New upstream prerelease (1.16-beta2)

This commit is contained in:
Robbie Harwood 2017-11-27 22:15:25 +00:00
parent 17620d4f26
commit 6f4f842e5f
16 changed files with 43 additions and 156 deletions

.gitignore vendored

@ -157,3 +157,6 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.16-beta1-pdfs.tar
/krb5-1.16-beta1.tar.gz
/krb5-1.16-beta1.tar.gz.asc
/krb5-1.16-beta2.tar.gz
/krb5-1.16-beta2.tar.gz.asc
/krb5-1.16-beta2-pdfs.tar


@ -1,103 +0,0 @@
From 82854302309e2a513908cf85ed9321113ef26a08 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 24 Oct 2017 15:09:57 -0400
Subject: [PATCH] Fix PKINIT cert matching data construction
Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
allocation and to perform proper error checking.
(cherry picked from commit 5a2faf2802480548ff6a7261552ee17efaed7be1)
---
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 61 +++++++---------------
1 file changed, 19 insertions(+), 42 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index f7640baf1..9fa20a8b2 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -5002,33 +5002,23 @@ out:
return retval;
}
-/*
- * Return a string format of an X509_NAME in buf where
- * size is an in/out parameter. On input it is the size
- * of the buffer, and on output it is the actual length
- * of the name.
- * If buf is NULL, returns the length req'd to hold name
- */
-static char *
-X509_NAME_oneline_ex(X509_NAME * a,
- char *buf,
- unsigned int *size,
- unsigned long flag)
+static krb5_error_code
+rfc2253_name(X509_NAME *name, char **str_out)
{
- BIO *out = NULL;
+ BIO *b = NULL;
+ char *str;
- out = BIO_new(BIO_s_mem ());
- if (X509_NAME_print_ex(out, a, 0, flag) > 0) {
- if (buf != NULL && (*size) > (unsigned int) BIO_number_written(out)) {
- memset(buf, 0, *size);
- BIO_read(out, buf, (int) BIO_number_written(out));
- }
- else {
- *size = BIO_number_written(out);
- }
- }
- BIO_free(out);
- return (buf);
+ *str_out = NULL;
+ b = BIO_new(BIO_s_mem());
+ if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)
+ return ENOMEM;
+ str = calloc(BIO_number_written(b) + 1, 1);
+ if (str == NULL)
+ return ENOMEM;
+ BIO_read(b, str, BIO_number_written(b));
+ BIO_free(b);
+ *str_out = str;
+ return 0;
}
/*
@@ -5094,8 +5084,6 @@ get_matching_data(krb5_context context,
pkinit_cert_matching_data *md = NULL;
krb5_principal *pkinit_sans = NULL, *upn_sans = NULL;
size_t i, j;
- char buf[DN_BUF_LEN];
- unsigned int bufsize = sizeof(buf);
*md_out = NULL;
@@ -5103,23 +5091,12 @@ get_matching_data(krb5_context context,
if (md == NULL)
goto cleanup;
- /* Get the subject name (in rfc2253 format). */
- X509_NAME_oneline_ex(X509_get_subject_name(cert), buf, &bufsize,
- XN_FLAG_SEP_COMMA_PLUS);
- md->subject_dn = strdup(buf);
- if (md->subject_dn == NULL) {
- ret = ENOMEM;
+ ret = rfc2253_name(X509_get_subject_name(cert), &md->subject_dn);
+ if (ret)
goto cleanup;
- }
-
- /* Get the issuer name (in rfc2253 format). */
- X509_NAME_oneline_ex(X509_get_issuer_name(cert), buf, &bufsize,
- XN_FLAG_SEP_COMMA_PLUS);
- md->issuer_dn = strdup(buf);
- if (md->issuer_dn == NULL) {
- ret = ENOMEM;
+ ret = rfc2253_name(X509_get_issuer_name(cert), &md->issuer_dn);
+ if (ret)
goto cleanup;
- }
/* Get the SAN data. */
ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx,


@ -1,35 +0,0 @@
From 697f19c5bfd4470c167d35c7af43c82a32660b82 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 1 Mar 2017 17:46:22 -0500
Subject: [PATCH] Use GSSAPI fallback skiptest
Also-authored-by: Matt Rogers <mrogers@redhat.com>
[rharwood@redhat.com: Adjusted patch to apply]
---
src/appl/gss-sample/Makefile.in | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/appl/gss-sample/Makefile.in b/src/appl/gss-sample/Makefile.in
index 28e59f90f..9806fd327 100644
--- a/src/appl/gss-sample/Makefile.in
+++ b/src/appl/gss-sample/Makefile.in
@@ -6,6 +6,8 @@ SRCS= $(srcdir)/gss-client.c $(srcdir)/gss-misc.c $(srcdir)/gss-server.c
OBJS= gss-client.o gss-misc.o gss-server.o
+LBITS = $(shell /usr/bin/getconf LONG_BIT)
+
all-unix: gss-server gss-client
##WIN32##VERSIONRC = $(BUILDTOP)\windows\version.rc
@@ -43,7 +45,9 @@ clean-unix::
$(RM) gss-server gss-client
check-pytests:
- $(RUNPYTEST) $(srcdir)/t_gss_sample.py $(PYTESTFLAGS)
+ if ! [ $(LBITS) -eq 32 ]; then \
+ $(RUNPYTEST) $(srcdir)/t_gss_sample.py $(PYTESTFLAGS); \
+ fi
install-unix:
$(INSTALL_PROGRAM) gss-client $(DESTDIR)$(CLIENT_BINDIR)/gss-client


@ -1,8 +1,9 @@
From 3e94cf1accf2b33bd0c8cf54eb58b4777f411cc6 Mon Sep 17 00:00:00 2001
From f92f616e67909fe76f7628fa0fd1e28320c7e4c3 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:52:01 -0400
Subject: [PATCH] krb5-1.11-kpasswdtest.patch
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/kadmin/testing/proto/krb5.conf.proto | 1 +
1 file changed, 1 insertion(+)


@ -1,4 +1,4 @@
From 9e7e92ae1dcd242044f2dfe3b89926ddddb6a221 Mon Sep 17 00:00:00 2001
From 1940160be747f4c62ff00b95bc7d34301cf313d2 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:57 -0400
Subject: [PATCH] krb5-1.11-run_user_0.patch
@ -6,6 +6,8 @@ Subject: [PATCH] krb5-1.11-run_user_0.patch
A hack: if we're looking at creating a ccache directory directly below
the /run/user/0 directory, and /run/user/0 doesn't exist, try to create
it, too.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/lib/krb5/ccache/cc_dir.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)


@ -1,4 +1,4 @@
From 9a6cfaaecd1a37e74dba285decd03bb4a3382f9a Mon Sep 17 00:00:00 2001
From f872d1b9d44ae48846641dab97b546665fbc1c33 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:00 -0400
Subject: [PATCH] krb5-1.12-api.patch
@ -6,6 +6,8 @@ Subject: [PATCH] krb5-1.12-api.patch
Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/lib/krb5/krb/princ_comp.c | 7 +++++++
1 file changed, 7 insertions(+)


@ -1,9 +1,11 @@
From 7b3bdbc0ca882325291caad391c4d328f174a614 Mon Sep 17 00:00:00 2001
From 5bcd5fc7c793f1345d8e052c9242a93e17562ad6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:32:09 -0400
Subject: [PATCH] krb5-1.12-ksu-path.patch
Set the default PATH to the one set by login.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/clients/ksu/Makefile.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)


@ -1,4 +1,4 @@
From 1ede8564105568182e3cf6f273ab820453e2f025 Mon Sep 17 00:00:00 2001
From 690b710e3cdf40cb9b9184ed6883f26c0d5d0d39 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:33:53 -0400
Subject: [PATCH] krb5-1.12-ktany.patch
@ -6,6 +6,8 @@ Subject: [PATCH] krb5-1.12-ktany.patch
Adds an "ANY" keytab type which is a list of other keytab locations to search
when searching for a specific entry. When iterated through, it only presents
the contents of the first keytab.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/lib/krb5/keytab/Makefile.in | 3 +
src/lib/krb5/keytab/kt_any.c | 292 ++++++++++++++++++++++++++++++++++++++++


@ -1,4 +1,4 @@
From 385194db1a08c1b923f9eb75e9602b56720fd50e Mon Sep 17 00:00:00 2001
From 42f20ac00a2f71dcef166b0cbf2db58d02f117c8 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] krb5-1.12.1-pam.patch
@ -16,6 +16,8 @@ When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges, and to apply on top of
changes we're proposing for how it handles cache collections.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/aclocal.m4 | 67 ++++++++
src/clients/ksu/Makefile.in | 8 +-


@ -1,10 +1,12 @@
From 850689009f9aeddc0b63051a3e2883d02b05387e Mon Sep 17 00:00:00 2001
From fd3013f4dec1dfdfa40a8161cfdfea87aaac8e35 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:44 -0400
Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch
Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from
original version filed as RT#5891.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/aclocal.m4 | 9 +++++++++
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 17 +++++++++++++++++


@ -1,4 +1,4 @@
From 285eaffa69e9c2ff7f0adf017d192b5e7afb7002 Mon Sep 17 00:00:00 2001
From e4103ccd0ad37297c64440ce9153e3dd355e1d5a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:45:26 -0400
Subject: [PATCH] krb5-1.15-beta1-buildconf.patch
@ -8,6 +8,8 @@ and install shared libraries with the execute bit set on them. Prune out
the -L/usr/lib* and PIE flags where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/build-tools/krb5-config.in | 7 +++++++
src/config/pre.in | 2 +-


@ -1,4 +1,4 @@
From d38588a165302d915eb6b4da0c2755601547bcd1 Mon Sep 17 00:00:00 2001
From 36874eb7b52ccc606f705029d6a5c83f77cea2c4 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] krb5-1.15.1-selinux-label.patch
@ -35,6 +35,8 @@ stomp all over us.
The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/aclocal.m4 | 49 +++
src/build-tools/krb5-config.in | 3 +-


@ -1,9 +1,11 @@
From 4bc124bfff119d436eeb1af7b9d5726e17284d67 Mon Sep 17 00:00:00 2001
From 5f9dccda2e9f4637732aa4071d37e76a3526fd6c Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:46:21 -0400
Subject: [PATCH] krb5-1.3.1-dns.patch
We want to be able to use --with-netlib and --enable-dns at the same time.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/aclocal.m4 | 1 +
1 file changed, 1 insertion(+)


@ -1,4 +1,4 @@
From 82f8b63ae3955423456adf15790c10eb1145ec52 Mon Sep 17 00:00:00 2001
From 1eeb1b3e0ceb5500e5c1102d2144203352f0d00f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH] krb5-1.9-debuginfo.patch
@ -6,6 +6,8 @@ Subject: [PATCH] krb5-1.9-debuginfo.patch
We want to keep these y.tab.c files around because the debuginfo points to
them. It would be more elegant at the end to use symbolic links, but that
could mess up people working in the tree on other things.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/kadmin/cli/Makefile.in | 5 +++++
src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-


@ -9,7 +9,7 @@
%global configured_default_ccache_name KEYRING:persistent:%%{uid}
# leave empty or set to e.g., -beta2
%global prerelease -beta1
%global prerelease -beta2
# Should be in form 5.0, 6.1, etc.
%global kdbversion 7.0
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.16
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 0.beta1.4%{?dist}
Release: 0.beta2.1%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@ -60,8 +60,6 @@ Patch33: krb5-1.13-dirsrv-accountlock.patch
Patch34: krb5-1.9-debuginfo.patch
Patch35: krb5-1.11-run_user_0.patch
Patch36: krb5-1.11-kpasswdtest.patch
Patch43: Use-GSSAPI-fallback-skiptest.patch
Patch44: Fix-PKINIT-cert-matching-data-construction.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -714,6 +712,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Mon Nov 27 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-0.beta2.1
- New upstream prerelease (1.16-beta2)
* Tue Oct 24 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-0.beta1.4
- Fix CVE-2017-15088 (Buffer overflow in get_matching_data())
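Review bot: The changelog entry added at `* Mon Nov 27 2017 Robbie Harwood ... - 1.16-0.beta2.1` records only the rebase, while the hunk at `@ -60,8 +60,6 @@` also drops Patch43 and Patch44, the latter being the CVE-2017-15088 fix that the previous changelog entry advertises. Presumably both are carried by 1.16-beta2 upstream (the removed patch file itself says it was cherry-picked from 5a2faf28), but that reasoning is not recorded anywhere in the spec or the commit message. A one-line changelog addition such as `- Drop Fix-PKINIT-cert-matching-data-construction.patch and Use-GSSAPI-fallback-skiptest.patch, now upstream` would keep the CVE fix traceable across the rebase for anyone auditing the package history.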


@ -1,3 +1,3 @@
SHA512 (krb5-1.16-beta1-pdfs.tar) = 79329b7978101723a5c9f55773ac69bd1986c716e6d8b4cd42cbf17a8e85cd49f13b376e0b4b0ccca485b5a5a79d6bce8ace0c22df79b6f0a47a74c387f83ffd
SHA512 (krb5-1.16-beta1.tar.gz) = 68dba5212d2dd28ed0bc4961931af8d291bcdf2805baa4e930b0218f7749dc1e4dfe696aacca0529787f274b99fe5a8297f3e13877f724ee983483b399daf2c9
SHA512 (krb5-1.16-beta1.tar.gz.asc) = 342272496897b4a4452d73186b7d19bbc3155e38fe39e0e852e03ce4757a3284baefbb1c49653e53d36e96ab587a7acb718e14c8281ccca85cb0de4c7d0b730e
SHA512 (krb5-1.16-beta2.tar.gz) = 12dfbac5357e1bfa6acce4ea8ee690015136c0297c08405ed8a77ba219ed1490cbf35eaa3d7ab3cd517cdfcd697dfa6c64efd6270f5419d7e2914ed562338ea7
SHA512 (krb5-1.16-beta2.tar.gz.asc) = c653f7babc9baf58528fde523169e971aada520a606ade2afdb22d7aa9c513a7fec2662f6ba4b344bde0ad8ebc1ebd4e7fc90960c50b3ff44867a9c547749613
SHA512 (krb5-1.16-beta2-pdfs.tar) = f3791cbe3b6cedbc07af70b2e6c87aabe921a637e419096fa37faff40538e0575237c006ee0df56e5c728988b0677faef41f26e61501e5ab8851591ea12faa3a