From 6130f43a4614dd3f9b1bec4db32d9db6e3ffb1c2 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 24 Aug 2010 18:29:42 -0400
Subject: [PATCH] - fix a logic bug in computing key expiration times (RT#6762, #627022)

---
 krb5-trunk-explife.patch | 28 ++++++++++++++++++++++++++++
 krb5.spec | 7 ++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 krb5-trunk-explife.patch

diff --git a/krb5-trunk-explife.patch b/krb5-trunk-explife.patch
new file mode 100644
index 0000000..ddcf143
--- /dev/null
+++ b/krb5-trunk-explife.patch
@@ -0,0 +1,28 @@
+Rob Crittenden noticed that, in populate_krb5_db_entry(), key
+expirations weren't being computed as expected. It turns out
+that neither KDB_PRINC_EXPIRE_TIME_ATTR nor KDB_PWD_EXPIRE_TIME_ATTR
+is defined to 1, so the check for their bits could never succeed as
+written. RT#6762.
+
+Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+===================================================================
+--- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (revision 24252)
++++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (working copy)
+@@ -2087,7 +2087,7 @@
+ goto cleanup;
+
+ if (attr_present == TRUE) {
+- if ((mask & KDB_PRINC_EXPIRE_TIME_ATTR) == 1) {
++ if (mask & KDB_PRINC_EXPIRE_TIME_ATTR) {
+ if (expiretime < entry->expiration)
+ entry->expiration = expiretime;
+ } else {
+@@ -2127,7 +2127,7 @@
+ if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
+ goto cleanup;
+
+- if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
++ if (mask & KDB_PWD_EXPIRE_TIME_ATTR) {
+ if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
+ entry->pw_expiration = last_pw_changed + pw_max_life;
+ } else
diff --git a/krb5.spec b/krb5.spec
index e19d34c..4dd8e6a 100644
--- a/krb5.spec
+++ b/krb5.spec
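Review bot: The corrected tests in the inner hunks are right (`mask & KDB_PRINC_EXPIRE_TIME_ATTR`, `mask & KDB_PWD_EXPIRE_TIME_ATTR`), but the second branch that now becomes reachable computes `last_pw_changed + pw_max_life` and compares it against `entry->pw_expiration` without guarding the addition; if those are 32-bit krb5_timestamp/krb5_deltat values, as I believe they are in this tree, a large pw_max_life makes the sum overflow and the resulting pw_expiration unpredictable. Because the old `== 1` form made both `if` branches dead, this is the first time that arithmetic runs on real directory data, so a range check on pw_max_life or a wider intermediate before the comparison belongs in the same patch. It is also worth grepping ldap_misc.c for other `(mask & ...) == 1` comparisons, since the two fixed here follow the same pattern and nothing on the page shows they were the only ones. Both enclosing functions continue outside the inner hunks, so the `else` branches that previously always ran are not visible here.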
@@ -5,7 +5,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.8.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.8/krb5-1.8.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -47,6 +47,7 @@ Patch61: krb5-1.8-manpaths.patch
 Patch63: krb5-1.8-selinux-label.patch
 Patch70: krb5-trunk-kpasswd_tcp2.patch
 Patch71: krb5-1.8-dirsrv-accountlock.patch
+Patch72: krb5-trunk-explife.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -184,6 +185,7 @@ ln -s NOTICE LICENSE
 %patch59 -p1 -b .kpasswd_tcp
 #%patch70 -p0 -b .kpasswd_tcp2
 %patch71 -p1 -b .dirsrv-accountlock
+%patch72 -p0 -b .explife
 gzip doc/*.ps
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -635,6 +637,9 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Tue Aug 24 2010 Nalin Dahyabhai 1.8.3-2
+- fix a logic bug in computing key expiration times (RT#6762, #627022)
+
 * Wed Aug 4 2010 Nalin Dahyabhai 1.8.3-1
 - update to 1.8.3
 - drop backports of fixes for gss context expiration and error table