summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'app-crypt/mit-krb5')
-rw-r--r--app-crypt/mit-krb5/ChangeLog9
-rw-r--r--app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch48
-rw-r--r--app-crypt/mit-krb5/files/CVE-2009-0846.patch40
-rw-r--r--app-crypt/mit-krb5/mit-krb5-1.6.3-r6.ebuild108
4 files changed, 204 insertions, 1 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog
index 9ac6a081b206..7460f60b4d74 100644
--- a/app-crypt/mit-krb5/ChangeLog
+++ b/app-crypt/mit-krb5/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for app-crypt/mit-krb5
# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.206 2009/03/27 21:41:44 jer Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.207 2009/04/08 14:29:10 mueli Exp $
+
+*mit-krb5-1.6.3-r6 (08 Apr 2009)
+
+ 08 Apr 2009; Michael Hammer <mueli@gentoo.org>
+ +files/CVE-2009-0844+CVE-2009-0847.patch, +files/CVE-2009-0846.patch,
+ +mit-krb5-1.6.3-r6.ebuild:
+ added mit-krb5-1.6.3-r6 - see bug #263398
27 Mar 2009; Jeroen Roovers <jer@gentoo.org> mit-krb5-1.6.3-r5.ebuild:
Stable for HPPA (bug #262736).
diff --git a/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch b/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch
new file mode 100644
index 000000000000..310963c2390a
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch
@@ -0,0 +1,48 @@
+Index: krb5-1.6.3/src/lib/gssapi/spnego/spnego_mech.c
+===================================================================
+--- krb5-1.6.3.orig/src/lib/gssapi/spnego/spnego_mech.c
++++ krb5-1.6.3/src/lib/gssapi/spnego/spnego_mech.c
+@@ -1815,7 +1815,8 @@ get_input_token(unsigned char **buff_in,
+ return (NULL);
+
+ input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes);
+- if ((int)input_token->length == -1) {
++ if ((int)input_token->length == -1 ||
++ input_token->length > buff_length) {
+ free(input_token);
+ return (NULL);
+ }
+Index: krb5-1.6.3/src/lib/krb5/asn.1/asn1buf.c
+===================================================================
+--- krb5-1.6.3.orig/src/lib/krb5/asn.1/asn1buf.c
++++ krb5-1.6.3/src/lib/krb5/asn.1/asn1buf.c
+@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1bu
+
+ asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
+ {
++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+ subbuf->base = subbuf->next = buf->next;
+ if (!indef) {
++ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
+ subbuf->bound = subbuf->base + length - 1;
+- if (subbuf->bound > buf->bound)
+- return ASN1_OVERRUN;
+ } else /* constructed indefinite */
+ subbuf->bound = buf->bound;
+ return 0;
+@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstri
+ {
+ int i;
+
++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+ if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+ if (len == 0) {
+ *s = 0;
+@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstrin
+ {
+ int i;
+
++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+ if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+ if (len == 0) {
+ *s = 0;
diff --git a/app-crypt/mit-krb5/files/CVE-2009-0846.patch b/app-crypt/mit-krb5/files/CVE-2009-0846.patch
new file mode 100644
index 000000000000..efbb9af889ee
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2009-0846.patch
@@ -0,0 +1,40 @@
+diff --git a/src/lib/krb5/asn.1/asn1_decode.c
+b/src/lib/krb5/asn.1/asn1_decode.c
+index aa4be32..5f7461d 100644
+--- a/src/lib/krb5/asn.1/asn1_decode.c
++++ b/src/lib/krb5/asn.1/asn1_decode.c
+@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)
+
+ if(length != 15) return ASN1_BAD_LENGTH;
+ retval = asn1buf_remove_charstring(buf,15,&s);
++ if (retval) return retval;
+ /* Time encoding: YYYYMMDDhhmmssZ */
+ if(s[14] != 'Z') {
