authorDaniel Ahlberg <aliz@gentoo.org>2003-03-30 17:40:52 +0000
committerDaniel Ahlberg <aliz@gentoo.org>2003-03-30 17:40:52 +0000
commitaea6f568429bdd12cc356686efcb102d6aa3b557 (patch)
treee7bb4485b59ac83ed2040d93b2251525c3c13072 /app-crypt
parentsmall fixes (diff)
Security update
Diffstat (limited to 'app-crypt')
-rw-r--r--app-crypt/mit-krb5/ChangeLog7
-rw-r--r--app-crypt/mit-krb5/files/digest-mit-krb5-1.2.72
-rw-r--r--app-crypt/mit-krb5/files/krb5-1.2.7-principal_name_handling.patch51
-rw-r--r--app-crypt/mit-krb5/files/krb5-1.2.7-xdr.patch137
-rw-r--r--app-crypt/mit-krb5/mit-krb5-1.2.7.ebuild90
5 files changed, 286 insertions, 1 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog
index 064d3e5f8283..2edf8e520230 100644
--- a/app-crypt/mit-krb5/ChangeLog
+++ b/app-crypt/mit-krb5/ChangeLog
@@ -1,6 +1,11 @@
# ChangeLog for app-crypt/mit-krb5
# Copyright 2002-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.3 2003/02/12 03:28:22 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.4 2003/03/30 17:40:52 aliz Exp $
+
+*mit-krb5-1.2.7 (30 Mar 2003)
+
+ 30 Mar 2003; Daniel Ahlberg <aliz@gentoo.org> mit-krb5-1.2.7.ebuid :
+ Security update. Various patches from MIT applied.
*mit-krb5-1.2.6-r2 (07 Dec 2002)
diff --git a/app-crypt/mit-krb5/files/digest-mit-krb5-1.2.7 b/app-crypt/mit-krb5/files/digest-mit-krb5-1.2.7
new file mode 100644
index 000000000000..a408c7ae4794
--- /dev/null
+++ b/app-crypt/mit-krb5/files/digest-mit-krb5-1.2.7
@@ -0,0 +1,2 @@
+MD5 854b52face2a8f771caf88166fa269d3 krb5-1.2.7.tar.gz 5491926
+MD5 88d770f2de2c1bd842b511f47002a807 2003-004-krb4_patchkit.tar.gz 11493
diff --git a/app-crypt/mit-krb5/files/krb5-1.2.7-principal_name_handling.patch b/app-crypt/mit-krb5/files/krb5-1.2.7-principal_name_handling.patch
new file mode 100644
index 000000000000..a220866d8237
--- /dev/null
+++ b/app-crypt/mit-krb5/files/krb5-1.2.7-principal_name_handling.patch
@@ -0,0 +1,51 @@
+Index: include/krb5.hin
+===================================================================
+RCS file: /cvs/krbdev/krb5/src/include/krb5.hin,v
+retrieving revision 1.94.2.5.2.17
+diff -p -u -r1.94.2.5.2.17 krb5.hin
+--- src/include/krb5.hin 2002/04/16 23:47:53 1.94.2.5.2.17
++++ src/include/krb5.hin 2003/03/19 00:38:54
+@@ -326,7 +326,7 @@ typedef krb5_const krb5_principal_data F
+ #define krb5_princ_size(context, princ) (princ)->length
+ #define krb5_princ_type(context, princ) (princ)->type
+ #define krb5_princ_name(context, princ) (princ)->data
+-#define krb5_princ_component(context, princ,i) ((princ)->data + i)
++#define krb5_princ_component(context, princ,i) (i < krb5_princ_size(context, princ) ? ((princ)->data + i) : NULL)
+
+ /*
+ * end "base-defs.h"
+Index: kdc/kdc_util.c
+===================================================================
+RCS file: /cvs/krbdev/krb5/src/kdc/kdc_util.c,v
+retrieving revision 5.96.2.2.2.3
+diff -p -u -r5.96.2.2.2.3 kdc_util.c
+--- src/kdc/kdc_util.c 2002/10/31 00:38:34 5.96.2.2.2.3
++++ src/kdc/kdc_util.c 2003/03/19 00:39:00
+@@ -157,7 +157,8 @@ realm_compare(princ1, princ2)
+ krb5_boolean krb5_is_tgs_principal(principal)
+ krb5_principal principal;
+ {
+- if ((krb5_princ_component(kdc_context, principal, 0)->length ==
++ if (krb5_princ_size(kdc_context, principal) > 0 &&
++ (krb5_princ_component(kdc_context, principal, 0)->length ==
+ KRB5_TGS_NAME_SIZE) &&
+ (!memcmp(krb5_princ_component(kdc_context, principal, 0)->data,
+ KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE)))
+Index: lib/krb5/krb/unparse.c
+===================================================================
+RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/unparse.c,v
+retrieving revision 5.27.4.1
+diff -p -u -r5.27.4.1 unparse.c
+--- src/lib/krb5/krb/unparse.c 2002/08/12 22:55:01 5.27.4.1
++++ src/lib/krb5/krb/unparse.c 2003/03/19 00:39:02
+@@ -153,7 +153,8 @@ krb5_unparse_name_ext(context, principal
+ *q++ = COMPONENT_SEP;
+ }
+
+- q--; /* Back up last component separator */
++ if (i > 0)
++ q--; /* Back up last component separator */
+ *q++ = REALM_SEP;
+
+ cp = krb5_princ_realm(context, principal)->data;
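Review bot: The rewritten `krb5_princ_component` macro in krb5.hin uses `i` unparenthesized and evaluates it twice, so an argument with side effects or a lower-precedence operator changes meaning; it should read `#define krb5_princ_component(context, princ, i) (((i) < krb5_princ_size(context, princ)) ? ((princ)->data + (i)) : NULL)`. The macro now yields NULL for an out-of-range index, and only `krb5_is_tgs_principal` in kdc_util.c gains a size check in this patch. Any other caller that dereferences the result directly (`->length`, `->data`) therefore trades an out-of-bounds read for a NULL dereference; those call sites are outside this hunk and need the same guard. If the index can be a signed value, a negative `i` still passes the `<` test, so a `(i) >= 0` term may be needed as well.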
+
diff --git a/app-crypt/mit-krb5/files/krb5-1.2.7-xdr.patch b/app-crypt/mit-krb5/files/krb5-1.2.7-xdr.patch
new file mode 100644
index 000000000000..d25f5717bff1
--- /dev/null
+++ b/app-crypt/mit-krb5/files/krb5-1.2.7-xdr.patch
@@ -0,0 +1,137 @@
+Index: xdr_mem.c
+===================================================================
+RCS file: /cvs/krbdev/krb5/src/lib/rpc/xdr_mem.c,v
+retrieving revision 1.8
+diff -c -r1.8 xdr_mem.c
+*** src/lib/rpc/xdr_mem.c 1998/02/14 02:27:24 1.8
+- --- src/lib/rpc/xdr_mem.c 2003/02/04 22:57:24
+***************
+*** 47,52 ****
+- --- 47,54 ----
+ #include <gssrpc/xdr.h>
+ #include <netinet/in.h>
+ #include <stdio.h>
++ #include <string.h>
++ #include <limits.h>
+
+ static bool_t xdrmem_getlong();
+ static bool_t xdrmem_putlong();
+***************
+*** 83,89 ****
+ xdrs->x_op = op;
+ xdrs->x_ops = &xdrmem_ops;
+ xdrs->x_private = xdrs->x_base = addr;
+! xdrs->x_handy = size;
+ }
+
+ static void
+- --- 85,91 ----
+ xdrs->x_op = op;
+ xdrs->x_ops = &xdrmem_ops;
+ xdrs->x_private = xdrs->x_base = addr;
+! xdrs->x_handy = (size > INT_MAX) ? INT_MAX : size; /* XXX */
+ }
+
+ static void
+***************
+*** 98,105 ****
+ long *lp;
+ {
+
+! if ((xdrs->x_handy -= sizeof(rpc_int32)) < 0)
+ return (FALSE);
+ *lp = (long)ntohl(*((rpc_u_int32 *)(xdrs->x_private)));
+ xdrs->x_private += sizeof(rpc_int32);
+ return (TRUE);
+- --- 100,109 ----
+ long *lp;
+ {
+
+! if (xdrs->x_handy < sizeof(rpc_int32))
+ return (FALSE);
++ else
++ xdrs->x_handy -= sizeof(rpc_int32);
+ *lp = (long)ntohl(*((rpc_u_int32 *)(xdrs->x_private)));
+ xdrs->x_private += sizeof(rpc_int32);
+ return (TRUE);
+***************
+*** 111,118 ****
+ long *lp;
+ {
+
+! if ((xdrs->x_handy -= sizeof(rpc_int32)) < 0)
+ return (FALSE);
+ *(rpc_int32 *)xdrs->x_private = (rpc_int32)htonl((rpc_u_int32)(*lp));
+ xdrs->x_private += sizeof(rpc_int32);
+ return (TRUE);
+- --- 115,124 ----
+ long *lp;
+ {
+
+! if (xdrs->x_handy < sizeof(rpc_int32))
+ return (FALSE);
++ else
++ xdrs->x_handy -= sizeof(rpc_int32);
+ *(rpc_int32 *)xdrs->x_private = (rpc_int32)htonl((rpc_u_int32)(*lp));
+ xdrs->x_private += sizeof(rpc_int32);
+ return (TRUE);
+***************
+*** 125,132 ****
+ register unsigned int len;
+ {
+
+! if ((xdrs->x_handy -= len) < 0)
+ return (FALSE);
+ memmove(addr, xdrs->x_private, len);
+ xdrs->x_private += len;
+ return (TRUE);
+- --- 131,140 ----
+ register unsigned int len;
+ {
+
+! if (xdrs->x_handy < len)
+ return (FALSE);
++ else
++ xdrs->x_handy -= len;
+ memmove(addr, xdrs->x_private, len);
+ xdrs->x_private += len;
+ return (TRUE);
+***************
+*** 139,146 ****
+ register unsigned int len;
+ {
+
+! if ((xdrs->x_handy -= len) < 0)
+ return (FALSE);
+ memmove(xdrs->x_private, addr, len);
+ xdrs->x_private += len;
+ return (TRUE);
+- --- 147,156 ----
+ register unsigned int len;
+ {
+
+! if (xdrs->x_handy < len)
+ return (FALSE);
++ else
++ xdrs->x_handy -= len;
+ memmove(xdrs->x_private, addr, len);
+ xdrs->x_private += len;
+ return (TRUE);
+***************
+*** 179,185 ****
+ {
+ rpc_int32 *buf = 0;
+
+! if (xdrs->x_handy >= len) {
+ xdrs->x_handy -= len;
+ buf = (rpc_int32 *) xdrs->x_private;
+ xdrs->x_private += len;
+- --- 189,195 ----
+ {
+ rpc_int32 *buf = 0;
+
+! if (len >= 0 && xdrs->x_handy >= len) {
+ xdrs->x_handy -= len;
+ buf = (rpc_int32 *) xdrs->x_private;
+ xdrs->x_private += len;
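Review bot: The new bounds checks in the xdr_mem.c hunks at 100-109, 115-124, 131-140 and 147-156 compare `xdrs->x_handy` with an unsigned quantity (`sizeof(rpc_int32)` or the `unsigned int len`), so if `x_handy` is a signed int, as the `INT_MAX` clamp in the first changed hunk suggests, a negative value is converted to a large unsigned one and passes the check. The fix therefore depends on the unstated invariant that `x_handy` never goes below zero, and any code outside this patch that assigns it has to keep that true. I would record this next to the clamp instead of the bare `/* XXX */`, e.g. `/* x_handy must stay in [0, INT_MAX]: the length checks compare it as unsigned */`, or make the check explicit with `if (xdrs->x_handy < 0 || (size_t)xdrs->x_handy < sizeof(rpc_int32))`. The function bodies start outside the quoted context.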
+
diff --git a/app-crypt/mit-krb5/mit-krb5-1.2.7.ebuild b/app-crypt/mit-krb5/mit-krb5-1.2.7.ebuild
new file mode 100644
index 000000000000..5a1ba5b49252
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.2.7.ebuild
@@ -0,0 +1,90 @@
+# Copyright 1999-2003 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.2.7.ebuild,v 1.1 2003/03/30 17:40:52 aliz Exp $
+
+inherit eutils
+
+MY_P=${PN/mit-}-${PV}
+S=${WORKDIR}/${MY_P}/src
+SRC_URI="http://www.mirrors.wiretapped.net/security/cryptography/apps/kerberos/krb5-mit/unix/${MY_P}.tar.gz
+ http://www.galiette.com/krb5/${MY_P}.tar.gz
+ http://munitions.vipul.net/software/system/auth/kerberos/${MY_P}.tar.gz
+ http://web.mit.edu/kerberos/www/advisories/2003-004-krb4_patchkit.tar.gz"
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+IUSE="krb4"
+SLOT="0"
+LICENSE="as-is"
+KEYWORDS="~x86"
+PROVIDE="virtual/krb5"
+DEPEND="virtual/glibc"
+
+src_unpack() {
+ unpack ${A} ; cd ${S}
+
+ EPATCH_SINGLE_MSG="Applying MIT krb5 Security Advisory 2003-003 fix"
+ epatch ${FILESDIR}/${MY_P}-xdr.patch
+ EPATCH_SINGLE_MSG="Applying MIT krb5 Security Advisory 2003-004 fix"
+ epatch ${WORKDIR}/2003-004-krb4_patchkit/patch.${PV}
+ EPATCH_SINGLE_MSG="Applying MIT krb5 Security Advisory 2003-005 fix"
+ epatch ${FILESDIR}/${MY_P}-principal_name_handling.patch
+
+ # Fix bad errno definitions (bug #16450 and #16267)
+ ebegin Fixing errno definitions
+ find . -name '*.[ch]' | xargs grep -l 'extern.*int.*errno' \
+ | xargs -n1 perl -pi.orig -e '
+ $.==1 && s/^/#include <errno.h>\n/;
+ s/extern\s+int\s+errno\s*\;//;'
+ eend 0
+}
+
+src_compile() {
+ local myconf
+
+ use krb4 && myconf="${myconf} --with-krb4 --enable-krb4" \
+ || myconf="${myconf} --without-krb4 --disable-krb4"
+
+ econf \
+ --mandir=/usr/share/man \
+ --localstatedir=/etc \
+ --enable-shared \
+ --host=${CHOST} \
+ --prefix=/usr \
+ --enable-dns \
+ ${myconf} || die
+
+ make || die
+}
+
+src_install () {
+ make DESTDIR=${D} install || die
+ cd ..
+ dodoc README
+
+ # Begin client rename and install
+ for i in {telnetd,ftpd}
+ do
+ mv ${D}/usr/share/man/man8/${i}.8.gz ${D}/usr/share/man/man8/k${i}.8.gz
+ mv ${D}/usr/sbin/${i} ${D}/usr/sbin/k${i}
+ done
+ for i in {rcp,rsh,telnet,v4rcp,ftp,rlogin}
+ do
+ mv ${D}/usr/share/man/man1/${i}.1.gz ${D}/usr/share/man/man1/k${i}.1.gz
+ mv ${D}/usr/bin/${i} ${D}/usr/bin/k${i}
+ done
+
+ insinto /etc
+ newins ${FILESDIR}/krb5.conf krb5.conf
+ insinto /etc/krb5kdc
+ newins ${FILESDIR}/kdc.conf kdc.conf
+ insinto /etc/conf.d
+ newins ${FILESDIR}/krb5.confd krb5
+ exeinto /etc/init.d
+ newexe ${FILESDIR}/krb5.initd krb5
+}
+
+pkg_postinst() {
+ einfo "Configuration files are now under /etc."
+ einfo "The client apps are now installed with the k prefix"
+ einfo "(ie. kftp, kftpd, ktelnet, ktelnetd, etc...)"
+}
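Review bot: `SRC_URI` fetches the release tarball from three third-party mirrors and the 2003-004 patchkit over plain `http://`, and the only integrity pin visible in this commit is the pair of MD5 lines in files/digest-mit-krb5-1.2.7. For a security update to an authentication package, the ebuild should say how those digests were established; I would add a comment above `SRC_URI` such as `# digests generated from files checked against MIT's PGP-signed release and advisory`, assuming that check was done. Separately, `eend 0` in `src_unpack` reports success regardless of whether the `find | xargs | perl` errno rewrite worked; `eend $?` would surface a failure.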