aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWenzong Fan <wenzong.fan@windriver.com>2016-09-12 04:55:16 -0400
committerAndreas Oberritter <obi@opendreambox.org>2017-02-16 11:29:17 +0100
commitfc8fd16b8187f01afee708408c2788316a2a07e0 (patch)
treefe552b8ed189dd9bc778c81bca1ebc39ecf119f3
parentf09c42da28f023b42f8aba0a7c618fe842a9998c (diff)
downloadmeta-openembedded-contrib-fc8fd16b8187f01afee708408c2788316a2a07e0.tar.gz
meta-openembedded-contrib-fc8fd16b8187f01afee708408c2788316a2a07e0.tar.bz2
meta-openembedded-contrib-fc8fd16b8187f01afee708408c2788316a2a07e0.zip
krb5: upgrade to 1.13.6
* fix CVEs: CVE-2015-8629, CVE-2015-8630, CVE-2015-8631 * update LIC_FILES_CHKSUM, only Copyright changed in NOTICE file: -Copyright (C) 1985-2015 by the Massachusetts Institute of Technology. +Copyright (C) 1985-2016 by the Massachusetts Institute of Technology. * remove useless functions: krb5_do_unpack(), do_unpack() * remove patches that included by new release: - 0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch - Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch - Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch - Fix-build_principal-memory-bug-CVE-2015-2697.patch - Fix-IAKERB-context-export-import-CVE-2015-2698.patch - krb5-CVE-2016-3119.patch - krb5-CVE-2016-3120.patch Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> (cherry picked from commit 2ed5ad2e40ea29b549c1d39aad70e2e4f7d57b28) Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch37
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch739
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/Fix-IAKERB-context-export-import-CVE-2015-2698.patch134
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch572
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch58
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch36
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch63
-rw-r--r--meta-oe/recipes-connectivity/krb5/krb5_1.13.6.bb (renamed from meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb)25
8 files changed, 4 insertions, 1660 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch b/meta-oe/recipes-connectivity/krb5/krb5/0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch
deleted file mode 100644
index c6731a9002..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From f1b681a44d28946e6d8fc0080f3efe94228d7dfe Mon Sep 17 00:00:00 2001
-From: Tom Yu <tlyu@mit.edu>
-Date: Wed, 6 Jan 2016 15:24:16 -0500
-Subject: [PATCH] Work around uninitialized warning in cc_kcm.c
-
-Some versions of clang erroneously detect use of an uninitialized
-variable reply_len in kcmio_call() when building on non-Mac platforms.
-Initialize it to work around this warning.
-
-(cherry picked from commit 40b007c0d8e2a12c6f4205ac111dee731c9d970c)
-
-ticket: 8335
-version_fixed: 1.13.4
-tags: -pullup
-status: resolved
-
-Upstream-Status: backport
----
- src/lib/krb5/ccache/cc_kcm.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
-index b763ea4..6337b57 100644
---- a/src/lib/krb5/ccache/cc_kcm.c
-+++ b/src/lib/krb5/ccache/cc_kcm.c
-@@ -377,7 +377,7 @@ static krb5_error_code
- kcmio_call(krb5_context context, struct kcmio *io, struct kcmreq *req)
- {
- krb5_error_code ret;
-- size_t reply_len;
-+ size_t reply_len = 0;
-
- if (k5_buf_status(&req->reqbuf) != 0)
- return ENOMEM;
---
-2.8.2
-
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch b/meta-oe/recipes-connectivity/krb5/krb5/Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
deleted file mode 100644
index b771b41466..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+++ /dev/null
@@ -1,739 +0,0 @@
-From f6e57c402688f4bc386d1a39512657a30f0bafd3 Mon Sep 17 00:00:00 2001
-From: Nicolas Williams <nico@twosigma.com>
-Date: Mon, 14 Sep 2015 12:28:36 -0400
-Subject: [PATCH 2/4] Fix IAKERB context aliasing bugs [CVE-2015-2696]
-
-The IAKERB mechanism currently replaces its context handle with the
-krb5 mechanism handle upon establishment, under the assumption that
-most GSS functions are only called after context establishment. This
-assumption is incorrect, and can lead to aliasing violations for some
-programs. Maintain the IAKERB context structure after context
-establishment and add new IAKERB entry points to refer to it with that
-type. Add initiate and established flags to the IAKERB context
-structure for use in gss_inquire_context() prior to context
-establishment.
-
-CVE-2015-2696:
-
-In MIT krb5 1.9 and later, applications which call
-gss_inquire_context() on a partially-established IAKERB context can
-cause the GSS-API library to read from a pointer using the wrong type,
-generally causing a process crash. Java server applications using the
-native JGSS provider are vulnerable to this bug. A carefully crafted
-IAKERB packet might allow the gss_inquire_context() call to succeed
-with attacker-determined results, but applications should not make
-access control decisions based on gss_inquire_context() results prior
-to context establishment.
-
- CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
-
-[ghudson@mit.edu: several bugfixes, style changes, and edge-case
-behavior changes; commit message and CVE description]
-
-ticket: 8244
-target_version: 1.14
-tags: pullup
-
-Backport upstream commit:
-https://github.com/krb5/krb5/commit/e04f0283516e80d2f93366e0d479d13c9b5c8c2a
-
-Upstream-Status: Backport
----
- src/lib/gssapi/krb5/gssapiP_krb5.h | 114 ++++++++++++
- src/lib/gssapi/krb5/gssapi_krb5.c | 105 +++++++++--
- src/lib/gssapi/krb5/iakerb.c | 351 +++++++++++++++++++++++++++++++++----
- 3 files changed, 529 insertions(+), 41 deletions(-)
-
-diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
-index a0e8625..05dc321 100644
---- a/src/lib/gssapi/krb5/gssapiP_krb5.h
-+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
-@@ -620,6 +620,21 @@ OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext
- );
- #endif /* LEAN_CLIENT */
-
-+OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid
-+(OM_uint32*, /* minor_status */
-+ const gss_ctx_id_t,
-+ /* context_handle */
-+ const gss_OID, /* desired_object */
-+ gss_buffer_set_t* /* data_set */
-+);
-+
-+OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option
-+(OM_uint32*, /* minor_status */
-+ gss_ctx_id_t*, /* context_handle */
-+ const gss_OID, /* desired_object */
-+ const gss_buffer_t/* value */
-+);
-+
- OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token
- (OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
-@@ -1301,6 +1316,105 @@ OM_uint32 KRB5_CALLCONV
- krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token,
- gss_cred_id_t *cred_handle);
-
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_process_context_token(OM_uint32 *minor_status,
-+ const gss_ctx_id_t context_handle,
-+ const gss_buffer_t token_buffer);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ OM_uint32 *time_rec);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_inquire_context(OM_uint32 *minor_status,
-+ gss_ctx_id_t context_handle, gss_name_t *src_name,
-+ gss_name_t *targ_name, OM_uint32 *lifetime_rec,
-+ gss_OID *mech_type, OM_uint32 *ctx_flags,
-+ int *locally_initiated, int *opened);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ gss_qop_t qop_req, gss_buffer_t message_buffer,
-+ gss_buffer_t message_token);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ gss_qop_t qop_req, gss_iov_buffer_desc *iov,
-+ int iov_count);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
-+ gss_ctx_id_t context_handle, gss_qop_t qop_req,
-+ gss_iov_buffer_desc *iov, int iov_count);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
-+ gss_qop_t *qop_state);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
-+ int iov_count);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ int conf_req_flag, gss_qop_t qop_req,
-+ gss_buffer_t input_message_buffer, int *conf_state,
-+ gss_buffer_t output_message_buffer);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ int conf_req_flag, gss_qop_t qop_req, int *conf_state,
-+ gss_iov_buffer_desc *iov, int iov_count);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
-+ gss_ctx_id_t context_handle, int conf_req_flag,
-+ gss_qop_t qop_req, int *conf_state,
-+ gss_iov_buffer_desc *iov, int iov_count);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ gss_buffer_t input_message_buffer,
-+ gss_buffer_t output_message_buffer, int *conf_state,
-+ gss_qop_t *qop_state);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ int *conf_state, gss_qop_t *qop_state,
-+ gss_iov_buffer_desc *iov, int iov_count);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
-+ gss_ctx_id_t context_handle, int conf_req_flag,
-+ gss_qop_t qop_req, OM_uint32 req_output_size,
-+ OM_uint32 *max_input_size);
-+
-+#ifndef LEAN_CLIENT
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_export_sec_context(OM_uint32 *minor_status,
-+ gss_ctx_id_t *context_handle,
-+ gss_buffer_t interprocess_token);
-+#endif /* LEAN_CLIENT */
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
-+ const gss_ctx_id_t context_handle,
-+ const gss_OID desired_object,
-+ gss_buffer_set_t *data_set);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
-+ gss_ctx_id_t *context_handle,
-+ const gss_OID desired_object,
-+ const gss_buffer_t value);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ int prf_key, const gss_buffer_t prf_in,
-+ ssize_t desired_output_len, gss_buffer_t prf_out);
-+
- /* Magic string to identify exported krb5 GSS credentials. Increment this if
- * the format changes. */
- #define CRED_EXPORT_MAGIC "K5C1"
-diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
-index 77b7fff..9a23656 100644
---- a/src/lib/gssapi/krb5/gssapi_krb5.c
-+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
-@@ -345,7 +345,7 @@ static struct {
- }
- };
-
--static OM_uint32 KRB5_CALLCONV
-+OM_uint32 KRB5_CALLCONV
- krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
- const gss_OID desired_object,
-@@ -459,7 +459,7 @@ static struct {
- };
- #endif
-
--static OM_uint32 KRB5_CALLCONV
-+OM_uint32 KRB5_CALLCONV
- krb5_gss_set_sec_context_option (OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- const gss_OID desired_object,
-@@ -904,20 +904,103 @@ static struct gss_config krb5_mechanism = {
- krb5_gss_get_mic_iov_length,
- };
-
-+/* Functions which use security contexts or acquire creds are IAKERB-specific;
-+ * other functions can borrow from the krb5 mech. */
-+static struct gss_config iakerb_mechanism = {
-+ { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID },
-+ NULL,
-+ iakerb_gss_acquire_cred,
-+ krb5_gss_release_cred,
-+ iakerb_gss_init_sec_context,
-+#ifdef LEAN_CLIENT
-+ NULL,
-+#else
-+ iakerb_gss_accept_sec_context,
-+#endif
-+ iakerb_gss_process_context_token,
-+ iakerb_gss_delete_sec_context,
-+ iakerb_gss_context_time,
-+ iakerb_gss_get_mic,
-+ iakerb_gss_verify_mic,
-+#if defined(IOV_SHIM_EXERCISE_WRAP) || defined(IOV_SHIM_EXERCISE)
-+ NULL,
-+#else
-+ iakerb_gss_wrap,
-+#endif
-+#if defined(IOV_SHIM_EXERCISE_UNWRAP) || defined(IOV_SHIM_EXERCISE)
-+ NULL,
-+#else
-+ iakerb_gss_unwrap,
-+#endif
-+ krb5_gss_display_status,
-+ krb5_gss_indicate_mechs,
-+ krb5_gss_compare_name,
-+ krb5_gss_display_name,
-+ krb5_gss_import_name,
-+ krb5_gss_release_name,
-+ krb5_gss_inquire_cred,
-+ NULL, /* add_cred */
-+#ifdef LEAN_CLIENT
-+ NULL,
-+ NULL,
-+#else
-+ iakerb_gss_export_sec_context,
-+ NULL,
-+#endif
-+ krb5_gss_inquire_cred_by_mech,
-+ krb5_gss_inquire_names_for_mech,
-+ iakerb_gss_inquire_context,
-+ krb5_gss_internal_release_oid,
-+ iakerb_gss_wrap_size_limit,
-+ krb5_gss_localname,
-+ krb5_gss_authorize_localname,
-+ krb5_gss_export_name,
-+ krb5_gss_duplicate_name,
-+ krb5_gss_store_cred,
-+ iakerb_gss_inquire_sec_context_by_oid,
-+ krb5_gss_inquire_cred_by_oid,
-+ iakerb_gss_set_sec_context_option,
-+ krb5_gssspi_set_cred_option,
-+ krb5_gssspi_mech_invoke,
-+ NULL, /* wrap_aead */
-+ NULL, /* unwrap_aead */
-+ iakerb_gss_wrap_iov,
-+ iakerb_gss_unwrap_iov,
-+ iakerb_gss_wrap_iov_length,
-+ NULL, /* complete_auth_token */
-+ NULL, /* acquire_cred_impersonate_name */
-+ NULL, /* add_cred_impersonate_name */
-+ NULL, /* display_name_ext */
-+ krb5_gss_inquire_name,
-+ krb5_gss_get_name_attribute,
-+ krb5_gss_set_name_attribute,
-+ krb5_gss_delete_name_attribute,
-+ krb5_gss_export_name_composite,
-+ krb5_gss_map_name_to_any,
-+ krb5_gss_release_any_name_mapping,
-+ iakerb_gss_pseudo_random,
-+ NULL, /* set_neg_mechs */
-+ krb5_gss_inquire_saslname_for_mech,
-+ krb5_gss_inquire_mech_for_saslname,
-+ krb5_gss_inquire_attrs_for_mech,
-+ krb5_gss_acquire_cred_from,
-+ krb5_gss_store_cred_into,
-+ iakerb_gss_acquire_cred_with_password,
-+ krb5_gss_export_cred,
-+ krb5_gss_import_cred,
