[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/

2024-04-05 Thread Eray Aslan 
commit: 804b1075226d5093c6541db7837efd767ab08bb2
Author: Eray Aslan  gentoo  org>
AuthorDate: Fri Apr  5 07:11:53 2024 +
Commit: Eray Aslan  gentoo  org>
CommitDate: Fri Apr  5 07:11:53 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=804b1075

app-crypt/mit-krb5: security cleanup

Bug: https://bugs.gentoo.org/917464
Signed-off-by: Eray Aslan  gentoo.org>

 app-crypt/mit-krb5/Manifest|   3 -
 .../files/mit-krb5-1.20-missing-time-include.patch |  20 ---
 .../files/mit-krb5-1.20.1-autoconf-2.72.patch  |  31 -
 .../files/mit-krb5-config_LDFLAGS-r1.patch |  12 --
 app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild  | 149 -
 app-crypt/mit-krb5/mit-krb5-1.20.2.ebuild  | 148 
 app-crypt/mit-krb5/mit-krb5-1.21.1.ebuild  | 146 
 7 files changed, 509 deletions(-)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 1ed2bb5561f7..1ce7821058e3 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,4 +1 @@
-DIST krb5-1.20.1.tar.gz 8661660 BLAKE2B 
ead16f8b1aec8bba3776628b74257c9aec891770c1fa6d5c5e66275db5f078ca59c9944cd2b017453b777ce080f8e5a322f735fab77691479cfad7b881b92830
 SHA512 
6f57479f13f107cd84f30de5c758eb6b9fc59171329c13e5da6073b806755f8d163eb7bd84767ea861ad6458ea0c9eeb00ee044d3bcad01ef136e9888564b6a2
-DIST krb5-1.20.2.tar.gz 8662259 BLAKE2B 
35f9e82390b5ba7227d0b5c40ab08f128ff27e7264d48585e2bfd08a443cb4b06415216190a3c35c6bc505f33483bcbe11430d9e40c3907f838798b2dc492416
 SHA512 
69e263ef74116a3332c632a2a243499bcc47b01b1e57d02fe35aa6c2ff655674b6cf2b815457145f788bceac4d466d3f55f8c20ec9ee4a6051128417e1e7e99e
-DIST krb5-1.21.1.tar.gz 8623049 BLAKE2B 
d90a994b5d39dc88573e5cfca280565b0909b2e9aa8710a6d695e2c1faec37ea0c008d05894e8952dcf72348403f76fd8a124de8d8f34c70fad6de8866a92f0e
 SHA512 
6f04216b0a151d6a9886bf009777bc95a7d3f9bcab30427cc8bbef3357e0130748c1d42b477be0eb2d469d9e0fb65bf5ac5ff05c22d6e1046795e161fe6afbcc
 DIST krb5-1.21.2.tar.gz 8622513 BLAKE2B 
2afb3ff962a343bc07182fdab0c0ffb221632ff38baab74278cfc721ae72deacc260221470de36e420584f00b780e13221d2e511d4831bca8e1270b7f3d9e824
 SHA512 
4e09296b412383d53872661718dbfaa90201e0d85f69db48e57a8d4bd73c95a90c7ec7b6f0f325f6bc967f8d203b256b071c0191facf080aca0e2caec5d0ac49

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.20-missing-time-include.patch 
b/app-crypt/mit-krb5/files/mit-krb5-1.20-missing-time-include.patch
deleted file mode 100644
index a8a495699129..
--- a/app-crypt/mit-krb5/files/mit-krb5-1.20-missing-time-include.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-https://github.com/krb5/krb5/commit/c3958cec43b598b25484b9805224c56f25f7a755
-https://bugs.gentoo.org/854561
-
-From: Greg Hudson 
-Date: Tue, 29 Mar 2022 16:27:55 -0400
-Subject: [PATCH] Include time.h in kdb.h
-
-kdb.h uses time_t, and therefore must include  to ensure its
-definition.  Noticed when building t_sort_key_data.c on macOS.
 a/include/kdb.h
-+++ b/include/kdb.h
-@@ -65,6 +65,7 @@
- #ifndef KRB5_KDB5__
- #define KRB5_KDB5__
- 
-+#include 
- #include 
- 
- /* This version will be incremented when incompatible changes are made to the
-

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch 
b/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch
deleted file mode 100644
index b55193bcc7fa..
--- a/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-https://github.com/krb5/krb5/commit/d864d740d019fdf2c640460f2aa2760c7fa4d5e9
-
-From d864d740d019fdf2c640460f2aa2760c7fa4d5e9 Mon Sep 17 00:00:00 2001
-From: Julien Rische 
-Date: Thu, 17 Nov 2022 15:01:24 +0100
-Subject: [PATCH] Fix aclocal.m4 syntax error for autoconf 2.72
-
-An incorrect closure inside KRB5_AC_INET6 is innocuous with autoconf
-versions up to 2.71, but will cause an error at configure time with
-the forthcoming autoconf 2.72.
-
-[ghud...@mit.edu: added more context to commit message]
-
-ticket: 9077 (new)
-tags: pullup
-target_version: 1.20-next
-target_version: 1.19-next
 a/aclocal.m4
-+++ b/aclocal.m4
-@@ -409,8 +409,8 @@ else
-   [[struct sockaddr_in6 in;
- AF_INET6;
- IN6_IS_ADDR_LINKLOCAL(_addr);]])],
--[krb5_cv_inet6=yes], [krb5_cv_inet6=no])])
--fi
-+[krb5_cv_inet6=yes], [krb5_cv_inet6=no])
-+fi])
- AC_MSG_RESULT($krb5_cv_inet6)
- if test "$krb5_cv_inet6" = no && test "$ac_cv_func_inet_ntop" = yes; then
- AC_MSG_CHECKING(for IPv6 compile-time support with -DINET6)
-

