krb5: upgrade 1.17.2 -> 1.20.1

Release Notes: https://web.mit.edu/kerberos/krb5-1.20/krb5-1.20.1.html License-Update: Update AES algorithm copyright [1] Update copyright years [2] [1] https://github.com/krb5/krb5/commit/cb5f190056ef4d123c5fe5d4923982b830288438 [2] https://github.com/krb5/krb5/commit/f1535bf6b47e8dc03d69fcfb98e798546ff7c272 * Update PACKAGECONFIG[keyutils] and drop the local patch. * Drop backport CVE patches. * Inherit pkgconfig bbclass to find com_err library correctly. * Drop --without-tcl option as it has been removed upstream. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Yi Zhao <yi.zhao@windriver.com> 2022-12-30 09:46:07 +0800
committer: Khem Raj <raj.khem@gmail.com> 2023-01-01 02:23:29 -0800
commit: 18a9d6d38615e298f41dc8f44da4bada9858801e (patch)
tree: 8c26e769ed93918c42ab821dc8c223fb19b00a31
parent: 5494dc9ff377a8c102d862bf0db896341aae3ac8 (diff)
download: meta-openembedded-18a9d6d38615e298f41dc8f44da4bada9858801e.tar.gz
4 files changed, 9 insertions, 216 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch b/meta-oe/recipes-connectivity/krb5/krb5/0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch
deleted file mode 100644
index cbd5d71fdf..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From a9e4057bfda190ad365b503af058b460ab8c7616 Mon Sep 17 00:00:00 2001
-From: Martin Jansa <Martin.Jansa@gmail.com>
-Date: Tue, 1 Oct 2013 22:22:57 +0200
-Subject: [PATCH] aclocal: Add parameter to disable keyutils detection
-Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
---
- aclocal.m4 | 4 ++++
- 1 file changed, 4 insertions(+)
-diff --git a/aclocal.m4 b/aclocal.m4
-index d6d1279..80ce604 100644
--- a/aclocal.m4
-+++ b/aclocal.m4
-@@ -1679,12 +1679,16 @@ fi
- dnl
- dnl If libkeyutils exists (on Linux) include it and use keyring ccache
- AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
-+AC_ARG_ENABLE([keyutils],
-+AC_HELP_STRING([--disable-keyutils],don't enable using keyutils for keyring ccache @<:@enabled@:>@), , enable_keyutils=yes)
-+if test "$enable_keyutils" = yes; then
-   AC_CHECK_HEADERS([keyutils.h],
-     AC_CHECK_LIB(keyutils, add_key, 
-       [dnl Pre-reqs were found
-        AC_DEFINE(USE_KEYRING_CCACHE, 1, [Define if the keyring ccache should be enabled])
-        LIBS="-lkeyutils $LIBS"
-       ]))
-+fi
- ])dnl
- dnl
- dnl If libkeyutils supports persistent keyrings, use them
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch
deleted file mode 100644
index fee6e64c15..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From fc98f520caefff2e5ee9a0026fdf5109944b3562 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 7 Jul 2021 11:47:44 +1200
-Subject: [PATCH] Fix KDC null deref on bad encrypted challenge
-The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
-to avoid further processing if the armor key is NULL.  However, this
-check is bypassed by a call to k5memdup0() which overwrites retval
-with 0 if the allocation succeeds.  If the armor key is NULL, a call
-to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
-crash.  Add a check before the k5memdup0() call to avoid overwriting
-retval.
-CVE-2021-36222:
-In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
-cause a null dereference in the KDC by sending a request containing a
-PA-ENCRYPTED-CHALLENGE padata element without using FAST.
