authorParabola <dev@list.parabolagnulinux.org>2011-05-09 00:26:43 +0000
committerParabola <dev@list.parabolagnulinux.org>2011-05-09 00:26:43 +0000
commitd2f2d3b5c845807249680c275031f94047f9e762 (patch)
tree1237bb3dc8d677e2e405d11f905e143714638be8 /staging/krb5
parent886d3d0994eb8e9f3e797155619619e0ef1353f8 (diff)
Mon May 9 00:26:43 UTC 2011
Diffstat (limited to 'staging/krb5')
-rw-r--r--staging/krb5/CVE-2010-4022.patch19
-rw-r--r--staging/krb5/CVE-2011-0281.0282.0283.patch126
-rw-r--r--staging/krb5/CVE-2011-0284.patch13
-rw-r--r--staging/krb5/CVE-2011-0285.patch39
-rw-r--r--staging/krb5/PKGBUILD64
-rw-r--r--staging/krb5/kadmind.rc40
-rw-r--r--staging/krb5/krb5-kdc.rc40
7 files changed, 0 insertions, 341 deletions
diff --git a/staging/krb5/CVE-2010-4022.patch b/staging/krb5/CVE-2010-4022.patch
deleted file mode 100644
index 30ebf9638..000000000
--- a/staging/krb5/CVE-2010-4022.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -up krb5/src/slave/kpropd.c krb5/src/slave/kpropd.c
---- krb5/src/slave/kpropd.c 2010-12-17 11:14:26.000000000 -0500
-+++ krb5/src/slave/kpropd.c 2010-12-17 11:41:19.000000000 -0500
-@@ -404,11 +404,11 @@ retry:
- }
-
- close(s);
-- if (iproprole == IPROP_SLAVE)
-+ if (iproprole == IPROP_SLAVE) {
- close(finet);
--
-- if ((ret = WEXITSTATUS(status)) != 0)
-- return (ret);
-+ if ((ret = WEXITSTATUS(status)) != 0)
-+ return (ret);
-+ }
- }
- if (iproprole == IPROP_SLAVE)
- break;
diff --git a/staging/krb5/CVE-2011-0281.0282.0283.patch b/staging/krb5/CVE-2011-0281.0282.0283.patch
deleted file mode 100644
index e4623e910..000000000
--- a/staging/krb5/CVE-2011-0281.0282.0283.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
-index 63ff3b3..b4a90bb 100644
---- a/src/kdc/dispatch.c
-+++ b/src/kdc/dispatch.c
-@@ -115,7 +115,8 @@ dispatch(void *cb, struct sockaddr *local_saddr, const krb5_fulladdr *from,
- kdc_insert_lookaside(pkt, *response);
- #endif
-
-- if (is_tcp == 0 && (*response)->length > max_dgram_reply_size) {
-+ if (is_tcp == 0 && *response != NULL &&
-+ (*response)->length > max_dgram_reply_size) {
- too_big_for_udp:
- krb5_free_data(kdc_context, *response);
- retval = make_too_big_error(response);
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-index d677bb2..a356907 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er
- #define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
-
- #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \
-- do { \
-- st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
-- if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
-- tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
-- if (ldap_server_handle) \
-- ld = ldap_server_handle->ldap_handle; \
-- } \
-- }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
-+ tempst = 0; \
-+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, \
-+ NULL, &timelimit, LDAP_NO_LIMIT, &result); \
-+ if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
-+ tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
-+ if (ldap_server_handle) \
-+ ld = ldap_server_handle->ldap_handle; \
-+ if (tempst == 0) \
-+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, \
-+ NULL, NULL, &timelimit, \
-+ LDAP_NO_LIMIT, &result); \
-+ } \
- \
- if (status_check != IGNORE_STATUS) { \
- if (tempst != 0) { \
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-index 82b0333..84e80ee 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
-@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context,
- {
- krb5_ldap_server_handle *handle = *ldap_server_handle;
-
-+ ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
- if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
- || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
- return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-index 86fa4d1..0f49c86 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-@@ -487,12 +487,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context,
- * portion, then the first portion of the principal name SHOULD be
- * "krbtgt". All this check is done in the immediate block.
