From c3bc61051d7f12b4c682efa7a5460bbc8815649e Mon Sep 17 00:00:00 2001
From: V3n3RiX <venerix@koprulu.sector>
Date: Fri, 7 Jan 2022 22:48:01 +0000
Subject: gentoo resync : 07.01.2022

---
 app-crypt/mit-krb5/Manifest                        |   2 +
 .../mit-krb5/files/mit-krb5-CVE-2021-37750.patch   |  43 ++++++
 app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild       | 165 +++++++++++++++++++++
 3 files changed, 210 insertions(+)
 create mode 100644 app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch
 create mode 100644 app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild

(limited to 'app-crypt/mit-krb5')

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 93a5e21ae979..0d1d1a144b95 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,6 +1,7 @@
 AUX kpropd.xinetd 194 BLAKE2B cfc40af2e75b0ce5a71e0dfdcfe076d13d996b25d2cb50d4282bc88d7b33b317a202d57df0bb4a2b47113f0d38cb508614e122e4a3bb7dfd2397e2daa3178396 SHA512 c9bbd13f2fadfd2a925bfae834ba61f227cd4386b4c4466b5227d93c792f4549778ef4d6e08353372df99804459277c71f61b41ec71f3afcc600d73c5705f72f
 AUX mit-krb5-1.12_warn_cflags.patch 448 BLAKE2B cd9793866173b394bab3497d19653ca3296924cc49aaf540499b149254265af1d995b4d7493b76185ce35d123e70827cb5fcb221efc6499b86a346cfad7478ab SHA512 42364d9cd8c0a6fd28ae661eeac4d0dd3f2001fe290bf9731ee99c2c786a6488805fc93057d59e201e2cef1e5280af4c170187aa5603f4cf542906abc0fccc2b
 AUX mit-krb5-1.18.2-krb5-config.patch 409 BLAKE2B 90290aa717c929d97d38f542753fba7fd4a85aa5d960b1bf8acf9898dfaa16fa9433d2ec5cc985757ae6bfc356cf46fabbb1632f5005f8a93a2ed22699ccaad0 SHA512 2faf5a39b9d7c8bca71d23d0226c2fa8fd9759366c9c2385b8479481b4fcf546d506ee3a4bc1caaf855e8cdfe1abb1b11536bdf9bd06e3c5d9b776bd7926a104
+AUX mit-krb5-CVE-2021-37750.patch 1446 BLAKE2B ad3d60c7e8c2b18a5d18431abf3edd53c4dbe2dc3bb2747273ff8a6fe87d292174b86c5e68859c6577a913216f76bc19d20415692713c72a124d3de2f8b19d33 SHA512 84c5f48c16609e6008b11bf728745bf018a184ce5a9bf877b0a471e2e3fc6eae6f4908be8e6d21d46ba6cfffe0c8b020c32773011e3b7e1d59acb5302b02f4c7
 AUX mit-krb5-config_LDFLAGS-r1.patch 458 BLAKE2B adf95690d6bb698dbdb6bf9c4220f3498a332186b059986c5a699aeec81b3342931ca664244fbcb76a61f9a5177972f0e47535035dbf88c949691d5d80d58084 SHA512 4c7ff3f63c9615dae1dbbf03795fede34d54d043acfd91f77f7fef7534253ea308a59657fa93d09f99d1d5ff5d21b58eb6b86bfbe6d65aa82ca1fa187b65d1dc
 AUX mit-krb5_dont_create_rundir.patch 373 BLAKE2B 0306d4089f4163bba703e1cd209a0233a0a0c9e63babca6ff060131e191f814548db276ff5c8d8a73b10d2a301d6b4aa4b416be88287e1e719a2ebaebbc427cd SHA512 450b0dfff536ea76ddb45de5bb38237ad4c5ffb12a21d26cf0971ff9b2221868a4d2d3a9144561a7d967f49f80e3ddb91c8caa24d1a3523fa578820572c9096f
 AUX mit-krb5kadmind.confd 76 BLAKE2B ca69357a77ddaf67e2f9c104b17d49af5da9891b13bd855f8b04d54bfb6ccf07ae8c5cb694f65a47646675c844c8f8c7224e8487081df678c73c554498259516 SHA512 dbf968800959f0463899031e823f003e9ece90132f452ebf03df08caf0e6a6e6ca2cfdee91491d269cfa24bef19e72dd33c7d818a4bb13ef85edfb6f0e8299f3
@@ -16,4 +17,5 @@ AUX mit-krb5kpropd.socket 122 BLAKE2B 2ce51e67b909c6955d9796f80f7985c9209af398ad
 AUX mit-krb5kpropd_at.service 162 BLAKE2B ccd1dea2419656a95ea1e5068457ea45a765a831f36e7abe3e27cdd9b42f2b703cd6ddad1ac60d75feff4d74bf31dbf146ee2cbfdd34ac38c11908d44162e77a SHA512 4b7121da07b11fa65db4edc185c57197ebb25ed5c49797e36bc31b8b7bbb22a6f512f4a986c8430dfc31b1b8fcfba66dcfe154cd6eeb8b4bb445d5006fff3802
 DIST krb5-1.19.2.tar.gz 8741053 BLAKE2B 963722721201e75381c91a2af6e982f569a5b1602beb2d1ded83d35f6f914235a6ed91e5d54f56c97e94921a32ed27c49aded258327966ee13d39485208c38d8 SHA512 b90d6ed0e1e8a87eb5cb2c36d88b823a6a6caabf85e5d419adb8a930f7eea09a5f8491464e7e454cca7ba88be09d19415962fe0036ad2e31fc584f9fc0bbd470
 EBUILD mit-krb5-1.19.2-r1.ebuild 4249 BLAKE2B 1d9ccacfafa601471e041a20144b213fe695cb5fc2a3574fd3dad4073e28b646a043384aa4aa9de93c5ab4fc549ca3c379c1dfa99023114ce5d2d1233da6aceb SHA512 dc1bc87a3503c07f9a3313102542a20203e22e35d954c67cd548b3b4c1b6094db79a5f58da03517d98b8bdebaf9d01412c8f494added5c6bba983f3ae0891ee7
+EBUILD mit-krb5-1.19.2-r2.ebuild 4293 BLAKE2B 3d6d79a2110194d25486aa7055174f982878e11944ce6e023e4c04e4d5e21118f057d74a4ef24eec19ea54d546206d4b1f0d1020843234b0fd633ac8c4a5b83c SHA512 8790f0941fffe6a160d30b920f2bfc4004b8314d4d2252e5d0824cd8e351ebca6839680853064cec1db7789d70b867feba5754ad96d15305135963343ea11dc3
 MISC metadata.xml 824 BLAKE2B 7f8486768dd9da718f2514da9a9b6928a89c43d26fd73f4be651438a4b02cd7a1db7839c580ca4f0812387e77cd002fa3caba86163ec2ecc1c2cdbcd1ffa4270 SHA512 0c075a303679455bd7f288b9345855bb38aa59da73e93f31b697688062399713dae64b39c775f4c74fa1f46fc1c3567732217ddcac7588bf3ae77c3e20e64144
diff --git a/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch b/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch
