[curl/f14] do not delegate GSSAPI credentials (CVE-2011-2192)
Kamil Dudka
kdudka at fedoraproject.org
Thu Jun 23 14:50:26 UTC 2011
commit ece081a13fa7480e20901fabb6458255833d383b
Author: Kamil Dudka <kdudka at redhat.com>
Date: Thu Jun 23 15:50:22 2011 +0200
do not delegate GSSAPI credentials (CVE-2011-2192)
0013-curl-7.21.0-5c314c6.patch | 30 ++++++++++++++++++++++++++++++
curl.spec | 13 +++++++++----
2 files changed, 39 insertions(+), 4 deletions(-)
---
diff --git a/0013-curl-7.21.0-5c314c6.patch b/0013-curl-7.21.0-5c314c6.patch
new file mode 100644
index 0000000..f98da1b
--- /dev/null
+++ b/0013-curl-7.21.0-5c314c6.patch
@@ -0,0 +1,30 @@
+From 5c314c6bb449bfca06c1cdc383c84e7661faf42c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Wed, 8 Jun 2011 00:10:26 +0200
+Subject: [PATCH] Curl_input_negotiate: do not delegate GSSAPI credentials
+
+This is a security flaw. See curl advisory 20110623 for details.
+
+Reported by: Richard Silverman
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/http_negotiate.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
+index 202d69e..5127e64 100644
+--- a/lib/http_negotiate.c
++++ b/lib/http_negotiate.c
+@@ -242,7 +242,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
+ &neg_ctx->context,
+ neg_ctx->server_name,
+ GSS_C_NO_OID,
+- GSS_C_DELEG_FLAG,
++ 0,
+ 0,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ &input_token,
+--
+1.7.4.4
+
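Review bot: the only functional change in this backport is the req_flags argument to gss_init_sec_context in Curl_input_negotiate, which goes from GSS_C_DELEG_FLAG to 0, so libcurl stops forwarding the user's GSSAPI credentials to every server it completes Negotiate authentication with; the surrounding arguments (GSS_C_NO_OID mechanism, the zero lifetime, GSS_C_NO_CHANNEL_BINDINGS, the input token) are untouched. Dropping delegation unconditionally is the right default, since nothing in the visible code checks whether the target is trusted with delegated credentials, but it is a behaviour change for any caller that relied on delegation, and the embedded commit message only points at advisory 20110623 for details. State the user-visible effect (delegation is now never requested) in the spec changelog or in the comment above the Patch13 line so packagers do not have to open the patch to learn it.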
diff --git a/curl.spec b/curl.spec
index 9cc348a..282fc8d 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.21.0
-Release: 7%{?dist}
+Release: 8%{?dist}
License: MIT
Group: Applications/Internet
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -45,6 +45,9 @@ Patch11: 0011-curl-7.21.0-bz650255.patch
# proxy tunnel support for LDAP requests (#655073)
Patch12: 0012-curl-7.21.0-c59dba3.patch
+# CVE-2011-2192
+Patch13: 0013-curl-7.21.0-5c314c6.patch
+
# patch making libcurl multilib ready
Patch101: 0101-curl-7.20.0-multilib.patch
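Review bot: the comment above Patch13 is only the CVE id, while the neighbouring entries (Patch11, Patch12) say what the patch does and carry a bug reference; for consistency, reuse the commit summary, e.g. `# do not delegate GSSAPI credentials (CVE-2011-2192)`.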
@@ -147,10 +150,9 @@ done
%patch8 -p1
%patch9 -p1
%patch10 -p1
-%patch12 -p1
-
-# upstream patches (not yet applied)
%patch11 -p1
+%patch12 -p1
+%patch13 -p1
# Fedora patches
%patch101 -p1
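Review bot: the reordering makes the %patch lines follow the numeric order of the Patch: declarations (11, 12, 13 all applied with -p1), which is fine, but it also removes the `# upstream patches (not yet applied)` marker that separated those backports from the Fedora-only ones under `# Fedora patches`. Since Patch13 is itself a backport of upstream commit 5c314c6, keep a one-line header comment above `%patch11 -p1` so that distinction survives in the spec.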
@@ -266,6 +268,9 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/aclocal/libcurl.m4
%changelog
+* Thu Jun 23 2011 Kamil Dudka <kdudka at redhat.com> 7.21.0-8
+- do not delegate GSSAPI credentials (CVE-2011-2192)
+
* Sat Apr 16 2011 Peter Robinson <pbrobinson at gmail.com> 7.21.0-7
- no valgrind on SPARC or ARMv5 arches