- add upstream fix for denial-of-service in SPNEGO (CVE-2010-0628)

2010-002-patch.txt

@@ -0,0 +1,73 @@
+Index: src/lib/gssapi/spnego/spnego_mech.c
+===================================================================
+--- src/lib/gssapi/spnego/spnego_mech.c	(revision 23717)
++++ src/lib/gssapi/spnego/spnego_mech.c	(working copy)
+@@ -1570,7 +1570,7 @@
+ 	spnego_gss_ctx_id_t sc = NULL;
+ 	spnego_gss_cred_id_t spcred = NULL;
+ 	OM_uint32 mechstat = GSS_S_FAILURE;
+-	int sendTokenInit = 0;
++	int sendTokenInit = 0, tmpret;
+ 
+ 	mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER;
+ 
+@@ -1603,7 +1603,6 @@
+ 		if (delegated_cred_handle != NULL)
+ 			*delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+ 		if (input_token->length == 0) {
+-			sendTokenInit = 1;
+ 			ret = acc_ctx_hints(minor_status,
+ 					    context_handle, spcred,
+ 					    &mic_out,
+@@ -1611,6 +1610,7 @@
+ 					    &return_token);
+ 			if (ret != GSS_S_COMPLETE)
+ 				goto cleanup;
++			sendTokenInit = 1;
+ 			ret = GSS_S_CONTINUE_NEEDED;
+ 		} else {
+ 			/* Can set negState to REQUEST_MIC */
+@@ -1658,29 +1658,23 @@
+ 				 &negState, &return_token);
+ 	}
+ cleanup:
+-	if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
+-		/* For acceptor-sends-first send a tokenInit */
+-		int tmpret;
+-
++	if (return_token == INIT_TOKEN_SEND && sendTokenInit) {
+ 		assert(sc != NULL);
+-
+-		if (sendTokenInit) {
+-			tmpret = make_spnego_tokenInit_msg(sc,
+-							   1,
+-							   mic_out,
+-							   0,
+-							   GSS_C_NO_BUFFER,
+-							   return_token,
+-							   output_token);
+-		} else {
+-			tmpret = make_spnego_tokenTarg_msg(negState,
+-							   sc ? sc->internal_mech : GSS_C_NO_OID,
+-							   &mechtok_out, mic_out,
+-							   return_token,
+-							   output_token);
+-		}
++		tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0,
++						   GSS_C_NO_BUFFER,
++						   return_token, output_token);
+ 		if (tmpret < 0)
+ 			ret = GSS_S_FAILURE;
++	} else if (return_token != NO_TOKEN_SEND &&
++		   return_token != CHECK_MIC) {
++		tmpret = make_spnego_tokenTarg_msg(negState,
++						   sc ? sc->internal_mech :
++						   GSS_C_NO_OID,
++						   &mechtok_out, mic_out,
++						   return_token,
++						   output_token);
++		if (tmpret < 0)
++			ret = GSS_S_FAILURE;
+ 	}
+ 	if (ret == GSS_S_COMPLETE) {
+ 		*context_handle = (gss_ctx_id_t)sc->ctx_handle;

krb5.spec

@@ -2,16 +2,10 @@
 %global WITH_OPENSSL 1
 %global WITH_DIRSRV 1
 
-# For consistency with regular login.
-%global login_pam_service remote
-
-# Temporary bundling, pending package review #570951.
-%global appl_version 1.0
-
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.8
-Release: 4%{?dist}
+Release: 5%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -56,6 +50,7 @@ Patch96: krb5-1.8-exp_warn.patch
 Patch98: krb5-1.8-kpasswd_ccache.patch
 Patch99: krb5-trunk-kpasswd_ipv6.patch
 Patch100: krb5-trunk-tktlifetime.patch
+Patch101: http://web.mit.edu/kerberos/advisories/2010-002-patch.txt
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -195,6 +190,7 @@ ln -s NOTICE LICENSE
 %patch98 -p0 -b .kpasswd-ccache
 %patch99 -p0 -b .kpasswd-ipv6
 %patch100 -p0 -b .tktlifetime
+%patch101 -p0 -b .2010-002
 gzip doc/*.ps
 
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -628,6 +624,9 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Tue Mar 23 2010 Nalin Dahyabhai <nalin@redhat.com> - 1.8-5
+- add upstream fix for denial-of-service in SPNEGO (CVE-2010-0628)
+
 * Fri Mar 19 2010 Nalin Dahyabhai <nalin@redhat.com> - 1.8-4
 - remove the krb5-appl bits (the -workstation-clients and -workstation-servers
   subpackages) now that krb5-appl is its own package