Security bump - bugs #533734 #538842

Package-Manager: portage-2.2.15/cvs/Linux x86_64 Manifest-Sign-Key: 0x77F1F175586A3B1F
author: Eray Aslan <eras@gentoo.org> 2015-02-05 16:25:00 +0000
committer: Eray Aslan <eras@gentoo.org> 2015-02-05 16:25:00 +0000
commit: 585ff15d200c15980b7790d046053ee1c0e6367e (patch)
tree: 06c6f6a09b6682d706e268c0f1789bb367132b48 /app-crypt
parent: Version bump for 5.5 series (diff)
download: historical-585ff15d200c15980b7790d046053ee1c0e6367e.tar.gz
historical-585ff15d200c15980b7790d046053ee1c0e6367e.tar.bz2
historical-585ff15d200c15980b7790d046053ee1c0e6367e.zip
6 files changed, 595 insertions, 17 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog
index 3f9c2ac44da2..83467b6ef1a0 100644
--- a/app-crypt/mit-krb5/ChangeLog
+++ b/app-crypt/mit-krb5/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for app-crypt/mit-krb5
-# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.441 2014/11/24 08:53:32 eras Exp $
+# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.442 2015/02/05 16:24:40 eras Exp $
+
+*mit-krb5-1.13-r1 (05 Feb 2015)
+
+  05 Feb 2015; Eray Aslan <eras@gentoo.org> +files/2015-001-patch-r113.patch,
+  +files/mit-krb5-CVE-2014-5353.patch, +files/mit-krb5-CVE-2014-5354.patch,
+  +mit-krb5-1.13-r1.ebuild:
+  Security bump - bugs #533734 #538842
 
   24 Nov 2014; Eray Aslan <eras@gentoo.org> -mit-krb5-1.12.2.ebuild:
   Remove old
diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index f8e3f156950f..ea47b8d7423c 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,30 +1,36 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA256
 
+AUX 2015-001-patch-r113.patch 12569 SHA256 c41cb0dd88abb53543697a6e91832d6e0639a99a811c3092904eff03fa4b5ec6 SHA512 9c3d1f75ba6814dc8864a6b6c5a5e53d729ec2f8fe468036bea5cb540ac4a58b4748c5af920c61347fe71af8d900501b68b5d3f538bc89791d7bfde70e1ebb69 WHIRLPOOL 771fa37b8496a77e9913c4882ea7ab8e03cc9dd32b00c024549f54c15d0dba1bbcf3e224abb567dc1acfc13d6e33ffa2b9973c777d4f730c3c5b95b1196e90aa
 AUX kpropd.xinetd 194 SHA256 eaa3838a6ca8db901db359cac3435d4f703a9a10534f02eeb37f494dd21a1736 SHA512 c9bbd13f2fadfd2a925bfae834ba61f227cd4386b4c4466b5227d93c792f4549778ef4d6e08353372df99804459277c71f61b41ec71f3afcc600d73c5705f72f WHIRLPOOL d77ae7b0094c4f42a7ea9cee5d36d0dba844a9ed5d59c621e47c7fa4b75c84fec3414e079c570513711b378d1b0fef61156f675a0df79ee61540d9492416fe42
 AUX mit-krb5-1.12_warn_cflags.patch 448 SHA256 67d3c91061933bd5393b9a6ee8fe2e3f5cd287c4eee7b92798cc2e201712c681 SHA512 42364d9cd8c0a6fd28ae661eeac4d0dd3f2001fe290bf9731ee99c2c786a6488805fc93057d59e201e2cef1e5280af4c170187aa5603f4cf542906abc0fccc2b WHIRLPOOL 9fa704dde00b0201d765199893bf787c5c104070596b05bc12e7f41ae21c4c60c8d25b21fe8573ecd3e63ab769238a78c5cf70f4d086a23f71423b1cad283eaa
+AUX mit-krb5-CVE-2014-5353.patch 820 SHA256 dbe25b16592a11e4c04652f0fc0267cf09bf7d6536b1eae063022ea2f90c4c81 SHA512 db45cf33516483024cc11242d35b011c750c61c77fc4baaa952172d36a2484f2ffee0bc6170e3d54ac34155f284bb40d73bbb9843fc78cfc127807efb960b8ea WHIRLPOOL 27150b91e0b9d055caff9bd6e8bb736e0bf25836ad719384a1b1456c70a48f64c815dabe445ccfe7eb42280ae7d91440994c2ce46cf9ca77195621ed0ece399a
+AUX mit-krb5-CVE-2014-5354.patch 2344 SHA256 8cb9458dba6bd3e195c95d09097d69a2dedf687a7f5111f9d4ba54498b1e524c SHA512 134e3efb0fc9e562ba47b8ac013f62c6e3fa438ee8df1b68426303c8892f647aa74a6476be80d54ed7a1dd68dc60430f1bd15d6a04ae840a3c7fbe5a9f86298d WHIRLPOOL 611fe25ea4e9e5ffef5fab294843f1fd566c0cb5dbbd9e75879159ab902c42b0b127b451c35e50797cb36d8af2f131661773b0b856eaf762f8081310de4d498e
