[krb5/f18] keep track of the message type of FAST requests
Nalin Dahyabhai
nalin at fedoraproject.org
Mon Apr 15 14:41:45 UTC 2013
commit 3e24d2995e0044799296e905f6669f4909fc884f
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Mon Apr 15 10:40:48 2013 -0400
keep track of the message type of FAST requests
- pull fix for keeping track of the message type when parsing FAST requests in
the KDC (RT#7605, #951964)
krb5-fast-msg_type.patch | 30 ++++++++++++++++++++++++++++++
krb5.spec | 8 +++++++-
2 files changed, 37 insertions(+), 1 deletions(-)
---
diff --git a/krb5-fast-msg_type.patch b/krb5-fast-msg_type.patch
new file mode 100644
index 0000000..392860f
--- /dev/null
+++ b/krb5-fast-msg_type.patch
@@ -0,0 +1,30 @@
+Modified to apply to 1.10.3.
+
+commit 3fbdcd0965180b46c545187e7784350340ae88ee
+Author: Greg Hudson <ghudson at mit.edu>
+Date: Fri Apr 12 16:28:14 2013 -0400
+
+ Set msg_type when decoding FAST requests
+
+ An RFC 6113 KrbFastReq contains a padata sequence and a KDC-REQ-BODY,
+ neither of which contain the msg-type field found in a KDC-REQ. So
+ when we decode the FAST request, the resulting krb5_kdc_req structure
+ has a msg_type of 0. Copy msg_type from the outer body, since we make
+ use of it in further KDC processing.
+
+ ticket: 7605 (new)
+ target_version: 1.11.3
+ tags: pullup
+
+diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
+index 40c5783..4fa36c6 100644
+--- a/src/kdc/fast_util.c
++++ b/src/kdc/fast_util.c
+@@ -239,6 +239,7 @@ kdc_find_fast(krb5_kdc_req **requestptr,
+ KRB5_PADATA_FX_COOKIE);
+ if (retval == 0) {
+ state->fast_options = fast_req->fast_options;
++ fast_req->req_body->msg_type = request->msg_type;
+ krb5_free_kdc_req( kdc_context, request);
+ *requestptr = fast_req->req_body;
+ fast_req->req_body = NULL;
diff --git a/krb5.spec b/krb5.spec
index 722ab4c..384444e 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -29,7 +29,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.10.3
-Release: 15%{?dist}
+Release: 16%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.3-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -91,6 +91,7 @@ Patch114: krb5-1.10-pkinit-null.patch
Patch115: krb5-lookup_etypes-leak.patch
Patch116: krb5-1.10-pkinit-agility.patch
Patch117: krb5-1.10-CVE-2013-1416.patch
+Patch118: krb5-fast-msg_type.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -296,6 +297,7 @@ ln -s NOTICE LICENSE
%patch115 -p1 -b .lookup_etypes-leak
%patch116 -p1 -b .pkinit-agility
%patch117 -p1 -b .CVE-2013-1416
+%patch118 -p1 -b .fast-msg_type
rm src/lib/krb5/krb/deltat.c
gzip doc/*.ps
@@ -862,6 +864,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Mon Apr 15 2013 Nalin Dahyabhai <nalin at redhat.com> 1.10.3-16
+- pull fix for keeping track of the message type when parsing FAST requests in
+ the KDC (RT#7605, #951964)
+
* Tue Apr 9 2013 Nalin Dahyabhai <nalin at redhat.com> 1.10.3-15
- incorporate upstream patch to fix a NULL pointer dereference while processing
certain TGS requests (CVE-2013-1416, #949984/#949987)
More information about the scm-commits
mailing list