diff --git a/fix-CVE-2023-39975-Fix-double-free-in-KDC-TGS-processing.patch b/fix-CVE-2023-39975-Fix-double-free-in-KDC-TGS-processing.patch
deleted file mode 100644
index f553ea06e46cdfc8b6f909d7a329c91f5a74063a..0000000000000000000000000000000000000000
--- a/fix-CVE-2023-39975-Fix-double-free-in-KDC-TGS-processing.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 88a1701b423c13991a8064feeb26952d3641d840 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Fri, 4 Aug 2023 09:54:06 +0200
-Subject: [PATCH] Fix double-free in KDC TGS processing
-
-When issuing a ticket for a TGS renew or validate request, copy only
-the server field from the outer part of the header ticket to the new
-ticket. Copying the whole structure causes the enc_part pointer to be
-aliased to the header ticket until krb5_encrypt_tkt_part() is called,
-resulting in a double-free if handle_authdata() fails.
-
-[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
-than check for aliasing before freeing; rewrote commit message]
-
-CVE-2023-39975:
-
-In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
-free the same pointer twice if it can induce a failure in
-authorization data handling.
-
-ticket: 9101 (new)
-tags: pullup
-target_version: 1.21-next
----
- src/kdc/do_tgs_req.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index 6e4c8fa9f..0acc45850 100644
---- a/src/kdc/do_tgs_req.c
-+++ b/src/kdc/do_tgs_req.c
-@@ -1010,8 +1010,9 @@ tgs_issue_ticket(kdc_realm_t *realm, struct tgs_req_info *t,
- }
-
- if (t->req->kdc_options & (KDC_OPT_VALIDATE | KDC_OPT_RENEW)) {
-- /* Copy the whole header ticket except for authorization data. */
-- ticket_reply = *t->header_tkt;
-+ /* Copy the header ticket server and all enc-part fields except for
-+ * authorization data. */
-+ ticket_reply.server = t->header_tkt->server;
- enc_tkt_reply = *t->header_tkt->enc_part2;
- enc_tkt_reply.authorization_data = NULL;
- } else {
---
-2.33.0
-
diff --git a/krb5-1.21.1.tar.gz.asc b/krb5-1.21.1.tar.gz.asc
deleted file mode 100644
index e137e353eea77b9e97651379454c62c75fd40a68..0000000000000000000000000000000000000000
--- a/krb5-1.21.1.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmSsc/kACgkQDLoIV1+D
-ct+wPxAArlkJs5WpFIm2JDJXGF82BNw/FEhg+OkWcPHeLMWJF8qO0AxVp8Yq4g1g
-qFpTABwY8V2tfr84XQJ6rw7Qq93NjRjFHr1z1tDmCceLisXof6Tu7/RKjHwNmJt8
-M3srmsXPlmx/7cXuaYIljJfftun3D/iuEaydWluGb1DZicaU/OsofGhKE8/YEZrN
-H0XdIC45raG4O9t6CGjQRcAIv5Z4afCtXH4aaEmLg6E2+aTUyx+czu7nBASCaTyv
-s4df8fhbVpdBi6iA6BQJC296Rc1gyDnuxnjyCH8Rj2gTuiI4Oa2dxRPGT3mjksz3
-OheYcXK9XGCtUbG22zrxqUuHDA3jF6KKmsVSXnbygB6XSS/c0bqmeDRTQGPksWH6
-RJbmlKG9PQ0BavlXRa7Nupaa7f0jblFiduScYujRsyWxi/8YkckedugYyuww59gV
-piUwGGRDWldy+JIAYtvzirsfe6Oum0/SKY5wYXyKv0flM95pbfBEw+TzRxmlCQ5J
-+i8L9Frr4gTmT576GHB6WzBlOEPf6mRc8jg0DyyUOoDHXyj4MCyJGEJxvcyVV1WX
-tJlu0uH1f8pMZx4IQ279PsNFimO/NsdSTefqiVGXA7FWK1EPLc+l9ZBcrLi9KEmJ
-7TfVq9cAg6+m2tql+gjAQrfXHUU1mNdPLFMnShYlqHjTle4cQKE=
-=AIvQ
------END PGP SIGNATURE-----
diff --git a/krb5-1.21.1.tar.gz b/krb5-1.21.2.tar.gz
similarity index 53%
rename from krb5-1.21.1.tar.gz
rename to krb5-1.21.2.tar.gz
index 8620787b8e42879a3544b642bd83bab38448b117..e454cd55a1a0d154c572e12e3a3b4f83015f0f97 100644
Binary files a/krb5-1.21.1.tar.gz and b/krb5-1.21.2.tar.gz differ
diff --git a/krb5-1.21.2.tar.gz.asc b/krb5-1.21.2.tar.gz.asc
new file mode 100644
index 0000000000000000000000000000000000000000..e4a3f6dd527540fcc429c2eba8990892f5f4ee5b
--- /dev/null
+++ b/krb5-1.21.2.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmTbET4ACgkQDLoIV1+D
+ct8zBQ/+LugwKy9Y9b3lVaLxPM/qxntLi4Bq5C2GVQ+bED7YCvUiL8aIzJbuTVpf
+GLWLtVuf6vxKz2V17JKOluVMqRDBZDexHZv9EvVjhanqMpvV32tSa60HF4e7lER+
+3iP/bIjSi2U9ixOcNICNnK2DeFGY601C1KT4cLs3H76pfb1miPItm7p79UNicz1o
+V6KgG0J5F4ktYiTonb0TXYdCAvY/3ROEYwmmRpCjtkBCzTdr9tVXU0n6Yc0wsfBD
+AXkyqlUhisMWxqGrLZMnkIx3LA83nMHG8nY/doqOYzKuE9a4cBe69+Bl6e9NRY7G
+ysD2J1cZ2imCYoalUcxrLfnd3fwPpcrlnuwH5DKJtcJGEUNwydjyWZeMl87pbhb1
+lOggcn8DL6l3vqBpkTBE4IQw3s+B1+BylpjXBsvzxGYHerpffIqsHzHywguiJutT
+bkP5ktjZ0QHAZ6PYA6NleGjPbBg/Jeywg1Mjrx+2IdBAYnS0KtTSa72Zqqb8eGmQ
+iCVpy9gK7zX7UCLm33M6HVtC9ffJ4vajcShk25u8uKuomTQgK3lGoN0wX55OE+sO
+AkMSuFxPNsNheMI53Zjutc4NzEscy09G8VxHwGqcEwD+NF7+2GpPuOq9ot9nH+Jd
+xoVYjhqxeb5Uq6lgp0B8sILLqwg1+gEXWdA+rR5Tx+ykv8HESxg=
+=aMVp
+-----END PGP SIGNATURE-----
diff --git a/krb5.spec b/krb5.spec
index e83165197939574dc56c0938fe44589325d16810..45c50d89251bc78bd3d949bef8e00795044fc9d8 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -2,8 +2,8 @@
 %global WITH_DIRSRV 1
 
 Name: krb5
-Version: 1.21.1
-Release: 3
+Version: 1.21.2
+Release: 1
 Summary: The Kerberos network authentication protocol
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -26,8 +26,7 @@ Patch2: Adjust-build-configuration.patch
 Patch3: netlib-and-dns.patch
 Patch4: fix-debuginfo-with-y.tab.c.patch
 Patch5: Remove-3des-support.patch
-Patch6: fix-CVE-2023-39975-Fix-double-free-in-KDC-TGS-processing.patch
-Patch7: Fix-krb5_cccol_have_content-bad-pointer-free.patch
+Patch6: Fix-krb5_cccol_have_content-bad-pointer-free.patch
 
 BuildRequires: gettext
 BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@@ -326,6 +325,9 @@ make -C src check || :
 %{_mandir}/man8/*
 
 %changelog
+* Tue Jan 2 2024 xuraoqing - 1.21.2-1
+- update to 1.21.2
+
 * Tue Sep 19 2023 xuraoqing - 1.21.1-3
 - Fix krb5_cccol_have_content() bad pointer free
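Review bot: Dropping `Patch6: fix-CVE-2023-39975-Fix-double-free-in-KDC-TGS-processing.patch` in the second krb5.spec hunk leaves no record in the package that CVE-2023-39975 is still addressed, because the new changelog entry says only `- update to 1.21.2`. The removal is presumably safe because the 1.21.2 tarball already carries the `tgs_issue_ticket()` change in `src/kdc/do_tgs_req.c`, but that should be confirmed against the new source, since a missing fix would bring back the KDC double-free described in the deleted patch. I would record it in the changelog, for example `- update to 1.21.2, drop fix-CVE-2023-39975 patch (fixed upstream)`, so that CVE tracking based on the changelog or patch list does not report the package as unfixed. Renumbering the remaining patch from `Patch7` to `Patch6` also requires updating any explicit `%patch7` line in `%prep`, which lies outside the hunks shown.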