- */
-- if (searchfor->length == 2)
-- if ((strncasecmp(searchfor->data[0].data, "krbtgt",
-- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
-- (strncasecmp(searchfor->data[1].data, defrealm,
-- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
-+ if (searchfor->length == 2) {
-+ if (data_eq_string(searchfor->data[0], "krbtgt") &&
-+ data_eq_string(searchfor->data[1], defrealm))
- return 0;
-+ }
-
- /* first check the length, if they are not equal, then they are not same */
- if (strlen(defrealm) != searchfor->realm.length)
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-index 140db1a..552e39a 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-@@ -78,10 +78,10 @@ krb5_error_code
- krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
- unsigned int flags, krb5_db_entry **entry_ptr)
- {
-- char *user=NULL, *filter=NULL, **subtree=NULL;
-+ char *user=NULL, *filter=NULL, *filtuser=NULL;
- unsigned int tree=0, ntrees=1, princlen=0;
- krb5_error_code tempst=0, st=0;
-- char **values=NULL, *cname=NULL;
-+ char **values=NULL, **subtree=NULL, *cname=NULL;
- LDAP *ld=NULL;
- LDAPMessage *result=NULL, *ent=NULL;
- krb5_ldap_context *ldap_context=NULL;
-@@ -115,12 +115,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
- if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
- goto cleanup;
-
-- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
-+ filtuser = ldap_filter_correct(user);
-+ if (filtuser == NULL) {
-+ st = ENOMEM;
-+ goto cleanup;
-+ }
-+
-+ princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */
- if ((filter = malloc(princlen)) == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
-- snprintf(filter, princlen, FILTER"%s))", user);
-+ snprintf(filter, princlen, FILTER"%s))", filtuser);
-
- if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
- goto cleanup;
-@@ -207,6 +213,9 @@ cleanup:
- if (user)
- free(user);
-
-+ if (filtuser)
-+ free(filtuser);
-+
- if (cname)
- free(cname);
-
diff --git a/staging/krb5/CVE-2011-0284.patch b/staging/krb5/CVE-2011-0284.patch
deleted file mode 100644
index c97727568..000000000
--- a/staging/krb5/CVE-2011-0284.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
-index 46b5fa1..464cb6e 100644
---- a/src/kdc/do_as_req.c
-+++ b/src/kdc/do_as_req.c
-@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
- pad->contents = td[size]->data;
- pad->length = td[size]->length;
- pa[size] = pad;
-+ td[size]->data = NULL;
-+ td[size]->length = 0;
- }
- krb5_free_typed_data(kdc_context, td);
- }
diff --git a/staging/krb5/CVE-2011-0285.patch b/staging/krb5/CVE-2011-0285.patch
deleted file mode 100644
index 61039113f..000000000
--- a/staging/krb5/CVE-2011-0285.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
-index 1124445..0056885 100644
---- a/src/kadmin/server/schpw.c
-+++ b/src/kadmin/server/schpw.c
-@@ -52,6 +52,7 @@ process_chpw_request(context, server_handle, realm, keytab,
-
- ret = 0;
- rep->length = 0;
-+ rep->data = NULL;
-
- auth_context = NULL;
- changepw = NULL;
-@@ -76,8 +77,13 @@ process_chpw_request(context, server_handle, realm, keytab,
- plen = (*ptr++ & 0xff);
- plen = (plen<<8) | (*ptr++ & 0xff);
-
-- if (plen != req->length)
-- return(KRB5KRB_AP_ERR_MODIFIED);
-+ if (plen != req->length) {
-+ ret = KRB5KRB_AP_ERR_MODIFIED;
-+ numresult = KRB5_KPASSWD_MALFORMED;
-+ strlcpy(strresult, "Request length was inconsistent",
-+ sizeof(strresult));
-+ goto chpwfail;
-+ }
-
- /* verify version number */
-
-@@ -531,6 +537,10 @@ cleanup:
- if (local_kaddrs != NULL)
- krb5_free_addresses(server_handle->context, local_kaddrs);
-
-+ if ((*response)->data == NULL) {
-+ free(*response);
-+ *response = NULL;
-+ }
- krb5_kt_close(server_handle->context, kt);
-
- return ret;
diff --git a/staging/krb5/PKGBUILD b/staging/krb5/PKGBUILD
deleted file mode 100644
index 4e3dd2c4f..000000000
--- a/staging/krb5/PKGBUILD
+++ /dev/null
@@ -1,64 +0,0 @@
-# $Id: PKGBUILD 122855 2011-05-06 19:36:38Z stephane $
-# Maintainer: Stéphane Gaudreault <stephane@archlinux.org>
-
-pkgname=krb5
-pkgver=1.9.1
-pkgrel=1
-pkgdesc="The Kerberos network authentication system"
-arch=('i686' 'x86_64')
-url="http://web.mit.edu/kerberos/"
-license=('custom')
-depends=('e2fsprogs' 'libldap' 'keyutils')
-makedepends=('perl')
-provides=('heimdal')
-replaces=('heimdal')
-conflicts=('heimdal')
-backup=('etc/krb5/krb5.conf' 'etc/krb5/kdc.conf')
-source=(http://web.mit.edu/kerberos/dist/${pkgname}/1.9/${pkgname}-${pkgver}-signed.tar
- kadmind.rc
- krb5-kdc.rc)
-sha1sums=('e23a1795a237521493da9cf3443ac8b98a90c066'
- '640e3046c6558313d2be81cf2252afc8622892b0'
- '77d2312ecd8bf12a6e72cc8fd871a8ac93b23393')
-options=('!emptydirs')
-
-build() {
- tar zxvf ${pkgname}-${pkgver}.tar.gz
- cd "${srcdir}/${pkgname}-${pkgver}/src"
-
- export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all"
- export CPPFLAGS+=" -I/usr/include/et"
- ./configure --prefix=/usr \
- --sysconfdir=/etc/krb5 \
- --mandir=/usr/share/man \
- --localstatedir=/var/lib \
- --enable-shared \
- --with-system-et \
- --with-system-ss \
- --disable-rpath \
- --without-tcl \
- --enable-dns-for-realm \
- --with-ldap
-
- make
-}
-
-check() {
- # We can't do this in the build directory.
