rpms/krb5
5
0
Fork 0
Code Issues Pull Requests Releases Activity

- update to 1.6.3, dropping now-integrated patches for CVE-2007-3999 and

Browse Source 
CVE-2007-4000 (the new pkinit module is built conditionally and goes
    into the -pkinit-openssl package, at least for now, to make a buildreq
    loop with openssl avoidable)
This commit is contained in:
Nalin Dahyabhai 2007-10-23 19:40:45 +00:00
parent a0f391756d
commit 276a481e88
5 changed files with 49 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.cvsignore
View File

@ -22,3 +22,6 @@ krb5-1.6.1-pdf.tar.gz
krb5-1.6.2.tar.gz krb5-1.6.2.tar.gz
krb5-1.6.2.tar.gz.asc krb5-1.6.2.tar.gz.asc
krb5-1.6.2-pdf.tar.gz krb5-1.6.2-pdf.tar.gz
krb5-1.6.3.tar.gz
krb5-1.6.3.tar.gz.asc
krb5-1.6.3-pdf.tar.gz

4
krb5-kpasswd_tcp.patch
View File

@ -102,10 +102,12 @@ diff -up src/lib/krb5/os/changepw.c src/lib/krb5/os/changepw.c
addrlen = sizeof(remote_addr); addrlen = sizeof(remote_addr);
callback_info.context = (void*) &callback_ctx; callback_info.context = (void*) &callback_ctx;
@@ -247,15 +287,8 @@ krb5_change_set_password(krb5_context co @@ -247,17 +287,10 @@ krb5_change_set_password(krb5_context co
NULL, NULL,
ss2sa(&remote_addr), ss2sa(&remote_addr),
&addrlen, &addrlen,
NULL,
NULL,
- NULL - NULL
- ))) { - ))) {
- -

45
krb5-trunk-server_delegation.patch
View File

@ -1,45 +0,0 @@
If the application calling gss_accept_sec_context() doesn't pass a value
for ret_flags, we'd never be able to check if credentials had been delegated.
The passed-in ret_flags value is a pointer to a bitfield, so the comparision
as-written was not likely to work as expected.
Index: src/lib/gssapi/mechglue/g_accept_sec_context.c
===================================================================
--- src/lib/gssapi/mechglue/g_accept_sec_context.c (revision 20038)
+++ src/lib/gssapi/mechglue/g_accept_sec_context.c (working copy)
@@ -112,6 +112,7 @@
{
OM_uint32 status, temp_status, temp_minor_status;
+ OM_uint32 temp_ret_flags = 0;
gss_union_ctx_id_t union_ctx_id;
gss_union_cred_t union_cred;
gss_cred_id_t input_cred_handle = GSS_C_NO_CREDENTIAL;
@@ -202,7 +203,7 @@
&internal_name,
mech_type,
output_token,
- ret_flags,
+ &temp_ret_flags,
time_rec,
d_cred ? &tmp_d_cred : NULL);
@@ -248,7 +249,7 @@
}
/* Ensure we're returning correct creds format */
- if ((ret_flags && GSS_C_DELEG_FLAG) &&
+ if ((temp_ret_flags & GSS_C_DELEG_FLAG) &&
tmp_d_cred != GSS_C_NO_CREDENTIAL) {
gss_union_cred_t d_u_cred = NULL;
@@ -335,6 +336,8 @@
if (src_name == NULL && tmp_src_name != NULL)
(void) gss_release_name(&temp_minor_status,
&tmp_src_name);
+ if (ret_flags != NULL)
+ *ret_flags = temp_ret_flags;
return (status);
} else {

