summaryrefslogtreecommitdiffstats
path: root/main/heimdal
diff options
context:
space:
mode:
authorTimo Teräs <timo.teras@iki.fi>2013-09-27 14:10:53 +0000
committerTimo Teräs <timo.teras@iki.fi>2013-09-27 14:22:25 +0000
commit4819e6abcde1eb62ced53602c27590d3b92ae9e0 (patch)
tree7745acb9545b1a659f2a87cc9af83e2b07e91549 /main/heimdal
parent447e3ad633a27422ae2ad67685cbb6b952b09db4 (diff)
downloadaports-4819e6abcde1eb62ced53602c27590d3b92ae9e0.tar.bz2
aports-4819e6abcde1eb62ced53602c27590d3b92ae9e0.tar.xz
main/heimdal: remove broken authentication in rsh/rshd
as stated, it's broken by design security wise. and uses obsolete functions that don't exist in musl. this fixes musl build.
Diffstat (limited to 'main/heimdal')
-rw-r--r--main/heimdal/APKBUILD12
-rw-r--r--main/heimdal/heimdal-remove-broken-auth.patch163
2 files changed, 171 insertions, 4 deletions
diff --git a/main/heimdal/APKBUILD b/main/heimdal/APKBUILD
index d5a71f309..e87cb1bc4 100644
--- a/main/heimdal/APKBUILD
+++ b/main/heimdal/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
pkgname=heimdal
pkgver=1.5.2
-pkgrel=7
+pkgrel=8
pkgdesc="An implementation of Kerberos 5"
arch="all"
url="http://www.h5l.org/"
@@ -28,6 +28,7 @@ source="http://ftp4.de.freesbie.org/pub/misc/heimdal/src/$pkgname-$pkgver.tar.gz
heimdal_missing_symbols.patch
heimdal-1.5-use-perl-Getopt_Std.patch
heimdal_texinfo-5.patch
+ heimdal-remove-broken-auth.patch
"
_builddir="$srcdir/$pkgname-$pkgver"
@@ -204,7 +205,8 @@ f320b91692b872e28f446f9cf1bc68bf telnetd.patch
8e127440fe11380c65fda40283326a46 heimdal_missing-include.patch
a14b9001271c3b794b083c25936ebe21 heimdal_missing_symbols.patch
dbe4106d1ca938587c948ee34121c020 heimdal-1.5-use-perl-Getopt_Std.patch
-53201e2a953c47a7437ce0222c4fb80d heimdal_texinfo-5.patch"
+53201e2a953c47a7437ce0222c4fb80d heimdal_texinfo-5.patch
+c66dd8d9dd6a2105ff8e49aca32315c8 heimdal-remove-broken-auth.patch"
sha256sums="22603f282f31173533b939d289f3374258aa1ccccbe51ee088d7568d321279ec heimdal-1.5.2.tar.gz
0fb8800c421a0a129c9c23c74498a9fbaaaf89d5730b186795ce325d8fcfc294 heimdal-kadmind.initd
ad51a116ec8a7d3cab7632335e76f99732b8115d929584c5fce6f0ed5b010d64 heimdal-kdc.initd
@@ -216,7 +218,8 @@ e9b5ca5bab430500b25ff5191d3bb2fd85133c5b4649c21cbc51f6c7d9151e5e 014_all_heimda
1ad9d71d01776e2d2dd49da5951f6f02630ce137be910ff8484968e8327837c3 heimdal_missing-include.patch
0620144d5f4c8a477276da487875e573c2bab4f5ea056c70b1eec2e13cffed58 heimdal_missing_symbols.patch
1a3d06b306fb30e5ce947d612901b2b246d2b6af3e7234c6b10c13f29c376349 heimdal-1.5-use-perl-Getopt_Std.patch
-fb77b0c0dd4e5b55e65f16e2ddac99ece9bd20f505e2cef9c4d795224b6e0d86 heimdal_texinfo-5.patch"