diff --git a/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS-r1.patch 
b/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS-r1.patch
deleted file mode 100644
index 39bac974afca..
--- a/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS-r1.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Bug #448778
 a/build-tools/krb5-config.in   2012-12-18 02:47:04.0 +
-+++ b/build-tools/krb5-config.in   2012-12-28

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/

2022-01-05 Thread Eray Aslan 
commit: 16e1279e1a0b87ab89031972ea5b9f5136a67e76
Author: Eray Aslan  gentoo  org>
AuthorDate: Wed Jan  5 09:56:43 2022 +
Commit: Eray Aslan  gentoo  org>
CommitDate: Wed Jan  5 09:56:43 2022 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16e1279e

app-crypt/mit-krb5: security bump

Bug: https://bugs.gentoo.org/809845
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Eray Aslan  gentoo.org>

 .../mit-krb5/files/mit-krb5-CVE-2021-37750.patch   |  43 ++
 app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild   | 165 +
 2 files changed, 208 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch 
b/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch
new file mode 100644
index ..2f4c949e9f31
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch
@@ -0,0 +1,43 @@
+From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001
+From: Greg Hudson 
+Date: Tue, 3 Aug 2021 01:15:27 -0400
+Subject: [PATCH] Fix KDC null deref on TGS inner body null server
+
+After the KDC decodes a FAST inner body, it does not check for a null
+server.  Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
+would typically result in an error from krb5_unparse_name(), but with
+the addition of get_local_tgt() it results in a null dereference.  Add
+a null check.
+
+Reported by Joseph Sutton of Catalyst.
+
+CVE-2021-37750:
+
+In MIT krb5 releases 1.14 and later, an authenticated attacker can
+cause a null dereference in the KDC by sending a FAST TGS request with
+no server field.
+
+ticket: 9008 (new)
+tags: pullup
+target_version: 1.19-next
+target_version: 1.18-next
+---
+ src/kdc/do_tgs_req.c | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index 582e497cc9..32dc65fa8e 100644
+--- a/kdc/do_tgs_req.c
 b/kdc/do_tgs_req.c
+@@ -204,6 +204,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
+ status = "FIND_FAST";
+ goto cleanup;
+ }
++if (sprinc == NULL) {
++status = "NULL_SERVER";
++errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
++goto cleanup;
++}
+ 
+ errcode = get_local_tgt(kdc_context, >realm, header_server,
+ _tgt, _tgt_storage, _tgt_key);

diff --git a/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild
new file mode 100644
index ..cd2e67613dd3
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild
@@ -0,0 +1,165 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{8..10} )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd 
toolchain-funcs
+
+MY_P="${P/mit-}"
+P_DIR=$(ver_cut 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/;
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz;
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 
|| ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 
~sparc ~x86"
+IUSE="cpu_flags_x86_aes doc +keyutils lmdb nls openldap +pkinit selinux 
+threads test xinetd"
+
+# some tests requires network access
+RESTRICT="test"
+
+DEPEND="
+   !!app-crypt/heimdal
+   || (
+   >=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}]
+   sys-libs/e2fsprogs-libs[${MULTILIB_USEDEP}]
+   )
+   || (
+   >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+   >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+   )
+   keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
+   lmdb? ( dev-db/lmdb )
+   nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
+   openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+   pkinit? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+   xinetd? ( sys-apps/xinetd )
+   "
+BDEPEND="
+   ${PYTHON_DEPS}
+   virtual/yacc
+   cpu_flags_x86_aes? (
+   amd64? ( dev-lang/yasm )
+   x86? ( dev-lang/yasm )
+   )
+   doc? ( virtual/latex-base )
+   test? (
+   ${PYTHON_DEPS}
+   dev-lang/tcl:0
+   dev-util/dejagnu
+   dev-util/cmocka
+   )"
+RDEPEND="${DEPEND}
+   selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+PATCHES=(
+   "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+   "${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
+   "${FILESDIR}/${PN}_dont_create_rundir.patch"
+   "${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
+   "${FILESDIR}/${PN}-CVE-2021-37750.patch"
+)
+
+MULTILIB_CHOST_TOOLS=(
+   /usr/bin/krb5-config
+)
+
+src_prepare() {
+   default
+   # Make sure we always use the system copies.
+   rm -rf util/{et,ss,verto}
+

