Accepting request 35618 from home:mcalmer:branches:network

Copy from home:mcalmer:branches:network/krb5 via accept of submit request 35618 revision 2. Request was accepted with message: OBS-URL: https://build.opensuse.org/request/show/35618 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=14
2010-03-24 09:00:53 +00:00 · 2010-03-24 09:00:53 +00:00 · 28dc0dd056
commit 28dc0dd056
parent f9e6d882fd
6 changed files with 93 additions and 2 deletions
--- a/krb5-1.7-MITKRB5-SA-2010-002.dif
+++ b/krb5-1.7-MITKRB5-SA-2010-002.dif
@ -0,0 +1,71 @@
+Index: src/lib/gssapi/spnego/spnego_mech.c
+===================================================================
+--- src/lib/gssapi/spnego/spnego_mech.c.orig
+++ src/lib/gssapi/spnego/spnego_mech.c
+@@ -1576,7 +1576,7 @@ spnego_gss_accept_sec_context(
+ 	spnego_gss_ctx_id_t sc = NULL;
+ 	spnego_gss_cred_id_t spcred = NULL;
+ 	OM_uint32 mechstat = GSS_S_FAILURE;
+-	int sendTokenInit = 0;
+	int sendTokenInit = 0, tmpret;
+ 
+ 	mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER;
+ 
+@@ -1609,7 +1609,6 @@ spnego_gss_accept_sec_context(
+ 		if (delegated_cred_handle != NULL)
+ 			*delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+ 		if (input_token->length == 0) {
+-			sendTokenInit = 1;
+ 			ret = acc_ctx_hints(minor_status,
+ 					    context_handle, spcred,
+ 					    &mic_out,
+@@ -1617,6 +1616,7 @@ spnego_gss_accept_sec_context(
+ 					    &return_token);
+ 			if (ret != GSS_S_COMPLETE)
+ 				goto cleanup;
+			sendTokenInit = 1;
+ 			ret = GSS_S_CONTINUE_NEEDED;
+ 		} else {
+ 			/* Can set negState to REQUEST_MIC */
+@@ -1664,27 +1664,21 @@ spnego_gss_accept_sec_context(
+ 				 &negState, &return_token);
+ 	}
+ cleanup:
+-	if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
+-		/* For acceptor-sends-first send a tokenInit */
+-		int tmpret;
+-
+	if (return_token == INIT_TOKEN_SEND && sendTokenInit) {
+ 		assert(sc != NULL);
+-
+-		if (sendTokenInit) {
+-			tmpret = make_spnego_tokenInit_msg(sc,
+-							   1,
+-							   mic_out,
+-							   0,
+-							   GSS_C_NO_BUFFER,
+-							   return_token,
+-							   output_token);
+-		} else {
+-			tmpret = make_spnego_tokenTarg_msg(negState,
+-							   sc ? sc->internal_mech : GSS_C_NO_OID,
+-							   &mechtok_out, mic_out,
+-							   return_token,
+-							   output_token);
+-		}
+		tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0,
+						   GSS_C_NO_BUFFER,
+						   return_token, output_token);
+		if (tmpret < 0)
+			ret = GSS_S_FAILURE;
+	} else if (return_token != NO_TOKEN_SEND &&
+		   return_token != CHECK_MIC) {
+		tmpret = make_spnego_tokenTarg_msg(negState,
+						   sc ? sc->internal_mech :
+						   GSS_C_NO_OID,
+						   &mechtok_out, mic_out,
+						   return_token,
+						   output_token);
+ 		if (tmpret < 0)
+ 			ret = GSS_S_FAILURE;
+ 	}
--- a/krb5-1.8-POST.dif
+++ b/krb5-1.8-POST.dif
@ -179,7 +179,7 @@ Index: src/lib/gssapi/spnego/spnego_mech.c
 ===================================================================
 --- src/lib/gssapi/spnego/spnego_mech.c.orig
 +++ src/lib/gssapi/spnego/spnego_mech.c
-@@ -1693,6 +1693,7 @@ cleanup:
+@@ -1687,6 +1687,7 @@ cleanup:
 		if (sc->internal_name != GSS_C_NO_NAME &&
 		    src_name != NULL) {
 			*src_name = sc->internal_name;
@ -187,7 +187,7 @@ Index: src/lib/gssapi/spnego/spnego_mech.c
 		}
 		release_spnego_ctx(&sc);
 	} else if (ret != GSS_S_CONTINUE_NEEDED) {
-@@ -2578,6 +2579,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t *
+@@ -2572,6 +2573,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t *
 		(void) generic_gss_release_oid(&minor_stat,
 				&context->internal_mech);
 
--- a/krb5-mini.changes
+++ b/krb5-mini.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Mar 23 14:32:41 CET 2010 - mc@suse.de
+
+- fix a bug where an unauthenticated remote attacker could cause
+  a GSS-API application including the Kerberos administration
+  daemon (kadmind) to crash.
+  CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) 
+
 -------------------------------------------------------------------
 Tue Mar 23 12:33:26 CET 2010 - mc@suse.de

--- a/krb5-mini.spec
+++ b/krb5-mini.spec
@ -55,6 +55,7 @@ Patch34:        krb5-1.6.3-gssapi_improve_errormessages.dif
 Patch41:        krb5-1.6.3-kpasswd_tcp.patch
 Patch44:        krb5-1.6.3-ktutil-manpage.dif
 Patch46:        krb5-1.6.3-fix-ipv6-query.dif
+Patch47:        krb5-1.7-MITKRB5-SA-2010-002.dif
 Patch50:        krb5-1.8-POST.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
@ -203,6 +204,7 @@ Authors:
 %patch41 
 %patch44 -p1
 %patch46 -p1
+%patch47
 %patch50
 # Rename the man pages so that they'll get generated correctly.
 pushd src
--- a/krb5.changes
+++ b/krb5.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Mar 23 14:32:41 CET 2010 - mc@suse.de
+
+- fix a bug where an unauthenticated remote attacker could cause
+  a GSS-API application including the Kerberos administration
+  daemon (kadmind) to crash.
+  CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) 
+
 -------------------------------------------------------------------
 Tue Mar 23 12:33:26 CET 2010 - mc@suse.de

--- a/krb5.spec
+++ b/krb5.spec
@ -55,6 +55,7 @@ Patch34:        krb5-1.6.3-gssapi_improve_errormessages.dif
 Patch41:        krb5-1.6.3-kpasswd_tcp.patch
 Patch44:        krb5-1.6.3-ktutil-manpage.dif
 Patch46:        krb5-1.6.3-fix-ipv6-query.dif
+Patch47:        krb5-1.7-MITKRB5-SA-2010-002.dif
 Patch50:        krb5-1.8-POST.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
@ -203,6 +204,7 @@ Authors:
 %patch41 
 %patch44 -p1
 %patch46 -p1
+%patch47
 %patch50
 # Rename the man pages so that they'll get generated correctly.
 pushd src