From 35a1c496ac8469e47f164d632ff798f9093667be Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Nov 30 2011 20:03:56 +0000
Subject: - correct a bug in the fix for #754001 so that the file creation context is consistently reset
---
diff --git a/krb5-1.9-aes-hmac.patch b/krb5-1.9-aes-hmac.patch
new file mode 100644
index 0000000..0ab33f3
--- /dev/null
+++ b/krb5-1.9-aes-hmac.patch
@@ -0,0 +1,12 @@
+Early pull of the patch for RT#6994.
+--- krb5/src/lib/crypto/krb/checksum/hmac_md5.c
++++ krb5/src/lib/crypto/krb/checksum/hmac_md5.c
+@@ -61,7 +61,7 @@ krb5_error_code krb5int_hmacmd5_checksum
+ ret = krb5int_hmac(ctp->hash, key, &iov, 1, &ds);
+ if (ret)
+ goto cleanup;
+- ks.length = key->keyblock.length;
++ ks.length = ds.length;
+ ks.contents = (krb5_octet *) ds.data;
+ keyblock = &ks;
+ } else /* For md5-hmac, just use the key. */
diff --git a/krb5-1.9-selinux-label.patch b/krb5-1.9-selinux-label.patch
index 950254b..e149e93 100644
--- a/krb5-1.9-selinux-label.patch
+++ b/krb5-1.9-selinux-label.patch
@@ -501,7 +501,7 @@ diff -up krb5-1.8/src/util/support/Makefile.in.selinux-label krb5-1.8/src/util/s
 diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/support/selinux.c
 --- krb5-1.8/src/util/support/selinux.c.selinux-label 2010-03-05 10:57:23.000000000 -0500
 +++ krb5-1.8/src/util/support/selinux.c 2010-03-05 10:57:23.000000000 -0500
-@@ -0,0 +1,374 @@
+@@ -0,0 +1,372 @@
 +/*
 + * Copyright 2007,2008,2009,2011 Red Hat, Inc. All Rights Reserved.
 + *
@@ -742,9 +742,7 @@ diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/sup
 +krb5int_pop_fscreatecon(void *con)
 +{
 + if (con != NULL) {
-+ if (con != (void *) -1) {
-+ pop_fscreatecon(con);
-+ }
++ pop_fscreatecon((con == (void *) -1) ? NULL : con);
 + k5_mutex_unlock(&labeled_mutex);
 + }
 +}
diff --git a/krb5.spec b/krb5.spec
index 5f09492..8913f08 100644
--- a/krb5.spec
+++ b/krb5.spec
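Review bot: The description line at the top of krb5-1.9-aes-hmac.patch (`Early pull of the patch for RT#6994.`) gives only the upstream ticket and does not say what is corrected, so a later rebase cannot tell from the file whether the patch is still needed. In the hmac_md5.c hunk `ks.contents` points at `ds.data`, and the old line took `ks.length` from `key->keyblock.length`; if the input key is longer than the digest, the intermediate keyblock would presumably claim more bytes than `ds` holds, which is the mismatch the 1.9.2-2 changelog entry describes. I would expand the header to something like `Early pull of the patch for RT#6994 (#756139): size the intermediate HMAC-MD5 key from ds.length, not from the input key length.` The body of krb5int_hmacmd5_checksum starts and ends outside the hunk, so how `ds` is sized and released is not visible here.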
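Review bot: The `(void *) -1` sentinel in krb5int_pop_fscreatecon is still an unexplained magic value, and this fix exists because its branch skipped the reset; the new line `pop_fscreatecon((con == (void *) -1) ? NULL : con);` should carry a comment saying what the sentinel means and why NULL is passed. Something like `/* (void *) -1: lock taken but no previous context was saved; NULL resets the file creation context to the default */` would do, assuming that is what the push side returns and what pop_fscreatecon(NULL) does, neither of which is visible in this hunk. Leaving the context set after a call would presumably give files created later by the process the wrong label, so the contract is worth writing down next to the code. The function's return-type line and pop_fscreatecon itself are outside the hunk.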
@@ -6,7 +6,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.9.2
-Release: 1%{?dist}
+Release: 3%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -59,6 +59,7 @@ Patch84: krb5-1.9.1-sendto_poll.patch
 Patch86: krb5-1.9-debuginfo.patch
 Patch87: krb5-1.9.1-sendto_poll2.patch
 Patch89: krb5-1.9.1-sendto_poll3.patch
+Patch90: krb5-1.9-aes-hmac.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -211,6 +212,7 @@ ln -s NOTICE LICENSE
 %patch86 -p0 -b .debuginfo
 %patch87 -p1 -b .sendto_poll2
 %patch89 -p1 -b .sendto_poll3
+%patch90 -p1 -b .aes-hmac
 gzip doc/*.ps
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -672,6 +674,14 @@ exit 0 %{_sbindir}/uuserver %changelog +* Wed Nov 30 2011 Nalin Dahyabhai 1.9.2-3 +- correct a bug in the fix for #754001 so that the file creation context is + consistently reset + +* Tue Nov 22 2011 Nalin Dahyabhai 1.9.2-2 +- pull patch from trunk so that when computing an HMAC, we don't assume that + the HMAC output size is the same as the input key length (RT#6994, #756139) + * Wed Nov 15 2011 Nalin Dahyabhai 1.9.2-1 - update to 1.9.2, incorporating the recent security update and some of the things we were previously backporting, among other fixes