[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
commit: 5163051e02908e8415eb36cbee56727e08c3b1c1 Author: Sam James gentoo org> AuthorDate: Tue Nov 22 04:44:24 2022 + Commit: Sam James gentoo org> CommitDate: Tue Nov 22 04:44:24 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5163051e app-crypt/mit-krb5: add autoconf 2.72 patch Signed-off-by: Sam James gentoo.org> .../files/mit-krb5-1.20.1-autoconf-2.72.patch | 31 ++ app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild | 1 + 2 files changed, 32 insertions(+) diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch b/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch new file mode 100644 index ..b55193bcc7fa --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch @@ -0,0 +1,31 @@ +https://github.com/krb5/krb5/commit/d864d740d019fdf2c640460f2aa2760c7fa4d5e9 + +From d864d740d019fdf2c640460f2aa2760c7fa4d5e9 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Thu, 17 Nov 2022 15:01:24 +0100 +Subject: [PATCH] Fix aclocal.m4 syntax error for autoconf 2.72 + +An incorrect closure inside KRB5_AC_INET6 is innocuous with autoconf +versions up to 2.71, but will cause an error at configure time with +the forthcoming autoconf 2.72. + +[ghud...@mit.edu: added more context to commit message] + +ticket: 9077 (new) +tags: pullup +target_version: 1.20-next +target_version: 1.19-next +--- a/aclocal.m4 b/aclocal.m4 +@@ -409,8 +409,8 @@ else + [[struct sockaddr_in6 in; + AF_INET6; + IN6_IS_ADDR_LINKLOCAL(_addr);]])], +-[krb5_cv_inet6=yes], [krb5_cv_inet6=no])]) +-fi ++[krb5_cv_inet6=yes], [krb5_cv_inet6=no]) ++fi]) + AC_MSG_RESULT($krb5_cv_inet6) + if test "$krb5_cv_inet6" = no && test "$ac_cv_func_inet_ntop" = yes; then + AC_MSG_CHECKING(for IPv6 compile-time support with -DINET6) + diff --git a/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild index 1d7889bfab83..cd47708db88f 100644 --- a/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild +++ b/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild @@ -54,6 +54,7 @@ PATCHES=( "${FILESDIR}/${PN}_dont_create_rundir.patch" "${FILESDIR}/${PN}-1.18.2-krb5-config.patch" "${FILESDIR}/${PN}-1.20-missing-time-include.patch" + "${FILESDIR}/${PN}-1.20.1-autoconf-2.72.patch" ) MULTILIB_CHOST_TOOLS=(
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
commit: 3fb4979bc5980af0060e50e80ee5bea3ae72a713 Author: Eray Aslan gentoo org> AuthorDate: Mon Nov 7 10:43:02 2022 + Commit: Eray Aslan gentoo org> CommitDate: Mon Nov 7 10:43:02 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3fb4979b app-crypt/mit-krb5: drop 1.19.2-r4, 1.19.3-r2 Signed-off-by: Eray Aslan gentoo.org> app-crypt/mit-krb5/Manifest| 2 - .../mit-krb5/files/mit-krb5-CVE-2021-37750.patch | 43 -- app-crypt/mit-krb5/mit-krb5-1.19.2-r4.ebuild | 162 - app-crypt/mit-krb5/mit-krb5-1.19.3-r2.ebuild | 161 4 files changed, 368 deletions(-) diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest index 04c701bf322e..ed2f9ab88d2c 100644 --- a/app-crypt/mit-krb5/Manifest +++ b/app-crypt/mit-krb5/Manifest @@ -1,3 +1 @@ -DIST krb5-1.19.2.tar.gz 8741053 BLAKE2B 963722721201e75381c91a2af6e982f569a5b1602beb2d1ded83d35f6f914235a6ed91e5d54f56c97e94921a32ed27c49aded258327966ee13d39485208c38d8 SHA512 b90d6ed0e1e8a87eb5cb2c36d88b823a6a6caabf85e5d419adb8a930f7eea09a5f8491464e7e454cca7ba88be09d19415962fe0036ad2e31fc584f9fc0bbd470 -DIST krb5-1.19.3.tar.gz 8741343 BLAKE2B 79e68237ee82affa85299060c509e303453c0fab965adc6b9ed305ab64a1f73bd51e65df1b3faadc60815cd506ffefaeed535765ca060d393a9141812f85b48a SHA512 18235440d6f7d8a72c5d7ca5cd8c6465e8adf091d85c483225c7b00d64b4688c1c7924cb800c2fc17e590b2709f1a9de48e6ec79f6debd11dcb7d6fa16c6f351 DIST krb5-1.20.tar.gz 8660756 BLAKE2B fdaaab6c16dbe073c4308f312e321536b582b75fad10e5450be66b6b828825c8c775e56f5287d4a7df819d20889e5c0d9cc1d179d861c9caba185332c0db7387 SHA512 9aed84a971a4d74188468870260087ec7c3a614cceb5fe32ad7da1cb8db3d66e00df801c9f900f0131ac56eb828674b8be93df474c2d13b892b70c7977388604 diff --git a/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch b/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch deleted file mode 100644 index 2f4c949e9f31.. --- a/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch +++ /dev/null @@ -1,43 +0,0 @@ -From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 3 Aug 2021 01:15:27 -0400 -Subject: [PATCH] Fix KDC null deref on TGS inner body null server - -After the KDC decodes a FAST inner body, it does not check for a null -server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this -would typically result in an error from krb5_unparse_name(), but with -the addition of get_local_tgt() it results in a null dereference. Add -a null check. - -Reported by Joseph Sutton of Catalyst. - -CVE-2021-37750: - -In MIT krb5 releases 1.14 and later, an authenticated attacker can -cause a null dereference in the KDC by sending a FAST TGS request with -no server field. - -ticket: 9008 (new) -tags: pullup -target_version: 1.19-next -target_version: 1.18-next - src/kdc/do_tgs_req.c | 5 + - 1 file changed, 5 insertions(+) - -diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c -index 582e497cc9..32dc65fa8e 100644 a/kdc/do_tgs_req.c -+++ b/kdc/do_tgs_req.c -@@ -204,6 +204,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, - status = "FIND_FAST"; - goto cleanup; - } -+if (sprinc == NULL) { -+status = "NULL_SERVER"; -+errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; -+goto cleanup; -+} - - errcode = get_local_tgt(kdc_context, >realm, header_server, - _tgt, _tgt_storage, _tgt_key); diff --git a/app-crypt/mit-krb5/mit-krb5-1.19.2-r4.ebuild b/app-crypt/mit-krb5/mit-krb5-1.19.2-r4.ebuild deleted file mode 100644 index a88217f5154c.. --- a/app-crypt/mit-krb5/mit-krb5-1.19.2-r4.ebuild +++ /dev/null @@ -1,162 +0,0 @@ -# Copyright 1999-2022 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -PYTHON_COMPAT=( python3_{8..10} ) -inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd toolchain-funcs - -MY_P="${P/mit-}" -P_DIR=$(ver_cut 1-2) -DESCRIPTION="MIT Kerberos V" -HOMEPAGE="https://web.mit.edu/kerberos/www/; -SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz; - -LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ~ppc ppc64 ~riscv ~s390 sparc x86" -IUSE="cpu_flags_x86_aes doc +keyutils lmdb nls openldap +pkinit selinux +threads test xinetd" - -# some tests requires network access -RESTRICT="test" - -DEPEND=" - !!app-crypt/heimdal - >=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}] - || ( - >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}] - >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}] - ) - keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] ) - lmdb? ( dev-db/lmdb:= ) - nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] ) -
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
