[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
commit: 804b1075226d5093c6541db7837efd767ab08bb2 Author: Eray Aslan gentoo org> AuthorDate: Fri Apr 5 07:11:53 2024 + Commit: Eray Aslan gentoo org> CommitDate: Fri Apr 5 07:11:53 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=804b1075 app-crypt/mit-krb5: security cleanup Bug: https://bugs.gentoo.org/917464 Signed-off-by: Eray Aslan gentoo.org> app-crypt/mit-krb5/Manifest| 3 - .../files/mit-krb5-1.20-missing-time-include.patch | 20 --- .../files/mit-krb5-1.20.1-autoconf-2.72.patch | 31 - .../files/mit-krb5-config_LDFLAGS-r1.patch | 12 -- app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild | 149 - app-crypt/mit-krb5/mit-krb5-1.20.2.ebuild | 148 app-crypt/mit-krb5/mit-krb5-1.21.1.ebuild | 146 7 files changed, 509 deletions(-) diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest index 1ed2bb5561f7..1ce7821058e3 100644 --- a/app-crypt/mit-krb5/Manifest +++ b/app-crypt/mit-krb5/Manifest @@ -1,4 +1 @@ -DIST krb5-1.20.1.tar.gz 8661660 BLAKE2B ead16f8b1aec8bba3776628b74257c9aec891770c1fa6d5c5e66275db5f078ca59c9944cd2b017453b777ce080f8e5a322f735fab77691479cfad7b881b92830 SHA512 6f57479f13f107cd84f30de5c758eb6b9fc59171329c13e5da6073b806755f8d163eb7bd84767ea861ad6458ea0c9eeb00ee044d3bcad01ef136e9888564b6a2 -DIST krb5-1.20.2.tar.gz 8662259 BLAKE2B 35f9e82390b5ba7227d0b5c40ab08f128ff27e7264d48585e2bfd08a443cb4b06415216190a3c35c6bc505f33483bcbe11430d9e40c3907f838798b2dc492416 SHA512 69e263ef74116a3332c632a2a243499bcc47b01b1e57d02fe35aa6c2ff655674b6cf2b815457145f788bceac4d466d3f55f8c20ec9ee4a6051128417e1e7e99e -DIST krb5-1.21.1.tar.gz 8623049 BLAKE2B d90a994b5d39dc88573e5cfca280565b0909b2e9aa8710a6d695e2c1faec37ea0c008d05894e8952dcf72348403f76fd8a124de8d8f34c70fad6de8866a92f0e SHA512 6f04216b0a151d6a9886bf009777bc95a7d3f9bcab30427cc8bbef3357e0130748c1d42b477be0eb2d469d9e0fb65bf5ac5ff05c22d6e1046795e161fe6afbcc DIST krb5-1.21.2.tar.gz 8622513 BLAKE2B 2afb3ff962a343bc07182fdab0c0ffb221632ff38baab74278cfc721ae72deacc260221470de36e420584f00b780e13221d2e511d4831bca8e1270b7f3d9e824 SHA512 4e09296b412383d53872661718dbfaa90201e0d85f69db48e57a8d4bd73c95a90c7ec7b6f0f325f6bc967f8d203b256b071c0191facf080aca0e2caec5d0ac49 diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.20-missing-time-include.patch b/app-crypt/mit-krb5/files/mit-krb5-1.20-missing-time-include.patch deleted file mode 100644 index a8a495699129.. --- a/app-crypt/mit-krb5/files/mit-krb5-1.20-missing-time-include.patch +++ /dev/null @@ -1,20 +0,0 @@ -https://github.com/krb5/krb5/commit/c3958cec43b598b25484b9805224c56f25f7a755 -https://bugs.gentoo.org/854561 - -From: Greg Hudson -Date: Tue, 29 Mar 2022 16:27:55 -0400 -Subject: [PATCH] Include time.h in kdb.h - -kdb.h uses time_t, and therefore must include to ensure its -definition. Noticed when building t_sort_key_data.c on macOS. a/include/kdb.h -+++ b/include/kdb.h -@@ -65,6 +65,7 @@ - #ifndef KRB5_KDB5__ - #define KRB5_KDB5__ - -+#include - #include - - /* This version will be incremented when incompatible changes are made to the - diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch b/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch deleted file mode 100644 index b55193bcc7fa.. --- a/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch +++ /dev/null @@ -1,31 +0,0 @@ -https://github.com/krb5/krb5/commit/d864d740d019fdf2c640460f2aa2760c7fa4d5e9 - -From d864d740d019fdf2c640460f2aa2760c7fa4d5e9 Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Thu, 17 Nov 2022 15:01:24 +0100 -Subject: [PATCH] Fix aclocal.m4 syntax error for autoconf 2.72 - -An incorrect closure inside KRB5_AC_INET6 is innocuous with autoconf -versions up to 2.71, but will cause an error at configure time with -the forthcoming autoconf 2.72. - -[ghud...@mit.edu: added more context to commit message] - -ticket: 9077 (new) -tags: pullup -target_version: 1.20-next -target_version: 1.19-next a/aclocal.m4 -+++ b/aclocal.m4 -@@ -409,8 +409,8 @@ else - [[struct sockaddr_in6 in; - AF_INET6; - IN6_IS_ADDR_LINKLOCAL(_addr);]])], --[krb5_cv_inet6=yes], [krb5_cv_inet6=no])]) --fi -+[krb5_cv_inet6=yes], [krb5_cv_inet6=no]) -+fi]) - AC_MSG_RESULT($krb5_cv_inet6) - if test "$krb5_cv_inet6" = no && test "$ac_cv_func_inet_ntop" = yes; then - AC_MSG_CHECKING(for IPv6 compile-time support with -DINET6) - diff --git a/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS-r1.patch b/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS-r1.patch deleted file mode 100644 index 39bac974afca.. --- a/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS-r1.patch +++ /dev/null @@ -1,12 +0,0 @@ -Bug #448778 a/build-tools/krb5-config.in 2012-12-18 02:47:04.0 + -+++ b/build-tools/krb5-config.in 2012-12-28
