author | Eray Aslan <eras@gentoo.org> | 2012-12-24 17:43:25 +0000 |
---|---|---|
committer | Eray Aslan <eras@gentoo.org> | 2012-12-24 17:43:25 +0000 |
commit | eef6732088ff23825491e3abfac4bdcc0b0e6324 (patch) | |
tree | ef098dd21c9991f4c300758ed47d0a674c10ce4d /app-crypt/mit-krb5 | |
parent | Remove redundant einfo message. (diff) | |
Remove old patches
(Portage version: 2.2.0_alpha149/cvs/Linux x86_64, signed Manifest commit with key 0x77F1F175586A3B1F)
Diffstat (limited to 'app-crypt/mit-krb5')
-rw-r--r-- | app-crypt/mit-krb5/ChangeLog | 12 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/2011-006-patch-r18.patch | 73 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2010-1322.patch | 33 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch | 202 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2010-4022.patch | 19 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2011-0281.0282.0283.patch | 126 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2011-0284.patch | 13 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2011-0285.patch | 39 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2011-1530.patch | 40 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/mit-krb5-1.10_uninitialized.patch | 13 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0281.0282.0283.patch | 112 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0285.patch | 35 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/mit-krb5-kprop_exit_on_error.patch | 25 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/mit-krb5_testsuite.patch | 93 |
14 files changed, 11 insertions, 824 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog index 0eb755162b4d..166553a45d29 100644 --- a/app-crypt/mit-krb5/ChangeLog +++ b/app-crypt/mit-krb5/ChangeLog @@ -1,6 +1,16 @@ # ChangeLog for app-crypt/mit-krb5 # Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.346 2012/12/24 17:27:55 eras Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.347 2012/12/24 17:43:24 eras Exp $ + + 24 Dec 2012; Eray Aslan <eras@gentoo.org> -files/2011-006-patch-r18.patch, + -files/CVE-2010-1322.patch, -files/CVE-2010-1323.1324.4020.patch, + -files/CVE-2010-4022.patch, -files/CVE-2011-0281.0282.0283.patch, + -files/CVE-2011-0284.patch, -files/CVE-2011-0285.patch, + -files/CVE-2011-1530.patch, -files/mit-krb5-1.10_uninitialized.patch, + -files/mit-krb5-1.8.3-CVE-2011-0281.0282.0283.patch, + -files/mit-krb5-1.8.3-CVE-2011-0285.patch, + -files/mit-krb5-kprop_exit_on_error.patch, -files/mit-krb5_testsuite.patch: + Remove old patches 24 Dec 2012; Eray Aslan <eras@gentoo.org> files/mit-krb5-1.11_uninitialized.patch: diff --git a/app-crypt/mit-krb5/files/2011-006-patch-r18.patch b/app-crypt/mit-krb5/files/2011-006-patch-r18.patch deleted file mode 100644 index 2da0e1439d82..000000000000 --- a/app-crypt/mit-krb5/files/2011-006-patch-r18.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c -index 498c0de..5f973fb 100644 ---- a/src/plugins/kdb/db2/lockout.c -+++ b/src/plugins/kdb/db2/lockout.c -@@ -158,13 +158,23 @@ krb5_db2_lockout_audit(krb5_context context, - return 0; - } - -+ if (entry == NULL) -+ return 0; -+ - code = lookup_lockout_policy(context, entry, &max_fail, - &failcnt_interval, - &lockout_duration); - if (code != 0) - return code; - -- assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry)); -+ /* -+ * Don't continue to modify the DB for an already locked account. -+ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and -+ * this check is unneeded, but in rare cases, we can fail with an -+ * integrity error or preauth failure before a policy check.) -+ */ -+ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry)) -+ return 0; - - if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) { - /* -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -index 626ed1f..68e8ec4 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -@@ -131,6 +131,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, - CHECK_LDAP_HANDLE(ldap_context); - - if (is_principal_in_realm(ldap_context, searchfor) != 0) { -+ st = KRB5_KDB_NOENTRY; - *more = 0; - krb5_set_error_message (context, st, "Principal does not belong to realm"); - goto cleanup; -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c -index 020c77a..24b9493 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c -@@ -150,15 +150,25 @@ krb5_ldap_lockout_audit(krb5_context context, - return 0; - } - -+ if (entry == NULL) -+ return 0; -+ - code = lookup_lockout_policy(context, entry, &max_fail, - 
