rpms/krb5/F-8 krb5-CVE-2007-5901.patch, NONE, 1.1 krb5-CVE-2007-5971.patch, NONE, 1.1 krb5-CVE-2008-0062, 0063.patch, NONE, 1.1 krb5-CVE-2008-0947.patch, NONE, 1.1 krb5.spec, 1.152, 1.153

Nalin Somabhai Dahyabhai (nalin) fedora-extras-commits at redhat.com
Tue Mar 18 18:13:51 UTC 2008


Author: nalin

Update of /cvs/pkgs/rpms/krb5/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29556/F-8

Modified Files:
	krb5.spec 
Added Files:
	krb5-CVE-2007-5901.patch krb5-CVE-2007-5971.patch 
	krb5-CVE-2008-0062,0063.patch krb5-CVE-2008-0947.patch 
Log Message:
- add fixes from MITKRB5-SA-2008-001 for use of null or dangling pointer
  when v4 compatibility is enabled on the KDC (CVE-2008-0062, CVE-2008-0063,
  #432620, #432621)
- add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when
  high-numbered descriptors are used (CVE-2008-0947, #433596)
- add backport bug fix for an attempt to free non-heap memory in
  libgssapi_krb5 (CVE-2007-5901, #415321)
- add backport bug fix for a double-free in out-of-memory situations in
  libgssapi_krb5 (CVE-2007-5971, #415351)


krb5-CVE-2007-5901.patch:

--- NEW FILE krb5-CVE-2007-5901.patch ---
Patch for CVE-2007-5901, pulled from SVN per #415321.
diff -up src/lib/gssapi/mechglue/g_initialize.c src/lib/gssapi/mechglue/g_initialize.c
--- src/lib/gssapi/mechglue/g_initialize.c	2008-03-04 16:29:13.000000000 -0500
+++ src/lib/gssapi/mechglue/g_initialize.c	2008-03-04 16:29:16.000000000 -0500
@@ -210,7 +210,7 @@ gss_OID_set *mechSet;
 				free((*mechSet)->elements[j].elements);
 			}
 			free((*mechSet)->elements);
-			free(mechSet);
+			free(*mechSet);
 			*mechSet = NULL;
 			return (GSS_S_FAILURE);
 		}
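Review bot: The corrected `free(*mechSet)` removes the invalid free, but nothing at this site says why `mechSet` itself must never be passed to `free`, so the original bug is easy to reintroduce for a reader who sees a pointer and a `free`. A one-line comment would carry the invariant, e.g. `/* mechSet is the caller's out-parameter; only *mechSet is heap memory (CVE-2007-5901) */`. The enclosing function and the loop that frees `elements[j].elements` begin above the hunk, so whether every element released on this path was actually allocated is not visible here.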

krb5-CVE-2007-5971.patch:

--- NEW FILE krb5-CVE-2007-5971.patch ---
Patch for CVE-2007-5971, pulled from SVN per #415351.
diff -up src/lib/gssapi/krb5/k5sealv3.c src/lib/gssapi/krb5/k5sealv3.c
--- src/lib/gssapi/krb5/k5sealv3.c	2008-03-04 16:22:29.000000000 -0500
+++ src/lib/gssapi/krb5/k5sealv3.c	2008-03-04 16:22:22.000000000 -0500
@@ -248,7 +248,6 @@ gss_krb5int_make_seal_token_v3 (krb5_con
 	plain.data = 0;
 	if (err) {
 	    zap(outbuf,bufsize);
-	    free(outbuf);
 	    goto error;
 	}
 	if (sum.length != ctx->cksum_size)
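Review bot: Dropping `free(outbuf)` makes this path rely on the `error:` label releasing `outbuf`, and that label lies outside the hunk, so the invariant should be stated where it is depended on. Suggest `/* outbuf is released once at error:; freeing it here as well was the CVE-2007-5971 double free */` beside `zap(outbuf, bufsize)`. Zeroing before the eventual free is the right order; the rest of `gss_krb5int_make_seal_token_v3` continues beyond this hunk.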

***** Not enough context to create diffstat for file: krb5-CVE-2008-0062,0063.patch,NONE,1.1
***** Not enough context to create diff for file: krb5-CVE-2008-0062,0063.patch,NONE,1.1
krb5-CVE-2008-0947.patch:

--- NEW FILE krb5-CVE-2008-0947.patch ---
Patch from MITKRB5-SA-2008-002.
=== src/lib/rpc/svc.c
==================================================================
--- src/lib/rpc/svc.c   (revision 1666)
+++ src/lib/rpc/svc.c   (local)
@@ -109,15 +109,17 @@
 	if (sock < FD_SETSIZE) {
 		xports[sock] = xprt;
 		FD_SET(sock, &svc_fdset);
+		if (sock > svc_maxfd)
+			svc_maxfd = sock;
 	}
 #else
 	if (sock < NOFILE) {
 		xports[sock] = xprt;
 		svc_fds |= (1 << sock);
+		if (sock > svc_maxfd)
+			svc_maxfd = sock;
 	}
 #endif /* def FD_SETSIZE */
-	if (sock > svc_maxfd)
-		svc_maxfd = sock;
 }
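Review bot: With the `svc_maxfd` update moved inside the bound check, a socket at or above `FD_SETSIZE` (or `NOFILE`) now leaves `xprt_register` with no registration, no diagnostic and no return value, so a caller cannot tell that the transport will never be dispatched. In this patch only `svc_tcp.c` gains a pre-check for high descriptors; whether other callers of `xprt_register` can still reach this silent path is not visible here. An `else` branch printing `(void) fprintf(stderr, "xprt_register: fd too high\n");` would at least match the messages svc_tcp.c emits. Separately, the pre-existing `svc_fds |= (1 << sock)` in the `NOFILE` branch is undefined when `sock` lands on the sign bit of an `int`; `1u << sock` would be safer if `svc_fds` is unsigned.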
  
 /*
=== src/lib/rpc/svc_tcp.c
==================================================================
--- src/lib/rpc/svc_tcp.c       (revision 1666)
+++ src/lib/rpc/svc_tcp.c       (local)
@@ -54,6 +54,14 @@
 extern errno;
 */
 
+#ifndef FD_SETSIZE
+#ifdef NBBY
+#define NOFILE (sizeof(int) * NBBY)
+#else
+#define NOFILE (sizeof(int) * 8)
+#endif
+#endif
+
 /*
  * Ops vector for TCP/IP based rpc service handle
  */
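Review bot: The fallback `#define NOFILE` is guarded only by `#ifndef FD_SETSIZE`, not by `#ifndef NOFILE`, so on a platform that lacks `FD_SETSIZE` but already defines `NOFILE` in a system header this is a macro redefinition, and the bound used by `makefd_xprt` may then differ from the one `svc.c` was compiled against. Nesting `#ifndef NOFILE` … `#endif` inside the existing guard avoids that. The value `sizeof(int) * NBBY` is presumably chosen to match the `int` bitmask `svc_fds` in svc.c, which is worth recording: `/* must match the bit width of svc_fds in svc.c */`.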
@@ -215,6 +223,19 @@
 	register SVCXPRT *xprt;
 	register struct tcp_conn *cd;
  
+#ifdef FD_SETSIZE
+	if (fd >= FD_SETSIZE) {
+		(void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+		xprt = NULL;
+		goto done;
+	}
+#else
+	if (fd >= NOFILE) {
+		(void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+		xprt = NULL;
+		goto done;
+	}
+#endif
 	xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT));
 	if (xprt == (SVCXPRT *)NULL) {
 		(void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n");
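Review bot: The two `#ifdef FD_SETSIZE` branches at the top of `makefd_xprt` are identical apart from the limit constant, duplicating the message, the `xprt = NULL` and the `goto done`, so the two preprocessor paths can drift apart. Defining the limit once and checking once keeps a single copy of the rejection path. The `done:` label and the remainder of `makefd_xprt` lie outside the hunk, so the cleanup reached by the new `goto` is not visible here.
```c
#ifdef FD_SETSIZE
#define SVC_FD_LIMIT FD_SETSIZE
#else
#define SVC_FD_LIMIT NOFILE
#endif
	/* … unchanged: locals xprt, cd … */
	if (fd >= SVC_FD_LIMIT) {
		(void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
		xprt = NULL;
		goto done;
	}
```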
@@ -271,6 +292,10 @@
 	 * make a new transporter (re-uses xprt)
 	 */
 	xprt = makefd_xprt(sock, r->sendsize, r->recvsize);
+	if (xprt == NULL) {
+		close(sock);
+		return (FALSE);
+	}
 	xprt->xp_raddr = addr;
 	xprt->xp_addrlen = len;
 	xprt->xp_laddr = laddr;
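Review bot: The new NULL branch now covers two distinct failures from `makefd_xprt` — a descriptor at or beyond the fd_set bound added by this patch and the pre-existing `mem_alloc` failure — and a reader of this call site cannot tell that both are already reported by `makefd_xprt` itself. A comment above `close(sock)` such as `/* makefd_xprt already logged why (fd too high or out of memory); drop the connection */` would say so. The enclosing function starts above the hunk, so whether `return (FALSE)` is what its caller expects after an accepted connection is dropped is not visible here.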


Index: krb5.spec
===================================================================
RCS file: /cvs/pkgs/rpms/krb5/F-8/krb5.spec,v
retrieving revision 1.152
retrieving revision 1.153
diff -u -r1.152 -r1.153
--- krb5.spec	18 Mar 2008 18:11:41 -0000	1.152
+++ krb5.spec	18 Mar 2008 18:13:07 -0000	1.153
@@ -96,6 +96,11 @@
 Patch69: krb5-1.6.1-gic_opt_chg_pwd_prmpt.patch
 Patch70: krb5-1.6.2-dirsrv-accountlock.patch
 
+Patch73: krb5-CVE-2008-0062,0063.patch
+Patch74: krb5-CVE-2008-0947.patch
+Patch75: krb5-CVE-2007-5901.patch
+Patch76: krb5-CVE-2007-5971.patch
+
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@@ -212,6 +217,15 @@
 
 %changelog
 * Tue Mar 18 2008 Nalin Dahyabhai <nalin at redhat.com> 1.6.2-14
+- add fixes from MITKRB5-SA-2008-001 for use of null or dangling pointer
+  when v4 compatibility is enabled on the KDC (CVE-2008-0062, CVE-2008-0063,
+  #432620, #432621)
+- add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when
+  high-numbered descriptors are used (CVE-2008-0947, #433596)
+- add backport bug fix for an attempt to free non-heap memory in
+  libgssapi_krb5 (CVE-2007-5901, #415321)
+- add backport bug fix for a double-free in out-of-memory situations in
+  libgssapi_krb5 (CVE-2007-5971, #415351)
 - fix calculation of the length of relative filenames when looking up the
   SELinux labels they should be given (Pawel Salek, #436345)
 
@@ -1284,6 +1298,10 @@
 %patch68 -p0 -b .spnego_delegation
 %patch69 -p1 -b .gic_opt_chg_pwd_prmpt
 %patch70 -p1 -b .dirsrv_accountlock
+%patch73 -p0 -b .2008-0062,0063
+%patch74 -p0 -b .2008-0947
+%patch75 -p0 -b .2007-5901
+%patch76 -p0 -b .2007-5971
 cp src/krb524/README README.krb524
 gzip doc/*.ps
 