commit: 98dc35e8c0f276aa167465b5e7636e8a975beaed Author: Eray Aslan gentoo org> AuthorDate: Mon Aug 2 10:35:50 2021 + Commit: Eray Aslan gentoo org> CommitDate: Mon Aug 2 10:35:50 2021 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=98dc35e8 app-crypt/mit-krb5: cleanup Bug: https://bugs.gentoo.org/803434 Package-Manager: Portage-3.0.20, Repoman-3.0.3 Signed-off-by: Eray Aslan gentoo.org> app-crypt/mit-krb5/Manifest| 3 - app-crypt/mit-krb5/files/CVE-2020-28196.patch | 71 - .../files/mit-krb5-1.18.2-autoconf-2.70.patch | 35 - .../mit-krb5/files/mit-krb5_dont_create_run.patch | 10 -- app-crypt/mit-krb5/mit-krb5-1.18.2-r4.ebuild | 166 - app-crypt/mit-krb5/mit-krb5-1.18.3-r2.ebuild | 164 app-crypt/mit-krb5/mit-krb5-1.19.1-r1.ebuild | 161 7 files changed, 610 deletions(-) diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest index 57a2a337308..a5005ab76f7 100644 --- a/app-crypt/mit-krb5/Manifest +++ b/app-crypt/mit-krb5/Manifest @@ -1,4 +1 @@ -DIST krb5-1.18.2.tar.gz 8713927 BLAKE2B f0eb34e67adcb86f347c59ec6ef74970a57530cc56336a84909f852cd6135079ea89828e77c906a272f54e0faf6a4a0497f2b648446eb9d048d1c51e4ec513af SHA512 7cbb1b28e677fea3e0794e93951f3caaa2c49bb1175dd187951e72a466cc69d96c3b833d838000fe911c1a437d96a558e550f27c53a8b332fb9dfc7cbb7ec44c -DIST krb5-1.18.3.tar.gz 8715312 BLAKE2B 4f6ad4a529e7578e83d82b43c2cada33bce1dca5081ec826ee06a713f82520b783f72ec56d2ce289e10d1ddcfaa079491e43f21c035b214d244bb80e6b2a1c9f SHA512 cf0bf6cf8f622fa085954e6da998d952cf64dc7ccc319972ed81ea0542089cabf2d0e8243df84da01ad6f40584768ca2f02d108630c6741fa7b3d7d98c887c01 -DIST krb5-1.19.1.tar.gz 8738142 BLAKE2B 902dd08fe4b81b1cb0ec2bf1b95eeece0f8a87b87bae865272c7bf5dd028c01997ec4c5d24df605328db85e7cbfe9a38dd804b363b651aefa7b4eaec958a280c SHA512 36bf33802119ada4650a8f69f1daca95aaf882dc96bfa7061f0340a5decd588c31fc10108ddadf1042934e0e2c3bbd975deec565b0a7f0fc2baf8b8cc6d97491 DIST krb5-1.19.2.tar.gz 8741053 BLAKE2B 963722721201e75381c91a2af6e982f569a5b1602beb2d1ded83d35f6f914235a6ed91e5d54f56c97e94921a32ed27c49aded258327966ee13d39485208c38d8 SHA512 b90d6ed0e1e8a87eb5cb2c36d88b823a6a6caabf85e5d419adb8a930f7eea09a5f8491464e7e454cca7ba88be09d19415962fe0036ad2e31fc584f9fc0bbd470 diff --git a/app-crypt/mit-krb5/files/CVE-2020-28196.patch b/app-crypt/mit-krb5/files/CVE-2020-28196.patch deleted file mode 100644 index 486078437e8..000 --- a/app-crypt/mit-krb5/files/CVE-2020-28196.patch +++ /dev/null @@ -1,71 +0,0 @@ -diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c -index a160cf4fe8..cd6b879f77 100644 a/lib/krb5/asn.1/asn1_encode.c -+++ b/lib/krb5/asn.1/asn1_encode.c -@@ -356,7 +356,7 @@ make_tag(asn1buf *buf, const taginfo *t, size_t len) - static krb5_error_code - get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out, - const uint8_t **contents_out, size_t *clen_out, --const uint8_t **remainder_out, size_t *rlen_out) -+const uint8_t **remainder_out, size_t *rlen_out, int recursion) - { - krb5_error_code ret; - uint8_t o; -@@ -394,9 +394,11 @@ get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out, - /* Indefinite form (should not be present in DER, but we accept it). */ - if (tag_out->construction != CONSTRUCTED) - return ASN1_MISMATCH_INDEF; -+if (recursion >= 32) -+return ASN1_OVERFLOW; - p = asn1; - while (!(len >= 2 && p[0] == 0 && p[1] == 0)) { --ret = get_tag(p, len, , , , , ); -+ret = get_tag(p, len, , , , , , recursion + 1); - if (ret) - return ret; - } -@@ -613,7 +615,7 @@ split_der(asn1buf *buf, uint8_t *const *der, size_t len, taginfo *tag_out) - const uint8_t *contents, *remainder; - size_t clen, rlen; - --ret = get_tag(*der, len, tag_out, , , , ); -+ret = get_tag(*der, len, tag_out, , , , , 0); - if (ret) - return ret; - if (rlen != 0) -@@ -1199,7 +1201,7 @@ decode_atype(const taginfo *t, const uint8_t *asn1, size_t len, - const uint8_t *rem; - size_t rlen; - if (!tag->implicit) { --ret = get_tag(asn1, len, _tag, , , , ); -+ret = get_tag(asn1, len, _tag, , , , , 0); - if (ret) - return ret; - /* Note: we don't check rlen (it should be 0). */ -@@ -1420,7 +1422,7 @@ decode_sequence(const uint8_t *asn1, size_t len, const struct seq_info *seq, - for (i = 0; i < seq->n_fields; i++) { - if (len == 0) - break; --ret = get_tag(asn1, len, , , , , ); -+ret = get_tag(asn1, len, , , , , , 0); - if (ret) - goto error; - /* -@@ -1478,7 +1480,7 @@ decode_sequence_of(const uint8_t *asn1, size_t len, - *seq_out = NULL; - *count_out =
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
commit: 180ca9f16a555d6e4b66f13411c12fe3eea5eb5b Author: Sam James gentoo org> AuthorDate: Sat May 1 17:20:13 2021 + Commit: Sam James gentoo org> CommitDate: Sat May 1 18:06:21 2021 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=180ca9f1 app-crypt/mit-krb5: drop obsolete LibreSSL patches Signed-off-by: Sam James gentoo.org> .../files/mit-krb5-1.16.3-libressl-r1.patch| 101 - .../mit-krb5/files/mit-krb5-1.18-libressl.patch| 42 - app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild | 2 - app-crypt/mit-krb5/mit-krb5-1.18.3-r1.ebuild | 2 - 4 files changed, 147 deletions(-) diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch deleted file mode 100644 index ca74b88bb0f..000 --- a/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch +++ /dev/null @@ -1,101 +0,0 @@ -From 58263cbf3106f4c9c9a2252794093014a2f9c01f Mon Sep 17 00:00:00 2001 -From: Stefan Strogin -Date: Thu, 25 Apr 2019 03:48:10 +0300 -Subject: [PATCH] Fix build for LibreSSL 2.9.x - -asn1_mac.h is removed from LibreSSL 2.9.0, but static_ASN1_*() methods -are not defined. Define them. - -Upstream-Status: Pending -[Needs to be amended if -https://github.com/libressl-portable/openbsd/pull/109 is accepted] -Signed-off-by: Stefan Strogin - .../preauth/pkinit/pkinit_crypto_openssl.c| 13 - .../preauth/pkinit/pkinit_crypto_openssl.h| 20 ++- - 2 files changed, 28 insertions(+), 5 deletions(-) - -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index 2064eb7bd..81d5d3cf2 100644 a/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -188,14 +188,16 @@ pkinit_pkcs11_code_to_text(int err); - (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si) - #endif - --#if OPENSSL_VERSION_NUMBER < 0x1010L -+#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER) - --/* 1.1 standardizes constructor and destructor names, renaming -- * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */ -+/* 1.1 (and LibreSSL 2.7) standardizes constructor and destructor names, -+ * renaming EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */ - -+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x207fL - #define EVP_MD_CTX_new EVP_MD_CTX_create - #define EVP_MD_CTX_free EVP_MD_CTX_destroy - #define ASN1_STRING_get0_data ASN1_STRING_data -+#endif - - /* 1.1 makes many handle types opaque and adds accessors. Add compatibility - * versions of the new accessors we use for pre-1.1. */ -@@ -203,6 +205,7 @@ pkinit_pkcs11_code_to_text(int err); - #define OBJ_get0_data(o) ((o)->data) - #define OBJ_length(o) ((o)->length) - -+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x207fL - #define DH_set0_pqg compat_dh_set0_pqg - static int compat_dh_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) - { -@@ -235,6 +238,7 @@ static void compat_dh_get0_key(const DH *dh, const BIGNUM **pub, - if (priv != NULL) - *priv = dh->priv_key; - } -+#endif /* LIBRESSL_VERSION_NUMBER */ - - /* Return true if the cert c includes a key usage which doesn't include u. - * Define using direct member access for pre-1.1. */ -@@ -3040,7 +3044,8 @@ cleanup: - return