pkgsrc-Changes archive


CVS commit: pkgsrc/security/mit-krb5



Module Name:    pkgsrc
Committed By:   adam
Date:           Fri Jan  5 23:46:29 UTC 2024

Modified Files:
        pkgsrc/security/mit-krb5: Makefile PLIST buildlink3.mk builtin.mk
            distinfo
        pkgsrc/security/mit-krb5/patches: patch-kprop_kproplog.c
Added Files:
        pkgsrc/security/mit-krb5/patches: patch-util_verto_verto-k5ev.c
Removed Files:
        pkgsrc/security/mit-krb5/patches: patch-util_k5ev_verto-k5ev.c

Log Message:
mit-krb5: updated to 1.21.2

Major changes in 1.21.2 (2023-08-14)

Fix double-free in KDC TGS processing [CVE-2023-39975].

Major changes in 1.21.1 (2023-07-10)

Fix potential uninitialized pointer free in kadm5 XDR parsing [CVE-2023-36054].

Major changes in 1.21 (2023-06-05)

User experience
Added a credential cache type providing compatibility with the macOS 11 native credential cache.
Developer experience
libkadm5 will use the provided krb5_context object to read configuration values, instead of creating its own.
Added an interface to retrieve the ticket session key from a GSS context.
Protocol evolution
The KDC will no longer issue tickets with RC4 or triple-DES session keys unless explicitly configured with the new allow_rc4 or allow_des3 variables respectively.
The KDC will assume that all services can handle aes256-sha1 session keys unless the service principal has a session_enctypes string attribute.
Support for PAC full KDC checksums has been added to mitigate an S4U2Proxy privilege escalation attack.
The PKINIT client will advertise a more modern set of supported CMS algorithms.
Code quality
Removed unused code in libkrb5, libkrb5support, and the PKINIT module.
Modernized the KDC code for processing TGS requests, the code for encrypting and decrypting key data, the PAC handling code, and the GSS library packet parsing and composition code.
Improved the test framework's detection of memory errors in daemon processes when used with asan.


To generate a diff of this commit:
cvs rdiff -u -r1.116 -r1.117 pkgsrc/security/mit-krb5/Makefile
cvs rdiff -u -r1.24 -r1.25 pkgsrc/security/mit-krb5/PLIST
cvs rdiff -u -r1.17 -r1.18 pkgsrc/security/mit-krb5/buildlink3.mk
cvs rdiff -u -r1.18 -r1.19 pkgsrc/security/mit-krb5/builtin.mk
cvs rdiff -u -r1.80 -r1.81 pkgsrc/security/mit-krb5/distinfo
cvs rdiff -u -r1.1 -r1.2 \
    pkgsrc/security/mit-krb5/patches/patch-kprop_kproplog.c
cvs rdiff -u -r1.4 -r0 \
    pkgsrc/security/mit-krb5/patches/patch-util_k5ev_verto-k5ev.c
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/security/mit-krb5/patches/patch-util_verto_verto-k5ev.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/mit-krb5/Makefile
diff -u pkgsrc/security/mit-krb5/Makefile:1.116 pkgsrc/security/mit-krb5/Makefile:1.117
--- pkgsrc/security/mit-krb5/Makefile:1.116     Tue Oct 24 22:10:52 2023
+++ pkgsrc/security/mit-krb5/Makefile   Fri Jan  5 23:46:29 2024
@@ -1,9 +1,8 @@
-# $NetBSD: Makefile,v 1.116 2023/10/24 22:10:52 wiz Exp $
+# $NetBSD: Makefile,v 1.117 2024/01/05 23:46:29 adam Exp $
 
-BRANCHNAME=    1.19
-DISTNAME=      krb5-${BRANCHNAME}.3
+BRANCHNAME=    1.21
+DISTNAME=      krb5-${BRANCHNAME}.2
 PKGNAME=       mit-${DISTNAME}
-PKGREVISION=   1
 CATEGORIES=    security
 # It is not clear how stable this URL scheme is.
 MASTER_SITES=  http://web.mit.edu/kerberos/dist/krb5/${BRANCHNAME}/

Index: pkgsrc/security/mit-krb5/PLIST
diff -u pkgsrc/security/mit-krb5/PLIST:1.24 pkgsrc/security/mit-krb5/PLIST:1.25
--- pkgsrc/security/mit-krb5/PLIST:1.24 Fri Jul  3 13:36:57 2020
+++ pkgsrc/security/mit-krb5/PLIST      Fri Jan  5 23:46:29 2024
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.24 2020/07/03 13:36:57 hauke Exp $
+@comment $NetBSD: PLIST,v 1.25 2024/01/05 23:46:29 adam Exp $
 bin/compile_et
 bin/gss-client
 bin/k5srvutil
@@ -62,9 +62,11 @@ include/krb5/pwqual_plugin.h
 include/profile.h
 include/verto-module.h
 include/verto.h
+@pkgdir lib/krb5/plugins/authdata
 lib/krb5/plugins/kdb/db2.la
 ${PLIST.ldap}lib/krb5/plugins/kdb/kldap.la
 lib/krb5/plugins/kdb/klmdb.la
+@pkgdir lib/krb5/plugins/libkrb5
 lib/krb5/plugins/preauth/otp.la
 lib/krb5/plugins/preauth/pkinit.la
 lib/krb5/plugins/preauth/spake.la
@@ -91,6 +93,10 @@ lib/pkgconfig/krb5-gssapi.pc
 lib/pkgconfig/krb5.pc
 lib/pkgconfig/mit-krb5-gssapi.pc
 lib/pkgconfig/mit-krb5.pc
+@pkgdir man/cat1
+@pkgdir man/cat5
+@pkgdir man/cat7
+@pkgdir man/cat8
 man/man1/compile_et.1
 man/man1/k5srvutil.1
 man/man1/kadmin.1
@@ -139,12 +145,7 @@ share/et/et_h.awk
 share/examples/krb5/kdc.conf
 share/examples/krb5/krb5.conf
 share/examples/krb5/services.append
+@pkgdir share/gnats
 share/locale/de/LC_MESSAGES/mit-krb5.mo
 share/locale/en_US/LC_MESSAGES/mit-krb5.mo
-@pkgdir share/gnats
-@pkgdir man/cat8
-@pkgdir man/cat7
-@pkgdir man/cat5
-@pkgdir man/cat1
-@pkgdir lib/krb5/plugins/libkrb5
-@pkgdir lib/krb5/plugins/authdata
+share/locale/ka/LC_MESSAGES/mit-krb5.mo

Index: pkgsrc/security/mit-krb5/buildlink3.mk
diff -u pkgsrc/security/mit-krb5/buildlink3.mk:1.17 pkgsrc/security/mit-krb5/buildlink3.mk:1.18
--- pkgsrc/security/mit-krb5/buildlink3.mk:1.17 Fri Jul 29 20:22:44 2022
+++ pkgsrc/security/mit-krb5/buildlink3.mk      Fri Jan  5 23:46:29 2024
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.17 2022/07/29 20:22:44 jperkin Exp $
+# $NetBSD: buildlink3.mk,v 1.18 2024/01/05 23:46:29 adam Exp $
 
 BUILDLINK_TREE+=       mit-krb5
 
@@ -6,7 +6,7 @@ BUILDLINK_TREE+=        mit-krb5
 MIT_KRB5_BUILDLINK3_MK:=
 
 BUILDLINK_API_DEPENDS.mit-krb5+=       mit-krb5>=1.4
-BUILDLINK_ABI_DEPENDS.mit-krb5?=       mit-krb5>=1.18.4nb1
+BUILDLINK_ABI_DEPENDS.mit-krb5+=       mit-krb5>=1.18.4nb1
 BUILDLINK_PKGSRCDIR.mit-krb5?=         ../../security/mit-krb5
 .endif # MIT_KRB5_BUILDLINK3_MK
 

Index: pkgsrc/security/mit-krb5/builtin.mk
diff -u pkgsrc/security/mit-krb5/builtin.mk:1.18 pkgsrc/security/mit-krb5/builtin.mk:1.19
--- pkgsrc/security/mit-krb5/builtin.mk:1.18    Fri Jul 29 20:22:44 2022
+++ pkgsrc/security/mit-krb5/builtin.mk Fri Jan  5 23:46:29 2024
@@ -1,16 +1,16 @@
-# $NetBSD: builtin.mk,v 1.18 2022/07/29 20:22:44 jperkin Exp $
+# $NetBSD: builtin.mk,v 1.19 2024/01/05 23:46:29 adam Exp $
 
 BUILTIN_PKG:=  mit-krb5
 
 .include "../../mk/bsd.fast.prefs.mk"
 
 BUILTIN_FIND_HEADERS_VAR:=             H_MIT_KRB5
-.if !(empty(MACHINE_PLATFORM:MDarwin-9.*-*) && \
+.if !(!${MACHINE_PLATFORM:MDarwin-9.*-*} && \
       empty(MACHINE_PLATFORM:MDarwin-1?.*-*))
 BUILTIN_FIND_HEADERS.H_MIT_KRB5=       krb5/krb5.h
-.elif !empty(MACHINE_PLATFORM:MSunOS-*-*)
+.elif ${MACHINE_PLATFORM:MSunOS-*-*}
 BUILTIN_FIND_HEADERS.H_MIT_KRB5=       kerberosv5/krb5.h
-.elif !empty(MACHINE_PLATFORM:MLinux-*)
+.elif ${MACHINE_PLATFORM:MLinux-*}
 # Assuming mit-krb5 >= 1.5 on GNU/Linux.
 BUILTIN_FIND_HEADERS.H_MIT_KRB5=       krb5/krb5.h
 .else
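Review bot: The first condition now mixes a negated bare expression with `empty()` inside an outer negation, `!(!${MACHINE_PLATFORM:MDarwin-9.*-*} && empty(MACHINE_PLATFORM:MDarwin-1?.*-*))`, which is harder to read than either form alone and leaves the second operand in the old style. By De Morgan the same test can be written in the style the `.elif` lines of this hunk already use: `.if ${MACHINE_PLATFORM:MDarwin-9.*-*} || ${MACHINE_PLATFORM:MDarwin-1?.*-*}`. The `.if` chain continues past the end of the hunk.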
@@ -41,7 +41,7 @@ MAKEVARS+=            IS_BUILTIN.mit-krb5
 ### a package name to represent the built-in package.
 ###
 .if !defined(BUILTIN_PKG.mit-krb5) && \
-    !empty(IS_BUILTIN.mit-krb5:M[yY][eE][sS])
+    ${IS_BUILTIN.mit-krb5:tl} == yes
 .  if empty(SH_KRB5_CONFIG:M__nonexistent__)
 BUILTIN_VERSION.mit-krb5!=     ${SH_KRB5_CONFIG} --version | \
                                ${SED} -e 's/.*release //' -e 's/-.*//' -e 's/).*//'
@@ -61,12 +61,12 @@ USE_BUILTIN.mit-krb5=       no
 .  else
 USE_BUILTIN.mit-krb5=  ${IS_BUILTIN.mit-krb5}
 .    if defined(BUILTIN_PKG.mit-krb5) && \
-        !empty(IS_BUILTIN.mit-krb5:M[yY][eE][sS])
+        ${IS_BUILTIN.mit-krb5:tl} == yes
 USE_BUILTIN.mit-krb5=  yes
 .      for dep__ in ${BUILDLINK_API_DEPENDS.mit-krb5}
-.        if !empty(USE_BUILTIN.mit-krb5:M[yY][eE][sS])
+.        if ${USE_BUILTIN.mit-krb5:tl} == yes
 USE_BUILTIN.mit-krb5!=                                                 \
-       if ${PKG_ADMIN} pmatch ${dep__:Q} ${BUILTIN_PKG.mit-krb5:Q}; then \
+       if ${PKG_ADMIN} pmatch ${dep__:Q} ${BUILTIN_PKG.mit-krb5}; then \
                ${ECHO} "yes";                                          \
        else                                                            \
                ${ECHO} "no";                                           \
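Review bot: The `pmatch` line drops the `:Q` modifier from `${BUILTIN_PKG.mit-krb5}`, so that value now reaches the shell of the `!=` assignment unquoted while `${dep__:Q}` beside it stays quoted. The hunk does not show where BUILTIN_PKG.mit-krb5 is assigned; if it is built from BUILTIN_VERSION.mit-krb5, which the previous hunk fills from `${SH_KRB5_CONFIG} --version` output, an unexpected version string would be word-split or interpreted by the shell. Keeping the quoting costs nothing and keeps both arguments consistent: `if ${PKG_ADMIN} pmatch ${dep__:Q} ${BUILTIN_PKG.mit-krb5:Q}; then \`. The surrounding `.for`/`.if` block continues outside the hunk.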
@@ -83,8 +83,8 @@ MAKEVARS+=            USE_BUILTIN.mit-krb5
 ### solely to determine whether a built-in implementation exists.
 ###
 CHECK_BUILTIN.mit-krb5?=       no
-.if !empty(CHECK_BUILTIN.mit-krb5:M[nN][oO])
-.  if !empty(USE_BUILTIN.mit-krb5:M[yY][eE][sS])
+.if ${CHECK_BUILTIN.mit-krb5:tl} == no
+.  if ${USE_BUILTIN.mit-krb5:tl} == yes
 KRB5_CONFIG?=  ${SH_KRB5_CONFIG}
 ALL_ENV+=      KRB5_CONFIG=${KRB5_CONFIG:Q}
 

Index: pkgsrc/security/mit-krb5/distinfo
diff -u pkgsrc/security/mit-krb5/distinfo:1.80 pkgsrc/security/mit-krb5/distinfo:1.81
--- pkgsrc/security/mit-krb5/distinfo:1.80      Fri Jul 29 20:22:44 2022
+++ pkgsrc/security/mit-krb5/distinfo   Fri Jan  5 23:46:29 2024
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.80 2022/07/29 20:22:44 jperkin Exp $
+$NetBSD: distinfo,v 1.81 2024/01/05 23:46:29 adam Exp $
 
-BLAKE2s (krb5-1.19.3.tar.gz) = 25b6d084dcc560252f6ee576da976a6f6a1972537eb355dc0aa240dcab4400d2
-SHA512 (krb5-1.19.3.tar.gz) = 18235440d6f7d8a72c5d7ca5cd8c6465e8adf091d85c483225c7b00d64b4688c1c7924cb800c2fc17e590b2709f1a9de48e6ec79f6debd11dcb7d6fa16c6f351
-Size (krb5-1.19.3.tar.gz) = 8741343 bytes
+BLAKE2s (krb5-1.21.2.tar.gz) = 409811ddde6dd93f489a655aa558e668af2a9fcf6768973d2109442feb828907
+SHA512 (krb5-1.21.2.tar.gz) = 4e09296b412383d53872661718dbfaa90201e0d85f69db48e57a8d4bd73c95a90c7ec7b6f0f325f6bc967f8d203b256b071c0191facf080aca0e2caec5d0ac49
+Size (krb5-1.21.2.tar.gz) = 8622513 bytes
 SHA1 (patch-Makefile.in) = 24f915d7a4340b9a4a454b9b67c94147fdc49c34
 SHA1 (patch-aclocal.m4) = 07b5d9ae38c74eaea6ba62aed9062dca1bf7f3fb
 SHA1 (patch-build-tools_krb5-config.in) = 4ab922df1d86d86f9ef043f2c5cdf048c0477d3a
@@ -15,7 +15,7 @@ SHA1 (patch-config_pre.in) = 255973132db
 SHA1 (patch-config_shlib.conf) = 74859f18c5bf7c723face05873a219a839b28942
 SHA1 (patch-include_osconf.hin) = d31a8164f417bc31a787c8e16d1bd24f27b7140d
 SHA1 (patch-kadmin_cli_ss_wrapper.c) = e32e6180f8d508cb2eb18489ce2fef0a1ad0f51d
-SHA1 (patch-kprop_kproplog.c) = 9b751de7eb70d026b54e15275bb878bdb0ce52eb
+SHA1 (patch-kprop_kproplog.c) = cbfd43495d40ecd9edf427c3dfb135b0fe2c9546
 SHA1 (patch-lib_apputils_Makefile.in) = 085004041a2bb8c4bb3074c2e71e71f22f4f06d7
 SHA1 (patch-lib_apputils_udppktinfo.c) = 47ac861181faebfe5f95c28be329ce917ece872c
 SHA1 (patch-lib_gssapi_Makefile.in) = 806b089d3b12ea9a17c6caab59cbdeb6ec17bbc3
@@ -28,5 +28,5 @@ SHA1 (patch-plugins_kdb_db2_libdb2_Makef
 SHA1 (patch-plugins_kdb_ldap_ldap__util_Makefile.in) = 7aa0f44cc02c523c837e7e3e1766624d2323deb9
 SHA1 (patch-plugins_preauth_otp_Makefile.in) = 8c779e3b37cab4138f300f4a09325387092c79f8
 SHA1 (patch-plugins_preauth_pkinit_Makefile.in) = 7d9e5429737536bf1577a41040e6587bb55d8142
-SHA1 (patch-util_k5ev_verto-k5ev.c) = 8f074ddccbaaa03576f0302437aed3aaad1b738d
 SHA1 (patch-util_ss_Makefile.in) = 5ca0bf7295a8f4c1d8e59097863940f88d224ee7
+SHA1 (patch-util_verto_verto-k5ev.c) = 8f074ddccbaaa03576f0302437aed3aaad1b738d

Index: pkgsrc/security/mit-krb5/patches/patch-kprop_kproplog.c
diff -u pkgsrc/security/mit-krb5/patches/patch-kprop_kproplog.c:1.1 pkgsrc/security/mit-krb5/patches/patch-kprop_kproplog.c:1.2
--- pkgsrc/security/mit-krb5/patches/patch-kprop_kproplog.c:1.1 Thu Apr  9 10:57:49 2020
+++ pkgsrc/security/mit-krb5/patches/patch-kprop_kproplog.c     Fri Jan  5 23:46:29 2024
@@ -1,15 +1,15 @@
-$NetBSD: patch-kprop_kproplog.c,v 1.1 2020/04/09 10:57:49 adam Exp $
+$NetBSD: patch-kprop_kproplog.c,v 1.2 2024/01/05 23:46:29 adam Exp $
 
 Fix mmap -Werror=incompatible-pointer-types.
 
---- kprop/kproplog.c.orig      2020-04-09 08:50:26.000000000 +0000
+--- kprop/kproplog.c.orig      2023-08-14 16:16:43.000000000 +0000
 +++ kprop/kproplog.c
-@@ -412,7 +412,7 @@ map_ulog(const char *filename)
-         return NULL;
-     if (fstat(fd, &st) < 0)
+@@ -415,7 +415,7 @@ map_ulog(const char *filename, int *fd_o
+         close(fd);
          return NULL;
+     }
 -    ulog = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
 +    ulog = (kdb_hlog_t *)mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
-     return (ulog == MAP_FAILED) ? NULL : ulog;
- }
- 
+     if (ulog == MAP_FAILED) {
+         close(fd);
+         return NULL;

Added files:

Index: pkgsrc/security/mit-krb5/patches/patch-util_verto_verto-k5ev.c
diff -u /dev/null pkgsrc/security/mit-krb5/patches/patch-util_verto_verto-k5ev.c:1.1
--- /dev/null   Fri Jan  5 23:46:29 2024
+++ pkgsrc/security/mit-krb5/patches/patch-util_verto_verto-k5ev.c      Fri Jan  5 23:46:29 2024
@@ -0,0 +1,15 @@
+$NetBSD: patch-util_verto_verto-k5ev.c,v 1.1 2024/01/05 23:46:29 adam Exp $
+
+Fix include file path
+
+--- util/verto/verto-k5ev.c.orig       2018-05-03 14:34:47.000000000 +0000
++++ util/verto/verto-k5ev.c
+@@ -35,7 +35,7 @@
+ 
+ #include <verto.h>
+ #include <verto-module.h>
+-#include "rename.h"
++#include "gssrpc/rename.h"
+ 
+ /* Ignore some warnings generated by the libev code, which the libev maintainer
+  * isn't interested in avoiding. */


