summaryrefslogtreecommitdiff
path: root/security/mit-krb5
diff options
context:
space:
mode:
authortez <tez@pkgsrc.org>2014-11-25 23:40:49 +0000
committertez <tez@pkgsrc.org>2014-11-25 23:40:49 +0000
commit33902e3662d252d09e44e98c36a9098e5722e3c7 (patch)
tree55616934753c78cc6df6063fe9a281d81f5e5432 /security/mit-krb5
parent7c297b2dabc0cad04fcf529a8b3026fdf0e86d5b (diff)
downloadpkgsrc-33902e3662d252d09e44e98c36a9098e5722e3c7.tar.gz
Add patch for CVE-2014-5351 from:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018 https://github.com/krb5/krb5/commit/3bf9e33f9d66c0eef486cbd83f9e4f13a74d12c3.diff
Diffstat (limited to 'security/mit-krb5')
-rw-r--r--security/mit-krb5/Makefile4
-rw-r--r--security/mit-krb5/distinfo3
-rw-r--r--security/mit-krb5/patches/patch-CVE-2014-535151
3 files changed, 55 insertions, 3 deletions
diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile
index 15233677abb..61a45bb4e12 100644
--- a/security/mit-krb5/Makefile
+++ b/security/mit-krb5/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.76 2014/08/28 22:23:05 tez Exp $
+# $NetBSD: Makefile,v 1.77 2014/11/25 23:40:49 tez Exp $
DISTNAME= krb5-1.10.7
PKGNAME= mit-${DISTNAME}
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV:R}/
EXTRACT_SUFX= .tar
diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo
index ccc9b532649..abeb8602a2c 100644
--- a/security/mit-krb5/distinfo
+++ b/security/mit-krb5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.48 2014/08/28 22:23:05 tez Exp $
+$NetBSD: distinfo,v 1.49 2014/11/25 23:40:49 tez Exp $
SHA1 (2014-001-patch.txt) = 919402bf3b7c289e847e9adc03a7c30f26966769
RMD160 (2014-001-patch.txt) = a39c8e12e79ab273d562b04c1e7811c414dd70e8
@@ -9,6 +9,7 @@ Size (krb5-1.10.7-signed.tar) = 11632640 bytes
SHA1 (patch-CVE-2014-4341) = 97b316fb3c5dfc626827a13baa5dcf623d67da3c
SHA1 (patch-CVE-2014-4343) = e7d4604d81671f71c9cd9461b65a9e87b5982baa
SHA1 (patch-CVE-2014-4344) = b7ae530beaffcf1c095e6f94bdf608b7a140b064
+SHA1 (patch-CVE-2014-5351) = 2948e2a9f7adb97b8cb70bb8f0043c45e5822465
SHA1 (patch-aa) = 941848a1773dfbe51dff3134d4b8504a850a958d
SHA1 (patch-ad) = b56a7218007560470179dd811c84b8c690c966ac
SHA1 (patch-ae) = c7395b9de5baf6612b8787fad55dbc051a680bfd
diff --git a/security/mit-krb5/patches/patch-CVE-2014-5351 b/security/mit-krb5/patches/patch-CVE-2014-5351
new file mode 100644
index 00000000000..49534c6c8b5
--- /dev/null
+++ b/security/mit-krb5/patches/patch-CVE-2014-5351
@@ -0,0 +1,51 @@
+$NetBSD: patch-CVE-2014-5351,v 1.1 2014/11/25 23:40:49 tez Exp $
+
+Patch for CVE-2014-5351 from:
+http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018
+https://github.com/krb5/krb5/commit/3bf9e33f9d66c0eef486cbd83f9e4f13a74d12c3.diff
+
+
+--- lib/kadm5/srv/svr_principal.c.orig 2014-11-25 17:09:26.278975276 -0600
++++ lib/kadm5/srv/svr_principal.c 2014-11-25 17:11:45.406746599 -0600
+@@ -200,6 +200,20 @@
+ *passptr = NULL;
+ }
+
++/* Return the number of keys with the newest kvno. Assumes that all key data
++ * with the newest kvno are at the front of the key data array. */
++static int
++count_new_keys(int n_key_data, krb5_key_data *key_data)
++{
++ int n;
++
++ for (n = 1; n < n_key_data; n++) {
++ if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno)
++ return n;
++ }
++ return n_key_data;
++}
++
+ kadm5_ret_t
+ kadm5_create_principal(void *server_handle,
+ kadm5_principal_ent_t entry, long mask,
+@@ -1581,7 +1595,7 @@
+ osa_princ_ent_rec adb;
+ krb5_int32 now;
+ kadm5_policy_ent_rec pol;
+- int ret, last_pwd, have_pol = 0;
++ int ret, last_pwd, n_new_keys, have_pol = 0;
+ kadm5_server_handle_t handle = server_handle;
+ krb5_keyblock *act_mkey;
+
+@@ -1667,8 +1681,9 @@
+ kdb->fail_auth_count = 0;
+
+ if (keyblocks) {
+- ret = decrypt_key_data(handle->context,
+- kdb->n_key_data, kdb->key_data,
++ /* Return only the new keys added by krb5_dbe_crk. */
++ n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data);
++ ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data,
+ keyblocks, n_keys);
+ if (ret)
+ goto done;