authorEray Aslan <eras@gentoo.org>2012-08-01 16:38:00 +0000
committerEray Aslan <eras@gentoo.org>2012-08-01 16:38:00 +0000
commit140f77da5ec3dca1a7c0dc247a1a4011336c8f52 (patch)
treef0d9f1a4206b43a4749b9dda527d59af905b594a /app-crypt
parentsci-geosciences/gebabbel: Respect CFLAGS, #429356; use eclass functions, inst... (diff)
Security bump - bug #429324
(Portage version: 2.1.11.9/cvs/Linux x86_64)
Diffstat (limited to 'app-crypt')
-rw-r--r--app-crypt/mit-krb5/ChangeLog10
-rw-r--r--app-crypt/mit-krb5/files/CVE-2012-1014.patch21
-rw-r--r--app-crypt/mit-krb5/files/CVE-2012-1015.patch40
-rw-r--r--app-crypt/mit-krb5/mit-krb5-1.10.2-r1.ebuild127
-rw-r--r--app-crypt/mit-krb5/mit-krb5-1.9.4-r1.ebuild119
5 files changed, 316 insertions, 1 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog
index 01541f25ce8a..e6fdecea27b2 100644
--- a/app-crypt/mit-krb5/ChangeLog
+++ b/app-crypt/mit-krb5/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for app-crypt/mit-krb5
# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.329 2012/07/09 05:18:26 xmw Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.330 2012/08/01 16:38:00 eras Exp $
+
+*mit-krb5-1.10.2-r1 (01 Aug 2012)
+*mit-krb5-1.9.4-r1 (01 Aug 2012)
+
+ 01 Aug 2012; Eray Aslan <eras@gentoo.org> +mit-krb5-1.9.4-r1.ebuild,
+ +mit-krb5-1.10.2-r1.ebuild, +files/CVE-2012-1014.patch,
+ +files/CVE-2012-1015.patch:
+ Security bump - bug #429324
09 Jul 2012; Michael Weber <xmw@gentoo.org> mit-krb5-1.9.4.ebuild:
ppc stable (bug 419765)
diff --git a/app-crypt/mit-krb5/files/CVE-2012-1014.patch b/app-crypt/mit-krb5/files/CVE-2012-1014.patch
new file mode 100644
index 000000000000..c7da7171959f
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2012-1014.patch
@@ -0,0 +1,21 @@
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 23623fe..8ada9d0 100644
+--- a/src/kdc/do_as_req.c
++++ b/src/kdc/do_as_req.c
+@@ -463,7 +463,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
+ krb5_enctype useenctype;
+ struct as_req_state *state;
+
+- state = malloc(sizeof(*state));
++ state = calloc(sizeof(*state), 1);
+ if (!state) {
+ (*respond)(arg, ENOMEM, NULL);
+ return;
+@@ -486,6 +486,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
+ state->authtime = 0;
+ state->c_flags = 0;
+ state->req_pkt = req_pkt;
++ state->inner_body = NULL;
+ state->rstate = NULL;
+ state->sname = 0;
+ state->cname = 0;
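Review bot: Neither this patch file nor CVE-2012-1015.patch, added in the same commit, has a header saying where it came from. A few comment lines above the first `diff --git` line, naming the upstream advisory or commit and Gentoo bug #429324, would let a later maintainer check the file against upstream and see when it can be dropped. In the first inner hunk, `calloc(sizeof(*state), 1)` passes the size and count in the reverse of the usual order; the allocation is the same, so leave it untouched if that is how upstream shipped it. process_as_req starts and ends outside both inner hunks, so the remaining field-by-field initialisation cannot be checked from here.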
diff --git a/app-crypt/mit-krb5/files/CVE-2012-1015.patch b/app-crypt/mit-krb5/files/CVE-2012-1015.patch
new file mode 100644
index 000000000000..60f2b38a2ffa
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2012-1015.patch
@@ -0,0 +1,40 @@
+diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
+index 9d8cb34..d4ece3f 100644
+--- a/src/kdc/kdc_preauth.c
++++ b/src/kdc/kdc_preauth.c
+@@ -1438,7 +1438,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
+ continue;
+
+ }
+- if (request_contains_enctype(context, request, db_etype)) {
++ if (krb5_is_permitted_enctype(context, db_etype) &&
++ request_contains_enctype(context, request, db_etype)) {
+ retval = _make_etype_info_entry(context, client->princ,
+ client_key, db_etype,
+ &entry[i], etype_info2);
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index a43b291..94dad3a 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -2461,6 +2461,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request,
+ return 0;
+ pa.magic = KV5M_PA_DATA;
+ pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
++ memset(&checksum, 0, sizeof(checksum));
+ retval = krb5_c_make_checksum(kdc_context,0, reply_key,
+ KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
+ if (retval != 0)
+diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
+index c4bf92e..367c894 100644
+--- a/src/lib/kdb/kdb_default.c
++++ b/src/lib/kdb/kdb_default.c
+@@ -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
+ krb5_boolean saw_non_permitted = FALSE;
+
+ ret = 0;
++ if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
++ return KRB5_KDB_NO_PERMITTED_KEY;
++
+ if (kvno == -1 && stype == -1 && ktype == -1)
+ kvno = 0;
+
diff --git a/app-crypt/mit-krb5/mit-krb5-1.10.2-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.10.2-r1.ebuild
new file mode 100644
index 000000000000..33c3a05d36d9
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.10.2-r1.ebuild
@@ -0,0 +1,127 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.10.2-r1.ebuild,v 1.1 2012/08/01 16:38:00 eras Exp $
+
+EAPI=4
+inherit eutils flag-o-matic versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~hppa ~ppc ~x86"
+IUSE="doc +keyutils openldap +pkinit +threads test xinetd"
+
+RDEPEND="!!app-crypt/heimdal
+ >=sys-libs/e2fsprogs-libs-1.41.0
+ dev-libs/libverto
+ keyutils? ( sys-apps/keyutils )
+ openldap? ( net-nds/openldap )
+ xinetd? ( sys-apps/xinetd )"
+DEPEND="${RDEPEND}
+ virtual/yacc
+ doc? ( virtual/latex-base )
+ test? ( dev-lang/tcl
+ dev-lang/python
+ dev-util/dejagnu )"
+
+S=${WORKDIR}/${MY_P}/src
+
+src_unpack() {
+ unpack ${A}
+ unpack ./"${MY_P}".tar.gz
+}
+
+src_prepare() {
+ epatch "${FILESDIR}/${PN}-1.10.1_uninitialized_extra.patch"
+ epatch "${FILESDIR}/${PN}-1.10.1_uninitialized_extra-2.patch"
+ epatch "${FILESDIR}/${PN}-1.10.1_gcc470.patch"
+ epatch "${FILESDIR}"/CVE-2012-1014.patch
+ epatch "${FILESDIR}"/CVE-2012-1015.patch
+}
+
+src_configure() {
+ append-cppflags "-I${EPREFIX}/usr/include/et"
+ # QA
+ append-flags -fno-strict-aliasing
+ append-flags -fno-strict-overflow
+ [[ $(gcc-version) == "4.7" ]] && replace-flags -O? -O0
+
+ use keyutils || export ac_cv_header_keyutils_h=no
+ econf \
+ $(use_with openldap ldap) \
+ "$(use_with test tcl "${EPREFIX}/usr")" \
+ $(use_enable pkinit) \
+ $(use_enable threads thread-support) \
+ --without-hesiod \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --enable-dns-for-realm \
+ --enable-kdc-lookaside-cache \
+ --with-system-verto \
+ --disable-rpath
+}
+
+src_compile() {
+ emake -j1
+
+ if use doc ; then
+ cd ../doc
+ for dir in api implement ; do
+ emake -C "${dir}"
+ done
+ fi
+}
+
+src_install() {
+ emake \
+ DESTDIR="${D}" \
+ EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+ install
+
+ # default database dir
+ keepdir /var/lib/krb5kdc
+
+ cd ..
+ dodoc NOTICE README
+ dodoc doc/*.{ps,txt}
+ doinfo doc/*.info*
+ dohtml -r doc/*.html
+
+ if use doc ; then
+ dodoc doc/{api,implement}/*.ps
+ fi
+
+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind
+ newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc
+ newinitd "${FILESDIR}"/mit-krb5kpropd.initd mit-krb5kpropd
+
+ insinto /etc
+ newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+ insinto /var/lib/krb5kdc
+ newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+ if use openldap ; then
+ insinto /etc/openldap/schema
+ doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+ fi
+
+ if use xinetd ; then
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}/kpropd.xinetd" kpropd
+ fi
+}
+
+pkg_preinst() {
+ if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
+ elog "MIT split the Kerberos applications from the base Kerberos"
+ elog "distribution. Kerberized versions of telnet, rlogin, rsh, rcp,"
+ elog "ftp clients and telnet, ftp deamons now live in"
+ elog "\"app-crypt/mit-krb5-appl\" package."
+ fi
+}
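Review bot: In src_configure, `[[ $(gcc-version) == "4.7" ]] && replace-flags -O? -O0` builds the KDC and its libraries without optimisation on gcc 4.7. glibc's _FORTIFY_SOURCE checks are only active when optimising, so on toolchains or profiles that enable them this security bump ships without that hardening. The line has no comment explaining the workaround; something like `# gcc-4.7 workaround, see bug #<BUG-ID>; drop once fixed` above it would make it removable later. `gcc-version` is a toolchain-funcs function and appears to reach this ebuild only indirectly, so `inherit eutils flag-o-matic toolchain-funcs versionator` would make the dependency explicit.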
diff --git a/app-crypt/mit-krb5/mit-krb5-1.9.4-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.9.4-r1.ebuild
new file mode 100644
index 000000000000..de09a2fea359
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.9.4-r1.ebuild
@@ -0,0 +1,119 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.9.4-r1.ebuild,v 1.1 2012/08/01 16:38:00 eras Exp $
+
+EAPI=4
+inherit eutils flag-o-matic versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos"
+IUSE="doc +keyutils openldap +pkinit +threads test xinetd"
+
+RDEPEND="!!app-crypt/heimdal
+ >=sys-libs/e2fsprogs-libs-1.41.0
+ keyutils? ( sys-apps/keyutils )
+ openldap? ( net-nds/openldap )
+ xinetd? ( sys-apps/xinetd )"
+DEPEND="${RDEPEND}
+ virtual/yacc
+ doc? ( virtual/latex-base )
+ test? ( dev-lang/tcl
+ dev-lang/python
+ dev-util/dejagnu )"
+
+S=${WORKDIR}/${MY_P}/src
+
+src_unpack() {
+ unpack ${A}
+ unpack ./"${MY_P}".tar.gz
+}
+
+src_prepare() {
+ epatch "${FILESDIR}"/CVE-2012-1015.patch
+}
+
+src_configure() {
+ # QA
+ append-flags -fno-strict-aliasing
+ append-flags -fno-strict-overflow
+ use keyutils || export ac_cv_header_keyutils_h=no
+ econf \
+ $(use_with openldap ldap) \
+ "$(use_with test tcl "${EPREFIX}/usr")" \
+ $(use_enable pkinit) \
+ $(use_enable threads thread-support) \
+ --without-hesiod \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --enable-dns-for-realm \
+ --enable-kdc-lookaside-cache \
+ --disable-rpath
+}
+
+src_compile() {
+ emake -j1
+
+ if use doc ; then
+ cd ../doc
+ for dir in api implement ; do
+ emake -C "${dir}" || die "doc emake failed"
+ done
+ fi
+}
+
+src_install() {
+ emake \
+ DESTDIR="${D}" \
+ EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+ install
+
+ # default database dir
+ keepdir /var/lib/krb5kdc
+
+ cd ..
+ dodoc NOTICE README
+ dodoc doc/*.{ps,txt}
+ doinfo doc/*.info*
+ dohtml -r doc/*.html
+
+ # die if we cannot respect a USE flag
+ if use doc ; then
+ dodoc doc/{api,implement}/*.ps
+ fi
+
+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind
+ newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc
+ newinitd "${FILESDIR}"/mit-krb5kpropd.initd mit-krb5kpropd
+
+ insinto /etc
+ newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+ insinto /var/lib/krb5kdc
+ newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+ if use openldap ; then
+ insinto /etc/openldap/schema
+ doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+ fi
+
+ if use xinetd ; then
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}/kpropd.xinetd" kpropd
+ fi
+}
+
+pkg_preinst() {
+ if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
+ elog "MIT split the Kerberos applications from the base Kerberos"
+ elog "distribution. Kerberized versions of telnet, rlogin, rsh, rcp,"
+ elog "ftp clients and telnet, ftp deamons now live in"
+ elog "\"app-crypt/mit-krb5-appl\" package."
+ fi
+}
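Review bot: src_prepare here applies only `CVE-2012-1015.patch`, while the 1.10.2-r1 ebuild in the same commit applies both CVE patches, and nothing in the ebuild says why. If CVE-2012-1014 does not affect the 1.9 series, a comment such as `# CVE-2012-1014.patch not needed: <reason per upstream advisory>` above the epatch line would keep a later maintainer from reading the omission as an oversight. The shared CVE-2012-1015.patch carries hunk offsets from a single upstream tree (for example `kdc_util.c` at line 2461). It is worth confirming in the build log that all three files patch cleanly on 1.9.4 and that no hunk lands with fuzz in the wrong place.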