[pkgsrc/trunk]: pkgsrc/security/mit-krb5 Update to 1.14.5 and patch for CVE-2...

[tez <tez%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/500e2c83ee72
branches:  trunk
changeset: 367012:500e2c83ee72
user:      tez <tez%pkgsrc.org@localhost>
date:      Mon Aug 21 22:19:26 2017 +0000

description:
Update to 1.14.5 and patch for CVE-2017-11368

diffstat:

 security/mit-krb5/Makefile                     |   5 +-
 security/mit-krb5/distinfo                     |  11 +-
 security/mit-krb5/patches/patch-CVE-2017-11368 |  79 ++++++++++++++++++++++++++
 3 files changed, 88 insertions(+), 7 deletions(-)

diffs (116 lines):

diff -r 9c1b51199414 -r 500e2c83ee72 security/mit-krb5/Makefile
--- a/security/mit-krb5/Makefile        Mon Aug 21 18:49:39 2017 +0000
+++ b/security/mit-krb5/Makefile        Mon Aug 21 22:19:26 2017 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.93 2016/10/28 20:56:14 tez Exp $
+# $NetBSD: Makefile,v 1.94 2017/08/21 22:19:26 tez Exp $
 
-DISTNAME=      krb5-1.14.4
+DISTNAME=      krb5-1.14.5
 PKGNAME=       mit-${DISTNAME}
+PKGREVISION=   1
 CATEGORIES=    security
 MASTER_SITES=  http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV:R}/
 EXTRACT_SUFX=  .tar.gz
diff -r 9c1b51199414 -r 500e2c83ee72 security/mit-krb5/distinfo
--- a/security/mit-krb5/distinfo        Mon Aug 21 18:49:39 2017 +0000
+++ b/security/mit-krb5/distinfo        Mon Aug 21 22:19:26 2017 +0000
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.60 2016/10/28 20:56:14 tez Exp $
+$NetBSD: distinfo,v 1.61 2017/08/21 22:19:26 tez Exp $
 
-SHA1 (krb5-1.14.4.tar.gz) = b5b4a940934a5b708fbf30a1a1121439df6d5853
-RMD160 (krb5-1.14.4.tar.gz) = 12d788cca175bcf20e8497d30698a3244a7a6983
-SHA512 (krb5-1.14.4.tar.gz) = 5eb16b909d69143bfa8b2a7ba4c0deb74408462a5ec1241e97f37e30d29e259767be91a4533119e2c5e92d1fcbcab97038b2e45ad3361b5a61c3dc562c6d0d67
-Size (krb5-1.14.4.tar.gz) = 12283989 bytes
+SHA1 (krb5-1.14.5.tar.gz) = 3b8d8c4a09350f8807a8e6eb9971617755a4521f
+RMD160 (krb5-1.14.5.tar.gz) = 673087853a1ce9551d69516e01fbfd888feff717
+SHA512 (krb5-1.14.5.tar.gz) = 2484f9581b5e0b99cc49ba7f8770ea3a8751e756c98cc552d92ca223575eac58f6f1a9c268254ead4435d2d49b50ccf3181eb7bdbd56874c43f91bcfc2a66d3b
+Size (krb5-1.14.5.tar.gz) = 12322802 bytes
+SHA1 (patch-CVE-2017-11368) = 91551099d48690c051ada72889bc645706775eb1
 SHA1 (patch-Makefile.in) = 11ead9de708f4da99233b66df2cf906b156faa87
 SHA1 (patch-aa) = 941848a1773dfbe51dff3134d4b8504a850a958d
 SHA1 (patch-ae) = c7395b9de5baf6612b8787fad55dbc051a680bfd
diff -r 9c1b51199414 -r 500e2c83ee72 security/mit-krb5/patches/patch-CVE-2017-11368
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mit-krb5/patches/patch-CVE-2017-11368    Mon Aug 21 22:19:26 2017 +0000
@@ -0,0 +1,79 @@
+$NetBSD: patch-CVE-2017-11368,v 1.1 2017/08/21 22:19:26 tez Exp $
+
+Patch for CVE-2017-11368 from:
+https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970.diff
+
+
+diff --git kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 2d3ad134d0..9b256c8764 100644
+--- kdc/do_as_req.c
++++ kdc/do_as_req.c
+@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
+     did_log = 1;
+ 
+ egress:
+-    if (errcode != 0)
+-        assert (state->status != 0);
++    if (errcode != 0 && state->status == NULL)
++        state->status = "UNKNOWN_REASON";
+ 
+     au_state->status = state->status;
+     au_state->reply = &state->reply;
+diff --git kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index cdc79ad2f1..d8d67199b9 100644
+--- kdc/do_tgs_req.c
++++ kdc/do_tgs_req.c
+@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
+     free(reply.enc_part.ciphertext.data);
+ 
+ cleanup:
+-    assert(status != NULL);
++    if (status == NULL)
++        status = "UNKNOWN_REASON";
+     if (reply_key)
+         krb5_free_keyblock(kdc_context, reply_key);
+     if (errcode)
+diff --git kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 778a629e52..b710aefe4c 100644
+--- kdc/kdc_util.c
++++ kdc/kdc_util.c
+@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
+     req_data.data = (char *)pa_data->contents;
+ 
+     code = decode_krb5_pa_for_user(&req_data, &for_user);
+-    if (code)
++    if (code) {
++        *status = "DECODE_PA_FOR_USER";
+         return code;
++    }
+ 
+     code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
+     if (code) {
+@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
+     req_data.data = (char *)pa_data->contents;
+ 
+     code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
+-    if (code)
++    if (code) {
++        *status = "DECODE_PA_S4U_X509_USER";
+         return code;
++    }
+ 
+     code = verify_s4u_x509_user_checksum(context,
+                                          tgs_subkey ? tgs_subkey :
+@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
+      * that is validated previously in validate_tgs_request().
+      */
+     if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
++        *status = "INVALID_S4U2PROXY_OPTIONS";
+         return KRB5KDC_ERR_BADOPTION;
+     }
+ 
+@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
+     if (!krb5_principal_compare(kdc_context,
+                                 server->princ, /* after canon */
+                                 server_princ)) {
++        *status = "EVIDENCE_TICKET_MISMATCH";
+         return KRB5KDC_ERR_SERVER_NOMATCH;
+     }
+