 AUX mit-krb5-config_LDFLAGS.patch 466 SHA256 fbb4d9be71ef536a344d415b9c56ea42c5c2a2ef02ec3a866d9da47b3acd93d3 SHA512 9a1ca9b33e7708346eda78d199fdc51f0d7bd08d3d65ea15a19955a6155ab71b8ee0c8989859d6dff293a141f197ea19394a91b3b641181140a289b743e0f0e7 WHIRLPOOL f6c58e652c4c365c4f28894d404413a075cc6c5323f83b18d711dc831bb574623db371ccbc1a5aae0ddf030a1b85e1ad50c06f5904ae5554bb4026e464a2c75f
 AUX mit-krb5kadmind.initd-r1 592 SHA256 3e55c79f19aaa6ef6b64a621c03dbb2eac3ad923916dc803f4c1bfe48ce89fbb SHA512 f0595e9bbcd85badb403af7febce1fa28278bd7fc8118498948171ea12a27ce8b3c479a34b36639d7370193bc69a0b093ae7e3b66473078dabc38864fec931e9 WHIRLPOOL 16147fc873ad16c16410e82df817fdb7ff068ef5cc1c50d9bb5558f134db36d516ab80628714e836a20883d0d1dfd17bfca5a41225be4ecca270580f2db28e70
 AUX mit-krb5kdc.initd-r1 556 SHA256 709309dea043aa306c2fcf0960e0993a6db540c220de64cf92d6b85f1cca23c5 SHA512 d6d0076886ce284fc395fafc2dc253b4b3ee97b2986dea51388d96a1e1294680fb171f475efc7844559e2c6aac44b26678a9255921db9a58dcf2e7164f0aeec5 WHIRLPOOL 87e54c3df6b8b45058fe0c90c25946e37228aba32077ebcb595a82a0a6fc7268a516dcb1cfd0ce3fd82afedf19b5df2399ac05931f207d0f3d2e26afd590abef
 AUX mit-krb5kpropd.initd-r1 595 SHA256 c374ea05d7e9f15e10c8f9dbd0cad6548e0f92aef7de33e5dbc27222e9407e7b SHA512 a18c523aebbb6b8512cd261eac2149c7422214ef6a233e1ceb1b4da9187eeca317ddd75a153b13382571778931bbed00b1803ed015ff01875c8d565b3f3a593f WHIRLPOOL 869f8aec4764a12b5b5506a2fab8ea2641b58cb347a1db60110cccbb011dc51ab9115824828184abc55efccf540d6b014a57e0891b1d6d4ce28ff35405197aeb
 DIST krb5-1.13-signed.tar 12083200 SHA256 dc8f79ae9ab777d0f815e84ed02ac4ccfe3d5826eb4947a195dfce9fd95a9582 SHA512 99cf647ab39f5a34acaf2049908f91d3f3822f4afd3b9dad1630b31c72518398069f4f3d3840168122cb12aa5e5540466729bc714fbda96eb9403e635f88d244 WHIRLPOOL 4cb9bff7c9bf97cbe2a41eaa0f253a8c891b9beff9a2e65f1652eae235c90b811efeae1ee7b608e90ad993a3959a787a06a34f62cec1a709b2fe6ec59f91e3d1
+EBUILD mit-krb5-1.13-r1.ebuild 4004 SHA256 c8f248cfdf76abb06d0f66c4a4ad2def779c1f08843f21e811c4be09ee873280 SHA512 edab5aef319d6357544d3f36c9df27ff36e2ba518eeb3f931b757c577e799c000efadca7843c2b25878e4e9e9bd83f1fa5735ee22cff38e16588983909d15155 WHIRLPOOL a7060c304a51e630a0501a764d803942d48030a48b474ef12e639fb3fce5c01eb08a7c789dda0bef4b4cf68157bb02ca1bc4fdf7f8b2cf948f17a576bce6356a
 EBUILD mit-krb5-1.13.ebuild 3852 SHA256 517b74d24b7aaf6262974ea579527f726ddb2b660d00fada3537820bd1aa93fa SHA512 1b6051b7a2f0dd14ab15f77285efc49861e095ba2cac7b6ae9d96cbaac8095b2fc5bb2043b19be118996689841f0c14ebbe673773d304ae224eed20343e6b5a0 WHIRLPOOL 91343588511735397042a93154e17800af95f84cb9a022c51aa8433975fa1edc16615a4902bc81f71570c54abb693d3c0216604cbbcb1937ebadedf350f188a3
-MISC ChangeLog 66879 SHA256 44c911cb03f9aff015ad41938c3584182bc0f7a716ed28b19578ead8536a7756 SHA512 81ba6c44652b497323608c6e9089e458ae861d35b8e5a01effe8062d39cfb20ef7b17632272694c0c3fce0a0883714e403e182f7dca6e0de2eebc9142e51e04d WHIRLPOOL 78992f6a54210d75bdfcb6c89a8a6a7bb0b41e6565afcf27b94021d6de6bf93bd1178f0dd502c8fe80f0f07d20a427efcecf31432fdfa4ff183a3d1130f5eae4
+MISC ChangeLog 67134 SHA256 c75114547001535e00643855202570bce6d6bdf5c3ce6a58640efe226dcfa11e SHA512 73297b8d999a50f467a2ae32b22651a08a0ad38a46d71679b50c77385e5cf432bb89899c02239c619b1df13040acc395d331e20fbed0ddefb14bb9588bb17682 WHIRLPOOL b7b1e3d85c40233edcd2e72a5199f0e31a6dbd35fe19c9b7a22845db3dbfdffe85f6d48c9c4142de1ea87f24312d7fd2664b20cd5dd3137faaf3b6134234280d
 MISC metadata.xml 668 SHA256 da5862dde92f34b882870961cb9f1e4aa8209fc549e32a43d99770a9de8b232d SHA512 0038aeb7cda74161d2e2fe97c5124ee6cc86a24b9503714c128cd8b9af8b8050a89cf5dd3aadd66b1714c1d1aeb8564d50479547a586200793ea485e9f9c6c8b WHIRLPOOL 52394a4f4d5acb11f3bf2e76e036707c7f7741990d70bafb5c87a6da5d191b6aee3cb8383f6e66694cbda7458eb1a869c7ec8758750741835e2f1af4e028378c