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/

2021-03-25 Thread Sam James 
commit: 232b26749202346408c3757cc4c79af08208007a
Author: Sam James  gentoo  org>
AuthorDate: Thu Mar 25 12:50:15 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Thu Mar 25 13:02:16 2021 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=232b2674

app-crypt/mit-krb5: fix build with autoconf 2.70

Thanks-to: Sergei Trofimovich  gentoo.org>
Closes: https://bugs.gentoo.org/778167
Signed-off-by: Sam James  gentoo.org>

 .../files/mit-krb5-1.18.2-autoconf-2.70.patch  | 35 ++
 app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild   |  1 +
 2 files changed, 36 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.18.2-autoconf-2.70.patch 
b/app-crypt/mit-krb5/files/mit-krb5-1.18.2-autoconf-2.70.patch
new file mode 100644
index 000..6741c47e0d1
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.18.2-autoconf-2.70.patch
@@ -0,0 +1,35 @@
+https://bugs.gentoo.org/778167
+
+From f78edbe30816f049e1360cb6e203fabfdf7b98df Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich 
+Date: Fri, 6 Nov 2020 08:14:57 +
+Subject: [PATCH] Fix compatibility with upcoming autoconf 2.70
+
+Mainline autoconf generates no shell code for AC_CONFIG_AUX_DIR().
+Call it unconditionally to avoid a syntax error.
+
+[ghud...@mit.edu: rewrote commit message]
+
+ticket: 8960 (new)
+tags: pullup
+target_version: 1.18-next
+target_version: 1.17-next
+---
+ src/aclocal.m4 | 6 +-
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- src/aclocal.m4
 src/aclocal.m4
+@@ -13,11 +13,7 @@ fi
+ ac_topdir=$srcdir/$ac_reltopdir
+ ac_config_fragdir=$ac_reltopdir/config
+ # echo "Looking for $srcdir/$ac_config_fragdir"
+-if test -d "$srcdir/$ac_config_fragdir"; then
+-  AC_CONFIG_AUX_DIR(K5_TOPDIR/config)
+-else
+-  AC_MSG_ERROR([can not find config/ directory in $ac_reltopdir])
+-fi
++AC_CONFIG_AUX_DIR(K5_TOPDIR/config)
+ ])dnl
+ dnl
+ dnl Version info.

diff --git a/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild
index 15bd4e8cb41..8482b1acd95 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild
@@ -65,6 +65,7 @@ PATCHES=(
"${FILESDIR}/${PN}-1.18-libressl.patch"
"${FILESDIR}/CVE-2020-28196.patch"
"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
+   "${FILESDIR}/${PN}-1.18.2-autoconf-2.70.patch"
 )
 
 MULTILIB_CHOST_TOOLS=(

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/

2021-01-20 Thread Conrad Kostecki 
commit: 04bdab0f9da07f3c3242281135914029efe44caf
Author: Conrad Kostecki  gentoo  org>
AuthorDate: Wed Jan 20 20:30:20 2021 +
Commit: Conrad Kostecki  gentoo  org>
CommitDate: Wed Jan 20 20:47:22 2021 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04bdab0f

app-crypt/mit-krb5: don't hardcode libpath

If libpath is hardcoded for 'krb5-config --libs' this will fail the
compilation on 32-bit systems.

Closes: https://bugs.gentoo.org/634126
Package-Manager: Portage-3.0.12, Repoman-3.0.2
Signed-off-by: Conrad Kostecki  gentoo.org>

 .../files/mit-krb5-1.18.2-krb5-config.patch|  15 ++
 app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild   | 169 +
 app-crypt/mit-krb5/mit-krb5-1.18.3-r1.ebuild   | 168 
 3 files changed, 352 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.18.2-krb5-config.patch 
b/app-crypt/mit-krb5/files/mit-krb5-1.18.2-krb5-config.patch
new file mode 100644
index 000..ec901ce9c31
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.18.2-krb5-config.patch
@@ -0,0 +1,15 @@
+--- a/build-tools/krb5-config.in
 b/build-tools/krb5-config.in
+@@ -208,12 +208,6 @@
+ 
+ 
+ if test -n "$do_libs"; then
+-# Assumes /usr/lib is the standard library directory everywhere...
+-if test "$libdir" = /usr/lib; then
+-  libdirarg=
+-else
+-  libdirarg="-L$libdir"
+-fi
+ # Ugly gross hack for our build tree
+ lib_flags=`echo $CC_LINK | sed -e 's/\$(CC)//' \
+   -e 's/\$(PURE)//' \

