http://www.pdc.kth.se/heimdal/advisory/2006-02-06/

Changes in Heimdal 0.7.2

* Fix security problem in rshd that enables an attacker to overwrite
  and change ownership of any file that root could write.
* Fix a DoS in telnetd. The attacker could force the server to crash
  in a NULL de-reference before the user logged in, resulting in inetd
  turning telnetd off because it forked too fast.
* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
  exists in the keytab before returning success. This allows servers
  to check if it's even possible to use GSSAPI.
* Fix receiving end of token delegation for GSS-API. It still wrongly
  uses subkey for sending for compatibility reasons, this will change
  in 0.8.
* telnetd, login and rshd are now more verbose in logging failed and
  successful logins.
* Bug fixes
lha 2006-02-07 12:20:52 +00:00
parent a67f880f33
commit ae3b03d6dd
10 changed files with 6 additions and 308 deletions


@ -1,7 +1,6 @@
# $NetBSD: Makefile,v 1.53 2006/01/25 03:47:51 jlam Exp $
# $NetBSD: Makefile,v 1.54 2006/02/07 12:20:52 lha Exp $
DISTNAME= heimdal-0.7.1
PKGREVISION= 2
DISTNAME= heimdal-0.7.2
CATEGORIES= security
MASTER_SITES= ftp://ftp.pdc.kth.se/pub/heimdal/src/ \
ftp://ftp.sunet.se/pub/unix/admin/mirror-pdc/heimdal/src/


@ -1,15 +1,7 @@
$NetBSD: distinfo,v 1.18 2005/10/29 21:05:28 tonio Exp $
$NetBSD: distinfo,v 1.19 2006/02/07 12:20:52 lha Exp $
SHA1 (heimdal-0.7.1.tar.gz) = ab3e6f5fe6de86f7ba7413f8600f9b1ed956b620
RMD160 (heimdal-0.7.1.tar.gz) = 30373d227452e20187ca4bad1dc980c3f952be26
Size (heimdal-0.7.1.tar.gz) = 4515175 bytes
SHA1 (patch-ab) = 50c526185cd64e48b7b60f154011e5efa6930570
SHA1 (heimdal-0.7.2.tar.gz) = a902e6ad7c31d940b588dc0235b348936f0d719d
RMD160 (heimdal-0.7.2.tar.gz) = 0f028a9d5a6a66e8efc0397e4d8c8adc2183b409
Size (heimdal-0.7.2.tar.gz) = 4525734 bytes
SHA1 (patch-ac) = 313c0a1f91e4f9546ae906f981adae0d499dd9cf
SHA1 (patch-ad) = a7cfc038e76f8c3da38f8eb0ee48a7f8c7a9c7df
SHA1 (patch-ae) = a9ec9b28a6291786631f900972fe231150d4afe0
SHA1 (patch-af) = c8ef770eba0647d71f3bbbaca1d3fb0eaa7875d2
SHA1 (patch-ag) = 003307136227d75729fc4d7f95a7debc7e91136e
SHA1 (patch-ah) = 797785f2f5f1530782d42393d2cc242f03fc20e6
SHA1 (patch-ai) = 55276d0becee47ae62ccfe5cd837b0fd4d7e6ff6
SHA1 (patch-aj) = ad30690ce7b7f11a80513df4d3e932bce095d863
SHA1 (patch-ak) = cf9cf0dd7b40e7fe46efbd4954a66bc451179f4b


