diff --git a/2010-002-patch.txt b/2010-002-patch.txt
new file mode 100644
index 0000000..325ba93
--- /dev/null
+++ b/2010-002-patch.txt
@@ -0,0 +1,73 @@
+Index: src/lib/gssapi/spnego/spnego_mech.c
+===================================================================
+--- src/lib/gssapi/spnego/spnego_mech.c (revision 23717)
++++ src/lib/gssapi/spnego/spnego_mech.c (working copy)
+@@ -1570,7 +1570,7 @@
+ spnego_gss_ctx_id_t sc = NULL;
+ spnego_gss_cred_id_t spcred = NULL;
+ OM_uint32 mechstat = GSS_S_FAILURE;
+- int sendTokenInit = 0;
++ int sendTokenInit = 0, tmpret;
+
+ mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER;
+
+@@ -1603,7 +1603,6 @@
+ if (delegated_cred_handle != NULL)
+ *delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+ if (input_token->length == 0) {
+- sendTokenInit = 1;
+ ret = acc_ctx_hints(minor_status,
+ context_handle, spcred,
+ &mic_out,
+@@ -1611,6 +1610,7 @@
+ &return_token);
+ if (ret != GSS_S_COMPLETE)
+ goto cleanup;
++ sendTokenInit = 1;
+ ret = GSS_S_CONTINUE_NEEDED;
+ } else {
+ /* Can set negState to REQUEST_MIC */
+@@ -1658,29 +1658,23 @@
+ &negState, &return_token);
+ }
+ cleanup:
+- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
+- /* For acceptor-sends-first send a tokenInit */
+- int tmpret;
+-
++ if (return_token == INIT_TOKEN_SEND && sendTokenInit) {
+ assert(sc != NULL);
+-
+- if (sendTokenInit) {
+- tmpret = make_spnego_tokenInit_msg(sc,
+- 1,
+- mic_out,
+- 0,
+- GSS_C_NO_BUFFER,
+- return_token,
+- output_token);
+- } else {
+- tmpret = make_spnego_tokenTarg_msg(negState,
+- sc ? sc->internal_mech : GSS_C_NO_OID,
+- &mechtok_out, mic_out,
+- return_token,
+- output_token);
+- }
++ tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0,
++ GSS_C_NO_BUFFER,
++ return_token, output_token);
+ if (tmpret < 0)
+ ret = GSS_S_FAILURE;
++ } else if (return_token != NO_TOKEN_SEND &&
++ return_token != CHECK_MIC) {
++ tmpret = make_spnego_tokenTarg_msg(negState,
++ sc ? sc->internal_mech :
++ GSS_C_NO_OID,
++ &mechtok_out, mic_out,
++ return_token,
++ output_token);
++ if (tmpret < 0)
++ ret = GSS_S_FAILURE;
+ }
+ if (ret == GSS_S_COMPLETE) {
+ *context_handle = (gss_ctx_id_t)sc->ctx_handle;
diff --git a/krb5.spec b/krb5.spec
index d7bf34a..f2b2193 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -2,16 +2,10 @@ %global WITH_OPENSSL 1 %global WITH_DIRSRV 1 -# For consistency with regular login. -%global login_pam_service remote - -# Temporary bundling, pending package review #570951. -%global appl_version 1.0 - Summary: The Kerberos network authentication system Name: krb5 Version: 1.8 -Release: 4%{?dist} +Release: 5%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar Source0: krb5-%{version}.tar.gz
@@ -56,6 +50,7 @@ Patch96: krb5-1.8-exp_warn.patch Patch98: krb5-1.8-kpasswd_ccache.patch Patch99: krb5-trunk-kpasswd_ipv6.patch Patch100: krb5-trunk-tktlifetime.patch +Patch101: http://web.mit.edu/kerberos/advisories/2010-002-patch.txt License: MIT URL: http://web.mit.edu/kerberos/www/
@@ -195,6 +190,7 @@ ln -s NOTICE LICENSE %patch98 -p0 -b .kpasswd-ccache %patch99 -p0 -b .kpasswd-ipv6 %patch100 -p0 -b .tktlifetime +%patch101 -p0 -b .2010-002 gzip doc/*.ps sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -628,6 +624,9 @@ exit 0 %{_sbindir}/uuserver %changelog +* Tue Mar 23 2010 Nalin Dahyabhai - 1.8-5 +- add upstream fix for denial-of-service in SPNEGO (CVE-2010-0628) + * Fri Mar 19 2010 Nalin Dahyabhai - 1.8-4 - remove the krb5-appl bits (the -workstation-clients and -workstation-servers subpackages) now that krb5-appl is its own package
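Review bot: In the `cleanup:` hunk of 2010-002-patch.txt (inner `@@ -1658,29 +1658,23 @@`), the new `INIT_TOKEN_SEND` branch still opens with `assert(sc != NULL);`, so a NULL `sc` on this acceptor path aborts the whole process, and in a build with `NDEBUG` the check vanishes and `sc` goes to `make_spnego_tokenInit_msg` unchecked. The patch narrows when the branch is entered, since `sendTokenInit` is now set only after `acc_ctx_hints` returns `GSS_S_COMPLETE`, but the assignment of `sc` lies outside these hunks, so the invariant cannot be confirmed from here. An explicit fail-closed check such as `if (sc == NULL) ret = GSS_S_FAILURE; else { ... }` would turn a broken invariant into an error return instead of a daemon crash; because the patch is carried verbatim from upstream, this is a point to raise there rather than a local edit. The context line `*context_handle = (gss_ctx_id_t)sc->ctx_handle;` dereferences `sc` without a check in the same way when `ret == GSS_S_COMPLETE`.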
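Review bot: `Patch101` in krb5.spec (hunk `@@ -56,6 +50,7 @@`) names its origin as a plain `http://` URL, and nothing in the spec records that the committed copy of 2010-002-patch.txt was checked for integrity after it was fetched. For a security fix, the file in the repository should be compared against upstream's signed advisory, or a detached signature if one is published, before the build is trusted. A comment above the line, for example `# upstream fix for CVE-2010-0628, checked against the signed upstream advisory`, would record that the check was done. The first hunk also drops the `login_pam_service` and `appl_version` globals, which the 1.8-5 changelog entry does not mention.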