[pkgsrc/trunk]: pkgsrc/security/mit-krb5 mit-krb5: update to 1.14.6

[tez <tez%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/93369a0f029f
branches:  trunk
changeset: 370062:93369a0f029f
user:      tez <tez%pkgsrc.org@localhost>
date:      Tue Oct 10 21:22:53 2017 +0000

description:
mit-krb5: update to 1.14.6

Major changes in 1.14.6 (2017-09-25)

This is a bug fix release.

    Fix a KDC denial of service vulnerability caused by unset status strings [CVE-2017-11368]
    Preserve GSS contexts on init/accept failure [CVE-2017-11462]
    Fix kadm5 setkey operation with LDAP KDB module
    Use a ten-second timeout after successful connection for HTTPS KDC requests, as we do for TCP requests
    Fix client null dereference when KDC offers encrypted challenge without FAST

diffstat:

 security/mit-krb5/Makefile                     |   5 +-
 security/mit-krb5/distinfo                     |  10 +-
 security/mit-krb5/patches/patch-CVE-2017-11368 |  79 --------------------------
 3 files changed, 7 insertions(+), 87 deletions(-)

diffs (115 lines):

diff -r ce131f39af1e -r 93369a0f029f security/mit-krb5/Makefile
--- a/security/mit-krb5/Makefile        Tue Oct 10 19:49:04 2017 +0000
+++ b/security/mit-krb5/Makefile        Tue Oct 10 21:22:53 2017 +0000
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.94 2017/08/21 22:19:26 tez Exp $
+# $NetBSD: Makefile,v 1.95 2017/10/10 21:22:53 tez Exp $
 
-DISTNAME=      krb5-1.14.5
+DISTNAME=      krb5-1.14.6
 PKGNAME=       mit-${DISTNAME}
-PKGREVISION=   1
 CATEGORIES=    security
 MASTER_SITES=  http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV:R}/
 EXTRACT_SUFX=  .tar.gz
diff -r ce131f39af1e -r 93369a0f029f security/mit-krb5/distinfo
--- a/security/mit-krb5/distinfo        Tue Oct 10 19:49:04 2017 +0000
+++ b/security/mit-krb5/distinfo        Tue Oct 10 21:22:53 2017 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.61 2017/08/21 22:19:26 tez Exp $
+$NetBSD: distinfo,v 1.62 2017/10/10 21:22:53 tez Exp $
 
-SHA1 (krb5-1.14.5.tar.gz) = 3b8d8c4a09350f8807a8e6eb9971617755a4521f
-RMD160 (krb5-1.14.5.tar.gz) = 673087853a1ce9551d69516e01fbfd888feff717
-SHA512 (krb5-1.14.5.tar.gz) = 2484f9581b5e0b99cc49ba7f8770ea3a8751e756c98cc552d92ca223575eac58f6f1a9c268254ead4435d2d49b50ccf3181eb7bdbd56874c43f91bcfc2a66d3b
-Size (krb5-1.14.5.tar.gz) = 12322802 bytes
+SHA1 (krb5-1.14.6.tar.gz) = ea7928a3368ae6d8ecf29a70f70598091f226740
+RMD160 (krb5-1.14.6.tar.gz) = 7e9f8192845d11108a3c48dd707d7d4bc5dd0a29
+SHA512 (krb5-1.14.6.tar.gz) = 8a88193e40aa60bb10dc57028a7c83aaac48cfded5d369b9f5383851854f1ea3df3587f7bce8b22d4e5cf2ce5825eb37c8d85684abad29da04db34e8f7962ca7
+Size (krb5-1.14.6.tar.gz) = 12326355 bytes
 SHA1 (patch-CVE-2017-11368) = 91551099d48690c051ada72889bc645706775eb1
 SHA1 (patch-Makefile.in) = 11ead9de708f4da99233b66df2cf906b156faa87
 SHA1 (patch-aa) = 941848a1773dfbe51dff3134d4b8504a850a958d
diff -r ce131f39af1e -r 93369a0f029f security/mit-krb5/patches/patch-CVE-2017-11368
--- a/security/mit-krb5/patches/patch-CVE-2017-11368    Tue Oct 10 19:49:04 2017 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,79 +0,0 @@
-$NetBSD: patch-CVE-2017-11368,v 1.1 2017/08/21 22:19:26 tez Exp $
-
-Patch for CVE-2017-11368 from:
-https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970.diff
-
-
-diff --git kdc/do_as_req.c b/src/kdc/do_as_req.c
-index 2d3ad134d0..9b256c8764 100644
---- kdc/do_as_req.c
-+++ kdc/do_as_req.c
-@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
-     did_log = 1;
- 
- egress:
--    if (errcode != 0)
--        assert (state->status != 0);
-+    if (errcode != 0 && state->status == NULL)
-+        state->status = "UNKNOWN_REASON";
- 
-     au_state->status = state->status;
-     au_state->reply = &state->reply;
-diff --git kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index cdc79ad2f1..d8d67199b9 100644
---- kdc/do_tgs_req.c
-+++ kdc/do_tgs_req.c
-@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
-     free(reply.enc_part.ciphertext.data);
- 
- cleanup:
--    assert(status != NULL);
-+    if (status == NULL)
-+        status = "UNKNOWN_REASON";
-     if (reply_key)
-         krb5_free_keyblock(kdc_context, reply_key);
-     if (errcode)
-diff --git kdc/kdc_util.c b/src/kdc/kdc_util.c
-index 778a629e52..b710aefe4c 100644
---- kdc/kdc_util.c
-+++ kdc/kdc_util.c
-@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
-     req_data.data = (char *)pa_data->contents;
- 
-     code = decode_krb5_pa_for_user(&req_data, &for_user);
--    if (code)
-+    if (code) {
-+        *status = "DECODE_PA_FOR_USER";
-         return code;
-+    }
- 
-     code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
-     if (code) {
-@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
-     req_data.data = (char *)pa_data->contents;
- 
-     code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
--    if (code)
-+    if (code) {
-+        *status = "DECODE_PA_S4U_X509_USER";
-         return code;
-+    }
- 
-     code = verify_s4u_x509_user_checksum(context,
-                                          tgs_subkey ? tgs_subkey :
-@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
-      * that is validated previously in validate_tgs_request().
-      */
-     if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
-+        *status = "INVALID_S4U2PROXY_OPTIONS";
-         return KRB5KDC_ERR_BADOPTION;
-     }
- 
-@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
-     if (!krb5_principal_compare(kdc_context,
-                                 server->princ, /* after canon */
-                                 server_princ)) {
-+        *status = "EVIDENCE_TICKET_MISMATCH";
-         return KRB5KDC_ERR_SERVER_NOMATCH;
-     }
-