- libgssapi_krb5: backport fix for some errors which can occur when we fail
to set up the server half of a context (CVE-2009-0845)
parent
78b02cd911
commit
434cefd85a
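--- a/krb5-1.6.3-spnego-crash.patch
+++ b/krb5-1.6.3-spnego-crash.patch
@@ -0,0 +1,16 @@
+Upstream change #22099, triggered by report from Marcus Granado, fix by Tom Yu.
+In a nutshell, when return_token is neither NO_TOKEN_SEND nor CHECK_MIC, we
+might still not want a reply token, for example if it's ERROR_TOKEN_SEND.
+diff -up src/lib/gssapi/spnego/spnego_mech.c src/lib/gssapi/spnego/spnego_mech.c
+--- src/lib/gssapi/spnego/spnego_mech.c 2009-03-17 16:47:10.000000000 -0400
++++ src/lib/gssapi/spnego/spnego_mech.c 2009-03-17 16:47:14.000000000 -0400
+@@ -1248,7 +1248,8 @@ spnego_gss_accept_sec_context(void *ct,
+&negState, &return_token);
+}
+cleanup:
+- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
++ if (return_token == INIT_TOKEN_SEND ||
++ return_token == CONT_TOKEN_SEND) {
+tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech,
+&mechtok_out, mic_out,
+return_token,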
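Review bot: The rewritten guard under `cleanup:` protects the `sc->internal_mech` dereference in the `make_spnego_tokenTarg_msg` call only indirectly, through the value of `return_token`, and nothing in the patched code records that dependency. Judging by the commit title, `sc` may not be set up on the failure paths, though the assignments to `sc` and `return_token` are outside the hunk, so this is inferred. I would add a comment above the condition, e.g. `/* Reply only for INIT/CONT_TOKEN_SEND; on error paths sc may not be set up (CVE-2009-0845). */`, so a later edit does not widen the test back to a deny-list. The patch header cites upstream change #22099 but not the CVE; naming CVE-2009-0845 there as well would let the patch file be traced without the spec changelog. The body of `spnego_gss_accept_sec_context` starts and ends outside the hunk.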
@ -16,7 +16,7 @@
|
||||
Summary: The Kerberos network authentication system.
|
||||
Name: krb5
|
||||
Version: 1.6.3
|
||||
Release: 18%{?dist}
|
||||
Release: 19%{?dist}
|
||||
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||
# http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
|
||||
Source0: krb5-%{version}.tar.gz
|
||||
@ -102,6 +102,7 @@ Patch77: krb5-CVE-2007-5971.patch
|
||||
Patch78: krb5-1.6.3-lucid-acceptor.patch
|
||||
Patch79: krb5-trunk-ftp_mget_case.patch
|
||||
Patch80: krb5-trunk-preauth-master.patch
|
||||
Patch81: krb5-1.6.3-spnego-crash.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -232,6 +233,10 @@ to obtain initial credentials from a KDC using a private key and a
|
||||
certificate.
|
||||
|
||||
%changelog
|
||||
* Tue Mar 17 2009 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-19
|
||||
- libgssapi_krb5: backport fix for some errors which can occur when
|
||||
we fail to set up the server half of a context (CVE-2009-0845)
|
||||
|
||||
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.3-18
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
|
||||
|
||||
@ -1396,6 +1401,7 @@ popd
|
||||
%patch78 -p0 -b .lucid_acceptor
|
||||
%patch79 -p0 -b .ftp_mget_case
|
||||
%patch80 -p0 -b .preauth_master
|
||||
%patch81 -p0 -b .spnego-crash
|
||||
cp src/krb524/README README.krb524
|
||||
gzip doc/*.ps
|
||||
|
||||
|