new file mode 100644
index 000000000000..2f4c949e9f31
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch
@@ -0,0 +1,43 @@
+From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 3 Aug 2021 01:15:27 -0400
+Subject: [PATCH] Fix KDC null deref on TGS inner body null server
+
+After the KDC decodes a FAST inner body, it does not check for a null
+server.  Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
+would typically result in an error from krb5_unparse_name(), but with
+the addition of get_local_tgt() it results in a null dereference.  Add
+a null check.
+
+Reported by Joseph Sutton of Catalyst.
+
+CVE-2021-37750:
+
+In MIT krb5 releases 1.14 and later, an authenticated attacker can
+cause a null dereference in the KDC by sending a FAST TGS request with
+no server field.
+
+ticket: 9008 (new)
+tags: pullup
+target_version: 1.19-next
+target_version: 1.18-next
+---
+ src/kdc/do_tgs_req.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index 582e497cc9..32dc65fa8e 100644
+--- a/kdc/do_tgs_req.c
++++ b/kdc/do_tgs_req.c
+@@ -204,6 +204,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
+         status = "FIND_FAST";
+         goto cleanup;
+     }
++    if (sprinc == NULL) {
++        status = "NULL_SERVER";
++        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
++        goto cleanup;
++    }
+ 
+     errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
+                             &local_tgt, &local_tgt_storage, &local_tgt_key);
diff --git a/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild
new file mode 100644
index 000000000000..98039ee18e1c
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild
@@ -0,0 +1,165 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{8..10} )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd toolchain-funcs
+
+MY_P="${P/mit-}"
+P_DIR=$(ver_cut 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/"
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ~ppc64 ~riscv ~s390 sparc x86"
+IUSE="cpu_flags_x86_aes doc +keyutils lmdb nls openldap +pkinit selinux +threads test xinetd"
+
+# some tests requires network access
+RESTRICT="test"
+
+DEPEND="
+	!!app-crypt/heimdal
+	|| (
+		>=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}]
+		sys-libs/e2fsprogs-libs[${MULTILIB_USEDEP}]
+	)
+	|| (
+		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+	)
+	keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
+	lmdb? ( dev-db/lmdb )
+	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
+	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+	pkinit? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+	xinetd? ( sys-apps/xinetd )
+	"
+BDEPEND="
+	${PYTHON_DEPS}
+	virtual/yacc
+	cpu_flags_x86_aes? (
+		amd64? ( dev-lang/yasm )
+		x86? ( dev-lang/yasm )
+	)
+	doc? ( virtual/latex-base )
+	test? (
+		${PYTHON_DEPS}
+		dev-lang/tcl:0
+		dev-util/dejagnu
+		dev-util/cmocka
+	)"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+PATCHES=(
+	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
+	"${FILESDIR}/${PN}_dont_create_rundir.patch"
+	"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
+	"${FILESDIR}/${PN}-CVE-2021-37750.patch"
+)
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+src_prepare() {
+	default
+	# Make sure we always use the system copies.
+	rm -rf util/{et,ss,verto}
+	sed -i 's:^[[:space:]]*util/verto$::' configure.ac || die
+
+	eautoreconf
+}
+
+src_configure() {
+	# QA
+	append-flags -fno-strict-aliasing
+	append-flags -fno-strict-overflow
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	ECONF_SOURCE=${S} \
+	AR="$(tc-getAR)" \
+	WARN_CFLAGS="set" \
+	econf \
+		$(use_with openldap ldap) \
+		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable nls) \
+		$(use_enable pkinit) \
+		$(use_enable threads thread-support) \
+		$(use_with lmdb) \
+		$(use_with keyutils) \
+		--without-hesiod \
+		--enable-shared \
+		--with-system-et \
+		--with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-lookaside-cache \
+		--with-system-verto \
+		--disable-rpath
+}
+
+multilib_src_compile() {
+	emake -j1
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+		install
+}
+
+multilib_src_install_all() {
+	# default database dir
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+
+	if use doc; then
+		dodoc -r doc/html
+		docinto pdf
+		dodoc doc/pdf/*.pdf
+	fi
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
+
+	insinto /etc
+	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	insinto /var/lib/krb5kdc
+	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	if use openldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+	fi
+
+	if use xinetd ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/kpropd.xinetd" kpropd
+	fi
+}
-- 
cgit v1.2.3