-+ NULL, /* import_sec_context_by_mech */
-+ NULL, /* import_name_by_mech */
-+ NULL, /* import_cred_by_mech */
-+ iakerb_gss_get_mic_iov,
-+ iakerb_gss_verify_mic_iov,
-+ iakerb_gss_get_mic_iov_length,
-+};
-+
- #ifdef _GSS_STATIC_LINK
- #include "mglueP.h"
- static int gss_iakerbmechglue_init(void)
- {
- struct gss_mech_config mech_iakerb;
-- struct gss_config iakerb_mechanism = krb5_mechanism;
--
-- /* IAKERB mechanism mirrors krb5, but with different context SPIs */
-- iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context;
-- iakerb_mechanism.gss_init_sec_context = iakerb_gss_init_sec_context;
-- iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context;
-- iakerb_mechanism.gss_acquire_cred = iakerb_gss_acquire_cred;
-- iakerb_mechanism.gssspi_acquire_cred_with_password
-- = iakerb_gss_acquire_cred_with_password;
-
- memset(&mech_iakerb, 0, sizeof(mech_iakerb));
- mech_iakerb.mech = &iakerb_mechanism;
-diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
-index f30de32..4662bd9 100644
---- a/src/lib/gssapi/krb5/iakerb.c
-+++ b/src/lib/gssapi/krb5/iakerb.c
-@@ -47,6 +47,8 @@ struct _iakerb_ctx_id_rec {
- gss_ctx_id_t gssc;
- krb5_data conv; /* conversation for checksumming */
- unsigned int count; /* number of round trips */
-+ int initiate;
-+ int established;
- krb5_get_init_creds_opt *gic_opts;
- };
-
-@@ -695,7 +697,7 @@ cleanup:
- * Allocate and initialise an IAKERB context
- */
- static krb5_error_code
--iakerb_alloc_context(iakerb_ctx_id_t *pctx)
-+iakerb_alloc_context(iakerb_ctx_id_t *pctx, int initiate)
- {
- iakerb_ctx_id_t ctx;
- krb5_error_code code;
-@@ -709,6 +711,8 @@ iakerb_alloc_context(iakerb_ctx_id_t *pctx)
- ctx->magic = KG_IAKERB_CONTEXT;
- ctx->state = IAKERB_AS_REQ;
- ctx->count = 0;
-+ ctx->initiate = initiate;
-+ ctx->established = 0;
-
- code = krb5_gss_init_context(&ctx->k5c);
- if (code != 0)
-@@ -732,7 +736,7 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- gss_buffer_t output_token)
- {
-- OM_uint32 major_status = GSS_S_COMPLETE;
-+ iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle;
-
- if (output_token != GSS_C_NO_BUFFER) {
- output_token->length = 0;
-@@ -740,23 +744,10 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
- }
-
- *minor_status = 0;
-+ *context_handle = GSS_C_NO_CONTEXT;
-+ iakerb_release_context(iakerb_ctx);
-
-- if (*context_handle != GSS_C_NO_CONTEXT) {
-- iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle;
--
-- if (iakerb_ctx->magic == KG_IAKERB_CONTEXT) {
-- iakerb_release_context(iakerb_ctx);
-- *context_handle = GSS_C_NO_CONTEXT;
-- } else {
-- assert(iakerb_ctx->magic == KG_CONTEXT);
--
-- major_status = krb5_gss_delete_sec_context(minor_status,
-- context_handle,
-- output_token);
-- }
-- }
--
-- return major_status;
-+ return GSS_S_COMPLETE;
- }
-
- static krb5_boolean
-@@ -802,7 +793,7 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
- int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
-
- if (initialContextToken) {
-- code = iakerb_alloc_context(&ctx);
-+ code = iakerb_alloc_context(&ctx, 0);
- if (code != 0)
- goto cleanup;
-
-@@ -854,11 +845,8 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
- time_rec,
- delegated_cred_handle,
- &exts);
-- if (major_status == GSS_S_COMPLETE) {
-- *context_handle = ctx->gssc;
-- ctx->gssc = NULL;
-- iakerb_release_context(ctx);
-- }
-+ if (major_status == GSS_S_COMPLETE)
-+ ctx->established = 1;
- if (mech_type != NULL)
- *mech_type = (gss_OID)gss_mech_krb5;
- }
-@@ -897,7 +885,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
- int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
-
- if (initialContextToken) {
-- code = iakerb_alloc_context(&ctx);
-+ code = iakerb_alloc_context(&ctx, 1);
- if (code != 0) {
- *minor_status = code;
- goto cleanup;
-@@ -983,11 +971,8 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
- ret_flags,
- time_rec,
- &exts);
-- if (major_status == GSS_S_COMPLETE) {
-- *context_handle = ctx->gssc;
-- ctx->gssc = GSS_C_NO_CONTEXT;
-- iakerb_release_context(ctx);
-- }
-+ if (major_status == GSS_S_COMPLETE)
-+ ctx->established = 1;
- if (actual_mech_type != NULL)
- *actual_mech_type = (gss_OID)gss_mech_krb5;
- } else {
-@@ -1010,3 +995,309 @@ cleanup:
-
- return major_status;
- }
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ gss_buffer_t input_message_buffer,
-+ gss_buffer_t output_message_buffer, int *conf_state,
-+ gss_qop_t *qop_state)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_unwrap(minor_status, ctx->gssc, input_message_buffer,
-+ output_message_buffer, conf_state, qop_state);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ int conf_req_flag, gss_qop_t qop_req,
-+ gss_buffer_t input_message_buffer, int *conf_state,
-+ gss_buffer_t output_message_buffer)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_wrap(minor_status, ctx->gssc, conf_req_flag, qop_req,
-+ input_message_buffer, conf_state,
-+ output_message_buffer);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_process_context_token(OM_uint32 *minor_status,
-+ const gss_ctx_id_t context_handle,
-+ const gss_buffer_t token_buffer)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_DEFECTIVE_TOKEN;
-+
-+ return krb5_gss_process_context_token(minor_status, ctx->gssc,
-+ token_buffer);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ OM_uint32 *time_rec)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_context_time(minor_status, ctx->gssc, time_rec);
-+}
-+
-+#ifndef LEAN_CLIENT
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_export_sec_context(OM_uint32 *minor_status,
-+ gss_ctx_id_t *context_handle,
-+ gss_buffer_t interprocess_token)
-+{
-+ OM_uint32 maj;
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ /* We don't currently support exporting partially established contexts. */
-+ if (!ctx->established)
-+ return GSS_S_UNAVAILABLE;
-+
-+ maj = krb5_gss_export_sec_context(minor_status, &ctx->gssc,
-+ interprocess_token);
-+ if (ctx->gssc == GSS_C_NO_CONTEXT) {
-+ iakerb_release_context(ctx);
-+ *context_handle = GSS_C_NO_CONTEXT;
-+ }
-+ return maj;
-+}
-+
-+/*
-+ * Until we implement partial context exports, there are no SPNEGO exported
-+ * context tokens, only tokens for the underlying krb5 context. So we do not
-+ * need to implement an iakerb_gss_import_sec_context() yet; it would be
-+ * unreachable except via a manually constructed token.
