133,6 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.14.1-pdfs.tar
 /krb5-1.14.1.tar.gz
 /krb5-1.14.1.tar.gz.asc
+/krb5-1.14.3.tar.gz
+/krb5-1.14.3.tar.gz.asc
+/krb5-1.14.3-pdfs.tar
diff --git a/krb5-1.14.1-interpose-enable-inquire_attrs_for_mech.patch b/krb5-1.14.1-interpose-enable-inquire_attrs_for_mech.patch
deleted file mode 100644
index c18765d..0000000
--- a/krb5-1.14.1-interpose-enable-inquire_attrs_for_mech.patch
+++ /dev/null
@@ -1,54 +0,0 @@ -From 3be2b486058758cfcd16c8af0a8f560159e77cda Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Mon, 11 Jan 2016 17:50:39 -0500 -Subject: [PATCH] Enable interposing gss_inquire_attrs_for_mech() - -Use gssint_select_mech_type() to locate an interposer mechanism, and -pass the public mech OID to the mech. Also call map_error() on the -resulting minor code. - -ticket: 8330 (new) ---- - src/lib/gssapi/mechglue/g_mechattr.c | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c -index e9299f4..57c0e52 100644 ---- a/src/lib/gssapi/mechglue/g_mechattr.c -+++ b/src/lib/gssapi/mechglue/g_mechattr.c -@@ -160,6 +160,7 @@ gss_inquire_attrs_for_mech( - gss_OID_set *known_mech_attrs) - { - OM_uint32 status, tmpMinor; -+ gss_OID selected_mech, public_mech; - gss_mechanism mech; - - if (minor == NULL) -@@ -173,14 +174,20 @@ gss_inquire_attrs_for_mech( - if (known_mech_attrs != NULL) - *known_mech_attrs = GSS_C_NO_OID_SET; - -- mech = gssint_get_mechanism((gss_OID)mech_oid); -+ status = gssint_select_mech_type(minor, mech_oid, &selected_mech); -+ if (status != GSS_S_COMPLETE) -+ return status; -+ -+ mech = gssint_get_mechanism(selected_mech); - if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) { -- status = mech->gss_inquire_attrs_for_mech(minor, -- mech_oid, -+ public_mech = gssint_get_public_oid(selected_mech); -+ status = mech->gss_inquire_attrs_for_mech(minor, public_mech, - mech_attrs, - known_mech_attrs); -- if (GSS_ERROR(status)) -+ if (GSS_ERROR(status)) { -+ map_error(minor, mech); - return status; -+ } - } - - if (known_mech_attrs != NULL && *known_mech_attrs == GSS_C_NO_OID_SET) { --- -2.7.0 - diff --git a/krb5-1.14.1-interpose-fix-inquire_attrs_for_mech.patch b/krb5-1.14.1-interpose-fix-inquire_attrs_for_mech.patch deleted file mode 100644 index d23f45b..0000000 
--- a/krb5-1.14.1-interpose-fix-inquire_attrs_for_mech.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 030a4a03a0480969d6acf1591f39fd194642805a Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Wed, 27 Jan 2016 18:48:04 -0500 -Subject: [PATCH] Report inquire_attrs_for_mech mech failures - -Previously, gss_inquire_attrs_for_mech() would return a list of mech -attributes that it knew about when given a bad mech oid or a mechanism -which did not provide a gss_inquire_attrs_for_mech() method. It seems -more useful to just report the failure to the application rather than -allowing it to continue with a faulty mechanism. - -ticket: 8358 (new) ---- - src/lib/gssapi/mechglue/g_mechattr.c | 19 ++++++++++--------- - 1 file changed, 10 insertions(+), 9 deletions(-) - -diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c -index 57c0e52..08a6008 100644 ---- a/src/lib/gssapi/mechglue/g_mechattr.c -+++ b/src/lib/gssapi/mechglue/g_mechattr.c -@@ -179,15 +179,16 @@ gss_inquire_attrs_for_mech( - return status; - - mech = gssint_get_mechanism(selected_mech); -- if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) { -- public_mech = gssint_get_public_oid(selected_mech); -- status = mech->gss_inquire_attrs_for_mech(minor, public_mech, -- mech_attrs, -- known_mech_attrs); -- if (GSS_ERROR(status)) { -- map_error(minor, mech); -- return status; -- } -+ if (mech == NULL) -+ return GSS_S_BAD_MECH; -+ else if (mech->gss_inquire_attrs_for_mech == NULL) -+ return GSS_S_UNAVAILABLE; -+ public_mech = gssint_get_public_oid(selected_mech); -+ status = mech->gss_inquire_attrs_for_mech(minor, public_mech, mech_attrs, -+ known_mech_attrs); -+ if (GSS_ERROR(status)) { -+ map_error(minor, mech); -+ return status; - } - - if (known_mech_attrs != NULL && *known_mech_attrs == GSS_C_NO_OID_SET) { --- -2.7.0 - 
diff --git a/krb5-1.14.1-interpose-inquire_saslname_for_mech.patch b/krb5-1.14.1-interpose-inquire_saslname_for_mech.patch
deleted file mode 100644
index 417cd4d..0000000
--- a/krb5-1.14.1-interpose-inquire_saslname_for_mech.patch
+++ /dev/null
@@ -1,75 +0,0 @@ -From 92dbcf2eb436933f769c17e6a10f671992636e5f Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Tue, 12 Jan 2016 11:13:09 -0500 -Subject: [PATCH] Enable interposing gss_inquire_saslname_for_mech - -The behavior of gss_inquire_saslname_for_mech() changes slightly, to -report GSS_S_BAD_MECH when an unsupported mech oid is given. Also -call map_error() on the minor code resulting from the mech. - -Note that gss_inquire_mech_for_saslname() cannot be interposed, as -mech_type is specified as output-only in RFC 5801. - -ticket: 8359 (new) ---- - src/lib/gssapi/mechglue/g_saslname.c | 27 ++++++++++++++++++++------- - 1 file changed, 20 insertions(+), 7 deletions(-) - -diff --git a/src/lib/gssapi/mechglue/g_saslname.c b/src/lib/gssapi/mechglue/g_saslname.c -index b025d9c..48060c3 100644 ---- a/src/lib/gssapi/mechglue/g_saslname.c -+++ b/src/lib/gssapi/mechglue/g_saslname.c -@@ -113,7 +113,8 @@ OM_uint32 KRB5_CALLCONV gss_inquire_saslname_for_mech( - gss_buffer_t mech_name, - gss_buffer_t mech_description) - { -- OM_uint32 status = GSS_S_BAD_MECH; -+ OM_uint32 status; -+ gss_OID selected_mech, public_mech; - gss_mechanism mech; - - if (minor_status == NULL) -@@ -136,15 +137,26 @@ OM_uint32 KRB5_CALLCONV gss_inquire_saslname_for_mech( - mech_description->value = NULL; - } - -+ status = gssint_select_mech_type(minor_status, desired_mech, -+ &selected_mech); -+ if (status != GSS_S_COMPLETE) -+ return status; -+ - mech = gssint_get_mechanism(desired_mech); -- if (mech != NULL && mech->gss_inquire_saslname_for_mech != NULL) { -- status = mech->gss_inquire_saslname_for_mech(minor_status, -- desired_mech, -- sasl_mech_name, -- mech_name, -+ if (mech == NULL) { -+ return GSS_S_BAD_MECH; -+ } else if (mech->gss_inquire_saslname_for_mech == NULL) { -+ status = GSS_S_UNAVAILABLE; -+ } else { -+ public_mech = gssint_get_public_oid(selected_mech); -+ status = mech->gss_inquire_saslname_for_mech(minor_status, public_mech, -+ sasl_mech_name, mech_name, - 
mech_description); -+ if (status != GSS_S_COMPLETE) -+ map_error(minor_status, mech); - } -- if (status == GSS_S_BAD_MECH) { -+ -+ if (status == GSS_S_UNAVAILABLE) { - if (sasl_mech_name != GSS_C_NO_BUFFER) - status = oidToSaslNameAlloc(minor_status, desired_mech, - sasl_mech_name); -@@ -155,6 +167,7 @@ OM_uint32 KRB5_CALLCONV gss_inquire_saslname_for_mech( - return status; - } - -+/* We cannot interpose this function as mech_type is an output parameter. */ - OM_uint32 KRB5_CALLCONV gss_inquire_mech_for_saslname( - OM_uint32 *minor_status, - const gss_buffer_t sasl_mech_name, --- -2.7.0 - diff --git a/krb5-1.14.1-interpose-public_oid_fixups.patch b/krb5-1.14.1-interpose-public_oid_fixups.patch deleted file mode 100644 index 82f63a2..0000000 --- a/krb5-1.14.1-interpose-public_oid_fixups.patch +++ /dev/null 
@@ -1,152 +0,0 @@ -From fe73f1130695880bd83cf811c37131b12711be23 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Tue, 12 Jan 2016 15:59:49 -0500 -Subject: [PATCH] Use public OID for interposing several functions - -This resolves an issue where an interposer would receive the private -OID, and be unable to call back into krb5 in the expected manner in -gss_inquire_names_for_mech(), gss_inquire_cred_by_mech(), -gss_localname(), gss_store_cred(), and gss_store_cred_into(). - -Also change the return code of gss_localname() to GSS_S_BAD_MECH -instead of GSS_S_UNAVAILABLE on mech lookup failure, for consistency -with other functions. - -ticket: 8360 (new) ---- - src/lib/gssapi/mechglue/g_inq_cred.c | 5 +++-- - src/lib/gssapi/mechglue/g_inq_names.c | 28 +++++++++++----------------- - src/lib/gssapi/mechglue/g_store_cred.c | 6 ++++-- - src/lib/gssapi/mechglue/gssd_pname_to_uid.c | 7 ++++--- - 4 files changed, 22 insertions(+), 24 deletions(-) - -diff --git a/src/lib/gssapi/mechglue/g_inq_cred.c b/src/lib/gssapi/mechglue/g_inq_cred.c -index c8e45fe..c5577d4 100644 ---- a/src/lib/gssapi/mechglue/g_inq_cred.c -+++ b/src/lib/gssapi/mechglue/g_inq_cred.c -@@ -169,7 +169,7 @@ gss_inquire_cred_by_mech(minor_status, cred_handle, mech_type, name, - gss_mechanism mech; - OM_uint32 status, temp_minor_status; - gss_name_t internal_name; -- gss_OID selected_mech; -+ gss_OID selected_mech, public_mech; - - if (minor_status != NULL) - *minor_status = 0; -@@ -198,8 +198,9 @@ gss_inquire_cred_by_mech(minor_status, cred_handle, mech_type, name, - return (GSS_S_DEFECTIVE_CREDENTIAL); - #endif - -+ public_mech = gssint_get_public_oid(selected_mech); - status = mech->gss_inquire_cred_by_mech(minor_status, -- mech_cred, selected_mech, -+ mech_cred, public_mech, - name ? 
&internal_name : NULL, - initiator_lifetime, - acceptor_lifetime, cred_usage); -diff --git a/src/lib/gssapi/mechglue/g_inq_names.c b/src/lib/gssapi/mechglue/g_inq_names.c -index b44fd6c..d22af8b 100644 ---- a/src/lib/gssapi/mechglue/g_inq_names.c -+++ b/src/lib/gssapi/mechglue/g_inq_names.c -@@ -40,7 +40,7 @@ gss_OID_set * name_types; - - { - OM_uint32 status; -- gss_OID selected_mech = GSS_C_NO_OID; -+ gss_OID selected_mech = GSS_C_NO_OID, public_mech; - gss_mechanism mech; - - /* Initialize outputs. */ -@@ -70,23 +70,17 @@ gss_OID_set * name_types; - return (status); - - mech = gssint_get_mechanism(selected_mech); -+ if (mech == NULL) -+ return GSS_S_BAD_MECH; -+ else if (mech->gss_inquire_names_for_mech == NULL) -+ return GSS_S_UNAVAILABLE; -+ public_mech = gssint_get_public_oid(selected_mech); -+ status = mech->gss_inquire_names_for_mech(minor_status, public_mech, -+ name_types); -+ if (status != GSS_S_COMPLETE) -+ map_error(minor_status, mech); - -- if (mech) { -- -- if (mech->gss_inquire_names_for_mech) { -- status = mech->gss_inquire_names_for_mech( -- minor_status, -- selected_mech, -- name_types); -- if (status != GSS_S_COMPLETE) -- map_error(minor_status, mech); -- } else -- status = GSS_S_UNAVAILABLE; -- -- return(status); -- } -- -- return (GSS_S_BAD_MECH); -+ return status; - } - - static OM_uint32 -diff --git a/src/lib/gssapi/mechglue/g_store_cred.c b/src/lib/gssapi/mechglue/g_store_cred.c -index 030c73f..c2b6ddf 100644 ---- a/src/lib/gssapi/mechglue/g_store_cred.c -+++ b/src/lib/gssapi/mechglue/g_store_cred.c -@@ -24,15 +24,17 @@ store_cred_fallback( - gss_OID_set *elements_stored, - gss_cred_usage_t *cred_usage_stored) - { -+ gss_OID public_mech = gssint_get_public_oid(desired_mech); -+ - if (mech->gss_store_cred_into != NULL) { - return mech->gss_store_cred_into(minor_status, mech_cred, -- cred_usage, desired_mech, -+ cred_usage, public_mech, - overwrite_cred, default_cred, - cred_store, elements_stored, - cred_usage_stored); - } else if 
(cred_store == GSS_C_NO_CRED_STORE) { - return mech->gss_store_cred(minor_status, mech_cred, -- cred_usage, desired_mech, -+ cred_usage, public_mech, - overwrite_cred, default_cred, - elements_stored, - cred_usage_stored); -diff --git a/src/lib/gssapi/mechglue/gssd_pname_to_uid.c b/src/lib/gssapi/mechglue/gssd_pname_to_uid.c -index 4e7b644..4caa751 100644 ---- a/src/lib/gssapi/mechglue/gssd_pname_to_uid.c -+++ b/src/lib/gssapi/mechglue/gssd_pname_to_uid.c -@@ -123,7 +123,7 @@ gss_localname(OM_uint32 *minor, - gss_mechanism mech; - gss_union_name_t unionName; - gss_name_t mechName = GSS_C_NO_NAME, mechNameP; -- gss_OID selected_mech = GSS_C_NO_OID; -+ gss_OID selected_mech = GSS_C_NO_OID, public_mech; - - if (localname != GSS_C_NO_BUFFER) { - localname->length = 0; -@@ -152,7 +152,7 @@ gss_localname(OM_uint32 *minor, - mech = gssint_get_mechanism(unionName->mech_type); - - if (mech == NULL) -- return GSS_S_UNAVAILABLE; -+ return GSS_S_BAD_MECH; - - /* may need to create a mechanism specific name */ - if (unionName->mech_type == GSS_C_NO_OID || -@@ -170,7 +170,8 @@ gss_localname(OM_uint32 *minor, - major = GSS_S_UNAVAILABLE; - - if (mech->gss_localname != NULL) { -- major = mech->gss_localname(minor, mechNameP, mech_type, localname); -+ public_mech = gssint_get_public_oid(selected_mech); -+ major = mech->gss_localname(minor, mechNameP, public_mech, localname); - if (GSS_ERROR(major)) - map_error(minor, mech); - } --- -2.7.0 - diff --git a/krb5-1.14.2-Revisit-inquire_attrs_for_mech-on-old-mechs.patch b/krb5-1.14.2-Revisit-inquire_attrs_for_mech-on-old-mechs.patch deleted file mode 100644 index 66dd166..0000000 --- a/krb5-1.14.2-Revisit-inquire_attrs_for_mech-on-old-mechs.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 89683d1f135765e91041f3a239af865b11aaf86b Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 15 Mar 2016 17:45:26 -0400 -Subject: [PATCH] Revisit inquire_attrs_for_mech on old mechs - -In gss_inquire_attrs_for_mech(), if the mech does not implement RFC -5587, return success with empty mech_attrs and known_mech_attrs sets -to indicate a lack of knowledge for all attributes. The previous -behavior of returning an error caused gss_indicate_mechs_by_attr() to -fail out in the presence of an old mechanism, in turn causing -gss_acquire_cred() and SPNEGO to break. - -ticket: 8358 ---- - src/lib/gssapi/mechglue/g_mechattr.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c -index 08a6008..e49651e 100644 ---- a/src/lib/gssapi/mechglue/g_mechattr.c -+++ b/src/lib/gssapi/mechglue/g_mechattr.c -@@ -181,8 +181,12 @@ gss_inquire_attrs_for_mech( - mech = gssint_get_mechanism(selected_mech); - if (mech == NULL) - return GSS_S_BAD_MECH; -- else if (mech->gss_inquire_attrs_for_mech == NULL) -- return GSS_S_UNAVAILABLE; -+ -+ /* If the mech does not implement RFC 5587, return success with an empty -+ * mech_attrs and known_mech_attrs. */ -+ if (mech->gss_inquire_attrs_for_mech == NULL) -+ return GSS_S_COMPLETE; -+ - public_mech = gssint_get_public_oid(selected_mech); - status = mech->gss_inquire_attrs_for_mech(minor, public_mech, mech_attrs, - known_mech_attrs); --- -2.7.0 - diff --git a/krb5-1.14.3-fix_otp_as_key.patch b/krb5-1.14.3-fix_otp_as_key.patch deleted file mode 100644 index 0a47bf0..0000000 --- a/krb5-1.14.3-fix_otp_as_key.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 9929130f03f6a7f8a5f1acc23e92a609c8f27938 Mon Sep 17 00:00:00 2001 -From: Nathaniel McCallum -Date: Thu, 26 May 2016 16:54:29 -0400 -Subject: [PATCH] Avoid setting AS key when OTP preauth fails - -In otp_client_process(), call cb->set_as_key() later in the function -after the OTP request has been created. The previous position of this -call caused the AS key to be replaced even when later code in the -function failed, preventing other preauth mechanisms from retrieving -the correct AS key. - -ticket: 8421 (new) -target_version: 1.14-new -target_version: 1.13-new -tags: pullup ---- - src/lib/krb5/krb/preauth_otp.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c -index d9ddc8b..3de528b 100644 ---- a/src/lib/krb5/krb/preauth_otp.c -+++ b/src/lib/krb5/krb/preauth_otp.c -@@ -1081,11 +1081,6 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata, - if (as_key == NULL) - return ENOENT; - -- /* Use FAST armor key as response key. */ -- retval = cb->set_as_key(context, rock, as_key); -- if (retval != 0) -- return retval; -- - /* Attempt to get token selection from the responder. */ - pin = empty_data(); - value = empty_data(); -@@ -1115,6 +1110,11 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata, - if (retval != 0) - goto error; - -+ /* Use FAST armor key as response key. */ -+ retval = cb->set_as_key(context, rock, as_key); -+ if (retval != 0) -+ goto error; -+ - /* Encode the request into the pa_data output. */ - retval = set_pa_data(req, pa_data_out); - error: --- -2.8.1 - diff --git a/krb5-1.14.3-krad-recv.patch b/krb5-1.14.3-krad-recv.patch deleted file mode 100644 index 9016c88..0000000 --- a/krb5-1.14.3-krad-recv.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From c969e8a37617e9c7743a28177dd3808f7d08cee9 Mon Sep 17 00:00:00 2001 -From: Nathaniel McCallum -Date: Tue, 21 Jun 2016 16:12:36 -0400 -Subject: [PATCH] Fix incorrect recv() size calculation in libkrad - -Before this patch libkrad would always subtract the existing buffer -length from pktlen before passing it to recv(). In the case of stream -sockets, this is incorrect since krad_packet_bytes_needed() already -performs this calculation. Subtracting the buffer length twice could -cause integer underflow on the len parameter to recv(). - -ticket: 8430 (new) -target_version: 1.14-next -target_version: 1.13-next -tags: pullup ---- - src/lib/krad/remote.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c -index aaabffd..df3de3a 100644 ---- a/src/lib/krad/remote.c -+++ b/src/lib/krad/remote.c -@@ -315,7 +315,7 @@ on_io_read(krad_remote *rr) - request *tmp, *r; - int i; - -- pktlen = sizeof(rr->buffer_); -+ pktlen = sizeof(rr->buffer_) - rr->buffer.length; - if (rr->info->ai_socktype == SOCK_STREAM) { - pktlen = krad_packet_bytes_needed(&rr->buffer); - if (pktlen < 0) { -@@ -328,7 +328,7 @@ on_io_read(krad_remote *rr) - - /* Read the packet. */ - i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length, -- pktlen - rr->buffer.length, 0); -+ pktlen, 0); - if (i < 0) { - /* Should we try again? */ - if (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR) --- -2.8.1 - diff --git a/krb5-1.14.4-CVE-2016-3120.patch b/krb5-1.14.4-CVE-2016-3120.patch deleted file mode 100644 index fa412aa..0000000 --- a/krb5-1.14.4-CVE-2016-3120.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 19 Jul 2016 11:00:28 -0400 -Subject: [PATCH] Fix S4U2Self KDC crash when anon is restricted - -In validate_as_request(), when enforcing restrict_anonymous_to_tgt, -use client.princ instead of request->client; the latter is NULL when -validating S4U2Self requests. - -CVE-2016-3120: - -In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc -to dereference a null pointer if the restrict_anonymous_to_tgt option -is set to true, by making an S4U2Self request. - - CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C - -ticket: 8458 (new) -target_version: 1.14-next -target_version: 1.13-next ---- - src/kdc/kdc_util.c | 2 +- - src/tests/t_pkinit.py | 5 +++++ - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index 776e130..29f9dbb 100644 ---- a/src/kdc/kdc_util.c -+++ b/src/kdc/kdc_util.c -@@ -739,7 +739,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm, - return(KDC_ERR_MUST_USE_USER2USER); - } - -- if (check_anon(kdc_active_realm, request->client, request->server) != 0) { -+ if (check_anon(kdc_active_realm, client.princ, request->server) != 0) { - *status = "ANONYMOUS NOT ALLOWED"; - return(KDC_ERR_POLICY); - } -diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py -index b66c458..f0214b6 100755 ---- a/src/tests/t_pkinit.py -+++ b/src/tests/t_pkinit.py -@@ -93,6 +93,11 @@ out = realm.run([kvno, realm.host_princ], expected_code=1) - if 'KDC policy rejects request' not in out: - fail('Wrong error for restricted anonymous PKINIT') - -+# Regression test for #8458: S4U2Self requests crash the KDC if -+# anonymous is restricted. -+realm.kinit(realm.host_princ, flags=['-k']) -+realm.run([kvno, '-U', 'user', realm.host_princ]) -+ - # Go back to a normal KDC and disable anonymous PKINIT. - realm.stop_kdc() - realm.start_kdc() --- -2.8.1 - 
diff --git a/krb5-CVE-2016-3119.patch b/krb5-CVE-2016-3119.patch deleted file mode 100644 index 15f2528..0000000 --- a/krb5-CVE-2016-3119.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Mon, 14 Mar 2016 17:26:34 -0400 -Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119] - -In the LDAP KDB module's process_db_args(), strtok_r() may return NULL -if there is an empty string in the db_args array. Check for this case -and avoid dereferencing a null pointer. - -CVE-2016-3119: - -In MIT krb5 1.6 and later, an authenticated attacker with permission -to modify a principal entry can cause kadmind to dereference a null -pointer by supplying an empty DB argument to the modify_principal -command, if kadmind is configured to use the LDAP KDB module. - - CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND - -ticket: 8383 (new) -target_version: 1.14-next -target_version: 1.13-next -tags: pullup ---- - src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -index 6e591e1..79c4cf0 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -@@ -296,6 +296,7 @@ process_db_args(krb5_context context, char **db_args, xargs_t *xargs, - if (db_args) { - for (i=0; db_args[i]; ++i) { - arg = strtok_r(db_args[i], "=", &arg_val); -+ arg = (arg != NULL) ? arg : ""; - if (strcmp(arg, TKTPOLICY_ARG) == 0) { - dptr = &xargs->tktpolicydn; - } else { --- -2.7.0 - diff --git a/krb5.spec b/krb5.spec index b6ab77e..5f0e080 100644 --- a/krb5.spec +++ b/krb5.spec 
@@ -12,8 +12,8 @@ Summary: The Kerberos network authentication system Name: krb5 -Version: 1.14.1 -Release: 9%{?dist} +Version: 1.14.3 +Release: 1%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # - The sources below are stored in a lookaside cache. Upload with @@ -60,21 +60,9 @@ Patch148: krb5-disable_ofd_locks.patch Patch150: krb5-acquire_cred_interposer.patch Patch153: krb5-1.14.1-log_file_permissions.patch -Patch158: krb5-1.14.1-interpose-enable-inquire_attrs_for_mech.patch -Patch159: krb5-1.14.1-interpose-fix-inquire_attrs_for_mech.patch -Patch160: krb5-1.14.1-interpose-inquire_saslname_for_mech.patch -Patch161: krb5-1.14.1-interpose-public_oid_fixups.patch -Patch162: krb5-1.14.2-Revisit-inquire_attrs_for_mech-on-old-mechs.patch - -Patch163: krb5-CVE-2016-3119.patch - Patch164: krb5-1.15-kdc_send_receive_hooks.patch Patch165: krb5-1.15-kdc_hooks_test.patch -Patch166: krb5-1.14.3-fix_otp_as_key.patch -Patch167: krb5-1.14.3-krad-recv.patch -Patch168: krb5-1.14.4-CVE-2016-3120.patch - License: MIT URL: http://web.mit.edu/kerberos/www/ Group: System Environment/Libraries @@ -83,9 +71,12 @@ BuildRequires: autoconf, bison, cmake, flex, gawk, gettext, pkgconfig, sed BuildRequires: libcom_err-devel, libedit-devel, libss-devel BuildRequires: gzip, ncurses-devel BuildRequires: python-sphinx, texlive-pdftex -# Taken from \usepackage directives produced by sphinx: + +# Originally from \usepackage directives produced by sphinx: BuildRequires: tex(babel.sty) BuildRequires: tex(bookmark.sty) +BuildRequires: tex(capt-of.sty) +BuildRequires: tex(eqparbox.sty) BuildRequires: tex(fancybox.sty) BuildRequires: tex(fncychap.sty) BuildRequires: tex(fontenc.sty) 
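Review bot: The `Patch163:` and `Patch168:` removals in the `@@ -60,21 +60,9 @@` hunk (with the matching `%patch163`/`%patch168` removals further down) drop the downstream fixes for CVE-2016-3119 and CVE-2016-3120, yet the new changelog entry says only `- New upstream version 1.14.3`, so the spec no longer records where those fixes come from. The second file is named `krb5-1.14.4-CVE-2016-3120.patch`, which suggests the fix was expected upstream in 1.14.4 rather than 1.14.3. Before dropping it, confirm that the 1.14.3 tarball carries the `client.princ` change in `validate_as_request()`, and likewise that the `strtok_r()` NULL check in `process_db_args()` is present. I would extend the changelog with a line such as `- Drop patches merged upstream, including the fixes for CVE-2016-3119 and CVE-2016-3120` so that an audit of the package history can still trace both CVEs to a build.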
@@ -95,12 +86,13 @@ BuildRequires: tex(ifthen.sty) BuildRequires: tex(inputenc.sty) BuildRequires: tex(longtable.sty) BuildRequires: tex(multirow.sty) +BuildRequires: tex(report.cls) +BuildRequires: tex(threeparttable.sty) BuildRequires: tex(times.sty) BuildRequires: tex(titlesec.sty) -BuildRequires: tex(threeparttable.sty) -BuildRequires: tex(wrapfig.sty) -BuildRequires: tex(report.cls) BuildRequires: tex(upquote.sty) +BuildRequires: tex(wrapfig.sty) + # Typical fonts, and the commands which we need to have present. BuildRequires: texlive, texlive-latex, texlive-texmf-fonts BuildRequires: /usr/bin/pdflatex /usr/bin/makeindex @@ -108,6 +100,7 @@ BuildRequires: keyutils, keyutils-libs-devel >= 1.5.8 BuildRequires: libselinux-devel BuildRequires: pam-devel BuildRequires: systemd-units + # For the test framework. BuildRequires: perl, dejagnu, tcl-devel BuildRequires: net-tools, rpcbind @@ -261,21 +254,9 @@ ln NOTICE LICENSE %patch150 -p1 -b .fix_interposer %patch153 -p1 -b .log_file_permissions -%patch158 -p1 -b .interpose-enable-inquire_attrs_for_mech -%patch159 -p1 -b .interpose-fix-inquire_attrs_for_mech -%patch160 -p1 -b .interpose-inquire_saslname_for_mech -%patch161 -p1 -b .interpose-public_oid_fixups -%patch162 -p1 -b .inquire_attrs_for_mech-on-old-mechs - -%patch163 -p1 -b .CVE-2016-3119 - %patch164 -p1 -b .kdc_send_receive_hooks %patch165 -p1 -b .kdc_hooks_test -%patch166 -p1 -b .fix_otp_as_key -%patch167 -p1 -b .krad-recv -%patch168 -p1 -b .CVE-2016-3120 - # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -805,6 +786,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Mon Aug 01 2016 Robbie Harwood - 1.14.3-1 +- New upstream version 1.14.3 + * Thu Jul 28 2016 Robbie Harwood - 1.14.1-9 - Fix CVE-2016-3120 - Resolves: #1361051 diff --git a/sources b/sources index ce89c20..ed8a704 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@
-ac45469a7dc1aef4d03632dada893aca krb5-1.14.1-pdfs.tar
-400de0cabbfbe85c2c36f60347bf7dc6 krb5-1.14.1.tar.gz
-98a82e313a0f23498122eba3338f7576 krb5-1.14.1.tar.gz.asc
+f76e4f8a3c95bb59980dd5ef4b48aea9 krb5-1.14.3.tar.gz
+438c48157c7b7daf6f133ffe6369342e krb5-1.14.3.tar.gz.asc
+c2385c39dfed8ecad41052abd09a49c9 krb5-1.14.3-pdfs.tar