From 1b086c4bc8414d48638cb7b5581f3a84c91a608a Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@fedoraproject.org>
Date: Sep 04 2007 18:10:20 +0000
Subject: - incorporate fixes for MITKRB5-SA-2007-006 (CVE-2007-3999, CVE-2007-4000)


---

diff --git a/CVE-2007-3999.patch b/CVE-2007-3999.patch
new file mode 100644
index 0000000..e8be46b
--- /dev/null
+++ b/CVE-2007-3999.patch
@@ -0,0 +1,19 @@
+*** src/lib/rpc/svc_auth_gss.c  (revision 20254)
+--- src/lib/rpc/svc_auth_gss.c  (local)
+***************
+*** 339,345 ****
+  	oa = &msg->rm_call.cb_cred;
+  	IXDR_PUT_ENUM(buf, oa->oa_flavor);
+  	IXDR_PUT_LONG(buf, oa->oa_length);
+! 	if (oa->oa_length) {
+  		memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
+  		buf += RNDUP(oa->oa_length) / sizeof(int32_t);
+  	}
+--- 339,345 ----
+  	oa = &msg->rm_call.cb_cred;
+  	IXDR_PUT_ENUM(buf, oa->oa_flavor);
+  	IXDR_PUT_LONG(buf, oa->oa_length);
+! 	if (oa->oa_length && oa->oa_length <= sizeof(rpchdr)) {
+  		memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
+  		buf += RNDUP(oa->oa_length) / sizeof(int32_t);
+  	}
diff --git a/CVE-2007-4000.patch b/CVE-2007-4000.patch
new file mode 100644
index 0000000..e01e4f8
--- /dev/null
+++ b/CVE-2007-4000.patch
@@ -0,0 +1,22 @@
+*** src/lib/kadm5/srv/svr_policy.c      (revision 20254)
+--- src/lib/kadm5/srv/svr_policy.c      (local)
+***************
+*** 211,218 ****
+      if((mask & KADM5_POLICY))
+  	return KADM5_BAD_MASK;
+  		
+!     ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt);
+!     if( ret && (cnt==0) )
+  	return KADM5_UNK_POLICY;
+
+      if ((mask & KADM5_PW_MAX_LIFE))
+--- 211,219 ----
+      if((mask & KADM5_POLICY))
+  	return KADM5_BAD_MASK;
+  		
+!     if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt)))
+!       return ret;
+!     if (cnt != 1)
+  	return KADM5_UNK_POLICY;
+
+      if ((mask & KADM5_PW_MAX_LIFE))
diff --git a/krb5.spec b/krb5.spec
index b23d042..50fd84e 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -11,7 +11,7 @@
 Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.6.1
-Release: 2.1%{?dist}
+Release: 3%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.5/krb5-1.5-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -77,6 +77,8 @@ Patch53: krb5-1.6-nodeplibs.patch
 Patch55: krb5-1.6.1-empty.patch
 Patch56: krb5-1.6.1-get_opt_fixup.patch
 Patch57: krb5-1.6.1-ftp-nospew.patch
+Patch58: CVE-2007-3999.patch
+Patch59: CVE-2007-4000.patch
 
 Patch62: krb5-any-fixup-patch.txt
 
@@ -196,6 +198,9 @@ installed on systems which are meant provide these services.
 %endif
 
 %changelog
+* Tue Sep  4 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.1-3
+- incorporate fixes for MITKRB5-SA-2007-006 (CVE-2007-3999, CVE-2007-4000)
+
 * Wed Jun 27 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.1-2.1
 - incorporate fixes for MITKRB5-SA-2007-004 (CVE-2007-2442,CVE-2007-2443)
   and MITKRB5-SA-2007-005 (CVE-2007-2798)
@@ -1142,6 +1147,8 @@ popd
 #%patch55 -p1 -b .empty
 %patch56 -p0 -b .get_opt_fixup
 %patch57 -p1 -b .ftp-nospew
+%patch58 -p0 -b .2007-3999
+%patch59 -p0 -b .2007-4000
 %patch70 -p0 -b .2007-004
 %patch71 -p0 -b .2007-005
 cp src/krb524/README README.krb524