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
commit: 16e1279e1a0b87ab89031972ea5b9f5136a67e76 Author: Eray Aslan gentoo org> AuthorDate: Wed Jan 5 09:56:43 2022 + Commit: Eray Aslan gentoo org> CommitDate: Wed Jan 5 09:56:43 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16e1279e app-crypt/mit-krb5: security bump Bug: https://bugs.gentoo.org/809845 Package-Manager: Portage-3.0.30, Repoman-3.0.3 Signed-off-by: Eray Aslan gentoo.org> .../mit-krb5/files/mit-krb5-CVE-2021-37750.patch | 43 ++ app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild | 165 + 2 files changed, 208 insertions(+) diff --git a/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch b/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch new file mode 100644 index ..2f4c949e9f31 --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch @@ -0,0 +1,43 @@ +From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 3 Aug 2021 01:15:27 -0400 +Subject: [PATCH] Fix KDC null deref on TGS inner body null server + +After the KDC decodes a FAST inner body, it does not check for a null +server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this +would typically result in an error from krb5_unparse_name(), but with +the addition of get_local_tgt() it results in a null dereference. Add +a null check. + +Reported by Joseph Sutton of Catalyst. + +CVE-2021-37750: + +In MIT krb5 releases 1.14 and later, an authenticated attacker can +cause a null dereference in the KDC by sending a FAST TGS request with +no server field. + +ticket: 9008 (new) +tags: pullup +target_version: 1.19-next +target_version: 1.18-next +--- + src/kdc/do_tgs_req.c | 5 + + 1 file changed, 5 insertions(+) + +diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c +index 582e497cc9..32dc65fa8e 100644 +--- a/kdc/do_tgs_req.c b/kdc/do_tgs_req.c +@@ -204,6 +204,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, + status = "FIND_FAST"; + goto cleanup; + } ++if (sprinc == NULL) { ++status = "NULL_SERVER"; ++errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; ++goto cleanup; ++} + + errcode = get_local_tgt(kdc_context, >realm, header_server, + _tgt, _tgt_storage, _tgt_key); diff --git a/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild new file mode 100644 index ..cd2e67613dd3 --- /dev/null +++ b/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild @@ -0,0 +1,165 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{8..10} ) +inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd toolchain-funcs + +MY_P="${P/mit-}" +P_DIR=$(ver_cut 1-2) +DESCRIPTION="MIT Kerberos V" +HOMEPAGE="https://web.mit.edu/kerberos/www/; +SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz; + +LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +IUSE="cpu_flags_x86_aes doc +keyutils lmdb nls openldap +pkinit selinux +threads test xinetd" + +# some tests requires network access +RESTRICT="test" + +DEPEND=" + !!app-crypt/heimdal + || ( + >=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}] + sys-libs/e2fsprogs-libs[${MULTILIB_USEDEP}] + ) + || ( + >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}] + >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}] + ) + keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] ) + lmdb? ( dev-db/lmdb ) + nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] ) + openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] ) + pkinit? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] ) + xinetd? ( sys-apps/xinetd ) + " +BDEPEND=" + ${PYTHON_DEPS} + virtual/yacc + cpu_flags_x86_aes? ( + amd64? ( dev-lang/yasm ) + x86? ( dev-lang/yasm ) + ) + doc? ( virtual/latex-base ) + test? ( + ${PYTHON_DEPS} + dev-lang/tcl:0 + dev-util/dejagnu + dev-util/cmocka + )" +RDEPEND="${DEPEND} + selinux? ( sec-policy/selinux-kerberos )" + +S=${WORKDIR}/${MY_P}/src + +PATCHES=( + "${FILESDIR}/${PN}-1.12_warn_cflags.patch" + "${FILESDIR}/${PN}-config_LDFLAGS-r1.patch" + "${FILESDIR}/${PN}_dont_create_rundir.patch" + "${FILESDIR}/${PN}-1.18.2-krb5-config.patch" + "${FILESDIR}/${PN}-CVE-2021-37750.patch" +) + +MULTILIB_CHOST_TOOLS=( + /usr/bin/krb5-config +) + +src_prepare() { + default + # Make sure we always use the system copies. + rm -rf util/{et,ss,verto} +
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
