Diffstat (limited to 'app-crypt/mit-krb5')
-rw-r--r-- | app-crypt/mit-krb5/Manifest | 2 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch | 43 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS-r1.patch | 12 | ||||
-rw-r--r-- | app-crypt/mit-krb5/metadata.xml | 5 | ||||
-rw-r--r-- | app-crypt/mit-krb5/mit-krb5-1.21.2.ebuild (renamed from app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild) | 41 |
5 files changed, 18 insertions, 85 deletions
diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index a5005ab76f7e..1ce7821058e3 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1 +1 @@
-DIST krb5-1.19.2.tar.gz 8741053 BLAKE2B 963722721201e75381c91a2af6e982f569a5b1602beb2d1ded83d35f6f914235a6ed91e5d54f56c97e94921a32ed27c49aded258327966ee13d39485208c38d8 SHA512 b90d6ed0e1e8a87eb5cb2c36d88b823a6a6caabf85e5d419adb8a930f7eea09a5f8491464e7e454cca7ba88be09d19415962fe0036ad2e31fc584f9fc0bbd470
+DIST krb5-1.21.2.tar.gz 8622513 BLAKE2B 2afb3ff962a343bc07182fdab0c0ffb221632ff38baab74278cfc721ae72deacc260221470de36e420584f00b780e13221d2e511d4831bca8e1270b7f3d9e824 SHA512 4e09296b412383d53872661718dbfaa90201e0d85f69db48e57a8d4bd73c95a90c7ec7b6f0f325f6bc967f8d203b256b071c0191facf080aca0e2caec5d0ac49
diff --git a/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch b/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch
deleted file mode 100644
index 2f4c949e9f31..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Tue, 3 Aug 2021 01:15:27 -0400
-Subject: [PATCH] Fix KDC null deref on TGS inner body null server
-
-After the KDC decodes a FAST inner body, it does not check for a null
-server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
-would typically result in an error from krb5_unparse_name(), but with
-the addition of get_local_tgt() it results in a null dereference. Add
-a null check.
-
-Reported by Joseph Sutton of Catalyst.
-
-CVE-2021-37750:
-
-In MIT krb5 releases 1.14 and later, an authenticated attacker can
-cause a null dereference in the KDC by sending a FAST TGS request with
-no server field.
-
-ticket: 9008 (new)
-tags: pullup
-target_version: 1.19-next
-target_version: 1.18-next
----
- src/kdc/do_tgs_req.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index 582e497cc9..32dc65fa8e 100644
---- a/kdc/do_tgs_req.c
-+++ b/kdc/do_tgs_req.c
-@@ -204,6 +204,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
- status = "FIND_FAST";
- goto cleanup;
- }
-+ if (sprinc == NULL) {
-+ status = "NULL_SERVER";
-+ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
-+ goto cleanup;
-+ }
-
- errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
- &local_tgt, &local_tgt_storage, &local_tgt_key);
diff --git a/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS-r1.patch b/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS-r1.patch
deleted file mode 100644
index 39bac974afca..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS-r1.patch
+++ /dev/null
@@ -1,12 +0,0 @@ -Bug #448778 ---- a/build-tools/krb5-config.in 2012-12-18 02:47:04.000000000 +0000 -+++ b/build-tools/krb5-config.in 2012-12-28 07:13:16.582693363 +0000 -@@ -217,7 +217,7 @@ - -e 's#\$(PROG_RPATH)#'$libdir'#' \ - -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \ - -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \ -- -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \ -+ -e 's#\$(LDFLAGS)##' \ - -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ - -e 's#\$(CFLAGS)##'` - diff --git a/app-crypt/mit-krb5/metadata.xml b/app-crypt/mit-krb5/metadata.xml index af3905a6da5d..8abc95804e47 100644 --- a/app-crypt/mit-krb5/metadata.xml +++ b/app-crypt/mit-krb5/metadata.xml @@ -12,11 +12,12 @@ which depends on kerberos </flag> <flag name="keyutils">Enable for the keyring ccache using keyutils</flag> - <flag name="lmdb">Add support for using dev-db/lmdb for lookup tables</flag> + <flag name="lmdb">Add support for using <pkg>dev-db/lmdb</pkg> for lookup tables</flag> <flag name="pkinit">Enable pkinit support for the initial ticket</flag> <flag name="openldap">Enable support for ldap as a database backend</flag> </use> <upstream> - <remote-id type="cpe">cpe:/a:mit:kerberos</remote-id> + <remote-id type="cpe">cpe:/a:mit:kerberos_5</remote-id> + <remote-id type="github">krb5/krb5</remote-id> </upstream> </pkgmetadata> diff --git a/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.21.2.ebuild index 5598ad9bed53..8f94ab10df74 100644 --- a/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild +++ b/app-crypt/mit-krb5/mit-krb5-1.21.2.ebuild 
@@ -1,67 +1,56 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 -PYTHON_COMPAT=( python3_{8..10} ) -inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd toolchain-funcs +PYTHON_COMPAT=( python3_{10..12} ) +inherit autotools flag-o-matic python-any-r1 systemd toolchain-funcs multilib-minimal MY_P="${P/mit-}" P_DIR=$(ver_cut 1-2) DESCRIPTION="MIT Kerberos V" HOMEPAGE="https://web.mit.edu/kerberos/www/" SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz" +S=${WORKDIR}/${MY_P}/src LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv ~s390 sparc x86" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~mips ~ppc ppc64 ~riscv ~s390 sparc x86" IUSE="cpu_flags_x86_aes doc +keyutils lmdb nls openldap +pkinit selinux +threads test xinetd" -# some tests requires network access -RESTRICT="test" +RESTRICT="!test? ( test )" DEPEND=" !!app-crypt/heimdal - || ( - >=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}] - sys-libs/e2fsprogs-libs[${MULTILIB_USEDEP}] - ) + >=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}] || ( >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}] >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}] ) keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] ) - lmdb? ( dev-db/lmdb ) + lmdb? ( dev-db/lmdb:= ) nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] ) - openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] ) + openldap? ( >=net-nds/openldap-2.4.38-r1:=[${MULTILIB_USEDEP}] ) pkinit? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] ) xinetd? ( sys-apps/xinetd ) " BDEPEND=" ${PYTHON_DEPS} - virtual/yacc + app-alternatives/yacc cpu_flags_x86_aes? ( amd64? ( dev-lang/yasm ) x86? ( dev-lang/yasm ) ) doc? ( virtual/latex-base ) - test? 
( - ${PYTHON_DEPS} - dev-lang/tcl:0 - dev-util/dejagnu - dev-util/cmocka - )" + test? ( dev-util/cmocka ) + " RDEPEND="${DEPEND} selinux? ( sec-policy/selinux-kerberos )" -S=${WORKDIR}/${MY_P}/src - PATCHES=( "${FILESDIR}/${PN}-1.12_warn_cflags.patch" - "${FILESDIR}/${PN}-config_LDFLAGS-r1.patch" "${FILESDIR}/${PN}_dont_create_rundir.patch" "${FILESDIR}/${PN}-1.18.2-krb5-config.patch" - "${FILESDIR}/${PN}-CVE-2021-37750.patch" ) MULTILIB_CHOST_TOOLS=( @@ -78,9 +67,8 @@ src_prepare() { } src_configure() { - # QA - append-flags -fno-strict-aliasing - append-flags -fno-strict-overflow + # lto-type-mismatch (bug #854225) + filter-lto multilib-minimal_src_configure } @@ -91,7 +79,6 @@ multilib_src_configure() { WARN_CFLAGS="set" \ econf \ $(use_with openldap ldap) \ - "$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \ $(use_enable nls) \ $(use_enable pkinit) \ $(use_enable threads thread-support) \ |
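Review bot: `RESTRICT="!test? ( test )"` in the first ebuild hunk replaces the unconditional `RESTRICT="test"` and deletes the comment that some tests require network access, so with USE=test the suite now runs where it never did before. Nothing visible in the hunk shows that the network-dependent tests are gone or skipped; a short comment above the new line, e.g. `# test suite no longer needs network access (confirm against upstream)`, would record why the restriction could be relaxed. The same hunk also drops `${PN}-CVE-2021-37750.patch` and `${PN}-config_LDFLAGS-r1.patch` from `PATCHES` with no remark. Presumably the KDC null-server check ships in the 1.21.2 tarball and `krb5-config` no longer echoes the build-time `LDFLAGS`, but both are worth verifying before the patch files are deleted.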
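Review bot: In `src_configure()` the two `append-flags` lines for `-fno-strict-aliasing` and `-fno-strict-overflow` are removed, yet the only comment left behind explains `filter-lto`. For a KDC and GSS library that parses untrusted network input, those flags keep the optimizer from assuming signed overflow and type punning cannot occur, so removing them changes how any latent undefined behaviour is compiled. If upstream's build now supplies them or the code no longer relies on them, record that in a comment such as `# -fno-strict-aliasing/-fno-strict-overflow dropped: <reason>`; otherwise keep `append-flags -fno-strict-aliasing -fno-strict-overflow` alongside `filter-lto`.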