-rw-r--r-- | app-crypt/mit-krb5/ChangeLog | 9 | ||||
-rw-r--r-- | app-crypt/mit-krb5/Manifest | 5 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch | 48 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2009-0846.patch | 40 | ||||
-rw-r--r-- | app-crypt/mit-krb5/mit-krb5-1.6.3-r6.ebuild | 108 |
5 files changed, 208 insertions, 2 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog index 9ac6a081b206..7460f60b4d74 100644 --- a/app-crypt/mit-krb5/ChangeLog +++ b/app-crypt/mit-krb5/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for app-crypt/mit-krb5 # Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.206 2009/03/27 21:41:44 jer Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.207 2009/04/08 14:29:10 mueli Exp $ + +*mit-krb5-1.6.3-r6 (08 Apr 2009) + + 08 Apr 2009; Michael Hammer <mueli@gentoo.org> + +files/CVE-2009-0844+CVE-2009-0847.patch, +files/CVE-2009-0846.patch, + +mit-krb5-1.6.3-r6.ebuild: + added mit-krb5-1.6.3-r6 - see bug #263398 27 Mar 2009; Jeroen Roovers <jer@gentoo.org> mit-krb5-1.6.3-r5.ebuild: Stable for HPPA (bug #262736). diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest index 84cd1e29d8b6..abbbe798654b 100644 --- a/app-crypt/mit-krb5/Manifest +++ b/app-crypt/mit-krb5/Manifest 
@@ -1,4 +1,6 @@ AUX 1.6-MITKRB5-SA-2008-001.patch 11080 RMD160 12415f2329536352cd4d4aaa340951771b1e5114 SHA1 0cc2549ab6fd44180b3cdf4327efeaa6fe43b6e2 SHA256 0af6931dd33d9a2622714de3e06e68dde0d6e9215d9b08c478a441ce7fb6d7a6 +AUX CVE-2009-0844+CVE-2009-0847.patch 2075 RMD160 eba543da0eafa13158a71947bf22783292d23951 SHA1 087e0dfcdff3dd08b9085fda47099c438871488d SHA256 abdff5ffb07b57d6156722ea6ee12a73ae3337ff05687e384a59989074ab4316 +AUX CVE-2009-0846.patch 1682 RMD160 80292c97735b2e45eb450d2c8f6c30e6b0dbf199 SHA1 4bde9e943f4604bfde41cb91f923c123716add71 SHA256 71914affe6f8623b44f3b8ac9c98a83783e41200f8965ea5d68e7fb8a4bc3088 AUX MITKRB5-SA-2008-002.patch 1505 RMD160 35bb24ae802b532836810588e13c775ef8522cc1 SHA1 70fb0d83da33eb3e00355a11894c37f7c9d2b9aa SHA256 8e84a55080461f117f61501550c364f9ac25d9079601281a0d413bff664fc386 AUX mit-krb5-lazyldflags.patch 509 RMD160 47515882e93e0db7db6980a4460a01f2cbc3f382 SHA1 db880ff82bd72afd2815a8e8d345c815c2769715 SHA256 272b3a18303b43c64bbcc1da9bcb7cd60d56337700d84c78741c7096c18044d5 AUX mit-krb5kadmind.initd 687 RMD160 7602d12d570e80edf24953befbe4ec03d247e4ba SHA1 753a5875659d3bef63c1a50bb0228f1c3c06bdf9 SHA256 427953b3a2dbe0a8f85bee1294a348c97dbbdac4741f06c2a3768170ba29161a 
@@ -10,5 +12,6 @@ DIST mit-krb5-1.6.3-patches-0.5.tar.bz2 5317 RMD160 423c728e6f399fb4605373495a36 EBUILD mit-krb5-1.6.3-r3.ebuild 2755 RMD160 9002c52b81fc1dfce676ac6acd03fb14e82a0ace SHA1 4d394249c151156bd714703b8567fd99e98fb203 SHA256 35a0dddb4b83b16753ddf1c2fdde0216ab074f7ba4498d864ebcdca3014c5550 EBUILD mit-krb5-1.6.3-r4.ebuild 2702 RMD160 314eeeb4f167b6d2a6916b46ec2f675974d3fc8d SHA1 f0ba7d0ea99e973ef4fbddb2e241580bce694968 SHA256 6ea5d318dd7c1cc97e3d7ee9430257241c4a49010e6c61b94697cdf3c0dad9cf EBUILD mit-krb5-1.6.3-r5.ebuild 2697 RMD160 45ab89f2f008de9a4c2e58720e55d4d616e50c99 SHA1 1f94e676bdeb18370bb47d3c17ffd76eeddf4009 SHA256 f915bf7dbd546d20f46d72485d5c7d268d5be6cd411a8288fbd99238d55a8387 -MISC ChangeLog 33387 RMD160 363fc7b8a793aac2492daa7038ffcb083dfa6009 SHA1 63558ecc32e0f848ea612c9cb21179c980a97b18 SHA256 b16a46bbd3d34ceec4d197b54107ae9b18f2241a373bf6123fec3fe8ab1c45ce +EBUILD mit-krb5-1.6.3-r6.ebuild 2809 RMD160 8654fe9c4819e259ade76109c108c34690d90bdb SHA1 6b3033695aafb9817a9fde55cd255e82f641a2b1 SHA256 678650a376c9664e182f2a8b21ff00bc4158c9310a4ec4a37ae3bd95ba58d284 +MISC ChangeLog 33618 RMD160 eae1bb1ab926956af44a12ae2b881181bc9606bb SHA1 af23bcfc9acef789d244c8138f10506a33d3876c SHA256 2e897ddf244f0887575d7c786497893b816616d3b7a862ea8595f9846f9cada9 MISC metadata.xml 639 RMD160 5e0f0a281fd7c2db9cef027d510f4f65fe769e2e SHA1 5ff055ed4d8a80384cba07293c41dd10983d2792 SHA256 fe666e55cb89f0dda7aa81fefe167f1cf2934053c83f1ee147781c34b7f28595 diff --git a/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch b/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch new file mode 100644 index 000000000000..310963c2390a --- /dev/null +++ b/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch 
@@ -0,0 +1,48 @@
+Index: krb5-1.6.3/src/lib/gssapi/spnego/spnego_mech.c
+===================================================================
+--- krb5-1.6.3.orig/src/lib/gssapi/spnego/spnego_mech.c
++++ krb5-1.6.3/src/lib/gssapi/spnego/spnego_mech.c
+@@ -1815,7 +1815,8 @@ get_input_token(unsigned char **buff_in,
+ return (NULL);
+
+ input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes);
+- if ((int)input_token->length == -1) {
++ if ((int)input_token->length == -1 ||
++ input_token->length > buff_length) {
+ free(input_token);
+ return (NULL);
+ }
+Index: krb5-1.6.3/src/lib/krb5/asn.1/asn1buf.c
+===================================================================
+--- krb5-1.6.3.orig/src/lib/krb5/asn.1/asn1buf.c
++++ krb5-1.6.3/src/lib/krb5/asn.1/asn1buf.c
+@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1bu
+
+ asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
+ {
++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+ subbuf->base = subbuf->next = buf->next;
+ if (!indef) {
++ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
+ subbuf->bound = subbuf->base + length - 1;
+- if (subbuf->bound > buf->bound)
+- return ASN1_OVERRUN;
+ } else /* constructed indefinite */
+ subbuf->bound = buf->bound;
+ return 0;
+@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstri
+ {
+ int i;
+
++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+ if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+ if (len == 0) {
+ *s = 0;
+@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstrin
+ {
+ int i;
+
++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+ if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+ if (len == 0) {
+ *s = 0;
diff --git a/app-crypt/mit-krb5/files/CVE-2009-0846.patch b/app-crypt/mit-krb5/files/CVE-2009-0846.patch
new file mode 100644
index 000000000000..efbb9af889ee
--- /dev/null
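Review bot: In the get_input_token hunk the new bound compares `input_token->length` with `buff_length`, the same value that was passed to `gssint_get_der_length` before it reported `bytes` length octets, so the check may still accept a token slightly longer than the data that is left. If `buff_length` is not reduced elsewhere (the rest of the function is outside the hunk), comparing against the remaining size, e.g. `input_token->length > buff_length - bytes` once `bytes <= buff_length` is known, would be tighter. In asn1buf.c the two `asn1buf_remove_*` functions keep the mixed signed/unsigned comparison `len > buf->bound + 1 - buf->next`, while `asn1buf_imbed` now casts the difference to `size_t`. Using the same cast in all three, plus a short comment that `bound` is the last valid byte, would make the reliance on the new `buf->next > buf->bound + 1` guard explicit.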
+++ b/app-crypt/mit-krb5/files/CVE-2009-0846.patch
@@ -0,0 +1,40 @@
+diff --git a/src/lib/krb5/asn.1/asn1_decode.c
+b/src/lib/krb5/asn.1/asn1_decode.c
+index aa4be32..5f7461d 100644
+--- a/src/lib/krb5/asn.1/asn1_decode.c
++++ b/src/lib/krb5/asn.1/asn1_decode.c
+@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)
+
+ if(length != 15) return ASN1_BAD_LENGTH;
+ retval = asn1buf_remove_charstring(buf,15,&s);
++ if (retval) return retval;
+ /* Time encoding: YYYYMMDDhhmmssZ */
+ if(s[14] != 'Z') {
+ free(s);
+diff --git a/src/tests/asn.1/krb5_decode_test.c
+b/src/tests/asn.1/krb5_decode_test.c
+index 0ff9343..1c427d1 100644
+--- a/src/tests/asn.1/krb5_decode_test.c
++++ b/src/tests/asn.1/krb5_decode_test.c
+@@ -485,5 +485,21 @@ int main(argc, argv)
+ ktest_destroy_keyblock(&(ref.subkey));
+ ref.seq_number = 0;
+ decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
++
++ retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
++ if (retval) {
++ com_err("krb5_decode_test", retval, "while parsing");
++ exit(1);
++ }
++ retval = decode_krb5_ap_rep_enc_part(&code, &var);
++ if (retval != ASN1_OVERRUN) {
++ printf("ERROR: ");
++ } else {
++ printf("OK: ");
++ }
++ printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
++ krb5_free_data_contents(test_context, &code);
++ krb5_free_ap_rep_enc_part(test_context, var);
++
+ ktest_empty_ap_rep_enc_part(&ref);
+ }
diff --git a/app-crypt/mit-krb5/mit-krb5-1.6.3-r6.ebuild b/app-crypt/mit-krb5/mit-krb5-1.6.3-r6.ebuild
new file mode 100644
index 000000000000..b0a37c69df30
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.6.3-r6.ebuild
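Review bot: The new krb5_decode_test.c case only prints `ERROR: ` when the decoder returns something other than `ASN1_OVERRUN`, and nothing visible in the hunk records the failure. A regression of this fix would therefore not change the program's exit status unless main() counts failures outside the lines shown. The `ERROR` branch should feed whatever failure accounting the file uses, or `exit(1)` as the parse-failure branch just above it does. The same block calls `krb5_free_ap_rep_enc_part(test_context, var)` after a decode that is expected to fail, which is safe only if the decoder leaves `var` in a state that function accepts; that contract is not visible here and deserves a one-line comment. In asn1_decode.c the early `if (retval) return retval;` is what keeps `s` from being read and freed unset, so initialising `s` to NULL at its declaration (outside the hunk) would be cheap defence in depth.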
@@ -0,0 +1,108 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.6.3-r6.ebuild,v 1.1 2009/04/08 14:29:10 mueli Exp $
+
+inherit eutils flag-o-matic versionator autotools
+
+PATCHV="0.5"
+MY_P=${P/mit-}
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar
+ mirror://gentoo/${P}-patches-${PATCHV}.tar.bz2"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="krb4 doc"
+
+RDEPEND="!virtual/krb5
+ >=sys-libs/e2fsprogs-libs-1.41.0"
+DEPEND="${RDEPEND}
+ doc? ( virtual/latex-base )"
+
+S=${WORKDIR}/${MY_P}/src
+
+PROVIDE="virtual/krb5"
+
+src_unpack() {
+ unpack ${A}
+ unpack ./${MY_P}.tar.gz
+ cd "${S}"
+ EPATCH_SUFFIX="patch" epatch "${PATCHDIR}"
+ epatch "${FILESDIR}/CVE-2009-0844+CVE-2009-0847.patch"
+ epatch "${FILESDIR}/CVE-2009-0846.patch"
+ einfo "Regenerating configure scripts (be patient)"
+ local subdir
+ for subdir in $(find . -name configure.in \
+ | xargs grep -l 'AC_CONFIG_SUBDIRS' \
+ | sed 's@/configure\.in$@@'); do
+ ebegin "Regenerating configure script in ${subdir}"
+ cd "${S}"/${subdir}
+ eautoconf --force -I "${S}"
+ eend $?
+ done
+}
+
+src_compile() {
+ # needed to work with sys-libs/e2fsprogs-libs <- should be removed!!
+ append-flags "-I/usr/include/et"
+ econf \
+ $(use_with krb4) \
+ --enable-shared \
+ --with-system-et --with-system-ss \
+ --enable-dns-for-realm \
+ --enable-kdc-replay-cache || die
+
+ emake -j1 || die
+
+ if use doc ; then
+ cd ../doc
+ for dir in api implement ; do
+ make -C "${dir}" || die
+ done
+ fi
+}
+
+src_test() {
+ einfo "Tests do not run in sandbox, have a lot of dependencies and are therefore completely disabled."
+}
+
+src_install() {
+ emake \
+ DESTDIR="${D}" \
+ EXAMPLEDIR=/usr/share/doc/${PF}/examples \
+ install || die
+
+ keepdir /var/lib/krb5kdc
+
+ cd ..
+ dodoc README
+ dodoc doc/*.ps
+ doinfo doc/*.info*
+ dohtml -r doc/*
+
+ use doc && dodoc doc/{api,implement}/*.ps
+
+ for i in {telnetd,ftpd} ; do
+ mv "${D}"/usr/share/man/man8/${i}.8 "${D}"/usr/share/man/man8/k${i}.8
+ mv "${D}"/usr/sbin/${i} "${D}"/usr/sbin/k${i}
+ done
+
+ for i in {rcp,rlogin,rsh,telnet,ftp} ; do
+ mv "${D}"/usr/share/man/man1/${i}.1 "${D}"/usr/share/man/man1/k${i}.1
+ mv "${D}"/usr/bin/${i} "${D}"/usr/bin/k${i}
+ done
+
+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind
+ newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc
+
+ insinto /etc
+ newins "${D}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+ newins "${D}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+}
+
+pkg_postinst() {
+ elog "See /usr/share/doc/${PF}/html/krb5-admin.html for documentation."
+} |
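Review bot: `src_test()` is reduced to an `einfo`, so the ASN1_OVERRUN regression case that files/CVE-2009-0846.patch adds to krb5_decode_test.c is never run for this revision. Nothing at build time confirms that the patched decoder rejects the malformed input. If the full suite cannot run in the sandbox, consider building and running only the asn.1 decode test, or add a comment such as `# security regression test from CVE-2009-0846.patch is not run here`. Separately, `unpack ./${MY_P}.tar.gz` extracts the inner tarball of the `-signed.tar` fetched over `http://` without checking the signature that presumably sits beside it, so integrity rests on the Manifest digests alone. The loop variables `dir` and `i` in src_compile and src_install are not declared `local`, unlike `subdir`.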