authorEray Aslan <eras@gentoo.org>2011-12-07 08:05:41 +0000
committerEray Aslan <eras@gentoo.org>2011-12-07 08:05:41 +0000
commitc8f7926aedaf275b4dacc82d95e90039c392fea7 (patch)
tree8675768f048ed0143871dfd6f0b66a9d423a9506 /app-crypt
parentRemove old. (diff)
security bump - bug #393429
Package-Manager: portage-2.1.10.39/cvs/Linux x86_64
Diffstat (limited to 'app-crypt')
-rw-r--r--app-crypt/mit-krb5/ChangeLog8
-rw-r--r--app-crypt/mit-krb5/Manifest24
-rw-r--r--app-crypt/mit-krb5/files/CVE-2011-1530.patch40
-rw-r--r--app-crypt/mit-krb5/mit-krb5-1.9.2-r1.ebuild122
4 files changed, 187 insertions, 7 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog
index f6249180bf7a..1c014dc26e72 100644
--- a/app-crypt/mit-krb5/ChangeLog
+++ b/app-crypt/mit-krb5/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for app-crypt/mit-krb5
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.301 2011/12/04 10:38:22 swegener Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.302 2011/12/07 08:05:41 eras Exp $
+
+*mit-krb5-1.9.2-r1 (07 Dec 2011)
+
+ 07 Dec 2011; Eray Aslan <eras@gentoo.org> +mit-krb5-1.9.2-r1.ebuild,
+ +files/CVE-2011-1530.patch:
+ security bump - bug #393429
04 Dec 2011; Sven Wegener <swegener@gentoo.org> files/mit-krb5kadmind.initd,
files/mit-krb5kdc.initd, files/mit-krb5kpropd.initd:
diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index bfe83acb840c..4bf6bf586271 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,5 +1,5 @@
-----BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
+Hash: SHA256
AUX 2011-006-patch-r18.patch 2908 RMD160 829a6d2dc876190996e90e0a6a43e2d018cbaaa5 SHA1 30b66b6c5dce537d66874ac58e622b3f6e992ac6 SHA256 54490a4152e2bf912fa92137c3be90221fd64f818a09be256a1147b351e676e3
AUX CVE-2010-1322.patch 1066 RMD160 fc262a23e9aa118262a4258f74832445062444e4 SHA1 600f0890de65f96112f267b56317a4fd0166cba0 SHA256 7d9fbfffdaa0cde0ca499ccbb2cf09a6c7253e537755bbf6da9e08715fd9a474
@@ -9,6 +9,7 @@ AUX CVE-2011-0281.0282.0283.patch 6663 RMD160 15913f4fccc2424f4264ce222563685b29
AUX CVE-2011-0284.patch 544 RMD160 9b0d172a1abfaf437edacc9f18fd0a6e83028b3e SHA1 1c72390c5d629eee592e5cb0c2b600b376e2fdc5 SHA256 bf93bbaf5d502f5b5bdcfa612e36c3828d3be869b154545bad1c7109f4eedae4
AUX CVE-2011-0285.patch 1154 RMD160 a635a940613663f6fe07534d08c7781090fcc9f0 SHA1 b6ae716616ecd5e92f32ec8203a1ab51b5726184 SHA256 6a972da0e87dce82e801590a7bdcca300a5b31ed569f834e0a6634a185a9aac0
AUX CVE-2011-1527.1528.1529.patch 3092 RMD160 06b85bf757b84486461697fac126953e7b9d2558 SHA1 0b0016b0e341dcf720f67925b0d451b328e02583 SHA256 50d2ef225e16fb267dcfe87bb6596c5061ccb5ef617ce7e42e83dd4b2db27468
+AUX CVE-2011-1530.patch 1417 RMD160 c72c99b40c5f230ca430fde33460616c7634b037 SHA1 ec917dd1d1c96fa331f512331d5aa37c2e9b9df7 SHA256 0b0413e175e81b5fb7497f3351341066644431d72663bb1cba9d59b715669486
AUX kpropd.xinetd 194 RMD160 5772b04bf7f6b8a5588331a4d9dca03738756f15 SHA1 a9c84a4197ba133144e754d68847cece6203ed4a SHA256 eaa3838a6ca8db901db359cac3435d4f703a9a10534f02eeb37f494dd21a1736
AUX mit-krb5-1.8.3-CVE-2011-0281.0282.0283.patch 6130 RMD160 23cb2560f0d87e6128cdbb12f1e7d8aae85f85f5 SHA1 574a3c82ad7d3c9a1c9c62c6ff95c2d6f0e0fc96 SHA256 7831c9a9553404b41774f40f3fc0df6769342c1923c5b1177062710fd5f0f2bb
AUX mit-krb5-1.8.3-CVE-2011-0285.patch 1136 RMD160 03d06d5c88505688eb4dbcd516144999ecb89a70 SHA1 7853bcbdf0dba6f0fce15fc3b475f86d692287b2 SHA256 88f8d015f2bce8f54a6a0321716ed887aef587aeae3017d47c7c18de26189f02
@@ -27,13 +28,24 @@ EBUILD mit-krb5-1.8.3-r5.ebuild 2939 RMD160 df03d1333c291448be9c88931854c8e1bbe6
EBUILD mit-krb5-1.8.4-r1.ebuild 2839 RMD160 45cfe931d145d5a0adf11b6c094510bf89091e1b SHA1 6d5f06c229a369103a0864c555708270e57a6d1f SHA256 5a9cadc82825fc506f0895f33b5343eea940f182e7f4603177b7591069b81aaa
EBUILD mit-krb5-1.8.5.ebuild 2709 RMD160 f6b3a46e9e01d6581ee4d93a11770c6f71eb6461 SHA1 b7409a07e9fe5bb9a664daf896fb4b81bc6d555c SHA256 90c03d3f408262b0b142de45899d2a0637559a5c32cc2721fd77d5be193e66b2
EBUILD mit-krb5-1.9.1-r2.ebuild 3202 RMD160 9a72d9d3dbf64db70e01a1a95c6902ad17ed0102 SHA1 ca0b2e199042f67cc2698ef55628c3424628238b SHA256 7ec3c4dfa4d0a7c3833d58c4ce137c0379a1ab4c70d4efd2fb969014a868e770
+EBUILD mit-krb5-1.9.2-r1.ebuild 3191 RMD160 c023ee88a6900261d7a26aa058eb8df043da48e1 SHA1 779e0ac529aa960732d17bf053e255983c391a42 SHA256 69052915beb84174a33b097398aa47e7dc39c2c86d8b1701a9807a48da44c3cb
EBUILD mit-krb5-1.9.2.ebuild 3146 RMD160 53622c78084fbd6ce873bd05c920f7a6a4d8d594 SHA1 f5e1a405183e7a046255d02bb268d4db2f42f188 SHA256 6c49aa492f333d0a13d84e1dd7f3b2cda358bc3c7ce2fff403c25e70b3523efa
-MISC ChangeLog 47601 RMD160 7ef95ef67891c616158987972c1401360692bc14 SHA1 f9672af61237a2963c0f65af4d0267731730f2b7 SHA256 21c08592b4a73bda184aa1f9a6c234fbf012eda812f79e1f8288fd198786a8d3
+MISC ChangeLog 47763 RMD160 a3d2df2236eddb29cc2a1adf58f60defe69daeba SHA1 def7a2013176f20074d9669def9553df53fc20f9 SHA256 d66a9d27cb110799e77aea357973a58f14b30799bb2567c56b8fc996e2441cea
MISC metadata.xml 668 RMD160 825e73c2b8d1bdcfffb6c5cfa2110f596d7940ae SHA1 b9fca90e7a86fea05d8174d824e939cf61905310 SHA256 da5862dde92f34b882870961cb9f1e4aa8209fc549e32a43d99770a9de8b232d
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.17 (GNU/Linux)
+Version: GnuPG v2.0.18 (GNU/Linux)
-iEYEARECAAYFAk7bTaQACgkQI1lqEGTUzyT2ggCgup1RmYhuSjdogJtQZkj+4kJZ
-w+MAniSWRNhV7LLN3w3O19EvE+AYoSc4
-=4QhF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+=mHbY
-----END PGP SIGNATURE-----
diff --git a/app-crypt/mit-krb5/files/CVE-2011-1530.patch b/app-crypt/mit-krb5/files/CVE-2011-1530.patch
new file mode 100644
index 000000000000..336a4ad3172a
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2011-1530.patch
@@ -0,0 +1,40 @@
+diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
+index f46cad3..102fbaa 100644
+--- a/src/kdc/Makefile.in
++++ b/src/kdc/Makefile.in
+@@ -67,6 +67,7 @@ check-unix:: rtest
+
+ check-pytests::
+ $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
++ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
+
+ install::
+ $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index c169c54..840a2ef 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -243,7 +243,8 @@ tgt_again:
+ if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
+ errcode = find_alternate_tgs(request, &server);
+ firstpass = 0;
+- goto tgt_again;
++ if (errcode == 0)
++ goto tgt_again;
+ }
+ }
+ status = "UNKNOWN_SERVER";
+diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
+new file mode 100644
+index 0000000..1760bcd
+--- /dev/null
++++ b/src/kdc/t_emptytgt.py
+@@ -0,0 +1,8 @@
++#!/usr/bin/python
++from k5test import *
++
++realm = K5Realm(start_kadmind=False, create_host=False)
++output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
++if 'not found in Kerberos database' not in output:
++ fail('TGT lookup for empty realm failed in unexpected way')
++success('Empty tgt lookup.')
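Review bot: The patch file opens directly at `diff --git a/src/kdc/Makefile.in` with no preamble, so nothing in the file itself records where the fix comes from or when it can be dropped. A short header above the first `diff --git` line would cover that, such as `Fix for CVE-2011-1530, Gentoo bug #393429; source: <upstream commit or advisory URL>`. In the `do_tgs_req.c` hunk the jump back to `tgt_again` is now taken only when `find_alternate_tgs` returns 0, and a failure falls through to `status = "UNKNOWN_SERVER"`. The code after that line lies outside the hunk, so whether `server` is left unused on the failure path should be confirmed against the full function.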
diff --git a/app-crypt/mit-krb5/mit-krb5-1.9.2-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.9.2-r1.ebuild
new file mode 100644
index 000000000000..a341069c5cae
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.9.2-r1.ebuild
@@ -0,0 +1,122 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.9.2-r1.ebuild,v 1.1 2011/12/07 08:05:41 eras Exp $
+
+EAPI=3
+
+inherit eutils flag-o-matic versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos"
+IUSE="doc +keyutils openldap +pkinit +threads test xinetd"
+
+RDEPEND="!!app-crypt/heimdal
+ >=sys-libs/e2fsprogs-libs-1.41.0
+ keyutils? ( sys-apps/keyutils )
+ openldap? ( net-nds/openldap )
+ xinetd? ( sys-apps/xinetd )"
+DEPEND="${RDEPEND}
+ virtual/yacc
+ doc? ( virtual/latex-base )
+ test? ( dev-lang/tcl
+ dev-lang/python
+ dev-util/dejagnu )"
+
+S=${WORKDIR}/${MY_P}/src
+
+src_unpack() {
+ unpack ${A}
+ unpack ./"${MY_P}".tar.gz
+}
+
+src_prepare() {
+ epatch "${FILESDIR}/${PN}-kprop_exit_on_error.patch"
+ epatch "${FILESDIR}/CVE-2011-1530.patch"
+}
+
+src_configure() {
+ append-flags "-I${EPREFIX}/usr/include/et"
+ # QA
+ append-flags -fno-strict-aliasing
+ append-flags -fno-strict-overflow
+ use keyutils || export ac_cv_header_keyutils_h=no
+ econf \
+ $(use_with openldap ldap) \
+ "$(use_with test tcl "${EPREFIX}/usr")" \
+ $(use_enable pkinit) \
+ $(use_enable threads thread-support) \
+ --without-hesiod \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --enable-dns-for-realm \
+ --enable-kdc-lookaside-cache \
+ --disable-rpath
+}
+
+src_compile() {
+ emake -j1 || die "emake failed"
+
+ if use doc ; then
+ cd ../doc
+ for dir in api implement ; do
+ emake -C "${dir}" || die "doc emake failed"
+ done
+ fi
+}
+
+src_install() {
+ emake \
+ DESTDIR="${D}" \
+ EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+ install || die "install failed"
+
+ # default database dir
+ keepdir /var/lib/krb5kdc
+
+ cd ..
+ dodoc NOTICE README
+ dodoc doc/*.{ps,txt}
+ doinfo doc/*.info*
+ dohtml -r doc/*.html
+
+ # die if we cannot respect a USE flag
+ if use doc ; then
+ dodoc doc/{api,implement}/*.ps || die "dodoc failed"
+ fi
+
+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind || die
+ newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc || die
+ newinitd "${FILESDIR}"/mit-krb5kpropd.initd mit-krb5kpropd || die
+
+ insinto /etc
+ newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+ insinto /var/lib/krb5kdc
+ newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+ if use openldap ; then
+ insinto /etc/openldap/schema
+ doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema" || die
+ fi
+
+ if use xinetd ; then
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}/kpropd.xinetd" kpropd || die
+ fi
+}
+
+pkg_preinst() {
+ if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
+ elog "MIT split the Kerberos applications from the base Kerberos"
+ elog "distribution. Kerberized versions of telnet, rlogin, rsh, rcp,"
+ elog "ftp clients and telnet, ftp deamons now live in"
+ elog "\"app-crypt/mit-krb5-appl\" package."
+ fi
+}
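Review bot: `src_unpack` extracts the inner `${MY_P}.tar.gz` from the `-signed.tar` wrapper without checking any signature, and `SRC_URI` fetches that wrapper over plain `http://`. The only integrity check on the sources is therefore the Manifest DIST digest, which is not among the Manifest lines visible on this page. A comment above the second `unpack` would record this, for example `# signature presumably shipped in the wrapper is not verified here; integrity relies on the Manifest DIST hashes`. Separately, EAPI 3 helpers do not abort on their own, and `cd ../doc` in `src_compile` and the two `newins ... .example` calls in `src_install` lack the `|| die` that the neighbouring `newinitd` and `doins` lines carry. Writing `cd ../doc || die` would keep a failed directory change from running `emake -C` in the wrong tree.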