Diffstat (limited to 'main/perl-net-ssleay/krb5')
-rw-r--r-- | main/perl-net-ssleay/krb5/APKBUILD | 130 | ||||
-rw-r--r-- | main/perl-net-ssleay/krb5/CVE-2002-2443.patch | 69 | ||||
-rw-r--r-- | main/perl-net-ssleay/krb5/krb5kadmind.initd | 25 | ||||
-rw-r--r-- | main/perl-net-ssleay/krb5/krb5kdc.initd | 24 | ||||
-rw-r--r-- | main/perl-net-ssleay/krb5/krb5kpropd.initd | 24 | ||||
-rw-r--r-- | main/perl-net-ssleay/krb5/mit-krb5-1.11_uninitialized.patch | 81 | ||||
-rw-r--r-- | main/perl-net-ssleay/krb5/mit-krb5_krb5-config_LDFLAGS.patch | 12 |
7 files changed, 365 insertions, 0 deletions
diff --git a/main/perl-net-ssleay/krb5/APKBUILD b/main/perl-net-ssleay/krb5/APKBUILD
new file mode 100644
index 000000000..72ec85499
--- /dev/null
+++ b/main/perl-net-ssleay/krb5/APKBUILD
@@ -0,0 +1,130 @@ +# Maintainer: Natanael Copa <ncopa@alpinelinux.org> +pkgname=krb5 +pkgver=1.11.3 +pkgrel=0 +pkgdesc="The Kerberos network authentication system" +url="http://web.mit.edu/kerberos/www/" +arch="all" +license="MIT" +depends="krb5-conf" +depends_dev="e2fsprogs-dev" +makedepends="$depends_dev libverto-dev openldap-dev openssl-dev + keyutils-dev bison flex perl" +install="" +subpackages="$pkgname-dev $pkgname-doc $pkgname-server + $pkgname-server-ldap:ldap $pkgname-pkinit $pkgname-libs" +source="http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-$pkgver-signed.tar + mit-krb5-1.11_uninitialized.patch + mit-krb5_krb5-config_LDFLAGS.patch + krb5kadmind.initd + krb5kdc.initd + krb5kpropd.initd + " + +_builddir="$srcdir"/krb5-$pkgver +unpack() { + default_unpack + cd "$srcdir" + tar -zxf krb5-$pkgver.tar.gz +} + + +prepare() { + local i + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done +} + +build() { + cd "$_builddir"/src + ./configure \ + CPPFLAGS="$CPPFLAGS -fPIC -I/usr/include/et" \ + --prefix=/usr \ + --localstatedir=/var/lib \ + --enable-shared \ + --disable-static \ + --disable-rpath \ + --with-system-et \ + --with-system-ss \ + --with-system-verto \ + --without-tcl \ + --with-ldap \ + --with-crypto-impl=openssl \ + || return 1 + make +} + +package() { + cd "$_builddir"/src + make install DESTDIR="$pkgdir" || return 1 + mkdir -p "$pkgdir"/usr/share/doc/$pkgname + mv "$pkgdir"/usr/share/examples "$pkgdir"/usr/share/doc/$pkgname/ + + for i in $source; do + case $i in + *.initd) install -Dm755 "$srcdir"/$i \ + "$pkgdir"/etc/init.d/${i%.initd};; + esac + done +} + +server() { + pkgdesc="The KDC and related programs for Kerberos 5" + depends="libverto-libev" + mkdir -p "$subpkgdir"/usr/share \ + "$subpkgdir"/usr/bin \ + "$subpkgdir"/etc/ + install -d "$subpkgdir"/var/lib/krb5kdc || return 1 + mv "$pkgdir"/usr/sbin "$subpkgdir"/usr/ || return 1 + mv "$pkgdir"/usr/share/gnats 
"$subpkgdir"/usr/share/ || return 1 + mv "$pkgdir"/etc/init.d "$subpkgdir"/etc/ || return 1 + # used for testing server + mv "$pkgdir"/usr/bin/sclient "$subpkgdir"/usr/bin/ + +} + +ldap() { + pkgdesc="The LDAP storage plugin for the Kerberos 5 KDC" + mkdir -p "$subpkgdir"/usr/lib/krb5/plugins/kdb + mv "$pkgdir"/usr/lib/krb5/plugins/kdb/kldap.so \ + "$subpkgdir"/usr/lib/krb5/plugins/kdb/ || return 1 + mv "$pkgdir"/usr/lib/libkdb_ldap* \ + "$subpkgdir"/usr/lib/ +} + +pkinit() { + pkgdesc="The PKINIT module for Kerberos 5" + mkdir -p "$subpkgdir"/usr/lib/krb5/plugins/preauth + mv "$pkgdir"/usr/lib/krb5/plugins/preauth/pkinit.so \ + "$subpkgdir"/usr/lib/krb5/plugins/preauth/pkinit.so +} + +libs() { + pkgdesc="The shared libraries used by Kerberos 5" + depends="krb5-conf" + mkdir -p "$subpkgdir"/usr/ + mv "$pkgdir"/usr/lib "$subpkgdir"/usr/ || return 1 +} + +md5sums="56f0ae274b285320b8a597cb89442449 krb5-1.11.3-signed.tar +597cd7ab74a8113b86e3405c15ccfecb mit-krb5-1.11_uninitialized.patch +656e242de9b5ada1edf398983db51eef mit-krb5_krb5-config_LDFLAGS.patch +29906e70e15025dda8b315d8209cab4c krb5kadmind.initd +47efe7f24c98316d38ea46ad629b3517 krb5kdc.initd +3e0b8313c1e5bfb7625f35e76a5e53f1 krb5kpropd.initd" +sha256sums="9abd94bb94a70996da0f8d90408957154bb543271b097e86c63eb33e5f5751b5 krb5-1.11.3-signed.tar +81a0d432b6d1686587b25b6ce70f0b8558e0c693da4c63b9de881962ae01c043 mit-krb5-1.11_uninitialized.patch +9ebfc38cc167bbf451105807512845cd961f839d64b7e2904a6c4e722e41fe2b mit-krb5_krb5-config_LDFLAGS.patch +c7a1ec03472996daaaaf1a4703566113c80f72ee8605d247098a25a13dad1f5f krb5kadmind.initd +709309dea043aa306c2fcf0960e0993a6db540c220de64cf92d6b85f1cca23c5 krb5kdc.initd +86b15d691e32b331ac756ee368b7364de6ab238dcae5adfed2a00b57d1b64ef4 krb5kpropd.initd" +sha512sums="4d4c5d5c3a495da141bca40fe73378db190ace8ed397b7bb8e38c53757e6df3ec55fa0eb5628f7c6204d1265f8451535e65c4ebd844821c64cdfd0c6e32468a5 krb5-1.11.3-signed.tar 
+4d2ea5189971df13bf874d29bcf89fa3bfeb1d25b3bd9245ee7c88f5c4834e950c5978ce13df3b8fc05f98dd7d5510dad43af0440436958fa23f9e1a51f60f76 mit-krb5-1.11_uninitialized.patch +8118518e359cb5e69e3321b7438b200d5d74ceeac16b4623bf4e4bfb4ead6c656de6fa153f9bcc454097b45a512bc8cd0798b1f062a2c4a09f75253b204a7a17 mit-krb5_krb5-config_LDFLAGS.patch +561af06b4e0f0e130dda345ad934bcdb9984ec00cc38d871df1d3bb3f9e1c7d86f06db5b03229707c88b96ad324e3a2222420f8494aa431002cacea0246b1153 krb5kadmind.initd +d6d0076886ce284fc395fafc2dc253b4b3ee97b2986dea51388d96a1e1294680fb171f475efc7844559e2c6aac44b26678a9255921db9a58dcf2e7164f0aeec5 krb5kdc.initd +f97d33fa977c132a470d95fd539d8e8db018e03f28dbc9d3e04faf78ebb7392196e7d5135f138c2390979bf37b3ae0265e6827f0c17b44b277eb2dfff0a96f77 krb5kpropd.initd" diff --git a/main/perl-net-ssleay/krb5/CVE-2002-2443.patch b/main/perl-net-ssleay/krb5/CVE-2002-2443.patch new file mode 100644 index 000000000..3ef88155c --- /dev/null +++ b/main/perl-net-ssleay/krb5/CVE-2002-2443.patch 
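Review bot: `CVE-2002-2443.patch` is added by this commit but is not listed in `source=` or in any of the three checksum blocks, so the `*.patch` loop in `prepare()` never applies it. Its header gives `target_version: 1.11.3`, the same as `pkgver`, so the fix is presumably already in the tarball; if that is confirmed, drop the file or record it with a comment such as `# CVE-2002-2443: fixed upstream in 1.11.3, patch not applied`, otherwise add it to `source=` and regenerate the checksums. Separately, `unpack()` extracts the inner `krb5-$pkgver.tar.gz` from the `-signed.tar` without checking any signature that may ship alongside it, so with a plain `http://` source URL the pinned checksums of the outer tar are the only integrity control, which deserves a one-line comment. The package also lands under `main/perl-net-ssleay/krb5/` rather than in a directory of its own, which looks unintended.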
@@ -0,0 +1,69 @@ +From cf1a0c411b2668c57c41e9c4efd15ba17b6b322c Mon Sep 17 00:00:00 2001 +From: Tom Yu <tlyu@mit.edu> +Date: Fri, 3 May 2013 16:26:46 -0400 +Subject: [PATCH] Fix kpasswd UDP ping-pong [CVE-2002-2443] + +The kpasswd service provided by kadmind was vulnerable to a UDP +"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless +they pass some basic validation, and don't respond to our own error +packets. + +Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong +attack or UDP ping-pong attacks in general, but there is discussion +leading toward narrowing the definition of CVE-1999-0103 to the echo, +chargen, or other similar built-in inetd services. + +Thanks to Vincent Danen for alerting us to this issue. + +CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C + +ticket: 7637 (new) +target_version: 1.11.3 +tags: pullup +--- + src/kadmin/server/schpw.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c +index 15b0ab5..7f455d8 100644 +--- a/src/kadmin/server/schpw.c ++++ b/src/kadmin/server/schpw.c +@@ -52,7 +52,7 @@ + ret = KRB5KRB_AP_ERR_MODIFIED; + numresult = KRB5_KPASSWD_MALFORMED; + strlcpy(strresult, "Request was truncated", sizeof(strresult)); +- goto chpwfail; ++ goto bailout; + } + + ptr = req->data; +@@ -67,7 +67,7 @@ + numresult = KRB5_KPASSWD_MALFORMED; + strlcpy(strresult, "Request length was inconsistent", + sizeof(strresult)); +- goto chpwfail; ++ goto bailout; + } + + /* verify version number */ +@@ -80,7 +80,7 @@ + numresult = KRB5_KPASSWD_BAD_VERSION; + snprintf(strresult, sizeof(strresult), + "Request contained unknown protocol version number %d", vno); +- goto chpwfail; ++ goto bailout; + } + + /* read, check ap-req length */ +@@ -93,7 +93,7 @@ + numresult = KRB5_KPASSWD_MALFORMED; + strlcpy(strresult, "Request was truncated in AP-REQ", + sizeof(strresult)); +- goto chpwfail; ++ goto bailout; + } + + /* verify ap_req */ +-- +1.8.1.6 
+ diff --git a/main/perl-net-ssleay/krb5/krb5kadmind.initd b/main/perl-net-ssleay/krb5/krb5kadmind.initd new file mode 100644 index 000000000..a1cdfef82 --- /dev/null +++ b/main/perl-net-ssleay/krb5/krb5kadmind.initd @@ -0,0 +1,25 @@ +#!/sbin/runscript + +#--------------------------------------------------------------------------- +# This script starts/stops the MIT Kerberos 5 Admin daemon +#--------------------------------------------------------------------------- + +daemon="MIT Kerberos 5 Admin daemon" +exec="/usr/sbin/kadmind" + +depend() { + need krb5kdc + use net +} + +start() { + ebegin "Starting $daemon" + start-stop-daemon --start --quiet --exec ${exec} 1>&2 + eend $? "Error starting $daemon" +} + +stop() { + ebegin "Stopping $daemon" + start-stop-daemon --stop --quiet --exec ${exec} 1>&2 + eend $? "Error stopping $daemon" +} diff --git a/main/perl-net-ssleay/krb5/krb5kdc.initd b/main/perl-net-ssleay/krb5/krb5kdc.initd new file mode 100644 index 000000000..94f1f7937 --- /dev/null +++ b/main/perl-net-ssleay/krb5/krb5kdc.initd @@ -0,0 +1,24 @@ +#!/sbin/runscript + +#--------------------------------------------------------------------------- +# This script starts/stops the MIT Kerberos 5 KDC +#--------------------------------------------------------------------------- + +daemon="MIT Kerberos 5 KDC" +exec="/usr/sbin/krb5kdc" + +depend() { + use net +} + +start() { + ebegin "Starting $daemon" + start-stop-daemon --start --quiet --exec ${exec} 1>&2 + eend $? "Error starting $daemon" +} + +stop() { + ebegin "Stopping $daemon" + start-stop-daemon --stop --quiet --exec ${exec} 1>&2 + eend $? "Error stopping $daemon" +} diff --git a/main/perl-net-ssleay/krb5/krb5kpropd.initd b/main/perl-net-ssleay/krb5/krb5kpropd.initd new file mode 100644 index 000000000..8b4b82975 --- /dev/null +++ b/main/perl-net-ssleay/krb5/krb5kpropd.initd 
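Review bot: Nothing in the patched schpw.c code records why the four validation failures jump to `bailout` rather than `chpwfail`, and the `numresult`/`strresult` assignments left just above each jump still read as if a reply will be sent. A short comment at the first of them, e.g. `/* Do not reply to requests that fail basic validation: avoids UDP ping-pong (CVE-2002-2443). */`, would keep a later cleanup from restoring the reply path. Whether those assignments are now dead depends on what `bailout` does, which lies outside the hunks.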
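Review bot: `stop()` selects its target with `--exec ${exec}` only, so it signals any process running that binary rather than the instance this script started; krb5kdc.initd and krb5kpropd.initd use the same pattern. Having the daemon write a pid file and passing `--pidfile` to both `start-stop-daemon` calls would tie stop to that one instance. `${exec}` is also unquoted in all three scripts; `"${exec}"` is the safer habit even though the value is a fixed path here.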
@@ -0,0 +1,24 @@ +#!/sbin/runscript + +#--------------------------------------------------------------------------- +# This script starts/stops the MIT Kerberos 5 kpropd +#--------------------------------------------------------------------------- + +daemon="MIT Kerberos 5 kpropd" +exec="/usr/sbin/kpropd" + +depend() { + use net krb5kdc krb5kadmind +} + +start() { + ebegin "Starting $daemon" + start-stop-daemon --start --quiet --exec ${exec} -- -S 1>&2 + eend $? "Error starting $daemon" +} + +stop() { + ebegin "Stopping $daemon" + start-stop-daemon --stop --quiet --exec ${exec} 1>&2 + eend $? "Error stopping $daemon" +} diff --git a/main/perl-net-ssleay/krb5/mit-krb5-1.11_uninitialized.patch b/main/perl-net-ssleay/krb5/mit-krb5-1.11_uninitialized.patch new file mode 100644 index 000000000..a32d01d51 --- /dev/null +++ b/main/perl-net-ssleay/krb5/mit-krb5-1.11_uninitialized.patch 
@@ -0,0 +1,81 @@ +--- a/src/slave/kprop.c ++++ b/src/slave/kprop.c +@@ -91,7 +91,7 @@ main(argc, argv) + int argc; + char **argv; + { +- int fd, database_fd, database_size; ++ int fd = -1, database_fd, database_size; + krb5_error_code retval; + krb5_context context; + krb5_creds *my_creds; +--- a/src/kadmin/ktutil/ktutil_funcs.c ++++ b/src/kadmin/ktutil/ktutil_funcs.c +@@ -64,7 +64,7 @@ + krb5_kt_list *list; + int idx; + { +- krb5_kt_list lp, prev; ++ krb5_kt_list lp, prev = NULL; + int i; + + for (lp = *list, i = 1; lp; prev = lp, lp = lp->next, i++) { +--- a/src/lib/kadm5/alt_prof.c ++++ b/src/lib/kadm5/alt_prof.c +@@ -164,7 +164,7 @@ + char **values; + char *valp; + int idx; +- krb5_boolean val; ++ krb5_boolean val = 0; + + kret = krb5_aprof_getvals (acontext, hierarchy, &values); + if (kret) +--- a/src/lib/krb5/unicode/ucstr.c ++++ b/src/lib/krb5/unicode/ucstr.c +@@ -109,7 +109,7 @@ + krb5_data ** newdataptr, + unsigned flags) + { +- int i, j, len, clen, outpos, ucsoutlen, outsize; ++ int i, j, len, clen, outpos = 0, ucsoutlen, outsize; + char *out = NULL, *outtmp, *s; + krb5_ucs4 *ucs = NULL, *p, *ucsout = NULL; + krb5_data *newdata; +diff --git a/src/util/profile/prof_init.c b/src/util/profile/prof_init.c +index 7dc5b47..cd90db8 100644 +--- a/src/util/profile/prof_init.c ++++ b/src/util/profile/prof_init.c +@@ -255,7 +255,7 @@ copy_vtable_profile(profile_t profile, profile_t *ret_new_profile) + { + errcode_t err; + void *cbdata; +- profile_t new_profile; ++ profile_t new_profile = NULL; + + *ret_new_profile = NULL; + +--- a/src/lib/krb5/krb/preauth2.c 2012-12-24 12:39:18.432678497 +0100 ++++ b/src/lib/krb5/krb/preauth2.c 2012-12-24 12:50:49.444099126 +0100 +@@ -956,7 +956,7 @@ + size_t i, h; + int out_pa_list_size = 0; + krb5_pa_data **out_pa_list = NULL; +- krb5_error_code ret, module_ret; ++ krb5_error_code ret, module_ret = 0; + krb5_responder_fn responder = opte->opt_private->responder; + static const int paorder[] = { PA_INFO, PA_REAL }; + +--- 
a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c.orig 2013-02-15 14:38:43.742293824 +0000 ++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2013-02-15 14:41:06.806870075 +0000 +@@ -1359,8 +1359,8 @@ + goto cleanup; + + for (i=0; bvalues[i] != NULL; ++i) { +- krb5_int16 n_kd; +- krb5_key_data *kd; ++ krb5_int16 n_kd = 0; ++ krb5_key_data *kd = NULL; + krb5_data in; + + if (bvalues[i]->bv_len == 0) diff --git a/main/perl-net-ssleay/krb5/mit-krb5_krb5-config_LDFLAGS.patch b/main/perl-net-ssleay/krb5/mit-krb5_krb5-config_LDFLAGS.patch new file mode 100644 index 000000000..0b300cb44 --- /dev/null +++ b/main/perl-net-ssleay/krb5/mit-krb5_krb5-config_LDFLAGS.patch @@ -0,0 +1,12 @@ +Bug #448778 +--- krb5-1.11/src/krb5-config.in 2012-12-18 02:47:04.000000000 +0000 ++++ krb5-1.11/src/krb5-config.in 2012-12-28 07:13:16.582693363 +0000 +@@ -217,7 +217,7 @@ + -e 's#\$(PROG_RPATH)#'$libdir'#' \ + -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \ + -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \ +- -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \ ++ -e 's#\$(LDFLAGS)##' \ + -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ + -e 's#\$(CFLAGS)##'` + |
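Review bot: This patch carries no header saying where it came from or which compiler diagnostics it answers, unlike the other two patches in the directory. The initialisers (`fd = -1`, `prev = NULL`, `val = 0`, `outpos = 0`, `new_profile = NULL`, `module_ret = 0`, `n_kd = 0`, `kd = NULL`) look like warning silencers, and a default that hides a maybe-uninitialized warning can also hide a path where the variable is genuinely never assigned; the surrounding functions are outside the hunks, so that cannot be checked here. A leading line such as `Silence maybe-uninitialized warnings; origin: <source of patch>`, plus a note on whether it was sent upstream, would let the next version bump decide if it can be dropped.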
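Review bot: `Bug #448778` does not name the tracker it belongs to, so the reason for blanking `$(LDFLAGS)` in `krb5-config.in` cannot be followed up from the patch alone. If the intent is to keep build-time linker flags out of what `krb5-config` prints to consumers, a fuller header such as `Do not leak build-time LDFLAGS into krb5-config output (<tracker URL>)` would say so.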