authortez <tez>2013-05-13 22:42:33 +0000
committertez <tez>2013-05-13 22:42:33 +0000
commitda38136e5c85d63d2ab93a0475b0ec8db85b77e1 (patch)
treeeb48696f1c1c57d2b0291db73591bc90b5b7361f /security/mit-krb5
parenta57974fddb74adca1576cd3c537f694fccbbb0c4 (diff)
downloadpkgsrc-da38136e5c85d63d2ab93a0475b0ec8db85b77e1.tar.gz
The kpasswd service provided by kadmind was vulnerable to a UDP
"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless they pass some basic validation, and don't respond to our own error packets. Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong attack or UDP ping-pong attacks in general, but there is discussion leading toward narrowing the definition of CVE-1999-0103 to the echo, chargen, or other similar built-in inetd services. https://github.com/krb5/krb5/commit/cf1a0c411b2668c57c41e9c4efd15ba17b6b322c cvs
Diffstat (limited to 'security/mit-krb5')
-rw-r--r--security/mit-krb5/Makefile3
-rw-r--r--security/mit-krb5/distinfo3
-rw-r--r--security/mit-krb5/patches/patch-kadmin_server_schpw.c53
3 files changed, 57 insertions, 2 deletions
diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile
index 90051336734..9259cd9ee2f 100644
--- a/security/mit-krb5/Makefile
+++ b/security/mit-krb5/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.69 2013/05/09 08:40:05 adam Exp $
+# $NetBSD: Makefile,v 1.70 2013/05/13 22:42:33 tez Exp $
DISTNAME= krb5-1.10.5
+PKGREVISION= 1
PKGNAME= mit-${DISTNAME}
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV:R}/
diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo
index 6f0e67c2cd9..6a2fbe7bfcb 100644
--- a/security/mit-krb5/distinfo
+++ b/security/mit-krb5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.42 2013/05/09 08:40:05 adam Exp $
+$NetBSD: distinfo,v 1.43 2013/05/13 22:42:33 tez Exp $
SHA1 (krb5-1.10.5-signed.tar) = 5c94637ee2355dc0e032abadec4ad207d0f04022
RMD160 (krb5-1.10.5-signed.tar) = 4800d2da6cf68dacf3e116a29f443010220f3237
@@ -19,5 +19,6 @@ SHA1 (patch-ci) = 4e310f0a4dfe27cf94d0e63d623590691b6c5970
SHA1 (patch-cj) = 78342f649f8e9d3a3b5a4f83e65b6c46f589586b
SHA1 (patch-ck) = 37bfef80329f8ae0fb35c35e70032a0040ba5591
SHA1 (patch-kadmin_dbutil_dump.c) = 4b49c116dbed9e6be4a0bf0a731c3ae82808d82e
+SHA1 (patch-kadmin_server_schpw.c) = 87d849b6dcc0ad22f377e18f57d0731e642943bc
SHA1 (patch-lib_krb5_asn.1_asn1buf.h) = a1e46ca9256aea4facc1d41841b1707b044a69e7
SHA1 (patch-util_k5ev_verto-k5ev.c) = 79a2be64fa4f9b0dc3a333271e8a3ff7944e5c18
diff --git a/security/mit-krb5/patches/patch-kadmin_server_schpw.c b/security/mit-krb5/patches/patch-kadmin_server_schpw.c
new file mode 100644
index 00000000000..de8180355bb
--- /dev/null
+++ b/security/mit-krb5/patches/patch-kadmin_server_schpw.c
@@ -0,0 +1,53 @@
+$NetBSD: patch-kadmin_server_schpw.c,v 1.1 2013/05/13 22:42:34 tez Exp $
+
+The kpasswd service provided by kadmind was vulnerable to a UDP
+"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
+they pass some basic validation, and don't respond to our own error
+packets.
+
+Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
+attack or UDP ping-pong attacks in general, but there is discussion
+leading toward narrowing the definition of CVE-1999-0103 to the echo,
+chargen, or other similar built-in inetd services.
+
+from https://github.com/krb5/krb5/commit/cf1a0c411b2668c57c41e9c4efd15ba17b6b322c
+
+
+--- kadmin/server/schpw.c.orig 2013-05-13 22:31:47.496049500 +0000
++++ kadmin/server/schpw.c
+@@ -52,7 +52,7 @@ process_chpw_request(krb5_context contex
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated", sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ ptr = req->data;
+@@ -67,7 +67,7 @@ process_chpw_request(krb5_context contex
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request length was inconsistent",
+ sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* verify version number */
+@@ -80,7 +80,7 @@ process_chpw_request(krb5_context contex
+ numresult = KRB5_KPASSWD_BAD_VERSION;
+ snprintf(strresult, sizeof(strresult),
+ "Request contained unknown protocol version number %d", vno);
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* read, check ap-req length */
+@@ -93,7 +93,7 @@ process_chpw_request(krb5_context contex
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated in AP-REQ",
+ sizeof(strresult));
+- goto chpwfail;
++ goto bailout;
+ }
+
+ /* verify ap_req */
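Review bot: At each of the four sites that now end in `goto bailout;` (truncated request, inconsistent length, unknown version, truncated AP-REQ), the `numresult` and `strresult` assignments just above are kept, and if `bailout` returns without building a reply, as the patch description implies, they no longer reach any client. The label and the rest of process_chpw_request lie outside these hunks, so that reading is inferred. A comment at the first site would keep a later cleanup from restoring `goto chpwfail;`, for example `/* No reply: answering unvalidated UDP input enables the ping-pong loop (CVE-2002-2443). */`. Because these requests are now dropped without a response, it is also worth confirming that the caller still logs or counts the non-zero `ret` (set in the first hunk), so a burst of malformed packets stays visible to operators.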