authorEray Aslan <eras@gentoo.org>2013-05-14 06:02:01 +0000
committerEray Aslan <eras@gentoo.org>2013-05-14 06:02:01 +0000
commit43b9e41df5631d47658564fb6ec2622ce6745973 (patch)
treea2a5ae3b0cc5c89186c7b5c05f487624b7010c2a /app-crypt/mit-krb5
parentDrop old version. (diff)
Security bump - bug #469752
Package-Manager: portage-2.2.0_alpha174/cvs/Linux x86_64 Manifest-Sign-Key: 0x77F1F175586A3B1F
Diffstat (limited to 'app-crypt/mit-krb5')
-rw-r--r--app-crypt/mit-krb5/ChangeLog8
-rw-r--r--app-crypt/mit-krb5/Manifest30
-rw-r--r--app-crypt/mit-krb5/files/CVE-2002-2443.patch69
-rw-r--r--app-crypt/mit-krb5/mit-krb5-1.11.2-r1.ebuild127
4 files changed, 219 insertions, 15 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog
index 7dd1bbf84aac..ad8997eff64e 100644
--- a/app-crypt/mit-krb5/ChangeLog
+++ b/app-crypt/mit-krb5/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for app-crypt/mit-krb5
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.366 2013/04/19 06:45:27 eras Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.367 2013/05/14 06:01:50 eras Exp $
+
+*mit-krb5-1.11.2-r1 (14 May 2013)
+
+ 14 May 2013; Eray Aslan <eras@gentoo.org> +files/CVE-2002-2443.patch,
+ +mit-krb5-1.11.2-r1.ebuild:
+ Security bump - bug #469752
*mit-krb5-1.11.2 (19 Apr 2013)
diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index cec948539652..0b71623a31b0 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,6 +1,7 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
+AUX CVE-2002-2443.patch 2131 SHA256 1e2b53152faa9309d4dbfa0126d4e041d3c5a4519b91487aa20d019b9c00af9b SHA512 4f578a1c52de1cf2483aac4798eb577add8149daec9cb34c8cb1c2aeec8f78c8422f24c0a6844c8cc57d3eeea673d5f71fdb4369b11d3c682cf608270be07808 WHIRLPOOL a8cf34496ebfeb48c22717680384697639b76d8b66116e29ee960514a066c2517b54abd2ac04685445bbf15438e2b40674e61b635a987f52d5c7e85e1ae58cb0
AUX kpropd.xinetd 194 SHA256 eaa3838a6ca8db901db359cac3435d4f703a9a10534f02eeb37f494dd21a1736 SHA512 c9bbd13f2fadfd2a925bfae834ba61f227cd4386b4c4466b5227d93c792f4549778ef4d6e08353372df99804459277c71f61b41ec71f3afcc600d73c5705f72f WHIRLPOOL d77ae7b0094c4f42a7ea9cee5d36d0dba844a9ed5d59c621e47c7fa4b75c84fec3414e079c570513711b378d1b0fef61156f675a0df79ee61540d9492416fe42
AUX mit-krb5-1.11_uninitialized.patch 2081 SHA256 d48d228e0c78d8a2b8c6b807e0294d68b87c9316770ece4b2033852ecff1ea30 SHA512 e108b183f9dddecf7a1decbfd1db14decf45799002401f77d9910c39125f14a4520a3e8588c1c55244add8a9c42a3066bd060b869d30b1e252fc7a9fa1935d88 WHIRLPOOL 03da04c94eb1f953310d7cf3b1f9f71322f51bb2582dde0c2d9b24a951420b60b77039726178d021a6068f489a6174f0099485f0817f954105a6ceaa1a6fc6e7
AUX mit-krb5_krb5-config_LDFLAGS.patch 458 SHA256 9ebfc38cc167bbf451105807512845cd961f839d64b7e2904a6c4e722e41fe2b SHA512 8118518e359cb5e69e3321b7438b200d5d74ceeac16b4623bf4e4bfb4ead6c656de6fa153f9bcc454097b45a512bc8cd0798b1f062a2c4a09f75253b204a7a17 WHIRLPOOL 61d4a6ba6ef4114c8277330c36e0e6c2c625536c8011d1badd1dd5393c4549f63e5402520a6260bf81c5d9e512a76a9b1b4369eb9e9d13379e5ff887cf67d750
@@ -10,23 +11,24 @@ AUX mit-krb5kpropd.initd-r1 595 SHA256 c374ea05d7e9f15e10c8f9dbd0cad6548e0f92aef
DIST krb5-1.11.1-signed.tar 11663360 SHA256 3a230ff6a7f8775752292e9303d3fa8a801a353301bc24d80b860d99f9d20768 SHA512 721a14bf09571d951b0070110e2f2469e55b593d7321a1288bea1da62f33fb6d2be556bf6410a8ad0134cecdb6b67dafbd5f34404eb00383fe8fcac167f7743e WHIRLPOOL e8363343229e96eb9d2e05767d4b9b426b41a8bca51bb91cf815b50f920d289a7273d7cf9d279bfafcc3407ca0ecf67559c5c0a510562d2f7b61fc5d71f8cf3d
DIST krb5-1.11.2-signed.tar 11673600 SHA256 f0373295fb320b9702468eb0df33397e7278326ec1681a8c6037cc53cb0120a5 SHA512 2db58530a98c4bdf9c6f797f3fb2881a3bdeda680804309f1f40e877a5a1c6e589021e1e0521b5a258626e5d04105ad0c01575b2104313b4b9592ee1ae8b8006 WHIRLPOOL 10deade6b13e88187e827513a8e56a4287a654e5b6f9554ef85657fd6d7ded5ba0d2311c001e1b35f13e0d1c5ddeefeca68cdf43ee4192432b318d8cc55c2bdd
EBUILD mit-krb5-1.11.1.ebuild 3270 SHA256 e39ba0c861bdd3f9477d55faf647e3985db5aa9d6178db5525dbb17ae87fd5aa SHA512 90429906b3f86720c1055c0bca1053826c0bf64a631b84d8177d3b5d111de5303e9d82b94eda074958f2931f5843f187aa71373a1c633bbc6755211306170e55 WHIRLPOOL f32dba7942629ade9facdf9b2c8b9a42e6a27cb67d046b2b030ce8bb666fb4294734dd038cd5913522eab22f864ce71a2195cb1f80d0244eee42ef6f722e8e0a
+EBUILD mit-krb5-1.11.2-r1.ebuild 3325 SHA256 e7ec907d50e97fc4a99694f5356db423b639adb8b7eea5bb2a53c83ba89534b3 SHA512 233d78b49bc6d9a6749cdcbba7974f2e53031b4525802fad18c8b95fa06ebad359a9f4e377cb44d8489c58268832a0b23911a8922c2bb94649b026fe9e68b8bb WHIRLPOOL 7e38a0427919dade826ef79230d9c3060aeb12fc53d54d7e741d0e6acb367418bb6638b98bee1f5678003fa7a263871fc5022e8f3ff065bf75f0b7983b7d62cb
EBUILD mit-krb5-1.11.2.ebuild 3280 SHA256 aa04117b955500335d92d84611ecec0676b96337863a80dedac49014f1460c0a SHA512 9b96ccdb8f9ae4f581d0a19b49ad12c2299c9b03501a3fdd4ddc6c5aaa2e42a5be9c143c0c442640ffbe0a4c2d17e0546ef83b3c866ef376cc6e71d97c86d3d8 WHIRLPOOL 3ebd47ad0b81262f5940c5e5763c28eef2223a04d7a5a3ca8b1cf7eb18c1ce320514af296d10391364b5d8e965a0f548632ff9e95927ef7075f35b60166efaca
-MISC ChangeLog 57683 SHA256 6e6dbf15d7066fc59aabad00c9ed7d3fef813109f374f5134465535ad54a4152 SHA512 baecab64b21a36c7def46664938bb618d6b96db2032b873d0a23375da7c75d981925b6cdc9b6896a8b926c8a06b6047f060b82e7af2fabfe365f099e0a068adf WHIRLPOOL 1a809025f9c1a96b9a59de7815d4ccc5e4b63b892911d7f986fc6720af3e852c9d5eefbd6a275ffa17094c79d162aa4130f1368ec60f3729507412b5df2e6bb1
+MISC ChangeLog 57851 SHA256 50f57992f8dbd11abb017a7845dec0819525dfd387db596784fb3959dbe5b275 SHA512 e2c60faad40c2142d253b885ea1181dff3f062c3192702f8f8649d7c73f29915fb57a6ca953e2cfac952e67793f58da4f8672b45a1884ca09c1527039a6e39fa WHIRLPOOL 4629bf6c9e6fdcd8a4de7a23e110b3a5e51b2d9aed65447ef600931f1be298b8e03689ff60275548d37f8c18b02a5d70bb127070ed5f683b5ccc35f74068e033
MISC metadata.xml 668 SHA256 da5862dde92f34b882870961cb9f1e4aa8209fc549e32a43d99770a9de8b232d SHA512 0038aeb7cda74161d2e2fe97c5124ee6cc86a24b9503714c128cd8b9af8b8050a89cf5dd3aadd66b1714c1d1aeb8564d50479547a586200793ea485e9f9c6c8b WHIRLPOOL 52394a4f4d5acb11f3bf2e76e036707c7f7741990d70bafb5c87a6da5d191b6aee3cb8383f6e66694cbda7458eb1a869c7ec8758750741835e2f1af4e028378c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
-iQIcBAEBCAAGBQJRcOgSAAoJEHfx8XVYajsfceMQAJBSRk5aHqhG5pYS+WFccF9R
-Bd1EnSQ3wn4znVhK1TkncSw+Q/oVRo35acVqCy3zCJrDAvFN6zM0K61zTfoHFNvA
-2cHOKLFpZaaee3kwUhydl6PtEzKZDY8LRqGcQqd80UBtKGZV/bz4KwLLQXPTFbO0
-4CqKJPCmzFVItiKXPzPAxOL1O9aE06rYIiJJ94HHLgp6HJ8H6/RO1jrcEjIWmATh
-fti5pq/5Yx0rcM8S97O3Q3VMX9qB5dKBnlubenx/uNqQRvBf+xonuTS4QbAX6CX9
-2gqkAvc33Dzq4FK7xTNaliuX0DRxcJk9JDJq5zji6KUtWTU7vEMDIpI0sSg+33J3
-aX7LdSwO8QXnAZxHcRcF0hRtRj6/FVPfyGwv6IP8UmIHcVNAZ09exBJ6vlBievep
-Vxx+N2OzwzziwNbLwQJLU4LFdFzqyVYoF+LaHP3rLRxxhaeV9GF+CAm9AL7pkmUO
-VMKgloGHNR1DPTzVNMubmn9JjjY1OFa4mT/DsWK/yJWkVxMBtybT7odUU7jnmv66
-wZ5A++xTeJCyJ7vd1hcgSAQpeo+Tjnih5AbJlOiNRwrKLj4KyLjzdH6NiR0lfrxD
-uSI+vxcVVruioSGU+KdJX1gG8teVZSDYM6pcmMKGQjA7Hd2VLMXc/xL0fsddPoQq
-7T/oSXSy59LT2+6fB6q0
-=KU03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+=8OXz
-----END PGP SIGNATURE-----
diff --git a/app-crypt/mit-krb5/files/CVE-2002-2443.patch b/app-crypt/mit-krb5/files/CVE-2002-2443.patch
new file mode 100644
index 000000000000..3ef88155c5a1
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2002-2443.patch
@@ -0,0 +1,69 @@
+From cf1a0c411b2668c57c41e9c4efd15ba17b6b322c Mon Sep 17 00:00:00 2001
+From: Tom Yu <tlyu@mit.edu>
+Date: Fri, 3 May 2013 16:26:46 -0400
+Subject: [PATCH] Fix kpasswd UDP ping-pong [CVE-2002-2443]
+
+The kpasswd service provided by kadmind was vulnerable to a UDP
+"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
+they pass some basic validation, and don't respond to our own error
+packets.
+
+Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
+attack or UDP ping-pong attacks in general, but there is discussion
+leading toward narrowing the definition of CVE-1999-0103 to the echo,
+chargen, or other similar built-in inetd services.
+
+Thanks to Vincent Danen for alerting us to this issue.
+
+CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
+
+ticket: 7637 (new)
+target_version: 1.11.3
+tags: pullup
+---
+ src/kadmin/server/schpw.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index 15b0ab5..7f455d8 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -52,7 +52,7 @@
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated", sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ ptr = req->data;
+@@ -67,7 +67,7 @@
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request length was inconsistent",
+ sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* verify version number */
+@@ -80,7 +80,7 @@
+ numresult = KRB5_KPASSWD_BAD_VERSION;
+ snprintf(strresult, sizeof(strresult),
+ "Request contained unknown protocol version number %d", vno);
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* read, check ap-req length */
+@@ -93,7 +93,7 @@
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated in AP-REQ",
+ sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* verify ap_req */
+--
+1.8.1.6
+
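Review bot: In the four rewritten branches of schpw.c, `numresult` and `strresult` are still filled in immediately before `goto bailout`, and since the stated purpose of the change is to send no reply in these cases, those assignments now look like dead stores. The `bailout` label and the start and end of the function are outside the hunks, so this is inferred; if nothing after the label reads them, a comment at the first branch such as `/* no reply on purpose: answering unvalidated packets allows a UDP ping-pong (CVE-2002-2443) */` would keep a later cleanup from restoring `goto chpwfail`. A dropped request also leaves no trace in the visible lines, so it is worth confirming that the caller logs the returned `ret`; otherwise a stream of malformed kpasswd packets would be invisible to operators.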
diff --git a/app-crypt/mit-krb5/mit-krb5-1.11.2-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.11.2-r1.ebuild
new file mode 100644
index 000000000000..2e60948be416
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.11.2-r1.ebuild
@@ -0,0 +1,127 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.11.2-r1.ebuild,v 1.1 2013/05/14 06:01:50 eras Exp $
+
+EAPI=5
+
+PYTHON_COMPAT=( python{2_5,2_6,2_7} )
+inherit eutils flag-o-matic python-any-r1 versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="doc +keyutils openldap +pkinit +threads test xinetd"
+
+RDEPEND="!!app-crypt/heimdal
+ >=sys-libs/e2fsprogs-libs-1.41.0
+ || ( dev-libs/libverto[libev] dev-libs/libverto[libevent] dev-libs/libverto[tevent] )
+ keyutils? ( sys-apps/keyutils )
+ openldap? ( net-nds/openldap )
+ pkinit? ( dev-libs/openssl )
+ xinetd? ( sys-apps/xinetd )"
+DEPEND="${RDEPEND}
+ virtual/yacc
+ doc? ( virtual/latex-base )
+ test? ( dev-lang/tcl
+ dev-lang/python
+ dev-util/dejagnu )"
+
+S=${WORKDIR}/${MY_P}/src
+
+src_unpack() {
+ unpack ${A}
+ unpack ./"${MY_P}".tar.gz
+}
+
+src_prepare() {
+ epatch "${FILESDIR}/${PN}-1.11_uninitialized.patch"
+ epatch "${FILESDIR}/${PN}_krb5-config_LDFLAGS.patch"
+ epatch "${FILESDIR}/CVE-2002-2443.patch"
+
+ # tcl-8.6 compatibility
+ sed -i -e 's/interp->result/Tcl_GetStringResult(interp)/' \
+ kadmin/testing/util/tcl_kadm5.c || die
+}
+
+src_configure() {
+ append-cppflags "-I${EPREFIX}/usr/include/et"
+ # QA
+ append-flags -fno-strict-aliasing
+ append-flags -fno-strict-overflow
+
+ use keyutils || export ac_cv_header_keyutils_h=no
+ econf \
+ $(use_with openldap ldap) \
+ "$(use_with test tcl "${EPREFIX}/usr")" \
+ $(use_enable pkinit) \
+ $(use_enable threads thread-support) \
+ --without-hesiod \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --enable-dns-for-realm \
+ --enable-kdc-lookaside-cache \
+ --with-system-verto \
+ --disable-rpath
+}
+
+src_compile() {
+ emake -j1
+}
+
+src_test() {
+ emake -j1 check
+}
+
+src_install() {
+ emake \
+ DESTDIR="${D}" \
+ EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+ install
+
+ # default database dir
+ keepdir /var/lib/krb5kdc
+
+ cd ..
+ dodoc README
+
+ if use doc; then
+ dohtml -r doc/html/*
+ docinto pdf
+ dodoc doc/pdf/*.pdf
+ fi
+
+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r1 mit-krb5kadmind
+ newinitd "${FILESDIR}"/mit-krb5kdc.initd-r1 mit-krb5kdc
+ newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r1 mit-krb5kpropd
+
+ insinto /etc
+ newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+ insinto /var/lib/krb5kdc
+ newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+ if use openldap ; then
+ insinto /etc/openldap/schema
+ doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+ fi
+
+ if use xinetd ; then
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}/kpropd.xinetd" kpropd
+ fi
+}
+
+pkg_preinst() {
+ if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
+ elog "MIT split the Kerberos applications from the base Kerberos"
+ elog "distribution. Kerberized versions of telnet, rlogin, rsh, rcp,"
+ elog "ftp clients and telnet, ftp deamons now live in"
+ elog "\"app-crypt/mit-krb5-appl\" package."
+ fi
+}
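Review bot: In `src_prepare`, the new `epatch "${FILESDIR}/CVE-2002-2443.patch"` line has no comment saying what it fixes or when it can be dropped, although the patch header names `target_version: 1.11.3`. I would add `# bug #469752: kpasswd UDP ping-pong, targeted at 1.11.3 upstream - drop on the bump that contains it` above the line, so the backport is neither carried past that release nor removed too early. Separately, `src_unpack` extracts the inner `${MY_P}.tar.gz` from a `-signed.tar` fetched over plain `http://` without checking any signature that may ship beside it; the Manifest hashes pin the outer tarball, so this is defence in depth rather than a hole, but a comment stating that integrity rests on the Manifest alone would make that explicit. The new ebuild is `~arch` only and the Manifest context lines still list `mit-krb5-1.11.2.ebuild`, so the unpatched revision presumably stays installable until stabilisation and cleanup follow.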