Security bump for CVE-2010-{1323,1324,4020}. Working test suite and test USE flag added.

(Portage version: 2.1.9.25/cvs/Linux x86_64)

4 files changed, 425 insertions, 1 deletions

diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog
index 0145625da24f..24a72d4840dd 100644
--- a/app-crypt/mit-krb5/ChangeLog
+++ b/app-crypt/mit-krb5/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for app-crypt/mit-krb5
 # Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.240 2010/11/27 15:23:06 eras Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.241 2010/12/01 07:22:44 eras Exp $
+
+*mit-krb5-1.8.3-r2 (01 Dec 2010)
+
+  01 Dec 2010; Eray Aslan <eras@gentoo.org> +mit-krb5-1.8.3-r2.ebuild,
+  +files/CVE-2010-1323.1324.4020.patch, +files/mit-krb5_testsuite.patch:
+  Security bump. Working test suite with test USE flag.
 
   27 Nov 2010; Eray Aslan <eras@gentoo.org> -mit-krb5-1.8.2.ebuild,
   -mit-krb5-1.8.2-r1.ebuild, -mit-krb5-1.8.3.ebuild:
diff --git a/app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch b/app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch
new file mode 100644
index 000000000000..b1c3793b9ffb
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2010-1323.1324.4020.patch
@@ -0,0 +1,202 @@
+Index: krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c
+===================================================================
+--- krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c	(revision 24455)
++++ krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c	(working copy)
+@@ -691,8 +691,7 @@
+     krb5_reply_key_pack *key_pack = NULL;
+     krb5_reply_key_pack_draft9 *key_pack9 = NULL;
+     krb5_data *encoded_key_pack = NULL;
+-    unsigned int num_types;
+-    krb5_cksumtype *cksum_types = NULL;
++    krb5_cksumtype cksum_type;
+ 
+     pkinit_kdc_context plgctx;
+     pkinit_kdc_req_context reqctx;
+@@ -882,14 +881,25 @@
+                 retval = ENOMEM;
+                 goto cleanup;
+             }
+-            /* retrieve checksums for a given enctype of the reply key */
+-            retval = krb5_c_keyed_checksum_types(context,
+-                                                 encrypting_key->enctype, &num_types, &cksum_types);
+-            if (retval)
+-                goto cleanup;
+ 
+-            /* pick the first of acceptable enctypes for the checksum */
+-            retval = krb5_c_make_checksum(context, cksum_types[0],
++            switch (encrypting_key->enctype) {
++            case ENCTYPE_DES_CBC_MD4:
++                cksum_type = CKSUMTYPE_RSA_MD4_DES;
++                break;
++            case ENCTYPE_DES_CBC_MD5:
++            case ENCTYPE_DES_CBC_CRC:
++                cksum_type = CKSUMTYPE_RSA_MD5_DES;
++                break;
++            default:
++                retval = krb5int_c_mandatory_cksumtype(context,
++                                                       encrypting_key->enctype,
++                                                       &cksum_type);
++                if (retval)
++                    goto cleanup;
++                break;
++            }
++
++            retval = krb5_c_make_checksum(context, cksum_type,
+                                           encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
+                                           req_pkt, &key_pack->asChecksum);
+             if (retval) {
+@@ -1033,7 +1043,6 @@
+         krb5_free_data(context, encoded_key_pack);
+     free(dh_pubkey);
+     free(server_key);
+-    free(cksum_types);
+ 
+     switch ((int)padata->pa_type) {
+     case KRB5_PADATA_PK_AS_REQ:
+Index: krb5-1.8/src/lib/crypto/krb/cksumtypes.c
+===================================================================
+--- krb5-1.8/src/lib/crypto/krb/cksumtypes.c	(revision 24455)
++++ krb5-1.8/src/lib/crypto/krb/cksumtypes.c	(working copy)
+@@ -101,7 +101,7 @@
+ 
+     { CKSUMTYPE_MD5_HMAC_ARCFOUR,
+       "md5-hmac-rc4", { 0 }, "Microsoft MD5 HMAC",
+-      NULL, &krb5int_hash_md5,