retval; - } - --#if OPENSSL_VERSION_NUMBER >= 0x1010L -+#if (OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)) || \ -+ LIBRESSL_VERSION_NUMBER >= 0x209fL - - /* - * We need to decode DomainParameters from RFC 3279 section 2.3.3. We would -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h -index 7411348fa..ac91408c4 100644 a/plugins/preauth/pkinit/pkinit_crypto_openssl.h -+++ b/plugins/preauth/pkinit/pkinit_crypto_openssl.h -@@ -46,7 +46,25 @@ - #include - #include - --#if OPENSSL_VERSION_NUMBER >= 0x1010L -+#if (OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)) || \ -+ LIBRESSL_VERSION_NUMBER >= 0x209fL -+ -+#ifndef static_ASN1_SEQUENCE_END_name -+#define static_ASN1_ITEM_start(itname) \ -+ static const ASN1_ITEM itname##_it = { -+#define static_ASN1_SEQUENCE_END_name(stname, tname) \ -+ ;\ -+ static_ASN1_ITEM_start(tname) \ -+ ASN1_ITYPE_SEQUENCE,\ -+ V_ASN1_SEQUENCE,\ -+ tname##_seq_tt,\ -+ sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ -+ NULL,\ -+ sizeof(stname),\ -+ #stname \ -+ ASN1_ITEM_end(tname) -+#endif /* !defined(static_ASN1_SEQUENCE_END_name) */ -+ - #include - #else - #include --- -2.21.0 - diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.18-libressl.patch b/app-crypt/mit-krb5/files/mit-krb5-1.18-libressl.patch
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
commit: 96076573ffc3c9e64a31dd6258129bd5044bb9ee Author: Stefan Strogin gentoo org> AuthorDate: Sat Feb 15 08:50:01 2020 + Commit: Stefan Strogin gentoo org> CommitDate: Sat Feb 15 08:50:01 2020 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96076573 app-crypt/mit-krb5: add patch for LibreSSL for 1.18 Closes: https://bugs.gentoo.org/709640 Package-Manager: Portage-2.3.88, Repoman-2.3.20 Signed-off-by: Stefan Strogin gentoo.org> .../mit-krb5/files/mit-krb5-1.18-libressl.patch| 42 ++ app-crypt/mit-krb5/mit-krb5-1.18.ebuild| 1 + 2 files changed, 43 insertions(+) diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.18-libressl.patch b/app-crypt/mit-krb5/files/mit-krb5-1.18-libressl.patch new file mode 100644 index 000..1522d42a730 --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5-1.18-libressl.patch @@ -0,0 +1,42 @@ +From e3e3bc2a20795becda6e130d511fe59f04635624 Mon Sep 17 00:00:00 2001 +From: Stefan Strogin +Date: Sat, 15 Feb 2020 10:27:20 +0200 +Subject: [PATCH] Fix compilation for LibreSSL 3.0.2 + +RSA_PKCS1_OpenSSL() is provided in LibreSSL the master branch, +expected to be in the next release. +See: https://github.com/libressl-portable/openbsd/commit/3a8c41f3a84868337fde01ec1122198ec60bdc8e + +Bug: https://bugs.gentoo.org/709640 +Signed-off-by: Stefan Strogin +--- + tests/softpkcs11/main.c | 6 +- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tests/softpkcs11/main.c b/tests/softpkcs11/main.c +index 1cccdfb43..a5099fbe4 100644 +--- a/tests/softpkcs11/main.c b/tests/softpkcs11/main.c +@@ -47,7 +47,6 @@ + + #if OPENSSL_VERSION_NUMBER < 0x1010L + #define EVP_PKEY_get0_RSA(key) ((key)->pkey.rsa) +-#define RSA_PKCS1_OpenSSL RSA_PKCS1_SSLeay + #define RSA_get0_key compat_rsa_get0_key + static void + compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e, +@@ -62,6 +61,11 @@ compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e, + } + #endif + ++#if (OPENSSL_VERSION_NUMBER < 0x1010L) || \ ++defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER <= 0x3000200fL) ++#define RSA_PKCS1_OpenSSL RSA_PKCS1_SSLeay ++#endif ++ + #define OPENSSL_ASN1_MALLOC_ENCODE(T, B, BL, S, R) \ + { \ + unsigned char *p; \ +-- +2.25.0 + diff --git a/app-crypt/mit-krb5/mit-krb5-1.18.ebuild b/app-crypt/mit-krb5/mit-krb5-1.18.ebuild index 393c85034b8..2c9031b2e10 100644 --- a/app-crypt/mit-krb5/mit-krb5-1.18.ebuild +++ b/app-crypt/mit-krb5/mit-krb5-1.18.ebuild @@ -63,6 +63,7 @@ PATCHES=( "${FILESDIR}/${PN}-config_LDFLAGS-r1.patch" "${FILESDIR}/${PN}-1.16.3-libressl-r1.patch" "${FILESDIR}/${PN}_dont_create_run.patch" + "${FILESDIR}/${P}-libressl.patch" ) MULTILIB_CHOST_TOOLS=(
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
commit: 7be2eed6b6b41bfa1fd1769d3e9909f571851074 Author: Eray Aslan gentoo org> AuthorDate: Thu Dec 12 07:46:07 2019 + Commit: Eray Aslan gentoo org> CommitDate: Thu Dec 12 07:46:07 2019 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7be2eed6 app-crypt/mit-krb5: bump to 1.17.1 and dont create /run Closes: https://bugs.gentoo.org/701430 Package-Manager: Portage-2.3.81, Repoman-2.3.20 Signed-off-by: Eray Aslan gentoo.org> app-crypt/mit-krb5/Manifest| 1 + .../mit-krb5/files/mit-krb5_dont_create_run.patch | 10 ++ app-crypt/mit-krb5/mit-krb5-1.17.1.ebuild | 164 + 3 files changed, 175 insertions(+) diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest index 4b2ab0c10a3..4f15bcb4650 100644 --- a/app-crypt/mit-krb5/Manifest +++ b/app-crypt/mit-krb5/Manifest @@ -1 +1,2 @@ +DIST krb5-1.17.1.tar.gz 8765399 BLAKE2B 46be864e2db9c70d164532d82776195bf57342ce4f1fd7dfcf3cf6bd72a3639a69954f742607a2b8950b4dea8acfac5d633aa379d669de20bafe54b407bab94b SHA512 e0c3dc0a6554ab3105ac32f3f01519f56064500213aa743816235d83250abc1db9a9ca38a2ba93a938d562b4af135a013017ce96346d6742bca0c812b842ceef DIST krb5-1.17.tar.gz 8761763 BLAKE2B 76f636836c67e9eefca91c9417118efdcf4437c1220691f43f3d246daf3eabd53b40a30956f0e57703c3fde5d7193b1d86b68becf3ae1c0c803d2462e79d3014 SHA512 7462a578b936bd17f155a362dbb5d388e157a80a096549028be6c55400b11361c7f8a28e424fd5674801873651df4e694d536cae66728b7ae5e840e532358c52 diff --git a/app-crypt/mit-krb5/files/mit-krb5_dont_create_run.patch b/app-crypt/mit-krb5/files/mit-krb5_dont_create_run.patch new file mode 100644 index 000..d68e13b0675 --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5_dont_create_run.patch @@ -0,0 +1,10 @@ +--- src/Makefile.in2019-12-12 10:15:51.674552983 +0300 src/Makefile.in2019-12-12 10:16:33.205543490 +0300 +@@ -71,7 +71,6 @@ + $(KRB5_AD_MODULE_DIR) \ + $(KRB5_LIBKRB5_MODULE_DIR) $(KRB5_TLS_MODULE_DIR) \ + @localstatedir@ @localstatedir@/krb5kdc \ +- @runstatedir@ @runstatedir@/krb5kdc \ + $(KRB5_INCSUBDIRS) $(datadir) $(EXAMPLEDIR) \ + $(PKGCONFIG_DIR) + diff --git a/app-crypt/mit-krb5/mit-krb5-1.17.1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.17.1.ebuild new file mode 100644 index 000..1b7882df2d0 --- /dev/null +++ b/app-crypt/mit-krb5/mit-krb5-1.17.1.ebuild @@ -0,0 +1,164 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +PYTHON_COMPAT=( python3_{5,6,7} ) +inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd + +MY_P="${P/mit-}" +P_DIR=$(ver_cut 1-2) +DESCRIPTION="MIT Kerberos V" +HOMEPAGE="https://web.mit.edu/kerberos/www/; +SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz; + +LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" +IUSE="cpu_flags_x86_aes doc +keyutils libressl lmdb nls openldap +pkinit selinux +threads test xinetd" + +# Test suite requires network access +#RESTRICT="test" + +DEPEND=" + !!app-crypt/heimdal + >=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}] + || ( + >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}] + >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}] + >=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}] + ) + keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] ) + lmdb? ( dev-db/lmdb ) + nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] ) + openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] ) + pkinit? ( + !libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] ) + libressl? ( dev-libs/libressl:0=[${MULTILIB_USEDEP}] ) + ) + xinetd? ( sys-apps/xinetd ) + " +BDEPEND=" + ${PYTHON_DEPS} + virtual/yacc + cpu_flags_x86_aes? ( + amd64? ( dev-lang/yasm ) + x86? ( dev-lang/yasm ) + ) + doc? ( virtual/latex-base ) + test? ( + ${PYTHON_DEPS} + dev-lang/tcl:0 + dev-util/dejagnu + dev-util/cmocka + )" +RDEPEND="${DEPEND} + selinux? ( sec-policy/selinux-kerberos )" + +S=${WORKDIR}/${MY_P}/src + +PATCHES=( + "${FILESDIR}/${PN}-1.12_warn_cflags.patch" + "${FILESDIR}/${PN}-config_LDFLAGS-r1.patch" + "${FILESDIR}/${PN}-1.16.3-libressl-r1.patch" + "${FILESDIR}/${PN}_dont_create_run.patch" +) + +MULTILIB_CHOST_TOOLS=( + /usr/bin/krb5-config +) + +src_prepare() { + default + # Make sure we always use the system copies. + rm -rf util/{et,ss,verto} + sed -i 's:^[[:space:]]*util/verto$::' configure.in || die + +
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
commit: bb54b6ddf7a0ba9ad911ea73b747743eb00759b0 Author: Stefan Strogin gmail com> AuthorDate: Thu Apr 25 03:02:10 2019 + Commit: Aaron Bauman gentoo org> CommitDate: Thu Apr 25 03:31:04 2019 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb54b6dd app-crypt/mit-krb5: update patch for LibreSSL 2.9.1 Closes: https://bugs.gentoo.org/684302 Package-Manager: Portage-2.3.64, Repoman-2.3.12 Signed-off-by: Stefan Strogin gmail.com> Closes: https://github.com/gentoo/gentoo/pull/11821 Signed-off-by: Aaron Bauman gentoo.org> .../mit-krb5/files/mit-krb5-1.16.3-libressl.patch | 101 + app-crypt/mit-krb5/mit-krb5-1.16.3.ebuild | 2 +- 2 files changed, 102 insertions(+), 1 deletion(-) diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl.patch b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl.patch new file mode 100644 index 000..7a655fb9a1d --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl.patch @@ -0,0 +1,101 @@ +From 58263cbf3106f4c9c9a2252794093014a2f9c01f Mon Sep 17 00:00:00 2001 +From: Stefan Strogin +Date: Thu, 25 Apr 2019 03:48:10 +0300 +Subject: [PATCH] Fix build for LibreSSL 2.9.x + +asn1_mac.h is removed from LibreSSL 2.9.0, but static_ASN1_*() methods +are not defined. Define them. + +Upstream-Status: Pending +[Needs to be amended if +https://github.com/libressl-portable/openbsd/pull/109 is accepted] +Signed-off-by: Stefan Strogin +--- + .../preauth/pkinit/pkinit_crypto_openssl.c| 13 + .../preauth/pkinit/pkinit_crypto_openssl.h| 20 ++- + 2 files changed, 28 insertions(+), 5 deletions(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 2064eb7bd..81d5d3cf2 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -188,14 +188,16 @@ pkinit_pkcs11_code_to_text(int err); + (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si) + #endif + +-#if OPENSSL_VERSION_NUMBER < 0x1010L ++#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER) + +-/* 1.1 standardizes constructor and destructor names, renaming +- * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */ ++/* 1.1 (and LibreSSL 2.7) standardizes constructor and destructor names, ++ * renaming EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */ + ++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x207fL + #define EVP_MD_CTX_new EVP_MD_CTX_create + #define EVP_MD_CTX_free EVP_MD_CTX_destroy + #define ASN1_STRING_get0_data ASN1_STRING_data ++#endif + + /* 1.1 makes many handle types opaque and adds accessors. Add compatibility + * versions of the new accessors we use for pre-1.1. */ +@@ -203,6 +205,7 @@ pkinit_pkcs11_code_to_text(int err); + #define OBJ_get0_data(o) ((o)->data) + #define OBJ_length(o) ((o)->length) + ++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x207fL + #define DH_set0_pqg compat_dh_set0_pqg + static int compat_dh_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) + { +@@ -235,6 +238,7 @@ static void compat_dh_get0_key(const DH *dh, const BIGNUM **pub, + if (priv != NULL) + *priv = dh->priv_key; + } ++#endif /* LIBRESSL_VERSION_NUMBER */ + + /* Return true if the cert c includes a key usage which doesn't include u. + * Define using direct member access for pre-1.1. */ +@@ -3040,7 +3044,8 @@ cleanup: + return retval; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x1010L ++#if (OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)) || \ ++ LIBRESSL_VERSION_NUMBER >= 0x209fL + + /* + * We need to decode DomainParameters from RFC 3279 section 2.3.3. We would +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h +index 7411348fa..ac91408c4 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h +@@ -46,7 +46,25 @@ + #include + #include + +-#if OPENSSL_VERSION_NUMBER >= 0x1010L ++#if (OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)) || \ ++ LIBRESSL_VERSION_NUMBER >= 0x209fL ++ ++#ifndef static_ASN1_SEQUENCE_END_name ++#define static_ASN1_ITEM_start(itname) \ ++ static const ASN1_ITEM itname##_it = { ++#define static_ASN1_SEQUENCE_END_name(stname, tname) \ ++ ;\ ++ static_ASN1_ITEM_start(tname) \ ++ ASN1_ITYPE_SEQUENCE,\ ++ V_ASN1_SEQUENCE,\ ++ tname##_seq_tt,\ ++ sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ ++ NULL,\ ++ sizeof(stname),\ ++ #stname \ ++ ASN1_ITEM_end(tname) ++#endif /* !defined(static_ASN1_SEQUENCE_END_name) */ ++ + #include + #else + #include +-- +2.21.0 + diff --git
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
commit: f7248912b982989fc1aa142bdbbab3a375725fa5 Author: Eray Aslan gentoo org> AuthorDate: Thu May 10 06:41:26 2018 + Commit: Eray Aslan gentoo org> CommitDate: Thu May 10 06:41:53 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7248912 app-crypt/mit-krb5: remove old Package-Manager: Portage-2.3.36, Repoman-2.3.9 app-crypt/mit-krb5/Manifest| 1 - .../files/mit-krb5-1.14.2-redeclared-ttyname.patch | 26 .../files/mit-krb5-1.14.4-disable-nls.patch| 45 -- .../files/mit-krb5-1.15.2-fix-pkinit.patch | 98 - app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild | 145 app-crypt/mit-krb5/mit-krb5-1.15.2.ebuild | 144 --- app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild | 152 - 7 files changed, 611 deletions(-) diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest index 2e79cf89fa3..80fe45536f5 100644 --- a/app-crypt/mit-krb5/Manifest +++ b/app-crypt/mit-krb5/Manifest @@ -1,3 +1,2 @@ -DIST krb5-1.15.2.tar.gz 9380755 BLAKE2B 3f5d00a70bf44ef077872bde282e4753e82acb70632e136b8f9f8d3a192e3e7b692840803e5a3f67ddb202d53631767ea9eb8b7615d45a3479389a01a6390ac4 SHA512 e5814bb66384b13637c37918df694c6b9933c29c2d952da0ed0dcd2e623b269060b4c16b6c02162039dadebdab99ff1085e37e7621ae4748dafb036424e612c2 DIST krb5-1.16.1.tar.gz 9477480 BLAKE2B 16bdd7d6d03ddbd4b070663c3a7a3d2331d54e8590b24f1dc162be2531bfbbbd65878d426a160c65ffc1ba4751f16bbbd177a8a91c01002fde0e886cc1bd91b9 SHA512 fa4ec14a4ffe690861e2dd7ea39d7698af2058ce181bb733ea891f80279f4dde4bb891adec5ccb0eaddf737306e6ceb1fe3744a2946e6189a7d7d2dd3bc5ba84 DIST krb5-1.16.tar.gz 9474479 BLAKE2B 0c5caa0a0d2308a447d47ab94d7b8dc92a67ad78b3bac1678c3f3ece3905f27feda5a23d28b3c13ebd64d1760726888c759fb19da82ad960c6f84a433b753873 