initial buildroot for linux 5.15

This commit is contained in:
Huan.Feng
2021-12-06 14:12:13 +08:00
parent d7767d594e
commit 7b6fc358fa
12736 changed files with 508822 additions and 0 deletions
@@ -0,0 +1,47 @@
From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 3 Aug 2021 01:15:27 -0400
Subject: [PATCH] Fix KDC null deref on TGS inner body null server
After the KDC decodes a FAST inner body, it does not check for a null
server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
would typically result in an error from krb5_unparse_name(), but with
the addition of get_local_tgt() it results in a null dereference. Add
a null check.
Reported by Joseph Sutton of Catalyst.
CVE-2021-37750:
In MIT krb5 releases 1.14 and later, an authenticated attacker can
cause a null dereference in the KDC by sending a FAST TGS request with
no server field.
ticket: 9008 (new)
tags: pullup
target_version: 1.19-next
target_version: 1.18-next
[Retrieved from:
https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
src/kdc/do_tgs_req.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 582e497cc9..32dc65fa8e 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -204,6 +204,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
status = "FIND_FAST";
goto cleanup;
}
+ if (sprinc == NULL) {
+ status = "NULL_SERVER";
+ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ goto cleanup;
+ }
errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
&local_tgt, &local_tgt_storage, &local_tgt_key);
+21
View File
@@ -0,0 +1,21 @@
config BR2_PACKAGE_LIBKRB5
bool "libkrb5"
# needs fork()
depends on BR2_USE_MMU
depends on !BR2_STATIC_LIBS
select BR2_PACKAGE_LIBOPENSSL_ENABLE_DES if BR2_PACKAGE_LIBOPENSSL
select BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4 if BR2_PACKAGE_LIBOPENSSL
select BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4 if BR2_PACKAGE_LIBOPENSSL
help
Kerberos is a system for authenticating users and services
on a network. Kerberos is a trusted third-party service.
That means that there is a third party (the Kerberos server)
that is trusted by all the entities on the network (users
and services, usually called "principals"). This is the MIT
reference implementation of Kerberos V5.
https://web.mit.edu/kerberos/
comment "libkrb5 needs a toolchain w/ dynamic library"
depends on BR2_USE_MMU
depends on BR2_STATIC_LIBS
+5
View File
@@ -0,0 +1,5 @@
# Locally calculated after checking pgp signature
sha256 66085e2f594751e77e82e0dbf7bbc344320fb48a9df2a633cfdd8f7d6da99fc8 krb5-1.18.4.tar.gz
# Hash for license file:
sha256 7fba8b076bdc2cfef1d0813c5d4067d76d5be60c32d84de22d5d1cf451744feb NOTICE
+80
View File
@@ -0,0 +1,80 @@
################################################################################
#
# libkrb5
#
################################################################################
LIBKRB5_VERSION_MAJOR = 1.18
LIBKRB5_VERSION = $(LIBKRB5_VERSION_MAJOR).4
LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION_MAJOR)
LIBKRB5_SOURCE = krb5-$(LIBKRB5_VERSION).tar.gz
LIBKRB5_SUBDIR = src
LIBKRB5_LICENSE = MIT
LIBKRB5_LICENSE_FILES = NOTICE
LIBKRB5_CPE_ID_VENDOR = mit
LIBKRB5_CPE_ID_PRODUCT = kerberos_5
LIBKRB5_DEPENDENCIES = host-bison $(TARGET_NLS_DEPENDENCIES)
LIBKRB5_INSTALL_STAGING = YES
# 0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
LIBKRB5_IGNORE_CVES += CVE-2021-37750
# The configure script uses AC_TRY_RUN tests to check for those values,
# which doesn't work in a cross-compilation scenario. Therefore,
# we feed the configure script with the correct answer for those tests
LIBKRB5_CONF_ENV = \
ac_cv_printf_positional=yes \
ac_cv_func_regcomp=yes \
krb5_cv_attr_constructor_destructor=yes,yes \
LIBS=$(TARGET_NLS_LIBS)
# Never use the host packages
LIBKRB5_CONF_OPTS = \
--without-system-db \
--without-system-et \
--without-system-ss \
--without-system-verto \
--without-tcl \
--disable-rpath
ifeq ($(BR2_PACKAGE_OPENLDAP),y)
LIBKRB5_CONF_OPTS += --with-ldap
LIBKRB5_DEPENDENCIES += openldap
else
LIBKRB5_CONF_OPTS += --without-ldap
endif
ifeq ($(BR2_PACKAGE_OPENSSL),y)
LIBKRB5_CONF_OPTS += \
--enable-pkinit \
--with-crypto-impl=openssl \
--with-spake-openssl \
--with-tls-impl=openssl
LIBKRB5_DEPENDENCIES += openssl
else
LIBKRB5_CONF_OPTS += \
--disable-pkinit \
--with-crypto-impl=builtin \
--without-spake-openssl \
--without-tls-impl
endif
ifeq ($(BR2_PACKAGE_LIBEDIT),y)
LIBKRB5_CONF_OPTS += --with-libedit
LIBKRB5_DEPENDENCIES += host-pkgconf libedit
else
LIBKRB5_CONF_OPTS += --without-libedit
endif
ifeq ($(BR2_PACKAGE_READLINE),y)
LIBKRB5_CONF_OPTS += --with-readline
LIBKRB5_DEPENDENCIES += readline
else
LIBKRB5_CONF_OPTS += --without-readline
endif
ifneq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
LIBKRB5_CONF_OPTS += --disable-thread-support
endif
$(eval $(autotools-package))