Date: Thu, 21 Aug 2025 05:23:49 GMT
Message-Id: <202508210523.57L5Nn0p069974@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Cy Schubert
Subject: git: 044964a9e0f3 - main - security/krb5-122: Update to 1.22.1
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: cy
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 044964a9e0f35fcf9f73f1f3887746f33907910d
Auto-Submitted: auto-generated

The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=044964a9e0f35fcf9f73f1f3887746f33907910d

commit 044964a9e0f35fcf9f73f1f3887746f33907910d
Author:     Cy Schubert
AuthorDate: 2025-08-21 05:19:47 +0000
Commit:     Cy Schubert
CommitDate: 2025-08-21 05:23:43 +0000

    security/krb5-122: Update to 1.22.1

    Security:       CVE-2025-57736
---
 security/krb5-122/Makefile                         |  3 +-
 security/krb5-122/distinfo                         |  6 +--
 .../files/patch-lib_gssapi_krb5_util__crypt.c      | 22 -----------
 .../files/patch-lib_gssapi_krb5_verify__mic.c      | 27 -------------
 .../krb5-122/files/patch-tests_gssapi_t__invalid.c | 45 ----------------------
 5 files changed, 4 insertions(+), 99 deletions(-)

diff --git a/security/krb5-122/Makefile b/security/krb5-122/Makefile index 1d79f5620b68..de7531fc483a 100644 --- a/security/krb5-122/Makefile +++ b/security/krb5-122/Makefile @@ -1,6 +1,5 @@ PORTNAME= krb5 -PORTVERSION= 1.22 -PORTREVISION= 1 +PORTVERSION= 1.22.1 CATEGORIES= security MASTER_SITES= http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/ .if !defined(MASTERDIR) diff --git a/security/krb5-122/distinfo b/security/krb5-122/distinfo index fba29315a391..63cbfb3d57cb 100644 --- a/security/krb5-122/distinfo +++ b/security/krb5-122/distinfo
@@ -1,3 +1,3 @@ -TIMESTAMP = 1754462805 -SHA256 (krb5-1.22.tar.gz) = 652be617b4647f3c5dcac21547d47c7097101aad4e306f1778fb48e17b220ba3 -SIZE (krb5-1.22.tar.gz) = 8749616 +TIMESTAMP = 1755752451 +SHA256 (krb5-1.22.1.tar.gz) = 1a8832b8cad923ebbf1394f67e2efcf41e3a49f460285a66e35adec8fa0053af +SIZE (krb5-1.22.1.tar.gz) = 8747101 diff --git a/security/krb5-122/files/patch-lib_gssapi_krb5_util__crypt.c b/security/krb5-122/files/patch-lib_gssapi_krb5_util__crypt.c deleted file mode 100644 index 0a97d39c347a..000000000000 --- a/security/krb5-122/files/patch-lib_gssapi_krb5_util__crypt.c +++ /dev/null @@ -1,22 +0,0 @@ ---- lib/gssapi/krb5/util_crypt.c.orig 2025-08-05 14:15:15 UTC -+++ lib/gssapi/krb5/util_crypt.c -@@ -322,12 +322,16 @@ kg_verify_checksum_v3(krb5_context context, krb5_key k - uint8_t ckhdr[16]; - krb5_boolean valid; - -- /* Compose an RFC 4121 token header with EC and RRC set to 0. */ -+ /* -+ * Compose an RFC 4121 token header for the checksum. For a wrap token, -+ * the EC and RRC fields have the value 0 for the checksum operation, -+ * regardless of their values in the actual token (RFC 4121 section 4.2.4). -+ * For a MIC token, the corresponding four bytes have the value 0xFF. -+ */ - store_16_be(toktype, ckhdr); - ckhdr[2] = flags; - ckhdr[3] = 0xFF; -- store_16_be(0, ckhdr + 4); -- store_16_be(0, ckhdr + 6); -+ store_32_be((toktype == KG2_TOK_MIC_MSG) ? 0xFFFFFFFF : 0, ckhdr + 4); - store_64_be(seqnum, ckhdr + 8); - - /* Verify the checksum over the data and composed header. */ diff --git a/security/krb5-122/files/patch-lib_gssapi_krb5_verify__mic.c b/security/krb5-122/files/patch-lib_gssapi_krb5_verify__mic.c deleted file mode 100644 index 7afb9ea4ae34..000000000000 --- a/security/krb5-122/files/patch-lib_gssapi_krb5_verify__mic.c +++ /dev/null 
@@ -1,27 +0,0 @@ ---- lib/gssapi/krb5/verify_mic.c.orig 2025-08-05 14:15:15 UTC -+++ lib/gssapi/krb5/verify_mic.c -@@ -90,7 +90,6 @@ verify_mic_v3(krb5_context context, OM_uint32 *minor_s - krb5_gss_ctx_id_rec *ctx, struct k5input *in, - gss_buffer_t message) - { -- OM_uint32 status; - krb5_keyusage usage; - krb5_key key; - krb5_cksumtype cksumtype; -@@ -124,12 +123,10 @@ verify_mic_v3(krb5_context context, OM_uint32 *minor_s - } - assert(key != NULL); - -- status = kg_verify_checksum_v3(context, key, usage, cksumtype, -- KG2_TOK_MIC_MSG, flags, seqnum, -- message->value, message->length, -- in->ptr, in->len); -- if (status != GSS_S_COMPLETE) -- return status; -+ if (!kg_verify_checksum_v3(context, key, usage, cksumtype, KG2_TOK_MIC_MSG, -+ flags, seqnum, message->value, message->length, -+ in->ptr, in->len)) -+ return GSS_S_BAD_SIG; - - return g_seqstate_check(ctx->seqstate, seqnum); - } diff --git a/security/krb5-122/files/patch-tests_gssapi_t__invalid.c b/security/krb5-122/files/patch-tests_gssapi_t__invalid.c deleted file mode 100644 index 736d335ea4e3..000000000000 --- a/security/krb5-122/files/patch-tests_gssapi_t__invalid.c +++ /dev/null 
@@ -1,45 +0,0 @@ ---- tests/gssapi/t_invalid.c.orig 2025-08-05 14:15:15 UTC -+++ tests/gssapi/t_invalid.c -@@ -397,6 +397,34 @@ test_iov_large_asn1_wrapper(gss_ctx_id_t ctx) - free(iov[0].buffer.value); - } - -+static void -+test_cfx_verify_mic(gss_ctx_id_t ctx) -+{ -+ OM_uint32 major, minor; -+ gss_buffer_desc message, token; -+ uint8_t msg[] = "message"; -+ uint8_t mic[] = "\x04\x04\x00\xFF\xFF\xFF\xFF\xFF" -+ "\x00\x00\x00\x00\x00\x00\x00\x00\x97\xE9\x63\x3F\x9D\x82\x2B\x74" -+ "\x67\x94\x8A\xD0"; -+ size_t i; -+ -+ message.value = msg; -+ message.length = sizeof(msg) - 1; -+ token.value = mic; -+ token.length = sizeof(mic) - 1; -+ -+ major = gss_verify_mic(&minor, ctx, &message, &token, NULL); -+ check_gsserr("gss_verify_mic", major, minor); -+ -+ for (i = 0; i < token.length; i++) { -+ mic[i]++; -+ major = gss_verify_mic(&minor, ctx, &message, &token, NULL); -+ if (major != GSS_S_DEFECTIVE_TOKEN && major != GSS_S_BAD_SIG) -+ abort(); -+ mic[i]--; -+ } -+} -+ - /* Process wrap and MIC tokens with incomplete headers. */ - static void - test_short_header(gss_ctx_id_t ctx) -@@ -598,6 +626,7 @@ main(int argc, char **argv) - test_cfx_short_plaintext(ctx, cfx_subkey); - test_cfx_large_ec(ctx, cfx_subkey); - test_iov_large_asn1_wrapper(ctx); -+ test_cfx_verify_mic(ctx); - free_fake_context(ctx); - - for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
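
Review bot: the unchanged MASTER_SITES line in the security/krb5-122/Makefile hunk still fetches the distfile over plain http://, so the new SHA256 and SIZE values in distinfo are the only integrity check on krb5-1.22.1.tar.gz. For an update whose purpose is a security fix, consider switching that URL to https if the site serves it, and say in the commit message how the new checksum was obtained.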
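
Review bot: the commit message carries only "Security: CVE-2025-57736" and does not say that the two deleted library patches, files/patch-lib_gssapi_krb5_util__crypt.c and files/patch-lib_gssapi_krb5_verify__mic.c, are now contained in the 1.22.1 tarball. Those patches set the four EC/RRC header bytes to 0xFFFFFFFF for KG2_TOK_MIC_MSG in kg_verify_checksum_v3 and made verify_mic_v3 return GSS_S_BAD_SIG when that check fails; please state that 1.22.1 includes both changes so the deletion cannot be read as dropping the fix.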
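
Review bot: with files/patch-tests_gssapi_t__invalid.c deleted, please confirm that tests/gssapi/t_invalid.c in 1.22.1 contains test_cfx_verify_mic and its call from main. That test is the regression check that a MIC token with any single byte changed is rejected with GSS_S_DEFECTIVE_TOKEN or GSS_S_BAD_SIG, and the port should not lose it in this update.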