diff --git a/SOURCES/gssproxy-0.3.0-inquire-context.patch b/SOURCES/gssproxy-0.3.0-inquire-context.patch
new file mode 100644
index 0000000..b119f7e
--- /dev/null
+++ b/SOURCES/gssproxy-0.3.0-inquire-context.patch
@@ -0,0 +1,74 @@
+From c17f20b949d2e80e596ce21ecd944db80aaa80b1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
+Date: Wed, 29 Jan 2014 17:59:03 +0100
+Subject: [PATCH] Fix potential segfault in gssi_inquire_context().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Günther Deschner
+Reviewed-by: Simo Sorce
+---
+ proxy/src/mechglue/gpp_context.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/proxy/src/mechglue/gpp_context.c b/proxy/src/mechglue/gpp_context.c
+index 6010724f8ece09413e85c8926303276b4dffe89b..bb16a93a39b5892388ba9e963fff9b0066283cf4 100644
+--- a/proxy/src/mechglue/gpp_context.c
++++ b/proxy/src/mechglue/gpp_context.c
+@@ -223,7 +223,7 @@ OM_uint32 gssi_inquire_context(OM_uint32 *minor_status,
+ maj = gss_inquire_context(&min,
+ ctx_handle->local,
+ s_name ? &s_name->local : NULL,
+- s_name ? &t_name->local : NULL,
++ t_name ? &t_name->local : NULL,
+ lifetime_rec,
+ &mech_oid,
+ ctx_flags,
+@@ -233,7 +233,7 @@ OM_uint32 gssi_inquire_context(OM_uint32 *minor_status,
+ maj = gpm_inquire_context(&min,
+ ctx_handle->remote,
+ s_name ? &s_name->remote : NULL,
+- s_name ? &t_name->remote : NULL,
++ t_name ? &t_name->remote : NULL,
+ lifetime_rec,
+ &mech_oid,
+ ctx_flags,
+--
+2.1.0
+
+From 9da1bc9dec8d228b35ef8639832cddc5e477ddf8 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Thu, 22 Jan 2015 14:26:23 -0500
+Subject: [PATCH] Zero out the outputs of display_name
+
+The mechglue expects the mechanism function to zero them in all cases.
+Otherwise on error it will later try to free the output buffer value
+which can be an arbitrary pointer. This will cause a segfault or
+worse in glibc's free().
+
+Signed-off-by: Simo Sorce
+Reviewed-by: Roland Mainz
+---
+ proxy/src/mechglue/gpp_import_and_canon_name.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/proxy/src/mechglue/gpp_import_and_canon_name.c b/proxy/src/mechglue/gpp_import_and_canon_name.c
+index 727823c383c32d4ab5ec8a41b034997f18e433f7..92e6e5dca522742c181900fdd43c66318695923e 100644
+--- a/proxy/src/mechglue/gpp_import_and_canon_name.c
++++ b/proxy/src/mechglue/gpp_import_and_canon_name.c
+@@ -33,6 +33,11 @@ OM_uint32 gssi_display_name(OM_uint32 *minor_status,
+ struct gpp_name_handle *name;
+ OM_uint32 maj, min = 0;
+
++ output_name_buffer->length = 0;
++ output_name_buffer->value = NULL;
++ if (output_name_type)
++ *output_name_type = GSS_C_NO_OID;
++
+ GSSI_TRACE();
+
+ name = (struct gpp_name_handle *)input_name;
+--
+2.1.0
+
diff --git a/SPECS/gssproxy.spec b/SPECS/gssproxy.spec
index db12cb9..a968f6e 100644
--- a/SPECS/gssproxy.spec
+++ b/SPECS/gssproxy.spec
@@ -1,6 +1,6 @@
 Name: gssproxy
 Version: 0.3.0
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: GSSAPI Proxy
 Group: System Environment/Libraries
@@ -16,6 +16,7 @@ Patch4: gssproxy-0.3.1-secure_getenv.patch
 Patch5: gssproxy-0.3.1-strerror_r.patch
 Patch6: gssproxy-0.3.1-nfsd_startup.patch
 Patch7: gssproxy-0.3.1-deadlock_fix.patch
+Patch8: gssproxy-0.3.0-inquire-context.patch
 %global servicename gssproxy
 %global pubconfpath %{_sysconfdir}/gssproxy
@@ -68,6 +69,7 @@ A proxy for GSSAPI credential handling
 %patch5 -p2 -b .strerror_r
 %patch6 -p2 -b .nfsd_startup
 %patch7 -p2 -b .deadlock_fix
+%patch8 -p2 -b .inq_context
 %build
 autoreconf -f -i
@@ -120,6 +122,10 @@ rm -rf %{buildroot}
 %systemd_postun_with_restart gssproxy.service
 %changelog
+* Fri Jan 23 2015 Simo Sorce 0.3.0-10
+- Fix crash bug affecting updated rpc.gssd
+- resolves: #1184531
+
 * Wed Mar 12 2014 Guenther Deschner 0.3.0-9
 - Fix potential mutex deadlock
 - resolves: #1075268
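Review bot: In the gssi_display_name hunk of the added patch, `output_name_buffer->length = 0;` and `output_name_buffer->value = NULL;` dereference `output_name_buffer` unconditionally, while the optional `output_name_type` directly below is NULL-checked. Whether the mechglue always rejects a NULL buffer before dispatching to the mechanism is not visible here; if it does not, these lines replace the free()-of-an-arbitrary-pointer crash with a NULL dereference at function entry. Either guard them with `if (!output_name_buffer) return GSS_S_CALL_INACCESSIBLE_WRITE;` or add a comment such as `/* mechglue guarantees output_name_buffer != NULL */` so the asymmetry is deliberate. The body of gssi_display_name continues outside the hunk, so the later error paths that rely on the zeroed outputs cannot be checked from here. Separately, the patch file is named only for the gssi_inquire_context fix although it also carries this display_name memory-safety fix, which makes the second change harder to trace from the spec's `Patch8` line.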