rpms/mod_auth_kerb/devel mod_auth_kerb-5.3-cache.patch, NONE, 1.1 mod_auth_kerb-5.0-exports.patch, 1.2, 1.3 mod_auth_kerb-5.1-fixes.patch, 1.1, 1.2 mod_auth_kerb.spec, 1.16, 1.17 sources, 1.4, 1.5 mod_auth_kerb-5.0-cache.patch, 1.3, NONE mod_auth_kerb-5.0-gcc4.patch, 1.1, NONE
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Nov 29 12:36:05 UTC 2006
Author: jorton
Update of /cvs/dist/rpms/mod_auth_kerb/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv31659
Modified Files:
mod_auth_kerb-5.0-exports.patch mod_auth_kerb-5.1-fixes.patch
mod_auth_kerb.spec sources
Added Files:
mod_auth_kerb-5.3-cache.patch
Removed Files:
mod_auth_kerb-5.0-cache.patch mod_auth_kerb-5.0-gcc4.patch
Log Message:
* Wed Nov 29 2006 Joe Orton <jorton at redhat.com> 5.3-3
- fix r->user caching (Enrico Scholz, #214207)
- update to 5.3 (CVE-2006-5989, #215443)
mod_auth_kerb-5.3-cache.patch:
mod_auth_kerb.c | 47 ++++++++++++++++++++++++++++++-----------------
1 files changed, 30 insertions(+), 17 deletions(-)
--- NEW FILE mod_auth_kerb-5.3-cache.patch ---
--- mod_auth_kerb-5.3/src/mod_auth_kerb.c.cache
+++ mod_auth_kerb-5.3/src/mod_auth_kerb.c
@@ -85,6 +85,8 @@
#define snprintf _snprintf
#endif
+#include <unistd.h>
+
#ifdef KRB5
#include <krb5.h>
#ifdef HEIMDAL
@@ -1239,6 +1241,8 @@
return memcmp(p, oid->elements, oid->length);
}
+#define NAMEKEY "mod_auth_kerb:client_name"
+
static int
authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
const char *auth_line, char **negotiate_ret_value)
@@ -1389,7 +1393,15 @@
}
MK_AUTH_TYPE = MECH_NEGOTIATE;
- MK_USER = apr_pstrdup(r->pool, output_token.value);
+ MK_USER = apr_pstrdup(r->connection->pool, output_token.value);
+#ifndef APXS1
+ {
+ apr_status_t rv;
+ rv = apr_pool_userdata_set(r->user, NAMEKEY, NULL, r->connection->pool);
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
+ "set cached name %s for connection", r->user);
+ }
+#endif
if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
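Review bot: The debug line at the end of the added `#ifndef APXS1` block prints "set cached name … for connection" whether or not `apr_pool_userdata_set` succeeded, because `rv` is passed only as the log status and never tested. Log the success text only when `rv == APR_SUCCESS` and report the failure otherwise, so the debug log can be trusted when tracing which identity a connection carries. The entry is registered with a NULL cleanup on `r->connection->pool`, so the name appears to live until the connection closes, independent of the GSS context or ticket lifetime. A comment should say so, for example `/* cached for the whole connection; not tied to the GSS context lifetime */`. authenticate_user_gss starts and ends outside this hunk.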
@@ -1418,17 +1430,6 @@
}
#endif /* KRB5 */
-static int
-already_succeeded(request_rec *r)
-{
- if (ap_is_initial_req(r) || MK_AUTH_TYPE == NULL)
- return 0;
- if (strcmp(MK_AUTH_TYPE, MECH_NEGOTIATE) ||
- (strcmp(MK_AUTH_TYPE, "Basic") && strchr(MK_USER, '@')))
- return 1;
- return 0;
-}
-
static void
set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf,
int use_krb4, int use_krb5pwd, char *negotiate_ret_value)
@@ -1476,7 +1477,6 @@
const char *type = NULL;
int use_krb5 = 0, use_krb4 = 0;
int ret;
- static int last_return = HTTP_UNAUTHORIZED;
char *negotiate_ret_value = NULL;
/* get the type specified in .htaccess */
@@ -1505,6 +1505,23 @@
}
#endif
+#ifndef APXS1
+ if (use_krb5 && conf->krb_method_gssapi) {
+ void *data = NULL;
+ const char *name;
+
+ if (apr_pool_userdata_get(&data, NAMEKEY, r->connection->pool) == APR_SUCCESS
+ && data != NULL) {
+ name = data;
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "using cached name %s", name);
+ r->user = apr_pstrdup(r->pool, name);
+ r->ap_auth_type = "Negotiate";
+ return OK;
+ }
+ }
+#endif
+
/* get what the user sent us in the HTTP header */
auth_line = MK_TABLE_GET(r->headers_in, (r->proxyreq == PROXYREQ_PROXY)
? "Proxy-Authorization"
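Review bot: The cached-name shortcut returns `OK` before the `Authorization`/`Proxy-Authorization` header is read just below, so a later request on the same connection that carries its own credentials is still attributed to the name cached from the earlier request. The lookup is keyed only by `NAMEKEY` on `r->connection->pool`, so it also does not tell apart requests that reach a different per-directory Kerberos configuration. If a front-end proxy reuses one backend connection for several clients, they would all inherit the first identity. Consider running the lookup after `auth_line` is fetched and taking the shortcut only when the request sends no credentials, e.g. `if (auth_line == NULL && apr_pool_userdata_get(&data, NAMEKEY, r->connection->pool) == APR_SUCCESS && data != NULL)`. The early return also appears to skip the `store_gss_creds` step that the initial authentication performs, which is worth a comment if intended. The enclosing function starts and ends outside this hunk.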
@@ -1527,9 +1544,6 @@
(strcasecmp(auth_type, "Basic") == 0))
return DECLINED;
- if (already_succeeded(r))
- return last_return;
-
ret = HTTP_UNAUTHORIZED;
#ifdef KRB5
@@ -1553,7 +1567,6 @@
/* XXX log_debug: if ret==OK, log(user XY authenticated) */
- last_return = ret;
return ret;
}
mod_auth_kerb-5.0-exports.patch:
Makefile.in | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
Index: mod_auth_kerb-5.0-exports.patch
===================================================================
RCS file: /cvs/dist/rpms/mod_auth_kerb/devel/mod_auth_kerb-5.0-exports.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- mod_auth_kerb-5.0-exports.patch 19 Sep 2006 14:00:17 -0000 1.2
+++ mod_auth_kerb-5.0-exports.patch 29 Nov 2006 12:36:03 -0000 1.3
@@ -1,6 +1,6 @@
---- mod_auth_kerb-5.1/Makefile.in.exports
-+++ mod_auth_kerb-5.1/Makefile.in
-@@ -7,11 +7,11 @@
+--- mod_auth_kerb-5.3/Makefile.in.exports
++++ mod_auth_kerb-5.3/Makefile.in
+@@ -7,7 +7,7 @@
SPNEGO_SRCS = @SPNEGO_SRCS@
CPPFLAGS = -I. -Ispnegokrb5 $(KRB5_CPPFLAGS) $(KRB4_CPPFLAGS) $(DEFS)
@@ -8,10 +8,13 @@
+LDFLAGS = $(KRB5_LDFLAGS) $(KRB4_LDFLAGS) $(LIB_resolv) -Wl,-export-symbols-regex -Wl,auth_kerb_module
CFLAGS =
--APXS_CPPFLAGS = ${shell [ -n "${CPPFLAGS}" ] && echo ${CPPFLAGS} | sed -e 's/\([^ ]*\)/-Wc,\1/g'}
--APXS_LDFLAGS = ${shell [ -n "${LDFLAGS}" ] && echo ${LDFLAGS} | sed -e 's/\([^ ]*\)/-Wl,\1/g'}
-+APXS_CPPFLAGS = $(CPPFLAGS)
-+APXS_LDFLAGS = $(LDFLAGS)
-
+ # Use these assignements instead of the default ones if your're building on BSD
+@@ -20,7 +20,7 @@
all: src/mod_auth_kerb.so
+ src/mod_auth_kerb.so: src/mod_auth_kerb.c $(SPNEGO_SRCS)
+- $(APXS) -c $(APXS_CPPFLAGS) $(APXS_CFLAGS) $(APXS_LDFLAGS) src/mod_auth_kerb.c $(SPNEGO_SRCS)
++ $(APXS) -c $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) src/mod_auth_kerb.c $(SPNEGO_SRCS)
+
+ install:
+ $(APXS) -c -i $(APXS_CPPFLAGS) $(APXS_CFLAGS) $(APXS_LDFLAGS) src/mod_auth_kerb.c $(SPNEGO_SRCS)
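Review bot: The refreshed patch switches only the `src/mod_auth_kerb.so` rule to plain `$(CPPFLAGS) $(CFLAGS) $(LDFLAGS)`; the `install:` rule kept as context still passes `$(APXS_CPPFLAGS) $(APXS_CFLAGS) $(APXS_LDFLAGS)`. The previous revision covered both rules by redefining the `APXS_*` variables. If `make install` is ever run, its `-c -i` rebuild would pass `LDFLAGS` through the upstream `sed` wrapper, turning the `-Wl,-export-symbols-regex -Wl,auth_kerb_module` pair into doubly prefixed options. The module could then be linked without the intended export restriction, or fail to link. Apply the same substitution to the install rule, `$(APXS) -c -i $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) src/mod_auth_kerb.c $(SPNEGO_SRCS)`, or note in the spec that the install target is not used.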
mod_auth_kerb-5.1-fixes.patch:
mod_auth_kerb.c | 61 ++++----------------------------------------------------
1 files changed, 5 insertions(+), 56 deletions(-)
Index: mod_auth_kerb-5.1-fixes.patch
===================================================================
RCS file: /cvs/dist/rpms/mod_auth_kerb/devel/mod_auth_kerb-5.1-fixes.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- mod_auth_kerb-5.1-fixes.patch 19 Sep 2006 14:00:17 -0000 1.1
+++ mod_auth_kerb-5.1-fixes.patch 29 Nov 2006 12:36:03 -0000 1.2
@@ -1,25 +1,36 @@
---- mod_auth_kerb-5.1/src/mod_auth_kerb.c.fixes
-+++ mod_auth_kerb-5.1/src/mod_auth_kerb.c
-@@ -440,7 +440,7 @@
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
-- tkt_file_p = ap_pstrdup(r->pool, tkt_file);
-+ tkt_file_p = apr_pstrdup(r->pool, tkt_file);
- ap_register_cleanup(r->pool, tkt_file_p,
- krb4_cache_cleanup, ap_null_cleanup);
-
-@@ -486,7 +486,7 @@
- goto end;
- }
-
-- user = ap_pstrdup(r->pool, sent_name);
-+ user = apr_pstrdup(r->pool, sent_name);
- if (sent_instance)
- user = ap_pstrcat(r->pool, user, ".", sent_instance, NULL);
- user = ap_pstrcat(r->pool, user, "@", realm, NULL);
-@@ -1191,6 +1191,8 @@
+--- mod_auth_kerb-5.3/src/mod_auth_kerb.c.fixes
++++ mod_auth_kerb-5.3/src/mod_auth_kerb.c
+@@ -1163,35 +1163,10 @@
+ return 0;
+ }
+-static int
+-cmp_gss_type(gss_buffer_t token, gss_OID oid)
+-{
+- unsigned char *p;
+- size_t len;
+-
+- if (token->length == 0)
+- return GSS_S_DEFECTIVE_TOKEN;
+-
+- p = token->value;
+- if (*p++ != 0x60)
+- return GSS_S_DEFECTIVE_TOKEN;
+- len = *p++;
+- if (len & 0x80) {
+- if ((len & 0x7f) > 4)
+- return GSS_S_DEFECTIVE_TOKEN;
+- p += len & 0x7f;
+- }
+- if (*p++ != 0x06)
+- return GSS_S_DEFECTIVE_TOKEN;
+-
+- if (((OM_uint32) *p++) != oid->length)
+- return GSS_S_DEFECTIVE_TOKEN;
+-
+- return memcmp(p, oid->elements, oid->length);
+-}
+-
#define NAMEKEY "mod_auth_kerb:client_name"
+typedef typeof(gss_accept_sec_context) gss_asc_t;
@@ -27,7 +38,7 @@
static int
authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
const char *auth_line, char **negotiate_ret_value)
-@@ -1202,11 +1204,7 @@
+@@ -1203,11 +1178,7 @@
int ret;
gss_name_t client_name = GSS_C_NO_NAME;
gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
@@ -40,7 +51,7 @@
gss_OID_desc spnego_oid;
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
-@@ -1519,28 +1517,6 @@
+@@ -1519,28 +1490,6 @@
return ret;
}
@@ -49,18 +60,18 @@
-{
- krb5_error_code ret;
- krb5_context context;
-- krb5_rcache id;
+- krb5_rcache id = NULL;
- int found;
-
-- memset(&id, 0, sizeof(id));
--
- ret = krb5_init_context(&context);
- if (ret)
- return 0;
-
-- ret = krb5_rc_resolve_type(context, &id, type);
+- ret = krb5_rc_resolve_full(context, &id, "none:");
- found = (ret == 0);
-
+- if (ret == 0)
+- krb5_rc_destroy(context, id);
- krb5_free_context(context);
-
- return found;
@@ -69,7 +80,7 @@
/***************************************************************************
Module Setup/Configuration
***************************************************************************/
-@@ -1551,7 +1527,7 @@
+@@ -1551,7 +1500,7 @@
#ifndef HEIMDAL
/* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
1.3.x are covered by the hack overiding the replay calls */
@@ -78,7 +89,7 @@
putenv(strdup("KRB5RCACHETYPE=none"));
#endif
}
-@@ -1592,7 +1568,7 @@
+@@ -1592,7 +1541,7 @@
#ifndef HEIMDAL
/* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
1.3.x are covered by the hack overiding the replay calls */
Index: mod_auth_kerb.spec
===================================================================
RCS file: /cvs/dist/rpms/mod_auth_kerb/devel/mod_auth_kerb.spec,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- mod_auth_kerb.spec 1 Oct 2006 20:20:33 -0000 1.16
+++ mod_auth_kerb.spec 29 Nov 2006 12:36:03 -0000 1.17
@@ -1,15 +1,14 @@
Summary: Kerberos authentication module for HTTP
Name: mod_auth_kerb
-Version: 5.1
+Version: 5.3
Release: 3
License: Apache
Group: System Environment/Daemons
URL: http://modauthkerb.sourceforge.net/
Source0: %{name}-%{version}.tar.gz
Source1: auth_kerb.conf
-Patch2: mod_auth_kerb-5.0-cache.patch
-Patch4: mod_auth_kerb-5.0-gcc4.patch
+Patch2: mod_auth_kerb-5.3-cache.patch
Patch5: mod_auth_kerb-5.0-exports.patch
Patch7: mod_auth_kerb-5.1-krb15.patch
Patch8: mod_auth_kerb-5.1-fixes.patch
@@ -26,7 +25,6 @@
%prep
%setup -q -n %{name}-%{version}
%patch2 -p1 -b .cache
-%patch4 -p1 -b .gcc4
%patch5 -p1 -b .exports
%patch7 -p1 -b .krb15
%patch8 -p1 -b .fixes
@@ -54,6 +52,10 @@
%{_libdir}/httpd/modules/*.so
%changelog
+* Wed Nov 29 2006 Joe Orton <jorton at redhat.com> 5.3-3
+- fix r->user caching (Enrico Scholz, #214207)
+- update to 5.3 (CVE-2006-5989, #215443)
+
* Sun Oct 01 2006 Jesse Keating <jkeating at redhat.com> - 5.1-3
- rebuilt for unwind info generation, broken in gcc-4.1.1-21
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/mod_auth_kerb/devel/sources,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- sources 19 Sep 2006 16:03:11 -0000 1.4
+++ sources 29 Nov 2006 12:36:03 -0000 1.5
@@ -1,2 +1,2 @@
274edfb950af20ce6ef0ddcb7c20263a mod_auth_kerb-5.0-rc6.tar.gz
-b6a0c44b572c6e67ea7191999844aff6 mod_auth_kerb-5.1.tar.gz
+a363588578050b3d320a2ceccf3ed666 mod_auth_kerb-5.3.tar.gz
--- mod_auth_kerb-5.0-cache.patch DELETED ---
--- mod_auth_kerb-5.0-gcc4.patch DELETED ---