+ free(s);
+diff --git a/src/tests/asn.1/krb5_decode_test.c
+b/src/tests/asn.1/krb5_decode_test.c
+index 0ff9343..1c427d1 100644
+--- a/src/tests/asn.1/krb5_decode_test.c
++++ b/src/tests/asn.1/krb5_decode_test.c
+@@ -485,5 +485,21 @@ int main(argc, argv)
+ ktest_destroy_keyblock(&(ref.subkey));
+ ref.seq_number = 0;
+ decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
++
++ retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
++ if (retval) {
++ com_err("krb5_decode_test", retval, "while parsing");
++ exit(1);
++ }
++ retval = decode_krb5_ap_rep_enc_part(&code, &var);
++ if (retval != ASN1_OVERRUN) {
++ printf("ERROR: ");
++ } else {
++ printf("OK: ");
++ }
++ printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
++ krb5_free_data_contents(test_context, &code);
++ krb5_free_ap_rep_enc_part(test_context, var);
++
+ ktest_empty_ap_rep_enc_part(&ref);
+ }
diff --git a/app-crypt/mit-krb5/mit-krb5-1.6.3-r6.ebuild b/app-crypt/mit-krb5/mit-krb5-1.6.3-r6.ebuild
new file mode 100644
index 000000000000..b0a37c69df30
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.6.3-r6.ebuild
@@ -0,0 +1,108 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.6.3-r6.ebuild,v 1.1 2009/04/08 14:29:10 mueli Exp $
+
+inherit eutils flag-o-matic versionator autotools
+
+PATCHV="0.5"
+MY_P=${P/mit-}
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar
+ mirror://gentoo/${P}-patches-${PATCHV}.tar.bz2"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="krb4 doc"
+
+RDEPEND="!virtual/krb5
+ >=sys-libs/e2fsprogs-libs-1.41.0"
+DEPEND="${RDEPEND}
+ doc? ( virtual/latex-base )"
+
+S=${WORKDIR}/${MY_P}/src
+
+PROVIDE="virtual/krb5"
+
+src_unpack() {
+ unpack ${A}
+ unpack ./${MY_P}.tar.gz
+ cd "${S}"
+ EPATCH_SUFFIX="patch" epatch "${PATCHDIR}"
+ epatch "${FILESDIR}/CVE-2009-0844+CVE-2009-0847.patch"
+ epatch "${FILESDIR}/CVE-2009-0846.patch"
+ einfo "Regenerating configure scripts (be patient)"
+ local subdir
+ for subdir in $(find . -name configure.in \
+ | xargs grep -l 'AC_CONFIG_SUBDIRS' \
+ | sed 's@/configure\.in$@@'); do
+ ebegin "Regenerating configure script in ${subdir}"
+ cd "${S}"/${subdir}
+ eautoconf --force -I "${S}"
+ eend $?
+ done
+}
+
+src_compile() {
+ # needed to work with sys-libs/e2fsprogs-libs <- should be removed!!
+ append-flags "-I/usr/include/et"
+ econf \
+ $(use_with krb4) \
+ --enable-shared \
+ --with-system-et --with-system-ss \
+ --enable-dns-for-realm \
+ --enable-kdc-replay-cache || die
+
+ emake -j1 || die
+
+ if use doc ; then
+ cd ../doc
+ for dir in api implement ; do
+ make -C "${dir}" || die
+ done
+ fi
+}
+
+src_test() {
+ einfo "Tests do not run in sandbox, have a lot of dependencies and are therefore completely disabled."
+}
+
+src_install() {
+ emake \
+ DESTDIR="${D}" \
+ EXAMPLEDIR=/usr/share/doc/${PF}/examples \
+ install || die
+
+ keepdir /var/lib/krb5kdc
+
+ cd ..
+ dodoc README
+ dodoc doc/*.ps
+ doinfo doc/*.info*
+ dohtml -r doc/*
+
+ use doc && dodoc doc/{api,implement}/*.ps
+
+ for i in {telnetd,ftpd} ; do
+ mv "${D}"/usr/share/man/man8/${i}.8 "${D}"/usr/share/man/man8/k${i}.8
+ mv "${D}"/usr/sbin/${i} "${D}"/usr/sbin/k${i}
+ done
+
+ for i in {rcp,rlogin,rsh,telnet,ftp} ; do
+ mv "${D}"/usr/share/man/man1/${i}.1 "${D}"/usr/share/man/man1/k${i}.1
+ mv "${D}"/usr/bin/${i} "${D}"/usr/bin/k${i}
+ done
+
+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind
+ newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc
+
+ insinto /etc
+ newins "${D}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+ newins "${D}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+}
+
+pkg_postinst() {
+ elog "See /usr/share/doc/${PF}/html/krb5-admin.html for documentation."
+}