author | V3n3RiX <venerix@koprulu.sector> | 2022-01-04 01:27:12 +0000 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2022-01-04 01:27:12 +0000 |
commit | 3517852e3b8a68d1e997770fc0650c5053bafc6c (patch) | |
tree | 44068672445b1418489aed82de58df3c470289e7 /www-apache/mod_auth_kerb | |
parent | 0f15659d48c193027158492acb726297501202c5 (diff) |
gentoo resync : 04.01.2022
Diffstat (limited to 'www-apache/mod_auth_kerb')
-rw-r--r-- | www-apache/mod_auth_kerb/Manifest | 5 | ||||
-rw-r--r-- | www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch | 73 | ||||
-rw-r--r-- | www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-krb5pwd-double-free.patch | 22 | ||||
-rw-r--r-- | www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild | 58 | ||||
-rw-r--r-- | www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r5.ebuild (renamed from www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r3.ebuild) | 12 |
5 files changed, 107 insertions, 63 deletions
diff --git a/www-apache/mod_auth_kerb/Manifest b/www-apache/mod_auth_kerb/Manifest
index 588c9a8fc0dc..c0c1e5b3e8e9 100644
--- a/www-apache/mod_auth_kerb/Manifest
+++ b/www-apache/mod_auth_kerb/Manifest
@@ -1,7 +1,8 @@ AUX 11_mod_auth_kerb.conf 338 BLAKE2B c9093c961dae957f392bde032b20690a9a83c0fcac3b2ca0e8d46da584c040d79967793767371358e38bf3a9de48605b4ee35177d1692b1b9ce71b3ab49f4eeb SHA512 82ea692ed8189bb3255347d5d7829f84c8b3edc66e9d99c974f9c8ed56227a60b8925eee11f027fbd694ef1be8d09ff3f4b92e96cd68a77cea84e6e237048c53 +AUX mod_auth_kerb-5.4-api-change-krb5.patch 2638 BLAKE2B 735a80f6d03e7a71dd5477d8529bc80daaa4e948dd2b374027f3608c7b07c543160328b8744d9d92aa8c493b22e591fb3ead2a4e7dc8a841941a79c77fd1fc44 SHA512 d24d44772f3c615c38d97aca4a6e8f59e53c94d61de95608c88ac17e3e1fc2f800a4e4e96abb8cbf187cacd7a8323dfe6e62b0ea000873177b330c8f3fd17b9a +AUX mod_auth_kerb-5.4-krb5pwd-double-free.patch 963 BLAKE2B 4967bfa2e12e3ebdb325ddb12846786b05369c2cd2d5544631e98ce1b655de936da6c53567fa4ab31c85813021272543bde63a4509dcf0bd060aec31796a4ad3 SHA512 50e8ddc9c0366055f4b54a00d6b6f2d983e4ed7b49786559b8312b9967bfc838f6e9c653b1aecd9c77370d211c9c35274c64bb38af2a279cdf16d2e25f359a11 AUX mod_auth_kerb.conf 40 BLAKE2B 76bfe68f7dd32d9f8dffb5a2124628c7971f7f7470182d003fa576ba386239fd946d2eee50b49f2e4f0d6d8061b61c927e212a68fb3e1cfc21d9c2dc01c688a8 SHA512 fd21cb7d6da1ac4ce5becab4e3c72a56245878625990ebddbf1d612a3b9cc273a6b3e87509db59ed67e934b5834c3db10914118982cb77a6b8220b0f65cd6e1d DIST mod_auth_kerb-5.4-gentoo-patchset.tar.bz2 8717 BLAKE2B 759ad350bb6c07226c86fa51e22f17023378928abed3fd80ff280bac54a472a8d918cba680b3c75ce93805a7f803bbd370a6bb1b73665f5a8d5fb7cdc6353d1c SHA512 3909c2677b30790cc17c0d8843feaa00d9acd14a012672443a887c0e88473d6b1572ba045e1491bcab53cbacff193c11cfe15e63ef1046cfcdf1f4ab60e0ac57 DIST mod_auth_kerb-5.4.tar.gz 93033 BLAKE2B 2f5c2c26f0f9fa5919f879680e0b8f29087edd001c166655f8130e8d7efd527b0bb9bbb79fe3e508c14622ecefaa693a96dc7dd16a3298da8ae0ad4b69b48ca6 SHA512 93fdf0e43af1c24e8c8204d09240b708747068ef99dd8d21b45cb4d132d31e6d582d49ea5e23b905f55cb0d4a20b1ecb58de1bcbfdad1d016e536fc622b63214 -EBUILD mod_auth_kerb-5.4-r2.ebuild 1397 BLAKE2B 
793f5f2703d63596e4ea97cfb8cda795d4e10238814f7fff08429fbce086cf09c211eedf32ce6e348b868d6f8d2acca35cfefb395ca83c7dc451e19a15bb8fcd SHA512 664917f2de1e463573baba7599f68022270480cc9210b520fbd4d551549a8b02045210722c1f2824ef2914dfcebabf5ee53fca528d0fef85791e246a96d57f00 -EBUILD mod_auth_kerb-5.4-r3.ebuild 1453 BLAKE2B def0046f355054c2f4db256f0e6eba587e2adfb530c2257312a9d8b8f44bd927297250a946a0d01b1d8f934da6bfc0dafec68cf76aab9a828558515a25cb8975 SHA512 05d73f3dadf4e50dd3f6052aa05ea0d943b2cae62843942cc2772720627704fbe4fc5f7c84669342b478c2aef911761e669ee2e74f619c7b3115592768e48b5e +EBUILD mod_auth_kerb-5.4-r5.ebuild 1571 BLAKE2B b7d3d3d4cc8e5cc1303db29a0cde9391648cbb46b74a5dc8366bfb1ca72f7335c2c29ca60c325a8d2d7665774f51f51eba7628b84ec97cbc1c6b6cfa3f9a3ae6 SHA512 32d8423a9201791d0632158ca268461c43519389f8013fcbf7f961fb658dc8f8394ae16961074c4d3319892c5376d30eeb3b3c8c563bd85023d769731169e6e6 MISC metadata.xml 249 BLAKE2B fcfd318a3d8fe55ad58570ca24b63d7e0160c65b5a66c0540d53d0f4123b42359a474eb0b9b3ee687686d6d2809b61f4bea13d7130f44c6a1036badfc0bec9cd SHA512 d812a7cc336482b8febeb447231bbc0d4aa105cfc780990627b16dd29f74dbf727ed52cf317def938759aded98d8bc1992f8cbc20bbb6b18575945682c42d26f diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch new file mode 100644 index 000000000000..fb402de44a8d --- /dev/null +++ b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch 
@@ -0,0 +1,73 @@
+https://sources.debian.org/data/main/liba/libapache-mod-auth-kerb/5.4-2.5/debian/patches/0011-Always-use-NONE-replay-cache-type.patch
+https://bugs.gentoo.org/830208
+
+From: Sam Hartman <hartmans@debian.org>
+Date: Mon, 23 Nov 2020 09:30:22 -0500
+Subject: Always use NONE replay cache type
+
+It's 2020. Any MIT Kerberos in the wild supports the none replay
+cache type. The previous code used an internal function to detect
+that replay cache type; that function is no longer available.
+Instead, assume it is present.
+
+An alternative would be to enable the default replay cache. It was
+originally disabled because of problems between Microsoft
+authenticators and 2004-era MIT Kerberos 1.3. That's probably a good
+idea. It probably closes off security attacks, although analyzing the
+impact of replays in cases where neither channel binding nor
+per-message services are used is difficult. I believe that a replay
+cache is not strictly necessary in the common configuration where
+mod-auth-kerb is used over a TLS-protected connection where the client
+properly verifies the TLS certificate presented by the server prior to
+sending a GSS token.
+
+I have elected not to enable replay cache to affect a minimal change.
+--- a/src/mod_auth_kerb.c
++++ b/src/mod_auth_kerb.c
+@@ -2061,28 +2061,6 @@
+ return ret;
+ }
+
+-static int
+-have_rcache_type(const char *type)
+-{
+- krb5_error_code ret;
+- krb5_context context;
+- krb5_rcache id = NULL;
+- int found;
+-
+- ret = krb5_init_context(&context);
+- if (ret)
+- return 0;
+-
+- ret = krb5_rc_resolve_full(context, &id, "none:");
+- found = (ret == 0);
+-
+- if (ret == 0)
+- krb5_rc_destroy(context, id);
+- krb5_free_context(context);
+-
+- return found;
+-}
+-
+ /***************************************************************************
+ Module Setup/Configuration
+ ***************************************************************************/
+@@ -2143,7 +2121,7 @@
+ #ifndef HEIMDAL
+ /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
+ 1.3.x are covered by the hack overiding the replay calls */
+- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
++ if (getenv("KRB5RCACHETYPE") == NULL)
+ putenv(strdup("KRB5RCACHETYPE=none"));
+ #endif
+ }
+@@ -2185,7 +2163,7 @@
+ #ifndef HEIMDAL
+ /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
+ 1.3.x are covered by the hack overiding the replay calls */
+- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
++ if (getenv("KRB5RCACHETYPE") == NULL)
+ putenv(strdup("KRB5RCACHETYPE=none"));
+ #endif
+ #ifdef STANDARD20_MODULE_STUFF
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-krb5pwd-double-free.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-krb5pwd-double-free.patch
new file mode 100644
index 000000000000..aa8ced49c103
--- /dev/null
+++ b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-krb5pwd-double-free.patch
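Review bot: The comment kept above both rewritten conditions (inner hunks at -2143 and -2185) still reads "Requires MIT Kerberos 1.4.0 or later. 1.3.x are covered by the hack overiding the replay calls", which described the removed have_rcache_type() probe and not the new behaviour. The new code forces `KRB5RCACHETYPE=none` for the whole httpd process whenever the variable is unset, so I would replace the comment with `/* Disable the MIT replay cache unless the admin set KRB5RCACHETYPE; replayed tokens are then not detected by the library, so serve this module only over TLS. */`. The patch description itself says the replay cache matters where neither channel binding nor per-message services are used, and that assumption belongs next to the code, not only in the patch header. The enclosing functions start and end outside these hunks.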
@@ -0,0 +1,22 @@
+https://sources.debian.org/src/libapache-mod-auth-kerb/5.4-2.5/debian/patches/mod_auth_kerb-krb5_kt_close.patch/
+https://bugs.gentoo.org/673066
+
+Description: fix use after free in authenticate_user_krb5pwd()
+Origin: https://sourceforge.net/p/modauthkerb/bugs/61/attachment/mod_auth_kerb-krb5_kt_close.patch
+Bug: https://sourceforge.net/p/modauthkerb/bugs/61/
+Bug-Debian: https://bugs.debian.org/934043
+Author: Johan Ymerson (https://sourceforge.net/u/ymerson/)
+--- a/src/mod_auth_kerb.c
++++ b/src/mod_auth_kerb.c
+@@ -799,11 +799,9 @@
+ "failed to verify krb5 credentials: %s",
+ krb5_get_err_text(context, ret));
+ krb5_kt_end_seq_get(context, keytab, &cursor);
+- krb5_kt_close(context, keytab);
+ goto end;
+ }
+ krb5_kt_end_seq_get(context, keytab, &cursor);
+- krb5_kt_close(context, keytab);
+ }
+ else {
+ if ((ret = verify_krb5_init_creds(r, context, &creds, server, keytab))) {
diff --git a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
deleted file mode 100644
index a83b2926d126..000000000000
--- a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
+++ /dev/null
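Review bot: The patch header does not say where `keytab` is released once both `krb5_kt_close(context, keytab)` calls are removed, and it calls the defect a use after free while the file name says double-free. Presumably the cleanup at the `end:` label, which lies outside this hunk, closes the keytab and was the second close on these paths. That should be confirmed against the full function, because if it does not, every request through this branch would now leave a keytab handle open. I would add a line to the description such as `keytab is closed once in the end: cleanup; the early closes left it dangling for that cleanup`. authenticate_user_krb5pwd() starts and ends outside the hunk.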
@@ -1,58 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=5 -inherit apache-module epatch tmpfiles - -DESCRIPTION="An Apache authentication module using Kerberos" -HOMEPAGE="http://modauthkerb.sourceforge.net/" -SRC_URI="mirror://sourceforge/modauthkerb/${P}.tar.gz - https://dev.gentoo.org/~mgorny/dist/${P}-gentoo-patchset.tar.bz2" - -LICENSE="BSD openafs-krb5-a HPND" -SLOT="0" -KEYWORDS="amd64 x86" -IUSE="" - -DEPEND="virtual/krb5" -RDEPEND="${DEPEND}" - -APACHE2_MOD_CONF="11_${PN}" -APACHE2_MOD_DEFINE="AUTH_KERB" - -DOCFILES="INSTALL README" - -need_apache2 - -PATCHES=( - "${WORKDIR}/${P}-gentoo-patchset"/${P}-rcopshack.patch - "${WORKDIR}/${P}-gentoo-patchset"/${P}-fixes.patch - "${WORKDIR}/${P}-gentoo-patchset"/${P}-s4u2proxy.patch - "${WORKDIR}/${P}-gentoo-patchset"/${P}-httpd24.patch - "${WORKDIR}/${P}-gentoo-patchset"/${P}-delegation.patch - "${WORKDIR}/${P}-gentoo-patchset"/${P}-cachedir.patch - "${WORKDIR}/${P}-gentoo-patchset"/${P}-longuser.patch - "${WORKDIR}/${P}-gentoo-patchset"/${P}-handle-continue.patch - "${WORKDIR}/${P}-gentoo-patchset"/${P}-heimdal.patch -) - -src_prepare() { - epatch "${PATCHES[@]}" -} - -src_configure() { - CFLAGS="" APXS="${APXS}" econf --with-krb5=/usr --without-krb4 -} - -src_compile() { - emake -} - -src_install() { - apache-module_src_install - dotmpfiles "${FILESDIR}/${PN}.conf" -} - -pkg_postinst() { - tmpfiles_process ${PN}.conf -} diff --git a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r3.ebuild b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r5.ebuild index 0a59d3214ff2..f06674c34353 100644 --- a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r3.ebuild +++ b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r5.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 
@@ -12,7 +12,7 @@ SRC_URI="mirror://sourceforge/project/modauthkerb/${PN}/${P}/${P}.tar.gz LICENSE="BSD openafs-krb5-a HPND" SLOT="0" -KEYWORDS="~amd64 ~x86" +KEYWORDS="amd64 x86" DEPEND="virtual/krb5" RDEPEND="${DEPEND}" @@ -34,6 +34,11 @@ PATCHES=( "${WORKDIR}/${P}-gentoo-patchset"/${P}-longuser.patch "${WORKDIR}/${P}-gentoo-patchset"/${P}-handle-continue.patch "${WORKDIR}/${P}-gentoo-patchset"/${P}-heimdal.patch + + # bug #830208 + "${FILESDIR}"/${P}-api-change-krb5.patch + # bug #673066 + "${FILESDIR}"/${P}-krb5pwd-double-free.patch ) # Work around Bug #616612 @@ -52,7 +57,8 @@ src_compile() { src_install() { apache-module_src_install - dotmpfiles "${FILESDIR}/${PN}.conf" + + dotmpfiles "${FILESDIR}"/${PN}.conf } pkg_postinst() { |
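Review bot: The two comments added in the PATCHES hunk give only bug numbers, although both patches change security-relevant behaviour of the module. I would write `# bug #830208: drops the have_rcache_type() probe; always sets KRB5RCACHETYPE=none when unset` and `# bug #673066: removes the early krb5_kt_close() calls in authenticate_user_krb5pwd()`. Someone auditing the ebuild then sees that this revision disables the replay cache unconditionally and carries a memory-safety fix, without opening the files under FILESDIR.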