-rw-r--r--krb5-1.12-nodelete-plugins.patch59
-rw-r--r--krb5.spec12
2 files changed, 68 insertions, 3 deletions
diff --git a/krb5-1.12-nodelete-plugins.patch b/krb5-1.12-nodelete-plugins.patch
new file mode 100644
index 0000000..88fb8c6
--- /dev/null
+++ b/krb5-1.12-nodelete-plugins.patch
@@ -0,0 +1,59 @@
+commit 0f46175d632ae03ab7d4cfba5e62534d31e128e0
+Author: Greg Hudson <ghudson@mit.edu>
+Date: Wed Jun 25 11:41:54 2014 -0400
+
+ Load plugins with RTLD_NODELETE if possible
+
+ On platforms which support RTLD_NODELETE, use it to load plugin
+ modules. While using this flag makes plugins stay in the process map
+ after libkrb5/libgssapi_krb5 are unloaded, it solves several problems:
+
+ 1. It prevents plugin modules which link against OpenSSL (PKINIT and
+ k5tls) from repeatedly initializing instances of libssl or libcrypto,
+ leaking heap memory each time. This is only an issue because we
+ cannot safely uninitialize OpenSSL.
+
+ 2. It prevents finalization ordering issues from causing a process
+ crash when unloading libgssapi_krb5 (issue #7135).
+
+ 3. It makes memory leak tracing with valgrind easier.
+
+ ticket: 7947 (new)
+
+diff --git a/src/util/support/plugins.c b/src/util/support/plugins.c
+index a04dfc3..ca4b128 100644
+--- a/src/util/support/plugins.c
++++ b/src/util/support/plugins.c
+@@ -45,6 +45,20 @@
+
+ #include "k5-platform.h"
+
++#if USE_DLOPEN
++#ifdef RTLD_GROUP
++#define GROUP RTLD_GROUP
++#else
++#define GROUP 0
++#endif
++#ifdef RTLD_NODELETE
++#define NODELETE RTLD_NODELETE
++#else
++#define NODELETE 0
++#endif
++#define PLUGIN_DLOPEN_FLAGS (RTLD_NOW | RTLD_LOCAL | GROUP | NODELETE)
++#endif
++
+ #if USE_DLOPEN && USE_CFBUNDLE
+ #include <CoreFoundation/CoreFoundation.h>
+
+@@ -257,11 +271,6 @@ krb5int_open_plugin (const char *filepath, struct plugin_file_handle **h, struct
+ }
+ #endif /* USE_CFBUNDLE */
+
+-#ifdef RTLD_GROUP
+-#define PLUGIN_DLOPEN_FLAGS (RTLD_NOW | RTLD_LOCAL | RTLD_GROUP)
+-#else
+-#define PLUGIN_DLOPEN_FLAGS (RTLD_NOW | RTLD_LOCAL)
+-#endif
+ if (!err) {
+ handle = dlopen(filepath, PLUGIN_DLOPEN_FLAGS);
+ if (handle == NULL) {
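Review bot: The new `#ifdef RTLD_GROUP` / `#ifdef RTLD_NODELETE` tests in the embedded plugins.c hunk only see those macros if `<dlfcn.h>` has already been included above line 45, which is outside the hunk; if it were included later, both would silently fall back to 0 and the build would still succeed without the flag. A comment beside the definition would make that dependency and the fallback explicit, e.g. `/* RTLD_* come from <dlfcn.h>; where RTLD_NODELETE is undefined, plugins are still unmapped by dlclose() and the problems this flag avoids remain. */`. It is also worth recording there the trade-off the commit message mentions: with NODELETE a plugin's code and static state stay mapped for the life of the process, so presumably a plugin file replaced on disk (for instance by a security update) is not picked up until the process restarts. Separately, `GROUP` and `NODELETE` are very generic file-scope macro names; prefixed names such as `PLUGIN_RTLD_GROUP` and `PLUGIN_RTLD_NODELETE` would be less likely to clash with other headers.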
diff --git a/krb5.spec b/krb5.spec
index 17cff94..ec8e546 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -41,7 +41,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.12.2
-Release: 6%{?dist}
+Release: 7%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.2-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -124,6 +124,7 @@ Patch312: 0011-Have-k5test.py-provide-runenv-to-python-tests.patch
Patch313: 0012-Add-a-simple-KDC-proxy-test-server.patch
Patch314: 0013-Add-tests-for-MS-KKDCP-client-support.patch
Patch315: krb5-1.12ish-tls-plugins.patch
+Patch316: krb5-1.12-nodelete-plugins.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -350,6 +351,7 @@ ln -s NOTICE LICENSE
%patch313 -p1 -b .Add-a-simple-KDC-proxy-test-server
%patch314 -p1 -b .Add-tests-for-MS-KKDCP-client-support
%patch315 -p1 -b .tls-plugins
+%patch316 -p1 -b .nodelete-plugins
chmod u+x src/util/paste-kdcproxy.py
%patch1 -p1 -b .pwdch-fast
@@ -1063,16 +1065,20 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Sat Sep 6 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.2-7
+- pull in patch from master to load plugins with RTLD_NODELETE, when
+ defined (RT#7947)
+
* Fri Sep 5 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.2-6
- backport patch to make the client skip checking the server's reply
address when processing responses to password-change requests, which
between NAT and upcoming HTTPS support, can cause us to erroneously
report an error to the user when the server actually reported success
- (RT #7886)
+ (RT#7886)
- backport support for accessing KDCs and kpasswd services via HTTPS
proxies (marked by being specified as https URIs instead as hostnames
or hostname-and-port), such as the one implemented in python-kdcproxy
- (RT #7929, #109919), and pick up a subsequent patch to build HTTPS
+ (RT#7929, #109919), and pick up a subsequent patch to build HTTPS
as a plugin
* Thu Aug 28 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.2-5