commit: 232b26749202346408c3757cc4c79af08208007a Author: Sam James gentoo org> AuthorDate: Thu Mar 25 12:50:15 2021 + Commit: Sam James gentoo org> CommitDate: Thu Mar 25 13:02:16 2021 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=232b2674 app-crypt/mit-krb5: fix build with autoconf 2.70 Thanks-to: Sergei Trofimovich gentoo.org> Closes: https://bugs.gentoo.org/778167 Signed-off-by: Sam James gentoo.org> .../files/mit-krb5-1.18.2-autoconf-2.70.patch | 35 ++ app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild | 1 + 2 files changed, 36 insertions(+) diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.18.2-autoconf-2.70.patch b/app-crypt/mit-krb5/files/mit-krb5-1.18.2-autoconf-2.70.patch new file mode 100644 index 000..6741c47e0d1 --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5-1.18.2-autoconf-2.70.patch @@ -0,0 +1,35 @@ +https://bugs.gentoo.org/778167 + +From f78edbe30816f049e1360cb6e203fabfdf7b98df Mon Sep 17 00:00:00 2001 +From: Sergei Trofimovich +Date: Fri, 6 Nov 2020 08:14:57 + +Subject: [PATCH] Fix compatibility with upcoming autoconf 2.70 + +Mainline autoconf generates no shell code for AC_CONFIG_AUX_DIR(). +Call it unconditionally to avoid a syntax error. + +[ghud...@mit.edu: rewrote commit message] + +ticket: 8960 (new) +tags: pullup +target_version: 1.18-next +target_version: 1.17-next +--- + src/aclocal.m4 | 6 +- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- src/aclocal.m4 src/aclocal.m4 +@@ -13,11 +13,7 @@ fi + ac_topdir=$srcdir/$ac_reltopdir + ac_config_fragdir=$ac_reltopdir/config + # echo "Looking for $srcdir/$ac_config_fragdir" +-if test -d "$srcdir/$ac_config_fragdir"; then +- AC_CONFIG_AUX_DIR(K5_TOPDIR/config) +-else +- AC_MSG_ERROR([can not find config/ directory in $ac_reltopdir]) +-fi ++AC_CONFIG_AUX_DIR(K5_TOPDIR/config) + ])dnl + dnl + dnl Version info. diff --git a/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild b/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild index 15bd4e8cb41..8482b1acd95 100644 --- a/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild +++ b/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild @@ -65,6 +65,7 @@ PATCHES=( "${FILESDIR}/${PN}-1.18-libressl.patch" "${FILESDIR}/CVE-2020-28196.patch" "${FILESDIR}/${PN}-1.18.2-krb5-config.patch" + "${FILESDIR}/${PN}-1.18.2-autoconf-2.70.patch" ) MULTILIB_CHOST_TOOLS=(
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
commit: 04bdab0f9da07f3c3242281135914029efe44caf Author: Conrad Kostecki gentoo org> AuthorDate: Wed Jan 20 20:30:20 2021 + Commit: Conrad Kostecki gentoo org> CommitDate: Wed Jan 20 20:47:22 2021 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04bdab0f app-crypt/mit-krb5: don't hardcode libpath If libpath is hardcoded for 'krb5-config --libs' this will fail the compilation on 32-bit systems. Closes: https://bugs.gentoo.org/634126 Package-Manager: Portage-3.0.12, Repoman-3.0.2 Signed-off-by: Conrad Kostecki gentoo.org> .../files/mit-krb5-1.18.2-krb5-config.patch| 15 ++ app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild | 169 + app-crypt/mit-krb5/mit-krb5-1.18.3-r1.ebuild | 168 3 files changed, 352 insertions(+) diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.18.2-krb5-config.patch b/app-crypt/mit-krb5/files/mit-krb5-1.18.2-krb5-config.patch new file mode 100644 index 000..ec901ce9c31 --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5-1.18.2-krb5-config.patch @@ -0,0 +1,15 @@ +--- a/build-tools/krb5-config.in b/build-tools/krb5-config.in +@@ -208,12 +208,6 @@ + + + if test -n "$do_libs"; then +-# Assumes /usr/lib is the standard library directory everywhere... +-if test "$libdir" = /usr/lib; then +- libdirarg= +-else +- libdirarg="-L$libdir" +-fi + # Ugly gross hack for our build tree + lib_flags=`echo $CC_LINK | sed -e 's/\$(CC)//' \ + -e 's/\$(PURE)//' \ diff --git a/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild b/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild new file mode 100644 index 000..7bbe482d448 --- /dev/null +++ b/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild @@ -0,0 +1,169 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +PYTHON_COMPAT=( python3_{7,8,9} ) +inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd toolchain-funcs + +MY_P="${P/mit-}" +P_DIR=$(ver_cut 1-2) +DESCRIPTION="MIT Kerberos V" +HOMEPAGE="https://web.mit.edu/kerberos/www/; +SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz; + +LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86" +IUSE="cpu_flags_x86_aes doc +keyutils libressl lmdb nls openldap +pkinit selinux +threads test xinetd" + +# Test suite requires network access +RESTRICT="test" + +DEPEND=" + !!app-crypt/heimdal + >=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}] + || ( + >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}] + >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}] + >=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}] + ) + keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] ) + lmdb? ( dev-db/lmdb ) + nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] ) + openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] ) + pkinit? ( + !libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] ) + libressl? ( dev-libs/libressl:0=[${MULTILIB_USEDEP}] ) + ) + xinetd? ( sys-apps/xinetd ) + " +BDEPEND=" + ${PYTHON_DEPS} + virtual/yacc + cpu_flags_x86_aes? ( + amd64? ( dev-lang/yasm ) + x86? ( dev-lang/yasm ) + ) + doc? ( virtual/latex-base ) + test? ( + ${PYTHON_DEPS} + dev-lang/tcl:0 + dev-util/dejagnu + dev-util/cmocka + )" +RDEPEND="${DEPEND} + selinux? ( sec-policy/selinux-kerberos )" + +S=${WORKDIR}/${MY_P}/src + +PATCHES=( + "${FILESDIR}/${PN}-1.12_warn_cflags.patch" + "${FILESDIR}/${PN}-config_LDFLAGS-r1.patch" + "${FILESDIR}/${PN}-1.16.3-libressl-r1.patch" + "${FILESDIR}/${PN}_dont_create_run.patch" + "${FILESDIR}/${PN}-1.18-libressl.patch" + "${FILESDIR}/CVE-2020-28196.patch" + "${FILESDIR}/${PN}-1.18.2-krb5-config.patch" +) + +MULTILIB_CHOST_TOOLS=( + /usr/bin/krb5-config +) + +src_prepare() { + default + # Make sure we always use the system copies. + rm -rf util/{et,ss,verto} + sed -i 's:^[[:space:]]*util/verto$::' configure.ac || die + + eautoreconf +} + +src_configure() { + # QA + append-flags -fno-strict-aliasing + append-flags -fno-strict-overflow + + multilib-minimal_src_configure +} + +multilib_src_configure() { + ECONF_SOURCE=${S} \ + WARN_CFLAGS="set" \ + econf \ + $(use_with openldap ldap) \ + "$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \ + $(use_enable nls) \ + $(use_enable pkinit) \ + $(use_enable threads thread-support) \ +
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
commit: bd1940d2e752a50a37710fcec0984fc1ff0234e7 Author: Matt Turner gentoo org> AuthorDate: Sat Sep 28 18:25:58 2019 + Commit: Matt Turner gentoo org> CommitDate: Sat Sep 28 18:27:13 2019 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd1940d2 app-crypt/mit-krb5: Drop old versions Signed-off-by: Matt Turner gentoo.org> app-crypt/mit-krb5/Manifest| 4 - app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch | 297 - .../mit-krb5/files/mit-krb5-1.16.3-libressl.patch | 101 --- .../mit-krb5/files/mit-krb5-config_LDFLAGS.patch | 12 - .../files/mit-krb5-libressl-version-check.patch| 31 --- app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild | 154 --- app-crypt/mit-krb5/mit-krb5-1.16.1.ebuild | 153 --- app-crypt/mit-krb5/mit-krb5-1.16.2.ebuild | 161 --- app-crypt/mit-krb5/mit-krb5-1.16.3.ebuild | 161 --- 9 files changed, 1074 deletions(-) diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest index 0911382bd22..4b2ab0c10a3 100644 --- a/app-crypt/mit-krb5/Manifest +++ b/app-crypt/mit-krb5/Manifest @@ -1,5 +1 @@ -DIST krb5-1.16.1.tar.gz 9477480 BLAKE2B 16bdd7d6d03ddbd4b070663c3a7a3d2331d54e8590b24f1dc162be2531bfbbbd65878d426a160c65ffc1ba4751f16bbbd177a8a91c01002fde0e886cc1bd91b9 SHA512 fa4ec14a4ffe690861e2dd7ea39d7698af2058ce181bb733ea891f80279f4dde4bb891adec5ccb0eaddf737306e6ceb1fe3744a2946e6189a7d7d2dd3bc5ba84 -DIST krb5-1.16.2.tar.gz 9652415 BLAKE2B 21c4d56e43476a9b87a4ca9a8b7d0dd5739d3d70731fb4727de5ae248d8638e2016581cd2462f5e2ec7950d9e216aa165199505e581fa10db81ce26062fc097e SHA512 738c071a90e0f38680bb17bdcf950310bc4549f3cb851e1d34de11239ae88178e6ee1a5e5d48c6d3efef544339b07d22dba5347dd763a4266d8d4df7cf47afc9 -DIST krb5-1.16.3.tar.gz 9656985 BLAKE2B 92e6d2b5f27e80f495d7bb3fb64acfb03530156fb8e1a07dbc8d045616fd2ac4be8047d844580e3aa01d5e8b733ceea9024290dcc53b691696201f02a31e3034 SHA512 77da5f8bb19108e158c3df5a17b9141b7cbbae7d01f9f0dca5c504dc4b468953d67a1f4566bed5a062d8ff8e0d80796094dea12d2e45bdda810a1633bb08318d -DIST krb5-1.16.tar.gz 9474479 BLAKE2B 0c5caa0a0d2308a447d47ab94d7b8dc92a67ad78b3bac1678c3f3ece3905f27feda5a23d28b3c13ebd64d1760726888c759fb19da82ad960c6f84a433b753873 SHA512 7e162467b95dad2b6aaa11686d08a00f1cc4eb08247fca8f0e5a8bcaa5f9f7b42cdf00db69c5c6111bdf9eb8063d53cef3bb207ce5d6a287615ca10b710153f9 DIST krb5-1.17.tar.gz 8761763 BLAKE2B 76f636836c67e9eefca91c9417118efdcf4437c1220691f43f3d246daf3eabd53b40a30956f0e57703c3fde5d7193b1d86b68becf3ae1c0c803d2462e79d3014 SHA512 7462a578b936bd17f155a362dbb5d388e157a80a096549028be6c55400b11361c7f8a28e424fd5674801873651df4e694d536cae66728b7ae5e840e532358c52 