head 1.3; access; symbols pkgsrc-2013Q2:1.3.0.8 pkgsrc-2013Q2-base:1.3 pkgsrc-2012Q4:1.3.0.6 pkgsrc-2012Q4-base:1.3 pkgsrc-2011Q4:1.3.0.4 pkgsrc-2011Q4-base:1.3 pkgsrc-2011Q2:1.3.0.2 pkgsrc-2011Q2-base:1.3 pkgsrc-2010Q4:1.2.0.28 pkgsrc-2010Q4-base:1.2 pkgsrc-2010Q3:1.2.0.26 pkgsrc-2010Q3-base:1.2 pkgsrc-2010Q2:1.2.0.24 pkgsrc-2010Q2-base:1.2 pkgsrc-2010Q1:1.2.0.22 pkgsrc-2010Q1-base:1.2 pkgsrc-2009Q4:1.2.0.20 pkgsrc-2009Q4-base:1.2 pkgsrc-2009Q3:1.2.0.18 pkgsrc-2009Q3-base:1.2 pkgsrc-2009Q2:1.2.0.16 pkgsrc-2009Q2-base:1.2 pkgsrc-2009Q1:1.2.0.14 pkgsrc-2009Q1-base:1.2 pkgsrc-2008Q4:1.2.0.12 pkgsrc-2008Q4-base:1.2 pkgsrc-2008Q3:1.2.0.10 pkgsrc-2008Q3-base:1.2 cube-native-xorg:1.2.0.8 cube-native-xorg-base:1.2 pkgsrc-2008Q2:1.2.0.6 pkgsrc-2008Q2-base:1.2 cwrapper:1.2.0.4 pkgsrc-2008Q1:1.2.0.2; locks; strict; comment @# @; expand @k@; 1.3 date 2011.03.22.23.31.04; author tez; state dead; branches; next 1.2; 1.2 date 2008.06.07.20.22.18; author tonnerre; state Exp; branches 1.2.2.1; next 1.1; 1.1 date 2008.06.07.18.36.06; author tonnerre; state Exp; branches; next ; 1.2.2.1 date 2008.06.07.20.22.18; author tron; state dead; branches; next 1.2.2.2; 1.2.2.2 date 2008.06.08.11.47.13; author tron; state Exp; branches; next ; desc @@ 1.3 log @Update MIT Kerberos to v1.8.3 with the latest security patches up to and including MITKRB5-SA-2011-003. Please see http://web.mit.edu/kerberos/ for the change logs since v1.4.2 Note that the r-services, telnetd and ftpd services and the related client applications are now in a separate pacakge security/mit-krb5-appl. 
@ text @$NetBSD$ --- kdc/do_tgs_req.c.orig 2005-07-12 22:59:51.000000000 +0200 +++ kdc/do_tgs_req.c @@@@ -490,27 +490,38 @@@@ tgt_again: newtransited = 1; } if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) { + unsigned int tlen; + char *tdots; + errcode = krb5_check_transited_list (kdc_context, &enc_tkt_reply.transited.tr_contents, krb5_princ_realm (kdc_context, header_ticket->enc_part2->client), krb5_princ_realm (kdc_context, request->server)); + tlen = enc_tkt_reply.transited.tr_contents.length; + tdots = tlen > 125 ? "..." : ""; + tlen = tlen > 125 ? 125 : tlen; + if (errcode == 0) { setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED); } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT) krb5_klog_syslog (LOG_INFO, - "bad realm transit path from '%s' to '%s' via '%.*s'", + "bad realm transit path from '%s' to '%s' " + "via '%.*s%s'", cname ? cname : "", sname ? sname : "", - enc_tkt_reply.transited.tr_contents.length, - enc_tkt_reply.transited.tr_contents.data); - else + tlen, + enc_tkt_reply.transited.tr_contents.data, + tdots); + else { krb5_klog_syslog (LOG_ERR, - "unexpected error checking transit from '%s' to '%s' via '%.*s': %s", + "unexpected error checking transit from " + "'%s' to '%s' via '%.*s%s': %s", cname ? cname : "", sname ? 
sname : "", - enc_tkt_reply.transited.tr_contents.length, + tlen, enc_tkt_reply.transited.tr_contents.data, - error_message (errcode)); + tdots, error_message (errcode)); + } } else krb5_klog_syslog (LOG_INFO, "not checking transit path"); if (reject_bad_transit @@@@ -538,6 +549,9 @@@@ tgt_again: if (!krb5_principal_compare(kdc_context, request->server, client2)) { if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp))) tmp = 0; + if (tmp != NULL) + limit_string(tmp); + krb5_klog_syslog(LOG_INFO, "TGS_REQ %s: 2ND_TKT_MISMATCH: " "authtime %d, %s for %s, 2nd tkt client %s", @@@@ -800,6 +814,7 @@@@ find_alternate_tgs(krb5_kdc_req *request krb5_klog_syslog(LOG_INFO, "TGS_REQ: issuing alternate TGT"); } else { + limit_string(sname); krb5_klog_syslog(LOG_INFO, "TGS_REQ: issuing TGT %s", sname); free(sname); @ 1.2 log @Remove parts of a different security patch which slipped in but are not supported yet. Don't bump revision as the package didn't build before. @ text @@ 1.2.2.1 log @file patch-aw was added on branch pkgsrc-2008Q1 on 2008-06-08 11:47:13 +0000 @ text @d1 68 @ 1.2.2.2 log @Pullup ticket #2417 - requested by tonnerre Security patches for mit-krb5 Revisions pulled up: - security/mit-krb5/Makefile 1.42 - security/mit-krb5/distinfo 1.17-1.19 - security/mit-krb5/patches/patch-ai 1.3-1.4 - security/mit-krb5/patches/patch-au 1.1-1.2 - security/mit-krb5/patches/patch-av 1.1-1.2 - security/mit-krb5/patches/patch-aw 1.1-1.2 - security/mit-krb5/patches/patch-ax 1.1-1.2 - security/mit-krb5/patches/patch-ay 1.1-1.2 - security/mit-krb5/patches/patch-az 1.1-1.2 - security/mit-krb5/patches/patch-ba 1.1-1.3 - security/mit-krb5/patches/patch-bb 1.1-1.2 - security/mit-krb5/patches/patch-bc 1.1-1.2 - security/mit-krb5/patches/patch-bd 1.1-1.2 - security/mit-krb5/patches/patch-be 1.1-1.2 - security/mit-krb5/patches/patch-bf 1.1 - security/mit-krb5/patches/patch-bg 1.1 --- Module Name: pkgsrc Committed By: tonnerre Date: Sat Jun 7 18:36:07 UTC 2008 Modified Files: 
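Review bot: Only the transit path is bounded in the two rewritten krb5_klog_syslog calls of the `-490,27` hunk; `cname` and `sname` still reach the same format strings through plain `%s` at whatever length they have. If they are not shortened earlier in the function, which the hunk does not show, the message can still exceed the length the truncation is meant to enforce. Either add `if (cname != NULL) limit_string(cname);` (and the same for `sname`) before the check, or add a comment saying where they are bounded. As style points, the literal 125 is written three times and `tdots` only ever points at string literals, so a named constant and `const char *tdots;` would state the intent, and `(int) tlen` would match the `int` that `%.*s` expects. The same patch text is stored again under revision 1.2.2.2 further down and the points apply there too; the enclosing function starts and ends outside the hunk.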
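Review bot: The NULL guard added before `limit_string(tmp)` in the `-538,6` hunk is not repeated for `limit_string(sname)` in the find_alternate_tgs hunk (`-800,6`), and nothing in this patch shows whether limit_string accepts a NULL argument. The second call sits in an `else` branch whose condition lies outside the hunk, so `sname` is presumably valid there, but a one-line comment such as `/* sname cannot be NULL in this branch */` would make the asymmetry deliberate rather than accidental. In the first of the two hunks, `tmp = 0;` would read better as `tmp = NULL;` now that the following line compares against NULL. The copy of these hunks under revision 1.2.2.2 is identical.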
pkgsrc/security/mit-krb5: Makefile distinfo Added Files: pkgsrc/security/mit-krb5/patches: patch-ai patch-au patch-av patch-aw patch-ax patch-ay patch-az patch-ba patch-bb patch-bc patch-bd patch-be Log Message: Add security patches for 3 Kerberos vulnerabilities: - telnetd username and environment sanitizing vulnerabilities ("-f root") as described in MIT Kerberos advisory 2007-001. - krb5_klog_syslog() problems with overly long log strings as described in MIT Kerberos advisory 2007-002. - GSS API kg_unseal_v1() double free vulnerability as described in the MIT Kerberos advisory 2007-003. --- Module Name: pkgsrc Committed By: tonnerre Date: Sat Jun 7 20:22:18 UTC 2008 Modified Files: pkgsrc/security/mit-krb5: distinfo pkgsrc/security/mit-krb5/patches: patch-ai patch-au patch-av patch-aw patch-ax patch-ay patch-az patch-ba patch-bb patch-bc patch-bd patch-be Log Message: Remove parts of a different security patch which slipped in but are not supported yet. Don't bump revision as the package didn't build before. --- Module Name: pkgsrc Committed By: tonnerre Date: Sat Jun 7 22:26:10 UTC 2008 Modified Files: pkgsrc/security/mit-krb5: distinfo pkgsrc/security/mit-krb5/patches: patch-ba Added Files: pkgsrc/security/mit-krb5/patches: patch-bf patch-bg Log Message: Add patches for MITKRB5-SA-2007-004 and MITKRB5-SA-2007-005. PKGREVISION will be bumped again once some other patches are in. 
@ text @a0 68 $NetBSD: patch-aw,v 1.1 2008/06/07 18:36:06 tonnerre Exp $ --- kdc/do_tgs_req.c.orig 2005-07-12 22:59:51.000000000 +0200 +++ kdc/do_tgs_req.c @@@@ -490,27 +490,38 @@@@ tgt_again: newtransited = 1; } if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) { + unsigned int tlen; + char *tdots; + errcode = krb5_check_transited_list (kdc_context, &enc_tkt_reply.transited.tr_contents, krb5_princ_realm (kdc_context, header_ticket->enc_part2->client), krb5_princ_realm (kdc_context, request->server)); + tlen = enc_tkt_reply.transited.tr_contents.length; + tdots = tlen > 125 ? "..." : ""; + tlen = tlen > 125 ? 125 : tlen; + if (errcode == 0) { setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED); } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT) krb5_klog_syslog (LOG_INFO, - "bad realm transit path from '%s' to '%s' via '%.*s'", + "bad realm transit path from '%s' to '%s' " + "via '%.*s%s'", cname ? cname : "", sname ? sname : "", - enc_tkt_reply.transited.tr_contents.length, - enc_tkt_reply.transited.tr_contents.data); - else + tlen, + enc_tkt_reply.transited.tr_contents.data, + tdots); + else { krb5_klog_syslog (LOG_ERR, - "unexpected error checking transit from '%s' to '%s' via '%.*s': %s", + "unexpected error checking transit from " + "'%s' to '%s' via '%.*s%s': %s", cname ? cname : "", sname ? 
sname : "", - enc_tkt_reply.transited.tr_contents.length, + tlen, enc_tkt_reply.transited.tr_contents.data, - error_message (errcode)); + tdots, error_message (errcode)); + } } else krb5_klog_syslog (LOG_INFO, "not checking transit path"); if (reject_bad_transit @@@@ -538,6 +549,9 @@@@ tgt_again: if (!krb5_principal_compare(kdc_context, request->server, client2)) { if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp))) tmp = 0; + if (tmp != NULL) + limit_string(tmp); + krb5_klog_syslog(LOG_INFO, "TGS_REQ %s: 2ND_TKT_MISMATCH: " "authtime %d, %s for %s, 2nd tkt client %s", @@@@ -800,6 +814,7 @@@@ find_alternate_tgs(krb5_kdc_req *request krb5_klog_syslog(LOG_INFO, "TGS_REQ: issuing alternate TGT"); } else { + limit_string(sname); krb5_klog_syslog(LOG_INFO, "TGS_REQ: issuing TGT %s", sname); free(sname); @ 1.1 log @Add security patches for 3 Kerberos vulnerabilities: - telnetd username and environment sanitizing vulnerabilities ("-f root") as described in MIT Kerberos advisory 2007-001. - krb5_klog_syslog() problems with overly long log strings as described in MIT Kerberos advisory 2007-002. - GSS API kg_unseal_v1() double free vulnerability as described in the MIT Kerberos advisory 2007-003. @ text @d3 3 a5 3 --- src/kdc/do_tgs_req.c.orig 2005-07-12 22:59:51.000000000 +0200 +++ src/kdc/do_tgs_req.c @@@@ -490,27 +490,40 @@@@ tgt_again: a35 1 + char *emsg = krb5_get_error_message(kdc_context, errcode); d46 1 a46 2 + tdots, emsg); + krb5_free_error_message(kdc_context, emsg); d51 1 a51 1 @@@@ -538,6 +551,9 @@@@ tgt_again: d61 1 a61 1 @@@@ -800,6 +816,7 @@@@ find_alternate_tgs(krb5_kdc_req *request @