[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/

Wed, 05 Jan 2022 01:57:14 -0800 

commit:     16e1279e1a0b87ab89031972ea5b9f5136a67e76
Author:     Eray Aslan <eras <AT> gentoo <DOT> org>
AuthorDate: Wed Jan  5 09:56:43 2022 +0000
Commit:     Eray Aslan <eras <AT> gentoo <DOT> org>
CommitDate: Wed Jan  5 09:56:43 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16e1279e

app-crypt/mit-krb5: security bump

Bug: https://bugs.gentoo.org/809845
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Eray Aslan <eras <AT> gentoo.org>

 .../mit-krb5/files/mit-krb5-CVE-2021-37750.patch   |  43 ++++++
 app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild       | 165 +++++++++++++++++++++
 2 files changed, 208 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch 
b/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch
new file mode 100644
index 000000000000..2f4c949e9f31
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch
@@ -0,0 +1,43 @@
+From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghud...@mit.edu>
+Date: Tue, 3 Aug 2021 01:15:27 -0400
+Subject: [PATCH] Fix KDC null deref on TGS inner body null server
+
+After the KDC decodes a FAST inner body, it does not check for a null
+server.  Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
+would typically result in an error from krb5_unparse_name(), but with
+the addition of get_local_tgt() it results in a null dereference.  Add
+a null check.
+
+Reported by Joseph Sutton of Catalyst.
+
+CVE-2021-37750:
+
+In MIT krb5 releases 1.14 and later, an authenticated attacker can
+cause a null dereference in the KDC by sending a FAST TGS request with
+no server field.
+
+ticket: 9008 (new)
+tags: pullup
+target_version: 1.19-next
+target_version: 1.18-next
+---
+ src/kdc/do_tgs_req.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index 582e497cc9..32dc65fa8e 100644
+--- a/kdc/do_tgs_req.c
++++ b/kdc/do_tgs_req.c
+@@ -204,6 +204,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
+         status = "FIND_FAST";
+         goto cleanup;
+     }
++    if (sprinc == NULL) {
++        status = "NULL_SERVER";
++        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
++        goto cleanup;
++    }
+ 
+     errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
+                             &local_tgt, &local_tgt_storage, &local_tgt_key);

diff --git a/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild
new file mode 100644
index 000000000000..cd2e67613dd3
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild
@@ -0,0 +1,165 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{8..10} )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd 
toolchain-funcs
+
+MY_P="${P/mit-}"
+P_DIR=$(ver_cut 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/";
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz";
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 
|| ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 
~sparc ~x86"
+IUSE="cpu_flags_x86_aes doc +keyutils lmdb nls openldap +pkinit selinux 
+threads test xinetd"
+
+# some tests requires network access
+RESTRICT="test"
+
+DEPEND="
+       !!app-crypt/heimdal
+       || (
+               >=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}]
+               sys-libs/e2fsprogs-libs[${MULTILIB_USEDEP}]
+       )
+       || (
+               >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+               >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+       )
+       keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
+       lmdb? ( dev-db/lmdb )
+       nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
+       openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+       pkinit? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+       xinetd? ( sys-apps/xinetd )
+       "
+BDEPEND="
+       ${PYTHON_DEPS}
+       virtual/yacc
+       cpu_flags_x86_aes? (
+               amd64? ( dev-lang/yasm )
+               x86? ( dev-lang/yasm )
+       )
+       doc? ( virtual/latex-base )
+       test? (
+               ${PYTHON_DEPS}
+               dev-lang/tcl:0
+               dev-util/dejagnu
+               dev-util/cmocka
+       )"
+RDEPEND="${DEPEND}
+       selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+PATCHES=(
+       "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+       "${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
+       "${FILESDIR}/${PN}_dont_create_rundir.patch"
+       "${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
+       "${FILESDIR}/${PN}-CVE-2021-37750.patch"
+)
+
+MULTILIB_CHOST_TOOLS=(
+       /usr/bin/krb5-config
+)
+
+src_prepare() {
+       default
+       # Make sure we always use the system copies.
+       rm -rf util/{et,ss,verto}
+       sed -i 's:^[[:space:]]*util/verto$::' configure.ac || die
+
+       eautoreconf
+}
+
+src_configure() {
+       # QA
+       append-flags -fno-strict-aliasing
+       append-flags -fno-strict-overflow
+
+       multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+       ECONF_SOURCE=${S} \
+       AR="$(tc-getAR)" \
+       WARN_CFLAGS="set" \
+       econf \
+               $(use_with openldap ldap) \
+               "$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+               $(use_enable nls) \
+               $(use_enable pkinit) \
+               $(use_enable threads thread-support) \
+               $(use_with lmdb) \
+               $(use_with keyutils) \
+               --without-hesiod \
+               --enable-shared \
+               --with-system-et \
+               --with-system-ss \
+               --enable-dns-for-realm \
+               --enable-kdc-lookaside-cache \
+               --with-system-verto \
+               --disable-rpath
+}
+
+multilib_src_compile() {
+       emake -j1
+}
+
+multilib_src_test() {
+       multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+       emake \
+               DESTDIR="${D}" \
+               EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+               install
+}
+
+multilib_src_install_all() {
+       # default database dir
+       keepdir /var/lib/krb5kdc
+
+       cd ..
+       dodoc README
+
+       if use doc; then
+               dodoc -r doc/html
+               docinto pdf
+               dodoc doc/pdf/*.pdf
+       fi
+
+       newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+       newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+       newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+       newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+       newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+       newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+       systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service 
mit-krb5kadmind.service
+       systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
+       systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service 
mit-krb5kpropd.service
+       systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service 
"mit-krb5kpropd@.service"
+       systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket 
mit-krb5kpropd.socket
+
+       insinto /etc
+       newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+       insinto /var/lib/krb5kdc
+       newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+       if use openldap ; then
+               insinto /etc/openldap/schema
+               doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+       fi
+
+       if use xinetd ; then
+               insinto /etc/xinetd.d
+               newins "${FILESDIR}/kpropd.xinetd" kpropd
+       fi
+}

Reply via email to