packages/krb5
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
krb5/krb5.spec
Funda Wang 8f344f6b5c fix CVE-2024-3596 
(cherry picked from commit 1b3a300e110c88e3f91c0ab3324c858329f0654d)
2024-11-07 16:36:57 +08:00

432 lines
13 KiB
RPMSpec
Raw Blame History

%global _hardening_ldflags %{nil}
%global WITH_DIRSRV 1
Name: krb5
Version: 1.21.2
Release: 11
Summary: The Kerberos network authentication protocol
License: MIT
URL: http://web.mit.edu/kerberos/www/
Source0: https://web.mit.edu/kerberos/dist/krb5/1.21/%{name}-%{version}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/1.21/%{name}-%{version}.tar.gz.asc
Source2: kprop.service
Source3: kadmin.service
Source4: krb5kdc.service
Source5: krb5.conf
Source6: kdc.conf
Source7: kadm5.acl
Source11: ksu.pamd
Source12: krb5kdc.logrotate
Source13: kadmind.logrotate
Source100: noport.c
Patch0: ksu-pam-integration.patch
Patch1: SELinux-integration.patch
Patch2: Adjust-build-configuration.patch
Patch3: netlib-and-dns.patch
Patch4: fix-debuginfo-with-y.tab.c.patch
Patch5: Remove-3des-support.patch
Patch6: Fix-krb5_cccol_have_content-bad-pointer-free.patch
Patch7: Do-not-reload-a-modified-profile-data-object.patch
Patch8: backport-Fix-unimportant-memory-leaks.patch
Patch9: backport-Remove-klist-s-defname-global-variable.patch
Patch10: backport-Fix-two-unlikely-memory-leaks.patch
Patch11: backport-Allow-modifications-of-empty-profiles.patch
Patch12: fix-leak-in-KDC-NDR-encoding.patch
Patch13: backport-Fix-more-non-prototype-functions.patch
Patch14: backport-Fix-Python-regexp-literals.patch
Patch15: backport-Handle-empty-initial-buffer-in-IAKERB-initiator.patch
Patch16: backport-CVE-2024-37370-CVE-2024-37371-Fix-vulnerabilities-in-GSS-message-token-handling.patch
Patch17: backport-Change-krb5_get_credentials-endtime-behavior.patch
Patch18: backport-Fix-memory-leak-in-PAC-checksum-verification.patch
Patch19: fix-libkadm5-parameter-leak.patch
Patch20: backport-CVE-2024-3596.patch
BuildRequires: gettext
BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
BuildRequires: libcom_err-devel openssl-devel openldap-devel libss-devel libverto-module-base
# tests
BuildRequires: perl-interpreter dejagnu python3 tcl-devel
BuildRequires: net-tools rpcbind hostname iproute libverto-devel
BuildRequires: nss_wrapper socket_wrapper keyutils, keyutils-libs-devel
BuildRequires: lmdb-devel
Obsoletes: libkadm5 < %{version}-%{release}
Provides: libkadm5 = %{version}-%{release}
%description
Kerberos is a network authentication protocol.
It is designed to provide strong authentication
for client/server applications by using secret-key
cryptography.
%package server
Summary: krb5 server
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: logrotate libverto systemd words crypto-policies
Obsoletes: krb5-pkinit < %{version}-%{release}
Obsoletes: krb5-server-ldap < %{version}-%{release}
Provides: krb5-pkinit = %{version}-%{release}
Provides: krb5-server-ldap = %{version}-%{release}
Obsoletes: krb5-pkinit-openssl < %{version}-%{release}
Provides: krb5-pkinit-openssl = %{version}-%{release}
%{?systemd_requires}
%description server
This package provides krb5 server programs.
%package client
Summary: krb5 client
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-workstation < %{version}-%{release}
Provides: %{name}-workstation = %{version}-%{release}
%description client
This package provides krb5 client programs.
%package devel
Summary: Development files for compiling with krb5
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: e2fsprogs-devel keyutils-libs-devel libselinux-devel libverto-devel
Provides: krb5-kdb-version = 7.0
%description devel
%{summary}.
