rpms/krb5/devel krb5-CVE-2007-5901.patch, NONE, 1.1 krb5-CVE-2007-5971.patch, NONE, 1.1 krb5-CVE-2008-0062, 0063.patch, NONE, 1.1 krb5-CVE-2008-0947.patch, NONE, 1.1 krb5.spec, 1.163, 1.164

Nalin Somabhai Dahyabhai (nalin) fedora-extras-commits at redhat.com
Tue Mar 18 18:14:04 UTC 2008


Author: nalin

Update of /cvs/pkgs/rpms/krb5/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29556/devel

Modified Files:
	krb5.spec 
Added Files:
	krb5-CVE-2007-5901.patch krb5-CVE-2007-5971.patch 
	krb5-CVE-2008-0062,0063.patch krb5-CVE-2008-0947.patch 
Log Message:
- add fixes from MITKRB5-SA-2008-001 for use of null or dangling pointer
  when v4 compatibility is enabled on the KDC (CVE-2008-0062, CVE-2008-0063,
  #432620, #432621)
- add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when
  high-numbered descriptors are used (CVE-2008-0947, #433596)
- add backport bug fix for an attempt to free non-heap memory in
  libgssapi_krb5 (CVE-2007-5901, #415321)
- add backport bug fix for a double-free in out-of-memory situations in
  libgssapi_krb5 (CVE-2007-5971, #415351)


krb5-CVE-2007-5901.patch:

--- NEW FILE krb5-CVE-2007-5901.patch ---
Patch for CVE-2007-5901, pulled from SVN per #415321.
diff -up src/lib/gssapi/mechglue/g_initialize.c src/lib/gssapi/mechglue/g_initialize.c
--- src/lib/gssapi/mechglue/g_initialize.c	2008-03-04 16:29:13.000000000 -0500
+++ src/lib/gssapi/mechglue/g_initialize.c	2008-03-04 16:29:16.000000000 -0500
@@ -210,7 +210,7 @@ gss_OID_set *mechSet;
 				free((*mechSet)->elements[j].elements);
 			}
 			free((*mechSet)->elements);
-			free(mechSet);
+			free(*mechSet);
 			*mechSet = NULL;
 			return (GSS_S_FAILURE);
 		}
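Review bot: The corrected `free(*mechSet)` is right but nothing in the cleanup path records why, and the hunk header shows `mechSet` is declared `gss_OID_set *mechSet`, i.e. it is the caller's out-parameter rather than the set itself, which is exactly how the wrong-pointer free slipped in. A one-line comment above the free would keep the next edit from repeating it: `/* mechSet is the caller's out-parameter; release the set we allocated, not the pointer to it */`. The enclosing function starts outside the hunk.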

krb5-CVE-2007-5971.patch:

--- NEW FILE krb5-CVE-2007-5971.patch ---
Patch for CVE-2007-5971, pulled from SVN per #415351.
diff -up src/lib/gssapi/krb5/k5sealv3.c src/lib/gssapi/krb5/k5sealv3.c
--- src/lib/gssapi/krb5/k5sealv3.c	2008-03-04 16:22:29.000000000 -0500
+++ src/lib/gssapi/krb5/k5sealv3.c	2008-03-04 16:22:22.000000000 -0500
@@ -248,7 +248,6 @@ gss_krb5int_make_seal_token_v3 (krb5_con
 	plain.data = 0;
 	if (err) {
 	    zap(outbuf,bufsize);
-	    free(outbuf);
 	    goto error;
 	}
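Review bot: Dropping `free(outbuf)` makes this error path depend on the `error:` label releasing `outbuf`, and that label is outside the hunk, so the ownership handoff is now invisible at the site that decides it. A comment at the goto, `/* outbuf is released at error:, do not free it here */`, documents that dependency; keeping `zap(outbuf,bufsize)` before the jump is correct, since the buffer still holds token material at that point. The enclosing function gss_krb5int_make_seal_token_v3 begins outside the hunk.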
 	if (sum.length != ctx->cksum_size)

***** Not enough context to create diffstat for file: krb5-CVE-2008-0062,0063.patch,NONE,1.1
***** Not enough context to create diff for file: krb5-CVE-2008-0062,0063.patch,NONE,1.1
krb5-CVE-2008-0947.patch:

--- NEW FILE krb5-CVE-2008-0947.patch ---
Patch from MITKRB5-SA-2008-002.
=== src/lib/rpc/svc.c
==================================================================
--- src/lib/rpc/svc.c   (revision 1666)
+++ src/lib/rpc/svc.c   (local)
@@ -109,15 +109,17 @@
 	if (sock < FD_SETSIZE) {
 		xports[sock] = xprt;
 		FD_SET(sock, &svc_fdset);
+		if (sock > svc_maxfd)
+			svc_maxfd = sock;
 	}
 #else
 	if (sock < NOFILE) {
 		xports[sock] = xprt;
 		svc_fds |= (1 << sock);
+		if (sock > svc_maxfd)
+			svc_maxfd = sock;
 	}
 #endif /* def FD_SETSIZE */
-	if (sock > svc_maxfd)
-		svc_maxfd = sock;
 }
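Review bot: After this change a `sock` at or above the table bound falls through both branches without being registered and without any diagnostic, so a caller that does not do its own bound check (the one svc_tcp.c gains in this same patch) ends up holding a transport that never receives events. A comment at the closing brace would state the precondition: `/* descriptors >= FD_SETSIZE (or NOFILE) are not registered; callers must reject them first */`. The function header is outside the hunk, so whether a return value could carry this is not visible here.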
  
 /*
=== src/lib/rpc/svc_tcp.c
==================================================================
--- src/lib/rpc/svc_tcp.c       (revision 1666)
+++ src/lib/rpc/svc_tcp.c       (local)
@@ -54,6 +54,14 @@
 extern errno;
 */
 
+#ifndef FD_SETSIZE
+#ifdef NBBY
+#define NOFILE (sizeof(int) * NBBY)
+#else
+#define NOFILE (sizeof(int) * 8)
+#endif
+#endif
+
 /*
  * Ops vector for TCP/IP based rpc service handle
  */
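Review bot: The new `#define NOFILE` is guarded only by `#ifndef FD_SETSIZE`, not by `#ifndef NOFILE`, so on a platform where a system header already defines NOFILE this is a macro redefinition, and if that value is larger than the bit width of `svc_fds` the `fd >= NOFILE` test in makefd_xprt would admit descriptors the bitmask cannot hold. Since the intent is specifically the width of the `svc_fds` mask, a distinct name avoids the clash, e.g. `#define SVC_FDBITS (sizeof(int) * NBBY)` used by both files; where svc.c obtains its NOFILE is not visible on this page, so the two definitions must be kept in one place either way.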
@@ -215,6 +223,19 @@
 	register SVCXPRT *xprt;
 	register struct tcp_conn *cd;
  
+#ifdef FD_SETSIZE
+	if (fd >= FD_SETSIZE) {
+		(void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+		xprt = NULL;
+		goto done;
+	}
+#else
+	if (fd >= NOFILE) {
+		(void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+		xprt = NULL;
+		goto done;
+	}
+#endif
 	xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT));
 	if (xprt == (SVCXPRT *)NULL) {
 		(void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n");
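Review bot: The new guard checks only the upper bound, so a negative `fd` (an unchecked accept() result, for instance) still passes `fd >= FD_SETSIZE` and reaches the table index; if `fd` is an int, as the signed comparison suggests, the test should be `if (fd < 0 || fd >= FD_SETSIZE)`. The two branches are also identical apart from the limit, so a single limit macro selected once lets the check appear once. The `done:` label and the rest of makefd_xprt are outside the hunk.
```c
#ifdef FD_SETSIZE
#define SVC_FD_LIMIT FD_SETSIZE
#else
#define SVC_FD_LIMIT NOFILE
#endif

	register SVCXPRT *xprt;
	/* … unchanged: cd declaration … */

	/* Reject descriptors the xports[]/svc_fdset tables cannot index;
	 * a negative fd would otherwise pass the upper-bound test alone. */
	if (fd < 0 || fd >= SVC_FD_LIMIT) {
		(void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
		xprt = NULL;
		goto done;
	}
	/* … unchanged: mem_alloc of xprt and out-of-memory check … */
```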
@@ -271,6 +292,10 @@
 	 * make a new transporter (re-uses xprt)
 	 */
 	xprt = makefd_xprt(sock, r->sendsize, r->recvsize);
+	if (xprt == NULL) {
+		close(sock);
+		return (FALSE);
+	}
 	xprt->xp_raddr = addr;
 	xprt->xp_addrlen = len;
 	xprt->xp_laddr = laddr;
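Review bot: The new NULL check also covers makefd_xprt's pre-existing out-of-memory return (visible in the earlier hunk), which previously fell through to `xprt->xp_raddr = addr` and dereferenced NULL, so the guard fixes two failure causes but names neither. A comment on the check records that: `/* makefd_xprt() returns NULL for an out-of-range fd or on allocation failure; drop the connection */`. The enclosing function starts outside the hunk, so the type behind `return (FALSE)` is not visible here.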


Index: krb5.spec
===================================================================
RCS file: /cvs/pkgs/rpms/krb5/devel/krb5.spec,v
retrieving revision 1.163
retrieving revision 1.164
diff -u -r1.163 -r1.164
--- krb5.spec	18 Mar 2008 15:35:39 -0000	1.163
+++ krb5.spec	18 Mar 2008 18:13:22 -0000	1.164
@@ -16,7 +16,7 @@
 Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.6.3
-Release: 9%{?dist}
+Release: 10%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -96,6 +96,10 @@
 Patch71: krb5-1.6.2-dirsrv-accountlock.patch
 Patch72: krb5-1.6.3-ftp_fdleak.patch
 Patch73: krb5-1.6.3-ftp_glob_runique.patch
+Patch74: krb5-CVE-2008-0062,0063.patch
+Patch75: krb5-CVE-2008-0947.patch
+Patch76: krb5-CVE-2007-5901.patch
+Patch77: krb5-CVE-2007-5971.patch
 
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
@@ -226,6 +230,17 @@
 certificate.
 
 %changelog
+* Tue Mar 18 2008 Nalin Dahyabhai <nalin at redhat.com> 1.6.3-10
+- add fixes from MITKRB5-SA-2008-001 for use of null or dangling pointer
+  when v4 compatibility is enabled on the KDC (CVE-2008-0062, CVE-2008-0063,
+  #432620, #432621)
+- add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when
+  high-numbered descriptors are used (CVE-2008-0947, #433596)
+- add backport bug fix for an attempt to free non-heap memory in
+  libgssapi_krb5 (CVE-2007-5901, #415321)
+- add backport bug fix for a double-free in out-of-memory situations in
+  libgssapi_krb5 (CVE-2007-5971, #415351)
+
 * Tue Mar 18 2008 Nalin Dahyabhai <nalin at redhat.com> 1.6.3-9
 - rework file labeling patch to not depend on fragile preprocessor trickery,
   in another attempt at fixing #428355 and friends
@@ -1330,6 +1345,10 @@
 %patch71 -p1 -b .dirsrv-accountlock
 %patch72 -p1 -b .ftp_fdleak
 %patch73 -p1 -b .ftp_glob_runique
+%patch74 -p0 -b .2008-0062,0063
+%patch75 -p0 -b .2008-0947
+%patch76 -p0 -b .2007-5901
+%patch77 -p0 -b .2007-5971
 cp src/krb524/README README.krb524
 gzip doc/*.ps
 