++      &krb5int_enc_arcfour, &krb5int_hash_md5,
+       krb5int_hmacmd5_checksum, NULL,
+       16, 16, 0 },
+ };
+Index: krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c
+===================================================================
+--- krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c	(revision 24455)
++++ krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c	(working copy)
+@@ -35,6 +35,13 @@
+ {
+     if (ctp->flags & CKSUM_UNKEYED)
+         return FALSE;
++    /* Stream ciphers do not play well with RFC 3961 key derivation, so be
++     * conservative with RC4. */
++    if ((ktp->etype == ENCTYPE_ARCFOUR_HMAC ||
++         ktp->etype == ENCTYPE_ARCFOUR_HMAC_EXP) &&
++        ctp->ctype != CKSUMTYPE_HMAC_MD5_ARCFOUR &&
++        ctp->ctype != CKSUMTYPE_MD5_HMAC_ARCFOUR)
++        return FALSE;
+     return (!ctp->enc || ktp->enc == ctp->enc);
+ }
+ 
+Index: krb5-1.8/src/lib/crypto/krb/dk/derive.c
+===================================================================
+--- krb5-1.8/src/lib/crypto/krb/dk/derive.c	(revision 24455)
++++ krb5-1.8/src/lib/crypto/krb/dk/derive.c	(working copy)
+@@ -91,6 +91,8 @@
+     blocksize = enc->block_size;
+     keybytes = enc->keybytes;
+ 
++    if (blocksize == 1)
++        return KRB5_BAD_ENCTYPE;
+     if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes)
+         return KRB5_CRYPTO_INTERNAL;
+ 
+Index: krb5-1.8/src/lib/gssapi/krb5/util_crypt.c
+===================================================================
+--- krb5-1.8/src/lib/gssapi/krb5/util_crypt.c	(revision 24455)
++++ krb5-1.8/src/lib/gssapi/krb5/util_crypt.c	(working copy)
+@@ -119,10 +119,22 @@
+     if (code != 0)
+         return code;
+ 
+-    code = (*kaccess.mandatory_cksumtype)(context, subkey->keyblock.enctype,
+-                                          cksumtype);
+-    if (code != 0)
+-        return code;
++    switch (subkey->keyblock.enctype) {
++    case ENCTYPE_DES_CBC_MD4:
++        *cksumtype = CKSUMTYPE_RSA_MD4_DES;
++        break;
++    case ENCTYPE_DES_CBC_MD5:
++    case ENCTYPE_DES_CBC_CRC:
++        *cksumtype = CKSUMTYPE_RSA_MD5_DES;
++        break;
++    default:
++        code = (*kaccess.mandatory_cksumtype)(context,
++                                              subkey->keyblock.enctype,
++                                              cksumtype);
++        if (code != 0)
++            return code;
++        break;
++    }
+ 
+     switch (subkey->keyblock.enctype) {
+     case ENCTYPE_DES_CBC_MD5:
+Index: krb5-1.8/src/lib/krb5/krb/pac.c
+===================================================================
+--- krb5-1.8/src/lib/krb5/krb/pac.c	(revision 24455)
++++ krb5-1.8/src/lib/krb5/krb/pac.c	(working copy)
+@@ -582,6 +582,8 @@
+     checksum.checksum_type = load_32_le(p);
+     checksum.length = checksum_data.length - PAC_SIGNATURE_DATA_LENGTH;
+     checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH;
++    if (!krb5_c_is_keyed_cksum(checksum.checksum_type))
++        return KRB5KRB_AP_ERR_INAPP_CKSUM;
+ 
+     pac_data.length = pac->data.length;
+     pac_data.data = malloc(pac->data.length);
+Index: krb5-1.8/src/lib/krb5/krb/preauth2.c
+===================================================================
+--- krb5-1.8/src/lib/krb5/krb/preauth2.c	(revision 24455)
++++ krb5-1.8/src/lib/krb5/krb/preauth2.c	(working copy)
+@@ -1578,7 +1578,9 @@
+ 
+     cksum = sc2->sam_cksum;
+ 
+-    while (*cksum) {
++    for (; *cksum; cksum++) {
++        if (!krb5_c_is_keyed_cksum((*cksum)->checksum_type))
++            continue;
+         /* Check this cksum */
+         retval = krb5_c_verify_checksum(context, as_key,
+                                         KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM,
+@@ -1592,7 +1594,6 @@
+         }
+         if (valid_cksum)
+             break;
+-        cksum++;
+     }
+ 
+     if (!valid_cksum) {
+Index: krb5-1.8/src/lib/krb5/krb/mk_safe.c
+===================================================================
