author | Eray Aslan <eras@gentoo.org> | 2011-04-14 06:38:45 +0000 |
---|---|---|
committer | Eray Aslan <eras@gentoo.org> | 2011-04-14 06:38:45 +0000 |
commit | 8698dd652f500e59559ce0c63a7bba74a7ef2ce9 (patch) | |
tree | 07963855780ac0ae2c55ff5557e51495a8dcd67d /app-crypt | |
parent | version bump (diff) | |
security bump - bug #363507
(Portage version: 2.1.9.46/cvs/Linux x86_64)
Diffstat (limited to 'app-crypt')
-rw-r--r-- | app-crypt/mit-krb5/ChangeLog | 10 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2011-0285.patch | 39 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0285.patch | 35 | ||||
-rw-r--r-- | app-crypt/mit-krb5/mit-krb5-1.8.3-r5.ebuild | 119 | ||||
-rw-r--r-- | app-crypt/mit-krb5/mit-krb5-1.9-r3.ebuild | 120 |
5 files changed, 322 insertions, 1 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog index f054357ba304..4a5d1469c4e4 100644 --- a/app-crypt/mit-krb5/ChangeLog +++ b/app-crypt/mit-krb5/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for app-crypt/mit-krb5 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.271 2011/03/22 07:18:34 eras Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.272 2011/04/14 06:38:45 eras Exp $ + +*mit-krb5-1.9-r3 (14 Apr 2011) +*mit-krb5-1.8.3-r5 (14 Apr 2011) + + 14 Apr 2011; Eray Aslan <eras@gentoo.org> +mit-krb5-1.8.3-r5.ebuild, + +files/mit-krb5-1.8.3-CVE-2011-0285.patch, +mit-krb5-1.9-r3.ebuild, + +files/CVE-2011-0285.patch: + security bump - bug 363507 22 Mar 2011; Eray Aslan <eras@gentoo.org> -mit-krb5-1.8.3-r3.ebuild: remove vulnerable version diff --git a/app-crypt/mit-krb5/files/CVE-2011-0285.patch b/app-crypt/mit-krb5/files/CVE-2011-0285.patch new file mode 100644 index 000000000000..61039113f97c --- /dev/null +++ b/app-crypt/mit-krb5/files/CVE-2011-0285.patch 
@@ -0,0 +1,39 @@
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index 1124445..0056885 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -52,6 +52,7 @@ process_chpw_request(context, server_handle, realm, keytab,
+
+ ret = 0;
+ rep->length = 0;
++ rep->data = NULL;
+
+ auth_context = NULL;
+ changepw = NULL;
+@@ -76,8 +77,13 @@ process_chpw_request(context, server_handle, realm, keytab,
+ plen = (*ptr++ & 0xff);
+ plen = (plen<<8) | (*ptr++ & 0xff);
+
+- if (plen != req->length)
+- return(KRB5KRB_AP_ERR_MODIFIED);
++ if (plen != req->length) {
++ ret = KRB5KRB_AP_ERR_MODIFIED;
++ numresult = KRB5_KPASSWD_MALFORMED;
++ strlcpy(strresult, "Request length was inconsistent",
++ sizeof(strresult));
++ goto chpwfail;
++ }
+
+ /* verify version number */
+
+@@ -531,6 +537,10 @@ cleanup:
+ if (local_kaddrs != NULL)
+ krb5_free_addresses(server_handle->context, local_kaddrs);
+
++ if ((*response)->data == NULL) {
++ free(*response);
++ *response = NULL;
++ }
+ krb5_kt_close(server_handle->context, kt);
+
+ return ret;
diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0285.patch b/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0285.patch
new file mode 100644
index 000000000000..43daa9b50f2a
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.8.3-CVE-2011-0285.patch
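Review bot: The cleanup block added in the `@@ -531,6 +537,10 @@ cleanup:` hunk dereferences `*response` without checking it first, so any path that reaches `cleanup:` before the response structure has been allocated would fault on `(*response)->data`. The enclosing function starts and ends outside the hunk, so whether such a path exists cannot be confirmed from here; a guard removes the question: `if (*response != NULL && (*response)->data == NULL) {`. The same block is added by the network.c hunk of files/mit-krb5-1.8.3-CVE-2011-0285.patch.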
@@ -0,0 +1,35 @@
+diff --git a/src/kadmin/server/network.c b/src/kadmin/server/network.c
+index c8ce4f1..bb911ff 100644
+--- a/src/kadmin/server/network.c
++++ b/src/kadmin/server/network.c
+@@ -1384,6 +1384,10 @@ cleanup:
+ if (local_kaddrs != NULL)
+ krb5_free_addresses(server_handle->context, local_kaddrs);
+
++ if ((*response)->data == NULL) {
++ free(*response);
++ *response = NULL;
++ }
+ krb5_kt_close(server_handle->context, kt);
+
+ return ret;
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index c1b2217..992b55f 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -74,8 +74,13 @@ process_chpw_request(context, server_handle, realm, keytab,
+ plen = (*ptr++ & 0xff);
+ plen = (plen<<8) | (*ptr++ & 0xff);
+
+- if (plen != req->length)
+- return(KRB5KRB_AP_ERR_MODIFIED);
++ if (plen != req->length) {
++ ret = KRB5KRB_AP_ERR_MODIFIED;
++ numresult = KRB5_KPASSWD_MALFORMED;
++ strlcpy(strresult, "Request length was inconsistent",
++ sizeof(strresult));
++ goto chpwfail;
++ }
+
+ /* verify version number */
+
diff --git a/app-crypt/mit-krb5/mit-krb5-1.8.3-r5.ebuild b/app-crypt/mit-krb5/mit-krb5-1.8.3-r5.ebuild
new file mode 100644
index 000000000000..6b772f6ac4d0
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.8.3-r5.ebuild
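Review bot: This backport omits the `rep->data = NULL;` initialisation that files/CVE-2011-0285.patch adds at the top of process_chpw_request, yet the cleanup test it adds in network.c, `if ((*response)->data == NULL)`, only works if `data` is NULL whenever no reply was built. If the 1.8.3 source does not already clear that field (the code that would do so is outside these hunks), a failure path could leave the test reading an unset pointer. Confirm against the 1.8.3 tree, or carry the extra line `rep->data = NULL;` after `rep->length = 0;` in schpw.c.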
@@ -0,0 +1,119 @@ +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.8.3-r5.ebuild,v 1.1 2011/04/14 06:38:45 eras Exp $ + +EAPI=2 + +inherit eutils flag-o-matic versionator + +MY_P=${P/mit-} +P_DIR=$(get_version_component_range 1-2) +DESCRIPTION="MIT Kerberos V" +HOMEPAGE="http://web.mit.edu/kerberos/www/" +SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar" + +LICENSE="as-is" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" +IUSE="doc openldap test xinetd" + +RDEPEND="!!app-crypt/heimdal + >=sys-libs/e2fsprogs-libs-1.41.0 + sys-apps/keyutils + openldap? ( net-nds/openldap ) + xinetd? ( sys-apps/xinetd )" +DEPEND="${RDEPEND} + doc? ( virtual/latex-base ) + test? ( dev-lang/tcl + dev-lang/perl + dev-util/dejagnu )" + +S=${WORKDIR}/${MY_P}/src + +src_unpack() { + unpack ${A} + unpack ./"${MY_P}".tar.gz +} + +src_prepare() { + epatch "${FILESDIR}/CVE-2010-1322.patch" + epatch "${FILESDIR}/CVE-2010-1323.1324.4020.patch" + epatch "${FILESDIR}/CVE-2010-4022.patch" + epatch "${FILESDIR}/${P}-CVE-2011-0281.0282.0283.patch" + epatch "${FILESDIR}/CVE-2011-0284.patch" + epatch "${FILESDIR}/${P}-CVE-2011-0285.patch" + epatch "${FILESDIR}/mit-krb5_testsuite.patch" +} + +src_configure() { + append-flags "-I/usr/include/et" + econf \ + $(use_with openldap ldap) \ + $(use_with test tcl /usr) \ + --without-krb4 \ + --enable-shared \ + --with-system-et \ + --with-system-ss \ + --enable-dns-for-realm \ + --enable-kdc-replay-cache \ + --disable-rpath +} + +src_compile() { + emake -j1 || die "emake failed" + + if use doc ; then + cd ../doc + for dir in api implement ; do + emake -C "${dir}" || die "doc emake failed" + done + fi +} + +src_install() { + emake \ + DESTDIR="${D}" \ + EXAMPLEDIR="/usr/share/doc/${PF}/examples" \ + install || die "install failed" + + # default database dir + 
keepdir /var/lib/krb5kdc + + cd .. + dodoc README + dodoc doc/*.{ps,txt} + doinfo doc/*.info* + dohtml -r doc/*.html + + # die if we cannot respect a USE flag + if use doc ; then + dodoc doc/{api,implement}/*.ps || die "dodoc failed" + fi + + newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind || die + newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc || die + + insinto /etc + newins "${D}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example + insinto /var/lib/krb5kdc + newins "${D}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example + + if use openldap ; then + insinto /etc/openldap/schema + doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema" || die + fi + + if use xinetd ; then + insinto /etc/xinetd.d + newins "${FILESDIR}/kpropd.xinetd" kpropd || die + fi +} + +pkg_preinst() { + if has_version "<${CATEGORY}/${PN}-1.8.0" ; then + elog "MIT split the Kerberos applications from the base Kerberos" + elog "distribution. Kerberized versions of telnet, rlogin, rsh, rcp," + elog "ftp clients and telnet, ftp deamons now live in" + elog "\"app-crypt/mit-krb5-appl\" package." + fi +} diff --git a/app-crypt/mit-krb5/mit-krb5-1.9-r3.ebuild b/app-crypt/mit-krb5/mit-krb5-1.9-r3.ebuild new file mode 100644 index 000000000000..ac62ffc86b7a --- /dev/null +++ b/app-crypt/mit-krb5/mit-krb5-1.9-r3.ebuild 
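Review bot: `keepdir /var/lib/krb5kdc` in src_install leaves the KDC data directory at the default directory mode (presumably 0755), and nothing later in the function tightens it. The ebuild's own comment calls this the default database dir, so restricting it to root is a cheap hardening step even if the database files carry tighter modes of their own. Add `fperms 0700 /var/lib/krb5kdc` after the `newins ... kdc.conf.example` line. mit-krb5-1.9-r3.ebuild has the same src_install sequence.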
@@ -0,0 +1,120 @@ +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.9-r3.ebuild,v 1.1 2011/04/14 06:38:45 eras Exp $ + +EAPI=3 + +inherit eutils flag-o-matic versionator + +MY_P="${P/mit-}" +P_DIR=$(get_version_component_range 1-2) +DESCRIPTION="MIT Kerberos V" +HOMEPAGE="http://web.mit.edu/kerberos/www/" +SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar" + +LICENSE="as-is" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos" +IUSE="doc +keyutils openldap +pkinit +threads test xinetd" + +RDEPEND="!!app-crypt/heimdal + >=sys-libs/e2fsprogs-libs-1.41.0 + keyutils? ( sys-apps/keyutils ) + openldap? ( net-nds/openldap ) + xinetd? ( sys-apps/xinetd )" +DEPEND="${RDEPEND} + doc? ( virtual/latex-base ) + test? ( dev-lang/tcl + dev-lang/python + dev-util/dejagnu )" + +S=${WORKDIR}/${MY_P}/src + +src_unpack() { + unpack ${A} + unpack ./"${MY_P}".tar.gz +} + +src_prepare() { + epatch "${FILESDIR}/CVE-2010-4022.patch" + epatch "${FILESDIR}/CVE-2011-0281.0282.0283.patch" + epatch "${FILESDIR}/CVE-2011-0284.patch" + epatch "${FILESDIR}/CVE-2011-0285.patch" +} + +src_configure() { + append-flags "-I${EPREFIX}/usr/include/et" + use keyutils || export ac_cv_header_keyutils_h=no + econf \ + $(use_with openldap ldap) \ + "$(use_with test tcl "${EPREFIX}/usr")" \ + $(use_enable pkinit) \ + $(use_enable threads thread-support) \ + --without-krb4 \ + --without-hesiod \ + --enable-shared \ + --with-system-et \ + --with-system-ss \ + --enable-dns-for-realm \ + --enable-kdc-lookaside-cache \ + --disable-rpath +} + +src_compile() { + emake -j1 || die "emake failed" + + if use doc ; then + cd ../doc + for dir in api implement ; do + emake -C "${dir}" || die "doc emake failed" + done + fi +} + +src_install() { + emake \ + DESTDIR="${D}" \ + 
EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \ + install || die "install failed" + + # default database dir + keepdir /var/lib/krb5kdc + + cd .. + dodoc NOTICE README + dodoc doc/*.{ps,txt} + doinfo doc/*.info* + dohtml -r doc/*.html + + # die if we cannot respect a USE flag + if use doc ; then + dodoc doc/{api,implement}/*.ps || die "dodoc failed" + fi + + newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind || die + newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc || die + + insinto /etc + newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example + insinto /var/lib/krb5kdc + newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example + + if use openldap ; then + insinto /etc/openldap/schema + doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema" || die + fi + + if use xinetd ; then + insinto /etc/xinetd.d + newins "${FILESDIR}/kpropd.xinetd" kpropd || die + fi +} + +pkg_preinst() { + if has_version "<${CATEGORY}/${PN}-1.8.0" ; then + elog "MIT split the Kerberos applications from the base Kerberos" + elog "distribution. Kerberized versions of telnet, rlogin, rsh, rcp," + elog "ftp clients and telnet, ftp deamons now live in" + elog "\"app-crypt/mit-krb5-appl\" package." + fi +} |
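Review bot: The two `newins` calls that copy the example configs, `newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example` and its kdc.conf counterpart, have no `|| die`, unlike the `newinitd`, `doins` and xinetd `newins` calls around them. Under the `EAPI=3` declared at the top of this ebuild a failing helper does not abort the build, so a missing example file would pass silently. Append `|| die` to both lines. mit-krb5-1.8.3-r5.ebuild has the same pair written with `${D}`.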