diff --git a/.gitignore b/.gitignore index df05a67..3cbaf2f 100644 --- a/.gitignore +++ b/.gitignore @@ -157,3 +157,6 @@ krb5-1.8.3-pdf.tar.gz /krb5-1.16-beta1-pdfs.tar /krb5-1.16-beta1.tar.gz /krb5-1.16-beta1.tar.gz.asc +/krb5-1.16-beta2.tar.gz +/krb5-1.16-beta2.tar.gz.asc +/krb5-1.16-beta2-pdfs.tar diff --git a/Fix-PKINIT-cert-matching-data-construction.patch b/Fix-PKINIT-cert-matching-data-construction.patch deleted file mode 100644 index 577db58..0000000 --- a/Fix-PKINIT-cert-matching-data-construction.patch +++ /dev/null @@ -1,103 +0,0 @@ -From 82854302309e2a513908cf85ed9321113ef26a08 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 24 Oct 2017 15:09:57 -0400 -Subject: [PATCH] Fix PKINIT cert matching data construction - -Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic -allocation and to perform proper error checking. - -(cherry picked from commit 5a2faf2802480548ff6a7261552ee17efaed7be1) ---- - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 61 +++++++--------------- - 1 file changed, 19 insertions(+), 42 deletions(-) - -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index f7640baf1..9fa20a8b2 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -5002,33 +5002,23 @@ out: - return retval; - } - --/* -- * Return a string format of an X509_NAME in buf where -- * size is an in/out parameter. On input it is the size -- * of the buffer, and on output it is the actual length -- * of the name. -- * If buf is NULL, returns the length req'd to hold name -- */ --static char * --X509_NAME_oneline_ex(X509_NAME * a, -- char *buf, -- unsigned int *size, -- unsigned long flag) -+static krb5_error_code -+rfc2253_name(X509_NAME *name, char **str_out) - { -- BIO *out = NULL; -+ BIO *b = NULL; -+ char *str; - -- out = BIO_new(BIO_s_mem ()); -- if (X509_NAME_print_ex(out, a, 0, flag) > 0) { -- if (buf != NULL && (*size) > (unsigned int) BIO_number_written(out)) { -- memset(buf, 0, *size); -- BIO_read(out, buf, (int) BIO_number_written(out)); -- } -- else { -- *size = BIO_number_written(out); -- } -- } -- BIO_free(out); -- return (buf); -+ *str_out = NULL; -+ b = BIO_new(BIO_s_mem()); -+ if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0) -+ return ENOMEM; -+ str = calloc(BIO_number_written(b) + 1, 1); -+ if (str == NULL) -+ return ENOMEM; -+ BIO_read(b, str, BIO_number_written(b)); -+ BIO_free(b); -+ *str_out = str; -+ return 0; - } - - /* -@@ -5094,8 +5084,6 @@ get_matching_data(krb5_context context, - pkinit_cert_matching_data *md = NULL; - krb5_principal *pkinit_sans = NULL, *upn_sans = NULL; - size_t i, j; -- char buf[DN_BUF_LEN]; -- unsigned int bufsize = sizeof(buf); - - *md_out = NULL; - -@@ -5103,23 +5091,12 @@ get_matching_data(krb5_context context, - if (md == NULL) - goto cleanup; - -- /* Get the subject name (in rfc2253 format). */ -- X509_NAME_oneline_ex(X509_get_subject_name(cert), buf, &bufsize, -- XN_FLAG_SEP_COMMA_PLUS); -- md->subject_dn = strdup(buf); -- if (md->subject_dn == NULL) { -- ret = ENOMEM; -+ ret = rfc2253_name(X509_get_subject_name(cert), &md->subject_dn); -+ if (ret) - goto cleanup; -- } -- -- /* Get the issuer name (in rfc2253 format). */ -- X509_NAME_oneline_ex(X509_get_issuer_name(cert), buf, &bufsize, -- XN_FLAG_SEP_COMMA_PLUS); -- md->issuer_dn = strdup(buf); -- if (md->issuer_dn == NULL) { -- ret = ENOMEM; -+ ret = rfc2253_name(X509_get_issuer_name(cert), &md->issuer_dn); -+ if (ret) - goto cleanup; -- } - - /* Get the SAN data. */ - ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx, diff --git a/Use-GSSAPI-fallback-skiptest.patch b/Use-GSSAPI-fallback-skiptest.patch deleted file mode 100644 index 14beb76..0000000 --- a/Use-GSSAPI-fallback-skiptest.