-[ghudson@mit.edu: trimmed patch; added test case; edited commit
-message]
-ticket: 9007 (new)
-tags: pullup
-target_version: 1.19-next
-target_version: 1.18-next
-CVE: CVE-2021-36222
-Upstream-Status: Backport
-[https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562]
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- src/kdc/kdc_preauth_ec.c      |  3 ++-
- src/tests/Makefile.in         |  1 +
- src/tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++
- 3 files changed, 49 insertions(+), 1 deletion(-)
- create mode 100644 src/tests/t_cve-2021-36222.py
-diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
-index 7e636b3f9..43a9902cc 100644
--- a/src/kdc/kdc_preauth_ec.c
-+++ b/src/kdc/kdc_preauth_ec.c
-@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
-     }
- 
-     /* Check for a configured FAST ec auth indicator. */
-    realmstr = k5memdup0(realm.data, realm.length, &retval);
-+    if (retval == 0)
-+        realmstr = k5memdup0(realm.data, realm.length, &retval);
-     if (realmstr != NULL)
-         retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
-                                     realmstr,
-diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
-index fc6fcc0c3..1a1938306 100644
--- a/src/tests/Makefile.in
-+++ b/src/tests/Makefile.in
-@@ -166,6 +166,7 @@ check-pytests: unlockiter s4u2self
-        $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
-        $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
-        $(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS)
-+       $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS)
-        $(RM) au.log
-        $(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS)
-        $(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \
-diff --git a/src/tests/t_cve-2021-36222.py b/src/tests/t_cve-2021-36222.py
-new file mode 100644
-index 000000000..57e04993b
--- /dev/null
-+++ b/src/tests/t_cve-2021-36222.py
-@@ -0,0 +1,46 @@
-+import socket
-+from k5test import *
-+
-+realm = K5Realm()
-+
-+# CVE-2021-36222 KDC null dereference on encrypted challenge preauth
-+# without FAST
-+
-+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-+a = (hostname, realm.portbase)
-+
-+m = ('6A81A0' '30819D'          # [APPLICATION 10] SEQUENCE
-+     'A103' '0201' '05'         #  [1] pvno = 5
-+     'A203' '0201' '0A'         #  [2] msg-type = 10
-+     'A30E' '300C'              #  [3] padata = SEQUENCE OF
-+     '300A'                     #   SEQUENCE
-+     'A104' '0202' '008A'       #    [1] padata-type = PA-ENCRYPTED-CHALLENGE
-+     'A202' '0400'              #    [2] padata-value = ""
-+     'A48180' '307E'            #  [4] req-body = SEQUENCE
-+     'A007' '0305' '0000000000' #   [0] kdc-options = 0
-+     'A120' '301E'              #   [1] cname = SEQUENCE
-+     'A003' '0201' '01'         #    [0] name-type = NT-PRINCIPAL
-+     'A117' '3015'              #    [1] name-string = SEQUENCE-OF
-+     '1B06' '6B7262746774'      #     krbtgt
-+     '1B0B' '4B5242544553542E434F4D'
-+                                #     KRBTEST.COM
-+     'A20D' '1B0B' '4B5242544553542E434F4D'
-+                                #   [2] realm = KRBTEST.COM
-+     'A320' '301E'              #   [3] sname = SEQUENCE
-+     'A003' '0201' '01'         #    [0] name-type = NT-PRINCIPAL
-+     'A117' '3015'              #    [1] name-string = SEQUENCE-OF
-+     '1B06' '6B7262746774'      #     krbtgt
-+     '1B0B' '4B5242544553542E434F4D'
-+                                #     KRBTEST.COM
-+     'A511' '180F' '31393934303631303036303331375A'
-+                                #   [5] till = 19940610060317Z
-+     'A703' '0201' '00'         #   [7] nonce = 0
-+     'A808' '3006'              #   [8] etype = SEQUENCE OF
-+     '020112' '020111')         #    aes256-cts aes128-cts
-+
-+s.sendto(bytes.fromhex(m), a)
-+
-+# Make sure kinit still works.
-+realm.kinit(realm.user_princ, password('user'))
-+
-+success('CVE-2021-36222 regression test')
-- 
-2.25.1
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-37750.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-37750.patch
deleted file mode 100644
index c67bca32e7..0000000000
--- a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-37750.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From b3999be7ab59a5af4b2f1042ce0d6b03ecb17d4e Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Tue, 3 Aug 2021 01:15:27 -0400
-Subject: [PATCH] Fix KDC null deref on TGS inner body null server
-After the KDC decodes a FAST inner body, it does not check for a null
-server.  Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
-would typically result in an error from krb5_unparse_name(), but with
-the addition of get_local_tgt() it results in a null dereference.  Add
-a null check.
-Reported by Joseph Sutton of Catalyst.
-CVE-2021-37750:
-In MIT krb5 releases 1.14 and later, an authenticated attacker can
-cause a null dereference in the KDC by sending a FAST TGS request with
-no server field.