&failcnt_interval, - &lockout_duration); - if (code != 0) - return code; - -- entry->mask = 0; -+ /* -+ * Don't continue to modify the DB for an already locked account. -+ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and -+ * this check is unneeded, but in rare cases, we can fail with an -+ * integrity error or preauth failure before a policy check.) -+ */ -+ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry)) -+ return 0; - -- assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry)); -+ entry->mask = 0; - - if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) { - /* diff --git a/app-crypt/mit-krb5/files/CVE-2010-1322.patch b/app-crypt/mit-krb5/files/CVE-2010-1322.patch deleted file mode 100644 index 0de12e62f3e1..000000000000 --- a/app-crypt/mit-krb5/files/CVE-2010-1322.patch +++ /dev/null @@ -1,33 +0,0 @@ -diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c -index b5de64d..cc44e29 100644 ---- a/src/kdc/kdc_authdata.c -+++ b/src/kdc/kdc_authdata.c -@@ -495,7 +495,7 @@ merge_authdata (krb5_context context, - krb5_boolean copy, - krb5_boolean ignore_kdc_issued) - { -- size_t i, nadata = 0; -+ size_t i, j, nadata = 0; - krb5_authdata **authdata = *out_authdata; - - if (in_authdata == NULL || in_authdata[0] == NULL) -@@ -529,16 +529,16 @@ merge_authdata (krb5_context context, - in_authdata = tmp; - } - -- for (i = 0; in_authdata[i] != NULL; i++) { -+ for (i = 0, j = 0; in_authdata[i] != NULL; i++) { - if (ignore_kdc_issued && - is_kdc_issued_authdatum(context, in_authdata[i], 0)) { - free(in_authdata[i]->contents); - free(in_authdata[i]); - } else -- authdata[nadata + i] = in_authdata[i]; -+ authdata[nadata + j++] = in_authdata[i]; - } - -- authdata[nadata + i] = NULL; -+ authdata[nadata + j] = NULL; - - free(in_authdata); - 
diff --git a/app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch b/app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch
deleted file mode 100644
index b1c3793b9ffb..000000000000
--- a/app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch
+++ /dev/null
@@ -1,202 +0,0 @@ -Index: krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c -=================================================================== ---- krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (revision 24455) -+++ krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (working copy) -@@ -691,8 +691,7 @@ - krb5_reply_key_pack *key_pack = NULL; - krb5_reply_key_pack_draft9 *key_pack9 = NULL; - krb5_data *encoded_key_pack = NULL; -- unsigned int num_types; -- krb5_cksumtype *cksum_types = NULL; -+ krb5_cksumtype cksum_type; - - pkinit_kdc_context plgctx; - pkinit_kdc_req_context reqctx; -@@ -882,14 +881,25 @@ - retval = ENOMEM; - goto cleanup; - } -- /* retrieve checksums for a given enctype of the reply key */ -- retval = krb5_c_keyed_checksum_types(context, -- encrypting_key->enctype, &num_types, &cksum_types); -- if (retval) -- goto cleanup; - -- /* pick the first of acceptable enctypes for the checksum */ -- retval = krb5_c_make_checksum(context, cksum_types[0], -+ switch (encrypting_key->enctype) { -+ case ENCTYPE_DES_CBC_MD4: -+ cksum_type = CKSUMTYPE_RSA_MD4_DES; -+ break; -+ case ENCTYPE_DES_CBC_MD5: -+ case ENCTYPE_DES_CBC_CRC: -+ cksum_type = CKSUMTYPE_RSA_MD5_DES; -+ break; -+ default: -+ retval = krb5int_c_mandatory_cksumtype(context, -+ encrypting_key->enctype, -+ &cksum_type); -+ if (retval) -+ goto cleanup; -+ break; -+ } -+ -+ retval = krb5_c_make_checksum(context, cksum_type, - encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, - req_pkt, &key_pack->asChecksum); - if (retval) { -@@ -1033,7 +1043,6 @@ - krb5_free_data(context, encoded_key_pack); - free(dh_pubkey); - free(server_key); -- free(cksum_types); - - switch ((int)padata->pa_type) { - case KRB5_PADATA_PK_AS_REQ: -Index: krb5-1.8/src/lib/crypto/krb/cksumtypes.c -=================================================================== ---- krb5-1.8/src/lib/crypto/krb/cksumtypes.c (revision 24455) -+++ krb5-1.8/src/lib/crypto/krb/cksumtypes.c (working copy) -@@ -101,7 +101,7 @@ - - { 
