- proposed patch to fix receipt of delegated creds in mod_auth_kerb

krb5-trunk-server_delegation.patch

@@ -0,0 +1,45 @@
+If the application calling gss_accept_sec_context() doesn't pass a value
+for ret_flags, we'd never be able to check if credentials had been delegated.
+
+The passed-in ret_flags value is a pointer to a bitfield, so the comparision
+as-written was not likely to work as expected.
+
+Index: src/lib/gssapi/mechglue/g_accept_sec_context.c
+===================================================================
+--- src/lib/gssapi/mechglue/g_accept_sec_context.c	(revision 20038)
++++ src/lib/gssapi/mechglue/g_accept_sec_context.c	(working copy)
+@@ -112,6 +112,7 @@
+ 
+ {
+     OM_uint32		status, temp_status, temp_minor_status;
++    OM_uint32		temp_ret_flags = 0;
+     gss_union_ctx_id_t	union_ctx_id;
+     gss_union_cred_t	union_cred;
+     gss_cred_id_t	input_cred_handle = GSS_C_NO_CREDENTIAL;
+@@ -202,7 +203,7 @@
+ 						  &internal_name,
+ 						  mech_type,
+ 						  output_token,
+-						  ret_flags,
++						  &temp_ret_flags,
+ 						  time_rec,
+ 					d_cred ? &tmp_d_cred : NULL);
+ 
+@@ -248,7 +249,7 @@
+ 	    }
+ 
+ 	    /* Ensure we're returning correct creds format */
+-	    if ((ret_flags && GSS_C_DELEG_FLAG) &&
++	    if ((temp_ret_flags & GSS_C_DELEG_FLAG) &&
+ 		tmp_d_cred != GSS_C_NO_CREDENTIAL) {
+ 		gss_union_cred_t d_u_cred = NULL;
+ 
+@@ -335,6 +336,8 @@
+ 	    if (src_name == NULL && tmp_src_name != NULL)
+ 		(void) gss_release_name(&temp_minor_status,
+ 					&tmp_src_name);
++	    if (ret_flags != NULL)
++		*ret_flags = temp_ret_flags;
+ 	    return	(status);
+     } else {
+ 

krb5.spec

@@ -14,7 +14,7 @@
 Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.6.2
-Release: 8%{?dist}
+Release: 9%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -92,6 +92,7 @@ Patch61: krb5-trunk-manpaths.patch
 Patch62: krb5-any-fixup-patch.txt
 Patch63: krb5-1.6.1-selinux-label.patch
 Patch64: krb5-ok-as-delegate.patch
+Patch67: krb5-trunk-server_delegation.patch
 
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
@@ -208,6 +209,10 @@ installed on systems which are meant provide these services.
 %endif
 
 %changelog
+* Mon Oct  1 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.2-9
+- apply the fix for CVE-2007-4000 instead of the experimental patch for
+  setting ok-as-delegate flags
+
 * Tue Sep 11 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.2-8
 - move the db2 kdb plugin from -server to -libs, because a multilib libkdb
   might need it
@@ -1226,14 +1231,15 @@ popd
 %patch51 -p0 -b .ldap_init
 %patch52 -p0 -b .ldap_man
 %patch53 -p1 -b .nodeplibs
-%patch64 -p0 -b .2007-3999-2
-%patch65 -p0 -b .2007-4000
+%patch65 -p0 -b .2007-3999-2
+%patch66 -p0 -b .2007-4000
 #%patch55 -p1 -b .empty
 #%patch56 -p1 -b .doublelog
 #%patch57 -p1 -b .login_chdir
 #%patch58 -p1 -b .key_exp
 #%patch59 -p0 -b .kpasswd_tcp
 #%patch64 -p0 -b .ok-as-delegate
+#%patch67 -p0 -b .server-delegation
 cp src/krb524/README README.krb524
 gzip doc/*.ps