Date: Tue, 15 Nov 2022 16:37:15 GMT
Message-Id: <202211151637.2AFGbFfm029140@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Cy Schubert
Subject: git: de40003bfd69 - main - security/krb5-*: Address CVE-2022-42898
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main

The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=de40003bfd697e98cdd342e253699e83e1040961

commit de40003bfd697e98cdd342e253699e83e1040961
Author:     Cy Schubert
AuthorDate: 2022-11-15 16:27:50 +0000
Commit:     Cy Schubert
CommitDate: 2022-11-15 16:37:02 +0000

    security/krb5-*: Address CVE-2022-42898

    Topic: Vulnerabilities in PAC parsing

    CVE-2022-42898: integer overflow vulnerabilities in PAC parsing

    SUMMARY
    =======

    Three integer overflow vulnerabilities have been discovered in the MIT
    krb5 library function krb5_parse_pac().

    IMPACT
    ======

    An authenticated attacker may be able to cause a KDC or kadmind
    process to crash by reading beyond the bounds of allocated memory,
    creating a denial of service. A privileged attacker may similarly be
    able to cause a Kerberos or GSS application service to crash.

    On a 32-bit platform, an authenticated attacker may be able to cause
    heap corruption in a KDC or kadmind process, possibly leading to
    remote code execution. A privileged attacker may similarly be able to
    cause heap corruption in a Kerberos or GSS application service running
    on a 32-bit platform.

    An attacker with the privileges of a cross-realm KDC may be able to
    extract secrets from a KDC process's memory by having them copied into
    the PAC of a new ticket.

    AFFECTED SOFTWARE
    =================

    Kerberos and GSS application services using krb5-1.8 or later are
    affected.

    kadmind in krb5-1.8 or later is affected.

    The krb5-1.20 KDC is affected.

    The krb5-1.8 through krb5-1.19 KDC is affected when using the Samba or
    FreeIPA KDB modules.

    REFERENCES
    ==========

    This announcement is posted at:

      https://web.mit.edu/kerberos/advisories/MITKRB5-SA-2022-001.txt

    This announcement and related security advisories may be found on the
    MIT Kerberos security advisory page at:

      https://web.mit.edu/kerberos/advisories/index.html

    The main MIT Kerberos web page is at:

      https://web.mit.edu/kerberos/index.html

    CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42898

    MFH:            2022Q4
    Security:       CVE-2022-42898

--- security/krb5-119/Makefile | 2 ++ security/krb5-119/distinfo | 4 +++- security/krb5-120/Makefile | 2 ++ security/krb5-120/distinfo | 4 +++- 4 files changed, 10 insertions(+), 2 deletions(-) diff --git a/security/krb5-119/Makefile b/security/krb5-119/Makefile index e0668fe68b6b..a598987a8290 100644 --- a/security/krb5-119/Makefile +++ b/security/krb5-119/Makefile @@ -1,5 +1,6 @@ PORTNAME= krb5 PORTVERSION= 1.19.3 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/ .if !defined(MASTERDIR) @@ -8,6 +9,7 @@ PKGNAMESUFFIX= -119 PATCH_SITES= http://web.mit.edu/kerberos/advisories/ PATCH_DIST_STRIP= -p2 +PATCHFILES= 2022-001-patch-r119.txt MAINTAINER= cy@FreeBSD.org COMMENT= MIT implementation of RFC 4120 network authentication service diff --git a/security/krb5-119/distinfo b/security/krb5-119/distinfo index a5f3bcd0c84b..aee7180b8355 100644 --- a/security/krb5-119/distinfo +++ b/security/krb5-119/distinfo
@@ -1,3 +1,5 @@ -TIMESTAMP = 1647101273 +TIMESTAMP = 1668529517 SHA256 (krb5-1.19.3.tar.gz) = 56d04863cfddc9d9eb7af17556e043e3537d41c6e545610778676cf551b9dcd0 SIZE (krb5-1.19.3.tar.gz) = 8741343 +SHA256 (2022-001-patch-r119.txt) = e6e50807528cdda07fe8d946b0b417403168ff1e442ed4dbf099f20262c25867 +SIZE (2022-001-patch-r119.txt) = 3536 diff --git a/security/krb5-120/Makefile b/security/krb5-120/Makefile index 71b22f51b4fc..236ffb297c67 100644 --- a/security/krb5-120/Makefile +++ b/security/krb5-120/Makefile @@ -1,5 +1,6 @@ PORTNAME= krb5 PORTVERSION= 1.20 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/ .if !defined(MASTERDIR) @@ -8,6 +9,7 @@ PKGNAMESUFFIX= -120 PATCH_SITES= http://web.mit.edu/kerberos/advisories/ PATCH_DIST_STRIP= -p2 +PATCHFILES= 2022-001-patch-r120.txt MAINTAINER= cy@FreeBSD.org COMMENT= MIT implementation of RFC 4120 network authentication service diff --git a/security/krb5-120/distinfo b/security/krb5-120/distinfo index a6aaac17bfbc..bd9dce75f180 100644 --- a/security/krb5-120/distinfo +++ b/security/krb5-120/distinfo @@ -1,3 +1,5 @@ -TIMESTAMP = 1653608400 +TIMESTAMP = 1668529430 SHA256 (krb5-1.20.tar.gz) = 7e022bdd3c851830173f9faaa006a230a0e0fdad4c953e85bff4bf0da036e12f SIZE (krb5-1.20.tar.gz) = 8660756 +SHA256 (2022-001-patch-r120.txt) = 7e4589910db665142ba04b45eb8f64d0a3dd30e67c0010e449048600ece0bcc9 +SIZE (2022-001-patch-r120.txt) = 3539
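
Review bot: In the @@ -8,6 +9,7 @@ hunk of both security/krb5-119/Makefile and security/krb5-120/Makefile, the new PATCHFILES entry is fetched from the unchanged context line PATCH_SITES= http://web.mit.edu/kerberos/advisories/, that is, over plain HTTP, while the commit message cites the same directory as https://web.mit.edu/kerberos/advisories/. The SHA256 and SIZE lines added to distinfo pin the content, so a tampered download fails the checksum step, but the fetch of a security patch should not rely on that alone when the host serves HTTPS. Suggest switching PATCH_SITES to https://, and MASTER_SITES in the @@ -1,5 +1,6 @@ hunk along with it.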
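
Review bot: In the @@ -1,5 +1,6 @@ hunk of both Makefiles, PORTREVISION= 1 makes the fixed builds distinguishable (1.19.3_1 and 1.20_1), but the diffstat lists only the four Makefile and distinfo files, so nothing in this commit records CVE-2022-42898 in security/vuxml. If that entry is not landing in a separate commit, pkg audit will not flag hosts still running the unpatched revisions. Suggest adding the entry, or naming the companion commit in the message.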