[arch-commits] Commit in lib32-krb5/repos/multilib-x86_64 (7 files)

Florian Pritz bluewind at archlinux.org
Tue Aug 12 22:13:56 UTC 2014


    Date: Wednesday, August 13, 2014 @ 00:13:56
  Author: bluewind
Revision: 117324

archrelease: copy trunk to multilib-x86_64

Added:
  lib32-krb5/repos/multilib-x86_64/PKGBUILD
    (from rev 117323, lib32-krb5/trunk/PKGBUILD)
  lib32-krb5/repos/multilib-x86_64/krb5-1.10.1-gcc47.patch
    (from rev 117323, lib32-krb5/trunk/krb5-1.10.1-gcc47.patch)
  lib32-krb5/repos/multilib-x86_64/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch
    (from rev 117323, lib32-krb5/trunk/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch)
  lib32-krb5/repos/multilib-x86_64/krb5-config_LDFLAGS.patch
    (from rev 117323, lib32-krb5/trunk/krb5-config_LDFLAGS.patch)
Deleted:
  lib32-krb5/repos/multilib-x86_64/PKGBUILD
  lib32-krb5/repos/multilib-x86_64/krb5-1.10.1-gcc47.patch
  lib32-krb5/repos/multilib-x86_64/krb5-config_LDFLAGS.patch

-----------------------------------------------------+
 PKGBUILD                                            |  140 +++++++++---------
 krb5-1.10.1-gcc47.patch                             |   22 +-
 krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch |   64 ++++++++
 krb5-config_LDFLAGS.patch                           |   24 +--
 4 files changed, 158 insertions(+), 92 deletions(-)

Deleted: PKGBUILD
===================================================================
--- PKGBUILD	2014-08-12 22:13:52 UTC (rev 117323)
+++ PKGBUILD	2014-08-12 22:13:56 UTC (rev 117324)
@@ -1,69 +0,0 @@
-# $Id$
-# Maintainer: Florian Pritz <flo at xinu.at>
-# Contributor: Stéphane Gaudreault <stephane at archlinux.org>
-
-_pkgbasename=krb5
-pkgname=lib32-$_pkgbasename
-pkgver=1.12.1
-pkgrel=1
-pkgdesc="The Kerberos network authentication system (32-bit)"
-arch=('x86_64')
-url="http://web.mit.edu/kerberos/"
-license=('custom')
-depends=('lib32-e2fsprogs' 'lib32-libldap' 'lib32-keyutils' "$_pkgbasename")
-makedepends=('perl' 'gcc-multilib')
-source=("http://web.mit.edu/kerberos/dist/${_pkgbasename}/1.12/${_pkgbasename}-${pkgver}-signed.tar"
-        krb5-config_LDFLAGS.patch)
-sha1sums=('d59e8dc0fc9e1890e109cd033756539984e3d3fe'
-          '09e478cddfb9d46d2981dd25ef96b8c3fd91e1aa')
-options=('!emptydirs')
-
-prepare() {
-   tar zxvf ${_pkgbasename}-${pkgver}.tar.gz
-   cd "${srcdir}/${_pkgbasename}-${pkgver}/src"
-
-   # cf https://bugs.gentoo.org/show_bug.cgi?id=448778
-   (cd build-tools; patch -Np2 -i "${srcdir}"/krb5-config_LDFLAGS.patch; cd ..)
-}
-
-build() {
-   cd "${srcdir}/${_pkgbasename}-${pkgver}/src"
-
-   export CC="gcc -m32"
-   export CXX="g++ -m32"
-   export PKG_CONFIG_PATH="/usr/lib32/pkgconfig"
-
-   export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all"
-   export CPPFLAGS+=" -I/usr/include/et"
-   ./configure --prefix=/usr \
-               --sysconfdir=/etc \
-               --localstatedir=/var/lib \
-               --libdir=/usr/lib32 \
-               --enable-shared \
-               --with-system-et \
-               --with-system-ss \
-               --disable-rpath \
-               --without-tcl \
-               --enable-dns-for-realm \
-               --with-ldap \
-               --without-system-verto
-
-   make
-}
-
-#check() {
-   # We can't do this in the build directory.
-
-   # only works if the hostname is set properly/resolves to something. whatever...
-   #cd "${srcdir}/${_pkgbasename}-${pkgver}"
-   #make -C src check
-#}
-
-package() {
-   cd "${srcdir}/${_pkgbasename}-${pkgver}/src"
-   make DESTDIR="${pkgdir}" install
-
-   rm -rf "${pkgdir}"/usr/{include,share,bin,sbin}
-   mkdir -p "$pkgdir/usr/share/licenses"
-   ln -s $_pkgbasename "$pkgdir/usr/share/licenses/$pkgname"
-}

Copied: lib32-krb5/repos/multilib-x86_64/PKGBUILD (from rev 117323, lib32-krb5/trunk/PKGBUILD)
===================================================================
--- PKGBUILD	                        (rev 0)
+++ PKGBUILD	2014-08-12 22:13:56 UTC (rev 117324)
@@ -0,0 +1,71 @@
+# $Id$
+# Maintainer: Florian Pritz <flo at xinu.at>
+# Contributor: Stéphane Gaudreault <stephane at archlinux.org>
+
+_pkgbasename=krb5
+pkgname=lib32-$_pkgbasename
+pkgver=1.12.1
+pkgrel=2
+pkgdesc="The Kerberos network authentication system (32-bit)"
+arch=('x86_64')
+url="http://web.mit.edu/kerberos/"
+license=('custom')
+depends=('lib32-e2fsprogs' 'lib32-libldap' 'lib32-keyutils' "$_pkgbasename")
+makedepends=('perl' 'gcc-multilib')
+source=("http://web.mit.edu/kerberos/dist/${_pkgbasename}/1.12/${_pkgbasename}-${pkgver}-signed.tar"
+        krb5-config_LDFLAGS.patch krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch)
+sha1sums=('d59e8dc0fc9e1890e109cd033756539984e3d3fe'
+          'f125824ed37f31e6fd2fdb6a437be8ff1c3700ab'
+          '8273976824137df1d42a4f9c7bafdfbd92f27d0a')
+options=('!emptydirs')
+
+prepare() {
+   tar zxvf ${_pkgbasename}-${pkgver}.tar.gz
+   cd "${srcdir}/${_pkgbasename}-${pkgver}"
+
+   # cf https://bugs.gentoo.org/show_bug.cgi?id=448778
+   patch -p1 -i "${srcdir}"/krb5-config_LDFLAGS.patch
+   patch -p1 -i "${srcdir}"/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch
+}
+
+build() {
+   cd "${srcdir}/${_pkgbasename}-${pkgver}/src"
+
+   export CC="gcc -m32"
+   export CXX="g++ -m32"
+   export PKG_CONFIG_PATH="/usr/lib32/pkgconfig"
+
+   export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all"
+   export CPPFLAGS+=" -I/usr/include/et"
+   ./configure --prefix=/usr \
+               --sysconfdir=/etc \
+               --localstatedir=/var/lib \
+               --libdir=/usr/lib32 \
+               --enable-shared \
+               --with-system-et \
+               --with-system-ss \
+               --disable-rpath \
+               --without-tcl \
+               --enable-dns-for-realm \
+               --with-ldap \
+               --without-system-verto
+
+   make
+}
+
+#check() {
+   # We can't do this in the build directory.
+
+   # only works if the hostname is set properly/resolves to something. whatever...
+   #cd "${srcdir}/${_pkgbasename}-${pkgver}"
+   #make -C src check
+#}
+
+package() {
+   cd "${srcdir}/${_pkgbasename}-${pkgver}/src"
+   make DESTDIR="${pkgdir}" install
+
+   rm -rf "${pkgdir}"/usr/{include,share,bin,sbin}
+   mkdir -p "$pkgdir/usr/share/licenses"
+   ln -s $_pkgbasename "$pkgdir/usr/share/licenses/$pkgname"
+}
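Review bot: The upstream tarball in `source=()` is fetched over plain `http://` and checked only against `sha1sums`, and `prepare()` unpacks the inner `${_pkgbasename}-${pkgver}.tar.gz` without checking any signature. The `-signed.tar` bundle presumably carries a detached signature next to the inner tarball; if so, verify it against a pinned upstream key before the `tar zxvf` line, for example `gpg --verify "${_pkgbasename}-${pkgver}.tar.gz.asc" "${_pkgbasename}-${pkgver}.tar.gz"`. Moving the checksum array to `sha256sums` would also help. The CVE backport should carry a comment so it is not kept by accident, such as `# CVE-2014-4345 backport; drop when pkgver >= 1.12.2`, since the patch header gives `target_version: 1.12.2`. The two `patch -p1 -i` calls also lost the `-N` that the old `patch -Np2` line had, so a patch that is already applied will prompt for reversal instead of failing cleanly.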

Deleted: krb5-1.10.1-gcc47.patch
===================================================================
--- krb5-1.10.1-gcc47.patch	2014-08-12 22:13:52 UTC (rev 117323)
+++ krb5-1.10.1-gcc47.patch	2014-08-12 22:13:56 UTC (rev 117324)
@@ -1,11 +0,0 @@
-diff -Naur krb5-1.10.1.ori/src/lib/krb5/krb/x-deltat.y krb5-1.10.1/src/lib/krb5/krb/x-deltat.y
---- krb5-1.10.1.ori/src/lib/krb5/krb/x-deltat.y	2011-09-06 07:34:32.000000000 -0400
-+++ krb5-1.10.1/src/lib/krb5/krb/x-deltat.y	2012-03-24 13:15:11.543551318 -0400
-@@ -44,6 +44,7 @@
- #ifdef __GNUC__
- #pragma GCC diagnostic push
- #pragma GCC diagnostic ignored "-Wuninitialized"
-+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
- #endif
- 
- #include <ctype.h>

Copied: lib32-krb5/repos/multilib-x86_64/krb5-1.10.1-gcc47.patch (from rev 117323, lib32-krb5/trunk/krb5-1.10.1-gcc47.patch)
===================================================================
--- krb5-1.10.1-gcc47.patch	                        (rev 0)
+++ krb5-1.10.1-gcc47.patch	2014-08-12 22:13:56 UTC (rev 117324)
@@ -0,0 +1,11 @@
+diff -Naur krb5-1.10.1.ori/src/lib/krb5/krb/x-deltat.y krb5-1.10.1/src/lib/krb5/krb/x-deltat.y
+--- krb5-1.10.1.ori/src/lib/krb5/krb/x-deltat.y	2011-09-06 07:34:32.000000000 -0400
++++ krb5-1.10.1/src/lib/krb5/krb/x-deltat.y	2012-03-24 13:15:11.543551318 -0400
+@@ -44,6 +44,7 @@
+ #ifdef __GNUC__
+ #pragma GCC diagnostic push
+ #pragma GCC diagnostic ignored "-Wuninitialized"
++#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
+ #endif
+ 
+ #include <ctype.h>

Copied: lib32-krb5/repos/multilib-x86_64/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch (from rev 117323, lib32-krb5/trunk/krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch)
===================================================================
--- krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch	                        (rev 0)
+++ krb5-81c332e29f10887c6b9deb065f81ba259f4c7e03.patch	2014-08-12 22:13:56 UTC (rev 117324)
@@ -0,0 +1,64 @@
+From 81c332e29f10887c6b9deb065f81ba259f4c7e03 Mon Sep 17 00:00:00 2001
+From: Tomas Kuthan <tkuthan at gmail.com>
+Date: Fri, 1 Aug 2014 15:25:50 +0200
+Subject: [PATCH] Fix LDAP key data segmentation [CVE-2014-4345]
+
+For principal entries having keys with multiple kvnos (due to use of
+-keepold), the LDAP KDB module makes an attempt to store all the keys
+having the same kvno into a single krbPrincipalKey attribute value.
+There is a fencepost error in the loop, causing currkvno to be set to
+the just-processed value instead of the next kvno.  As a result, the
+second and all following groups of multiple keys by kvno are each
+stored in two krbPrincipalKey attribute values.  Fix the loop to use
+the correct kvno value.
+
+CVE-2014-4345:
+
+In MIT krb5, when kadmind is configured to use LDAP for the KDC
+database, an authenticated remote attacker can cause it to perform an
+out-of-bounds write (buffer overrun) by performing multiple cpw
+-keepold operations.  An off-by-one error while copying key
+information to the new database entry results in keys sharing a common
+kvno being written to different array buckets, in an array whose size
+is determined by the number of kvnos present.  After sufficient
+iterations, the extra writes extend past the end of the
+(NULL-terminated) array.  The NULL terminator is always written after
+the end of the loop, so no out-of-bounds data is read, it is only
+written.
+
+Historically, it has been possible to convert an out-of-bounds write
+into remote code execution in some cases, though the necessary
+exploits must be tailored to the individual application and are
+usually quite complicated.  Depending on the allocated length of the
+array, an out-of-bounds write may also cause a segmentation fault
+and/or application crash.
+
+    CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
+
+[ghudson at mit.edu: clarified commit message]
+[kaduk at mit.edu: CVE summary, CVSSv2 vector]
+
+ticket: 7980 (new)
+target_version: 1.12.2
+tags: pullup
+---
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index ce851ea..df5934c 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
+             j++;
+             last = i + 1;
+ 
+-            currkvno = key_data[i].key_data_kvno;
++            if (i < n_key_data - 1)
++                currkvno = key_data[i + 1].key_data_kvno;
+         }
+     }
+     ret[num_versions] = NULL;
+-- 
+2.0.3
+
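Review bot: The added guard `if (i < n_key_data - 1)` corrects which kvno starts the next group, but nothing visible in this hunk bounds `j` against `num_versions` before the terminator is stored at `ret[num_versions]`. According to the commit message the array is sized from a separate count of kvnos, so a check that `j < num_versions` before each group is stored would turn any future miscount into an error return rather than an out-of-bounds write. A short comment on the new lines would also help, for example `/* currkvno must be the kvno of the next group, not the one just stored */`. `krb5_encode_krbsecretkey` starts and ends outside the hunk, so whether such a bound already exists elsewhere in the function cannot be confirmed from here.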

Deleted: krb5-config_LDFLAGS.patch
===================================================================
--- krb5-config_LDFLAGS.patch	2014-08-12 22:13:52 UTC (rev 117323)
+++ krb5-config_LDFLAGS.patch	2014-08-12 22:13:56 UTC (rev 117324)
@@ -1,12 +0,0 @@
-Bug #448778
---- krb5-1.11/src/krb5-config.in	2012-12-18 02:47:04.000000000 +0000
-+++ krb5-1.11/src/krb5-config.in	2012-12-28 07:13:16.582693363 +0000
-@@ -217,7 +217,7 @@
- 	    -e 's#\$(PROG_RPATH)#'$libdir'#' \
- 	    -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \
- 	    -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
--	    -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
-+	    -e 's#\$(LDFLAGS)##' \
- 	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
- 	    -e 's#\$(CFLAGS)##'`
- 

Copied: lib32-krb5/repos/multilib-x86_64/krb5-config_LDFLAGS.patch (from rev 117323, lib32-krb5/trunk/krb5-config_LDFLAGS.patch)
===================================================================
--- krb5-config_LDFLAGS.patch	                        (rev 0)
+++ krb5-config_LDFLAGS.patch	2014-08-12 22:13:56 UTC (rev 117324)
@@ -0,0 +1,12 @@
+Bug #448778
+--- krb5-1.11/src/build-tools/krb5-config.in	2012-12-18 02:47:04.000000000 +0000
++++ krb5-1.11/src/build-tools/krb5-config.in	2012-12-28 07:13:16.582693363 +0000
+@@ -217,7 +217,7 @@
+ 	    -e 's#\$(PROG_RPATH)#'$libdir'#' \
+ 	    -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \
+ 	    -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
+-	    -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
++	    -e 's#\$(LDFLAGS)##' \
+ 	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
+ 	    -e 's#\$(CFLAGS)##'`
+ 