CKSUMTYPE_MD5_HMAC_ARCFOUR, - "md5-hmac-rc4", { 0 }, "Microsoft MD5 HMAC", -- NULL, &krb5int_hash_md5, -+ &krb5int_enc_arcfour, &krb5int_hash_md5, - krb5int_hmacmd5_checksum, NULL, - 16, 16, 0 }, - }; -Index: krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c -=================================================================== ---- krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (revision 24455) -+++ krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (working copy) -@@ -35,6 +35,13 @@ - { - if (ctp->flags & CKSUM_UNKEYED) - return FALSE; -+ /* Stream ciphers do not play well with RFC 3961 key derivation, so be -+ * conservative with RC4. */ -+ if ((ktp->etype == ENCTYPE_ARCFOUR_HMAC || -+ ktp->etype == ENCTYPE_ARCFOUR_HMAC_EXP) && -+ ctp->ctype != CKSUMTYPE_HMAC_MD5_ARCFOUR && -+ ctp->ctype != CKSUMTYPE_MD5_HMAC_ARCFOUR) -+ return FALSE; - return (!ctp->enc || ktp->enc == ctp->enc); - } - -Index: krb5-1.8/src/lib/crypto/krb/dk/derive.c -=================================================================== ---- krb5-1.8/src/lib/crypto/krb/dk/derive.c (revision 24455) -+++ krb5-1.8/src/lib/crypto/krb/dk/derive.c (working copy) -@@ -91,6 +91,8 @@ - blocksize = enc->block_size; - keybytes = enc->keybytes; - -+ if (blocksize == 1) -+ return KRB5_BAD_ENCTYPE; - if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes) - return KRB5_CRYPTO_INTERNAL; - -Index: krb5-1.8/src/lib/gssapi/krb5/util_crypt.c -=================================================================== ---- krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (revision 24455) -+++ krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (working copy) -@@ -119,10 +119,22 @@ - if (code != 0) - return code; - -- code = (*kaccess.mandatory_cksumtype)(context, subkey->keyblock.enctype, -- cksumtype); -- if (code != 0) -- return code; -+ switch (subkey->keyblock.enctype) { -+ case ENCTYPE_DES_CBC_MD4: -+ *cksumtype = CKSUMTYPE_RSA_MD4_DES; -+ break; -+ case ENCTYPE_DES_CBC_MD5: -+ case ENCTYPE_DES_CBC_CRC: -+ 
*cksumtype = CKSUMTYPE_RSA_MD5_DES; -+ break; -+ default: -+ code = (*kaccess.mandatory_cksumtype)(context, -+ subkey->keyblock.enctype, -+ cksumtype); -+ if (code != 0) -+ return code; -+ break; -+ } - - switch (subkey->keyblock.enctype) { - case ENCTYPE_DES_CBC_MD5: -Index: krb5-1.8/src/lib/krb5/krb/pac.c -=================================================================== ---- krb5-1.8/src/lib/krb5/krb/pac.c (revision 24455) -+++ krb5-1.8/src/lib/krb5/krb/pac.c (working copy) -@@ -582,6 +582,8 @@ - checksum.checksum_type = load_32_le(p); - checksum.length = checksum_data.length - PAC_SIGNATURE_DATA_LENGTH; - checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH; -+ if (!krb5_c_is_keyed_cksum(checksum.checksum_type)) -+ return KRB5KRB_AP_ERR_INAPP_CKSUM; - - pac_data.length = pac->data.length; - pac_data.data = malloc(pac->data.length); -Index: krb5-1.8/src/lib/krb5/krb/preauth2.c -=================================================================== ---- krb5-1.8/src/lib/krb5/krb/preauth2.c (revision 24455) -+++ krb5-1.8/src/lib/krb5/krb/preauth2.c (working copy) -@@ -1578,7 +1578,9 @@ - - cksum = sc2->sam_cksum; - -- while (*cksum) { -+ for (; *cksum; cksum++) { -+ if (!krb5_c_is_keyed_cksum((*cksum)->checksum_type)) -+ continue; - /* Check this cksum */ - retval = krb5_c_verify_checksum(context, as_key, - KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM, -@@ -1592,7 +1594,6 @@ - } - if (valid_cksum) - break; -- cksum++; - } - - if (!valid_cksum) { -Index: krb5-1.8/src/lib/krb5/krb/mk_safe.c -=================================================================== ---- krb5-1.8/src/lib/krb5/krb/mk_safe.c (revision 24455) -+++ krb5-1.8/src/lib/krb5/krb/mk_safe.c (working copy) -@@ -215,10 +215,28 @@ - for (i = 0; i < nsumtypes; i++) - if (auth_context->safe_cksumtype == sumtypes[i]) - break; -- if (i == nsumtypes) -- i = 0; -- sumtype = sumtypes[i]; - krb5_free_cksumtypes (context, sumtypes); -+ if (i < nsumtypes) -+ sumtype = auth_context->safe_cksumtype; -+ else { -+ switch 
