authorA. Wilcox <AWilcox@Wilcox-Tech.com>2018-07-04 19:22:35 -0500
committerA. Wilcox <AWilcox@Wilcox-Tech.com>2018-07-04 19:22:35 -0500
commit81428a313f361f9befbee70a17f659752ad331c1 (patch)
treeea14faf0854d98e34930395a5468682cc00138ba
parentc864e0201a1d0515fa07be1baa881972d69ab6f8 (diff)
user/heimdal: pull in for cyrus-sasl
-rw-r--r--user/heimdal/005_all_heimdal-suid_fix.patch20
-rw-r--r--user/heimdal/APKBUILD131
-rw-r--r--user/heimdal/CVE-2017-17439.patch45
-rwxr-xr-xuser/heimdal/heimdal-kadmind.initd24
-rwxr-xr-xuser/heimdal/heimdal-kdc.initd23
-rwxr-xr-xuser/heimdal/heimdal-kpasswdd.initd24
-rw-r--r--user/heimdal/heimdal_missing-include.patch11
-rw-r--r--user/heimdal/only-build-libedit-when-necessary.patch21
8 files changed, 299 insertions, 0 deletions
diff --git a/user/heimdal/005_all_heimdal-suid_fix.patch b/user/heimdal/005_all_heimdal-suid_fix.patch
new file mode 100644
index 000000000..0524db61e
--- /dev/null
+++ b/user/heimdal/005_all_heimdal-suid_fix.patch
@@ -0,0 +1,20 @@
+--- appl/su/Makefile.am 2005-06-16 18:27:46.000000000 +0200
++++ b/appl/su/Makefile.am 2005-06-27 23:25:21.000000000 +0200
+@@ -7,6 +7,7 @@
+ bin_PROGRAMS = su
+ bin_SUIDS = su
+ su_SOURCES = su.c supaths.h
++su_LDFLAGS = -Wl,-z,now
+ man_MANS = su.1
+
+ LDADD = $(LIB_kafs) \
+--- appl/otp/Makefile.am 2005-06-16 18:28:46.000000000 +0200
++++ b/appl/otp/Makefile.am 2005-06-27 23:25:40.000000000 +0200
+@@ -8,6 +8,7 @@
+ bin_SUIDS = otp
+ otp_SOURCES = otp.c otp_locl.h
+ otpprint_SOURCES = otpprint.c otp_locl.h
++otp_LDFLAGS = -Wl,-z,now
+
+ man_MANS = otp.1 otpprint.1
+
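Review bot: `-Wl,-z,now` on its own, as added in `su_LDFLAGS` and `otp_LDFLAGS`, only forces eager symbol binding; the GOT of these setuid binaries becomes read-only after startup only when the link also uses `-z relro`. Whether the distribution toolchain enables relro by default is not visible in this commit, so I would spell it out: `su_LDFLAGS = -Wl,-z,relro,-z,now` and `otp_LDFLAGS = -Wl,-z,relro,-z,now`. A one-line header in the patch saying why the setuid programs get these flags would also help the next packager.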
diff --git a/user/heimdal/APKBUILD b/user/heimdal/APKBUILD
new file mode 100644
index 000000000..f8cb57211
--- /dev/null
+++ b/user/heimdal/APKBUILD
@@ -0,0 +1,131 @@
+# Contributor: Natanael Copa <ncopa@alpinelinux.org>
+# Maintainer:
+pkgname=heimdal
+pkgver=7.5.0
+pkgrel=2
+pkgdesc="An implementation of Kerberos 5"
+url="http://www.h5l.org/"
+arch="all"
+options="suid"
+license="BSD-3-Clause AND BSD-2-Clause AND Public-Domain AND MIT"
+depends="krb5-conf"
+depends_dev="openssl-dev e2fsprogs-dev db-dev"
+makedepends="$depends_dev autoconf automake bash libtool
+ ncurses-dev perl libedit-dev sqlite-dev texinfo perl-json"
+install=
+subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-openrc"
+source="https://github.com/heimdal/heimdal/releases/download/heimdal-$pkgver/heimdal-$pkgver.tar.gz
+ heimdal-kadmind.initd
+ heimdal-kdc.initd
+ heimdal-kpasswdd.initd
+
+ 005_all_heimdal-suid_fix.patch
+ heimdal_missing-include.patch
+ only-build-libedit-when-necessary.patch
+ "
+
+# secfixes:
+# 7.4.0-r2:
+# - CVE-2017-17439
+# 7.4.0-r0:
+# - CVE-2017-11103
+
+prepare() {
+ [ -e /usr/lib/libasn1.so ] && echo "## remove old heimdal pkg first ##" && return 1
+
+ cd "$builddir"
+ default_prepare
+
+ sh ./autogen.sh
+}
+
+build() {
+ cd "$builddir"
+ export LDFLAGS="${LDFLAGS} -Wl,--as-needed"
+ export LIBS="-ldb"
+
+ ./configure \
+ --build=$CBUILD \
+ --host=$CHOST \
+ --prefix=/usr \
+ --enable-shared=yes \
+ --without-x \
+ --with-berkeley-db \
+ --with-libedit=/usr \
+ --with-libedit-lib=/usr/lib \
+ --with-sqlite3=/usr \
+ --without-openssl
+
+ # make sure we use system version
+ rm -r lib/sqlite lib/com_err
+
+ # workarount a parallell build issue
+ make -C lib/asn1 der-protos.h der-private.h
+ make -C lib/kadm5 kadm5-protos.h kadm5-private.h kadm5_err.h
+ make -C lib/krb5 krb5-protos.h krb5-private.h krb5_err.h krb_err.h \
+ heim_err.h k524_err.h
+ make -C lib/hx509 hx509-private.h hx509-protos.h
+ make
+}
+
+check() {
+ cd "$builddir"
+ make -j1 check
+}
+
+package() {
+ cd "$builddir"
+ make DESTDIR="$pkgdir" exec_prefix=/usr sysconfdir=/etc \
+ mandir=/usr/share/man infodir=/usr/share/info datadir=/var/lib/heimdal \
+ localstatedir=/var/lib/heimdal libexecdir=/usr/sbin install
+
+
+ install -m755 -D "$srcdir"/heimdal-kadmind.initd \
+ "$pkgdir"/etc/init.d/heimdal-kadmind
+ install -m755 -D "$srcdir"/heimdal-kdc.initd \
+ "$pkgdir"/etc/init.d/heimdal-kdc
+ install -m755 -D "$srcdir"/heimdal-kpasswdd.initd \
+ "$pkgdir"/etc/init.d/heimdal-kpasswdd
+
+ for i in 1 3 5 8; do
+ rm -rf "$pkgdir"/usr/share/man/cat$i
+ done
+
+ # Remove conflicts
+ # e2fsprogs
+ rm -f "$pkgdir"/usr/bin/compile_et \
+ "$pkgdir"/usr/share/man/man1/compile_et.1
+
+ # Compress info pages
+ for page in heimdal hx509; do
+ gzip -9 "$pkgdir"/usr/share/info/${page}.info
+ done
+
+ # Install the license
+ install -d "$pkgdir"/usr/share/licenses/$pkgname
+ install -D -m644 "$builddir"/LICENSE \
+ "$pkgdir"/usr/share/licenses/$pkgname/
+}
+
+libs() {
+ pkgdesc="Heimdal libraries"
+ replaces="heimdal"
+ depends="krb5-conf"
+ mkdir -p "$subpkgdir"/usr/bin "$subpkgdir"/usr/sbin
+ mv "$pkgdir"/usr/lib "$subpkgdir"/usr/
+ mv "$pkgdir"/usr/bin/string2key \
+ "$pkgdir"/usr/bin/verify_krb5_conf \
+ "$subpkgdir"/usr/bin/
+ mv "$pkgdir"/usr/sbin/kdigest \
+ "$pkgdir"/usr/sbin/digest-service \
+ "$subpkgdir"/usr/sbin/
+
+}
+
+sha512sums="6d1ad77e795df786680b5e68e2bfefee27bd0207eab507295d7af7053135de9c9ebb517d2c0235bc3a7d50945e18044515f0d76c0899b6b74aa839f1f3e5b131 heimdal-7.5.0.tar.gz
+0ae0fec4bdb3907d9e82e788e12ef185dd00e6db4c17f55758da5600fedd72ed1118b6b492d039f91cc54d54bf2f79f624ea38a68067e424b737b128494a4bbd heimdal-kadmind.initd
+4dca69bb1c1c6dfce8c0fc1da84855e4549be478ab09511fa5143ee61d1609fed7f3303179bc1e499b0f20445e04c41eda132dd1c5f72e2fea4fcf60a35ad2a9 heimdal-kdc.initd
+abee8390632fa775e74900d09e5c72b02fe4f9616b43cc8d0a76175486ed6d4707fb3ce4d06ceb09b0e8d1384e037c3cff6525e11def0122c35c32eebd0d196f heimdal-kpasswdd.initd
+2a6b20588a86a9ea3c35209b96ef2da0b39bc3112aec1505e69a60efc9ffb9ddc1d0dbdfaf864142e9d2f81da3d2653de56d6ffa01871c20fde17e4642625c56 005_all_heimdal-suid_fix.patch
+e89efdc942c512363aac1d9797c6bf622324e9200e282bc5ed680300b9e1b39a4ea20f059cdac8f22f972eb0af0e625fd41f267ebcafcfec0aaa81192aff79c1 heimdal_missing-include.patch
+d1c50b0a656f15afeae78ce0ace0f9adceea028e118f3952a724d23c63bba7d5c9a50980de16c7606a93769c0aa48ce3b932e8a64f5d7a2127d31d2f39e9688d only-build-libedit-when-necessary.patch"
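Review bot: `depends_dev` lists `openssl-dev` while `build()` configures with `--without-openssl`, so the two disagree about the crypto backend. With that switch Heimdal presumably falls back to its bundled crypto code, which would mean crypto fixes no longer arrive through the system library, while every consumer of `heimdal-dev` still pulls in `openssl-dev` for no visible reason. Either drop `openssl-dev` from `depends_dev` and put a comment above the flag stating why the system library is not used, or build against the system library.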
diff --git a/user/heimdal/CVE-2017-17439.patch b/user/heimdal/CVE-2017-17439.patch
new file mode 100644
index 000000000..8c3273971
--- /dev/null
+++ b/user/heimdal/CVE-2017-17439.patch
@@ -0,0 +1,45 @@
+From 749d377fa357351a7bbba51f8aae72cdf0629592 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@twosigma.com>
+Date: Tue, 5 Dec 2017 18:49:50 -0500
+Subject: [PATCH] Security: Avoid NULL structure pointer member dereference
+
+This can happen in the error path when processing malformed AS
+requests with a NULL client name. Bug originally introduced on
+Fri Feb 13 09:26:01 2015 +0100 in commit:
+
+ a873e21d7c06f22943a90a41dc733ae76799390d
+
+ kdc: base _kdc_fast_mk_error() on krb5_mk_error_ext()
+
+Original patch by Jeffrey Altman <jaltman@secure-endpoints.com>
+
+(cherry picked from commit 1a6a6e462dc2ac6111f9e02c6852ddec4849b887)
+---
+ kdc/kerberos5.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
+index 95a74927f7..675b406b82 100644
+--- a/kdc/kerberos5.c
++++ b/kdc/kerberos5.c
+@@ -2226,15 +2226,17 @@ _kdc_as_rep(kdc_request_t r,
+ /*
+ * In case of a non proxy error, build an error message.
+ */
+- if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
++ if (ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
+ ret = _kdc_fast_mk_error(context, r,
+ &error_method,
+ r->armor_crypto,
+ &req->req_body,
+ ret, r->e_text,
+ r->server_princ,
+- &r->client_princ->name,
+- &r->client_princ->realm,
++ r->client_princ ?
++ &r->client_princ->name : NULL,
++ r->client_princ ?
++ &r->client_princ->realm : NULL,
+ NULL, NULL,
+ reply);
+ if (ret)
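Review bot: This patch file is added to `user/heimdal/` but the APKBUILD in the same commit never references it: it is missing from `source=` and from `sha512sums`, so it is not applied to the build. The `# secfixes:` comment attributes CVE-2017-17439 to 7.4.0-r2 and the package is now 7.5.0, which upstream is understood to ship with this fix, so the file is most likely dead and should be removed rather than suggest a backport is in effect. If the fix turns out not to be in the 7.5.0 tarball, add `CVE-2017-17439.patch` to `source=` with its checksum instead. The embedded hunk covers only part of `_kdc_as_rep`, whose body starts and ends outside it.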
diff --git a/user/heimdal/heimdal-kadmind.initd b/user/heimdal/heimdal-kadmind.initd
new file mode 100755
index 000000000..73f23815c
--- /dev/null
+++ b/user/heimdal/heimdal-kadmind.initd
@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kadmind,v 1.3 2004/09/13 22:44:54 solar Exp $
+
+depend() {
+ need net
+ use heimdal-kdc
+ after logger
+}
+
+start() {
+ ebegin "Starting heimdal kadmind"
+ /usr/sbin/kadmind &
+ echo $! > /var/run/heimdal-kadmind.pid
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping heimdal kadmind"
+ start-stop-daemon --stop --quiet --exec \
+ /usr/sbin/kadmind
+ eend $?
+}
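Review bot: `start()` backgrounds `/usr/sbin/kadmind` with `&`, so `eend $?` reports the exit status of the `echo` that writes the pidfile, not of kadmind, and `stop()` then ignores that pidfile and matches on `--exec`. Let start-stop-daemon own both sides so the recorded pid and the stop target agree: `start-stop-daemon --start --quiet --background --make-pidfile --pidfile /var/run/heimdal-kadmind.pid --exec /usr/sbin/kadmind`, and add `--pidfile /var/run/heimdal-kadmind.pid` to the stop call. `heimdal-kpasswdd.initd` has a milder form of the same issue, using `--background` with no pidfile at all.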
diff --git a/user/heimdal/heimdal-kdc.initd b/user/heimdal/heimdal-kdc.initd
new file mode 100755
index 000000000..32288c4e7
--- /dev/null
+++ b/user/heimdal/heimdal-kdc.initd
@@ -0,0 +1,23 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kdc,v 1.2 2004/09/13 15:40:34 dragonheart Exp $
+
+depend() {
+ need net
+ after logger
+}
+
+start() {
+ ebegin "Starting heimdal kdc"
+ start-stop-daemon --start --quiet --exec \
+ /usr/sbin/kdc -- --detach
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping heimdal kdc"
+ start-stop-daemon --stop --quiet --exec \
+ /usr/sbin/kdc
+ eend $?
+}
diff --git a/user/heimdal/heimdal-kpasswdd.initd b/user/heimdal/heimdal-kpasswdd.initd
new file mode 100755
index 000000000..5fc21e0dc
--- /dev/null
+++ b/user/heimdal/heimdal-kpasswdd.initd
@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kpasswdd,v 1.3 2004/09/13 22:44:54 solar Exp $
+
+depend() {
+ need net
+ use heimdal-kdc
+ after logger
+}
+
+start() {
+ ebegin "Starting heimdal kpasswdd"
+ start-stop-daemon --background --start --quiet --exec \
+ /usr/sbin/kpasswdd
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping heimdal kpasswdd"
+ start-stop-daemon --stop --quiet --exec \
+ /usr/sbin/kpasswdd
+ eend $?
+}
diff --git a/user/heimdal/heimdal_missing-include.patch b/user/heimdal/heimdal_missing-include.patch
new file mode 100644
index 000000000..8cca906a7
--- /dev/null
+++ b/user/heimdal/heimdal_missing-include.patch
@@ -0,0 +1,11 @@
+--- lib/base/test_base.c 2011-09-30 15:58:45.000000000 +0300
++++ b/lib/base/test_base.c 2011-12-27 23:04:50.482955923 +0200
+@@ -39,6 +39,8 @@
+ #include "heimbase.h"
+ #include "heimbasepriv.h"
+
++#include <stdlib.h>
++
+ static void
+ memory_free(heim_object_t obj)
+ {
diff --git a/user/heimdal/only-build-libedit-when-necessary.patch b/user/heimdal/only-build-libedit-when-necessary.patch
new file mode 100644
index 000000000..105c7019d
--- /dev/null
+++ b/user/heimdal/only-build-libedit-when-necessary.patch
@@ -0,0 +1,21 @@
+--- heimdal-7.5.0/configure.ac.old 2017-12-08 01:36:46.000000000 -0600
++++ heimdal-7.5.0/configure.ac 2018-07-04 18:50:45.720000000 -0500
+@@ -309,8 +309,6 @@
+ #endif
+ ],-ledit,,, READLINE,, [readline.h readline/readline.h editline/readline.h])
+
+-AC_CONFIG_SUBDIRS([lib/libedit])
+-
+ KRB_C_BIGENDIAN
+ AC_C_INLINE
+
+--- heimdal-7.5.0/cf/krb-readline.m4.old 2016-12-20 08:23:06.000000000 -0600
++++ heimdal-7.5.0/cf/krb-readline.m4 2018-07-04 18:50:04.140000000 -0500
+@@ -19,6 +19,7 @@
+ :
+ else
+ build_libedit=yes
++ AC_CONFIG_SUBDIRS([lib/libedit])
+ LIB_readline="\$(top_builddir)/lib/libedit/src/libheimedit.la \$(LIB_tgetent)"
+ fi
+ AM_CONDITIONAL(LIBEDIT, test "$build_libedit" = yes)