[pkgsrc/pkgsrc-2007Q1]: pkgsrc/security/sudo Pullup ticket 2121, 2122 - reque...

[ghen <ghen%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/31cd3de26dd3
branches:  pkgsrc-2007Q1
changeset: 527436:31cd3de26dd3
user:      ghen <ghen%pkgsrc.org@localhost>
date:      Tue Jun 26 11:59:28 2007 +0000

description:
Pullup ticket 2121, 2122 - requested by tls
security fix for sudo

- pkgsrc/security/sudo/Makefile                         1.90
- pkgsrc/security/sudo/distinfo                         1.35
- pkgsrc/security/sudo/patches/patch-ah                 1.5
- pkgsrc/security/sudo/patches/patch-ai                 1.1

   Module Name: pkgsrc
   Committed By:        tls
   Date:                Mon Jun 25 09:53:42 UTC 2007

   Modified Files:
           pkgsrc/security/sudo: Makefile distinfo
           pkgsrc/security/sudo/patches: patch-ah

   Log Message:
   Fix privilege-escalation vulnerability with PKG_OPTIONS.sudo=kerberos:
   cleanse environment of variables that alter behavior of Kerberos library
   so the user can't override the default keytab location, and do *not*
   ignore missing keytab errors.  Prevents root compromise via spoofed KDC
   on systems with Kerberos libraries but no host key in keytab, no keytab,
   or keytab overidden via environment.

   Don't insist that the keytab key be DES -- some Kerberos sites are 3DES/AES
   only.

   Somewhat less invasive than the fix Todd incorporated into the 1.6.9 branch
   of sudo (presently beta) but equivalent (though not as clean).
---
   Module Name: pkgsrc
   Committed By:        tls
   Date:                Mon Jun 25 23:53:28 UTC 2007

   Added Files:
           pkgsrc/security/sudo/patches: patch-ai

   Log Message:
   Add file omitted from previous commit.

diffstat:

 security/sudo/Makefile         |   4 ++--
 security/sudo/distinfo         |   5 +++--
 security/sudo/patches/patch-ah |  27 +++++++++++++++++++++++----
 security/sudo/patches/patch-ai |  21 +++++++++++++++++++++
 4 files changed, 49 insertions(+), 8 deletions(-)

diffs (91 lines):

diff -r bf49db7f880f -r 31cd3de26dd3 security/sudo/Makefile
--- a/security/sudo/Makefile    Mon Jun 25 18:17:49 2007 +0000
+++ b/security/sudo/Makefile    Tue Jun 26 11:59:28 2007 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.89 2007/03/13 09:46:00 rillig Exp $
+# $NetBSD: Makefile,v 1.89.2.1 2007/06/26 11:59:28 ghen Exp $
 #
 
 DISTNAME=              sudo-1.6.8p12
 PKGNAME=               sudo-1.6.8pl12
-PKGREVISION=           3
+PKGREVISION=           4
 CATEGORIES=            security
 MASTER_SITES=          http://www.courtesan.com/sudo/dist/ \
                        ftp://ftp.courtesan.com/pub/sudo/ \
diff -r bf49db7f880f -r 31cd3de26dd3 security/sudo/distinfo
--- a/security/sudo/distinfo    Mon Jun 25 18:17:49 2007 +0000
+++ b/security/sudo/distinfo    Tue Jun 26 11:59:28 2007 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.34 2006/01/15 11:32:06 adrianp Exp $
+$NetBSD: distinfo,v 1.34.10.1 2007/06/26 11:59:28 ghen Exp $
 
 SHA1 (sudo-1.6.8p12.tar.gz) = a79631e9e1c0d0d3f2aa88ae685628e5fde61982
 RMD160 (sudo-1.6.8p12.tar.gz) = d7ff9f18ca0973615258c2e975300b94567451d5
@@ -6,4 +6,5 @@
 SHA1 (patch-aa) = a4f29f2c228eb3b4af0872cf04a00ffdf41c603c
 SHA1 (patch-af) = 245761812dc600b3d2752fa135ba367bb0223370
 SHA1 (patch-ag) = 87c3263674ec98ccc9cc33f2108a2456eddaecc5
-SHA1 (patch-ah) = 3ca7f39f5a882c5a340a053ddd925ebdaef48df5
+SHA1 (patch-ah) = 142a8884aebdc1cffc256c3ca0ee9addc34f8054
+SHA1 (patch-ai) = 2523a87dc8af7d09573569c7b3e7068d8d927097
diff -r bf49db7f880f -r 31cd3de26dd3 security/sudo/patches/patch-ah
--- a/security/sudo/patches/patch-ah    Mon Jun 25 18:17:49 2007 +0000
+++ b/security/sudo/patches/patch-ah    Tue Jun 26 11:59:28 2007 +0000
@@ -1,8 +1,27 @@
-$NetBSD: patch-ah,v 1.4 2006/01/15 11:32:07 adrianp Exp $
+$NetBSD: patch-ah,v 1.4.10.1 2007/06/26 11:59:28 ghen Exp $
 
---- env.c.orig 2005-11-08 18:21:33.000000000 +0000
-+++ env.c
-@@ -130,6 +130,7 @@ static const char *initial_badenv_table[
+--- env.c.orig 2005-11-08 13:21:33.000000000 -0500
++++ env.c      2007-06-25 04:44:24.000000000 -0400
+@@ -105,14 +105,14 @@
+ #ifdef __APPLE__
+     "DYLD_*",
+ #endif
+-#ifdef HAVE_KERB4
++#if defined(HAVE_KERB4) || defined(HAVE_KERB5)
+     "KRB_CONF*",
+     "KRBCONFDIR",
+     "KRBTKFILE",
+-#endif /* HAVE_KERB4 */
+-#ifdef HAVE_KERB5
+     "KRB5_CONFIG*",
+-#endif /* HAVE_KERB5 */
++    "KRB5_KTNAME",
++    "KRB5CCNAME",
++#endif /* HAVE_KERB4 || HAVE_KERB5 */
+ #ifdef HAVE_SECURID
+     "VAR_ACE",
+     "USR_ACE",
+@@ -130,6 +130,7 @@
      "PERLLIB",
      "PERL5LIB",
      "PERL5OPT",
diff -r bf49db7f880f -r 31cd3de26dd3 security/sudo/patches/patch-ai
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/sudo/patches/patch-ai    Tue Jun 26 11:59:28 2007 +0000
@@ -0,0 +1,21 @@
+$NetBSD: patch-ai,v 1.1.2.2 2007/06/26 11:59:28 ghen Exp $
+
+--- auth/kerb5.c.orig  2005-03-29 23:38:36.000000000 -0500
++++ auth/kerb5.c       2007-06-25 04:51:20.000000000 -0400
+@@ -57,7 +57,7 @@
+ #ifdef HAVE_HEIMDAL
+ # define extract_name(c, p)           krb5_principal_get_comp_string(c, p, 1)
+ # define krb5_free_data_contents(c, d)        krb5_data_free(d)
+-# define ENCTYPE_DES_CBC_MD5          ETYPE_DES_CBC_MD5       /* XXX */
++# define ENCTYPE_DES_CBC_MD5          0               /* 0 is wildcard */
+ #else
+ # define extract_name(c, p)           (krb5_princ_component(c, p, 1)->data)
+ #endif
+@@ -274,7 +274,6 @@
+       log_error(NO_EXIT,
+                 "%s: host service key not found: %s", auth_name,
+                 error_message(error));
+-      error = 0;
+       goto cleanup;
+     }
+     if (keyblock)