+--- krb5-1.8/src/lib/krb5/krb/mk_safe.c	(revision 24455)
++++ krb5-1.8/src/lib/krb5/krb/mk_safe.c	(working copy)
+@@ -215,10 +215,28 @@
+             for (i = 0; i < nsumtypes; i++)
+                 if (auth_context->safe_cksumtype == sumtypes[i])
+                     break;
+-            if (i == nsumtypes)
+-                i = 0;
+-            sumtype = sumtypes[i];
+             krb5_free_cksumtypes (context, sumtypes);
++            if (i < nsumtypes)
++                sumtype = auth_context->safe_cksumtype;
++            else {
++                switch (enctype) {
++                case ENCTYPE_DES_CBC_MD4:
++                    sumtype = CKSUMTYPE_RSA_MD4_DES;
++                    break;
++                case ENCTYPE_DES_CBC_MD5:
++                case ENCTYPE_DES_CBC_CRC:
++                    sumtype = CKSUMTYPE_RSA_MD5_DES;
++                    break;
++                default:
++                    retval = krb5int_c_mandatory_cksumtype(context, enctype,
++                                                           &sumtype);
++                    if (retval) {
++                        CLEANUP_DONE();
++                        goto error;
++                    }
++                    break;
++                }
++            }
+         }
+         if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata,
+                                          plocal_fulladdr, premote_fulladdr,
diff --git a/app-crypt/mit-krb5/files/mit-krb5_testsuite.patch b/app-crypt/mit-krb5/files/mit-krb5_testsuite.patch
new file mode 100644
index 000000000000..a91136aafbc5
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5_testsuite.patch
@@ -0,0 +1,93 @@
+--- a/src/tests/dejagnu/config/default.exp	2010-04-21 01:37:22.000000000 +0300
++++ b/src/tests/dejagnu/config/default.exp	2010-11-24 16:51:53.000000000 +0200
+@@ -1619,7 +1619,7 @@
+     set spawnid $spawn_id
+     set pid [exp_pid]
+ 
+-    set markstr "===MARK $pid [clock format [clock seconds]] ==="
++    set markstr "===MARK $pid [clock seconds] ==="
+     puts $f $markstr
+     flush $f
+ 
+--- a/src/tests/dejagnu/krb-standalone/gssapi.exp	2009-06-11 20:27:45.000000000 +0300
++++ b/src/tests/dejagnu/krb-standalone/gssapi.exp	2010-11-24 16:52:21.000000000 +0200
+@@ -182,7 +182,7 @@
+ 	}
+     }
+     catch "expect_after"
+-    if ![check_exit_status $test] {
++    if { [check_exit_status $test] == 0 } {
+ 	# check_exit_staus already calls fail for us
+ 	return
+     }
+@@ -209,59 +209,59 @@
+     global portbase
+ 
+     # Start up the kerberos and kadmind daemons.
+-    if ![start_kerberos_daemons 0] {
++    if { [start_kerberos_daemons 0] == 0 } {
+ 	perror "failed to start kerberos daemons"
+     }
+ 
+     # Use kadmin to add a key for us.
+-    if ![add_kerberos_key gsstest0 0] {
++    if { [add_kerberos_key gsstest0 0] == 0 } {
+ 	perror "failed to set up gsstest0 key"
+     }
+ 
+     # Use kadmin to add a key for us.
+-    if ![add_kerberos_key gsstest1 0] {
++    if { [add_kerberos_key gsstest1 0] ==0 } {
+ 	perror "failed to set up gsstest1 key"
+     }
+ 
+     # Use kadmin to add a key for us.
+-    if ![add_kerberos_key gsstest2 0] {
++    if { [add_kerberos_key gsstest2 0] == 0 } {
+ 	perror "failed to set up gsstest2 key"
+     }
+ 
+     # Use kadmin to add a key for us.
+-    if ![add_kerberos_key gsstest3 0] {
++    if { [add_kerberos_key gsstest3 0] == 0 } {
+ 	perror "failed to set up gsstest3 key"
+     }
+ 
+     # Use kadmin to add a service key for us.
+-    if ![add_random_key gssservice/$hostname 0] {
++    if { [add_random_key gssservice/$hostname 0] == 0 } {
+ 	perror "failed to set up gssservice/$hostname key"
+     }
+ 
+     # Use kdb5_edit to create a srvtab entry for gssservice
+-    if ![setup_srvtab 0 gssservice] {
++    if { [setup_srvtab 0 gssservice] == 0 } {
+ 	perror "failed to set up gssservice srvtab"
+     }
+ 
+     catch "exec rm -f $tmppwd/gss_tk_0 $tmppwd/gss_tk_1 $tmppwd/gss_tk_2 $tmppwd/gss_tk_3"
+ 
+     # Use kinit to get a ticket.