%package libs
Summary: The non-admin shared libraries used by Kerberos 5
Requires: coreutils gawk grep sed keyutils-libs
Requires: /etc/crypto-policies/back-ends/krb5.config
%description libs
This package contains the shared libraries needed by Kerberos 5.
%package_help
%prep
%autosetup -n %{name}-%{version} -p1
pushd src
autoreconf -fiv
popd
%build
source %{_libdir}/tclConfig.sh
pushd src
# Set this so that configure will have a value even if the current version of
# autoconf doesn't set one.
export runstatedir=%{_localstatedir}/run
# Work out the CFLAGS and CPPFLAGS which we intend to use.
INCLUDES=-I%{_includedir}/et
CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC -fno-strict-aliasing -fstack-protector-all`"
CPPFLAGS="`echo $DEFINES $INCLUDES`"
%configure \
CC="%{__cc}" \
CFLAGS="$CFLAGS" \
CPPFLAGS="$CPPFLAGS" \
SS_LIB="-lss" \
--enable-shared \
--localstatedir=%{_var}/kerberos \
--disable-rpath \
--without-krb5-config \
--with-system-et \
--with-system-ss \
--with-netlib=-lresolv \
--with-tcl \
--enable-dns-for-realm \
--with-ldap \
%if %{WITH_DIRSRV}
--with-dirsrv-account-locking \
%endif
--enable-pkinit \
--with-crypto-impl=openssl \
--with-tls-impl=openssl \
--with-system-verto \
--with-pam \
--with-selinux \
--with-prng-alg=os \
--with-lmdb \
|| (cat config.log; exit 1)
%make_build
popd
# We need to cut off any access to locally-running nameservers, too.
%{__cc} -fPIC -shared -o noport.so -Wall -Wextra %{SOURCE100}
%install
pushd src
%make_install
popd
mkdir -p $RPM_BUILD_ROOT/etc
install -pm 644 %{SOURCE5} $RPM_BUILD_ROOT/etc/krb5.conf
mkdir -p $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc
install -pm 600 %{SOURCE6} $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/
install -pm 600 %{SOURCE7} $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/
mkdir -p $RPM_BUILD_ROOT%{_var}/kerberos/krb5/user
mkdir -p $RPM_BUILD_ROOT/etc/krb5.conf.d
ln -sv /etc/crypto-policies/back-ends/krb5.config $RPM_BUILD_ROOT/etc/krb5.conf.d/crypto-policies
mkdir -m 755 -p $RPM_BUILD_ROOT/etc/gss
mkdir -m 755 -p $RPM_BUILD_ROOT/etc/gss/mech.d
mkdir -p $RPM_BUILD_ROOT%{_unitdir}
install -pm 644 %{SOURCE2} $RPM_BUILD_ROOT%{_unitdir}
install -pm 644 %{SOURCE3} $RPM_BUILD_ROOT%{_unitdir}
install -pm 644 %{SOURCE4} $RPM_BUILD_ROOT%{_unitdir}
mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/run/krb5kdc
# install logrotate config files for server
mkdir -p $RPM_BUILD_ROOT/etc/logrotate.d/
install -pm 644 %{SOURCE12} $RPM_BUILD_ROOT/etc/logrotate.d/`basename %{SOURCE12} .logrotate`
install -pm 644 %{SOURCE13} $RPM_BUILD_ROOT/etc/logrotate.d/`basename %{SOURCE13} .logrotate`
