- update to 1.10.3, rolling in MITKRB5-SA-2012-001

.gitignore

@@ -72,3 +72,6 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.10.2.tar.gz
 /krb5-1.10.2.tar.gz.asc
 /krb5-1.10.2-pdf.tar.xz
+/krb5-1.10.3.tar.gz
+/krb5-1.10.3.tar.gz.asc
+/krb5-1.10.3-pdf.tar.xz

2012-001-patch.txt

@@ -1,61 +0,0 @@
-diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
-index 23623fe..8ada9d0 100644
---- a/src/kdc/do_as_req.c
-+++ b/src/kdc/do_as_req.c
-@@ -463,7 +463,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
-     krb5_enctype useenctype;
-     struct as_req_state *state;
- 
--    state = malloc(sizeof(*state));
-+    state = calloc(sizeof(*state), 1);
-     if (!state) {
-         (*respond)(arg, ENOMEM, NULL);
-         return;
-@@ -486,6 +486,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
-     state->authtime = 0;
-     state->c_flags = 0;
-     state->req_pkt = req_pkt;
-+    state->inner_body = NULL;
-     state->rstate = NULL;
-     state->sname = 0;
-     state->cname = 0;
-diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
-index 9d8cb34..d4ece3f 100644
---- a/src/kdc/kdc_preauth.c
-+++ b/src/kdc/kdc_preauth.c
-@@ -1438,7 +1438,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
-                 continue;
- 
-             }
--            if (request_contains_enctype(context, request, db_etype)) {
-+            if (krb5_is_permitted_enctype(context, db_etype) &&
-+                request_contains_enctype(context, request, db_etype)) {
-                 retval = _make_etype_info_entry(context, client->princ,
-                                                 client_key, db_etype,
-                                                 &entry[i], etype_info2);
-diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
-index a43b291..94dad3a 100644
---- a/src/kdc/kdc_util.c
-+++ b/src/kdc/kdc_util.c
-@@ -2461,6 +2461,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request,
-         return 0;
-     pa.magic = KV5M_PA_DATA;
-     pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
-+    memset(&checksum, 0, sizeof(checksum));
-     retval = krb5_c_make_checksum(kdc_context,0, reply_key,
-                                   KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
-     if (retval != 0)
-diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
-index c4bf92e..367c894 100644
---- a/src/lib/kdb/kdb_default.c
-+++ b/src/lib/kdb/kdb_default.c
-@@ -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
-     krb5_boolean        saw_non_permitted = FALSE;
- 
-     ret = 0;
-+    if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
-+        return KRB5_KDB_NO_PERMITTED_KEY;
-+
-     if (kvno == -1 && stype == -1 && ktype == -1)
-         kvno = 0;
- 

krb5.spec

@@ -19,10 +19,10 @@
 
 Summary: The Kerberos network authentication system
 Name: krb5
-Version: 1.10.2
+Version: 1.10.3
-Release: 7%{?dist}
+Release: 1%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
-# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
+# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.3-signed.tar
 Source0: krb5-%{version}.tar.gz
 Source1: krb5-%{version}.tar.gz.asc
 Source2: kprop.service
@@ -69,7 +69,6 @@ Patch103: krb5-1.10-gcc47.patch
 Patch105: krb5-kvno-230379.patch
 Patch106: krb5-1.10.2-keytab-etype.patch
 Patch107: krb5-trunk-pkinit-anchorsign.patch
-Patch108: http://web.mit.edu/kerberos/advisories/2012-001-patch.txt
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -248,7 +247,6 @@ ln -s NOTICE LICENSE
 %patch105 -p1 -b .kvno
 %patch106 -p1 -b .keytab-etype
 %patch107 -p1 -b .pkinit-anchorsign
-%patch108 -p1 -b .2012-001
 rm src/lib/krb5/krb/deltat.c
 
 gzip doc/*.ps
@@ -768,6 +766,9 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Thu Aug  9 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.3-1
+- update to 1.10.3, rolling in the fixes from MITKRB5-SA-2012-001
+
 * Thu Aug  2 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-7
 - selinux: hang on to the list of selinux contexts, freeing and reloading
   it only when the file we read it from is modified, freeing it when the

sources

@@ -1,3 +1,3 @@
-73c89ed430f92df7d10c49167eec889b  krb5-1.10.2.tar.gz
+c6b949ce23768b4b8533b33c3343b1d1  krb5-1.10.3.tar.gz
-53994fb4ccbeaf6d017d657942093502  krb5-1.10.2.tar.gz.asc
+4862ae1729ec2b762de0ae47a4db1240  krb5-1.10.3.tar.gz.asc
-ddebe423b4d60fe957ab7c22dbc8a7ea  krb5-1.10.2-pdf.tar.xz
+1756846900b598ed4544d22491952f41  krb5-1.10.3-pdf.tar.xz