-ticket: 9008 (new)
-tags: pullup
-target_version: 1.19-next
-target_version: 1.18-next
-CVE: CVE-2021-37750
-Upstream-Status: Backport
-[https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49]
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- src/kdc/do_tgs_req.c | 5 +++++
- 1 file changed, 5 insertions(+)
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index 587342a..622b48f 100644
--- a/src/kdc/do_tgs_req.c
-+++ b/src/kdc/do_tgs_req.c
-@@ -201,6 +201,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
-         status = "FIND_FAST";
-         goto cleanup;
-     }
-+    if (sprinc == NULL) {
-+        status = "NULL_SERVER";
-+        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
-+        goto cleanup;
-+    }
- 
-     errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
-                             &local_tgt, &local_tgt_storage);
-- 
-2.17.1
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb
index 6e0b2fdacb..2221000e3b 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb
@@ -14,14 +14,12 @@ DESCRIPTION = "Kerberos is a system for authenticating users and services on a n
 HOMEPAGE = "http://web.mit.edu/Kerberos/"
 SECTION = "console/network"
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=dd4d0ad4c5e98abb58aa0d312f276791"
+LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=1d31018dba5a0ef195eb426a1e61f02e"
-DEPENDS = "bison-native ncurses util-linux e2fsprogs e2fsprogs-native openssl"
-inherit autotools-brokensep binconfig perlnative systemd update-rc.d
+inherit autotools-brokensep binconfig perlnative systemd update-rc.d pkgconfig
 SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"
 SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
-           file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \
           file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \
           file://crosscompile_nm.patch \
           file://etc/init.d/krb5-kdc \
@@ -30,26 +28,26 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
           file://etc/default/krb5-admin-server \
           file://krb5-kdc.service \
           file://krb5-admin-server.service \
-           file://CVE-2021-36222.patch;striplevel=2 \
-           file://CVE-2021-37750.patch;striplevel=2 \
 "
-SRC_URI[md5sum] = "aa4337fffa3b61f22dbd0167f708818f"
+SRC_URI[md5sum] = "73f5780e7b587ccd8b8cfc10c965a686"
-SRC_URI[sha256sum] = "1a4bba94df92f6d39a197a10687653e8bfbc9a2076e129f6eb92766974f86134"
+SRC_URI[sha256sum] = "704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851"
 CVE_PRODUCT = "kerberos"
 CVE_VERSION = "5-${PV}"
 S = "${WORKDIR}/${BP}/src"
+DEPENDS = "bison-native ncurses util-linux e2fsprogs e2fsprogs-native openssl"
 PACKAGECONFIG ??= "pkinit"
 PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
 PACKAGECONFIG[openssl] = "--with-crypto-impl=openssl,,openssl"
-PACKAGECONFIG[keyutils] = "--enable-keyutils,--disable-keyutils,keyutils"
+PACKAGECONFIG[keyutils] = "--with-keyutils,--without-keyutils,keyutils"
 PACKAGECONFIG[ldap] = "--with-ldap,--without-ldap,openldap"
 PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline"
 PACKAGECONFIG[pkinit] = "--enable-pkinit, --disable-pkinit"
-EXTRA_OECONF += " --without-tcl --with-system-et --disable-rpath"
+EXTRA_OECONF += "--with-system-et --disable-rpath"
 CACHED_CONFIGUREVARS += "krb5_cv_attr_constructor_destructor=yes ac_cv_func_regcomp=yes \
                  ac_cv_printf_positional=yes ac_cv_file__etc_environment=yes \
                  ac_cv_file__etc_TIMEZONE=no"
@@ -85,6 +83,7 @@ do_install:append() {
        echo "RUN_KADMIND=true" >> ${D}/${sysconfdir}/default/krb5-admin-server
    fi
    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
        install -d ${D}${sysconfdir}/tmpfiles.d
        echo "d /run/krb5kdc - - - -" \
