diff --git a/2010-004-patch.txt b/2010-004-patch.txt
new file mode 100644
index 0000000..bb6261f
--- /dev/null
+++ b/2010-004-patch.txt
@@ -0,0 +1,20 @@
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index b2f0655..76ca94a 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -543,6 +543,7 @@ tgt_again:
+ to the caller */
+ ticket_reply = *(header_ticket);
+ enc_tkt_reply = *(header_ticket->enc_part2);
++ enc_tkt_reply.authorization_data = NULL;
+ clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
+ }
+
+@@ -554,6 +555,7 @@ tgt_again:
+ to the caller */
+ ticket_reply = *(header_ticket);
+ enc_tkt_reply = *(header_ticket->enc_part2);
++ enc_tkt_reply.authorization_data = NULL;
+
+ old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
+
diff --git a/krb5.spec b/krb5.spec
index 4ee2439..9fd3a28 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -5,7 +5,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.8.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.8/krb5-1.8.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -45,6 +45,7 @@
 Patch61: krb5-1.8-manpaths.patch
 Patch63: krb5-1.8-selinux-label.patch
 Patch70: krb5-trunk-kpasswd_tcp2.patch
 Patch71: krb5-1.8-dirsrv-accountlock.patch
+Patch72: http://web.mit.edu/kerberos/advisories/2010-004-patch.txt
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -179,6 +180,7 @@ ln -s NOTICE LICENSE
 %patch59 -p1 -b .kpasswd_tcp
 #%patch70 -p0 -b .kpasswd_tcp2
 %patch71 -p1 -b .dirsrv-accountlock
+%patch72 -p1 -b .2010-004
 gzip doc/*.ps
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -620,6 +622,9 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Tue Apr 20 2010 Nalin Dahyabhai 1.8.1-3
+- incorporate patch to fix double-free in the KDC (CVE-2010-1320, #581922)
+
 * Wed Apr 14 2010 Nalin Dahyabhai 1.8.1-2
 - fix a typo in kerberos.ldif
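Review bot: The two added `enc_tkt_reply.authorization_data = NULL;` lines reset a single pointer in a struct that is otherwise a shallow copy of `*header_ticket->enc_part2`, and nothing in the hunk says why that member alone must not stay shared, so a later maintainer could mistake the assignment for a leak and remove it. I would put a comment above each of the two assignments along the lines of `/* enc_tkt_reply is a shallow copy of the header ticket's enc_part2; drop the shared authorization_data pointer so it is not freed a second time (CVE-2010-1320, MIT advisory 2010-004). */`. Whether the other pointer members of the copy are ever released through enc_tkt_reply is not visible here, and the enclosing function starts and ends outside both hunks. Separately, the listing shows the C lines with their leading indentation collapsed; if the checked-in file really lost that whitespace, `%patch72 -p1` will fail to apply, so the committed copy should be compared byte-for-byte against MIT's published patch (and its detached signature, if one is provided) before the build is trusted.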
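Review bot: The new `Patch72:` line identifies the security fix by a plain-http URL, which records provenance but gives the build no integrity anchor; rpmbuild applies the checked-in 2010-004-patch.txt by basename, and nothing in the spec ties that local copy to what MIT actually published. I would add a comment above it recording how the import was verified, e.g. `# CVE-2010-1320 (#581922); content verified against MIT advisory 2010-004 before import`, and mention the detached signature if one was checked. Since the file is not fetched at build time, switching the URL to https would document intent but not by itself close the gap.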