rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

krb5 1.21.2-3

Browse Source 
- Fix double free in klist's show_ccache()
  Resolves: rhbz#2257301
- Store krb5-tests files in architecture-specific directories
  Resolves: rhbz#2244601

Signed-off-by: Julien Rische <jrische@redhat.com>
This commit is contained in:
Julien Rische 2024-01-17 11:32:17 +01:00
parent 0fe5c327ec
commit 1ed0e3a2d8
4 changed files with 100 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
0017-Remove-klist-s-defname-global-variable.patch Normal file
View File

@ -0,0 +1,69 @@
From c5cdf6f71621569c6c389be720937ac97ace988f Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Mon, 8 Jan 2024 16:52:27 +0100
Subject: [PATCH] Remove klist's defname global variable
Addition of a "cleanup" section in kinit's show_ccache() function as
part of commit 6c5471176f5266564fbc8a7e02f03b4b042202f8 introduced a
double-free bug, because defname is a global variable. After the
first call, successive calls may take place with a dangling pointer in
defname, which will be freed if krb5_cc_get_principal() fails.
Convert "defname" to a local variable initialized at the beginning of
show_ccache().
[ghudson@mit.edu: edited commit message]
---
src/clients/klist/klist.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index 43392d2337..394c75b6b7 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -53,7 +53,6 @@ int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0;
int show_etype = 0, show_addresses = 0, no_resolve = 0, print_version = 0;
int show_adtype = 0, show_all = 0, list_all = 0, use_client_keytab = 0;
int show_config = 0;
-char *defname;
char *progname;
krb5_timestamp now;
unsigned int timestamp_width;
@@ -62,7 +61,7 @@ krb5_context context;
static krb5_boolean is_local_tgt(krb5_principal princ, krb5_data *realm);
static char *etype_string(krb5_enctype );
-static void show_credential(krb5_creds *);
+static void show_credential(krb5_creds *, const char *);
static void list_all_ccaches(void);
static int list_ccache(krb5_ccache);
@@ -473,6 +472,7 @@ show_ccache(krb5_ccache cache)
krb5_creds creds;
krb5_principal princ = NULL;
krb5_error_code ret;
+ char *defname = NULL;
int status = 1;
ret = krb5_cc_get_principal(context, cache, &princ);
@@ -503,7 +503,7 @@ show_ccache(krb5_ccache cache)
}
while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
if (show_config || !krb5_is_config_principal(context, creds.server))
- show_credential(&creds);
+ show_credential(&creds, defname);
krb5_free_cred_contents(context, &creds);
}
if (ret == KRB5_CC_END) {
@@ -676,7 +676,7 @@ print_config_data(int col, krb5_data *data)
}
static void
-show_credential(krb5_creds *cred)
+show_credential(krb5_creds *cred, const char *defname)
{
krb5_error_code ret;
krb5_ticket *tkt = NULL;
--
2.41.0

7
krb5-tests
View File

@ -12,6 +12,7 @@ trap "rm -rf ${testdir}" EXIT
build_flags="$(eval "echo $(rpm --eval '%{_smp_mflags}')")" build_flags="$(eval "echo $(rpm --eval '%{_smp_mflags}')")"
cp -rp /usr/share/{{ name }}-tests "${testdir}/" mkdir "${testdir}/{{ name }}-tests"
make -C "${testdir}/{{ name }}-tests" $build_flags cp -rp /usr/share/{{ name }}-tests/{{ arch }} "${testdir}/{{ name }}-tests/"
keyctl session - make -C "${testdir}/{{ name }}-tests" check make -C "${testdir}/{{ name }}-tests/{{ arch }}/" $build_flags
keyctl session - make -C "${testdir}/{{ name }}-tests/{{ arch }}/" check

