New upstream version (1.19.2)
parent
2484569caa
commit
c4016b4e4c
@ -1,4 +1,4 @@
|
||||
From c1fe1c8fa3df7f50c7e28d52263d0d24afb4b3a1 Mon Sep 17 00:00:00 2001
|
||||
From 3a99832252755cf7e5fef2bd824459cea3eb823e Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 14 Jan 2021 18:13:09 -0500
|
||||
Subject: [PATCH] Add APIs for marshalling credentials
|
||||
|
@ -1,4 +1,4 @@
|
||||
From a0ee8b02e56c65e5dcd569caed0e151cef004ef4 Mon Sep 17 00:00:00 2001
|
||||
From 8772d8f47b7460a0eef48366881483fd9b3acfd3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Thu, 11 Feb 2021 15:33:10 +0100
|
||||
Subject: [PATCH] Add KCM_OP_GET_CRED_LIST for faster iteration
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 3e78bc5d48513fe38f3bc4228b12abcdc0733ee2 Mon Sep 17 00:00:00 2001
|
||||
From e88f0319427cee7245fb05c97a25473297c9d2d6 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Fri, 15 Jan 2021 14:43:34 -0500
|
||||
Subject: [PATCH] Add hostname canonicalization helper to k5test.py
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 090c7319652466339e3e6482bdd1b5a294638dff Mon Sep 17 00:00:00 2001
|
||||
From fb4d9fa851b1d0d3375556d1cdc1fce72176df1e Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 3 Jun 2021 16:03:07 -0400
|
||||
Subject: [PATCH] Allow kinit with keytab to defer canonicalization
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 78c03a9b5ef3e3f894bea11c89e575b9bb4d1b0f Mon Sep 17 00:00:00 2001
|
||||
From 95547c12b39e62df55cef05cae890302834b7f98 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed, 23 Jun 2021 16:57:39 -0400
|
||||
Subject: [PATCH] Clean up context after failed open in libkdb5
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 8285f21d40e30477436128ae2c28403cd5575074 Mon Sep 17 00:00:00 2001
|
||||
From 5e5ea8e8345c8b2f3254b0d346b8e0de0df3a696 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 26 May 2021 18:22:10 -0400
|
||||
Subject: [PATCH] Clean up gssapi_krb5 ccache name functions
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 04f0de4420508161ce439f262f2761ff51a07ab0 Mon Sep 17 00:00:00 2001
|
||||
From 1528c264d0e1eebff34132c01f4f770f01f1d1c2 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 29 Mar 2021 14:32:56 -0400
|
||||
Subject: [PATCH] Fix KCM flag transmission for remove_cred
|
||||
|
@ -1,4 +1,4 @@
|
||||
From a5b2cff51808cd86fe8195e7ac074ecd25c3344d Mon Sep 17 00:00:00 2001
|
||||
From 43be8fba5301d08fc4d5ddef14f8ae3d9655b0ba Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 11 May 2021 14:04:07 -0400
|
||||
Subject: [PATCH] Fix KCM retrieval support for sssd
|
||||
|
@ -1,113 +0,0 @@
|
||||
From 791211b00a53b394376d096c881b725ee739a936 Mon Sep 17 00:00:00 2001
|
||||
From: Joseph Sutton <josephsutton@catalyst.net.nz>
|
||||
Date: Wed, 7 Jul 2021 11:47:44 +1200
|
||||
Subject: [PATCH] Fix KDC null deref on bad encrypted challenge
|
||||
|
||||
The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
|
||||
to avoid further processing if the armor key is NULL. However, this
|
||||
check is bypassed by a call to k5memdup0() which overwrites retval
|
||||
with 0 if the allocation succeeds. If the armor key is NULL, a call
|
||||
to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
|
||||
crash. Add a check before the k5memdup0() call to avoid overwriting
|
||||
retval.
|
||||
|
||||
CVE-2021-36222:
|
||||
|
||||
In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
|
||||
cause a null dereference in the KDC by sending a request containing a
|
||||
PA-ENCRYPTED-CHALLENGE padata element without using FAST.
|
||||
|
||||
[ghudson@mit.edu: trimmed patch; added test case; edited commit
|
||||
message]
|
||||
|
||||
ticket: 9007 (new)
|
||||
tags: pullup
|
||||
target_version: 1.19-next
|
||||
target_version: 1.18-next
|
||||
|
||||
(cherry picked from commit fc98f520caefff2e5ee9a0026fdf5109944b3562)
|
||||
---
|
||||
src/kdc/kdc_preauth_ec.c | 3 ++-
|
||||
src/tests/Makefile.in | 1 +
|
||||
src/tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 49 insertions(+), 1 deletion(-)
|
||||
create mode 100644 src/tests/t_cve-2021-36222.py
|
||||
|
||||
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
|
||||
index 7e636b3f9..43a9902cc 100644
|
||||
--- a/src/kdc/kdc_preauth_ec.c
|
||||
+++ b/src/kdc/kdc_preauth_ec.c
|
||||
@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
|
||||
}
|
||||
|
||||
/* Check for a configured FAST ec auth indicator. */
|
||||
- realmstr = k5memdup0(realm.data, realm.length, &retval);
|
||||
+ if (retval == 0)
|
||||
+ realmstr = k5memdup0(realm.data, realm.length, &retval);
|
||||
if (realmstr != NULL)
|
||||
retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
|
||||
realmstr,
|
||||
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
|
||||
index ab416cc5f..20f27d748 100644
|
||||
--- a/src/tests/Makefile.in
|
||||
+++ b/src/tests/Makefile.in
|
||||
@@ -159,6 +159,7 @@ check-pytests: unlockiter s4u2self
|
||||
$(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
|
||||
$(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
|
||||
$(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS)
|
||||
+ $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS)
|
||||
$(RM) au.log
|
||||
$(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS)
|
||||
$(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \
|
||||
diff --git a/src/tests/t_cve-2021-36222.py b/src/tests/t_cve-2021-36222.py
|
||||
new file mode 100644
|
||||
index 000000000..57e04993b
|
||||
--- /dev/null
|
||||
+++ b/src/tests/t_cve-2021-36222.py
|
||||
@@ -0,0 +1,46 @@
|
||||
+import socket
|
||||
+from k5test import *
|
||||
+
|
||||
+realm = K5Realm()
|
||||
+
|
||||
+# CVE-2021-36222 KDC null dereference on encrypted challenge preauth
|
||||
+# without FAST
|
||||
+
|
||||
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
+a = (hostname, realm.portbase)
|
||||
+
|
||||
+m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE
|
||||
+ 'A103' '0201' '05' # [1] pvno = 5
|
||||
+ 'A203' '0201' '0A' # [2] msg-type = 10
|
||||
+ 'A30E' '300C' # [3] padata = SEQUENCE OF
|
||||
+ '300A' # SEQUENCE
|
||||
+ 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE
|
||||
+ 'A202' '0400' # [2] padata-value = ""
|
||||
+ 'A48180' '307E' # [4] req-body = SEQUENCE
|
||||
+ 'A007' '0305' '0000000000' # [0] kdc-options = 0
|
||||
+ 'A120' '301E' # [1] cname = SEQUENCE
|
||||
+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
|
||||
+ 'A117' '3015' # [1] name-string = SEQUENCE-OF
|
||||
+ '1B06' '6B7262746774' # krbtgt
|
||||
+ '1B0B' '4B5242544553542E434F4D'
|
||||
+ # KRBTEST.COM
|
||||
+ 'A20D' '1B0B' '4B5242544553542E434F4D'
|
||||
+ # [2] realm = KRBTEST.COM
|
||||
+ 'A320' '301E' # [3] sname = SEQUENCE
|
||||
+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
|
||||
+ 'A117' '3015' # [1] name-string = SEQUENCE-OF
|
||||
+ '1B06' '6B7262746774' # krbtgt
|
||||
+ '1B0B' '4B5242544553542E434F4D'
|
||||
+ # KRBTEST.COM
|
||||
+ 'A511' '180F' '31393934303631303036303331375A'
|
||||
+ # [5] till = 19940610060317Z
|
||||
+ 'A703' '0201' '00' # [7] nonce = 0
|
||||
+ 'A808' '3006' # [8] etype = SEQUENCE OF
|
||||
+ '020112' '020111') # aes256-cts aes128-cts
|
||||
+
|
||||
+s.sendto(bytes.fromhex(m), a)
|
||||
+
|
||||
+# Make sure kinit still works.
|
||||
+realm.kinit(realm.user_princ, password('user'))
|
||||
+
|
||||
+success('CVE-2021-36222 regression test')
|
@ -1,85 +0,0 @@
|
||||
From 7e6cdffd47559be61a8c26c4ed3c500c536d5368 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Fri, 16 Jul 2021 13:39:39 -0400
|
||||
Subject: [PATCH] Fix defcred leak in krb5 gss_inquire_cred()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
|
||||
management of krb5_gss_inquire_cred(), introducing defcred to act as
|
||||
an owner pointer when the function must acquire a default credential.
|
||||
The commit neglected to update the code to release the default cred
|
||||
along the successful path. The old code does not trigger because
|
||||
cred_handle is now reassigned, so the default credential is leaked.
|
||||
|
||||
Unify the success and failure cleanup for this function so that
|
||||
defcred is properly released on success.
|
||||
|
||||
Reported by Pavel Březina.
|
||||
|
||||
ticket: 9016
|
||||
tags: pullup
|
||||
target_version: 1.19-next
|
||||
target_version: 1.18-next
|
||||
|
||||
(cherry picked from commit 593e16448e1af23eef74689afe06a7bcc86e79c7)
|
||||
---
|
||||
src/lib/gssapi/krb5/inq_cred.c | 16 ++++++----------
|
||||
1 file changed, 6 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
|
||||
index a8f254110..bb63b726c 100644
|
||||
--- a/src/lib/gssapi/krb5/inq_cred.c
|
||||
+++ b/src/lib/gssapi/krb5/inq_cred.c
|
||||
@@ -127,7 +127,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
|
||||
if ((code = krb5_timeofday(context, &now))) {
|
||||
*minor_status = code;
|
||||
ret = GSS_S_FAILURE;
|
||||
- goto fail;
|
||||
+ goto cleanup;
|
||||
}
|
||||
|
||||
if (cred->expire != 0) {
|
||||
@@ -158,7 +158,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
|
||||
*minor_status = code;
|
||||
save_error_info(*minor_status, context);
|
||||
ret = GSS_S_FAILURE;
|
||||
- goto fail;
|
||||
+ goto cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -174,7 +174,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
|
||||
if (ret_name)
|
||||
kg_release_name(context, &ret_name);
|
||||
/* *minor_status set above */
|
||||
- goto fail;
|
||||
+ goto cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -190,20 +190,16 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
|
||||
|
||||
if (cred_usage)
|
||||
*cred_usage = cred->usage;
|
||||
- k5_mutex_unlock(&cred->lock);
|
||||
|
||||
if (mechanisms) {
|
||||
*mechanisms = mechs;
|
||||
mechs = GSS_C_NO_OID_SET;
|
||||
}
|
||||
|
||||
- if (cred_handle == GSS_C_NO_CREDENTIAL)
|
||||
- krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
|
||||
-
|
||||
- krb5_free_context(context);
|
||||
*minor_status = 0;
|
||||
- return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
|
||||
-fail:
|
||||
+ ret = (lifetime == 0) ? GSS_S_CREDENTIALS_EXPIRED : GSS_S_COMPLETE;
|
||||
+
|
||||
+cleanup:
|
||||
k5_mutex_unlock(&cred->lock);
|
||||
krb5_gss_release_cred(&tmpmin, &defcred);
|
||||
krb5_free_context(context);
|
@ -1,152 +0,0 @@
|
||||
From 0bf023bdbb8335f48a6a4dcf8bd5dac9c2cd7fb6 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed, 26 May 2021 15:08:28 -0400
|
||||
Subject: [PATCH] Fix doc build for Sphinx 4.0
|
||||
|
||||
Use app.add_css_file() to register krb5.css if possible (it was added
|
||||
in Sphinx 1.8), since the old name app.add_stylesheet() was removed in
|
||||
Sphinx 4.0.
|
||||
|
||||
Use the highlight directive instead of the highlightlang directive,
|
||||
which was removed in Sphinx 4.0.
|
||||
|
||||
Remove two duplicate table of contents entries to fix warnings.
|
||||
|
||||
In the Github Actions configuration, add a second doc build using the
|
||||
newest version of Sphinx.
|
||||
|
||||
ticket: 9006
|
||||
tags: pullup
|
||||
target_version: 1.19-next
|
||||
|
||||
(cherry picked from commit 3fa40a32e22cb9de91fa1d18deddcba446515855)
|
||||
---
|
||||
.github/workflows/doc.yml | 16 +++++++++++++++-
|
||||
doc/appdev/refs/macros/index.rst | 1 -
|
||||
doc/appdev/refs/types/index.rst | 1 -
|
||||
doc/appdev/refs/types/krb5_int32.rst | 2 +-
|
||||
doc/appdev/refs/types/krb5_ui_4.rst | 2 +-
|
||||
doc/conf.py | 9 ++++++++-
|
||||
doc/tools/define_document.tmpl | 2 +-
|
||||
doc/tools/type_document.tmpl | 2 +-
|
||||
8 files changed, 27 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml
|
||||
index 292df4cfe..75f467cde 100644
|
||||
--- a/.github/workflows/doc.yml
|
||||
+++ b/.github/workflows/doc.yml
|
||||
@@ -5,7 +5,7 @@ on:
|
||||
pull_request: {paths: [doc/**, src/doc/*, src/include/krb5/krb5.hin, .github/workflows/doc.yml]}
|
||||
|
||||
jobs:
|
||||
- doc:
|
||||
+ doc-older-sphinx:
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
@@ -19,6 +19,20 @@ jobs:
|
||||
run: |
|
||||
cd src/doc
|
||||
make -f Makefile.in SPHINX_ARGS=-W htmlsrc
|
||||
+ doc-newest-sphinx:
|
||||
+ runs-on: ubuntu-18.04
|
||||
+ steps:
|
||||
+ - name: Checkout repository
|
||||
+ uses: actions/checkout@v1
|
||||
+ - name: Linux setup
|
||||
+ run: |
|
||||
+ sudo apt-get update -qq
|
||||
+ sudo apt-get install -y doxygen python3-lxml python3-pip
|
||||
+ pip3 install Cheetah3 sphinx
|
||||
+ - name: Build documentation
|
||||
+ run: |
|
||||
+ cd src/doc
|
||||
+ make -f Makefile.in SPHINX_ARGS=-W htmlsrc
|
||||
- name: Upload HTML
|
||||
uses: actions/upload-artifact@v2
|
||||
with:
|
||||
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
|
||||
index 4d51e795c..0cb2e81bd 100644
|
||||
--- a/doc/appdev/refs/macros/index.rst
|
||||
+++ b/doc/appdev/refs/macros/index.rst
|
||||
@@ -54,7 +54,6 @@ Public
|
||||
ENCTYPE_DES3_CBC_RAW.rst
|
||||
ENCTYPE_DES3_CBC_SHA.rst
|
||||
ENCTYPE_DES3_CBC_SHA1.rst
|
||||
- ENCTYPE_DES3_CBC_SHA1.rst
|
||||
ENCTYPE_DES_CBC_CRC.rst
|
||||
ENCTYPE_DES_CBC_MD4.rst
|
||||
ENCTYPE_DES_CBC_MD5.rst
|
||||
diff --git a/doc/appdev/refs/types/index.rst b/doc/appdev/refs/types/index.rst
|
||||
index dc414cfde..d8d2a8f3c 100644
|
||||
--- a/doc/appdev/refs/types/index.rst
|
||||
+++ b/doc/appdev/refs/types/index.rst
|
||||
@@ -62,7 +62,6 @@ Public
|
||||
krb5_preauthtype.rst
|
||||
krb5_principal.rst
|
||||
krb5_principal_data.rst
|
||||
- krb5_const_principal.rst
|
||||
krb5_prompt.rst
|
||||
krb5_prompt_type.rst
|
||||
krb5_prompter_fct.rst
|
||||
diff --git a/doc/appdev/refs/types/krb5_int32.rst b/doc/appdev/refs/types/krb5_int32.rst
|
||||
index 2bc914b3c..28baafa38 100644
|
||||
--- a/doc/appdev/refs/types/krb5_int32.rst
|
||||
+++ b/doc/appdev/refs/types/krb5_int32.rst
|
||||
@@ -1,4 +1,4 @@
|
||||
-.. highlightlang:: c
|
||||
+.. highlight:: c
|
||||
|
||||
.. _krb5-int32-struct:
|
||||
|
||||
diff --git a/doc/appdev/refs/types/krb5_ui_4.rst b/doc/appdev/refs/types/krb5_ui_4.rst
|
||||
index de79bafe1..73eb38cf4 100644
|
||||
--- a/doc/appdev/refs/types/krb5_ui_4.rst
|
||||
+++ b/doc/appdev/refs/types/krb5_ui_4.rst
|
||||
@@ -1,4 +1,4 @@
|
||||
-.. highlightlang:: c
|
||||
+.. highlight:: c
|
||||
|
||||
.. _krb5-ui4-struct:
|
||||
|
||||
diff --git a/doc/conf.py b/doc/conf.py
|
||||
index 4fb6aae14..a876fd633 100644
|
||||
--- a/doc/conf.py
|
||||
+++ b/doc/conf.py
|
||||
@@ -98,8 +98,15 @@ pygments_style = 'sphinx'
|
||||
|
||||
# -- Options for HTML output ---------------------------------------------------
|
||||
|
||||
+# When we can rely on Sphinx 1.8 (released Sep 2018) we can just set:
|
||||
+# html_css_files = ['kerb.css']
|
||||
+# But in the meantime, we add this file using either a way that works
|
||||
+# after 1.8 or a way that works before 4.0.
|
||||
def setup(app):
|
||||
- app.add_stylesheet('kerb.css')
|
||||
+ if callable(getattr(app, 'add_css_file', None)):
|
||||
+ app.add_css_file('kerb.css')
|
||||
+ else:
|
||||
+ app.add_stylesheet('kerb.css')
|
||||
|
||||
# The theme to use for HTML and HTML Help pages. See the documentation for
|
||||
# a list of builtin themes.
|
||||
diff --git a/doc/tools/define_document.tmpl b/doc/tools/define_document.tmpl
|
||||
index ca56d866c..8e74dc302 100644
|
||||
--- a/doc/tools/define_document.tmpl
|
||||
+++ b/doc/tools/define_document.tmpl
|
||||
@@ -1,4 +1,4 @@
|
||||
-.. highlightlang:: c
|
||||
+.. highlight:: c
|
||||
|
||||
.. $composite.macro_reference($composite.name):
|
||||
|
||||
diff --git a/doc/tools/type_document.tmpl b/doc/tools/type_document.tmpl
|
||||
index 5987fa762..11aafb818 100644
|
||||
--- a/doc/tools/type_document.tmpl
|
||||
+++ b/doc/tools/type_document.tmpl
|
||||
@@ -1,4 +1,4 @@
|
||||
-.. highlightlang:: c
|
||||
+.. highlight:: c
|
||||
|
||||
.. $composite.struct_reference($composite.name):
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 201e38845e9f70234bcaa9ba7c25b28e38169b0a Mon Sep 17 00:00:00 2001
|
||||
From 7e4429640f69acdd5d4f9caa655c011d8bd736f0 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Sat, 29 May 2021 12:05:49 -0400
|
||||
Subject: [PATCH] Fix k5tls module for OpenSSL 3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From cd8ff035f5b4720a8fc457355726f7bd0eab5eaa Mon Sep 17 00:00:00 2001
|
||||
From 2d2bb9a14613b3283dabdd40c3ee28e5b680cf93 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 7 Jun 2021 15:00:41 -0400
|
||||
Subject: [PATCH] Fix kadmin -k with fallback or referral realm
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 6b2f7995ab23cffcababe537d57540236f99f0e3 Mon Sep 17 00:00:00 2001
|
||||
From a14e0fd3c1d00ba625e6d9eb72829f31527c6ad8 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed, 23 Jun 2021 16:53:16 -0400
|
||||
Subject: [PATCH] Fix leaks on error in kadm5 init functions
|
||||
|
@ -1,4 +1,4 @@
|
||||
From a86b780ef275b35e8dc1e6d1886ec8e8d941f7c4 Mon Sep 17 00:00:00 2001
|
||||
From 391379bff864751262dbcedb897f2c2dd394345f Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Sat, 15 May 2021 17:35:25 -0400
|
||||
Subject: [PATCH] Fix softpkcs11 build issues with openssl 3.0
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 5ae9bc98f23aeaa2ce17debe5a9b0cf1130e54ed Mon Sep 17 00:00:00 2001
|
||||
From 0779309f52f4c05bb1f01f638261ef1b8ca82488 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 7 Jun 2021 13:27:29 -0400
|
||||
Subject: [PATCH] Fix some principal realm canonicalization cases
|
||||
|
@ -1,38 +0,0 @@
|
||||
From bcd7b5e8aa0d325e9b178d9be3459759d39b631e Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Sat, 29 May 2021 13:25:59 -0400
|
||||
Subject: [PATCH] Fix use-after-free during krad remote_shutdown()
|
||||
|
||||
Since elements of the queue can be removed on out-of-memory errors,
|
||||
the correct call is K5_TAILQ_FOREACH_SAFE, not K5_TAILQ_FOREACH.
|
||||
Reported by Coverity.
|
||||
|
||||
ticket: 9015 (new)
|
||||
tags: pullup
|
||||
target_version: 1.19-next
|
||||
target_version: 1.18-next
|
||||
|
||||
(cherry picked from commit 8c88defb16b34937d5b72b4832c854ce2dbe32d1)
|
||||
---
|
||||
src/lib/krad/remote.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
|
||||
index eca432424..7b5804b1d 100644
|
||||
--- a/src/lib/krad/remote.c
|
||||
+++ b/src/lib/krad/remote.c
|
||||
@@ -220,12 +220,12 @@ static void
|
||||
remote_shutdown(krad_remote *rr)
|
||||
{
|
||||
krb5_error_code retval;
|
||||
- request *r;
|
||||
+ request *r, *next;
|
||||
|
||||
remote_disconnect(rr);
|
||||
|
||||
/* Start timers for all unsent packets. */
|
||||
- K5_TAILQ_FOREACH(r, &rr->list, list) {
|
||||
+ K5_TAILQ_FOREACH_SAFE(r, &rr->list, list, next) {
|
||||
if (r->timer == NULL) {
|
||||
retval = request_start_timer(r, rr->vctx);
|
||||
if (retval != 0)
|
@ -1,4 +1,4 @@
|
||||
From 2dbca7e14c945d6394e0e05f285a068dcd541295 Mon Sep 17 00:00:00 2001
|
||||
From 32ee800fa31d3bbda660bb9270f9aa20718ab202 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 30 Mar 2021 14:35:28 +0200
|
||||
Subject: [PATCH] Make KCM iteration fallback work with sssd-kcm
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 9b3d8b9c395bf1a889ea6d6439dc3543c680480d Mon Sep 17 00:00:00 2001
|
||||
From 2fd38805a159020722395e79213540d9bcfa6c71 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 22 Apr 2021 15:51:36 -0400
|
||||
Subject: [PATCH] Move some dejagnu kadmin tests to Python tests
|
||||
@ -32,7 +32,7 @@ and the ticket 2841 regression tests from pwhist.exp.
|
||||
create mode 100644 src/tests/t_kadmin.py
|
||||
|
||||
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
|
||||
index 6b7749129..ab416cc5f 100644
|
||||
index fd714eedb..20f27d748 100644
|
||||
--- a/src/tests/Makefile.in
|
||||
+++ b/src/tests/Makefile.in
|
||||
@@ -147,6 +147,7 @@ check-pytests: unlockiter s4u2self
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 5072bfdfaddae762680d0f9d97afa6dbf8274760 Mon Sep 17 00:00:00 2001
|
||||
From 0a2778833d2f04a29fe9d7122913abe42299044a Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Sat, 15 May 2021 18:04:58 -0400
|
||||
Subject: [PATCH] Remove deprecated OpenSSL calls from softpkcs11
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 3133e5e24e94bf060e23a4d97cbdf74e934d010f Mon Sep 17 00:00:00 2001
|
||||
From 818a777822658d44ce647fe975011a5ea25e8250 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Fri, 15 Jan 2021 13:51:34 -0500
|
||||
Subject: [PATCH] Support host-based GSS initiator names
|
||||
|
@ -1,4 +1,4 @@
|
||||
From c56d4b87de0f30a38dc61d374ad225d02d581eb3 Mon Sep 17 00:00:00 2001
|
||||
From 336f744403baa5dfaffcc5bd226fdd8f14a0200b Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Fri, 26 Mar 2021 23:38:54 -0400
|
||||
Subject: [PATCH] Use KCM_OP_RETRIEVE in KCM client
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 5457242ca6742ace42f1f7dbe37208752c6f26f4 Mon Sep 17 00:00:00 2001
|
||||
From 37e1fe755c6e976253a7f40ec7a9e740e4329789 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 21 Jun 2021 19:15:26 -0400
|
||||
Subject: [PATCH] Use asan in one of the CI builds
|
||||
|
@ -1,47 +0,0 @@
|
||||
From d9a6607d47ff6449d1cad2a9a5b4d3b9b2768ddd Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sun, 20 Jun 2021 19:24:07 -0400
|
||||
Subject: [PATCH] Using locking in MEMORY krb5_cc_get_principal()
|
||||
|
||||
Without locking, the principal pointer could be freed out from under
|
||||
krb5_copy_principal() by another thread calling krb5_cc_initialize()
|
||||
or krb5_cc_destroy().
|
||||
|
||||
ticket: 9014 (new)
|
||||
tags: pullup
|
||||
target_version: 1.19-next
|
||||
target_version: 1.18-next
|
||||
|
||||
(cherry picked from commit 1848447291c68e21311f441b0458ae53471d00d3)
|
||||
---
|
||||
src/lib/krb5/ccache/cc_memory.c | 17 +++++++++++------
|
||||
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c
|
||||
index 610091a25..e4c795d25 100644
|
||||
--- a/src/lib/krb5/ccache/cc_memory.c
|
||||
+++ b/src/lib/krb5/ccache/cc_memory.c
|
||||
@@ -575,12 +575,17 @@ krb5_mcc_get_name (krb5_context context, krb5_ccache id)
|
||||
krb5_error_code KRB5_CALLCONV
|
||||
krb5_mcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *princ)
|
||||
{
|
||||
- krb5_mcc_data *ptr = (krb5_mcc_data *)id->data;
|
||||
- if (!ptr->prin) {
|
||||
- *princ = 0L;
|
||||
- return KRB5_FCC_NOFILE;
|
||||
- }
|
||||
- return krb5_copy_principal(context, ptr->prin, princ);
|
||||
+ krb5_error_code ret;
|
||||
+ krb5_mcc_data *d = id->data;
|
||||
+
|
||||
+ *princ = NULL;
|
||||
+ k5_cc_mutex_lock(context, &d->lock);
|
||||
+ if (d->prin == NULL)
|
||||
+ ret = KRB5_FCC_NOFILE;
|
||||
+ else
|
||||
+ ret = krb5_copy_principal(context, d->prin, princ);
|
||||
+ k5_cc_mutex_unlock(context, &d->lock);
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
krb5_error_code KRB5_CALLCONV
|
@ -1,4 +1,4 @@
|
||||
From 852e9efad17e3ef6ea54f91044a279bb34020ecf Mon Sep 17 00:00:00 2001
|
||||
From 91e1d43858d90f59f5d9f45987cfca02c3175feb Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 9 Nov 2018 15:12:21 -0500
|
||||
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
|
||||
@ -477,7 +477,7 @@ index c597174b6..fc2d24800 100644
|
||||
}
|
||||
|
||||
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
|
||||
index c96a9b4ee..eca432424 100644
|
||||
index a938665f6..7b5804b1d 100644
|
||||
--- a/src/lib/krad/remote.c
|
||||
+++ b/src/lib/krad/remote.c
|
||||
@@ -263,7 +263,7 @@ on_io_write(krad_remote *rr)
|
||||
|
@ -1,4 +1,4 @@
|
||||
From fef4e551d3d2dcb55e58cc182304254c36aa8949 Mon Sep 17 00:00:00 2001
|
||||
From defa8816e26ab9f5a8f0b61e7bebad67175c433e Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 26 Mar 2019 18:51:10 -0400
|
||||
Subject: [PATCH] [downstream] Remove 3des support
|
||||
@ -195,7 +195,7 @@ index 1dc958d62..3a72aabef 100644
|
||||
|
||||
While **aes128-cts** and **aes256-cts** are supported for all Kerberos
|
||||
diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
|
||||
index 047185afb..b08d954d9 100644
|
||||
index 694922c0d..c4d5499d3 100644
|
||||
--- a/doc/admin/enctypes.rst
|
||||
+++ b/doc/admin/enctypes.rst
|
||||
@@ -129,7 +129,7 @@ enctype weak? krb5 Windows
|
||||
@ -243,7 +243,7 @@ index ade5e1f87..e4dc54f7e 100644
|
||||
|
||||
.. _err_cert_chain_cert_expired:
|
||||
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
|
||||
index cebb6644c..4d51e795c 100644
|
||||
index 5542d9850..0cb2e81bd 100644
|
||||
--- a/doc/appdev/refs/macros/index.rst
|
||||
+++ b/doc/appdev/refs/macros/index.rst
|
||||
@@ -36,7 +36,6 @@ Public
|
||||
@ -255,10 +255,10 @@ index cebb6644c..4d51e795c 100644
|
||||
CKSUMTYPE_NIST_SHA.rst
|
||||
CKSUMTYPE_RSA_MD4.rst
|
||||
diff --git a/doc/conf.py b/doc/conf.py
|
||||
index 543202bf4..4fb6aae14 100644
|
||||
index 14158ae81..a876fd633 100644
|
||||
--- a/doc/conf.py
|
||||
+++ b/doc/conf.py
|
||||
@@ -271,7 +271,7 @@ else:
|
||||
@@ -278,7 +278,7 @@ else:
|
||||
rst_epilog += '''
|
||||
.. |krb5conf| replace:: ``/etc/krb5.conf``
|
||||
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
|
||||
|
@ -1,4 +1,4 @@
|
||||
From e787771b618a344d45ac515927e914602f48946f Mon Sep 17 00:00:00 2001
|
||||
From 97966ffaac6bf9f2e09ac33a16b15794b31d51de Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:30:53 -0400
|
||||
Subject: [PATCH] [downstream] SELinux integration
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 687bb26cb0877fa5497e90f7d325de42b456da2a Mon Sep 17 00:00:00 2001
|
||||
From 86d606e33439fd0511c5154be7f32b0df2c72e54 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 15 Nov 2019 20:05:16 +0000
|
||||
Subject: [PATCH] [downstream] Use backported version of OpenSSL-3 KDF
|
||||
|
@ -1,4 +1,4 @@
|
||||
From d5ea86ef491feb38f12e6aa53b7579ac02675df6 Mon Sep 17 00:00:00 2001
|
||||
From 98b50683165089bf7bd9d91f953abbd79a8b1b08 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:49:25 -0400
|
||||
Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 90ba715be48c2e1b6c7ca53cb1d75f3af2c388d6 Mon Sep 17 00:00:00 2001
|
||||
From 659b3b4a654b879ce84ad8fb4621dde5ae693385 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:29:58 -0400
|
||||
Subject: [PATCH] [downstream] ksu pam integration
|
||||
|
@ -1,4 +1,4 @@
|
||||
From ad123366e5fb2694cf6d9f4f292a001a761b78fa Mon Sep 17 00:00:00 2001
|
||||
From 2d7e197fa88dccd3ca051f9f7cb97937c35c55a8 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:46:21 -0400
|
||||
Subject: [PATCH] [downstream] netlib and dns
|
||||
|
12
krb5.spec
12
krb5.spec
@ -41,8 +41,8 @@
|
||||
|
||||
Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.19.1
|
||||
Release: %{?zdpd}15%{?dist}
|
||||
Version: 1.19.2
|
||||
Release: %{?zdpd}1%{?dist}
|
||||
|
||||
# rharwood has trust path to signing key and verifies on check-in
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
|
||||
@ -78,7 +78,6 @@ Patch12: Fix-KCM-flag-transmission-for-remove_cred.patch
|
||||
Patch13: Make-KCM-iteration-fallback-work-with-sssd-kcm.patch
|
||||
Patch14: Use-KCM_OP_RETRIEVE-in-KCM-client.patch
|
||||
Patch15: Fix-KCM-retrieval-support-for-sssd.patch
|
||||
Patch16: Fix-doc-build-for-Sphinx-4.0.patch
|
||||
Patch17: Move-some-dejagnu-kadmin-tests-to-Python-tests.patch
|
||||
Patch18: Fix-some-principal-realm-canonicalization-cases.patch
|
||||
Patch19: Allow-kinit-with-keytab-to-defer-canonicalization.patch
|
||||
@ -89,11 +88,7 @@ Patch23: Fix-k5tls-module-for-OpenSSL-3.patch
|
||||
Patch24: Fix-leaks-on-error-in-kadm5-init-functions.patch
|
||||
Patch25: Clean-up-context-after-failed-open-in-libkdb5.patch
|
||||
Patch26: Use-asan-in-one-of-the-CI-builds.patch
|
||||
Patch27: Using-locking-in-MEMORY-krb5_cc_get_principal.patch
|
||||
Patch28: Fix-use-after-free-during-krad-remote_shutdown.patch
|
||||
Patch29: Clean-up-gssapi_krb5-ccache-name-functions.patch
|
||||
Patch30: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
|
||||
Patch31: Fix-defcred-leak-in-krb5-gss_inquire_cred.patch
|
||||
|
||||
License: MIT
|
||||
URL: https://web.mit.edu/kerberos/www/
|
||||
@ -656,6 +651,9 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Mon Jul 26 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.2-1
|
||||
- New upstream version (1.19.2)
|
||||
|
||||
* Wed Jul 21 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-15
|
||||
- Fix defcred leak in krb5 gss_inquire_cred()
|
||||
|
||||
|
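Review bot: The new `%changelog` entry `- New upstream version (1.19.2)` does not record that Patch16, Patch27, Patch28, Patch30 and Patch31 are dropped from the patch list, and Patch30 is the CVE-2021-36222 KDC null-dereference fix. Someone auditing the package history for that CVE would see the fix leave the patch list with no statement that the tarball now carries it; a second line under the 1.19.2-1 entry, such as `- Drop patches merged upstream, including the CVE-2021-36222 fix`, would keep that trail intact. Before merging, it is worth confirming that the 1.19.2 source actually contains the `if (retval == 0)` guard in `ec_verify()`, the `K5_TAILQ_FOREACH_SAFE` loop in `remote_shutdown()` and the `k5_cc_mutex_lock` call in `krb5_mcc_get_principal()`, since the deleted patch files were the only place this repository pinned those changes. The `%changelog` section and the patch list both continue outside the hunks shown.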