rpms/krb5/devel krb5-trunk-server_delegation.patch, NONE, 1.1 krb5.spec, 1.137, 1.138

Nalin Somabhai Dahyabhai (nalin) fedora-extras-commits at redhat.com
Mon Oct 1 19:41:22 UTC 2007 

Author: nalin

Update of /cvs/pkgs/rpms/krb5/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28827

Modified Files:
	krb5.spec 
Added Files:
	krb5-trunk-server_delegation.patch 
Log Message:
- proposed patch to fix receipt of delegated creds in mod_auth_kerb


krb5-trunk-server_delegation.patch:

--- NEW FILE krb5-trunk-server_delegation.patch ---
If the application calling gss_accept_sec_context() doesn't pass a value
for ret_flags, we'd never be able to check if credentials had been delegated.

The passed-in ret_flags value is a pointer to a bitfield, so the comparision
as-written was not likely to work as expected.

Index: src/lib/gssapi/mechglue/g_accept_sec_context.c
===================================================================
--- src/lib/gssapi/mechglue/g_accept_sec_context.c	(revision 20038)
+++ src/lib/gssapi/mechglue/g_accept_sec_context.c	(working copy)
@@ -112,6 +112,7 @@
 
 {
     OM_uint32		status, temp_status, temp_minor_status;
+    OM_uint32		temp_ret_flags = 0;
     gss_union_ctx_id_t	union_ctx_id;
     gss_union_cred_t	union_cred;
     gss_cred_id_t	input_cred_handle = GSS_C_NO_CREDENTIAL;
@@ -202,7 +203,7 @@
 						  &internal_name,
 						  mech_type,
 						  output_token,
-						  ret_flags,
+						  &temp_ret_flags,
 						  time_rec,
 					d_cred ? &tmp_d_cred : NULL);
 
@@ -248,7 +249,7 @@
 	    }
 
 	    /* Ensure we're returning correct creds format */
-	    if ((ret_flags && GSS_C_DELEG_FLAG) &&
+	    if ((temp_ret_flags & GSS_C_DELEG_FLAG) &&
 		tmp_d_cred != GSS_C_NO_CREDENTIAL) {
 		gss_union_cred_t d_u_cred = NULL;
 
@@ -335,6 +336,8 @@
 	    if (src_name == NULL && tmp_src_name != NULL)
 		(void) gss_release_name(&temp_minor_status,
 					&tmp_src_name);
+	    if (ret_flags != NULL)
+		*ret_flags = temp_ret_flags;
 	    return	(status);
     } else {
 


Index: krb5.spec
===================================================================
RCS file: /cvs/pkgs/rpms/krb5/devel/krb5.spec,v
retrieving revision 1.137
retrieving revision 1.138
diff -u -r1.137 -r1.138
--- krb5.spec	17 Sep 2007 20:47:02 -0000	1.137
+++ krb5.spec	1 Oct 2007 19:40:47 -0000	1.138
@@ -14,7 +14,7 @@
 Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.6.2
-Release: 8%{?dist}
+Release: 9%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -92,6 +92,7 @@
 Patch62: krb5-any-fixup-patch.txt
 Patch63: krb5-1.6.1-selinux-label.patch
 Patch64: krb5-ok-as-delegate.patch
+Patch67: krb5-trunk-server_delegation.patch
 
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
@@ -208,6 +209,10 @@
 %endif
 
 %changelog
+* Mon Oct  1 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.2-9
+- apply the fix for CVE-2007-4000 instead of the experimental patch for
+  setting ok-as-delegate flags
+
 * Tue Sep 11 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.2-8
 - move the db2 kdb plugin from -server to -libs, because a multilib libkdb
   might need it
@@ -1226,14 +1231,15 @@
 %patch51 -p0 -b .ldap_init
 %patch52 -p0 -b .ldap_man
 %patch53 -p1 -b .nodeplibs
-%patch64 -p0 -b .2007-3999-2
-%patch65 -p0 -b .2007-4000
+%patch65 -p0 -b .2007-3999-2
+%patch66 -p0 -b .2007-4000
 #%patch55 -p1 -b .empty
 #%patch56 -p1 -b .doublelog
 #%patch57 -p1 -b .login_chdir
 #%patch58 -p1 -b .key_exp
 #%patch59 -p0 -b .kpasswd_tcp
 #%patch64 -p0 -b .ok-as-delegate
+#%patch67 -p0 -b .server-delegation
 cp src/krb524/README README.krb524
 gzip doc/*.ps

More information about the fedora-extras-commits mailing list