@ -1,30 +0,0 @@
$NetBSD: patch-ab,v 1.2 2005/10/26 15:12:45 jlam Exp $
--- cf/install-catman.sh.orig 2005-09-09 08:12:22.000000000 -0400
+++ cf/install-catman.sh
@@ -9,6 +9,7 @@ mkinstalldirs="$1"; shift
srcdir="$1"; shift
manbase="$1"; shift
suffix="$1"; shift
+catinstall="${INSTALL_CATPAGES-yes}"
for f in "$@"; do
base=`echo "$f" | sed 's/\(.*\)\.\([^.]*\)$/\1/'`
@@ -17,7 +18,7 @@ for f in "$@"; do
catdir="$manbase/cat$section"
c="$base.cat$section"
- if test -f "$srcdir/$c"; then
+ if test "$catinstall" = yes -a -f "$srcdir/$c"; then
if test \! -d "$catdir"; then
eval "$mkinstalldirs $catdir"
fi
@@ -36,7 +37,7 @@ for f in "$@"; do
break
fi
done
- if test -f "$srcdir/$c"; then
+ if test "$catinstall" = yes -a -f "$srcdir/$c"; then
target="$catdir/$link.$suffix"
for cmd in "ln -f $catdir/$base.$suffix $target" \
"ln -fs $base.$suffix $target" \


@ -1,13 +0,0 @@
$NetBSD: patch-ae,v 1.5 2005/10/26 15:12:45 jlam Exp $
--- lib/krb5/krb5_encrypt.3.orig 2005-09-09 08:12:13.000000000 -0400
+++ lib/krb5/krb5_encrypt.3
@@ -44,7 +44,7 @@
.Nm krb5_decrypt_ivec ,
.Nm krb5_decrypt_ticket ,
.Nm krb5_encrypt ,
-.Nm krb5_encrypt_EncryptedData,
+.Nm krb5_encrypt_EncryptedData ,
.Nm krb5_encrypt_ivec ,
.Nm krb5_enctype_disable ,
.Nm krb5_enctype_keysize ,


@ -1,12 +0,0 @@
$NetBSD: patch-af,v 1.3 2005/10/26 15:12:45 jlam Exp $
--- lib/krb5/Makefile.in.orig 2005-09-09 08:17:31.000000000 -0400
+++ lib/krb5/Makefile.in
@@ -737,6 +737,7 @@ man_MANS = \
krb5_rcache.3 \
krb5_rd_error.3 \
krb5_set_default_realm.3 \
+ krb5_set_password.3 \
krb5_storage.3 \
krb5_string_to_key.3 \
krb5_ticket.3 \


@ -1,13 +0,0 @@
$NetBSD: patch-ag,v 1.3 2005/10/26 16:44:24 jlam Exp $
--- lib/krb5/krb5.h.orig 2005-09-09 08:12:13.000000000 -0400
+++ lib/krb5/krb5.h
@@ -657,7 +657,7 @@ typedef struct _krb5_get_init_creds_opt
krb5_preauthtype *preauth_list;
int preauth_list_length;
krb5_data *salt;
- struct _krb5_get_init_creds_opt_private *private;
+ struct _krb5_get_init_creds_opt_private *opt_private;
} krb5_get_init_creds_opt;
#define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE 0x0001