-+ */
-+
-+#endif /* LEAN_CLIENT */
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_inquire_context(OM_uint32 *minor_status,
-+ gss_ctx_id_t context_handle, gss_name_t *src_name,
-+ gss_name_t *targ_name, OM_uint32 *lifetime_rec,
-+ gss_OID *mech_type, OM_uint32 *ctx_flags,
-+ int *initiate, int *opened)
-+{
-+ OM_uint32 ret;
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (src_name != NULL)
-+ *src_name = GSS_C_NO_NAME;
-+ if (targ_name != NULL)
-+ *targ_name = GSS_C_NO_NAME;
-+ if (lifetime_rec != NULL)
-+ *lifetime_rec = 0;
-+ if (mech_type != NULL)
-+ *mech_type = (gss_OID)gss_mech_iakerb;
-+ if (ctx_flags != NULL)
-+ *ctx_flags = 0;
-+ if (initiate != NULL)
-+ *initiate = ctx->initiate;
-+ if (opened != NULL)
-+ *opened = ctx->established;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_COMPLETE;
-+
-+ ret = krb5_gss_inquire_context(minor_status, ctx->gssc, src_name,
-+ targ_name, lifetime_rec, mech_type,
-+ ctx_flags, initiate, opened);
-+
-+ if (!ctx->established) {
-+ /* Report IAKERB as the mech OID until the context is established. */
-+ if (mech_type != NULL)
-+ *mech_type = (gss_OID)gss_mech_iakerb;
-+
-+ /* We don't support exporting partially-established contexts. */
-+ if (ctx_flags != NULL)
-+ *ctx_flags &= ~GSS_C_TRANS_FLAG;
-+ }
-+
-+ return ret;
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
-+ gss_ctx_id_t context_handle, int conf_req_flag,
-+ gss_qop_t qop_req, OM_uint32 req_output_size,
-+ OM_uint32 *max_input_size)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_wrap_size_limit(minor_status, ctx->gssc, conf_req_flag,
-+ qop_req, req_output_size, max_input_size);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ gss_qop_t qop_req, gss_buffer_t message_buffer,
-+ gss_buffer_t message_token)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_get_mic(minor_status, ctx->gssc, qop_req, message_buffer,
-+ message_token);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
-+ gss_qop_t *qop_state)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_verify_mic(minor_status, ctx->gssc, msg_buffer,
-+ token_buffer, qop_state);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
-+ const gss_ctx_id_t context_handle,
-+ const gss_OID desired_object,
-+ gss_buffer_set_t *data_set)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_UNAVAILABLE;
-+
-+ return krb5_gss_inquire_sec_context_by_oid(minor_status, ctx->gssc,
-+ desired_object, data_set);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
-+ gss_ctx_id_t *context_handle,
-+ const gss_OID desired_object,
-+ const gss_buffer_t value)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
-+
-+ if (ctx == NULL || ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_UNAVAILABLE;
-+
-+ return krb5_gss_set_sec_context_option(minor_status, &ctx->gssc,
-+ desired_object, value);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ int conf_req_flag, gss_qop_t qop_req, int *conf_state,
-+ gss_iov_buffer_desc *iov, int iov_count)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_wrap_iov(minor_status, ctx->gssc, conf_req_flag, qop_req,
-+ conf_state, iov, iov_count);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ int *conf_state, gss_qop_t *qop_state,
-+ gss_iov_buffer_desc *iov, int iov_count)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_unwrap_iov(minor_status, ctx->gssc, conf_state, qop_state,
-+ iov, iov_count);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
-+ gss_ctx_id_t context_handle, int conf_req_flag,
-+ gss_qop_t qop_req, int *conf_state,
-+ gss_iov_buffer_desc *iov, int iov_count)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_wrap_iov_length(minor_status, ctx->gssc, conf_req_flag,
-+ qop_req, conf_state, iov, iov_count);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ int prf_key, const gss_buffer_t prf_in,
-+ ssize_t desired_output_len, gss_buffer_t prf_out)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_pseudo_random(minor_status, ctx->gssc, prf_key, prf_in,
-+ desired_output_len, prf_out);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ gss_qop_t qop_req, gss_iov_buffer_desc *iov,
-+ int iov_count)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_get_mic_iov(minor_status, ctx->gssc, qop_req, iov,
-+ iov_count);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+ gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
-+ int iov_count)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_verify_mic_iov(minor_status, ctx->gssc, qop_state, iov,
-+ iov_count);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
-+ gss_ctx_id_t context_handle, gss_qop_t qop_req,
-+ gss_iov_buffer_desc *iov, int iov_count)
-+{
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+ if (ctx->gssc == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
-+
-+ return krb5_gss_get_mic_iov_length(minor_status, ctx->gssc, qop_req, iov,
-+ iov_count);
-+}
---
-1.9.1
-
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/Fix-IAKERB-context-export-import-CVE-2015-2698.patch b/meta-oe/recipes-connectivity/krb5/krb5/Fix-IAKERB-context-export-import-CVE-2015-2698.patch
deleted file mode 100644
index 2f45d306b8..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From aa769c8c6905d1abfac66d4d1b0fc73740ccbe7d Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Sat, 14 Nov 2015 02:47:04 -0500
-Subject: [PATCH 4/4] Fix IAKERB context export/import [CVE-2015-2698]
-
-The patches for CVE-2015-2696 contained a regression in the newly
-added IAKERB iakerb_gss_export_sec_context() function, which could
-cause it to corrupt memory. Fix the regression by properly
-dereferencing the context_handle pointer before casting it.
-
-Also, the patches did not implement an IAKERB gss_import_sec_context()
-function, under the erroneous belief that an exported IAKERB context
-would be tagged as a krb5 context. Implement it now to allow IAKERB
-contexts to be successfully exported and imported after establishment.
-
-CVE-2015-2698:
-
-In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
-application which calls gss_export_sec_context() may experience memory
-corruption if the context was established using the IAKERB mechanism.
-Historically, some vulnerabilities of this nature can be translated
-into remote code execution, though the necessary exploits must be
-tailored to the individual application and are usually quite
-complicated.
-
- CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
-
-ticket: 8273 (new)
-target_version: 1.14
-tags: pullup
-
-Backport upstream commit:
-https://github.com/krb5/krb5/commit/3db8dfec1ef50ddd78d6ba9503185995876a39fd
-
-Upstream-Status: Backport
----
- src/lib/gssapi/krb5/gssapiP_krb5.h | 5 +++++
- src/lib/gssapi/krb5/gssapi_krb5.c | 2 +-
- src/lib/gssapi/krb5/iakerb.c | 42 +++++++++++++++++++++++++++++++-------
- 3 files changed, 41 insertions(+), 8 deletions(-)
-
-diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
-index 05dc321..ac53662 100644
---- a/src/lib/gssapi/krb5/gssapiP_krb5.h
-+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
-@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV
- iakerb_gss_export_sec_context(OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- gss_buffer_t interprocess_token);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
-+ const gss_buffer_t interprocess_token,
-+ gss_ctx_id_t *context_handle);
- #endif /* LEAN_CLIENT */
-
- OM_uint32 KRB5_CALLCONV
-diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
-index 9a23656..d7ba279 100644
---- a/src/lib/gssapi/krb5/gssapi_krb5.c
-+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
-@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = {
- NULL,
- #else
- iakerb_gss_export_sec_context,
-- NULL,
-+ iakerb_gss_import_sec_context,
- #endif
- krb5_gss_inquire_cred_by_mech,
- krb5_gss_inquire_names_for_mech,
-diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
-index 4662bd9..48beaee 100644
---- a/src/lib/gssapi/krb5/iakerb.c
-+++ b/src/lib/gssapi/krb5/iakerb.c
-@@ -1061,7 +1061,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
- gss_buffer_t interprocess_token)
- {
- OM_uint32 maj;
-- iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
-
- /* We don't currently support exporting partially established contexts. */
- if (!ctx->established)
-@@ -1076,13 +1076,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
- return maj;
- }
-
--/*
-- * Until we implement partial context exports, there are no SPNEGO exported
-- * context tokens, only tokens for the underlying krb5 context. So we do not
-- * need to implement an iakerb_gss_import_sec_context() yet; it would be
-- * unreachable except via a manually constructed token.
