Add patch for CVE-2013-1415 (SA52390)

3 files changed, 28 insertions, 3 deletions

diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile
index 2b6c8d64c73..c9c3e2f0830 100644
--- a/security/mit-krb5/Makefile
+++ b/security/mit-krb5/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.64 2013/02/06 23:23:39 jperkin Exp $
+# $NetBSD: Makefile,v 1.65 2013/02/28 14:19:36 tez Exp $
 
 DISTNAME=	krb5-1.10.3
 PKGNAME=	mit-${DISTNAME}
-PKGREVISION=	3
+PKGREVISION=	4
 CATEGORIES=	security
 MASTER_SITES=	http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV:R}/
 EXTRACT_SUFX=	.tar
diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo
index 28809bde284..61c22e3b053 100644
--- a/security/mit-krb5/distinfo
+++ b/security/mit-krb5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.38 2012/12/22 02:27:57 joerg Exp $
+$NetBSD: distinfo,v 1.39 2013/02/28 14:19:36 tez Exp $
 
 SHA1 (krb5-1.10.3-signed.tar) = 04ab9837e5d1958158bcb30bd6480201089a0cbb
 RMD160 (krb5-1.10.3-signed.tar) = a1c370c8d39106e8e27651f78520e1cc93154731
@@ -23,3 +23,4 @@ SHA1 (patch-lib_krb5_asn.1_asn1buf.h) = a1e46ca9256aea4facc1d41841b1707b044a69e7
 SHA1 (patch-lib_krb5_krb_deltat.c) = 149f4301d2a2ceff17a038c318c2f2f64a2621e4
 SHA1 (patch-lib_krb5_krb_x-deltat.y) = 7857c9f374d747f494ebb248f34a17599ccf791f
 SHA1 (patch-util_k5ev_verto-k5ev.c) = e8f78ec46543793b284c321a6b7362af9f527489
+SHA1 (patch-plugins_preauth_pkinit_pkinit_crypto_openssl.c) = 9aee85446b80dcc7b54cad27364bebff90c7751b
diff --git a/security/mit-krb5/patches/patch-plugins_preauth_pkinit_pkinit_crypto_openssl.c b/security/mit-krb5/patches/patch-plugins_preauth_pkinit_pkinit_crypto_openssl.c
new file mode 100644
index 00000000000..4d09543ce03
--- /dev/null
+++ b/security/mit-krb5/patches/patch-plugins_preauth_pkinit_pkinit_crypto_openssl.c
@@ -0,0 +1,24 @@
+$NetBSD: patch-plugins_preauth_pkinit_pkinit_crypto_openssl.c,v 1.1 2013/02/28 14:19:36 tez Exp $
+
+Patch for CVE-2013-1415 from
+http://krbdev.mit.edu/rt/Ticket/Display.html?id=7570
+
+--- plugins/preauth/pkinit/pkinit_crypto_openssl.c.orig	2013-02-27 22:15:40.286439500 +0000
++++ plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -3242,7 +3242,7 @@ pkinit_check_kdc_pkid(krb5_context conte
+     pkiDebug("found kdcPkId in AS REQ\n");
+     is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len);
+     if (is == NULL)
+-        goto cleanup;
++        return retval;
+ 
+     status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer);
+     if (!status) {
+@@ -3252,7 +3252,6 @@ pkinit_check_kdc_pkid(krb5_context conte
+     }
+ 
+     retval = 0;
+-cleanup:
+     X509_NAME_free(is->issuer);
+     ASN1_INTEGER_free(is->serial);
+     free(is);