From fbb0669ff0ad2e597135814bdd1d52663a553eac Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Dec 06 2016 15:40:28 +0000
Subject: import krb5-1.14.1-27.el7_3
---
diff --git a/SOURCES/krb5-1.15-krad-eof.patch b/SOURCES/krb5-1.15-krad-eof.patch
new file mode 100644
index 0000000..6ed72ea
--- /dev/null
+++ b/SOURCES/krb5-1.15-krad-eof.patch
@@ -0,0 +1,49 @@
+From 7fd9fc07cbccef7a6e682057e1560e5b343cb9ff Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum
+Date: Fri, 30 Sep 2016 10:03:33 -0400
+Subject: [PATCH] Properly handle EOF condition on libkrad sockets
+
+In the previous code, when the remote peer performed an orderly shutdown
+on the socket, libkrad would enter a state in which all future requests
+timed out. Instead, if the peer shuts down its socket, we need to
+attempt to reopen it.
+
+ticket: 8504 (new)
+target_version: 1.14-next
+tags: pullup
+
+(cherry picked from commit 248497427d5a45225817b6c22e9224e8ad969872)
+---
+ src/lib/krad/remote.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
+index df3de3a..68cd16f 100644
+--- a/src/lib/krad/remote.c
++++ b/src/lib/krad/remote.c
+@@ -329,16 +329,15 @@ on_io_read(krad_remote *rr)
+ /* Read the packet. */
+ i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
+ pktlen, 0);
+- if (i < 0) {
+- /* Should we try again? */
+- if (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR)
+- return;
+
+- /* The socket is unrecoverable. */
++ /* On these errors, try again. */
++ if (i < 0 && (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR))
++ return;
++
++ /* On any other errors or on EOF, the socket is unrecoverable. */
++ if (i <= 0) {
+ remote_shutdown(rr);
+ return;
+- } else if (i == 0) {
+- remote_del_flags(rr, FLAGS_READ);
+ }
+
+ /* If we have a partial read or just the header, try again. */
+--
+2.10.1
+
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index 36ac156..1351a7e 100644
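Review bot: The new `if (i <= 0)` test in on_io_read treats every zero-byte recv() as a peer shutdown, but on a datagram socket a return of 0 is a valid empty datagram rather than EOF. If this handler also serves UDP remotes (the socket type is not visible in the hunk), a single empty datagram would now tear the remote down through `remote_shutdown(rr)`; consider applying the EOF branch only to stream sockets and simply ignoring a zero-length datagram. It is also worth confirming that remote_shutdown() discards any partial packet already counted in `rr->buffer.length`, so that bytes from a connection closed mid-packet are not parsed together with data from the reopened one. on_io_read starts and ends outside the hunk, so neither point can be settled from the lines shown.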
--- a/SPECS/krb5.spec +++ b/SPECS/krb5.spec @@ -13,7 +13,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.14.1 -Release: 26%{?dist} +Release: 27%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar @@ -80,6 +80,7 @@ Patch150: krb5-1.15-kadmin-kprop-port-test.patch Patch151: krb5-1.14.4-CVE-2016-3120.patch Patch152: krb5-1.14.4-SNI-HTTP-Host.patch Patch153: krb5-1.14.4-Fix-responder-without-preauth.patch +Patch154: krb5-1.15-krad-eof.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -304,6 +305,7 @@ chmod u+x src/util/paste-kdcproxy.py %patch151 -p1 -b .CVE-2016-3120 %patch152 -p1 -b .SNI-HTTP-Host %patch153 -p1 -b .Fix-responder-without-preauth +%patch154 -p1 -b .krad-eof # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -853,6 +855,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Wed Nov 02 2016 Robbie Harwood - 1.14.1-27 +- Properly handle EOF on libkrad sockets +- Resolves: #1382449 + * Wed Aug 17 2016 Robbie Harwood - 1.14.1-26 - Use responder in non-preauth AS reqs - Resolves: #1363690