# PAM configuration files.
mkdir -p $RPM_BUILD_ROOT/etc/pam.d/
install -pm 644 %{SOURCE11} $RPM_BUILD_ROOT/etc/pam.d/`basename %{SOURCE11} .pamd`
install -d -m 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth
install -d -m 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/kdb
install -d -m 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/authdata
# install ldap data file
install -d -m 755 $RPM_BUILD_ROOT/%{_datadir}/kerberos/ldap
install -m 644 src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema $RPM_BUILD_ROOT/%{_datadir}/kerberos/ldap/kerberos.schema
install -m 644 src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif $RPM_BUILD_ROOT/%{_datadir}/kerberos/ldap/kerberos.ldif
rm -vf %{buildroot}/%{_sbindir}/krb5-send-pr
rm -vrf %{buildroot}/%{_datadir}/examples
rm -vf %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
find %buildroot -type f \( -name '*.so' -o -name '*.so.*' \) -exec chmod 755 {} +
%find_lang mit-krb5
%check
make -C src runenv.py
make -C src check || :
%post server
%systemd_post krb5kdc.service kadmin.service kprop.service
/bin/systemctl daemon-reload
%preun server
%systemd_preun krb5kdc.service kadmin.service kprop.service
%postun server
%systemd_postun_with_restart krb5kdc.service kadmin.service kprop.service
%files
%doc NOTICE README
%{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.*
%files libs -f mit-krb5.lang
%dir /etc/gss
%dir /etc/gss/mech.d
%dir /etc/krb5.conf.d
%config(noreplace) /etc/krb5.conf
%config(noreplace) /etc/krb5.conf.d/crypto-policies
%{_libdir}/libgssapi_krb5.so.*
%{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.*
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrad.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/*
%{_libdir}/krb5/plugins/preauth/spake.so
%{_libdir}/krb5/plugins/tls/k5tls.so
%dir %{_var}/kerberos
%dir %{_var}/kerberos/krb5
%dir %{_var}/kerberos/krb5/user
%files server
%{_unitdir}/krb5kdc.service
%{_unitdir}/kadmin.service
%{_unitdir}/kprop.service
%dir %{_localstatedir}/run/krb5kdc
%config(noreplace) /etc/logrotate.d/krb5kdc
%config(noreplace) /etc/logrotate.d/kadmind
%dir %{_var}/kerberos
%dir %{_var}/kerberos/krb5kdc
%config(noreplace) %{_var}/kerberos/krb5kdc/kdc.conf
%config(noreplace) %{_var}/kerberos/krb5kdc/kadm5.acl
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/authdata
%{_libdir}/krb5/plugins/preauth/otp.so
%{_libdir}/krb5/plugins/preauth/pkinit.so
%{_libdir}/krb5/plugins/kdb/db2.so
%{_libdir}/krb5/plugins/kdb/kldap.so
%{_libdir}/krb5/plugins/kdb/klmdb.so
%{_libdir}/libkdb_ldap.so
%{_libdir}/libkdb_ldap.so.*
%{_sbindir}/kdb5_ldap_util
%{_sbindir}/kadmin.local
%{_sbindir}/kadmind
%{_sbindir}/kdb5_util
%{_sbindir}/kprop
%{_sbindir}/kpropd
%{_sbindir}/kproplog
%{_sbindir}/krb5kdc
%{_bindir}/sclient
%{_sbindir}/sserver
%{_datadir}/kerberos/ldap/kerberos.schema
%{_datadir}/kerberos/ldap/kerberos.ldif
%files client
%config(noreplace) /etc/pam.d/ksu
%{_bindir}/kdestroy
%{_bindir}/kinit
%{_bindir}/klist
%{_bindir}/kpasswd
%{_bindir}/kswitch
%{_bindir}/kvno
%{_bindir}/kadmin
%{_bindir}/k5srvutil
%{_bindir}/ktutil
%attr(4755,root,root) %{_bindir}/ksu
%files devel
%{_includedir}/*
%{_libdir}/{libgssapi_krb5.so,libgssrpc.so,libk5crypto.so,libkdb5.so,libkrad.so,libkrb5.so,libkrb5support.so}
%{_libdir}/pkgconfig/*
%{_libdir}/libkadm5clnt.so
%{_libdir}/libkadm5clnt_mit.so
%{_libdir}/libkadm5srv.so
%{_libdir}/libkadm5srv_mit.so
%{_bindir}/krb5-config
%{_bindir}/sim_client
%{_bindir}/gss-client
%{_bindir}/uuclient
%{_sbindir}/sim_server
%{_sbindir}/gss-server
%{_sbindir}/uuserver
%files help
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man5/{.k5identity.5.*,.k5login.5.*}
