authorChristian Heim <phreak@gentoo.org>2007-01-10 21:48:46 +0000
committerChristian Heim <phreak@gentoo.org>2007-01-10 21:48:46 +0000
commit88a19c2ad5248f2da412b81951f9547c8d09f041 (patch)
tree6499b835b2fc42f2fa3b802d2085656547d97252 /net-www/mod_auth_kerb/files
parentAdd missing email address for herd with name != alias. (diff)
Revision bump for bug 155782 (CVE-2006-5989), also fixing compilation with gcc4.
(Portage version: 2.1.2_rc4-r6)
Diffstat (limited to 'net-www/mod_auth_kerb/files')
-rw-r--r--net-www/mod_auth_kerb/files/digest-mod_auth_kerb-5.0_rc6-r13
-rw-r--r--net-www/mod_auth_kerb/files/digest-mod_auth_kerb-5.0_rc7-r13
-rw-r--r--net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-CVE-2006-5989.patch13
-rw-r--r--net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-axps1.patch38
-rw-r--r--net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-cache.patch128
-rw-r--r--net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-exports.patch13
-rw-r--r--net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-gcc4.patch13
7 files changed, 211 insertions, 0 deletions
diff --git a/net-www/mod_auth_kerb/files/digest-mod_auth_kerb-5.0_rc6-r1 b/net-www/mod_auth_kerb/files/digest-mod_auth_kerb-5.0_rc6-r1
new file mode 100644
index 000000000000..f2c5c3caa645
--- /dev/null
+++ b/net-www/mod_auth_kerb/files/digest-mod_auth_kerb-5.0_rc6-r1
@@ -0,0 +1,3 @@
+MD5 274edfb950af20ce6ef0ddcb7c20263a mod_auth_kerb-5.0-rc6.tar.gz 68761
+RMD160 a9a277c532e7f72b3a649346e88db7aea1889036 mod_auth_kerb-5.0-rc6.tar.gz 68761
+SHA256 ae33ab3ae5b419819725091d154add1a1d1a5d6d97e31e9f327f71a0b6370d3e mod_auth_kerb-5.0-rc6.tar.gz 68761
diff --git a/net-www/mod_auth_kerb/files/digest-mod_auth_kerb-5.0_rc7-r1 b/net-www/mod_auth_kerb/files/digest-mod_auth_kerb-5.0_rc7-r1
new file mode 100644
index 000000000000..6b594c76c730
--- /dev/null
+++ b/net-www/mod_auth_kerb/files/digest-mod_auth_kerb-5.0_rc7-r1
@@ -0,0 +1,3 @@
+MD5 139b63c98333682e611515b225b5222d mod_auth_kerb-5.0rc7.tar.gz 72272
+RMD160 f336f1c9c4b67a88fd162395ec1299f73c5e89c4 mod_auth_kerb-5.0rc7.tar.gz 72272
+SHA256 8cd4cdcc635ad153c82041d2256b17566bc74618ee79336f432e74b1d5a0930a mod_auth_kerb-5.0rc7.tar.gz 72272
diff --git a/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-CVE-2006-5989.patch b/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-CVE-2006-5989.patch
new file mode 100644
index 000000000000..db64f8831f23
--- /dev/null
+++ b/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-CVE-2006-5989.patch
@@ -0,0 +1,13 @@
+Index: mod_auth_kerb-5.0-rc6/spnegokrb5/der_get.c
+===================================================================
+--- mod_auth_kerb-5.0-rc6.orig/spnegokrb5/der_get.c
++++ mod_auth_kerb-5.0-rc6/spnegokrb5/der_get.c
+@@ -151,7 +151,7 @@ der_get_oid (const unsigned char *p, siz
+ if (len < 1)
+ return ASN1_OVERRUN;
+
+- data->components = malloc(len * sizeof(*data->components));
++ data->components = malloc((len + 1) * sizeof(*data->components));
+ if (data->components == NULL && len != 0)
+ return ENOMEM;
+ data->components[0] = (*p) / 40;
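Review bot: The new size expression `(len + 1) * sizeof(*data->components)` in der_get_oid is still unchecked arithmetic on a length taken from the decoded token, so a very large len would wrap the product and leave the buffer too small for the writes that follow. Whether a caller already bounds len against the bytes actually received is not visible in this hunk, so a guard before the malloc such as `if (len > SIZE_MAX / sizeof(*data->components) - 1) return ASN1_OVERRUN;` would make the fix self-contained. With `len < 1` rejected above and the request size now never zero, the `&& len != 0` in the NULL check is dead; dropping it makes it obvious that every allocation failure returns ENOMEM before `data->components[0]` is written. The function body continues outside the hunk.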
diff --git a/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-axps1.patch b/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-axps1.patch
new file mode 100644
index 000000000000..8b40aa7ddee1
--- /dev/null
+++ b/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-axps1.patch
@@ -0,0 +1,38 @@
+Index: mod_auth_kerb-5.0-rc6/src/mod_auth_kerb.c
+===================================================================
+--- mod_auth_kerb-5.0-rc6.orig/src/mod_auth_kerb.c
++++ mod_auth_kerb-5.0-rc6/src/mod_auth_kerb.c
+@@ -56,7 +56,7 @@
+ #include <http_request.h>
+
+ #ifdef STANDARD20_MODULE_STUFF
+-#include <ap_compat.h>
++#include <ap_mmn.h>
+ #include <apr_strings.h>
+ #include <apr_base64.h>
+ #endif
+@@ -105,6 +105,24 @@ module auth_kerb_module;
+ #define MK_TABLE_GET apr_table_get
+ #define MK_USER r->user
+ #define MK_AUTH_TYPE r->ap_auth_type
++
++#if AP_MODULE_MAGIC_AT_LEAST(20051115, 0)
++/* APR 1.x compatibility */
++#define ap_pstrdup apr_pstrdup
++#define ap_psprintf apr_psprintf
++#define ap_pcalloc apr_pcalloc
++#define ap_table_setn apr_table_setn
++#define ap_register_cleanup apr_pool_cleanup_register
++#define APR_XtOffsetOf APR_OFFSETOF
++#define ap_pstrcat apr_pstrcat
++#define ap_null_cleanup apr_pool_cleanup_null
++#define ap_base64decode apr_base64_decode
++#define ap_base64decode_len apr_base64_decode_len
++#define ap_base64encode apr_base64_encode
++#define ap_base64encode_len apr_base64_encode_len
++#define ap_table_add apr_table_add
++#endif
++
+ #else
+ #define MK_POOL pool
+ #define MK_TABLE_GET ap_table_get
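Review bot: Swapping `<ap_compat.h>` for `<ap_mmn.h>` drops the ap_* compatibility names for every STANDARD20_MODULE_STUFF build, but the replacement macros are defined only when `AP_MODULE_MAGIC_AT_LEAST(20051115, 0)` is true. On a server with an older module magic number the module appears to be left without ap_pstrdup, ap_pcalloc and the other names it uses. Adding `#else` and `#include <ap_compat.h>` before the new `#endif` would keep those builds compiling. The `/* APR 1.x compatibility */` comment could also state which server release the magic number stands for, so the condition can be checked later.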
diff --git a/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-cache.patch b/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-cache.patch
new file mode 100644
index 000000000000..d3260c925bbf
--- /dev/null
+++ b/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-cache.patch
@@ -0,0 +1,128 @@
+Index: mod_auth_kerb-5.0-rc6/src/mod_auth_kerb.c
+===================================================================
+--- mod_auth_kerb-5.0-rc6.orig/src/mod_auth_kerb.c
++++ mod_auth_kerb-5.0-rc6/src/mod_auth_kerb.c
+@@ -61,6 +61,8 @@
+ #include <apr_base64.h>
+ #endif
+
++#include <unistd.h>
++
+ #ifdef KRB5
+ #include <krb5.h>
+ #ifdef HEIMDAL
+@@ -137,7 +139,7 @@ set_kerb_auth_headers(request_rec *r, co
+ int use_krb4, int use_krb5pwd, char *negotiate_ret_value);
+
+ static const char*
+-krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, char *arg);
++krb5_save_realms(cmd_parms *cmd, void *config, const char *arg);
+
+ #ifdef STANDARD20_MODULE_STUFF
+ #define command(name, func, var, type, usage) \
+@@ -247,8 +249,9 @@ static void *kerb_dir_create_config(MK_P
+ }
+
+ static const char*
+-krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, char *arg)
++krb5_save_realms(cmd_parms *cmd, void *config, const char *arg)
+ {
++ kerb_auth_config *sec = config;
+ sec->krb_auth_realms= ap_pstrdup(cmd->pool, arg);
+ return NULL;
+ }
+@@ -1086,6 +1089,8 @@ cmp_gss_type(gss_buffer_t token, gss_OID
+ return memcmp(p, oid->elements, oid->length);
+ }
+
++#define NAMEKEY "mod_auth_kerb:client_name"
++
+ static int
+ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
+ const char *auth_line, char **negotiate_ret_value)
+@@ -1224,7 +1229,16 @@ authenticate_user_gss(request_rec *r, ke
+ }
+
+ MK_AUTH_TYPE = "Negotiate";
+- MK_USER = ap_pstrdup(r->pool, output_token.value);
++ MK_USER = ap_pstrdup(r->connection->pool, output_token.value);
++
++#ifndef APXS1
++ {
++ apr_status_t rv;
++ rv = apr_pool_userdata_set(r->user, NAMEKEY, NULL, r->connection->pool);
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
++ "set cached name %s for connection", r->user);
++ }
++#endif
+
+ if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
+ store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
+@@ -1256,17 +1270,6 @@ end:
+ }
+ #endif /* KRB5 */
+
+-static int
+-already_succeeded(request_rec *r)
+-{
+- if (ap_is_initial_req(r) || MK_AUTH_TYPE == NULL)
+- return 0;
+- if (strcmp(MK_AUTH_TYPE, "Negotiate") ||
+- (strcmp(MK_AUTH_TYPE, "Basic") && strchr(MK_USER, '@')))
+- return 1;
+- return 0;
+-}
+-
+ static void
+ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf,
+ int use_krb4, int use_krb5pwd, char *negotiate_ret_value)
+@@ -1313,7 +1316,6 @@ int kerb_authenticate_user(request_rec *
+ const char *type = NULL;
+ int use_krb5 = 0, use_krb4 = 0;
+ int ret;
+- static int last_return = HTTP_UNAUTHORIZED;
+ char *negotiate_ret_value = NULL;
+
+ /* get the type specified in .htaccess */
+@@ -1332,6 +1334,23 @@ int kerb_authenticate_user(request_rec *
+ else
+ return DECLINED;
+
++#ifndef APXS1
++ if (use_krb5 && conf->krb_method_gssapi) {
++ void *data = NULL;
++ const char *name;
++
++ if (apr_pool_userdata_get(&data, NAMEKEY, r->connection->pool) == APR_SUCCESS
++ && data != NULL) {
++ name = data;
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "using cached name %s", name);
++ r->user = ap_pstrdup(r->pool, name);
++ r->ap_auth_type = "Negotiate";
++ return OK;
++ }
++ }
++#endif
++
+ /* get what the user sent us in the HTTP header */
+ auth_line = MK_TABLE_GET(r->headers_in, (r->proxyreq == PROXYREQ_PROXY)
+ ? "Proxy-Authorization"
+@@ -1354,9 +1373,6 @@ int kerb_authenticate_user(request_rec *
+ (strcasecmp(auth_type, "Basic") == 0))
+ return DECLINED;
+
+- if (already_succeeded(r))
+- return last_return;
+-
+ ret = HTTP_UNAUTHORIZED;
+
+ #ifdef KRB5
+@@ -1380,7 +1396,6 @@ int kerb_authenticate_user(request_rec *
+
+ /* XXX log_debug: if ret==OK, log(user XY authenticated) */
+
+- last_return = ret;
+ return ret;
+ }
+
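Review bot: The cached-name block added to kerb_authenticate_user returns OK before the request's own Authorization header is read, so after one successful Negotiate exchange the identity is bound to the connection rather than to each request. That is only sound when a connection carries a single client; behind a reverse proxy or balancer that reuses one backend connection for several users, a later request would inherit `r->user` from an earlier one. The shortcut also consults nothing from the per-directory config beyond `krb_method_gssapi`, so as far as this hunk shows a name accepted for one location is reused unchanged for another. Consider taking the cached path only when the request carries no credentials of its own, and put a comment on the block such as `/* identity is cached per connection: unsafe if an intermediary shares connections between clients */`. In authenticate_user_gss the status of `apr_pool_userdata_set` is only passed to the debug log, so a failed store goes unnoticed; both functions continue outside the hunks shown.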
diff --git a/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-exports.patch b/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-exports.patch
new file mode 100644
index 000000000000..3df03c9e698a
--- /dev/null
+++ b/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-exports.patch
@@ -0,0 +1,13 @@
+Index: mod_auth_kerb-5.0-rc6/Makefile.in
+===================================================================
+--- mod_auth_kerb-5.0-rc6.orig/Makefile.in
++++ mod_auth_kerb-5.0-rc6/Makefile.in
+@@ -7,7 +7,7 @@ LIB_resolv = @LIB_resolv@
+ SPNEGO_SRCS = @SPNEGO_SRCS@
+
+ CPPFLAGS = -I. -Ispnegokrb5 $(KRB5_CPPFLAGS) $(KRB4_CPPFLAGS) $(DEFS)
+-LDFLAGS = $(KRB5_LDFLAGS) $(KRB4_LDFLAGS) $(LIB_resolv)
++LDFLAGS = $(KRB5_LDFLAGS) $(KRB4_LDFLAGS) $(LIB_resolv) -Wl,-export-symbols-regex -Wl,auth_kerb_module
+ CFLAGS =
+
+ all: src/mod_auth_kerb.so
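Review bot: `-export-symbols-regex` is a libtool link-mode option, so spelling it `-Wl,-export-symbols-regex -Wl,auth_kerb_module` in LDFLAGS works only if the link driver strips the `-Wl,` prefix and hands both words to libtool; passed straight to the system linker they would not have this meaning. How LDFLAGS reaches the link step is not visible in this hunk, so this should be confirmed against the rule that builds `src/mod_auth_kerb.so`. A comment above the line, for example `# libtool flags: export only auth_kerb_module from the module`, would record the intent, which is presumably to keep the bundled spnegokrb5 symbols from clashing with system libraries.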
diff --git a/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-gcc4.patch b/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-gcc4.patch
new file mode 100644
index 000000000000..8d563739e0a7
--- /dev/null
+++ b/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-gcc4.patch
@@ -0,0 +1,13 @@
+Index: mod_auth_kerb-5.0-rc6/spnegokrb5/spnego_asn1.h
+===================================================================
+--- mod_auth_kerb-5.0-rc6.orig/spnegokrb5/spnego_asn1.h
++++ mod_auth_kerb-5.0-rc6/spnegokrb5/spnego_asn1.h
+@@ -7,6 +7,8 @@
+ #include <stddef.h>
+ #include <time.h>
+
++#include "parse_units.h"
++
+ #ifndef __asn1_common_definitions__
+ #define __asn1_common_definitions__
+