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
+Version: GnuPG v2.0
 
-iQIcBAEBCAAGBQJUcvIfAAoJEHfx8XVYajsf4/YP/jSNvDrqyihf26FzbvaBxmHw
-0FJJdmx05rp0Mlv4SaTcGg3hw11SP3YhV1b9Opx4n4j8a8IUiAezRXdOVfch8hpy
-7tQyE0ZKgTpC9G/Rgh8P/6crk+pyDSUIVI7mnnWH/hQ5nCGaXPUgQn7XSD7nT4/a
-XQGkILl60Dhslp2wsv0uVMEhdlwHfEt3I4oCLm3eor+feEBgyrF//Yes0iFLW4G0
-lgiVW0tqvK45idoHJywlqjt0lMsoHxDI+qSaj+R0QVYKX/lCq+i454j726hAACuw
-MxEGe0l9m1kSuIDHJfXV8avOjtHUoeoGooeH9wnU+oFbT4FFEK0CeeLz/ipVQDnV
-EXzOdExCVDVPv4kd6WDbcpB30dp0NYl0TL6lTBkAFCx3hF0vCLEZru53qzSogLHC
-Ex6ImvFDHjsHRL6tYko0gC8kxic7zjJx3YrQ24qFUSWiVmlAainSvpDYGx5mgtC6
-mFCw1ih14OW0+UbCDKZTFHQ5ONfsyVq9IPRV7zrxeIcFScpK7A45mqD5EGczwSd2
-NQsL/qvZi1X4wcYYsvQaMgZg62CRHiOjiL/rAVUfQ0vwsabIfihaHzfmDPMmCJyC
-+EnPvuxn20vI/r+B65mwoX5SBkb4KHc9nQmysdpubkvg+TTmKNRMtvVk4KWHmjwa
-X3WAVeq7CarzN1/Un2oJ
-=aNu4
+iQJ8BAEBCABmBQJU05lbXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
+ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBQjk1NkM0NUMxNzFCRTY4Rjk4NENDMDk3
+N0YxRjE3NTU4NkEzQjFGAAoJEHfx8XVYajsfCZAP+QEjqIBoGE3ZerZ2pkEldal7
+xc6JFDrQH6HxmXplZ7x1KqDy4+7rtAP6OETwk8uvghquHdPKeFMLxMNF5xelXqoE
+8l1cRKwBoaAsAFn63Z3BX0mpxtJ3sednpfZ66DaLCcmeGFBwQQmAdeKod/42//KT
+fhDEUUKcUzNRrm9GT+UBCXjqiSfL4SOH1VKpVLKd2qeWgZ/V8hsbluzcIShXpGnq
+poaavR4YAEzrIimaedvD2f+xFdMUJoE/Qy11+Cp/jy78KH5RNJk6ere/syHpbIQO
+qo+C8w1aHIqzwUqGQmh+IY6nCPofQNHNNglX2duRe+I60MlveXHZOsp5JIyrs9eS
+wTcbJwSy/lpuWinK08yOAYmB9uNu/BQyMXf2Yrrt6FlfoAhqdOtEvHKwQHgZCKHp
+zEAqt0HpyVaTdOJ13kZpb7Y0rN5mDb47DUQDaq4KhlpDqY0beq//aVk7iEL5WOe0
+DU71LNtMQLVm7xt4CLMGo2UwgIpd2xaZhyMmgYZfbcEbUxowcVzyQxkn6GPpfsY+
+MFFCsOlU+2Pguyk6ZSkE5bom8zi0AibM+LiW24q9R9czFGUBUC1cnNzFR4zLJX/S
+vfWA4hVcaMxBc9/QmSb/bUY8j8VFxONPgtGxYWenq8YPuhSdatVw9GmOVhYfctdS
+M/2E95tSa5wbodu6QhcW
+=SL9N
 -----END PGP SIGNATURE-----
diff --git a/app-crypt/mit-krb5/files/2015-001-patch-r113.patch b/app-crypt/mit-krb5/files/2015-001-patch-r113.patch
new file mode 100644
index 000000000000..455735ba41c8
--- /dev/null
+++ b/app-crypt/mit-krb5/files/2015-001-patch-r113.patch
@@ -0,0 +1,343 @@
+diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c
+index 3837931..f4d2a7c 100644
+--- a/src/kadmin/server/kadm_rpc_svc.c
++++ b/src/kadmin/server/kadm_rpc_svc.c
+@@ -4,7 +4,7 @@
+  *
+  */
+ 
+-#include <k5-platform.h>
++#include <k5-int.h>
+ #include <gssrpc/rpc.h>
+ #include <gssapi/gssapi_krb5.h> /* for gss_nt_krb5_name */
+ #include <syslog.h>
+@@ -296,14 +296,8 @@ check_rpcsec_auth(struct svc_req *rqstp)
+      c1 = krb5_princ_component(kctx, princ, 0);
+      c2 = krb5_princ_component(kctx, princ, 1);
+      realm = krb5_princ_realm(kctx, princ);
+-     if (strncmp(handle->params.realm, realm->data, realm->length) == 0
+-	 && strncmp("kadmin", c1->data, c1->length) == 0) {
+-
+-	  if (strncmp("history", c2->data, c2->length) == 0)
+-	       goto fail_princ;
+-	  else
+-	       success = 1;
+-     }
++     success = data_eq_string(*realm, handle->params.realm) &&
++	     data_eq_string(*c1, "kadmin") && !data_eq_string(*c2, "history");
+ 
+ fail_princ:
+      if (!success) {
+diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c
+index b3d1db0..a18cfb0 100644
+--- a/src/lib/gssapi/krb5/context_time.c
++++ b/src/lib/gssapi/krb5/context_time.c
+@@ -40,7 +40,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec)
+ 
+     ctx = (krb5_gss_ctx_id_rec *) context_handle;
+ 
+-    if (! ctx->established) {
++    if (ctx->terminated || !ctx->established) {
+         *minor_status = KG_CTX_INCOMPLETE;
+         return(GSS_S_NO_CONTEXT);
+     }
+diff --git a/src/lib/gssapi/krb5/export_sec_context.c b/src/lib/gssapi/krb5/export_sec_context.c
+index 18a3a34..1b3de68 100644
