9 files changed, 474 insertions, 85 deletions

diff --git a/app-crypt/heimdal/Manifest b/app-crypt/heimdal/Manifest
index 7402ad50fecf..1c1d72c4ec6f 100644
--- a/app-crypt/heimdal/Manifest
+++ b/app-crypt/heimdal/Manifest
@@ -1 +1 @@
-DIST heimdal-7.7.0.tar.gz 10189293 BLAKE2B db9cdd1861dc9214a7f76b3d8b9656cfc0bad11cb6eadffa4fa29ea7f9aabd4c3d1b628c510644ec9abe1b3bf27a413ccf8cd590d602c4a4ac54ba3deb4cedc4 SHA512 6660939b5a36ce36310721a08a089fb671d1e3d2e8ac74ea4775bfa5f8f772d32de805551456200fe96cc486c092c44beb84f5dd877008bc305490ee971bbf99
+DIST heimdal-7.8.0.tar.gz 10024936 BLAKE2B bab8ed12a5257395b34bb88e22147912857015c652f0899c54809582c49f9c33b9ac748b28dd38ac7072d245e86e44c5dafb8725103fcb4a6dae16c8d1d4b623 SHA512 0167345aca77d65b7a1113874eee5b65ec6e1fec1f196d57e571265409fa35ef95a673a4fd4aafbb0ab5fb5b246b97412353a68d6613a8aff6393a9f1e72999e
diff --git a/app-crypt/heimdal/files/heimdal-7.8.0-CVE-2022-45142.patch b/app-crypt/heimdal/files/heimdal-7.8.0-CVE-2022-45142.patch
new file mode 100644
index 000000000000..dad75df4b3b8
--- /dev/null
+++ b/app-crypt/heimdal/files/heimdal-7.8.0-CVE-2022-45142.patch
@@ -0,0 +1,36 @@
+https://bugs.gentoo.org/893722
+https://www.openwall.com/lists/oss-security/2023/02/08/1
+
+From: Helmut Grohne <helmut@...divi.de>
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne <helmut@...divi.de>
+--- a/lib/gssapi/krb5/arcfour.c
++++ b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ 	return GSS_S_FAILURE;
+     }
+
+-    cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++    cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+     if (cmp) {
+ 	*minor_status = 0;
+ 	return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ 	return GSS_S_FAILURE;
+     }
+
+-    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+     if (cmp) {
+ 	_gsskrb5_release_buffer(minor_status, output_message_buffer);
+ 	*minor_status = 0;
+--
+2.38.1
diff --git a/app-crypt/heimdal/files/heimdal-7.8.0-configure-clang16.patch b/app-crypt/heimdal/files/heimdal-7.8.0-configure-clang16.patch
new file mode 100644
index 000000000000..6e948bc51c3b
--- /dev/null
+++ b/app-crypt/heimdal/files/heimdal-7.8.0-configure-clang16.patch
@@ -0,0 +1,54 @@
+https://bugs.gentoo.org/899072
+https://github.com/heimdal/heimdal/issues/790
+https://github.com/heimdal/heimdal/pull/1085
+
+From 5b872a635c9c8f04f58e03c43e7953c35e1f66b7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 13 Apr 2023 13:13:59 +0200
+Subject: [PATCH 1/2] cf: Include <string.h> for memset in AC_HAVE_STRUCT_FIELD
+
+Otherwise, the check relies on an implicit function declaration,
+and will fail unconditionally with compilers that do not support
+them.
+--- a/cf/have-struct-field.m4
++++ b/cf/have-struct-field.m4
+@@ -7,7 +7,8 @@ dnl AC_HAVE_STRUCT_FIELD(struct, field, headers)
+ AC_DEFUN([AC_HAVE_STRUCT_FIELD], [
+ define(cache_val, translit(ac_cv_type_$1_$2, [A-Z ], [a-z_]))
+ AC_CACHE_CHECK([for $2 in $1], cache_val,[
+-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[$3]],
++AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <string.h>
++$3]],
+ 	[[$1 x; memset(&x, 0, sizeof(x)); x.$2]])],
+ 	[cache_val=yes],
+ 	[cache_val=no])
+
+From fc6d5b5c7677bb7271361c4bd60ea1bd36d944b9 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 13 Apr 2023 13:26:29 +0200
+Subject: [PATCH 2/2] cf: Do not use headers and argument lists in
+ AC_FIND_FUNC_NO_LIBS2
+
+The callers of this macro generally do not supply this information.