diff --git a/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild
new file mode 100644
index 000..7bbe482d448
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild
@@ -0,0 +1,169 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{7,8,9} )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd 
toolchain-funcs
+
+MY_P="${P/mit-}"
+P_DIR=$(ver_cut 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/;
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz;
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 
|| ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc 
~x86"
+IUSE="cpu_flags_x86_aes doc +keyutils libressl lmdb nls openldap +pkinit 
selinux +threads test xinetd"
+
+# Test suite requires network access
+RESTRICT="test"
+
+DEPEND="
+   !!app-crypt/heimdal
+   >=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+   || (
+   >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+   >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+   >=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+   )
+   keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
+   lmdb? ( dev-db/lmdb )
+   nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
+   openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+   pkinit? (
+   !libressl? ( 
>=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+   libressl? ( dev-libs/libressl:0=[${MULTILIB_USEDEP}] )
+   )
+   xinetd? ( sys-apps/xinetd )
+   "
+BDEPEND="
+   ${PYTHON_DEPS}
+   virtual/yacc
+   cpu_flags_x86_aes? (
+   amd64? ( dev-lang/yasm )
+   x86? ( dev-lang/yasm )
+   )
+   doc? ( virtual/latex-base )
+   test? (
+   ${PYTHON_DEPS}
+   dev-lang/tcl:0
+   dev-util/dejagnu
+   dev-util/cmocka
+   )"
+RDEPEND="${DEPEND}
+   selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+PATCHES=(
+   "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+   "${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
+   "${FILESDIR}/${PN}-1.16.3-libressl-r1.patch"
+   "${FILESDIR}/${PN}_dont_create_run.patch"
+   "${FILESDIR}/${PN}-1.18-libressl.patch"
+   "${FILESDIR}/CVE-2020-28196.patch"
+   "${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
+)
+
+MULTILIB_CHOST_TOOLS=(
+   /usr/bin/krb5-config
+)
+
+src_prepare() {
+   default
+   # Make sure we always use the system copies.
+   rm -rf util/{et,ss,verto}
+   sed -i 's:^[[:space:]]*util/verto$::' configure.ac || die
+
+   eautoreconf
+}
+
+src_configure() {
+   # QA
+   append-flags -fno-strict-aliasing
+   append-flags -fno-strict-overflow
+
+   multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+   ECONF_SOURCE=${S} \
+   WARN_CFLAGS="set" \
+   econf \
+   $(use_with openldap ldap) \
+   "$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+   $(use_enable nls) \
+   $(use_enable pkinit) \
+   $(use_enable threads thread-support) \
+

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/

2019-09-28 Thread Matt Turner 
commit: bd1940d2e752a50a37710fcec0984fc1ff0234e7
Author: Matt Turner  gentoo  org>
AuthorDate: Sat Sep 28 18:25:58 2019 +
Commit: Matt Turner  gentoo  org>
CommitDate: Sat Sep 28 18:27:13 2019 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd1940d2

app-crypt/mit-krb5: Drop old versions

Signed-off-by: Matt Turner  gentoo.org>

 app-crypt/mit-krb5/Manifest|   4 -
 app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch  | 297 -
 .../mit-krb5/files/mit-krb5-1.16.3-libressl.patch  | 101 ---
 .../mit-krb5/files/mit-krb5-config_LDFLAGS.patch   |  12 -
 .../files/mit-krb5-libressl-version-check.patch|  31 ---
 app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild | 154 ---
 app-crypt/mit-krb5/mit-krb5-1.16.1.ebuild  | 153 ---
 app-crypt/mit-krb5/mit-krb5-1.16.2.ebuild  | 161 ---
 app-crypt/mit-krb5/mit-krb5-1.16.3.ebuild  | 161 ---
 9 files changed, 1074 deletions(-)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 0911382bd22..4b2ab0c10a3 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,5 +1 @@
-DIST krb5-1.16.1.tar.gz 9477480 BLAKE2B 
16bdd7d6d03ddbd4b070663c3a7a3d2331d54e8590b24f1dc162be2531bfbbbd65878d426a160c65ffc1ba4751f16bbbd177a8a91c01002fde0e886cc1bd91b9
 SHA512 
fa4ec14a4ffe690861e2dd7ea39d7698af2058ce181bb733ea891f80279f4dde4bb891adec5ccb0eaddf737306e6ceb1fe3744a2946e6189a7d7d2dd3bc5ba84
-DIST krb5-1.16.2.tar.gz 9652415 BLAKE2B 
21c4d56e43476a9b87a4ca9a8b7d0dd5739d3d70731fb4727de5ae248d8638e2016581cd2462f5e2ec7950d9e216aa165199505e581fa10db81ce26062fc097e
 SHA512 
738c071a90e0f38680bb17bdcf950310bc4549f3cb851e1d34de11239ae88178e6ee1a5e5d48c6d3efef544339b07d22dba5347dd763a4266d8d4df7cf47afc9
-DIST krb5-1.16.3.tar.gz 9656985 BLAKE2B 
92e6d2b5f27e80f495d7bb3fb64acfb03530156fb8e1a07dbc8d045616fd2ac4be8047d844580e3aa01d5e8b733ceea9024290dcc53b691696201f02a31e3034
 SHA512 
77da5f8bb19108e158c3df5a17b9141b7cbbae7d01f9f0dca5c504dc4b468953d67a1f4566bed5a062d8ff8e0d80796094dea12d2e45bdda810a1633bb08318d
-DIST krb5-1.16.tar.gz 9474479 BLAKE2B 
0c5caa0a0d2308a447d47ab94d7b8dc92a67ad78b3bac1678c3f3ece3905f27feda5a23d28b3c13ebd64d1760726888c759fb19da82ad960c6f84a433b753873
 SHA512 
7e162467b95dad2b6aaa11686d08a00f1cc4eb08247fca8f0e5a8bcaa5f9f7b42cdf00db69c5c6111bdf9eb8063d53cef3bb207ce5d6a287615ca10b710153f9
 DIST krb5-1.17.tar.gz 8761763 BLAKE2B 
76f636836c67e9eefca91c9417118efdcf4437c1220691f43f3d246daf3eabd53b40a30956f0e57703c3fde5d7193b1d86b68becf3ae1c0c803d2462e79d3014
 SHA512 
7462a578b936bd17f155a362dbb5d388e157a80a096549028be6c55400b11361c7f8a28e424fd5674801873651df4e694d536cae66728b7ae5e840e532358c52

diff --git a/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch 
b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch
deleted file mode 100644
index 114cfe688e7..000
--- a/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch
+++ /dev/null
@@ -1,297 +0,0 @@
-diff --git a/src/lib/kadm5/srv/svr_principal.c 
b/src/lib/kadm5/srv/svr_principal.c
-index 2420f2c2be..a59a65e8f6 100644
 a/src/lib/kadm5/srv/svr_principal.c
-+++ b/src/lib/kadm5/srv/svr_principal.c
-@@ -330,6 +330,13 @@ kadm5_create_principal_3(void *server_handle,
- return KADM5_BAD_MASK;
- if((mask & ~ALL_PRINC_MASK))
- return KADM5_BAD_MASK;
-+if (mask & KADM5_TL_DATA) {
-+for (tl_data_tail = entry->tl_data; tl_data_tail != NULL;
-+ tl_data_tail = tl_data_tail->tl_data_next) {
-+if (tl_data_tail->tl_data_type < 256)
-+return KADM5_BAD_TL_TYPE;
-+}
-+}
- 
- /*
-  * Check to see if the principal exists
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h 
b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-index 535a1f309e..8b8420faa9 100644
 a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-@@ -141,7 +141,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int 
op);
- #define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr))
- #define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr))
- 
--#define  KDB_TL_USER_INFO  0x7ffe
-+#define  KDB_TL_USER_INFO  0xff
- 
- #define KDB_TL_PRINCTYPE  0x01
- #define KDB_TL_PRINCCOUNT 0x02
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 
b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-index 88a1704950..b7c9212cb2 100644
 a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-@@ -651,6 +651,107 @@ update_ldap_mod_auth_ind(krb5_context context, 
krb5_db_entry *entry,
- return ret;
- }
- 
-+static krb5_error_code
-+check_dn_in_container(krb5_context context, const char *dn,
-+  char *const *subtrees, unsigned int ntrees)
-+{
-+unsigned int i;
-+size_t dnlen = strlen(dn), stlen;
-+
-+for (i = 0; i < ntrees; i++) {
-+if

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/

2019-06-20 Thread Eray Aslan 
commit: 2bacefac07dbccfa01942e1ec9245d6cbd598268
Author: Eray Aslan  gentoo  org>
AuthorDate: Thu Jun 20 11:07:51 2019 +
Commit: Eray Aslan  gentoo  org>
CommitDate: Thu Jun 20 11:07:51 2019 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bacefac

app-crypt/mit-krb5: bump to 1.17

Closes: https://bugs.gentoo.org/687730
Package-Manager: Portage-2.3.67, Repoman-2.3.15
Signed-off-by: Eray Aslan  gentoo.org>

 app-crypt/mit-krb5/Manifest|   1 +
 .../files/mit-krb5-1.16.3-libressl-r1.patch| 101 +
 .../files/mit-krb5-config_LDFLAGS-r1.patch |  12 ++
 app-crypt/mit-krb5/metadata.xml|   9 +-
 app-crypt/mit-krb5/mit-krb5-1.17.ebuild| 165 +
 5 files changed, 284 insertions(+), 4 deletions(-)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 3d33ce756db..0911382bd22 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -2,3 +2,4 @@ DIST krb5-1.16.1.tar.gz 9477480 BLAKE2B 
16bdd7d6d03ddbd4b070663c3a7a3d2331d54e85
 DIST krb5-1.16.2.tar.gz 9652415 BLAKE2B 
21c4d56e43476a9b87a4ca9a8b7d0dd5739d3d70731fb4727de5ae248d8638e2016581cd2462f5e2ec7950d9e216aa165199505e581fa10db81ce26062fc097e
 SHA512 
738c071a90e0f38680bb17bdcf950310bc4549f3cb851e1d34de11239ae88178e6ee1a5e5d48c6d3efef544339b07d22dba5347dd763a4266d8d4df7cf47afc9
 DIST krb5-1.16.3.tar.gz 9656985 BLAKE2B 
92e6d2b5f27e80f495d7bb3fb64acfb03530156fb8e1a07dbc8d045616fd2ac4be8047d844580e3aa01d5e8b733ceea9024290dcc53b691696201f02a31e3034
 SHA512 
77da5f8bb19108e158c3df5a17b9141b7cbbae7d01f9f0dca5c504dc4b468953d67a1f4566bed5a062d8ff8e0d80796094dea12d2e45bdda810a1633bb08318d
 DIST krb5-1.16.tar.gz 9474479 BLAKE2B 
0c5caa0a0d2308a447d47ab94d7b8dc92a67ad78b3bac1678c3f3ece3905f27feda5a23d28b3c13ebd64d1760726888c759fb19da82ad960c6f84a433b753873
 SHA512 
7e162467b95dad2b6aaa11686d08a00f1cc4eb08247fca8f0e5a8bcaa5f9f7b42cdf00db69c5c6111bdf9eb8063d53cef3bb207ce5d6a287615ca10b710153f9
+DIST krb5-1.17.tar.gz 8761763 BLAKE2B 
76f636836c67e9eefca91c9417118efdcf4437c1220691f43f3d246daf3eabd53b40a30956f0e57703c3fde5d7193b1d86b68becf3ae1c0c803d2462e79d3014
 SHA512 
7462a578b936bd17f155a362dbb5d388e157a80a096549028be6c55400b11361c7f8a28e424fd5674801873651df4e694d536cae66728b7ae5e840e532358c52

