head	1.2;
access;
symbols
	pkgsrc-2013Q2:1.2.0.20
	pkgsrc-2013Q2-base:1.2
	pkgsrc-2012Q4:1.2.0.18
	pkgsrc-2012Q4-base:1.2
	pkgsrc-2011Q4:1.2.0.16
	pkgsrc-2011Q4-base:1.2
	pkgsrc-2011Q2:1.2.0.14
	pkgsrc-2011Q2-base:1.2
	pkgsrc-2009Q4:1.2.0.12
	pkgsrc-2009Q4-base:1.2
	pkgsrc-2008Q4:1.2.0.10
	pkgsrc-2008Q4-base:1.2
	pkgsrc-2008Q3:1.2.0.8
	pkgsrc-2008Q3-base:1.2
	cube-native-xorg:1.2.0.6
	cube-native-xorg-base:1.2
	pkgsrc-2008Q2:1.2.0.4
	pkgsrc-2008Q2-base:1.2
	pkgsrc-2008Q1:1.2.0.2
	pkgsrc-2008Q1-base:1.2
	pkgsrc-2007Q4:1.1.0.14
	pkgsrc-2007Q4-base:1.1
	pkgsrc-2007Q3:1.1.0.12
	pkgsrc-2007Q3-base:1.1
	pkgsrc-2007Q2:1.1.0.10
	pkgsrc-2007Q2-base:1.1
	pkgsrc-2007Q1:1.1.0.8
	pkgsrc-2007Q1-base:1.1
	pkgsrc-2006Q4:1.1.0.6
	pkgsrc-2006Q4-base:1.1
	pkgsrc-2006Q3:1.1.0.4
	pkgsrc-2006Q3-base:1.1
	pkgsrc-2006Q2:1.1.0.2;
locks; strict;
comment	@# @;


1.2
date	2008.02.28.08.14.41;	author jlam;	state dead;
branches;
next	1.1;

1.1
date	2006.08.09.17.58.09;	author salo;	state Exp;
branches
	1.1.2.1;
next	;

1.1.2.1
date	2006.08.09.17.58.09;	author ghen;	state dead;
branches;
next	1.1.2.2;

1.1.2.2
date	2006.08.10.07.14.03;	author ghen;	state Exp;
branches;
next	;


desc
@@


1.2
log
@Update security/heimdal to version 1.1.  Changes from version 0.7.2 include:

 * Read-only PKCS11 provider built-in to hx509.
 * Better compatibilty with Windows 2008 Server pre-releases and Vista.
 * Add RFC3526 modp group14 as default.
 * Handle [kdc] database = { } entries without realm = stanzas.
 * Add gss_pseudo_random() for mechglue and krb5.
 * Make session key for the krbtgt be selected by the best encryption
   type of the client.
 * Better interoperability with other PK-INIT implementations.
 * Alias support for inital ticket requests.
 * Make ASN.1 library less paranoid to with regard to NUL in string to
   make it inter-operate with MIT Kerberos again.
 * PK-INIT support.
 * HDB extensions support, used by PK-INIT.
 * New ASN.1 compiler.
 * GSS-API mechglue from FreeBSD.
 * Updated SPNEGO to support RFC4178.
 * Support for Cryptosystem Negotiation Extension (RFC 4537).
 * A new X.509 library (hx509) and related crypto functions.
 * A new ntlm library (heimntlm) and related crypto functions.
 * KDC will return the "response too big" error to force TCP retries
   for large (default 1400 bytes) UDP replies.  This is common for
   PK-INIT requests.
 * Libkafs defaults to use 2b tokens.
 * krb5_kuserok() also checks ~/.k5login.d directory for acl files.
 * Fix memory leaks.
 * Bugs fixes
@
text
@$NetBSD: patch-aq,v 1.1 2006/08/09 17:58:09 salo Exp $

Security fix for SA21436.

--- lib/roken/iruserok.c.orig	2005-04-12 13:28:54.000000000 +0200
+++ lib/roken/iruserok.c	2006-08-09 19:42:15.000000000 +0200
@@@@ -250,7 +250,8 @@@@ again:
 		 * are protected read/write owner only.
 		 */
 		uid = geteuid();
-		seteuid(pwd->pw_uid);
+		if (seteuid(pwd->pw_uid) < 0)
+			return (-1);
 		hostf = fopen(pbuf, "r");
 		seteuid(uid);
 
@


1.1
log
@Security fix for SA21436:

"A security issue has been reported in Heimdal, which potentially can be
 exploited by malicious, local users to perform certain actions with
 escalated privileges.

