summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEray Aslan <eras@gentoo.org>2012-12-24 17:43:25 +0000
committerEray Aslan <eras@gentoo.org>2012-12-24 17:43:25 +0000
commiteef6732088ff23825491e3abfac4bdcc0b0e6324 (patch)
treeef098dd21c9991f4c300758ed47d0a674c10ce4d /app-crypt/mit-krb5
parentRemove redundant einfo message. (diff)
downloadgentoo-2-eef6732088ff23825491e3abfac4bdcc0b0e6324.tar.gz
gentoo-2-eef6732088ff23825491e3abfac4bdcc0b0e6324.tar.bz2
gentoo-2-eef6732088ff23825491e3abfac4bdcc0b0e6324.zip
Remove old patches
(Portage version: 2.2.0_alpha149/cvs/Linux x86_64, signed Manifest commit with key 0x77F1F175586A3B1F)
Diffstat (limited to 'app-crypt/mit-krb5')
-rw-r--r--app-crypt/mit-krb5/ChangeLog12
-rw-r--r--app-crypt/mit-krb5/files/2011-006-patch-r18.patch73
-rw-r--r--app-crypt/mit-krb5/files/CVE-2010-1322.patch33
-rw-r--r--app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch202
-rw-r--r--app-crypt/mit-krb5/files/CVE-2010-4022.patch19
-rw-r--r--app-crypt/mit-krb5/files/CVE-2011-0281.0282.0283.patch126
-rw-r--r--app-crypt/mit-krb5/files/CVE-2011-0284.patch13
-rw-r--r--app-crypt/mit-krb5/files/CVE-2011-0285.patch39
-rw-r--r--app-crypt/mit-krb5/files/CVE-2011-1530.patch40
-rw-r--r--app-crypt/mit-krb5/files/mit-krb5-1.10_uninitialized.patch13
-rw-r--r--app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0281.0282.0283.patch112
-rw-r--r--app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0285.patch35
-rw-r--r--app-crypt/mit-krb5/files/mit-krb5-kprop_exit_on_error.patch25
-rw-r--r--app-crypt/mit-krb5/files/mit-krb5_testsuite.patch93
14 files changed, 11 insertions, 824 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog
index 0eb755162b4d..166553a45d29 100644
--- a/app-crypt/mit-krb5/ChangeLog
+++ b/app-crypt/mit-krb5/ChangeLog
@@ -1,6 +1,16 @@
# ChangeLog for app-crypt/mit-krb5
# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.346 2012/12/24 17:27:55 eras Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.347 2012/12/24 17:43:24 eras Exp $
+
+ 24 Dec 2012; Eray Aslan <eras@gentoo.org> -files/2011-006-patch-r18.patch,
+ -files/CVE-2010-1322.patch, -files/CVE-2010-1323.1324.4020.patch,
+ -files/CVE-2010-4022.patch, -files/CVE-2011-0281.0282.0283.patch,
+ -files/CVE-2011-0284.patch, -files/CVE-2011-0285.patch,
+ -files/CVE-2011-1530.patch, -files/mit-krb5-1.10_uninitialized.patch,
+ -files/mit-krb5-1.8.3-CVE-2011-0281.0282.0283.patch,
+ -files/mit-krb5-1.8.3-CVE-2011-0285.patch,
+ -files/mit-krb5-kprop_exit_on_error.patch, -files/mit-krb5_testsuite.patch:
+ Remove old patches
24 Dec 2012; Eray Aslan <eras@gentoo.org>
files/mit-krb5-1.11_uninitialized.patch:
diff --git a/app-crypt/mit-krb5/files/2011-006-patch-r18.patch b/app-crypt/mit-krb5/files/2011-006-patch-r18.patch
deleted file mode 100644
index 2da0e1439d82..000000000000
--- a/app-crypt/mit-krb5/files/2011-006-patch-r18.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c
-index 498c0de..5f973fb 100644
---- a/src/plugins/kdb/db2/lockout.c
-+++ b/src/plugins/kdb/db2/lockout.c
-@@ -158,13 +158,23 @@ krb5_db2_lockout_audit(krb5_context context,
- return 0;
- }
-
-+ if (entry == NULL)
-+ return 0;
-+
- code = lookup_lockout_policy(context, entry, &max_fail,
- &failcnt_interval,
- &lockout_duration);
- if (code != 0)
- return code;
-
-- assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry));
-+ /*
-+ * Don't continue to modify the DB for an already locked account.