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch 
b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch
new file mode 100644
index 000..ca74b88bb0f
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch
@@ -0,0 +1,101 @@
+From 58263cbf3106f4c9c9a2252794093014a2f9c01f Mon Sep 17 00:00:00 2001
+From: Stefan Strogin 
+Date: Thu, 25 Apr 2019 03:48:10 +0300
+Subject: [PATCH] Fix build for LibreSSL 2.9.x
+
+asn1_mac.h is removed from LibreSSL 2.9.0, but static_ASN1_*() methods
+are not defined. Define them.
+
+Upstream-Status: Pending
+[Needs to be amended if
+https://github.com/libressl-portable/openbsd/pull/109 is accepted]
+Signed-off-by: Stefan Strogin 
+---
+ .../preauth/pkinit/pkinit_crypto_openssl.c| 13 
+ .../preauth/pkinit/pkinit_crypto_openssl.h| 20 ++-
+ 2 files changed, 28 insertions(+), 5 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 
b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 2064eb7bd..81d5d3cf2 100644
+--- a/plugins/preauth/pkinit/pkinit_crypto_openssl.c
 b/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -188,14 +188,16 @@ pkinit_pkcs11_code_to_text(int err);
+ (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x1010L
++#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+-/* 1.1 standardizes constructor and destructor names, renaming
+- * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
++/* 1.1 (and LibreSSL 2.7) standardizes constructor and destructor names,
++ * renaming EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
+ 
++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x207fL
+ #define EVP_MD_CTX_new EVP_MD_CTX_create
+ #define EVP_MD_CTX_free EVP_MD_CTX_destroy
+ #define ASN1_STRING_get0_data ASN1_STRING_data
++#endif
+ 
+ /* 1.1 makes many handle types opaque and adds accessors.  Add compatibility
+  * versions of the new accessors we use for pre-1.1. */
+@@ -203,6 +205,7 @@ pkinit_pkcs11_code_to_text(int err);
+ #define OBJ_get0_data(o) ((o)->data)
+ #define OBJ_length(o) ((o)->length)
+ 
++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x207fL
+ #define DH_set0_pqg compat_dh_set0_pqg
+ static int compat_dh_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+ {
+@@ -235,6 +238,7 @@ static void compat_dh_get0_key(const DH *dh, const BIGNUM 
**pub,
+ if (priv != NULL)
+ *priv = dh->priv_key;
+ }
++#endif /* LIBRESSL_VERSION_NUMBER */
+ 
+ /* Return true if the cert c

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/

2016-12-22 Thread Mike Frysinger 
commit: acab2831eac296a423c8204013f0290f2c4f3b5b
Author: Mike Frysinger  gentoo  org>
AuthorDate: Thu Dec 22 22:34:28 2016 +
Commit: Mike Frysinger  gentoo  org>
CommitDate: Thu Dec 22 22:36:01 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=acab2831

app-crypt/mit-krb5: respect USE=nls

Patch from Chromium OS.

 .../files/mit-krb5-1.14.4-disable-nls.patch| 45 ++
 app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild  |  4 +-
 app-crypt/mit-krb5/mit-krb5-1.15.ebuild|  4 +-
 3 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch 
b/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch
new file mode 100644
index ..63cb0fc
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch
@@ -0,0 +1,45 @@
+Adds support for --(enable|disable)-nls configure option.
+
+This enables\disables the generation of language files and
+sets the ENABLE_NLS define appropriately.
+
+Default value is enabled to preserve current behavior.
+
+Patch by Zentaro Kavanagh 
+https://crbug.com/654842
+
+https://github.com/krb5/krb5/pull/584
+
+--- src/configure.in
 src/configure.in
+@@ -118,15 +118,22 @@
+ ])
+ AC_SUBST(LIBUTIL)
+ 
+-AC_CHECK_HEADER(libintl.h, [
+-  AC_SEARCH_LIBS(dgettext, intl, [
+-  AC_DEFINE(ENABLE_NLS, 1,
+-  [Define if translation functions should be used.])])])
+-
+-AC_CHECK_PROG(MSGFMT,msgfmt,msgfmt)
++# Determine if NLS is desired and supported.
+ po=
+-if test x"$MSGFMT" != x; then
+-  po=po
++AC_ARG_ENABLE([nls],
++AC_HELP_STRING([--disable-nls],
++   [Disable Native Language Support(NLS).]), ,
++   enableval=yes)
++if test "$enableval" = yes ; then
++AC_CHECK_HEADER(libintl.h, [
++AC_SEARCH_LIBS(dgettext, intl, [
++AC_DEFINE(ENABLE_NLS, 1,
++[Define if translation functions should be 
used.])])])
++
++AC_CHECK_PROG(MSGFMT,msgfmt,msgfmt)
++if test x"$MSGFMT" != x; then
++po=po
++fi
+ fi
+ AC_SUBST(po)
+ 

diff --git a/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild
index 0eff67b..5662c02 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild
@@ -16,7 +16,7 @@ 
SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz;
 LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 
|| ( BSD-2 GPL-2+ )"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh 
~sparc ~x86"
-IUSE="doc +keyutils libressl openldap +pkinit selinux +threads test xinetd"
+IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
 
