Date:      Mon, 08 Jun 2026 15:03:34 +0000
From:      Cy Schubert <cy@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
Subject:   git: 87e1c4bcf24c - 2026Q2 - security/krb5-12?:  Fix reachable assert when importing krb5 names
Message-ID:  <6a26d9c6.46efb.49a769e5@gitrepo.freebsd.org>

The branch 2026Q2 has been updated by cy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=87e1c4bcf24cc6f1b3e63f6a3d916ef32f39734f

commit 87e1c4bcf24cc6f1b3e63f6a3d916ef32f39734f
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2026-06-08 14:55:03 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2026-06-08 15:03:20 +0000

    security/krb5-12?:  Fix reachable assert when importing krb5 names
    
    If a name token contains trailing garbage, error out from
    krb5_gss_import_name() instead of crashing the process with an
    assertion failure.
    
    Commit message details obtained from upstream commit.
    Obtained from:  upstream commit 07818f1fd
    Reported by:    Aisle Research (Ze Sheng, Dmitrijs Trizna,
                    Luigino Camastra, Guido Vranken) to krb5-bugs
    
    (cherry picked from commit 8854e0201abe6c8292d0360c23a8be7201240016)
---
 security/krb5-121/Makefile                                   |  2 +-
 security/krb5-121/files/patch-lib_gssapi_krb5_import__name.c | 12 ++++++++++++
 security/krb5-122/Makefile                                   |  2 +-
 security/krb5-122/files/patch-lib_gssapi_krb5_import__name.c | 12 ++++++++++++
 4 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/security/krb5-121/Makefile b/security/krb5-121/Makefile
index 3fd6a66b5c37..c394fa174c4b 100644
--- a/security/krb5-121/Makefile
+++ b/security/krb5-121/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=		krb5
 PORTVERSION=		1.21.3
-PORTREVISION=		1
+PORTREVISION=		3
 CATEGORIES=		security
 MASTER_SITES=		http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
 .if !defined(MASTERDIR)
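Review bot: PORTREVISION goes from 1 straight to 3 here, skipping 2, while the same fix in security/krb5-122 bumps by one (1 to 2). The commit message gives no reason for the gap; if it is meant to match the revision on main after a change that was not merged to 2026Q2, a line saying so would help anyone auditing which package revision carries the import_name fix.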
diff --git a/security/krb5-121/files/patch-lib_gssapi_krb5_import__name.c b/security/krb5-121/files/patch-lib_gssapi_krb5_import__name.c
new file mode 100644
index 000000000000..fc99a2ad893f
--- /dev/null
+++ b/security/krb5-121/files/patch-lib_gssapi_krb5_import__name.c
@@ -0,0 +1,12 @@
+--- lib/gssapi/krb5/import_name.c.orig	2026-06-08 07:48:11.489573000 -0700
++++ lib/gssapi/krb5/import_name.c	2026-06-08 07:49:18.639094000 -0700
+@@ -302,7 +302,8 @@
+                     goto fail_name;
+                 cp += length;
+             }
+-            assert(cp == end);
++            if (cp != end)
++		goto fail_name;
+         } else {
+             status = GSS_S_BAD_NAMETYPE;
+             goto cleanup;
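Review bot: The added `goto fail_name;` line in the embedded patch is indented with a tab, while `if (cp != end)` and the surrounding context lines use spaces; use spaces so the local patch matches the file's style and is easy to compare and drop at the next version update. The logic is sound: unlike `assert(cp == end)`, the explicit check still rejects trailing bytes in a build compiled with NDEBUG and returns through the same `fail_name` path as the in-loop check instead of aborting the process.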
diff --git a/security/krb5-122/Makefile b/security/krb5-122/Makefile
index ba1c1c249666..ea9d71fa098a 100644
--- a/security/krb5-122/Makefile
+++ b/security/krb5-122/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=		krb5
 PORTVERSION=		1.22.2
-PORTREVISION=		1
+PORTREVISION=		2
 CATEGORIES=		security
 MASTER_SITES=		http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
 .if !defined(MASTERDIR)
diff --git a/security/krb5-122/files/patch-lib_gssapi_krb5_import__name.c b/security/krb5-122/files/patch-lib_gssapi_krb5_import__name.c
new file mode 100644
index 000000000000..fc99a2ad893f
--- /dev/null
+++ b/security/krb5-122/files/patch-lib_gssapi_krb5_import__name.c
@@ -0,0 +1,12 @@
+--- lib/gssapi/krb5/import_name.c.orig	2026-06-08 07:48:11.489573000 -0700
++++ lib/gssapi/krb5/import_name.c	2026-06-08 07:49:18.639094000 -0700
+@@ -302,7 +302,8 @@
+                     goto fail_name;
+                 cp += length;
+             }
+-            assert(cp == end);
++            if (cp != end)
++		goto fail_name;
+         } else {
+             status = GSS_S_BAD_NAMETYPE;
+             goto cleanup;
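Review bot: Confirm that the embedded `@@ -302,7 +302,8 @@` offset is right for 1.22.2. This file is the same blob (fc99a2ad893f) as the krb5-121 copy, including the .orig timestamps, so it is worth checking that it applies to the 1.22.2 source without offset or fuzz, and regenerating it with `make makepatch` in this port if it does not.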

