Bug 154276
Summary: | krb5 CAN-2005-046{8,9] - buffer overflows | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | [Retired] Fedora Legacy | Reporter: | Michal Jaegermann <michal> | ||||||||
Component: | krb5 | Assignee: | Fedora Legacy Bugs <bugs> | ||||||||
Status: | CLOSED ERRATA | QA Contact: | |||||||||
Severity: | medium | Docs Contact: | |||||||||
Priority: | medium | ||||||||||
Version: | unspecified | CC: | dkl, jimpop, mattdm, pekkas | ||||||||
Target Milestone: | --- | Keywords: | Security | ||||||||
Target Release: | --- | ||||||||||
Hardware: | All | ||||||||||
OS: | Linux | ||||||||||
Whiteboard: | 1, LEGACY, rhl73, rhl9 | ||||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||||
Doc Text: | Story Points: | --- | |||||||||
Clone Of: | Environment: | ||||||||||
Last Closed: | 2005-07-24 14:53:56 UTC | Type: | --- | ||||||||
Regression: | --- | Mount Type: | --- | ||||||||
Documentation: | --- | CRM: | |||||||||
Verified Versions: | Category: | --- | |||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||
Embargoed: | |||||||||||
Attachments: |
|
Description of problem: https://rhn.redhat.com/errata/RHSA-2005-330.html describes two buffer overflows in sources which are rather close to those in the current Legacy-testing. It appears that some other issues are also fixed. The following patches show up there on the top what is present in, say, krb5-1.2.4-16.legacy: krb5-1.2.7-gss-ccache-free.patch krb5-1.2.7-tcp3.patch krb5-1.2.7-stdarg.patch krb5-1.2-MITKRB5SA-2005-001.patch krb5-1.2.7-endiansize.patch A patch krb5-1.2.7-tcp3.patch applies with sizeable offsets and krb5-1.2-MITKRB5SA-2005-001.patch is in a form (probably mangled a bit by mail) which is not acceptable to 'patch' utility from at least RH7.3. Therefore attaches are reworked versions of these two patches and a diff to a spec from krb5-1.2.4-16.legacy. Some modification to make that closer to a spec file from RHEL are also included. The remaining three patches do not need any adjustments before application. Created attachment 112884 [details]
krb5-1.2.7-tcp3.patch adjusted for 1.2.4
Created attachment 112885 [details]
krb5-1.2-MITKRB5SA-2005-001.patch in a unified diff format
*** Bug 152585 has been marked as a duplicate of this bug. *** Fedora Core 2 was already updated for this, by the way. ftp://ftp.harddata.com/pub/Legacy_srpms/krb5-1.2.4-16.mj.src.rpm is a srpm for RH7.3 patched in a way described in this report. I guess this applies to RHL9 and FC1 as well.. I didn't include the other patches, because they seemed more like bugfixes/enhancements (like the tcp3 one), rather than security fixes. If there is consensus to include them (in the interest of getting closer to RHEL versions), that would be OK by me. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 No discussion seems to have taken place, so here are new RPMs which fix CAN-2005-0468 & CAN-2005-0469. These do not include any other (non-security) patches from RHEL. FC2 was already fixed. http://staff.csc.fi/psavola/fl/krb5-1.2.4-16.1.legacy.src.rpm (RHL73) http://staff.csc.fi/psavola/fl/krb5-1.2.7-38.3.legacy.src.rpm (RHL9) http://staff.csc.fi/psavola/fl/krb5-1.3.4-5.3.legacy.src.rpm (FC1) fc5363d0cf47f379c4df032871d6fca09db51cbf krb5-1.2.4-16.1.legacy.src.rpm dd2bb6e3c1e2c45631b59bd294fc25e2e1e044c7 krb5-1.2.7-38.3.legacy.src.rpm 3fc1e78ea65c0100c05ee1340faf80eb04b190a5 krb5-1.3.4-5.3.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFCpVCpGHbTkzxSL7QRAneWAKCd8RGk0Ku8W10DpR+stiBV55avpACgingD 4ipRXswSZ8VqxsP/nNd1+aE= =3eYF -----END PGP SIGNATURE----- Was there an earlier legacy krb5 release for rhl9? The latest I can find in the mirror is krb5-1.2.7-14, with no post-RH changes. Nothing has been officially released by FL, but my updates are based on those in updates-testing, developed in PR 152773. Okay, thanks. Will look at bug #152773 again. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I did QA on the RHL73, RH9, and FC1 packages. fc5363d0cf47f379c4df032871d6fca09db51cbf krb5-1.2.4-16.1.legacy.src.rpm dd2bb6e3c1e2c45631b59bd294fc25e2e1e044c7 krb5-1.2.7-38.3.legacy.src.rpm 3fc1e78ea65c0100c05ee1340faf80eb04b190a5 krb5-1.3.4-5.3.legacy.src.rpm I compared sha1sums of the individual files in each .src.rpm to the prevously released FedoraLegacy update, and they all match. Patch is as expected. Specfile changes are to package version, addition of new patch, and changelog. +PUBLISH RH73,RH9,FC1 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) iD8DBQFCsj+hTnwK660bsQMRAjKHAJ4w7A6N26djaFqXD+9l06D6rATkrwCgoa2S Vg/VgP8gVVSrGm7nMhj/Guo= =Zl3L -----END PGP SIGNATURE----- *** Bug 152773 has been marked as a duplicate of this bug. *** Packages were pushed to updates-testing -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ++VERIFY for RHL 9 ++VERIFY for RHL 7.3 RHL 9 Packages: krb5-devel-1.2.7-38.3.legacy.i386.rpm krb5-libs-1.2.7-38.3.legacy.i386.rpm krb5-server-1.2.7-38.3.legacy.i386.rpm krb5-workstation-1.2.7-38.3.legacy.i386.rpm RHL 7.3 Packages: krb5-devel-1.2.4-16.1.legacy.i386.rpm krb5-libs-1.2.4-16.1.legacy.i386.rpm krb5-server-1.2.4-16.1.legacy.i386.rpm krb5-workstation-1.2.4-16.1.legacy.i386.rpm SHA1 checksums all match test update advisory. Signatures verify okay. I installed, removed (except for krb5-libs), and re-installed all the updates on a RHL 9 machine and a RHL 7.3 machine without problem. Did not notice any problems or issues on either machine. NOTE: I did not test any kerberos functionality as I don't use kerberos here. I only tested that installing, removing, and re-installing all worked without any noticed problems or issues. Vote for release for RHL 9 and RHL 7.3. ++VERIFY -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFCzZj44jZRbknHoPIRAmEwAJ9F0k84bFcpTy4PfINqTJQ3p7wioACgtYSh jlnTyQbllPx/jOXx5v1VROA= =Ol3V -----END PGP SIGNATURE----- Thanks. Timeouts in two weeks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ++VERIFY RHL 7.3 5b8e4296a97f8ac0b5fb38fb634226216fc7a7bc krb5-libs-1.2.4-16.legacy.i386.rpm - -Jim P. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFC0Z83MyG7U7lo69MRAsXRAJoCWKzwcK2CMUAJ9z9mcUugtfrJZwCghD0h 0VyEy2tQT0Za42GHJdXWsH0= =UILR Timeout over. These have been officially released. |
Created attachment 112883 [details] spec file modifications