+Without it, the checks rely on compiler support for implicit function
+declarations.  It would be possible to supply this information in
+the callers.  But even then, with the existing macro interface, it
+would be necessary to pass eg. null pointers where they trigger
+undefined behavior.  Therefore, use the same kludge that autoconf
+uses to make up prototypes, avoiding those implicit function
+declarations.
+
+The includes/arguments macro parameters are now ignored, but preserved
+for interface compatibility.
+--- a/cf/find-func-no-libs2.m4
++++ b/cf/find-func-no-libs2.m4
+@@ -21,7 +21,7 @@ if eval "test \"\$ac_cv_func_$1\" != yes" ; then
+ 		*) ac_lib="-l$ac_lib" ;;
+ 		esac
+ 		LIBS="$6 $ac_lib $5 $ac_save_LIBS"
+-		AC_LINK_IFELSE([AC_LANG_PROGRAM([[$3]],[[$1($4)]])],[eval "if test -n \"$ac_lib\";then ac_cv_funclib_$1=$ac_lib; else ac_cv_funclib_$1=yes; fi";break])
++		AC_LINK_IFELSE([AC_LANG_PROGRAM([[char $1 (void);]],[[$1()]])],[eval "if test -n \"$ac_lib\";then ac_cv_funclib_$1=$ac_lib; else ac_cv_funclib_$1=yes; fi";break])
+ 	done
+ 	eval "ac_cv_funclib_$1=\${ac_cv_funclib_$1-no}"
+ 	LIBS="$ac_save_LIBS"
+
diff --git a/app-crypt/heimdal/files/heimdal_fix-autoconf-2.70.patch b/app-crypt/heimdal/files/heimdal_fix-autoconf-2.70.patch
deleted file mode 100644
index 0dcc31026203..000000000000
--- a/app-crypt/heimdal/files/heimdal_fix-autoconf-2.70.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 22352b90e78e2d162b98b5ef6c84672c397be40a Mon Sep 17 00:00:00 2001
-From: Lars Wendler <polynomial-c@gentoo.org>
-Date: Wed, 17 Mar 2021 17:49:18 +0100
-Subject: [PATCH] autoconf-2.70 fix
-
-autoconf-2.70 and newer are more strict with quoting etc. and thus generate
-a broken configure file:
-
-  configure: 20855: Syntax error: ")" unexpected (expecting "fi")
-
-Gentoo-bug: https://bugs.gentoo.org/776241
-Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
----
- cf/check-var.m4 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/cf/check-var.m4 b/cf/check-var.m4
-index 2fd7bca6f0..71d6f70ca8 100644
---- a/cf/check-var.m4
-+++ b/cf/check-var.m4
-@@ -20,7 +20,7 @@ AC_MSG_RESULT($ac_foo)
- if test "$ac_foo" = yes; then
- 	AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]$1), 1, 
- 		[Define if you have the `]$1[' variable.])
--	m4_ifval([$2], AC_CHECK_DECLS([$1],[],[],[$2]))
-+	m4_ifval([$2], [AC_CHECK_DECLS([$1],[],[],[$2])])
- fi
- ])
- 
diff --git a/app-crypt/heimdal/files/heimdal_hcrypto.patch b/app-crypt/heimdal/files/heimdal_hcrypto.patch
deleted file mode 100644
index ff3228d4973a..000000000000
--- a/app-crypt/heimdal/files/heimdal_hcrypto.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 329918bd671c89de6e1c2874baba48d658a89a10 Mon Sep 17 00:00:00 2001
-From: Damir Franusic <df@release14.org>
-Date: Sun, 9 Dec 2018 19:53:58 +0100
-Subject: [PATCH] hcrypto: fix include path
-
----
- lib/hcrypto/Makefile.am | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/lib/hcrypto/Makefile.am b/lib/hcrypto/Makefile.am
-index 469176b6c6..195117d174 100644
---- a/lib/hcrypto/Makefile.am
-+++ b/lib/hcrypto/Makefile.am
-@@ -9,7 +9,8 @@ AM_CPPFLAGS += $(INCLUDE_openssl_crypto)
- endif
- 
- AM_CPPFLAGS += -I$(top_srcdir)/lib/hx509 \
--	       -I$(srcdir)/libtommath -DUSE_HCRYPTO_LTM=1
-+	       -I$(srcdir)/libtommath -DUSE_HCRYPTO_LTM=1 \
-+	       -I$(srcdir)/..
