pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/security/mit-krb5 Update to 1.14.5 and patch for CVE-2...
details: https://anonhg.NetBSD.org/pkgsrc/rev/500e2c83ee72
branches: trunk
changeset: 367012:500e2c83ee72
user: tez <tez%pkgsrc.org@localhost>
date: Mon Aug 21 22:19:26 2017 +0000
description:
Update to 1.14.5 and patch for CVE-2017-11368
diffstat:
security/mit-krb5/Makefile | 5 +-
security/mit-krb5/distinfo | 11 +-
security/mit-krb5/patches/patch-CVE-2017-11368 | 79 ++++++++++++++++++++++++++
3 files changed, 88 insertions(+), 7 deletions(-)
diffs (116 lines):
diff -r 9c1b51199414 -r 500e2c83ee72 security/mit-krb5/Makefile
--- a/security/mit-krb5/Makefile Mon Aug 21 18:49:39 2017 +0000
+++ b/security/mit-krb5/Makefile Mon Aug 21 22:19:26 2017 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.93 2016/10/28 20:56:14 tez Exp $
+# $NetBSD: Makefile,v 1.94 2017/08/21 22:19:26 tez Exp $
-DISTNAME= krb5-1.14.4
+DISTNAME= krb5-1.14.5
PKGNAME= mit-${DISTNAME}
+PKGREVISION= 1
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV:R}/
EXTRACT_SUFX= .tar.gz
diff -r 9c1b51199414 -r 500e2c83ee72 security/mit-krb5/distinfo
--- a/security/mit-krb5/distinfo Mon Aug 21 18:49:39 2017 +0000
+++ b/security/mit-krb5/distinfo Mon Aug 21 22:19:26 2017 +0000
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.60 2016/10/28 20:56:14 tez Exp $
+$NetBSD: distinfo,v 1.61 2017/08/21 22:19:26 tez Exp $
-SHA1 (krb5-1.14.4.tar.gz) = b5b4a940934a5b708fbf30a1a1121439df6d5853
-RMD160 (krb5-1.14.4.tar.gz) = 12d788cca175bcf20e8497d30698a3244a7a6983
-SHA512 (krb5-1.14.4.tar.gz) = 5eb16b909d69143bfa8b2a7ba4c0deb74408462a5ec1241e97f37e30d29e259767be91a4533119e2c5e92d1fcbcab97038b2e45ad3361b5a61c3dc562c6d0d67
-Size (krb5-1.14.4.tar.gz) = 12283989 bytes
+SHA1 (krb5-1.14.5.tar.gz) = 3b8d8c4a09350f8807a8e6eb9971617755a4521f
+RMD160 (krb5-1.14.5.tar.gz) = 673087853a1ce9551d69516e01fbfd888feff717
+SHA512 (krb5-1.14.5.tar.gz) = 2484f9581b5e0b99cc49ba7f8770ea3a8751e756c98cc552d92ca223575eac58f6f1a9c268254ead4435d2d49b50ccf3181eb7bdbd56874c43f91bcfc2a66d3b
+Size (krb5-1.14.5.tar.gz) = 12322802 bytes
+SHA1 (patch-CVE-2017-11368) = 91551099d48690c051ada72889bc645706775eb1
SHA1 (patch-Makefile.in) = 11ead9de708f4da99233b66df2cf906b156faa87
SHA1 (patch-aa) = 941848a1773dfbe51dff3134d4b8504a850a958d
SHA1 (patch-ae) = c7395b9de5baf6612b8787fad55dbc051a680bfd
diff -r 9c1b51199414 -r 500e2c83ee72 security/mit-krb5/patches/patch-CVE-2017-11368
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-CVE-2017-11368 Mon Aug 21 22:19:26 2017 +0000
@@ -0,0 +1,79 @@
+$NetBSD: patch-CVE-2017-11368,v 1.1 2017/08/21 22:19:26 tez Exp $
+
+Patch for CVE-2017-11368 from:
+https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970.diff
+
+
+diff --git kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 2d3ad134d0..9b256c8764 100644
+--- kdc/do_as_req.c
++++ kdc/do_as_req.c
+@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
+ did_log = 1;
+
+ egress:
+- if (errcode != 0)
+- assert (state->status != 0);
++ if (errcode != 0 && state->status == NULL)
++ state->status = "UNKNOWN_REASON";
+
+ au_state->status = state->status;
+ au_state->reply = &state->reply;
+diff --git kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index cdc79ad2f1..d8d67199b9 100644
+--- kdc/do_tgs_req.c
++++ kdc/do_tgs_req.c
+@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
+ free(reply.enc_part.ciphertext.data);
+
+ cleanup:
+- assert(status != NULL);
++ if (status == NULL)
++ status = "UNKNOWN_REASON";
+ if (reply_key)
+ krb5_free_keyblock(kdc_context, reply_key);
+ if (errcode)
+diff --git kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 778a629e52..b710aefe4c 100644
+--- kdc/kdc_util.c
++++ kdc/kdc_util.c
+@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
+ req_data.data = (char *)pa_data->contents;
+
+ code = decode_krb5_pa_for_user(&req_data, &for_user);
+- if (code)
++ if (code) {
++ *status = "DECODE_PA_FOR_USER";
+ return code;
++ }
+
+ code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
+ if (code) {
+@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
+ req_data.data = (char *)pa_data->contents;
+
+ code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
+- if (code)
++ if (code) {
++ *status = "DECODE_PA_S4U_X509_USER";
+ return code;
++ }
+
+ code = verify_s4u_x509_user_checksum(context,
+ tgs_subkey ? tgs_subkey :
+@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
+ * that is validated previously in validate_tgs_request().
+ */
+ if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
++ *status = "INVALID_S4U2PROXY_OPTIONS";
+ return KRB5KDC_ERR_BADOPTION;
+ }
+
+@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
+ if (!krb5_principal_compare(kdc_context,
+ server->princ, /* after canon */
+ server_princ)) {
++ *status = "EVIDENCE_TICKET_MISMATCH";
+ return KRB5KDC_ERR_SERVER_NOMATCH;
+ }
+
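Review bot: The two fallbacks that replace the asserts, `state->status = "UNKNOWN_REASON";` at `egress:` in do_as_req.c and `status = "UNKNOWN_REASON";` at `cleanup:` in do_tgs_req.c, have no comment explaining why an assert must not be restored there. The embedded patch sets `*status` only on the four returns it shows in kdc_util.c, so other early returns outside these hunks may still reach the labels with status unset; the fallback is then what keeps the KDC from aborting. I would add above each fallback a comment such as `/* No assert here: status may be unset on error paths driven by request contents (CVE-2017-11368). */`. An "UNKNOWN_REASON" status in the KDC log presumably marks a path that never set a reason, so the patch header could also say that such entries deserve a look. All of the touched functions start and end outside the hunks shown.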