+--- a/src/lib/gssapi/krb5/export_sec_context.c
++++ b/src/lib/gssapi/krb5/export_sec_context.c
+@@ -45,6 +45,11 @@ krb5_gss_export_sec_context(minor_status, context_handle, interprocess_token)
+     *minor_status = 0;
+ 
+     ctx = (krb5_gss_ctx_id_t) *context_handle;
++    if (ctx->terminated) {
++        *minor_status = KG_CTX_INCOMPLETE;
++        return (GSS_S_NO_CONTEXT);
++    }
++
+     context = ctx->k5_context;
+     kret = krb5_gss_ser_init(context);
+     if (kret)
+diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
+index 7e807cc..a0e8625 100644
+--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
+@@ -206,6 +206,7 @@ typedef struct _krb5_gss_ctx_id_rec {
+     unsigned int established : 1;
+     unsigned int have_acceptor_subkey : 1;
+     unsigned int seed_init : 1;  /* XXX tested but never actually set */
++    unsigned int terminated : 1;
+     OM_uint32 gss_flags;
+     unsigned char seed[16];
+     krb5_gss_name_t here;
+diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
+index 6456b23..77b7fff 100644
+--- a/src/lib/gssapi/krb5/gssapi_krb5.c
++++ b/src/lib/gssapi/krb5/gssapi_krb5.c
+@@ -369,7 +369,7 @@ krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
+ 
+     ctx = (krb5_gss_ctx_id_rec *) context_handle;
+ 
+-    if (!ctx->established)
++    if (ctx->terminated || !ctx->established)
+         return GSS_S_NO_CONTEXT;
+ 
+     for (i = 0; i < sizeof(krb5_gss_inquire_sec_context_by_oid_ops)/
+diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c
+index eacb0fd..096df2a 100644
+--- a/src/lib/gssapi/krb5/inq_context.c
++++ b/src/lib/gssapi/krb5/inq_context.c
+@@ -105,7 +105,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
+ 
+     ctx = (krb5_gss_ctx_id_rec *) context_handle;
+ 
+-    if (! ctx->established) {
++    if (ctx->terminated || !ctx->established) {
+         *minor_status = KG_CTX_INCOMPLETE;
+         return(GSS_S_NO_CONTEXT);
+     }
+diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
+index 7665cba..f1c74dd 100644
+--- a/src/lib/gssapi/krb5/k5seal.c
++++ b/src/lib/gssapi/krb5/k5seal.c
+@@ -342,7 +342,7 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req,
+ 
+     ctx = (krb5_gss_ctx_id_rec *) context_handle;
+ 
+-    if (! ctx->established) {
++    if (ctx->terminated || !ctx->established) {
+         *minor_status = KG_CTX_INCOMPLETE;
+         return(GSS_S_NO_CONTEXT);
+     }
+diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c
+index a129670..b53e348 100644
+--- a/src/lib/gssapi/krb5/k5sealiov.c
++++ b/src/lib/gssapi/krb5/k5sealiov.c
+@@ -281,7 +281,7 @@ kg_seal_iov(OM_uint32 *minor_status,
+     }
+ 
+     ctx = (krb5_gss_ctx_id_rec *)context_handle;
+-    if (!ctx->established) {
++    if (ctx->terminated || !ctx->established) {
+         *minor_status = KG_CTX_INCOMPLETE;
+         return GSS_S_NO_CONTEXT;
+     }
+diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
+index 0573958..673c883 100644
+--- a/src/lib/gssapi/krb5/k5unseal.c
++++ b/src/lib/gssapi/krb5/k5unseal.c
+@@ -492,7 +492,7 @@ kg_unseal(minor_status, context_handle, input_token_buffer,
+ 
+     ctx = (krb5_gss_ctx_id_rec *) context_handle;
+ 
+-    if (! ctx->established) {
++    if (ctx->terminated || !ctx->established) {
+         *minor_status = KG_CTX_INCOMPLETE;
+         return(GSS_S_NO_CONTEXT);
+     }
+diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
+index f34d802..8b67042 100644
+--- a/src/lib/gssapi/krb5/k5unsealiov.c
++++ b/src/lib/gssapi/krb5/k5unsealiov.c
+@@ -625,7 +625,7 @@ kg_unseal_iov(OM_uint32 *minor_status,
+     OM_uint32 code;
+ 
+     ctx = (krb5_gss_ctx_id_rec *)context_handle;
+-    if (!ctx->established) {