diff --git a/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch deleted file mode 100644 index 114cfe688e7..000 --- a/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch +++ /dev/null @@ -1,297 +0,0 @@ -diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c -index 2420f2c2be..a59a65e8f6 100644 a/src/lib/kadm5/srv/svr_principal.c -+++ b/src/lib/kadm5/srv/svr_principal.c -@@ -330,6 +330,13 @@ kadm5_create_principal_3(void *server_handle, - return KADM5_BAD_MASK; - if((mask & ~ALL_PRINC_MASK)) - return KADM5_BAD_MASK; -+if (mask & KADM5_TL_DATA) { -+for (tl_data_tail = entry->tl_data; tl_data_tail != NULL; -+ tl_data_tail = tl_data_tail->tl_data_next) { -+if (tl_data_tail->tl_data_type < 256) -+return KADM5_BAD_TL_TYPE; -+} -+} - - /* - * Check to see if the principal exists -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -index 535a1f309e..8b8420faa9 100644 a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h -@@ -141,7 +141,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int op); - #define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr)) - #define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr)) - --#define KDB_TL_USER_INFO 0x7ffe -+#define KDB_TL_USER_INFO 0xff - - #define KDB_TL_PRINCTYPE 0x01 - #define KDB_TL_PRINCCOUNT 0x02 -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -index 88a1704950..b7c9212cb2 100644 a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -@@ -651,6 +651,107 @@ update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry, - return ret; - } - -+static krb5_error_code -+check_dn_in_container(krb5_context context, const char *dn, -+ char *const *subtrees, unsigned int ntrees) -+{ -+unsigned int i; -+size_t dnlen = strlen(dn), stlen; -+ -+for (i = 0; i < ntrees; i++) { -+if
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
commit: 2bacefac07dbccfa01942e1ec9245d6cbd598268 Author: Eray Aslan gentoo org> AuthorDate: Thu Jun 20 11:07:51 2019 + Commit: Eray Aslan gentoo org> CommitDate: Thu Jun 20 11:07:51 2019 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bacefac app-crypt/mit-krb5: bump to 1.17 Closes: https://bugs.gentoo.org/687730 Package-Manager: Portage-2.3.67, Repoman-2.3.15 Signed-off-by: Eray Aslan gentoo.org> app-crypt/mit-krb5/Manifest| 1 + .../files/mit-krb5-1.16.3-libressl-r1.patch| 101 + .../files/mit-krb5-config_LDFLAGS-r1.patch | 12 ++ app-crypt/mit-krb5/metadata.xml| 9 +- app-crypt/mit-krb5/mit-krb5-1.17.ebuild| 165 + 5 files changed, 284 insertions(+), 4 deletions(-) diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest index 3d33ce756db..0911382bd22 100644 --- a/app-crypt/mit-krb5/Manifest +++ b/app-crypt/mit-krb5/Manifest @@ -2,3 +2,4 @@ DIST krb5-1.16.1.tar.gz 9477480 BLAKE2B 16bdd7d6d03ddbd4b070663c3a7a3d2331d54e85 DIST krb5-1.16.2.tar.gz 9652415 BLAKE2B 21c4d56e43476a9b87a4ca9a8b7d0dd5739d3d70731fb4727de5ae248d8638e2016581cd2462f5e2ec7950d9e216aa165199505e581fa10db81ce26062fc097e SHA512 738c071a90e0f38680bb17bdcf950310bc4549f3cb851e1d34de11239ae88178e6ee1a5e5d48c6d3efef544339b07d22dba5347dd763a4266d8d4df7cf47afc9 DIST krb5-1.16.3.tar.gz 9656985 BLAKE2B 92e6d2b5f27e80f495d7bb3fb64acfb03530156fb8e1a07dbc8d045616fd2ac4be8047d844580e3aa01d5e8b733ceea9024290dcc53b691696201f02a31e3034 SHA512 77da5f8bb19108e158c3df5a17b9141b7cbbae7d01f9f0dca5c504dc4b468953d67a1f4566bed5a062d8ff8e0d80796094dea12d2e45bdda810a1633bb08318d DIST krb5-1.16.tar.gz 9474479 BLAKE2B 0c5caa0a0d2308a447d47ab94d7b8dc92a67ad78b3bac1678c3f3ece3905f27feda5a23d28b3c13ebd64d1760726888c759fb19da82ad960c6f84a433b753873 SHA512 7e162467b95dad2b6aaa11686d08a00f1cc4eb08247fca8f0e5a8bcaa5f9f7b42cdf00db69c5c6111bdf9eb8063d53cef3bb207ce5d6a287615ca10b710153f9 +DIST krb5-1.17.tar.gz 8761763 BLAKE2B 76f636836c67e9eefca91c9417118efdcf4437c1220691f43f3d246daf3eabd53b40a30956f0e57703c3fde5d7193b1d86b68becf3ae1c0c803d2462e79d3014 SHA512 7462a578b936bd17f155a362dbb5d388e157a80a096549028be6c55400b11361c7f8a28e424fd5674801873651df4e694d536cae66728b7ae5e840e532358c52 diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch new file mode 100644 index 000..ca74b88bb0f --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch @@ -0,0 +1,101 @@ +From 58263cbf3106f4c9c9a2252794093014a2f9c01f Mon Sep 17 00:00:00 2001 +From: Stefan Strogin +Date: Thu, 25 Apr 2019 03:48:10 +0300 +Subject: [PATCH] Fix build for LibreSSL 2.9.x + +asn1_mac.h is removed from LibreSSL 2.9.0, but static_ASN1_*() methods +are not defined. Define them. + +Upstream-Status: Pending +[Needs to be amended if +https://github.com/libressl-portable/openbsd/pull/109 is accepted] +Signed-off-by: Stefan Strogin +--- + .../preauth/pkinit/pkinit_crypto_openssl.c| 13 + .../preauth/pkinit/pkinit_crypto_openssl.h| 20 ++- + 2 files changed, 28 insertions(+), 5 deletions(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 2064eb7bd..81d5d3cf2 100644 +--- a/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -188,14 +188,16 @@ pkinit_pkcs11_code_to_text(int err); + (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si) + #endif + +-#if OPENSSL_VERSION_NUMBER < 0x1010L ++#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER) + +-/* 1.1 standardizes constructor and destructor names, renaming +- * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */ ++/* 1.1 (and LibreSSL 2.7) standardizes constructor and destructor names, ++ * renaming EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */ + ++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x207fL + #define EVP_MD_CTX_new EVP_MD_CTX_create + #define EVP_MD_CTX_free EVP_MD_CTX_destroy + #define ASN1_STRING_get0_data ASN1_STRING_data ++#endif + + /* 1.1 makes many handle types opaque and adds accessors. Add compatibility + * versions of the new accessors we use for pre-1.1. */ +@@ -203,6 +205,7 @@ pkinit_pkcs11_code_to_text(int err); + #define OBJ_get0_data(o) ((o)->data) + #define OBJ_length(o) ((o)->length) + ++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x207fL + #define DH_set0_pqg compat_dh_set0_pqg + static int compat_dh_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) + { +@@ -235,6 +238,7 @@ static void compat_dh_get0_key(const DH *dh, const BIGNUM **pub, + if (priv != NULL) + *priv = dh->priv_key; + } ++#endif /* LIBRESSL_VERSION_NUMBER */ + + /* Return true if the cert c
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
commit: acab2831eac296a423c8204013f0290f2c4f3b5b Author: Mike Frysinger gentoo org> AuthorDate: Thu Dec 22 22:34:28 2016 + Commit: Mike Frysinger gentoo org> CommitDate: Thu Dec 22 22:36:01 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=acab2831 app-crypt/mit-krb5: respect USE=nls Patch from Chromium OS. .../files/mit-krb5-1.14.4-disable-nls.patch| 45 ++ app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild | 4 +- app-crypt/mit-krb5/mit-krb5-1.15.ebuild| 4 +- 3 files changed, 51 insertions(+), 2 deletions(-) diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch b/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch new file mode 100644 index ..63cb0fc --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch @@ -0,0 +1,45 @@ +Adds support for --(enable|disable)-nls configure option. + +This enables\disables the generation of language files and +sets the ENABLE_NLS define appropriately. + +Default value is enabled to preserve current behavior. + +Patch by Zentaro Kavanagh+https://crbug.com/654842 + +https://github.com/krb5/krb5/pull/584 + +--- src/configure.in src/configure.in +@@ -118,15 +118,22 @@ + ]) + AC_SUBST(LIBUTIL) + +-AC_CHECK_HEADER(libintl.h, [ +- AC_SEARCH_LIBS(dgettext, intl, [ +- AC_DEFINE(ENABLE_NLS, 1, +- [Define if translation functions should be used.])])]) +- +-AC_CHECK_PROG(MSGFMT,msgfmt,msgfmt) ++# Determine if NLS is desired and supported. + po= +-if test x"$MSGFMT" != x; then +- po=po ++AC_ARG_ENABLE([nls], ++AC_HELP_STRING([--disable-nls], ++ [Disable Native Language Support(NLS).]), , ++ enableval=yes) ++if test "$enableval" = yes ; then ++AC_CHECK_HEADER(libintl.h, [ ++AC_SEARCH_LIBS(dgettext, intl, [ ++AC_DEFINE(ENABLE_NLS, 1, ++[Define if translation functions should be used.])])]) ++ ++AC_CHECK_PROG(MSGFMT,msgfmt,msgfmt) ++if test x"$MSGFMT" != x; then ++po=po ++fi + fi + AC_SUBST(po) + diff --git a/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild b/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild index 0eff67b..5662c02 100644 --- a/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild +++ b/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild @@ -16,7 +16,7 @@ SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz; LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )" SLOT="0" KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" -IUSE="doc +keyutils libressl openldap +pkinit selinux +threads test xinetd" +IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd" CDEPEND=" !!app-crypt/heimdal @@ -59,6 +59,7 @@ src_prepare() { epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch" epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch" epatch "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch" + epatch "${FILESDIR}/${PN}-1.14.4-disable-nls.patch" # Make sure we always use the system copies. rm -rf util/{et,ss,verto} @@ -82,6 +83,7 @@ multilib_src_configure() { econf \ $(use_with openldap ldap) \ "$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \ + $(use_enable nls) \ $(use_enable pkinit) \ $(use_enable threads thread-support) \ --without-hesiod \ diff --git a/app-crypt/mit-krb5/mit-krb5-1.15.ebuild b/app-crypt/mit-krb5/mit-krb5-1.15.ebuild index 8d0ae5b..0859120 100644 --- a/app-crypt/mit-krb5/mit-krb5-1.15.ebuild +++ b/app-crypt/mit-krb5/mit-krb5-1.15.ebuild @@ -16,7 +16,7 @@ SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz; LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )" SLOT="0" KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" -IUSE="doc +keyutils libressl openldap +pkinit selinux +threads test xinetd" +IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd" CDEPEND=" !!app-crypt/heimdal @@ -59,6 +59,7 @@ src_prepare() { eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch" eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch" eapply -p0 "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch" + eapply "${FILESDIR}/${PN}-1.14.4-disable-nls.patch" # Make sure we always use the system copies. rm -rf util/{et,ss,verto} @@ -83,6 +84,7 @@ multilib_src_configure() { econf \ $(use_with openldap ldap) \ "$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \ + $(use_enable nls) \ $(use_enable pkinit) \
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
commit: e506143656e90f7f705f9727d128d176e1700b2a Author: Zentaro Kavanagh google com> AuthorDate: Wed Nov 16 23:21:13 2016 + Commit: Mike Frysinger gentoo org> CommitDate: Wed Nov 16 23:21:13 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5061436 app-crypt/mit-krb5: fix clang build due to ttyname redecl .../files/mit-krb5-1.14.2-redeclared-ttyname.patch | 26 ++ app-crypt/mit-krb5/mit-krb5-1.14.2.ebuild | 1 + app-crypt/mit-krb5/mit-krb5-1.14.3.ebuild | 1 + app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild | 1 + 4 files changed, 29 insertions(+) diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch b/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch new file mode 100644 index ..a76cd3a --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch @@ -0,0 +1,26 @@ +Fixes the redeclaration of ttyname which was preventing +enabling clang fortify. + +The error was; + +main.c:858:15: error: redeclaration of 'ttyname' must have the 'overloadable' attribute +char *p, *ttyname(); + ^ +/build/samus/usr/include/unistd.h:784:14: note: previous overload of function is here +extern char *ttyname (int __fd) __THROW __CLANG_NO_MANGLE (ttyname); + +https://github.com/krb5/krb5/pull/568 + +Patch by Zentaro Kavanagh+ +--- clients/ksu/main.c clients/ksu/main.c +@@ -855,7 +855,7 @@ + + static char * ontty() + { +-char *p, *ttyname(); ++char *p; + static char buf[MAXPATHLEN + 5]; + int result; + diff --git a/app-crypt/mit-krb5/mit-krb5-1.14.2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.14.2.ebuild index 60d7a5b..8a3c7c3 100644 --- a/app-crypt/mit-krb5/mit-krb5-1.14.2.ebuild +++ b/app-crypt/mit-krb5/mit-krb5-1.14.2.ebuild @@ -58,6 +58,7 @@ MULTILIB_CHOST_TOOLS=( src_prepare() { epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch" epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch" + epatch "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch" eautoreconf } diff --git a/app-crypt/mit-krb5/mit-krb5-1.14.3.ebuild b/app-crypt/mit-krb5/mit-krb5-1.14.3.ebuild index 4a050dd..0a8a335 100644 --- a/app-crypt/mit-krb5/mit-krb5-1.14.3.ebuild +++ b/app-crypt/mit-krb5/mit-krb5-1.14.3.ebuild @@ -58,6 +58,7 @@ MULTILIB_CHOST_TOOLS=( src_prepare() { epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch" epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch" + epatch "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch" eautoreconf } diff --git a/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild b/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild index 9e30788..0eff67b 100644 --- a/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild +++ b/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild @@ -58,6 +58,7 @@ MULTILIB_CHOST_TOOLS=( src_prepare() { epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch" epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch" + epatch "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch" # Make sure we always use the system copies. rm -rf util/{et,ss,verto}
