1 files changed, 43 insertions, 0 deletions

diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch
new file mode 100644
index 0000000000..67545e4c16
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch
@@ -0,0 +1,43 @@
+Copied from Debian.
+
+From 1a8bdc6d81dcd7dd8a4d42e8de6d2cacf1dd4408 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 27 Oct 2015 00:44:24 -0400
+Subject: Fix two IAKERB comments
+
+The comment explaining why there is no iakerb_gss_import_sec_context()
+erroneously referenced SPNEGO instead of IAKERB (noticed by Ben
+Kaduk).  The comment above iakerb_gss_delete_sec_context() is out of
+date after the last commit.
+
+(cherry picked from commit 92d6dd045dfc06cc03d20b327a6ee7a71e6bc24d)
+
+Patch-Category: upstream
+---
+ src/lib/gssapi/krb5/iakerb.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+index 4662bd9..e25862d 100644
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -727,10 +727,6 @@ cleanup:
+     return code;
+ }
+ 
+-/*
+- * Delete an IAKERB context. This can also accept Kerberos context
+- * handles. The heuristic is similar to SPNEGO's delete_sec_context.
+- */
+ OM_uint32 KRB5_CALLCONV
+ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
+                               gss_ctx_id_t *context_handle,
+@@ -1077,7 +1073,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ }
+ 
+ /*
+- * Until we implement partial context exports, there are no SPNEGO exported
++ * Until we implement partial context exports, there are no IAKERB exported
+  * context tokens, only tokens for the underlying krb5 context.  So we do not
+  * need to implement an iakerb_gss_import_sec_context() yet; it would be
+  * unreachable except via a manually constructed token.