diff options
| author | tls <tls@pkgsrc.org> | 2007-06-25 09:53:42 +0000 |
|---|---|---|
| committer | tls <tls@pkgsrc.org> | 2007-06-25 09:53:42 +0000 |
| commit | 36ca7970b379c79e1c875ce26cd841f072c69ede (patch) | |
| tree | 9586dfb9edc59513767d46cac743535de773a8f8 /security/sudo/distinfo | |
| parent | 035ecc47a4b24727b8b567f475fd9dbc08f3baf9 (diff) | |
| download | pkgsrc-36ca7970b379c79e1c875ce26cd841f072c69ede.tar.gz | |
Fix privilege-escalation vulnerability with PKG_OPTIONS.sudo=kerberos:
cleanse environment of variables that alter behavior of Kerberos library
so the user can't override the default keytab location, and do *not*
ignore missing keytab errors. Prevents root compromise via spoofed KDC
on systems with Kerberos libraries but no host key in keytab, no keytab,
or keytab overidden via environment.
Don't insist that the keytab key be DES -- some Kerberos sites are 3DES/AES
only.
Somewhat less invasive than the fix Todd incorporated into the 1.6.9 branch
of sudo (presently beta) but equivalent (though not as clean).
Diffstat (limited to 'security/sudo/distinfo')
| -rw-r--r-- | security/sudo/distinfo | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/security/sudo/distinfo b/security/sudo/distinfo index 38e745ba073..67a3bd6dcff 100644 --- a/security/sudo/distinfo +++ b/security/sudo/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.34 2006/01/15 11:32:06 adrianp Exp $ +$NetBSD: distinfo,v 1.35 2007/06/25 09:53:42 tls Exp $ SHA1 (sudo-1.6.8p12.tar.gz) = a79631e9e1c0d0d3f2aa88ae685628e5fde61982 RMD160 (sudo-1.6.8p12.tar.gz) = d7ff9f18ca0973615258c2e975300b94567451d5 @@ -6,4 +6,5 @@ Size (sudo-1.6.8p12.tar.gz) = 585643 bytes SHA1 (patch-aa) = a4f29f2c228eb3b4af0872cf04a00ffdf41c603c SHA1 (patch-af) = 245761812dc600b3d2752fa135ba367bb0223370 SHA1 (patch-ag) = 87c3263674ec98ccc9cc33f2108a2456eddaecc5 -SHA1 (patch-ah) = 3ca7f39f5a882c5a340a053ddd925ebdaef48df5 +SHA1 (patch-ah) = 142a8884aebdc1cffc256c3ca0ee9addc34f8054 +SHA1 (patch-ai) = 2523a87dc8af7d09573569c7b3e7068d8d927097 |