git: 044964a9e0f3 - main - security/krb5-122: Update to 1.22.1
Date: Thu, 21 Aug 2025 05:23:49 UTC
The branch main has been updated by cy:
URL: https://cgit.FreeBSD.org/ports/commit/?id=044964a9e0f35fcf9f73f1f3887746f33907910d
commit 044964a9e0f35fcf9f73f1f3887746f33907910d
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-08-21 05:19:47 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-08-21 05:23:43 +0000
security/krb5-122: Update to 1.22.1
Security: CVE-2025-57736
---
security/krb5-122/Makefile | 3 +-
security/krb5-122/distinfo | 6 +--
.../files/patch-lib_gssapi_krb5_util__crypt.c | 22 -----------
.../files/patch-lib_gssapi_krb5_verify__mic.c | 27 -------------
.../krb5-122/files/patch-tests_gssapi_t__invalid.c | 45 ----------------------
5 files changed, 4 insertions(+), 99 deletions(-)
diff --git a/security/krb5-122/Makefile b/security/krb5-122/Makefile
index 1d79f5620b68..de7531fc483a 100644
--- a/security/krb5-122/Makefile
+++ b/security/krb5-122/Makefile
@@ -1,6 +1,5 @@
PORTNAME= krb5
-PORTVERSION= 1.22
-PORTREVISION= 1
+PORTVERSION= 1.22.1
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
.if !defined(MASTERDIR)
diff --git a/security/krb5-122/distinfo b/security/krb5-122/distinfo
index fba29315a391..63cbfb3d57cb 100644
--- a/security/krb5-122/distinfo
+++ b/security/krb5-122/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1754462805
-SHA256 (krb5-1.22.tar.gz) = 652be617b4647f3c5dcac21547d47c7097101aad4e306f1778fb48e17b220ba3
-SIZE (krb5-1.22.tar.gz) = 8749616
+TIMESTAMP = 1755752451
+SHA256 (krb5-1.22.1.tar.gz) = 1a8832b8cad923ebbf1394f67e2efcf41e3a49f460285a66e35adec8fa0053af
+SIZE (krb5-1.22.1.tar.gz) = 8747101
diff --git a/security/krb5-122/files/patch-lib_gssapi_krb5_util__crypt.c b/security/krb5-122/files/patch-lib_gssapi_krb5_util__crypt.c
deleted file mode 100644
index 0a97d39c347a..000000000000
--- a/security/krb5-122/files/patch-lib_gssapi_krb5_util__crypt.c
+++ /dev/null
@@ -1,22 +0,0 @@
---- lib/gssapi/krb5/util_crypt.c.orig 2025-08-05 14:15:15 UTC
-+++ lib/gssapi/krb5/util_crypt.c
-@@ -322,12 +322,16 @@ kg_verify_checksum_v3(krb5_context context, krb5_key k
- uint8_t ckhdr[16];
- krb5_boolean valid;
-
-- /* Compose an RFC 4121 token header with EC and RRC set to 0. */
-+ /*
-+ * Compose an RFC 4121 token header for the checksum. For a wrap token,
-+ * the EC and RRC fields have the value 0 for the checksum operation,
-+ * regardless of their values in the actual token (RFC 4121 section 4.2.4).
-+ * For a MIC token, the corresponding four bytes have the value 0xFF.