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 697f19c5bfd4470c167d35c7af43c82a32660b82 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Wed, 1 Mar 2017 17:46:22 -0500 -Subject: [PATCH] Use GSSAPI fallback skiptest - -Also-authored-by: Matt Rogers -[rharwood@redhat.com: Adjusted patch to apply] ---- - src/appl/gss-sample/Makefile.in | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/appl/gss-sample/Makefile.in b/src/appl/gss-sample/Makefile.in -index 28e59f90f..9806fd327 100644 ---- a/src/appl/gss-sample/Makefile.in -+++ b/src/appl/gss-sample/Makefile.in -@@ -6,6 +6,8 @@ SRCS= $(srcdir)/gss-client.c $(srcdir)/gss-misc.c $(srcdir)/gss-server.c - - OBJS= gss-client.o gss-misc.o gss-server.o - -+LBITS = $(shell /usr/bin/getconf LONG_BIT) -+ - all-unix: gss-server gss-client - - ##WIN32##VERSIONRC = $(BUILDTOP)\windows\version.rc -@@ -43,7 +45,9 @@ clean-unix:: - $(RM) gss-server gss-client - - check-pytests: -- $(RUNPYTEST) $(srcdir)/t_gss_sample.py $(PYTESTFLAGS) -+ if ! [ $(LBITS) -eq 32 ]; then \ -+ $(RUNPYTEST) $(srcdir)/t_gss_sample.py $(PYTESTFLAGS); \ -+ fi - - install-unix: - $(INSTALL_PROGRAM) gss-client $(DESTDIR)$(CLIENT_BINDIR)/gss-client diff --git a/krb5-1.11-kpasswdtest.patch b/krb5-1.11-kpasswdtest.patch index 92f3dab..3932d5f 100644 --- a/krb5-1.11-kpasswdtest.patch +++ b/krb5-1.11-kpasswdtest.patch @@ -1,8 +1,9 @@ -From 3e94cf1accf2b33bd0c8cf54eb58b4777f411cc6 Mon Sep 17 00:00:00 2001 +From f92f616e67909fe76f7628fa0fd1e28320c7e4c3 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:52:01 -0400 Subject: [PATCH] krb5-1.11-kpasswdtest.patch +Signed-off-by: Robbie Harwood --- src/kadmin/testing/proto/krb5.conf.proto | 1 + 1 file changed, 1 insertion(+) diff --git a/krb5-1.11-run_user_0.patch b/krb5-1.11-run_user_0.patch index 9c4cf0e..83e5f9c 100644 --- a/krb5-1.11-run_user_0.patch +++ b/krb5-1.11-run_user_0.patch @@ -1,4 +1,4 @@ -From 9e7e92ae1dcd242044f2dfe3b89926ddddb6a221 Mon Sep 17 00:00:00 2001 +From 1940160be747f4c62ff00b95bc7d34301cf313d2 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:57 -0400 Subject: [PATCH] krb5-1.11-run_user_0.patch @@ -6,6 +6,8 @@ Subject: [PATCH] krb5-1.11-run_user_0.patch A hack: if we're looking at creating a ccache directory directly below the /run/user/0 directory, and /run/user/0 doesn't exist, try to create it, too. + +Signed-off-by: Robbie Harwood --- src/lib/krb5/ccache/cc_dir.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/krb5-1.12-api.patch b/krb5-1.12-api.patch index 0b8ec6f..6c588df 100644 --- a/krb5-1.12-api.patch +++ b/krb5-1.12-api.patch @@ -1,4 +1,4 @@ -From 9a6cfaaecd1a37e74dba285decd03bb4a3382f9a Mon Sep 17 00:00:00 2001 +From f872d1b9d44ae48846641dab97b546665fbc1c33 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:47:00 -0400 Subject: [PATCH] krb5-1.12-api.patch @@ -6,6 +6,8 @@ Subject: [PATCH] krb5-1.12-api.patch Reference docs don't define what happens if you call krb5_realm_compare() with malformed krb5_principal structures. Define a behavior which keeps it from crashing if applications don't check ahead of time. + +Signed-off-by: Robbie Harwood --- src/lib/krb5/krb/princ_comp.