(enctype) { -+ case ENCTYPE_DES_CBC_MD4: -+ sumtype = CKSUMTYPE_RSA_MD4_DES; -+ break; -+ case ENCTYPE_DES_CBC_MD5: -+ case ENCTYPE_DES_CBC_CRC: -+ sumtype = CKSUMTYPE_RSA_MD5_DES; -+ break; -+ default: -+ retval = krb5int_c_mandatory_cksumtype(context, enctype, -+ &sumtype); -+ if (retval) { -+ CLEANUP_DONE(); -+ goto error; -+ } -+ break; -+ } -+ } - } - if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata, - plocal_fulladdr, premote_fulladdr, diff --git a/app-crypt/mit-krb5/files/CVE-2010-4022.patch b/app-crypt/mit-krb5/files/CVE-2010-4022.patch deleted file mode 100644 index 30ebf9638f4e..000000000000 --- a/app-crypt/mit-krb5/files/CVE-2010-4022.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff -up krb5/src/slave/kpropd.c krb5/src/slave/kpropd.c ---- krb5/src/slave/kpropd.c 2010-12-17 11:14:26.000000000 -0500 -+++ krb5/src/slave/kpropd.c 2010-12-17 11:41:19.000000000 -0500 -@@ -404,11 +404,11 @@ retry: - } - - close(s); -- if (iproprole == IPROP_SLAVE) -+ if (iproprole == IPROP_SLAVE) { - close(finet); -- -- if ((ret = WEXITSTATUS(status)) != 0) -- return (ret); -+ if ((ret = WEXITSTATUS(status)) != 0) -+ return (ret); -+ } - } - if (iproprole == IPROP_SLAVE) - break; diff --git a/app-crypt/mit-krb5/files/CVE-2011-0281.0282.0283.patch b/app-crypt/mit-krb5/files/CVE-2011-0281.0282.0283.patch deleted file mode 100644 index e4623e910fa1..000000000000 --- a/app-crypt/mit-krb5/files/CVE-2011-0281.0282.0283.patch +++ /dev/null 
@@ -1,126 +0,0 @@ -diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c -index 63ff3b3..b4a90bb 100644 ---- a/src/kdc/dispatch.c -+++ b/src/kdc/dispatch.c -@@ -115,7 +115,8 @@ dispatch(void *cb, struct sockaddr *local_saddr, const krb5_fulladdr *from, - kdc_insert_lookaside(pkt, *response); - #endif - -- if (is_tcp == 0 && (*response)->length > max_dgram_reply_size) { -+ if (is_tcp == 0 && *response != NULL && -+ (*response)->length > max_dgram_reply_size) { - too_big_for_udp: - krb5_free_data(kdc_context, *response); - retval = make_too_big_error(response); -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -index d677bb2..a356907 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er - #define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS) - - #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \ -- do { \ -- st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \ -- if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \ -- tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \ -- if (ldap_server_handle) \ -- ld = ldap_server_handle->ldap_handle; \ -- } \ -- }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \ -+ tempst = 0; \ -+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, \ -+ NULL, &timelimit, LDAP_NO_LIMIT, &result); \ -+ if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \ -+ tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \ -+ if (ldap_server_handle) \ -+ ld = ldap_server_handle->ldap_handle; \ -+ if (tempst == 0) \ -+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, \ -+ NULL, NULL, &timelimit, \ -+ LDAP_NO_LIMIT, 
&result); \ -+ } \ - \ - if (status_check != IGNORE_STATUS) { \ - if (tempst != 0) { \ -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c -index 82b0333..84e80ee 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c -@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context, - { - krb5_ldap_server_handle *handle = *ldap_server_handle; - -+ ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL); - if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS) - || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS)) - return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle); -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -index 86fa4d1..0f49c86 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -@@ -487,12 +487,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context, - * portion, then the first portion of the principal name SHOULD be - * "krbtgt". All this check is done in the immediate block. 