+fb77b0c0dd4e5b55e65f16e2ddac99ece9bd20f505e2cef9c4d795224b6e0d86 heimdal_texinfo-5.patch
+75e6aeeaa91174c470cbb007cd89cf4f0f9bc4955bdc2062b4d3132d12ca481b heimdal-remove-broken-auth.patch"
sha512sums="a04abb6f6ad3b1d6c366d9c4e6d92f5c2ca00ae0261c7acbfb1a5782d1bab4b3c498c4fa4b114867cb7e09291cee663cf4fd5c25afca8deb425a8e5112308957 heimdal-1.5.2.tar.gz
ce48a30fea02c630e94a25214fa792d107a66f4703c81fa924467f67e909d830732e92b3433b049bd4683591276b3e13e6637b8c217577fa1964fb152342539e heimdal-kadmind.initd
aecad5b194522d032ff56b65d878548d0f6502757f5e802f7f8616bc7686a540079f812f652b0c219c7514a04cec9e7dcaadecaa1666a325fa2f10d6f95f34bf heimdal-kdc.initd
@@ -228,4 +231,5 @@ eb6ec2606556c004d83cc52d3537f8a42dace7992c05dc474de44b66333442b218bbdd4408ee86b6
18f4a5b0c74ae11fbd8874d2954639f36d480655d978af2b2dd19a8ec2b206057ef4be5861d8daca0725926b295604daeaa895b6024b2098922cd189d3e4484b heimdal_missing-include.patch
af3ce21d6fe2e5b8902167a556bc48c29f544da2556ef0635308bdc0f9c9538b8afe7a6f3964c4a4f1d87db09da01a2d8c777e1339c28933b758f71d786b5bf7 heimdal_missing_symbols.patch
07bfcc27dc7d15cdd282770ad1e91d0aeaecdb6f4c2463b75352550b7ec116399fca00445d800bfb6ce825e58c05ec0c81c0d3e92ffde037bf3d774b4a2f2500 heimdal-1.5-use-perl-Getopt_Std.patch
-12abf4837c0daff6e51e8728dcf55752407e3616c8d657409d159119d60133a268e664a7eb1a6ad8632f17ef194933fac035c2856299ba4c4fb6053208cd1608 heimdal_texinfo-5.patch"
+12abf4837c0daff6e51e8728dcf55752407e3616c8d657409d159119d60133a268e664a7eb1a6ad8632f17ef194933fac035c2856299ba4c4fb6053208cd1608 heimdal_texinfo-5.patch
+db549d2f4293290a7a9c3a1a0df85c66d82e710acff5d86df0d272f7567f448200e00aee82ca6136ec58f69403a1a127b963683f7a25165dc41a751e10225f69 heimdal-remove-broken-auth.patch"
diff --git a/main/heimdal/heimdal-remove-broken-auth.patch b/main/heimdal/heimdal-remove-broken-auth.patch
new file mode 100644
index 000000000..1affcba2c
--- /dev/null
+++ b/main/heimdal/heimdal-remove-broken-auth.patch
@@ -0,0 +1,163 @@
+--- appl/rsh/rsh.c.orig
++++ appl/rsh/rsh.c
+@@ -399,6 +399,8 @@
+
+ #endif /* KRB5 */
+
++#ifdef BROKEN_AUTH
++
+ static int
+ send_broken_auth(int s,
+ struct sockaddr *thisaddr,
+@@ -428,6 +430,8 @@
+ return 0;
+ }
+
++#endif /* BROKEN_AUTH */
++
+ static int
+ proto (int s, int errsock,
+ const char *hostname, const char *local_user, const char *remote_user,
+@@ -629,6 +633,8 @@
+ return res;
+ }
+
++#ifdef BROKEN_AUTH
++
+ static int
+ doit_broken (int argc,
+ char **argv,
+@@ -702,6 +708,8 @@
+ }
+ }
+
++#endif
++
+ #if defined(KRB5)
+ static int
+ doit (const char *hostname,
+@@ -796,7 +804,9 @@
+ { "protocol", 'P', arg_string, &protocol_version_str,
+ "Protocol version [krb5]", "protocol" },
