main/krb5: security fix (CVE-2002-2443)

ref ##1927

2 files changed, 73 insertions, 0 deletions

diff --git a/main/krb5/APKBUILD b/main/krb5/APKBUILD
index 43479b9ab1..766214eb83 100644
--- a/main/krb5/APKBUILD
+++ b/main/krb5/APKBUILD
@@ -16,6 +16,7 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-server
 source="http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-$pkgver-signed.tar
 	mit-krb5-1.11_uninitialized.patch
 	mit-krb5_krb5-config_LDFLAGS.patch
+	CVE-2002-2443.patch
 	krb5kadmind.initd
 	krb5kdc.initd
 	krb5kpropd.initd
@@ -113,18 +114,21 @@ libs() {
 md5sums="d7a63c9c68b65efa71a615c67b6edf70  krb5-1.11.2-signed.tar
 597cd7ab74a8113b86e3405c15ccfecb  mit-krb5-1.11_uninitialized.patch
 656e242de9b5ada1edf398983db51eef  mit-krb5_krb5-config_LDFLAGS.patch
+0cdce7c384974b916f00e3e9932df488  CVE-2002-2443.patch
 29906e70e15025dda8b315d8209cab4c  krb5kadmind.initd
 47efe7f24c98316d38ea46ad629b3517  krb5kdc.initd
 3e0b8313c1e5bfb7625f35e76a5e53f1  krb5kpropd.initd"
 sha256sums="f0373295fb320b9702468eb0df33397e7278326ec1681a8c6037cc53cb0120a5  krb5-1.11.2-signed.tar
 81a0d432b6d1686587b25b6ce70f0b8558e0c693da4c63b9de881962ae01c043  mit-krb5-1.11_uninitialized.patch
 9ebfc38cc167bbf451105807512845cd961f839d64b7e2904a6c4e722e41fe2b  mit-krb5_krb5-config_LDFLAGS.patch
+1e2b53152faa9309d4dbfa0126d4e041d3c5a4519b91487aa20d019b9c00af9b  CVE-2002-2443.patch
 c7a1ec03472996daaaaf1a4703566113c80f72ee8605d247098a25a13dad1f5f  krb5kadmind.initd
 709309dea043aa306c2fcf0960e0993a6db540c220de64cf92d6b85f1cca23c5  krb5kdc.initd
 86b15d691e32b331ac756ee368b7364de6ab238dcae5adfed2a00b57d1b64ef4  krb5kpropd.initd"
 sha512sums="2db58530a98c4bdf9c6f797f3fb2881a3bdeda680804309f1f40e877a5a1c6e589021e1e0521b5a258626e5d04105ad0c01575b2104313b4b9592ee1ae8b8006  krb5-1.11.2-signed.tar
 4d2ea5189971df13bf874d29bcf89fa3bfeb1d25b3bd9245ee7c88f5c4834e950c5978ce13df3b8fc05f98dd7d5510dad43af0440436958fa23f9e1a51f60f76  mit-krb5-1.11_uninitialized.patch
 8118518e359cb5e69e3321b7438b200d5d74ceeac16b4623bf4e4bfb4ead6c656de6fa153f9bcc454097b45a512bc8cd0798b1f062a2c4a09f75253b204a7a17  mit-krb5_krb5-config_LDFLAGS.patch
+4f578a1c52de1cf2483aac4798eb577add8149daec9cb34c8cb1c2aeec8f78c8422f24c0a6844c8cc57d3eeea673d5f71fdb4369b11d3c682cf608270be07808  CVE-2002-2443.patch
 561af06b4e0f0e130dda345ad934bcdb9984ec00cc38d871df1d3bb3f9e1c7d86f06db5b03229707c88b96ad324e3a2222420f8494aa431002cacea0246b1153  krb5kadmind.initd
 d6d0076886ce284fc395fafc2dc253b4b3ee97b2986dea51388d96a1e1294680fb171f475efc7844559e2c6aac44b26678a9255921db9a58dcf2e7164f0aeec5  krb5kdc.initd
 f97d33fa977c132a470d95fd539d8e8db018e03f28dbc9d3e04faf78ebb7392196e7d5135f138c2390979bf37b3ae0265e6827f0c17b44b277eb2dfff0a96f77  krb5kpropd.initd"
diff --git a/main/krb5/CVE-2002-2443.patch b/main/krb5/CVE-2002-2443.patch
new file mode 100644
index 0000000000..3ef88155c5
--- /dev/null
+++ b/main/krb5/CVE-2002-2443.patch
@@ -0,0 +1,69 @@
+From cf1a0c411b2668c57c41e9c4efd15ba17b6b322c Mon Sep 17 00:00:00 2001
+From: Tom Yu <tlyu@mit.edu>
+Date: Fri, 3 May 2013 16:26:46 -0400
+Subject: [PATCH] Fix kpasswd UDP ping-pong [CVE-2002-2443]
+
+The kpasswd service provided by kadmind was vulnerable to a UDP
+"ping-pong" attack [CVE-2002-2443].  Don't respond to packets unless
+they pass some basic validation, and don't respond to our own error
+packets.
+
+Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
+attack or UDP ping-pong attacks in general, but there is discussion
+leading toward narrowing the definition of CVE-1999-0103 to the echo,
+chargen, or other similar built-in inetd services.
+
+Thanks to Vincent Danen for alerting us to this issue.
+
+CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
+
+ticket: 7637 (new)
+target_version: 1.11.3
+tags: pullup
+---
+ src/kadmin/server/schpw.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index 15b0ab5..7f455d8 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -52,7 +52,7 @@
+         ret = KRB5KRB_AP_ERR_MODIFIED;
+         numresult = KRB5_KPASSWD_MALFORMED;
+         strlcpy(strresult, "Request was truncated", sizeof(strresult));
+-        goto chpwfail;
++        goto bailout;
+     }
+ 
+     ptr = req->data;
+@@ -67,7 +67,7 @@
+         numresult = KRB5_KPASSWD_MALFORMED;
+         strlcpy(strresult, "Request length was inconsistent",
+                 sizeof(strresult));
+-        goto chpwfail;
++        goto bailout;
+     }
+ 
+     /* verify version number */
+@@ -80,7 +80,7 @@
+         numresult = KRB5_KPASSWD_BAD_VERSION;
+         snprintf(strresult, sizeof(strresult),
+                  "Request contained unknown protocol version number %d", vno);
+-        goto chpwfail;
++        goto bailout;
+     }
+ 
+     /* read, check ap-req length */
+@@ -93,7 +93,7 @@
+         numresult = KRB5_KPASSWD_MALFORMED;
+         strlcpy(strresult, "Request was truncated in AP-REQ",
+                 sizeof(strresult));
+-        goto chpwfail;
++        goto bailout;
+     }
+ 
+     /* verify ap_req */
+-- 
+1.8.1.6
+