author	Yi Zhao <yi.zhao@windriver.com>	2022-12-30 09:46:07 +0800
committer	Khem Raj <raj.khem@gmail.com>	2023-01-01 02:23:29 -0800
commit	18a9d6d38615e298f41dc8f44da4bada9858801e (patch)
tree	8c26e769ed93918c42ab821dc8c223fb19b00a31
parent	5494dc9ff377a8c102d862bf0db896341aae3ac8 (diff)
download	meta-openembedded-18a9d6d38615e298f41dc8f44da4bada9858801e.tar.gz

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch b/meta-oe/recipes-connectivity/krb5/krb5/0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch deleted file mode 100644 index cbd5d71fdf..0000000000 --- a/meta-oe/recipes-connectivity/krb5/krb5/0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch +++ /dev/null
@@ -1,32 +0,0 @@
1	From a9e4057bfda190ad365b503af058b460ab8c7616 Mon Sep 17 00:00:00 2001
2	From: Martin Jansa <Martin.Jansa@gmail.com>
3	Date: Tue, 1 Oct 2013 22:22:57 +0200
4	Subject: [PATCH] aclocal: Add parameter to disable keyutils detection
5
6	Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
7
8	---
9	aclocal.m4 \| 4 ++++
10	1 file changed, 4 insertions(+)
11
12	diff --git a/aclocal.m4 b/aclocal.m4
13	index d6d1279..80ce604 100644
14	--- a/aclocal.m4
15	+++ b/aclocal.m4
16	@@ -1679,12 +1679,16 @@ fi
17	dnl
18	dnl If libkeyutils exists (on Linux) include it and use keyring ccache
19	AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
20	+AC_ARG_ENABLE([keyutils],
21	+AC_HELP_STRING([--disable-keyutils],don't enable using keyutils for keyring ccache @<:@enabled@:>@), , enable_keyutils=yes)
22	+if test "$enable_keyutils" = yes; then
23	AC_CHECK_HEADERS([keyutils.h],
24	AC_CHECK_LIB(keyutils, add_key,
25	[dnl Pre-reqs were found
26	AC_DEFINE(USE_KEYRING_CCACHE, 1, [Define if the keyring ccache should be enabled])
27	LIBS="-lkeyutils $LIBS"
28	]))
29	+fi
30	])dnl
31	dnl
32	dnl If libkeyutils supports persistent keyrings, use them


diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch deleted file mode 100644 index fee6e64c15..0000000000 --- a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch +++ /dev/null
@@ -1,121 +0,0 @@
1	From fc98f520caefff2e5ee9a0026fdf5109944b3562 Mon Sep 17 00:00:00 2001
2	From: Joseph Sutton <josephsutton@catalyst.net.nz>
3	Date: Wed, 7 Jul 2021 11:47:44 +1200
4	Subject: [PATCH] Fix KDC null deref on bad encrypted challenge
5
6	The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
7	to avoid further processing if the armor key is NULL. However, this
8	check is bypassed by a call to k5memdup0() which overwrites retval
9	with 0 if the allocation succeeds. If the armor key is NULL, a call
10	to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
11	crash. Add a check before the k5memdup0() call to avoid overwriting
12	retval.
13
14	CVE-2021-36222:
15
16	In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
17	cause a null dereference in the KDC by sending a request containing a
18	PA-ENCRYPTED-CHALLENGE padata element without using FAST.
19
20	[ghudson@mit.edu: trimmed patch; added test case; edited commit
21	message]
22
23	ticket: 9007 (new)
24	tags: pullup
25	target_version: 1.19-next
26	target_version: 1.18-next
27
28	CVE: CVE-2021-36222
29
30	Upstream-Status: Backport
31	[https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562]
32
33	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
34	---
35	src/kdc/kdc_preauth_ec.c \| 3 ++-
36	src/tests/Makefile.in \| 1 +
37	src/tests/t_cve-2021-36222.py \| 46 +++++++++++++++++++++++++++++++++++
38	3 files changed, 49 insertions(+), 1 deletion(-)
39	create mode 100644 src/tests/t_cve-2021-36222.py
40
41	diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
42	index 7e636b3f9..43a9902cc 100644
43	--- a/src/kdc/kdc_preauth_ec.c
44	+++ b/src/kdc/kdc_preauth_ec.c
45	@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data req_pkt, krb5_kdc_req request,
46	}
47
