-rw-r--r-- | security/mit-krb5/Makefile | 4 | ||||
-rw-r--r-- | security/mit-krb5/distinfo | 9 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-am | 39 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-an | 30 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-ao | 38 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-ap | 18 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-aq | 24 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-ar | 20 | ||||
-rw-r--r-- | security/mit-krb5/patches/patch-as | 20 |
9 files changed, 199 insertions, 3 deletions
diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile
index d6381897227..58df00cbf35 100644
--- a/security/mit-krb5/Makefile
+++ b/security/mit-krb5/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.37 2006/04/22 09:22:14 rillig Exp $
+# $NetBSD: Makefile,v 1.38 2006/08/09 17:31:10 salo Exp $
 
 DISTNAME= krb5-1.4.2
 PKGNAME= mit-${DISTNAME:S/-signed$//}
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= security
 MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/1.4/
 DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX}
diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo
index d112bf7fcc6..8bac9094368 100644
--- a/security/mit-krb5/distinfo
+++ b/security/mit-krb5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.14 2006/03/17 15:44:45 joerg Exp $
+$NetBSD: distinfo,v 1.15 2006/08/09 17:31:10 salo Exp $
 
 SHA1 (krb5-1.4.2-signed.tar) = bbc03bd319d539fb9523c2545d80ba0784522e88
 RMD160 (krb5-1.4.2-signed.tar) = 44500f5fab8e5959cf43f17f5f52f68e2dc73a1f
@@ -14,3 +14,10 @@ SHA1 (patch-ah) = 59a6bfc341a22234b38db406abe83b0d6d358a9f
 SHA1 (patch-aj) = 5c633571ea932ce349065cbb4c3bf482cc971675
 SHA1 (patch-ak) = 9d95372fd8edddbf0366e83a51d7a0b8a507f218
 SHA1 (patch-al) = fb611fe47bd7c773d7baf11424e90cd3af70c422
+SHA1 (patch-am) = 050690479d75c5df6e89424bac594ab48ae98a8c
+SHA1 (patch-an) = ccf76eecb4a0f3b4c7addd37ab8391dc831caa41
+SHA1 (patch-ao) = 22f907ce8c6d66582523b05326a9e8d56ae28401
+SHA1 (patch-ap) = c77a8f7bc35aa184e510bac576c12f55d5cfbf65
+SHA1 (patch-aq) = 52429b712ca7a478caeb76fd165585c7aab7fa02
+SHA1 (patch-ar) = 37807c14f03533aef8796ac90e5fac36ff98308a
+SHA1 (patch-as) = b155219fd512b59f698497af1bf6acf1ca4f4a34
diff --git a/security/mit-krb5/patches/patch-am b/security/mit-krb5/patches/patch-am
new file mode 100644
index 00000000000..da683b8dcd1
--- /dev/null
+++ b/security/mit-krb5/patches/patch-am
@@ -0,0 +1,39 @@
+$NetBSD: patch-am,v 1.1 2006/08/09 17:31:10 salo Exp $
+
+Security fix for SA21402.
+
+--- appl/gssftp/ftpd/ftpd.c.orig 2005-01-21 23:46:46.000000000 +0100
++++ appl/gssftp/ftpd/ftpd.c 2006-08-09 18:52:53.000000000 +0200
+@@ -1368,7 +1368,9 @@ getdatasock(fmode)
+ goto bad;
+ sleep(tries);
+ }
+- (void) krb5_seteuid((uid_t)pw->pw_uid);
++ if (krb5_seteuid((uid_t)pw->pw_uid)) {
++ fatal("seteuid user");
++ }
+ #ifdef IP_TOS
+ #ifdef IPTOS_THROUGHPUT
+ on = IPTOS_THROUGHPUT;
+@@ -1378,7 +1380,9 @@ getdatasock(fmode)
+ #endif
+ return (fdopen(s, fmode));
+ bad:
+- (void) krb5_seteuid((uid_t)pw->pw_uid);
++ if (krb5_seteuid((uid_t)pw->pw_uid)) {
++ fatal("seteuid user");
++ }
+ (void) close(s);
+ return (NULL);
+ }
+@@ -2187,7 +2191,9 @@ passive()
+ (void) krb5_seteuid((uid_t)pw->pw_uid);
+ goto pasv_error;
+ }
+- (void) krb5_seteuid((uid_t)pw->pw_uid);
++ if (krb5_seteuid((uid_t)pw->pw_uid)) {
++ fatal("seteuid user");
++ }
+ len = sizeof(pasv_addr);
+ if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0)
+ goto pasv_error;
diff --git a/security/mit-krb5/patches/patch-an b/security/mit-krb5/patches/patch-an
new file mode 100644
index 00000000000..822a5c6353b
--- /dev/null
+++ b/security/mit-krb5/patches/patch-an
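Review bot: In patch-am, the `passive()` hunk keeps `(void) krb5_seteuid((uid_t)pw->pw_uid); goto pasv_error;` as a context line, so a failed switch back to the user's euid is still ignored on that branch while the path three lines later is now fatal. If the call fails there, the daemon presumably continues at `pasv_error` with whatever euid it held for the preceding operation, which is outside the hunk. Give that branch the same check before the `goto`: `if (krb5_seteuid((uid_t)pw->pw_uid)) fatal("seteuid user");`. Both `getdatasock()` and `passive()` begin and end outside the hunks shown.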
@@ -0,0 +1,30 @@
+$NetBSD: patch-an,v 1.1 2006/08/09 17:31:10 salo Exp $
+
+Security fix for SA21402.
+
+--- appl/bsd/v4rcp.c.orig 2002-07-12 22:21:31.000000000 +0200
++++ appl/bsd/v4rcp.c 2006-08-09 18:52:53.000000000 +0200
+@@ -436,7 +436,10 @@ int main(argc, argv)
+ kstream_set_buffer_mode (krem, 0);
+ #endif /* KERBEROS && !NOENCRYPTION */
+ (void) response();
+- (void) setuid(userid);
++ if (setuid(userid)) {
++ error("rcp: can't setuid(user)\n");
++ exit(1);
++ }
+ source(--argc, ++argv);
+ exit(errs);
+
+@@ -452,7 +455,10 @@ int main(argc, argv)
+ krem = kstream_create_from_fd (rem, 0, 0);
+ kstream_set_buffer_mode (krem, 0);
+ #endif /* KERBEROS && !NOENCRYPTION */
+- (void) setuid(userid);
++ if (setuid(userid)) {
++ error("rcp: can't setuid(user)\n");
++ exit(1);
++ }
+ sink(--argc, ++argv);
+ exit(errs);
+
diff --git a/security/mit-krb5/patches/patch-ao b/security/mit-krb5/patches/patch-ao
new file mode 100644
index 00000000000..1623919578d
--- /dev/null
+++ b/security/mit-krb5/patches/patch-ao
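Review bot: In patch-an, neither added `setuid(userid)` check in v4rcp.c says why failure has to end the program, and the message drops the reason the call failed. A one-line comment above each check, such as `/* never run source()/sink() under the starting uid if the drop to the user fails */`, would keep a later cleanup from turning the check back into a `(void)` cast. The krcp.c change in this same commit reports the error with `perror()`, so including `strerror(errno)` in the `error()` text here would make the two programs agree. `main()` extends beyond both hunks.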
@@ -0,0 +1,38 @@
+$NetBSD: patch-ao,v 1.1 2006/08/09 17:31:10 salo Exp $
+
+Security fix for SA21402.
+
+--- appl/bsd/krcp.c.orig 2003-05-10 02:00:58.000000000 +0200
++++ appl/bsd/krcp.c 2006-08-09 18:52:53.000000000 +0200
+@@ -620,7 +620,9 @@ int main(argc, argv)
+
+ euid = geteuid();
+ if (euid == 0) {
+- (void) setuid(0);
++ if (setuid(0)) {
++ perror("rcp setuid 0"); errs++; exit(errs);
++ }
+ if(krb5_seteuid(userid)) {
+ perror("rcp seteuid user"); errs++; exit(errs);
+ }
+@@ -638,11 +640,17 @@ int main(argc, argv)
+ continue;
+ rcmd_stream_init_normal();
+ #ifdef HAVE_SETREUID
+- (void) setreuid(0, userid);
++ if (setreuid(0, userid)) {
++ perror("rcp setreuid 0,user"); errs++; exit(errs);
++ }
+ sink(1, argv+argc-1);
+- (void) setreuid(userid, 0);
++ if (setreuid(userid, 0)) {
++ perror("rcp setreuid user,0"); errs++; exit(errs);
++ }
+ #else
+- (void) setuid(0);
++ if (setuid(0)) {
++ perror("rcp setuid 0"); errs++; exit(errs);
++ }
+ if(seteuid(userid)) {
+ perror("rcp seteuid user"); errs++; exit(errs);
+ }
diff --git a/security/mit-krb5/patches/patch-ap b/security/mit-krb5/patches/patch-ap
new file mode 100644
index 00000000000..612b419b981
--- /dev/null
+++ b/security/mit-krb5/patches/patch-ap
@@ -0,0 +1,18 @@
+$NetBSD: patch-ap,v 1.1 2006/08/09 17:31:10 salo Exp $
+
+Security fix for SA21402.
+
+--- appl/bsd/login.c.orig 2005-04-07 23:17:25.000000000 +0200
++++ appl/bsd/login.c 2006-08-09 18:52:53.000000000 +0200
+@@ -1648,7 +1648,10 @@ int main(argc, argv)
+ }
+ #endif /* HAVE_SETLUID */
+ #ifdef _IBMR2
+- setuidx(ID_LOGIN, pwd->pw_uid);
++ if (setuidx(ID_LOGIN, pwd->pw_uid) < 0) {
++ perror("setuidx");
++ sleepexit(1);
++ };
+ #endif
+
+ /* This call MUST succeed */
diff --git a/security/mit-krb5/patches/patch-aq b/security/mit-krb5/patches/patch-aq
new file mode 100644
index 00000000000..c91badb3ddc
--- /dev/null
+++ b/security/mit-krb5/patches/patch-aq
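Review bot: In patch-ap, the block added to login.c under `#ifdef _IBMR2` closes with `};`, which leaves an empty statement after the `if`. It compiles as written, but it becomes a syntax error the moment an `else` is attached, and it is the only one of the new checks in this commit written that way; end the block with a plain `}`. Because the branch is only built on `_IBMR2` systems, a slip like this is unlikely to be caught by a routine build elsewhere. `main()` continues outside the hunk.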
@@ -0,0 +1,24 @@
+$NetBSD: patch-aq,v 1.1 2006/08/09 17:31:10 salo Exp $
+
+Security fix for SA21402.
+
+--- appl/bsd/krshd.c.orig 2005-04-07 23:17:25.000000000 +0200
++++ appl/bsd/krshd.c 2006-08-09 18:52:53.000000000 +0200
+@@ -1379,9 +1379,15 @@ void doit(f, fromp)
+ * If we're on a system which keeps track of login uids, then
+ * set the login uid.
+ */
+- setluid((uid_t) pwd->pw_uid);
++ if (setluid((uid_t) pwd->pw_uid) < 0) {
++ perror("setluid");
++ _exit(1);
++ }
+ #endif /* HAVE_SETLUID */
+- (void) setuid((uid_t)pwd->pw_uid);
++ if (setuid((uid_t)pwd->pw_uid) < 0) {
++ perror("setuid");
++ _exit(1);
++ }
+ /* if TZ is set in the parent, drag it in */
+ {
+ char **findtz = environ;
diff --git a/security/mit-krb5/patches/patch-ar b/security/mit-krb5/patches/patch-ar
new file mode 100644
index 00000000000..6443fdae025
--- /dev/null
+++ b/security/mit-krb5/patches/patch-ar
@@ -0,0 +1,20 @@
+$NetBSD: patch-ar,v 1.1 2006/08/09 17:31:10 salo Exp $
+
+Security fix for SA21402.
+
+--- clients/ksu/main.c.orig 2002-08-14 21:14:49.000000000 +0200
++++ clients/ksu/main.c 2006-08-09 18:52:53.000000000 +0200
+@@ -892,8 +892,11 @@ static void sweep_up(context, cc)
+ const char * cc_name;
+ struct stat st_temp;
+
+- krb5_seteuid(0);
+- krb5_seteuid(target_uid);
++ if (krb5_seteuid(0) < 0 || krb5_seteuid(target_uid) < 0) {
++ com_err(prog_name, errno,
++ "while returning to source uid for destroying ccache");
++ exit(1);
++ }
+
+ cc_name = krb5_cc_get_name(context, cc);
+ if ( ! stat(cc_name, &st_temp)){
diff --git a/security/mit-krb5/patches/patch-as b/security/mit-krb5/patches/patch-as
new file mode 100644
index 00000000000..dd64800c0d2
--- /dev/null
+++ b/security/mit-krb5/patches/patch-as
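Review bot: In patch-ar, the new error text in `sweep_up()` says "while returning to source uid", but the checked call switches to `target_uid`, so the message appears to name the wrong identity and will mislead anyone reading the log. Word it after what the code does, for example `"while switching to target uid for destroying ccache"`. The `exit(1)` also leaves before the cache named by `cc_name` is examined or destroyed. That is probably the right trade-off when the euid is unknown, but it deserves a comment such as `/* cannot safely remove the ccache under the wrong euid; leave it and bail out */`. The rest of `sweep_up()` is outside the hunk.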
@@ -0,0 +1,20 @@
+$NetBSD: patch-as,v 1.1 2006/08/09 17:31:10 salo Exp $
+
+Security fix for SA21402.
+
+--- lib/krb4/kuserok.c.orig 2003-03-05 04:38:51.000000000 +0100
++++ lib/krb4/kuserok.c 2006-08-09 18:52:53.000000000 +0200
+@@ -159,9 +159,11 @@ kuserok(kdata, luser)
+ */
+ if(getuid() == 0) {
+ uid_t old_euid = geteuid();
+- seteuid(pwd->pw_uid);
++ if (seteuid(pwd->pw_uid) < 0)
++ return NOTOK;
+ fp = fopen(pbuf, "r");
+- seteuid(old_euid);
++ if (seteuid(old_euid) < 0)
++ return NOTOK;
+ if ((fp) == NULL) {
+ return(NOTOK);
+ }
|
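Review bot: In patch-as, the second added check in `kuserok()`, `if (seteuid(old_euid) < 0) return NOTOK;`, runs after `fopen(pbuf, "r")` may already have succeeded, so that return leaks `fp` and hands control back to the caller with the euid still set to `pwd->pw_uid`. Close the stream on that branch: `if (seteuid(old_euid) < 0) { if (fp) fclose(fp); return NOTOK; }`. NOTOK is also what a denied user produces, so the caller cannot tell an authorization failure from a process left in the wrong identity; a log line on this branch, or a comment stating that the caller must not continue privileged work, would make that visible. The function begins and ends outside the hunk.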