Date: Thursday, August 9, 2012 @ 05:25:17 Author: stephane Revision: 165033
upgpkg: krb5 1.10.3-1 upstream update Modified: krb5/trunk/PKGBUILD Deleted: krb5/trunk/MITKRB5-SA-2012-001.patch ---------------------------+ MITKRB5-SA-2012-001.patch | 61 -------------------------------------------- PKGBUILD | 15 +++------- 2 files changed, 5 insertions(+), 71 deletions(-) Deleted: MITKRB5-SA-2012-001.patch =================================================================== --- MITKRB5-SA-2012-001.patch 2012-08-09 08:16:32 UTC (rev 165032) +++ MITKRB5-SA-2012-001.patch 2012-08-09 09:25:17 UTC (rev 165033) @@ -1,61 +0,0 @@ -diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c -index 23623fe..8ada9d0 100644 ---- a/src/kdc/do_as_req.c -+++ b/src/kdc/do_as_req.c -@@ -463,7 +463,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, - krb5_enctype useenctype; - struct as_req_state *state; - -- state = malloc(sizeof(*state)); -+ state = calloc(sizeof(*state), 1); - if (!state) { - (*respond)(arg, ENOMEM, NULL); - return; -@@ -486,6 +486,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, - state->authtime = 0; - state->c_flags = 0; - state->req_pkt = req_pkt; -+ state->inner_body = NULL; - state->rstate = NULL; - state->sname = 0; - state->cname = 0; -diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c -index 9d8cb34..d4ece3f 100644 ---- a/src/kdc/kdc_preauth.c -+++ b/src/kdc/kdc_preauth.c -@@ -1438,7 +1438,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request, - continue; - - } -- if (request_contains_enctype(context, request, db_etype)) { -+ if (krb5_is_permitted_enctype(context, db_etype) && -+ request_contains_enctype(context, request, db_etype)) { - retval = _make_etype_info_entry(context, client->princ, - client_key, db_etype, - &entry[i], etype_info2); -diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index a43b291..94dad3a 100644 ---- a/src/kdc/kdc_util.c -+++ b/src/kdc/kdc_util.c -@@ -2461,6 +2461,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request, - return 0; - pa.magic = KV5M_PA_DATA; - pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP; -+ memset(&checksum, 0, sizeof(checksum)); - retval = krb5_c_make_checksum(kdc_context,0, reply_key, - KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum); - if (retval != 0) -diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c -index c4bf92e..367c894 100644 ---- a/src/lib/kdb/kdb_default.c -+++ b/src/lib/kdb/kdb_default.c -@@ -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap) - krb5_boolean saw_non_permitted = FALSE; - - ret = 0; -+ if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype)) -+ return KRB5_KDB_NO_PERMITTED_KEY; -+ - if (kvno == -1 && stype == -1 && ktype == -1) - kvno = 0; - Modified: PKGBUILD =================================================================== --- PKGBUILD 2012-08-09 08:16:32 UTC (rev 165032) +++ PKGBUILD 2012-08-09 09:25:17 UTC (rev 165033) @@ -2,8 +2,8 @@ # Maintainer: Stéphane Gaudreault <steph...@archlinux.org> pkgname=krb5 -pkgver=1.10.2 -pkgrel=3 +pkgver=1.10.3 +pkgrel=1 pkgdesc="The Kerberos network authentication system" arch=('i686' 'x86_64') url="http://web.mit.edu/kerberos/" @@ -20,9 +20,8 @@ krb5-kpropd krb5-kpropd.service krb5-kpropd@.service - krb5-kpropd.socket - MITKRB5-SA-2012-001.patch) -sha1sums=('8b6e2c5bf0c65aacd368b3698add7888f2a7332d' + krb5-kpropd.socket) +sha1sums=('04ab9837e5d1958158bcb30bd6480201089a0cbb' '78b759d566b1fdefd9bbcd06df14f07f12effe96' '2aa229369079ed1bbb201a1ef72c47bf143f4dbe' 'a2a01e7077d9e89cda3457ea0e216debb3dc353c' @@ -31,8 +30,7 @@ '7f402078fa65bb9ff1beb6cbbbb017450df78560' '614401dd4ac18e310153240bb26eb32ff1e8cf5b' '023a8164f8ee7066ac814486a68bc605e79f6101' - 'f3677d30dbbd7106c581379c2c6ebb1bf7738912' - '7b32dd24e68dc801efb8be280083e4d8067e392a') + 'f3677d30dbbd7106c581379c2c6ebb1bf7738912') options=('!emptydirs') build() { @@ -48,9 +46,6 @@ # FS#25384 sed -i "/KRB5ROOT=/s/\/local//" util/ac_check_krb5.m4 - # Fix KDC heap corruption and crash vulnerabilities - patch -Np2 -i ../../MITKRB5-SA-2012-001.patch - export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all" export CPPFLAGS+=" -I/usr/include/et" ./configure --prefix=/usr \