- */ -- if (searchfor->length == 2) -- if ((strncasecmp(searchfor->data[0].data, "krbtgt", -- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) && -- (strncasecmp(searchfor->data[1].data, defrealm, -- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0)) -+ if (searchfor->length == 2) { -+ if (data_eq_string(searchfor->data[0], "krbtgt") && -+ data_eq_string(searchfor->data[1], defrealm)) - return 0; -+ } - - /* first check the length, if they are not equal, then they are not same */ - if (strlen(defrealm) != searchfor->realm.length) -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -index 140db1a..552e39a 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -@@ -78,10 +78,10 @@ krb5_error_code - krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, - unsigned int flags, krb5_db_entry **entry_ptr) - { -- char *user=NULL, *filter=NULL, **subtree=NULL; -+ char *user=NULL, *filter=NULL, *filtuser=NULL; - unsigned int tree=0, ntrees=1, princlen=0; - krb5_error_code tempst=0, st=0; -- char **values=NULL, *cname=NULL; -+ char **values=NULL, **subtree=NULL, *cname=NULL; - LDAP *ld=NULL; - LDAPMessage *result=NULL, *ent=NULL; - krb5_ldap_context *ldap_context=NULL; -@@ -115,12 +115,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, - if ((st=krb5_ldap_unparse_principal_name(user)) != 0) - goto cleanup; - -- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */ -+ filtuser = ldap_filter_correct(user); -+ if (filtuser == NULL) { -+ st = ENOMEM; -+ goto cleanup; -+ } -+ -+ princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */ - if ((filter = malloc(princlen)) == NULL) { - st = ENOMEM; - goto cleanup; - } -- snprintf(filter, princlen, FILTER"%s))", user); -+ snprintf(filter, princlen, FILTER"%s))", filtuser); - - if 
((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0) - goto cleanup; -@@ -207,6 +213,9 @@ cleanup: - if (user) - free(user); - -+ if (filtuser) -+ free(filtuser); -+ - if (cname) - free(cname); - diff --git a/app-crypt/mit-krb5/files/CVE-2011-0284.patch b/app-crypt/mit-krb5/files/CVE-2011-0284.patch deleted file mode 100644 index c977275687af..000000000000 --- a/app-crypt/mit-krb5/files/CVE-2011-0284.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c -index 46b5fa1..464cb6e 100644 ---- a/src/kdc/do_as_req.c -+++ b/src/kdc/do_as_req.c -@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, - pad->contents = td[size]->data; - pad->length = td[size]->length; - pa[size] = pad; -+ td[size]->data = NULL; -+ td[size]->length = 0; - } - krb5_free_typed_data(kdc_context, td); - } diff --git a/app-crypt/mit-krb5/files/CVE-2011-0285.patch b/app-crypt/mit-krb5/files/CVE-2011-0285.patch deleted file mode 100644 index 61039113f97c..000000000000 --- a/app-crypt/mit-krb5/files/CVE-2011-0285.patch +++ /dev/null 
@@ -1,39 +0,0 @@
-diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
-index 1124445..0056885 100644
---- a/src/kadmin/server/schpw.c
-+++ b/src/kadmin/server/schpw.c
-@@ -52,6 +52,7 @@ process_chpw_request(context, server_handle, realm, keytab,
-
- ret = 0;
- rep->length = 0;
-+ rep->data = NULL;
-
- auth_context = NULL;
- changepw = NULL;
-@@ -76,8 +77,13 @@ process_chpw_request(context, server_handle, realm, keytab,
- plen = (*ptr++ & 0xff);
- plen = (plen<<8) | (*ptr++ & 0xff);
-
-- if (plen != req->length)
-- return(KRB5KRB_AP_ERR_MODIFIED);
-+ if (plen != req->length) {
-+ ret = KRB5KRB_AP_ERR_MODIFIED;
-+ numresult = KRB5_KPASSWD_MALFORMED;
-+ strlcpy(strresult, "Request length was inconsistent",
-+ sizeof(strresult));
-+ goto chpwfail;
-+ }
-
- /* verify version number */
-
-@@ -531,6 +537,10 @@ cleanup:
- if (local_kaddrs != NULL)
- krb5_free_addresses(server_handle->context, local_kaddrs);
-
-+ if ((*response)->data == NULL) {
-+ free(*response);
-+ *response = NULL;
-+ }
- krb5_kt_close(server_handle->context, kt);
-
- return ret;
