summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEray Aslan <eras@gentoo.org>2012-08-01 16:38:00 +0000
committerEray Aslan <eras@gentoo.org>2012-08-01 16:38:00 +0000
commit140f77da5ec3dca1a7c0dc247a1a4011336c8f52 (patch)
treef0d9f1a4206b43a4749b9dda527d59af905b594a /app-crypt/mit-krb5
parentsci-geosciences/gebabbel: Respect CFLAGS, #429356; use eclass functions, inst... (diff)
downloadgentoo-2-140f77da5ec3dca1a7c0dc247a1a4011336c8f52.tar.gz
gentoo-2-140f77da5ec3dca1a7c0dc247a1a4011336c8f52.tar.bz2
gentoo-2-140f77da5ec3dca1a7c0dc247a1a4011336c8f52.zip
Security bump - bug #429324
(Portage version: 2.1.11.9/cvs/Linux x86_64)
Diffstat (limited to 'app-crypt/mit-krb5')
-rw-r--r--app-crypt/mit-krb5/ChangeLog10
-rw-r--r--app-crypt/mit-krb5/files/CVE-2012-1014.patch21
-rw-r--r--app-crypt/mit-krb5/files/CVE-2012-1015.patch40
-rw-r--r--app-crypt/mit-krb5/mit-krb5-1.10.2-r1.ebuild127
-rw-r--r--app-crypt/mit-krb5/mit-krb5-1.9.4-r1.ebuild119
5 files changed, 316 insertions, 1 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog
index 01541f25ce8a..e6fdecea27b2 100644
--- a/app-crypt/mit-krb5/ChangeLog
+++ b/app-crypt/mit-krb5/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for app-crypt/mit-krb5
# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.329 2012/07/09 05:18:26 xmw Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.330 2012/08/01 16:38:00 eras Exp $
+
+*mit-krb5-1.10.2-r1 (01 Aug 2012)
+*mit-krb5-1.9.4-r1 (01 Aug 2012)
+
+ 01 Aug 2012; Eray Aslan <eras@gentoo.org> +mit-krb5-1.9.4-r1.ebuild,
+ +mit-krb5-1.10.2-r1.ebuild, +files/CVE-2012-1014.patch,
+ +files/CVE-2012-1015.patch:
+ Security bump - bug #429324
09 Jul 2012; Michael Weber <xmw@gentoo.org> mit-krb5-1.9.4.ebuild:
ppc stable (bug 419765)
diff --git a/app-crypt/mit-krb5/files/CVE-2012-1014.patch b/app-crypt/mit-krb5/files/CVE-2012-1014.patch
new file mode 100644
index 000000000000..c7da7171959f
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2012-1014.patch
@@ -0,0 +1,21 @@
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 23623fe..8ada9d0 100644
+--- a/src/kdc/do_as_req.c
++++ b/src/kdc/do_as_req.c
+@@ -463,7 +463,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
+ krb5_enctype useenctype;
+ struct as_req_state *state;
+
+- state = malloc(sizeof(*state));
++ state = calloc(sizeof(*state), 1);
+ if (!state) {
+ (*respond)(arg, ENOMEM, NULL);
+ return;
+@@ -486,6 +486,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
+ state->authtime = 0;
+ state->c_flags = 0;
+ state->req_pkt = req_pkt;
++ state->inner_body = NULL;
+ state->rstate = NULL;
+ state->sname = 0;
+ state->cname = 0;
diff --git a/app-crypt/mit-krb5/files/CVE-2012-1015.patch b/app-crypt/mit-krb5/files/CVE-2012-1015.patch
new file mode 100644
index 000000000000..60f2b38a2ffa
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2012-1015.patch
@@ -0,0 +1,40 @@
+diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
+index 9d8cb34..d4ece3f 100644
+--- a/src/kdc/kdc_preauth.c
++++ b/src/kdc/kdc_preauth.c
+@@ -1438,7 +1438,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
+ continue;
+
+ }
+- if (request_contains_enctype(context, request, db_etype)) {
++ if (krb5_is_permitted_enctype(context, db_etype) &&
