Add patches for CVE-2009-0846 & CVE-2009-0847

approved by agc

5 files changed, 73 insertions, 3 deletions

diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile
index 6f5d1db5b57..491fe31be23 100644
--- a/security/mit-krb5/Makefile
+++ b/security/mit-krb5/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.44 2008/12/11 09:42:25 wiz Exp $
+# $NetBSD: Makefile,v 1.45 2009/04/21 18:58:17 tez Exp $
 
 DISTNAME=	krb5-1.4.2
 PKGNAME=	mit-${DISTNAME:S/-signed$//}
-PKGREVISION=	7
+PKGREVISION=	8
 CATEGORIES=	security
 MASTER_SITES=	http://web.mit.edu/kerberos/dist/krb5/1.4/
 DISTFILES=	${DISTNAME}-signed${EXTRACT_SUFX}
diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo
index dbd61f07be4..a2121326989 100644
--- a/security/mit-krb5/distinfo
+++ b/security/mit-krb5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.21 2008/12/11 09:42:25 wiz Exp $
+$NetBSD: distinfo,v 1.22 2009/04/21 18:58:17 tez Exp $
 
 SHA1 (krb5-1.4.2-signed.tar) = bbc03bd319d539fb9523c2545d80ba0784522e88
 RMD160 (krb5-1.4.2-signed.tar) = 44500f5fab8e5959cf43f17f5f52f68e2dc73a1f
@@ -42,3 +42,6 @@ SHA1 (patch-bj) = d0deae92b8b4d9ad671c98ccb3debd7a4216f646
 SHA1 (patch-bk) = 9bf37086a4e7661e8aacc2736d21f61db154263e
 SHA1 (patch-bl) = d1239c8c8279680a97f7c555907ac1b4ccfca6b4
 SHA1 (patch-bm) = d8e46f448fa4a51e3b8a42279cf1ab54b0598dd3
+SHA1 (patch-bn) = 82c6f98474f31e1e231d3e89d6a24e20ec7fd123
+SHA1 (patch-bo) = dcfeab32537f8b89e3ed6a52a69601e3e7822e35
+SHA1 (patch-bp) = 5308176a1229b5ac0d0f24eb2f657fdf48935f80
diff --git a/security/mit-krb5/patches/patch-bn b/security/mit-krb5/patches/patch-bn
new file mode 100644
index 00000000000..32528119801
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bn
@@ -0,0 +1,32 @@
+--- lib/krb5/asn.1/asn1buf.c.orig	2009-04-17 16:07:27.348357800 -0500
++++ lib/krb5/asn.1/asn1buf.c	2009-04-17 16:23:10.726869700 -0500
+@@ -78,11 +78,11 @@
+ 
+ asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
+ {
++  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+   subbuf->base = subbuf->next = buf->next;
+   if (!indef) {
++      if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
+       subbuf->bound = subbuf->base + length - 1;
+-      if (subbuf->bound > buf->bound)
+-	  return ASN1_OVERRUN;
+   } else /* constructed indefinite */
+       subbuf->bound = buf->bound;
+   return 0;
+@@ -200,6 +200,7 @@
+ {
+   int i;
+ 
++  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+   if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+   if (len == 0) {
+       *s = 0;
+@@ -218,6 +219,7 @@
+ {
+   int i;
+ 
++  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+   if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+   if (len == 0) {
+       *s = 0;
diff --git a/security/mit-krb5/patches/patch-bo b/security/mit-krb5/patches/patch-bo
new file mode 100644
index 00000000000..4e6939c92f3
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bo
@@ -0,0 +1,10 @@
+--- lib/krb5/asn.1/asn1_decode.c.orig	2009-04-17 16:24:41.318878800 -0500
++++ lib/krb5/asn.1/asn1_decode.c	2009-04-17 16:25:52.914274500 -0500
+@@ -231,6 +231,7 @@
+ 
+   if(length != 15) return ASN1_BAD_LENGTH;
+   retval = asn1buf_remove_charstring(buf,15,&s);
++  if (retval) return retval;
+   /* Time encoding: YYYYMMDDhhmmssZ */
+   if(s[14] != 'Z') {
+       free(s);
diff --git a/security/mit-krb5/patches/patch-bp b/security/mit-krb5/patches/patch-bp
new file mode 100644
index 00000000000..3bc1fb177f0
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bp
@@ -0,0 +1,25 @@
+--- tests/asn.1/krb5_decode_test.c.orig	2009-04-17 16:25:31.678326000 -0500
++++ tests/asn.1/krb5_decode_test.c	2009-04-17 16:26:03.499429900 -0500
+@@ -485,6 +485,22 @@
+     ktest_destroy_keyblock(&(ref.subkey));
+     ref.seq_number = 0;
+     decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
++
++    retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
++    if (retval) {
++	com_err("krb5_decode_test", retval, "while parsing");
++	exit(1);
++    }
++    retval = decode_krb5_ap_rep_enc_part(&code, &var);
++    if (retval != ASN1_OVERRUN) {
++	printf("ERROR: ");
++    } else {
++	printf("OK: ");
++    }
++    printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
++    krb5_free_data_contents(test_context, &code);
++    krb5_free_ap_rep_enc_part(test_context, var);
++
+     ktest_empty_ap_rep_enc_part(&ref);
+   }
+