authorMichael Hammer <mueli@gentoo.org>2009-02-12 09:28:40 +0000
committerMichael Hammer <mueli@gentoo.org>2009-02-12 09:28:40 +0000
commit3564a199c7489b2fa183642f3e5cc4c53f653cba (patch)
tree345773d2655937faf1050778dc8e14c94b34a838 /sys-auth/pam_krb5
parentnow properly regenerating all plugin caches (diff)
version bump to pam_krb5-3.12 to fix security issue - see bug #257075
(Portage version: 2.1.6.7/cvs/Linux x86_64, RepoMan options: --force)
Diffstat (limited to 'sys-auth/pam_krb5')
-rw-r--r--sys-auth/pam_krb5/ChangeLog10
-rw-r--r--sys-auth/pam_krb5/files/pam_krb5-3.12-CVE-20090211.patch194
-rw-r--r--sys-auth/pam_krb5/pam_krb5-3.12.ebuild39
3 files changed, 241 insertions, 2 deletions
diff --git a/sys-auth/pam_krb5/ChangeLog b/sys-auth/pam_krb5/ChangeLog
index 0887b303c2ab..230602083459 100644
--- a/sys-auth/pam_krb5/ChangeLog
+++ b/sys-auth/pam_krb5/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for sys-auth/pam_krb5
-# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/pam_krb5/ChangeLog,v 1.21 2008/09/20 09:49:33 dertobi123 Exp $
+# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/pam_krb5/ChangeLog,v 1.22 2009/02/12 09:28:40 mueli Exp $
+
+*pam_krb5-3.12 (12 Feb 2009)
+
+ 12 Feb 2009; Michael Hammer <mueli@gentoo.org>
+ +files/pam_krb5-3.12-CVE-20090211.patch, +pam_krb5-3.12.ebuild:
+ version bump to fix security issue - see bug #257075
20 Sep 2008; Tobias Scherbaum <dertobi123@gentoo.org>
pam_krb5-3.10.ebuild:
diff --git a/sys-auth/pam_krb5/files/pam_krb5-3.12-CVE-20090211.patch b/sys-auth/pam_krb5/files/pam_krb5-3.12-CVE-20090211.patch
new file mode 100644
index 000000000000..542679a42b6f
--- /dev/null
+++ b/sys-auth/pam_krb5/files/pam_krb5-3.12-CVE-20090211.patch
@@ -0,0 +1,194 @@
+diff --git a/api-auth.c b/api-auth.c
+index 55df461..f6af390 100644
+--- a/api-auth.c
++++ b/api-auth.c
+@@ -494,6 +494,37 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ if (reinit) {
+ const char *name, *k5name;
+
++ /*
++ * Solaris su calls pam_setcred as root with PAM_REINITIALIZE_CREDS,
++ * preserving the user-supplied environment. An xlock program may
++ * also do this if it's setuid root and doesn't drop credentials
++ * before calling pam_setcred.
++ *
++ * There isn't any safe way of reinitializing the exiting ticket cache
++ * for the user if we're setuid without calling setreuid(). Calling
++ * setreuid() is possible, but if the calling application is threaded,
++ * it will change credentials for the whole application, with possibly
++ * bizarre and unintended (and insecure) results. Trying to verify
++ * ownership of the existing ticket cache before using it fails under
++ * various race conditions (for example, having one of the elements of
++ * the path be a symlink and changing the target of that symlink
++ * between our check and the call to krb5_cc_resolve. Without calling
++ * setreuid(), we run the risk of replacing a file owned by another
++ * user with a credential cache.
++ *
++ * We could fail with an error in the setuid case, which would be
++ * maximally safe, but it would prevent use of the module for
++ * authentication with programs such as Solaris su. Failure to
++ * reinitialize the cache is normally not a serious problem, just a
++ * missing feature. We therefore log an error and exit with
++ * PAM_SUCCESS for the setuid case.
++ */
++ if (pamk5_compat_issetugid()) {
++ pamk5_error(args, "credential reinitialization in a setuid"
++ " context ignored");
++ pamret = PAM_SUCCESS;
++ goto done;
++ }
+ name = pamk5_get_krb5ccname(args, "KRB5CCNAME");
+ if (name == NULL)
+ name = krb5_cc_default_name(ctx->context);
+diff --git a/compat.c b/compat.c
+index e6ad6b0..1bf981d 100644
+--- a/compat.c
++++ b/compat.c
+@@ -24,6 +24,7 @@
+ # include <security/pam_modutil.h>
+ #endif
+ #include <stdlib.h>
++#include <unistd.h>
+
+ #if !defined(HAVE_KRB5_GET_ERROR_MESSAGE) && !defined(HAVE_KRB5_GET_ERR_TEXT)
+ # if !defined(HAVE_KRB5_GET_ERROR_STRING)
+@@ -146,6 +147,39 @@ pamk5_compat_free_error(krb5_context ctx, const char *msg)
+
+
+ /*
++ * AIX's NAS Kerberos implementation mysteriously provides the struct and the
++ * krb5_verify_init_creds function but not this function.
++ */
++#ifndef HAVE_KRB5_VERIFY_INIT_CREDS_OPT_INIT
++void
++krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *opt)
++{
++ opt->flags = 0;
++ opt->ap_req_nofail = 0;
++}
++#endif
++
++
++/*
++ * MIT provides a krb5_init_secure_context that ignores all the environment
++ * variables that may otherwise influence context creation. We call that
++ * function if we detect that we're setuid. Heimdal doesn't have this
++ * function, but instead automatically ignores the environment variables if it
++ * detects we're setuid. This means that we should be able to fall back
++ * safely to krb5_init_context if krb5_init_secure_context isn't available.
++ */
++krb5_error_code
++pamk5_compat_secure_context(krb5_context *ctx)
++{
++#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
++ return krb5_init_secure_context(ctx);
++#else
++ return krb5_init_context(ctx);
++#endif
++}
++
++
++/*
+ * Linux PAM provides a thread-safe version of getpwnam that we want to use if
+ * available. If it's not, fall back on getpwnam. (Ideally, we should check
+ * for getpwnam_r and use it, but I haven't written that routine.)
+@@ -162,14 +196,19 @@ pamk5_compat_getpwnam(struct pam_args *args UNUSED, const char *user)
+
+
+ /*
+- * AIX's NAS Kerberos implementation mysteriously provides the struct and the
+- * krb5_verify_init_creds function but not this function.
++ * Call the Solaris issetugid function if available. If not, check whether
++ * the real and effective UIDs and GIDs match.
+ */
+-#ifndef HAVE_KRB5_VERIFY_INIT_CREDS_OPT_INIT
+-void
+-krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *opt)
++int
++pamk5_compat_issetugid(void)
+ {
+- opt->flags = 0;
+- opt->ap_req_nofail = 0;
+-}
++#ifdef HAVE_ISSETUGID
++ return issetugid();
++#else
++ if (getuid() != geteuid())
++ return 1;
++ if (getgid() != getegid())
++ return 1;
++ return 0;
+ #endif
++}
+diff --git a/configure.ac b/configure.ac
+index 6835a2d..2d04f58 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -21,6 +22,10 @@ AC_PROG_MAKE_SET
+ AC_CANONICAL_HOST
+ AC_AIX
+
++dnl Check for the Solaris issetugid function, which is nicer than comparing
++dnl real and effective UIDs and GIDs.
++AC_CHECK_FUNCS([issetugid])
++
+ dnl Probe for the functionality of the PAM libraries and their include file
+ dnl naming. Mac OS X puts them in pam/* instead of security/*.
+ AC_SEARCH_LIBS([pam_set_data], [pam])
+@@ -46,6 +51,7 @@ AC_CHECK_FUNCS([krb5_appdefault_string \
+ krb5_get_init_creds_opt_set_change_password_prompt \
+ krb5_get_init_creds_opt_set_default_flags \
+ krb5_get_init_creds_opt_set_pa \
++ krb5_init_secure_context \
+ krb5_verify_init_creds_opt_init])
+ AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_pkinit],
+ [RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT_ARGS])
+diff --git a/context.c b/context.c
+index 9a70aa7..8475d81 100644
+--- a/context.c
++++ b/context.c
+@@ -66,7 +66,10 @@ pamk5_context_new(struct pam_args *args)
+ goto done;
+ }
+ ctx->name = strdup(name);
+- retval = krb5_init_context(&ctx->context);
++ if (pamk5_compat_issetugid())
++ retval = pamk5_compat_secure_context(&ctx->context);
++ else
++ retval = krb5_init_context(&ctx->context);
+ if (retval != 0) {
+ pamk5_error_krb5(args, "krb5_init_context", retval);
+ retval = PAM_SERVICE_ERR;
+diff --git a/internal.h b/internal.h
+index 48c5b74..7356e8a 100644
+--- a/internal.h
++++ b/internal.h
+@@ -247,6 +247,12 @@ krb5_error_code pamk5_compat_set_realm(struct pam_args *, const char *)
+ __attribute__((__visibility__("hidden")));
+ void pamk5_compat_free_realm(struct pam_args *)
+ __attribute__((__visibility__("hidden")));
++krb5_error_code pamk5_compat_secure_context(krb5_context *)
++ __attribute__((__visibility__("hidden")));
++
++/* Calls issetugid if available, otherwise checks effective IDs. */
++int pamk5_compat_issetugid(void)
++ __attribute__((__visibility__("hidden")));
+
+ /* Calls pam_modutil_getpwnam if available, otherwise getpwnam. */
+ struct passwd *pamk5_compat_getpwnam(struct pam_args *, const char *)
+diff --git a/options.c b/options.c
+index b03ee0a..e8f9da5 100644
+--- a/options.c
++++ b/options.c
+@@ -276,7 +276,10 @@ pamk5_args_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ * proceed; we'll die soon enough later and this way we'll die after we
+ * know whether to debug things.
+ */
+- retval = krb5_init_context(&c);
++ if (pamk5_compat_issetugid())
++ retval = pamk5_compat_secure_context(&c);
++ else
++ retval = krb5_init_context(&c);
+ if (retval != 0)
+ c = NULL;
+ if (c != NULL) {
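Review bot: The `#else` fallback of pamk5_compat_issetugid at the end of the compat.c hunk reports a setuid context only while the real and effective IDs still differ, whereas issetugid() on the platforms that provide it is documented to stay true for the rest of the process lifetime regardless of later setuid()/setgid() calls; a caller that has already equalised its IDs before pamk5_context_new or pam_sm_setcred therefore takes the plain krb5_init_context path in the context.c and options.c hunks and honours the user-supplied environment again, which is exactly the situation the api-auth.c comment is worried about. That difference is worth a comment at the definition, e.g. `/* NOTE: without issetugid() this sees only a current uid/gid mismatch, not a process that started setuid and later equalised its IDs. */`. Separately, the context.c hunk still logs a failure as `pamk5_error_krb5(args, "krb5_init_context", retval);` even when pamk5_compat_secure_context was the call that failed, so the logged function name can mislead whoever reads the audit log; the parallel hunk in options.c sets `c = NULL` without any message at all. The `done` label reached by the new `goto done` in api-auth.c, and the rest of pam_sm_setcred, lie outside the hunk.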
diff --git a/sys-auth/pam_krb5/pam_krb5-3.12.ebuild b/sys-auth/pam_krb5/pam_krb5-3.12.ebuild
new file mode 100644
index 000000000000..b760efd47aba
--- /dev/null
+++ b/sys-auth/pam_krb5/pam_krb5-3.12.ebuild
@@ -0,0 +1,39 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/pam_krb5/pam_krb5-3.12.ebuild,v 1.1 2009/02/12 09:28:40 mueli Exp $
+
+inherit multilib eutils pam
+
+DESCRIPTION="Kerberos 5 PAM Authentication Module"
+HOMEPAGE="http://www.eyrie.org/~eagle/software/pam-krb5/"
+SRC_URI="http://archives.eyrie.org/software/ARCHIVE/pam-krb5/pam-krb5-${PV}.tar.gz"
+
+LICENSE="|| ( BSD-2 GPL-2 )"
+SLOT="0"
+KEYWORDS="amd64 ~ppc ~sparc x86"
+IUSE="doc"
+
+DEPEND="virtual/krb5"
+RDEPEND="${DEPEND}"
+S="${WORKDIR}/${P/_/-}"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ epatch "${FILESDIR}/${P}-CVE-20090211.patch"
+}
+
+src_compile() {
+ econf \
+ --libdir=/$(get_libdir)\
+ || die "econf failed"
+ emake || die "emake failed"
+}
+
+src_install() {
+ newpammod pam_krb5.so pam_krb5.so
+ if use doc; then
+ doman pam_krb5.5
+ dodoc CHANGES CHANGES-old NEWS README TODO
+ fi;
+}
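Review bot: `cd "${S}"` in src_unpack is not followed by `|| die`, so if the directory is missing the subsequent epatch runs from WORKDIR and fails, if at all, with a less direct message; make it `cd "${S}" || die "cd to ${S} failed"`. The patch the ebuild applies, `${FILESDIR}/${P}-CVE-20090211.patch`, has a name that does not follow the CVE-YYYY-NNNN form and the commit message cites only bug #257075, so a reader of the ebuild cannot tell which advisory the patch addresses; a one-line comment above the epatch call naming the advisory, or at least the bug number, would make the security fix traceable. The `fi;` closing src_install carries a redundant semicolon.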