diff --git a/2010-002-1.7-patch.txt b/2010-002-1.7-patch.txt
new file mode 100644
index 0000000..a212165
--- /dev/null
+++ b/2010-002-1.7-patch.txt
@@ -0,0 +1,76 @@
+Tweaked copy of the 1.8-specific version at
+http://web.mit.edu/kerberos/advisories/2010-002-patch.txt
+
+Index: src/lib/gssapi/spnego/spnego_mech.c
+===================================================================
+--- src/lib/gssapi/spnego/spnego_mech.c (revision 23717)
++++ src/lib/gssapi/spnego/spnego_mech.c (working copy)
+@@ -1570,7 +1570,7 @@
+ gss_buffer_desc mechtok_out = GSS_C_EMPTY_BUFFER;
+ spnego_gss_ctx_id_t sc = NULL;
+ OM_uint32 mechstat = GSS_S_FAILURE;
+- int sendTokenInit = 0;
++ int sendTokenInit = 0, tmpret;
+
+ mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER;
+
+@@ -1603,7 +1603,6 @@
+ if (delegated_cred_handle != NULL)
+ *delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+ if (input_token->length == 0) {
+- sendTokenInit = 1;
+ ret = acc_ctx_hints(minor_status,
+ context_handle,
+ verifier_cred_handle,
+@@ -1611,6 +1610,7 @@
+ &return_token);
+ if (ret != GSS_S_COMPLETE)
+ goto cleanup;
++ sendTokenInit = 1;
+ ret = GSS_S_CONTINUE_NEEDED;
+ } else {
+ /* Can set negState to REQUEST_MIC */
+@@ -1658,29 +1658,23 @@
+ &negState, &return_token);
+ }
+ cleanup:
+- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
+- /* For acceptor-sends-first send a tokenInit */
+- int tmpret;
+-
++ if (return_token == INIT_TOKEN_SEND && sendTokenInit) {
+ assert(sc != NULL);
+-
+- if (sendTokenInit) {
+- tmpret = make_spnego_tokenInit_msg(sc,
+- 1,
+- mic_out,
+- 0,
+- GSS_C_NO_BUFFER,
+- return_token,
+- output_token);
+- } else {
+- tmpret = make_spnego_tokenTarg_msg(negState,
+- sc ? sc->internal_mech : GSS_C_NO_OID,
+- &mechtok_out, mic_out,
+- return_token,
+- output_token);
+- }
++ tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0,
++ GSS_C_NO_BUFFER,
++ return_token, output_token);
+ if (tmpret < 0)
+ ret = GSS_S_FAILURE;
++ } else if (return_token != NO_TOKEN_SEND &&
++ return_token != CHECK_MIC) {
++ tmpret = make_spnego_tokenTarg_msg(negState,
++ sc ? 
sc->internal_mech : ++ GSS_C_NO_OID, ++ &mechtok_out, mic_out, ++ return_token, ++ output_token); ++ if (tmpret < 0) ++ ret = GSS_S_FAILURE; + } + if (ret == GSS_S_COMPLETE) { + *context_handle = (gss_ctx_id_t)sc->ctx_handle; diff --git a/krb5.spec b/krb5.spec index c3c540c..2677e2e 100644 --- a/krb5.spec +++ b/krb5.spec @@ -10,7 +10,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.7.1 -Release: 6%{?dist} +Release: 7%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar Source0: krb5-%{version}.tar.gz @@ -87,6 +87,7 @@ Patch96: krb5-1.7-exp_warn.patch Patch97: http://web.mit.edu/kerberos/advisories/2010-001-patch.txt Patch98: krb5-1.7.1-kpasswd_ccache.patch Patch99: krb5-1.7.1-kpasswd_ipv6.patch +Patch100: 2010-002-1.7-patch.txt License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -225,6 +226,9 @@ to obtain initial credentials from a KDC using a private key and a certificate. %changelog +* Tue Mar 23 2010 Nalin Dahyabhai - 1.7.1-7 +- add fix for denial-of-service in SPNEGO (CVE-2010-0628) + * Mon Mar 8 2010 Nalin Dahyabhai - 1.7.1-6 - pull up patch to get the client libraries to correctly perform password changes over IPv6 (Sumit Bose, RT#6661) @@ -1609,6 +1613,7 @@ popd %patch97 -p1 -b .2010-001 %patch98 -p1 -b .kpasswd-ccache %patch99 -p0 -b .kpasswd-ipv6 +%patch100 -p0 -b .2010-002 gzip doc/*.ps sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
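Review bot: The `assert(sc != NULL);` kept at the top of the new `return_token == INIT_TOKEN_SEND && sendTokenInit` branch under `cleanup:` in 2010-002-1.7-patch.txt is still an abort path in the acceptor, and the changelog describes this fix as closing a denial-of-service. The patch narrows how it can be reached by setting `sendTokenInit = 1` only after `acc_ctx_hints` returns `GSS_S_COMPLETE`, but the place where `sc` is assigned lies outside the hunks, so the invariant cannot be confirmed from here; in a build with NDEBUG the check disappears and `sc` is handed to `make_spnego_tokenInit_msg` unchecked. An explicit guard such as `if (sc == NULL) ret = GSS_S_FAILURE;` ahead of the call, with the call moved into the else arm, would fail the negotiation rather than terminate the process. Separately, the header line "Tweaked copy of the 1.8-specific version" would be easier to audit against the upstream advisory patch if it stated what was changed for 1.7.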