SHA512 7e162467b95dad2b6aaa11686d08a00f1cc4eb08247fca8f0e5a8bcaa5f9f7b42cdf00db69c5c6111bdf9eb8063d53cef3bb207ce5d6a287615ca10b710153f9 diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch b/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch deleted file mode 100644 index a76cd3a7f84..000 --- a/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch +++ /dev/null @@ -1,26 +0,0 @@ -Fixes the redeclaration of ttyname which was preventing -enabling clang fortify. - -The error was; - -main.c:858:15: error: redeclaration of 'ttyname' must have the 'overloadable' attribute -char *p, *ttyname(); - ^ -/build/samus/usr/include/unistd.h:784:14: note: previous overload of function is here -extern char *ttyname (int __fd) __THROW __CLANG_NO_MANGLE (ttyname); - -https://github.com/krb5/krb5/pull/568 - -Patch by Zentaro Kavanagh- clients/ksu/main.c -+++ clients/ksu/main.c -@@ -855,7 +855,7 @@ - - static char * ontty() - { --char *p, *ttyname(); -+char *p; - static char buf[MAXPATHLEN + 5]; - int result; - diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch b/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch deleted file mode 100644 index 63cb0fc0c55..000 --- a/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch +++ /dev/null @@ -1,45 +0,0 @@ -Adds support for --(enable|disable)-nls configure option. - -This enables\disables the generation of language files and -sets the ENABLE_NLS define appropriately. - -Default value is enabled to preserve current behavior. - -Patch by Zentaro Kavanagh -https://crbug.com/654842 - -https://github.com/krb5/krb5/pull/584 - src/configure.in -+++ src/configure.in -@@ -118,15 +118,22 @@ - ]) - AC_SUBST(LIBUTIL) - --AC_CHECK_HEADER(libintl.h, [ -- AC_SEARCH_LIBS(dgettext, intl, [ -- AC_DEFINE(ENABLE_NLS, 1, -- [Define if translation functions should be used.])])]) -- --AC_CHECK_PROG(MSGFMT,msgfmt,msgfmt) -+# Determine if NLS is desired and supported. - po= --if test x"$MSGFMT" != x; then -- po=po -+AC_ARG_ENABLE([nls], -+AC_HELP_STRING([--disable-nls], -+ [Disable Native Language Support(NLS).]), , -+ enableval=yes) -+if test "$enableval" = yes ; then -+AC_CHECK_HEADER(libintl.h, [ -+AC_SEARCH_LIBS(dgettext, intl, [ -+AC_DEFINE(ENABLE_NLS, 1, -+[Define if translation functions should be used.])])]) -+ -+AC_CHECK_PROG(MSGFMT,msgfmt,msgfmt) -+if test x"$MSGFMT" != x; then -+po=po -+fi - fi - AC_SUBST(po) - diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch b/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch deleted file mode 100644 index 4f721d4d961..000 --- a/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch +++ /dev/null @@ -1,98 +0,0 @@ -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
commit: 95a08abb6dc4b1a0babe590527e19ce7a5c5bd10 Author: Eray Aslan gentoo org> AuthorDate: Fri Apr 13 07:01:47 2018 + Commit: Eray Aslan gentoo org> CommitDate: Fri Apr 13 07:02:17 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=95a08abb app-crypt/mit-krb5: security bump - bug 649610 Also fix gettext dependency Closes: https://bugs.gentoo.org/652108 Package-Manager: Portage-2.3.28, Repoman-2.3.9 app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch | 297 ++ app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild| 158 2 files changed, 455 insertions(+) diff --git a/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch new file mode 100644 index 000..114cfe688e7 --- /dev/null +++ b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch @@ -0,0 +1,297 @@ +diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c +index 2420f2c2be..a59a65e8f6 100644 +--- a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c +@@ -330,6 +330,13 @@ kadm5_create_principal_3(void *server_handle, + return KADM5_BAD_MASK; + if((mask & ~ALL_PRINC_MASK)) + return KADM5_BAD_MASK; ++if (mask & KADM5_TL_DATA) { ++for (tl_data_tail = entry->tl_data; tl_data_tail != NULL; ++ tl_data_tail = tl_data_tail->tl_data_next) { ++if (tl_data_tail->tl_data_type < 256) ++return KADM5_BAD_TL_TYPE; ++} ++} + + /* + * Check to see if the principal exists +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +index 535a1f309e..8b8420faa9 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +@@ -141,7 +141,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int op); + #define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr)) + #define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr)) + +-#define KDB_TL_USER_INFO 0x7ffe ++#define KDB_TL_USER_INFO 0xff + + #define KDB_TL_PRINCTYPE 0x01 + #define KDB_TL_PRINCCOUNT 0x02 +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +index 88a1704950..b7c9212cb2 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +@@ -651,6 +651,107 @@ update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry, + return ret; + } + ++static krb5_error_code ++check_dn_in_container(krb5_context context, const char *dn, ++ char *const *subtrees, unsigned int ntrees) ++{ ++unsigned int i; ++size_t dnlen = strlen(dn), stlen; ++ ++for (i = 0; i < ntrees; i++) { ++if (subtrees[i] == NULL || *subtrees[i] == '\0') ++return 0; ++stlen = strlen(subtrees[i]); ++if (dnlen >= stlen && ++strcasecmp(dn + dnlen - stlen, subtrees[i]) == 0 && ++(dnlen == stlen || dn[dnlen - stlen - 1] == ',')) ++return 0; ++} ++ ++k5_setmsg(context, EINVAL, _("DN is out of the realm subtree")); ++return EINVAL; ++} ++ ++static krb5_error_code ++check_dn_exists(krb5_context context, ++krb5_ldap_server_handle *ldap_server_handle, ++const char *dn, krb5_boolean nonkrb_only) ++{ ++krb5_error_code st = 0, tempst; ++krb5_ldap_context *ldap_context = context->dal_handle->db_context; ++LDAP *ld = ldap_server_handle->ldap_handle; ++LDAPMessage *result = NULL, *ent; ++char *attrs[] = { "krbticketpolicyreference", "krbprincipalname", NULL }; ++char **values; ++ ++LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attrs, IGNORE_STATUS); ++if (st != LDAP_SUCCESS) ++return set_ldap_error(context, st, OP_SEARCH); ++ ++ent = ldap_first_entry(ld, result); ++CHECK_NULL(ent); ++ ++values = ldap_get_values(ld, ent, "krbticketpolicyreference"); ++if (values != NULL) ++ldap_value_free(values); ++ ++values = ldap_get_values(ld, ent, "krbprincipalname"); ++if (values != NULL) { ++ldap_value_free(values); ++if (nonkrb_only) { ++st = EINVAL; ++k5_setmsg(context, st, _("ldap object is already kerberized")); ++goto cleanup; ++} ++} ++ ++cleanup: ++ldap_msgfree(result); ++return st; ++} ++ ++static krb5_error_code ++validate_xargs(krb5_context context, ++ krb5_ldap_server_handle *ldap_server_handle, ++ const xargs_t *xargs, const char *standalone_dn, ++ char *const *subtrees, unsigned int ntrees) ++{ ++krb5_error_code st; ++ ++if (xargs->dn != NULL) { ++/* The supplied dn must be within a realm container. */ ++st = check_dn_in_container(context, xargs->dn, subtrees, ntrees); ++if (st) ++
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
commit: e9f7afb1b75a3e78f0f3e468d3164f0eaf06eb10 Author: Aaron Bauman gentoo org> AuthorDate: Thu Apr 12 21:26:27 2018 + Commit: Aaron Bauman gentoo org> CommitDate: Thu Apr 12 21:26:45 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9f7afb1 app-crypt/mit-krb5: properly detect LibreSSL version Closes: https://bugs.gentoo.org/610854 Package-Manager: Portage-2.3.28, Repoman-2.3.9 .../files/mit-krb5-libressl-version-check.patch| 31 app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild | 156 + 2 files changed, 187 insertions(+) diff --git a/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch b/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch new file mode 100644 index 000..5c979cfd1ef --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch @@ -0,0 +1,31 @@ +--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -191,7 +191,7 @@ pkinit_pkcs11_code_to_text(int err); + (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si) + #endif + +-#if OPENSSL_VERSION_NUMBER < 0x1010L ++#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER) + + /* 1.1 standardizes constructor and destructor names, renaming + * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */ +@@ -3059,7 +3059,7 @@ cleanup: + return retval; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x1010L ++#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER) + + /* + * We need to decode DomainParameters from RFC 3279 section 2.3.3. We would +--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.h src/plugins/preauth/pkinit/pkinit_crypto_openssl.h +@@ -46,7 +46,7 @@ + #include + #include + +-#if OPENSSL_VERSION_NUMBER >= 0x1010L ++#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER) + #include + #else + #include diff --git a/app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild new file mode 100644 index 000..c1f7a782063 --- /dev/null +++ b/app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild @@ -0,0 +1,156 @@ +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +PYTHON_COMPAT=( python2_7 ) +inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd versionator + +MY_P="${P/mit-}" +P_DIR=$(get_version_component_range 1-2) +DESCRIPTION="MIT Kerberos V" +HOMEPAGE="https://web.mit.edu/kerberos/www/; +SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz; + +LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" +IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd" + +# Test suite require network access +RESTRICT="test" + +CDEPEND=" + !!app-crypt/heimdal + >=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}] + || ( + >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}] + >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}] + >=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}] + ) + keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] ) + openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] ) + pkinit? ( + !libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] ) + libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] ) + ) + xinetd? ( sys-apps/xinetd ) + abi_x86_32? ( + !<=app-emulation/emul-linux-x86-baselibs-20140508-r1 + !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)] + )" +DEPEND="${CDEPEND} + ${PYTHON_DEPS} + virtual/yacc + doc? ( virtual/latex-base ) + test? ( + ${PYTHON_DEPS} + dev-lang/tcl:0 + dev-util/dejagnu + )" +RDEPEND="${CDEPEND} + selinux? ( sec-policy/selinux-kerberos )" + +S=${WORKDIR}/${MY_P}/src + +MULTILIB_CHOST_TOOLS=( + /usr/bin/krb5-config +) + +src_prepare() { + eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch" + eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch" + eapply "${FILESDIR}/${PN}-libressl-version-check.patch" + + # Make sure we always use the system copies. + rm -rf util/{et,ss,verto} + sed -i 's:^[[:space:]]*util/verto$::' configure.in || die + + eapply_user + eautoreconf +} + +src_configure() { + # QA + append-flags -fno-strict-aliasing + append-flags -fno-strict-overflow + + multilib-minimal_src_configure +} + +multilib_src_configure() { + use keyutils || export ac_cv_header_keyutils_h=no + ECONF_SOURCE=${S} \ + WARN_CFLAGS="set" \ + econf \ +
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
commit: f4a050c738af81bb82e7b640667f08e3199c5ca1 Author: Thomas Deutschmann gentoo org> AuthorDate: Fri Jan 26 21:07:00 2018 + Commit: Thomas Deutschmann gentoo org> CommitDate: Fri Jan 26 21:07:29 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4a050c7 app-crypt/mit-krb5: bump, fixes CVE-2017-7562 Ebuild changes: === - Dropped the following upstreamed patches which are now included in v1.16: - mit-krb5-1.14.2-redeclared-ttyname.patch - mit-krb5-1.14.4-disable-nls.patch - mit-krb5-1.15.2-fix-pkinit.patch - We are now installing systemd services. [Bug 524412] - Tests are now restricted because they are requiring network access. Closes: https://bugs.gentoo.org/524412 Bug: https://bugs.gentoo.org/628936 Package-Manager: Portage-2.3.20, Repoman-2.3.6 app-crypt/mit-krb5/Manifest| 1 + app-crypt/mit-krb5/files/mit-krb5kadmind.service | 8 ++ app-crypt/mit-krb5/files/mit-krb5kdc.service | 9 ++ app-crypt/mit-krb5/files/mit-krb5kpropd.service| 8 ++ app-crypt/mit-krb5/files/mit-krb5kpropd.socket | 9 ++ app-crypt/mit-krb5/files/mit-krb5kpropd_at.service | 8 ++ app-crypt/mit-krb5/mit-krb5-1.16.ebuild| 155 + 7 files changed, 198 insertions(+) diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest index 58df981b5a6..ef54ec04904 100644 --- a/app-crypt/mit-krb5/Manifest +++ b/app-crypt/mit-krb5/Manifest @@ -1 +1,2 @@ DIST krb5-1.15.2.tar.gz 9380755 BLAKE2B 3f5d00a70bf44ef077872bde282e4753e82acb70632e136b8f9f8d3a192e3e7b692840803e5a3f67ddb202d53631767ea9eb8b7615d45a3479389a01a6390ac4 SHA512 e5814bb66384b13637c37918df694c6b9933c29c2d952da0ed0dcd2e623b269060b4c16b6c02162039dadebdab99ff1085e37e7621ae4748dafb036424e612c2 +DIST krb5-1.16.tar.gz 9474479 BLAKE2B 0c5caa0a0d2308a447d47ab94d7b8dc92a67ad78b3bac1678c3f3ece3905f27feda5a23d28b3c13ebd64d1760726888c759fb19da82ad960c6f84a433b753873 SHA512 7e162467b95dad2b6aaa11686d08a00f1cc4eb08247fca8f0e5a8bcaa5f9f7b42cdf00db69c5c6111bdf9eb8063d53cef3bb207ce5d6a287615ca10b710153f9 diff --git a/app-crypt/mit-krb5/files/mit-krb5kadmind.service b/app-crypt/mit-krb5/files/mit-krb5kadmind.service new file mode 100644 index 000..f3836c89862 --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5kadmind.service @@ -0,0 +1,8 @@ +[Unit] +Description=Kerberos 5 administration server + +[Service] +ExecStart=/usr/sbin/kadmind -nofork + +[Install] +WantedBy=multi-user.target diff --git a/app-crypt/mit-krb5/files/mit-krb5kdc.service b/app-crypt/mit-krb5/files/mit-krb5kdc.service new file mode 100644 index 000..6ec93bb7232 --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5kdc.service @@ -0,0 +1,9 @@ +[Unit] +Description=Kerberos 5 KDC + +[Service] +ExecStart=/usr/sbin/krb5kdc -n +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd.service b/app-crypt/mit-krb5/files/mit-krb5kpropd.service new file mode 100644 index 000..a7c5b579d2b --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5kpropd.service @@ -0,0 +1,8 @@ +[Unit] +Description=Kerberos 5 propagation server + +[Service] +ExecStart=/usr/sbin/kpropd -S + +[Install] +WantedBy=multi-user.target diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd.socket b/app-crypt/mit-krb5/files/mit-krb5kpropd.socket new file mode 100644 index 000..4389290c0b1 --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5kpropd.socket @@ -0,0 +1,9 @@ +[Unit] +Description=Kerberos 5 propagation server + +[Socket] +ListenStream=754 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd_at.service b/app-crypt/mit-krb5/files/mit-krb5kpropd_at.service new file mode 100644 index 000..f826eb33cb3 --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5kpropd_at.service @@ -0,0 +1,8 @@ +[Unit] +Description=Kerberos 5 propagation server +Conflicts=mit-krb5kpropd.service + +[Service] +ExecStart=/usr/sbin/kpropd +StandardInput=socket +StandardError=syslog diff --git a/app-crypt/mit-krb5/mit-krb5-1.16.