authorspz <spz>2013-05-16 22:04:58 +0000
committerspz <spz>2013-05-16 22:04:58 +0000
commitee836a8af062b47693aaecc7e2b7f4dda6faabd0 (patch)
treeffff7b3aec67479e8f839320bd6da8ddca8a1275
parentf0129af06facf30218d527d532ae932925140e95 (diff)
downloadpkgsrc-ee836a8af062b47693aaecc7e2b7f4dda6faabd0.tar.gz
Pullup ticket #4134 - requested by tez
security/mit-krb5: security fix Revisions pulled up: - security/mit-krb5/Makefile 1.70 - security/mit-krb5/distinfo 1.43 - security/mit-krb5/patches/patch-kadmin_server_schpw.c 1.1 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: tez Date: Mon May 13 22:42:34 UTC 2013 Modified Files: pkgsrc/security/mit-krb5: Makefile distinfo Added Files: pkgsrc/security/mit-krb5/patches: patch-kadmin_server_schpw.c Log Message: The kpasswd service provided by kadmind was vulnerable to a UDP "ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless they pass some basic validation, and don't respond to our own error packets. Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong attack or UDP ping-pong attacks in general, but there is discussion leading toward narrowing the definition of CVE-1999-0103 to the echo, chargen, or other similar built-in inetd services. https://github.com/krb5/krb5/commit/cf1a0c411b2668c57c41e9c4efd15ba17b6b322c cvs To generate a diff of this commit: cvs rdiff -u -r1.69 -r1.70 pkgsrc/security/mit-krb5/Makefile cvs rdiff -u -r1.42 -r1.43 pkgsrc/security/mit-krb5/distinfo cvs rdiff -u -r0 -r1.1 \ pkgsrc/security/mit-krb5/patches/patch-kadmin_server_schpw.c
-rw-r--r--security/mit-krb5/Makefile4
-rw-r--r--security/mit-krb5/distinfo3
-rw-r--r--security/mit-krb5/patches/patch-kadmin_server_schpw.c53
3 files changed, 57 insertions, 3 deletions
diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile
index 415fd0850ac..81bdab985e9 100644
--- a/security/mit-krb5/Makefile
+++ b/security/mit-krb5/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.67.2.1 2013/04/30 18:50:00 tron Exp $
+# $NetBSD: Makefile,v 1.67.2.2 2013/05/16 22:04:58 spz Exp $
DISTNAME= krb5-1.10.4
-PKGREVISION= 1
+PKGREVISION= 2
PKGNAME= mit-${DISTNAME}
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV:R}/
diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo
index 890866ed344..5d554b03106 100644
--- a/security/mit-krb5/distinfo
+++ b/security/mit-krb5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.40.2.1 2013/04/30 18:50:00 tron Exp $
+$NetBSD: distinfo,v 1.40.2.2 2013/05/16 22:04:58 spz Exp $
SHA1 (krb5-1.10.4-signed.tar) = 2b4a0743b95b09cb433d25909e599de27c352f10
RMD160 (krb5-1.10.4-signed.tar) = 1dbf18f1a02744941ebde3b1db93b2e63e59afcd
@@ -19,6 +19,7 @@ SHA1 (patch-ci) = 4e310f0a4dfe27cf94d0e63d623590691b6c5970
SHA1 (patch-cj) = 78342f649f8e9d3a3b5a4f83e65b6c46f589586b
SHA1 (patch-ck) = 37bfef80329f8ae0fb35c35e70032a0040ba5591
SHA1 (patch-kadmin_dbutil_dump.c) = 4b49c116dbed9e6be4a0bf0a731c3ae82808d82e
+SHA1 (patch-kadmin_server_schpw.c) = 87d849b6dcc0ad22f377e18f57d0731e642943bc
SHA1 (patch-kdc_do_tgs_req.c) = a7c89338eab17f98c5e2b5d426b3696cc9b4b081
SHA1 (patch-lib_krb5_asn.1_asn1buf.h) = a1e46ca9256aea4facc1d41841b1707b044a69e7
SHA1 (patch-util_k5ev_verto-k5ev.c) = 79a2be64fa4f9b0dc3a333271e8a3ff7944e5c18
diff --git a/security/mit-krb5/patches/patch-kadmin_server_schpw.c b/security/mit-krb5/patches/patch-kadmin_server_schpw.c
new file mode 100644
index 00000000000..969e31dbafb
--- /dev/null
+++ b/security/mit-krb5/patches/patch-kadmin_server_schpw.c
@@ -0,0 +1,53 @@
+$NetBSD: patch-kadmin_server_schpw.c,v 1.1.2.2 2013/05/16 22:04:58 spz Exp $
+
+The kpasswd service provided by kadmind was vulnerable to a UDP
+"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
+they pass some basic validation, and don't respond to our own error
+packets.
+
+Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
+attack or UDP ping-pong attacks in general, but there is discussion
+leading toward narrowing the definition of CVE-1999-0103 to the echo,
+chargen, or other similar built-in inetd services.
+
+from https://github.com/krb5/krb5/commit/cf1a0c411b2668c57c41e9c4efd15ba17b6b322c
+
+
+--- kadmin/server/schpw.c.orig 2013-05-13 22:31:47.496049500 +0000
++++ kadmin/server/schpw.c
+@@ -52,7 +52,7 @@ process_chpw_request(krb5_context contex
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated", sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ ptr = req->data;
+@@ -67,7 +67,7 @@ process_chpw_request(krb5_context contex
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request length was inconsistent",
+ sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* verify version number */
+@@ -80,7 +80,7 @@ process_chpw_request(krb5_context contex
+ numresult = KRB5_KPASSWD_BAD_VERSION;
+ snprintf(strresult, sizeof(strresult),
+ "Request contained unknown protocol version number %d", vno);
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* read, check ap-req length */
+@@ -93,7 +93,7 @@ process_chpw_request(krb5_context contex
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated in AP-REQ",
+ sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* verify ap_req */
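Review bot: The four validation-failure branches (the `@@ -52`, `@@ -67`, `@@ -80` and `@@ -93` hunks of schpw.c) now jump to `bailout` with no in-code comment saying why these paths deliberately send no reply, and the `numresult`/`strresult` values they still set look unused on that path unless `bailout` reads them. A comment at the first site such as `/* No reply to unvalidated packets: an error reply can sustain a UDP ping-pong loop (CVE-2002-2443). */` would keep a later cleanup from restoring `goto chpwfail`. Because the drop is silent, operators lose visibility of malformed kpasswd traffic; a rate-limited log entry before the jump would help detection, if the surrounding code has a logging helper available. The `bailout` and `chpwfail` labels and the rest of `process_chpw_request` lie outside these hunks, so the effect of the jump is inferred from the patch description rather than read from the code.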