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/krb5-1.12-ksu-path.patch b/krb5-1.12-ksu-path.patch index 43178b9..8a46429 100644 --- a/krb5-1.12-ksu-path.patch +++ b/krb5-1.12-ksu-path.patch @@ -1,9 +1,11 @@ -From 7b3bdbc0ca882325291caad391c4d328f174a614 Mon Sep 17 00:00:00 2001 +From 5bcd5fc7c793f1345d8e052c9242a93e17562ad6 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:32:09 -0400 Subject: [PATCH] krb5-1.12-ksu-path.patch Set the default PATH to the one set by login. + +Signed-off-by: Robbie Harwood --- src/clients/ksu/Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krb5-1.12-ktany.patch b/krb5-1.12-ktany.patch index 24135fd..3fe3310 100644 --- a/krb5-1.12-ktany.patch +++ b/krb5-1.12-ktany.patch @@ -1,4 +1,4 @@ -From 1ede8564105568182e3cf6f273ab820453e2f025 Mon Sep 17 00:00:00 2001 +From 690b710e3cdf40cb9b9184ed6883f26c0d5d0d39 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:33:53 -0400 Subject: [PATCH] krb5-1.12-ktany.patch @@ -6,6 +6,8 @@ Subject: [PATCH] krb5-1.12-ktany.patch Adds an "ANY" keytab type which is a list of other keytab locations to search when searching for a specific entry. When iterated through, it only presents the contents of the first keytab. + +Signed-off-by: Robbie Harwood --- src/lib/krb5/keytab/Makefile.in | 3 + src/lib/krb5/keytab/kt_any.c | 292 ++++++++++++++++++++++++++++++++++++++++ diff --git a/krb5-1.12.1-pam.patch b/krb5-1.12.1-pam.patch index c56606f..9ae19e0 100644 --- a/krb5-1.12.1-pam.patch +++ b/krb5-1.12.1-pam.patch @@ -1,4 +1,4 @@ -From 385194db1a08c1b923f9eb75e9602b56720fd50e Mon Sep 17 00:00:00 2001 +From 42f20ac00a2f71dcef166b0cbf2db58d02f117c8 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:29:58 -0400 Subject: [PATCH] krb5-1.12.1-pam.patch @@ -16,6 +16,8 @@ When enabled, ksu gains a dependency on libpam. Originally RT#5939, though it's changed since then to perform the account and session management before dropping privileges, and to apply on top of changes we're proposing for how it handles cache collections. + +Signed-off-by: Robbie Harwood --- src/aclocal.m4 | 67 ++++++++ src/clients/ksu/Makefile.in | 8 +- diff --git a/krb5-1.13-dirsrv-accountlock.patch b/krb5-1.13-dirsrv-accountlock.patch index 47716dc..cd40cbf 100644 --- a/krb5-1.13-dirsrv-accountlock.patch +++ b/krb5-1.13-dirsrv-accountlock.patch @@ -1,10 +1,12 @@ -From 850689009f9aeddc0b63051a3e2883d02b05387e Mon Sep 17 00:00:00 2001 +From fd3013f4dec1dfdfa40a8161cfdfea87aaac8e35 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:47:44 -0400 Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from original version filed as RT#5891. + +Signed-off-by: Robbie Harwood --- src/aclocal.m4 | 9 +++++++++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 17 +++++++++++++++++ diff --git a/krb5-1.15-beta1-buildconf.patch b/krb5-1.15-beta1-buildconf.patch index b0024ec..493c3fa 100644 --- a/krb5-1.15-beta1-buildconf.patch +++ b/krb5-1.15-beta1-buildconf.patch @@ -1,4 +1,4 @@ -From 285eaffa69e9c2ff7f0adf017d192b5e7afb7002 Mon Sep 17 00:00:00 2001 +From e4103ccd0ad37297c64440ce9153e3dd355e1d5a Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:45:26 -0400 Subject: [PATCH] krb5-1.15-beta1-buildconf.patch @@ -8,6 +8,8 @@ and install shared libraries with the execute bit set on them. Prune out the -L/usr/lib* and PIE flags where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. + +Signed-off-by: Robbie Harwood --- src/build-tools/krb5-config.in | 7 +++++++ src/config/pre.in | 2 +- diff --git a/krb5-1.15.1-selinux-label.patch b/krb5-1.15.1-selinux-label.patch index 475f74d..35b98e6 100644 --- a/krb5-1.15.1-selinux-label.patch +++ b/krb5-1.15.1-selinux-label.patch @@ -1,4 +1,4 @@ -From d38588a165302d915eb6b4da0c2755601547bcd1 Mon Sep 17 00:00:00 2001 +From 36874eb7b52ccc606f705029d6a5c83f77cea2c4 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:30:53 -0400 Subject: [PATCH] krb5-1.15.1-selinux-label.patch @@ -35,6 +35,8 @@ stomp all over us. The selabel APIs for looking up the context should be thread-safe (per Red Hat #273081), so switching to using them instead of matchpathcon(), which we used earlier, is some