author | Eray Aslan <eras@gentoo.org> | 2011-12-23 08:43:57 +0000 |
---|---|---|
committer | Eray Aslan <eras@gentoo.org> | 2011-12-23 08:43:57 +0000 |
commit | f760e56445859eafaac563ab17da28b01c9b01be (patch) | |
tree | 04f1b79eedcbf1d3f60777cb7307a15f642371db /app-crypt | |
parent | Support /etc/machine-id fallback wrt #390463 by "Alphat-PC" (diff) | |
remove vulnerable versions
(Portage version: 2.1.10.41/cvs/Linux x86_64)
Diffstat (limited to 'app-crypt')
-rw-r--r-- | app-crypt/mit-krb5/ChangeLog | 7 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2011-1527.1528.1529.patch | 75 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/mit-krb5-1.9.1-fd-leak.patch | 65 | ||||
-rw-r--r-- | app-crypt/mit-krb5/mit-krb5-1.9.1-r2.ebuild | 123 | ||||
-rw-r--r-- | app-crypt/mit-krb5/mit-krb5-1.9.2.ebuild | 121 |
5 files changed, 6 insertions, 385 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog index 140577d8b4f3..a4ad6214b71e 100644 --- a/app-crypt/mit-krb5/ChangeLog +++ b/app-crypt/mit-krb5/ChangeLog @@ -1,6 +1,11 @@ # ChangeLog for app-crypt/mit-krb5 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.307 2011/12/22 23:24:00 halcy0n Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.308 2011/12/23 08:43:57 eras Exp $ + + 23 Dec 2011; Eray Aslan <eras@gentoo.org> + -mit-krb5-1.9.1-r2.ebuild, -files/mit-krb5-1.9.1-fd-leak.patch, + -mit-krb5-1.9.2.ebuild, -files/CVE-2011-1527.1528.1529.patch: + remove vulnerable versions 22 Dec 2011; Mark Loeser <halcy0n@gentoo.org> mit-krb5-1.9.2-r1.ebuild: Stable for ppc/ppc64; bug #393429 diff --git a/app-crypt/mit-krb5/files/CVE-2011-1527.1528.1529.patch b/app-crypt/mit-krb5/files/CVE-2011-1527.1528.1529.patch deleted file mode 100644 index 05a22caf53e1..000000000000 --- a/app-crypt/mit-krb5/files/CVE-2011-1527.1528.1529.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c -index b473611..50c60b7 100644 ---- a/src/plugins/kdb/db2/lockout.c -+++ b/src/plugins/kdb/db2/lockout.c -@@ -169,6 +169,9 @@ krb5_db2_lockout_audit(krb5_context context, - return 0; - } - -+ if (entry == NULL) -+ return 0; -+ - if (!db_ctx->disable_lockout) { - code = lookup_lockout_policy(context, entry, &max_fail, - &failcnt_interval, &lockout_duration); -@@ -176,6 +179,15 @@ krb5_db2_lockout_audit(krb5_context context, - return code; - } - -+ /* -+ * Don't continue to modify the DB for an already locked account. -+ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and -+ * this check is unneeded, but in rare cases, we can fail with an -+ * integrity error or preauth failure before a policy check.) -+ */ -+ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry)) -+ return 0; -+ - /* Only mark the authentication as successful if the entry - * required preauthentication, otherwise we have no idea. 
*/ - if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) { -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -index 552e39a..c2f44ab 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -@@ -105,6 +105,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, - CHECK_LDAP_HANDLE(ldap_context); - - if (is_principal_in_realm(ldap_context, searchfor) != 0) { -+ st = KRB5_KDB_NOENTRY; - krb5_set_error_message (context, st, "Principal does not belong to realm"); - goto cleanup; - } -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c -index a218dc7..fd164dd 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c -@@ -165,6 +165,9 @@ krb5_ldap_lockout_audit(krb5_context context, - return 0; - } - -+ if (entry == NULL) -+ return 0; -+ - if (!ldap_context->disable_lockout) { - code = lookup_lockout_policy(context, entry, &max_fail, - &failcnt_interval, -@@ -173,9 +176,16 @@ krb5_ldap_lockout_audit(krb5_context context, - return code; - } - -- entry->mask = 0; -+ /* -+ * Don't continue to modify the DB for an already locked account. -+ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and -+ * this check is unneeded, but in rare cases, we can fail with an -+ * integrity error or preauth failure before a policy check.) -+ */ -+ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry)) -+ return 0; - -- assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry)); -+ entry->mask = 0; - - /* Only mark the authentication as successful if the entry - * required preauthentication, otherwise we have no idea. */ 
diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.9.1-fd-leak.patch b/app-crypt/mit-krb5/files/mit-krb5-1.9.1-fd-leak.patch deleted file mode 100644 index 9eeb17a94cc6..000000000000 --- a/app-crypt/mit-krb5/files/mit-krb5-1.9.1-fd-leak.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -bug #387485 - -Index: trunk/src/lib/kadm5/clnt/client_init.c -=================================================================== -diff -u -N -r24978 -r25115 ---- trunk/src/lib/kadm5/clnt/client_init.c (.../client_init.c) (revision 24978) -+++ trunk/src/lib/kadm5/clnt/client_init.c (.../client_init.c) (revision 25115) -@@ -155,7 +155,7 @@ - kadm5_config_params *params_in, krb5_ui_4 struct_version, - krb5_ui_4 api_version, char **db_args, void **server_handle) - { -- int fd; -+ int fd = -1; - - krb5_boolean iprop_enable; - int port; -@@ -192,6 +192,7 @@ - handle->struct_version = struct_version; - handle->api_version = api_version; - handle->clnt = 0; -+ handle->client_socket = -1; - handle->cache_name = 0; - handle->destroy_cache = 0; - handle->context = 0; -@@ -301,7 +302,9 @@ - #endif - goto error; - } -+ handle->client_socket = fd; - handle->lhandle->clnt = handle->clnt; -+ handle->lhandle->client_socket = fd; - - /* now that handle->clnt is set, we can check the handle */ - if ((code = _kadm5_check_handle((void *) handle))) -@@ -372,6 +375,8 @@ - AUTH_DESTROY(handle->clnt->cl_auth); - if(handle->clnt) - clnt_destroy(handle->clnt); -+ if (fd != -1) -+ close(fd); - - kadm5_free_config_params(handle->context, &handle->params); - -@@ -796,6 +801,8 @@ - AUTH_DESTROY(handle->clnt->cl_auth); - if (handle->clnt) - clnt_destroy(handle->clnt); -+ if (handle->client_socket != -1) -+ close(handle->client_socket); - if (handle->lhandle) - free (handle->lhandle); - -Index: trunk/src/lib/kadm5/clnt/client_internal.h -=================================================================== -diff -u -N -r23100 -r25115 ---- trunk/src/lib/kadm5/clnt/client_internal.h (.../client_internal.h) (revision 23100) -+++ trunk/src/lib/kadm5/clnt/client_internal.h (.../client_internal.h) (revision 25115) -@@ -72,6 +72,7 @@ - char * cache_name; - int destroy_cache; - CLIENT * clnt; -+ int client_socket; - krb5_context context; - kadm5_config_params params; - struct 
_kadm5_server_handle_t *lhandle; diff --git a/app-crypt/mit-krb5/mit-krb5-1.9.1-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.9.1-r2.ebuild deleted file mode 100644 index cb5065dda0a4..000000000000 --- a/app-crypt/mit-krb5/mit-krb5-1.9.1-r2.ebuild +++ /dev/null 
@@ -1,123 +0,0 @@ -# Copyright 1999-2011 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.9.1-r2.ebuild,v 1.6 2011/10/23 08:55:53 xarthisius Exp $ - -EAPI=3 - -inherit eutils flag-o-matic versionator - -MY_P="${P/mit-}" -P_DIR=$(get_version_component_range 1-2) -DESCRIPTION="MIT Kerberos V" -HOMEPAGE="http://web.mit.edu/kerberos/www/" -SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar" - -LICENSE="as-is" -SLOT="0" -KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos" -IUSE="doc +keyutils openldap +pkinit +threads test xinetd" - -RDEPEND="!!app-crypt/heimdal - >=sys-libs/e2fsprogs-libs-1.41.0 - keyutils? ( sys-apps/keyutils ) - openldap? ( net-nds/openldap ) - xinetd? ( sys-apps/xinetd )" -DEPEND="${RDEPEND} - virtual/yacc - doc? ( virtual/latex-base ) - test? ( dev-lang/tcl - dev-lang/python - dev-util/dejagnu )" - -S=${WORKDIR}/${MY_P}/src - -src_unpack() { - unpack ${A} - unpack ./"${MY_P}".tar.gz -} - -src_prepare() { - epatch "${FILESDIR}/${P}-fd-leak.patch" - epatch "${FILESDIR}/CVE-2011-1527.1528.1529.patch" -} - -src_configure() { - append-flags "-I${EPREFIX}/usr/include/et" - # QA - append-flags -fno-strict-aliasing - append-flags -fno-strict-overflow - use keyutils || export ac_cv_header_keyutils_h=no - econf \ - $(use_with openldap ldap) \ - "$(use_with test tcl "${EPREFIX}/usr")" \ - $(use_enable pkinit) \ - $(use_enable threads thread-support) \ - --without-krb4 \ - --without-hesiod \ - --enable-shared \ - --with-system-et \ - --with-system-ss \ - --enable-dns-for-realm \ - --enable-kdc-lookaside-cache \ - --disable-rpath -} - -src_compile() { - emake -j1 || die "emake failed" - - if use doc ; then - cd ../doc - for dir in api implement ; do - emake -C "${dir}" || die "doc emake failed" - done - fi -} - -src_install() { - emake \ - DESTDIR="${D}" \ - 
EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \ - install || die "install failed" - - # default database dir - keepdir /var/lib/krb5kdc - - cd .. - dodoc NOTICE README - dodoc doc/*.{ps,txt} - doinfo doc/*.info* - dohtml -r doc/*.html - - # die if we cannot respect a USE flag - if use doc ; then - dodoc doc/{api,implement}/*.ps || die "dodoc failed" - fi - - newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind || die - newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc || die - newinitd "${FILESDIR}"/mit-krb5kpropd.initd mit-krb5kpropd || die - - insinto /etc - newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example - insinto /var/lib/krb5kdc - newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example - - if use openldap ; then - insinto /etc/openldap/schema - doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema" || die - fi - - if use xinetd ; then - insinto /etc/xinetd.d - newins "${FILESDIR}/kpropd.xinetd" kpropd || die - fi -} - -pkg_preinst() { - if has_version "<${CATEGORY}/${PN}-1.8.0" ; then - elog "MIT split the Kerberos applications from the base Kerberos" - elog "distribution. Kerberized versions of telnet, rlogin, rsh, rcp," - elog "ftp clients and telnet, ftp deamons now live in" - elog "\"app-crypt/mit-krb5-appl\" package." - fi -} diff --git a/app-crypt/mit-krb5/mit-krb5-1.9.2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.9.2.ebuild deleted file mode 100644 index 6e8f58db1707..000000000000 --- a/app-crypt/mit-krb5/mit-krb5-1.9.2.ebuild +++ /dev/null 
@@ -1,121 +0,0 @@ -# Copyright 1999-2011 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.9.2.ebuild,v 1.1 2011/11/05 13:08:11 eras Exp $ - -EAPI=3 - -inherit eutils flag-o-matic versionator - -MY_P="${P/mit-}" -P_DIR=$(get_version_component_range 1-2) -DESCRIPTION="MIT Kerberos V" -HOMEPAGE="http://web.mit.edu/kerberos/www/" -SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar" - -LICENSE="as-is" -SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos" -IUSE="doc +keyutils openldap +pkinit +threads test xinetd" - -RDEPEND="!!app-crypt/heimdal - >=sys-libs/e2fsprogs-libs-1.41.0 - keyutils? ( sys-apps/keyutils ) - openldap? ( net-nds/openldap ) - xinetd? ( sys-apps/xinetd )" -DEPEND="${RDEPEND} - virtual/yacc - doc? ( virtual/latex-base ) - test? ( dev-lang/tcl - dev-lang/python - dev-util/dejagnu )" - -S=${WORKDIR}/${MY_P}/src - -src_unpack() { - unpack ${A} - unpack ./"${MY_P}".tar.gz -} - -src_prepare() { - epatch "${FILESDIR}/${PN}-kprop_exit_on_error.patch" -} - -src_configure() { - append-flags "-I${EPREFIX}/usr/include/et" - # QA - append-flags -fno-strict-aliasing - append-flags -fno-strict-overflow - use keyutils || export ac_cv_header_keyutils_h=no - econf \ - $(use_with openldap ldap) \ - "$(use_with test tcl "${EPREFIX}/usr")" \ - $(use_enable pkinit) \ - $(use_enable threads thread-support) \ - --without-hesiod \ - --enable-shared \ - --with-system-et \ - --with-system-ss \ - --enable-dns-for-realm \ - --enable-kdc-lookaside-cache \ - --disable-rpath -} - -src_compile() { - emake -j1 || die "emake failed" - - if use doc ; then - cd ../doc - for dir in api implement ; do - emake -C "${dir}" || die "doc emake failed" - done - fi -} - -src_install() { - emake \ - DESTDIR="${D}" \ - EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \ - install || die 
"install failed" - - # default database dir - keepdir /var/lib/krb5kdc - - cd .. - dodoc NOTICE README - dodoc doc/*.{ps,txt} - doinfo doc/*.info* - dohtml -r doc/*.html - - # die if we cannot respect a USE flag - if use doc ; then - dodoc doc/{api,implement}/*.ps || die "dodoc failed" - fi - - newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind || die - newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc || die - newinitd "${FILESDIR}"/mit-krb5kpropd.initd mit-krb5kpropd || die - - insinto /etc - newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example - insinto /var/lib/krb5kdc - newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example - - if use openldap ; then - insinto /etc/openldap/schema - doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema" || die - fi - - if use xinetd ; then - insinto /etc/xinetd.d - newins "${FILESDIR}/kpropd.xinetd" kpropd || die - fi -} - -pkg_preinst() { - if has_version "<${CATEGORY}/${PN}-1.8.0" ; then - elog "MIT split the Kerberos applications from the base Kerberos" - elog "distribution. Kerberized versions of telnet, rlogin, rsh, rcp," - elog "ftp clients and telnet, ftp deamons now live in" - elog "\"app-crypt/mit-krb5-appl\" package." - fi -} |