++    if (ctx->terminated || !ctx->established) {
+         *minor_status = KG_CTX_INCOMPLETE;
+         return GSS_S_NO_CONTEXT;
+     }
+diff --git a/src/lib/gssapi/krb5/lucid_context.c b/src/lib/gssapi/krb5/lucid_context.c
+index 85df7fd..449e71f 100644
+--- a/src/lib/gssapi/krb5/lucid_context.c
++++ b/src/lib/gssapi/krb5/lucid_context.c
+@@ -75,6 +75,11 @@ gss_krb5int_export_lucid_sec_context(
+     *minor_status = 0;
+     *data_set = GSS_C_NO_BUFFER_SET;
+ 
++    if (ctx->terminated || !ctx->established) {
++        *minor_status = KG_CTX_INCOMPLETE;
++        return GSS_S_NO_CONTEXT;
++    }
++
+     retval = generic_gss_oid_decompose(minor_status,
+                                        GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID,
+                                        GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH,
+diff --git a/src/lib/gssapi/krb5/prf.c b/src/lib/gssapi/krb5/prf.c
+index e19291f..e897074 100644
+--- a/src/lib/gssapi/krb5/prf.c
++++ b/src/lib/gssapi/krb5/prf.c
+@@ -58,6 +58,10 @@ krb5_gss_pseudo_random(OM_uint32 *minor_status,
+     ns.data = NULL;
+ 
+     ctx = (krb5_gss_ctx_id_t)context;
++    if (ctx->terminated || !ctx->established) {
++        *minor_status = KG_CTX_INCOMPLETE;
++        return GSS_S_NO_CONTEXT;
++    }
+ 
+     switch (prf_key) {
+     case GSS_C_PRF_KEY_FULL:
+diff --git a/src/lib/gssapi/krb5/process_context_token.c b/src/lib/gssapi/krb5/process_context_token.c
+index ae33180..a672f48 100644
+--- a/src/lib/gssapi/krb5/process_context_token.c
++++ b/src/lib/gssapi/krb5/process_context_token.c
+@@ -39,11 +39,18 @@ krb5_gss_process_context_token(minor_status, context_handle,
+ 
+     ctx = (krb5_gss_ctx_id_t) context_handle;
+ 
+-    if (! ctx->established) {
++    if (ctx->terminated || !ctx->established) {
+         *minor_status = KG_CTX_INCOMPLETE;
+         return(GSS_S_NO_CONTEXT);
+     }
+ 
++    /* We only support context deletion tokens for now, and RFC 4121 does not
++     * define a context deletion token. */
++    if (ctx->proto) {
++        *minor_status = 0;
++        return(GSS_S_DEFECTIVE_TOKEN);
++    }
++
+     /* "unseal" the token */
+ 
+     if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle,
+@@ -52,8 +59,8 @@ krb5_gss_process_context_token(minor_status, context_handle,
+                                      KG_TOK_DEL_CTX)))
+         return(majerr);
+ 
+-    /* that's it.  delete the context */
+-
+-    return(krb5_gss_delete_sec_context(minor_status, &context_handle,
+-                                       GSS_C_NO_BUFFER));
++    /* Mark the context as terminated, but do not delete it (as that would
++     * leave the caller with a dangling context handle). */
++    ctx->terminated = 1;
++    return(GSS_S_COMPLETE);
+ }
+diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c
+index 7bc4221..ed5c599 100644
+--- a/src/lib/gssapi/krb5/wrap_size_limit.c
++++ b/src/lib/gssapi/krb5/wrap_size_limit.c
+@@ -95,7 +95,7 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag,
+     }
+ 
+     ctx = (krb5_gss_ctx_id_rec *) context_handle;
+-    if (! ctx->established) {
++    if (ctx->terminated || !ctx->established) {
+         *minor_status = KG_CTX_INCOMPLETE;
+         return(GSS_S_NO_CONTEXT);
+     }
+diff --git a/src/lib/gssapi/mechglue/mglueP.h b/src/lib/gssapi/mechglue/mglueP.h
+index e56b9c1..2b5145e 100644
+--- a/src/lib/gssapi/mechglue/mglueP.h
++++ b/src/lib/gssapi/mechglue/mglueP.h
+@@ -25,7 +25,6 @@ do {								\
+  */
+ typedef struct gss_union_ctx_id_struct {
+ 	struct gss_union_ctx_id_struct *loopback;
+-	struct gss_union_ctx_id_struct *interposer;
+ 	gss_OID			mech_type;