++ request_contains_enctype(context, request, db_etype)) {
+ retval = _make_etype_info_entry(context, client->princ,
+ client_key, db_etype,
+ &entry[i], etype_info2);
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index a43b291..94dad3a 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -2461,6 +2461,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request,
+ return 0;
+ pa.magic = KV5M_PA_DATA;
+ pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
++ memset(&checksum, 0, sizeof(checksum));
+ retval = krb5_c_make_checksum(kdc_context,0, reply_key,
+ KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
+ if (retval != 0)
+diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
+index c4bf92e..367c894 100644
+--- a/src/lib/kdb/kdb_default.c
++++ b/src/lib/kdb/kdb_default.c
+@@ -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
+ krb5_boolean saw_non_permitted = FALSE;
+
+ ret = 0;
++ if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
++ return KRB5_KDB_NO_PERMITTED_KEY;
++
+ if (kvno == -1 && stype == -1 && ktype == -1)
+ kvno = 0;
+
diff --git a/app-crypt/mit-krb5/mit-krb5-1.10.2-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.10.2-r1.ebuild
new file mode 100644
index 000000000000..33c3a05d36d9
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.10.2-r1.ebuild
@@ -0,0 +1,127 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.10.2-r1.ebuild,v 1.1 2012/08/01 16:38:00 eras Exp $
+
+EAPI=4
+inherit eutils flag-o-matic versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~hppa ~ppc ~x86"
+IUSE="doc +keyutils openldap +pkinit +threads test xinetd"
+
+RDEPEND="!!app-crypt/heimdal
+ >=sys-libs/e2fsprogs-libs-1.41.0
+ dev-libs/libverto
+ keyutils? ( sys-apps/keyutils )
+ openldap? ( net-nds/openldap )
+ xinetd? ( sys-apps/xinetd )"
+DEPEND="${RDEPEND}
+ virtual/yacc
+ doc? ( virtual/latex-base )
+ test? ( dev-lang/tcl
+ dev-lang/python
+ dev-util/dejagnu )"
+
+S=${WORKDIR}/${MY_P}/src
+
+src_unpack() {
+ unpack ${A}
+ unpack ./"${MY_P}".tar.gz
+}
+
+src_prepare() {
+ epatch "${FILESDIR}/${PN}-1.10.1_uninitialized_extra.patch"
+ epatch "${FILESDIR}/${PN}-1.10.1_uninitialized_extra-2.patch"
+ epatch "${FILESDIR}/${PN}-1.10.1_gcc470.patch"
+ epatch "${FILESDIR}"/CVE-2012-1014.patch
+ epatch "${FILESDIR}"/CVE-2012-1015.patch
+}
+
+src_configure() {
+ append-cppflags "-I${EPREFIX}/usr/include/et"
+ # QA
+ append-flags -fno-strict-aliasing
+ append-flags -fno-strict-overflow
+ [[ $(gcc-version) == "4.7" ]] && replace-flags -O? -O0
+
+ use keyutils || export ac_cv_header_keyutils_h=no
+ econf \
+ $(use_with openldap ldap) \
+ "$(use_with test tcl "${EPREFIX}/usr")" \
+ $(use_enable pkinit) \
+ $(use_enable threads thread-support) \
+ --without-hesiod \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --enable-dns-for-realm \
+ --enable-kdc-lookaside-cache \
+ --with-system-verto \
+ --disable-rpath
+}
+
+src_compile() {
+ emake -j1
+
+ if use doc ; then
+ cd ../doc
+ for dir in api implement ; do
+ emake -C "${dir}"
+ done
+ fi
+}
+
+src_install() {
+ emake \
+ DESTDIR="${D}" \
+ EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+ install
+
+ # default database dir
+ keepdir /var/lib/krb5kdc
+
+ cd ..