36
krb5.spec
View File

@ -10,7 +10,7 @@
# #
# baserelease is what we have standardized across Fedora and what # baserelease is what we have standardized across Fedora and what
# rpmdev-bumpspec knows how to handle. # rpmdev-bumpspec knows how to handle.
%global baserelease 2 %global baserelease 3
# This should be e.g. beta1 or %%nil # This should be e.g. beta1 or %%nil
%global pre_release %nil %global pre_release %nil
@ -489,37 +489,37 @@ rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/services.append"
rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so" rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so"
# Generate tests launching script # Generate tests launching script
sed -e 's/{{ name }}/%{name}/' \ sed -e 's/{{ name }}/%{name}/g' \
-e 's/{{ version }}/%{krb5_version}/' \ -e 's/{{ version }}/%{krb5_version}/g' \
-e 's/{{ release }}/%{krb5_release}/' \ -e 's/{{ release }}/%{krb5_release}/g' \
-e 's/{{ arch }}/%{_arch}/' \ -e 's/{{ arch }}/%{_arch}/g' \
-i %{SOURCE15} -i %{SOURCE15}
mkdir -p $RPM_BUILD_ROOT%{_libexecdir} mkdir -p $RPM_BUILD_ROOT%{_libexecdir}
install -pm 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/ install -pm 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/%{name}-tests-%{_arch}
# Copy source files from build folder to system data folder # Copy source files from build folder to system data folder
install -pdm 755 $RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests install -pdm 755 $RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}
pushd src pushd src
cp -p --parents -t "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/" \ cp -p --parents -t "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/" \
$(find . -type f -exec file -i "{}" + \ $(find . -type f -exec file -i "{}" + \
| sed -ne 's|^\./\([^:]\+\): \+text/.\+$|\1|p') | sed -ne 's|^\./\([^:]\+\): \+text/.\+$|\1|p')
popd popd
# Copy binary test files # Copy binary test files
install -pm 644 src/tests/pkinit-certs/*.p12 \ install -pm 644 src/tests/pkinit-certs/*.p12 \
"$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/tests/pkinit-certs/" "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/tests/pkinit-certs/"
install -pm 644 src/tests/au_dict.json \ install -pm 644 src/tests/au_dict.json \
"$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/tests/" "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/tests/"
# Unset executable bit if no shebang in script # Unset executable bit if no shebang in script
for f in $(find "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/" -type f -executable) for f in $(find "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/" -type f -executable)
do do
head -n1 "$f" | grep -Eq '^#!' || chmod a-x "$f" head -n1 "$f" | grep -Eq '^#!' || chmod a-x "$f"
done done
# Remove broken shebang Perl scripts # Remove broken shebang Perl scripts
rm -- "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/config/wconfig.pl" rm -- "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/config/wconfig.pl"
rm -- "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/kadmin/kdbkeys/do-test.pl" rm -- "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/kadmin/kdbkeys/do-test.pl"
%find_lang %{gettext_domain} %find_lang %{gettext_domain}
@ -707,10 +707,16 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkadm5srv_mit.so.*
%files tests %files tests
%{_libexecdir}/%{name}-tests %{_libexecdir}/%{name}-tests-%{_arch}
%{_datarootdir}/%{name}-tests/ %{_datarootdir}/%{name}-tests/%{_arch}
%changelog %changelog
* Wed Jan 17 2024 Julien Rische <jrische@redhat.com> - 1.21.2-3
- Fix double free in klist's show_ccache()
Resolves: rhbz#2257301
- Store krb5-tests files in architecture-specific directories
Resolves: rhbz#2244601
* Tue Oct 10 2023 Julien Rische <jrische@redhat.com> - 1.21.2-2 * Tue Oct 10 2023 Julien Rische <jrische@redhat.com> - 1.21.2-2
- Use SPDX expression for license tag - Use SPDX expression for license tag
- Fix unimportant memory leaks - Fix unimportant memory leaks

7
tests/upstream/test.sh
View File

@ -1,2 +1,7 @@
#!/bin/sh -eux #!/bin/sh -eux
/usr/libexec/krb5-tests rc=0
for test_exec in /usr/libexec/krb5-tests-*
do
"$test_exec" || rc=1
done
exit $rc