authorroot <root@rshg054.dnsready.net>2011-12-20 23:14:59 +0000
committerroot <root@rshg054.dnsready.net>2011-12-20 23:14:59 +0000
commitea1f4bece8870857691a7123bdc899562760b3fe (patch)
treeb332a0692c3e63d46cb60cb1214fc57871e619c8 /multilib/lib32-krb5
parent6d2dec5c3443d142a0131c43666929490961c16a (diff)
Tue Dec 20 23:14:59 UTC 2011
Diffstat (limited to 'multilib/lib32-krb5')
-rw-r--r--multilib/lib32-krb5/PKGBUILD13
-rw-r--r--multilib/lib32-krb5/krb5-1.9.1-2011-007.patch40
2 files changed, 50 insertions, 3 deletions
diff --git a/multilib/lib32-krb5/PKGBUILD b/multilib/lib32-krb5/PKGBUILD
index 32debcbae..1b70b9d2b 100644
--- a/multilib/lib32-krb5/PKGBUILD
+++ b/multilib/lib32-krb5/PKGBUILD
@@ -4,7 +4,7 @@
_pkgbasename=krb5
pkgname=lib32-$_pkgbasename
-pkgver=1.9.1
+pkgver=1.9.2
pkgrel=1
pkgdesc="The Kerberos network authentication system (32-bit)"
arch=('x86_64')
@@ -15,14 +15,21 @@ makedepends=('perl' gcc-multilib)
provides=('lib32-heimdal')
replaces=('lib32-heimdal')
conflicts=('lib32-heimdal')
-source=(http://web.mit.edu/kerberos/dist/${_pkgbasename}/1.9/${_pkgbasename}-${pkgver}-signed.tar)
-sha1sums=('e23a1795a237521493da9cf3443ac8b98a90c066')
+source=(http://web.mit.edu/kerberos/dist/${_pkgbasename}/1.9/${_pkgbasename}-${pkgver}-signed.tar
+krb5-1.9.1-2011-007.patch)
+sha1sums=('aa06f778ee1f9791cd4c5cf4c9e9465769ffec92'
+ '31a130542e92b70c807b2dbe6f9b182dc14f5e9f')
options=('!emptydirs')
build() {
tar zxvf ${_pkgbasename}-${pkgver}.tar.gz
cd "${srcdir}/${_pkgbasename}-${pkgver}/src"
+ # Apply upstream patch to fix a null pointer dereference when processing TGS requests
+ # CVE-2011-1530
+ # see http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-007.txt
+ patch -Np2 -i ${srcdir}/krb5-1.9.1-2011-007.patch
+
export CC="gcc -m32"
export CXX="g++ -m32"
export PKG_CONFIG_PATH="/usr/lib32/pkgconfig"
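Review bot: The updated `source`/`sha1sums` pair leaves SHA-1 as the only integrity check on a tarball fetched over plain `http://`, and the `tar zxvf` step unpacks the inner `.tar.gz` from the `-signed.tar` bundle without checking any signature that bundle may carry (the name suggests one is shipped, but that is not visible here). For an authentication library receiving a CVE fix, I would add a stronger digest array next to the existing one, e.g. `sha256sums=('<sha256 of the tarball>' '<sha256 of the patch>')`, and verify the upstream signature before extraction if one is present. Separately, the new `patch` line leaves `${srcdir}` unquoted while the `cd` above quotes it; `patch -Np2 -i "${srcdir}/krb5-1.9.1-2011-007.patch"` would match. `build()` continues past the end of this hunk.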
diff --git a/multilib/lib32-krb5/krb5-1.9.1-2011-007.patch b/multilib/lib32-krb5/krb5-1.9.1-2011-007.patch
new file mode 100644
index 000000000..f1ffdd4d1
--- /dev/null
+++ b/multilib/lib32-krb5/krb5-1.9.1-2011-007.patch
@@ -0,0 +1,40 @@
+diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
+index f46cad3..102fbaa 100644
+--- a/src/kdc/Makefile.in
++++ b/src/kdc/Makefile.in
+@@ -67,6 +67,7 @@ check-unix:: rtest
+
+ check-pytests::
+ $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
++ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
+
+ install::
+ $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index c169c54..840a2ef 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -243,7 +243,8 @@ tgt_again:
+ if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
+ errcode = find_alternate_tgs(request, &server);
+ firstpass = 0;
+- goto tgt_again;
++ if (errcode == 0)
++ goto tgt_again;
+ }
+ }
+ status = "UNKNOWN_SERVER";
+diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
+new file mode 100644
+index 0000000..1760bcd
+--- /dev/null
++++ b/src/kdc/t_emptytgt.py
+@@ -0,0 +1,8 @@
++#!/usr/bin/python
++from k5test import *
++
++realm = K5Realm(start_kadmind=False, create_host=False)
++output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
++if 'not found in Kerberos database' not in output:
++ fail('TGT lookup for empty realm failed in unexpected way')
++success('Empty tgt lookup.')