-+ */
- store_16_be(toktype, ckhdr);
- ckhdr[2] = flags;
- ckhdr[3] = 0xFF;
-- store_16_be(0, ckhdr + 4);
-- store_16_be(0, ckhdr + 6);
-+ store_32_be((toktype == KG2_TOK_MIC_MSG) ? 0xFFFFFFFF : 0, ckhdr + 4);
- store_64_be(seqnum, ckhdr + 8);
-
- /* Verify the checksum over the data and composed header. */
diff --git a/security/krb5-122/files/patch-lib_gssapi_krb5_verify__mic.c b/security/krb5-122/files/patch-lib_gssapi_krb5_verify__mic.c
deleted file mode 100644
index 7afb9ea4ae34..000000000000
--- a/security/krb5-122/files/patch-lib_gssapi_krb5_verify__mic.c
+++ /dev/null
@@ -1,27 +0,0 @@
---- lib/gssapi/krb5/verify_mic.c.orig 2025-08-05 14:15:15 UTC
-+++ lib/gssapi/krb5/verify_mic.c
-@@ -90,7 +90,6 @@ verify_mic_v3(krb5_context context, OM_uint32 *minor_s
- krb5_gss_ctx_id_rec *ctx, struct k5input *in,
- gss_buffer_t message)
- {
-- OM_uint32 status;
- krb5_keyusage usage;
- krb5_key key;
- krb5_cksumtype cksumtype;
-@@ -124,12 +123,10 @@ verify_mic_v3(krb5_context context, OM_uint32 *minor_s
- }
- assert(key != NULL);
-
-- status = kg_verify_checksum_v3(context, key, usage, cksumtype,
-- KG2_TOK_MIC_MSG, flags, seqnum,
-- message->value, message->length,
-- in->ptr, in->len);
-- if (status != GSS_S_COMPLETE)
-- return status;
-+ if (!kg_verify_checksum_v3(context, key, usage, cksumtype, KG2_TOK_MIC_MSG,
-+ flags, seqnum, message->value, message->length,
-+ in->ptr, in->len))
-+ return GSS_S_BAD_SIG;
-
- return g_seqstate_check(ctx->seqstate, seqnum);
- }
diff --git a/security/krb5-122/files/patch-tests_gssapi_t__invalid.c b/security/krb5-122/files/patch-tests_gssapi_t__invalid.c
deleted file mode 100644
index 736d335ea4e3..000000000000
--- a/security/krb5-122/files/patch-tests_gssapi_t__invalid.c
+++ /dev/null
@@ -1,45 +0,0 @@
---- tests/gssapi/t_invalid.c.orig 2025-08-05 14:15:15 UTC
-+++ tests/gssapi/t_invalid.c
-@@ -397,6 +397,34 @@ test_iov_large_asn1_wrapper(gss_ctx_id_t ctx)
- free(iov[0].buffer.value);
- }
-
-+static void
-+test_cfx_verify_mic(gss_ctx_id_t ctx)
-+{
-+ OM_uint32 major, minor;
-+ gss_buffer_desc message, token;
-+ uint8_t msg[] = "message";
-+ uint8_t mic[] = "\x04\x04\x00\xFF\xFF\xFF\xFF\xFF"
-+ "\x00\x00\x00\x00\x00\x00\x00\x00\x97\xE9\x63\x3F\x9D\x82\x2B\x74"
-+ "\x67\x94\x8A\xD0";
-+ size_t i;
-+
-+ message.value = msg;
-+ message.length = sizeof(msg) - 1;
-+ token.value = mic;
-+ token.length = sizeof(mic) - 1;
-+
-+ major = gss_verify_mic(&minor, ctx, &message, &token, NULL);
-+ check_gsserr("gss_verify_mic", major, minor);
-+
-+ for (i = 0; i < token.length; i++) {
-+ mic[i]++;
-+ major = gss_verify_mic(&minor, ctx, &message, &token, NULL);
-+ if (major != GSS_S_DEFECTIVE_TOKEN && major != GSS_S_BAD_SIG)
-+ abort();
-+ mic[i]--;
-+ }
-+}
-+
- /* Process wrap and MIC tokens with incomplete headers. */
- static void
- test_short_header(gss_ctx_id_t ctx)
-@@ -598,6 +626,7 @@ main(int argc, char **argv)
- test_cfx_short_plaintext(ctx, cfx_subkey);
- test_cfx_large_ec(ctx, cfx_subkey);
- test_iov_large_asn1_wrapper(ctx);
-+ test_cfx_verify_mic(ctx);
- free_fake_context(ctx);
-
- for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {