Date: Monday, August 11, 2014 @ 23:19:33 Author: eric Revision: 219583
archrelease: copy trunk to testing-i686, testing-x86_64 Added: krb5/repos/testing-i686/ krb5/repos/testing-i686/PKGBUILD (from rev 219582, krb5/trunk/PKGBUILD) krb5/repos/testing-i686/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch (from rev 219582, krb5/trunk/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch) krb5/repos/testing-i686/krb5-config_LDFLAGS.patch (from rev 219582, krb5/trunk/krb5-config_LDFLAGS.patch) krb5/repos/testing-i686/krb5-kadmind.service (from rev 219582, krb5/trunk/krb5-kadmind.service) krb5/repos/testing-i686/krb5-kdc.service (from rev 219582, krb5/trunk/krb5-kdc.service) krb5/repos/testing-i686/krb5-kpropd.service (from rev 219582, krb5/trunk/krb5-kpropd.service) krb5/repos/testing-i686/krb5-kpropd.socket (from rev 219582, krb5/trunk/krb5-kpropd.socket) krb5/repos/testing-i686/krb5-kpropd@.service (from rev 219582, krb5/trunk/krb5-kpropd@.service) krb5/repos/testing-x86_64/ krb5/repos/testing-x86_64/PKGBUILD (from rev 219582, krb5/trunk/PKGBUILD) krb5/repos/testing-x86_64/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch (from rev 219582, krb5/trunk/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch) krb5/repos/testing-x86_64/krb5-config_LDFLAGS.patch (from rev 219582, krb5/trunk/krb5-config_LDFLAGS.patch) krb5/repos/testing-x86_64/krb5-kadmind.service (from rev 219582, krb5/trunk/krb5-kadmind.service) krb5/repos/testing-x86_64/krb5-kdc.service (from rev 219582, krb5/trunk/krb5-kdc.service) krb5/repos/testing-x86_64/krb5-kpropd.service (from rev 219582, krb5/trunk/krb5-kpropd.service) krb5/repos/testing-x86_64/krb5-kpropd.socket (from rev 219582, krb5/trunk/krb5-kpropd.socket) krb5/repos/testing-x86_64/krb5-kpropd@.service (from rev 219582, krb5/trunk/krb5-kpropd@.service) --------------------------------------------------------------------+ testing-i686/PKGBUILD | 142 ++++++++++ testing-i686/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch | 64 ++++ testing-i686/krb5-config_LDFLAGS.patch | 12 testing-i686/krb5-kadmind.service | 
8 testing-i686/krb5-kdc.service | 9 testing-i686/krb5-kpropd.service | 8 testing-i686/krb5-kpropd.socket | 9 testing-i686/krb5-kpropd@.service | 8 testing-x86_64/PKGBUILD | 142 ++++++++++ testing-x86_64/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch | 64 ++++ testing-x86_64/krb5-config_LDFLAGS.patch | 12 testing-x86_64/krb5-kadmind.service | 8 testing-x86_64/krb5-kdc.service | 9 testing-x86_64/krb5-kpropd.service | 8 testing-x86_64/krb5-kpropd.socket | 9 testing-x86_64/krb5-kpropd@.service | 8 16 files changed, 520 insertions(+)
Copied: krb5/repos/testing-i686/PKGBUILD (from rev 219582, krb5/trunk/PKGBUILD)
===================================================================
--- testing-i686/PKGBUILD (rev 0)
+++ testing-i686/PKGBUILD 2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,142 @@
+# $Id$
+# Maintainer: Stéphane Gaudreault <steph...@archlinux.org>
+
+pkgname=krb5
+pkgver=1.12.1
+pkgrel=2
+pkgdesc="The Kerberos network authentication system"
+arch=('i686' 'x86_64')
+url="http://web.mit.edu/kerberos/"
+license=('custom')
+depends=('e2fsprogs' 'libldap' 'keyutils')
+makedepends=('perl')
+backup=('etc/krb5.conf' 'var/lib/krb5kdc/kdc.conf')
+options=('!emptydirs')
+source=(http://web.mit.edu/kerberos/dist/krb5/${pkgver%.*}/${pkgname}-${pkgver}-signed.tar
+ krb5-config_LDFLAGS.patch
+ krb5-kadmind.service
+ krb5-kdc.service
+ krb5-kpropd.service
+ krb5-kpropd@.service
+ krb5-kpropd.socket
+ krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch)
+sha1sums=('d59e8dc0fc9e1890e109cd033756539984e3d3fe'
+ 'f125824ed37f31e6fd2fdb6a437be8ff1c3700ab'
+ '59bbc7e686cbb4bcefddf0f134d928d7bd5e7722'
+ '2ef2476a8673b3b702e829d8f451c839c2273b02'
+ '74d66aefd291f22dd80799f0437cc03d83083ed5'
+ '6787c6ce2783b3f980c423e2dd4abf5236af670b'
+ 'f3677d30dbbd7106c581379c2c6ebb1bf7738912'
+ '8273976824137df1d42a4f9c7bafdfbd92f27d0a')
+
+prepare() {
+ # the signature and source are bundled together, so signature check needs to be done here
+ _check_pgpsig
+
+ tar -xf ${pkgname}-${pkgver}.tar.gz
+ cd ${pkgname}-${pkgver}
+ # cf https://bugs.gentoo.org/show_bug.cgi?id=448778
+ patch -p1 -i "${srcdir}"/krb5-config_LDFLAGS.patch
+ patch -p1 -i "${srcdir}"/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch
+
+ # FS#25384
+ sed -i "/KRB5ROOT=/s/\/local//" src/util/ac_check_krb5.m4
+}
+
+build() {
+ cd ${pkgname}-${pkgver}/src
+ export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all"
+ export CPPFLAGS+=" -I/usr/include/et"
+ ./configure --prefix=/usr \
+ --sbindir=/usr/bin \
+ --sysconfdir=/etc \
+ --localstatedir=/var/lib \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --disable-rpath \
+ --without-tcl \
+ --enable-dns-for-realm \
+ --with-ldap \
+ --without-system-verto
+ make
+}
+
+package() {
+ cd ${pkgname}-${pkgver}/src
+ make DESTDIR="${pkgdir}" EXAMPLEDIR=/usr/share/doc/${pkgname}/examples install
+
+ # Fix FS#29889
+ install -m 644 plugins/kdb/ldap/libkdb_ldap/kerberos.{ldif,schema} "${pkgdir}"/usr/share/doc/${pkgname}/examples
+
+ # Sample KDC config file
+ install -dm 755 "${pkgdir}"/var/lib/krb5kdc
+ install -pm 644 config-files/kdc.conf "${pkgdir}"/var/lib/krb5kdc/kdc.conf
+
+ # Default configuration file
+ install -dm 755 "${pkgdir}"/etc
+ install -pm 644 config-files/krb5.conf "${pkgdir}"/etc/krb5.conf
+
+ install -dm 755 "${pkgdir}"/usr/share/aclocal
+ install -m 644 util/ac_check_krb5.m4 "${pkgdir}"/usr/share/aclocal
+
+ install -Dm644 "${srcdir}"/${pkgname}-${pkgver}/NOTICE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE
+
+ # systemd stuff
+ install -dm 755 "${pkgdir}"/usr/lib/systemd/system
+ install -m 644 ../../krb5-{kadmind.service,kdc.service,kpropd.service,kpropd@.service,kpropd.socket} \
+ "${pkgdir}"/usr/lib/systemd/system
+}
+
+_check_pgpsig() {
+ (( SKIPPGPCHECK )) && return 0
+
+ msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
+
+ local file=${pkgname}-${pkgver}.tar.gz.asc
+ local sourcefile=${file%.*}
+ local pubkey
+ local warning=0
+ local errors=0
+ local statusfile=$(mktemp)
+
+ printf " %s ... " "${file%.*}" >&2
+
+ if ! gpg --quiet --batch --status-file "$statusfile" --verify "$file" "$sourcefile" 2> /dev/null; then
+ printf "FAILED" >&2
+ if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' "$statusfile"); then
+ printf " (unknown public key $pubkey)" >&2
+ warnings=1
+ else
+ errors=1
+ fi
+ printf '\n' >&2
+ else
+ if grep -q "REVKEYSIG" "$statusfile"; then
+ printf "FAILED (the key has been revoked.)" >&2
+ errors=1
+ else
+ printf "Passed" >&2
+ if grep -q "EXPSIG" "$statusfile"; then
+ printf " (WARNING: the signature has expired.)" >&2
+ warnings=1
+ elif grep -q "EXPKEYSIG" "$statusfile"; then
+ printf " (WARNING: the key has expired.)" >&2
+ warnings=1
+ fi
+ fi
+ printf '\n' >&2
+ fi
+
+ rm -f "$statusfile"
+
+ if (( errors )); then
+ error "One or more PGP signatures could not be verified!"
+ exit 1
+ fi
+
+ if (( warnings )); then
+ warning "Warnings have occurred while verifying the signatures."
+ plain "Please make sure you really trust them."
+ fi
+}
Copied: krb5/repos/testing-i686/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch (from rev 219582, krb5/trunk/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch)
===================================================================
--- testing-i686/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch (rev 0)
+++ testing-i686/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch 2014-08-11 21:19:33 UTC (rev 219583)
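Review bot: In `_check_pgpsig`, a failed `gpg --verify` caused by a missing public key (the `NO_PUBKEY` branch) only sets `warnings=1`, so the build continues with a tarball whose signature was never checked; that branch should fail closed with `errors=1`. The function also declares `local warning=0` but assigns and tests `warnings`, so the counter is an undeclared global; the declaration should read `local warnings=0`. A passing check accepts a good signature from any key in the builder's keyring, so comparing the fingerprint on the `VALIDSIG` status line with the expected upstream release key would tie the result to the intended signer. The same function is copied unchanged into testing-x86_64/PKGBUILD.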
@@ -0,0 +1,64 @@
+From 81c332e29f10887c6b9deb065f81ba259f4c7e03 Mon Sep 17 00:00:00 2001
+From: Tomas Kuthan <tkut...@gmail.com>
+Date: Fri, 1 Aug 2014 15:25:50 +0200
+Subject: [PATCH] Fix LDAP key data segmentation [CVE-2014-4345]
+
+For principal entries having keys with multiple kvnos (due to use of
+-keepold), the LDAP KDB module makes an attempt to store all the keys
+having the same kvno into a single krbPrincipalKey attribute value.
+There is a fencepost error in the loop, causing currkvno to be set to
+the just-processed value instead of the next kvno. As a result, the
+second and all following groups of multiple keys by kvno are each
+stored in two krbPrincipalKey attribute values. Fix the loop to use
+the correct kvno value.
+
+CVE-2014-4345:
+
+In MIT krb5, when kadmind is configured to use LDAP for the KDC
+database, an authenticated remote attacker can cause it to perform an
+out-of-bounds write (buffer overrun) by performing multiple cpw
+-keepold operations. An off-by-one error while copying key
+information to the new database entry results in keys sharing a common
+kvno being written to different array buckets, in an array whose size
+is determined by the number of kvnos present. After sufficient
+iterations, the extra writes extend past the end of the
+(NULL-terminated) array. The NULL terminator is always written after
+the end of the loop, so no out-of-bounds data is read, it is only
+written.
+
+Historically, it has been possible to convert an out-of-bounds write
+into remote code execution in some cases, though the necessary
+exploits must be tailored to the individual application and are
+usually quite complicated. Depending on the allocated length of the
+array, an out-of-bounds write may also cause a segmentation fault
+and/or application crash.
+
+ CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
+
+[ghud...@mit.edu: clarified commit message]
+[ka...@mit.edu: CVE summary, CVSSv2 vector]
+
+ticket: 7980 (new)
+target_version: 1.12.2
+tags: pullup
+---
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index ce851ea..df5934c 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
+ j++;
+ last = i + 1;
+
+- currkvno = key_data[i].key_data_kvno;
++ if (i < n_key_data - 1)
++ currkvno = key_data[i + 1].key_data_kvno;
+ }
+ }
+ ret[num_versions] = NULL;
+--
+2.0.3
+
Copied: krb5/repos/testing-i686/krb5-config_LDFLAGS.patch (from rev 219582, krb5/trunk/krb5-config_LDFLAGS.patch)
===================================================================
--- testing-i686/krb5-config_LDFLAGS.patch (rev 0)
+++ testing-i686/krb5-config_LDFLAGS.patch 2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,12 @@
+Bug #448778
+--- krb5-1.11/src/build-tools/krb5-config.in 2012-12-18 02:47:04.000000000 +0000
++++ krb5-1.11/src/build-tools/krb5-config.in 2012-12-28 07:13:16.582693363 +0000
+@@ -217,7 +217,7 @@
+ -e 's#\$(PROG_RPATH)#'$libdir'#' \
+ -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \
+ -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
+- -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
++ -e 's#\$(LDFLAGS)##' \
+ -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
+ -e 's#\$(CFLAGS)##'`
+
Copied: krb5/repos/testing-i686/krb5-kadmind.service (from rev 219582, krb5/trunk/krb5-kadmind.service)
===================================================================
--- testing-i686/krb5-kadmind.service (rev 0)
+++ testing-i686/krb5-kadmind.service 2014-08-11 21:19:33 UTC (rev 219583)
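Review bot: The added guard `if (i < n_key_data - 1)` corrects which kvno opens the next group, but nothing visible in this hunk bounds `j` against `num_versions` before the next slot of `ret` is used. The commit message says the array is sized by the number of kvnos present, so the overrun would presumably return if the keys ever arrived not grouped by kvno or if the two counts disagreed. An explicit `j < num_versions` check before each store into `ret`, failing the encode when it does not hold, would turn such a mismatch into an error instead of an out-of-bounds write. The body of `krb5_encode_krbsecretkey` starts and ends outside the hunk, so the stores themselves are not shown here; the same patch file is copied to testing-x86_64.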
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 administration server
+
+[Service]
+ExecStart=/usr/bin/kadmind -nofork
+
+[Install]
+WantedBy=multi-user.target
Copied: krb5/repos/testing-i686/krb5-kdc.service (from rev 219582, krb5/trunk/krb5-kdc.service)
===================================================================
--- testing-i686/krb5-kdc.service (rev 0)
+++ testing-i686/krb5-kdc.service 2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,9 @@
+[Unit]
+Description=Kerberos 5 KDC
+
+[Service]
+ExecStart=/usr/bin/krb5kdc -n
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
Copied: krb5/repos/testing-i686/krb5-kpropd.service (from rev 219582, krb5/trunk/krb5-kpropd.service)
===================================================================
--- testing-i686/krb5-kpropd.service (rev 0)
+++ testing-i686/krb5-kpropd.service 2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 propagation server
+
+[Service]
+ExecStart=/usr/bin/kpropd -S
+
+[Install]
+WantedBy=multi-user.target
Copied: krb5/repos/testing-i686/krb5-kpropd.socket (from rev 219582, krb5/trunk/krb5-kpropd.socket)
===================================================================
--- testing-i686/krb5-kpropd.socket (rev 0)
+++ testing-i686/krb5-kpropd.socket 2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,9 @@
+[Unit]
+Description=Kerberos 5 propagation server
+
+[Socket]
+ListenStream=754
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
Copied: krb5/repos/testing-i686/krb5-kpropd@.service (from rev 219582, krb5/trunk/krb5-kpropd@.service)
===================================================================
--- testing-i686/krb5-kpropd@.service (rev 0)
+++ testing-i686/krb5-kpropd@.service 2014-08-11 21:19:33 UTC (rev 219583)
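Review bot: krb5-kadmind.service starts `kadmind` with no `User=` and no sandboxing directives in `[Service]`, so the daemon that the CVE-2014-4345 patch in this same commit hardens runs as root with an unrestricted view of the system. Adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectHome=true` would limit what a memory-corruption bug in it can reach; the set needs testing against the database and replay-cache paths the daemon actually uses. krb5-kdc.service and krb5-kpropd.service in this commit have the same gap, as do the testing-x86_64 copies of all three units.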
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 propagation server
+Conflicts=krb5-kpropd.service
+
+[Service]
+ExecStart=/usr/bin/kpropd
+StandardInput=socket
+StandardError=syslog
Copied: krb5/repos/testing-x86_64/PKGBUILD (from rev 219582, krb5/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD (rev 0)
+++ testing-x86_64/PKGBUILD 2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,142 @@
+# $Id$
+# Maintainer: Stéphane Gaudreault <steph...@archlinux.org>
+
+pkgname=krb5
+pkgver=1.12.1
+pkgrel=2
+pkgdesc="The Kerberos network authentication system"
+arch=('i686' 'x86_64')
+url="http://web.mit.edu/kerberos/"
+license=('custom')
+depends=('e2fsprogs' 'libldap' 'keyutils')
+makedepends=('perl')
+backup=('etc/krb5.conf' 'var/lib/krb5kdc/kdc.conf')
+options=('!emptydirs')
+source=(http://web.mit.edu/kerberos/dist/krb5/${pkgver%.*}/${pkgname}-${pkgver}-signed.tar
+ krb5-config_LDFLAGS.patch
+ krb5-kadmind.service
+ krb5-kdc.service
+ krb5-kpropd.service
+ krb5-kpropd@.service
+ krb5-kpropd.socket
+ krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch)
+sha1sums=('d59e8dc0fc9e1890e109cd033756539984e3d3fe'
+ 'f125824ed37f31e6fd2fdb6a437be8ff1c3700ab'
+ '59bbc7e686cbb4bcefddf0f134d928d7bd5e7722'
+ '2ef2476a8673b3b702e829d8f451c839c2273b02'
+ '74d66aefd291f22dd80799f0437cc03d83083ed5'
+ '6787c6ce2783b3f980c423e2dd4abf5236af670b'
+ 'f3677d30dbbd7106c581379c2c6ebb1bf7738912'
+ '8273976824137df1d42a4f9c7bafdfbd92f27d0a')
+
+prepare() {
+ # the signature and source are bundled together, so signature check needs to be done here
+ _check_pgpsig
+
+ tar -xf ${pkgname}-${pkgver}.tar.gz
+ cd ${pkgname}-${pkgver}
+ # cf https://bugs.gentoo.org/show_bug.cgi?id=448778
+ patch -p1 -i "${srcdir}"/krb5-config_LDFLAGS.patch
+ patch -p1 -i "${srcdir}"/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch
+
+ # FS#25384
+ sed -i "/KRB5ROOT=/s/\/local//" src/util/ac_check_krb5.m4
+}
+
+build() {
+ cd ${pkgname}-${pkgver}/src
+ export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all"
+ export CPPFLAGS+=" -I/usr/include/et"
+ ./configure --prefix=/usr \
+ --sbindir=/usr/bin \
+ --sysconfdir=/etc \
+ --localstatedir=/var/lib \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --disable-rpath \
+ --without-tcl \
+ --enable-dns-for-realm \
+ --with-ldap \
+ --without-system-verto
+ make
+}
+
+package() {
+ cd ${pkgname}-${pkgver}/src
+ make DESTDIR="${pkgdir}" EXAMPLEDIR=/usr/share/doc/${pkgname}/examples install
+
+ # Fix FS#29889
+ install -m 644 plugins/kdb/ldap/libkdb_ldap/kerberos.{ldif,schema} "${pkgdir}"/usr/share/doc/${pkgname}/examples
+
+ # Sample KDC config file
+ install -dm 755 "${pkgdir}"/var/lib/krb5kdc
+ install -pm 644 config-files/kdc.conf "${pkgdir}"/var/lib/krb5kdc/kdc.conf
+
+ # Default configuration file
+ install -dm 755 "${pkgdir}"/etc
+ install -pm 644 config-files/krb5.conf "${pkgdir}"/etc/krb5.conf
+
+ install -dm 755 "${pkgdir}"/usr/share/aclocal
+ install -m 644 util/ac_check_krb5.m4 "${pkgdir}"/usr/share/aclocal
+
+ install -Dm644 "${srcdir}"/${pkgname}-${pkgver}/NOTICE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE
+
+ # systemd stuff
+ install -dm 755 "${pkgdir}"/usr/lib/systemd/system
+ install -m 644 ../../krb5-{kadmind.service,kdc.service,kpropd.service,kpropd@.service,kpropd.socket} \
+ "${pkgdir}"/usr/lib/systemd/system
+}
+
+_check_pgpsig() {
+ (( SKIPPGPCHECK )) && return 0
+
+ msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
+
+ local file=${pkgname}-${pkgver}.tar.gz.asc
+ local sourcefile=${file%.*}
+ local pubkey
+ local warning=0
+ local errors=0
+ local statusfile=$(mktemp)
+
+ printf " %s ... " "${file%.*}" >&2
+
+ if ! gpg --quiet --batch --status-file "$statusfile" --verify "$file" "$sourcefile" 2> /dev/null; then
+ printf "FAILED" >&2
+ if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' "$statusfile"); then
+ printf " (unknown public key $pubkey)" >&2
+ warnings=1
+ else
+ errors=1
+ fi
+ printf '\n' >&2
+ else
+ if grep -q "REVKEYSIG" "$statusfile"; then
+ printf "FAILED (the key has been revoked.)" >&2
+ errors=1
+ else
+ printf "Passed" >&2
+ if grep -q "EXPSIG" "$statusfile"; then
+ printf " (WARNING: the signature has expired.)" >&2
+ warnings=1
+ elif grep -q "EXPKEYSIG" "$statusfile"; then
+ printf " (WARNING: the key has expired.)" >&2
+ warnings=1
+ fi
+ fi
+ printf '\n' >&2
+ fi
+
+ rm -f "$statusfile"
+
+ if (( errors )); then
+ error "One or more PGP signatures could not be verified!"
+ exit 1
+ fi
+
+ if (( warnings )); then
+ warning "Warnings have occurred while verifying the signatures."
+ plain "Please make sure you really trust them."
+ fi
+}
Copied: krb5/repos/testing-x86_64/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch (from rev 219582, krb5/trunk/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch)
===================================================================
--- testing-x86_64/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch (rev 0)
+++ testing-x86_64/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch 2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,64 @@
+From 81c332e29f10887c6b9deb065f81ba259f4c7e03 Mon Sep 17 00:00:00 2001
+From: Tomas Kuthan <tkut...@gmail.com>
+Date: Fri, 1 Aug 2014 15:25:50 +0200
+Subject: [PATCH] Fix LDAP key data segmentation [CVE-2014-4345]
+
+For principal entries having keys with multiple kvnos (due to use of
+-keepold), the LDAP KDB module makes an attempt to store all the keys
+having the same kvno into a single krbPrincipalKey attribute value.
+There is a fencepost error in the loop, causing currkvno to be set to
+the just-processed value instead of the next kvno. As a result, the
+second and all following groups of multiple keys by kvno are each
+stored in two krbPrincipalKey attribute values. Fix the loop to use
+the correct kvno value.
+
+CVE-2014-4345:
+
+In MIT krb5, when kadmind is configured to use LDAP for the KDC
+database, an authenticated remote attacker can cause it to perform an
+out-of-bounds write (buffer overrun) by performing multiple cpw
+-keepold operations. An off-by-one error while copying key
+information to the new database entry results in keys sharing a common
+kvno being written to different array buckets, in an array whose size
+is determined by the number of kvnos present. After sufficient
+iterations, the extra writes extend past the end of the
+(NULL-terminated) array. The NULL terminator is always written after
+the end of the loop, so no out-of-bounds data is read, it is only
+written.
+
+Historically, it has been possible to convert an out-of-bounds write
+into remote code execution in some cases, though the necessary
+exploits must be tailored to the individual application and are
+usually quite complicated. Depending on the allocated length of the
+array, an out-of-bounds write may also cause a segmentation fault
+and/or application crash.
+
+ CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
+
+[ghud...@mit.edu: clarified commit message]
+[ka...@mit.edu: CVE summary, CVSSv2 vector]
+
+ticket: 7980 (new)
+target_version: 1.12.2
+tags: pullup
+---
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index ce851ea..df5934c 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
+ j++;
+ last = i + 1;
+
+- currkvno = key_data[i].key_data_kvno;
++ if (i < n_key_data - 1)
++ currkvno = key_data[i + 1].key_data_kvno;
+ }
+ }
+ ret[num_versions] = NULL;
+--
+2.0.3
+
Copied: krb5/repos/testing-x86_64/krb5-config_LDFLAGS.patch (from rev 219582, krb5/trunk/krb5-config_LDFLAGS.patch)
===================================================================
--- testing-x86_64/krb5-config_LDFLAGS.patch (rev 0)
+++ testing-x86_64/krb5-config_LDFLAGS.patch 2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,12 @@
+Bug #448778
+--- krb5-1.11/src/build-tools/krb5-config.in 2012-12-18 02:47:04.000000000 +0000
++++ krb5-1.11/src/build-tools/krb5-config.in 2012-12-28 07:13:16.582693363 +0000
+@@ -217,7 +217,7 @@
+ -e 's#\$(PROG_RPATH)#'$libdir'#' \
+ -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \
+ -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
+- -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
++ -e 's#\$(LDFLAGS)##' \
+ -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
+ -e 's#\$(CFLAGS)##'`
+
Copied: krb5/repos/testing-x86_64/krb5-kadmind.service (from rev 219582, krb5/trunk/krb5-kadmind.service)
===================================================================
--- testing-x86_64/krb5-kadmind.service (rev 0)
+++ testing-x86_64/krb5-kadmind.service 2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 administration server
+
+[Service]
+ExecStart=/usr/bin/kadmind -nofork
+
+[Install]
+WantedBy=multi-user.target
Copied: krb5/repos/testing-x86_64/krb5-kdc.service (from rev 219582, krb5/trunk/krb5-kdc.service)
===================================================================
--- testing-x86_64/krb5-kdc.service (rev 0)
+++ testing-x86_64/krb5-kdc.service 2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,9 @@
+[Unit]
+Description=Kerberos 5 KDC
+
+[Service]
+ExecStart=/usr/bin/krb5kdc -n
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
Copied: krb5/repos/testing-x86_64/krb5-kpropd.service (from rev 219582, krb5/trunk/krb5-kpropd.service)
===================================================================
--- testing-x86_64/krb5-kpropd.service (rev 0)
+++ testing-x86_64/krb5-kpropd.service 2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 propagation server
+
+[Service]
+ExecStart=/usr/bin/kpropd -S
+
+[Install]
+WantedBy=multi-user.target
Copied: krb5/repos/testing-x86_64/krb5-kpropd.socket (from rev 219582, krb5/trunk/krb5-kpropd.socket)
===================================================================
--- testing-x86_64/krb5-kpropd.socket (rev 0)
+++ testing-x86_64/krb5-kpropd.socket 2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,9 @@
+[Unit]
+Description=Kerberos 5 propagation server
+
+[Socket]
+ListenStream=754
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
Copied: krb5/repos/testing-x86_64/krb5-kpropd@.service (from rev 219582, krb5/trunk/krb5-kpropd@.service)
===================================================================
--- testing-x86_64/krb5-kpropd@.service (rev 0)
+++ testing-x86_64/krb5-kpropd@.service 2014-08-11 21:19:33 UTC (rev 219583)
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 propagation server
+Conflicts=krb5-kpropd.service
+
+[Service]
+ExecStart=/usr/bin/kpropd
+StandardInput=socket
+StandardError=syslog