+-    if ![our_kinit gsstest0 gsstest0$KEY $tmppwd/gss_tk_0] {
++    if { [our_kinit gsstest0 gsstest0$KEY $tmppwd/gss_tk_0] == 0 } {
+ 	perror "failed to kinit gsstest0"
+     }
+ 
+     # Use kinit to get a ticket.
+-    if ![our_kinit gsstest1 gsstest1$KEY $tmppwd/gss_tk_1] {
++    if { [our_kinit gsstest1 gsstest1$KEY $tmppwd/gss_tk_1] == 0 } {
+ 	perror "failed to kinit gsstest1"
+     }
+ 
+     # Use kinit to get a ticket.
+-    if ![our_kinit gsstest2 gsstest2$KEY $tmppwd/gss_tk_2] {
++    if { [our_kinit gsstest2 gsstest2$KEY $tmppwd/gss_tk_2] == 0 } {
+ 	perror "failed to kinit gsstest2"
+     }
+ 
+     # Use kinit to get a ticket.
+-    if ![our_kinit gsstest3 gsstest3$KEY $tmppwd/gss_tk_3] {
++    if { [our_kinit gsstest3 gsstest3$KEY $tmppwd/gss_tk_3] == 0 } {
+ 	perror "failed to kinit gsstest3"
+     }
+ 
diff --git a/app-crypt/mit-krb5/mit-krb5-1.8.3-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.8.3-r2.ebuild
new file mode 100644
index 000000000000..5e5518b1599c
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.8.3-r2.ebuild
@@ -0,0 +1,123 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.8.3-r2.ebuild,v 1.1 2010/12/01 07:22:44 eras Exp $
+
+EAPI=2
+
+inherit eutils flag-o-matic versionator
+
+MY_P=${P/mit-}
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="doc ldap test xinetd"
+
+RDEPEND="!!app-crypt/heimdal
+	>=sys-libs/e2fsprogs-libs-1.41.0
+	sys-apps/keyutils
+	ldap? ( net-nds/openldap )
+	xinetd? ( sys-apps/xinetd )"
+DEPEND="${RDEPEND}
+	doc? ( virtual/latex-base )
+	test? ( dev-lang/tcl
+	        dev-lang/perl
+			dev-util/dejagnu )"
+
+S=${WORKDIR}/${MY_P}/src
+
+PROVIDE="virtual/krb5"
+
+src_unpack() {
+	unpack ${A}
+	unpack ./"${MY_P}".tar.gz
+}
+
+src_prepare() {
+	epatch "${FILESDIR}/CVE-2010-1322.patch"
+	epatch "${FILESDIR}/CVE-2010-1323.1324.4020.patch"
+	epatch "${FILESDIR}/mit-krb5_testsuite.patch"
+}
+
+src_configure() {
+	local myconf=""
+	if use test; then
+		myconf="--with-tcl=/usr"
+	fi
+	append-flags "-I/usr/include/et"
+	econf \
+		$(use_with ldap) \
+		$(use_with test tcl /usr) \
+		--without-krb4 \
+		--enable-shared \
+		--with-system-et \
+		--with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-replay-cache \
+		--disable-rpath
+}
+
+src_compile() {
+	emake -j1 || die "emake failed"
+
+	if use doc ; then
+		cd ../doc
+		for dir in api implement ; do
+			emake -C "${dir}" || die "doc emake failed"
+		done
+	fi
+}
+
+src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR="/usr/share/doc/${PF}/examples" \
+		install || die "install failed"
+
+	# default database dir
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+	dodoc doc/*.ps
+	doinfo doc/*.info*
+	dohtml -r doc/*
+
+	# die if we cannot respect a USE flag
+	if use doc ; then
+	    dodoc doc/{api,implement}/*.ps || die "dodoc failed"
+	fi
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind || die
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc || die
+
+	insinto /etc
+	newins "${D}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	insinto /var/lib/krb5kdc
+	newins "${D}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	if use ldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema" || die
+	fi
+
+	if use xinetd ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/kpropd.xinetd" kpropd || die
+	fi
+}
+
+pkg_preinst() {
+	if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
+		einfo ""
+		elog "MIT split the Kerberos applications from the base Kerberos"
+		elog "distribution.  Kerberized versions of telnet, rlogin, rsh, rcp,"
+		elog "ftp clients and telnet, ftp deamons now live in"
+		elog "\"app-crypt/mit-krb5-appl\" package."
+		einfo ""
+	fi
+}