-- */
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
-+ gss_buffer_t interprocess_token,
-+ gss_ctx_id_t *context_handle)
-+{
-+ OM_uint32 maj, tmpmin;
-+ krb5_error_code code;
-+ gss_ctx_id_t gssc;
-+ krb5_gss_ctx_id_t kctx;
-+ iakerb_ctx_id_t ctx;
-+
-+ maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc);
-+ if (maj != GSS_S_COMPLETE)
-+ return maj;
-+ kctx = (krb5_gss_ctx_id_t)gssc;
-+
-+ if (!kctx->established) {
-+ /* We don't currently support importing partially established
-+ * contexts. */
-+ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
-+ return GSS_S_FAILURE;
-+ }
-
-+ code = iakerb_alloc_context(&ctx, kctx->initiate);
-+ if (code != 0) {
-+ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
-+ *minor_status = code;
-+ return GSS_S_FAILURE;
-+ }
-+
-+ ctx->gssc = gssc;
-+ ctx->established = 1;
-+ *context_handle = (gss_ctx_id_t)ctx;
-+ return GSS_S_COMPLETE;
-+}
- #endif /* LEAN_CLIENT */
-
- OM_uint32 KRB5_CALLCONV
---
-1.9.1
-
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch b/meta-oe/recipes-connectivity/krb5/krb5/Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
deleted file mode 100644
index 227e6c614f..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+++ /dev/null
@@ -1,572 +0,0 @@
-From 884913e807414a1e06245918dea71243c5fdd0e6 Mon Sep 17 00:00:00 2001
-From: Nicolas Williams <nico@twosigma.com>
-Date: Mon, 14 Sep 2015 12:27:52 -0400
-Subject: [PATCH 1/4] Fix SPNEGO context aliasing bugs [CVE-2015-2695]
-
-The SPNEGO mechanism currently replaces its context handle with the
-mechanism context handle upon establishment, under the assumption that
-most GSS functions are only called after context establishment. This
-assumption is incorrect, and can lead to aliasing violations for some
-programs. Maintain the SPNEGO context structure after context
-establishment and refer to it in all GSS methods. Add initiate and
-opened flags to the SPNEGO context structure for use in
-gss_inquire_context() prior to context establishment.
-
-CVE-2015-2695:
-
-In MIT krb5 1.5 and later, applications which call
-gss_inquire_context() on a partially-established SPNEGO context can
-cause the GSS-API library to read from a pointer using the wrong type,
-generally causing a process crash. This bug may go unnoticed, because
-the most common SPNEGO authentication scenario establishes the context
-after just one call to gss_accept_sec_context(). Java server
-applications using the native JGSS provider are vulnerable to this
-bug. A carefully crafted SPNEGO packet might allow the
-gss_inquire_context() call to succeed with attacker-determined
-results, but applications should not make access control decisions
-based on gss_inquire_context() results prior to context establishment.
-
- CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
-
-[ghudson@mit.edu: several bugfixes, style changes, and edge-case
-behavior changes; commit message and CVE description]
-
-ticket: 8244
-target_version: 1.14
-tags: pullup
-
-Backport upstream commit:
-https://github.com/krb5/krb5/commit/b51b33f2bc5d1497ddf5bd107f791c101695000d
-
-Upstream-Status: Backport
----
- src/lib/gssapi/spnego/gssapiP_spnego.h | 2 +
- src/lib/gssapi/spnego/spnego_mech.c | 254 ++++++++++++++++++++++++---------
- 2 files changed, 192 insertions(+), 64 deletions(-)
-
-diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h
-index bc23f56..8e05736 100644
---- a/src/lib/gssapi/spnego/gssapiP_spnego.h
-+++ b/src/lib/gssapi/spnego/gssapiP_spnego.h
-@@ -102,6 +102,8 @@ typedef struct {
- int firstpass;
- int mech_complete;
- int nego_done;
-+ int initiate;
-+ int opened;
- OM_uint32 ctx_flags;
- gss_name_t internal_name;
- gss_OID actual_mech;
-diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
-index f9248ab..3423f22 100644
---- a/src/lib/gssapi/spnego/spnego_mech.c
-+++ b/src/lib/gssapi/spnego/spnego_mech.c
-@@ -101,7 +101,7 @@ static OM_uint32 get_negotiable_mechs(OM_uint32 *, spnego_gss_cred_id_t,
- gss_cred_usage_t, gss_OID_set *);
- static void release_spnego_ctx(spnego_gss_ctx_id_t *);
- static void check_spnego_options(spnego_gss_ctx_id_t);
--static spnego_gss_ctx_id_t create_spnego_ctx(void);
-+static spnego_gss_ctx_id_t create_spnego_ctx(int);
- static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf);
- static int put_input_token(unsigned char **, gss_buffer_t, unsigned int);
- static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int);
-@@ -439,7 +439,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx)
- }
-
- static spnego_gss_ctx_id_t
--create_spnego_ctx(void)
-+create_spnego_ctx(int initiate)
- {
- spnego_gss_ctx_id_t spnego_ctx = NULL;
- spnego_ctx = (spnego_gss_ctx_id_t)
-@@ -462,6 +462,8 @@ create_spnego_ctx(void)
- spnego_ctx->mic_rcvd = 0;
- spnego_ctx->mech_complete = 0;
- spnego_ctx->nego_done = 0;
-+ spnego_ctx->opened = 0;
-+ spnego_ctx->initiate = initiate;
- spnego_ctx->internal_name = GSS_C_NO_NAME;
- spnego_ctx->actual_mech = GSS_C_NO_OID;
-
-@@ -627,7 +629,7 @@ init_ctx_new(OM_uint32 *minor_status,
- OM_uint32 ret;
- spnego_gss_ctx_id_t sc = NULL;
-
-- sc = create_spnego_ctx();
-+ sc = create_spnego_ctx(1);
- if (sc == NULL)
- return GSS_S_FAILURE;
-
-@@ -644,10 +646,7 @@ init_ctx_new(OM_uint32 *minor_status,
- ret = GSS_S_FAILURE;
- goto cleanup;
- }
-- /*
-- * The actual context is not yet determined, set the output
-- * context handle to refer to the spnego context itself.