48	/* Check for a configured FAST ec auth indicator. */
49	- realmstr = k5memdup0(realm.data, realm.length, &retval);
50	+ if (retval == 0)
51	+ realmstr = k5memdup0(realm.data, realm.length, &retval);
52	if (realmstr != NULL)
53	retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
54	realmstr,
55	diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
56	index fc6fcc0c3..1a1938306 100644
57	--- a/src/tests/Makefile.in
58	+++ b/src/tests/Makefile.in
59	@@ -166,6 +166,7 @@ check-pytests: unlockiter s4u2self
60	$(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
61	$(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
62	$(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS)
63	+ $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS)
64	$(RM) au.log
65	$(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS)
66	$(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \
67	diff --git a/src/tests/t_cve-2021-36222.py b/src/tests/t_cve-2021-36222.py
68	new file mode 100644
69	index 000000000..57e04993b
70	--- /dev/null
71	+++ b/src/tests/t_cve-2021-36222.py
72	@@ -0,0 +1,46 @@
73	+import socket
74	+from k5test import *
75	+
76	+realm = K5Realm()
77	+
78	+# CVE-2021-36222 KDC null dereference on encrypted challenge preauth
79	+# without FAST
80	+
81	+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
82	+a = (hostname, realm.portbase)
83	+
84	+m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE
85	+ 'A103' '0201' '05' # [1] pvno = 5
86	+ 'A203' '0201' '0A' # [2] msg-type = 10
87	+ 'A30E' '300C' # [3] padata = SEQUENCE OF
88	+ '300A' # SEQUENCE
89	+ 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE
90	+ 'A202' '0400' # [2] padata-value = ""
91	+ 'A48180' '307E' # [4] req-body = SEQUENCE
92	+ 'A007' '0305' '0000000000' # [0] kdc-options = 0
93	+ 'A120' '301E' # [1] cname = SEQUENCE
94	+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
95	+ 'A117' '3015' # [1] name-string = SEQUENCE-OF
96	+ '1B06' '6B7262746774' # krbtgt
97	+ '1B0B' '4B5242544553542E434F4D'
98	+ # KRBTEST.COM
99	+ 'A20D' '1B0B' '4B5242544553542E434F4D'
100	+ # [2] realm = KRBTEST.COM
101	+ 'A320' '301E' # [3] sname = SEQUENCE
102	+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
103	+ 'A117' '3015' # [1] name-string = SEQUENCE-OF
104	+ '1B06' '6B7262746774' # krbtgt
105	+ '1B0B' '4B5242544553542E434F4D'
106	+ # KRBTEST.COM
107	+ 'A511' '180F' '31393934303631303036303331375A'
108	+ # [5] till = 19940610060317Z
109	+ 'A703' '0201' '00' # [7] nonce = 0
110	+ 'A808' '3006' # [8] etype = SEQUENCE OF
111	+ '020112' '020111') # aes256-cts aes128-cts
112	+
113	+s.sendto(bytes.fromhex(m), a)
114	+
115	+# Make sure kinit still works.
116	+realm.kinit(realm.user_princ, password('user'))
117	+
118	+success('CVE-2021-36222 regression test')
119	--
120	2.25.1
121


diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-37750.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-37750.patch deleted file mode 100644 index c67bca32e7..0000000000 --- a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-37750.patch +++ /dev/null
@@ -1,53 +0,0 @@
1	From b3999be7ab59a5af4b2f1042ce0d6b03ecb17d4e Mon Sep 17 00:00:00 2001
2	From: Greg Hudson <ghudson@mit.edu>
3	Date: Tue, 3 Aug 2021 01:15:27 -0400
4	Subject: [PATCH] Fix KDC null deref on TGS inner body null server
5
6	After the KDC decodes a FAST inner body, it does not check for a null
7	server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
8	would typically result in an error from krb5_unparse_name(), but with
9	the addition of get_local_tgt() it results in a null dereference. Add
10	a null check.
11
12	Reported by Joseph Sutton of Catalyst.
13
14	CVE-2021-37750:
15
16	In MIT krb5 releases 1.14 and later, an authenticated attacker can
17	cause a null dereference in the KDC by sending a FAST TGS request with
18	no server field.
