* [Buildroot] [PATCH] package/libkrb5: bump to 1.20
@ 2022-06-07 14:22 André Zwing
  2022-07-23 16:55 ` Arnout Vandecappelle
  0 siblings, 1 reply; 2+ messages in thread
From: André Zwing @ 2022-06-07 14:22 UTC (permalink / raw)
  To: buildroot

Signed-off-by: André Zwing <nerv@dawncrow.de>
---
 ...-deref-on-TGS-inner-body-null-server.patch | 47 -------------------
 package/libkrb5/libkrb5.hash                  |  4 +-
 package/libkrb5/libkrb5.mk                    |  8 +---
 3 files changed, 4 insertions(+), 55 deletions(-)
 delete mode 100644 package/libkrb5/0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch

diff --git a/package/libkrb5/0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch b/package/libkrb5/0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
deleted file mode 100644
index ec6f623380..0000000000
--- a/package/libkrb5/0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Tue, 3 Aug 2021 01:15:27 -0400
-Subject: [PATCH] Fix KDC null deref on TGS inner body null server
-
-After the KDC decodes a FAST inner body, it does not check for a null
-server.  Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
-would typically result in an error from krb5_unparse_name(), but with
-the addition of get_local_tgt() it results in a null dereference.  Add
-a null check.
-
-Reported by Joseph Sutton of Catalyst.
-
-CVE-2021-37750:
-
-In MIT krb5 releases 1.14 and later, an authenticated attacker can
-cause a null dereference in the KDC by sending a FAST TGS request with
-no server field.
-
-ticket: 9008 (new)
-tags: pullup
-target_version: 1.19-next
-target_version: 1.18-next
-
-[Retrieved from:
-https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- src/kdc/do_tgs_req.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index 582e497cc9..32dc65fa8e 100644
---- a/src/kdc/do_tgs_req.c
-+++ b/src/kdc/do_tgs_req.c
-@@ -204,6 +204,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
-         status = "FIND_FAST";
-         goto cleanup;
-     }
-+    if (sprinc == NULL) {
-+        status = "NULL_SERVER";
-+        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
-+        goto cleanup;
-+    }
- 
-     errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
-                             &local_tgt, &local_tgt_storage, &local_tgt_key);
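Review bot: the deletion of 0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch is not justified anywhere, because the commit message consists of the Signed-off-by line only. The removed patch carries "target_version: 1.19-next" and "target_version: 1.18-next", which suggests the null check on sprinc in process_tgs_req() is already part of 1.20, but the log should say so explicitly (for example "drop patch, already in this version"). Anyone auditing CVE-2021-37750 coverage later can then see why the local fix disappeared.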
diff --git a/package/libkrb5/libkrb5.hash b/package/libkrb5/libkrb5.hash
index 860f828793..2fce24b45b 100644
--- a/package/libkrb5/libkrb5.hash
+++ b/package/libkrb5/libkrb5.hash
@@ -1,5 +1,5 @@
 # Locally calculated after checking pgp signature
-sha256  66085e2f594751e77e82e0dbf7bbc344320fb48a9df2a633cfdd8f7d6da99fc8  krb5-1.18.4.tar.gz
+sha256  7e022bdd3c851830173f9faaa006a230a0e0fdad4c953e85bff4bf0da036e12f  krb5-1.20.tar.gz
 
 # Hash for license file:
-sha256  7fba8b076bdc2cfef1d0813c5d4067d76d5be60c32d84de22d5d1cf451744feb  NOTICE
+sha256  cfadcf7b2ead2f3af793c25c00638c9908ac0023b101695f40cb9a03b16811dc  NOTICE
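Review bot: the NOTICE hash on the last line changes with no explanation in the commit message. A changed license-file hash means the license text differs between 1.18.4 and 1.20, so the log should state what changed in NOTICE and whether "LIBKRB5_LICENSE = MIT" in libkrb5.mk still describes the package. The "# Locally calculated after checking pgp signature" comment only covers the tarball hash, so the license change needs its own sentence.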
diff --git a/package/libkrb5/libkrb5.mk b/package/libkrb5/libkrb5.mk
index bd751d9c77..c0d3269960 100644
--- a/package/libkrb5/libkrb5.mk
+++ b/package/libkrb5/libkrb5.mk
@@ -4,9 +4,8 @@
 #
 ################################################################################
 
-LIBKRB5_VERSION_MAJOR = 1.18
-LIBKRB5_VERSION = $(LIBKRB5_VERSION_MAJOR).4
-LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION_MAJOR)
+LIBKRB5_VERSION = 1.20
+LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION)
 LIBKRB5_SOURCE = krb5-$(LIBKRB5_VERSION).tar.gz
 LIBKRB5_SUBDIR = src
 LIBKRB5_LICENSE = MIT
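Review bot: dropping LIBKRB5_VERSION_MAJOR ties the download directory to the full version string in "LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION)". The removed lines show that 1.18.4 was fetched from the 1.18 directory, so this works for 1.20 only because the version has no patch component; a later bump to a point release would resolve to the wrong directory unless the variable is reintroduced. Keeping "LIBKRB5_VERSION_MAJOR = 1.20" and "LIBKRB5_VERSION = $(LIBKRB5_VERSION_MAJOR)" would avoid that.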
@@ -16,9 +15,6 @@ LIBKRB5_CPE_ID_PRODUCT = kerberos_5
 LIBKRB5_DEPENDENCIES = host-bison $(TARGET_NLS_DEPENDENCIES)
 LIBKRB5_INSTALL_STAGING = YES
 
-# 0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
-LIBKRB5_IGNORE_CVES += CVE-2021-37750
-
 # The configure script uses AC_TRY_RUN tests to check for those values,
 # which doesn't work in a cross-compilation scenario. Therefore,
 # we feed the configure script with the correct answer for those tests
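Review bot: removing "LIBKRB5_IGNORE_CVES += CVE-2021-37750" is only safe if 1.20 falls outside the version range recorded for that CVE. The deleted patch describes the issue as affecting "MIT krb5 releases 1.14 and later", so if the CVE entry matched through LIBKRB5_CPE_ID_PRODUCT = kerberos_5 uses an open-ended range, the package will be reported as vulnerable again even though the fix is in the source. Please confirm with a CVE check run against the new version and mention the result in the commit message.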
-- 
2.25.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH] package/libkrb5: bump to 1.20
  2022-06-07 14:22 [Buildroot] [PATCH] package/libkrb5: bump to 1.20 André Zwing
@ 2022-07-23 16:55 ` Arnout Vandecappelle
  0 siblings, 0 replies; 2+ messages in thread
From: Arnout Vandecappelle @ 2022-07-23 16:55 UTC (permalink / raw)
  To: André Zwing, buildroot



On 07/06/2022 16:22, André Zwing wrote:
> Signed-off-by: André Zwing <nerv@dawncrow.de>
> ---
>   ...-deref-on-TGS-inner-body-null-server.patch | 47 -------------------
>   package/libkrb5/libkrb5.hash                  |  4 +-
>   package/libkrb5/libkrb5.mk                    |  8 +---
>   3 files changed, 4 insertions(+), 55 deletions(-)
>   delete mode 100644 package/libkrb5/0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
> 
> diff --git a/package/libkrb5/0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch b/package/libkrb5/0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
> deleted file mode 100644
> index ec6f623380..0000000000
> --- a/package/libkrb5/0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
> +++ /dev/null
> @@ -1,47 +0,0 @@
> -From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001
> -From: Greg Hudson <ghudson@mit.edu>
> -Date: Tue, 3 Aug 2021 01:15:27 -0400
> -Subject: [PATCH] Fix KDC null deref on TGS inner body null server
> -
> -After the KDC decodes a FAST inner body, it does not check for a null
> -server.  Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
> -would typically result in an error from krb5_unparse_name(), but with
> -the addition of get_local_tgt() it results in a null dereference.  Add
> -a null check.
> -
> -Reported by Joseph Sutton of Catalyst.
> -
> -CVE-2021-37750:
> -
> -In MIT krb5 releases 1.14 and later, an authenticated attacker can
> -cause a null dereference in the KDC by sending a FAST TGS request with
> -no server field.
> -
> -ticket: 9008 (new)
> -tags: pullup
> -target_version: 1.19-next
> -target_version: 1.18-next
> -
> -[Retrieved from:
> -https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49]
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ----
> - src/kdc/do_tgs_req.c | 5 +++++
> - 1 file changed, 5 insertions(+)
> -
> -diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
> -index 582e497cc9..32dc65fa8e 100644
> ---- a/src/kdc/do_tgs_req.c
> -+++ b/src/kdc/do_tgs_req.c
> -@@ -204,6 +204,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
> -         status = "FIND_FAST";
> -         goto cleanup;
> -     }
> -+    if (sprinc == NULL) {
> -+        status = "NULL_SERVER";
> -+        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
> -+        goto cleanup;
> -+    }
> -
> -     errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
> -                             &local_tgt, &local_tgt_storage, &local_tgt_key);
> diff --git a/package/libkrb5/libkrb5.hash b/package/libkrb5/libkrb5.hash
> index 860f828793..2fce24b45b 100644
> --- a/package/libkrb5/libkrb5.hash
> +++ b/package/libkrb5/libkrb5.hash
> @@ -1,5 +1,5 @@
>   # Locally calculated after checking pgp signature
> -sha256  66085e2f594751e77e82e0dbf7bbc344320fb48a9df2a633cfdd8f7d6da99fc8  krb5-1.18.4.tar.gz
> +sha256  7e022bdd3c851830173f9faaa006a230a0e0fdad4c953e85bff4bf0da036e12f  krb5-1.20.tar.gz
>   
>   # Hash for license file:
> -sha256  7fba8b076bdc2cfef1d0813c5d4067d76d5be60c32d84de22d5d1cf451744feb  NOTICE
> +sha256  cfadcf7b2ead2f3af793c25c00638c9908ac0023b101695f40cb9a03b16811dc  NOTICE

  In this case, the hash changes because one of the licenses has actually changed!

  Which led me to discover that our LICENSE variable is in fact incorrect, 
since krb5 contains a lot of pieces with different licenses than MIT. So I 
pushed a separate commit to add some of them. Unfortunately, many of them are 
non-standard licenses that vaguely resemble either MIT or one of the BSD 
variants - the changed one is in fact one of those...

  Anyway, applied to master with a short summary of the above in the commit 
message, thanks.

  Regards,
  Arnout

> diff --git a/package/libkrb5/libkrb5.mk b/package/libkrb5/libkrb5.mk
> index bd751d9c77..c0d3269960 100644
> --- a/package/libkrb5/libkrb5.mk
> +++ b/package/libkrb5/libkrb5.mk
> @@ -4,9 +4,8 @@
>   #
>   ################################################################################
>   
> -LIBKRB5_VERSION_MAJOR = 1.18
> -LIBKRB5_VERSION = $(LIBKRB5_VERSION_MAJOR).4
> -LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION_MAJOR)
> +LIBKRB5_VERSION = 1.20
> +LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION)
>   LIBKRB5_SOURCE = krb5-$(LIBKRB5_VERSION).tar.gz
>   LIBKRB5_SUBDIR = src
>   LIBKRB5_LICENSE = MIT
> @@ -16,9 +15,6 @@ LIBKRB5_CPE_ID_PRODUCT = kerberos_5
>   LIBKRB5_DEPENDENCIES = host-bison $(TARGET_NLS_DEPENDENCIES)
>   LIBKRB5_INSTALL_STAGING = YES
>   
> -# 0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
> -LIBKRB5_IGNORE_CVES += CVE-2021-37750
> -
>   # The configure script uses AC_TRY_RUN tests to check for those values,
>   # which doesn't work in a cross-compilation scenario. Therefore,
>   # we feed the configure script with the correct answer for those tests