[krb5] - turn off NSS as the backend for libk5crypto for now to work around its DES string2key not workin
Nalin Dahyabhai
nalin at fedoraproject.org
Tue Mar 15 18:24:45 UTC 2011
commit 41bc7a0e629d558fe3f7957fa29ec9e7f9c1463a
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Tue Mar 15 14:25:01 2011 -0400
- turn off NSS as the backend for libk5crypto for now to work around its
DES string2key not working (#679012)
- add revised upstream patch to fix double-free in KDC while returning
typed-data with errors (CVE-2011-0284, #674325)
2011-003-patch.txt | 13 +++++++++++++
krb5.spec | 12 ++++++++++--
2 files changed, 23 insertions(+), 2 deletions(-)
---
diff --git a/2011-003-patch.txt b/2011-003-patch.txt
new file mode 100644
index 0000000..c977275
--- /dev/null
+++ b/2011-003-patch.txt
@@ -0,0 +1,13 @@
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 46b5fa1..464cb6e 100644
+--- a/src/kdc/do_as_req.c
++++ b/src/kdc/do_as_req.c
+@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
+ pad->contents = td[size]->data;
+ pad->length = td[size]->length;
+ pa[size] = pad;
++ td[size]->data = NULL;
++ td[size]->length = 0;
+ }
+ krb5_free_typed_data(kdc_context, td);
+ }
diff --git a/krb5.spec b/krb5.spec
index df2beaa..705d149 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -1,12 +1,12 @@
%global WITH_LDAP 1
%global WITH_OPENSSL 1
-%global WITH_NSS 1
+%global WITH_NSS 0
%global WITH_DIRSRV 1
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.9
-Release: 6%{?dist}
+Release: 7%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -52,6 +52,7 @@ Patch72: krb5-pkinit-cms2.patch
Patch73: http://web.mit.edu/kerberos/advisories/2011-001-patch.txt
Patch74: http://web.mit.edu/kerberos/advisories/2011-002-patch.txt
Patch75: krb5-pkinit-debug.patch
+Patch76: http://web.mit.edu/kerberos/advisories/2011-003-patch.txt
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -195,6 +196,7 @@ ln -s NOTICE LICENSE
%patch73 -p1 -b .2011-001
%patch74 -p1 -b .2011-002
#%patch75 -p1 -b .pkinit-debug
+%patch76 -p1 -b .2011-003
gzip doc/*.ps
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -653,6 +655,12 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Tue Mar 15 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9-7
+- turn off NSS as the backend for libk5crypto for now to work around its
+ DES string2key not working (#679012)
+- add revised upstream patch to fix double-free in KDC while returning
+ typed-data with errors (CVE-2011-0284, #674325)
+
* Thu Feb 17 2011 Nalin Dahyabhai <nalin at redhat.com>
- throw in a not-applied-by-default patch to try to make pkinit debugging
into a run-time boolean option named "pkinit_debug"
More information about the scm-commits
mailing list