+ #endif
++#ifdef BROKEN_AUTH
+ { "broken", 'K', arg_flag, &use_only_broken, "Use only priv port" },
++#endif
+ #if defined(KRB5)
+ { "encrypt", 'x', arg_flag, &do_encrypt, "Encrypt connection" },
+ { NULL, 'z', arg_negative_flag, &do_encrypt,
+@@ -831,8 +841,10 @@
+ int
+ main(int argc, char **argv)
+ {
++#ifdef BROKEN_AUTH
+ int priv_port1, priv_port2;
+ int priv_socket1, priv_socket2;
++#endif
+ int argindex = 0;
+ int error;
+ struct addrinfo hints, *ai;
+@@ -848,9 +860,11 @@
+ #endif
+ uid_t uid;
+
++#ifdef BROKEN_AUTH
+ priv_port1 = priv_port2 = IPPORT_RESERVED-1;
+ priv_socket1 = rresvport(&priv_port1);
+ priv_socket2 = rresvport(&priv_port2);
++#endif
+ uid = getuid ();
+ if (setuid (uid) || (uid != 0 && setuid(0) == 0))
+ err (1, "setuid");
+@@ -907,6 +921,7 @@
+
+ #endif
+
++#ifdef BROKEN_AUTH
+ if (use_only_broken) {
+ #ifdef KRB5
+ use_v5 = 0;
+@@ -918,6 +933,7 @@
+ errx (1, "unable to bind reserved port: is rsh setuid root?");
+ use_broken = 0;
+ }
++#endif
+
+ #if defined(KRB5)
+ if (do_encrypt == 1 && use_only_broken)
+@@ -956,8 +972,10 @@
+ }
+
+ if (argindex == argc) {
++#ifdef BROKEN_AUTH
+ close (priv_socket1);
+ close (priv_socket2);
++#endif
+ argv[0] = "rlogin";
+ execvp ("rlogin", argv);
+ err (1, "execvp rlogin");
+@@ -1004,6 +1022,7 @@
+ freeaddrinfo(ai);
+ }
+ #endif
++#ifdef BROKEN_AUTH
+ if (ret && use_broken) {
+ memset (&hints, 0, sizeof(hints));
+ hints.ai_socktype = SOCK_STREAM;
+@@ -1027,6 +1046,7 @@
+ cmd, cmd_len);
+ freeaddrinfo(ai);
+ }
++#endif
+ free(cmd);
+ return ret;
+ }
+--- appl/rsh/rshd.c.orig
++++ appl/rsh/rshd.c
+@@ -131,6 +131,7 @@
+ fatal(s, NULL, "%s too long", expl);
+ }
+
++#ifdef BROKEN_AUTH
+ static int
+ recv_bsd_auth (int s, u_char *buf,
+ struct sockaddr_in *thisaddr,
+@@ -152,6 +153,7 @@
+ fatal(s, NULL, "Login incorrect.");
+ return 0;
+ }
++#endif
+
+ #ifdef KRB5
+ static int
+@@ -658,10 +660,11 @@
+ /*
+ * we only do reserved port for IPv4
+ */
+-
++#ifdef BROKEN_AUTH
+ if (erraddr->sa_family == AF_INET)
+ errsock = rresvport (&priv_port);
+ else
++#endif
+ errsock = socket (erraddr->sa_family, SOCK_STREAM, 0);
+ if (errsock < 0)
+ syslog_and_die ("socket: %s", strerror(errno));
+@@ -689,6 +692,7 @@
+ syslog_and_die ("unrecognized auth protocol: %x %x %x %x",
+ buf[0], buf[1], buf[2], buf[3]);
+ } else {
++#ifdef BROKEN_AUTH
+ if(recv_bsd_auth (s, buf,
+ (struct sockaddr_in *)thisaddr,
+ (struct sockaddr_in *)thataddr,
+@@ -702,6 +706,9 @@
+ }
+ } else
+ syslog_and_die("recv_bsd_auth failed");
++#else
++ syslog_and_die("recv_bsd_auth is disabled for security reasons");
++#endif
+ }
+
+ if (client_user == NULL || server_user == NULL || cmd == NULL)