19
20	ticket: 9008 (new)
21	tags: pullup
22	target_version: 1.19-next
23	target_version: 1.18-next
24
25	CVE: CVE-2021-37750
26
27	Upstream-Status: Backport
28	[https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49]
29
30	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
31	---
32	src/kdc/do_tgs_req.c \| 5 +++++
33	1 file changed, 5 insertions(+)
34
35	diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
36	index 587342a..622b48f 100644
37	--- a/src/kdc/do_tgs_req.c
38	+++ b/src/kdc/do_tgs_req.c
39	@@ -201,6 +201,11 @@ process_tgs_req(krb5_kdc_req request, krb5_data pkt,
40	status = "FIND_FAST";
41	goto cleanup;
42	}
43	+ if (sprinc == NULL) {
44	+ status = "NULL_SERVER";
45	+ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
46	+ goto cleanup;
47	+ }
48
49	errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
50	&local_tgt, &local_tgt_storage);
51	--
52	2.17.1
53


diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb index 6e0b2fdacb..2221000e3b 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb
@@ -14,14 +14,12 @@ DESCRIPTION = "Kerberos is a system for authenticating users and services on a n
14	HOMEPAGE = "http://web.mit.edu/Kerberos/"	14	HOMEPAGE = "http://web.mit.edu/Kerberos/"
15	SECTION = "console/network"	15	SECTION = "console/network"
16	LICENSE = "MIT"	16	LICENSE = "MIT"
17	LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=dd4d0ad4c5e98abb58aa0d312f276791"	17	LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=1d31018dba5a0ef195eb426a1e61f02e"
18	DEPENDS = "bison-native ncurses util-linux e2fsprogs e2fsprogs-native openssl"
19		18
20	inherit autotools-brokensep binconfig perlnative systemd update-rc.d	19	inherit autotools-brokensep binconfig perlnative systemd update-rc.d pkgconfig
21		20
22	SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"	21	SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"
23	SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \	22	SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
24	file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \
25	file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \	23	file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \
26	file://crosscompile_nm.patch \	24	file://crosscompile_nm.patch \
27	file://etc/init.d/krb5-kdc \	25	file://etc/init.d/krb5-kdc \
@@ -30,26 +28,26 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
30	file://etc/default/krb5-admin-server \	28	file://etc/default/krb5-admin-server \
31	file://krb5-kdc.service \	29	file://krb5-kdc.service \
32	file://krb5-admin-server.service \	30	file://krb5-admin-server.service \
33	file://CVE-2021-36222.patch;striplevel=2 \
34	file://CVE-2021-37750.patch;striplevel=2 \
35	"	31	"
36	SRC_URI[md5sum] = "aa4337fffa3b61f22dbd0167f708818f"	32	SRC_URI[md5sum] = "73f5780e7b587ccd8b8cfc10c965a686"
37	SRC_URI[sha256sum] = "1a4bba94df92f6d39a197a10687653e8bfbc9a2076e129f6eb92766974f86134"	33	SRC_URI[sha256sum] = "704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851"
38		34
39	CVE_PRODUCT = "kerberos"	35	CVE_PRODUCT = "kerberos"
40	CVE_VERSION = "5-${PV}"	36	CVE_VERSION = "5-${PV}"
41		37
42	S = "${WORKDIR}/${BP}/src"	38	S = "${WORKDIR}/${BP}/src"
43		39
		40	DEPENDS = "bison-native ncurses util-linux e2fsprogs e2fsprogs-native openssl"
		41
44	PACKAGECONFIG ??= "pkinit"	42	PACKAGECONFIG ??= "pkinit"
45	PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"	43	PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
46	PACKAGECONFIG[openssl] = "--with-crypto-impl=openssl,,openssl"	44	PACKAGECONFIG[openssl] = "--with-crypto-impl=openssl,,openssl"
47	PACKAGECONFIG[keyutils] = "--enable-keyutils,--disable-keyutils,keyutils"	45	PACKAGECONFIG[keyutils] = "--with-keyutils,--without-keyutils,keyutils"
48	PACKAGECONFIG[ldap] = "--with-ldap,--without-ldap,openldap"	46	PACKAGECONFIG[ldap] = "--with-ldap,--without-ldap,openldap"
49	PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline"	47	PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline"
50	PACKAGECONFIG[pkinit] = "--enable-pkinit, --disable-pkinit"	48	PACKAGECONFIG[pkinit] = "--enable-pkinit, --disable-pkinit"
51		49
52	EXTRA_OECONF += " --without-tcl --with-system-et --disable-rpath"	50	EXTRA_OECONF += "--with-system-et --disable-rpath"
53	CACHED_CONFIGUREVARS += "krb5_cv_attr_constructor_destructor=yes ac_cv_func_regcomp=yes \	51	CACHED_CONFIGUREVARS += "krb5_cv_attr_constructor_destructor=yes ac_cv_func_regcomp=yes \
54	ac_cv_printf_positional=yes ac_cv_file__etc_environment=yes \	52	ac_cv_printf_positional=yes ac_cv_file__etc_environment=yes \
55	ac_cv_file__etc_TIMEZONE=no"	53	ac_cv_file__etc_TIMEZONE=no"
@@ -85,6 +83,7 @@ do_install:append() {
85		83
86	echo "RUN_KADMIND=true" >> ${D}/${sysconfdir}/default/krb5-admin-server	84	echo "RUN_KADMIND=true" >> ${D}/${sysconfdir}/default/krb5-admin-server
87	fi	85	fi
		86
88	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then	87	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
89	install -d ${D}${sysconfdir}/tmpfiles.d	88	install -d ${D}${sysconfdir}/tmpfiles.d
90	echo "d /run/krb5kdc - - - -" \	89	echo "d /run/krb5kdc - - - -" \