- cd "${srcdir}/${pkgname}-${pkgver}"
- make -C src check
-}
-
-package() {
- cd "${srcdir}/${pkgname}-${pkgver}/src"
- make DESTDIR="${pkgdir}" EXAMPLEDIR="/usr/share/doc/${pkgname}/examples" install
-
- install -D -m 644 config-files/kdc.conf "${pkgdir}"/etc/krb5/kdc.conf
- install -D -m 644 config-files/krb5.conf "${pkgdir}"/etc/krb5/krb5.conf
-
- install -d -m 755 "${pkgdir}"/etc/rc.d
- install -m 755 ../../krb5-kdc.rc "${pkgdir}"/etc/rc.d
- install -m 755 ../../kadmind.rc "${pkgdir}"/etc/rc.d
-
- install -Dm644 "${srcdir}"/${pkgname}-${pkgver}/NOTICE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE
-}
diff --git a/staging/krb5/kadmind.rc b/staging/krb5/kadmind.rc
deleted file mode 100644
index 45835e35b..000000000
--- a/staging/krb5/kadmind.rc
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/bash
-
-# general config
-. /etc/rc.conf
-. /etc/rc.d/functions
-
-PID=`pidof -o %PPID /usr/sbin/kadmind`
-case "$1" in
- start)
- stat_busy "Starting Kerberos Admin Daemon"
- if [ -z "$PID" ]; then
- /usr/sbin/kadmind
- fi
- if [ ! -z "$PID" -o $? -gt 0 ]; then
- stat_fail
- else
- add_daemon kadmind
- stat_done
- fi
- ;;
- stop)
- stat_busy "Stopping Kerberos Admin Daemon"
- [ ! -z "$PID" ] && kill $PID &> /dev/null
- if [ $? -gt 0 ]; then
- stat_fail
- else
- rm_daemon kadmind
- stat_done
- fi
- ;;
- restart)
- $0 stop
- sleep 1
- $0 start
- ;;
- *)
- echo "usage: $0 {start|stop|restart}"
- ;;
-esac
-exit 0
diff --git a/staging/krb5/krb5-kdc.rc b/staging/krb5/krb5-kdc.rc
deleted file mode 100644
index 05a03411e..000000000
--- a/staging/krb5/krb5-kdc.rc
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/bash
-
-# general config
-. /etc/rc.conf
-. /etc/rc.d/functions
-
-PID=`pidof -o %PPID /usr/sbin/krb5kdc`
-case "$1" in
- start)
- stat_busy "Starting Kerberos Authentication"
- if [ -z "$PID" ]; then
- /usr/sbin/krb5kdc
- fi
- if [ ! -z "$PID" -o $? -gt 0 ]; then
- stat_fail
- else
- add_daemon krb5-kdc
- stat_done
- fi
- ;;
- stop)
- stat_busy "Stopping Kerberos Authentication"
- [ ! -z "$PID" ] && kill $PID &> /dev/null
- if [ $? -gt 0 ]; then
- stat_fail
- else
- rm_daemon krb5-kdc
- stat_done
- fi
- ;;
- restart)
- $0 stop
- sleep 1
- $0 start
- ;;
- *)
- echo "usage: $0 {start|stop|restart}"
- ;;
-esac
-exit 0