diff options
author | Eray Aslan <eras@gentoo.org> | 2011-04-14 06:38:45 +0000 |
---|---|---|
committer | Eray Aslan <eras@gentoo.org> | 2011-04-14 06:38:45 +0000 |
commit | 8698dd652f500e59559ce0c63a7bba74a7ef2ce9 (patch) | |
tree | 07963855780ac0ae2c55ff5557e51495a8dcd67d /app-crypt/mit-krb5 | |
parent | version bump (diff) | |
download | gentoo-2-8698dd652f500e59559ce0c63a7bba74a7ef2ce9.tar.gz gentoo-2-8698dd652f500e59559ce0c63a7bba74a7ef2ce9.tar.bz2 gentoo-2-8698dd652f500e59559ce0c63a7bba74a7ef2ce9.zip |
security bump - bug #363507
(Portage version: 2.1.9.46/cvs/Linux x86_64)
Diffstat (limited to 'app-crypt/mit-krb5')
-rw-r--r-- | app-crypt/mit-krb5/ChangeLog | 10 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2011-0285.patch | 39 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0285.patch | 35 | ||||
-rw-r--r-- | app-crypt/mit-krb5/mit-krb5-1.8.3-r5.ebuild | 119 | ||||
-rw-r--r-- | app-crypt/mit-krb5/mit-krb5-1.9-r3.ebuild | 120 |
5 files changed, 322 insertions, 1 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog index f054357ba304..4a5d1469c4e4 100644 --- a/app-crypt/mit-krb5/ChangeLog +++ b/app-crypt/mit-krb5/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for app-crypt/mit-krb5 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.271 2011/03/22 07:18:34 eras Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.272 2011/04/14 06:38:45 eras Exp $ + +*mit-krb5-1.9-r3 (14 Apr 2011) +*mit-krb5-1.8.3-r5 (14 Apr 2011) + + 14 Apr 2011; Eray Aslan <eras@gentoo.org> +mit-krb5-1.8.3-r5.ebuild, + +files/mit-krb5-1.8.3-CVE-2011-0285.patch, +mit-krb5-1.9-r3.ebuild, + +files/CVE-2011-0285.patch: + security bump - bug 363507 22 Mar 2011; Eray Aslan <eras@gentoo.org> -mit-krb5-1.8.3-r3.ebuild: remove vulnerable version diff --git a/app-crypt/mit-krb5/files/CVE-2011-0285.patch b/app-crypt/mit-krb5/files/CVE-2011-0285.patch new file mode 100644 index 000000000000..61039113f97c --- /dev/null +++ b/app-crypt/mit-krb5/files/CVE-2011-0285.patch @@ -0,0 +1,39 @@ +diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c +index 1124445..0056885 100644 +--- a/src/kadmin/server/schpw.c ++++ b/src/kadmin/server/schpw.c +@@ -52,6 +52,7 @@ process_chpw_request(context, server_handle, realm, keytab, + + ret = 0; + rep->length = 0; ++ rep->data = NULL; + + auth_context = NULL; + changepw = NULL; +@@ -76,8 +77,13 @@ process_chpw_request(context, server_handle, realm, keytab, + plen = (*ptr++ & 0xff); + plen = (plen<<8) | (*ptr++ & 0xff); + +- if (plen != req->length) +- return(KRB5KRB_AP_ERR_MODIFIED); ++ if (plen != req->length) { ++ ret = KRB5KRB_AP_ERR_MODIFIED; ++ numresult = KRB5_KPASSWD_MALFORMED; ++ strlcpy(strresult, "Request length was inconsistent", ++ sizeof(strresult)); ++ goto chpwfail; ++ } + + /* verify version number */ + +@@ -531,6 +537,10 @@ cleanup: + if (local_kaddrs != NULL) + krb5_free_addresses(server_handle->context, local_kaddrs); + ++ if ((*response)->data == NULL) { ++ free(*response); ++ *response = NULL; ++ } + krb5_kt_close(server_handle->context, kt); + + return ret; diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0285.patch b/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0285.patch new file mode 100644 index 000000000000..43daa9b50f2a --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0285.patch @@ -0,0 +1,35 @@ +diff --git a/src/kadmin/server/network.c b/src/kadmin/server/network.c +index c8ce4f1..bb911ff 100644 +--- a/src/kadmin/server/network.c ++++ b/src/kadmin/server/network.c +@@ -1384,6 +1384,10 @@ cleanup: + if (local_kaddrs != NULL) + krb5_free_addresses(server_handle->context, local_kaddrs); + ++ if ((*response)->data == NULL) { ++ free(*response); ++ *response = NULL; ++ } + krb5_kt_close(server_handle->context, kt); + + return ret; +diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c +index c1b2217..992b55f 100644 +--- a/src/kadmin/server/schpw.c ++++ b/src/kadmin/server/schpw.c +@@ -74,8 +74,13 @@ process_chpw_request(context, server_handle, realm, keytab, + plen = (*ptr++ & 0xff); + plen = (plen<<8) | (*ptr++ & 0xff); + +- if (plen != req->length) +- return(KRB5KRB_AP_ERR_MODIFIED); ++ if (plen != req->length) { ++ ret = KRB5KRB_AP_ERR_MODIFIED; ++ numresult = KRB5_KPASSWD_MALFORMED; ++ strlcpy(strresult, "Request length was inconsistent", ++ sizeof(strresult)); ++ goto chpwfail; ++ } + + /* verify version number */ + diff --git a/app-crypt/mit-krb5/mit-krb5-1.8.3-r5.ebuild b/app-crypt/mit-krb5/mit-krb5-1.8.3-r5.ebuild new file mode 100644 index 000000000000..6b772f6ac4d0 --- /dev/null +++ b/app-crypt/mit-krb5/mit-krb5-1.8.3-r5.ebuild @@ -0,0 +1,119 @@ +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.8.3-r5.ebuild,v 1.1 2011/04/14 06:38:45 eras Exp $ + +EAPI=2 + +inherit eutils flag-o-matic versionator + +MY_P=${P/mit-} +P_DIR=$(get_version_component_range 1-2) +DESCRIPTION="MIT Kerberos V" +HOMEPAGE="http://web.mit.edu/kerberos/www/" +SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar" + +LICENSE="as-is" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" +IUSE="doc openldap test xinetd" + +RDEPEND="!!app-crypt/heimdal + >=sys-libs/e2fsprogs-libs-1.41.0 + sys-apps/keyutils + openldap? ( net-nds/openldap ) + xinetd? ( sys-apps/xinetd )" +DEPEND="${RDEPEND} + doc? ( virtual/latex-base ) + test? ( dev-lang/tcl + dev-lang/perl + dev-util/dejagnu )" + +S=${WORKDIR}/${MY_P}/src + +src_unpack() { + unpack ${A} + unpack ./"${MY_P}".tar.gz +} + +src_prepare() { + epatch "${FILESDIR}/CVE-2010-1322.patch" + epatch "${FILESDIR}/CVE-2010-1323.1324.4020.patch" + epatch "${FILESDIR}/CVE-2010-4022.patch" + epatch "${FILESDIR}/${P}-CVE-2011-0281.0282.0283.patch" + epatch "${FILESDIR}/CVE-2011-0284.patch" + epatch "${FILESDIR}/${P}-CVE-2011-0285.patch" + epatch "${FILESDIR}/mit-krb5_testsuite.patch" +} + +src_configure() { + append-flags "-I/usr/include/et" + econf \ + $(use_with openldap ldap) \ + $(use_with test tcl /usr) \ + --without-krb4 \ + --enable-shared \ + --with-system-et \ + --with-system-ss \ + --enable-dns-for-realm \ + --enable-kdc-replay-cache \ + --disable-rpath +} + +src_compile() { + emake -j1 || die "emake failed" + + if use doc ; then + cd ../doc + for dir in api implement ; do + emake -C "${dir}" || die "doc emake failed" + done + fi +} + +src_install() { + emake \ + DESTDIR="${D}" \ + EXAMPLEDIR="/usr/share/doc/${PF}/examples" \ + install || die "install failed" + + # default database dir + keepdir /var/lib/krb5kdc + + cd .. + dodoc README + dodoc doc/*.{ps,txt} + doinfo doc/*.info* + dohtml -r doc/*.html + + # die if we cannot respect a USE flag + if use doc ; then + dodoc doc/{api,implement}/*.ps || die "dodoc failed" + fi + + newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind || die + newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc || die + + insinto /etc + newins "${D}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example + insinto /var/lib/krb5kdc + newins "${D}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example + + if use openldap ; then + insinto /etc/openldap/schema + doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema" || die + fi + + if use xinetd ; then + insinto /etc/xinetd.d + newins "${FILESDIR}/kpropd.xinetd" kpropd || die + fi +} + +pkg_preinst() { + if has_version "<${CATEGORY}/${PN}-1.8.0" ; then + elog "MIT split the Kerberos applications from the base Kerberos" + elog "distribution. Kerberized versions of telnet, rlogin, rsh, rcp," + elog "ftp clients and telnet, ftp deamons now live in" + elog "\"app-crypt/mit-krb5-appl\" package." + fi +} diff --git a/app-crypt/mit-krb5/mit-krb5-1.9-r3.ebuild b/app-crypt/mit-krb5/mit-krb5-1.9-r3.ebuild new file mode 100644 index 000000000000..ac62ffc86b7a --- /dev/null +++ b/app-crypt/mit-krb5/mit-krb5-1.9-r3.ebuild @@ -0,0 +1,120 @@ +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.9-r3.ebuild,v 1.1 2011/04/14 06:38:45 eras Exp $ + +EAPI=3 + +inherit eutils flag-o-matic versionator + +MY_P="${P/mit-}" +P_DIR=$(get_version_component_range 1-2) +DESCRIPTION="MIT Kerberos V" +HOMEPAGE="http://web.mit.edu/kerberos/www/" +SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar" + +LICENSE="as-is" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos" +IUSE="doc +keyutils openldap +pkinit +threads test xinetd" + +RDEPEND="!!app-crypt/heimdal + >=sys-libs/e2fsprogs-libs-1.41.0 + keyutils? ( sys-apps/keyutils ) + openldap? ( net-nds/openldap ) + xinetd? ( sys-apps/xinetd )" +DEPEND="${RDEPEND} + doc? ( virtual/latex-base ) + test? ( dev-lang/tcl + dev-lang/python + dev-util/dejagnu )" + +S=${WORKDIR}/${MY_P}/src + +src_unpack() { + unpack ${A} + unpack ./"${MY_P}".tar.gz +} + +src_prepare() { + epatch "${FILESDIR}/CVE-2010-4022.patch" + epatch "${FILESDIR}/CVE-2011-0281.0282.0283.patch" + epatch "${FILESDIR}/CVE-2011-0284.patch" + epatch "${FILESDIR}/CVE-2011-0285.patch" +} + +src_configure() { + append-flags "-I${EPREFIX}/usr/include/et" + use keyutils || export ac_cv_header_keyutils_h=no + econf \ + $(use_with openldap ldap) \ + "$(use_with test tcl "${EPREFIX}/usr")" \ + $(use_enable pkinit) \ + $(use_enable threads thread-support) \ + --without-krb4 \ + --without-hesiod \ + --enable-shared \ + --with-system-et \ + --with-system-ss \ + --enable-dns-for-realm \ + --enable-kdc-lookaside-cache \ + --disable-rpath +} + +src_compile() { + emake -j1 || die "emake failed" + + if use doc ; then + cd ../doc + for dir in api implement ; do + emake -C "${dir}" || die "doc emake failed" + done + fi +} + +src_install() { + emake \ + DESTDIR="${D}" \ + EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \ + install || die "install failed" + + # default database dir + keepdir /var/lib/krb5kdc + + cd .. + dodoc NOTICE README + dodoc doc/*.{ps,txt} + doinfo doc/*.info* + dohtml -r doc/*.html + + # die if we cannot respect a USE flag + if use doc ; then + dodoc doc/{api,implement}/*.ps || die "dodoc failed" + fi + + newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind || die + newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc || die + + insinto /etc + newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example + insinto /var/lib/krb5kdc + newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example + + if use openldap ; then + insinto /etc/openldap/schema + doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema" || die + fi + + if use xinetd ; then + insinto /etc/xinetd.d + newins "${FILESDIR}/kpropd.xinetd" kpropd || die + fi +} + +pkg_preinst() { + if has_version "<${CATEGORY}/${PN}-1.8.0" ; then + elog "MIT split the Kerberos applications from the base Kerberos" + elog "distribution. Kerberized versions of telnet, rlogin, rsh, rcp," + elog "ftp clients and telnet, ftp deamons now live in" + elog "\"app-crypt/mit-krb5-appl\" package." + fi +} |