- update to 1.6.3, dropping now-integrated patches for CVE-2007-3999 and

CVE-2007-4000 (the new pkinit module is built conditionally and goes into the -pkinit-openssl package, at least for now, to make a buildreq loop with openssl avoidable)
2007-10-23 19:40:45 +00:00 · 2007-10-23 19:40:45 +00:00 · 276a481e88
commit 276a481e88
parent a0f391756d
5 changed files with 49 additions and 57 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -22,3 +22,6 @@ krb5-1.6.1-pdf.tar.gz
 krb5-1.6.2.tar.gz
 krb5-1.6.2.tar.gz.asc
 krb5-1.6.2-pdf.tar.gz
+krb5-1.6.3.tar.gz
+krb5-1.6.3.tar.gz.asc
+krb5-1.6.3-pdf.tar.gz
--- a/krb5-kpasswd_tcp.patch
+++ b/krb5-kpasswd_tcp.patch
@ -102,10 +102,12 @@ diff -up src/lib/krb5/os/changepw.c src/lib/krb5/os/changepw.c
 	addrlen = sizeof(remote_addr);
 
 	callback_info.context = (void*) &callback_ctx;
-@@ -247,15 +287,8 @@ krb5_change_set_password(krb5_context co
+@@ -247,17 +287,10 @@ krb5_change_set_password(krb5_context co
 				   NULL,
 				   ss2sa(&remote_addr),
                                    &addrlen,
+ 				   NULL,
+ 				   NULL,
 -				   NULL
 -		 ))) {
 -
--- a/krb5-trunk-server_delegation.patch
+++ b/krb5-trunk-server_delegation.patch
@ -1,45 +0,0 @@
-If the application calling gss_accept_sec_context() doesn't pass a value
-for ret_flags, we'd never be able to check if credentials had been delegated.
-
-The passed-in ret_flags value is a pointer to a bitfield, so the comparision
-as-written was not likely to work as expected.
-
-Index: src/lib/gssapi/mechglue/g_accept_sec_context.c
-===================================================================
--- src/lib/gssapi/mechglue/g_accept_sec_context.c	(revision 20038)
-+++ src/lib/gssapi/mechglue/g_accept_sec_context.c	(working copy)
-@@ -112,6 +112,7 @@
- 
- {
-     OM_uint32		status, temp_status, temp_minor_status;
-+    OM_uint32		temp_ret_flags = 0;
-     gss_union_ctx_id_t	union_ctx_id;
-     gss_union_cred_t	union_cred;
-     gss_cred_id_t	input_cred_handle = GSS_C_NO_CREDENTIAL;
-@@ -202,7 +203,7 @@
- 						  &internal_name,
- 						  mech_type,
- 						  output_token,
-						  ret_flags,
-+						  &temp_ret_flags,
- 						  time_rec,
- 					d_cred ? &tmp_d_cred : NULL);
- 
-@@ -248,7 +249,7 @@
- 	    }
- 
- 	    /* Ensure we're returning correct creds format */
-	    if ((ret_flags && GSS_C_DELEG_FLAG) &&
-+	    if ((temp_ret_flags & GSS_C_DELEG_FLAG) &&
- 		tmp_d_cred != GSS_C_NO_CREDENTIAL) {
- 		gss_union_cred_t d_u_cred = NULL;
- 
-@@ -335,6 +336,8 @@
- 	    if (src_name == NULL && tmp_src_name != NULL)
- 		(void) gss_release_name(&temp_minor_status,
- 					&tmp_src_name);
-+	    if (ret_flags != NULL)
-+		*ret_flags = temp_ret_flags;
- 	    return	(status);
-     } else {
- 
--- a/krb5.spec
+++ b/krb5.spec
@ -1,4 +1,5 @@
 %define WITH_LDAP 1
+%define WITH_OPENSSL 1

 %define krb5prefix %{_prefix}/kerberos

@ -13,8 +14,8 @@

 Summary: The Kerberos network authentication system.
 Name: krb5
-Version: 1.6.2
-Release: 10%{?dist}
+Version: 1.6.3
+Release: 1%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -84,15 +85,12 @@ Patch56: krb5-1.6.2-doublelog.patch
 Patch57: krb5-1.6.2-login_chdir.patch
 Patch58: krb5-1.6.2-key_exp.patch
 Patch59: krb5-kpasswd_tcp.patch
-Patch65: CVE-2007-3999-2.patch
-Patch66: CVE-2007-4000.patch

