Changeset - f422522f7510
default
0 2 3
Nathan Brink (binki) - 16 years ago 2009-05-05 16:54:25
ohnobinki@ohnopublishing.net
app-crypt/mit-krb5: bumped ebuild parallel to Gentoo tree, dropped many KEYWORDS
5 files changed with 212 insertions and 1 deletions:
app-crypt/mit-krb5/ChangeLog
 
@@ -2,6 +2,11 @@
 
# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
 
# $Header: $
 

	
 
  05 May 2009; Nathan Phillip Brink <ohnobinki@gentoo.org>
 
  +mit-krb5-1.6.3-r6.ebuild, +files/CVE-2009-0844+CVE-2009-0847.patch,
 
  +files/CVE-2009-0846.patch:
 
  Bumped ebuild parallel to Gentoo tree, dropped most KEYWORDS.
 

	
 
  04 May 2009; Nathan Phillip Brink <ohnobinki@gentoo.org>
 
  mit-krb5-1.6.3-r4.ebuild:
 
  removed untested KEYWORDS
app-crypt/mit-krb5/Manifest
 
AUX 1.6-MITKRB5-SA-2008-001.patch 11080 RMD160 12415f2329536352cd4d4aaa340951771b1e5114 SHA1 0cc2549ab6fd44180b3cdf4327efeaa6fe43b6e2 SHA256 0af6931dd33d9a2622714de3e06e68dde0d6e9215d9b08c478a441ce7fb6d7a6
 
AUX CVE-2009-0844+CVE-2009-0847.patch 2075 RMD160 eba543da0eafa13158a71947bf22783292d23951 SHA1 087e0dfcdff3dd08b9085fda47099c438871488d SHA256 abdff5ffb07b57d6156722ea6ee12a73ae3337ff05687e384a59989074ab4316
 
AUX CVE-2009-0846.patch 1682 RMD160 80292c97735b2e45eb450d2c8f6c30e6b0dbf199 SHA1 4bde9e943f4604bfde41cb91f923c123716add71 SHA256 71914affe6f8623b44f3b8ac9c98a83783e41200f8965ea5d68e7fb8a4bc3088
 
AUX MITKRB5-SA-2008-002.patch 1505 RMD160 35bb24ae802b532836810588e13c775ef8522cc1 SHA1 70fb0d83da33eb3e00355a11894c37f7c9d2b9aa SHA256 8e84a55080461f117f61501550c364f9ac25d9079601281a0d413bff664fc386
 
AUX mit-krb5-lazyldflags.patch 509 RMD160 47515882e93e0db7db6980a4460a01f2cbc3f382 SHA1 db880ff82bd72afd2815a8e8d345c815c2769715 SHA256 272b3a18303b43c64bbcc1da9bcb7cd60d56337700d84c78741c7096c18044d5
 
AUX mit-krb5kadmind.initd 687 RMD160 7602d12d570e80edf24953befbe4ec03d247e4ba SHA1 753a5875659d3bef63c1a50bb0228f1c3c06bdf9 SHA256 427953b3a2dbe0a8f85bee1294a348c97dbbdac4741f06c2a3768170ba29161a
 
@@ -6,6 +8,8 @@ AUX mit-krb5kdc.confd 89 RMD160 93f1e41e
 
AUX mit-krb5kdc.initd 747 RMD160 27b1f758cfe391e91ce0ca9425d0ab798d8abb99 SHA1 75d5a726c5cdaf7747ba3ce076dfe7e791b84b33 SHA256 c9680132423b9f00a90bd072bf079c09a229f3d70f4cfce586e9cff826e459d1
 
DIST krb5-1.6.3-signed.tar 11909120 RMD160 4f09e797d6e03c240353f3943875117a39c82c29 SHA1 c4c98801371895f84c6586c344c7f4bd850e6faf SHA256 7a1bd7d4bd326828c8ee382ed2b69ccd6c58762601df897d6a32169d84583d2a
 
DIST mit-krb5-1.6.3-patches-0.4r1.tar.bz2 5863 RMD160 1135281067a4b452a08887df9299a2f1322b34b9 SHA1 c31ea0cce528bc8c70e44a8e6d964ad1c84b375a SHA256 9523edeea365b14b98ab35e18e2cd24ce4cbc7d9ae16a0cfa309720ec61f0671
 
DIST mit-krb5-1.6.3-patches-0.5.tar.bz2 5317 RMD160 423c728e6f399fb4605373495a36480147a35e8c SHA1 ec3327acc45ce29cfd4179adf23fbde52eefb774 SHA256 46538d6b59d6fd1756b9ed0f3002886578a90cf5366e2be1d6fd0ffffeea7d3e
 
EBUILD mit-krb5-1.6.3-r4.ebuild 2856 RMD160 0dc8918025d76b5286b70ec1deeb7a1503fca6d2 SHA1 5266a3b90be11c98dff10600005aa0af33dd9bbd SHA256 b77792e6cae5295188ea38112eb4d170d5177ac616559a809342ad1014207087
 
MISC ChangeLog 346 RMD160 5df256b8e692ef113d20f4b1b945ed37c965e704 SHA1 58fa8ff1d135c812c3aeb98144e7acaeaf9d2c2a SHA256 8d66f17cdc87ce84d32bb8ecf232d4abbec85343b5743e2d16da98b9018ed55c
 
EBUILD mit-krb5-1.6.3-r6.ebuild 2954 RMD160 6967c1f94d4e44d0be17b433a1ffd23212a8cbac SHA1 77354b6bf67dbcacd4add52dc2d923fe54d124e2 SHA256 4d0333ae6e46f6a276a13403a83ce607a69443c74581dd9e12c4301fa877f32c
 
MISC ChangeLog 571 RMD160 203460a8033b0d98f2078f689f2c0a523047935f SHA1 e98321de4a6aab520328daf932dd2806804094d6 SHA256 cbc40b330148a1833646f1d3fc0d98bd4bbff9b4b6d562a2930dfb8f5502e87b
 
MISC metadata.xml 988 RMD160 b8d3c4b4be39d235ab984b110c269a404ed53803 SHA1 0c28bcb7be62e448fb2492c8ef13c49db1070484 SHA256 a9836086305633c73e4238912805c4acfb11fffd2d9d62305bb2139bffe63eef
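--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch
@@ -0,0 +1,48 @@
+Index: krb5-1.6.3/src/lib/gssapi/spnego/spnego_mech.c
+===================================================================
+--- krb5-1.6.3.orig/src/lib/gssapi/spnego/spnego_mech.c
++++ krb5-1.6.3/src/lib/gssapi/spnego/spnego_mech.c
+@@ -1815,7 +1815,8 @@ get_input_token(unsigned char **buff_in,
+ 		return (NULL);
+ 
+ 	input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes);
+-	if ((int)input_token->length == -1) {
++	if ((int)input_token->length == -1 ||                                           
++	    input_token->length > buff_length) {                                        
+ 		free(input_token);
+ 		return (NULL);
+ 	}
+Index: krb5-1.6.3/src/lib/krb5/asn.1/asn1buf.c
+===================================================================
+--- krb5-1.6.3.orig/src/lib/krb5/asn.1/asn1buf.c
++++ krb5-1.6.3/src/lib/krb5/asn.1/asn1buf.c
+@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1bu
+ 
+ asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
+ {
++  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;                                                       
+   subbuf->base = subbuf->next = buf->next;
+   if (!indef) {
++      if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;                                
+       subbuf->bound = subbuf->base + length - 1;
+-      if (subbuf->bound > buf->bound)
+-	  return ASN1_OVERRUN;
+   } else /* constructed indefinite */
+       subbuf->bound = buf->bound;
+   return 0;
+@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstri
+ {
+   int i;
+ 
++  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;                                                       
+   if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+   if (len == 0) {
+       *s = 0;
+@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstrin
+ {
+   int i;
+ 
++  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;                                                       
+   if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+   if (len == 0) {
+       *s = 0;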
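Review bot: In the get_input_token hunk of spnego_mech.c, the added bound `input_token->length > buff_length` compares against the whole input length, and `bytes`, which gssint_get_der_length fills in on the line above, plays no part in the check. If `buff_length` still includes the DER length octets that call consumed (the hunk does not show it being adjusted), a token length between the remaining size and `buff_length` would pass; the tighter form would be `input_token->length > buff_length - bytes`, once `bytes <= buff_length` is established. The function body starts and ends outside the hunk, so how `buff_length` and `bytes` are used afterwards needs confirming there. In asn1buf.c, only asn1buf_imbed casts the pointer difference with `(size_t)`; the two remove_* functions keep the uncast comparison and rely on the new `buf->next > buf->bound + 1` guard to keep the difference non-negative, which would be worth a one-line comment.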
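--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2009-0846.patch
@@ -0,0 +1,40 @@
+diff --git a/src/lib/krb5/asn.1/asn1_decode.c 
+b/src/lib/krb5/asn.1/asn1_decode.c
+index aa4be32..5f7461d 100644
+--- a/src/lib/krb5/asn.1/asn1_decode.c
++++ b/src/lib/krb5/asn.1/asn1_decode.c
+@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)
+ 
+   if(length != 15) return ASN1_BAD_LENGTH;
+   retval = asn1buf_remove_charstring(buf,15,&s);
++  if (retval) return retval;
+   /* Time encoding: YYYYMMDDhhmmssZ */
+   if(s[14] != 'Z') {
+       free(s);
+diff --git a/src/tests/asn.1/krb5_decode_test.c 
+b/src/tests/asn.1/krb5_decode_test.c
+index 0ff9343..1c427d1 100644
+--- a/src/tests/asn.1/krb5_decode_test.c
++++ b/src/tests/asn.1/krb5_decode_test.c
+@@ -485,5 +485,21 @@ int main(argc, argv)
+     ktest_destroy_keyblock(&(ref.subkey));
+     ref.seq_number = 0;
+     decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
++
++    retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
++    if (retval) {
++       com_err("krb5_decode_test", retval, "while parsing");
++       exit(1);
++    }
++    retval = decode_krb5_ap_rep_enc_part(&code, &var);
++    if (retval != ASN1_OVERRUN) {
++       printf("ERROR: ");
++    } else {
++       printf("OK: ");
++    }
++    printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
++    krb5_free_data_contents(test_context, &code);
++    krb5_free_ap_rep_enc_part(test_context, var);
++
+     ktest_empty_ap_rep_enc_part(&ref);
+   }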
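Review bot: The negative test added to krb5_decode_test.c only prints `ERROR: ` when decode_krb5_ap_rep_enc_part fails to return ASN1_OVERRUN; nothing visible in the hunk records the mismatch or changes main's exit status, so a regression in the asn1_decode_generaltime fix would show up only to someone reading the output. The mismatch branch should feed whatever failure accounting main uses outside this hunk, or exit non-zero as the parse-error branch just above it does. `krb5_free_ap_rep_enc_part(test_context, var)` also runs on the expected-failure path, and the hunk does not show `var` being reset before the decode call, so it is worth confirming that `var` holds NULL or a fresh allocation there. The ebuild in this same changeset reduces src_test to an einfo message, so this test is never run during the package build.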
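--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.6.3-r6.ebuild
@@ -0,0 +1,114 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.6.3-r4.ebuild,v 1.9 2008/11/02 10:56:53 dertobi123 Exp $
+
+inherit eutils flag-o-matic versionator autotools
+
+PATCHV="0.5"
+MY_P=${P/mit-}
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar
+	mirror://gentoo/${P}-patches-${PATCHV}.tar.bz2"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="krb4 doc ldap"
+
+RDEPEND="!virtual/krb5
+	>=sys-libs/e2fsprogs-libs-1.41.0
+	ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+	doc? ( virtual/latex-base )"
+
+S=${WORKDIR}/${MY_P}/src
+
+PROVIDE="virtual/krb5"
+
+src_unpack() {
+	unpack ${A}
+	unpack ./${MY_P}.tar.gz
+	cd "${S}"
+	EPATCH_SUFFIX="patch" epatch "${PATCHDIR}"
+	epatch "${FILESDIR}/CVE-2009-0844+CVE-2009-0847.patch"
+	epatch "${FILESDIR}/CVE-2009-0846.patch"
+	einfo "Regenerating configure scripts (be patient)"
+	local subdir
+	for subdir in $(find . -name configure.in \
+		| xargs grep -l 'AC_CONFIG_SUBDIRS' \
+		| sed 's@/configure\.in$@@'); do
+		ebegin "Regenerating configure script in ${subdir}"
+		cd "${S}"/${subdir}
+		eautoconf --force -I "${S}"
+		eend $?
+	done
+}
+
+src_compile() {
+	# needed to work with sys-libs/e2fsprogs-libs <- should be removed!!
+	append-flags "-I/usr/include/et"
+	econf \
+		$(use_with krb4) \
+		$(use_with ldap) \
+		--enable-shared \
+		--with-system-et --with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-replay-cache || die
+
+	emake -j1 || die
+
+	if use doc ; then
+		cd ../doc
+		for dir in api implement ; do
+			make -C "${dir}" || die
+		done
+	fi
+}
+
+src_test() {
+	einfo "Tests do not run in sandbox, have a lot of dependencies and are therefore completely disabled."
+}
+
+src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR=/usr/share/doc/${PF}/examples \
+		install || die
+
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+	dodoc doc/*.ps
+	doinfo doc/*.info*
+	dohtml -r doc/*
+
+	use doc && dodoc doc/{api,implement}/*.ps
+
+	for i in {telnetd,ftpd} ; do
+		mv "${D}"/usr/share/man/man8/${i}.8 "${D}"/usr/share/man/man8/k${i}.8
+		mv "${D}"/usr/sbin/${i} "${D}"/usr/sbin/k${i}
+	done
+
+	for i in {rcp,rlogin,rsh,telnet,ftp} ; do
+		mv "${D}"/usr/share/man/man1/${i}.1 "${D}"/usr/share/man/man1/k${i}.1
+		mv "${D}"/usr/bin/${i} "${D}"/usr/bin/k${i}
+	done
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc
+	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+
+	insinto /etc
+	newins "${D}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	newins "${D}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	insinto /etc/openldap/schema
+	use ldap && doins "${S}"/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
+}
+
+pkg_postinst() {
+	elog "See /usr/share/doc/${PF}/html/krb5-admin.html for documentation."
+}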
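Review bot: src_unpack extracts `./${MY_P}.tar.gz` from the `-signed.tar` wrapper with no signature check, and SRC_URI fetches that wrapper over plain http://, so the only integrity control on the Kerberos sources visible here is the DIST digest in the Manifest. The wrapper presumably carries upstream's detached signature; if it does, the gap deserves a comment next to the unpack call, such as `# upstream signature inside the -signed.tar wrapper is not verified here; integrity rests on the Manifest digests`. Separately, the four `mv` calls in src_install have no `|| die`, so a failed rename would leave telnetd, ftpd, rsh and the other clients installed under their unprefixed names. Appending `|| die "renaming ${i} failed"` to each would make that fatal, matching the emake and econf calls.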