From f51ed46fff6299a429187b622d3b1b2dc43934be Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 7 Apr 2009 18:16:28 +0000
Subject: [PATCH] - remove obsolete patch for CVE-2009-0845 - add patches for read overflow and null pointer dereference in the implementation of the SPNEGO mechanism (CVE-2009-0844, CVE-2009-0845) - add patch for attempt to free uninitialized pointer in libkrb5 (CVE-2009-0846) - add patch to fix length validation bug in libkrb5 (CVE-2009-0847)
---
krb5-1.6.3-spnego-crash.patch | 16 ----------------
krb5.spec | 24 ++++++++++++++++++------
2 files changed, 18 insertions(+), 22 deletions(-)
delete mode 100644 krb5-1.6.3-spnego-crash.patch
diff --git a/krb5-1.6.3-spnego-crash.patch b/krb5-1.6.3-spnego-crash.patch
deleted file mode 100644
index 1b2c8ee..0000000
--- a/krb5-1.6.3-spnego-crash.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Upstream change #22099, triggered by report from Marcus Granado, fix by Tom Yu.
-In a nutshell, when return_token is neither NO_TOKEN_SEND nor CHECK_MIC, we
-might still not want a reply token, for example if it's ERROR_TOKEN_SEND.
-diff -up src/lib/gssapi/spnego/spnego_mech.c src/lib/gssapi/spnego/spnego_mech.c
---- src/lib/gssapi/spnego/spnego_mech.c 2009-03-17 16:47:10.000000000 -0400
-+++ src/lib/gssapi/spnego/spnego_mech.c 2009-03-17 16:47:14.000000000 -0400
-@@ -1248,7 +1248,8 @@ spnego_gss_accept_sec_context(void *ct,
- &negState, &return_token);
- }
- cleanup:
-- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
-+ if (return_token == INIT_TOKEN_SEND ||
-+ return_token == CONT_TOKEN_SEND) {
- tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech,
- &mechtok_out, mic_out,
- return_token,
diff --git a/krb5.spec b/krb5.spec
index 0d32436..daa101b 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -13,7 +13,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.6.3 -Release: 100%{?dist} +Release: 101%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar Source0: krb5-%{version}.tar.gz @@ -97,7 +97,9 @@ Patch77: krb5-CVE-2007-5971.patch Patch78: krb5-1.6.3-lucid-acceptor.patch Patch79: krb5-trunk-ftp_mget_case.patch Patch80: krb5-trunk-preauth-master.patch -Patch81: krb5-1.6.3-spnego-crash.patch +Patch82: krb5-CVE-2009-0844-0845-2.patch +Patch83: krb5-CVE-2009-0846.patch +Patch84: krb5-CVE-2009-0847.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -226,6 +228,15 @@ to obtain initial credentials from a KDC using a private key and a certificate. %changelog +* Tue Apr 7 2009 Nalin Dahyabhai 1.6.3-101 +- add patches for read overflow and null pointer dereference in the + implementation of the SPNEGO mechanism (CVE-2009-0844, CVE-2009-0845) +- add patch for attempt to free uninitialized pointer in libkrb5 + (CVE-2009-0846) +- add patch to fix length validation bug in libkrb5 (CVE-2009-0847) +- put the krb5-user .info file into just -workstation and not also + -workstation-clients + * Mon Apr 6 2009 Nalin Dahyabhai 1.6.3-100 - turn off krb4 support (it won't be part of the 1.7 release, but do it now) - use triggeruns to properly shut down and disable krb524d when -server and @@ -1212,7 +1223,7 @@ certificate. - apply second set of buffer overflow fixes from Tom Yu - fix from Dirk Husung for a bug in buffer cleanups in the test suite - work around possibly broken rev binary in running test suite -- move default realm configs from /var/kerberos to %{_var}/kerberos +- move default realm configs from /var/kerberos to %%{_var}/kerberos * Tue Jun 6 2000 Nalin Dahyabhai - make ksu and v4rcp owned by root 
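Review bot: The three files named by the new `Patch82`–`Patch84` lines (`krb5-CVE-2009-0844-0845-2.patch`, `krb5-CVE-2009-0846.patch`, `krb5-CVE-2009-0847.patch`) are not added by this commit; the diffstat lists only krb5.spec and the deleted krb5-1.6.3-spnego-crash.patch. Unless they are already in the tree, %prep will fail, so they should land together with this change. The dropped Patch81 carried the `return_token == INIT_TOKEN_SEND || return_token == CONT_TOKEN_SEND` guard for the SPNEGO acceptor, and because the replacement is not visible here it is worth confirming that `krb5-CVE-2009-0844-0845-2.patch` still contains it; a spec comment above Patch82 such as `# supersedes krb5-1.6.3-spnego-crash.patch (CVE-2009-0845)` would record that. The same applies to the `%patch82`–`%patch84` lines in the %prep hunk, which also move from `-p0` to `-p1`, so the new patches must carry one extra leading path component.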
@@ -1408,7 +1419,9 @@ popd %patch78 -p0 -b .lucid_acceptor %patch79 -p0 -b .ftp_mget_case %patch80 -p0 -b .preauth_master -%patch81 -p0 -b .spnego-crash +%patch82 -p1 -b .CVE-2009-0844-0845-2 +%patch83 -p1 -b .CVE-2009-0846 +%patch84 -p1 -b .CVE-2009-0847 gzip doc/*.ps sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex @@ -1674,7 +1687,7 @@ exit 0 /sbin/install-info %{_infodir}/krb5-user.info %{_infodir}/dir exit 0 -%preun workstation +%postun workstation if [ "$1" -eq "0" ] ; then /sbin/install-info --delete %{_infodir}/krb5-user.info %{_infodir}/dir fi @@ -1730,7 +1743,6 @@ exit 0 %docdir %{krb5prefix}/man %doc doc/{ftp,rcp,rlogin,rsh,telnet}.html %attr(0755,root,root) %doc src/config-files/convert-config-files -%{_infodir}/krb5-user.info* %dir %{krb5prefix} %dir %{krb5prefix}/bin
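Review bot: Renaming the scriptlet from `%preun workstation` to `%postun workstation` makes `/sbin/install-info --delete` run after the package's files have been erased, so on a final uninstall (`$1` equal to 0) `%{_infodir}/krb5-user.info` is presumably no longer on disk. As far as I know install-info reads that file to find the entry to drop, so the stale entry may be left in `%{_infodir}/dir` and the command may exit non-zero. Keeping this as `%preun workstation` avoids both. If %postun is intended, guard the call with `/sbin/install-info --delete %{_infodir}/krb5-user.info %{_infodir}/dir || :` and add a comment saying why it has to run after erase. The scriptlet body continues outside the hunk.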