 CDEPEND="
!!app-crypt/heimdal
@@ -59,6 +59,7 @@ src_prepare() {
epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"
epatch "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch"
+   epatch "${FILESDIR}/${PN}-1.14.4-disable-nls.patch"
 
# Make sure we always use the system copies.
rm -rf util/{et,ss,verto}
@@ -82,6 +83,7 @@ multilib_src_configure() {
econf \
$(use_with openldap ldap) \
"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+   $(use_enable nls) \
$(use_enable pkinit) \
$(use_enable threads thread-support) \
--without-hesiod \

diff --git a/app-crypt/mit-krb5/mit-krb5-1.15.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.15.ebuild
index 8d0ae5b..0859120 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.15.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.15.ebuild
@@ -16,7 +16,7 @@ 
SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz;
 LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 
|| ( BSD-2 GPL-2+ )"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh 
~sparc ~x86"
-IUSE="doc +keyutils libressl openldap +pkinit selinux +threads test xinetd"
+IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
 
 CDEPEND="
!!app-crypt/heimdal
@@ -59,6 +59,7 @@ src_prepare() {
eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
eapply -p0 "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch"
+   eapply "${FILESDIR}/${PN}-1.14.4-disable-nls.patch"
 
# Make sure we always use the system copies.
rm -rf util/{et,ss,verto}
@@ -83,6 +84,7 @@ multilib_src_configure() {
econf \
$(use_with openldap ldap) \
"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+   $(use_enable nls) \
$(use_enable pkinit) \

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/

2016-11-16 Thread Mike Frysinger 
commit: e506143656e90f7f705f9727d128d176e1700b2a
Author: Zentaro Kavanagh  google  com>
AuthorDate: Wed Nov 16 23:21:13 2016 +
Commit: Mike Frysinger  gentoo  org>
CommitDate: Wed Nov 16 23:21:13 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5061436

app-crypt/mit-krb5: fix clang build due to ttyname redecl

 .../files/mit-krb5-1.14.2-redeclared-ttyname.patch | 26 ++
 app-crypt/mit-krb5/mit-krb5-1.14.2.ebuild  |  1 +
 app-crypt/mit-krb5/mit-krb5-1.14.3.ebuild  |  1 +
 app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild  |  1 +
 4 files changed, 29 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch 
b/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch
new file mode 100644
index ..a76cd3a
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch
@@ -0,0 +1,26 @@
+Fixes the redeclaration of ttyname which was preventing
+enabling clang fortify.
+
+The error was;
+
+main.c:858:15: error: redeclaration of 'ttyname' must have the 'overloadable' 
attribute
+char *p, *ttyname();
+  ^
+/build/samus/usr/include/unistd.h:784:14: note: previous overload of function 
is here
+extern char *ttyname (int __fd) __THROW __CLANG_NO_MANGLE (ttyname);
+
+https://github.com/krb5/krb5/pull/568
+
+Patch by Zentaro Kavanagh 
+
+--- clients/ksu/main.c
 clients/ksu/main.c
+@@ -855,7 +855,7 @@
+ 
+ static char * ontty()
+ {
+-char *p, *ttyname();
++char *p;
+ static char buf[MAXPATHLEN + 5];
+ int result;
+ 

diff --git a/app-crypt/mit-krb5/mit-krb5-1.14.2.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.14.2.ebuild
index 60d7a5b..8a3c7c3 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.14.2.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.14.2.ebuild
@@ -58,6 +58,7 @@ MULTILIB_CHOST_TOOLS=(
 src_prepare() {
epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+   epatch "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch"
 
eautoreconf
 }

diff --git a/app-crypt/mit-krb5/mit-krb5-1.14.3.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.14.3.ebuild
index 4a050dd..0a8a335 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.14.3.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.14.3.ebuild
@@ -58,6 +58,7 @@ MULTILIB_CHOST_TOOLS=(
 src_prepare() {
epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+   epatch "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch"
 
eautoreconf
 }

diff --git a/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild
index 9e30788..0eff67b 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild
@@ -58,6 +58,7 @@ MULTILIB_CHOST_TOOLS=(
 src_prepare() {
epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+   epatch "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch"
 
