diff options
| author | Alex Vong <alexvong1995@gmail.com> | 2017-07-18 06:36:48 +0800 |
|---|---|---|
| committer | 宋文武 <iyzsong@member.fsf.org> | 2018-06-10 16:00:45 +0800 |
| commit | 09b21b77ccff2603a8145a2eace1e2162db2adc6 (patch) | |
| tree | 61791c4aca3979e346bc6c8f014c8eb29f7afe95 /gnu/packages/patches | |
| parent | b7e2fcf05e34324b3dad35c8b0a300612689272d (diff) | |
gnu: heimdal: Update to 7.5.0.
* gnu/packages/kerberos.scm (heimdal): Update to 7.5.0.
[source]: Update source uri. Remove patches.
[arguments]: Adjust #:configure-flags and build phases accordingly.
[inputs]: Add sqlite.
[native-inputs]: Add texinfo and unzip.
* gnu/packages/patches/heimdal-CVE-2017-6594.patch,
gnu/packages/patches/heimdal-CVE-2017-11103.patch: Remove files.
* gnu/local.mk (dist_patch_DATA): Remove them.
Co-authored-by: 宋文武 <iyzsong@member.fsf.org>
Diffstat (limited to 'gnu/packages/patches')
| -rw-r--r-- | gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 | ||||
| -rw-r--r-- | gnu/packages/patches/heimdal-CVE-2017-6594.patch | 85 |
2 files changed, 0 insertions, 130 deletions
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch deleted file mode 100644 index d76f0df369..0000000000 --- a/gnu/packages/patches/heimdal-CVE-2017-11103.patch +++ /dev/null @@ -1,45 +0,0 @@ -Fix CVE-2017-11103: - -https://orpheus-lyre.info/ -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103 -https://security-tracker.debian.org/tracker/CVE-2017-11103 - -Patch lifted from upstream source repository: - -https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea - -From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001 -From: Jeffrey Altman <jaltman@secure-endpoints.com> -Date: Wed, 12 Apr 2017 15:40:42 -0400 -Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation - -In _krb5_extract_ticket() the KDC-REP service name must be obtained from -encrypted version stored in 'enc_part' instead of the unencrypted version -stored in 'ticket'. Use of the unecrypted version provides an -opportunity for successful server impersonation and other attacks. - -Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. - -Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c ---- - lib/krb5/ticket.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c -index d95d96d1b..b8d81c6ad 100644 ---- a/lib/krb5/ticket.c -+++ b/lib/krb5/ticket.c -@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context, - /* check server referral and save principal */ - ret = _krb5_principalname2krb5_principal (context, - &tmp_principal, -- rep->kdc_rep.ticket.sname, -- rep->kdc_rep.ticket.realm); -+ rep->enc_part.sname, -+ rep->enc_part.srealm); - if (ret) - goto out; - if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ --- -2.13.3 - diff --git a/gnu/packages/patches/heimdal-CVE-2017-6594.patch b/gnu/packages/patches/heimdal-CVE-2017-6594.patch deleted file mode 100644 index 714af60304..0000000000 --- a/gnu/packages/patches/heimdal-CVE-2017-6594.patch +++ /dev/null @@ -1,85 +0,0 @@ -Fix CVE-2017-6594: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6594 -https://security-tracker.debian.org/tracker/CVE-2017-6594 - -Patch lifted from upstream source repository: - -https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837 - -To apply the patch to Heimdal 1.5.3 release tarball, the changes to 'NEWS' and -files in 'tests/' are removed, and hunk #4 of 'kdc/krb5tgs.c' is modified. - -From b1e699103f08d6a0ca46a122193c9da65f6cf837 Mon Sep 17 00:00:00 2001 -From: Viktor Dukhovni <viktor@twosigma.com> -Date: Wed, 10 Aug 2016 23:31:14 +0000 -Subject: [PATCH] Fix transit path validation CVE-2017-6594 - -Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm -to not be added to the transit path of issued tickets. This may, in -some cases, enable bypass of capath policy in Heimdal versions 1.5 -through 7.2. - -Note, this may break sites that rely on the bug. With the bug some -incomplete [capaths] worked, that should not have. These may now break -authentication in some cross-realm configurations. ---- - NEWS | 14 ++++++++++++++ - kdc/krb5tgs.c | 12 ++++++++++-- - tests/kdc/check-kdc.in | 17 +++++++++++++++++ - tests/kdc/krb5.conf.in | 4 ++++ - 4 files changed, 45 insertions(+), 2 deletions(-) - -diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c -index 6048b9c55..98503812f 100644 ---- a/kdc/krb5tgs.c -+++ b/kdc/krb5tgs.c -@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context, - "Decoding transited encoding"); - return ret; - } -+ -+ /* -+ * If the realm of the presented tgt is neither the client nor the server -+ * realm, it is a transit realm and must be added to transited set. -+ */ - if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) { -- /* not us, so add the previous realm to transited set */ - if (num_realms + 1 > UINT_MAX/sizeof(*realms)) { - ret = ERANGE; - goto free_realms; -@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context, - const char *server_name, - hdb_entry_ex *client, - krb5_principal client_principal, -+ const char *tgt_realm, - hdb_entry_ex *krbtgt, - krb5_enctype krbtgt_etype, - krb5_principals spp, -@@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context, - &tgt->transited, &et, - krb5_principal_get_realm(context, client_principal), - krb5_principal_get_realm(context, server->entry.principal), -- krb5_principal_get_realm(context, krbtgt->entry.principal)); -+ tgt_realm); - if(ret) - goto out; - -@@ -1519,4 +1524,6 @@ tgs_build_reply(krb5_context context, - krb5_keyblock sessionkey; - krb5_kvno kvno; - krb5_data rspac; -+ const char *tgt_realm = /* Realm of TGT issuer */ -+ krb5_principal_get_realm(context, krbtgt->entry.principal); - -@@ -2324,6 +2331,7 @@ server_lookup: - spn, - client, - cp, -+ tgt_realm, - krbtgt_out, - tkey_sign->key.keytype, - spp, --- -2.13.3 - |