- 
- lib_LTLIBRARIES = libhcrypto.la
- check_LTLIBRARIES = libhctest.la
-From 572a6fd7ac41e9210ef3eb765fe7da4ec8a94bb2 Mon Sep 17 00:00:00 2001
-From: Luke Howard <lukeh@padl.com>
-Date: Mon, 24 Dec 2018 02:21:32 +0000
-Subject: [PATCH] hx509: fix dependency, hxtool requires ASN.1 headers
-
----
- lib/hx509/Makefile.am | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/hx509/Makefile.am b/lib/hx509/Makefile.am
-index b58deb3e37..09643c43a0 100644
---- a/lib/hx509/Makefile.am
-+++ b/lib/hx509/Makefile.am
-@@ -164,7 +164,7 @@ hxtool-commands.c hxtool-commands.h: hxtool-commands.in $(SLC)
- dist_hxtool_SOURCES = hxtool.c
- nodist_hxtool_SOURCES = hxtool-commands.c hxtool-commands.h
- 
--$(hxtool_OBJECTS): hxtool-commands.h hx509_err.h
-+$(hxtool_OBJECTS): hxtool-commands.h $(nodist_include_HEADERS)
- 
- hxtool_LDADD = \
- 	libhx509.la \
diff --git a/app-crypt/heimdal/heimdal-7.7.0-r5.ebuild b/app-crypt/heimdal/heimdal-7.8.0-r1.ebuild
index 7faee15b679b..2db7d36fe6fe 100644
--- a/app-crypt/heimdal/heimdal-7.7.0-r5.ebuild
+++ b/app-crypt/heimdal/heimdal-7.8.0-r1.ebuild
@@ -1,16 +1,16 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
-PYTHON_COMPAT=( python3_{8..10} )
+PYTHON_COMPAT=( python3_{10..11} )
 VIRTUALX_REQUIRED="manual"
 
-inherit autotools db-use multilib multilib-minimal python-any-r1 virtualx flag-o-matic
+inherit autotools db-use multilib-minimal python-any-r1 virtualx flag-o-matic
 
 MY_P="${P}"
 DESCRIPTION="Kerberos 5 implementation from KTH"
-HOMEPAGE="http://www.h5l.org/"
+HOMEPAGE="https://www.heimdal.software/"
 SRC_URI="https://github.com/${PN}/${PN}/releases/download/${P}/${P}.tar.gz"
 
 LICENSE="BSD"
@@ -19,6 +19,9 @@ KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ~ppc ppc64 ~riscv ~s390 sparc
 IUSE="afs +berkdb caps gdbm hdb-ldap +lmdb otp selinux ssl static-libs test X"
 RESTRICT="!test? ( test )"
 
+# 717740
+REQUIRED_USE="otp? ( berkdb )"
+
 CDEPEND="
 	virtual/libcrypt:=[${MULTILIB_USEDEP}]
 	ssl? (
@@ -47,7 +50,7 @@ DEPEND="${CDEPEND}
 	dev-perl/JSON
 	virtual/pkgconfig
 	sys-apps/texinfo
-	>=sys-devel/autoconf-2.62
+	>=dev-build/autoconf-2.62
 	test? ( X? ( ${VIRTUALX_DEPEND} ) )"
 
 RDEPEND="${CDEPEND}
@@ -71,10 +74,9 @@ MULTILIB_CHOST_TOOLS=(
 PATCHES=(
 	"${FILESDIR}/heimdal_disable-check-iprop.patch"
 	"${FILESDIR}/heimdal_tinfo.patch"
-	"${FILESDIR}/heimdal_hcrypto.patch"
 	"${FILESDIR}/heimdal_build-headers-before-use.patch"
 	"${FILESDIR}/heimdal_fix-db60.patch"
-	"${FILESDIR}/heimdal_fix-autoconf-2.70.patch"
+	"${FILESDIR}/heimdal-7.8.0-CVE-2022-45142.patch"
 )
 
 src_prepare() {
@@ -123,7 +125,7 @@ multilib_src_configure() {
 		)
 	fi
 
-	ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+	CONFIG_SHELL="${BROOT}"/bin/bash ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
 }
 
 multilib_src_compile() {
diff --git a/app-crypt/heimdal/heimdal-7.8.0-r2.ebuild b/app-crypt/heimdal/heimdal-7.8.0-r2.ebuild
new file mode 100644
index 000000000000..8645dd099c0d
--- /dev/null
+++ b/app-crypt/heimdal/heimdal-7.8.0-r2.ebuild
@@ -0,0 +1,191 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..11} )
+VIRTUALX_REQUIRED="manual"
+
