From 03e76d78321aacb7fac5c54a766bdde2d5591eb2 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Dec 06 2011 19:12:15 +0000
Subject: - apply upstream patch to fix a null pointer dereference when processing TGS requests (CVE-2011-1530, #753748)
---
diff --git a/2011-007-patch.txt b/2011-007-patch.txt
new file mode 100644
index 0000000..336a4ad
--- /dev/null
+++ b/2011-007-patch.txt
@@ -0,0 +1,40 @@
+diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
+index f46cad3..102fbaa 100644
+--- a/src/kdc/Makefile.in
++++ b/src/kdc/Makefile.in
+@@ -67,6 +67,7 @@ check-unix:: rtest
+ 
+ check-pytests::
+ $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
++ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
+ 
+ install::
+ $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index c169c54..840a2ef 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -243,7 +243,8 @@ tgt_again:
+ if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
+ errcode = find_alternate_tgs(request, &server);
+ firstpass = 0;
+- goto tgt_again;
++ if (errcode == 0)
++ goto tgt_again;
+ }
+ }
+ status = "UNKNOWN_SERVER";
+diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
+new file mode 100644
+index 0000000..1760bcd
+--- /dev/null
++++ b/src/kdc/t_emptytgt.py
+@@ -0,0 +1,8 @@
++#!/usr/bin/python
++from k5test import *
++
++realm = K5Realm(start_kadmind=False, create_host=False)
++output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
++if 'not found in Kerberos database' not in output:
++ fail('TGT lookup for empty realm failed in unexpected way')
++success('Empty tgt lookup.')
diff --git a/krb5.spec b/krb5.spec
index a05a096..c60393f 100644
--- a/krb5.spec
+++ b/krb5.spec
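Review bot: The new guard `if (errcode == 0) goto tgt_again;` in the nested do_tgs_req.c hunk changes what happens when find_alternate_tgs() fails — control now falls through to `status = "UNKNOWN_SERVER";` — but nothing at the guard says so, and the hunk does not show whether the errcode from find_alternate_tgs() survives or is replaced further down (the enclosing function continues outside the hunk). A one-line comment would record the intent, e.g. `/* Retry only when an alternate TGT was found; on failure fall through to the UNKNOWN_SERVER path instead of using an unset server. */` — that "unset server" is presumably the null dereference the advisory describes, so confirm against the full function. Since this file is a verbatim copy of the upstream advisory patch, that comment belongs upstream rather than in this vendored copy. In the accompanying t_emptytgt.py, the regression check keys on the substring 'not found in Kerberos database', which is adequate here but will need updating if that client message ever changes.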
@@ -15,7 +15,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.10
-Release: 0%{?dist}.alpha1.1
+Release: 0%{?dist}.alpha1.2
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-alpha1-signed.tar
 Source0: krb5-%{version}-alpha1.tar.gz
@@ -58,6 +58,7 @@ Patch71: krb5-1.9-dirsrv-accountlock.patch
 Patch75: krb5-pkinit-debug.patch
 Patch86: krb5-1.9-debuginfo.patch
 Patch92: krb5-1.10-alpha1-uninit.patch
+Patch93: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -223,6 +224,7 @@ ln -s NOTICE LICENSE
 %patch71 -p1 -b .dirsrv-accountlock
 #%patch75 -p1 -b .pkinit-debug
 %patch86 -p0 -b .debuginfo
+%patch93 -p1 -b .2011-007
 # XXX Temporary, backported from trunk.
 %patch92 -p1 -b .uninit
 # XXX Temporary, fixed properly in trunk.
@@ -737,6 +739,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Tue Dec 6 2011 Nalin Dahyabhai 1.10-0.alpha1.2
+- apply upstream patch to fix a null pointer dereference when processing
+ TGS requests (CVE-2011-1530, #753748)
+
 * Wed Nov 30 2011 Nalin Dahyabhai 1.10-0.alpha1.1
 - correct a bug in the fix for #754001 so that the file creation context
 is consistently reset
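Review bot: `Patch93:` points at a plain http:// URL for the CVE-2011-1530 advisory patch while the copy actually applied is the 2011-007-patch.txt committed alongside the spec, and nothing in the hunk records how that copy was checked against what MIT published. A comment above the Patch93 line noting the provenance, e.g. `# upstream advisory 2011-007 (CVE-2011-1530); re-verify against MIT's published advisory when refreshing`, would keep the security fix auditable later. The `%patch93 -p1 -b .2011-007` line in the @@ -223 hunk is consistent with the nested patch's a/src/... paths, assuming %setup leaves the build in the unpacked source root, which the visible hunks do not show.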