diff --git a/app-crypt/mit-krb5/files/CVE-2011-1530.patch b/app-crypt/mit-krb5/files/CVE-2011-1530.patch
deleted file mode 100644
index 336a4ad3172a..000000000000
--- a/app-crypt/mit-krb5/files/CVE-2011-1530.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
-index f46cad3..102fbaa 100644
---- a/src/kdc/Makefile.in
-+++ b/src/kdc/Makefile.in
-@@ -67,6 +67,7 @@ check-unix:: rtest
-
- check-pytests::
- $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
-+ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
-
- install::
- $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index c169c54..840a2ef 100644
---- a/src/kdc/do_tgs_req.c
-+++ b/src/kdc/do_tgs_req.c
-@@ -243,7 +243,8 @@ tgt_again:
- if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
- errcode = find_alternate_tgs(request, &server);
- firstpass = 0;
-- goto tgt_again;
-+ if (errcode == 0)
-+ goto tgt_again;
- }
- }
- status = "UNKNOWN_SERVER";
-diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
-new file mode 100644
-index 0000000..1760bcd
---- /dev/null
-+++ b/src/kdc/t_emptytgt.py
-@@ -0,0 +1,8 @@
-+#!/usr/bin/python
-+from k5test import *
-+
-+realm = K5Realm(start_kadmind=False, create_host=False)
-+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
-+if 'not found in Kerberos database' not in output:
-+ fail('TGT lookup for empty realm failed in unexpected way')
-+success('Empty tgt lookup.')
diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.10_uninitialized.patch b/app-crypt/mit-krb5/files/mit-krb5-1.10_uninitialized.patch
deleted file mode 100644
index b8ead2765c05..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.10_uninitialized.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/tests/asn.1/trval.c b/tests/asn.1/trval.c
-index 780d60c..ffd66ac 100644
---- a/tests/asn.1/trval.c
-+++ b/tests/asn.1/trval.c
-@@ -176,7 +176,7 @@ int trval2(fp, enc, len, lev, rlen)
- int lev;
- int *rlen;
- {
-- int l, eid, elen, xlen, r, rlen2;
-+ int l, eid, elen, xlen, r, rlen2 = 0;
- int rlen_ext = 0;
-
- r = OK;
diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0281.0282.0283.patch b/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0281.0282.0283.patch
deleted file mode 100644
index 5e0da20c882c..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0281.0282.0283.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -index 1ca09b4..60caf3d 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er - #define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS) - - #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \ -- do { \ -- st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \ -- if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \ -- tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \ -- if (ldap_server_handle) \ -- ld = ldap_server_handle->ldap_handle; \ -- } \ -- }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \ -+ tempst = 0; \ -+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, \ -+ NULL, &timelimit, LDAP_NO_LIMIT, &result); \ -+ if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \ -+ tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \ -+ if (ldap_server_handle) \ -+ ld = ldap_server_handle->ldap_handle; \ -+ if (tempst == 0) \ -+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, \ -+ NULL, NULL, &timelimit, \ -+ LDAP_NO_LIMIT, &result); \ -+ } \ - \ - if (status_check != IGNORE_STATUS) { \ - if (tempst != 0) { \ -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c -index 82b0333..84e80ee 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c -@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context, - { - krb5_ldap_server_handle *handle = *ldap_server_handle; - -+ ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL); - if 