+inherit autotools db-use multilib-minimal python-any-r1 virtualx flag-o-matic
+
+MY_P="${P}"
+DESCRIPTION="Kerberos 5 implementation from KTH"
+HOMEPAGE="https://www.heimdal.software/"
+SRC_URI="https://github.com/${PN}/${PN}/releases/download/${P}/${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="afs +berkdb caps gdbm hdb-ldap +lmdb otp selinux ssl static-libs test X"
+RESTRICT="!test? ( test )"
+
+# 717740
+REQUIRED_USE="otp? ( berkdb )"
+
+CDEPEND="
+	virtual/libcrypt:=[${MULTILIB_USEDEP}]
+	ssl? (
+		>=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}]
+	)
+	berkdb? ( >=sys-libs/db-4.8.30-r1:*[${MULTILIB_USEDEP}] )
+	gdbm? ( >=sys-libs/gdbm-1.10-r1:=[${MULTILIB_USEDEP}] )
+	lmdb? ( dev-db/lmdb:= )
+	caps? ( sys-libs/libcap-ng )
+	>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
+	>=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}]
+	sys-libs/ncurses:0=
+	>=sys-libs/readline-6.2_p5-r1:0=[${MULTILIB_USEDEP}]
+	afs? ( net-fs/openafs )
+	hdb-ldap? ( >=net-nds/openldap-2.3.0:= )
+	X? (
+		x11-libs/libX11
+		x11-libs/libXau
+		x11-libs/libXt
+	)
+	!!app-crypt/mit-krb5
+	!!app-crypt/mit-krb5-appl"
+
+DEPEND="${CDEPEND}
+	${PYTHON_DEPS}
+	dev-perl/JSON
+	virtual/pkgconfig
+	sys-apps/texinfo
+	>=dev-build/autoconf-2.62
+	test? ( X? ( ${VIRTUALX_DEPEND} ) )"
+
+RDEPEND="${CDEPEND}
+	selinux? ( sec-policy/selinux-kerberos )"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/krb5-types.h
+	/usr/include/cms_asn1.h
+	/usr/include/digest_asn1.h
+	/usr/include/hdb_asn1.h
+	/usr/include/krb5_asn1.h
+	/usr/include/pkcs12_asn1.h
+	/usr/include/pkinit_asn1.h
+	/usr/include/rfc2459_asn1.h
+)
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+PATCHES=(
+	"${FILESDIR}/heimdal_disable-check-iprop.patch"
+	"${FILESDIR}/heimdal_tinfo.patch"
+	"${FILESDIR}/heimdal_build-headers-before-use.patch"
+	"${FILESDIR}/heimdal_fix-db60.patch"
+	"${FILESDIR}/heimdal-7.8.0-CVE-2022-45142.patch"
+	"${FILESDIR}/heimdal-7.8.0-configure-clang16.patch"
+)
+
+src_prepare() {
+	default
+	eautoreconf
+}
+
+src_configure() {
+	# QA
+	append-flags -fno-strict-aliasing
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	local myeconfargs=(
+		--enable-kcm
+		--disable-osfc2
+		--enable-shared
+		--with-libintl="${EPREFIX}"/usr
+		--with-readline="${EPREFIX}"/usr
+		--with-sqlite3="${EPREFIX}"/usr
+		--libexecdir="${EPREFIX}"/usr/sbin
+		--enable-pthread-support
+		--enable-kx509
+		--enable-pk-init
+		--with-ipv6
+		$(use_enable afs afs-support)
+		$(use_enable gdbm ndbm-db)
+		$(use_enable lmdb mdb-db)
+		$(use_enable otp)
+		$(use_enable static-libs static)
+		$(multilib_native_use_with caps capng)
+		$(multilib_native_use_with hdb-ldap openldap "${EPREFIX}"/usr)
+		$(use_with ssl openssl "${EPREFIX}"/usr)
+		$(multilib_native_use_with X x)
+	)
+	if use berkdb; then
+		myeconfargs+=(
+			--with-berkeley-db
+			--with-berkeley-db-include="$(db_includedir)"
+		)
+	else
+		myeconfargs+=(
+			--without-berkeley-db
+		)
+	fi
+
+	CONFIG_SHELL="${BROOT}"/bin/bash ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	if multilib_is_native_abi; then
+		emake
+	else
+		emake -C include
+		emake -C lib
+		emake -C kdc
+		emake -C tools
+		emake -C tests/plugin
