<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[145688] trunk/dports/net/kerberos5</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="https://trac.macports.org/changeset/145688">145688</a></dd>
<dt>Author</dt> <dd>cal@macports.org</dd>
<dt>Date</dt> <dd>2016-02-12 15:27:40 -0800 (Fri, 12 Feb 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>kerberos5: 1.14, multiple vulnerabilities
Updated to 1.14, dropped unused code from Portfile, changed livecheck to
GitHub.
Fixes CVE-2015-8629, CVE-2015-8630, CVE-2015-8631. For more information, see:
- https://www.debian.org/security/2016/dsa-3466
- https://github.com/krb5/krb5/commit/df17a1224a3406f57477bcd372c61e04c0e5a5bb
- https://github.com/krb5/krb5/commit/b863de7fbf080b15e347a736fdda0a82d42f4f6b
- https://github.com/krb5/krb5/commit/83ed75feba32e46f736fcce0d96a0445f29b96c2</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkdportsnetkerberos5Portfile">trunk/dports/net/kerberos5/Portfile</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkdportsnetkerberos5files83ed75feba32e46f736fcce0d96a0445f29b96c2patch">trunk/dports/net/kerberos5/files/83ed75feba32e46f736fcce0d96a0445f29b96c2.patch</a></li>
<li><a href="#trunkdportsnetkerberos5filesb863de7fbf080b15e347a736fdda0a82d42f4f6bpatch">trunk/dports/net/kerberos5/files/b863de7fbf080b15e347a736fdda0a82d42f4f6b.patch</a></li>
<li><a href="#trunkdportsnetkerberos5filesdf17a1224a3406f57477bcd372c61e04c0e5a5bbpatch">trunk/dports/net/kerberos5/files/df17a1224a3406f57477bcd372c61e04c0e5a5bb.patch</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkdportsnetkerberos5Portfile"></a>
<div class="modfile"><h4>Modified: trunk/dports/net/kerberos5/Portfile (145687 => 145688)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/net/kerberos5/Portfile 2016-02-12 23:14:24 UTC (rev 145687)
+++ trunk/dports/net/kerberos5/Portfile 2016-02-12 23:27:40 UTC (rev 145688)
</span><span class="lines">@@ -5,12 +5,11 @@
</span><span class="cx"> PortGroup github 1.0
</span><span class="cx"> PortGroup compiler_blacklist_versions 1.0
</span><span class="cx">
</span><del>-github.setup krb5 krb5 1.13.2-final krb5-
</del><ins>+github.setup krb5 krb5 1.14-final krb5-
</ins><span class="cx"> name kerberos5
</span><del>-version 1.13.2
-revision 2
</del><ins>+version 1.14
+
</ins><span class="cx"> conflicts fbopenssl
</span><del>-set branch [join [lrange [split ${version} .] 0 1] .]
</del><span class="cx"> categories net security
</span><span class="cx"> maintainers ryandesign openmaintainer
</span><span class="cx"> license MIT BSD ISC OpenLDAP-2.8+
</span><span class="lines">@@ -27,8 +26,8 @@
</span><span class="cx"> Technology. Kerberos is available in many commercial \
</span><span class="cx"> products as well.
</span><span class="cx">
</span><del>-checksums rmd160 0d3248b49ac3bb08d6e5b0fdc3d8fd9168e293c7 \
- sha256 33da60a9297e1b6a58d1bc3c71f6bfb9ef441193a7904271437d8463e0cd1a54
</del><ins>+checksums rmd160 ae291f655922f93f61f6c9ca92a9a2c1126d38d6 \
+ sha256 bc3237d8ab2ecb21b5a2cf32c09d368385b7779efc0db1a90cbfa1f671453db5
</ins><span class="cx">
</span><span class="cx"> depends_build port:python27
</span><span class="cx">
</span><span class="lines">@@ -42,7 +41,10 @@
</span><span class="cx">
</span><span class="cx"> patchfiles patch-util__verto__Makefile.in-use-nonzero-compat-version.diff \
</span><span class="cx"> patch-config__shlib.conf-do-not-pass-dylib-file-ldflags.diff \
</span><del>- patch-lib_rpc_Makefile.in-explicitly-link-krb5support.diff
</del><ins>+ patch-lib_rpc_Makefile.in-explicitly-link-krb5support.diff \
+ df17a1224a3406f57477bcd372c61e04c0e5a5bb.patch \
+ b863de7fbf080b15e347a736fdda0a82d42f4f6b.patch \
+ 83ed75feba32e46f736fcce0d96a0445f29b96c2.patch
</ins><span class="cx">
</span><span class="cx"> use_autoreconf yes
</span><span class="cx"> # kerberos5 fails to build in its own presence, see #23769, #37944
</span><span class="lines">@@ -79,10 +81,7 @@
</span><span class="cx">
</span><span class="cx"> post-destroot {
</span><span class="cx"> # Remove LDFLAGS settings that are needed for building this port but not dependents
</span><del>- reinplace "/^LDFLAGS=/s/^.*$/LDFLAGS=''/" ${destroot}${prefix}/bin/krb5-config
</del><ins>+ reinplace "/^LDFLAGS=/s/^.*$/LDFLAGS=''/" ${destroot}${prefix}/bin/krb5-config
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-livecheck.regex krb5-(\[0-9.\]+)-signed.tar
-livecheck.version ${version}
-livecheck.type regex
-livecheck.url http://web.mit.edu/kerberos/dist/index.html
</del><ins>+livecheck.regex {archive/krb5-([^"]+)-final.tar.gz}
</ins></span></pre></div>
<a id="trunkdportsnetkerberos5files83ed75feba32e46f736fcce0d96a0445f29b96c2patch"></a>
<div class="addfile"><h4>Added: trunk/dports/net/kerberos5/files/83ed75feba32e46f736fcce0d96a0445f29b96c2.patch (0 => 145688)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/net/kerberos5/files/83ed75feba32e46f736fcce0d96a0445f29b96c2.patch (rev 0)
+++ trunk/dports/net/kerberos5/files/83ed75feba32e46f736fcce0d96a0445f29b96c2.patch 2016-02-12 23:27:40 UTC (rev 145688)
</span><span class="lines">@@ -0,0 +1,571 @@
</span><ins>+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/83ed75feba32e46f736fcce0d96a0445f29b96c2]
+From 83ed75feba32e46f736fcce0d96a0445f29b96c2 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 8 Jan 2016 13:16:54 -0500
+Subject: [PATCH] Fix leaks in kadmin server stubs [CVE-2015-8631]
+
+In each kadmind server stub, initialize the client_name and
+server_name variables, and release them in the cleanup handler. Many
+of the stubs will otherwise leak the client and server name if
+krb5_unparse_name() fails. Also make sure to free the prime_arg
+variables in rename_principal_2_svc(), or we can leak the first one if
+unparsing the second one fails. Discovered by Simo Sorce.
