diff --git a/SOURCES/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch b/SOURCES/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
new file mode 100644
index 0000000..5e7fc6c
--- /dev/null
+++ b/SOURCES/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
@@ -0,0 +1,38 @@
+From e339ad300caafc2a98e86ab48a9ac278cfe3bb85 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Wed, 15 Jul 2020 15:42:20 -0400
+Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts()
+
+Fixes a problem where the presence of legacy/unrecognized keysalts in
+supported_enctypes would prevent the kadmin programs from starting.
+
+[ghudson@mit.edu: ideally we would put a warning in the kadmind log,
+but that is difficult to do when the parsing is done inside a library.
+Even adding a trace log is difficult because the kadm5 str_conv
+functions do not accept contexts.]
+
+ticket: 8929 (new)
+(cherry picked from commit be5396ada0e8dabd68bd0aceb733cfca39a609bc)
+(cherry picked from commit 3f873868fb08b77da2d30e164a0ef6c71c17c607)
+---
+ src/lib/kadm5/str_conv.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/str_conv.c b/src/lib/kadm5/str_conv.c
+index 7cf51d316..798295606 100644
+--- a/src/lib/kadm5/str_conv.c
++++ b/src/lib/kadm5/str_conv.c
+@@ -340,9 +340,10 @@ krb5_string_to_keysalts(const char *string, const char *tupleseps,
+ while ((ksp = strtok_r(p, tseps, &tlasts)) != NULL) {
+ /* Pass a null pointer to subsequent calls to strtok_r(). */
+ p = NULL;
+- ret = string_to_keysalt(ksp, ksaltseps, &etype, &stype);
+- if (ret)
+- goto cleanup;
++
++ /* Discard unrecognized keysalts. */
++ if (string_to_keysalt(ksp, ksaltseps, &etype, &stype) != 0)
++ continue;
+
+ /* Ignore duplicate keysalts if caller asks. */
+ if (!dups && krb5_keysalt_is_present(ksalts, nksalts, etype, stype))
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index 3f0049c..d154ab4 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
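Review bot: The new `continue` in krb5_string_to_keysalts() drops every entry for which string_to_keysalt() returns nonzero, so a mistyped strong enctype in supported_enctypes now disappears without any signal and keys are presumably generated only for whatever entries remain. If no entry parses, the loop appears to finish with an empty list and no error (the rest of the function is outside the hunk, so confirm what `ret` and `nksalts` hold at that point); callers that need at least one keysalt should check the returned count rather than rely on the old failure. I would also widen the comment to state the consequence, e.g. `/* Discard unrecognized keysalts so legacy entries do not block startup; the result may be shorter than the input or empty. */`.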
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.2 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 3%{?dist} +Release: 4%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz @@ -71,6 +71,7 @@ Patch125: Implement-KERB_AP_OPTIONS_CBT-server-side.patch Patch126: Add-client_aware_channel_bindings-option.patch Patch127: Pass-channel-bindings-through-SPNEGO.patch Patch128: Add-channel-bindings-tests.patch +Patch129: Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -681,6 +682,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Tue Jul 28 2020 Robbie Harwood - 1.18.2-4 +- Ignore bad enctypes in krb5_string_to_keysalts() +- Resolves: #1858322 + * Mon Jun 15 2020 Robbie Harwood - 1.18.2-3 - Match Heimdal behavior for channel bindings - Code hygiene + test stability fix included