pkgsrc-Changes archive


CVS commit: pkgsrc/security/mit-krb5



Module Name:    pkgsrc
Committed By:   tez
Date:           Mon Aug 21 22:19:26 UTC 2017

Modified Files:
        pkgsrc/security/mit-krb5: Makefile distinfo
Added Files:
        pkgsrc/security/mit-krb5/patches: patch-CVE-2017-11368

Log Message:
Update to 1.14.5 and patch for CVE-2017-11368


To generate a diff of this commit:
cvs rdiff -u -r1.93 -r1.94 pkgsrc/security/mit-krb5/Makefile
cvs rdiff -u -r1.60 -r1.61 pkgsrc/security/mit-krb5/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-CVE-2017-11368

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/mit-krb5/Makefile
diff -u pkgsrc/security/mit-krb5/Makefile:1.93 pkgsrc/security/mit-krb5/Makefile:1.94
--- pkgsrc/security/mit-krb5/Makefile:1.93      Fri Oct 28 20:56:14 2016
+++ pkgsrc/security/mit-krb5/Makefile   Mon Aug 21 22:19:26 2017
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.93 2016/10/28 20:56:14 tez Exp $
+# $NetBSD: Makefile,v 1.94 2017/08/21 22:19:26 tez Exp $
 
-DISTNAME=      krb5-1.14.4
+DISTNAME=      krb5-1.14.5
 PKGNAME=       mit-${DISTNAME}
+PKGREVISION=   1
 CATEGORIES=    security
 MASTER_SITES=  http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV:R}/
 EXTRACT_SUFX=  .tar.gz

Index: pkgsrc/security/mit-krb5/distinfo
diff -u pkgsrc/security/mit-krb5/distinfo:1.60 pkgsrc/security/mit-krb5/distinfo:1.61
--- pkgsrc/security/mit-krb5/distinfo:1.60      Fri Oct 28 20:56:14 2016
+++ pkgsrc/security/mit-krb5/distinfo   Mon Aug 21 22:19:26 2017
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.60 2016/10/28 20:56:14 tez Exp $
+$NetBSD: distinfo,v 1.61 2017/08/21 22:19:26 tez Exp $
 
-SHA1 (krb5-1.14.4.tar.gz) = b5b4a940934a5b708fbf30a1a1121439df6d5853
-RMD160 (krb5-1.14.4.tar.gz) = 12d788cca175bcf20e8497d30698a3244a7a6983
-SHA512 (krb5-1.14.4.tar.gz) = 5eb16b909d69143bfa8b2a7ba4c0deb74408462a5ec1241e97f37e30d29e259767be91a4533119e2c5e92d1fcbcab97038b2e45ad3361b5a61c3dc562c6d0d67
-Size (krb5-1.14.4.tar.gz) = 12283989 bytes
+SHA1 (krb5-1.14.5.tar.gz) = 3b8d8c4a09350f8807a8e6eb9971617755a4521f
+RMD160 (krb5-1.14.5.tar.gz) = 673087853a1ce9551d69516e01fbfd888feff717
+SHA512 (krb5-1.14.5.tar.gz) = 2484f9581b5e0b99cc49ba7f8770ea3a8751e756c98cc552d92ca223575eac58f6f1a9c268254ead4435d2d49b50ccf3181eb7bdbd56874c43f91bcfc2a66d3b
+Size (krb5-1.14.5.tar.gz) = 12322802 bytes
+SHA1 (patch-CVE-2017-11368) = 91551099d48690c051ada72889bc645706775eb1
 SHA1 (patch-Makefile.in) = 11ead9de708f4da99233b66df2cf906b156faa87
 SHA1 (patch-aa) = 941848a1773dfbe51dff3134d4b8504a850a958d
 SHA1 (patch-ae) = c7395b9de5baf6612b8787fad55dbc051a680bfd

Added files:

Index: pkgsrc/security/mit-krb5/patches/patch-CVE-2017-11368
diff -u /dev/null pkgsrc/security/mit-krb5/patches/patch-CVE-2017-11368:1.1
--- /dev/null   Mon Aug 21 22:19:26 2017
+++ pkgsrc/security/mit-krb5/patches/patch-CVE-2017-11368       Mon Aug 21 22:19:26 2017
@@ -0,0 +1,79 @@
+$NetBSD: patch-CVE-2017-11368,v 1.1 2017/08/21 22:19:26 tez Exp $
+
+Patch for CVE-2017-11368 from:
+https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970.diff
+
+
+diff --git kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 2d3ad134d0..9b256c8764 100644
+--- kdc/do_as_req.c
++++ kdc/do_as_req.c
+@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
+     did_log = 1;
+ 
+ egress:
+-    if (errcode != 0)
+-        assert (state->status != 0);
++    if (errcode != 0 && state->status == NULL)
++        state->status = "UNKNOWN_REASON";
+ 
+     au_state->status = state->status;
+     au_state->reply = &state->reply;
+diff --git kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index cdc79ad2f1..d8d67199b9 100644
+--- kdc/do_tgs_req.c
++++ kdc/do_tgs_req.c
+@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
+     free(reply.enc_part.ciphertext.data);
+ 
+ cleanup:
+-    assert(status != NULL);
++    if (status == NULL)
++        status = "UNKNOWN_REASON";
+     if (reply_key)
+         krb5_free_keyblock(kdc_context, reply_key);
+     if (errcode)
+diff --git kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 778a629e52..b710aefe4c 100644
+--- kdc/kdc_util.c
++++ kdc/kdc_util.c
+@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
+     req_data.data = (char *)pa_data->contents;
+ 
+     code = decode_krb5_pa_for_user(&req_data, &for_user);
+-    if (code)
++    if (code) {
++        *status = "DECODE_PA_FOR_USER";
+         return code;
++    }
+ 
+     code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
+     if (code) {
+@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
+     req_data.data = (char *)pa_data->contents;
+ 
+     code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
+-    if (code)
++    if (code) {
++        *status = "DECODE_PA_S4U_X509_USER";
+         return code;
++    }
+ 
+     code = verify_s4u_x509_user_checksum(context,
+                                          tgs_subkey ? tgs_subkey :
+@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
+      * that is validated previously in validate_tgs_request().
+      */
+     if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
++        *status = "INVALID_S4U2PROXY_OPTIONS";
+         return KRB5KDC_ERR_BADOPTION;
+     }
+ 
+@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
+     if (!krb5_principal_compare(kdc_context,
+                                 server->princ, /* after canon */
+                                 server_princ)) {
++        *status = "EVIDENCE_TICKET_MISMATCH";
+         return KRB5KDC_ERR_SERVER_NOMATCH;
+     }
+ 
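Review bot: The `UNKNOWN_REASON` fallback added at `egress:` in finish_process_as_req and at `cleanup:` in process_tgs_req keeps the KDC from aborting on a missing status, but it also hides which error return forgot to set one, and nothing in the new code says so. A comment above each fallback would help, e.g. `/* Fallback only: every error return should set status; UNKNOWN_REASON in the KDC log means a path was missed. */`, so operators and maintainers treat that log string as something to investigate rather than a normal result. The process_tgs_req fallback is unconditional while the do_as_req.c one is gated on `errcode != 0`; this mirrors the asserts being replaced, and presumably the success path always sets status, but both function bodies start and end outside the hunks, so that is worth confirming. The pkgsrc patch header gives only the upstream URL; a one-line summary such as `Replace KDC status assertions with a fallback string and set status on S4U error returns.` would let a reader audit the patch without following the link.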


