author | Patrick J Volkerding <volkerdi@slackware.com> | 2022-11-17 01:49:28 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2022-11-17 13:30:31 +0100 |
commit | 45ec128defe50bcf5f3b67d607a7292fa44e78a2 (patch) | |
tree | 3257123a5c7e39987e3c836e6ff617e90231b637 /patches/source/krb5 | |
parent | 68513bbb1bc0621018d9cbbe21b6a5c87a7ab2dc (diff) | |
download | current-45ec128defe50bcf5f3b67d607a7292fa44e78a2.tar.gz current-45ec128defe50bcf5f3b67d607a7292fa44e78a2.tar.xz |
Thu Nov 17 01:49:28 UTC 2022 [20221117014928_15.0]
patches/packages/krb5-1.19.2-x86_64-3_slack15.0.txz: Rebuilt.
Fixed integer overflows in PAC parsing.
Fixed memory leak in OTP kdcpreauth module.
Fixed PKCS11 module path search.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-42898
(* Security fix *)
patches/packages/mozilla-firefox-102.5.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/102.5.0/releasenotes/
https://www.mozilla.org/security/advisories/mfsa2022-48/
https://www.cve.org/CVERecord?id=CVE-2022-45403
https://www.cve.org/CVERecord?id=CVE-2022-45404
https://www.cve.org/CVERecord?id=CVE-2022-45405
https://www.cve.org/CVERecord?id=CVE-2022-45406
https://www.cve.org/CVERecord?id=CVE-2022-45408
https://www.cve.org/CVERecord?id=CVE-2022-45409
https://www.cve.org/CVERecord?id=CVE-2022-45410
https://www.cve.org/CVERecord?id=CVE-2022-45411
https://www.cve.org/CVERecord?id=CVE-2022-45412
https://www.cve.org/CVERecord?id=CVE-2022-45416
https://www.cve.org/CVERecord?id=CVE-2022-45418
https://www.cve.org/CVERecord?id=CVE-2022-45420
https://www.cve.org/CVERecord?id=CVE-2022-45421
(* Security fix *)
patches/packages/mozilla-thunderbird-102.5.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.5.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/
https://www.cve.org/CVERecord?id=CVE-2022-45403
https://www.cve.org/CVERecord?id=CVE-2022-45404
https://www.cve.org/CVERecord?id=CVE-2022-45405
https://www.cve.org/CVERecord?id=CVE-2022-45406
https://www.cve.org/CVERecord?id=CVE-2022-45408
https://www.cve.org/CVERecord?id=CVE-2022-45409
https://www.cve.org/CVERecord?id=CVE-2022-45410
https://www.cve.org/CVERecord?id=CVE-2022-45411
https://www.cve.org/CVERecord?id=CVE-2022-45412
https://www.cve.org/CVERecord?id=CVE-2022-45416
https://www.cve.org/CVERecord?id=CVE-2022-45418
https://www.cve.org/CVERecord?id=CVE-2022-45420
https://www.cve.org/CVERecord?id=CVE-2022-45421
(* Security fix *)
patches/packages/samba-4.15.12-x86_64-1_slack15.0.txz: Upgraded.
Fixed a security issue where Samba's Kerberos libraries and AD DC failed
to guard against integer overflows when parsing a PAC on a 32-bit system,
which allowed an attacker with a forged PAC to corrupt the heap.
For more information, see:
https://www.samba.org/samba/security/CVE-2022-42898.html
https://www.cve.org/CVERecord?id=CVE-2022-42898
(* Security fix *)
patches/packages/xfce4-settings-4.16.5-x86_64-1_slack15.0.txz: Upgraded.
This update fixes regressions in the previous security fix:
mime-settings: Properly quote command parameters.
Revert "Escape characters which do not belong into an URI/URL (Issue #390)."
Diffstat (limited to 'patches/source/krb5')
-rw-r--r-- | patches/source/krb5/5ad465bc8e0d957a4945218bea487b77622bf433.patch | 48 | ||||
-rw-r--r-- | patches/source/krb5/conf/kadmind | 2 | ||||
-rw-r--r-- | patches/source/krb5/conf/kdc.conf.example | 35 | ||||
-rw-r--r-- | patches/source/krb5/conf/kpropd | 2 | ||||
-rw-r--r-- | patches/source/krb5/conf/krb5.conf.example | 29 | ||||
-rw-r--r-- | patches/source/krb5/conf/krb5kdc | 2 | ||||
-rw-r--r-- | patches/source/krb5/conf/rc.kadmind | 40 | ||||
-rw-r--r-- | patches/source/krb5/conf/rc.kpropd | 41 | ||||
-rw-r--r-- | patches/source/krb5/conf/rc.krb5kdc | 41 | ||||
-rw-r--r-- | patches/source/krb5/d775c95af7606a51bf79547a94fa52ddd1cb7f49.patch | 43 | ||||
-rw-r--r-- | patches/source/krb5/doinst.sh | 30 | ||||
-rw-r--r-- | patches/source/krb5/e134d9a6b6332bd085093e9075c949ece784fcd0.patch | 65 | ||||
-rw-r--r-- | patches/source/krb5/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583.patch | 103 | ||||
-rwxr-xr-x | patches/source/krb5/krb5.SlackBuild | 199 | ||||
-rw-r--r-- | patches/source/krb5/krb5.url | 1 | ||||
-rw-r--r-- | patches/source/krb5/slack-desc | 19 |
16 files changed, 700 insertions, 0 deletions
diff --git a/patches/source/krb5/5ad465bc8e0d957a4945218bea487b77622bf433.patch b/patches/source/krb5/5ad465bc8e0d957a4945218bea487b77622bf433.patch
new file mode 100644
index 000000000..9819447e8
--- /dev/null
+++ b/patches/source/krb5/5ad465bc8e0d957a4945218bea487b77622bf433.patch
@@ -0,0 +1,48 @@
+From 5ad465bc8e0d957a4945218bea487b77622bf433 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 3 Jun 2022 14:30:42 -0400
+Subject: [PATCH] Fix memory leak in OTP kdcpreauth module
+
+In otp_edata(), free the generated nonce.
+
+ticket: 9063 (new)
+tags: pullup
+target_version: 1.20-next
+target_version: 1.19-next
+---
+ src/plugins/preauth/otp/main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c
+index 119714f994..0e682aae58 100644
+--- a/src/plugins/preauth/otp/main.c
++++ b/src/plugins/preauth/otp/main.c
+@@ -228,7 +228,7 @@ otp_edata(krb5_context context, krb5_kdc_req *request,
+     krb5_pa_otp_challenge chl;
+     krb5_pa_data *pa = NULL;
+     krb5_error_code retval;
+-    krb5_data *encoding;
++    krb5_data *encoding, nonce = empty_data();
+     char *config;
+ 
+     /* Determine if otp is enabled for the user. */
+@@ -256,9 +256,10 @@ otp_edata(krb5_context context, krb5_kdc_req *request,
+     ti.iteration_count = -1;
+ 
+     /* Generate the nonce. */
+-    retval = nonce_generate(context, armor_key->length, &chl.nonce);
++    retval = nonce_generate(context, armor_key->length, &nonce);
+     if (retval != 0)
+         goto out;
++    chl.nonce = nonce;
+ 
+     /* Build the output pa-data. */
+     retval = encode_krb5_pa_otp_challenge(&chl, &encoding);
+@@ -275,6 +276,7 @@ otp_edata(krb5_context context, krb5_kdc_req *request,
+     free(encoding);
+ 
+ out:
++    krb5_free_data_contents(context, &nonce);
+     (*respond)(arg, retval, pa);
+ }
+ 
diff --git a/patches/source/krb5/conf/kadmind b/patches/source/krb5/conf/kadmind
new file mode 100644
index 000000000..5913ac120
--- /dev/null
+++ b/patches/source/krb5/conf/kadmind
@@ -0,0 +1,2 @@
+# To set additional options for kadmind, add them in the variable below:
+KADMIND_OPTIONS=""
diff --git a/patches/source/krb5/conf/kdc.conf.example b/patches/source/krb5/conf/kdc.conf.example
new file mode 100644
index 000000000..1c7cc3a94
--- /dev/null
+++ b/patches/source/krb5/conf/kdc.conf.example
@@ -0,0 +1,35 @@
+[kdcdefaults]
+    kdc_listen = 88
+    kdc_tcp_listen = 88
+
+[realms]
+    ATHENA.MIT.EDU = {
+        kadmind_port = 749
+        max_life = 12h 0m 0s
+        max_renewable_life = 7d 0h 0m 0s
+        master_key_type = aes256-cts-hmac-sha1-96
+        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
+        database_module = openldap_ldapconf
+    }
+
+[logging]
+    kdc = FILE:/var/kerberos/krb5kdc/kdc.log
+    admin_server = FILE:/var/kerberos/krb5kdc/kadmin.log
+
+[dbdefaults]
+    ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
+
+[dbmodules]
+    openldap_ldapconf = {
+        db_library = kldap
+        disable_last_success = true
+        ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
+        # this object needs to have read rights on
+        # the realm container and principal subtrees
+        ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
+        # this object needs to have read and write rights on
+        # the realm container and principal subtrees
+        ldap_service_password_file = /etc/kerberos/service.keyfile
+        ldap_servers = ldaps://kerberos.mit.edu
+        ldap_conns_per_server = 5
+    }
diff --git a/patches/source/krb5/conf/kpropd b/patches/source/krb5/conf/kpropd
new file mode 100644
index 000000000..cc65d10b4
--- /dev/null
+++ b/patches/source/krb5/conf/kpropd
@@ -0,0 +1,2 @@
+# To set additional options for kpropd, add them in the variable below:
+KPROPD_OPTIONS=""
diff --git a/patches/source/krb5/conf/krb5.conf.example b/patches/source/krb5/conf/krb5.conf.example
new file mode 100644
index 000000000..705e7cf30
--- /dev/null
+++ b/patches/source/krb5/conf/krb5.conf.example
@@ -0,0 +1,29 @@
+[libdefaults]
+    default_realm = ATHENA.MIT.EDU
+    dns_lookup_kdc = true
+    dns_lookup_realm = false
+
+[realms]
+    ATHENA.MIT.EDU = {
+        kdc = kerberos.mit.edu
+        kdc = kerberos-1.mit.edu
+        kdc = kerberos-2.mit.edu
+        admin_server = kerberos.mit.edu
+        master_kdc = kerberos.mit.edu
+    }
+    EXAMPLE.COM = {
+        kdc = kerberos.example.com
+        kdc = kerberos-1.example.com
+        admin_server = kerberos.example.com
+    }
+
+[domain_realm]
+    mit.edu = ATHENA.MIT.EDU
+
+[capaths]
+    ATHENA.MIT.EDU = {
+        EXAMPLE.COM = .
+    }
+    EXAMPLE.COM = {
+        ATHENA.MIT.EDU = .
+    }
diff --git a/patches/source/krb5/conf/krb5kdc b/patches/source/krb5/conf/krb5kdc
new file mode 100644
index 000000000..6679d1b80
--- /dev/null
+++ b/patches/source/krb5/conf/krb5kdc
@@ -0,0 +1,2 @@
+# To set additional options for krb5kdc, add them in the variable below:
+KRB5KDC_OPTIONS=""
diff --git a/patches/source/krb5/conf/rc.kadmind b/patches/source/krb5/conf/rc.kadmind
new file mode 100644
index 000000000..2f838a7c4
--- /dev/null
+++ b/patches/source/krb5/conf/rc.kadmind
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Start the Kerberos administration server. This typically runs on the
+# master Kerberos server, which stores the KDC database.
+
+# To change the default options, edit /etc/default/kadmind.
+if [ -r /etc/default/kadmind ]; then
+  . /etc/default/kadmind
+fi
+
+start_atd() {
+  if ! /usr/bin/pgrep --ns $$ --euid root -f "^/usr/sbin/kadmind" 1> /dev/null 2> /dev/null ; then
+    echo "Starting kadmind: /usr/sbin/kadmind $KADMIND_OPTIONS"
+    /usr/sbin/kadmind $KADMIND_OPTIONS
+  fi
+}
+
+stop_atd() {
+  echo "Stopping kadmind."
+  /usr/bin/pkill --ns $$ --euid root -f "^/usr/sbin/kadmind" 2> /dev/null
+}
+
+restart_atd() {
+  stop_atd
+  sleep 1
+  start_atd
+}
+
+case "$1" in
+'start')
+  start_atd
+  ;;
+'stop')
+  stop_atd
+  ;;
+'restart')
+  restart_atd
+  ;;
+*)
+  echo "usage $0 start|stop|restart"
+esac
diff --git a/patches/source/krb5/conf/rc.kpropd b/patches/source/krb5/conf/rc.kpropd
new file mode 100644
index 000000000..8dde85d87
--- /dev/null
+++ b/patches/source/krb5/conf/rc.kpropd
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Start the Kerberos V5 slave KDC update server. This runs on a slave
+# (secondary) KDC server. It allows the master Kerberos server to use
+# kprop(8) to propagate its database to the slave servers.
+
+# To change the default options, edit /etc/default/kpropd.
+if [ -r /etc/default/kpropd ]; then
+  . /etc/default/kpropd
+fi
+
+start_atd() {
+  if ! /usr/bin/pgrep --ns $$ --euid root -f "^/usr/sbin/kpropd" 1> /dev/null 2> /dev/null ; then
+    echo "Starting kpropd: /usr/sbin/kpropd $KPROPD_OPTIONS"
+    /usr/sbin/kpropd $KPROPD_OPTIONS
+  fi
+}
+
+stop_atd() {
+  echo "Stopping kpropd."
+  /usr/bin/pkill --ns $$ --euid root -f "^/usr/sbin/kpropd" 2> /dev/null
+}
+
+restart_atd() {
+  stop_atd
+  sleep 1
+  start_atd
+}
+
+case "$1" in
+'start')
+  start_atd
+  ;;
+'stop')
+  stop_atd
+  ;;
+'restart')
+  restart_atd
+  ;;
+*)
+  echo "usage $0 start|stop|restart"
+esac
diff --git a/patches/source/krb5/conf/rc.krb5kdc b/patches/source/krb5/conf/rc.krb5kdc
new file mode 100644
index 000000000..5e9baef1a
--- /dev/null
+++ b/patches/source/krb5/conf/rc.krb5kdc
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Start krb5kdc, which is the Kerberos version 5 Authentication Service
+# and Key Distribution Center (AS/KDC). This needs to run first on both
+# master and secondary KDCs.
+
+# To change the default options, edit /etc/default/krb5kdc.
+if [ -r /etc/default/krb5kdc ]; then
+  . /etc/default/krb5kdc
+fi
+
+start_atd() {
+  if ! /usr/bin/pgrep --ns $$ --euid root -f "^/usr/sbin/krb5kdc" 1> /dev/null 2> /dev/null ; then
+    echo "Starting krb5kdc: /usr/sbin/krb5kdc $KRB5KDC_OPTIONS"
+    /usr/sbin/krb5kdc $KRB5KDC_OPTIONS
+  fi
+}
+
+stop_atd() {
+  echo "Stopping krb5kdc."
+  /usr/bin/pkill --ns $$ --euid root -f "^/usr/sbin/krb5kdc" 2> /dev/null
+}
+
+restart_atd() {
+  stop_atd
+  sleep 1
+  start_atd
+}
+
+case "$1" in
+'start')
+  start_atd
+  ;;
+'stop')
+  stop_atd
+  ;;
+'restart')
+  restart_atd
+  ;;
+*)
+  echo "usage $0 start|stop|restart"
+esac
diff --git a/patches/source/krb5/d775c95af7606a51bf79547a94fa52ddd1cb7f49.patch b/patches/source/krb5/d775c95af7606a51bf79547a94fa52ddd1cb7f49.patch
new file mode 100644
index 000000000..7623d8292
--- /dev/null
+++ b/patches/source/krb5/d775c95af7606a51bf79547a94fa52ddd1cb7f49.patch
@@ -0,0 +1,43 @@
+From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 3 Aug 2021 01:15:27 -0400
+Subject: [PATCH] Fix KDC null deref on TGS inner body null server
+
+After the KDC decodes a FAST inner body, it does not check for a null
+server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
+would typically result in an error from krb5_unparse_name(), but with
+the addition of get_local_tgt() it results in a null dereference. Add
+a null check.
+
+Reported by Joseph Sutton of Catalyst.
+
+CVE-2021-37750:
+
+In MIT krb5 releases 1.14 and later, an authenticated attacker can
+cause a null dereference in the KDC by sending a FAST TGS request with
+no server field.
+
+ticket: 9008 (new)
+tags: pullup
+target_version: 1.19-next
+target_version: 1.18-next
+---
+ src/kdc/do_tgs_req.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index 582e497cc9..32dc65fa8e 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -204,6 +204,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
+         status = "FIND_FAST";
+         goto cleanup;
+     }
++    if (sprinc == NULL) {
++        status = "NULL_SERVER";
++        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
++        goto cleanup;
++    }
+ 
+     errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
+                             &local_tgt, &local_tgt_storage, &local_tgt_key);
diff --git a/patches/source/krb5/doinst.sh b/patches/source/krb5/doinst.sh
new file mode 100644
index 000000000..8c0fa65e2
--- /dev/null
+++ b/patches/source/krb5/doinst.sh
@@ -0,0 +1,30 @@
+config() {
+  NEW="$1"
+  OLD="$(dirname $NEW)/$(basename $NEW .new)"
+  # If there's no config file by that name, mv it over:
+  if [ ! -r $OLD ]; then
+    mv $NEW $OLD
+  elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+    # toss the redundant copy
+    rm $NEW
+  fi
+  # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+preserve_perms() {
+  NEW="$1"
+  OLD="$(dirname $NEW)/$(basename $NEW .new)"
+  if [ -e $OLD ]; then
+    cp -a $OLD ${NEW}.incoming
+    cat $NEW > ${NEW}.incoming
+    mv ${NEW}.incoming $NEW
+  fi
+  config $NEW
+}
+
+preserve_perms etc/rc.d/rc.kadmind.new
+preserve_perms etc/rc.d/rc.kpropd.new
+preserve_perms etc/rc.d/rc.krb5kdc.new
+config etc/default/kadmind.new
+config etc/default/kpropd.new
+config etc/default/krb5kdc.new
diff --git a/patches/source/krb5/e134d9a6b6332bd085093e9075c949ece784fcd0.patch b/patches/source/krb5/e134d9a6b6332bd085093e9075c949ece784fcd0.patch
new file mode 100644
index 000000000..6bf0b90a2
--- /dev/null
+++ b/patches/source/krb5/e134d9a6b6332bd085093e9075c949ece784fcd0.patch
@@ -0,0 +1,65 @@
+From e134d9a6b6332bd085093e9075c949ece784fcd0 Mon Sep 17 00:00:00 2001
+From: sashan <anedvedicky@gmail.com>
+Date: Sat, 18 Jun 2022 00:05:32 +0200
+Subject: [PATCH] Fix PKCS11 module path search
+
+Commit c5c11839e02c7993eb78f2c94c75c10cf93f2195 switched the loading
+of the PKCS#11 module from dlopen() to krb5int_open_plugin(). Because
+krb5int_open_plugin() includes a stat() test, this change has the
+unintended consequence of requiring the module name to be an absolute
+or relative path to the library, not a filename within the dynamic
+linker search path.
+
+Within krb5int_open_plugin(), only stat() the filename on the
+platforms which will use the file type.
+
+[ghudson@mit.edu: adjusted conditionals to call stat() on Windows;
+rewrote commit message]
+
+ticket: 9067 (new)
+tags: pullup
+target_version: 1.20-next
+---
+ src/util/support/plugins.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/util/support/plugins.c b/src/util/support/plugins.c
+index 1ff10c354d0..c6a9a21d57c 100644
+--- a/src/util/support/plugins.c
++++ b/src/util/support/plugins.c
+@@ -189,9 +189,10 @@ long KRB5_CALLCONV
+ krb5int_open_plugin (const char *filepath, struct plugin_file_handle **h, struct errinfo *ep)
+ {
+     long err = 0;
+-    struct stat statbuf;
+     struct plugin_file_handle *htmp = NULL;
+     int got_plugin = 0;
++#if defined(USE_CFBUNDLE) || defined(_WIN32)
++    struct stat statbuf;
+ 
+     if (!err) {
+         if (stat (filepath, &statbuf) < 0) {
+@@ -201,6 +202,7 @@ krb5int_open_plugin (const char *filepath, struct plugin_file_handle **h, struct
+                                 filepath, strerror(err));
+         }
+     }
++#endif
+ 
+     if (!err) {
+         htmp = calloc (1, sizeof (*htmp)); /* calloc initializes ptrs to NULL */
+@@ -208,11 +210,12 @@ krb5int_open_plugin (const char *filepath, struct plugin_file_handle **h, struct
+     }
+ 
+ #if USE_DLOPEN
+-    if (!err && ((statbuf.st_mode & S_IFMT) == S_IFREG
++    if (!err
+ #if USE_CFBUNDLE
+-        || (statbuf.st_mode & S_IFMT) == S_IFDIR
++        && ((statbuf.st_mode & S_IFMT) == S_IFREG
++            || (statbuf.st_mode & S_IFMT) == S_IFDIR)
+ #endif /* USE_CFBUNDLE */
+-        )) {
++        ) {
+         void *handle = NULL;
+ 
+ #if USE_CFBUNDLE
diff --git a/patches/source/krb5/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583.patch b/patches/source/krb5/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583.patch
new file mode 100644
index 000000000..74c635f34
--- /dev/null
+++ b/patches/source/krb5/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583.patch
@@ -0,0 +1,103 @@
+From ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 17 Oct 2022 20:25:11 -0400
+Subject: [PATCH] Fix integer overflows in PAC parsing
+
+In krb5_parse_pac(), check for buffer counts large enough to threaten
+integer overflow in the header length and memory length calculations.
+Avoid potential integer overflows when checking the length of each
+buffer. Credit to OSS-Fuzz for discovering one of the issues.
+
+CVE-2022-42898:
+
+In MIT krb5 releases 1.8 and later, an authenticated attacker may be
+able to cause a KDC or kadmind process to crash by reading beyond the
+bounds of allocated memory, creating a denial of service. A
+privileged attacker may similarly be able to cause a Kerberos or GSS
+application service to crash. On 32-bit platforms, an attacker can
+also cause insufficient memory to be allocated for the result,
+potentially leading to remote code execution in a KDC, kadmind, or GSS
+or Kerberos application server process. An attacker with the
+privileges of a cross-realm KDC may be able to extract secrets from a
+KDC process's memory by having them copied into the PAC of a new
+ticket.
+
+ticket: 9074 (new)
+tags: pullup
+target_version: 1.20-next
+target_version: 1.19-next
+---
+ src/lib/krb5/krb/pac.c | 9 +++++++--
+ src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
+index 2f1df8d42b..f6c4373de0 100644
+--- a/src/lib/krb5/krb/pac.c
++++ b/src/lib/krb5/krb/pac.c
+@@ -28,6 +28,8 @@
+ #include "int-proto.h"
+ #include "authdata.h"
+ 
++#define MAX_BUFFERS 4096
++
+ /* draft-brezak-win2k-krb-authz-00 */
+ 
+ /*
+@@ -317,6 +319,9 @@ krb5_pac_parse(krb5_context context,
+     if (version != 0)
+         return EINVAL;
+ 
++    if (cbuffers < 1 || cbuffers > MAX_BUFFERS)
++        return ERANGE;
++
+     header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
+     if (len < header_len)
+         return ERANGE;
+@@ -349,8 +354,8 @@ krb5_pac_parse(krb5_context context,
+             krb5_pac_free(context, pac);
+             return EINVAL;
+         }
+-        if (buffer->Offset < header_len ||
+-            buffer->Offset + buffer->cbBufferSize > len) {
++        if (buffer->Offset < header_len || buffer->Offset > len ||
++            buffer->cbBufferSize > len - buffer->Offset) {
+             krb5_pac_free(context, pac);
+             return ERANGE;
+         }
+diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
+index 0b1b1f0564..173bde7bab 100644
+--- a/src/lib/krb5/krb/t_pac.c
++++ b/src/lib/krb5/krb/t_pac.c
+@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = {
+     0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00
+ };
+ 
++static const unsigned char fuzz1[] = {
++    0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
++    0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5
++};
++
++static const unsigned char fuzz2[] = {
++    0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
++    0x20, 0x20
++};
++
+ static const char *s4u_principal = "w2k8u@ACME.COM";
+ static const char *s4u_enterprise = "w2k8u@abc@ACME.COM";
+ 
+@@ -828,6 +838,14 @@ main(int argc, char **argv)
+         krb5_free_principal(context, sep);
+     }
+ 
++    /* Check problematic PACs found by fuzzing. */
++    ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);
++    if (!ret)
++        err(context, ret, "krb5_pac_parse should have failed");
++    ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);
++    if (!ret)
++        err(context, ret, "krb5_pac_parse should have failed");
++
+     /*
+      * Test empty free
+      */
diff --git a/patches/source/krb5/krb5.SlackBuild b/patches/source/krb5/krb5.SlackBuild
new file mode 100755
index 000000000..49ea6646d
--- /dev/null
+++ b/patches/source/krb5/krb5.SlackBuild
@@ -0,0 +1,199 @@
+#!/bin/sh
+
+# Copyright 2009 Tom Canich, State College, Pennsylvania, USA
+# Copyright 2015-2017 Willy Sudiarto Raharjo <willysr@slackbuilds.org>
+# Copyright 2017, 2018, 2019, 2020, 2022 Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+cd $(dirname $0) ; CWD=$(pwd)
+
+PKGNAM=krb5
+VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-3_slack15.0}
+
+if [ -z "$ARCH" ]; then
+  case "$( uname -m )" in
+    i?86) ARCH=i586 ;;
+    arm*) ARCH=arm ;;
+    *) ARCH=$( uname -m ) ;;
+  esac
+fi
+
+NUMJOBS=${NUMJOBS:-" -j7 "}
+
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-$PKGNAM
+
+if [ "$ARCH" = "i586" ]; then
+  SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+  LIBDIRSUFFIX=""
+elif [ "$ARCH" = "i686" ]; then
+  SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+  LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+  SLKCFLAGS="-O2 -fPIC"
+  LIBDIRSUFFIX="64"
+else
+  SLKCFLAGS="-O2"
+  LIBDIRSUFFIX=""
+fi
+
+# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
+# the name of the created package would be, and then exit. This information
+# could be useful to other scripts.
+if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
+  echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
+  exit 0
+fi
+
+rm -rf $PKG
+mkdir -p $TMP $PKG
+cd $TMP
+rm -rf $PKGNAM-$VERSION
+tar xvf $CWD/$PKGNAM-$VERSION.tar.?z || exit 1
+cd $PKGNAM-$VERSION || exit 1
+
+chown -R root:root .
+find . \
+  \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+  -exec chmod 755 {} \+ -o \
+  \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+  -exec chmod 644 {} \+
+
+sed -i "/KRB5ROOT=/s/\/local//" src/util/ac_check_krb5.m4
+
+cat $CWD/d775c95af7606a51bf79547a94fa52ddd1cb7f49.patch | patch -p1 --verbose || exit 1
+cat $CWD/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583.patch | patch -p1 --verbose || exit 1
+cat $CWD/e134d9a6b6332bd085093e9075c949ece784fcd0.patch | patch -p1 --verbose || exit 1
+cat $CWD/5ad465bc8e0d957a4945218bea487b77622bf433.patch | patch -p1 --verbose || exit 1
+
+cd src
+
+CFLAGS="$SLKCFLAGS" \
+CXXFLAGS="$SLKCFLAGS" \
+CPPFLAGS+=" -I/usr/include/et" \
+./configure \
+  --prefix=/usr \
+  --libdir=/usr/lib${LIBDIRSUFFIX} \
+  --sysconfdir=/etc \
+  --localstatedir=/var/kerberos \
+  --runstatedir=/var/run \
+  --mandir=/usr/man \
+  --enable-dns-for-realm \
+  --with-ldap \
+  --with-system-et \
+  --with-system-ss \
+  --enable-pkinit \
+  --with-tls-impl=openssl \
+  --with-system-verto=no \
+  --with-prng-alg=os \
+  --build=$ARCH-slackware-linux || exit 1
+
+# Build:
+make $NUMJOBS || make || exit 1
+
+# Double check for proper runstatedir setting:
+if ! grep -q /var/run/krb5kdc include/osconf.h ; then
+  echo "FATAL: runstatedir not set properly: $(grep KDC_RUN_DIR include/osconf.h)"
+  exit 1
+fi
+
+# Install:
+make install DESTDIR=$PKG || exit 1
+
+# Don't ship .la files:
+rm -f $PKG/{,usr/}lib${LIBDIRSUFFIX}/*.la
+
+# Fix perms on shared objects:
+find $PKG/usr/lib${LIBDIRSUFFIX} -name "*.so*" -exec chmod 755 "{}" \+
+
+# Install init scripts:
+mkdir -p $PKG/etc/rc.d
+cp -a $CWD/conf/rc.kadmind $PKG/etc/rc.d/rc.kadmind.new
+cp -a $CWD/conf/rc.kpropd $PKG/etc/rc.d/rc.kpropd.new
+cp -a $CWD/conf/rc.krb5kdc $PKG/etc/rc.d/rc.krb5kdc.new
+chown root:root $PKG/etc/rc.d/*
+chmod 644 $PKG/etc/rc.d/*
+
+# Install default options:
+mkdir -p $PKG/etc/default
+cp -a $CWD/conf/kadmind $PKG/etc/default/kadmind.new
+cp -a $CWD/conf/kpropd $PKG/etc/default/kpropd.new
+cp -a $CWD/conf/krb5kdc $PKG/etc/default/krb5kdc.new
+chown root:root $PKG/etc/default/*
+chmod 644 $PKG/etc/default/*
+
+# Install example config files:
+mkdir -p $PKG/etc
+cp -a $CWD/conf/krb5.conf.example $PKG/etc/krb5.conf.example
+chown root:root $PKG/etc/krb5.conf.example
+chmod 644 $PKG/etc/krb5.conf.example
+mkdir -p /var/kerberos/krb5kdc
+cp -a $CWD/conf/kdc.conf.example $PKG/var/kerberos/krb5kdc/kdc.conf.example
+chown root:root $PKG/var/kerberos/krb5kdc/kdc.conf.example
+chmod 644 $PKG/var/kerberos/krb5kdc/kdc.conf.example
+
+# Move examples to the documentation directory:
+mkdir -p $PKG/usr/doc/${PKGNAM}-${VERSION}/examples
+mv $PKG/usr/share/examples/krb5/* $PKG/usr/doc/${PKGNAM}-${VERSION}/examples
+rmdir $PKG/usr/share/examples/krb5 $PKG/usr/share/examples 2> /dev/null
+
+# Move some libraries to $PKG/lib${LIBDIRSUFFIX}:
+mkdir -p $PKG/lib${LIBDIRSUFFIX}
+( cd $PKG/usr/lib${LIBDIRSUFFIX}
+  for lib in libgssapi_krb5 libkrb5 libk5crypto libkrb5support ; do
+    mv ${lib}.so.?.* ../../lib${LIBDIRSUFFIX}
+    ln -sf ../../lib${LIBDIRSUFFIX}/${lib}.so.?.* .
+    cp -a ${lib}.so.? ../../lib${LIBDIRSUFFIX}
+  done
+)
+
+find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
+  | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
+
+rm -rf $PKG/usr/man/cat{1,5,8}
+
+# Compress and link manpages, if any:
+if [ -d $PKG/usr/man ]; then
+  ( cd $PKG/usr/man
+    for manpagedir in $(find . -type d -name "man*") ; do
+      ( cd $manpagedir
+        for eachpage in $( find . -type l -maxdepth 1 | grep -v '\.gz$') ; do
+          ln -s $( readlink $eachpage ).gz $eachpage.gz
+          rm $eachpage
+        done
+        gzip -9 *.?
+      )
+    done
+  )
+fi
+
+# krb5 ships with a ton of docs, but for now we'll just include these:
+mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION
+  cp -a \
+    ../NOTICE* ../README* \
+    $PKG/usr/doc/$PKGNAM-$VERSION
+
+mkdir -p $PKG/install
+zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/$PKGNAM-$VERSION-$ARCH-$BUILD.txz
diff --git a/patches/source/krb5/krb5.url b/patches/source/krb5/krb5.url
new file mode 100644
index 000000000..8f5e8ff86
--- /dev/null
+++ b/patches/source/krb5/krb5.url
@@ -0,0 +1 @@
+http://web.mit.edu/kerberos/dist/krb5/
diff --git a/patches/source/krb5/slack-desc b/patches/source/krb5/slack-desc
new file mode 100644
index 000000000..6a41cbc34
--- /dev/null
+++ b/patches/source/krb5/slack-desc
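Review bot: `ldap_service_password_file = /etc/kerberos/service.keyfile` in kdc.conf.example names the file that appears to hold the LDAP bind secrets for `ldap_kdc_dn` and `ldap_kadmind_dn`, yet the example gives no hint that it must be protected; a comment above that line such as `# stash of the LDAP bind passwords for the DNs above; keep it root-owned, mode 0600` would make the requirement visible to anyone who copies the example into place. Pointing `ldap_servers` at an `ldaps://` URL is the right default here, since those bind credentials travel over that connection. The surrounding `# this object needs to have ... rights` comments already explain the DNs, so the keyfile is the only secret-bearing setting left undocumented.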
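Review bot: The helper names `start_atd`, `stop_atd` and `restart_atd` in rc.kadmind look copied from rc.atd and say nothing about kadmind; renaming them to `start_kadmind`, `stop_kadmind` and `restart_kadmind`, with the three call sites in the `case` updated to match, would make the script read correctly. The `pgrep --ns $$ --euid root -f "^/usr/sbin/kadmind"` test matches on the full command line, so any root process whose argv[0] is exactly that path counts as the running daemon; that seems intended, but a one-line comment would save the next reader from wondering. `$KADMIND_OPTIONS` is expanded unquoted so that several options split into separate arguments; a comment on the `/usr/sbin/kadmind $KADMIND_OPTIONS` line saying so would stop a later quoting "fix" from breaking it.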
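Review bot: krb5int_open_plugin now accepts a bare library name on plain dlopen() builds, resolved by the dynamic linker's own search path, but nothing in the function records that; a comment above the new `#if defined(USE_CFBUNDLE) || defined(_WIN32)` guard such as `/* filepath may be a plain library name (e.g. a PKCS#11 module) that the dynamic linker resolves; only bundle and Windows builds need the stat() file-type check. */` would capture the contract the commit message describes. Because the name can now come from configuration rather than a verified path, the linker search path is what decides which object gets loaded, which any caller passing an unvalidated string should keep in mind. On those builds a missing file presumably surfaces from dlopen() rather than the earlier stat() error path, so the error text users see may change. krb5int_open_plugin continues outside the hunk.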
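Review bot: The new `cbuffers < 1 || cbuffers > MAX_BUFFERS` test in krb5_pac_parse also rejects a PAC with zero buffers with ERANGE, which the commit message presents only as an overflow guard; if an empty PAC is meant to be invalid, a comment beside `#define MAX_BUFFERS 4096` should say both bounds are deliberate, e.g. `/* Bound the buffer count so header_len and the per-buffer offset checks cannot overflow; a PAC with no buffers is rejected as well. */`. The rewritten per-buffer check `buffer->cbBufferSize > len - buffer->Offset` is the overflow-safe form and is sound because `buffer->Offset > len` is tested first. The two t_pac.c checks assert only that parsing fails; comparing `ret` against `ERANGE` would also catch a regression that fails for some other reason. krb5_pac_parse and main both continue outside the hunk.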
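Review bot: `mkdir -p /var/kerberos/krb5kdc` in the example-config section of krb5.SlackBuild creates the directory on the build host instead of inside the package tree, so the following `cp -a $CWD/conf/kdc.conf.example $PKG/var/kerberos/krb5kdc/kdc.conf.example` only works if `make install` happened to create `$PKG/var/kerberos/krb5kdc`; the line should read `mkdir -p $PKG/var/kerberos/krb5kdc`. Separately, `tar xvf $CWD/$PKGNAM-$VERSION.tar.?z` unpacks and builds whatever tarball is present with no checksum or signature check, so a tampered download would be patched and packaged silently; verifying a pinned hash or the upstream signature before extraction would close that gap. The four `patch -p1 --verbose || exit 1` lines do fail hard on a rejected hunk, which is the right behaviour for security patches.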
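Review bot: The source URL `http://web.mit.edu/kerberos/dist/krb5/` in krb5.url is plain HTTP, so the tarball the SlackBuild unpacks arrives without transport integrity; switching to `https://web.mit.edu/kerberos/dist/krb5/` and checking the upstream signature or a pinned hash before building would protect the supply chain. Nothing else in this commit verifies the tarball, so this URL is currently the only provenance control for the package.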
@@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. Line +# up the first '|' above the ':' following the base package name, and the '|' +# on the right side marks the last column you can put a character in. You must +# make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':'. + + |-----handy-ruler------------------------------------------------------| +krb5: krb5 (Network authentication protocol) +krb5: +krb5: Kerberos is a network authentication protocol. It is designed to +krb5: provide strong authentication for client/server applications by using +krb5: secret-key cryptography. +krb5: +krb5: Homepage: http://web.mit.edu/kerberos/ +krb5: +krb5: +krb5: +krb5: |