-+ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
-+ * this check is unneeded, but in rare cases, we can fail with an
-+ * integrity error or preauth failure before a policy check.)
-+ */
-+ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
-+ return 0;
-
- if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) {
- /*
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-index 626ed1f..68e8ec4 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-@@ -131,6 +131,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
- CHECK_LDAP_HANDLE(ldap_context);
-
- if (is_principal_in_realm(ldap_context, searchfor) != 0) {
-+ st = KRB5_KDB_NOENTRY;
- *more = 0;
- krb5_set_error_message (context, st, "Principal does not belong to realm");
- goto cleanup;
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
-index 020c77a..24b9493 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
-@@ -150,15 +150,25 @@ krb5_ldap_lockout_audit(krb5_context context,
- return 0;
- }
-
-+ if (entry == NULL)
-+ return 0;
-+
- code = lookup_lockout_policy(context, entry, &max_fail,
- &failcnt_interval,
- &lockout_duration);
- if (code != 0)
- return code;
-
-- entry->mask = 0;
-+ /*
-+ * Don't continue to modify the DB for an already locked account.
-+ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
-+ * this check is unneeded, but in rare cases, we can fail with an
-+ * integrity error or preauth failure before a policy check.)
-+ */
-+ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
-+ return 0;
-
-- assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry));
-+ entry->mask = 0;
-
- if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) {
- /*
diff --git a/app-crypt/mit-krb5/files/CVE-2010-1322.patch b/app-crypt/mit-krb5/files/CVE-2010-1322.patch
deleted file mode 100644
index 0de12e62f3e1..000000000000
--- a/app-crypt/mit-krb5/files/CVE-2010-1322.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
-index b5de64d..cc44e29 100644
---- a/src/kdc/kdc_authdata.c
-+++ b/src/kdc/kdc_authdata.c
-@@ -495,7 +495,7 @@ merge_authdata (krb5_context context,
- krb5_boolean copy,
- krb5_boolean ignore_kdc_issued)
- {
-- size_t i, nadata = 0;
-+ size_t i, j, nadata = 0;
- krb5_authdata **authdata = *out_authdata;
-
- if (in_authdata == NULL || in_authdata[0] == NULL)
-@@ -529,16 +529,16 @@ merge_authdata (krb5_context context,
- in_authdata = tmp;
- }
-
-- for (i = 0; in_authdata[i] != NULL; i++) {
-+ for (i = 0, j = 0; in_authdata[i] != NULL; i++) {
- if (ignore_kdc_issued &&
- is_kdc_issued_authdatum(context, in_authdata[i], 0)) {
- free(in_authdata[i]->contents);
- free(in_authdata[i]);
- } else
-- authdata[nadata + i] = in_authdata[i];
-+ authdata[nadata + j++] = in_authdata[i];
- }
-
-- authdata[nadata + i] = NULL;
-+ authdata[nadata + j] = NULL;
-
- free(in_authdata);
-
diff --git a/app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch b/app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch
deleted file mode 100644
index b1c3793b9ffb..000000000000
--- a/app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch
+++ /dev/null
@@ -1,202 +0,0 @@
-Index: krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c
-===================================================================
---- krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (revision 24455)
-+++ krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (working copy)
-@@ -691,8 +691,7 @@
- krb5_reply_key_pack *key_pack = NULL;
- krb5_reply_key_pack_draft9 *key_pack9 = NULL;
- krb5_data *encoded_key_pack = NULL;
-- unsigned int num_types;
-- krb5_cksumtype *cksum_types = NULL;
-+ krb5_cksumtype cksum_type;
-
- pkinit_kdc_context plgctx;
- pkinit_kdc_req_context reqctx;
-@@ -882,14 +881,25 @@
- retval = ENOMEM;
- goto cleanup;
- }
-- /* retrieve checksums for a given enctype of the reply key */
-- retval = krb5_c_keyed_checksum_types(context,
-- encrypting_key->enctype, &num_types, &cksum_types);
-- if (retval)
-- goto cleanup;
-
-- /* pick the first of acceptable enctypes for the checksum */
-- retval = krb5_c_make_checksum(context, cksum_types[0],
-+ switch (encrypting_key->enctype) {
-+ case ENCTYPE_DES_CBC_MD4:
-+ cksum_type = CKSUMTYPE_RSA_MD4_DES;
-+ break;
-+ case ENCTYPE_DES_CBC_MD5:
-+ case ENCTYPE_DES_CBC_CRC:
-+ cksum_type = CKSUMTYPE_RSA_MD5_DES;
-+ break;
-+ default:
-+ retval = krb5int_c_mandatory_cksumtype(context,
-+ encrypting_key->enctype,
-+ &cksum_type);
-+ if (retval)
-+ goto cleanup;
-+ break;
-+ }
-+
-+ retval = krb5_c_make_checksum(context, cksum_type,
- encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
- req_pkt, &key_pack->asChecksum);
- if (retval) {
-@@ -1033,7 +1043,6 @@
- krb5_free_data(context, encoded_key_pack);
- free(dh_pubkey);
- free(server_key);
-- free(cksum_types);
-
- switch ((int)padata->pa_type) {
- case KRB5_PADATA_PK_AS_REQ:
-Index: krb5-1.8/src/lib/crypto/krb/cksumtypes.c
-===================================================================
---- krb5-1.8/src/lib/crypto/krb/cksumtypes.c (revision 24455)
-+++ krb5-1.8/src/lib/crypto/krb/cksumtypes.c (working copy)
-@@ -101,7 +101,7 @@
-
- { CKSUMTYPE_MD5_HMAC_ARCFOUR,
- "md5-hmac-rc4", { 0 }, "Microsoft MD5 HMAC",
-- NULL, &krb5int_hash_md5,
-+ &krb5int_enc_arcfour, &krb5int_hash_md5,
- krb5int_hmacmd5_checksum, NULL,
- 16, 16, 0 },
- };
-Index: krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c
-===================================================================
---- krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (revision 24455)
-+++ krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (working copy)
-@@ -35,6 +35,13 @@
- {
- if (ctp->flags & CKSUM_UNKEYED)
- return FALSE;
-+ /* Stream ciphers do not play well with RFC 3961 key derivation, so be
-+ * conservative with RC4. */
-+ if ((ktp->etype == ENCTYPE_ARCFOUR_HMAC ||
-+ ktp->etype == ENCTYPE_ARCFOUR_HMAC_EXP) &&
-+ ctp->ctype != CKSUMTYPE_HMAC_MD5_ARCFOUR &&
-+ ctp->ctype != CKSUMTYPE_MD5_HMAC_ARCFOUR)
-+ return FALSE;
- return (!ctp->enc || ktp->enc == ctp->enc);
- }
-
-Index: krb5-1.8/src/lib/crypto/krb/dk/derive.c
-===================================================================
---- krb5-1.8/src/lib/crypto/krb/dk/derive.c (revision 24455)
-+++ krb5-1.8/src/lib/crypto/krb/dk/derive.c (working copy)
-@@ -91,6 +91,8 @@
- blocksize = enc->block_size;
- keybytes = enc->keybytes;
-
-+ if (blocksize == 1)
-+ return KRB5_BAD_ENCTYPE;
- if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes)
- return KRB5_CRYPTO_INTERNAL;
-
-Index: krb5-1.8/src/lib/gssapi/krb5/util_crypt.c
-===================================================================
---- krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (revision 24455)
-+++ krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (working copy)
-@@ -119,10 +119,22 @@
- if (code != 0)
- return code;
-
-- code = (*kaccess.mandatory_cksumtype)(context, subkey->keyblock.enctype,
-- cksumtype);
-- if (code != 0)
-- return code;
-+ switch (subkey->keyblock.enctype) {
-+ case ENCTYPE_DES_CBC_MD4:
-+ *cksumtype = CKSUMTYPE_RSA_MD4_DES;
-+ break;
-+ case ENCTYPE_DES_CBC_MD5:
-+ case ENCTYPE_DES_CBC_CRC:
-+ *cksumtype = CKSUMTYPE_RSA_MD5_DES;
-+ break;
-+ default:
-+ code = (*kaccess.mandatory_cksumtype)(context,
-+ subkey->keyblock.enctype,
-+ cksumtype);
-+ if (code != 0)
-+ return code;
-+ break;
-+ }
-
- switch (subkey->keyblock.enctype) {
- case ENCTYPE_DES_CBC_MD5:
-Index: krb5-1.8/src/lib/krb5/krb/pac.c
-===================================================================
---- krb5-1.8/src/lib/krb5/krb/pac.c (revision 24455)
-+++ krb5-1.8/src/lib/krb5/krb/pac.c (working copy)
-@@ -582,6 +582,8 @@
- checksum.checksum_type = load_32_le(p);
- checksum.length = checksum_data.length - PAC_SIGNATURE_DATA_LENGTH;
- checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH;
-+ if (!krb5_c_is_keyed_cksum(checksum.checksum_type))
-+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
-
- pac_data.length = pac->data.length;
- pac_data.data = malloc(pac->data.length);
-Index: krb5-1.8/src/lib/krb5/krb/preauth2.c
-===================================================================
---- krb5-1.8/src/lib/krb5/krb/preauth2.c (revision 24455)
-+++ krb5-1.8/src/lib/krb5/krb/preauth2.c (working copy)
-@@ -1578,7 +1578,9 @@
-
- cksum = sc2->sam_cksum;
-
-- while (*cksum) {
-+ for (; *cksum; cksum++) {
-+ if (!krb5_c_is_keyed_cksum((*cksum)->checksum_type))
-+ continue;
- /* Check this cksum */
- retval = krb5_c_verify_checksum(context, as_key,
- KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM,
-@@ -1592,7 +1594,6 @@
- }
- if (valid_cksum)
- break;
-- cksum++;
- }
-
- if (!valid_cksum) {
-Index: krb5-1.8/src/lib/krb5/krb/mk_safe.c
