rpms/krb5/devel krb5-trunk-server_delegation.patch, NONE, 1.1 krb5.spec, 1.137, 1.138
Nalin Somabhai Dahyabhai (nalin)
fedora-extras-commits at redhat.com
Mon Oct 1 19:41:22 UTC 2007
Author: nalin
Update of /cvs/pkgs/rpms/krb5/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28827
Modified Files:
krb5.spec
Added Files:
krb5-trunk-server_delegation.patch
Log Message:
- proposed patch to fix receipt of delegated creds in mod_auth_kerb
krb5-trunk-server_delegation.patch:
--- NEW FILE krb5-trunk-server_delegation.patch ---
If the application calling gss_accept_sec_context() doesn't pass a value
for ret_flags, we'd never be able to check if credentials had been delegated.
The passed-in ret_flags value is a pointer to a bitfield, so the comparision
as-written was not likely to work as expected.
Index: src/lib/gssapi/mechglue/g_accept_sec_context.c
===================================================================
--- src/lib/gssapi/mechglue/g_accept_sec_context.c (revision 20038)
+++ src/lib/gssapi/mechglue/g_accept_sec_context.c (working copy)
@@ -112,6 +112,7 @@
{
OM_uint32 status, temp_status, temp_minor_status;
+ OM_uint32 temp_ret_flags = 0;
gss_union_ctx_id_t union_ctx_id;
gss_union_cred_t union_cred;
gss_cred_id_t input_cred_handle = GSS_C_NO_CREDENTIAL;
@@ -202,7 +203,7 @@
&internal_name,
mech_type,
output_token,
- ret_flags,
+ &temp_ret_flags,
time_rec,
d_cred ? &tmp_d_cred : NULL);
@@ -248,7 +249,7 @@
}
/* Ensure we're returning correct creds format */
- if ((ret_flags && GSS_C_DELEG_FLAG) &&
+ if ((temp_ret_flags & GSS_C_DELEG_FLAG) &&
tmp_d_cred != GSS_C_NO_CREDENTIAL) {
gss_union_cred_t d_u_cred = NULL;
@@ -335,6 +336,8 @@
if (src_name == NULL && tmp_src_name != NULL)
(void) gss_release_name(&temp_minor_status,
&tmp_src_name);
+ if (ret_flags != NULL)
+ *ret_flags = temp_ret_flags;
return (status);
} else {
Index: krb5.spec
===================================================================
RCS file: /cvs/pkgs/rpms/krb5/devel/krb5.spec,v
retrieving revision 1.137
retrieving revision 1.138
diff -u -r1.137 -r1.138
--- krb5.spec 17 Sep 2007 20:47:02 -0000 1.137
+++ krb5.spec 1 Oct 2007 19:40:47 -0000 1.138
@@ -14,7 +14,7 @@
Summary: The Kerberos network authentication system.
Name: krb5
Version: 1.6.2
-Release: 8%{?dist}
+Release: 9%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -92,6 +92,7 @@
Patch62: krb5-any-fixup-patch.txt
Patch63: krb5-1.6.1-selinux-label.patch
Patch64: krb5-ok-as-delegate.patch
+Patch67: krb5-trunk-server_delegation.patch
License: MIT, freely distributable.
URL: http://web.mit.edu/kerberos/www/
@@ -208,6 +209,10 @@
%endif
%changelog
+* Mon Oct 1 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.2-9
+- apply the fix for CVE-2007-4000 instead of the experimental patch for
+ setting ok-as-delegate flags
+
* Tue Sep 11 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.2-8
- move the db2 kdb plugin from -server to -libs, because a multilib libkdb
might need it
@@ -1226,14 +1231,15 @@
%patch51 -p0 -b .ldap_init
%patch52 -p0 -b .ldap_man
%patch53 -p1 -b .nodeplibs
-%patch64 -p0 -b .2007-3999-2
-%patch65 -p0 -b .2007-4000
+%patch65 -p0 -b .2007-3999-2
+%patch66 -p0 -b .2007-4000
#%patch55 -p1 -b .empty
#%patch56 -p1 -b .doublelog
#%patch57 -p1 -b .login_chdir
#%patch58 -p1 -b .key_exp
#%patch59 -p0 -b .kpasswd_tcp
#%patch64 -p0 -b .ok-as-delegate
+#%patch67 -p0 -b .server-delegation
cp src/krb524/README README.krb524
gzip doc/*.ps
More information about the fedora-extras-commits
mailing list