authorNalin Dahyabhai <nalin@fedoraproject.org>2009-03-17 22:22:59 +0000
committerNalin Dahyabhai <nalin@fedoraproject.org>2009-03-17 22:22:59 +0000
commit85db43f655a4989e3fa6c498e02c13ecf608d09e (patch)
tree65180168187ed72ec5dd03a5e8265235cda0faa9
parentc2a33c3efdb425b7132c40244ba3d520f400e473 (diff)
- libgssapi_krb5: backport fix for some errors which can occur when we fail
to set up the server half of a context (CVE-2009-0845)
krb5-1_6_3-17_fc10
-rw-r--r--krb5-1.6.3-spnego-crash.patch16
-rw-r--r--krb5.spec8
2 files changed, 23 insertions, 1 deletions
diff --git a/krb5-1.6.3-spnego-crash.patch b/krb5-1.6.3-spnego-crash.patch
new file mode 100644
index 0000000..1b2c8ee
--- /dev/null
+++ b/krb5-1.6.3-spnego-crash.patch
@@ -0,0 +1,16 @@
+Upstream change #22099, triggered by report from Marcus Granado, fix by Tom Yu.
+In a nutshell, when return_token is neither NO_TOKEN_SEND nor CHECK_MIC, we
+might still not want a reply token, for example if it's ERROR_TOKEN_SEND.
+diff -up src/lib/gssapi/spnego/spnego_mech.c src/lib/gssapi/spnego/spnego_mech.c
+--- src/lib/gssapi/spnego/spnego_mech.c 2009-03-17 16:47:10.000000000 -0400
++++ src/lib/gssapi/spnego/spnego_mech.c 2009-03-17 16:47:14.000000000 -0400
+@@ -1248,7 +1248,8 @@ spnego_gss_accept_sec_context(void *ct,
+ &negState, &return_token);
+ }
+ cleanup:
+- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
++ if (return_token == INIT_TOKEN_SEND ||
++ return_token == CONT_TOKEN_SEND) {
+ tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech,
+ &mechtok_out, mic_out,
+ return_token,
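Review bot: The rewritten condition under `cleanup:` still reaches `sc->internal_mech` in the `make_spnego_tokenTarg_msg` call without checking `sc`, so the fix holds only if `return_token` can be `INIT_TOKEN_SEND` or `CONT_TOKEN_SEND` solely after the context was set up; that invariant is established outside the lines shown and cannot be confirmed from this hunk. The patch header names the upstream change but not the CVE or the reason the error path is unsafe, so I would add a line such as `Fixes CVE-2009-0845: do not build a reply token (and dereference sc) on the cleanup path when context setup failed.` If diverging slightly from upstream is acceptable for this backport, prefixing the condition with `sc != NULL &&` would make the guard self-evident. The body of spnego_gss_accept_sec_context starts and ends outside the hunk.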
diff --git a/krb5.spec b/krb5.spec
index 3e97ee8..5524fbf 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -16,7 +16,7 @@
Summary: The Kerberos network authentication system.
Name: krb5
Version: 1.6.3
-Release: 16%{?dist}
+Release: 17%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -102,6 +102,7 @@ Patch77: krb5-CVE-2007-5971.patch
Patch78: krb5-1.6.3-lucid-acceptor.patch
Patch79: krb5-trunk-ftp_mget_case.patch
Patch80: krb5-trunk-preauth-master.patch
+Patch81: krb5-1.6.3-spnego-crash.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -232,6 +233,10 @@ to obtain initial credentials from a KDC using a private key and a
certificate.
%changelog
+* Tue Mar 17 2009 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-17
+- libgssapi_krb5: backport fix for some errors which can occur when
+ we fail to set up the server half of a context (CVE-2009-0845)
+
* Thu Sep 4 2008 Nalin Dahyabhai <nalin@redhat.com>
- if we successfully change the user's password during an attempt to get
initial credentials, but then fail to get initial creds from a non-master
@@ -1390,6 +1395,7 @@ popd
%patch78 -p0 -b .lucid_acceptor
%patch79 -p0 -b .ftp_mget_case
%patch80 -p0 -b .preauth_master
+%patch81 -p0 -b .spnego-crash
cp src/krb524/README README.krb524
gzip doc/*.ps