-===================================================================
---- krb5-1.8/src/lib/krb5/krb/mk_safe.c (revision 24455)
-+++ krb5-1.8/src/lib/krb5/krb/mk_safe.c (working copy)
-@@ -215,10 +215,28 @@
- for (i = 0; i < nsumtypes; i++)
- if (auth_context->safe_cksumtype == sumtypes[i])
- break;
-- if (i == nsumtypes)
-- i = 0;
-- sumtype = sumtypes[i];
- krb5_free_cksumtypes (context, sumtypes);
-+ if (i < nsumtypes)
-+ sumtype = auth_context->safe_cksumtype;
-+ else {
-+ switch (enctype) {
-+ case ENCTYPE_DES_CBC_MD4:
-+ sumtype = CKSUMTYPE_RSA_MD4_DES;
-+ break;
-+ case ENCTYPE_DES_CBC_MD5:
-+ case ENCTYPE_DES_CBC_CRC:
-+ sumtype = CKSUMTYPE_RSA_MD5_DES;
-+ break;
-+ default:
-+ retval = krb5int_c_mandatory_cksumtype(context, enctype,
-+ &sumtype);
-+ if (retval) {
-+ CLEANUP_DONE();
-+ goto error;
-+ }
-+ break;
-+ }
-+ }
- }
- if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata,
- plocal_fulladdr, premote_fulladdr,
diff --git a/app-crypt/mit-krb5/files/CVE-2010-4022.patch b/app-crypt/mit-krb5/files/CVE-2010-4022.patch
deleted file mode 100644
index 30ebf9638f4e..000000000000
--- a/app-crypt/mit-krb5/files/CVE-2010-4022.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -up krb5/src/slave/kpropd.c krb5/src/slave/kpropd.c
---- krb5/src/slave/kpropd.c 2010-12-17 11:14:26.000000000 -0500
-+++ krb5/src/slave/kpropd.c 2010-12-17 11:41:19.000000000 -0500
-@@ -404,11 +404,11 @@ retry:
- }
-
- close(s);
-- if (iproprole == IPROP_SLAVE)
-+ if (iproprole == IPROP_SLAVE) {
- close(finet);
--
-- if ((ret = WEXITSTATUS(status)) != 0)
-- return (ret);
-+ if ((ret = WEXITSTATUS(status)) != 0)
-+ return (ret);
-+ }
- }
- if (iproprole == IPROP_SLAVE)
- break;
diff --git a/app-crypt/mit-krb5/files/CVE-2011-0281.0282.0283.patch b/app-crypt/mit-krb5/files/CVE-2011-0281.0282.0283.patch
deleted file mode 100644
index e4623e910fa1..000000000000
--- a/app-crypt/mit-krb5/files/CVE-2011-0281.0282.0283.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
-index 63ff3b3..b4a90bb 100644
---- a/src/kdc/dispatch.c
-+++ b/src/kdc/dispatch.c
-@@ -115,7 +115,8 @@ dispatch(void *cb, struct sockaddr *local_saddr, const krb5_fulladdr *from,
- kdc_insert_lookaside(pkt, *response);
- #endif
-
-- if (is_tcp == 0 && (*response)->length > max_dgram_reply_size) {
-+ if (is_tcp == 0 && *response != NULL &&
-+ (*response)->length > max_dgram_reply_size) {
- too_big_for_udp:
- krb5_free_data(kdc_context, *response);
- retval = make_too_big_error(response);
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-index d677bb2..a356907 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er
- #define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
-
- #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \
-- do { \
-- st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
-- if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
-- tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
-- if (ldap_server_handle) \
-- ld = ldap_server_handle->ldap_handle; \
-- } \
-- }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
-+ tempst = 0; \
-+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, \
-+ NULL, &timelimit, LDAP_NO_LIMIT, &result); \
-+ if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
-+ tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
-+ if (ldap_server_handle) \
-+ ld = ldap_server_handle->ldap_handle; \
-+ if (tempst == 0) \
-+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, \
-+ NULL, NULL, &timelimit, \
-+ LDAP_NO_LIMIT, &result); \
-+ } \
- \
- if (status_check != IGNORE_STATUS) { \
- if (tempst != 0) { \
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-index 82b0333..84e80ee 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context,
- {
- krb5_ldap_server_handle *handle = *ldap_server_handle;
-
-+ ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
- if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
- || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
- return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-index 86fa4d1..0f49c86 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-@@ -487,12 +487,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context,
- * portion, then the first portion of the principal name SHOULD be
- * "krbtgt". All this check is done in the immediate block.
