Index: head/security/krb5-112/Makefile
===================================================================
--- head/security/krb5-112/Makefile (revision 379531)
+++ head/security/krb5-112/Makefile (revision 379532)
@@ -1,156 +1,154 @@ # Created by: nectar@FreeBSD.org # $FreeBSD$ PORTNAME= krb5 -PORTVERSION= 1.12.2 -PORTREVISION= 3 +PORTVERSION= 1.12.3 CATEGORIES= security MASTER_SITES= http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/ PKGNAMESUFFIX= -112 DISTNAME= ${PORTNAME}-${PORTVERSION}-signed EXTRACT_SUFX= .tar PATCH_SITES= http://web.mit.edu/kerberos/advisories/ PATCH_DIST_STRIP= -p2 -PATCHFILES= 2015-001-patch-r112.txt MAINTAINER= cy@FreeBSD.org COMMENT= Authentication system developed at MIT, successor to Kerberos IV LICENSE= MIT BUILD_DEPENDS= gm4:${PORTSDIR}/devel/m4 CONFLICTS= heimdal-[0-9]* srp-[0-9]* krb5-[0-9]* krb5-maint-111-* LATEST_LINK= ${PORTNAME}-112 KERBEROSV_URL= http://web.mit.edu/kerberos/ USE_PERL5= build USE_LDCONFIG= yes USE_CSTD= gnu99 GNU_CONFIGURE= yes USES= gettext gmake perl5 libtool:build CONFIGURE_ARGS?= --enable-shared --without-system-verto \ --disable-rpath CONFIGURE_ENV= INSTALL="${INSTALL}" INSTALL_LIB="${INSTALL_LIB}" YACC="${YACC}" MAKE_ARGS= INSTALL="${INSTALL}" INSTALL_LIB="${INSTALL_LIB}" OPTIONS_DEFINE= KRB5_PDF KRB5_HTML DNS_FOR_REALM LDAP READLINE OPTIONS_DEFAULT= KRB5_PDF KRB5_HTML KRB5_PDF_DESC= Install krb5 PDF documentation KRB5_HTML_DESC= Install krb5 HTML documentation DNS_FOR_REALM_DESC= Enable DNS lookups for Kerberos realm names LDAP= Enable LDAP support .if defined(KRB5_HOME) PREFIX= ${KRB5_HOME} .endif CPPFLAGS+= -I${LOCALBASE}/include -I${OPENSSLINC} LDFLAGS+= -L${LOCALBASE}/lib -L${OPENSSLLIB} USE_OPENSSL= yes USE_RC_SUBR= kpropd .include # Fix up -Wl,-rpath in LDFLAGS .if !empty(KRB5_HOME) _RPATH= ${KRB5_HOME}/lib: .else _RPATH= ${LOCALBASE}/lib: .endif .if !empty(LDFLAGS:M-Wl,-rpath,*) .for F in ${LDFLAGS:M-Wl,-rpath,*} LDFLAGS:= -Wl,-rpath,${_RPATH}${F:S/-Wl,-rpath,//} \ ${LDFLAGS:N-Wl,-rpath,*} .endfor .endif .if defined(KRB5_HOME) && ${KRB5_HOME} != ${LOCALBASE} BROKEN= LIB_DEPENDS when using KRB5_HOME is broken .endif .if ${PORT_OPTIONS:MDNS_FOR_REALM} 
CONFIGURE_ARGS+= --enable-dns-for-realm .endif .if ${PORT_OPTIONS:MLDAP} USE_OPENLDAP= yes CONFIGURE_ARGS+= --with-ldap PLIST_SUB+= LDAP="" .else PLIST_SUB+= LDAP="@comment " .endif .if ${PORT_OPTIONS:MREADLINE} .if ${OSVERSION} >= 1100000 # libtool has some gas with libreadline in 11-CURRENT. BUILD_DEPENDS+= libreadline.so:${PORTSDIR}/devel/readline LIB_DEPENDS+= libreadline.so:${PORTSDIR}/devel/readline .else USES+= readline:port CONFIGURE_ARGS+= --with-readline .endif .endif .if defined(PROGRAM_TRANSFORM_NAME) && ${PROGRAM_TRANSFORM_NAME} != "" CONFIGURE_ARGS+= --program-transform-name="${PROGRAM_TRANSFORM_NAME}" .endif WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}/src HTML_DOC_DIR= ${WRKDIR}/${PORTNAME}-${PORTVERSION}/doc/html PDF_DOC_DIR= ${WRKDIR}/${PORTNAME}-${PORTVERSION}/doc/pdf post-extract: @${TAR} -C ${WRKDIR} -xzf ${WRKDIR}/${PORTNAME}-${PORTVERSION}.tar.gz --no-same-owner --no-same-permissions @${RM} ${WRKDIR}/${PORTNAME}-${PORTVERSION}.tar.gz ${WRKDIR}/${PORTNAME}-${PORTVERSION}.tar.gz.asc post-install: @${MKDIR} ${STAGEDIR}${PREFIX}/share/doc/krb5 # html documentation .if ${PORT_OPTIONS:MKRB5_PDF} pdf_files=`${FIND} ${PDF_DOC_DIR} ! -type d` pdf_dirs=`${FIND} ${PDF_DOC_DIR} -type d` for i in $${pdf_dirs}; do \ ${MKDIR} ${STAGEDIR}${PREFIX}/share/doc/krb5/$${i}; \ done; \ for i in $${pdf_files}; do \ ${INSTALL_MAN} $${pdf} ${PREFIX}/share/doc/krb5/$${i}; \ ${ECHO_CMD} share/doc/krb5/$${i} >> ${TMPPLIST}; \ done .endif .if ${PORT_OPTIONS:MKRB5_HTML} html_files=`${FIND} ${HTML_DOC_DIR} ! 
-type d | ${GREP} -v /_sources` html_dirs=`${FIND} ${HTML_DOC_DIR} -type d | ${GREP} -v /_sources` for i in $${html_dirs}; do \ ${MKDIR} ${PREFIX}/share/doc/krb5/$${i}; \ done; \ for i in $${html_files}; do \ ${INSTALL_MAN} $${i} ${PREFIX}/share/doc/krb5/$${i}; \ ${ECHO_CMD} share/doc/krb5/$${i} >> ${TMPPLIST}; \ done .endif .if ${PORT_OPTIONS:MKRB5_PDF} for i in $${pdf_dirs}; do \ ${ECHO_CMD} @dir share/doc/krb5/$${i} >> ${TMPPLIST}; \ done | ${TAIL} -r >> ${TMPPLIST} .endif .if ${PORT_OPTIONS:MKRB5_HTML} for i in $${html_dirs}; do \ ${ECHO_CMD} @dir share/doc/krb5/$${i} >> ${TMPPLIST}; \ done | ${TAIL} -r >> ${TMPPLIST} .endif ${ECHO_CMD} @dir share/doc/krb5 >> ${TMPPLIST} @${SED} "s%\${PREFIX}%${PREFIX}%" ${FILESDIR}/README.FreeBSD > ${STAGEDIR}${PREFIX}/share/doc/krb5/README.FreeBSD @${CHMOD} 444 ${STAGEDIR}${PREFIX}/share/doc/krb5/README.FreeBSD @${ECHO} "------------------------------------------------------" @${ECHO} "This port of MIT Kerberos 5 includes remote login " @${ECHO} "daemons (telnetd and klogind). These daemons default " @${ECHO} "to using the system login program (/usr/bin/login). " @${ECHO} "Please see the file " @${ECHO} "${PREFIX}/share/doc/krb5/README.FreeBSD" @${ECHO} "for more information. " @${ECHO} "------------------------------------------------------" .include Index: head/security/krb5-112/distinfo =================================================================== --- head/security/krb5-112/distinfo (revision 379531) +++ head/security/krb5-112/distinfo (revision 379532) 
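Review bot: Removing `PATCHFILES= 2015-001-patch-r112.txt` near the top of the Makefile takes the MIT advisory patch out of the build, and nothing visible in this diff establishes that krb5 1.12.3 already contains those fixes. The two deleted `files/` patches state `version_fixed: 1.12.3` in their own headers, but the advisory patch has no equivalent marker here, so this should be confirmed against the upstream 1.12.3 release notes and recorded in the commit log. With PATCHFILES gone, `PATCH_SITES` and `PATCH_DIST_STRIP= -p2` are left without effect; removing them in the same change keeps a later PATCHFILES addition from silently inheriting the `-p2` strip level.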
@@ -1,4 +1,4 @@
-SHA256 (krb5-1.12.2-signed.tar) = 09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744
-SIZE (krb5-1.12.2-signed.tar) = 11991040
+SHA256 (krb5-1.12.3-signed.tar) = 091715da49f6aa72b98c9659229351b4b168fb96f84caa18228aaf7632db3483
+SIZE (krb5-1.12.3-signed.tar) = 12001280
 SHA256 (2015-001-patch-r112.txt) = 75d1d070293fef7faa2c5ffbe8de4afaefb95449564e7dd5da458588ba637449
 SIZE (2015-001-patch-r112.txt) = 12130
Index: head/security/krb5-112/files/patch-lib-apputils-net-server.c
===================================================================
--- head/security/krb5-112/files/patch-lib-apputils-net-server.c (revision 379531)
+++ head/security/krb5-112/files/patch-lib-apputils-net-server.c (nonexistent)
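Review bot: The `SHA256`/`SIZE` lines for `2015-001-patch-r112.txt` stay in distinfo as context even though the Makefile hunk removes that file from PATCHFILES, so distinfo now lists a distfile the port no longer references; regenerating it with `make makesum` would drop them. Separately, the tarball is fetched from an `http://` MASTER_SITES and the port's post-extract deletes the bundled `.tar.gz.asc` without checking it, so the new SHA256 appears to be the only integrity check on `krb5-1.12.3-signed.tar`. It should be recorded from a copy whose upstream signature was verified out of band.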
@@ -1,15 +0,0 @@
---- lib/apputils/net-server.c.orig 2014-08-11 15:46:27.000000000 -0700
-+++ lib/apputils/net-server.c 2014-08-13 05:33:48.913580280 -0700
-@@ -992,8 +992,12 @@
- case RTM_NEWADDR: return "RTM_NEWADDR";
- case RTM_DELADDR: return "RTM_DELADDR";
- case RTM_IFINFO: return "RTM_IFINFO";
-+#ifdef RTM_OLDADD
- case RTM_OLDADD: return "RTM_OLDADD";
-+#endif
-+#ifdef RTM_OLDDEL
- case RTM_OLDDEL: return "RTM_OLDDEL";
-+#endif
- case RTM_RESOLVE: return "RTM_RESOLVE";
- #ifdef RTM_NEWMADDR
- case RTM_NEWMADDR: return "RTM_NEWMADDR";
Property changes on: head/security/krb5-112/files/patch-lib-apputils-net-server.c
___________________________________________________________________
Deleted: fbsd:nokeywords
## -1 +0,0 ##
-yes
\ No newline at end of property
Deleted: svn:eol-style
## -1 +0,0 ##
-native
\ No newline at end of property
Deleted: svn:mime-type
## -1 +0,0 ##
-text/plain
\ No newline at end of property
Index: head/security/krb5-112/files/patch-plugins__kdb__ldap__libkdb_ldap__ldap_principal2.c
===================================================================
--- head/security/krb5-112/files/patch-plugins__kdb__ldap__libkdb_ldap__ldap_principal2.c (revision 379531)
+++ head/security/krb5-112/files/patch-plugins__kdb__ldap__libkdb_ldap__ldap_principal2.c (nonexistent)
@@ -1,115 +0,0 @@ -From 46a2d16a5006d61e98a971a8148d2a9574a35bc0 Mon Sep 17 00:00:00 2001 -From: Ben Kaduk -Date: Wed, 19 Nov 2014 12:04:46 -0500 -Subject: [PATCH] Support keyless principals in LDAP [CVE-2014-5354] - -Operations like "kadmin -q 'addprinc -nokey foo'" or -"kadmin -q 'purgekeys -all foo'" result in principal entries with -no keys present, so krb5_encode_krbsecretkey() would just return -NULL, which then got unconditionally dereferenced in -krb5_add_ber_mem_ldap_mod(). - -Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key -principals better, correct the test for an allocation failure, and -slightly restructure the cleanup handler to be shorter and more -appropriate for the usage. Once it no longer short-circuits when -n_key_data is zero, it will produce an array of length two with both -entries NULL, which is treated as an empty list by the LDAP library, -the correct behavior for a keyless principal. - -However, attributes with empty values are only handled by the LDAP -library for Modify operations, not Add operations (which only get -a sequence of Attribute, with no operation field). Therefore, only -add an empty krbprincipalkey to the modlist when we will be performing a -Modify, and not when we will be performing an Add, which is conditional -on the (misspelled) create_standalone_prinicipal boolean. - -CVE-2014-5354: - -In MIT krb5, when kadmind is configured to use LDAP for the KDC -database, an authenticated remote attacker can cause a NULL -dereference by inserting into the database a principal entry which -contains no long-term keys. - -In order for the LDAP KDC backend to translate a principal entry -from the database abstraction layer into the form expected by the -LDAP schema, the principal's keys are encoded into a -NULL-terminated array of length-value entries to be stored in the -LDAP database. 
However, the subroutine which produced this array -did not correctly handle the case where no keys were present, -returning NULL instead of an empty array, and the array was -unconditionally dereferenced while adding to the list of LDAP -operations to perform. - -Versions of MIT krb5 prior to 1.12 did not expose a way for -principal entries to have no long-term key material, and -therefore are not vulnerable. - - CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C - -(cherry picked from commit 04038bf3633c4b909b5ded3072dc88c8c419bf16) - -ticket: 8138 (new) -version_fixed: 1.12.3 -subject: kadmind with ldap backend crashes when putting keyless entries [CVE-2014-5354] -status: resolved ---- - src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 25 +++++++++++++++------- - 1 file changed, 17 insertions(+), 8 deletions(-) - -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -index 111b554..b51bebc 100644 ---- plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -+++ plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -@@ -413,14 +413,14 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data, - int num_versions = 1; - int i, j, last; - krb5_error_code err = 0; -- krb5_key_data *key_data; -+ krb5_key_data *key_data = NULL; - -- if (n_key_data <= 0) -+ if (n_key_data < 0) - return NULL; - - /* Make a shallow copy of the key data so we can alter it. 
*/ - key_data = k5calloc(n_key_data, sizeof(*key_data), &err); -- if (key_data_in == NULL) -+ if (key_data == NULL) - goto cleanup; - memcpy(key_data, key_data_in, n_key_data * sizeof(*key_data)); - -@@ -474,9 +474,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data, - free(key_data); - if (err != 0) { - if (ret != NULL) { -- for (i = 0; i <= num_versions; i++) -- if (ret[i] != NULL) -- free (ret[i]); -+ for (i = 0; ret[i] != NULL; i++) -+ free (ret[i]); - free (ret); - ret = NULL; - } -@@ -1046,9 +1045,19 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, - bersecretkey = krb5_encode_krbsecretkey (entry->key_data, - entry->n_key_data, mkvno); - -- if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", -- LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0) -+ if (bersecretkey == NULL) { -+ st = ENOMEM; - goto cleanup; -+ } -+ /* An empty list of bervals is only accepted for modify operations, -+ * not add operations. */ -+ if (bersecretkey[0] != NULL || !create_standalone_prinicipal) { -+ st = krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", -+ LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, -+ bersecretkey); -+ if (st != 0) -+ goto cleanup; -+ } - - if (!(entry->mask & KADM5_PRINCIPAL)) { - memset(strval, 0, sizeof(strval)); Property changes on: head/security/krb5-112/files/patch-plugins__kdb__ldap__libkdb_ldap__ldap_principal2.c ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/krb5-112/files/patch-plugins__kdb__ldap__libkdb_ldap__ldap_pwd_policy.c =================================================================== --- head/security/krb5-112/files/patch-plugins__kdb__ldap__libkdb_ldap__ldap_pwd_policy.c (revision 379531) +++ 
head/security/krb5-112/files/patch-plugins__kdb__ldap__libkdb_ldap__ldap_pwd_policy.c (nonexistent) 
@@ -1,65 +0,0 @@ -From 0a97ce4411b34e871ae503b78eedf61db27180ea Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Fri, 5 Dec 2014 14:01:39 -0500 -Subject: [PATCH] Fix LDAP misused policy name crash [CVE-2014-5353] - -In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns -successfully with no results, return KRB5_KDB_NOENTRY instead of -returning success with a zeroed-out policy object. This fixes a null -dereference when an admin attempts to use an LDAP ticket policy name -as a password policy name. - -CVE-2014-5353: - -In MIT krb5, when kadmind is configured to use LDAP for the KDC -database, an authenticated remote attacker can cause a NULL dereference -by attempting to use a named ticket policy object as a password policy -for a principal. The attacker needs to be authenticated as a user who -has the elevated privilege for setting password policy by adding or -modifying principals. - -Queries to LDAP scoped to the krbPwdPolicy object class will correctly -not return entries of other classes, such as ticket policy objects, but -may return success with no returned elements if an object with the -requested DN exists in a different object class. In this case, the -routine to retrieve a password policy returned success with a password -policy object that consisted entirely of zeroed memory. In particular, -accesses to the policy name will dereference a NULL pointer. KDC -operation does not access the policy name field, but most kadmin -operations involving the principal with incorrect password policy -will trigger the crash. - -Thanks to Patrik Kis for reporting this problem. 
- -CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C - -[kaduk@mit.edu: CVE description and CVSS score] - -(cherry picked from commit d1f707024f1d0af6e54a18885322d70fa15ec4d3) - -ticket: 8137 (new) -version_fixed: 1.12.3 -status: resolved ---- - src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c -index 522773e..6779f51 100644 ---- plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c -+++ plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c -@@ -314,10 +314,11 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name, - LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes); - - ent=ldap_first_entry(ld, result); -- if (ent != NULL) { -- if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0) -- goto cleanup; -+ if (ent == NULL) { -+ st = KRB5_KDB_NOENTRY; -+ goto cleanup; - } -+ st = populate_policy(context, ld, ent, pol_name, *policy); - - cleanup: - ldap_msgfree(result); Property changes on: head/security/krb5-112/files/patch-plugins__kdb__ldap__libkdb_ldap__ldap_pwd_policy.c ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property