authorV3n3RiX <venerix@koprulu.sector>2022-01-04 01:27:12 +0000
committerV3n3RiX <venerix@koprulu.sector>2022-01-04 01:27:12 +0000
commit3517852e3b8a68d1e997770fc0650c5053bafc6c (patch)
tree44068672445b1418489aed82de58df3c470289e7 /www-apache/mod_auth_kerb
parent0f15659d48c193027158492acb726297501202c5 (diff)
gentoo resync : 04.01.2022
Diffstat (limited to 'www-apache/mod_auth_kerb')
-rw-r--r--www-apache/mod_auth_kerb/Manifest5
-rw-r--r--www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch73
-rw-r--r--www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-krb5pwd-double-free.patch22
-rw-r--r--www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild58
-rw-r--r--www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r5.ebuild (renamed from www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r3.ebuild)12
5 files changed, 107 insertions, 63 deletions
diff --git a/www-apache/mod_auth_kerb/Manifest b/www-apache/mod_auth_kerb/Manifest
index 588c9a8fc0dc..c0c1e5b3e8e9 100644
--- a/www-apache/mod_auth_kerb/Manifest
+++ b/www-apache/mod_auth_kerb/Manifest
@@ -1,7 +1,8 @@
AUX 11_mod_auth_kerb.conf 338 BLAKE2B c9093c961dae957f392bde032b20690a9a83c0fcac3b2ca0e8d46da584c040d79967793767371358e38bf3a9de48605b4ee35177d1692b1b9ce71b3ab49f4eeb SHA512 82ea692ed8189bb3255347d5d7829f84c8b3edc66e9d99c974f9c8ed56227a60b8925eee11f027fbd694ef1be8d09ff3f4b92e96cd68a77cea84e6e237048c53
+AUX mod_auth_kerb-5.4-api-change-krb5.patch 2638 BLAKE2B 735a80f6d03e7a71dd5477d8529bc80daaa4e948dd2b374027f3608c7b07c543160328b8744d9d92aa8c493b22e591fb3ead2a4e7dc8a841941a79c77fd1fc44 SHA512 d24d44772f3c615c38d97aca4a6e8f59e53c94d61de95608c88ac17e3e1fc2f800a4e4e96abb8cbf187cacd7a8323dfe6e62b0ea000873177b330c8f3fd17b9a
+AUX mod_auth_kerb-5.4-krb5pwd-double-free.patch 963 BLAKE2B 4967bfa2e12e3ebdb325ddb12846786b05369c2cd2d5544631e98ce1b655de936da6c53567fa4ab31c85813021272543bde63a4509dcf0bd060aec31796a4ad3 SHA512 50e8ddc9c0366055f4b54a00d6b6f2d983e4ed7b49786559b8312b9967bfc838f6e9c653b1aecd9c77370d211c9c35274c64bb38af2a279cdf16d2e25f359a11
AUX mod_auth_kerb.conf 40 BLAKE2B 76bfe68f7dd32d9f8dffb5a2124628c7971f7f7470182d003fa576ba386239fd946d2eee50b49f2e4f0d6d8061b61c927e212a68fb3e1cfc21d9c2dc01c688a8 SHA512 fd21cb7d6da1ac4ce5becab4e3c72a56245878625990ebddbf1d612a3b9cc273a6b3e87509db59ed67e934b5834c3db10914118982cb77a6b8220b0f65cd6e1d
DIST mod_auth_kerb-5.4-gentoo-patchset.tar.bz2 8717 BLAKE2B 759ad350bb6c07226c86fa51e22f17023378928abed3fd80ff280bac54a472a8d918cba680b3c75ce93805a7f803bbd370a6bb1b73665f5a8d5fb7cdc6353d1c SHA512 3909c2677b30790cc17c0d8843feaa00d9acd14a012672443a887c0e88473d6b1572ba045e1491bcab53cbacff193c11cfe15e63ef1046cfcdf1f4ab60e0ac57
DIST mod_auth_kerb-5.4.tar.gz 93033 BLAKE2B 2f5c2c26f0f9fa5919f879680e0b8f29087edd001c166655f8130e8d7efd527b0bb9bbb79fe3e508c14622ecefaa693a96dc7dd16a3298da8ae0ad4b69b48ca6 SHA512 93fdf0e43af1c24e8c8204d09240b708747068ef99dd8d21b45cb4d132d31e6d582d49ea5e23b905f55cb0d4a20b1ecb58de1bcbfdad1d016e536fc622b63214
-EBUILD mod_auth_kerb-5.4-r2.ebuild 1397 BLAKE2B 793f5f2703d63596e4ea97cfb8cda795d4e10238814f7fff08429fbce086cf09c211eedf32ce6e348b868d6f8d2acca35cfefb395ca83c7dc451e19a15bb8fcd SHA512 664917f2de1e463573baba7599f68022270480cc9210b520fbd4d551549a8b02045210722c1f2824ef2914dfcebabf5ee53fca528d0fef85791e246a96d57f00
-EBUILD mod_auth_kerb-5.4-r3.ebuild 1453 BLAKE2B def0046f355054c2f4db256f0e6eba587e2adfb530c2257312a9d8b8f44bd927297250a946a0d01b1d8f934da6bfc0dafec68cf76aab9a828558515a25cb8975 SHA512 05d73f3dadf4e50dd3f6052aa05ea0d943b2cae62843942cc2772720627704fbe4fc5f7c84669342b478c2aef911761e669ee2e74f619c7b3115592768e48b5e
+EBUILD mod_auth_kerb-5.4-r5.ebuild 1571 BLAKE2B b7d3d3d4cc8e5cc1303db29a0cde9391648cbb46b74a5dc8366bfb1ca72f7335c2c29ca60c325a8d2d7665774f51f51eba7628b84ec97cbc1c6b6cfa3f9a3ae6 SHA512 32d8423a9201791d0632158ca268461c43519389f8013fcbf7f961fb658dc8f8394ae16961074c4d3319892c5376d30eeb3b3c8c563bd85023d769731169e6e6
MISC metadata.xml 249 BLAKE2B fcfd318a3d8fe55ad58570ca24b63d7e0160c65b5a66c0540d53d0f4123b42359a474eb0b9b3ee687686d6d2809b61f4bea13d7130f44c6a1036badfc0bec9cd SHA512 d812a7cc336482b8febeb447231bbc0d4aa105cfc780990627b16dd29f74dbf727ed52cf317def938759aded98d8bc1992f8cbc20bbb6b18575945682c42d26f
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch
new file mode 100644
index 000000000000..fb402de44a8d
--- /dev/null
+++ b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch
@@ -0,0 +1,73 @@
+https://sources.debian.org/data/main/liba/libapache-mod-auth-kerb/5.4-2.5/debian/patches/0011-Always-use-NONE-replay-cache-type.patch
+https://bugs.gentoo.org/830208
+
+From: Sam Hartman <hartmans@debian.org>
+Date: Mon, 23 Nov 2020 09:30:22 -0500
+Subject: Always use NONE replay cache type
+
+It's 2020. Any MIT Kerberos in the wild supports the none replay
+cache type. The previous code used an internal function to detect
+that replay cache type; that function is no longer available.
+Instead, assume it is present.
+
+An alternative would be to enable the default replay cache. It was
+originally disabled because of problems between Microsoft
+authenticators and 2004-era MIT Kerberos 1.3. That's probably a good
+idea. It probably closes off security attacks, although analyzing the
+impact of replays in cases where neither channel binding nor
+per-message services are used is difficult. I believe that a replay
+cache is not strictly necessary in the common configuration where
+mod-auth-kerb is used over a TLS-protected connection where the client
+properly verifies the TLS certificate presented by the server prior to
+sending a GSS token.
+
+I have elected not to enable replay cache to affect a minimal change.
+--- a/src/mod_auth_kerb.c
++++ b/src/mod_auth_kerb.c
+@@ -2061,28 +2061,6 @@
+ return ret;
+ }
+
+-static int
+-have_rcache_type(const char *type)
+-{
+- krb5_error_code ret;
+- krb5_context context;
+- krb5_rcache id = NULL;
+- int found;
+-
+- ret = krb5_init_context(&context);
+- if (ret)
+- return 0;
+-
+- ret = krb5_rc_resolve_full(context, &id, "none:");
+- found = (ret == 0);
+-
+- if (ret == 0)
+- krb5_rc_destroy(context, id);
+- krb5_free_context(context);
+-
+- return found;
+-}
+-
+ /***************************************************************************
+ Module Setup/Configuration
+ ***************************************************************************/
+@@ -2143,7 +2121,7 @@
+ #ifndef HEIMDAL
+ /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
+ 1.3.x are covered by the hack overiding the replay calls */
+- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
++ if (getenv("KRB5RCACHETYPE") == NULL)
+ putenv(strdup("KRB5RCACHETYPE=none"));
+ #endif
+ }
+@@ -2185,7 +2163,7 @@
+ #ifndef HEIMDAL
+ /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
+ 1.3.x are covered by the hack overiding the replay calls */
+- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
++ if (getenv("KRB5RCACHETYPE") == NULL)
+ putenv(strdup("KRB5RCACHETYPE=none"));
+ #endif
+ #ifdef STANDARD20_MODULE_STUFF
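Review bot: In both setup hunks of the embedded patch (`@@ -2143` and `@@ -2185`) the module now switches the MIT replay cache off whenever `KRB5RCACHETYPE` is unset, but the comment above the call still only mentions MIT Kerberos 1.4.0 and the 1.3.x hack and says nothing about the trade-off the patch description spells out. I would replace it with something like `/* Replay cache is disabled unless KRB5RCACHETYPE is already set; replay protection then depends on TLS with a verified server certificate. */`, so an operator reading the source knows that pre-setting the variable to another type overrides this. `putenv()` changes the environment of the whole httpd process, so any other Kerberos consumer loaded into it presumably inherits the setting as well. Separately, the result of `strdup()` goes to `putenv()` unchecked in both places; a guard such as `char *e = strdup("KRB5RCACHETYPE=none"); if (e != NULL) putenv(e);` avoids passing a null pointer on allocation failure. The enclosing functions start and end outside these hunks.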
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-krb5pwd-double-free.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-krb5pwd-double-free.patch
new file mode 100644
index 000000000000..aa8ced49c103
--- /dev/null
+++ b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-krb5pwd-double-free.patch
@@ -0,0 +1,22 @@
+https://sources.debian.org/src/libapache-mod-auth-kerb/5.4-2.5/debian/patches/mod_auth_kerb-krb5_kt_close.patch/
+https://bugs.gentoo.org/673066
+
+Description: fix use after free in authenticate_user_krb5pwd()
+Origin: https://sourceforge.net/p/modauthkerb/bugs/61/attachment/mod_auth_kerb-krb5_kt_close.patch
+Bug: https://sourceforge.net/p/modauthkerb/bugs/61/
+Bug-Debian: https://bugs.debian.org/934043
+Author: Johan Ymerson (https://sourceforge.net/u/ymerson/)
+--- a/src/mod_auth_kerb.c
++++ b/src/mod_auth_kerb.c
+@@ -799,11 +799,9 @@
+ "failed to verify krb5 credentials: %s",
+ krb5_get_err_text(context, ret));
+ krb5_kt_end_seq_get(context, keytab, &cursor);
+- krb5_kt_close(context, keytab);
+ goto end;
+ }
+ krb5_kt_end_seq_get(context, keytab, &cursor);
+- krb5_kt_close(context, keytab);
+ }
+ else {
+ if ((ret = verify_krb5_init_creds(r, context, &creds, server, keytab))) {
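Review bot: With both `krb5_kt_close(context, keytab)` calls removed from this branch, nothing visible in the hunk releases `keytab` any more, so the fix is only correct if the cleanup at `end:` closes it exactly once on every path. That label and the start of authenticate_user_krb5pwd() are outside the hunk, so this should be confirmed against the patched source; if the close is missing there, the change would trade the memory-safety bug for a keytab handle leaked on each request. A comment at the removal site such as `/* keytab is closed at end:; do not close it here */` would keep the calls from being re-added later. The patch file name says double free while its Description line says use after free; using one term in both places would keep the bug references and the ebuild comment consistent.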
diff --git a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
deleted file mode 100644
index a83b2926d126..000000000000
--- a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=5
-inherit apache-module epatch tmpfiles
-
-DESCRIPTION="An Apache authentication module using Kerberos"
-HOMEPAGE="http://modauthkerb.sourceforge.net/"
-SRC_URI="mirror://sourceforge/modauthkerb/${P}.tar.gz
- https://dev.gentoo.org/~mgorny/dist/${P}-gentoo-patchset.tar.bz2"
-
-LICENSE="BSD openafs-krb5-a HPND"
-SLOT="0"
-KEYWORDS="amd64 x86"
-IUSE=""
-
-DEPEND="virtual/krb5"
-RDEPEND="${DEPEND}"
-
-APACHE2_MOD_CONF="11_${PN}"
-APACHE2_MOD_DEFINE="AUTH_KERB"
-
-DOCFILES="INSTALL README"
-
-need_apache2
-
-PATCHES=(
- "${WORKDIR}/${P}-gentoo-patchset"/${P}-rcopshack.patch
- "${WORKDIR}/${P}-gentoo-patchset"/${P}-fixes.patch
- "${WORKDIR}/${P}-gentoo-patchset"/${P}-s4u2proxy.patch
- "${WORKDIR}/${P}-gentoo-patchset"/${P}-httpd24.patch
- "${WORKDIR}/${P}-gentoo-patchset"/${P}-delegation.patch
- "${WORKDIR}/${P}-gentoo-patchset"/${P}-cachedir.patch
- "${WORKDIR}/${P}-gentoo-patchset"/${P}-longuser.patch
- "${WORKDIR}/${P}-gentoo-patchset"/${P}-handle-continue.patch
- "${WORKDIR}/${P}-gentoo-patchset"/${P}-heimdal.patch
-)
-
-src_prepare() {
- epatch "${PATCHES[@]}"
-}
-
-src_configure() {
- CFLAGS="" APXS="${APXS}" econf --with-krb5=/usr --without-krb4
-}
-
-src_compile() {
- emake
-}
-
-src_install() {
- apache-module_src_install
- dotmpfiles "${FILESDIR}/${PN}.conf"
-}
-
-pkg_postinst() {
- tmpfiles_process ${PN}.conf
-}
diff --git a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r3.ebuild b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r5.ebuild
index 0a59d3214ff2..f06674c34353 100644
--- a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r3.ebuild
+++ b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r5.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
@@ -12,7 +12,7 @@ SRC_URI="mirror://sourceforge/project/modauthkerb/${PN}/${P}/${P}.tar.gz
LICENSE="BSD openafs-krb5-a HPND"
SLOT="0"
-KEYWORDS="~amd64 ~x86"
+KEYWORDS="amd64 x86"
DEPEND="virtual/krb5"
RDEPEND="${DEPEND}"
@@ -34,6 +34,11 @@ PATCHES=(
"${WORKDIR}/${P}-gentoo-patchset"/${P}-longuser.patch
"${WORKDIR}/${P}-gentoo-patchset"/${P}-handle-continue.patch
"${WORKDIR}/${P}-gentoo-patchset"/${P}-heimdal.patch
+
+ # bug #830208
+ "${FILESDIR}"/${P}-api-change-krb5.patch
+ # bug #673066
+ "${FILESDIR}"/${P}-krb5pwd-double-free.patch
)
# Work around Bug #616612
@@ -52,7 +57,8 @@ src_compile() {
src_install() {
apache-module_src_install
- dotmpfiles "${FILESDIR}/${PN}.conf"
+
+ dotmpfiles "${FILESDIR}"/${PN}.conf
}
pkg_postinst() {