+ dodoc NOTICE README
+ dodoc doc/*.{ps,txt}
+ doinfo doc/*.info*
+ dohtml -r doc/*.html
+
+ if use doc ; then
+ dodoc doc/{api,implement}/*.ps
+ fi
+
+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind
+ newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc
+ newinitd "${FILESDIR}"/mit-krb5kpropd.initd mit-krb5kpropd
+
+ insinto /etc
+ newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+ insinto /var/lib/krb5kdc
+ newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+ if use openldap ; then
+ insinto /etc/openldap/schema
+ doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+ fi
+
+ if use xinetd ; then
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}/kpropd.xinetd" kpropd
+ fi
+}
+
+pkg_preinst() {
+ if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
+ elog "MIT split the Kerberos applications from the base Kerberos"
+ elog "distribution. Kerberized versions of telnet, rlogin, rsh, rcp,"
+ elog "ftp clients and telnet, ftp deamons now live in"
+ elog "\"app-crypt/mit-krb5-appl\" package."
+ fi
+}
diff --git a/app-crypt/mit-krb5/mit-krb5-1.9.4-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.9.4-r1.ebuild
new file mode 100644
index 000000000000..de09a2fea359
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.9.4-r1.ebuild
@@ -0,0 +1,119 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.9.4-r1.ebuild,v 1.1 2012/08/01 16:38:00 eras Exp $
+
+EAPI=4
+inherit eutils flag-o-matic versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos"
+IUSE="doc +keyutils openldap +pkinit +threads test xinetd"
+
+RDEPEND="!!app-crypt/heimdal
+ >=sys-libs/e2fsprogs-libs-1.41.0
+ keyutils? ( sys-apps/keyutils )
+ openldap? ( net-nds/openldap )
+ xinetd? ( sys-apps/xinetd )"
+DEPEND="${RDEPEND}
+ virtual/yacc
+ doc? ( virtual/latex-base )
+ test? ( dev-lang/tcl
+ dev-lang/python
+ dev-util/dejagnu )"
+
+S=${WORKDIR}/${MY_P}/src
+
+src_unpack() {
+ unpack ${A}
+ unpack ./"${MY_P}".tar.gz
+}
+
+src_prepare() {
+ epatch "${FILESDIR}"/CVE-2012-1015.patch
+}
+
+src_configure() {
+ # QA
+ append-flags -fno-strict-aliasing
+ append-flags -fno-strict-overflow
+ use keyutils || export ac_cv_header_keyutils_h=no
+ econf \
+ $(use_with openldap ldap) \
+ "$(use_with test tcl "${EPREFIX}/usr")" \
+ $(use_enable pkinit) \
+ $(use_enable threads thread-support) \
+ --without-hesiod \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --enable-dns-for-realm \
+ --enable-kdc-lookaside-cache \
+ --disable-rpath
+}
+
+src_compile() {
+ emake -j1
+
+ if use doc ; then
+ cd ../doc
+ for dir in api implement ; do
+ emake -C "${dir}" || die "doc emake failed"
+ done
+ fi
+}
+
+src_install() {
+ emake \
+ DESTDIR="${D}" \
+ EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+ install
+
+ # default database dir
+ keepdir /var/lib/krb5kdc
+
+ cd ..
+ dodoc NOTICE README
+ dodoc doc/*.{ps,txt}
+ doinfo doc/*.info*
+ dohtml -r doc/*.html
+
+ # die if we cannot respect a USE flag
+ if use doc ; then
+ dodoc doc/{api,implement}/*.ps
+ fi
+
+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind
+ newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc
+ newinitd "${FILESDIR}"/mit-krb5kpropd.initd mit-krb5kpropd
+
+ insinto /etc
+ newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+ insinto /var/lib/krb5kdc
+ newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+ if use openldap ; then
+ insinto /etc/openldap/schema
+ doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+ fi
+
+ if use xinetd ; then
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}/kpropd.xinetd" kpropd
+ fi
+}
+
+pkg_preinst() {
+ if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
+ elog "MIT split the Kerberos applications from the base Kerberos"
+ elog "distribution. Kerberized versions of telnet, rlogin, rsh, rcp,"
+ elog "ftp clients and telnet, ftp deamons now live in"
+ elog "\"app-crypt/mit-krb5-appl\" package."
+ fi
+}