improvement. + +Signed-off-by: Robbie Harwood --- src/aclocal.m4 | 49 +++ src/build-tools/krb5-config.in | 3 +- diff --git a/krb5-1.3.1-dns.patch b/krb5-1.3.1-dns.patch index c50f1df..193fe8a 100644 --- a/krb5-1.3.1-dns.patch +++ b/krb5-1.3.1-dns.patch @@ -1,9 +1,11 @@ -From 4bc124bfff119d436eeb1af7b9d5726e17284d67 Mon Sep 17 00:00:00 2001 +From 5f9dccda2e9f4637732aa4071d37e76a3526fd6c Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:46:21 -0400 Subject: [PATCH] krb5-1.3.1-dns.patch We want to be able to use --with-netlib and --enable-dns at the same time. + +Signed-off-by: Robbie Harwood --- src/aclocal.m4 | 1 + 1 file changed, 1 insertion(+) diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch index 57a8b32..a5e4590 100644 --- a/krb5-1.9-debuginfo.patch +++ b/krb5-1.9-debuginfo.patch @@ -1,4 +1,4 @@ -From 82f8b63ae3955423456adf15790c10eb1145ec52 Mon Sep 17 00:00:00 2001 +From 1eeb1b3e0ceb5500e5c1102d2144203352f0d00f Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:25 -0400 Subject: [PATCH] krb5-1.9-debuginfo.patch @@ -6,6 +6,8 @@ Subject: [PATCH] krb5-1.9-debuginfo.patch We want to keep these y.tab.c files around because the debuginfo points to them. It would be more elegant at the end to use symbolic links, but that could mess up people working in the tree on other things. + +Signed-off-by: Robbie Harwood --- src/kadmin/cli/Makefile.in | 5 +++++ src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +- diff --git a/krb5.spec b/krb5.spec index cf24c0a..fb6da8c 100644 --- a/krb5.spec +++ b/krb5.spec @@ -9,7 +9,7 @@ %global configured_default_ccache_name KEYRING:persistent:%%{uid} # leave empty or set to e.g., -beta2 -%global prerelease -beta1 +%global prerelease -beta2 # Should be in form 5.0, 6.1, etc. %global kdbversion 7.0 @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.16 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 0.beta1.4%{?dist} +Release: 0.beta2.1%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz @@ -60,8 +60,6 @@ Patch33: krb5-1.13-dirsrv-accountlock.patch Patch34: krb5-1.9-debuginfo.patch Patch35: krb5-1.11-run_user_0.patch Patch36: krb5-1.11-kpasswdtest.patch -Patch43: Use-GSSAPI-fallback-skiptest.patch -Patch44: Fix-PKINIT-cert-matching-data-construction.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -714,6 +712,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Mon Nov 27 2017 Robbie Harwood - 1.16-0.beta2.1 +- New upstream prerelease (1.16-beta2) + * Tue Oct 24 2017 Robbie Harwood - 1.16-0.beta1.4 - Fix CVE-2017-15088 (Buffer overflow in get_matching_data()) diff --git a/sources b/sources index d5f6442..1def434 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (krb5-1.16-beta1-pdfs.tar) = 79329b7978101723a5c9f55773ac69bd1986c716e6d8b4cd42cbf17a8e85cd49f13b376e0b4b0ccca485b5a5a79d6bce8ace0c22df79b6f0a47a74c387f83ffd -SHA512 (krb5-1.16-beta1.tar.gz) = 68dba5212d2dd28ed0bc4961931af8d291bcdf2805baa4e930b0218f7749dc1e4dfe696aacca0529787f274b99fe5a8297f3e13877f724ee983483b399daf2c9 -SHA512 (krb5-1.16-beta1.tar.gz.asc) = 342272496897b4a4452d73186b7d19bbc3155e38fe39e0e852e03ce4757a3284baefbb1c49653e53d36e96ab587a7acb718e14c8281ccca85cb0de4c7d0b730e +SHA512 (krb5-1.16-beta2.tar.gz) = 12dfbac5357e1bfa6acce4ea8ee690015136c0297c08405ed8a77ba219ed1490cbf35eaa3d7ab3cd517cdfcd697dfa6c64efd6270f5419d7e2914ed562338ea7 +SHA512 (krb5-1.16-beta2.tar.gz.asc) = c653f7babc9baf58528fde523169e971aada520a606ade2afdb22d7aa9c513a7fec2662f6ba4b344bde0ad8ebc1ebd4e7fc90960c50b3ff44867a9c547749613 +SHA512 (krb5-1.16-beta2-pdfs.tar) = f3791cbe3b6cedbc07af70b2e6c87aabe921a637e419096fa37faff40538e0575237c006ee0df56e5c728988b0677faef41f26e61501e5ab8851591ea12faa3a