+	fi
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	if multilib_is_native_abi; then
+		INSTALL_CATPAGES="no" emake DESTDIR="${D}" install
+	else
+		emake -C include DESTDIR="${D}" install
+		emake -C lib DESTDIR="${D}" install
+		emake -C kdc DESTDIR="${D}" install
+		emake -C tools DESTDIR="${D}" install
+		emake -C tests/plugin DESTDIR="${D}" install
+	fi
+}
+
+multilib_src_install_all() {
+	dodoc ChangeLog* README NEWS TODO
+
+	# client rename
+	mv "${ED}"/usr/share/man/man1/{,k}su.1
+	mv "${ED}"/usr/bin/{,k}su
+
+	newinitd "${FILESDIR}"/heimdal-kdc.initd-r2 heimdal-kdc
+	newinitd "${FILESDIR}"/heimdal-kadmind.initd-r2 heimdal-kadmind
+	newinitd "${FILESDIR}"/heimdal-kpasswdd.initd-r2 heimdal-kpasswdd
+	newinitd "${FILESDIR}"/heimdal-kcm.initd-r1 heimdal-kcm
+
+	newconfd "${FILESDIR}"/heimdal-kdc.confd heimdal-kdc
+	newconfd "${FILESDIR}"/heimdal-kadmind.confd heimdal-kadmind
+	newconfd "${FILESDIR}"/heimdal-kpasswdd.confd heimdal-kpasswdd
+	newconfd "${FILESDIR}"/heimdal-kcm.confd heimdal-kcm
+
+	insinto /etc
+	newins "${S}"/krb5.conf krb5.conf.example
+
+	if use hdb-ldap; then
+		insinto /etc/openldap/schema
+		doins "${S}/lib/hdb/hdb.schema"
+	fi
+
+	if ! use static-libs ; then
+		find "${ED}" -name "*.la" -delete || die
+	fi
+
+	# default database dir
+	keepdir /var/heimdal
+}
diff --git a/app-crypt/heimdal/heimdal-7.8.0-r3.ebuild b/app-crypt/heimdal/heimdal-7.8.0-r3.ebuild
new file mode 100644
index 000000000000..597d9cf695c5
--- /dev/null
+++ b/app-crypt/heimdal/heimdal-7.8.0-r3.ebuild
@@ -0,0 +1,180 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{11..12} )
+
+inherit autotools db-use multilib-minimal python-any-r1 flag-o-matic
+
+MY_P="${P}"
+DESCRIPTION="Kerberos 5 implementation from KTH"
+HOMEPAGE="https://www.heimdal.software/"
+SRC_URI="https://github.com/${PN}/${PN}/releases/download/${P}/${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="afs +berkdb caps gdbm hdb-ldap +lmdb otp selinux static-libs test X"
+RESTRICT="!test? ( test )"
+
+# 717740
+REQUIRED_USE="otp? ( berkdb )"
+
+CDEPEND="
+	virtual/libcrypt:=[${MULTILIB_USEDEP}]
+	berkdb? ( >=sys-libs/db-4.8.30-r1:*[${MULTILIB_USEDEP}] )
+	gdbm? ( >=sys-libs/gdbm-1.10-r1:=[${MULTILIB_USEDEP}] )
+	lmdb? ( dev-db/lmdb:= )
+	caps? ( sys-libs/libcap-ng )
+	>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
+	>=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}]
+	sys-libs/ncurses:0=
+	>=sys-libs/readline-6.2_p5-r1:0=[${MULTILIB_USEDEP}]
+	afs? ( net-fs/openafs )
+	hdb-ldap? ( >=net-nds/openldap-2.3.0:= )
+	!!app-crypt/mit-krb5
+	!!app-crypt/mit-krb5-appl"
+
+DEPEND="${CDEPEND}
+	${PYTHON_DEPS}
+	dev-perl/JSON
+	virtual/pkgconfig
+	sys-apps/texinfo
+	>=dev-build/autoconf-2.62"
+
+RDEPEND="${CDEPEND}
+	selinux? ( sec-policy/selinux-kerberos )"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/krb5-types.h
+	/usr/include/cms_asn1.h
+	/usr/include/digest_asn1.h
+	/usr/include/hdb_asn1.h
+	/usr/include/krb5_asn1.h
+	/usr/include/pkcs12_asn1.h
+	/usr/include/pkinit_asn1.h
+	/usr/include/rfc2459_asn1.h
+)
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+PATCHES=(
+	"${FILESDIR}/heimdal_disable-check-iprop.patch"