@ -1,99 +0,0 @@
$NetBSD: patch-ah,v 1.3 2005/10/26 16:44:24 jlam Exp $
--- lib/krb5/init_creds.c.orig 2005-09-09 08:12:13.000000000 -0400
+++ lib/krb5/init_creds.c
@@ -40,7 +40,7 @@ krb5_get_init_creds_opt_init(krb5_get_in
{
memset (opt, 0, sizeof(*opt));
opt->flags = 0;
- opt->private = NULL;
+ opt->opt_private = NULL;
}
krb5_error_code KRB5_LIB_FUNCTION
@@ -56,13 +56,13 @@ krb5_get_init_creds_opt_alloc(krb5_conte
return ENOMEM;
}
krb5_get_init_creds_opt_init(o);
- o->private = calloc(1, sizeof(*o->private));
- if (o->private == NULL) {
+ o->opt_private = calloc(1, sizeof(*o->opt_private));
+ if (o->opt_private == NULL) {
krb5_set_error_string(context, "out of memory");
free(o);
return ENOMEM;
}
- o->private->refcount = 1;
+ o->opt_private->refcount = 1;
*opt = o;
return 0;
}
@@ -82,16 +82,16 @@ _krb5_get_init_creds_opt_copy(krb5_conte
}
if (in)
*opt = *in;
- if(opt->private == NULL) {
- opt->private = calloc(1, sizeof(*opt->private));
- if (opt->private == NULL) {
+ if(opt->opt_private == NULL) {
+ opt->opt_private = calloc(1, sizeof(*opt->opt_private));
+ if (opt->opt_private == NULL) {
krb5_set_error_string(context, "out of memory");
free(opt);
return ENOMEM;
}
- opt->private->refcount = 1;
+ opt->opt_private->refcount = 1;
} else
- opt->private->refcount++;
+ opt->opt_private->refcount++;
*out = opt;
return 0;
}
@@ -99,13 +99,13 @@ _krb5_get_init_creds_opt_copy(krb5_conte
void KRB5_LIB_FUNCTION
krb5_get_init_creds_opt_free(krb5_get_init_creds_opt *opt)
{
- if (opt->private == NULL)
+ if (opt->opt_private == NULL)
return;
- if (opt->private->refcount < 1) /* abort ? */
+ if (opt->opt_private->refcount < 1) /* abort ? */
return;
- if (--opt->private->refcount == 0) {
+ if (--opt->opt_private->refcount == 0) {
_krb5_get_init_creds_opt_free_pkinit(opt);
- free(opt->private);
+ free(opt->opt_private);
}
memset(opt, 0, sizeof(*opt));
free(opt);
@@ -293,7 +293,7 @@ require_ext_opt(krb5_context context,
krb5_get_init_creds_opt *opt,
const char *type)
{
- if (opt->private == NULL) {
+ if (opt->opt_private == NULL) {
krb5_set_error_string(context, "%s on non extendable opt", type);
return EINVAL;
}
@@ -310,8 +310,8 @@ krb5_get_init_creds_opt_set_pa_password(
ret = require_ext_opt(context, opt, "init_creds_opt_set_pa_password");
if (ret)
return ret;
- opt->private->password = password;
- opt->private->key_proc = key_proc;
+ opt->opt_private->password = password;
+ opt->opt_private->key_proc = key_proc;
return 0;
}
@@ -324,7 +324,7 @@ krb5_get_init_creds_opt_set_pac_request(
ret = require_ext_opt(context, opt, "init_creds_opt_set_pac_req");
if (ret)
return ret;
- opt->private->req_pac = req_pac ?
+ opt->opt_private->req_pac = req_pac ?
KRB5_PA_PAC_REQ_TRUE :
KRB5_PA_PAC_REQ_FALSE;
return 0;


@ -1,41 +0,0 @@
$NetBSD: patch-ai,v 1.1 2005/10/26 16:44:24 jlam Exp $
--- lib/krb5/init_creds_pw.c.orig 2005-09-09 08:12:13.000000000 -0400
+++ lib/krb5/init_creds_pw.c
@@ -274,11 +274,11 @@ get_init_creds_common(krb5_context conte
options = &default_opt;
}
- if (options->private) {
- ctx->password = options->private->password;
- ctx->key_proc = options->private->key_proc;
- ctx->req_pac = options->private->req_pac;
- ctx->pk_init_ctx = options->private->pk_init_ctx;
+ if (options->opt_private) {
+ ctx->password = options->opt_private->password;
+ ctx->key_proc = options->opt_private->key_proc;
+ ctx->req_pac = options->opt_private->req_pac;
+ ctx->pk_init_ctx = options->opt_private->pk_init_ctx;
} else
ctx->req_pac = KRB5_PA_PAC_DONT_CARE;
@@ -1458,8 +1458,8 @@ krb5_get_init_creds_password(krb5_contex
return ret;
if (password == NULL &&
- options->private->password == NULL &&
- options->private->pk_init_ctx == NULL)
+ options->opt_private->password == NULL &&
+ options->opt_private->pk_init_ctx == NULL)
{
krb5_prompt prompt;
krb5_data password_data;
@@ -1487,7 +1487,7 @@ krb5_get_init_creds_password(krb5_contex
password = password_data.data;
}
- if (options->private->password == NULL) {
+ if (options->opt_private->password == NULL) {
ret = krb5_get_init_creds_opt_set_pa_password(context, options,
password, NULL);
if (ret) {