%{_mandir}/man7/*
%{_mandir}/man8/*
%changelog
* Thu Nov 07 2024 Funda Wang <fundawang@yeah.net> - 1.21.2-11
- fix CVE-2024-3596
* Wed Oct 30 2024 yanshuai <yanshuai@kylinos.cn> - 1.21.2-10
- Fix libkadm5 parameter leak
* Sun Oct 27 2024 zhangyaqi <zhangyaqi@kylinos.cn> - 1.21.2-9
- Fix memory leak in PAC checksum verification
* Tue Jul 23 2024 zhangxingrong <zhangxingrong@uniontech.cn> - 1.21.2-8
- Change krb5_get_credentials() endtime behavior
* Thu Jul 4 2024 xuraoqing <xuraoqing@huawei.com> - 1.21.2-7
- backport patches to fix bugs and CVE-2024-37370 CVE-2024-37371
* Thu Jun 27 2024 yanshuai <yanshuai@kylinos.cn> - 1.21.2-6
- Fix leak in KDC NDR encoding
* Tue Jun 18 2024 gengqihu <gengqihu2@h-partners.com> - 1.21.2-5
- backport patches from upstream
* Fri Jun 07 2024 yanglongkang <yanglongkang@h-partners.com> - 1.21.2-4
- backport patches from upstream
* Thu Jun 06 2024 fuanan <fuanan3@h-partners.com> - 1.21.2-3
- backport patch to fix unimportant memory leaks
* Tue Apr 30 2024 yanshuai <yanshuai@kylinos.cn> - 1.21.2-2
- Do not reload a modified profile data object
* Tue Jan 2 2024 xuraoqing<xuraoqing@huawei.com> - 1.21.2-1
- update to 1.21.2
* Tue Sep 19 2023 xuraoqing<xuraoqing@huawei.com> - 1.21.1-3
- Fix krb5_cccol_have_content() bad pointer free
* Tue Aug 29 2023 wangyunjia <yunjia.wang@huawei.com> - 1.21.1-2
- fix CVE-2023-39975
* Sat Jul 22 2023 wangyunjia <yunjia.wang@huawei.com> - 1.21.1-1
- Update to 1.21.1
* Thu Jun 15 2023 yixiangzhike <yixiangzhike007@163.com> - 1.20.1-2
- Add kerberos.schema and kerberos.ldif for plugin ldap
* Wed Feb 1 2023 zhouchenchen123 <zhouchenchen@huawei.com> - 1.20.1-1
- update to 1.20.1
* Tue Mar 8 2022 yixiangzhike <yixiangzhike007@163.com> - 1.19.2-2
- Add ExecStartPost option to krb5kdc.service for solving error message when krb5kdc starting
* Fri Dec 24 2021 yixiangzhike <yixiangzhike007@163.com> - 1.19.2-1
- Update to 1.19.2
* Tue Aug 24 2021 gaoyusong <gaoyusong1@huawei.com> - 1.19.1-3
- Fix CVE-2021-37750
* Wed Jul 21 2021 yixiangzhike <zhangxingliang3@huawei.com> - 1.19.1-2
- Fix CVE-2021-36222
* Sat Jun 26 2021 yixiangzhike <zhangxingliang3@huawei.com> - 1.19.1-1
- Upgrade upstream to 1.19.1
* Wed May 26 2021 yixiangzhike <zhangxingliang3@huawei.com> - 1.18.2-3
- Add gettext to BuildRequires
* Thu Jan 7 2021 yixiangzhike <zhangxingliang3@huawei.com> - 1.18.2-2
- Fix CVE-2020-28196
* Fri Jun 19 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.18.2-1
- Upgrade upstream to 1.18.2
* Wed Apr 29 2020 steven<steven_ygui@163.com> - 1.18-2
- Fix parameters in kdc.conf of version 1.18
* Fri Apr 24 2020 steven<steven_ygui@163.com> - 1.18-1
- Upgrade upstream to 1.18
* Mon Feb 17 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.17-9
- add krb5-libs containing some commands and dynamic library
* Fri Feb 14 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.17-8
- fix several problems of version 1.17
* Tue Jan 14 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.17-7
- fix the permission problem
* Wed Jan 8 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.17-6
- simplify functions
* Fri Nov 15 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.17-5
- delete unused patch
* Fri Nov 15 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.17-4
- change LDFLAGS in building environment to solve build failure of pam_krb5
* Thu Oct 31 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.17-3
- Add BuildRequires: byacc
* Tue Sep 24 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.17-2
- Adjust requires
* Thu Sep 19 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.17-1
- Package init
Reference in New Issue View Git Blame Copy Permalink