48
krb5.spec
View File

@ -1,4 +1,5 @@
%define WITH_LDAP 1 %define WITH_LDAP 1
%define WITH_OPENSSL 1
%define krb5prefix %{_prefix}/kerberos %define krb5prefix %{_prefix}/kerberos
@ -13,8 +14,8 @@
Summary: The Kerberos network authentication system. Summary: The Kerberos network authentication system.
Name: krb5 Name: krb5
Version: 1.6.2 Version: 1.6.3
Release: 10%{?dist} Release: 1%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead? # Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
Source0: krb5-%{version}.tar.gz Source0: krb5-%{version}.tar.gz
@ -84,15 +85,12 @@ Patch56: krb5-1.6.2-doublelog.patch
Patch57: krb5-1.6.2-login_chdir.patch Patch57: krb5-1.6.2-login_chdir.patch
Patch58: krb5-1.6.2-key_exp.patch Patch58: krb5-1.6.2-key_exp.patch
Patch59: krb5-kpasswd_tcp.patch Patch59: krb5-kpasswd_tcp.patch
Patch65: CVE-2007-3999-2.patch
Patch66: CVE-2007-4000.patch
Patch60: krb5-1.6.1-pam.patch Patch60: krb5-1.6.1-pam.patch
Patch61: krb5-trunk-manpaths.patch Patch61: krb5-trunk-manpaths.patch
Patch62: krb5-any-fixup-patch.txt Patch62: krb5-any-fixup-patch.txt
Patch63: krb5-1.6.1-selinux-label.patch Patch63: krb5-1.6.1-selinux-label.patch
Patch64: krb5-ok-as-delegate.patch Patch64: krb5-ok-as-delegate.patch
Patch67: krb5-trunk-server_delegation.patch
Patch68: krb5-trunk-spnego_delegation.patch Patch68: krb5-trunk-spnego_delegation.patch
License: MIT, freely distributable. License: MIT, freely distributable.
@ -110,6 +108,9 @@ BuildRequires: pam-devel
%if %{WITH_LDAP} %if %{WITH_LDAP}
BuildRequires: openldap-devel BuildRequires: openldap-devel
%endif %endif
%if %{WITH_OPENSSL}
BuildRequires: openssl-devel >= 0.9.8
%endif
%description %description
Kerberos V5 is a trusted-third-party network authentication system, Kerberos V5 is a trusted-third-party network authentication system,
@ -209,7 +210,24 @@ servers. If your network uses Kerberos, this package should be
installed on systems which are meant provide these services. installed on systems which are meant provide these services.
%endif %endif
%package pkinit-openssl
Summary: The PKINIT module for Kerberos 5.
Group: System Environment/Libraries
Requires: %{name}-libs = %{version}-%{release}
%description pkinit-openssl
Kerberos is a network authentication system. The krb5-pkinit-openssl
package contains the PKINIT plugin, which uses OpenSSL to allow clients
to obtain initial credentials from a KDC using a private key and a
certificate.
%changelog %changelog
* Tue Oct 23 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-1
- update to 1.6.3, dropping now-integrated patches for CVE-2007-3999
and CVE-2007-4000 (the new pkinit module is built conditionally and goes
into the -pkinit-openssl package, at least for now, to make a buildreq
loop with openssl avoidable)
* Wed Oct 17 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.2-10 * Wed Oct 17 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.2-10
- make proper use of pam_loginuid and pam_selinux in rshd and ftpd - make proper use of pam_loginuid and pam_selinux in rshd and ftpd
@ -1239,15 +1257,12 @@ popd
%patch51 -p0 -b .ldap_init %patch51 -p0 -b .ldap_init
%patch52 -p0 -b .ldap_man %patch52 -p0 -b .ldap_man
%patch53 -p1 -b .nodeplibs %patch53 -p1 -b .nodeplibs
%patch65 -p0 -b .2007-3999-2
%patch66 -p0 -b .2007-4000
#%patch55 -p1 -b .empty #%patch55 -p1 -b .empty
#%patch56 -p1 -b .doublelog #%patch56 -p1 -b .doublelog
#%patch57 -p1 -b .login_chdir #%patch57 -p1 -b .login_chdir
#%patch58 -p1 -b .key_exp #%patch58 -p1 -b .key_exp
#%patch59 -p0 -b .kpasswd_tcp #%patch59 -p0 -b .kpasswd_tcp
#%patch64 -p0 -b .ok-as-delegate #%patch64 -p0 -b .ok-as-delegate
#%patch67 -p0 -b .server-delegation
#%patch68 -p0 -b .spnego_delegation #%patch68 -p0 -b .spnego_delegation
cp src/krb524/README README.krb524 cp src/krb524/README README.krb524
gzip doc/*.ps gzip doc/*.ps
@ -1310,6 +1325,14 @@ OPENLDAP_PLUGIN=yes
%else %else
OPENLDAP_PLUGIN="" OPENLDAP_PLUGIN=""
%endif %endif
# Enable or disable the PKINIT plugin. The configure script only checks for
# the version of OpenSSL being okay, so for now we have to use that to control
# whether or not it tries to build the module.
%if %{WITH_OPENSSL}
k5_cv_openssl_version_okay=
%else
k5_cv_openssl_version_okay=no ; export k5_cv_openssl_version_okay
%endif
# Work out the CFLAGS and CPPFLAGS which we intend to use. # Work out the CFLAGS and CPPFLAGS which we intend to use.
CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC`" CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC`"
CPPFLAGS="`echo $DEFINES $INCLUDES`" CPPFLAGS="`echo $DEFINES $INCLUDES`"
@ -1750,6 +1773,15 @@ exit 0
%{_libdir}/krb5/plugins/kdb/db2.so %{_libdir}/krb5/plugins/kdb/db2.so
%{krb5prefix}/share %{krb5prefix}/share
%if %{WITH_OPENSSL}
%files pkinit-openssl
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so
%endif
%files devel %files devel
%defattr(-,root,root) %defattr(-,root,root)

6
sources
View File

@ -1,3 +1,3 @@
41d8c0cdb6c3e59171234b0464ec3c47 krb5-1.6.2.tar.gz f32a9647deed175dd6bcc5e22d907541 krb5-1.6.3.tar.gz
8a5c577ea2907ecebdc03b7ccbf4d534 krb5-1.6.2.tar.gz.asc 992f23ef516c1e3d406896ac835e4b68 krb5-1.6.3.tar.gz.asc
c6c5380e4bfdb787f3b196b66cd96bed krb5-1.6.2-pdf.tar.gz 5153f5c7773228bf3e295750e885dd04 krb5-1.6.3-pdf.tar.gz