Diffstat (limited to 'core')
-rw-r--r-- | core/glib2/PKGBUILD | 6 | ||||
-rw-r--r-- | core/krb5/PKGBUILD | 14 | ||||
-rw-r--r-- | core/krb5/krb5-1.9.1-2011-006.patch | 75 | ||||
-rw-r--r-- | core/libarchive/PKGBUILD | 28 | ||||
-rw-r--r-- | core/libarchive/release-2.8-fixes.patch | 234 |
5 files changed, 340 insertions, 17 deletions
diff --git a/core/glib2/PKGBUILD b/core/glib2/PKGBUILD index 662893003..6c37dd14b 100644 --- a/core/glib2/PKGBUILD +++ b/core/glib2/PKGBUILD @@ -1,8 +1,8 @@ -# $Id: PKGBUILD 140113 2011-10-07 08:18:56Z ibiru $ +# $Id: PKGBUILD 140832 2011-10-20 05:41:08Z ibiru $ # Maintainer: Jan de Groot <jgc@archlinux.org> pkgname=glib2 -pkgver=2.30.0 +pkgver=2.30.1 pkgrel=1 pkgdesc="Common C routines used by GTK+ and other libs" url="http://www.gtk.org/" @@ -15,7 +15,7 @@ options=('!libtool' '!docs' '!emptydirs') source=(http://ftp.gnome.org/pub/GNOME/sources/glib/2.30/glib-${pkgver}.tar.xz glib2.sh glib2.csh) -sha256sums=('d64c00b43409eabb89aad78501fcb1a992b002b314a4414a9bd069585cb7cdc1' +sha256sums=('82fde222ea33a0faac88e9b50f5b1f7fcfc235c861a9371e8fe47ec12c1e27f9' '9456872cdedcc639fb679448d74b85b0facf81033e27157d2861b991823b5a2a' '8d5626ffa361304ad3696493c0ef041d0ab10c857f6ef32116b3e2878ecf89e3') diff --git a/core/krb5/PKGBUILD b/core/krb5/PKGBUILD index b86c0a91c..38cf23966 100644 --- a/core/krb5/PKGBUILD +++ b/core/krb5/PKGBUILD @@ -1,9 +1,9 @@ -# $Id: PKGBUILD 139635 2011-10-03 23:42:42Z stephane $ +# $Id: PKGBUILD 141000 2011-10-21 02:57:57Z stephane $ # Maintainer: Stéphane Gaudreault <stephane@archlinux.org> pkgname=krb5 pkgver=1.9.1 -pkgrel=4 +pkgrel=5 pkgdesc="The Kerberos network authentication system" arch=('i686' 'x86_64') url="http://web.mit.edu/kerberos/" @@ -18,12 +18,14 @@ source=(http://web.mit.edu/kerberos/dist/${pkgname}/1.9/${pkgname}-${pkgver}-sig krb5-kadmind krb5-kdc krb5-1.9.1-config-script.patch - krb5-1.9.1-canonicalize-fallback.patch) + krb5-1.9.1-canonicalize-fallback.patch + krb5-1.9.1-2011-006.patch) sha1sums=('e23a1795a237521493da9cf3443ac8b98a90c066' '2aa229369079ed1bbb201a1ef72c47bf143f4dbe' '77d2312ecd8bf12a6e72cc8fd871a8ac93b23393' '7342410760cf44bfa01bb99bb4c49e12496cb46f' - '238c268fa6cb42fc7324ab54db9abda5cd77f833') + '238c268fa6cb42fc7324ab54db9abda5cd77f833' + '0b0016b0e341dcf720f67925b0d451b328e02583') options=('!emptydirs') build() { 
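Review bot: The new `krb5-1.9.1-2011-006.patch` entry in core/krb5/PKGBUILD is pinned only through `sha1sums`, like the other sources in that array, and the `source=` line in the hunk header shows the tarball is fetched over plain http. The glib2 and libarchive PKGBUILDs in this same commit carry `sha256sums`, and libarchive shows that two checksum arrays can coexist. Since this release exists to ship a security fix, I would add a `sha256sums=(...)` array next to the existing one, with each value generated from the real file, e.g. `'<sha256 of krb5-1.9.1-2011-006.patch>'` as a placeholder.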
@@ -47,6 +49,10 @@ build() { # FS#25384 sed -i "/KRB5ROOT=/s/\/local//" util/ac_check_krb5.m4 + # KDC denial of service vulnerabilities + # http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-006.txt + patch -Np2 -i ${srcdir}/krb5-1.9.1-2011-006.patch + export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all" export CPPFLAGS+=" -I/usr/include/et" ./configure --prefix=/usr \ diff --git a/core/krb5/krb5-1.9.1-2011-006.patch b/core/krb5/krb5-1.9.1-2011-006.patch new file mode 100644 index 000000000..05a22caf5 --- /dev/null +++ b/core/krb5/krb5-1.9.1-2011-006.patch 
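Review bot: `${srcdir}` is unquoted in the added `patch -Np2 -i ${srcdir}/krb5-1.9.1-2011-006.patch` line, so a build directory containing whitespace would split the argument. The libarchive PKGBUILD in this same commit quotes its `$srcdir` uses, so for consistency I would write `patch -Np2 -i "${srcdir}/krb5-1.9.1-2011-006.patch"`. The build() body starts and continues outside this hunk.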
@@ -0,0 +1,75 @@
+diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c
+index b473611..50c60b7 100644
+--- a/src/plugins/kdb/db2/lockout.c
++++ b/src/plugins/kdb/db2/lockout.c
+@@ -169,6 +169,9 @@ krb5_db2_lockout_audit(krb5_context context,
+ return 0;
+ }
+
++ if (entry == NULL)
++ return 0;
++
+ if (!db_ctx->disable_lockout) {
+ code = lookup_lockout_policy(context, entry, &max_fail,
+ &failcnt_interval, &lockout_duration);
+@@ -176,6 +179,15 @@ krb5_db2_lockout_audit(krb5_context context,
+ return code;
+ }
+
++ /*
++ * Don't continue to modify the DB for an already locked account.
++ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
++ * this check is unneeded, but in rare cases, we can fail with an
++ * integrity error or preauth failure before a policy check.)
++ */
++ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
++ return 0;
++
+ /* Only mark the authentication as successful if the entry
+ * required preauthentication, otherwise we have no idea. */
+ if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) {
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index 552e39a..c2f44ab 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -105,6 +105,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
+ CHECK_LDAP_HANDLE(ldap_context);
+
+ if (is_principal_in_realm(ldap_context, searchfor) != 0) {
++ st = KRB5_KDB_NOENTRY;
+ krb5_set_error_message (context, st, "Principal does not belong to realm");
+ goto cleanup;
+ }
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
+index a218dc7..fd164dd 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
+@@ -165,6 +165,9 @@ krb5_ldap_lockout_audit(krb5_context context,
+ return 0;
+ }
+
++ if (entry == NULL)
++ return 0;
++
+ if (!ldap_context->disable_lockout) {
+ code = lookup_lockout_policy(context, entry, &max_fail,
+ &failcnt_interval,
+@@ -173,9 +176,16 @@ krb5_ldap_lockout_audit(krb5_context context,
+ return code;
+ }
+
+- entry->mask = 0;
++ /*
++ * Don't continue to modify the DB for an already locked account.
++ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
++ * this check is unneeded, but in rare cases, we can fail with an
++ * integrity error or preauth failure before a policy check.)
++ */
++ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
++ return 0;
+
+- assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry));
++ entry->mask = 0;
+
+ /* Only mark the authentication as successful if the entry
+ * required preauthentication, otherwise we have no idea. */
diff --git a/core/libarchive/PKGBUILD b/core/libarchive/PKGBUILD
index 218d6f3e1..a64e19690 100644
--- a/core/libarchive/PKGBUILD
+++ b/core/libarchive/PKGBUILD @@ -1,30 +1,38 @@ -# $Id: PKGBUILD 137228 2011-09-06 21:10:41Z dan $ +# $Id: PKGBUILD 140981 2011-10-20 13:56:51Z dan $ # Maintainer: Dan McGee <dan@archlinux.org> -# Maintainer: Aaron Griffin <aaron@archlinux.org> pkgname=libarchive pkgver=2.8.5 -pkgrel=1 +pkgrel=2 pkgdesc="library that can create and read several streaming archive formats" arch=('i686' 'x86_64') url="http://libarchive.googlecode.com/" license=('BSD') depends=('zlib' 'bzip2' 'xz>=5.0.0' 'acl' 'openssl>=1.0.0' 'expat') -source=("http://libarchive.googlecode.com/files/libarchive-${pkgver}.tar.gz") -md5sums=('9caf51dcf6213e9c9f5a1c27448b9c90') -sha256sums=('13993e0ffbd121ccda46ea226b1f8eac218de0fa8da7d8b1f998093d5c32a72d') +source=("http://libarchive.googlecode.com/files/libarchive-${pkgver}.tar.gz" + release-2.8-fixes.patch) +md5sums=('9caf51dcf6213e9c9f5a1c27448b9c90' + '14dbbf2d31d68d8eedb93ec5531f3b0c') +sha256sums=('13993e0ffbd121ccda46ea226b1f8eac218de0fa8da7d8b1f998093d5c32a72d' + 'fcadc5ac3020a9fab5922d343baca28f067cc051e9b6f59e480349ba5b0a5060') # keep an upgrade path for older installations PKGEXT='.pkg.tar.gz' build() { - cd $srcdir/$pkgname-$pkgver + cd "$srcdir/$pkgname-$pkgver" + patch -Np0 < ../release-2.8-fixes.patch ./configure --prefix=/usr --without-xml2 make } +check() { + cd "$srcdir/$pkgname-$pkgver" + make check +} + package() { - cd $srcdir/$pkgname-$pkgver - make DESTDIR=$pkgdir install + cd "$srcdir/$pkgname-$pkgver" + make DESTDIR="$pkgdir" install - install -D -m644 COPYING $pkgdir/usr/share/licenses/libarchive/COPYING + install -D -m644 COPYING "$pkgdir"/usr/share/licenses/libarchive/COPYING } diff --git a/core/libarchive/release-2.8-fixes.patch b/core/libarchive/release-2.8-fixes.patch new file mode 100644 index 000000000..c21eeaa7b --- /dev/null +++ b/core/libarchive/release-2.8-fixes.patch 
@@ -0,0 +1,234 @@
+Index: build/cmake/config.h.in
+===================================================================
+--- build/cmake/config.h.in (revision 3670)
++++ build/cmake/config.h.in (revision 3737)
+@@ -1,5 +1,8 @@
+ /* config.h. Generated from config.h.cmake by cmake configure */
+
++/* Define ZLIB_WINAPI if zlib was built on Visual Studio. */
++#cmakedefine ZLIB_WINAPI 1
++
+ /* MD5 via ARCHIVE_HASH_MD5_LIBC supported. */
+ #cmakedefine ARCHIVE_HASH_MD5_LIBC
+
+Index: libarchive/archive_read_support_format_all.c
+===================================================================
+--- libarchive/archive_read_support_format_all.c (revision 3670)
++++ libarchive/archive_read_support_format_all.c (revision 3737)
+@@ -1,5 +1,5 @@
+ /*-
+- * Copyright (c) 2003-2007 Tim Kientzle
++ * Copyright (c) 2003-2011 Tim Kientzle
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -39,5 +39,13 @@
+ archive_read_support_format_tar(a);
+ archive_read_support_format_xar(a);
+ archive_read_support_format_zip(a);
++
++ /* Note: We always return ARCHIVE_OK here, even if some of the
++ * above return ARCHIVE_WARN. The intent here is to enable
++ * "as much as possible." Clients who need specific
++ * compression should enable those individually so they can
++ * verify the level of support. */
++ /* Clear any warning messages set by the above functions. */
++ archive_clear_error(a);
+ return (ARCHIVE_OK);
+ }
+Index: libarchive/archive_write_disk.c
+===================================================================
+--- libarchive/archive_write_disk.c (revision 3670)
++++ libarchive/archive_write_disk.c (revision 3737)
+@@ -1513,6 +1513,22 @@
+ }
+
+ #if defined(_WIN32) || defined(__CYGWIN__)
++static int
++guidword(const char *p, int n)
++{
++ int i;
++
++ for (i = 0; i < n; i++) {
++ if ((*p >= '0' && *p <= '9') ||
++ (*p >= 'a' && *p <= 'f') ||
++ (*p >= 'A' && *p <= 'F'))
++ p++;
++ else
++ return (-1);
++ }
++ return (0);
++}
++
+ /*
+ * 1. Convert a path separator from '\' to '/' .
+ * We shouldn't check multi-byte character directly because some
+@@ -1521,26 +1537,92 @@
+ * 2. Replace unusable characters in Windows with underscore('_').
+ * See also : http://msdn.microsoft.com/en-us/library/aa365247.aspx
+ */
+-static void
++static int
+ cleanup_pathname_win(struct archive_write_disk *a)
+ {
+ wchar_t wc;
+ char *p;
+ size_t alen, l;
+
+- alen = 0;
+- l = 0;
+- for (p = a->name; *p != '\0'; p++) {
+- ++alen;
+- if (*p == '\\')
+- l = 1;
++ p = a->name;
++ /* Skip leading "\\.\" or "\\?\" or "\\?\UNC\" or
++ * "\\?\Volume{GUID}\"
++ * (absolute path prefixes used by Windows API) */
++ if ((p[0] == '\\' || p[0] == '/') && (p[1] == '\\' || p[1] == '/' ) &&
++ (p[2] == '.' || p[2] == '?') && (p[3] == '\\' || p[3] == '/'))
++ {
++ /* A path begin with "\\?\UNC\" */
++ if (p[2] == '?' &&
++ (p[4] == 'U' || p[4] == 'u') &&
++ (p[5] == 'N' || p[5] == 'n') &&
++ (p[6] == 'C' || p[6] == 'c') &&
++ (p[7] == '\\' || p[7] == '/'))
++ p += 8;
++ /* A path begin with "\\?\Volume{GUID}\" */
++ else if (p[2] == '?' &&
++ (p[4] == 'V' || p[4] == 'v') &&
++ (p[5] == 'O' || p[5] == 'o') &&
++ (p[6] == 'L' || p[6] == 'l') &&
++ (p[7] == 'U' || p[7] == 'u') &&
++ (p[8] == 'M' || p[8] == 'm') &&
++ (p[9] == 'E' || p[9] == 'e') &&
++ p[10] == '{') {
++ if (guidword(p+11, 8) == 0 && p[19] == '-' &&
++ guidword(p+20, 4) == 0 && p[24] == '-' &&
++ guidword(p+25, 4) == 0 && p[29] == '-' &&
++ guidword(p+30, 4) == 0 && p[34] == '-' &&
++ guidword(p+35, 12) == 0 && p[47] == '}' &&
++ (p[48] == '\\' || p[48] == '/'))
++ p += 49;
++ else
++ p += 4;
++ /* A path begin with "\\.\PhysicalDriveX" */
++ } else if (p[2] == '.' &&
++ (p[4] == 'P' || p[4] == 'p') &&
++ (p[5] == 'H' || p[5] == 'h') &&
++ (p[6] == 'Y' || p[6] == 'y') &&
++ (p[7] == 'S' || p[7] == 's') &&
++ (p[8] == 'I' || p[8] == 'i') &&
++ (p[9] == 'C' || p[9] == 'c') &&
++ (p[9] == 'A' || p[9] == 'a') &&
++ (p[9] == 'L' || p[9] == 'l') &&
++ (p[9] == 'D' || p[9] == 'd') &&
++ (p[9] == 'R' || p[9] == 'r') &&
++ (p[9] == 'I' || p[9] == 'i') &&
++ (p[9] == 'V' || p[9] == 'v') &&
++ (p[9] == 'E' || p[9] == 'e') &&
++ (p[10] >= '0' && p[10] <= '9') &&
++ p[11] == '\0') {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
++ "Path is a physical drive name");
++ return (ARCHIVE_FAILED);
++ } else
++ p += 4;
++ }
++
++ /* Skip leading drive letter from archives created
++ * on Windows. */
++ if (((p[0] >= 'a' && p[0] <= 'z') ||
++ (p[0] >= 'A' && p[0] <= 'Z')) &&
++ p[1] == ':') {
++ if (p[2] == '\0') {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
++ "Path is a drive name");
++ return (ARCHIVE_FAILED);
++ }
++ if (p[2] == '\\' || p[2] == '/')
++ p += 3;
++ }
++
++ for (; *p != '\0'; p++) {
+ /* Rewrite the path name if its character is a unusable. */
+ if (*p == ':' || *p == '*' || *p == '?' || *p == '"' ||
+ *p == '<' || *p == '>' || *p == '|')
+ *p = '_';
+ }
+- if (alen == 0 || l == 0)
+- return;
++ alen = p - a->name;
++ if (alen == 0 || strchr(a->name, '\\') == NULL)
++ return (ARCHIVE_OK);
+ /*
+ * Convert path separator.
+ */
+@@ -1560,6 +1642,7 @@
+ p += l;
+ alen -= l;
+ }
++ return (ARCHIVE_OK);
+ }
+ #endif
+
+@@ -1583,7 +1666,8 @@
+ }
+
+ #if defined(_WIN32) || defined(__CYGWIN__)
+- cleanup_pathname_win(a);
++ if (cleanup_pathname_win(a) != ARCHIVE_OK)
++ return (ARCHIVE_FAILED);
+ #endif
+ /* Skip leading '/'. */
+ if (*src == '/')
+Index: libarchive/archive_util.c
+===================================================================
+--- libarchive/archive_util.c (revision 3670)
++++ libarchive/archive_util.c (revision 3737)
+@@ -155,6 +155,7 @@
+ {
+ archive_string_empty(&a->error_string);
+ a->error = NULL;
++ a->archive_error_number = 0;
+ }
+
+ void
+Index: libarchive/archive_read_extract.c
+===================================================================
+--- libarchive/archive_read_extract.c (revision 3670)
++++ libarchive/archive_read_extract.c (revision 3737)
+@@ -108,7 +108,7 @@
+ if (r != ARCHIVE_OK)
+ /* If _write_header failed, copy the error. */
+ archive_copy_error(&a->archive, ad);
+- else if (archive_entry_size(entry) > 0)
++ else if (!archive_entry_size_is_set(entry) || archive_entry_size(entry) > 0)
+ /* Otherwise, pour data into the entry. */
+ r = copy_data(_a, ad);
+ r2 = archive_write_finish_entry(ad);
+Index: CMakeLists.txt
+===================================================================
+--- CMakeLists.txt (revision 3670)
++++ CMakeLists.txt (revision 3737)
+@@ -154,6 +154,13 @@
+ SET(HAVE_ZLIB_H 1)
+ INCLUDE_DIRECTORIES(${ZLIB_INCLUDE_DIR})
+ LIST(APPEND ADDITIONAL_LIBS ${ZLIB_LIBRARIES})
++ IF(WIN32 AND NOT CYGWIN)
++ SET(CMAKE_REQUIRED_INCLUDES ${ZLIB_INCLUDE_DIR})
++ SET(CMAKE_REQUIRED_LIBRARIES ${ZLIB_LIBRARIES})
++ CHECK_C_SOURCE_Runs(
++ "#ifndef ZLIB_WINAPI\n#define ZLIB_WINAPI\n#endif\n#include <zlib.h>\nint main() {uLong f = zlibCompileFlags(); return (f&(1U<<10))?0:-1; }"
++ ZLIB_WINAPI)
++ ENDIF(WIN32 AND NOT CYGWIN)
+ ENDIF(ZLIB_FOUND)
+ MARK_AS_ADVANCED(CLEAR ZLIB_INCLUDE_DIR)
+ MARK_AS_ADVANCED(CLEAR ZLIB_LIBRARY)
+
+Property changes on: .
+___________________________________________________________________
+Modified: svn:mergeinfo
+ Merged /trunk:r1989,3247,3722
+ |
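Review bot: The `\\.\PhysicalDriveX` rejection that the bundled patch adds to cleanup_pathname_win can never fire. After `p[8]`, the letters C, A, L, D, R, I, V and E are all compared against `p[9]`, which cannot equal eight different characters at once, so such a name falls through to `else p += 4` and is treated as an ordinary path instead of returning ARCHIVE_FAILED. The indices should advance through `p[16]`, with the digit test on `p[17]` and the terminator on `p[18]`. The block sits under `#if defined(_WIN32) || defined(__CYGWIN__)`, so it is presumably not compiled for this package, but the defect is worth reporting upstream rather than carrying silently. The function body continues outside the inner hunk.

```c
	} else if (p[2] == '.' &&
	    (p[4] == 'P' || p[4] == 'p') &&
	    /* … unchanged: p[5]..p[8] match "HYSI" … */
	    (p[9] == 'C' || p[9] == 'c') &&
	    (p[10] == 'A' || p[10] == 'a') &&
	    (p[11] == 'L' || p[11] == 'l') &&
	    (p[12] == 'D' || p[12] == 'd') &&
	    (p[13] == 'R' || p[13] == 'r') &&
	    (p[14] == 'I' || p[14] == 'i') &&
	    (p[15] == 'V' || p[15] == 'v') &&
	    (p[16] == 'E' || p[16] == 'e') &&
	    (p[17] >= '0' && p[17] <= '9') &&
	    p[18] == '\0') {
		/* … unchanged: archive_set_error + return (ARCHIVE_FAILED) … */
```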