-- */
-+
- sc->ctx_handle = GSS_C_NO_CONTEXT;
- *ctx = (gss_ctx_id_t)sc;
- sc = NULL;
-@@ -1088,16 +1087,11 @@ cleanup:
- }
- gss_release_buffer(&tmpmin, &mechtok_out);
- if (ret == GSS_S_COMPLETE) {
-- /*
-- * Now, switch the output context to refer to the
-- * negotiated mechanism's context.
-- */
-- *context_handle = (gss_ctx_id_t)spnego_ctx->ctx_handle;
-+ spnego_ctx->opened = 1;
- if (actual_mech != NULL)
- *actual_mech = spnego_ctx->actual_mech;
- if (ret_flags != NULL)
- *ret_flags = spnego_ctx->ctx_flags;
-- release_spnego_ctx(&spnego_ctx);
- } else if (ret != GSS_S_CONTINUE_NEEDED) {
- if (spnego_ctx != NULL) {
- gss_delete_sec_context(&tmpmin,
-@@ -1341,7 +1335,7 @@ acc_ctx_hints(OM_uint32 *minor_status,
- if (ret != GSS_S_COMPLETE)
- goto cleanup;
-
-- sc = create_spnego_ctx();
-+ sc = create_spnego_ctx(0);
- if (sc == NULL) {
- ret = GSS_S_FAILURE;
- goto cleanup;
-@@ -1423,7 +1417,7 @@ acc_ctx_new(OM_uint32 *minor_status,
- gss_release_buffer(&tmpmin, &sc->DER_mechTypes);
- assert(mech_wanted != GSS_C_NO_OID);
- } else
-- sc = create_spnego_ctx();
-+ sc = create_spnego_ctx(0);
- if (sc == NULL) {
- ret = GSS_S_FAILURE;
- *return_token = NO_TOKEN_SEND;
-@@ -1806,13 +1800,12 @@ cleanup:
- ret = GSS_S_FAILURE;
- }
- if (ret == GSS_S_COMPLETE) {
-- *context_handle = (gss_ctx_id_t)sc->ctx_handle;
-+ sc->opened = 1;
- if (sc->internal_name != GSS_C_NO_NAME &&
- src_name != NULL) {
- *src_name = sc->internal_name;
- sc->internal_name = GSS_C_NO_NAME;
- }
-- release_spnego_ctx(&sc);
- } else if (ret != GSS_S_CONTINUE_NEEDED) {
- if (sc != NULL) {
- gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
-@@ -2125,8 +2118,13 @@ spnego_gss_unwrap(
- gss_qop_t *qop_state)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
-+
- ret = gss_unwrap(minor_status,
-- context_handle,
-+ sc->ctx_handle,
- input_message_buffer,
- output_message_buffer,
- conf_state,
-@@ -2146,8 +2144,13 @@ spnego_gss_wrap(
- gss_buffer_t output_message_buffer)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
-+
- ret = gss_wrap(minor_status,
-- context_handle,
-+ sc->ctx_handle,
- conf_req_flag,
- qop_req,
- input_message_buffer,
-@@ -2164,8 +2167,14 @@ spnego_gss_process_context_token(
- const gss_buffer_t token_buffer)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ /* SPNEGO doesn't have its own context tokens. */
-+ if (!sc->opened)
-+ return (GSS_S_DEFECTIVE_TOKEN);
-+
- ret = gss_process_context_token(minor_status,
-- context_handle,
-+ sc->ctx_handle,
- token_buffer);
-
- return (ret);
-@@ -2189,19 +2198,9 @@ spnego_gss_delete_sec_context(
- if (*ctx == NULL)
- return (GSS_S_COMPLETE);
-
-- /*
-- * If this is still an SPNEGO mech, release it locally.
-- */
-- if ((*ctx)->magic_num == SPNEGO_MAGIC_ID) {
-- (void) gss_delete_sec_context(minor_status,
-- &(*ctx)->ctx_handle,
-- output_token);
-- (void) release_spnego_ctx(ctx);
-- } else {
-- ret = gss_delete_sec_context(minor_status,
-- context_handle,
-- output_token);
-- }
-+ (void) gss_delete_sec_context(minor_status, &(*ctx)->ctx_handle,
-+ output_token);
-+ (void) release_spnego_ctx(ctx);
-
- return (ret);
- }
-@@ -2213,8 +2212,13 @@ spnego_gss_context_time(
- OM_uint32 *time_rec)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
-+
- ret = gss_context_time(minor_status,
-- context_handle,
-+ sc->ctx_handle,
- time_rec);
- return (ret);
- }
-@@ -2226,9 +2230,20 @@ spnego_gss_export_sec_context(
- gss_buffer_t interprocess_token)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = *(spnego_gss_ctx_id_t *)context_handle;
-+
-+ /* We don't currently support exporting partially established
-+ * contexts. */
-+ if (!sc->opened)
-+ return GSS_S_UNAVAILABLE;
-+
- ret = gss_export_sec_context(minor_status,
-- context_handle,
-+ &sc->ctx_handle,
- interprocess_token);
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT) {
-+ release_spnego_ctx(&sc);
-+ *context_handle = GSS_C_NO_CONTEXT;
-+ }
- return (ret);
- }
-
-@@ -2238,11 +2253,12 @@ spnego_gss_import_sec_context(
- const gss_buffer_t interprocess_token,
- gss_ctx_id_t *context_handle)
- {
-- OM_uint32 ret;
-- ret = gss_import_sec_context(minor_status,
-- interprocess_token,
-- context_handle);
-- return (ret);
-+ /*
-+ * Until we implement partial context exports, there are no SPNEGO
-+ * exported context tokens, only tokens for underlying mechs. So just
-+ * return an error for now.
-+ */
-+ return GSS_S_UNAVAILABLE;
- }
- #endif /* LEAN_CLIENT */
-
-@@ -2259,16 +2275,48 @@ spnego_gss_inquire_context(
- int *opened)
- {
- OM_uint32 ret = GSS_S_COMPLETE;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ if (src_name != NULL)
-+ *src_name = GSS_C_NO_NAME;
-+ if (targ_name != NULL)
-+ *targ_name = GSS_C_NO_NAME;
-+ if (lifetime_rec != NULL)
-+ *lifetime_rec = 0;
-+ if (mech_type != NULL)
-+ *mech_type = (gss_OID)gss_mech_spnego;
-+ if (ctx_flags != NULL)
-+ *ctx_flags = 0;
-+ if (locally_initiated != NULL)
-+ *locally_initiated = sc->initiate;
-+ if (opened != NULL)
-+ *opened = sc->opened;
-+
-+ if (sc->ctx_handle != GSS_C_NO_CONTEXT) {
-+ ret = gss_inquire_context(minor_status, sc->ctx_handle,
-+ src_name, targ_name, lifetime_rec,
-+ mech_type, ctx_flags, NULL, NULL);
-+ }
-
-- ret = gss_inquire_context(minor_status,
-- context_handle,
-- src_name,
-- targ_name,
-- lifetime_rec,
-- mech_type,
-- ctx_flags,
-- locally_initiated,
-- opened);
-+ if (!sc->opened) {
-+ /*
-+ * We are still doing SPNEGO negotiation, so report SPNEGO as
-+ * the OID. After negotiation is complete we will report the
-+ * underlying mechanism OID.
