package/libkrb5: security bump to version 1.20.1

Message ID 20221124135334.158081-1-peter@korsgaard.com
State Accepted

Commit Message

Peter Korsgaard Nov. 24, 2022, 1:53 p.m. UTC
Fixes the following security issue:

CVE-2022-42898: In MIT krb5 releases 1.8 and later, an authenticated
attacker may be able to cause a KDC or kadmind process to crash by reading
beyond the bounds of allocated memory, creating a denial of service.  A
privileged attacker may similarly be able to cause a Kerberos or GSS
application service to crash.  On 32-bit platforms, an attacker can also
cause insufficient memory to be allocated for the result, potentially
leading to remote code execution in a KDC, kadmind, or GSS or Kerberos
application server process.  An attacker with the privileges of a
cross-realm KDC may be able to extract secrets from a KDC process's memory
by having them copied into the PAC of a new ticket.

Bugfix tarballs are located in the same directory as the base version, so
introduce LIBKRB5_VERSION_MAJOR.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/libkrb5/libkrb5.hash | 2 +-
 package/libkrb5/libkrb5.mk   | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

Comments

Arnout Vandecappelle Nov. 24, 2022, 2:38 p.m. UTC | #1
On 24/11/2022 14:53, Peter Korsgaard wrote:
> Fixes the following security issue:
> 
> CVE-2022-42898: In MIT krb5 releases 1.8 and later, an authenticated
> attacker may be able to cause a KDC or kadmind process to crash by reading
> beyond the bounds of allocated memory, creating a denial of service.  A
> privileged attacker may similarly be able to cause a Kerberos or GSS
> application service to crash.  On 32-bit platforms, an attacker can also
> cause insufficient memory to be allocated for the result, potentially
> leading to remote code execution in a KDC, kadmind, or GSS or Kerberos
> application server process.  An attacker with the privileges of a
> cross-realm KDC may be able to extract secrets from a KDC process's memory
> by having them copied into the PAC of a new ticket.
> 
> Bugfix tarballs are located in the same directory as the base version, so
> introduce LIBKRB5_VERSION_MAJOR.
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

  Applied to master, thanks.

  Regards,
  Arnout

> ---
>   package/libkrb5/libkrb5.hash | 2 +-
>   package/libkrb5/libkrb5.mk   | 5 +++--
>   2 files changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/package/libkrb5/libkrb5.hash b/package/libkrb5/libkrb5.hash
> index 2fce24b45b..94dfa2ed6e 100644
> --- a/package/libkrb5/libkrb5.hash
> +++ b/package/libkrb5/libkrb5.hash
> @@ -1,5 +1,5 @@
>   # Locally calculated after checking pgp signature
> -sha256  7e022bdd3c851830173f9faaa006a230a0e0fdad4c953e85bff4bf0da036e12f  krb5-1.20.tar.gz
> +sha256  704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851  krb5-1.20.1.tar.gz
>   
>   # Hash for license file:
>   sha256  cfadcf7b2ead2f3af793c25c00638c9908ac0023b101695f40cb9a03b16811dc  NOTICE
> diff --git a/package/libkrb5/libkrb5.mk b/package/libkrb5/libkrb5.mk
> index 5e547470ed..9bacfaee58 100644
> --- a/package/libkrb5/libkrb5.mk
> +++ b/package/libkrb5/libkrb5.mk
> @@ -4,8 +4,9 @@
>   #
>   ################################################################################
>   
> -LIBKRB5_VERSION = 1.20
> -LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION)
> +LIBKRB5_VERSION_MAJOR = 1.20
> +LIBKRB5_VERSION = $(LIBKRB5_VERSION_MAJOR).1
> +LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION_MAJOR)
>   LIBKRB5_SOURCE = krb5-$(LIBKRB5_VERSION).tar.gz
>   LIBKRB5_SUBDIR = src
>   LIBKRB5_LICENSE = MIT, BSD-2-Clause, BSD-3-Clause, BSD-4-Clause, others

Peter Korsgaard Nov. 27, 2022, 8:23 p.m. UTC | #2
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issue:
 > CVE-2022-42898: In MIT krb5 releases 1.8 and later, an authenticated
 > attacker may be able to cause a KDC or kadmind process to crash by reading
 > beyond the bounds of allocated memory, creating a denial of service.  A
 > privileged attacker may similarly be able to cause a Kerberos or GSS
 > application service to crash.  On 32-bit platforms, an attacker can also
 > cause insufficient memory to be allocated for the result, potentially
 > leading to remote code execution in a KDC, kadmind, or GSS or Kerberos
 > application server process.  An attacker with the privileges of a
 > cross-realm KDC may be able to extract secrets from a KDC process's memory
 > by having them copied into the PAC of a new ticket.

 > Bugfix tarballs are located in the same directory as the base version, so
 > introduce LIBKRB5_VERSION_MAJOR.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2022.08.x and 2022.02.x, thanks.

Patch

diff --git a/package/libkrb5/libkrb5.hash b/package/libkrb5/libkrb5.hash
index 2fce24b45b..94dfa2ed6e 100644
--- a/package/libkrb5/libkrb5.hash
+++ b/package/libkrb5/libkrb5.hash
@@ -1,5 +1,5 @@ 
 # Locally calculated after checking pgp signature
-sha256  7e022bdd3c851830173f9faaa006a230a0e0fdad4c953e85bff4bf0da036e12f  krb5-1.20.tar.gz
+sha256  704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851  krb5-1.20.1.tar.gz
 
 # Hash for license file:
 sha256  cfadcf7b2ead2f3af793c25c00638c9908ac0023b101695f40cb9a03b16811dc  NOTICE
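Review bot: The context comment "# Locally calculated after checking pgp signature" at the top of this hunk does not say which signature file was checked, so the new krb5-1.20.1.tar.gz sha256 cannot be re-derived from this file alone. Consider recording the URL of the detached signature for the 1.20.1 tarball in that comment, so the next bump can repeat the same check. The NOTICE hash is left unchanged; that is only correct if the license file in the new tarball is byte-identical, which is worth stating in the commit message.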
diff --git a/package/libkrb5/libkrb5.mk b/package/libkrb5/libkrb5.mk
index 5e547470ed..9bacfaee58 100644
--- a/package/libkrb5/libkrb5.mk
+++ b/package/libkrb5/libkrb5.mk
@@ -4,8 +4,9 @@ 
 #
 ################################################################################
 
-LIBKRB5_VERSION = 1.20
-LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION)
+LIBKRB5_VERSION_MAJOR = 1.20
+LIBKRB5_VERSION = $(LIBKRB5_VERSION_MAJOR).1
+LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION_MAJOR)
 LIBKRB5_SOURCE = krb5-$(LIBKRB5_VERSION).tar.gz
 LIBKRB5_SUBDIR = src
 LIBKRB5_LICENSE = MIT, BSD-2-Clause, BSD-3-Clause, BSD-4-Clause, others
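Review bot: The reason LIBKRB5_SITE now uses `$(LIBKRB5_VERSION_MAJOR)` instead of `$(LIBKRB5_VERSION)` is given only in the commit message, not in libkrb5.mk, so a later bump could easily revert it and point the download at a directory that does not hold the tarball. A one-line comment above LIBKRB5_SITE saying that bugfix tarballs live in the base version's directory would keep that knowledge with the code. Also note that `LIBKRB5_VERSION = $(LIBKRB5_VERSION_MAJOR).1` hard-codes the patch level as a suffix, so a bump to a base release without a patch level needs this line reshaped rather than just a number changed.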