+	"${FILESDIR}/heimdal_tinfo.patch"
+	"${FILESDIR}/heimdal_build-headers-before-use.patch"
+	"${FILESDIR}/heimdal_fix-db60.patch"
+	"${FILESDIR}/heimdal-7.8.0-CVE-2022-45142.patch"
+	"${FILESDIR}/heimdal-7.8.0-configure-clang16.patch"
+)
+
+src_prepare() {
+	default
+	eautoreconf
+}
+
+src_configure() {
+	# QA
+	append-flags -fno-strict-aliasing
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	local myeconfargs=(
+		--enable-kcm
+		--disable-osfc2
+		--enable-shared
+		--with-libintl="${EPREFIX}"/usr
+		--with-readline="${EPREFIX}"/usr
+		--with-sqlite3="${EPREFIX}"/usr
+		--libexecdir="${EPREFIX}"/usr/sbin
+		--enable-pthread-support
+		--enable-kx509
+		--enable-pk-init
+		--with-ipv6
+		--without-openssl
+		$(use_enable afs afs-support)
+		$(use_enable gdbm ndbm-db)
+		$(use_enable lmdb mdb-db)
+		$(use_enable otp)
+		$(use_enable static-libs static)
+		$(multilib_native_use_with caps capng)
+		$(multilib_native_use_with hdb-ldap openldap "${EPREFIX}"/usr)
+	)
+	if use berkdb; then
+		myeconfargs+=(
+			--with-berkeley-db
+			--with-berkeley-db-include="$(db_includedir)"
+		)
+	else
+		myeconfargs+=(
+			--without-berkeley-db
+		)
+	fi
+
+	CONFIG_SHELL="${BROOT}"/bin/bash ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	if multilib_is_native_abi; then
+		emake
+	else
+		emake -C include
+		emake -C lib
+		emake -C kdc
+		emake -C tools
+		emake -C tests/plugin
+	fi
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	if multilib_is_native_abi; then
+		INSTALL_CATPAGES="no" emake DESTDIR="${D}" install
+	else
+		emake -C include DESTDIR="${D}" install
+		emake -C lib DESTDIR="${D}" install
+		emake -C kdc DESTDIR="${D}" install
+		emake -C tools DESTDIR="${D}" install
+		emake -C tests/plugin DESTDIR="${D}" install
+	fi
+}
+
+multilib_src_install_all() {
+	dodoc ChangeLog* README NEWS TODO
+
+	# client rename
+	mv "${ED}"/usr/share/man/man1/{,k}su.1
+	mv "${ED}"/usr/bin/{,k}su
+
+	newinitd "${FILESDIR}"/heimdal-kdc.initd-r2 heimdal-kdc
+	newinitd "${FILESDIR}"/heimdal-kadmind.initd-r2 heimdal-kadmind
+	newinitd "${FILESDIR}"/heimdal-kpasswdd.initd-r2 heimdal-kpasswdd
+	newinitd "${FILESDIR}"/heimdal-kcm.initd-r1 heimdal-kcm
+
+	newconfd "${FILESDIR}"/heimdal-kdc.confd heimdal-kdc
+	newconfd "${FILESDIR}"/heimdal-kadmind.confd heimdal-kadmind
+	newconfd "${FILESDIR}"/heimdal-kpasswdd.confd heimdal-kpasswdd
+	newconfd "${FILESDIR}"/heimdal-kcm.confd heimdal-kcm
+
+	insinto /etc
+	newins "${S}"/krb5.conf krb5.conf.example
+
+	if use hdb-ldap; then
+		insinto /etc/openldap/schema
+		doins "${S}/lib/hdb/hdb.schema"
+	fi
+
+	if ! use static-libs ; then
+		find "${ED}" -name "*.la" -delete || die
+	fi
+
+	# default database dir
+	keepdir /var/heimdal
+}
diff --git a/app-crypt/heimdal/metadata.xml b/app-crypt/heimdal/metadata.xml
index 96f5c49962ab..9ac91f9e56c9 100644
--- a/app-crypt/heimdal/metadata.xml
+++ b/app-crypt/heimdal/metadata.xml
@@ -13,7 +13,7 @@
 		Adds support for LDAP as a database backend
 	</flag>
 		<flag name="lmdb">
-		Add support for using dev-db/lmdb for lookup tables
+		Add support for using <pkg>dev-db/lmdb</pkg> for lookup tables
 	</flag>
 	</use>
 	<upstream>