# Make sure we always use the system copies.
rm -rf util/{et,ss,verto}

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/

2015-10-28 Thread Eray Aslan 
commit: dbd92e7f768c3f799be7f7f9e4b0cd3b7282bff3
Author: Eray Aslan  gentoo  org>
AuthorDate: Thu Oct 29 04:37:30 2015 +
Commit: Eray Aslan  gentoo  org>
CommitDate: Thu Oct 29 04:37:30 2015 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dbd92e7f

app-crypt/mit-krb5: security bump

Gentoo-Bug: 564304

Package-Manager: portage-2.2.23

 app-crypt/mit-krb5/files/CVE-2015-2695.patch | 564 +
 app-crypt/mit-krb5/files/CVE-2015-2696.patch | 731 +++
 app-crypt/mit-krb5/files/CVE-2015-2697.patch |  50 ++
 app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild |   3 +
 4 files changed, 1348 insertions(+)

diff --git a/app-crypt/mit-krb5/files/CVE-2015-2695.patch 
b/app-crypt/mit-krb5/files/CVE-2015-2695.patch
new file mode 100644
index 000..08bc8ab
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2015-2695.patch
@@ -0,0 +1,564 @@
+From b51b33f2bc5d1497ddf5bd107f791c101695000d Mon Sep 17 00:00:00 2001
+From: Nicolas Williams 
+Date: Mon, 14 Sep 2015 12:27:52 -0400
+Subject: [PATCH] Fix SPNEGO context aliasing bugs [CVE-2015-2695]
+
+The SPNEGO mechanism currently replaces its context handle with the
+mechanism context handle upon establishment, under the assumption that
+most GSS functions are only called after context establishment.  This
+assumption is incorrect, and can lead to aliasing violations for some
+programs.  Maintain the SPNEGO context structure after context
+establishment and refer to it in all GSS methods.  Add initiate and
+opened flags to the SPNEGO context structure for use in
+gss_inquire_context() prior to context establishment.
+
+CVE-2015-2695:
+
+In MIT krb5 1.5 and later, applications which call
+gss_inquire_context() on a partially-established SPNEGO context can
+cause the GSS-API library to read from a pointer using the wrong type,
+generally causing a process crash.  This bug may go unnoticed, because
+the most common SPNEGO authentication scenario establishes the context
+after just one call to gss_accept_sec_context().  Java server
+applications using the native JGSS provider are vulnerable to this
+bug.  A carefully crafted SPNEGO packet might allow the
+gss_inquire_context() call to succeed with attacker-determined
+results, but applications should not make access control decisions
+based on gss_inquire_context() results prior to context establishment.
+
+CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+[ghud...@mit.edu: several bugfixes, style changes, and edge-case
+behavior changes; commit message and CVE description]
+
+ticket: 8244
+target_version: 1.14
+tags: pullup
+---
+ src/lib/gssapi/spnego/gssapiP_spnego.h |   2 +
+ src/lib/gssapi/spnego/spnego_mech.c| 254 -
+ 2 files changed, 192 insertions(+), 64 deletions(-)
+
+diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h 
b/src/lib/gssapi/spnego/gssapiP_spnego.h
+index 57372de..5c82764 100644
+--- a/src/lib/gssapi/spnego/gssapiP_spnego.h
 b/src/lib/gssapi/spnego/gssapiP_spnego.h
+@@ -103,6 +103,8 @@ typedef struct {
+   int firstpass;
+   int mech_complete;
+   int nego_done;
++  int initiate;
++  int opened;
+   OM_uint32 ctx_flags;
+   gss_name_t internal_name;
+   gss_OID actual_mech;
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c 
b/src/lib/gssapi/spnego/spnego_mech.c
+index ef76e1f..7849c85 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
 b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -102,7 +102,7 @@ static OM_uint32 get_negotiable_mechs(OM_uint32 *, 
spnego_gss_cred_id_t,
+ gss_cred_usage_t, gss_OID_set *);
+ static void release_spnego_ctx(spnego_gss_ctx_id_t *);
+ static void check_spnego_options(spnego_gss_ctx_id_t);
+-static spnego_gss_ctx_id_t create_spnego_ctx(void);
++static spnego_gss_ctx_id_t create_spnego_ctx(int);
+ static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf);
+ static int put_input_token(unsigned char **, gss_buffer_t, unsigned int);
+ static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int);
+@@ -454,7 +454,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx)
+ }
+ 
+ static spnego_gss_ctx_id_t
+-create_spnego_ctx(void)
++create_spnego_ctx(int initiate)
+ {
+   spnego_gss_ctx_id_t spnego_ctx = NULL;
+   spnego_ctx = (spnego_gss_ctx_id_t)
+@@ -477,6 +477,8 @@ create_spnego_ctx(void)
+   spnego_ctx->mic_rcvd = 0;
+   spnego_ctx->mech_complete = 0;
+   spnego_ctx->nego_done = 0;
++  spnego_ctx->opened = 0;
++  spnego_ctx->initiate = initiate;
+   spnego_ctx->internal_name = GSS_C_NO_NAME;
+   spnego_ctx->actual_mech = GSS_C_NO_OID;
+ 
+@@ -642,7 +644,7 @@ init_ctx_new(OM_uint32 *minor_status,
+   OM_uint32 ret;
+   spnego_gss_ctx_id_t sc = NULL;
+ 
+-  sc = create_spnego_ctx();
++  sc = create_spnego_ctx(1);
+   if (sc == NULL)
+   return GSS_S_FAILURE;
+ 
+@@ -659,10 +661,7 @@