- */
-- if (searchfor->length == 2)
-- if ((strncasecmp(searchfor->data[0].data, "krbtgt",
-- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
-- (strncasecmp(searchfor->data[1].data, defrealm,
-- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
-+ if (searchfor->length == 2) {
-+ if (data_eq_string(searchfor->data[0], "krbtgt") &&
-+ data_eq_string(searchfor->data[1], defrealm))
- return 0;
-+ }
-
- /* first check the length, if they are not equal, then they are not same */
- if (strlen(defrealm) != searchfor->realm.length)
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-index 140db1a..552e39a 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-@@ -78,10 +78,10 @@ krb5_error_code
- krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
- unsigned int flags, krb5_db_entry **entry_ptr)
- {
-- char *user=NULL, *filter=NULL, **subtree=NULL;
-+ char *user=NULL, *filter=NULL, *filtuser=NULL;
- unsigned int tree=0, ntrees=1, princlen=0;
- krb5_error_code tempst=0, st=0;
-- char **values=NULL, *cname=NULL;
-+ char **values=NULL, **subtree=NULL, *cname=NULL;
- LDAP *ld=NULL;
- LDAPMessage *result=NULL, *ent=NULL;
- krb5_ldap_context *ldap_context=NULL;
-@@ -115,12 +115,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
- if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
- goto cleanup;
-
-- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
-+ filtuser = ldap_filter_correct(user);
-+ if (filtuser == NULL) {
-+ st = ENOMEM;
-+ goto cleanup;
-+ }
-+
-+ princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */
- if ((filter = malloc(princlen)) == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
-- snprintf(filter, princlen, FILTER"%s))", user);
-+ snprintf(filter, princlen, FILTER"%s))", filtuser);
-
- if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
- goto cleanup;
-@@ -207,6 +213,9 @@ cleanup:
- if (user)
- free(user);
-
-+ if (filtuser)
-+ free(filtuser);
-+
- if (cname)
- free(cname);
-
diff --git a/app-crypt/mit-krb5/files/CVE-2011-0284.patch b/app-crypt/mit-krb5/files/CVE-2011-0284.patch
deleted file mode 100644
index c977275687af..000000000000
--- a/app-crypt/mit-krb5/files/CVE-2011-0284.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
-index 46b5fa1..464cb6e 100644
---- a/src/kdc/do_as_req.c
-+++ b/src/kdc/do_as_req.c
-@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
- pad->contents = td[size]->data;
- pad->length = td[size]->length;
- pa[size] = pad;
-+ td[size]->data = NULL;
-+ td[size]->length = 0;
- }
- krb5_free_typed_data(kdc_context, td);
- }
diff --git a/app-crypt/mit-krb5/files/CVE-2011-0285.patch b/app-crypt/mit-krb5/files/CVE-2011-0285.patch
deleted file mode 100644
index 61039113f97c..000000000000
--- a/app-crypt/mit-krb5/files/CVE-2011-0285.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
-index 1124445..0056885 100644
---- a/src/kadmin/server/schpw.c
-+++ b/src/kadmin/server/schpw.c
-@@ -52,6 +52,7 @@ process_chpw_request(context, server_handle, realm, keytab,
-
- ret = 0;
- rep->length = 0;
-+ rep->data = NULL;
-
- auth_context = NULL;
- changepw = NULL;
-@@ -76,8 +77,13 @@ process_chpw_request(context, server_handle, realm, keytab,
- plen = (*ptr++ & 0xff);
- plen = (plen<<8) | (*ptr++ & 0xff);
-
-- if (plen != req->length)
-- return(KRB5KRB_AP_ERR_MODIFIED);
-+ if (plen != req->length) {
-+ ret = KRB5KRB_AP_ERR_MODIFIED;
-+ numresult = KRB5_KPASSWD_MALFORMED;
-+ strlcpy(strresult, "Request length was inconsistent",
-+ sizeof(strresult));
-+ goto chpwfail;
-+ }
-
- /* verify version number */
-
-@@ -531,6 +537,10 @@ cleanup:
- if (local_kaddrs != NULL)
- krb5_free_addresses(server_handle->context, local_kaddrs);
-
-+ if ((*response)->data == NULL) {
-+ free(*response);
-+ *response = NULL;
-+ }
- krb5_kt_close(server_handle->context, kt);
-
- return ret;
diff --git a/app-crypt/mit-krb5/files/CVE-2011-1530.patch b/app-crypt/mit-krb5/files/CVE-2011-1530.patch
deleted file mode 100644
index 336a4ad3172a..000000000000
