diff options
author | ghen <ghen@pkgsrc.org> | 2007-06-26 11:59:28 +0000 |
---|---|---|
committer | ghen <ghen@pkgsrc.org> | 2007-06-26 11:59:28 +0000 |
commit | 35df17efbc1e7816cecfeba4fdde64b28865cbf7 (patch) | |
tree | 70bc0195bb91a84e7728b25f6f98bfea46de1c98 | |
parent | e9575d567c33bfe64f518e800d4f14158df10f2b (diff) | |
download | pkgsrc-35df17efbc1e7816cecfeba4fdde64b28865cbf7.tar.gz |
Pullup ticket 2121, 2122 - requested by tls
security fix for sudo
- pkgsrc/security/sudo/Makefile 1.90
- pkgsrc/security/sudo/distinfo 1.35
- pkgsrc/security/sudo/patches/patch-ah 1.5
- pkgsrc/security/sudo/patches/patch-ai 1.1
Module Name: pkgsrc
Committed By: tls
Date: Mon Jun 25 09:53:42 UTC 2007
Modified Files:
pkgsrc/security/sudo: Makefile distinfo
pkgsrc/security/sudo/patches: patch-ah
Log Message:
Fix privilege-escalation vulnerability with PKG_OPTIONS.sudo=kerberos:
cleanse environment of variables that alter behavior of Kerberos library
so the user can't override the default keytab location, and do *not*
ignore missing keytab errors. Prevents root compromise via spoofed KDC
on systems with Kerberos libraries but no host key in keytab, no keytab,
or keytab overidden via environment.
Don't insist that the keytab key be DES -- some Kerberos sites are 3DES/AES
only.
Somewhat less invasive than the fix Todd incorporated into the 1.6.9 branch
of sudo (presently beta) but equivalent (though not as clean).
---
Module Name: pkgsrc
Committed By: tls
Date: Mon Jun 25 23:53:28 UTC 2007
Added Files:
pkgsrc/security/sudo/patches: patch-ai
Log Message:
Add file omitted from previous commit.
-rw-r--r-- | security/sudo/Makefile | 4 | ||||
-rw-r--r-- | security/sudo/distinfo | 5 | ||||
-rw-r--r-- | security/sudo/patches/patch-ah | 27 | ||||
-rw-r--r-- | security/sudo/patches/patch-ai | 21 |
4 files changed, 49 insertions, 8 deletions
diff --git a/security/sudo/Makefile b/security/sudo/Makefile index 2dfb06e6195..4e7dc0da2a4 100644 --- a/security/sudo/Makefile +++ b/security/sudo/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.89 2007/03/13 09:46:00 rillig Exp $ +# $NetBSD: Makefile,v 1.89.2.1 2007/06/26 11:59:28 ghen Exp $ # DISTNAME= sudo-1.6.8p12 PKGNAME= sudo-1.6.8pl12 -PKGREVISION= 3 +PKGREVISION= 4 CATEGORIES= security MASTER_SITES= http://www.courtesan.com/sudo/dist/ \ ftp://ftp.courtesan.com/pub/sudo/ \ diff --git a/security/sudo/distinfo b/security/sudo/distinfo index 38e745ba073..a52211d816b 100644 --- a/security/sudo/distinfo +++ b/security/sudo/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.34 2006/01/15 11:32:06 adrianp Exp $ +$NetBSD: distinfo,v 1.34.10.1 2007/06/26 11:59:28 ghen Exp $ SHA1 (sudo-1.6.8p12.tar.gz) = a79631e9e1c0d0d3f2aa88ae685628e5fde61982 RMD160 (sudo-1.6.8p12.tar.gz) = d7ff9f18ca0973615258c2e975300b94567451d5 @@ -6,4 +6,5 @@ Size (sudo-1.6.8p12.tar.gz) = 585643 bytes SHA1 (patch-aa) = a4f29f2c228eb3b4af0872cf04a00ffdf41c603c SHA1 (patch-af) = 245761812dc600b3d2752fa135ba367bb0223370 SHA1 (patch-ag) = 87c3263674ec98ccc9cc33f2108a2456eddaecc5 -SHA1 (patch-ah) = 3ca7f39f5a882c5a340a053ddd925ebdaef48df5 +SHA1 (patch-ah) = 142a8884aebdc1cffc256c3ca0ee9addc34f8054 +SHA1 (patch-ai) = 2523a87dc8af7d09573569c7b3e7068d8d927097 diff --git a/security/sudo/patches/patch-ah b/security/sudo/patches/patch-ah index 6f089950dea..180c35996e9 100644 --- a/security/sudo/patches/patch-ah +++ b/security/sudo/patches/patch-ah @@ -1,8 +1,27 @@ -$NetBSD: patch-ah,v 1.4 2006/01/15 11:32:07 adrianp Exp $ +$NetBSD: patch-ah,v 1.4.10.1 2007/06/26 11:59:28 ghen Exp $ ---- env.c.orig 2005-11-08 18:21:33.000000000 +0000 -+++ env.c -@@ -130,6 +130,7 @@ static const char *initial_badenv_table[ +--- env.c.orig 2005-11-08 13:21:33.000000000 -0500 ++++ env.c 2007-06-25 04:44:24.000000000 -0400 +@@ -105,14 +105,14 @@ + #ifdef __APPLE__ + "DYLD_*", + #endif +-#ifdef HAVE_KERB4 ++#if defined(HAVE_KERB4) || defined(HAVE_KERB5) + "KRB_CONF*", + "KRBCONFDIR", + "KRBTKFILE", +-#endif /* HAVE_KERB4 */ +-#ifdef HAVE_KERB5 + "KRB5_CONFIG*", +-#endif /* HAVE_KERB5 */ ++ "KRB5_KTNAME", ++ "KRB5CCNAME", ++#endif /* HAVE_KERB4 || HAVE_KERB5 */ + #ifdef HAVE_SECURID + "VAR_ACE", + "USR_ACE", +@@ -130,6 +130,7 @@ "PERLLIB", "PERL5LIB", "PERL5OPT", diff --git a/security/sudo/patches/patch-ai b/security/sudo/patches/patch-ai new file mode 100644 index 00000000000..37eeecf975a --- /dev/null +++ b/security/sudo/patches/patch-ai @@ -0,0 +1,21 @@ +$NetBSD: patch-ai,v 1.1.2.2 2007/06/26 11:59:28 ghen Exp $ + +--- auth/kerb5.c.orig 2005-03-29 23:38:36.000000000 -0500 ++++ auth/kerb5.c 2007-06-25 04:51:20.000000000 -0400 +@@ -57,7 +57,7 @@ + #ifdef HAVE_HEIMDAL + # define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1) + # define krb5_free_data_contents(c, d) krb5_data_free(d) +-# define ENCTYPE_DES_CBC_MD5 ETYPE_DES_CBC_MD5 /* XXX */ ++# define ENCTYPE_DES_CBC_MD5 0 /* 0 is wildcard */ + #else + # define extract_name(c, p) (krb5_princ_component(c, p, 1)->data) + #endif +@@ -274,7 +274,6 @@ + log_error(NO_EXIT, + "%s: host service key not found: %s", auth_name, + error_message(error)); +- error = 0; + goto cleanup; + } + if (keyblock) |