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
commit: dbd92e7f768c3f799be7f7f9e4b0cd3b7282bff3 Author: Eray Aslan gentoo org> AuthorDate: Thu Oct 29 04:37:30 2015 + Commit: Eray Aslan gentoo org> CommitDate: Thu Oct 29 04:37:30 2015 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dbd92e7f app-crypt/mit-krb5: security bump Gentoo-Bug: 564304 Package-Manager: portage-2.2.23 app-crypt/mit-krb5/files/CVE-2015-2695.patch | 564 + app-crypt/mit-krb5/files/CVE-2015-2696.patch | 731 +++ app-crypt/mit-krb5/files/CVE-2015-2697.patch | 50 ++ app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild | 3 + 4 files changed, 1348 insertions(+) diff --git a/app-crypt/mit-krb5/files/CVE-2015-2695.patch b/app-crypt/mit-krb5/files/CVE-2015-2695.patch new file mode 100644 index 000..08bc8ab --- /dev/null +++ b/app-crypt/mit-krb5/files/CVE-2015-2695.patch @@ -0,0 +1,564 @@ +From b51b33f2bc5d1497ddf5bd107f791c101695000d Mon Sep 17 00:00:00 2001 +From: Nicolas Williams+Date: Mon, 14 Sep 2015 12:27:52 -0400 +Subject: [PATCH] Fix SPNEGO context aliasing bugs [CVE-2015-2695] + +The SPNEGO mechanism currently replaces its context handle with the +mechanism context handle upon establishment, under the assumption that +most GSS functions are only called after context establishment. This +assumption is incorrect, and can lead to aliasing violations for some +programs. Maintain the SPNEGO context structure after context +establishment and refer to it in all GSS methods. Add initiate and +opened flags to the SPNEGO context structure for use in +gss_inquire_context() prior to context establishment. + +CVE-2015-2695: + +In MIT krb5 1.5 and later, applications which call +gss_inquire_context() on a partially-established SPNEGO context can +cause the GSS-API library to read from a pointer using the wrong type, +generally causing a process crash. This bug may go unnoticed, because +the most common SPNEGO authentication scenario establishes the context +after just one call to gss_accept_sec_context(). Java server +applications using the native JGSS provider are vulnerable to this +bug. A carefully crafted SPNEGO packet might allow the +gss_inquire_context() call to succeed with attacker-determined +results, but applications should not make access control decisions +based on gss_inquire_context() results prior to context establishment. + +CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C + +[ghud...@mit.edu: several bugfixes, style changes, and edge-case +behavior changes; commit message and CVE description] + +ticket: 8244 +target_version: 1.14 +tags: pullup +--- + src/lib/gssapi/spnego/gssapiP_spnego.h | 2 + + src/lib/gssapi/spnego/spnego_mech.c| 254 - + 2 files changed, 192 insertions(+), 64 deletions(-) + +diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h +index 57372de..5c82764 100644 +--- a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h +@@ -103,6 +103,8 @@ typedef struct { + int firstpass; + int mech_complete; + int nego_done; ++ int initiate; ++ int opened; + OM_uint32 ctx_flags; + gss_name_t internal_name; + gss_OID actual_mech; +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index ef76e1f..7849c85 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +@@ -102,7 +102,7 @@ static OM_uint32 get_negotiable_mechs(OM_uint32 *, spnego_gss_cred_id_t, + gss_cred_usage_t, gss_OID_set *); + static void release_spnego_ctx(spnego_gss_ctx_id_t *); + static void check_spnego_options(spnego_gss_ctx_id_t); +-static spnego_gss_ctx_id_t create_spnego_ctx(void); ++static spnego_gss_ctx_id_t create_spnego_ctx(int); + static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf); + static int put_input_token(unsigned char **, gss_buffer_t, unsigned int); + static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int); +@@ -454,7 +454,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx) + } + + static spnego_gss_ctx_id_t +-create_spnego_ctx(void) ++create_spnego_ctx(int initiate) + { + spnego_gss_ctx_id_t spnego_ctx = NULL; + spnego_ctx = (spnego_gss_ctx_id_t) +@@ -477,6 +477,8 @@ create_spnego_ctx(void) + spnego_ctx->mic_rcvd = 0; + spnego_ctx->mech_complete = 0; + spnego_ctx->nego_done = 0; ++ spnego_ctx->opened = 0; ++ spnego_ctx->initiate = initiate; + spnego_ctx->internal_name = GSS_C_NO_NAME; + spnego_ctx->actual_mech = GSS_C_NO_OID; + +@@ -642,7 +644,7 @@ init_ctx_new(OM_uint32 *minor_status, + OM_uint32 ret; + spnego_gss_ctx_id_t sc = NULL; + +- sc = create_spnego_ctx(); ++ sc = create_spnego_ctx(1); + if (sc == NULL) + return GSS_S_FAILURE; + +@@ -659,10 +661,7 @@