 The security issue is caused due to missing checks for whether the
 "setuid()" call has succeeded in the bundled rcp application. This may
 be exploited to perform certain actions with root privileges if the
 "setuid()" call fails due to e.g. resource limits."

http://secunia.com/advisories/21436/
http://www.pdc.kth.se/heimdal/advisory/2006-08-08/

Bump PKGREVISION.
@
text
@d1 1
a1 1
$NetBSD$
@


1.1.2.1
log
@file patch-aq was added on branch pkgsrc-2006Q2 on 2006-08-09 17:58:09 +0000
@
text
@d1 16
@


1.1.2.2
log
@Pullup ticket 1784 - requested by salo
security fix for heimdal

Revisions pulled up:
- pkgsrc/security/heimdal/Makefile			1.60-1.62
- pkgsrc/security/heimdal/distinfo			1.20-1.21
- pkgsrc/security/heimdal/PLIST				1.11
- pkgsrc/security/heimdal/PLIST.Linux			removed
- pkgsrc/security/heimdal/patches/patch-al		1.1
- pkgsrc/security/heimdal/patches/patch-am		1.1
- pkgsrc/security/heimdal/patches/patch-an		1.1
- pkgsrc/security/heimdal/patches/patch-ao		1.1
- pkgsrc/security/heimdal/patches/patch-ap		1.1
- pkgsrc/security/heimdal/patches/patch-aq		1.1

   Module Name:	pkgsrc
   Committed By:	markd
   Date:		Sun Jul  2 13:53:28 UTC 2006

   Modified Files:
	pkgsrc/security/heimdal: Makefile
   Added Files:
	pkgsrc/security/heimdal: PLIST.SunOS

   Log Message:
   Solaris does not have err.h, glob.h, ifaddrs.h and vis.h compatible with
   heimdal, so heimdal installs its own. Add them in PLIST.SunOS
   Fixes PR pkg/33656.   Bump PKGREVISION.
---
   Module Name:	pkgsrc
   Committed By:	jlam
   Date:		Wed Jul  5 04:39:15 UTC 2006

   Modified Files:
	pkgsrc/security/heimdal: Makefile PLIST distinfo
   Added Files:
	pkgsrc/security/heimdal/patches: patch-al
   Removed Files:
	pkgsrc/security/heimdal: PLIST.Linux PLIST.SunOS

   Log Message:
   Back out previous and do the same thing more generally for all platforms.
   Since the heimdal install process will install additional headers in
   ${PREFIX}/include/krb5 depending on what the configure process detects,
   simply query the source Makefile at install-time for the extra headers
   that it will install and dynamically add them to the PLIST.
---
   Module Name:	pkgsrc
   Committed By:	salo
   Date:		Wed Aug  9 17:58:09 UTC 2006

   Modified Files:
	pkgsrc/security/heimdal: Makefile distinfo
   Added Files:
	pkgsrc/security/heimdal/patches: patch-am patch-an patch-ao patch-ap
	    patch-aq

   Log Message:
   Security fix for SA21436:

   "A security issue has been reported in Heimdal, which potentially can be
    exploited by malicious, local users to perform certain actions with
    escalated privileges.

    The security issue is caused due to missing checks for whether the
    "setuid()" call has succeeded in the bundled rcp application. This may
    be exploited to perform certain actions with root privileges if the
    "setuid()" call fails due to e.g. resource limits."

   http://secunia.com/advisories/21436/
   http://www.pdc.kth.se/heimdal/advisory/2006-08-08/

   Bump PKGREVISION.
@
text
@a0 16
$NetBSD: patch-aq,v 1.1.2.1 2006/08/10 07:14:03 ghen Exp $

Security fix for SA21436.

--- lib/roken/iruserok.c.orig	2005-04-12 13:28:54.000000000 +0200
+++ lib/roken/iruserok.c	2006-08-09 19:42:15.000000000 +0200
@@@@ -250,7 +250,8 @@@@ again:
 		 * are protected read/write owner only.
 		 */
 		uid = geteuid();
-		seteuid(pwd->pw_uid);
+		if (seteuid(pwd->pw_uid) < 0)
+			return (-1);
 		hostf = fopen(pbuf, "r");
 		seteuid(uid);
 
@