summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDiego Elio Pettenò <flameeyes@gentoo.org>2010-10-15 15:04:56 +0000
committerDiego Elio Pettenò <flameeyes@gentoo.org>2010-10-15 15:04:56 +0000
commitfa348b099b3c277a49a9f18f4d165548d4846e4f (patch)
tree2c457049e89934e8b8e47cede4a76fa0db094cd2
parentSimplify dependencies (changed versioning scheme). (diff)
downloadgentoo-2-fa348b099b3c277a49a9f18f4d165548d4846e4f.tar.gz
gentoo-2-fa348b099b3c277a49a9f18f4d165548d4846e4f.tar.bz2
gentoo-2-fa348b099b3c277a49a9f18f4d165548d4846e4f.zip
Remove old vulnerable version.
(Portage version: 2.2_rc96/cvs/Linux x86_64)
-rw-r--r--sys-auth/pam_krb5/ChangeLog6
-rw-r--r--sys-auth/pam_krb5/files/pam_krb5-3.12-CVE-2009-0361-0362.patch194
-rw-r--r--sys-auth/pam_krb5/pam_krb5-3.12.ebuild39
3 files changed, 5 insertions, 234 deletions
diff --git a/sys-auth/pam_krb5/ChangeLog b/sys-auth/pam_krb5/ChangeLog
index ac8ea5093f96..75ca8d664606 100644
--- a/sys-auth/pam_krb5/ChangeLog
+++ b/sys-auth/pam_krb5/ChangeLog
@@ -1,6 +1,10 @@
# ChangeLog for sys-auth/pam_krb5
# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/pam_krb5/ChangeLog,v 1.37 2010/09/12 04:17:30 josejx Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/pam_krb5/ChangeLog,v 1.38 2010/10/15 15:04:55 flameeyes Exp $
+
+ 15 Oct 2010; Diego E. Pettenò <flameeyes@gentoo.org>
+ -pam_krb5-3.12.ebuild, -files/pam_krb5-3.12-CVE-2009-0361-0362.patch:
+ Remove old vulnerable version.
12 Sep 2010; Joseph Jezak <josejx@gentoo.org> pam_krb5-4.3.ebuild:
Marked ppc stable for bug #326953.
diff --git a/sys-auth/pam_krb5/files/pam_krb5-3.12-CVE-2009-0361-0362.patch b/sys-auth/pam_krb5/files/pam_krb5-3.12-CVE-2009-0361-0362.patch
deleted file mode 100644
index 542679a42b6f..000000000000
--- a/sys-auth/pam_krb5/files/pam_krb5-3.12-CVE-2009-0361-0362.patch
+++ /dev/null
@@ -1,194 +0,0 @@
-diff --git a/api-auth.c b/api-auth.c
-index 55df461..f6af390 100644
---- a/api-auth.c
-+++ b/api-auth.c
-@@ -494,6 +494,37 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
- if (reinit) {
- const char *name, *k5name;
-
-+ /*
-+ * Solaris su calls pam_setcred as root with PAM_REINITIALIZE_CREDS,
-+ * preserving the user-supplied environment. An xlock program may
-+ * also do this if it's setuid root and doesn't drop credentials
-+ * before calling pam_setcred.
-+ *
-+ * There isn't any safe way of reinitializing the exiting ticket cache
-+ * for the user if we're setuid without calling setreuid(). Calling
-+ * setreuid() is possible, but if the calling application is threaded,
-+ * it will change credentials for the whole application, with possibly
-+ * bizarre and unintended (and insecure) results. Trying to verify
-+ * ownership of the existing ticket cache before using it fails under
-+ * various race conditions (for example, having one of the elements of
-+ * the path be a symlink and changing the target of that symlink
-+ * between our check and the call to krb5_cc_resolve. Without calling
-+ * setreuid(), we run the risk of replacing a file owned by another
-+ * user with a credential cache.
-+ *
-+ * We could fail with an error in the setuid case, which would be
-+ * maximally safe, but it would prevent use of the module for
-+ * authentication with programs such as Solaris su. Failure to
-+ * reinitialize the cache is normally not a serious problem, just a
-+ * missing feature. We therefore log an error and exit with
-+ * PAM_SUCCESS for the setuid case.
