[curl/f14] do not delegate GSSAPI credentials (CVE-2011-2192)

Thu Jun 23 14:50:26 UTC 2011

commit ece081a13fa7480e20901fabb6458255833d383b
Author: Kamil Dudka <kdudka at redhat.com>
Date:   Thu Jun 23 15:50:22 2011 +0200

    do not delegate GSSAPI credentials (CVE-2011-2192)

 0013-curl-7.21.0-5c314c6.patch |   30 ++++++++++++++++++++++++++++++
 curl.spec                      |   13 +++++++++----
 2 files changed, 39 insertions(+), 4 deletions(-)
---

diff --git a/0013-curl-7.21.0-5c314c6.patch b/0013-curl-7.21.0-5c314c6.patch
new file mode 100644
index 0000000..f98da1b
--- /dev/null
+++ b/0013-curl-7.21.0-5c314c6.patch
@@ -0,0 +1,30 @@
+From 5c314c6bb449bfca06c1cdc383c84e7661faf42c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Wed, 8 Jun 2011 00:10:26 +0200
+Subject: [PATCH] Curl_input_negotiate: do not delegate GSSAPI credentials
+
+This is a security flaw. See curl advisory 20110623 for details.
+
+Reported by: Richard Silverman
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/http_negotiate.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
+index 202d69e..5127e64 100644
+--- a/lib/http_negotiate.c
++++ b/lib/http_negotiate.c
+@@ -242,7 +242,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
+                                       &neg_ctx->context,
+                                       neg_ctx->server_name,
+                                       GSS_C_NO_OID,
+-                                      GSS_C_DELEG_FLAG,
++                                      0,
+                                       0,
+                                       GSS_C_NO_CHANNEL_BINDINGS,
+                                       &input_token,
+-- 
+1.7.4.4
+
diff --git a/curl.spec b/curl.spec
index 9cc348a..282fc8d 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.21.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -45,6 +45,9 @@ Patch11: 0011-curl-7.21.0-bz650255.patch
 # proxy tunnel support for LDAP requests (#655073)
 Patch12: 0012-curl-7.21.0-c59dba3.patch
 
+# CVE-2011-2192
+Patch13: 0013-curl-7.21.0-5c314c6.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.20.0-multilib.patch
 
@@ -147,10 +150,9 @@ done
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
-%patch12 -p1
-
-# upstream patches (not yet applied)
 %patch11 -p1
+%patch12 -p1
+%patch13 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -266,6 +268,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Thu Jun 23 2011 Kamil Dudka <kdudka at redhat.com> 7.21.0-8
+- do not delegate GSSAPI credentials (CVE-2011-2192)
+
 * Sat Apr 16 2011 Peter Robinson <pbrobinson at gmail.com> 7.21.0-7
 - no valgrind on SPARC or ARMv5 arches
 
