authorroot <root@rshg054.dnsready.net>2011-10-21 23:14:54 +0000
committerroot <root@rshg054.dnsready.net>2011-10-21 23:14:54 +0000
commitd3d0811e23787b5c66edf94b3351a1555eb5010f (patch)
tree5fb14b5a2d0bd5b526a58d27e6fb81f04977855a /core
parent1b21445a8e9097b0bb0542ed847fbb1eb832848f (diff)
Fri Oct 21 23:14:53 UTC 2011
Diffstat (limited to 'core')
-rw-r--r--core/glib2/PKGBUILD6
-rw-r--r--core/krb5/PKGBUILD14
-rw-r--r--core/krb5/krb5-1.9.1-2011-006.patch75
-rw-r--r--core/libarchive/PKGBUILD28
-rw-r--r--core/libarchive/release-2.8-fixes.patch234
5 files changed, 340 insertions, 17 deletions
diff --git a/core/glib2/PKGBUILD b/core/glib2/PKGBUILD
index 662893003..6c37dd14b 100644
--- a/core/glib2/PKGBUILD
+++ b/core/glib2/PKGBUILD
@@ -1,8 +1,8 @@
-# $Id: PKGBUILD 140113 2011-10-07 08:18:56Z ibiru $
+# $Id: PKGBUILD 140832 2011-10-20 05:41:08Z ibiru $
# Maintainer: Jan de Groot <jgc@archlinux.org>
pkgname=glib2
-pkgver=2.30.0
+pkgver=2.30.1
pkgrel=1
pkgdesc="Common C routines used by GTK+ and other libs"
url="http://www.gtk.org/"
@@ -15,7 +15,7 @@ options=('!libtool' '!docs' '!emptydirs')
source=(http://ftp.gnome.org/pub/GNOME/sources/glib/2.30/glib-${pkgver}.tar.xz
glib2.sh
glib2.csh)
-sha256sums=('d64c00b43409eabb89aad78501fcb1a992b002b314a4414a9bd069585cb7cdc1'
+sha256sums=('82fde222ea33a0faac88e9b50f5b1f7fcfc235c861a9371e8fe47ec12c1e27f9'
'9456872cdedcc639fb679448d74b85b0facf81033e27157d2861b991823b5a2a'
'8d5626ffa361304ad3696493c0ef041d0ab10c857f6ef32116b3e2878ecf89e3')
diff --git a/core/krb5/PKGBUILD b/core/krb5/PKGBUILD
index b86c0a91c..38cf23966 100644
--- a/core/krb5/PKGBUILD
+++ b/core/krb5/PKGBUILD
@@ -1,9 +1,9 @@
-# $Id: PKGBUILD 139635 2011-10-03 23:42:42Z stephane $
+# $Id: PKGBUILD 141000 2011-10-21 02:57:57Z stephane $
# Maintainer: Stéphane Gaudreault <stephane@archlinux.org>
pkgname=krb5
pkgver=1.9.1
-pkgrel=4
+pkgrel=5
pkgdesc="The Kerberos network authentication system"
arch=('i686' 'x86_64')
url="http://web.mit.edu/kerberos/"
@@ -18,12 +18,14 @@ source=(http://web.mit.edu/kerberos/dist/${pkgname}/1.9/${pkgname}-${pkgver}-sig
krb5-kadmind
krb5-kdc
krb5-1.9.1-config-script.patch
- krb5-1.9.1-canonicalize-fallback.patch)
+ krb5-1.9.1-canonicalize-fallback.patch
+ krb5-1.9.1-2011-006.patch)
sha1sums=('e23a1795a237521493da9cf3443ac8b98a90c066'
'2aa229369079ed1bbb201a1ef72c47bf143f4dbe'
'77d2312ecd8bf12a6e72cc8fd871a8ac93b23393'
'7342410760cf44bfa01bb99bb4c49e12496cb46f'
- '238c268fa6cb42fc7324ab54db9abda5cd77f833')
+ '238c268fa6cb42fc7324ab54db9abda5cd77f833'
+ '0b0016b0e341dcf720f67925b0d451b328e02583')
options=('!emptydirs')
build() {
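Review bot: The security patch added to `source=()` is pinned only by a SHA-1 entry in `sha1sums`, and the upstream tarball in the same array is fetched over plain `http://`, so these checksums are the only integrity check visible in this PKGBUILD. Consider adding a `sha256sums=(...)` array next to `sha1sums`, as the glib2 and libarchive PKGBUILDs in this commit already do. The `-signed.tar` source name suggests an upstream signature is available; whether it is verified during the build is not visible in this hunk.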
@@ -47,6 +49,10 @@ build() {
# FS#25384
sed -i "/KRB5ROOT=/s/\/local//" util/ac_check_krb5.m4
+ # KDC denial of service vulnerabilities
+ # http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-006.txt
+ patch -Np2 -i ${srcdir}/krb5-1.9.1-2011-006.patch
+
export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all"
export CPPFLAGS+=" -I/usr/include/et"
./configure --prefix=/usr \
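Review bot: The added `patch` line expands `${srcdir}` unquoted, so a build directory containing whitespace would split the `-i` argument and the security fix would not be applied as intended. Quote it, as the libarchive PKGBUILD in this commit now does for its paths: `patch -Np2 -i "${srcdir}/krb5-1.9.1-2011-006.patch"`. The body of `build()` continues outside the hunk.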
diff --git a/core/krb5/krb5-1.9.1-2011-006.patch b/core/krb5/krb5-1.9.1-2011-006.patch
new file mode 100644
index 000000000..05a22caf5
--- /dev/null
+++ b/core/krb5/krb5-1.9.1-2011-006.patch
@@ -0,0 +1,75 @@
+diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c
+index b473611..50c60b7 100644
+--- a/src/plugins/kdb/db2/lockout.c
++++ b/src/plugins/kdb/db2/lockout.c
+@@ -169,6 +169,9 @@ krb5_db2_lockout_audit(krb5_context context,
+ return 0;
+ }
+
++ if (entry == NULL)
++ return 0;
++
+ if (!db_ctx->disable_lockout) {
+ code = lookup_lockout_policy(context, entry, &max_fail,
+ &failcnt_interval, &lockout_duration);
+@@ -176,6 +179,15 @@ krb5_db2_lockout_audit(krb5_context context,
+ return code;
+ }
+
++ /*
++ * Don't continue to modify the DB for an already locked account.
++ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
++ * this check is unneeded, but in rare cases, we can fail with an
++ * integrity error or preauth failure before a policy check.)
++ */
++ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
++ return 0;
++
+ /* Only mark the authentication as successful if the entry
+ * required preauthentication, otherwise we have no idea. */
+ if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) {
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index 552e39a..c2f44ab 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -105,6 +105,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
+ CHECK_LDAP_HANDLE(ldap_context);
+
+ if (is_principal_in_realm(ldap_context, searchfor) != 0) {
++ st = KRB5_KDB_NOENTRY;
+ krb5_set_error_message (context, st, "Principal does not belong to realm");
+ goto cleanup;
+ }
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
+index a218dc7..fd164dd 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
+@@ -165,6 +165,9 @@ krb5_ldap_lockout_audit(krb5_context context,
+ return 0;
+ }
+
++ if (entry == NULL)
++ return 0;
++
+ if (!ldap_context->disable_lockout) {
+ code = lookup_lockout_policy(context, entry, &max_fail,
+ &failcnt_interval,
+@@ -173,9 +176,16 @@ krb5_ldap_lockout_audit(krb5_context context,
+ return code;
+ }
+
+- entry->mask = 0;
++ /*
++ * Don't continue to modify the DB for an already locked account.
++ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
++ * this check is unneeded, but in rare cases, we can fail with an
++ * integrity error or preauth failure before a policy check.)
++ */
++ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
++ return 0;
+
+- assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry));
++ entry->mask = 0;
+
+ /* Only mark the authentication as successful if the entry
+ * required preauthentication, otherwise we have no idea. */
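Review bot: In both lockout.c changes the new `locked_check_p(context, stamp, max_fail, lockout_duration, entry)` guard also runs when `disable_lockout` is set, where `lookup_lockout_policy()` was skipped and `max_fail` / `lockout_duration` keep their initial values. Their declarations are outside the patch context, so the guard presumably relies on them starting at zero and on `locked_check_p` treating that as "not locked". If so, a line in the existing comment such as `/* With lockout disabled, max_fail stays 0 and this check is a no-op. */` would record that dependency. The early `if (entry == NULL) return 0;` would likewise benefit from a short comment naming the case in which the audit hook is called without an entry. Both functions start and end outside the hunks shown.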
diff --git a/core/libarchive/PKGBUILD b/core/libarchive/PKGBUILD
index 218d6f3e1..a64e19690 100644
--- a/core/libarchive/PKGBUILD
+++ b/core/libarchive/PKGBUILD
@@ -1,30 +1,38 @@
-# $Id: PKGBUILD 137228 2011-09-06 21:10:41Z dan $
+# $Id: PKGBUILD 140981 2011-10-20 13:56:51Z dan $
# Maintainer: Dan McGee <dan@archlinux.org>
-# Maintainer: Aaron Griffin <aaron@archlinux.org>
pkgname=libarchive
pkgver=2.8.5
-pkgrel=1
+pkgrel=2
pkgdesc="library that can create and read several streaming archive formats"
arch=('i686' 'x86_64')
url="http://libarchive.googlecode.com/"
license=('BSD')
depends=('zlib' 'bzip2' 'xz>=5.0.0' 'acl' 'openssl>=1.0.0' 'expat')
-source=("http://libarchive.googlecode.com/files/libarchive-${pkgver}.tar.gz")
-md5sums=('9caf51dcf6213e9c9f5a1c27448b9c90')
-sha256sums=('13993e0ffbd121ccda46ea226b1f8eac218de0fa8da7d8b1f998093d5c32a72d')
+source=("http://libarchive.googlecode.com/files/libarchive-${pkgver}.tar.gz"
+ release-2.8-fixes.patch)
+md5sums=('9caf51dcf6213e9c9f5a1c27448b9c90'
+ '14dbbf2d31d68d8eedb93ec5531f3b0c')
+sha256sums=('13993e0ffbd121ccda46ea226b1f8eac218de0fa8da7d8b1f998093d5c32a72d'
+ 'fcadc5ac3020a9fab5922d343baca28f067cc051e9b6f59e480349ba5b0a5060')
# keep an upgrade path for older installations
PKGEXT='.pkg.tar.gz'
build() {
- cd $srcdir/$pkgname-$pkgver
+ cd "$srcdir/$pkgname-$pkgver"
+ patch -Np0 < ../release-2.8-fixes.patch
./configure --prefix=/usr --without-xml2
make
}
+check() {
+ cd "$srcdir/$pkgname-$pkgver"
+ make check
+}
+
package() {
- cd $srcdir/$pkgname-$pkgver
- make DESTDIR=$pkgdir install
+ cd "$srcdir/$pkgname-$pkgver"
+ make DESTDIR="$pkgdir" install
- install -D -m644 COPYING $pkgdir/usr/share/licenses/libarchive/COPYING
+ install -D -m644 COPYING "$pkgdir"/usr/share/licenses/libarchive/COPYING
}
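Review bot: The new `patch -Np0 < ../release-2.8-fixes.patch` line carries no comment saying what the 234-line patch is or why it is applied, unlike the krb5 PKGBUILD in this commit, which links the advisory above its `patch` call. A comment such as `# upstream release/2.8 branch fixes (svn r3670 -> r3737)` would match the revision range in the patch headers and tell the next maintainer when the patch can be dropped. For consistency with the quoting fixes in this same hunk, the patch could be referenced as `-i "$srcdir/release-2.8-fixes.patch"` instead of a relative `../` path.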
diff --git a/core/libarchive/release-2.8-fixes.patch b/core/libarchive/release-2.8-fixes.patch
new file mode 100644
index 000000000..c21eeaa7b
--- /dev/null
+++ b/core/libarchive/release-2.8-fixes.patch
@@ -0,0 +1,234 @@
+Index: build/cmake/config.h.in
+===================================================================
+--- build/cmake/config.h.in (revision 3670)
++++ build/cmake/config.h.in (revision 3737)
+@@ -1,5 +1,8 @@
+ /* config.h. Generated from config.h.cmake by cmake configure */
+
++/* Define ZLIB_WINAPI if zlib was built on Visual Studio. */
++#cmakedefine ZLIB_WINAPI 1
++
+ /* MD5 via ARCHIVE_HASH_MD5_LIBC supported. */
+ #cmakedefine ARCHIVE_HASH_MD5_LIBC
+
+Index: libarchive/archive_read_support_format_all.c
+===================================================================
+--- libarchive/archive_read_support_format_all.c (revision 3670)
++++ libarchive/archive_read_support_format_all.c (revision 3737)
+@@ -1,5 +1,5 @@
+ /*-
+- * Copyright (c) 2003-2007 Tim Kientzle
++ * Copyright (c) 2003-2011 Tim Kientzle
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -39,5 +39,13 @@
+ archive_read_support_format_tar(a);
+ archive_read_support_format_xar(a);
+ archive_read_support_format_zip(a);
++
++ /* Note: We always return ARCHIVE_OK here, even if some of the
++ * above return ARCHIVE_WARN. The intent here is to enable
++ * "as much as possible." Clients who need specific
++ * compression should enable those individually so they can
++ * verify the level of support. */
++ /* Clear any warning messages set by the above functions. */
++ archive_clear_error(a);
+ return (ARCHIVE_OK);
+ }
+Index: libarchive/archive_write_disk.c
+===================================================================
+--- libarchive/archive_write_disk.c (revision 3670)
++++ libarchive/archive_write_disk.c (revision 3737)
+@@ -1513,6 +1513,22 @@
+ }
+
+ #if defined(_WIN32) || defined(__CYGWIN__)
++static int
++guidword(const char *p, int n)
++{
++ int i;
++
++ for (i = 0; i < n; i++) {
++ if ((*p >= '0' && *p <= '9') ||
++ (*p >= 'a' && *p <= 'f') ||
++ (*p >= 'A' && *p <= 'F'))
++ p++;
++ else
++ return (-1);
++ }
++ return (0);
++}
++
+ /*
+ * 1. Convert a path separator from '\' to '/' .
+ * We shouldn't check multi-byte character directly because some
+@@ -1521,26 +1537,92 @@
+ * 2. Replace unusable characters in Windows with underscore('_').
+ * See also : http://msdn.microsoft.com/en-us/library/aa365247.aspx
+ */
+-static void
++static int
+ cleanup_pathname_win(struct archive_write_disk *a)
+ {
+ wchar_t wc;
+ char *p;
+ size_t alen, l;
+
+- alen = 0;
+- l = 0;
+- for (p = a->name; *p != '\0'; p++) {
+- ++alen;
+- if (*p == '\\')
+- l = 1;
++ p = a->name;
++ /* Skip leading "\\.\" or "\\?\" or "\\?\UNC\" or
++ * "\\?\Volume{GUID}\"
++ * (absolute path prefixes used by Windows API) */
++ if ((p[0] == '\\' || p[0] == '/') && (p[1] == '\\' || p[1] == '/' ) &&
++ (p[2] == '.' || p[2] == '?') && (p[3] == '\\' || p[3] == '/'))
++ {
++ /* A path begin with "\\?\UNC\" */
++ if (p[2] == '?' &&
++ (p[4] == 'U' || p[4] == 'u') &&
++ (p[5] == 'N' || p[5] == 'n') &&
++ (p[6] == 'C' || p[6] == 'c') &&
++ (p[7] == '\\' || p[7] == '/'))
++ p += 8;
++ /* A path begin with "\\?\Volume{GUID}\" */
++ else if (p[2] == '?' &&
++ (p[4] == 'V' || p[4] == 'v') &&
++ (p[5] == 'O' || p[5] == 'o') &&
++ (p[6] == 'L' || p[6] == 'l') &&
++ (p[7] == 'U' || p[7] == 'u') &&
++ (p[8] == 'M' || p[8] == 'm') &&
++ (p[9] == 'E' || p[9] == 'e') &&
++ p[10] == '{') {
++ if (guidword(p+11, 8) == 0 && p[19] == '-' &&
++ guidword(p+20, 4) == 0 && p[24] == '-' &&
++ guidword(p+25, 4) == 0 && p[29] == '-' &&
++ guidword(p+30, 4) == 0 && p[34] == '-' &&
++ guidword(p+35, 12) == 0 && p[47] == '}' &&
++ (p[48] == '\\' || p[48] == '/'))
++ p += 49;
++ else
++ p += 4;
++ /* A path begin with "\\.\PhysicalDriveX" */
++ } else if (p[2] == '.' &&
++ (p[4] == 'P' || p[4] == 'p') &&
++ (p[5] == 'H' || p[5] == 'h') &&
++ (p[6] == 'Y' || p[6] == 'y') &&
++ (p[7] == 'S' || p[7] == 's') &&
++ (p[8] == 'I' || p[8] == 'i') &&
++ (p[9] == 'C' || p[9] == 'c') &&
++ (p[9] == 'A' || p[9] == 'a') &&
++ (p[9] == 'L' || p[9] == 'l') &&
++ (p[9] == 'D' || p[9] == 'd') &&
++ (p[9] == 'R' || p[9] == 'r') &&
++ (p[9] == 'I' || p[9] == 'i') &&
++ (p[9] == 'V' || p[9] == 'v') &&
++ (p[9] == 'E' || p[9] == 'e') &&
++ (p[10] >= '0' && p[10] <= '9') &&
++ p[11] == '\0') {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
++ "Path is a physical drive name");
++ return (ARCHIVE_FAILED);
++ } else
++ p += 4;
++ }
++
++ /* Skip leading drive letter from archives created
++ * on Windows. */
++ if (((p[0] >= 'a' && p[0] <= 'z') ||
++ (p[0] >= 'A' && p[0] <= 'Z')) &&
++ p[1] == ':') {
++ if (p[2] == '\0') {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
++ "Path is a drive name");
++ return (ARCHIVE_FAILED);
++ }
++ if (p[2] == '\\' || p[2] == '/')
++ p += 3;
++ }
++
++ for (; *p != '\0'; p++) {
+ /* Rewrite the path name if its character is a unusable. */
+ if (*p == ':' || *p == '*' || *p == '?' || *p == '"' ||
+ *p == '<' || *p == '>' || *p == '|')
+ *p = '_';
+ }
+- if (alen == 0 || l == 0)
+- return;
++ alen = p - a->name;
++ if (alen == 0 || strchr(a->name, '\\') == NULL)
++ return (ARCHIVE_OK);
+ /*
+ * Convert path separator.
+ */
+@@ -1560,6 +1642,7 @@
+ p += l;
+ alen -= l;
+ }
++ return (ARCHIVE_OK);
+ }
+ #endif
+
+@@ -1583,7 +1666,8 @@
+ }
+
+ #if defined(_WIN32) || defined(__CYGWIN__)
+- cleanup_pathname_win(a);
++ if (cleanup_pathname_win(a) != ARCHIVE_OK)
++ return (ARCHIVE_FAILED);
+ #endif
+ /* Skip leading '/'. */
+ if (*src == '/')
+Index: libarchive/archive_util.c
+===================================================================
+--- libarchive/archive_util.c (revision 3670)
++++ libarchive/archive_util.c (revision 3737)
+@@ -155,6 +155,7 @@
+ {
+ archive_string_empty(&a->error_string);
+ a->error = NULL;
++ a->archive_error_number = 0;
+ }
+
+ void
+Index: libarchive/archive_read_extract.c
+===================================================================
+--- libarchive/archive_read_extract.c (revision 3670)
++++ libarchive/archive_read_extract.c (revision 3737)
+@@ -108,7 +108,7 @@
+ if (r != ARCHIVE_OK)
+ /* If _write_header failed, copy the error. */
+ archive_copy_error(&a->archive, ad);
+- else if (archive_entry_size(entry) > 0)
++ else if (!archive_entry_size_is_set(entry) || archive_entry_size(entry) > 0)
+ /* Otherwise, pour data into the entry. */
+ r = copy_data(_a, ad);
+ r2 = archive_write_finish_entry(ad);
+Index: CMakeLists.txt
+===================================================================
+--- CMakeLists.txt (revision 3670)
++++ CMakeLists.txt (revision 3737)
+@@ -154,6 +154,13 @@
+ SET(HAVE_ZLIB_H 1)
+ INCLUDE_DIRECTORIES(${ZLIB_INCLUDE_DIR})
+ LIST(APPEND ADDITIONAL_LIBS ${ZLIB_LIBRARIES})
++ IF(WIN32 AND NOT CYGWIN)
++ SET(CMAKE_REQUIRED_INCLUDES ${ZLIB_INCLUDE_DIR})
++ SET(CMAKE_REQUIRED_LIBRARIES ${ZLIB_LIBRARIES})
++ CHECK_C_SOURCE_Runs(
++ "#ifndef ZLIB_WINAPI\n#define ZLIB_WINAPI\n#endif\n#include <zlib.h>\nint main() {uLong f = zlibCompileFlags(); return (f&(1U<<10))?0:-1; }"
++ ZLIB_WINAPI)
++ ENDIF(WIN32 AND NOT CYGWIN)
+ ENDIF(ZLIB_FOUND)
+ MARK_AS_ADVANCED(CLEAR ZLIB_INCLUDE_DIR)
+ MARK_AS_ADVANCED(CLEAR ZLIB_LIBRARY)
+
+Property changes on: .
+___________________________________________________________________
+Modified: svn:mergeinfo
+ Merged /trunk:r1989,3247,3722
+
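Review bot: The `\\.\PhysicalDriveX` rejection added to `cleanup_pathname_win` in archive_write_disk.c can never fire. After `p[9]` is matched against 'C', the next seven comparisons also test `p[9]` (against 'A', 'L', 'D', 'R', 'I', 'V', 'E'), so the conjunction is always false and such a name falls through to `p += 4` instead of returning `ARCHIVE_FAILED`. The indices should advance through `p[16]`, with the digit at `p[17]` and the terminator at `p[18]`, as in the excerpt below. The function body continues past this part of the patch.

```c
	} else if (p[2] == '.' &&
	    /* … unchanged: p[4]..p[9] match "PHYSIC" case-insensitively … */
	    (p[10] == 'A' || p[10] == 'a') &&
	    (p[11] == 'L' || p[11] == 'l') &&
	    (p[12] == 'D' || p[12] == 'd') &&
	    (p[13] == 'R' || p[13] == 'r') &&
	    (p[14] == 'I' || p[14] == 'i') &&
	    (p[15] == 'V' || p[15] == 'v') &&
	    (p[16] == 'E' || p[16] == 'e') &&
	    (p[17] >= '0' && p[17] <= '9') &&
	    p[18] == '\0') {
		/* … unchanged: archive_set_error() and return (ARCHIVE_FAILED) … */
```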