commit krb5 for openSUSE:12.2

Thu, 09 Aug 2012 08:56:30 -0700 

Hello community,

here is the log from the commit of package krb5 for openSUSE:12.2 checked in at 
2012-08-09 17:55:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2/krb5 (Old)
 and      /work/SRC/openSUSE:12.2/.krb5.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "krb5", Maintainer is "[email protected]"

Changes:
--------
--- /work/SRC/openSUSE:12.2/krb5/krb5-mini.changes      2012-06-25 
15:37:58.000000000 +0200
+++ /work/SRC/openSUSE:12.2/.krb5.new/krb5-mini.changes 2012-08-09 
17:55:59.000000000 +0200
@@ -1,0 +2,6 @@
+Wed Aug  1 09:57:01 CEST 2012 - [email protected]
+
+- fix potentially execute code flaws
+  CVE-2012-1015, CVE-2012-1014 (bnc#770172)
+
+-------------------------------------------------------------------
krb5.changes: same change

New:
----
  MITKRB5-SA-2012-001.dif

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ krb5-mini.spec ++++++
--- /var/tmp/diff_new_pack.CYnaJF/_old  2012-08-09 17:56:00.000000000 +0200
+++ /var/tmp/diff_new_pack.CYnaJF/_new  2012-08-09 17:56:00.000000000 +0200
@@ -50,18 +50,20 @@
 Source2:        baselibs.conf
 Source5:        krb5-rpmlintrc
 Source10:       krb5-1.8-manpaths.txt
-Patch1:         krb5-1.10-buildconf.patch
-Patch3:         krb5-1.9-manpaths.dif
+
+Patch1:         krb5-1.8-pam.patch
+Patch2:         krb5-1.9-manpaths.dif
+Patch3:         krb5-1.10-selinux-label.patch
+Patch4:         krb5-1.10-buildconf.patch
 Patch5:         krb5-1.6.3-gssapi_improve_errormessages.dif
 Patch6:         krb5-1.10-kpasswd_tcp.patch
 Patch7:         krb5-1.6.3-ktutil-manpage.dif
-Patch10:        krb5-1.7-doublelog.patch
-Patch12:        krb5-1.8-api.patch
-Patch13:        krb5-1.8-pam.patch
-Patch18:        krb5-1.9-kprop-mktemp.patch
-Patch19:        krb5-1.9-ksu-path.patch
-Patch20:        krb5-1.10-gcc47.patch
-Patch21:        krb5-1.10-selinux-label.patch
+Patch8:         krb5-1.7-doublelog.patch
+Patch9:         krb5-1.8-api.patch
+Patch10:        krb5-1.9-kprop-mktemp.patch
+Patch11:        krb5-1.9-ksu-path.patch
+Patch12:        krb5-1.10-gcc47.patch
+Patch13:        MITKRB5-SA-2012-001.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %insserv_prereq %fillup_prereq 
@@ -143,18 +145,19 @@
 %prep
 %setup -q -n %{srcRoot}
 %setup -a 1 -T -D -n %{srcRoot}
-%patch13 -p1
-%patch3 -p1
-%patch21 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
+%patch9 -p1
 %patch10 -p1
-%patch12 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20
+%patch11 -p1
+%patch12
+%patch13 -p1
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do

++++++ krb5.spec ++++++
--- /var/tmp/diff_new_pack.CYnaJF/_old  2012-08-09 17:56:00.000000000 +0200
+++ /var/tmp/diff_new_pack.CYnaJF/_new  2012-08-09 17:56:00.000000000 +0200
@@ -50,18 +50,20 @@
 Source2:        baselibs.conf
 Source5:        krb5-rpmlintrc
 Source10:       krb5-1.8-manpaths.txt
-Patch1:         krb5-1.10-buildconf.patch
-Patch3:         krb5-1.9-manpaths.dif
+
+Patch1:         krb5-1.8-pam.patch
+Patch2:         krb5-1.9-manpaths.dif
+Patch3:         krb5-1.10-selinux-label.patch
+Patch4:         krb5-1.10-buildconf.patch
 Patch5:         krb5-1.6.3-gssapi_improve_errormessages.dif
 Patch6:         krb5-1.10-kpasswd_tcp.patch
 Patch7:         krb5-1.6.3-ktutil-manpage.dif
-Patch10:        krb5-1.7-doublelog.patch
-Patch12:        krb5-1.8-api.patch
-Patch13:        krb5-1.8-pam.patch
-Patch18:        krb5-1.9-kprop-mktemp.patch
-Patch19:        krb5-1.9-ksu-path.patch
-Patch20:        krb5-1.10-gcc47.patch
-Patch21:        krb5-1.10-selinux-label.patch
+Patch8:         krb5-1.7-doublelog.patch
+Patch9:         krb5-1.8-api.patch
+Patch10:        krb5-1.9-kprop-mktemp.patch
+Patch11:        krb5-1.9-ksu-path.patch
+Patch12:        krb5-1.10-gcc47.patch
+Patch13:        MITKRB5-SA-2012-001.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %insserv_prereq %fillup_prereq 
@@ -143,18 +145,19 @@
 %prep
 %setup -q -n %{srcRoot}
 %setup -a 1 -T -D -n %{srcRoot}
-%patch13 -p1
-%patch3 -p1
-%patch21 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
+%patch9 -p1
 %patch10 -p1
-%patch12 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20
+%patch11 -p1
+%patch12
+%patch13 -p1
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do

++++++ MITKRB5-SA-2012-001.dif ++++++
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 23623fe..8ada9d0 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -463,7 +463,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     krb5_enctype useenctype;
     struct as_req_state *state;
 
-    state = malloc(sizeof(*state));
+    state = calloc(sizeof(*state), 1);
     if (!state) {
         (*respond)(arg, ENOMEM, NULL);
         return;
@@ -486,6 +486,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     state->authtime = 0;
     state->c_flags = 0;
     state->req_pkt = req_pkt;
+    state->inner_body = NULL;
     state->rstate = NULL;
     state->sname = 0;
     state->cname = 0;
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 9d8cb34..d4ece3f 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1438,7 +1438,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req 
*request,
                 continue;
 
             }
-            if (request_contains_enctype(context, request, db_etype)) {
+            if (krb5_is_permitted_enctype(context, db_etype) &&
+                request_contains_enctype(context, request, db_etype)) {
                 retval = _make_etype_info_entry(context, client->princ,
                                                 client_key, db_etype,
                                                 &entry[i], etype_info2);
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index a43b291..94dad3a 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -2461,6 +2461,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, 
krb5_kdc_req *request,
         return 0;
     pa.magic = KV5M_PA_DATA;
     pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
+    memset(&checksum, 0, sizeof(checksum));
     retval = krb5_c_make_checksum(kdc_context,0, reply_key,
                                   KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
     if (retval != 0)
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index c4bf92e..367c894 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, 
stype, kvno, kdatap)
     krb5_boolean        saw_non_permitted = FALSE;
 
     ret = 0;
+    if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
+        return KRB5_KDB_NO_PERMITTED_KEY;
+
     if (kvno == -1 && stype == -1 && ktype == -1)
         kvno = 0;
 

-- 
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to