[krb5/f16] - correct a bug in the fix for #754001 so that the file creation context is consistently reset

Nalin Dahyabhai nalin at fedoraproject.org
Wed Nov 30 20:07:46 UTC 2011


commit d161b26c4183f46f10e84965511fc930a28caa56
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Wed Nov 30 15:03:53 2011 -0500

    - correct a bug in the fix for #754001 so that the file creation context is consistently reset

 krb5-1.9-aes-hmac.patch      |   12 ++++++++++++
 krb5-1.9-selinux-label.patch |    6 ++----
 krb5.spec                    |   12 +++++++++++-
 3 files changed, 25 insertions(+), 5 deletions(-)
---
diff --git a/krb5-1.9-aes-hmac.patch b/krb5-1.9-aes-hmac.patch
new file mode 100644
index 0000000..0ab33f3
--- /dev/null
+++ b/krb5-1.9-aes-hmac.patch
@@ -0,0 +1,12 @@
+Early pull of the patch for RT#6994.
+--- krb5/src/lib/crypto/krb/checksum/hmac_md5.c
++++ krb5/src/lib/crypto/krb/checksum/hmac_md5.c
+@@ -61,7 +61,7 @@ krb5_error_code krb5int_hmacmd5_checksum
+ 	ret = krb5int_hmac(ctp->hash, key, &iov, 1, &ds);
+ 	if (ret)
+ 	    goto cleanup;
+-	ks.length = key->keyblock.length;
++	ks.length = ds.length;
+ 	ks.contents = (krb5_octet *) ds.data;
+ 	keyblock = &ks;
+     } else  /* For md5-hmac, just use the key. */
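Review bot: The patch header `Early pull of the patch for RT#6994.` does not say what the defect is, so someone auditing the package later cannot tell that the change to `ks.length` is a length fix in checksum key derivation. I would expand it along the lines of `Use the HMAC output length (ds.length), not the input key length, as the length of the derived key (RT#6994).`, which matches the 1.9.2-2 changelog entry. The changed line is inside krb5int_hmacmd5_checksum, whose body starts and ends outside the hunk, so where `ds` is sized is not visible here. Since `ks.contents` aliases `ds.data`, it is worth confirming that `ds.length` always equals the hash output size at that point.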
diff --git a/krb5-1.9-selinux-label.patch b/krb5-1.9-selinux-label.patch
index 950254b..e149e93 100644
--- a/krb5-1.9-selinux-label.patch
+++ b/krb5-1.9-selinux-label.patch
@@ -501,7 +501,7 @@ diff -up krb5-1.8/src/util/support/Makefile.in.selinux-label krb5-1.8/src/util/s
 diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/support/selinux.c
 --- krb5-1.8/src/util/support/selinux.c.selinux-label	2010-03-05 10:57:23.000000000 -0500
 +++ krb5-1.8/src/util/support/selinux.c	2010-03-05 10:57:23.000000000 -0500
-@@ -0,0 +1,374 @@
+@@ -0,0 +1,372 @@
 +/*
 + * Copyright 2007,2008,2009,2011 Red Hat, Inc.  All Rights Reserved.
 + *
@@ -742,9 +742,7 @@ diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/sup
 +krb5int_pop_fscreatecon(void *con)
 +{
 +	if (con != NULL) {
-+		if (con != (void *) -1) {
-+			pop_fscreatecon(con);
-+		}
++		pop_fscreatecon((con == (void *) -1) ? NULL : con);
 +		k5_mutex_unlock(&labeled_mutex);
 +	}
 +}
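Review bot: The sentinel `(void *) -1` in `pop_fscreatecon((con == (void *) -1) ? NULL : con);` is a bare magic value with no comment, yet it decides how the SELinux file creation context is restored. Judging by the commit message it seems to mean that the push side had no previous context to save, with NULL now passed so the context is still reset. That should be stated at the call, e.g. `/* (void *) -1: no previous context was saved; pass NULL so the fscreate context is still reset */`, or the value should get a name shared with the push side. The push function and `pop_fscreatecon` itself are outside the hunk, so whether `pop_fscreatecon` accepts NULL and reports failure cannot be checked here. If it can fail, a silent failure would leave later files created with the wrong label.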
diff --git a/krb5.spec b/krb5.spec
index 9304267..e2a0333 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -6,7 +6,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.9.2
-Release: 1%{?dist}
+Release: 3%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -59,6 +59,7 @@ Patch84: krb5-1.9.1-sendto_poll.patch
 Patch86: krb5-1.9-debuginfo.patch
 Patch87: krb5-1.9.1-sendto_poll2.patch
 Patch89: krb5-1.9.1-sendto_poll3.patch
+Patch90: krb5-1.9-aes-hmac.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -215,6 +216,7 @@ ln -s NOTICE LICENSE
 %patch86 -p0 -b .debuginfo
 %patch87 -p1 -b .sendto_poll2
 %patch89 -p1 -b .sendto_poll3
+%patch90 -p1 -b .aes-hmac
 gzip doc/*.ps
 
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -693,6 +695,14 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Wed Nov 30 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.2-3
+- correct a bug in the fix for #754001 so that the file creation context is
+  consistently reset
+
+* Tue Nov 22 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.2-2
+- pull patch from trunk so that when computing an HMAC, we don't assume that
+  the HMAC output size is the same as the input key length (RT#6994, #756139)
+
 * Wed Nov 15 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.2-1
 - update to 1.9.2, incorporating the recent security update and some of the
   things we were previously backporting, among other fixes