((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS) - || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS)) - return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle); -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -index f549e23..b70940f 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -@@ -446,12 +446,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context, - * portion, then the first portion of the principal name SHOULD be - * "krbtgt". All this check is done in the immediate block. - */ -- if (searchfor->length == 2) -- if ((strncasecmp(searchfor->data[0].data, "krbtgt", -- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) && -- (strncasecmp(searchfor->data[1].data, defrealm, -- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0)) -+ if (searchfor->length == 2) { -+ if (data_eq_string(searchfor->data[0], "krbtgt") && -+ data_eq_string(searchfor->data[1], defrealm)) - return 0; -+ } - - /* first check the length, if they are not equal, then they are not same */ - if (strlen(defrealm) != searchfor->realm.length) -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -index 7ad31da..626ed1f 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -@@ -103,10 +103,10 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, - unsigned int flags, krb5_db_entry *entries, - int *nentries, krb5_boolean *more) - { -- char *user=NULL, *filter=NULL, **subtree=NULL; -+ char *user=NULL, *filter=NULL, *filtuser=NULL; - unsigned int tree=0, ntrees=1, princlen=0; - krb5_error_code tempst=0, st=0; -- char **values=NULL, *cname=NULL; -+ char **values=NULL, **subtree=NULL, *cname=NULL; - LDAP *ld=NULL; - LDAPMessage 
*result=NULL, *ent=NULL; - krb5_ldap_context *ldap_context=NULL; -@@ -142,12 +142,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, - if ((st=krb5_ldap_unparse_principal_name(user)) != 0) - goto cleanup; - -- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */ -+ filtuser = ldap_filter_correct(user); -+ if (filtuser == NULL) { -+ st = ENOMEM; -+ goto cleanup; -+ } -+ -+ princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */ - if ((filter = malloc(princlen)) == NULL) { - st = ENOMEM; - goto cleanup; - } -- snprintf(filter, princlen, FILTER"%s))", user); -+ snprintf(filter, princlen, FILTER"%s))", filtuser); - - if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0) - goto cleanup; -@@ -231,6 +237,9 @@ cleanup: - if (user) - free(user); - -+ if (filtuser) -+ free(filtuser); -+ - if (cname) - free(cname); - diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0285.patch b/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0285.patch deleted file mode 100644 index 43daa9b50f2a..000000000000 --- a/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0285.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-diff --git a/src/kadmin/server/network.c b/src/kadmin/server/network.c
-index c8ce4f1..bb911ff 100644
---- a/src/kadmin/server/network.c
-+++ b/src/kadmin/server/network.c
-@@ -1384,6 +1384,10 @@ cleanup:
- if (local_kaddrs != NULL)
- krb5_free_addresses(server_handle->context, local_kaddrs);
-
-+ if ((*response)->data == NULL) {
-+ free(*response);
-+ *response = NULL;
-+ }
- krb5_kt_close(server_handle->context, kt);
-
- return ret;
-diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
-index c1b2217..992b55f 100644
---- a/src/kadmin/server/schpw.c
-+++ b/src/kadmin/server/schpw.c
-@@ -74,8 +74,13 @@ process_chpw_request(context, server_handle, realm, keytab,
- plen = (*ptr++ & 0xff);
- plen = (plen<<8) | (*ptr++ & 0xff);
-
-- if (plen != req->length)
-- return(KRB5KRB_AP_ERR_MODIFIED);
-+ if (plen != req->length) {
-+ ret = KRB5KRB_AP_ERR_MODIFIED;
-+ numresult = KRB5_KPASSWD_MALFORMED;
-+ strlcpy(strresult, "Request length was inconsistent",
-+ sizeof(strresult));
-+ goto chpwfail;
-+ }
-
- /* verify version number */
-
diff --git a/app-crypt/mit-krb5/files/mit-krb5-kprop_exit_on_error.patch b/app-crypt/mit-krb5/files/mit-krb5-kprop_exit_on_error.patch
deleted file mode 100644
index c2fb7aa008b5..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-kprop_exit_on_error.patch