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16.ebuild new file mode 100644 index 000..acd4a3ed3b7 --- /dev/null +++ b/app-crypt/mit-krb5/mit-krb5-1.16.ebuild @@ -0,0 +1,155 @@ +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +PYTHON_COMPAT=( python2_7 ) +inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd versionator + +MY_P="${P/mit-}" +P_DIR=$(get_version_component_range 1-2) +DESCRIPTION="MIT Kerberos V" +HOMEPAGE="https://web.mit.edu/kerberos/www/; +SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz; + +LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" +IUSE="doc +keyutils libressl nls
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
commit: e6232da235fc02eabf2dc7ee0790a51f5e811e0d Author: Eray Aslan gentoo org> AuthorDate: Tue Dec 5 10:00:13 2017 + Commit: Eray Aslan gentoo org> CommitDate: Tue Dec 5 10:00:13 2017 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e6232da2 app-crypt/mit-krb5: security bump to 1.15.2-r1. Bug 639702 Package-Manager: Portage-2.3.16, Repoman-2.3.6 .../files/mit-krb5-1.15.2-fix-pkinit.patch | 98 ++ app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild | 149 + 2 files changed, 247 insertions(+) diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch b/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch new file mode 100644 index 000..4f721d4d961 --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch @@ -0,0 +1,98 @@ +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 74fffbf321..4b86a6f302 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -5145,33 +5145,29 @@ crypto_retieve_X509_key_usage(krb5_context context, + return retval; + } + +-/* +- * Return a string format of an X509_NAME in buf where +- * size is an in/out parameter. On input it is the size +- * of the buffer, and on output it is the actual length +- * of the name. +- * If buf is NULL, returns the length req'd to hold name +- */ +-static char * +-X509_NAME_oneline_ex(X509_NAME * a, +- char *buf, +- unsigned int *size, +- unsigned long flag) ++static krb5_error_code ++rfc2253_name(X509_NAME *name, char **str_out) + { +-BIO *out = NULL; ++BIO *b = NULL; ++char *str; + +-out = BIO_new(BIO_s_mem ()); +-if (X509_NAME_print_ex(out, a, 0, flag) > 0) { +-if (buf != NULL && (*size) > (unsigned int) BIO_number_written(out)) { +-memset(buf, 0, *size); +-BIO_read(out, buf, (int) BIO_number_written(out)); +-} +-else { +-*size = BIO_number_written(out); +-} +-} +-BIO_free(out); +-return (buf); ++*str_out = NULL; ++b = BIO_new(BIO_s_mem()); ++if (b == NULL) ++return ENOMEM; ++if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0) ++goto error; ++str = calloc(BIO_number_written(b) + 1, 1); ++if (str == NULL) ++goto error; ++BIO_read(b, str, BIO_number_written(b)); ++BIO_free(b); ++*str_out = str; ++return 0; ++ ++error: ++BIO_free(b); ++return ENOMEM; + } + + /* +@@ -5187,8 +5183,6 @@ crypto_cert_get_matching_data(krb5_context context, + krb5_principal *pkinit_sans =NULL, *upn_sans = NULL; + struct _pkinit_cert_data *cd = (struct _pkinit_cert_data *)ch; + unsigned int i, j; +-char buf[DN_BUF_LEN]; +-unsigned int bufsize = sizeof(buf); + + if (cd == NULL || cd->magic != CERT_MAGIC) + return EINVAL; +@@ -5201,23 +5195,14 @@ crypto_cert_get_matching_data(krb5_context context, + + md->ch = ch; + +-/* get the subject name (in rfc2253 format) */ +-X509_NAME_oneline_ex(X509_get_subject_name(cd->cred->cert), +- buf, , XN_FLAG_SEP_COMMA_PLUS); +-md->subject_dn = strdup(buf); +-if (md->subject_dn == NULL) { +-retval = ENOMEM; ++retval = rfc2253_name(X509_get_subject_name(cd->cred->cert), ++ >subject_dn); ++if (retval) + goto cleanup; +-} +- +-/* get the issuer name (in rfc2253 format) */ +-X509_NAME_oneline_ex(X509_get_issuer_name(cd->cred->cert), +- buf, , XN_FLAG_SEP_COMMA_PLUS); +-md->issuer_dn = strdup(buf); +-if (md->issuer_dn == NULL) { +-retval = ENOMEM; ++retval = rfc2253_name(X509_get_issuer_name(cd->cred->cert), ++ >issuer_dn); ++if (retval) + goto cleanup; +-} + + /* get the san data */ + retval = crypto_retrieve_X509_sans(context, cd->plgctx, cd->reqctx, diff --git a/app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild new file mode 100644 index 000..1f9cfda9466 --- /dev/null +++ b/app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild @@ -0,0 +1,149 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +PYTHON_COMPAT=( python2_7 ) +inherit autotools flag-o-matic multilib-minimal python-any-r1 versionator + +MY_P="${P/mit-}" +P_DIR=$(get_version_component_range 1-2) +DESCRIPTION="MIT Kerberos V" +HOMEPAGE="http://web.mit.edu/kerberos/www/; +SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz; + +LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
commit: 74ebaeed509febece37089ac12fe7127971b0b99 Author: Eray Aslan gentoo org> AuthorDate: Thu Apr 21 16:07:08 2016 + Commit: Eray Aslan gentoo org> CommitDate: Thu Apr 21 16:07:08 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74ebaeed app-crypt/mit-krb5: Remove vulnerable versions Package-Manager: portage-2.2.28 app-crypt/mit-krb5/Manifest | 2 - app-crypt/mit-krb5/files/CVE-2015-2695.patch | 564 - app-crypt/mit-krb5/files/CVE-2015-2696.patch | 731 -- app-crypt/mit-krb5/files/CVE-2015-2697.patch | 50 -- app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r1 | 25 - app-crypt/mit-krb5/files/mit-krb5kdc.initd-r1 | 24 - app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r1 | 24 - app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild | 160 - app-crypt/mit-krb5/mit-krb5-1.13.2-r3.ebuild | 160 - app-crypt/mit-krb5/mit-krb5-1.14.ebuild | 151 - 10 files changed, 1891 deletions(-) diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest index e3d2128..89c6183 100644 --- a/app-crypt/mit-krb5/Manifest +++ b/app-crypt/mit-krb5/Manifest @@ -1,4 +1,2 @@ -DIST krb5-1.13.2-signed.tar 12113920 SHA256 e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1 SHA512 d3f8dde220876bd24703c488122ba8e54ffaa7f8f2c7d325e5d198a4e171248673fc1d5d3c997c6d2e66c314e2b7f4609eb980a789c3556a79458ab4411e61b5 WHIRLPOOL 9f29f4d76b7b2225f18707a95b217ce0eab7ae963ba547460fa6e7ffdc43e3c350ae070265c52b9751a70f80a95086e39c29dc2c44e0a22d17f9b48f7bf838f7 DIST krb5-1.14.1.tar.gz 12259025 SHA256 c8faa44574246f5bd0ce5a3dedc48c32db48a74cc4323949bf70f0ac2d6f1a99 SHA512 5d64bb30ecb9e267e2494cea4995d8cc314916d8f6a9318fb80067ae6389ad7468656400d996698b6dc0bdb4c1355c13701b570521a7c40008cf1f83df24847d WHIRLPOOL 2d4ab7e8e65d27ce207bd1d254586f95c8b219c01d2deb2fe60f8d5f84e13cd52881bbc2b51c1ee2d40a81570afa15d46c8446e5c6ec052e7621b76d34b72a7d DIST krb5-1.14.2.tar.gz 12264762 