authorMichael Hammer <mueli@gentoo.org>2009-02-12 09:28:40 +0000
committerMichael Hammer <mueli@gentoo.org>2009-02-12 09:28:40 +0000
commit959c36dd6b907dad8d208c3ebd094922c56b971c (patch)
tree3d0f6a13b51e3476b79baab1c3c7187d88922070 /sys-auth/pam_krb5
parentnow properly regenerating all plugin caches (diff)
version bump to pam_krb5-3.12 to fix security issue - see bug #257075
Package-Manager: portage-2.1.6.7/cvs/Linux x86_64 RepoMan-Options: --force
Diffstat (limited to 'sys-auth/pam_krb5')
-rw-r--r--sys-auth/pam_krb5/ChangeLog10
-rw-r--r--sys-auth/pam_krb5/Manifest5
-rw-r--r--sys-auth/pam_krb5/files/pam_krb5-3.12-CVE-20090211.patch194
-rw-r--r--sys-auth/pam_krb5/pam_krb5-3.12.ebuild39
4 files changed, 245 insertions, 3 deletions
diff --git a/sys-auth/pam_krb5/ChangeLog b/sys-auth/pam_krb5/ChangeLog
index 0887b303c2ab..230602083459 100644
--- a/sys-auth/pam_krb5/ChangeLog
+++ b/sys-auth/pam_krb5/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for sys-auth/pam_krb5
-# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/pam_krb5/ChangeLog,v 1.21 2008/09/20 09:49:33 dertobi123 Exp $
+# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/pam_krb5/ChangeLog,v 1.22 2009/02/12 09:28:40 mueli Exp $
+
+*pam_krb5-3.12 (12 Feb 2009)
+
+ 12 Feb 2009; Michael Hammer <mueli@gentoo.org>
+ +files/pam_krb5-3.12-CVE-20090211.patch, +pam_krb5-3.12.ebuild:
+ version bump to fix security issue - see bug #257075
20 Sep 2008; Tobias Scherbaum <dertobi123@gentoo.org>
pam_krb5-3.10.ebuild:
diff --git a/sys-auth/pam_krb5/Manifest b/sys-auth/pam_krb5/Manifest
index 16a6effb2419..2e86531aa76a 100644
--- a/sys-auth/pam_krb5/Manifest
+++ b/sys-auth/pam_krb5/Manifest
@@ -1,6 +1,9 @@
+AUX pam_krb5-3.12-CVE-20090211.patch 7309 RMD160 06d55aa90457db36c23e470dcba3d3851c8f345a SHA1 5f85c68623bb334f07f5ef9ac7f937ba49abc0c7 SHA256 d1bc55e80b24cf27d6a90a282d9c8696c30f18d68195e4c3f222b611d3b62052
DIST pam-krb5-3.10.tar.gz 156259 RMD160 bd6218660838a43789ffd123a03e1fe1318b2b62 SHA1 2aaae960239a0875efc239cc3bdc5ae685184809 SHA256 e1760284417a8a4b4ffe0889bffc8cf05869d5ead680d50931e714a1a97a86db
+DIST pam-krb5-3.12.tar.gz 153230 RMD160 053c6bce707c4f17986a64401bd688ed85cb240b SHA1 363b4c7a1031f134164190c2cf116f41170012ad SHA256 f5242f509212ab08cdf87b7f399469eca08ea8f3f885dc589d35b225d39b30db
DIST pam-krb5-3.9.tar.gz 147458 RMD160 d2e0956d05f74ffb0789b82e3d37af7c61e71d3a SHA1 3025f95252ddd9203f71f326434f273728bfcb2f SHA256 94f2604f084db50c48786a96285c5f98ff867a134282f6b5f43e951c20ef8969
EBUILD pam_krb5-3.10.ebuild 846 RMD160 dffe0f867f8c247d03216d4d739e237de28f0ae7 SHA1 70e53b38758a21e5baf83f19dd2268f1802fa0d1 SHA256 be94ffb1c359ec4c9358ca8c53cbc5314cb0f196c685e45c9a7ecb873453a7cb
+EBUILD pam_krb5-3.12.ebuild 933 RMD160 4cdbf93944b66c97ca1e830ecf5214ff0782d2bf SHA1 edd442efe420931aee70e30d2d6926a90eb7f5a2 SHA256 ec7a738346100b068050061af921fe7cefe0b021990c7b61242c1a0b870b0df5
EBUILD pam_krb5-3.9.ebuild 727 RMD160 3b4d5109db8fe280c611e759e8fa76a844600ecf SHA1 7509ee2adfae19357df89d8e5e75df937b7d2f9a SHA256 6bc67fac64851c2cacebda28e68b4fcd16ab399e81c8931ceb856618c97f8b92
-MISC ChangeLog 5035 RMD160 0e670497175b8c0a73cd928b26825eb458ab39fb SHA1 26837ab9c0082906be1fc856b30ac0f64b0b854d SHA256 61dd13ac32f76627d1c8c7c5845bf4ce8b1330e82fb06d7a3891ced3b3d0e4fb
+MISC ChangeLog 5231 RMD160 79df41eaa2f6cc8d983b461fb8e3c8f07de76cd8 SHA1 8b49756cb87b4421417501ba48c395b1fa7282be SHA256 fb3f7becd210d5abf20ba75d8fae9ad9736d3fd6e40fc50e3172a7bb30fe2e3a
MISC metadata.xml 286 RMD160 68591cbd444b09bf50d001e435ed79df0d08e989 SHA1 4fd7e6c6cc64f39891ccebb2f80d38c6ff5392cf SHA256 1dd58a36b818e19ef7c51584885c66e9fe669c6ecd1b364947a7a8e3b76980db
diff --git a/sys-auth/pam_krb5/files/pam_krb5-3.12-CVE-20090211.patch b/sys-auth/pam_krb5/files/pam_krb5-3.12-CVE-20090211.patch
new file mode 100644
index 000000000000..542679a42b6f
--- /dev/null
+++ b/sys-auth/pam_krb5/files/pam_krb5-3.12-CVE-20090211.patch
@@ -0,0 +1,194 @@
+diff --git a/api-auth.c b/api-auth.c
+index 55df461..f6af390 100644
+--- a/api-auth.c
++++ b/api-auth.c
+@@ -494,6 +494,37 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ if (reinit) {
+ const char *name, *k5name;
+
++ /*
++ * Solaris su calls pam_setcred as root with PAM_REINITIALIZE_CREDS,
++ * preserving the user-supplied environment. An xlock program may
++ * also do this if it's setuid root and doesn't drop credentials
++ * before calling pam_setcred.
++ *
++ * There isn't any safe way of reinitializing the exiting ticket cache
++ * for the user if we're setuid without calling setreuid(). Calling
++ * setreuid() is possible, but if the calling application is threaded,
++ * it will change credentials for the whole application, with possibly
++ * bizarre and unintended (and insecure) results. Trying to verify
++ * ownership of the existing ticket cache before using it fails under
++ * various race conditions (for example, having one of the elements of
++ * the path be a symlink and changing the target of that symlink
++ * between our check and the call to krb5_cc_resolve. Without calling
++ * setreuid(), we run the risk of replacing a file owned by another
++ * user with a credential cache.
++ *
++ * We could fail with an error in the setuid case, which would be
++ * maximally safe, but it would prevent use of the module for
++ * authentication with programs such as Solaris su. Failure to
++ * reinitialize the cache is normally not a serious problem, just a
++ * missing feature. We therefore log an error and exit with
++ * PAM_SUCCESS for the setuid case.
++ */
++ if (pamk5_compat_issetugid()) {
++ pamk5_error(args, "credential reinitialization in a setuid"
++ " context ignored");
++ pamret = PAM_SUCCESS;
++ goto done;
++ }
+ name = pamk5_get_krb5ccname(args, "KRB5CCNAME");
+ if (name == NULL)
+ name = krb5_cc_default_name(ctx->context);
+diff --git a/compat.c b/compat.c
+index e6ad6b0..1bf981d 100644
+--- a/compat.c
++++ b/compat.c
+@@ -24,6 +24,7 @@
+ # include <security/pam_modutil.h>
+ #endif
+ #include <stdlib.h>
++#include <unistd.h>
+
+ #if !defined(HAVE_KRB5_GET_ERROR_MESSAGE) && !defined(HAVE_KRB5_GET_ERR_TEXT)
+ # if !defined(HAVE_KRB5_GET_ERROR_STRING)
+@@ -146,6 +147,39 @@ pamk5_compat_free_error(krb5_context ctx, const char *msg)
+
+
+ /*
++ * AIX's NAS Kerberos implementation mysteriously provides the struct and the
++ * krb5_verify_init_creds function but not this function.
++ */
++#ifndef HAVE_KRB5_VERIFY_INIT_CREDS_OPT_INIT
++void
++krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *opt)
++{
++ opt->flags = 0;
++ opt->ap_req_nofail = 0;
++}
++#endif
++
++
++/*
++ * MIT provides a krb5_init_secure_context that ignores all the environment
++ * variables that may otherwise influence context creation. We call that
++ * function if we detect that we're setuid. Heimdal doesn't have this
++ * function, but instead automatically ignores the environment variables if it
++ * detects we're setuid. This means that we should be able to fall back
++ * safely to krb5_init_context if krb5_init_secure_context isn't available.
++ */
++krb5_error_code
++pamk5_compat_secure_context(krb5_context *ctx)
++{
++#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
++ return krb5_init_secure_context(ctx);
++#else
++ return krb5_init_context(ctx);
++#endif
++}
++
++
++/*
+ * Linux PAM provides a thread-safe version of getpwnam that we want to use if
+ * available. If it's not, fall back on getpwnam. (Ideally, we should check
+ * for getpwnam_r and use it, but I haven't written that routine.)
+@@ -162,14 +196,19 @@ pamk5_compat_getpwnam(struct pam_args *args UNUSED, const char *user)
+
+
+ /*
+- * AIX's NAS Kerberos implementation mysteriously provides the struct and the
+- * krb5_verify_init_creds function but not this function.
++ * Call the Solaris issetugid function if available. If not, check whether
++ * the real and effective UIDs and GIDs match.
+ */
+-#ifndef HAVE_KRB5_VERIFY_INIT_CREDS_OPT_INIT
+-void
+-krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *opt)
++int
++pamk5_compat_issetugid(void)
+ {
+- opt->flags = 0;
+- opt->ap_req_nofail = 0;
+-}
++#ifdef HAVE_ISSETUGID
++ return issetugid();
++#else
++ if (getuid() != geteuid())
++ return 1;
++ if (getgid() != getegid())
++ return 1;
++ return 0;
+ #endif
++}
+diff --git a/configure.ac b/configure.ac
+index 6835a2d..2d04f58 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -21,6 +22,10 @@ AC_PROG_MAKE_SET
+ AC_CANONICAL_HOST
+ AC_AIX
+
++dnl Check for the Solaris issetugid function, which is nicer than comparing
++dnl real and effective UIDs and GIDs.
++AC_CHECK_FUNCS([issetugid])
++
+ dnl Probe for the functionality of the PAM libraries and their include file
+ dnl naming. Mac OS X puts them in pam/* instead of security/*.
+ AC_SEARCH_LIBS([pam_set_data], [pam])
+@@ -46,6 +51,7 @@ AC_CHECK_FUNCS([krb5_appdefault_string \
+ krb5_get_init_creds_opt_set_change_password_prompt \
+ krb5_get_init_creds_opt_set_default_flags \
+ krb5_get_init_creds_opt_set_pa \
++ krb5_init_secure_context \
+ krb5_verify_init_creds_opt_init])
+ AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_pkinit],
+ [RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT_ARGS])
+diff --git a/context.c b/context.c
+index 9a70aa7..8475d81 100644
+--- a/context.c
++++ b/context.c
+@@ -66,7 +66,10 @@ pamk5_context_new(struct pam_args *args)
+ goto done;
+ }
+ ctx->name = strdup(name);
+- retval = krb5_init_context(&ctx->context);
++ if (pamk5_compat_issetugid())
++ retval = pamk5_compat_secure_context(&ctx->context);
++ else
++ retval = krb5_init_context(&ctx->context);
+ if (retval != 0) {
+ pamk5_error_krb5(args, "krb5_init_context", retval);
+ retval = PAM_SERVICE_ERR;
+diff --git a/internal.h b/internal.h
+index 48c5b74..7356e8a 100644
+--- a/internal.h
++++ b/internal.h
+@@ -247,6 +247,12 @@ krb5_error_code pamk5_compat_set_realm(struct pam_args *, const char *)
+ __attribute__((__visibility__("hidden")));
+ void pamk5_compat_free_realm(struct pam_args *)
+ __attribute__((__visibility__("hidden")));
++krb5_error_code pamk5_compat_secure_context(krb5_context *)
++ __attribute__((__visibility__("hidden")));
++
++/* Calls issetugid if available, otherwise checks effective IDs. */
++int pamk5_compat_issetugid(void)
++ __attribute__((__visibility__("hidden")));
+
+ /* Calls pam_modutil_getpwnam if available, otherwise getpwnam. */
+ struct passwd *pamk5_compat_getpwnam(struct pam_args *, const char *)
+diff --git a/options.c b/options.c
+index b03ee0a..e8f9da5 100644
+--- a/options.c
++++ b/options.c
+@@ -276,7 +276,10 @@ pamk5_args_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ * proceed; we'll die soon enough later and this way we'll die after we
+ * know whether to debug things.
+ */
+- retval = krb5_init_context(&c);
++ if (pamk5_compat_issetugid())
++ retval = pamk5_compat_secure_context(&c);
++ else
++ retval = krb5_init_context(&c);
+ if (retval != 0)
+ c = NULL;
+ if (c != NULL) {
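Review bot: The `#else` branch of `pamk5_compat_issetugid` in compat.c compares only the current real and effective IDs, so on platforms without `issetugid()` a caller that started setuid and has since made its real and effective IDs equal is reported as not setuid. In that case the new guard in `pam_sm_setcred` and the `pamk5_compat_secure_context` calls in context.c and options.c are all skipped, and the code takes the same path as before the patch. I would document the limit on the fallback, for example `/* Only a current real/effective mismatch is detected; a process that began setuid and later equalized its IDs is not. */`, and align the internal.h comment, which says only "checks effective IDs". Separately, `pamk5_compat_secure_context` falls back to plain `krb5_init_context` when `krb5_init_secure_context` is missing; that is safe only if the library behaves like Heimdal as the comment assumes, so the comment should state that assumption explicitly. The bodies of `pam_sm_setcred`, `pamk5_context_new` and `pamk5_args_parse` continue outside the quoted hunks.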
diff --git a/sys-auth/pam_krb5/pam_krb5-3.12.ebuild b/sys-auth/pam_krb5/pam_krb5-3.12.ebuild
new file mode 100644
index 000000000000..b760efd47aba
--- /dev/null
+++ b/sys-auth/pam_krb5/pam_krb5-3.12.ebuild
@@ -0,0 +1,39 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/pam_krb5/pam_krb5-3.12.ebuild,v 1.1 2009/02/12 09:28:40 mueli Exp $
+
+inherit multilib eutils pam
+
+DESCRIPTION="Kerberos 5 PAM Authentication Module"
+HOMEPAGE="http://www.eyrie.org/~eagle/software/pam-krb5/"
+SRC_URI="http://archives.eyrie.org/software/ARCHIVE/pam-krb5/pam-krb5-${PV}.tar.gz"
+
+LICENSE="|| ( BSD-2 GPL-2 )"
+SLOT="0"
+KEYWORDS="amd64 ~ppc ~sparc x86"
+IUSE="doc"
+
+DEPEND="virtual/krb5"
+RDEPEND="${DEPEND}"
+S="${WORKDIR}/${P/_/-}"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ epatch "${FILESDIR}/${P}-CVE-20090211.patch"
+}
+
+src_compile() {
+ econf \
+ --libdir=/$(get_libdir)\
+ || die "econf failed"
+ emake || die "emake failed"
+}
+
+src_install() {
+ newpammod pam_krb5.so pam_krb5.so
+ if use doc; then
+ doman pam_krb5.5
+ dodoc CHANGES CHANGES-old NEWS README TODO
+ fi;
+}
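Review bot: `src_unpack` applies `${P}-CVE-20090211.patch` without a comment saying what it fixes, and the file name carries a date rather than a CVE identifier. The ebuild alone therefore does not tell a later maintainer that the patch is security-relevant and must be carried across the next bump unless upstream already contains it. I would add above the `epatch` line `# Security fix for setuid handling, see bug #257075; keep until upstream includes it`. The `cd "${S}"` before it is also unchecked; `cd "${S}" || die "cd failed"` would match the `|| die` style already used in `src_compile`.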