Diffstat (limited to 'user/heimdal')
-rw-r--r-- | user/heimdal/005_all_heimdal-suid_fix.patch | 20 | ||||
-rw-r--r-- | user/heimdal/APKBUILD | 131 | ||||
-rw-r--r-- | user/heimdal/CVE-2017-17439.patch | 45 | ||||
-rwxr-xr-x | user/heimdal/heimdal-kadmind.initd | 24 | ||||
-rwxr-xr-x | user/heimdal/heimdal-kdc.initd | 23 | ||||
-rwxr-xr-x | user/heimdal/heimdal-kpasswdd.initd | 24 | ||||
-rw-r--r-- | user/heimdal/heimdal_missing-include.patch | 11 | ||||
-rw-r--r-- | user/heimdal/only-build-libedit-when-necessary.patch | 21 |
8 files changed, 299 insertions, 0 deletions
diff --git a/user/heimdal/005_all_heimdal-suid_fix.patch b/user/heimdal/005_all_heimdal-suid_fix.patch
new file mode 100644
index 000000000..0524db61e
--- /dev/null
+++ b/user/heimdal/005_all_heimdal-suid_fix.patch
@@ -0,0 +1,20 @@
+--- appl/su/Makefile.am 2005-06-16 18:27:46.000000000 +0200
++++ b/appl/su/Makefile.am 2005-06-27 23:25:21.000000000 +0200
+@@ -7,6 +7,7 @@
+ bin_PROGRAMS = su
+ bin_SUIDS = su
+ su_SOURCES = su.c supaths.h
++su_LDFLAGS = -Wl,-z,now
+ man_MANS = su.1
+ 
+ LDADD = $(LIB_kafs) \
+--- appl/otp/Makefile.am 2005-06-16 18:28:46.000000000 +0200
++++ b/appl/otp/Makefile.am 2005-06-27 23:25:40.000000000 +0200
+@@ -8,6 +8,7 @@
+ bin_SUIDS = otp
+ otp_SOURCES = otp.c otp_locl.h
+ otpprint_SOURCES = otpprint.c otp_locl.h
++otp_LDFLAGS = -Wl,-z,now
+ 
+ man_MANS = otp.1 otpprint.1
+ 
diff --git a/user/heimdal/APKBUILD b/user/heimdal/APKBUILD
new file mode 100644
index 000000000..f8cb57211
--- /dev/null
+++ b/user/heimdal/APKBUILD
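Review bot: `su_LDFLAGS = -Wl,-z,now` and `otp_LDFLAGS = -Wl,-z,now` request immediate symbol binding for the two setuid programs, but that flag alone does not make the GOT read-only; unless the toolchain already defaults to `-z relro` (not visible on this page), `-Wl,-z,relro,-z,now` on both lines would make the intended full-RELRO hardening explicit rather than default-dependent. The `---` headers name `appl/su/Makefile.am` and `appl/otp/Makefile.am` while the matching `+++` headers carry a `b/` prefix, so the two sides strip to different paths under `-p1`; it presumably applies because patch falls back to whichever name exists, but normalizing both headers to the `a/`/`b/` form would remove that dependence.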
@@ -0,0 +1,131 @@
+# Contributor: Natanael Copa <ncopa@alpinelinux.org>
+# Maintainer:
+pkgname=heimdal
+pkgver=7.5.0
+pkgrel=2
+pkgdesc="An implementation of Kerberos 5"
+url="http://www.h5l.org/"
+arch="all"
+options="suid"
+license="BSD-3-Clause AND BSD-2-Clause AND Public-Domain AND MIT"
+depends="krb5-conf"
+depends_dev="openssl-dev e2fsprogs-dev db-dev"
+makedepends="$depends_dev autoconf automake bash libtool
+ ncurses-dev perl libedit-dev sqlite-dev texinfo perl-json"
+install=
+subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-openrc"
+source="https://github.com/heimdal/heimdal/releases/download/heimdal-$pkgver/heimdal-$pkgver.tar.gz
+ heimdal-kadmind.initd
+ heimdal-kdc.initd
+ heimdal-kpasswdd.initd
+
+ 005_all_heimdal-suid_fix.patch
+ heimdal_missing-include.patch
+ only-build-libedit-when-necessary.patch
+ "
+
+# secfixes:
+# 7.4.0-r2:
+# - CVE-2017-17439
+# 7.4.0-r0:
+# - CVE-2017-11103
+
+prepare() {
+ [ -e /usr/lib/libasn1.so ] && echo "## remove old heimdal pkg first ##" && return 1
+
+ cd "$builddir"
+ default_prepare
+
+ sh ./autogen.sh
+}
+
+build() {
+ cd "$builddir"
+ export LDFLAGS="${LDFLAGS} -Wl,--as-needed"
+ export LIBS="-ldb"
+
+ ./configure \
+ --build=$CBUILD \
+ --host=$CHOST \
+ --prefix=/usr \
+ --enable-shared=yes \
+ --without-x \
+ --with-berkeley-db \
+ --with-libedit=/usr \
+ --with-libedit-lib=/usr/lib \
+ --with-sqlite3=/usr \
+ --without-openssl
+
+ # make sure we use system version
+ rm -r lib/sqlite lib/com_err
+
+ # workarount a parallell build issue
+ make -C lib/asn1 der-protos.h der-private.h
+ make -C lib/kadm5 kadm5-protos.h kadm5-private.h kadm5_err.h
+ make -C lib/krb5 krb5-protos.h krb5-private.h krb5_err.h krb_err.h \
+ heim_err.h k524_err.h
+ make -C lib/hx509 hx509-private.h hx509-protos.h
+ make
+}
+
+check() {
+ cd "$builddir"
+ make -j1 check
+}
+
+package() {
+ cd "$builddir"
+ make DESTDIR="$pkgdir" exec_prefix=/usr sysconfdir=/etc \
+ mandir=/usr/share/man infodir=/usr/share/info datadir=/var/lib/heimdal \
+ localstatedir=/var/lib/heimdal libexecdir=/usr/sbin install
+
+
+ install -m755 -D "$srcdir"/heimdal-kadmind.initd \
+ "$pkgdir"/etc/init.d/heimdal-kadmind
+ install -m755 -D "$srcdir"/heimdal-kdc.initd \
+ "$pkgdir"/etc/init.d/heimdal-kdc
+ install -m755 -D "$srcdir"/heimdal-kpasswdd.initd \
+ "$pkgdir"/etc/init.d/heimdal-kpasswdd
+
+ for i in 1 3 5 8; do
+ rm -rf "$pkgdir"/usr/share/man/cat$i
+ done
+
+ # Remove conflicts
+ # e2fsprogs
+ rm -f "$pkgdir"/usr/bin/compile_et \
+ "$pkgdir"/usr/share/man/man1/compile_et.1
+
+ # Compress info pages
+ for page in heimdal hx509; do
+ gzip -9 "$pkgdir"/usr/share/info/${page}.info
+ done
+
+ # Install the license
+ install -d "$pkgdir"/usr/share/licenses/$pkgname
+ install -D -m644 "$builddir"/LICENSE \
+ "$pkgdir"/usr/share/licenses/$pkgname/
+}
+
+libs() {
+ pkgdesc="Heimdal libraries"
+ replaces="heimdal"
+ depends="krb5-conf"
+ mkdir -p "$subpkgdir"/usr/bin "$subpkgdir"/usr/sbin
+ mv "$pkgdir"/usr/lib "$subpkgdir"/usr/
+ mv "$pkgdir"/usr/bin/string2key \
+ "$pkgdir"/usr/bin/verify_krb5_conf \
+ "$subpkgdir"/usr/bin/
+ mv "$pkgdir"/usr/sbin/kdigest \
+ "$pkgdir"/usr/sbin/digest-service \
+ "$subpkgdir"/usr/sbin/
+
+}
+
+sha512sums="6d1ad77e795df786680b5e68e2bfefee27bd0207eab507295d7af7053135de9c9ebb517d2c0235bc3a7d50945e18044515f0d76c0899b6b74aa839f1f3e5b131 heimdal-7.5.0.tar.gz
+0ae0fec4bdb3907d9e82e788e12ef185dd00e6db4c17f55758da5600fedd72ed1118b6b492d039f91cc54d54bf2f79f624ea38a68067e424b737b128494a4bbd heimdal-kadmind.initd
+4dca69bb1c1c6dfce8c0fc1da84855e4549be478ab09511fa5143ee61d1609fed7f3303179bc1e499b0f20445e04c41eda132dd1c5f72e2fea4fcf60a35ad2a9 heimdal-kdc.initd
+abee8390632fa775e74900d09e5c72b02fe4f9616b43cc8d0a76175486ed6d4707fb3ce4d06ceb09b0e8d1384e037c3cff6525e11def0122c35c32eebd0d196f heimdal-kpasswdd.initd
+2a6b20588a86a9ea3c35209b96ef2da0b39bc3112aec1505e69a60efc9ffb9ddc1d0dbdfaf864142e9d2f81da3d2653de56d6ffa01871c20fde17e4642625c56 005_all_heimdal-suid_fix.patch
+e89efdc942c512363aac1d9797c6bf622324e9200e282bc5ed680300b9e1b39a4ea20f059cdac8f22f972eb0af0e625fd41f267ebcafcfec0aaa81192aff79c1 heimdal_missing-include.patch
+d1c50b0a656f15afeae78ce0ace0f9adceea028e118f3952a724d23c63bba7d5c9a50980de16c7606a93769c0aa48ce3b932e8a64f5d7a2127d31d2f39e9688d only-build-libedit-when-necessary.patch"
diff --git a/user/heimdal/CVE-2017-17439.patch b/user/heimdal/CVE-2017-17439.patch
new file mode 100644
index 000000000..8c3273971
--- /dev/null
+++ b/user/heimdal/CVE-2017-17439.patch
@@ -0,0 +1,45 @@
+From 749d377fa357351a7bbba51f8aae72cdf0629592 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@twosigma.com>
+Date: Tue, 5 Dec 2017 18:49:50 -0500
+Subject: [PATCH] Security: Avoid NULL structure pointer member dereference
+
+This can happen in the error path when processing malformed AS
+requests with a NULL client name. Bug originally introduced on
+Fri Feb 13 09:26:01 2015 +0100 in commit:
+
+ a873e21d7c06f22943a90a41dc733ae76799390d
+
+ kdc: base _kdc_fast_mk_error() on krb5_mk_error_ext()
+
+Original patch by Jeffrey Altman <jaltman@secure-endpoints.com>
+
+(cherry picked from commit 1a6a6e462dc2ac6111f9e02c6852ddec4849b887)
+---
+ kdc/kerberos5.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
+index 95a74927f7..675b406b82 100644
+--- a/kdc/kerberos5.c
++++ b/kdc/kerberos5.c
+@@ -2226,15 +2226,17 @@ _kdc_as_rep(kdc_request_t r,
+ /*
+ * In case of a non proxy error, build an error message.
+ */
+- if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
++ if (ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
+ ret = _kdc_fast_mk_error(context, r,
+ &error_method,
+ r->armor_crypto,
+ &req->req_body,
+ ret, r->e_text,
+ r->server_princ,
+- &r->client_princ->name,
+- &r->client_princ->realm,
++ r->client_princ ?
++ &r->client_princ->name : NULL,
++ r->client_princ ?
++ &r->client_princ->realm : NULL,
+ NULL, NULL,
+ reply);
+ if (ret)
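Review bot: `source=` lists the three initd files and three patches but not `CVE-2017-17439.patch`, which this same commit adds next to the APKBUILD, so `default_prepare` never applies it and `sha512sums` carries no entry for it; either add `CVE-2017-17439.patch` to `source=` with its checksum or drop the file, and make the `# secfixes:` block state which release of this package actually carries that fix, since it is listed under 7.4.0-r2 while `pkgver=7.5.0`. Separately, `depends_dev` pulls in `openssl-dev` while `./configure` is passed `--without-openssl`, so that build dependency looks unused and also propagates into the `-dev` subpackage — worth confirming and then either removing it from `depends_dev` or changing the configure flag.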
diff --git a/user/heimdal/heimdal-kadmind.initd b/user/heimdal/heimdal-kadmind.initd
new file mode 100755
index 000000000..73f23815c
--- /dev/null
+++ b/user/heimdal/heimdal-kadmind.initd
@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kadmind,v 1.3 2004/09/13 22:44:54 solar Exp $
+
+depend() {
+ need net
+ use heimdal-kdc
+ after logger
+}
+
+start() {
+ ebegin "Starting heimdal kadmind"
+ /usr/sbin/kadmind &
+ echo $! > /var/run/heimdal-kadmind.pid
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping heimdal kadmind"
+ start-stop-daemon --stop --quiet --exec \
+ /usr/sbin/kadmind
+ eend $?
+}
diff --git a/user/heimdal/heimdal-kdc.initd b/user/heimdal/heimdal-kdc.initd
new file mode 100755
index 000000000..32288c4e7
--- /dev/null
+++ b/user/heimdal/heimdal-kdc.initd
@@ -0,0 +1,23 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kdc,v 1.2 2004/09/13 15:40:34 dragonheart Exp $
+
+depend() {
+ need net
+ after logger
+}
+
+start() {
+ ebegin "Starting heimdal kdc"
+ start-stop-daemon --start --quiet --exec \
+ /usr/sbin/kdc -- --detach
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping heimdal kdc"
+ start-stop-daemon --stop --quiet --exec \
+ /usr/sbin/kdc
+ eend $?
+}
diff --git a/user/heimdal/heimdal-kpasswdd.initd b/user/heimdal/heimdal-kpasswdd.initd
new file mode 100755
index 000000000..5fc21e0dc
--- /dev/null
+++ b/user/heimdal/heimdal-kpasswdd.initd
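Review bot: `start()` backgrounds kadmind with a bare `&` and writes `$!` to `/var/run/heimdal-kadmind.pid`, but the following `eend $?` reports the status of the `echo` redirection, not whether kadmind is actually running, and `stop()` never reads that pidfile — it matches on `--exec /usr/sbin/kadmind` alone, which targets any process running that binary rather than the one this script started. Assuming kadmind stays in the foreground (which the `$!` capture already assumes), letting start-stop-daemon own the process makes both ends consistent: `start-stop-daemon --start --background --make-pidfile --pidfile /var/run/heimdal-kadmind.pid --exec /usr/sbin/kadmind` in `start()` and `--pidfile /var/run/heimdal-kadmind.pid` added to the `--stop` line. The heimdal-kpasswdd.initd hunk has the same stop-by-exec-only shape and would benefit from the same pidfile pairing.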
@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kpasswdd,v 1.3 2004/09/13 22:44:54 solar Exp $
+
+depend() {
+ need net
+ use heimdal-kdc
+ after logger
+}
+
+start() {
+ ebegin "Starting heimdal kpasswdd"
+ start-stop-daemon --background --start --quiet --exec \
+ /usr/sbin/kpasswdd
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping heimdal kpasswdd"
+ start-stop-daemon --stop --quiet --exec \
+ /usr/sbin/kpasswdd
+ eend $?
+}
diff --git a/user/heimdal/heimdal_missing-include.patch b/user/heimdal/heimdal_missing-include.patch
new file mode 100644
index 000000000..8cca906a7
--- /dev/null
+++ b/user/heimdal/heimdal_missing-include.patch
@@ -0,0 +1,11 @@
+--- lib/base/test_base.c 2011-09-30 15:58:45.000000000 +0300
++++ b/lib/base/test_base.c 2011-12-27 23:04:50.482955923 +0200
+@@ -39,6 +39,8 @@
+ #include "heimbase.h"
+ #include "heimbasepriv.h"
+ 
++#include <stdlib.h>
++
+ static void
+ memory_free(heim_object_t obj)
+ {
diff --git a/user/heimdal/only-build-libedit-when-necessary.patch b/user/heimdal/only-build-libedit-when-necessary.patch
new file mode 100644
index 000000000..105c7019d
--- /dev/null
+++ b/user/heimdal/only-build-libedit-when-necessary.patch
@@ -0,0 +1,21 @@
+--- heimdal-7.5.0/configure.ac.old 2017-12-08 01:36:46.000000000 -0600
++++ heimdal-7.5.0/configure.ac 2018-07-04 18:50:45.720000000 -0500
+@@ -309,8 +309,6 @@
+ #endif
+ ],-ledit,,, READLINE,, [readline.h readline/readline.h editline/readline.h])
+ 
+-AC_CONFIG_SUBDIRS([lib/libedit])
+-
+ KRB_C_BIGENDIAN
+ AC_C_INLINE
+ 
+--- heimdal-7.5.0/cf/krb-readline.m4.old 2016-12-20 08:23:06.000000000 -0600
++++ heimdal-7.5.0/cf/krb-readline.m4 2018-07-04 18:50:04.140000000 -0500
+@@ -19,6 +19,7 @@
+ :
+ else
+ build_libedit=yes
++ AC_CONFIG_SUBDIRS([lib/libedit])
+ LIB_readline="\$(top_builddir)/lib/libedit/src/libheimedit.la \$(LIB_tgetent)"
+ fi
+ AM_CONDITIONAL(LIBEDIT, test "$build_libedit" = yes) |