+++ /dev/null
@@ -1,25 +0,0 @@ -http://krbdev.mit.edu/rt/Ticket/Display.html?id=7000 - -Index: trunk/src/kadmin/server/ipropd_svc.c -=================================================================== -diff -u -N -r24961 -r25433 ---- trunk/src/kadmin/server/ipropd_svc.c (.../ipropd_svc.c) (revision 24961) -+++ trunk/src/kadmin/server/ipropd_svc.c (.../ipropd_svc.c) (revision 25433) -@@ -380,7 +380,7 @@ - _("%s: pclose(popen) failed: %s"), - whoami, - error_message(errno)); -- goto out; -+ _exit(1); - } - - DPRINT(("%s: exec `kprop -f %s %s' ...\n", -@@ -401,7 +401,7 @@ - _("%s: exec failed: %s"), - whoami, - error_message(errno)); -- goto out; -+ _exit(1); - } - - default: /* parent */ diff --git a/app-crypt/mit-krb5/files/mit-krb5_testsuite.patch b/app-crypt/mit-krb5/files/mit-krb5_testsuite.patch deleted file mode 100644 index a91136aafbc5..000000000000 --- a/app-crypt/mit-krb5/files/mit-krb5_testsuite.patch +++ /dev/null 
@@ -1,93 +0,0 @@ ---- a/src/tests/dejagnu/config/default.exp 2010-04-21 01:37:22.000000000 +0300 -+++ b/src/tests/dejagnu/config/default.exp 2010-11-24 16:51:53.000000000 +0200 -@@ -1619,7 +1619,7 @@ - set spawnid $spawn_id - set pid [exp_pid] - -- set markstr "===MARK $pid [clock format [clock seconds]] ===" -+ set markstr "===MARK $pid [clock seconds] ===" - puts $f $markstr - flush $f - ---- a/src/tests/dejagnu/krb-standalone/gssapi.exp 2009-06-11 20:27:45.000000000 +0300 -+++ b/src/tests/dejagnu/krb-standalone/gssapi.exp 2010-11-24 16:52:21.000000000 +0200 -@@ -182,7 +182,7 @@ - } - } - catch "expect_after" -- if ![check_exit_status $test] { -+ if { [check_exit_status $test] == 0 } { - # check_exit_staus already calls fail for us - return - } -@@ -209,59 +209,59 @@ - global portbase - - # Start up the kerberos and kadmind daemons. -- if ![start_kerberos_daemons 0] { -+ if { [start_kerberos_daemons 0] == 0 } { - perror "failed to start kerberos daemons" - } - - # Use kadmin to add a key for us. -- if ![add_kerberos_key gsstest0 0] { -+ if { [add_kerberos_key gsstest0 0] == 0 } { - perror "failed to set up gsstest0 key" - } - - # Use kadmin to add a key for us. -- if ![add_kerberos_key gsstest1 0] { -+ if { [add_kerberos_key gsstest1 0] ==0 } { - perror "failed to set up gsstest1 key" - } - - # Use kadmin to add a key for us. -- if ![add_kerberos_key gsstest2 0] { -+ if { [add_kerberos_key gsstest2 0] == 0 } { - perror "failed to set up gsstest2 key" - } - - # Use kadmin to add a key for us. -- if ![add_kerberos_key gsstest3 0] { -+ if { [add_kerberos_key gsstest3 0] == 0 } { - perror "failed to set up gsstest3 key" - } - - # Use kadmin to add a service key for us. 
-- if ![add_random_key gssservice/$hostname 0] { -+ if { [add_random_key gssservice/$hostname 0] == 0 } { - perror "failed to set up gssservice/$hostname key" - } - - # Use kdb5_edit to create a srvtab entry for gssservice -- if ![setup_srvtab 0 gssservice] { -+ if { [setup_srvtab 0 gssservice] == 0 } { - perror "failed to set up gssservice srvtab" - } - - catch "exec rm -f $tmppwd/gss_tk_0 $tmppwd/gss_tk_1 $tmppwd/gss_tk_2 $tmppwd/gss_tk_3" - - # Use kinit to get a ticket. -- if ![our_kinit gsstest0 gsstest0$KEY $tmppwd/gss_tk_0] { -+ if { [our_kinit gsstest0 gsstest0$KEY $tmppwd/gss_tk_0] == 0 } { - perror "failed to kinit gsstest0" - } - - # Use kinit to get a ticket. -- if ![our_kinit gsstest1 gsstest1$KEY $tmppwd/gss_tk_1] { -+ if { [our_kinit gsstest1 gsstest1$KEY $tmppwd/gss_tk_1] == 0 } { - perror "failed to kinit gsstest1" - } - - # Use kinit to get a ticket. -- if ![our_kinit gsstest2 gsstest2$KEY $tmppwd/gss_tk_2] { -+ if { [our_kinit gsstest2 gsstest2$KEY $tmppwd/gss_tk_2] == 0 } { - perror "failed to kinit gsstest2" - } - - # Use kinit to get a ticket. -- if ![our_kinit gsstest3 gsstest3$KEY $tmppwd/gss_tk_3] { -+ if { [our_kinit gsstest3 gsstest3$KEY $tmppwd/gss_tk_3] == 0 } { - perror "failed to kinit gsstest3" - } - |