-+ */
-+ if (pamk5_compat_issetugid()) {
-+ pamk5_error(args, "credential reinitialization in a setuid"
-+ " context ignored");
-+ pamret = PAM_SUCCESS;
-+ goto done;
-+ }
- name = pamk5_get_krb5ccname(args, "KRB5CCNAME");
- if (name == NULL)
- name = krb5_cc_default_name(ctx->context);
-diff --git a/compat.c b/compat.c
-index e6ad6b0..1bf981d 100644
---- a/compat.c
-+++ b/compat.c
-@@ -24,6 +24,7 @@
- # include <security/pam_modutil.h>
- #endif
- #include <stdlib.h>
-+#include <unistd.h>
-
- #if !defined(HAVE_KRB5_GET_ERROR_MESSAGE) && !defined(HAVE_KRB5_GET_ERR_TEXT)
- # if !defined(HAVE_KRB5_GET_ERROR_STRING)
-@@ -146,6 +147,39 @@ pamk5_compat_free_error(krb5_context ctx, const char *msg)
-
-
- /*
-+ * AIX's NAS Kerberos implementation mysteriously provides the struct and the
-+ * krb5_verify_init_creds function but not this function.
-+ */
-+#ifndef HAVE_KRB5_VERIFY_INIT_CREDS_OPT_INIT
-+void
-+krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *opt)
-+{
-+ opt->flags = 0;
-+ opt->ap_req_nofail = 0;
-+}
-+#endif
-+
-+
-+/*
-+ * MIT provides a krb5_init_secure_context that ignores all the environment
-+ * variables that may otherwise influence context creation. We call that
-+ * function if we detect that we're setuid. Heimdal doesn't have this
-+ * function, but instead automatically ignores the environment variables if it
-+ * detects we're setuid. This means that we should be able to fall back
-+ * safely to krb5_init_context if krb5_init_secure_context isn't available.
-+ */
-+krb5_error_code
-+pamk5_compat_secure_context(krb5_context *ctx)
-+{
-+#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
-+ return krb5_init_secure_context(ctx);
-+#else
-+ return krb5_init_context(ctx);
-+#endif
-+}
-+
-+
-+/*
- * Linux PAM provides a thread-safe version of getpwnam that we want to use if
- * available. If it's not, fall back on getpwnam. (Ideally, we should check
- * for getpwnam_r and use it, but I haven't written that routine.)
-@@ -162,14 +196,19 @@ pamk5_compat_getpwnam(struct pam_args *args UNUSED, const char *user)
-
-
- /*
-- * AIX's NAS Kerberos implementation mysteriously provides the struct and the
-- * krb5_verify_init_creds function but not this function.
-+ * Call the Solaris issetugid function if available. If not, check whether
-+ * the real and effective UIDs and GIDs match.
- */
--#ifndef HAVE_KRB5_VERIFY_INIT_CREDS_OPT_INIT
--void
--krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *opt)
-+int
-+pamk5_compat_issetugid(void)
- {
-- opt->flags = 0;
-- opt->ap_req_nofail = 0;
--}
-+#ifdef HAVE_ISSETUGID
-+ return issetugid();
-+#else
-+ if (getuid() != geteuid())
-+ return 1;
-+ if (getgid() != getegid())
-+ return 1;
-+ return 0;
- #endif
-+}
-diff --git a/configure.ac b/configure.ac
-index 6835a2d..2d04f58 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -21,6 +22,10 @@ AC_PROG_MAKE_SET
- AC_CANONICAL_HOST
- AC_AIX
-
-+dnl Check for the Solaris issetugid function, which is nicer than comparing
-+dnl real and effective UIDs and GIDs.
-+AC_CHECK_FUNCS([issetugid])
-+
- dnl Probe for the functionality of the PAM libraries and their include file
- dnl naming. Mac OS X puts them in pam/* instead of security/*.
