- remove obsolete patch for CVE-2009-0845

- add patches for read overflow and null pointer dereference in the
    implementation of the SPNEGO mechanism (CVE-2009-0844, CVE-2009-0845)
- add patch for attempt to free uninitialized pointer in libkrb5
    (CVE-2009-0846)
- add patch to fix length validation bug in libkrb5 (CVE-2009-0847)
This commit is contained in:
Nalin Dahyabhai 2009-04-07 18:16:28 +00:00
parent ebb2e9030e
commit f51ed46fff
2 changed files with 18 additions and 22 deletions

View File

@ -1,16 +0,0 @@
Upstream change #22099, triggered by report from Marcus Granado, fix by Tom Yu.
In a nutshell, when return_token is neither NO_TOKEN_SEND nor CHECK_MIC, we
might still not want a reply token, for example if it's ERROR_TOKEN_SEND.
diff -up src/lib/gssapi/spnego/spnego_mech.c src/lib/gssapi/spnego/spnego_mech.c
--- src/lib/gssapi/spnego/spnego_mech.c 2009-03-17 16:47:10.000000000 -0400
+++ src/lib/gssapi/spnego/spnego_mech.c 2009-03-17 16:47:14.000000000 -0400
@@ -1248,7 +1248,8 @@ spnego_gss_accept_sec_context(void *ct,
&negState, &return_token);
}
cleanup:
- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
+ if (return_token == INIT_TOKEN_SEND ||
+ return_token == CONT_TOKEN_SEND) {
tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech,
&mechtok_out, mic_out,
return_token,

View File

@ -13,7 +13,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.6.3
Release: 100%{?dist}
Release: 101%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
Source0: krb5-%{version}.tar.gz
@ -97,7 +97,9 @@ Patch77: krb5-CVE-2007-5971.patch
Patch78: krb5-1.6.3-lucid-acceptor.patch
Patch79: krb5-trunk-ftp_mget_case.patch
Patch80: krb5-trunk-preauth-master.patch
Patch81: krb5-1.6.3-spnego-crash.patch
Patch82: krb5-CVE-2009-0844-0845-2.patch
Patch83: krb5-CVE-2009-0846.patch
Patch84: krb5-CVE-2009-0847.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -226,6 +228,15 @@ to obtain initial credentials from a KDC using a private key and a
certificate.
%changelog
* Tue Apr 7 2009 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-101
- add patches for read overflow and null pointer dereference in the
implementation of the SPNEGO mechanism (CVE-2009-0844, CVE-2009-0845)
- add patch for attempt to free uninitialized pointer in libkrb5
(CVE-2009-0846)
- add patch to fix length validation bug in libkrb5 (CVE-2009-0847)
- put the krb5-user .info file into just -workstation and not also
-workstation-clients
* Mon Apr 6 2009 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-100
- turn off krb4 support (it won't be part of the 1.7 release, but do it now)
- use triggeruns to properly shut down and disable krb524d when -server and
@ -1212,7 +1223,7 @@ certificate.
- apply second set of buffer overflow fixes from Tom Yu
- fix from Dirk Husung for a bug in buffer cleanups in the test suite
- work around possibly broken rev binary in running test suite
- move default realm configs from /var/kerberos to %{_var}/kerberos
- move default realm configs from /var/kerberos to %%{_var}/kerberos
* Tue Jun 6 2000 Nalin Dahyabhai <nalin@redhat.com>
- make ksu and v4rcp owned by root
@ -1408,7 +1419,9 @@ popd
%patch78 -p0 -b .lucid_acceptor
%patch79 -p0 -b .ftp_mget_case
%patch80 -p0 -b .preauth_master
%patch81 -p0 -b .spnego-crash
%patch82 -p1 -b .CVE-2009-0844-0845-2
%patch83 -p1 -b .CVE-2009-0846
%patch84 -p1 -b .CVE-2009-0847
gzip doc/*.ps
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@ -1674,7 +1687,7 @@ exit 0
/sbin/install-info %{_infodir}/krb5-user.info %{_infodir}/dir
exit 0
%preun workstation
%postun workstation
if [ "$1" -eq "0" ] ; then
/sbin/install-info --delete %{_infodir}/krb5-user.info %{_infodir}/dir
fi
@ -1730,7 +1743,6 @@ exit 0
%docdir %{krb5prefix}/man
%doc doc/{ftp,rcp,rlogin,rsh,telnet}.html
%attr(0755,root,root) %doc src/config-files/convert-config-files
%{_infodir}/krb5-user.info*
%dir %{krb5prefix}
%dir %{krb5prefix}/bin