diff options
| author | Nalin Dahyabhai <nalin@redhat.com> | 2014-08-07 19:31:18 -0400 |
|---|---|---|
| committer | Nalin Dahyabhai <nalin@redhat.com> | 2014-08-07 19:31:18 -0400 |
| commit | b9fa911b355ec0791d17d50dd84d933d6135e760 (patch) | |
| tree | 2481bc29c81db5ca7b3e3d4d77df11efa88cf865 | |
| parent | a6185d31c7c58cfcfc5f85a355be752af33cd32d (diff) | |
| download | krb5-b9fa911b355ec0791d17d50dd84d933d6135e760.tar.gz krb5-b9fa911b355ec0791d17d50dd84d933d6135e760.tar.xz krb5-b9fa911b355ec0791d17d50dd84d933d6135e760.zip | |
fix MITKRB5-SA-2014-001 (CVE-2014-4345)krb5-1.12.1-14.fc21
- incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345)
| -rw-r--r-- | 2014-001-patch.txt | 14 | ||||
| -rw-r--r-- | 2014-001-patch.txt.asc | bin | 0 -> 419 bytes | |||
| -rw-r--r-- | krb5.spec | 8 |
3 files changed, 21 insertions, 1 deletions
diff --git a/2014-001-patch.txt b/2014-001-patch.txt new file mode 100644 index 0000000..19ea866 --- /dev/null +++ b/2014-001-patch.txt @@ -0,0 +1,14 @@ +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +index ce851ea..df5934c 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c ++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +@@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data, + j++; + last = i + 1; + +- currkvno = key_data[i].key_data_kvno; ++ if (i < n_key_data - 1) ++ currkvno = key_data[i + 1].key_data_kvno; + } + } + ret[num_versions] = NULL; diff --git a/2014-001-patch.txt.asc b/2014-001-patch.txt.asc Binary files differnew file mode 100644 index 0000000..adefc75 --- /dev/null +++ b/2014-001-patch.txt.asc @@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.12.1 -Release: 13%{?dist} +Release: 14%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.1-signed.tar Source0: krb5-%{version}.tar.gz @@ -108,6 +108,8 @@ Patch146: krb5-1.12-CVE-2014-4341_4342.patch Patch147: krb5-1.12-CVE-2014-4341_4342-tests.patch Patch148: krb5-gssapi-mech-doublefree.patch Patch149: krb5-gssapi-spnego-deref.patch +Patch150: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt +Patch151: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt.asc Patch201: 0001-Don-t-try-to-stat-not-on-disk-ccache-residuals.patch Patch202: 0002-Use-an-in-memory-cache-until-we-need-the-target-s.patch Patch203: 0003-Learn-to-destroy-the-ccache-we-re-copying-from.patch @@ -364,6 +366,7 @@ ln -s NOTICE LICENSE %patch147 -p1 -b .CVE-2014-4341_4342 %patch148 -p1 -b .gssapi-mech-doublefree %patch149 -p1 -b .gssapi-spnego-deref +%patch150 -p1 -b .2014-001 # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -1040,6 +1043,9 @@ exit 0 %{_sbindir}/uuserver %changelog +* Thu Aug 7 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-14 +- incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345) + * Mon Jul 21 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-13 - gssapi: pull in upstream fix for a possible NULL dereference in spnego (CVE-2014-4344) |