rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- turn off NSS as the backend for libk5crypto for now to work around its

Browse Source 
DES string2key not working (#679012)
- add revised upstream patch to fix double-free in KDC while returning
  typed-data with errors (CVE-2011-0284, #674325)
This commit is contained in:
Nalin Dahyabhai 2011-03-15 14:25:01 -04:00
parent cbdf0e37a6
commit 41bc7a0e62
2 changed files with 23 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
2011-003-patch.txt Normal file
View File

@ -0,0 +1,13 @@
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 46b5fa1..464cb6e 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
pad->contents = td[size]->data;
pad->length = td[size]->length;
pa[size] = pad;
+ td[size]->data = NULL;
+ td[size]->length = 0;
}
krb5_free_typed_data(kdc_context, td);
}

12
krb5.spec
View File

@ -1,12 +1,12 @@
%global WITH_LDAP 1 %global WITH_LDAP 1
%global WITH_OPENSSL 1 %global WITH_OPENSSL 1
%global WITH_NSS 1 %global WITH_NSS 0
%global WITH_DIRSRV 1 %global WITH_DIRSRV 1
Summary: The Kerberos network authentication system Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.9 Version: 1.9
Release: 6%{?dist} Release: 7%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead? # Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9-signed.tar
Source0: krb5-%{version}.tar.gz Source0: krb5-%{version}.tar.gz
@ -52,6 +52,7 @@ Patch72: krb5-pkinit-cms2.patch
Patch73: http://web.mit.edu/kerberos/advisories/2011-001-patch.txt Patch73: http://web.mit.edu/kerberos/advisories/2011-001-patch.txt
Patch74: http://web.mit.edu/kerberos/advisories/2011-002-patch.txt Patch74: http://web.mit.edu/kerberos/advisories/2011-002-patch.txt
Patch75: krb5-pkinit-debug.patch Patch75: krb5-pkinit-debug.patch
Patch76: http://web.mit.edu/kerberos/advisories/2011-003-patch.txt
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
@ -195,6 +196,7 @@ ln -s NOTICE LICENSE
%patch73 -p1 -b .2011-001 %patch73 -p1 -b .2011-001
%patch74 -p1 -b .2011-002 %patch74 -p1 -b .2011-002
#%patch75 -p1 -b .pkinit-debug #%patch75 -p1 -b .pkinit-debug
%patch76 -p1 -b .2011-003
gzip doc/*.ps gzip doc/*.ps
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@ -653,6 +655,12 @@ exit 0
%{_sbindir}/uuserver %{_sbindir}/uuserver
%changelog %changelog
* Tue Mar 15 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-7
- turn off NSS as the backend for libk5crypto for now to work around its
DES string2key not working (#679012)
- add revised upstream patch to fix double-free in KDC while returning
typed-data with errors (CVE-2011-0284, #674325)
* Thu Feb 17 2011 Nalin Dahyabhai <nalin@redhat.com> * Thu Feb 17 2011 Nalin Dahyabhai <nalin@redhat.com>
- throw in a not-applied-by-default patch to try to make pkinit debugging - throw in a not-applied-by-default patch to try to make pkinit debugging
into a run-time boolean option named "pkinit_debug" into a run-time boolean option named "pkinit_debug"