 Patch60: krb5-1.6.1-pam.patch
 Patch61: krb5-trunk-manpaths.patch
 Patch62: krb5-any-fixup-patch.txt
 Patch63: krb5-1.6.1-selinux-label.patch
 Patch64: krb5-ok-as-delegate.patch
-Patch67: krb5-trunk-server_delegation.patch
 Patch68: krb5-trunk-spnego_delegation.patch

 License: MIT, freely distributable.
@ -110,6 +108,9 @@ BuildRequires: pam-devel
 %if %{WITH_LDAP}
 BuildRequires: openldap-devel
 %endif
+%if %{WITH_OPENSSL}
+BuildRequires: openssl-devel >= 0.9.8
+%endif

 %description
 Kerberos V5 is a trusted-third-party network authentication system,
@ -209,7 +210,24 @@ servers. If your network uses Kerberos, this package should be
 installed on systems which are meant provide these services.
 %endif

+%package pkinit-openssl
+Summary: The PKINIT module for Kerberos 5.
+Group: System Environment/Libraries
+Requires: %{name}-libs = %{version}-%{release}
+
+%description pkinit-openssl
+Kerberos is a network authentication system. The krb5-pkinit-openssl
+package contains the PKINIT plugin, which uses OpenSSL to allow clients
+to obtain initial credentials from a KDC using a private key and a
+certificate.
+
 %changelog
+* Tue Oct 23 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-1
+- update to 1.6.3, dropping now-integrated patches for CVE-2007-3999
+  and CVE-2007-4000 (the new pkinit module is built conditionally and goes
+  into the -pkinit-openssl package, at least for now, to make a buildreq
+  loop with openssl avoidable)
+
 * Wed Oct 17 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.2-10
 - make proper use of pam_loginuid and pam_selinux in rshd and ftpd

@ -1239,15 +1257,12 @@ popd
 %patch51 -p0 -b .ldap_init
 %patch52 -p0 -b .ldap_man
 %patch53 -p1 -b .nodeplibs
-%patch65 -p0 -b .2007-3999-2
-%patch66 -p0 -b .2007-4000
 #%patch55 -p1 -b .empty
 #%patch56 -p1 -b .doublelog
 #%patch57 -p1 -b .login_chdir
 #%patch58 -p1 -b .key_exp
 #%patch59 -p0 -b .kpasswd_tcp
 #%patch64 -p0 -b .ok-as-delegate
-#%patch67 -p0 -b .server-delegation
 #%patch68 -p0 -b .spnego_delegation
 cp src/krb524/README README.krb524
 gzip doc/*.ps
@ -1310,6 +1325,14 @@ OPENLDAP_PLUGIN=yes
 %else
 OPENLDAP_PLUGIN=""
 %endif
+# Enable or disable the PKINIT plugin.  The configure script only checks for
+# the version of OpenSSL being okay, so for now we have to use that to control
+# whether or not it tries to build the module.
+%if %{WITH_OPENSSL}
+k5_cv_openssl_version_okay=
+%else
+k5_cv_openssl_version_okay=no ; export k5_cv_openssl_version_okay
+%endif
 # Work out the CFLAGS and CPPFLAGS which we intend to use.
 CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC`"
 CPPFLAGS="`echo $DEFINES $INCLUDES`"
@ -1750,6 +1773,15 @@ exit 0
 %{_libdir}/krb5/plugins/kdb/db2.so
 %{krb5prefix}/share

+%if %{WITH_OPENSSL}
+%files pkinit-openssl
+%defattr(-,root,root)
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/pkinit.so
+%endif
+
 %files devel
 %defattr(-,root,root)

--- a/6
+++ b/6
@ -1,3 +1,3 @@
-41d8c0cdb6c3e59171234b0464ec3c47  krb5-1.6.2.tar.gz
-8a5c577ea2907ecebdc03b7ccbf4d534  krb5-1.6.2.tar.gz.asc
-c6c5380e4bfdb787f3b196b66cd96bed  krb5-1.6.2-pdf.tar.gz
+f32a9647deed175dd6bcc5e22d907541  krb5-1.6.3.tar.gz
+992f23ef516c1e3d406896ac835e4b68  krb5-1.6.3.tar.gz.asc
+5153f5c7773228bf3e295750e885dd04  krb5-1.6.3-pdf.tar.gz