authorNalin Dahyabhai <nalin@fedoraproject.org>2007-09-06 20:20:55 +0000
committerNalin Dahyabhai <nalin@fedoraproject.org>2007-09-06 20:20:55 +0000
commit78cfdd7edbf06d39e12052305264885810b7f96b (patch)
treeb8d7d3791002d3f07f49cbc5fc27f43049cf573b
parent251df090d00d7cc7fac33ebd43228b72d8e2cf27 (diff)
- incorporate updated fix for CVE-2007-3999krb5-1_6_2-6_fc8
-rw-r--r--CVE-2007-3999-2.patch30
1 files changed, 30 insertions, 0 deletions
diff --git a/CVE-2007-3999-2.patch b/CVE-2007-3999-2.patch
new file mode 100644
index 0000000..3ef2e7e
--- /dev/null
+++ b/CVE-2007-3999-2.patch
@@ -0,0 +1,30 @@
+*** src/lib/rpc/svc_auth_gss.c (revision 20474)
+--- src/lib/rpc/svc_auth_gss.c (local)
+***************
+*** 355,360 ****
+--- 355,369 ----
+ memset(rpchdr, 0, sizeof(rpchdr));
+
+ /* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
++ oa = &msg->rm_call.cb_cred;
++ if (oa->oa_length > MAX_AUTH_BYTES)
++ return (FALSE);
++
++ /* 8 XDR units from the IXDR macro calls. */
++ if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
++ RNDUP(oa->oa_length)))
++ return (FALSE);
++
+ buf = (int32_t *)(void *)rpchdr;
+ IXDR_PUT_LONG(buf, msg->rm_xid);
+ IXDR_PUT_ENUM(buf, msg->rm_direction);
+***************
+*** 362,368 ****
+ IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
+ IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
+ IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
+- oa = &msg->rm_call.cb_cred;
+ IXDR_PUT_ENUM(buf, oa->oa_flavor);
+ IXDR_PUT_LONG(buf, oa->oa_length);
+ if (oa->oa_length) {
+--- 371,376 ----
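Review bot: The two added guards depend on their order and nothing in the new code says so: the `oa->oa_length > MAX_AUTH_BYTES` test is what keeps `RNDUP(oa->oa_length)` from wrapping before it is compared against `sizeof(rpchdr)`, so it is not redundant with the size check that follows. If `oa_length` is an unsigned int and RNDUP rounds up by adding before dividing (neither definition is visible here), dropping or reordering the first test would let an oversized length pass the second one. I would add a comment above the first test, such as `/* Bound oa_length first so RNDUP() below cannot wrap; keep this ahead of the sizeof(rpchdr) check. */`. The literal `8` is tied only by comment to the number of IXDR_PUT_* calls, some of which fall outside the hunk, so a named constant or a comment listing the eight fields would keep the check from going stale if a header field is added. The enclosing function starts and ends outside the hunk.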