Index: branches/2017Q2/security/heimdal/Makefile
===================================================================
--- branches/2017Q2/security/heimdal/Makefile (revision 443016)
+++ branches/2017Q2/security/heimdal/Makefile (revision 443017)
@@ -1,124 +1,124 @@
 # Created by: nectar@FreeBSD.org # $FreeBSD$ PORTNAME= heimdal PORTVERSION= 7.1.0
-PORTREVISION= 2
+PORTREVISION= 3
 CATEGORIES= security ipv6 MASTER_SITES= http://www.h5l.org/dist/src/ \ http://ftp.pdc.kth.se/pub/heimdal/src/ \ ftp://ftp.pdc.kth.se/pub/heimdal/src/ \ ftp://ftp.sunet.se/pub/unix/admin/mirror-pdc/heimdal/src/ MAINTAINER= hrs@FreeBSD.org COMMENT= Popular BSD-licensed implementation of Kerberos 5 LICENSE= BSD3CLAUSE LICENSE_FILE= ${WRKSRC}/LICENSE CONFLICTS= krb4-[0-9]* krb5-[0-9]* krb5-maint-[0-9]* srp-[0-9]* \ wu-ftpd-[0-9]* wu-ftpd+ipv6-[0-9]* USES= gettext-runtime gssapi:bootstrap,heimdal libtool pathfix \ pkgconfig readline makeinfo ssl USE_LDCONFIG= ${GSSAPILIBDIR} GNU_CONFIGURE= yes CONFIGURE_ENV= ac_cv_header_fnmatch_h=yes \ ac_cv_header_db_h=no \ ac_cv_header_db3_db_h=no \ ac_cv_header_db4_db_h=no \ ac_cv_header_db5_db_h=no \ ac_cv_header_db5_h=no \ ac_cv_prog_COMPILE_ET=${WRKSRC}/lib/com_err/compile_et CONFIGURE_ARGS= --with-berkeley-db \ --with-libintl \ --with-libintl-include="${LOCALBASE}/include" \ --with-libintl-lib="${LOCALBASE}/lib" \ --libdir="${GSSAPILIBDIR}" \ --includedir="${GSSAPIINCDIR}" \ --with-kcm \ --with-openssl \ --with-openssl-include="${OPENSSLINC}" \ --with-openssl-lib="${OPENSSLLIB}" \ --enable-otp \ --enable-pthread-support \ --with-readline="${LOCALBASE}" \ --with-hdbdir="/var/${PORTNAME}" \ --sysconfdir="${PREFIX}/etc" # XXX --with-readline picks up libreadline even if found in /usr/lib.
MAKE_ENV= INSTALL_CATPAGES=no INSTALL_TARGET= install-strip .if !exists(/etc/rc.d/ipropd_master) USE_RC_SUBR= ipropd_master ipropd_slave .endif INFO= heimdal hx509 MAKE_JOBS_UNSAFE= yes OPTIONS_DEFINE= IPV6 BDB LMDB SQLITE LDAP PKINIT DIGEST KX509 CRACKLIB OPTIONS_DEFAULT= BDB PKINIT DIGEST KX509 OPTIONS_SUB= yes IPV6_CONFIGURE_WITH= ipv6 BDB_DESC= Enable BerkeleyDB KDC backend support BDB_USES= bdb:5 localbase BDB_CONFIGURE_ENV= ac_cv_header_db${BDB_VER}_db_h=yes \ ac_cv_func_db_create=yes \ ac_cv_funclib_db_create="-l${BDB_LIB_NAME}" BDB_CONFIGURE_ON= --disable-ndbm-db BDB_CONFIGURE_ENV_OFF= ac_cv_header_db_h=yes \ ac_cv_func_db_create=no \ ac_cv_funclib_db_create=no BDB_CONFIGURE_OFF= --enable-ndbm-db LMDB_DESC= Enable LMDB KDC backend support LMDB_CONFIGURE_ENABLE= mdb_db LMDB_LIB_DEPENDS= liblmdb.so:databases/lmdb SQLITE_DESC= Enable SQLite KDC backend support SQLITE_USES= sqlite SQLITE_CONFIGURE_ON= --with-sqlite3-include="${LOCALBASE}/include" \ --with-sqlite3-lib="${LOCALBASE}/lib" SQLITE_CONFIGURE_WITH= sqlite3 LDAP_DESC= Enable OpenLDAP KDC backend support LDAP_USE= OPENLDAP=yes LDAP_CONFIGURE_ON= --with-openldap-include="${LOCALBASE}/include" \ --with-openldap-lib="${LOCALBASE}/lib" LDAP_CONFIGURE_WITH= openldap PKINIT_DESC= Enable PK-INIT support PKINIT_CONFIGURE_ENABLE=pk-init DIGEST_DESC= Enable DIGEST support DIGEST_CONFIGURE_ENABLE=digest KX509_DESC= Enable kx509 support KX509_CONFIGURE_ENABLE= kx509 CRACKLIB_DESC= Use CrackLib for password quality checking CRACKLIB_LIB_DEPENDS= libcrack.so:security/cracklib .include .if ${PORT_OPTIONS:MLDAP} WANT_OPENLDAP_SASL?= yes .endif post-extract: @${MKDIR} ${WRKSRC}/kpasswdd-cracklib ${INSTALL_DATA} ${FILESDIR}/kpasswdd-cracklib.c \ ${WRKSRC}/kpasswdd-cracklib ${INSTALL_DATA} ${FILESDIR}/kpasswdd-Makefile \ ${WRKSRC}/kpasswdd-cracklib/Makefile post-build-CRACKLIB-on: cd ${WRKSRC}/kpasswdd-cracklib && \ ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_ARGS} ${BUILD_TARGET} post-install-CRACKLIB-on: cd 
${WRKSRC}/kpasswdd-cracklib && \ ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_ARGS} ${INSTALL_TARGET} .include
Index: branches/2017Q2/security/heimdal/files/patch-CVE-2017-6594
===================================================================
--- branches/2017Q2/security/heimdal/files/patch-CVE-2017-6594 (nonexistent)
+++ branches/2017Q2/security/heimdal/files/patch-CVE-2017-6594 (revision 443017)
@@ -0,0 +1,168 @@
+diff -ru NEWS NEWS
+--- NEWS 2016-11-29 01:35:27.000000000 +0000
++++ NEWS 2017-06-03 15:23:36.264325000 +0000
+@@ -1,4 +1,18 @@
+-Release Notes - Heimdal - Version Heimdal 1.6
++Release Notes - Heimdal - Version Heimdal 7.1.0,2 (FreeBSD port)
++
++ Security
++
++ - Fix transit path validation. Commit f469fc6 (2010-10-02) inadvertently
++ caused the previous hop realm to not be added to the transit path
++ of issued tickets. This may, in some cases, enable bypass of capath
++ policy in Heimdal versions 1.5 through 7.2.
++
++ Note, this may break sites that rely on the bug. With the bug some
++ incomplete [capaths] worked, that should not have. These may now break
++ authentication in some cross-realm configurations.
++ (CVE-2017-6594)
++
++Release Notes - Heimdal - Version Heimdal 7.1
+
+ Security
+ - ...
+diff -ru kdc/krb5tgs.c kdc/krb5tgs.c
+--- kdc/krb5tgs.c 2016-11-29 01:35:27.000000000 +0000
++++ kdc/krb5tgs.c 2017-06-03 15:23:36.271738000 +0000
+@@ -655,8 +655,12 @@
+ "Decoding transited encoding");
+ return ret;
+ }
++
++ /*
++ * If the realm of the presented tgt is neither the client nor the server
++ * realm, it is a transit realm and must be added to transited set.
++ */
+ if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
+- /* not us, so add the previous realm to transited set */
+ if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
+ ret = ERANGE;
+ goto free_realms;
+@@ -737,6 +741,7 @@
+ const char *server_name,
+ hdb_entry_ex *client,
+ krb5_principal client_principal,
++ const char *tgt_realm,
+ hdb_entry_ex *krbtgt,
+ krb5_enctype krbtgt_etype,
+ krb5_principals spp,
+@@ -798,7 +803,7 @@
+ &tgt->transited, &et,
+ krb5_principal_get_realm(context, client_principal),
+ krb5_principal_get_realm(context, server->entry.principal),
+- krb5_principal_get_realm(context, krbtgt->entry.principal));
++ tgt_realm);
+ if(ret)
+ goto out;
+
+@@ -1519,6 +1524,8 @@
+ krb5_keyblock sessionkey;
+ krb5_kvno kvno;
+ krb5_data rspac;
++ const char *tgt_realm = /* Realm of TGT issuer */
++ krb5_principal_get_realm(context, krbtgt->entry.principal);
+ const char *our_realm = /* Realm of this KDC */
+ krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1);
+ char **capath = NULL;
+@@ -2324,6 +2331,7 @@
+ spn,
+ client,
+ cp,
++ tgt_realm,
+ krbtgt_out,
+ tkey_sign->key.keytype,
+ spp,
+diff -ru tests/kdc/check-kdc.in tests/kdc/check-kdc.in
+--- tests/kdc/check-kdc.in 2016-12-14 18:01:18.000000000 +0000
++++ tests/kdc/check-kdc.in 2017-06-03 15:23:36.276571000 +0000
+@@ -53,6 +53,7 @@
+ R5=SOME-REALM5.FR
+ R6=SOME-REALM6.US
+ R7=SOME-REALM7.UK
++R8=SOME-REALM8.UK
+
+ H1=H1.$R
+ H2=H2.$R
+@@ -152,6 +153,12 @@
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
++ ${R8} || exit 1
++
++${kadmin} \
++ init \
++ --realm-max-ticket-life=1day \
++ --realm-max-renewable-life=1month \
+ ${H1} || exit 1
+
+ ${kadmin} \
+@@ -191,6 +198,7 @@
+ ${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${R6} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${R7} || exit 1
++${kadmin} add -p foo --use-defaults foo@${R8} || exit 1
+ ${kadmin} add -p foo
--use-defaults foo@${H1} || exit 1
+ ${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${H2} || exit 1
+@@ -249,6 +257,9 @@
+ ${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} || exit 1
+ ${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} || exit 1
+
++${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} || exit 1
++${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} || exit 1
++
+ ${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} || exit 1
+ ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} || exit 1
+
+@@ -284,6 +295,7 @@
+ ${kadmin5} check ${R5} || exit 1
+ ${kadmin} check ${R6} || exit 1
+ ${kadmin} check ${R7} || exit 1
++${kadmin} check ${R8} || exit 1
+ ${kadmin} check ${H1} || exit 1
+ ${kadmin} check ${H2} || exit 1
+ ${kadmin} check ${H3} || exit 1
+@@ -388,6 +400,8 @@
+ ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with capaths for $R -> $R7"
+ ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
++echo "Should not get x-realm tickets with capaths for $R -> $R8"
++${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+
+ echo "Testing capaths logic (reverse order)"
+@@ -418,10 +432,13 @@
+
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1"
+ ${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${H1} via [${H2}, ${R}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $R"
+ ${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${R} via [${H2}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2"
+ ${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval
"${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${H2}" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+
+ echo "Testing multi-hop [capaths] referral logic"
+diff -ru tests/kdc/krb5.conf.in tests/kdc/krb5.conf.in
+--- tests/kdc/krb5.conf.in 2016-11-29 01:35:28.000000000 +0000
++++ tests/kdc/krb5.conf.in 2017-06-03 15:23:36.278848000 +0000
+@@ -40,6 +40,9 @@
+ SOME-REALM7.UK = {
+ kdc = localhost:@port@
+ }
++ SOME-REALM8.UK = {
++ kdc = localhost:@port@
++ }
+ TEST-HTTP.H5L.SE = {
+ kdc = http/localhost:@port@
+ }
+@@ -147,6 +150,7 @@
+ SOME-REALM6.US = SOME-REALM5.FR
+ SOME-REALM7.UK = SOME-REALM6.US
+ SOME-REALM7.UK = SOME-REALM5.FR
++ SOME-REALM8.UK = SOME-REALM6.US
+ }
+ H4.H2.TEST.H5L.SE = {
+ H1.TEST.H5L.SE = H3.H2.TEST.H5L.SE
Property changes on: branches/2017Q2/security/heimdal/files/patch-CVE-2017-6594
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2017Q2
===================================================================
--- branches/2017Q2 (revision 443016)
+++ branches/2017Q2 (revision 443017)
Property changes on: branches/2017Q2
___________________________________________________________________
Modified: svn:mergeinfo
## -0,0 +0,1 ##
Merged /head:r443016
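Review bot: The new negative case in tests/kdc/check-kdc.in, `${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }`, treats any kgetcred failure as a pass, so a typo in the new SOME-REALM8.UK stanza of tests/kdc/krb5.conf.in or a KDC that never came up would be indistinguishable from the capath rejection the fix is meant to produce. The positive hierarchical-referral cases added a few lines further down pin the path taken with `fgrep "cross-realm ..." messages.log`; the rejection case should likewise grep messages.log for the KDC's corresponding transit/capath denial line, so the test demonstrates the fix rather than merely a failure. Separately, the replaced first line of NEWS labels the build `Heimdal 7.1.0,2 (FreeBSD port)` while the Makefile hunk in this same commit moves PORTREVISION to 3; if that suffix is meant to track the port revision it is already stale, worth confirming. The hunk is an entire new file, so no enclosing definition is cut.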