SHA256 6bcad7e6778d1965e4ce4af21d2efdc15b274c5ce5c69031c58e4c954cda8b27 SHA512 8e0d8203740aac78b65a62c0f79998b56dae23725763f645ae13a92dc4263d193e7334f84e278ca873d2b72d425f47cd4b68b58690d029dccce41e8a157b16f0 WHIRLPOOL 18a3729f5bfb928318f5cc28c919cbc49ee9179199ee82445922a5f2e8afbf4ed5a31f7e710877f8c12ef75f326723e7410608ce538983ce1b811e16091d72a1 -DIST krb5-1.14.tar.gz 12255176 SHA256 cedb07fad8331e3ff2983d26e977a2ddba622f379c2b19bfea85bd695930f9e9 SHA512 b33a85b37f6038e34ba4038c9d1cc6a0df027652cbeccd24e39b323a1ed1bc16305099df04654c80ba7e6b56bd3d3c2df95758add888f9ef8535cb78443684ff WHIRLPOOL e049aea7bcc99fa61af353bb0e831f63512c0c1f9df06332f2aae9add356f0fb27ee46e2a2fab23b7875bb827b2aa2ff78314ffe50d07fc95f089fff5fde5113 diff --git a/app-crypt/mit-krb5/files/CVE-2015-2695.patch b/app-crypt/mit-krb5/files/CVE-2015-2695.patch deleted file mode 100644 index 08bc8ab..000 --- a/app-crypt/mit-krb5/files/CVE-2015-2695.patch +++ /dev/null @@ -1,564 +0,0 @@ -From b51b33f2bc5d1497ddf5bd107f791c101695000d Mon Sep 17 00:00:00 2001 -From: Nicolas Williams-Date: Mon, 14 Sep 2015 12:27:52 -0400 -Subject: [PATCH] Fix SPNEGO context aliasing bugs [CVE-2015-2695] - -The SPNEGO mechanism currently replaces its context handle with the -mechanism context handle upon establishment, under the assumption that -most GSS functions are only called after context establishment. This -assumption is incorrect, and can lead to aliasing violations for some -programs. Maintain the SPNEGO context structure after context -establishment and refer to it in all GSS methods. Add initiate and -opened flags to the SPNEGO context structure for use in -gss_inquire_context() prior to context establishment. - -CVE-2015-2695: - -In MIT krb5 1.5 and later, applications which call -gss_inquire_context() on a partially-established SPNEGO context can -cause the GSS-API library to read from a pointer using the wrong type, -generally causing a process crash. This bug may go unnoticed, because -the most common SPNEGO authentication scenario establishes the context -after just one call to gss_accept_sec_context(). Java server -applications using the native JGSS provider are vulnerable to this -bug. A carefully crafted SPNEGO packet might allow the -gss_inquire_context() call to succeed with attacker-determined -results, but applications should not make access control decisions -based on gss_inquire_context() results prior to context establishment. - -CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C - -[ghud...@mit.edu: several bugfixes, style changes, and edge-case -behavior changes; commit message and CVE description] - -ticket: 8244 -target_version: 1.14 -tags: pullup - src/lib/gssapi/spnego/gssapiP_spnego.h | 2 + - src/lib/gssapi/spnego/spnego_mech.c| 254 - - 2 files changed, 192 insertions(+), 64 deletions(-) - -diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h
[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
commit: f8a5e1f10568cd3f63fe5cbcfd28c46287270234 Author: Eray Aslan gentoo org> AuthorDate: Thu Oct 29 04:24:07 2015 + Commit: Eray Aslan gentoo org> CommitDate: Thu Oct 29 04:24:07 2015 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f8a5e1f1 app-crypt/mit-krb5: add confd files to kdc, kadmind and kpropd daemons Gentoo-Bug: 539010 Thanks to Paul B. Henson Package-Manager: portage-2.2.23 app-crypt/mit-krb5/files/mit-krb5kadmind.confd| 2 + app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r2 | 25 app-crypt/mit-krb5/files/mit-krb5kdc.confd| 2 + app-crypt/mit-krb5/files/mit-krb5kdc.initd-r2 | 24 app-crypt/mit-krb5/files/mit-krb5kpropd.confd | 2 + app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r2 | 24 app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild | 157 ++ 7 files changed, 236 insertions(+) diff --git a/app-crypt/mit-krb5/files/mit-krb5kadmind.confd b/app-crypt/mit-krb5/files/mit-krb5kadmind.confd new file mode 100644 index 000..f6029b6 --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5kadmind.confd @@ -0,0 +1,2 @@ +# Define startup options for Kerberos administration server +KADMIND_OPTS="" diff --git a/app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r2 b/app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r2 new file mode 100644 index 000..54dcb87 --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r2 @@ -0,0 +1,25 @@ +#!/sbin/runscript + +#--- +# This script starts/stops the MIT Kerberos 5 Admin daemon +#--- + +daemon="MIT Kerberos 5 Admin daemon" +exec="/usr/sbin/kadmind" + +depend() { + need mit-krb5kdc + use net +} + +start() { + ebegin "Starting $daemon" + start-stop-daemon --start --quiet --exec ${exec} -- "${KADMIND_OPTS}" 1>&2 + eend $? "Error starting $daemon" +} + +stop() { + ebegin "Stopping $daemon" + start-stop-daemon --stop --quiet --exec ${exec} 1>&2 + eend $? "Error stopping $daemon" +} diff --git a/app-crypt/mit-krb5/files/mit-krb5kdc.confd b/app-crypt/mit-krb5/files/mit-krb5kdc.confd new file mode 100644 index 000..887d3d8 --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5kdc.confd @@ -0,0 +1,2 @@ +# Define startup options for Kerberos KDC +KDC_OPTS="" diff --git a/app-crypt/mit-krb5/files/mit-krb5kdc.initd-r2 b/app-crypt/mit-krb5/files/mit-krb5kdc.initd-r2 new file mode 100644 index 000..12bb47a --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5kdc.initd-r2 @@ -0,0 +1,24 @@ +#!/sbin/runscript + +#--- +# This script starts/stops the MIT Kerberos 5 KDC +#--- + +daemon="MIT Kerberos 5 KDC" +exec="/usr/sbin/krb5kdc" + +depend() { + use net +} + +start() { + ebegin "Starting $daemon" + start-stop-daemon --start --quiet --exec ${exec} -- "${KDC_OPTS}" 1>&2 + eend $? "Error starting $daemon" +} + +stop() { + ebegin "Stopping $daemon" + start-stop-daemon --stop --quiet --exec ${exec} 1>&2 + eend $? "Error stopping $daemon" +} diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd.confd b/app-crypt/mit-krb5/files/mit-krb5kpropd.confd new file mode 100644 index 000..d75d41a --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5kpropd.confd @@ -0,0 +1,2 @@ +# Define startup options for Kerberos incremental propagation server +KPROPD_OPTS="" diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r2 b/app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r2 new file mode 100644 index 000..222c5f7 --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r2 @@ -0,0 +1,24 @@ +#!/sbin/runscript + +#--- +# This script starts/stops the MIT Kerberos 5 kpropd +#--- + +daemon="MIT Kerberos 5 kpropd" +exec="/usr/sbin/kpropd" + +depend() { + use net mit-krb5kdc mit-krb5kadmind +} + +start() { + ebegin "Starting $daemon" + start-stop-daemon --start --quiet --exec ${exec} -- "${KPROPD_OPTS}" 1>&2 + eend $? "Error starting $daemon" +} + +stop() { + ebegin "Stopping $daemon" + start-stop-daemon --stop --quiet --exec ${exec} 1>&2 + eend $? "Error stopping $daemon" +} diff --git a/app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild new file mode 100644 index 000..d70cb3d --- /dev/null +++ b/app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild @@ -0,0 +1,157 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +PYTHON_COMPAT=( python2_7 ) + +inherit autotools eutils