Security bump - bug #517936

(Portage version: 2.2.10/cvs/Linux x86_64, signed Manifest commit with key 0x77F1F175586A3B1F)
author: Eray Aslan <eras@gentoo.org> 2014-07-25 13:40:34 +0000
committer: Eray Aslan <eras@gentoo.org> 2014-07-25 13:40:34 +0000
commit: 90ce89cea9d3b88ad198b2edd401377f05c37a19 (patch)
tree: dc88cf4cb5a53f2f549851d5b912dc9a84de2df0 /app-crypt
parent: Cleanup old. (diff)
download: gentoo-2-90ce89cea9d3b88ad198b2edd401377f05c37a19.tar.gz
gentoo-2-90ce89cea9d3b88ad198b2edd401377f05c37a19.tar.bz2
gentoo-2-90ce89cea9d3b88ad198b2edd401377f05c37a19.zip
4 files changed, 180 insertions, 1 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog
index e7d61c73ef8d..19248dd32c4a 100644
--- a/app-crypt/mit-krb5/ChangeLog
+++ b/app-crypt/mit-krb5/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for app-crypt/mit-krb5
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.406 2014/07/23 15:13:07 ago Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.407 2014/07/25 13:40:34 eras Exp $
+
+*mit-krb5-1.12.1-r2 (25 Jul 2014)
+
+  25 Jul 2014; Eray Aslan <eras@gentoo.org> +files/CVE-2014-4343.patch,
+  +files/CVE-2014-4344.patch, +mit-krb5-1.12.1-r2.ebuild:
+  Security bump - bug #517936
 
   23 Jul 2014; Agostino Sarubbo <ago@gentoo.org> mit-krb5-1.12.1-r1.ebuild:
   Stable for x86, wrt bug #512012
diff --git a/app-crypt/mit-krb5/files/CVE-2014-4343.patch b/app-crypt/mit-krb5/files/CVE-2014-4343.patch
new file mode 100644
index 000000000000..cb229f99ad46
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2014-4343.patch
@@ -0,0 +1,11 @@
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ 	OM_uint32 tmpmin;
+ 	size_t i;
+ 
+-	generic_gss_release_oid(&tmpmin, &sc->internal_mech);
+ 	gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
+ 			       GSS_C_NO_BUFFER);
+ 
+
diff --git a/app-crypt/mit-krb5/files/CVE-2014-4344.patch b/app-crypt/mit-krb5/files/CVE-2014-4344.patch
new file mode 100644
index 000000000000..241d3ee5588a
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2014-4344.patch
@@ -0,0 +1,12 @@
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat,
+ 
+ 	ptr = bufstart = buf->value;
+ #define REMAIN (buf->length - (ptr - bufstart))
+-	if (REMAIN > INT_MAX)
++	if (REMAIN == 0 || REMAIN > INT_MAX)
+ 		return GSS_S_DEFECTIVE_TOKEN;
+ 
+ 	/*
+
diff --git a/app-crypt/mit-krb5/mit-krb5-1.12.1-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.12.1-r2.ebuild
new file mode 100644
index 000000000000..605f89d13136
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.12.1-r2.ebuild
@@ -0,0 +1,150 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.12.1-r2.ebuild,v 1.1 2014/07/25 13:40:34 eras Exp $
+
+EAPI=5
+
+PYTHON_COMPAT=( python{2_6,2_7} )
+inherit autotools eutils flag-o-matic multilib-minimal python-any-r1 versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="doc +keyutils openldap +pkinit selinux +threads test xinetd"
+
+RDEPEND="!!app-crypt/heimdal
+	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+	|| ( >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}] )
+	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
+	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+	pkinit? ( >=dev-libs/openssl-1.0.1h-r2[${MULTILIB_USEDEP}] )
+	selinux? ( sec-policy/selinux-kerberos )
+	xinetd? ( sys-apps/xinetd )
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508-r1
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)"
+DEPEND="${RDEPEND}
+	${PYTHON_DEPS}
+	virtual/yacc
+	doc? ( virtual/latex-base )
+	test? ( ${PYTHON_DEPS}
+			dev-lang/tcl
+			dev-util/dejagnu )"
+
+S=${WORKDIR}/${MY_P}/src
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+src_unpack() {
+	unpack ${A}
+	unpack ./"${MY_P}".tar.gz
+}
+
+src_prepare() {
+	epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+	epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+	epatch "${FILESDIR}/CVE-2014-4343.patch"
+	epatch "${FILESDIR}/CVE-2014-4344.patch"
+
+	# tcl-8.6 compatibility
+	sed -i -e 's/interp->result/Tcl_GetStringResult(interp)/' \
+		kadmin/testing/util/tcl_kadm5.c || die
+
+	eautoreconf
+}
+
+src_configure() {
+	append-cppflags "-I${EPREFIX}/usr/include/et"
+	# QA
+	append-flags -fno-strict-aliasing
+	append-flags -fno-strict-overflow
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use keyutils || export ac_cv_header_keyutils_h=no
+	ECONF_SOURCE=${S} \
+	WARN_CFLAGS="set" \
+	econf \
+		$(use_with openldap ldap) \
+		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable pkinit) \
+		$(use_enable threads thread-support) \
+		--without-hesiod \
+		--enable-shared \
+		--with-system-et \
+		--with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-lookaside-cache \
+		--with-system-verto \
+		--disable-rpath
+}
+
+multilib_src_compile() {
+	emake -j1
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+		install
+}
+
+multilib_src_install_all() {
+	# default database dir
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+
+	if use doc; then
+		dohtml -r doc/html/*
+		docinto pdf
+		dodoc doc/pdf/*.pdf
+	fi
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r1 mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r1 mit-krb5kdc
+	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r1 mit-krb5kpropd
+
+	insinto /etc
+	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	insinto /var/lib/krb5kdc
+	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	if use openldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+	fi
+
+	if use xinetd ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/kpropd.xinetd" kpropd
+	fi
+}
+
+pkg_preinst() {
+	if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
+		elog "MIT split the Kerberos applications from the base Kerberos"
+		elog "distribution.  Kerberized versions of telnet, rlogin, rsh, rcp,"
+		elog "ftp clients and telnet, ftp deamons now live in"
+		elog "\"app-crypt/mit-krb5-appl\" package."
+	fi
+}
author	Eray Aslan <eras@gentoo.org>	2014-07-25 13:40:34 +0000
committer	Eray Aslan <eras@gentoo.org>	2014-07-25 13:40:34 +0000
commit	90ce89cea9d3b88ad198b2edd401377f05c37a19 (patch)
tree	dc88cf4cb5a53f2f549851d5b912dc9a84de2df0 /app-crypt
parent	Cleanup old. (diff)
download	gentoo-2-90ce89cea9d3b88ad198b2edd401377f05c37a19.tar.gz gentoo-2-90ce89cea9d3b88ad198b2edd401377f05c37a19.tar.bz2 gentoo-2-90ce89cea9d3b88ad198b2edd401377f05c37a19.zip