gisburn pushed to krb5 (f22). "* Thu May 14 2015 Roland Mainz <rmainz at redhat.com> - 1.13.2-0 (..more)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Fri May 15 01:03:57 UTC 2015
From 7b2604b0da80195a6130a33fb82599f1b3dd5a69 Mon Sep 17 00:00:00 2001
From: Roland Mainz <rmainz at redhat.com>
Date: Fri, 15 May 2015 03:03:26 +0200
Subject: * Thu May 14 2015 Roland Mainz <rmainz at redhat.com> - 1.13.2-0 -
Update to krb5-1.13.2 - drop patch for
krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC,
fixed in krb5-1.13.2 - drop patch for
krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in
krb5-1.13.2 - Add script processing for upcoming Zanata l10n support - Minor
spec cleanup
diff --git a/.gitignore b/.gitignore
index 29f1d02..b3e441e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -119,3 +119,6 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.13.1.tar.gz
/krb5-1.13.1.tar.gz.asc
/krb5-1.13.1-pdf.pax.xz
+/krb5-1.13.2.tar.gz
+/krb5-1.13.2.tar.gz.asc
+/krb5-1.13.2-pdf.pax.xz
diff --git a/krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch b/krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch
deleted file mode 100644
index c90a4dd..0000000
--- a/krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From 21e4e653d8258d525f4b6ca87797d42a8bccc282 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson at mit.edu>
-Date: Tue, 9 Dec 2014 12:37:44 -0500
-Subject: [PATCH] Fix krb5_read_message handling [CVE-2014-5355]
-
-In recvauth_common, do not use strcmp against the data fields of
-krb5_data objects populated by krb5_read_message(), as there is no
-guarantee that they are C strings. Instead, create an expected
-krb5_data value and use data_eq().
-
-In the sample user-to-user server application, check that the received
-client principal name is null-terminated before using it with printf
-and krb5_parse_name.
-
-CVE-2014-5355:
-
-In MIT krb5, when a server process uses the krb5_recvauth function, an
-unauthenticated remote attacker can cause a NULL dereference by
-sending a zero-byte version string, or a read beyond the end of
-allocated storage by sending a non-null-terminated version string.
-The example user-to-user server application (uuserver) is similarly
-vulnerable to a zero-length or non-null-terminated principal name
-string.
-
-The krb5_recvauth function reads two version strings from the client
-using krb5_read_message(), which produces a krb5_data structure
-containing a length and a pointer to an octet sequence. krb5_recvauth
-assumes that the data pointer is a valid C string and passes it to
-strcmp() to verify the versions. If the client sends an empty octet
-sequence, the data pointer will be NULL and strcmp() will dereference
-a NULL pointer, causing the process to crash. If the client sends a
-non-null-terminated octet sequence, strcmp() will read beyond the end
-of the allocated storage, possibly causing the process to crash.
-
-uuserver similarly uses krb5_read_message() to read a client principal
-name, and then passes it to printf() and krb5_parse_name() without
-verifying that it is a valid C string.
-
-The krb5_recvauth function is used by kpropd and the Kerberized
-versions of the BSD rlogin and rsh daemons. These daemons are usually
-run out of inetd or in a mode which forks before processing incoming
-connections, so a process crash will generally not result in a
-complete denial of service.
-
-Thanks to Tim Uglow for discovering this issue.
-
-CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
-
-[tlyu at mit.edu: CVSS score]
-
-(cherry picked from commit 102bb6ebf20f9174130c85c3b052ae104e5073ec)
-
-ticket: 8050
-version_fixed: 1.13.2
-status: resolved
----
- src/appl/user_user/server.c | 4 +++-
- src/lib/krb5/krb/recvauth.c | 9 ++++++---
- 2 files changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/src/appl/user_user/server.c b/src/appl/user_user/server.c
-index 09ea4e0..f2b5b61 100644
---- a/src/appl/user_user/server.c
-+++ b/src/appl/user_user/server.c
-@@ -111,8 +111,10 @@ int main(argc, argv)
- }
- #endif
-
-+ /* principal name must be sent null-terminated. */
- retval = krb5_read_message(context, (krb5_pointer) &sock, &pname_data);
-- if (retval) {
-+ if (retval || pname_data.length == 0 ||
-+ pname_data.data[pname_data.length - 1] != '\0') {
- com_err ("uu-server", retval, "reading pname");
- return 2;
- }
-diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c
-index da836283..5adc6dd 100644
---- a/src/lib/krb5/krb/recvauth.c
-+++ b/src/lib/krb5/krb/recvauth.c
-@@ -59,6 +59,7 @@ recvauth_common(krb5_context context,
- krb5_rcache rcache = 0;
- krb5_octet response;
- krb5_data null_server;
-+ krb5_data d;
- int need_error_free = 0;
- int local_rcache = 0, local_authcon = 0;
-
-@@ -77,7 +78,8 @@ recvauth_common(krb5_context context,
- */
- if ((retval = krb5_read_message(context, fd, &inbuf)))
- return(retval);
-- if (strcmp(inbuf.data, sendauth_version)) {
-+ d = make_data((char *)sendauth_version, strlen(sendauth_version) + 1);
-+ if (!data_eq(inbuf, d)) {
- problem = KRB5_SENDAUTH_BADAUTHVERS;
- response = 1;
- }
-@@ -93,8 +95,9 @@ recvauth_common(krb5_context context,
- */
- if ((retval = krb5_read_message(context, fd, &inbuf)))
- return(retval);
-- if (appl_version && strcmp(inbuf.data, appl_version)) {
-- if (!problem) {
-+ if (appl_version != NULL && !problem) {
-+ d = make_data(appl_version, strlen(appl_version) + 1);
-+ if (!data_eq(inbuf, d)) {
- problem = KRB5_SENDAUTH_BADAPPLVERS;
- response = 2;
- }
diff --git a/krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC.patch b/krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC.patch
deleted file mode 100644
index 153566b..0000000
--- a/krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From e3b5a5e5267818c97750b266df50b6a3d4649604 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson at mit.edu>
-Date: Tue, 24 Mar 2015 12:02:37 -0400
-Subject: [PATCH] Prevent requires_preauth bypass [CVE-2015-2694]
-
-In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until
-the request is successfully verified. In the PKINIT kdcpreauth
-module, don't respond with code 0 on empty input or an unconfigured
-realm. Together these bugs could cause the KDC preauth framework to
-erroneously treat a request as pre-authenticated.
-
-CVE-2015-2694:
-
-In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
-support, an unauthenticated remote attacker can bypass the
-requires_preauth flag on a client principal and obtain a ciphertext
-encrypted in the principal's long-term key. This ciphertext could be
-used to conduct an off-line dictionary attack against the user's
-password.
-
- CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C
-
-ticket: 8160 (new)
-target_version: 1.13.2
-tags: pullup
-subject: requires_preauth bypass in PKINIT-enabled KDC [CVE-2015-2694]
----
- src/plugins/preauth/otp/main.c | 10 +++++++---
- src/plugins/preauth/pkinit/pkinit_srv.c | 4 ++--
- 2 files changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c
-index bf9c6a8..7941b4a 100644
---- a/src/plugins/preauth/otp/main.c
-+++ b/src/plugins/preauth/otp/main.c
-@@ -42,6 +42,7 @@ static krb5_preauthtype otp_pa_type_list[] =
- struct request_state {
- krb5_kdcpreauth_verify_respond_fn respond;
- void *arg;
-+ krb5_enc_tkt_part *enc_tkt_reply;
- };
-
- static krb5_error_code
-@@ -159,6 +160,9 @@ on_response(void *data, krb5_error_code retval, otp_response response)
- if (retval == 0 && response != otp_response_success)
- retval = KRB5_PREAUTH_FAILED;
-
-+ if (retval == 0)
-+ rs.enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
-+
- rs.respond(rs.arg, retval, NULL, NULL, NULL);
- }
-
-@@ -263,8 +267,6 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_data d, plaintext;
- char *config;
-
-- enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
--
- /* Get the FAST armor key. */
- armor_key = cb->fast_armor(context, rock);
- if (armor_key == NULL) {
-@@ -298,12 +300,14 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
- goto error;
- }
-
-- /* Create the request state. */
-+ /* Create the request state. Save the response callback, and the
-+ * enc_tkt_reply pointer so we can set the TKT_FLG_PRE_AUTH flag later. */
- rs = k5alloc(sizeof(struct request_state), &retval);
- if (rs == NULL)
- goto error;
- rs->arg = arg;
- rs->respond = respond;
-+ rs->enc_tkt_reply = enc_tkt_reply;
-
- /* Get the principal's OTP configuration string. */
- retval = cb->get_string(context, rock, "otp", &config);
-diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
-index b472741..5b1d73e 100644
---- a/src/plugins/preauth/pkinit/pkinit_srv.c
-+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
-@@ -301,7 +301,7 @@ pkinit_server_verify_padata(krb5_context context,
-
- pkiDebug("pkinit_verify_padata: entered!\n");
- if (data == NULL || data->length <= 0 || data->contents == NULL) {
-- (*respond)(arg, 0, NULL, NULL, NULL);
-+ (*respond)(arg, EINVAL, NULL, NULL, NULL);
- return;
- }
-
-@@ -313,7 +313,7 @@ pkinit_server_verify_padata(krb5_context context,
-
- plgctx = pkinit_find_realm_context(context, moddata, request->server);
- if (plgctx == NULL) {
-- (*respond)(arg, 0, NULL, NULL, NULL);
-+ (*respond)(arg, EINVAL, NULL, NULL, NULL);
- return;
- }
-
diff --git a/krb5.spec b/krb5.spec
index 62f539a..33f73ab 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -42,12 +42,12 @@
Summary: The Kerberos network authentication system
Name: krb5
-Version: 1.13.1
-Release: 3%{?dist}
+Version: 1.13.2
+Release: 0%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
-# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.1-signed.tar
+# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
-# $ fedpkg upload krb5-1.13.1.tar.gz krb5-1.13.1.tar.gz.asc # (and don't
+# $ fedpkg upload krb5-1.13.2.tar.gz krb5-1.13.2.tar.gz.asc # (and don't
# remove, otherwise you can't go back or branch from a previous point)
Source0: krb5-%{version}%{prerelease}.tar.gz
Source1: krb5-%{version}%{prerelease}.tar.gz.asc
@@ -75,7 +75,6 @@ Source37: kadmind.init
Source38: krb5kdc.init
Source39: krb5-krb5kdc.conf
-BuildRequires: cmake pax xz
# Carry this locally until it's available in a packaged form.
Source100: nss_wrapper-0.0-20140204195100.git3d58327.tar.xz
Source101: noport.c
@@ -95,14 +94,12 @@ Patch129: krb5-1.11-run_user_0.patch
Patch134: krb5-1.11-kpasswdtest.patch
Patch136: krb5-socket_wrapper_eventfd_prototype_mismatch.patch
Patch140: krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
-Patch141: krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling.patch
-Patch142: krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
Group: System Environment/Libraries
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: autoconf, bison, flex, gawk, gettext, pkgconfig, sed
+BuildRequires: autoconf, bison, cmake, flex, gawk, gettext, ksh, pax, pkgconfig, sed, xz
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
BuildRequires: libcom_err-devel, libedit-devel, libss-devel
%endif
@@ -231,6 +228,8 @@ Requires: logrotate
Requires(preun): initscripts
# we specify /usr/share/dict/words as the default dict_file in kdc.conf
Requires: /usr/share/dict/words
+# we need this for zanata since this is the only working way to localise scripts
+Requires: ksh
%if %{WITH_SYSVERTO}
# for run-time, and for parts of the test suite
BuildRequires: libverto-module-base
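Review bot: The new `Requires: ksh` is attached to a single subpackage (the surrounding lines suggest the server package), while the %install loop added later in this commit compiles every POSIX shell script under `%{_sbindir}` with shcomp. If any of those scripts is shipped by a different subpackage, it would be installed without the interpreter it now needs at run time. The comment only mentions zanata; it could state the actual run-time reason, for example `# sbin shell scripts are shipped as shcomp output and need ksh to run`. The package section this line belongs to starts outside the hunk.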
@@ -319,8 +318,6 @@ ln NOTICE LICENSE
%endif
%patch140 -p1 -b .krb5-1.14-support-kdc_err_more_preauth_data_required
-%patch141 -p1 -b .krb5-1.12.1-cve_2014_5355_fix_krb5_read_message_handling
-%patch142 -p1 -b .krb5-1.13.2-cve_2015_2694_requires_preauth_bypass_in_pkinit_enabled_kdc
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -493,7 +490,7 @@ make -C src/clients check TMPDIR=%{_tmppath}
keyctl session - make -C src/util check TMPDIR=%{_tmppath}
%install
-[ "$RPM_BUILD_ROOT" != '/' ] && rm -rf -- $RPM_BUILD_ROOT
+[ "$RPM_BUILD_ROOT" != '/' ] && rm -rf -- "$RPM_BUILD_ROOT"
# Sample KDC config files (bundled kdc.conf and kadm5.acl).
mkdir -p $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc
@@ -615,7 +612,7 @@ rellibdir=..
while ! test -r $RPM_BUILD_ROOT/%{_libdir}/${rellibdir}/rootfile ; do
rellibdir=../${rellibdir}
done
-rm -f $RPM_BUILD_ROOT/rootfile
+rm -f -- "$RPM_BUILD_ROOT/rootfile"
mkdir -p $RPM_BUILD_ROOT/%{_lib}
for library in libgssapi_krb5 libgssrpc libk5crypto libkrb5 libkrb5support ; do
mv $RPM_BUILD_ROOT/%{_libdir}/${library}.so.* $RPM_BUILD_ROOT/%{_lib}/
@@ -631,14 +628,22 @@ for section in 1 5 8 ; do
$RPM_BUILD_ROOT/%{_mandir}/man${section}/
done
+# Process shell scripts (needed later for zanata)
+for i in $(LC_ALL='C' file $RPM_BUILD_ROOT/%{_sbindir}/* | fgrep "POSIX shell script" | sed -r 's/(.+):[[:space:]].*/\1/') ; do
+ # todo: Add /usr/ast/bin/msgcvt to compile l10n catalog
+ shcomp "$i" "${i}.shbin"
+ rm "$i" ; mv "${i}.shbin" "${i}"
+done
+
+
# This script just tells you to send bug reports to krb5-bugs at mit.edu, but
# since we don't have a man page for it, just drop it.
-rm $RPM_BUILD_ROOT/%{_sbindir}/krb5-send-pr
+rm -- "$RPM_BUILD_ROOT/%{_sbindir}/krb5-send-pr"
%find_lang %{gettext_domain}
%clean
-[ "$RPM_BUILD_ROOT" != '/' ] && rm -rf -- $RPM_BUILD_ROOT
+[ "$RPM_BUILD_ROOT" != '/' ] && rm -rf -- "$RPM_BUILD_ROOT"
%post libs -p /sbin/ldconfig
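Review bot: The added loop deletes each script with `rm "$i"` without checking that `shcomp` produced its output, so it relies on the build shell aborting on error, and the file moved into place keeps whatever mode shcomp created it with, which may not match the original script. An explicit check and mode copy would make this safe: `shcomp "$i" "${i}.shbin" || exit 1`, then `chmod --reference="$i" "${i}.shbin"`, then `mv -f -- "${i}.shbin" "$i"`. The `for i in $(... file $RPM_BUILD_ROOT/%{_sbindir}/* ...)` list is unquoted and parsed from `file` output, unlike the quoting this commit adds elsewhere, and it compiles `krb5-send-pr` just before the following lines remove it. Shipping compiled output in place of readable scripts also means an administrator can no longer inspect the installed files in sbin; a comment stating that trade-off would help.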
@@ -648,7 +653,7 @@ rm $RPM_BUILD_ROOT/%{_sbindir}/krb5-send-pr
# Try to add a default_ccache_name to /etc/krb5.conf, removing the previous
# default which we configured, if we find it.
export DEFCCNAME="%{configured_default_ccache_name}"
-tmpfile=`mktemp /etc/krb5.conf.XXXXXX`
+tmpfile="$(mktemp /etc/krb5.conf.XXXXXX)"
if test -z "$tmpfile" ; then
# Give up.
exit 0
@@ -684,7 +689,7 @@ if ! grep -q default_ccache_name /etc/krb5.conf ; then
fi
fi
if test -n "$tmpfile" ; then
- rm -f "$tmpfile"
+ rm -f -- "$tmpfile"
fi
%endif
@@ -698,7 +703,7 @@ fi
# Remove the init script for older servers.
[ -x /etc/rc.d/init.d/krb5server ] && /sbin/chkconfig --del krb5server
%if %{WITH_SYSTEMD}
-if [ $1 -eq 1 ] ; then
+if (( $1 == 1 )) ; then
# Initial installation
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
fi
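Review bot: `if (( $1 == 1 ))` is ksh/bash arithmetic syntax rather than POSIX `test`, so this scriptlet now depends on the scriptlet interpreter accepting `(( ))`; the same applies to the `%preun server`, `%postun server` and `%triggerun server` hunks below. The previous `[ $1 -eq 1 ]` form was portable and treats the argument as a plain operand, whereas `(( ))` evaluates it as an arithmetic expression and fails with a syntax error if it is empty. The new forms are also inconsistent with each other: `%preun` writes `(( "$1" == 0 ))` while the others leave the argument unquoted. Keeping `[ "$1" -eq 1 ]` would avoid both problems. The %post scriptlet this `if` belongs to starts outside the hunk.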
@@ -711,7 +716,7 @@ fi
exit 0
%preun server
-if [ "$1" -eq "0" ] ; then
+if (( "$1" == 0 )) ; then
%if %{WITH_SYSTEMD}
/bin/systemctl --no-reload disable krb5kdc.service > /dev/null 2>&1 || :
/bin/systemctl --no-reload disable kadmin.service > /dev/null 2>&1 || :
@@ -733,13 +738,13 @@ exit 0
%postun server
%if %{WITH_SYSTEMD}
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-if [ "$1" -ge 1 ] ; then
+if (( $1 >= 1 )) ; then
/bin/systemctl try-restart krb5kdc.service >/dev/null 2>&1 || :
/bin/systemctl try-restart kadmin.service >/dev/null 2>&1 || :
/bin/systemctl try-restart kprop.service >/dev/null 2>&1 || :
fi
%else
-if [ "$1" -ge 1 ] ; then
+if (( $1 >= 1 )) ; then
/sbin/service krb5kdc condrestart > /dev/null 2>&1 || :
/sbin/service kadmin condrestart > /dev/null 2>&1 || :
/sbin/service kprop condrestart > /dev/null 2>&1 || :
@@ -769,7 +774,7 @@ exit 0
%endif
%triggerun server -- krb5-server < 1.6.3-100
-if [ "$2" -eq "0" ] ; then
+if (( $2 == 0 )) ; then
/sbin/install-info --delete %{_infodir}/krb425.info.gz %{_infodir}/dir
/sbin/service krb524 stop > /dev/null 2>&1 || :
/sbin/chkconfig --del krb524 > /dev/null 2>&1 || :
@@ -993,6 +998,13 @@ exit 0
%changelog
+* Thu May 14 2015 Roland Mainz <rmainz at redhat.com> - 1.13.2-0
+- Update to krb5-1.13.2
+ - drop patch for krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC, fixed in krb5-1.13.2
+ - drop patch for krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in krb5-1.13.2
+- Add script processing for upcoming Zanata l10n support
+- Minor spec cleanup
+
* Mon May 4 2015 Roland Mainz <rmainz at redhat.com> - 1.13.1-3
- fix for CVE-2015-2694 (#1216133) "requires_preauth bypass
in PKINIT-enabled KDC".
diff --git a/sources b/sources
index 394d382..1865940 100644
--- a/sources
+++ b/sources
@@ -1,5 +1,5 @@
142c7f3f8d2b08936d2cee3de743133e nss_wrapper-0.0-20140204195100.git3d58327.tar.xz
d8e42cf537192765463c3f1bad870250 socket_wrapper-0.0-20140204194748.gitf3b2ece.tar.xz
-317dc7db815f1e4ad611c6a519589edd krb5-1.13.1.tar.gz
-3e0bf019e16039302447ba39730eaaeb krb5-1.13.1.tar.gz.asc
-d3c480887984f14ecd8d93fd30a11896 krb5-1.13.1-pdf.pax.xz
+f9b9275c6ceb9e6c39fabecc00c6a059 krb5-1.13.2.tar.gz
+b62135d2089349b571479feb39f049c9 krb5-1.13.2.tar.gz.asc
+d3c480887984f14ecd8d93fd30a11896 krb5-1.13.2-pdf.pax.xz
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/krb5.git/commit/?h=f22&id=7b2604b0da80195a6130a33fb82599f1b3dd5a69