author | Eray Aslan <eras@gentoo.org> | 2013-05-14 06:02:01 +0000 |
---|---|---|
committer | Eray Aslan <eras@gentoo.org> | 2013-05-14 06:02:01 +0000 |
commit | 43b9e41df5631d47658564fb6ec2622ce6745973 (patch) | |
tree | a2a5ae3b0cc5c89186c7b5c05f487624b7010c2a /app-crypt/mit-krb5 | |
parent | Drop old version. (diff) | |
Security bump - bug #469752
Package-Manager: portage-2.2.0_alpha174/cvs/Linux x86_64
Manifest-Sign-Key: 0x77F1F175586A3B1F
Diffstat (limited to 'app-crypt/mit-krb5')
-rw-r--r-- | app-crypt/mit-krb5/ChangeLog | 8 | ||||
-rw-r--r-- | app-crypt/mit-krb5/Manifest | 30 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2002-2443.patch | 69 | ||||
-rw-r--r-- | app-crypt/mit-krb5/mit-krb5-1.11.2-r1.ebuild | 127 |
4 files changed, 219 insertions, 15 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog
index 7dd1bbf84aac..ad8997eff64e 100644
--- a/app-crypt/mit-krb5/ChangeLog
+++ b/app-crypt/mit-krb5/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for app-crypt/mit-krb5
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.366 2013/04/19 06:45:27 eras Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.367 2013/05/14 06:01:50 eras Exp $
+
+*mit-krb5-1.11.2-r1 (14 May 2013)
+
+ 14 May 2013; Eray Aslan <eras@gentoo.org> +files/CVE-2002-2443.patch,
+ +mit-krb5-1.11.2-r1.ebuild:
+ Security bump - bug #469752
 
 *mit-krb5-1.11.2 (19 Apr 2013)
 
diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index cec948539652..0b71623a31b0 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,6 +1,7 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 +AUX CVE-2002-2443.patch 2131 SHA256 1e2b53152faa9309d4dbfa0126d4e041d3c5a4519b91487aa20d019b9c00af9b SHA512 4f578a1c52de1cf2483aac4798eb577add8149daec9cb34c8cb1c2aeec8f78c8422f24c0a6844c8cc57d3eeea673d5f71fdb4369b11d3c682cf608270be07808 WHIRLPOOL a8cf34496ebfeb48c22717680384697639b76d8b66116e29ee960514a066c2517b54abd2ac04685445bbf15438e2b40674e61b635a987f52d5c7e85e1ae58cb0 AUX kpropd.xinetd 194 SHA256 eaa3838a6ca8db901db359cac3435d4f703a9a10534f02eeb37f494dd21a1736 SHA512 c9bbd13f2fadfd2a925bfae834ba61f227cd4386b4c4466b5227d93c792f4549778ef4d6e08353372df99804459277c71f61b41ec71f3afcc600d73c5705f72f WHIRLPOOL d77ae7b0094c4f42a7ea9cee5d36d0dba844a9ed5d59c621e47c7fa4b75c84fec3414e079c570513711b378d1b0fef61156f675a0df79ee61540d9492416fe42 AUX mit-krb5-1.11_uninitialized.patch 2081 SHA256 d48d228e0c78d8a2b8c6b807e0294d68b87c9316770ece4b2033852ecff1ea30 SHA512 e108b183f9dddecf7a1decbfd1db14decf45799002401f77d9910c39125f14a4520a3e8588c1c55244add8a9c42a3066bd060b869d30b1e252fc7a9fa1935d88 WHIRLPOOL 03da04c94eb1f953310d7cf3b1f9f71322f51bb2582dde0c2d9b24a951420b60b77039726178d021a6068f489a6174f0099485f0817f954105a6ceaa1a6fc6e7 AUX mit-krb5_krb5-config_LDFLAGS.patch 458 SHA256 9ebfc38cc167bbf451105807512845cd961f839d64b7e2904a6c4e722e41fe2b SHA512 8118518e359cb5e69e3321b7438b200d5d74ceeac16b4623bf4e4bfb4ead6c656de6fa153f9bcc454097b45a512bc8cd0798b1f062a2c4a09f75253b204a7a17 WHIRLPOOL 61d4a6ba6ef4114c8277330c36e0e6c2c625536c8011d1badd1dd5393c4549f63e5402520a6260bf81c5d9e512a76a9b1b4369eb9e9d13379e5ff887cf67d750 
@@ -10,23 +11,24 @@ AUX mit-krb5kpropd.initd-r1 595 SHA256 c374ea05d7e9f15e10c8f9dbd0cad6548e0f92aef DIST krb5-1.11.1-signed.tar 11663360 SHA256 3a230ff6a7f8775752292e9303d3fa8a801a353301bc24d80b860d99f9d20768 SHA512 721a14bf09571d951b0070110e2f2469e55b593d7321a1288bea1da62f33fb6d2be556bf6410a8ad0134cecdb6b67dafbd5f34404eb00383fe8fcac167f7743e WHIRLPOOL e8363343229e96eb9d2e05767d4b9b426b41a8bca51bb91cf815b50f920d289a7273d7cf9d279bfafcc3407ca0ecf67559c5c0a510562d2f7b61fc5d71f8cf3d DIST krb5-1.11.2-signed.tar 11673600 SHA256 f0373295fb320b9702468eb0df33397e7278326ec1681a8c6037cc53cb0120a5 SHA512 2db58530a98c4bdf9c6f797f3fb2881a3bdeda680804309f1f40e877a5a1c6e589021e1e0521b5a258626e5d04105ad0c01575b2104313b4b9592ee1ae8b8006 WHIRLPOOL 10deade6b13e88187e827513a8e56a4287a654e5b6f9554ef85657fd6d7ded5ba0d2311c001e1b35f13e0d1c5ddeefeca68cdf43ee4192432b318d8cc55c2bdd EBUILD mit-krb5-1.11.1.ebuild 3270 SHA256 e39ba0c861bdd3f9477d55faf647e3985db5aa9d6178db5525dbb17ae87fd5aa SHA512 90429906b3f86720c1055c0bca1053826c0bf64a631b84d8177d3b5d111de5303e9d82b94eda074958f2931f5843f187aa71373a1c633bbc6755211306170e55 WHIRLPOOL f32dba7942629ade9facdf9b2c8b9a42e6a27cb67d046b2b030ce8bb666fb4294734dd038cd5913522eab22f864ce71a2195cb1f80d0244eee42ef6f722e8e0a +EBUILD mit-krb5-1.11.2-r1.ebuild 3325 SHA256 e7ec907d50e97fc4a99694f5356db423b639adb8b7eea5bb2a53c83ba89534b3 SHA512 233d78b49bc6d9a6749cdcbba7974f2e53031b4525802fad18c8b95fa06ebad359a9f4e377cb44d8489c58268832a0b23911a8922c2bb94649b026fe9e68b8bb WHIRLPOOL 7e38a0427919dade826ef79230d9c3060aeb12fc53d54d7e741d0e6acb367418bb6638b98bee1f5678003fa7a263871fc5022e8f3ff065bf75f0b7983b7d62cb EBUILD mit-krb5-1.11.2.ebuild 3280 SHA256 aa04117b955500335d92d84611ecec0676b96337863a80dedac49014f1460c0a SHA512 9b96ccdb8f9ae4f581d0a19b49ad12c2299c9b03501a3fdd4ddc6c5aaa2e42a5be9c143c0c442640ffbe0a4c2d17e0546ef83b3c866ef376cc6e71d97c86d3d8 WHIRLPOOL 
3ebd47ad0b81262f5940c5e5763c28eef2223a04d7a5a3ca8b1cf7eb18c1ce320514af296d10391364b5d8e965a0f548632ff9e95927ef7075f35b60166efaca -MISC ChangeLog 57683 SHA256 6e6dbf15d7066fc59aabad00c9ed7d3fef813109f374f5134465535ad54a4152 SHA512 baecab64b21a36c7def46664938bb618d6b96db2032b873d0a23375da7c75d981925b6cdc9b6896a8b926c8a06b6047f060b82e7af2fabfe365f099e0a068adf WHIRLPOOL 1a809025f9c1a96b9a59de7815d4ccc5e4b63b892911d7f986fc6720af3e852c9d5eefbd6a275ffa17094c79d162aa4130f1368ec60f3729507412b5df2e6bb1 +MISC ChangeLog 57851 SHA256 50f57992f8dbd11abb017a7845dec0819525dfd387db596784fb3959dbe5b275 SHA512 e2c60faad40c2142d253b885ea1181dff3f062c3192702f8f8649d7c73f29915fb57a6ca953e2cfac952e67793f58da4f8672b45a1884ca09c1527039a6e39fa WHIRLPOOL 4629bf6c9e6fdcd8a4de7a23e110b3a5e51b2d9aed65447ef600931f1be298b8e03689ff60275548d37f8c18b02a5d70bb127070ed5f683b5ccc35f74068e033 MISC metadata.xml 668 SHA256 da5862dde92f34b882870961cb9f1e4aa8209fc549e32a43d99770a9de8b232d SHA512 0038aeb7cda74161d2e2fe97c5124ee6cc86a24b9503714c128cd8b9af8b8050a89cf5dd3aadd66b1714c1d1aeb8564d50479547a586200793ea485e9f9c6c8b WHIRLPOOL 52394a4f4d5acb11f3bf2e76e036707c7f7741990d70bafb5c87a6da5d191b6aee3cb8383f6e66694cbda7458eb1a869c7ec8758750741835e2f1af4e028378c -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) -iQIcBAEBCAAGBQJRcOgSAAoJEHfx8XVYajsfceMQAJBSRk5aHqhG5pYS+WFccF9R -Bd1EnSQ3wn4znVhK1TkncSw+Q/oVRo35acVqCy3zCJrDAvFN6zM0K61zTfoHFNvA -2cHOKLFpZaaee3kwUhydl6PtEzKZDY8LRqGcQqd80UBtKGZV/bz4KwLLQXPTFbO0 -4CqKJPCmzFVItiKXPzPAxOL1O9aE06rYIiJJ94HHLgp6HJ8H6/RO1jrcEjIWmATh -fti5pq/5Yx0rcM8S97O3Q3VMX9qB5dKBnlubenx/uNqQRvBf+xonuTS4QbAX6CX9 -2gqkAvc33Dzq4FK7xTNaliuX0DRxcJk9JDJq5zji6KUtWTU7vEMDIpI0sSg+33J3 -aX7LdSwO8QXnAZxHcRcF0hRtRj6/FVPfyGwv6IP8UmIHcVNAZ09exBJ6vlBievep -Vxx+N2OzwzziwNbLwQJLU4LFdFzqyVYoF+LaHP3rLRxxhaeV9GF+CAm9AL7pkmUO -VMKgloGHNR1DPTzVNMubmn9JjjY1OFa4mT/DsWK/yJWkVxMBtybT7odUU7jnmv66 -wZ5A++xTeJCyJ7vd1hcgSAQpeo+Tjnih5AbJlOiNRwrKLj4KyLjzdH6NiR0lfrxD 
-uSI+vxcVVruioSGU+KdJX1gG8teVZSDYM6pcmMKGQjA7Hd2VLMXc/xL0fsddPoQq -7T/oSXSy59LT2+6fB6q0 -=KU03 +iQIcBAEBCAAGBQJRkdNZAAoJEHfx8XVYajsf89AP/1Ghq+kJDNzUdAGhKpNs6x8Q +4gq30TiEmaDpWquHkQ7Jv9D6Rf6sph5jaYlLYK14ShDHUiLm9qfzUd7VtbEb5+xM +RT5H3NazHLgr0wFr+Ruz0AyshwwccmeCgE2eam+tyeo4PBDcbW3yLjDdeibyhOnM +yswsEelzOqBTc1pIl6MONMa4h1G91dMbAfaHe7gADUA5xleyY0EG5OB5yVymhNy5 +Wj2c8KOa474aSVZnpMdQbz4fgIQqrvtacu5Ybruy8rP7TEL9sjZOVKHXgZ7atLhY +d7a9V21rK/rRHPVcnBFEnqH2T5H006zW8gL0WmBp4kfMZoA8YywLgM1yYU7e8TcI +uRTUjmdgVJdIlp9ky55fM3vabeLQR1TEN6mAS1O3BPaGOYigW2izoRYfbZM23/Pa +8jKrhnCYJvuq+TJ//wu9sqisKoEJzQo52YZBiaT3KITAVrDFOFkKT32owre0YMWH +bF3XbN2yog70PllrfU87fJQyd5RlGhIiy3mc2Z6MRDM5uZkSU/kC564y/oqDkf3B +QgdG9t4OBkhnGBjfQ0/UX7iCNoZeqCdXSDsdHWXM82M4Fr6+TRqNJGtlqG+ZteDz +jP7bUAlpW6kucGQAWNQMdHLGpQPkcuANMNV4Y0adL+H8dKmdRwsk2ON3fTU1iVUi +PK7BrbjIy9a3AY8erJiP +=8OXz -----END PGP SIGNATURE----- diff --git a/app-crypt/mit-krb5/files/CVE-2002-2443.patch b/app-crypt/mit-krb5/files/CVE-2002-2443.patch new file mode 100644 index 000000000000..3ef88155c5a1 --- /dev/null +++ b/app-crypt/mit-krb5/files/CVE-2002-2443.patch 
@@ -0,0 +1,69 @@
+From cf1a0c411b2668c57c41e9c4efd15ba17b6b322c Mon Sep 17 00:00:00 2001
+From: Tom Yu <tlyu@mit.edu>
+Date: Fri, 3 May 2013 16:26:46 -0400
+Subject: [PATCH] Fix kpasswd UDP ping-pong [CVE-2002-2443]
+
+The kpasswd service provided by kadmind was vulnerable to a UDP
+"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
+they pass some basic validation, and don't respond to our own error
+packets.
+
+Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
+attack or UDP ping-pong attacks in general, but there is discussion
+leading toward narrowing the definition of CVE-1999-0103 to the echo,
+chargen, or other similar built-in inetd services.
+
+Thanks to Vincent Danen for alerting us to this issue.
+
+CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
+
+ticket: 7637 (new)
+target_version: 1.11.3
+tags: pullup
+---
+ src/kadmin/server/schpw.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index 15b0ab5..7f455d8 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -52,7 +52,7 @@
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated", sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ ptr = req->data;
+@@ -67,7 +67,7 @@
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request length was inconsistent",
+ sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* verify version number */
+@@ -80,7 +80,7 @@
+ numresult = KRB5_KPASSWD_BAD_VERSION;
+ snprintf(strresult, sizeof(strresult),
+ "Request contained unknown protocol version number %d", vno);
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* read, check ap-req length */
+@@ -93,7 +93,7 @@
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated in AP-REQ",
+ sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* verify ap_req */
+--
+1.8.1.6
+
diff --git a/app-crypt/mit-krb5/mit-krb5-1.11.2-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.11.2-r1.ebuild
new file mode 100644
index 000000000000..2e60948be416
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.11.2-r1.ebuild
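Review bot: In files/CVE-2002-2443.patch, the four changed sites in schpw.c still assign `numresult` and `strresult` immediately before the new `goto bailout`, with nothing saying why no reply is sent. The `bailout` label lies outside the inner hunks, so it is only inferred from the patch description that it skips building a reply, which would make those assignments dead stores. I would add a comment at the first site (inner hunk -52), `/* No reply for unvalidated input: answering it enables the UDP ping-pong loop (CVE-2002-2443). */`, and point to it from the sites at -67, -80 and -93. It is also worth confirming that a request dropped this way is still logged, since a silent drop would otherwise leave no server-side trace of malformed kpasswd traffic.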
@@ -0,0 +1,127 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.11.2-r1.ebuild,v 1.1 2013/05/14 06:01:50 eras Exp $
+
+EAPI=5
+
+PYTHON_COMPAT=( python{2_5,2_6,2_7} )
+inherit eutils flag-o-matic python-any-r1 versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="doc +keyutils openldap +pkinit +threads test xinetd"
+
+RDEPEND="!!app-crypt/heimdal
+ >=sys-libs/e2fsprogs-libs-1.41.0
+ || ( dev-libs/libverto[libev] dev-libs/libverto[libevent] dev-libs/libverto[tevent] )
+ keyutils? ( sys-apps/keyutils )
+ openldap? ( net-nds/openldap )
+ pkinit? ( dev-libs/openssl )
+ xinetd? ( sys-apps/xinetd )"
+DEPEND="${RDEPEND}
+ virtual/yacc
+ doc? ( virtual/latex-base )
+ test? ( dev-lang/tcl
+ dev-lang/python
+ dev-util/dejagnu )"
+
+S=${WORKDIR}/${MY_P}/src
+
+src_unpack() {
+ unpack ${A}
+ unpack ./"${MY_P}".tar.gz
+}
+
+src_prepare() {
+ epatch "${FILESDIR}/${PN}-1.11_uninitialized.patch"
+ epatch "${FILESDIR}/${PN}_krb5-config_LDFLAGS.patch"
+ epatch "${FILESDIR}/CVE-2002-2443.patch"
+
+ # tcl-8.6 compatibility
+ sed -i -e 's/interp->result/Tcl_GetStringResult(interp)/' \
+ kadmin/testing/util/tcl_kadm5.c || die
+}
+
+src_configure() {
+ append-cppflags "-I${EPREFIX}/usr/include/et"
+ # QA
+ append-flags -fno-strict-aliasing
+ append-flags -fno-strict-overflow
+
+ use keyutils || export ac_cv_header_keyutils_h=no
+ econf \
+ $(use_with openldap ldap) \
+ "$(use_with test tcl "${EPREFIX}/usr")" \
+ $(use_enable pkinit) \
+ $(use_enable threads thread-support) \
+ --without-hesiod \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --enable-dns-for-realm \
+ --enable-kdc-lookaside-cache \
+ --with-system-verto \
+ --disable-rpath
+}
+
+src_compile() {
+ emake -j1
+}
+
+src_test() {
+ emake -j1 check
+}
+
+src_install() {
+ emake \
+ DESTDIR="${D}" \
+ EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+ install
+
+ # default database dir
+ keepdir /var/lib/krb5kdc
+
+ cd ..
+ dodoc README
+
+ if use doc; then
+ dohtml -r doc/html/*
+ docinto pdf
+ dodoc doc/pdf/*.pdf
+ fi
+
+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r1 mit-krb5kadmind
+ newinitd "${FILESDIR}"/mit-krb5kdc.initd-r1 mit-krb5kdc
+ newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r1 mit-krb5kpropd
+
+ insinto /etc
+ newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+ insinto /var/lib/krb5kdc
+ newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+ if use openldap ; then
+ insinto /etc/openldap/schema
+ doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+ fi
+
+ if use xinetd ; then
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}/kpropd.xinetd" kpropd
+ fi
+}
+
+pkg_preinst() {
+ if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
+ elog "MIT split the Kerberos applications from the base Kerberos"
+ elog "distribution. Kerberized versions of telnet, rlogin, rsh, rcp,"
+ elog "ftp clients and telnet, ftp deamons now live in"
+ elog "\"app-crypt/mit-krb5-appl\" package."
+ fi
+}
|
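Review bot: The new `epatch "${FILESDIR}/CVE-2002-2443.patch"` line in src_prepare says nothing about where the patch comes from or when it can be dropped, and its file name lacks the `${PN}` prefix used by the two patches above it. The patch header names upstream ticket 7637 with target_version 1.11.3, so I would put `# CVE-2002-2443, upstream ticket 7637; drop once 1.11.3 is packaged` above the line so the next bump neither carries it by accident nor drops it too early. Separately, SRC_URI is plain http and src_unpack unpacks the inner `${MY_P}.tar.gz` from the `-signed.tar` archive without checking whatever signature ships with it. The Manifest digests pin the outer file, which is presumably the intended integrity check, but a one-line comment saying so would help.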