rpms/krb5/F-11 krb5.spec,1.191,1.192 krb5-1.6.1-pam.patch,1.7,1.8

Wed Mar 3 16:09:48 UTC 2010

Author: nalin

Update of /cvs/extras/rpms/krb5/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29800/F-11

Modified Files:
	krb5.spec krb5-1.6.1-pam.patch 
Log Message:
- fix a null pointer dereference and crash introduced in our PAM patch that
  would happen if ftpd was given the name of a user who wasn't known to the
  local system, limited to being triggerable by gssapi-authenticated clients by
  the default xinetd config (Olivier Fourdan, #569472)



Index: krb5.spec
===================================================================
RCS file: /cvs/extras/rpms/krb5/F-11/krb5.spec,v
retrieving revision 1.191
retrieving revision 1.192
diff -u -p -r1.191 -r1.192

--- krb5.spec	2 Mar 2010 23:02:44 -0000	1.191
+++ krb5.spec	3 Mar 2010 16:09:47 -0000	1.192
@@ -16,7 +16,7 @@
 Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.6.3
-Release: 26%{?dist}
+Release: 27%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -242,6 +242,12 @@ to obtain initial credentials from a KDC
 certificate.
 
 %changelog
+* Wed Mar  3 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.6.3-27
+- fix a null pointer dereference and crash introduced in our PAM patch that
+  would happen if ftpd was given the name of a user who wasn't known to the
+  local system, limited to being triggerable by gssapi-authenticated clients by
+  the default xinetd config (Olivier Fourdan, #569472)
+
 * Tue Mar  2 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.6.3-26
 - fix a regression (not labeling a kdb database lock file correctly, #569902)
 - add a workaround to build with OpenSSL 1.0, which changed the signature

krb5-1.6.1-pam.patch:
 aclocal.m4                   |   79 ++++++++
 appl/bsd/Makefile.in         |   11 -
 appl/bsd/configure.in        |    1 
 appl/bsd/krshd.c             |   62 +++++-
 appl/bsd/login.c             |   58 ++++++
 appl/bsd/pam.c               |  414 +++++++++++++++++++++++++++++++++++++++++++
 appl/bsd/pam.h               |   61 ++++++
 appl/gssftp/configure.in     |    1 
 appl/gssftp/ftpd/Makefile.in |    8 
 appl/gssftp/ftpd/ftpd.c      |   58 +++++-
 config/pre.in                |    1 
 configure.in                 |    2 
 12 files changed, 737 insertions(+), 19 deletions(-)

Index: krb5-1.6.1-pam.patch
===================================================================
RCS file: /cvs/extras/rpms/krb5/F-11/krb5-1.6.1-pam.patch,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -p -r1.7 -r1.8
--- krb5-1.6.1-pam.patch	16 Jul 2008 18:09:47 -0000	1.7
+++ krb5-1.6.1-pam.patch	3 Mar 2010 16:09:48 -0000	1.8
@@ -832,7 +832,7 @@ When enabled, ftpd, krshd, and login.krb
 +#ifdef USE_PAM
 +		if (appl_pam_enabled(kcontext, "ftpd")) {
 +			if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0,
-+					       pw->pw_name, "",
++					       name, "",
 +					       FTP_PAM_SERVICE) != 0) {
 +				reply(530, "Login incorrect.");
 +				return;
@@ -860,7 +860,7 @@ When enabled, ftpd, krshd, and login.krb
 -		if (pw == NULL || (!kpass(pw->pw_name, passwd) &&
 -				   (want_creds || !*pw->pw_passwd ||
 -				    strcmp(xpasswd, pw->pw_passwd)))) {
-+		if ((pw == NULL) ||
++		if ((pw == NULL) || (
 +#ifdef USE_PAM
 +		    appl_pam_enabled(kcontext, "ftpd") ?
 +		    (appl_pam_authenticate(FTP_PAM_SERVICE, 0,
@@ -870,7 +870,7 @@ When enabled, ftpd, krshd, and login.krb
 +		    (!kpass(pw->pw_name, passwd) &&
 +		     (want_creds ||
 +		      !*pw->pw_passwd ||
-+		      strcmp(xpasswd, pw->pw_passwd)))) {
++		      strcmp(xpasswd, pw->pw_passwd))))) {
  			pw = NULL;
  			sleep(5);
  			if (++login_attempts >= 3) {