+ 	gss_ctx_id_t		internal_ctx_id;
+ } gss_union_ctx_id_desc, *gss_union_ctx_id_t;
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 42ac783..975f94c 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
++++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -320,6 +320,7 @@ bool_t xdr_krb5_tl_data(XDR *xdrs, krb5_tl_data **tl_data_head)
+ 	       free(tl);
+ 	       tl = tl2;
+ 	  }
++	  *tl_data_head = NULL;
+ 	  break;
+ 
+      case XDR_ENCODE:
+@@ -1096,6 +1097,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_principal *objp)
+     case XDR_FREE:
+ 	if(*objp != NULL)
+ 	    krb5_free_principal(context, *objp);
++	*objp = NULL;
+ 	break;
+     }
+     return TRUE;
+diff --git a/src/lib/rpc/auth_gssapi_misc.c b/src/lib/rpc/auth_gssapi_misc.c
+index 53bdb98..a05ea19 100644
+--- a/src/lib/rpc/auth_gssapi_misc.c
++++ b/src/lib/rpc/auth_gssapi_misc.c
+@@ -322,7 +322,6 @@ bool_t auth_gssapi_unwrap_data(
+      if (! (*xdr_func)(&temp_xdrs, xdr_ptr)) {
+ 	  PRINTF(("gssapi_unwrap_data: deserializing arguments failed\n"));
+ 	  gss_release_buffer(minor, &out_buf);
+-	  xdr_free(xdr_func, xdr_ptr);
+ 	  XDR_DESTROY(&temp_xdrs);
+ 	  return FALSE;
+      }
+diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
+index 09a3534..b81c4a3 100644
+--- a/src/lib/rpc/svc_auth_gss.c
++++ b/src/lib/rpc/svc_auth_gss.c
+@@ -65,16 +65,6 @@ extern const gss_OID_desc * const gss_mech_spkm3;
+ 
+ extern SVCAUTH svc_auth_none;
+ 
+-/*
+- * from mit-krb5-1.2.1 mechglue/mglueP.h:
+- * Array of context IDs typed by mechanism OID
+- */
+-typedef struct gss_union_ctx_id_t {
+-  gss_OID     mech_type;
+-  gss_ctx_id_t    internal_ctx_id;
+-} gss_union_ctx_id_desc, *gss_union_ctx_id_t;
+-
+-
+ static auth_gssapi_log_badauth_func log_badauth = NULL;
+ static caddr_t log_badauth_data = NULL;
+ static auth_gssapi_log_badauth2_func log_badauth2 = NULL;
+@@ -239,16 +229,8 @@ svcauth_gss_accept_sec_context(struct svc_req *rqst,
+ 		gd->ctx = GSS_C_NO_CONTEXT;
+ 		goto errout;
+ 	}
+-	/*
+-	 * ANDROS: krb5 mechglue returns ctx of size 8 - two pointers,
+-	 * one to the mechanism oid, one to the internal_ctx_id
+-	 */
+-	if ((gr->gr_ctx.value = mem_alloc(sizeof(gss_union_ctx_id_desc))) == NULL) {
+-		fprintf(stderr, "svcauth_gss_accept_context: out of memory\n");
+-		goto errout;
+-	}
+-	memcpy(gr->gr_ctx.value, gd->ctx, sizeof(gss_union_ctx_id_desc));
+-	gr->gr_ctx.length = sizeof(gss_union_ctx_id_desc);
++	gr->gr_ctx.value = "xxxx";
++	gr->gr_ctx.length = 4;
+ 
+ 	/* gr->gr_win = 0x00000005; ANDROS: for debugging linux kernel version...  */
+ 	gr->gr_win = sizeof(gd->seqmask) * 8;
+@@ -520,8 +502,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg,
+ 
+ 		if (!svcauth_gss_nextverf(rqst, htonl(gr.gr_win))) {
+ 			gss_release_buffer(&min_stat, &gr.gr_token);
+-			mem_free(gr.gr_ctx.value,
+-				 sizeof(gss_union_ctx_id_desc));
+ 			ret_freegc (AUTH_FAILED);
+ 		}
+ 		*no_dispatch = TRUE;
+@@ -531,7 +511,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg,
+ 
+ 		gss_release_buffer(&min_stat, &gr.gr_token);
+ 		gss_release_buffer(&min_stat, &gd->checksum);
+-		mem_free(gr.gr_ctx.value, sizeof(gss_union_ctx_id_desc));
+ 		if (!call_stat)
+ 			ret_freegc (AUTH_FAILED);
+ 
+diff --git a/src/tests/gssapi/t_prf.c b/src/tests/gssapi/t_prf.c
+index 254f8fb..7f04899 100644
+--- a/src/tests/gssapi/t_prf.c
++++ b/src/tests/gssapi/t_prf.c
+@@ -127,6 +127,7 @@ main(int argc, char *argv[])
+     uctx.mech_type = &mech_krb5;
+     uctx.internal_ctx_id = (gss_ctx_id_t)&kgctx;
+     kgctx.k5_context = NULL;
++    kgctx.established = 1;
+     kgctx.have_acceptor_subkey = 1;
+     kb1.contents = k1buf;
