Date: Wednesday, May 22, 2013 @ 02:37:41 Author: stephane Revision: 186200
db-move: moved krb5 from [testing] to [core] (i686, x86_64) Added: krb5/repos/core-i686/CVE-2002-2443.patch (from rev 186199, krb5/repos/testing-i686/CVE-2002-2443.patch) krb5/repos/core-i686/PKGBUILD (from rev 186199, krb5/repos/testing-i686/PKGBUILD) krb5/repos/core-i686/krb5-1.10.1-gcc47.patch (from rev 186199, krb5/repos/testing-i686/krb5-1.10.1-gcc47.patch) krb5/repos/core-i686/krb5-config_LDFLAGS.patch (from rev 186199, krb5/repos/testing-i686/krb5-config_LDFLAGS.patch) krb5/repos/core-i686/krb5-kadmind.service (from rev 186199, krb5/repos/testing-i686/krb5-kadmind.service) krb5/repos/core-i686/krb5-kdc.service (from rev 186199, krb5/repos/testing-i686/krb5-kdc.service) krb5/repos/core-i686/krb5-kpropd.service (from rev 186199, krb5/repos/testing-i686/krb5-kpropd.service) krb5/repos/core-i686/krb5-kpropd.socket (from rev 186199, krb5/repos/testing-i686/krb5-kpropd.socket) krb5/repos/core-i686/krb5-kpropd@.service (from rev 186199, krb5/repos/testing-i686/krb5-kpropd@.service) krb5/repos/core-x86_64/CVE-2002-2443.patch (from rev 186199, krb5/repos/testing-x86_64/CVE-2002-2443.patch) krb5/repos/core-x86_64/PKGBUILD (from rev 186199, krb5/repos/testing-x86_64/PKGBUILD) krb5/repos/core-x86_64/krb5-1.10.1-gcc47.patch (from rev 186199, krb5/repos/testing-x86_64/krb5-1.10.1-gcc47.patch) krb5/repos/core-x86_64/krb5-config_LDFLAGS.patch (from rev 186199, krb5/repos/testing-x86_64/krb5-config_LDFLAGS.patch) krb5/repos/core-x86_64/krb5-kadmind.service (from rev 186199, krb5/repos/testing-x86_64/krb5-kadmind.service) krb5/repos/core-x86_64/krb5-kdc.service (from rev 186199, krb5/repos/testing-x86_64/krb5-kdc.service) krb5/repos/core-x86_64/krb5-kpropd.service (from rev 186199, krb5/repos/testing-x86_64/krb5-kpropd.service) krb5/repos/core-x86_64/krb5-kpropd.socket (from rev 186199, krb5/repos/testing-x86_64/krb5-kpropd.socket) krb5/repos/core-x86_64/krb5-kpropd@.service (from rev 186199, krb5/repos/testing-x86_64/krb5-kpropd@.service) Deleted: 
krb5/repos/core-i686/PKGBUILD krb5/repos/core-i686/krb5-1.10.1-gcc47.patch krb5/repos/core-i686/krb5-config_LDFLAGS.patch krb5/repos/core-i686/krb5-kadmind.service krb5/repos/core-i686/krb5-kdc.service krb5/repos/core-i686/krb5-kpropd.service krb5/repos/core-i686/krb5-kpropd.socket krb5/repos/core-i686/krb5-kpropd@.service krb5/repos/core-x86_64/PKGBUILD krb5/repos/core-x86_64/krb5-1.10.1-gcc47.patch krb5/repos/core-x86_64/krb5-config_LDFLAGS.patch krb5/repos/core-x86_64/krb5-kadmind.service krb5/repos/core-x86_64/krb5-kdc.service krb5/repos/core-x86_64/krb5-kpropd.service krb5/repos/core-x86_64/krb5-kpropd.socket krb5/repos/core-x86_64/krb5-kpropd@.service krb5/repos/testing-i686/ krb5/repos/testing-x86_64/ ---------------------------------------+ /PKGBUILD | 178 ++++++++++++++++++++++++++++++++ /krb5-1.10.1-gcc47.patch | 22 +++ /krb5-config_LDFLAGS.patch | 24 ++++ /krb5-kadmind.service | 16 ++ /krb5-kdc.service | 18 +++ /krb5-kpropd.service | 16 ++ /krb5-kpropd.socket | 18 +++ /krb5-kpropd@.service | 16 ++ core-i686/CVE-2002-2443.patch | 69 ++++++++++++ core-i686/PKGBUILD | 84 --------------- core-i686/krb5-1.10.1-gcc47.patch | 11 - core-i686/krb5-config_LDFLAGS.patch | 12 -- core-i686/krb5-kadmind.service | 8 - core-i686/krb5-kdc.service | 9 - core-i686/krb5-kpropd.service | 8 - core-i686/krb5-kpropd.socket | 9 - core-i686/krb5-kpropd@.service | 8 - core-x86_64/CVE-2002-2443.patch | 69 ++++++++++++ core-x86_64/PKGBUILD | 84 --------------- core-x86_64/krb5-1.10.1-gcc47.patch | 11 - core-x86_64/krb5-config_LDFLAGS.patch | 12 -- core-x86_64/krb5-kadmind.service | 8 - core-x86_64/krb5-kdc.service | 9 - core-x86_64/krb5-kpropd.service | 8 - core-x86_64/krb5-kpropd.socket | 9 - core-x86_64/krb5-kpropd@.service | 8 - 26 files changed, 446 insertions(+), 298 deletions(-) Copied: krb5/repos/core-i686/CVE-2002-2443.patch (from rev 186199, krb5/repos/testing-i686/CVE-2002-2443.patch) =================================================================== --- 
core-i686/CVE-2002-2443.patch (rev 0) +++ core-i686/CVE-2002-2443.patch 2013-05-22 00:37:41 UTC (rev 186200) 
@@ -0,0 +1,69 @@
+From cf1a0c411b2668c57c41e9c4efd15ba17b6b322c Mon Sep 17 00:00:00 2001
+From: Tom Yu <t...@mit.edu>
+Date: Fri, 3 May 2013 16:26:46 -0400
+Subject: [PATCH] Fix kpasswd UDP ping-pong [CVE-2002-2443]
+
+The kpasswd service provided by kadmind was vulnerable to a UDP
+"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
+they pass some basic validation, and don't respond to our own error
+packets.
+
+Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
+attack or UDP ping-pong attacks in general, but there is discussion
+leading toward narrowing the definition of CVE-1999-0103 to the echo,
+chargen, or other similar built-in inetd services.
+
+Thanks to Vincent Danen for alerting us to this issue.
+
+CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
+
+ticket: 7637 (new)
+target_version: 1.11.3
+tags: pullup
+---
+ src/kadmin/server/schpw.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index 15b0ab5..7f455d8 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -52,7 +52,7 @@
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated", sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ ptr = req->data;
+@@ -67,7 +67,7 @@
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request length was inconsistent",
+ sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* verify version number */
+@@ -80,7 +80,7 @@
+ numresult = KRB5_KPASSWD_BAD_VERSION;
+ snprintf(strresult, sizeof(strresult),
+ "Request contained unknown protocol version number %d", vno);
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* read, check ap-req length */
+@@ -93,7 +93,7 @@
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated in AP-REQ",
+ sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* verify ap_req */
+--
+1.8.1.6
+
Deleted: core-i686/PKGBUILD
===================================================================
--- core-i686/PKGBUILD 2013-05-22 00:29:27 UTC (rev 186199)
+++ core-i686/PKGBUILD 2013-05-22 00:37:41 UTC (rev 186200)
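Review bot: In the copied core-i686/CVE-2002-2443.patch, each of the four changed branches in schpw.c still sets `numresult` and fills `strresult` immediately before the new `goto bailout`, which reads as leftover work if `bailout` returns without building a reply (the label is outside these hunks, so that is inferred). A one-line comment at the first site would record the intent, for example `/* Malformed before authentication: send no reply, so error packets cannot be bounced between servers (CVE-2002-2443). */`. The four hunks only cover checks made before `/* verify ap_req */`; whether later failure paths still answer through `chpwfail` is not visible here and is worth confirming against the full function. The core-x86_64 copy of the patch is identical.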
@@ -1,84 +0,0 @@ -# $Id$ -# Maintainer: Stéphane Gaudreault <steph...@archlinux.org> - -pkgname=krb5 -pkgver=1.11.2 -pkgrel=3 -pkgdesc="The Kerberos network authentication system" -arch=('i686' 'x86_64') -url="http://web.mit.edu/kerberos/" -license=('custom') -depends=('e2fsprogs' 'libldap' 'keyutils') -makedepends=('perl') -backup=('etc/krb5.conf' 'var/lib/krb5kdc/kdc.conf') -source=(http://web.mit.edu/kerberos/dist/${pkgname}/1.11/${pkgname}-${pkgver}-signed.tar - krb5-config_LDFLAGS.patch - krb5-kadmind.service - krb5-kdc.service - krb5-kpropd.service - krb5-kpropd@.service - krb5-kpropd.socket) -sha1sums=('3863f7bdb2d8fc3e50484fb566124373c4b0a250' - '09e478cddfb9d46d2981dd25ef96b8c3fd91e1aa' - 'a2a01e7077d9e89cda3457ea0e216debb3dc353c' - 'f5e4fa073e11b0fcb4e3098a5d58a4f791ec841e' - '614401dd4ac18e310153240bb26eb32ff1e8cf5b' - '023a8164f8ee7066ac814486a68bc605e79f6101' - 'f3677d30dbbd7106c581379c2c6ebb1bf7738912') -options=('!emptydirs') - -build() { - tar zxvf ${pkgname}-${pkgver}.tar.gz - cd "${srcdir}/${pkgname}-${pkgver}/src" - - # cf https://bugs.gentoo.org/show_bug.cgi?id=448778 - patch -Np2 -i "${srcdir}"/krb5-config_LDFLAGS.patch - - rm lib/krb5/krb/deltat.c - - # FS#25384 - sed -i "/KRB5ROOT=/s/\/local//" util/ac_check_krb5.m4 - - export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all" - export CPPFLAGS+=" -I/usr/include/et" - ./configure --prefix=/usr \ - --sbindir=/usr/bin \ - --sysconfdir=/etc \ - --mandir=/usr/share/man \ - --localstatedir=/var/lib \ - --enable-shared \ - --with-system-et \ - --with-system-ss \ - --disable-rpath \ - --without-tcl \ - --enable-dns-for-realm \ - --with-ldap \ - --without-system-verto - make -} - -package() { - cd "${srcdir}/${pkgname}-${pkgver}/src" - make DESTDIR="${pkgdir}" EXAMPLEDIR=/usr/share/doc/${pkgname}/examples install - - # Fix FS#29889 - install -m 644 plugins/kdb/ldap/libkdb_ldap/kerberos.{ldif,schema} "${pkgdir}"/usr/share/doc/${pkgname}/examples - - # Sample KDC config file - install -dm 755 
"${pkgdir}"/var/lib/krb5kdc - install -pm 644 config-files/kdc.conf "${pkgdir}"/var/lib/krb5kdc/kdc.conf - - # Default configuration file - install -dm 755 "${pkgdir}"/etc - install -pm 644 config-files/krb5.conf "${pkgdir}"/etc/krb5.conf - - install -dm 755 "${pkgdir}"/usr/share/aclocal - install -m 644 util/ac_check_krb5.m4 "${pkgdir}"/usr/share/aclocal - - install -Dm644 "${srcdir}"/${pkgname}-${pkgver}/NOTICE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE - - # systemd stuff - install -dm 755 "${pkgdir}"/usr/lib/systemd/system - install -m 644 ../../krb5-{kadmind.service,kdc.service,kpropd.service,kpropd@.service,kpropd.socket} \ - "${pkgdir}"/usr/lib/systemd/system -} Copied: krb5/repos/core-i686/PKGBUILD (from rev 186199, krb5/repos/testing-i686/PKGBUILD) =================================================================== --- core-i686/PKGBUILD (rev 0) +++ core-i686/PKGBUILD 2013-05-22 00:37:41 UTC (rev 186200) 
@@ -0,0 +1,89 @@
+# $Id$
+# Maintainer: Stéphane Gaudreault <steph...@archlinux.org>
+
+pkgname=krb5
+pkgver=1.11.2
+pkgrel=4
+pkgdesc="The Kerberos network authentication system"
+arch=('i686' 'x86_64')
+url="http://web.mit.edu/kerberos/"
+license=('custom')
+depends=('e2fsprogs' 'libldap' 'keyutils')
+makedepends=('perl')
+backup=('etc/krb5.conf' 'var/lib/krb5kdc/kdc.conf')
+source=(http://web.mit.edu/kerberos/dist/${pkgname}/1.11/${pkgname}-${pkgver}-signed.tar
+ CVE-2002-2443.patch
+ krb5-config_LDFLAGS.patch
+ krb5-kadmind.service
+ krb5-kdc.service
+ krb5-kpropd.service
+ krb5-kpropd@.service
+ krb5-kpropd.socket)
+sha1sums=('3863f7bdb2d8fc3e50484fb566124373c4b0a250'
+ '78ec307c2b5e32481a6da401013c428e0b867f36'
+ '09e478cddfb9d46d2981dd25ef96b8c3fd91e1aa'
+ 'a2a01e7077d9e89cda3457ea0e216debb3dc353c'
+ 'f5e4fa073e11b0fcb4e3098a5d58a4f791ec841e'
+ '614401dd4ac18e310153240bb26eb32ff1e8cf5b'
+ '023a8164f8ee7066ac814486a68bc605e79f6101'
+ 'f3677d30dbbd7106c581379c2c6ebb1bf7738912')
+options=('!emptydirs')
+
+build() {
+ tar zxvf ${pkgname}-${pkgver}.tar.gz
+ cd "${srcdir}/${pkgname}-${pkgver}/src"
+
+ # cf https://bugs.gentoo.org/show_bug.cgi?id=448778
+ patch -Np2 -i "${srcdir}"/krb5-config_LDFLAGS.patch
+
+ # Fix kpasswd UDP ping-pong (CVE-2002-2443)
+ patch -Np2 -i "${srcdir}"/CVE-2002-2443.patch
+
+ rm lib/krb5/krb/deltat.c
+
+ # FS#25384
+ sed -i "/KRB5ROOT=/s/\/local//" util/ac_check_krb5.m4
+
+ export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all"
+ export CPPFLAGS+=" -I/usr/include/et"
+ ./configure --prefix=/usr \
+ --sbindir=/usr/bin \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --localstatedir=/var/lib \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --disable-rpath \
+ --without-tcl \
+ --enable-dns-for-realm \
+ --with-ldap \
+ --without-system-verto
+ make
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}/src"
+ make DESTDIR="${pkgdir}" EXAMPLEDIR=/usr/share/doc/${pkgname}/examples install
+
+ # Fix FS#29889
+ install -m 644 plugins/kdb/ldap/libkdb_ldap/kerberos.{ldif,schema} "${pkgdir}"/usr/share/doc/${pkgname}/examples
+
+ # Sample KDC config file
+ install -dm 755 "${pkgdir}"/var/lib/krb5kdc
+ install -pm 644 config-files/kdc.conf "${pkgdir}"/var/lib/krb5kdc/kdc.conf
+
+ # Default configuration file
+ install -dm 755 "${pkgdir}"/etc
+ install -pm 644 config-files/krb5.conf "${pkgdir}"/etc/krb5.conf
+
+ install -dm 755 "${pkgdir}"/usr/share/aclocal
+ install -m 644 util/ac_check_krb5.m4 "${pkgdir}"/usr/share/aclocal
+
+ install -Dm644 "${srcdir}"/${pkgname}-${pkgver}/NOTICE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE
+
+ # systemd stuff
+ install -dm 755 "${pkgdir}"/usr/lib/systemd/system
+ install -m 644 ../../krb5-{kadmind.service,kdc.service,kpropd.service,kpropd@.service,kpropd.socket} \
+ "${pkgdir}"/usr/lib/systemd/system
+}
Deleted: core-i686/krb5-1.10.1-gcc47.patch
===================================================================
--- core-i686/krb5-1.10.1-gcc47.patch 2013-05-22 00:29:27 UTC (rev 186199)
+++ core-i686/krb5-1.10.1-gcc47.patch 2013-05-22 00:37:41 UTC (rev 186200)
@@ -1,11 +0,0 @@
-diff -Naur krb5-1.10.1.ori/src/lib/krb5/krb/x-deltat.y krb5-1.10.1/src/lib/krb5/krb/x-deltat.y
---- krb5-1.10.1.ori/src/lib/krb5/krb/x-deltat.y 2011-09-06 07:34:32.000000000 -0400
-+++ krb5-1.10.1/src/lib/krb5/krb/x-deltat.y 2012-03-24 13:15:11.543551318 -0400
-@@ -44,6 +44,7 @@
- #ifdef __GNUC__
- #pragma GCC diagnostic push
- #pragma GCC diagnostic ignored "-Wuninitialized"
-+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
- #endif
-
- #include <ctype.h>
Copied: krb5/repos/core-i686/krb5-1.10.1-gcc47.patch (from rev 186199, krb5/repos/testing-i686/krb5-1.10.1-gcc47.patch)
===================================================================
--- core-i686/krb5-1.10.1-gcc47.patch (rev 0)
+++ core-i686/krb5-1.10.1-gcc47.patch 2013-05-22 00:37:41 UTC (rev 186200)
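Review bot: In core-i686/PKGBUILD the upstream source is fetched over plain `http://` and pinned only with `sha1sums`, and `build()` runs `tar zxvf ${pkgname}-${pkgver}.tar.gz` on the contents of the `-signed.tar` wrapper without any signature check; the wrapper name suggests a detached signature ships beside the inner tarball, but that is inferred. For a package that provides the KDC I would use a stronger digest array such as `sha256sums=(...)` and verify the signature before unpacking. The `build()` and `package()` functions are complete in this hunk; the core-x86_64 PKGBUILD is identical and needs the same change.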
@@ -0,0 +1,11 @@ +diff -Naur krb5-1.10.1.ori/src/lib/krb5/krb/x-deltat.y krb5-1.10.1/src/lib/krb5/krb/x-deltat.y +--- krb5-1.10.1.ori/src/lib/krb5/krb/x-deltat.y 2011-09-06 07:34:32.000000000 -0400 ++++ krb5-1.10.1/src/lib/krb5/krb/x-deltat.y 2012-03-24 13:15:11.543551318 -0400 +@@ -44,6 +44,7 @@ + #ifdef __GNUC__ + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wuninitialized" ++#pragma GCC diagnostic ignored "-Wmaybe-uninitialized" + #endif + + #include <ctype.h> Deleted: core-i686/krb5-config_LDFLAGS.patch =================================================================== --- core-i686/krb5-config_LDFLAGS.patch 2013-05-22 00:29:27 UTC (rev 186199) +++ core-i686/krb5-config_LDFLAGS.patch 2013-05-22 00:37:41 UTC (rev 186200) @@ -1,12 +0,0 @@ -Bug #448778 ---- krb5-1.11/src/krb5-config.in 2012-12-18 02:47:04.000000000 +0000 -+++ krb5-1.11/src/krb5-config.in 2012-12-28 07:13:16.582693363 +0000 -@@ -217,7 +217,7 @@ - -e 's#\$(PROG_RPATH)#'$libdir'#' \ - -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \ - -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \ -- -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \ -+ -e 's#\$(LDFLAGS)##' \ - -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ - -e 's#\$(CFLAGS)##'` - Copied: krb5/repos/core-i686/krb5-config_LDFLAGS.patch (from rev 186199, krb5/repos/testing-i686/krb5-config_LDFLAGS.patch) =================================================================== --- core-i686/krb5-config_LDFLAGS.patch (rev 0) +++ core-i686/krb5-config_LDFLAGS.patch 2013-05-22 00:37:41 UTC (rev 186200) 
@@ -0,0 +1,12 @@ +Bug #448778 +--- krb5-1.11/src/krb5-config.in 2012-12-18 02:47:04.000000000 +0000 ++++ krb5-1.11/src/krb5-config.in 2012-12-28 07:13:16.582693363 +0000 +@@ -217,7 +217,7 @@ + -e 's#\$(PROG_RPATH)#'$libdir'#' \ + -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \ + -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \ +- -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \ ++ -e 's#\$(LDFLAGS)##' \ + -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ + -e 's#\$(CFLAGS)##'` + Deleted: core-i686/krb5-kadmind.service =================================================================== --- core-i686/krb5-kadmind.service 2013-05-22 00:29:27 UTC (rev 186199) +++ core-i686/krb5-kadmind.service 2013-05-22 00:37:41 UTC (rev 186200) @@ -1,8 +0,0 @@ -[Unit] -Description=Kerberos 5 administration server - -[Service] -ExecStart=/usr/sbin/kadmind -nofork - -[Install] -WantedBy=multi-user.target Copied: krb5/repos/core-i686/krb5-kadmind.service (from rev 186199, krb5/repos/testing-i686/krb5-kadmind.service) =================================================================== --- core-i686/krb5-kadmind.service (rev 0) +++ core-i686/krb5-kadmind.service 2013-05-22 00:37:41 UTC (rev 186200) @@ -0,0 +1,8 @@ +[Unit] +Description=Kerberos 5 administration server + +[Service] +ExecStart=/usr/sbin/kadmind -nofork + +[Install] +WantedBy=multi-user.target Deleted: core-i686/krb5-kdc.service =================================================================== --- core-i686/krb5-kdc.service 2013-05-22 00:29:27 UTC (rev 186199) +++ core-i686/krb5-kdc.service 2013-05-22 00:37:41 UTC (rev 186200) @@ -1,9 +0,0 @@ -[Unit] -Description=Kerberos 5 KDC - -[Service] -ExecStart=/usr/sbin/krb5kdc -n -Restart=always - -[Install] -WantedBy=multi-user.target Copied: krb5/repos/core-i686/krb5-kdc.service (from rev 186199, krb5/repos/testing-i686/krb5-kdc.service) =================================================================== --- core-i686/krb5-kdc.service (rev 0) +++ core-i686/krb5-kdc.service 2013-05-22 00:37:41 UTC (rev 186200) 
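Review bot: In core-i686/krb5-kadmind.service, `ExecStart=/usr/sbin/kadmind -nofork` does not match the PKGBUILD in this same commit, which configures `--sbindir=/usr/bin`; unless /usr/sbin resolves to /usr/bin on the target system, the unit would fail to start and the realm loses its admin and password-change service. I would change the line to `ExecStart=/usr/bin/kadmind -nofork`. The same /usr/sbin path appears in krb5-kdc.service, krb5-kpropd.service and krb5-kpropd@.service, and in the core-x86_64 copies of all four units.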
@@ -0,0 +1,9 @@ +[Unit] +Description=Kerberos 5 KDC + +[Service] +ExecStart=/usr/sbin/krb5kdc -n +Restart=always + +[Install] +WantedBy=multi-user.target Deleted: core-i686/krb5-kpropd.service =================================================================== --- core-i686/krb5-kpropd.service 2013-05-22 00:29:27 UTC (rev 186199) +++ core-i686/krb5-kpropd.service 2013-05-22 00:37:41 UTC (rev 186200) @@ -1,8 +0,0 @@ -[Unit] -Description=Kerberos 5 propagation server - -[Service] -ExecStart=/usr/sbin/kpropd -S - -[Install] -WantedBy=multi-user.target Copied: krb5/repos/core-i686/krb5-kpropd.service (from rev 186199, krb5/repos/testing-i686/krb5-kpropd.service) =================================================================== --- core-i686/krb5-kpropd.service (rev 0) +++ core-i686/krb5-kpropd.service 2013-05-22 00:37:41 UTC (rev 186200) @@ -0,0 +1,8 @@ +[Unit] +Description=Kerberos 5 propagation server + +[Service] +ExecStart=/usr/sbin/kpropd -S + +[Install] +WantedBy=multi-user.target Deleted: core-i686/krb5-kpropd.socket =================================================================== --- core-i686/krb5-kpropd.socket 2013-05-22 00:29:27 UTC (rev 186199) +++ core-i686/krb5-kpropd.socket 2013-05-22 00:37:41 UTC (rev 186200) @@ -1,9 +0,0 @@ -[Unit] -Description=Kerberos 5 propagation server - -[Socket] -ListenStream=754 -Accept=yes - -[Install] -WantedBy=sockets.target Copied: krb5/repos/core-i686/krb5-kpropd.socket (from rev 186199, krb5/repos/testing-i686/krb5-kpropd.socket) =================================================================== --- core-i686/krb5-kpropd.socket (rev 0) +++ core-i686/krb5-kpropd.socket 2013-05-22 00:37:41 UTC (rev 186200) 
@@ -0,0 +1,9 @@ +[Unit] +Description=Kerberos 5 propagation server + +[Socket] +ListenStream=754 +Accept=yes + +[Install] +WantedBy=sockets.target Deleted: core-i686/krb5-kpropd@.service =================================================================== --- core-i686/krb5-kpropd@.service 2013-05-22 00:29:27 UTC (rev 186199) +++ core-i686/krb5-kpropd@.service 2013-05-22 00:37:41 UTC (rev 186200) @@ -1,8 +0,0 @@ -[Unit] -Description=Kerberos 5 propagation server -Conflicts=krb5-kpropd.service - -[Service] -ExecStart=/usr/sbin/kpropd -StandardInput=socket -StandardError=syslog Copied: krb5/repos/core-i686/krb5-kpropd@.service (from rev 186199, krb5/repos/testing-i686/krb5-kpropd@.service) =================================================================== --- core-i686/krb5-kpropd@.service (rev 0) +++ core-i686/krb5-kpropd@.service 2013-05-22 00:37:41 UTC (rev 186200) @@ -0,0 +1,8 @@ +[Unit] +Description=Kerberos 5 propagation server +Conflicts=krb5-kpropd.service + +[Service] +ExecStart=/usr/sbin/kpropd +StandardInput=socket +StandardError=syslog Copied: krb5/repos/core-x86_64/CVE-2002-2443.patch (from rev 186199, krb5/repos/testing-x86_64/CVE-2002-2443.patch) =================================================================== --- core-x86_64/CVE-2002-2443.patch (rev 0) +++ core-x86_64/CVE-2002-2443.patch 2013-05-22 00:37:41 UTC (rev 186200) 
@@ -0,0 +1,69 @@
+From cf1a0c411b2668c57c41e9c4efd15ba17b6b322c Mon Sep 17 00:00:00 2001
+From: Tom Yu <t...@mit.edu>
+Date: Fri, 3 May 2013 16:26:46 -0400
+Subject: [PATCH] Fix kpasswd UDP ping-pong [CVE-2002-2443]
+
+The kpasswd service provided by kadmind was vulnerable to a UDP
+"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
+they pass some basic validation, and don't respond to our own error
+packets.
+
+Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
+attack or UDP ping-pong attacks in general, but there is discussion
+leading toward narrowing the definition of CVE-1999-0103 to the echo,
+chargen, or other similar built-in inetd services.
+
+Thanks to Vincent Danen for alerting us to this issue.
+
+CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
+
+ticket: 7637 (new)
+target_version: 1.11.3
+tags: pullup
+---
+ src/kadmin/server/schpw.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index 15b0ab5..7f455d8 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -52,7 +52,7 @@
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated", sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ ptr = req->data;
+@@ -67,7 +67,7 @@
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request length was inconsistent",
+ sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* verify version number */
+@@ -80,7 +80,7 @@
+ numresult = KRB5_KPASSWD_BAD_VERSION;
+ snprintf(strresult, sizeof(strresult),
+ "Request contained unknown protocol version number %d", vno);
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* read, check ap-req length */
+@@ -93,7 +93,7 @@
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated in AP-REQ",
+ sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* verify ap_req */
+--
+1.8.1.6
+
Deleted: core-x86_64/PKGBUILD
===================================================================
--- core-x86_64/PKGBUILD 2013-05-22 00:29:27 UTC (rev 186199)
+++ core-x86_64/PKGBUILD 2013-05-22 00:37:41 UTC (rev 186200)
@@ -1,84 +0,0 @@ -# $Id$ -# Maintainer: Stéphane Gaudreault <steph...@archlinux.org> - -pkgname=krb5 -pkgver=1.11.2 -pkgrel=3 -pkgdesc="The Kerberos network authentication system" -arch=('i686' 'x86_64') -url="http://web.mit.edu/kerberos/" -license=('custom') -depends=('e2fsprogs' 'libldap' 'keyutils') -makedepends=('perl') -backup=('etc/krb5.conf' 'var/lib/krb5kdc/kdc.conf') -source=(http://web.mit.edu/kerberos/dist/${pkgname}/1.11/${pkgname}-${pkgver}-signed.tar - krb5-config_LDFLAGS.patch - krb5-kadmind.service - krb5-kdc.service - krb5-kpropd.service - krb5-kpropd@.service - krb5-kpropd.socket) -sha1sums=('3863f7bdb2d8fc3e50484fb566124373c4b0a250' - '09e478cddfb9d46d2981dd25ef96b8c3fd91e1aa' - 'a2a01e7077d9e89cda3457ea0e216debb3dc353c' - 'f5e4fa073e11b0fcb4e3098a5d58a4f791ec841e' - '614401dd4ac18e310153240bb26eb32ff1e8cf5b' - '023a8164f8ee7066ac814486a68bc605e79f6101' - 'f3677d30dbbd7106c581379c2c6ebb1bf7738912') -options=('!emptydirs') - -build() { - tar zxvf ${pkgname}-${pkgver}.tar.gz - cd "${srcdir}/${pkgname}-${pkgver}/src" - - # cf https://bugs.gentoo.org/show_bug.cgi?id=448778 - patch -Np2 -i "${srcdir}"/krb5-config_LDFLAGS.patch - - rm lib/krb5/krb/deltat.c - - # FS#25384 - sed -i "/KRB5ROOT=/s/\/local//" util/ac_check_krb5.m4 - - export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all" - export CPPFLAGS+=" -I/usr/include/et" - ./configure --prefix=/usr \ - --sbindir=/usr/bin \ - --sysconfdir=/etc \ - --mandir=/usr/share/man \ - --localstatedir=/var/lib \ - --enable-shared \ - --with-system-et \ - --with-system-ss \ - --disable-rpath \ - --without-tcl \ - --enable-dns-for-realm \ - --with-ldap \ - --without-system-verto - make -} - -package() { - cd "${srcdir}/${pkgname}-${pkgver}/src" - make DESTDIR="${pkgdir}" EXAMPLEDIR=/usr/share/doc/${pkgname}/examples install - - # Fix FS#29889 - install -m 644 plugins/kdb/ldap/libkdb_ldap/kerberos.{ldif,schema} "${pkgdir}"/usr/share/doc/${pkgname}/examples - - # Sample KDC config file - install -dm 755 
"${pkgdir}"/var/lib/krb5kdc - install -pm 644 config-files/kdc.conf "${pkgdir}"/var/lib/krb5kdc/kdc.conf - - # Default configuration file - install -dm 755 "${pkgdir}"/etc - install -pm 644 config-files/krb5.conf "${pkgdir}"/etc/krb5.conf - - install -dm 755 "${pkgdir}"/usr/share/aclocal - install -m 644 util/ac_check_krb5.m4 "${pkgdir}"/usr/share/aclocal - - install -Dm644 "${srcdir}"/${pkgname}-${pkgver}/NOTICE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE - - # systemd stuff - install -dm 755 "${pkgdir}"/usr/lib/systemd/system - install -m 644 ../../krb5-{kadmind.service,kdc.service,kpropd.service,kpropd@.service,kpropd.socket} \ - "${pkgdir}"/usr/lib/systemd/system -} Copied: krb5/repos/core-x86_64/PKGBUILD (from rev 186199, krb5/repos/testing-x86_64/PKGBUILD) =================================================================== --- core-x86_64/PKGBUILD (rev 0) +++ core-x86_64/PKGBUILD 2013-05-22 00:37:41 UTC (rev 186200) 
@@ -0,0 +1,89 @@
+# $Id$
+# Maintainer: Stéphane Gaudreault <steph...@archlinux.org>
+
+pkgname=krb5
+pkgver=1.11.2
+pkgrel=4
+pkgdesc="The Kerberos network authentication system"
+arch=('i686' 'x86_64')
+url="http://web.mit.edu/kerberos/"
+license=('custom')
+depends=('e2fsprogs' 'libldap' 'keyutils')
+makedepends=('perl')
+backup=('etc/krb5.conf' 'var/lib/krb5kdc/kdc.conf')
+source=(http://web.mit.edu/kerberos/dist/${pkgname}/1.11/${pkgname}-${pkgver}-signed.tar
+ CVE-2002-2443.patch
+ krb5-config_LDFLAGS.patch
+ krb5-kadmind.service
+ krb5-kdc.service
+ krb5-kpropd.service
+ krb5-kpropd@.service
+ krb5-kpropd.socket)
+sha1sums=('3863f7bdb2d8fc3e50484fb566124373c4b0a250'
+ '78ec307c2b5e32481a6da401013c428e0b867f36'
+ '09e478cddfb9d46d2981dd25ef96b8c3fd91e1aa'
+ 'a2a01e7077d9e89cda3457ea0e216debb3dc353c'
+ 'f5e4fa073e11b0fcb4e3098a5d58a4f791ec841e'
+ '614401dd4ac18e310153240bb26eb32ff1e8cf5b'
+ '023a8164f8ee7066ac814486a68bc605e79f6101'
+ 'f3677d30dbbd7106c581379c2c6ebb1bf7738912')
+options=('!emptydirs')
+
+build() {
+ tar zxvf ${pkgname}-${pkgver}.tar.gz
+ cd "${srcdir}/${pkgname}-${pkgver}/src"
+
+ # cf https://bugs.gentoo.org/show_bug.cgi?id=448778
+ patch -Np2 -i "${srcdir}"/krb5-config_LDFLAGS.patch
+
+ # Fix kpasswd UDP ping-pong (CVE-2002-2443)
+ patch -Np2 -i "${srcdir}"/CVE-2002-2443.patch
+
+ rm lib/krb5/krb/deltat.c
+
+ # FS#25384
+ sed -i "/KRB5ROOT=/s/\/local//" util/ac_check_krb5.m4
+
+ export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all"
+ export CPPFLAGS+=" -I/usr/include/et"
+ ./configure --prefix=/usr \
+ --sbindir=/usr/bin \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --localstatedir=/var/lib \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --disable-rpath \
+ --without-tcl \
+ --enable-dns-for-realm \
+ --with-ldap \
+ --without-system-verto
+ make
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}/src"
+ make DESTDIR="${pkgdir}" EXAMPLEDIR=/usr/share/doc/${pkgname}/examples install
+
+ # Fix FS#29889
+ install -m 644 plugins/kdb/ldap/libkdb_ldap/kerberos.{ldif,schema} "${pkgdir}"/usr/share/doc/${pkgname}/examples
+
+ # Sample KDC config file
+ install -dm 755 "${pkgdir}"/var/lib/krb5kdc
+ install -pm 644 config-files/kdc.conf "${pkgdir}"/var/lib/krb5kdc/kdc.conf
+
+ # Default configuration file
+ install -dm 755 "${pkgdir}"/etc
+ install -pm 644 config-files/krb5.conf "${pkgdir}"/etc/krb5.conf
+
+ install -dm 755 "${pkgdir}"/usr/share/aclocal
+ install -m 644 util/ac_check_krb5.m4 "${pkgdir}"/usr/share/aclocal
+
+ install -Dm644 "${srcdir}"/${pkgname}-${pkgver}/NOTICE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE
+
+ # systemd stuff
+ install -dm 755 "${pkgdir}"/usr/lib/systemd/system
+ install -m 644 ../../krb5-{kadmind.service,kdc.service,kpropd.service,kpropd@.service,kpropd.socket} \
+ "${pkgdir}"/usr/lib/systemd/system
+}
Deleted: core-x86_64/krb5-1.10.1-gcc47.patch
===================================================================
--- core-x86_64/krb5-1.10.1-gcc47.patch 2013-05-22 00:29:27 UTC (rev 186199)
+++ core-x86_64/krb5-1.10.1-gcc47.patch 2013-05-22 00:37:41 UTC (rev 186200)
@@ -1,11 +0,0 @@
-diff -Naur krb5-1.10.1.ori/src/lib/krb5/krb/x-deltat.y krb5-1.10.1/src/lib/krb5/krb/x-deltat.y
---- krb5-1.10.1.ori/src/lib/krb5/krb/x-deltat.y 2011-09-06 07:34:32.000000000 -0400
-+++ krb5-1.10.1/src/lib/krb5/krb/x-deltat.y 2012-03-24 13:15:11.543551318 -0400
-@@ -44,6 +44,7 @@
- #ifdef __GNUC__
- #pragma GCC diagnostic push
- #pragma GCC diagnostic ignored "-Wuninitialized"
-+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
- #endif
-
- #include <ctype.h>
Copied: krb5/repos/core-x86_64/krb5-1.10.1-gcc47.patch (from rev 186199, krb5/repos/testing-x86_64/krb5-1.10.1-gcc47.patch)
===================================================================
--- core-x86_64/krb5-1.10.1-gcc47.patch (rev 0)
+++ core-x86_64/krb5-1.10.1-gcc47.patch 2013-05-22 00:37:41 UTC (rev 186200)
@@ -0,0 +1,11 @@ +diff -Naur krb5-1.10.1.ori/src/lib/krb5/krb/x-deltat.y krb5-1.10.1/src/lib/krb5/krb/x-deltat.y +--- krb5-1.10.1.ori/src/lib/krb5/krb/x-deltat.y 2011-09-06 07:34:32.000000000 -0400 ++++ krb5-1.10.1/src/lib/krb5/krb/x-deltat.y 2012-03-24 13:15:11.543551318 -0400 +@@ -44,6 +44,7 @@ + #ifdef __GNUC__ + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wuninitialized" ++#pragma GCC diagnostic ignored "-Wmaybe-uninitialized" + #endif + + #include <ctype.h> Deleted: core-x86_64/krb5-config_LDFLAGS.patch =================================================================== --- core-x86_64/krb5-config_LDFLAGS.patch 2013-05-22 00:29:27 UTC (rev 186199) +++ core-x86_64/krb5-config_LDFLAGS.patch 2013-05-22 00:37:41 UTC (rev 186200) @@ -1,12 +0,0 @@ -Bug #448778 ---- krb5-1.11/src/krb5-config.in 2012-12-18 02:47:04.000000000 +0000 -+++ krb5-1.11/src/krb5-config.in 2012-12-28 07:13:16.582693363 +0000 -@@ -217,7 +217,7 @@ - -e 's#\$(PROG_RPATH)#'$libdir'#' \ - -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \ - -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \ -- -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \ -+ -e 's#\$(LDFLAGS)##' \ - -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ - -e 's#\$(CFLAGS)##'` - Copied: krb5/repos/core-x86_64/krb5-config_LDFLAGS.patch (from rev 186199, krb5/repos/testing-x86_64/krb5-config_LDFLAGS.patch) =================================================================== --- core-x86_64/krb5-config_LDFLAGS.patch (rev 0) +++ core-x86_64/krb5-config_LDFLAGS.patch 2013-05-22 00:37:41 UTC (rev 186200) 
@@ -0,0 +1,12 @@ +Bug #448778 +--- krb5-1.11/src/krb5-config.in 2012-12-18 02:47:04.000000000 +0000 ++++ krb5-1.11/src/krb5-config.in 2012-12-28 07:13:16.582693363 +0000 +@@ -217,7 +217,7 @@ + -e 's#\$(PROG_RPATH)#'$libdir'#' \ + -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \ + -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \ +- -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \ ++ -e 's#\$(LDFLAGS)##' \ + -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ + -e 's#\$(CFLAGS)##'` + Deleted: core-x86_64/krb5-kadmind.service =================================================================== --- core-x86_64/krb5-kadmind.service 2013-05-22 00:29:27 UTC (rev 186199) +++ core-x86_64/krb5-kadmind.service 2013-05-22 00:37:41 UTC (rev 186200) @@ -1,8 +0,0 @@ -[Unit] -Description=Kerberos 5 administration server - -[Service] -ExecStart=/usr/sbin/kadmind -nofork - -[Install] -WantedBy=multi-user.target Copied: krb5/repos/core-x86_64/krb5-kadmind.service (from rev 186199, krb5/repos/testing-x86_64/krb5-kadmind.service) =================================================================== --- core-x86_64/krb5-kadmind.service (rev 0) +++ core-x86_64/krb5-kadmind.service 2013-05-22 00:37:41 UTC (rev 186200) @@ -0,0 +1,8 @@ +[Unit] +Description=Kerberos 5 administration server + +[Service] +ExecStart=/usr/sbin/kadmind -nofork + +[Install] +WantedBy=multi-user.target Deleted: core-x86_64/krb5-kdc.service =================================================================== --- core-x86_64/krb5-kdc.service 2013-05-22 00:29:27 UTC (rev 186199) +++ core-x86_64/krb5-kdc.service 2013-05-22 00:37:41 UTC (rev 186200) 
@@ -1,9 +0,0 @@ -[Unit] -Description=Kerberos 5 KDC - -[Service] -ExecStart=/usr/sbin/krb5kdc -n -Restart=always - -[Install] -WantedBy=multi-user.target Copied: krb5/repos/core-x86_64/krb5-kdc.service (from rev 186199, krb5/repos/testing-x86_64/krb5-kdc.service) =================================================================== --- core-x86_64/krb5-kdc.service (rev 0) +++ core-x86_64/krb5-kdc.service 2013-05-22 00:37:41 UTC (rev 186200) @@ -0,0 +1,9 @@ +[Unit] +Description=Kerberos 5 KDC + +[Service] +ExecStart=/usr/sbin/krb5kdc -n +Restart=always + +[Install] +WantedBy=multi-user.target Deleted: core-x86_64/krb5-kpropd.service =================================================================== --- core-x86_64/krb5-kpropd.service 2013-05-22 00:29:27 UTC (rev 186199) +++ core-x86_64/krb5-kpropd.service 2013-05-22 00:37:41 UTC (rev 186200) @@ -1,8 +0,0 @@ -[Unit] -Description=Kerberos 5 propagation server - -[Service] -ExecStart=/usr/sbin/kpropd -S - -[Install] -WantedBy=multi-user.target Copied: krb5/repos/core-x86_64/krb5-kpropd.service (from rev 186199, krb5/repos/testing-x86_64/krb5-kpropd.service) =================================================================== --- core-x86_64/krb5-kpropd.service (rev 0) +++ core-x86_64/krb5-kpropd.service 2013-05-22 00:37:41 UTC (rev 186200) @@ -0,0 +1,8 @@ +[Unit] +Description=Kerberos 5 propagation server + +[Service] +ExecStart=/usr/sbin/kpropd -S + +[Install] +WantedBy=multi-user.target Deleted: core-x86_64/krb5-kpropd.socket =================================================================== --- core-x86_64/krb5-kpropd.socket 2013-05-22 00:29:27 UTC (rev 186199) +++ core-x86_64/krb5-kpropd.socket 2013-05-22 00:37:41 UTC (rev 186200) 
@@ -1,9 +0,0 @@ -[Unit] -Description=Kerberos 5 propagation server - -[Socket] -ListenStream=754 -Accept=yes - -[Install] -WantedBy=sockets.target Copied: krb5/repos/core-x86_64/krb5-kpropd.socket (from rev 186199, krb5/repos/testing-x86_64/krb5-kpropd.socket) =================================================================== --- core-x86_64/krb5-kpropd.socket (rev 0) +++ core-x86_64/krb5-kpropd.socket 2013-05-22 00:37:41 UTC (rev 186200) @@ -0,0 +1,9 @@ +[Unit] +Description=Kerberos 5 propagation server + +[Socket] +ListenStream=754 +Accept=yes + +[Install] +WantedBy=sockets.target Deleted: core-x86_64/krb5-kpropd@.service =================================================================== --- core-x86_64/krb5-kpropd@.service 2013-05-22 00:29:27 UTC (rev 186199) +++ core-x86_64/krb5-kpropd@.service 2013-05-22 00:37:41 UTC (rev 186200) @@ -1,8 +0,0 @@ -[Unit] -Description=Kerberos 5 propagation server -Conflicts=krb5-kpropd.service - -[Service] -ExecStart=/usr/sbin/kpropd -StandardInput=socket -StandardError=syslog Copied: krb5/repos/core-x86_64/krb5-kpropd@.service (from rev 186199, krb5/repos/testing-x86_64/krb5-kpropd@.service) =================================================================== --- core-x86_64/krb5-kpropd@.service (rev 0) +++ core-x86_64/krb5-kpropd@.service 2013-05-22 00:37:41 UTC (rev 186200) @@ -0,0 +1,8 @@ +[Unit] +Description=Kerberos 5 propagation server +Conflicts=krb5-kpropd.service + +[Service] +ExecStart=/usr/sbin/kpropd +StandardInput=socket +StandardError=syslog