@ -1,71 +0,0 @@
$NetBSD: patch-aj,v 1.1 2005/10/26 16:44:24 jlam Exp $
--- lib/krb5/pkinit.c.orig 2005-09-09 08:12:14.000000000 -0400
+++ lib/krb5/pkinit.c
@@ -2469,9 +2469,9 @@ _krb5_get_init_creds_opt_free_pkinit(krb
#ifdef PKINIT
krb5_pk_init_ctx ctx;
- if (opt->private == NULL || opt->private->pk_init_ctx == NULL)
+ if (opt->opt_private == NULL || opt->opt_private->pk_init_ctx == NULL)
return;
- ctx = opt->private->pk_init_ctx;
+ ctx = opt->opt_private->pk_init_ctx;
if (ctx->dh)
DH_free(ctx->dh);
ctx->dh = NULL;
@@ -2490,7 +2490,7 @@ _krb5_get_init_creds_opt_free_pkinit(krb
free(ctx->id);
ctx->id = NULL;
}
- opt->private->pk_init_ctx = NULL;
+ opt->opt_private->pk_init_ctx = NULL;
#endif
}
@@ -2508,28 +2508,28 @@ krb5_get_init_creds_opt_set_pkinit(krb5_
#ifdef PKINIT
krb5_error_code ret;
- if (opt->private == NULL) {
+ if (opt->opt_private == NULL) {
krb5_set_error_string(context, "PKINIT: on non extendable opt");
return EINVAL;
}
- opt->private->pk_init_ctx = malloc(sizeof(*opt->private->pk_init_ctx));
- if (opt->private->pk_init_ctx == NULL) {
+ opt->opt_private->pk_init_ctx = malloc(sizeof(*opt->opt_private->pk_init_ctx));
+ if (opt->opt_private->pk_init_ctx == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
return ENOMEM;
}
- opt->private->pk_init_ctx->dh = NULL;
- opt->private->pk_init_ctx->id = NULL;
+ opt->opt_private->pk_init_ctx->dh = NULL;
+ opt->opt_private->pk_init_ctx->id = NULL;
ret = _krb5_pk_load_openssl_id(context,
- &opt->private->pk_init_ctx->id,
+ &opt->opt_private->pk_init_ctx->id,
user_id,
x509_anchors,
prompter,
prompter_data,
password);
if (ret) {
- free(opt->private->pk_init_ctx);
- opt->private->pk_init_ctx = NULL;
+ free(opt->opt_private->pk_init_ctx);
+ opt->opt_private->pk_init_ctx = NULL;
}
/* XXX */
@@ -2556,7 +2556,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_
_krb5_get_init_creds_opt_free_pkinit(opt);
return ENOMEM;
}
- opt->private->pk_init_ctx->dh = dh;
+ opt->opt_private->pk_init_ctx->dh = dh;
if (!BN_hex2bn(&dh->p, P)) {
_krb5_get_init_creds_opt_free_pkinit(opt);
return ENOMEM;


@ -1,14 +0,0 @@
$NetBSD: patch-ak,v 1.2 2005/10/29 21:05:28 tonio Exp $
--- kcm/connect.c.orig 2005-10-29 17:36:00.000000000 +0200
+++ kcm/connect.c
@@ -32,4 +32,9 @@
*/
+#if defined(__DragonFly__) || defined(__APPLE__)
+#include <sys/param.h>
+#include <sys/ucred.h>
+#endif
+
#include "kcm_locl.h"