[Buildroot] [PATCH] package/libkrb5: security bump to version 1.20.1
Arnout Vandecappelle
arnout at mind.be
Thu Nov 24 14:38:07 UTC 2022
On 24/11/2022 14:53, Peter Korsgaard wrote:
> Fixes the following security issue:
>
> CVE-2022-42898: In MIT krb5 releases 1.8 and later, an authenticated
> attacker may be able to cause a KDC or kadmind process to crash by reading
> beyond the bounds of allocated memory, creating a denial of service. A
> privileged attacker may similarly be able to cause a Kerberos or GSS
> application service to crash. On 32-bit platforms, an attacker can also
> cause insufficient memory to be allocated for the result, potentially
> leading to remote code execution in a KDC, kadmind, or GSS or Kerberos
> application server process. An attacker with the privileges of a
> cross-realm KDC may be able to extract secrets from a KDC process's memory
> by having them copied into the PAC of a new ticket.
>
> Bugfix tarballs are located in the same directory as the base version, so
> introduce LIBKRB5_VERSION_MAJOR.
>
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Applied to master, thanks.
Regards,
Arnout
> ---
> package/libkrb5/libkrb5.hash | 2 +-
> package/libkrb5/libkrb5.mk | 5 +++--
> 2 files changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/package/libkrb5/libkrb5.hash b/package/libkrb5/libkrb5.hash
> index 2fce24b45b..94dfa2ed6e 100644
> --- a/package/libkrb5/libkrb5.hash
> +++ b/package/libkrb5/libkrb5.hash
> @@ -1,5 +1,5 @@
> # Locally calculated after checking pgp signature
> -sha256 7e022bdd3c851830173f9faaa006a230a0e0fdad4c953e85bff4bf0da036e12f krb5-1.20.tar.gz
> +sha256 704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851 krb5-1.20.1.tar.gz
>
> # Hash for license file:
> sha256 cfadcf7b2ead2f3af793c25c00638c9908ac0023b101695f40cb9a03b16811dc NOTICE
> diff --git a/package/libkrb5/libkrb5.mk b/package/libkrb5/libkrb5.mk
> index 5e547470ed..9bacfaee58 100644
> --- a/package/libkrb5/libkrb5.mk
> +++ b/package/libkrb5/libkrb5.mk
> @@ -4,8 +4,9 @@
> #
> ################################################################################
>
> -LIBKRB5_VERSION = 1.20
> -LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION)
> +LIBKRB5_VERSION_MAJOR = 1.20
> +LIBKRB5_VERSION = $(LIBKRB5_VERSION_MAJOR).1
> +LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION_MAJOR)
> LIBKRB5_SOURCE = krb5-$(LIBKRB5_VERSION).tar.gz
> LIBKRB5_SUBDIR = src
> LIBKRB5_LICENSE = MIT, BSD-2-Clause, BSD-3-Clause, BSD-4-Clause, others
More information about the buildroot
mailing list