--- a/app-crypt/mit-krb5/files/CVE-2011-1530.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
-index f46cad3..102fbaa 100644
---- a/src/kdc/Makefile.in
-+++ b/src/kdc/Makefile.in
-@@ -67,6 +67,7 @@ check-unix:: rtest
-
- check-pytests::
- $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
-+ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
-
- install::
- $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index c169c54..840a2ef 100644
---- a/src/kdc/do_tgs_req.c
-+++ b/src/kdc/do_tgs_req.c
-@@ -243,7 +243,8 @@ tgt_again:
- if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
- errcode = find_alternate_tgs(request, &server);
- firstpass = 0;
-- goto tgt_again;
-+ if (errcode == 0)
-+ goto tgt_again;
- }
- }
- status = "UNKNOWN_SERVER";
-diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
-new file mode 100644
-index 0000000..1760bcd
---- /dev/null
-+++ b/src/kdc/t_emptytgt.py
-@@ -0,0 +1,8 @@
-+#!/usr/bin/python
-+from k5test import *
-+
-+realm = K5Realm(start_kadmind=False, create_host=False)
-+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
-+if 'not found in Kerberos database' not in output:
-+ fail('TGT lookup for empty realm failed in unexpected way')
-+success('Empty tgt lookup.')
diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.10_uninitialized.patch b/app-crypt/mit-krb5/files/mit-krb5-1.10_uninitialized.patch
deleted file mode 100644
index b8ead2765c05..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.10_uninitialized.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/tests/asn.1/trval.c b/tests/asn.1/trval.c
-index 780d60c..ffd66ac 100644
---- a/tests/asn.1/trval.c
-+++ b/tests/asn.1/trval.c
-@@ -176,7 +176,7 @@ int trval2(fp, enc, len, lev, rlen)
- int lev;
- int *rlen;
- {
-- int l, eid, elen, xlen, r, rlen2;
-+ int l, eid, elen, xlen, r, rlen2 = 0;
- int rlen_ext = 0;
-
- r = OK;
diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0281.0282.0283.patch b/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0281.0282.0283.patch
deleted file mode 100644
index 5e0da20c882c..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0281.0282.0283.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-index 1ca09b4..60caf3d 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er
- #define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
-
- #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \
-- do { \
-- st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
-- if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
-- tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
-- if (ldap_server_handle) \
-- ld = ldap_server_handle->ldap_handle; \
-- } \
-- }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
-+ tempst = 0; \
-+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, \
-+ NULL, &timelimit, LDAP_NO_LIMIT, &result); \
-+ if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
-+ tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
-+ if (ldap_server_handle) \
-+ ld = ldap_server_handle->ldap_handle; \
-+ if (tempst == 0) \
-+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, \
-+ NULL, NULL, &timelimit, \
-+ LDAP_NO_LIMIT, &result); \
-+ } \
- \
- if (status_check != IGNORE_STATUS) { \
- if (tempst != 0) { \
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-index 82b0333..84e80ee 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context,
- {
- krb5_ldap_server_handle *handle = *ldap_server_handle;
-
-+ ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
- if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
- || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
- return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-index f549e23..b70940f 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-@@ -446,12 +446,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context,
- * portion, then the first portion of the principal name SHOULD be
- * "krbtgt". All this check is done in the immediate block.