+     kb2.contents = k2buf;
diff --git a/app-crypt/mit-krb5/files/mit-krb5-CVE-2014-5353.patch b/app-crypt/mit-krb5/files/mit-krb5-CVE-2014-5353.patch
new file mode 100644
index 000000000000..8f8712beec5f
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-CVE-2014-5353.patch
@@ -0,0 +1,19 @@
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+index 522773e..6779f51 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+@@ -314,10 +314,11 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
+     LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes);
+ 
+     ent=ldap_first_entry(ld, result);
+-    if (ent != NULL) {
+-        if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0)
+-            goto cleanup;
++    if (ent == NULL) {
++        st = KRB5_KDB_NOENTRY;
++        goto cleanup;
+     }
++    st = populate_policy(context, ld, ent, pol_name, *policy);
+ 
+ cleanup:
+     ldap_msgfree(result);
diff --git a/app-crypt/mit-krb5/files/mit-krb5-CVE-2014-5354.patch b/app-crypt/mit-krb5/files/mit-krb5-CVE-2014-5354.patch
new file mode 100644
index 000000000000..3ec02bed0d8e
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-CVE-2014-5354.patch
@@ -0,0 +1,56 @@
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index 3e560d9..10b5982 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -406,14 +406,14 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
+     int num_versions = 1;
+     int i, j, last;
+     krb5_error_code err = 0;
+-    krb5_key_data *key_data;
++    krb5_key_data *key_data = NULL;
+ 
+-    if (n_key_data <= 0)
++    if (n_key_data < 0)
+         return NULL;
+ 
+     /* Make a shallow copy of the key data so we can alter it. */
+     key_data = k5calloc(n_key_data, sizeof(*key_data), &err);
+-    if (key_data_in == NULL)
++    if (key_data == NULL)
+         goto cleanup;
+     memcpy(key_data, key_data_in, n_key_data * sizeof(*key_data));
+ 
+@@ -467,9 +467,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
+     free(key_data);
+     if (err != 0) {
+         if (ret != NULL) {
+-            for (i = 0; i <= num_versions; i++)
+-                if (ret[i] != NULL)
+-                    free (ret[i]);
++            for (i = 0; ret[i] != NULL; i++)
++                free (ret[i]);
+             free (ret);
+             ret = NULL;
+         }
+@@ -1036,9 +1035,19 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+         bersecretkey = krb5_encode_krbsecretkey (entry->key_data,
+                                                  entry->n_key_data, mkvno);
+ 
+-        if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
+-                                          LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
++        if (bersecretkey == NULL) {
++            st = ENOMEM;
+             goto cleanup;
++        }
++        /* An empty list of bervals is only accepted for modify operations,
++         * not add operations. */
++        if (bersecretkey[0] != NULL || !create_standalone_prinicipal) {
++            st = krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
++                                           LDAP_MOD_REPLACE | LDAP_MOD_BVALUES,
++                                           bersecretkey);
++            if (st != 0)
++                goto cleanup;
++        }
+ 
+         if (!(entry->mask & KADM5_PRINCIPAL)) {
+             memset(strval, 0, sizeof(strval));
diff --git a/app-crypt/mit-krb5/mit-krb5-1.13-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.13-r1.ebuild
new file mode 100644
index 000000000000..6b6abf022fff
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.13-r1.ebuild