-+ */
-+ if (mech_type != NULL)
-+ *mech_type = (gss_OID)gss_mech_spnego;
-+
-+ /*
-+ * Remove flags we don't support with partially-established
-+ * contexts. (Change this to keep GSS_C_TRANS_FLAG if we add
-+ * support for exporting partial SPNEGO contexts.)
-+ */
-+ if (ctx_flags != NULL) {
-+ *ctx_flags &= ~GSS_C_PROT_READY_FLAG;
-+ *ctx_flags &= ~GSS_C_TRANS_FLAG;
-+ }
-+ }
-
- return (ret);
- }
-@@ -2283,8 +2331,13 @@ spnego_gss_wrap_size_limit(
- OM_uint32 *max_input_size)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
-+
- ret = gss_wrap_size_limit(minor_status,
-- context_handle,
-+ sc->ctx_handle,
- conf_req_flag,
- qop_req,
- req_output_size,
-@@ -2301,8 +2354,13 @@ spnego_gss_get_mic(
- gss_buffer_t message_token)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
-+
- ret = gss_get_mic(minor_status,
-- context_handle,
-+ sc->ctx_handle,
- qop_req,
- message_buffer,
- message_token);
-@@ -2318,8 +2376,13 @@ spnego_gss_verify_mic(
- gss_qop_t *qop_state)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
-+
- ret = gss_verify_mic(minor_status,
-- context_handle,
-+ sc->ctx_handle,
- msg_buffer,
- token_buffer,
- qop_state);
-@@ -2334,8 +2397,14 @@ spnego_gss_inquire_sec_context_by_oid(
- gss_buffer_set_t *data_set)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ /* There are no SPNEGO-specific OIDs for this function. */
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_UNAVAILABLE);
-+
- ret = gss_inquire_sec_context_by_oid(minor_status,
-- context_handle,
-+ sc->ctx_handle,
- desired_object,
- data_set);
- return (ret);
-@@ -2404,8 +2473,15 @@ spnego_gss_set_sec_context_option(
- const gss_buffer_t value)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)*context_handle;
-+
-+ /* There are no SPNEGO-specific OIDs for this function, and we cannot
-+ * construct an empty SPNEGO context with it. */
-+ if (sc == NULL || sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_UNAVAILABLE);
-+
- ret = gss_set_sec_context_option(minor_status,
-- context_handle,
-+ &sc->ctx_handle,
- desired_object,
- value);
- return (ret);
-@@ -2422,8 +2498,13 @@ spnego_gss_wrap_aead(OM_uint32 *minor_status,
- gss_buffer_t output_message_buffer)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
-+
- ret = gss_wrap_aead(minor_status,
-- context_handle,
-+ sc->ctx_handle,
- conf_req_flag,
- qop_req,
- input_assoc_buffer,
-@@ -2444,8 +2525,13 @@ spnego_gss_unwrap_aead(OM_uint32 *minor_status,
- gss_qop_t *qop_state)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
-+
- ret = gss_unwrap_aead(minor_status,
-- context_handle,
-+ sc->ctx_handle,
- input_message_buffer,
- input_assoc_buffer,
- output_payload_buffer,
-@@ -2464,8 +2550,13 @@ spnego_gss_wrap_iov(OM_uint32 *minor_status,
- int iov_count)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
-+
- ret = gss_wrap_iov(minor_status,
-- context_handle,
-+ sc->ctx_handle,
- conf_req_flag,
- qop_req,
- conf_state,
-@@ -2483,8 +2574,13 @@ spnego_gss_unwrap_iov(OM_uint32 *minor_status,
- int iov_count)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
-+
- ret = gss_unwrap_iov(minor_status,
-- context_handle,
-+ sc->ctx_handle,
- conf_state,
- qop_state,
- iov,
-@@ -2502,8 +2598,13 @@ spnego_gss_wrap_iov_length(OM_uint32 *minor_status,
- int iov_count)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
-+
- ret = gss_wrap_iov_length(minor_status,
-- context_handle,
-+ sc->ctx_handle,
- conf_req_flag,
- qop_req,
- conf_state,
-@@ -2520,8 +2621,13 @@ spnego_gss_complete_auth_token(
- gss_buffer_t input_message_buffer)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_UNAVAILABLE);
-+
- ret = gss_complete_auth_token(minor_status,
-- context_handle,
-+ sc->ctx_handle,
- input_message_buffer);
- return (ret);
- }
-@@ -2773,8 +2879,13 @@ spnego_gss_pseudo_random(OM_uint32 *minor_status,
- gss_buffer_t prf_out)
- {
- OM_uint32 ret;
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context;
-+
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
-+
- ret = gss_pseudo_random(minor_status,
-- context,
-+ sc->ctx_handle,
- prf_key,
- prf_in,
- desired_output_len,
-@@ -2915,7 +3026,12 @@ spnego_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
- gss_qop_t qop_req, gss_iov_buffer_desc *iov,
- int iov_count)
- {
-- return gss_get_mic_iov(minor_status, context_handle, qop_req, iov,
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
-+
-+ return gss_get_mic_iov(minor_status, sc->ctx_handle, qop_req, iov,
- iov_count);
- }
-
-@@ -2924,7 +3040,12 @@ spnego_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
- gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
- int iov_count)
- {
-- return gss_verify_mic_iov(minor_status, context_handle, qop_state, iov,
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
-+
-+ return gss_verify_mic_iov(minor_status, sc->ctx_handle, qop_state, iov,
- iov_count);
- }
-
-@@ -2933,7 +3054,12 @@ spnego_gss_get_mic_iov_length(OM_uint32 *minor_status,
- gss_ctx_id_t context_handle, gss_qop_t qop_req,
- gss_iov_buffer_desc *iov, int iov_count)
- {
-- return gss_get_mic_iov_length(minor_status, context_handle, qop_req, iov,
-+ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+ if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
-+
-+ return gss_get_mic_iov_length(minor_status, sc->ctx_handle, qop_req, iov,
- iov_count);
- }
-
---
-1.9.1
-
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch b/meta-oe/recipes-connectivity/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch
deleted file mode 100644
index 9b0c18b75f..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 9cb63711e63042f22da914ba039c4537b22e8fb0 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Fri, 25 Sep 2015 12:51:47 -0400
-Subject: [PATCH 3/4] Fix build_principal memory bug [CVE-2015-2697]
-
-In build_principal_va(), use k5memdup0() instead of strdup() to make a
-copy of the realm, to ensure that we allocate the correct number of
-bytes and do not read past the end of the input string. This bug
-affects krb5_build_principal(), krb5_build_principal_va(), and
-krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
-affected.
