head	1.2;
access;
symbols
	pkgsrc-2013Q2:1.2.0.8
	pkgsrc-2013Q2-base:1.2
	pkgsrc-2012Q4:1.2.0.6
	pkgsrc-2012Q4-base:1.2
	pkgsrc-2011Q4:1.2.0.4
	pkgsrc-2011Q4-base:1.2
	pkgsrc-2011Q2:1.2.0.2
	pkgsrc-2011Q2-base:1.2
	pkgsrc-2010Q4:1.1.0.4
	pkgsrc-2010Q4-base:1.1
	pkgsrc-2010Q3:1.1.0.2;
locks; strict;
comment	@# @;


1.2
date	2011.03.22.23.31.05;	author tez;	state dead;
branches;
next	1.1;

1.1
date	2010.12.03.20.11.31;	author tez;	state Exp;
branches
	1.1.2.1;
next	;

1.1.2.1
date	2010.12.03.20.11.31;	author spz;	state dead;
branches;
next	1.1.2.2;

1.1.2.2
date	2010.12.12.15.20.09;	author spz;	state Exp;
branches;
next	;


desc
@@


1.2
log
@Update MIT Kerberos to v1.8.3 with the latest security patches up to and
including MITKRB5-SA-2011-003.

Please see http://web.mit.edu/kerberos/ for the change logs since v1.4.2

Note that the r-services, telnetd and ftpd services and the related client
applications are now in a separate pacakge security/mit-krb5-appl.
@
text
@$NetBSD: patch-cd,v 1.1 2010/12/03 20:11:31 tez Exp $

CVE-2010-1323 fix

--- lib/krb5/krb/mk_safe.c.orig	2010-12-03 11:41:53.890970000 -0600
+++ lib/krb5/krb/mk_safe.c	2010-12-03 11:44:00.588325800 -0600
@@@@ -212,10 +212,29 @@@@
 	for (i = 0; i < nsumtypes; i++)
 		if (auth_context->safe_cksumtype == sumtypes[i])
 			break;
-	if (i == nsumtypes)
-		i = 0;
-	sumtype = sumtypes[i];
 	krb5_free_cksumtypes (context, sumtypes);
+	if (i < nsumtypes)
+	    sumtype = auth_context->safe_cksumtype;
+	else {
+	    switch (keyblock->enctype) {
+	    case ENCTYPE_DES_CBC_MD4:
+		sumtype = CKSUMTYPE_RSA_MD4_DES;
+		break;
+	    case ENCTYPE_DES_CBC_MD5:
+	    case ENCTYPE_DES_CBC_CRC:
+		sumtype = CKSUMTYPE_RSA_MD5_DES;
+		break;
+	    default:
+		retval = krb5int_c_mandatory_cksumtype(context,
+						       keyblock->enctype,
+						       &sumtype);
+		if (retval) {
+		    CLEANUP_DONE();
+		    goto error;
+		}
+		break;
+	    }
+	}
     }
     if ((retval = krb5_mk_safe_basic(context, userdata, keyblock, &replaydata, 
 				     plocal_fulladdr, premote_fulladdr,
@


1.1
log
@add fix for CVE-2010-1323 from
http://web.mit.edu/kerberos/advisories/2010-007-patch-r15.txt
@
text
@d1 1
a1 1
$NetBSD$
@


1.1.2.1
log
@file patch-cd was added on branch pkgsrc-2010Q3 on 2010-12-12 15:20:09 +0000
@
text
@d1 39
@


1.1.2.2
log
@Pullup ticket 3299 - requested by tez
security fixes

Revisions pulled up:
- pkgsrc/security/mit-krb5/Makefile		1.50
- pkgsrc/security/mit-krb5/distinfo		1.26

Files added:
pkgsrc/security/mit-krb5/patches/patch-ca
pkgsrc/security/mit-krb5/patches/patch-cb
pkgsrc/security/mit-krb5/patches/patch-cc
pkgsrc/security/mit-krb5/patches/patch-cd

-------------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   tez
   Date:           Fri Dec  3 20:11:31 UTC 2010

   Modified Files:
           pkgsrc/security/mit-krb5: Makefile distinfo
   Added Files:
           pkgsrc/security/mit-krb5/patches: patch-ca patch-cb patch-cc patch-cd

   Log Message:
   add fix for CVE-2010-1323 from
   http://web.mit.edu/kerberos/advisories/2010-007-patch-r15.txt


   To generate a diff of this commit:
   cvs rdiff -u -r1.49 -r1.50 pkgsrc/security/mit-krb5/Makefile
   cvs rdiff -u -r1.25 -r1.26 pkgsrc/security/mit-krb5/distinfo
   cvs rdiff -u -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-ca \
       pkgsrc/security/mit-krb5/patches/patch-cb \
       pkgsrc/security/mit-krb5/patches/patch-cc \
       pkgsrc/security/mit-krb5/patches/patch-cd
@
text
@a0 39
$NetBSD: patch-cd,v 1.1 2010/12/03 20:11:31 tez Exp $

CVE-2010-1323 fix

--- lib/krb5/krb/mk_safe.c.orig	2010-12-03 11:41:53.890970000 -0600
+++ lib/krb5/krb/mk_safe.c	2010-12-03 11:44:00.588325800 -0600
@@@@ -212,10 +212,29 @@@@
 	for (i = 0; i < nsumtypes; i++)
 		if (auth_context->safe_cksumtype == sumtypes[i])
 			break;
-	if (i == nsumtypes)
-		i = 0;
-	sumtype = sumtypes[i];
 	krb5_free_cksumtypes (context, sumtypes);
+	if (i < nsumtypes)
+	    sumtype = auth_context->safe_cksumtype;
+	else {
+	    switch (keyblock->enctype) {
+	    case ENCTYPE_DES_CBC_MD4:
+		sumtype = CKSUMTYPE_RSA_MD4_DES;
+		break;
+	    case ENCTYPE_DES_CBC_MD5:
+	    case ENCTYPE_DES_CBC_CRC:
+		sumtype = CKSUMTYPE_RSA_MD5_DES;
+		break;
+	    default:
+		retval = krb5int_c_mandatory_cksumtype(context,
+						       keyblock->enctype,
+						       &sumtype);
+		if (retval) {
+		    CLEANUP_DONE();
+		    goto error;
+		}
+		break;
+	    }
+	}
     }
     if ((retval = krb5_mk_safe_basic(context, userdata, keyblock, &replaydata, 
 				     plocal_fulladdr, premote_fulladdr,
@