- */
-- if (searchfor->length == 2)
-- if ((strncasecmp(searchfor->data[0].data, "krbtgt",
-- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
-- (strncasecmp(searchfor->data[1].data, defrealm,
-- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
-+ if (searchfor->length == 2) {
-+ if (data_eq_string(searchfor->data[0], "krbtgt") &&
-+ data_eq_string(searchfor->data[1], defrealm))
- return 0;
-+ }
-
- /* first check the length, if they are not equal, then they are not same */
- if (strlen(defrealm) != searchfor->realm.length)
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-index 7ad31da..626ed1f 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-@@ -103,10 +103,10 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
- unsigned int flags, krb5_db_entry *entries,
- int *nentries, krb5_boolean *more)
- {
-- char *user=NULL, *filter=NULL, **subtree=NULL;
-+ char *user=NULL, *filter=NULL, *filtuser=NULL;
- unsigned int tree=0, ntrees=1, princlen=0;
- krb5_error_code tempst=0, st=0;
-- char **values=NULL, *cname=NULL;
-+ char **values=NULL, **subtree=NULL, *cname=NULL;
- LDAP *ld=NULL;
- LDAPMessage *result=NULL, *ent=NULL;
- krb5_ldap_context *ldap_context=NULL;
-@@ -142,12 +142,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
- if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
- goto cleanup;
-
-- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
-+ filtuser = ldap_filter_correct(user);
-+ if (filtuser == NULL) {
-+ st = ENOMEM;
-+ goto cleanup;
-+ }
-+
-+ princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */
- if ((filter = malloc(princlen)) == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
-- snprintf(filter, princlen, FILTER"%s))", user);
-+ snprintf(filter, princlen, FILTER"%s))", filtuser);
-
- if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
- goto cleanup;
-@@ -231,6 +237,9 @@ cleanup:
- if (user)
- free(user);
-
-+ if (filtuser)
-+ free(filtuser);
-+
- if (cname)
- free(cname);
-
diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0285.patch b/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0285.patch
deleted file mode 100644
index 43daa9b50f2a..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0285.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-diff --git a/src/kadmin/server/network.c b/src/kadmin/server/network.c
-index c8ce4f1..bb911ff 100644
---- a/src/kadmin/server/network.c
-+++ b/src/kadmin/server/network.c
-@@ -1384,6 +1384,10 @@ cleanup:
- if (local_kaddrs != NULL)
- krb5_free_addresses(server_handle->context, local_kaddrs);
-
-+ if ((*response)->data == NULL) {
-+ free(*response);
-+ *response = NULL;
-+ }
- krb5_kt_close(server_handle->context, kt);
-
- return ret;
-diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
-index c1b2217..992b55f 100644
---- a/src/kadmin/server/schpw.c
-+++ b/src/kadmin/server/schpw.c
-@@ -74,8 +74,13 @@ process_chpw_request(context, server_handle, realm, keytab,
- plen = (*ptr++ & 0xff);
- plen = (plen<<8) | (*ptr++ & 0xff);
-
-- if (plen != req->length)
-- return(KRB5KRB_AP_ERR_MODIFIED);
-+ if (plen != req->length) {
-+ ret = KRB5KRB_AP_ERR_MODIFIED;
-+ numresult = KRB5_KPASSWD_MALFORMED;
-+ strlcpy(strresult, "Request length was inconsistent",
-+ sizeof(strresult));
-+ goto chpwfail;
-+ }
-
- /* verify version number */
-
diff --git a/app-crypt/mit-krb5/files/mit-krb5-kprop_exit_on_error.patch b/app-crypt/mit-krb5/files/mit-krb5-kprop_exit_on_error.patch
deleted file mode 100644
index c2fb7aa008b5..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-kprop_exit_on_error.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-http://krbdev.mit.edu/rt/Ticket/Display.html?id=7000
-
-Index: trunk/src/kadmin/server/ipropd_svc.c