-
-CVE-2015-2697:
-
-In MIT krb5 1.7 and later, an authenticated attacker may be able to
-cause a KDC to crash using a TGS request with a large realm field
-beginning with a null byte. If the KDC attempts to find a referral to
-answer the request, it constructs a principal name for lookup using
-krb5_build_principal() with the requested realm. Due to a bug in this
-function, the null byte causes only one byte be allocated for the
-realm field of the constructed principal, far less than its length.
-Subsequent operations on the lookup principal may cause a read beyond
-the end of the mapped memory region, causing the KDC process to crash.
-
-CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
-
-ticket: 8252 (new)
-target_version: 1.14
-tags: pullup
-
-Backport upstream commit:
-https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789
-
-Upstream-Status: Backport
----
- src/lib/krb5/krb/bld_princ.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
-index ab6fed8..8604268 100644
---- a/src/lib/krb5/krb/bld_princ.c
-+++ b/src/lib/krb5/krb/bld_princ.c
-@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
- data = malloc(size * sizeof(krb5_data));
- if (!data) { retval = ENOMEM; }
-
-- if (!retval) {
-- r = strdup(realm);
-- if (!r) { retval = ENOMEM; }
-- }
-+ if (!retval)
-+ r = k5memdup0(realm, rlen, &retval);
-
- while (!retval && (component = va_arg(ap, char *))) {
- if (count == size) {
---
-1.9.1
-
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch
deleted file mode 100644
index 67fefed898..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3119.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Subject: kerb: Fix LDAP null deref on empty arg [CVE-2016-3119]
-From: Greg Hudson
-
-In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
-if there is an empty string in the db_args array. Check for this case
-and avoid dereferencing a null pointer.
-
-CVE-2016-3119:
-
-In MIT krb5 1.6 and later, an authenticated attacker with permission
-to modify a principal entry can cause kadmind to dereference a null
-pointer by supplying an empty DB argument to the modify_principal
-command, if kadmind is configured to use the LDAP KDB module.
-
- CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
-
-ticket: 8383 (new)
-target_version: 1.14-next
-target_version: 1.13-next
-tags: pullup
-
-Upstream-Status: Backport
-
-Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
-Index: krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-===================================================================
---- krb5-1.13.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-05-09 07:27:02.000000000 +0800
-+++ krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-04-11 15:17:12.874140518 +0800
-@@ -267,6 +267,7 @@
- if (db_args) {
- for (i=0; db_args[i]; ++i) {
- arg = strtok_r(db_args[i], "=", &arg_val);
-+ arg = (arg != NULL) ? arg : "";
- if (strcmp(arg, TKTPOLICY_ARG) == 0) {
- dptr = &xargs->tktpolicydn;
- } else {
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch
deleted file mode 100644
index dbc46bb79d..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 5b9b82d0696f1ffd4e693c1f8eafc0915b15e85b Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Tue, 19 Jul 2016 11:00:28 -0400
-Subject: [PATCH] Fix S4U2Self KDC crash when anon is restricted
-
-cherry-picked from 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 upstream
-
-In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
-use client.princ instead of request->client; the latter is NULL when
-validating S4U2Self requests.
-
-CVE-2016-3120:
-
-In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
-to dereference a null pointer if the restrict_anonymous_to_tgt option
-is set to true, by making an S4U2Self request.
-
- CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
-
-ticket: 8458 (new)
-target_version: 1.14-next
-target_version: 1.13-next
-
-Upstream-Status: Backport
-
-Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
----
- src/kdc/kdc_util.c | 2 +-
- src/tests/t_pkinit.py | 5 +++++
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
-index 48be1ae..10daec4 100644
---- a/src/kdc/kdc_util.c
-+++ b/src/kdc/kdc_util.c
-@@ -700,7 +700,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
- return(KDC_ERR_MUST_USE_USER2USER);
- }
-
-- if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
-+ if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
- *status = "ANONYMOUS NOT ALLOWED";
- return(KDC_ERR_POLICY);
- }
-diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
-index 762e322..d27d05b 100644
---- a/src/tests/t_pkinit.py
-+++ b/src/tests/t_pkinit.py
-@@ -94,6 +94,11 @@ out = realm.run([kvno, realm.host_princ], expected_code=1)
- if 'KDC policy rejects request' not in out:
- fail('Wrong error for restricted anonymous PKINIT')
-
-+# Regression test for #8458: S4U2Self requests crash the KDC if
-+# anonymous is restricted.
-+realm.kinit(realm.host_princ, flags=['-k'])
-+realm.run([kvno, '-U', 'user', realm.host_princ])
-+
- # Go back to a normal KDC and disable anonymous PKINIT.
- realm.stop_kdc()
- realm.start_kdc()
---
-2.5.0
-
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.6.bb
index 776eed409c..990e9df391 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.6.bb
@@ -14,19 +14,15 @@ DESCRIPTION = "Kerberos is a system for authenticating users and services on a n
HOMEPAGE = "http://web.mit.edu/Kerberos/"
SECTION = "console/network"
LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=f64248328d2d9928e1f04158b5243e7f"
+LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=c6f37efad53b098e420f45e7ab6807dc"
DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native"
inherit autotools-brokensep binconfig perlnative systemd
SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"
-SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar \
+SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \
file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \
- file://Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch;striplevel=2 \
- file://Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch;striplevel=2 \
- file://Fix-build_principal-memory-bug-CVE-2015-2697.patch;striplevel=2 \
- file://Fix-IAKERB-context-export-import-CVE-2015-2698.patch;striplevel=2 \
file://crosscompile_nm.patch \
file://etc/init.d/krb5-kdc \
file://etc/init.d/krb5-admin-server \
@@ -34,12 +30,9 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
file://etc/default/krb5-admin-server \
file://krb5-kdc.service \
file://krb5-admin-server.service \
- file://krb5-CVE-2016-3119.patch;striplevel=2 \
- file://0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch;striplevel=2 \
- file://krb5-CVE-2016-3120.patch;striplevel=2 \
"
-SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189"
-SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1"
+SRC_URI[md5sum] = "6164ca9c075b4ecc68eadd6d13040417"
+SRC_URI[sha256sum] = "9c0a46b8918237a53916370d2e02298c2b294f55f0351f9404e18930bc26badc"
S = "${WORKDIR}/${BP}/src"
@@ -68,16 +61,6 @@ FILES_${PN}-dbg += "${libdir}/krb5/plugins/*/.debug"
# As this recipe doesn't inherit update-rc.d, we need to add this dependency here
RDEPENDS_${PN}_class-target += "initscripts-functions"
-krb5_do_unpack() {
- # ${P}-signed.tar contains ${P}.tar.gz.asc and ${P}.tar.gz
- tar xzf ${WORKDIR}/${BP}.tar.gz -C ${WORKDIR}/
-}
-
-python do_unpack() {
- bb.build.exec_func('base_do_unpack', d)
- bb.build.exec_func('krb5_do_unpack', d)
-}
-
do_configure() {
gnu-configize --force
autoreconf