diff --git a/krb5-1.8.x-authdata.patch b/krb5-1.8.x-authdata.patch new file mode 100644 index 0000000..a5bce28 --- /dev/null +++ b/krb5-1.8.x-authdata.patch @@ -0,0 +1,34 @@ +Candidate fix for CVE-2010-1322. + +diff -up krb5/src/kdc/kdc_authdata.c krb5/src/kdc/kdc_authdata.c +--- krb5/src/kdc/kdc_authdata.c 2010-09-22 16:01:55.196827943 -0400 ++++ krb5/src/kdc/kdc_authdata.c 2010-09-22 16:01:58.282828001 -0400 +@@ -495,7 +495,7 @@ merge_authdata (krb5_context context, + krb5_boolean copy, + krb5_boolean ignore_kdc_issued) + { +- size_t i, nadata = 0; ++ size_t i, j, nadata = 0; + krb5_authdata **authdata = *out_authdata; + + if (in_authdata == NULL || in_authdata[0] == NULL) +@@ -529,16 +529,16 @@ merge_authdata (krb5_context context, + in_authdata = tmp; + } + +- for (i = 0; in_authdata[i] != NULL; i++) { ++ for (i = 0, j = 0; in_authdata[i] != NULL; i++) { + if (ignore_kdc_issued && + is_kdc_issued_authdatum(context, in_authdata[i], 0)) { + free(in_authdata[i]->contents); + free(in_authdata[i]); + } else +- authdata[nadata + i] = in_authdata[i]; ++ authdata[nadata + j++] = in_authdata[i]; + } + +- authdata[nadata + i] = NULL; ++ authdata[nadata + j] = NULL; + + free(in_authdata); + diff --git a/krb5.spec b/krb5.spec index f21268e..fd52c5c 100644 --- a/krb5.spec +++ b/krb5.spec @@ -5,7 +5,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.8.3 -Release: 7%{?dist} +Release: 8%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.8/krb5-1.8.3-signed.tar Source0: krb5-%{version}.tar.gz @@ -51,6 +51,7 @@ Patch72: krb5-trunk-explife.patch Patch73: krb5-trunk-key_usage.patch Patch74: krb5-trunk-signed.patch Patch75: krb5-trunk-k5login.patch +Patch76: krb5-1.8.x-authdata.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -192,6 +193,7 @@ ln -s NOTICE LICENSE %patch73 -p0 -b .key_usage %patch74 -p0 -b .signed %patch75 -p1 -b .k5login +%patch76 -p1 -b .authdata gzip doc/*.ps sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex @@ -643,6 +645,10 @@ exit 0 %{_sbindir}/uuserver %changelog +* Tue Oct 5 2010 Nalin Dahyabhai 1.8.3-8 +- incorporate upstream patch to fix uninitialized pointer crash in the KDC's + authorization data handling (CVE-2010-1322, #636335) + * Mon Oct 4 2010 Nalin Dahyabhai 1.8.3-7 - rebuild