From 60f5ea8eaf84b58be2a254683c87377154e8051e Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@redhat.com>
Date: Tue, 5 Oct 2010 15:29:32 -0400
Subject: [PATCH] - incorporate upstream patch to fix uninitialized pointer
 crash in the KDC's authorization data handling (CVE-2010-1322, #636335)

---
 krb5-1.8.x-authdata.patch | 34 ++++++++++++++++++++++++++++++++++
 krb5.spec                 |  8 +++++++-
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 krb5-1.8.x-authdata.patch

diff --git a/krb5-1.8.x-authdata.patch b/krb5-1.8.x-authdata.patch
new file mode 100644
index 0000000..a5bce28
--- /dev/null
+++ b/krb5-1.8.x-authdata.patch
@@ -0,0 +1,34 @@
+Candidate fix for CVE-2010-1322.
+
+diff -up krb5/src/kdc/kdc_authdata.c krb5/src/kdc/kdc_authdata.c
+--- krb5/src/kdc/kdc_authdata.c	2010-09-22 16:01:55.196827943 -0400
++++ krb5/src/kdc/kdc_authdata.c	2010-09-22 16:01:58.282828001 -0400
+@@ -495,7 +495,7 @@ merge_authdata (krb5_context context,
+                 krb5_boolean copy,
+                 krb5_boolean ignore_kdc_issued)
+ {
+-    size_t i, nadata = 0;
++    size_t i, j, nadata = 0;
+     krb5_authdata **authdata = *out_authdata;
+ 
+     if (in_authdata == NULL || in_authdata[0] == NULL)
+@@ -529,16 +529,16 @@ merge_authdata (krb5_context context,
+         in_authdata = tmp;
+     }
+ 
+-    for (i = 0; in_authdata[i] != NULL; i++) {
++    for (i = 0, j = 0; in_authdata[i] != NULL; i++) {
+         if (ignore_kdc_issued &&
+             is_kdc_issued_authdatum(context, in_authdata[i], 0)) {
+             free(in_authdata[i]->contents);
+             free(in_authdata[i]);
+         } else
+-            authdata[nadata + i] = in_authdata[i];
++            authdata[nadata + j++] = in_authdata[i];
+     }
+ 
+-    authdata[nadata + i] = NULL;
++    authdata[nadata + j] = NULL;
+ 
+     free(in_authdata);
+ 
diff --git a/krb5.spec b/krb5.spec
index f21268e..fd52c5c 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -5,7 +5,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.8.3
-Release: 7%{?dist}
+Release: 8%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.8/krb5-1.8.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -51,6 +51,7 @@ Patch72: krb5-trunk-explife.patch
 Patch73: krb5-trunk-key_usage.patch
 Patch74: krb5-trunk-signed.patch
 Patch75: krb5-trunk-k5login.patch
+Patch76: krb5-1.8.x-authdata.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -192,6 +193,7 @@ ln -s NOTICE LICENSE
 %patch73 -p0 -b .key_usage
 %patch74 -p0 -b .signed
 %patch75 -p1 -b .k5login
+%patch76 -p1 -b .authdata
 gzip doc/*.ps
 
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -643,6 +645,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Tue Oct  5 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.3-8
+- incorporate upstream patch to fix uninitialized pointer crash in the KDC's
+  authorization data handling (CVE-2010-1322, #636335)
+
 * Mon Oct  4 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.3-7
 - rebuild