@@ -0,0 +1,147 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.13-r1.ebuild,v 1.1 2015/02/05 16:24:40 eras Exp $
+
+EAPI=5
+PYTHON_COMPAT=( python{2_6,2_7} )
+inherit autotools eutils flag-o-matic multilib-minimal python-any-r1 versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="doc +keyutils openldap +pkinit selinux +threads test xinetd"
+
+CDEPEND="!!app-crypt/heimdal
+	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+	|| ( >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}] )
+	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
+	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+	pkinit? ( >=dev-libs/openssl-1.0.1h-r2[${MULTILIB_USEDEP}] )
+	xinetd? ( sys-apps/xinetd )
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508-r1
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)"
+DEPEND="${CDEPEND}
+	${PYTHON_DEPS}
+	virtual/yacc
+	doc? ( virtual/latex-base )
+	test? ( ${PYTHON_DEPS}
+			dev-lang/tcl
+			dev-util/dejagnu )"
+RDEPEND="${CDEPEND}
+	selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+src_unpack() {
+	unpack ${A}
+	unpack ./"${MY_P}".tar.gz
+}
+
+src_prepare() {
+	epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+	epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+	epatch "${FILESDIR}/${PN}-CVE-2014-5353.patch"
+	epatch "${FILESDIR}/${PN}-CVE-2014-5354.patch"
+	epatch "${FILESDIR}/2015-001-patch-r113.patch"
+
+	eautoreconf
+}
+
+src_configure() {
+	append-cppflags "-I${EPREFIX}/usr/include/et"
+	# QA
+	append-flags -fno-strict-aliasing
+	append-flags -fno-strict-overflow
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use keyutils || export ac_cv_header_keyutils_h=no
+	ECONF_SOURCE=${S} \
+	WARN_CFLAGS="set" \
+	econf \
+		$(use_with openldap ldap) \
+		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable pkinit) \
+		$(use_enable threads thread-support) \
+		--without-hesiod \
+		--enable-shared \
+		--with-system-et \
+		--with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-lookaside-cache \
+		--with-system-verto \
+		--disable-rpath
+}
+
+multilib_src_compile() {
+	emake -j1
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+		install
+}
+
+multilib_src_install_all() {
+	# default database dir
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+
+	if use doc; then
+		dohtml -r doc/html/*
+		docinto pdf
+		dodoc doc/pdf/*.pdf
+	fi
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r1 mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r1 mit-krb5kdc
+	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r1 mit-krb5kpropd
+
+	insinto /etc
+	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	insinto /var/lib/krb5kdc
+	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	if use openldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+	fi
+
+	if use xinetd ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/kpropd.xinetd" kpropd
+	fi
+}
+
+pkg_preinst() {
+	if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
+		elog "MIT split the Kerberos applications from the base Kerberos"
+		elog "distribution.  Kerberized versions of telnet, rlogin, rsh, rcp,"
+		elog "ftp clients and telnet, ftp deamons now live in"
+		elog "\"app-crypt/mit-krb5-appl\" package."
+	fi
+}
author	Eray Aslan <eras@gentoo.org>	2015-02-05 16:25:00 +0000
committer	Eray Aslan <eras@gentoo.org>	2015-02-05 16:25:00 +0000
commit	585ff15d200c15980b7790d046053ee1c0e6367e (patch)
tree	06c6f6a09b6682d706e268c0f1789bb367132b48 /app-crypt
parent	Version bump for 5.5 series (diff)
download	historical-585ff15d200c15980b7790d046053ee1c0e6367e.tar.gz historical-585ff15d200c15980b7790d046053ee1c0e6367e.tar.bz2 historical-585ff15d200c15980b7790d046053ee1c0e6367e.zip