-===================================================================
-diff -u -N -r24961 -r25433
---- trunk/src/kadmin/server/ipropd_svc.c (.../ipropd_svc.c) (revision 24961)
-+++ trunk/src/kadmin/server/ipropd_svc.c (.../ipropd_svc.c) (revision 25433)
-@@ -380,7 +380,7 @@
- _("%s: pclose(popen) failed: %s"),
- whoami,
- error_message(errno));
-- goto out;
-+ _exit(1);
- }
-
- DPRINT(("%s: exec `kprop -f %s %s' ...\n",
-@@ -401,7 +401,7 @@
- _("%s: exec failed: %s"),
- whoami,
- error_message(errno));
-- goto out;
-+ _exit(1);
- }
-
- default: /* parent */
diff --git a/app-crypt/mit-krb5/files/mit-krb5_testsuite.patch b/app-crypt/mit-krb5/files/mit-krb5_testsuite.patch
deleted file mode 100644
index a91136aafbc5..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5_testsuite.patch
+++ /dev/null
@@ -1,93 +0,0 @@
---- a/src/tests/dejagnu/config/default.exp 2010-04-21 01:37:22.000000000 +0300
-+++ b/src/tests/dejagnu/config/default.exp 2010-11-24 16:51:53.000000000 +0200
-@@ -1619,7 +1619,7 @@
- set spawnid $spawn_id
- set pid [exp_pid]
-
-- set markstr "===MARK $pid [clock format [clock seconds]] ==="
-+ set markstr "===MARK $pid [clock seconds] ==="
- puts $f $markstr
- flush $f
-
---- a/src/tests/dejagnu/krb-standalone/gssapi.exp 2009-06-11 20:27:45.000000000 +0300
-+++ b/src/tests/dejagnu/krb-standalone/gssapi.exp 2010-11-24 16:52:21.000000000 +0200
-@@ -182,7 +182,7 @@
- }
- }
- catch "expect_after"
-- if ![check_exit_status $test] {
-+ if { [check_exit_status $test] == 0 } {
- # check_exit_staus already calls fail for us
- return
- }
-@@ -209,59 +209,59 @@
- global portbase
-
- # Start up the kerberos and kadmind daemons.
-- if ![start_kerberos_daemons 0] {
-+ if { [start_kerberos_daemons 0] == 0 } {
- perror "failed to start kerberos daemons"
- }
-
- # Use kadmin to add a key for us.
-- if ![add_kerberos_key gsstest0 0] {
-+ if { [add_kerberos_key gsstest0 0] == 0 } {
- perror "failed to set up gsstest0 key"
- }
-
- # Use kadmin to add a key for us.
-- if ![add_kerberos_key gsstest1 0] {
-+ if { [add_kerberos_key gsstest1 0] ==0 } {
- perror "failed to set up gsstest1 key"
- }
-
- # Use kadmin to add a key for us.
-- if ![add_kerberos_key gsstest2 0] {
-+ if { [add_kerberos_key gsstest2 0] == 0 } {
- perror "failed to set up gsstest2 key"
- }
-
- # Use kadmin to add a key for us.
-- if ![add_kerberos_key gsstest3 0] {
-+ if { [add_kerberos_key gsstest3 0] == 0 } {
- perror "failed to set up gsstest3 key"
- }
-
- # Use kadmin to add a service key for us.
-- if ![add_random_key gssservice/$hostname 0] {
-+ if { [add_random_key gssservice/$hostname 0] == 0 } {
- perror "failed to set up gssservice/$hostname key"
- }
-
- # Use kdb5_edit to create a srvtab entry for gssservice
-- if ![setup_srvtab 0 gssservice] {
-+ if { [setup_srvtab 0 gssservice] == 0 } {
- perror "failed to set up gssservice srvtab"
- }
-
- catch "exec rm -f $tmppwd/gss_tk_0 $tmppwd/gss_tk_1 $tmppwd/gss_tk_2 $tmppwd/gss_tk_3"
-
- # Use kinit to get a ticket.
-- if ![our_kinit gsstest0 gsstest0$KEY $tmppwd/gss_tk_0] {
-+ if { [our_kinit gsstest0 gsstest0$KEY $tmppwd/gss_tk_0] == 0 } {
- perror "failed to kinit gsstest0"
- }
-
- # Use kinit to get a ticket.
-- if ![our_kinit gsstest1 gsstest1$KEY $tmppwd/gss_tk_1] {
-+ if { [our_kinit gsstest1 gsstest1$KEY $tmppwd/gss_tk_1] == 0 } {
- perror "failed to kinit gsstest1"
- }
-
- # Use kinit to get a ticket.
-- if ![our_kinit gsstest2 gsstest2$KEY $tmppwd/gss_tk_2] {
-+ if { [our_kinit gsstest2 gsstest2$KEY $tmppwd/gss_tk_2] == 0 } {
- perror "failed to kinit gsstest2"
- }
-
- # Use kinit to get a ticket.
-- if ![our_kinit gsstest3 gsstest3$KEY $tmppwd/gss_tk_3] {
-+ if { [our_kinit gsstest3 gsstest3$KEY $tmppwd/gss_tk_3] == 0 } {
- perror "failed to kinit gsstest3"
- }
-