- AC_SEARCH_LIBS([pam_set_data], [pam])
-@@ -46,6 +51,7 @@ AC_CHECK_FUNCS([krb5_appdefault_string \
- krb5_get_init_creds_opt_set_change_password_prompt \
- krb5_get_init_creds_opt_set_default_flags \
- krb5_get_init_creds_opt_set_pa \
-+ krb5_init_secure_context \
- krb5_verify_init_creds_opt_init])
- AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_pkinit],
- [RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT_ARGS])
-diff --git a/context.c b/context.c
-index 9a70aa7..8475d81 100644
---- a/context.c
-+++ b/context.c
-@@ -66,7 +66,10 @@ pamk5_context_new(struct pam_args *args)
- goto done;
- }
- ctx->name = strdup(name);
-- retval = krb5_init_context(&ctx->context);
-+ if (pamk5_compat_issetugid())
-+ retval = pamk5_compat_secure_context(&ctx->context);
-+ else
-+ retval = krb5_init_context(&ctx->context);
- if (retval != 0) {
- pamk5_error_krb5(args, "krb5_init_context", retval);
- retval = PAM_SERVICE_ERR;
-diff --git a/internal.h b/internal.h
-index 48c5b74..7356e8a 100644
---- a/internal.h
-+++ b/internal.h
-@@ -247,6 +247,12 @@ krb5_error_code pamk5_compat_set_realm(struct pam_args *, const char *)
- __attribute__((__visibility__("hidden")));
- void pamk5_compat_free_realm(struct pam_args *)
- __attribute__((__visibility__("hidden")));
-+krb5_error_code pamk5_compat_secure_context(krb5_context *)
-+ __attribute__((__visibility__("hidden")));
-+
-+/* Calls issetugid if available, otherwise checks effective IDs. */
-+int pamk5_compat_issetugid(void)
-+ __attribute__((__visibility__("hidden")));
-
- /* Calls pam_modutil_getpwnam if available, otherwise getpwnam. */
- struct passwd *pamk5_compat_getpwnam(struct pam_args *, const char *)
-diff --git a/options.c b/options.c
-index b03ee0a..e8f9da5 100644
---- a/options.c
-+++ b/options.c
-@@ -276,7 +276,10 @@ pamk5_args_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
- * proceed; we'll die soon enough later and this way we'll die after we
- * know whether to debug things.
- */
-- retval = krb5_init_context(&c);
-+ if (pamk5_compat_issetugid())
-+ retval = pamk5_compat_secure_context(&c);
-+ else
-+ retval = krb5_init_context(&c);
- if (retval != 0)
- c = NULL;
- if (c != NULL) {
diff --git a/sys-auth/pam_krb5/pam_krb5-3.12.ebuild b/sys-auth/pam_krb5/pam_krb5-3.12.ebuild
deleted file mode 100644
index 823a545dc6f3..000000000000
--- a/sys-auth/pam_krb5/pam_krb5-3.12.ebuild
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright 1999-2009 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/pam_krb5/pam_krb5-3.12.ebuild,v 1.4 2009/02/14 16:33:54 armin76 Exp $
-
-inherit multilib eutils pam
-
-DESCRIPTION="Kerberos 5 PAM Authentication Module"
-HOMEPAGE="http://www.eyrie.org/~eagle/software/pam-krb5/"
-SRC_URI="http://archives.eyrie.org/software/ARCHIVE/pam-krb5/pam-krb5-${PV}.tar.gz"
-
-LICENSE="|| ( BSD-2 GPL-2 )"
-SLOT="0"
-KEYWORDS="amd64 ppc sparc x86"
-IUSE="doc"
-
-DEPEND="virtual/krb5"
-RDEPEND="${DEPEND}"
-S="${WORKDIR}/${P/_/-}"
-
-src_unpack() {
- unpack ${A}
- cd "${S}"
- epatch "${FILESDIR}/${P}-CVE-2009-0361-0362.patch"
-}
-
-src_compile() {
- econf \
- --libdir=/$(get_libdir)\
- || die "econf failed"
- emake || die "emake failed"
-}
-
-src_install() {
- newpammod pam_krb5.so pam_krb5.so
- if use doc; then
- doman pam_krb5.5
- dodoc CHANGES CHANGES-old NEWS README TODO
- fi;
-}