From ecda7f786a7cb51fd4d0195495bfdf1fcda19344 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Thu, 24 Nov 2022 14:53:34 +0100 Subject: [PATCH] package/libkrb5: security bump to version 1.20.1 Fixes the following security issue: CVE-2022-42898: In MIT krb5 releases 1.8 and later, an authenticated attacker may be able to cause a KDC or kadmind process to crash by reading beyond the bounds of allocated memory, creating a denial of service. A privileged attacker may similarly be able to cause a Kerberos or GSS application service to crash. On 32-bit platforms, an attacker can also cause insufficient memory to be allocated for the result, potentially leading to remote code execution in a KDC, kadmind, or GSS or Kerberos application server process. An attacker with the privileges of a cross-realm KDC may be able to extract secrets from a KDC process's memory by having them copied into the PAC of a new ticket. Bugfix tarballs are located in the same directory as the base version, so introduce LIBKRB5_VERSION_MAJOR. Signed-off-by: Peter Korsgaard Signed-off-by: Arnout Vandecappelle (cherry picked from commit f93c47fad847219e2d748570484ca800faa9d4eb) Signed-off-by: Peter Korsgaard --- package/libkrb5/libkrb5.hash | 2 +- package/libkrb5/libkrb5.mk | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/package/libkrb5/libkrb5.hash b/package/libkrb5/libkrb5.hash index 2fce24b45b..94dfa2ed6e 100644 --- a/package/libkrb5/libkrb5.hash +++ b/package/libkrb5/libkrb5.hash @@ -1,5 +1,5 @@ # Locally calculated after checking pgp signature -sha256 7e022bdd3c851830173f9faaa006a230a0e0fdad4c953e85bff4bf0da036e12f krb5-1.20.tar.gz +sha256 704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851 krb5-1.20.1.tar.gz # Hash for license file: sha256 cfadcf7b2ead2f3af793c25c00638c9908ac0023b101695f40cb9a03b16811dc NOTICE diff --git a/package/libkrb5/libkrb5.mk b/package/libkrb5/libkrb5.mk index 5e547470ed..9bacfaee58 100644 --- a/package/libkrb5/libkrb5.mk +++ b/package/libkrb5/libkrb5.mk @@ -4,8 +4,9 @@ # ################################################################################ -LIBKRB5_VERSION = 1.20 -LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION) +LIBKRB5_VERSION_MAJOR = 1.20 +LIBKRB5_VERSION = $(LIBKRB5_VERSION_MAJOR).1 +LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION_MAJOR) LIBKRB5_SOURCE = krb5-$(LIBKRB5_VERSION).tar.gz LIBKRB5_SUBDIR = src LIBKRB5_LICENSE = MIT, BSD-2-Clause, BSD-3-Clause, BSD-4-Clause, others