[curl/f15] do not delegate GSSAPI credentials (CVE-2011-2192)

[Kamil Dudka]

commit 27ea4112a8d2896058e5b0f3bf098992b485fc37
Author: Kamil Dudka <kdudka at redhat.com>
Date:   Thu Jun 23 15:50:22 2011 +0200

    do not delegate GSSAPI credentials (CVE-2011-2192)

 0004-curl-7.21.3-5c314c6.patch |   30 ++++++++++++++++++++++++++++++
 curl.spec                      |    9 ++++++++-
 2 files changed, 38 insertions(+), 1 deletions(-)
---
diff --git a/0004-curl-7.21.3-5c314c6.patch b/0004-curl-7.21.3-5c314c6.patch
new file mode 100644
index 0000000..f98da1b
--- /dev/null
+++ b/0004-curl-7.21.3-5c314c6.patch
@@ -0,0 +1,30 @@
+From 5c314c6bb449bfca06c1cdc383c84e7661faf42c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Wed, 8 Jun 2011 00:10:26 +0200
+Subject: [PATCH] Curl_input_negotiate: do not delegate GSSAPI credentials
+
+This is a security flaw. See curl advisory 20110623 for details.
+
+Reported by: Richard Silverman
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/http_negotiate.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
+index 202d69e..5127e64 100644
+--- a/lib/http_negotiate.c
++++ b/lib/http_negotiate.c
+@@ -242,7 +242,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
+                                       &neg_ctx->context,
+                                       neg_ctx->server_name,
+                                       GSS_C_NO_OID,
+-                                      GSS_C_DELEG_FLAG,
++                                      0,
+                                       0,
+                                       GSS_C_NO_CHANNEL_BINDINGS,
+                                       &input_token,
+-- 
+1.7.4.4
+
diff --git a/curl.spec b/curl.spec
index a348e85..0ca9eca 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.21.3
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -17,6 +17,9 @@ Patch2: 0002-curl-7.21.3-nss.patch
 # sync the code of curl-multi with upstream f551aa5 (several bug fixes)
 Patch3: 0003-curl-7.21.3-multi.patch
 
+# CVE-2011-2192
+Patch4: 0004-curl-7.21.3-5c314c6.patch
+
 # Avoid buffer overflow report from glibc with FORTIFY_SOURCE
 Patch5: 0005-curl-7.21.3-tftpd-buffer-overflow.patch
 
@@ -122,6 +125,7 @@ done
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 %patch5 -p1
 
 # Fedora patches
@@ -236,6 +240,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Thu Jun 23 2011 Kamil Dudka <kdudka at redhat.com> 7.21.3-8
+- do not delegate GSSAPI credentials (CVE-2011-2192)
+
 * Wed Jun 08 2011 Kamil Dudka <kdudka at redhat.com> 7.21.3-7
 - avoid an invalid timeout event on a reused handle (#679709)
 - sync the NSS code with upstream f551aa5 (several bug fixes)