gnu: mit-krb5: Add fixes for CVE-2015-{2695,2696,2697,2698}.

* gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch, gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch, gnu/packages/patches/mit-krb5-CVE-2015-2696.patch, gnu/packages/patches/mit-krb5-CVE-2015-2697.patch, gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch, gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/mit-krb5.scm (mit-krb5)[native-inputs]: Add patches.
author: Mark H Weaver <mhw@netris.org> 2015-11-08 23:05:11 -0500
committer: Mark H Weaver <mhw@netris.org> 2015-11-13 12:42:47 -0500
commit: ff45a00e798350676ca7a4cf1cac349cc0b4c1f6 (patch)
tree: 516c980bab196807f9e1dc97a88db273796a62d4 /gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch
parent: 4d53c29e6ca0fb432e92c298f9537c688fbbc10e (diff)
download: guix-ff45a00e798350676ca7a4cf1cac349cc0b4c1f6.tar.gz
1 files changed, 43 insertions, 0 deletions
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch
new file mode 100644
index 0000000000..67545e4c16
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch
@@ -0,0 +1,43 @@
+Copied from Debian.
+
+From 1a8bdc6d81dcd7dd8a4d42e8de6d2cacf1dd4408 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 27 Oct 2015 00:44:24 -0400
+Subject: Fix two IAKERB comments
+
+The comment explaining why there is no iakerb_gss_import_sec_context()
+erroneously referenced SPNEGO instead of IAKERB (noticed by Ben
+Kaduk).  The comment above iakerb_gss_delete_sec_context() is out of
+date after the last commit.
+
+(cherry picked from commit 92d6dd045dfc06cc03d20b327a6ee7a71e6bc24d)
+
+Patch-Category: upstream
+---
+ src/lib/gssapi/krb5/iakerb.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+index 4662bd9..e25862d 100644
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -727,10 +727,6 @@ cleanup:
+     return code;
+ }
+ 
+-/*
+- * Delete an IAKERB context. This can also accept Kerberos context
+- * handles. The heuristic is similar to SPNEGO's delete_sec_context.
+- */
+ OM_uint32 KRB5_CALLCONV
+ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
+                               gss_ctx_id_t *context_handle,
+@@ -1077,7 +1073,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ }
+ 
+ /*
+- * Until we implement partial context exports, there are no SPNEGO exported
++ * Until we implement partial context exports, there are no IAKERB exported
+  * context tokens, only tokens for the underlying krb5 context.  So we do not
+  * need to implement an iakerb_gss_import_sec_context() yet; it would be
+  * unreachable except via a manually constructed token.
author	Mark H Weaver <mhw@netris.org>	2015-11-08 23:05:11 -0500
committer	Mark H Weaver <mhw@netris.org>	2015-11-13 12:42:47 -0500
commit	ff45a00e798350676ca7a4cf1cac349cc0b4c1f6 (patch)
tree	516c980bab196807f9e1dc97a88db273796a62d4 /gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch
parent	4d53c29e6ca0fb432e92c298f9537c688fbbc10e (diff)
download	guix-ff45a00e798350676ca7a4cf1cac349cc0b4c1f6.tar.gz