+
+CVE-2015-8631:
+
+In all versions of MIT krb5, an authenticated attacker can cause
+kadmind to leak memory by supplying a null principal name in a request
+which uses one. Repeating these requests will eventually cause
+kadmind to exhaust all available memory.
+
+ CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+ticket: 8343 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+---
+ src/kadmin/server/server_stubs.c | 151 ++++++++++++++++++++-------------------
+ 1 file changed, 77 insertions(+), 74 deletions(-)
+
+diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
+index 1879dc6..6ac797e 100644
+--- kadmin/server/server_stubs.c
++++ kadmin/server/server_stubs.c
+@@ -334,7 +334,8 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name, service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+@@ -382,10 +383,10 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
+- gss_release_buffer(&minor_stat, &client_name);
+- gss_release_buffer(&minor_stat, &service_name);
+
+ exit_func:
++ gss_release_buffer(&minor_stat, &client_name);
++ gss_release_buffer(&minor_stat, &service_name);
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -395,7 +396,8 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name, service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+@@ -444,10 +446,10 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
+- gss_release_buffer(&minor_stat, &client_name);
+- gss_release_buffer(&minor_stat, &service_name);
+
+ exit_func:
++ gss_release_buffer(&minor_stat, &client_name);
++ gss_release_buffer(&minor_stat, &service_name);
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -457,8 +459,8 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -501,10 +503,10 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp)
+
+ }
+ free(prime_arg);
+- gss_release_buffer(&minor_stat, &client_name);
+- gss_release_buffer(&minor_stat, &service_name);
+
+ exit_func:
++ gss_release_buffer(&minor_stat, &client_name);
++ gss_release_buffer(&minor_stat, &service_name);
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -514,8 +516,8 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+@@ -559,9 +561,9 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -570,10 +572,9 @@ generic_ret *
+ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+- char *prime_arg1,
+- *prime_arg2;
+- gss_buffer_desc client_name,
+- service_name;
++ char *prime_arg1 = NULL, *prime_arg2 = NULL;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+@@ -655,11 +656,11 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+
+ }
++exit_func:
+ free(prime_arg1);
+ free(prime_arg2);
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -669,8 +670,8 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
+ {
+ static gprinc_ret ret;
+ char *prime_arg, *funcname;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -719,9 +720,9 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -731,8 +732,8 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
+ {
+ static gprincs_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -777,9 +778,9 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+
+ }
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -789,8 +790,8 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -840,9 +841,9 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp)
+ }
+
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -852,8 +853,8 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -909,9 +910,9 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp)
+ }
+
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -921,8 +922,8 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -969,9 +970,9 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp)
+ }
+
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -981,8 +982,8 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1029,9 +1030,9 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp)
+ }
+
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1041,8 +1042,8 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1092,9 +1093,9 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp)
+ }
+
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1106,8 +1107,8 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
+ krb5_keyblock *k;
+ int nkeys;
+ char *prime_arg, *funcname;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1164,9 +1165,9 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1178,8 +1179,8 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
+ krb5_keyblock *k;
+ int nkeys;
+ char *prime_arg, *funcname;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1241,9 +1242,9 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1253,8 +1254,8 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1295,9 +1296,9 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp)
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+ }
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1307,8 +1308,8 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1347,9 +1348,9 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp)
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+ }
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1359,8 +1360,8 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1400,9 +1401,9 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp)
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+ }
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1413,8 +1414,8 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
+ static gpol_ret ret;
+ kadm5_ret_t ret2;
+ char *prime_arg, *funcname;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_principal_ent_rec caller_ent;
+ kadm5_server_handle_t handle;
+@@ -1475,9 +1476,9 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
+ log_unauth(funcname, prime_arg,
+ &client_name, &service_name, rqstp);
+ }
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+
+@@ -1488,8 +1489,8 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp)
+ {
+ static gpols_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1531,9 +1532,9 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp)
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+ }
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1541,7 +1542,8 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp)
+ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
+ {
+ static getprivs_ret ret;
+- gss_buffer_desc client_name, service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1571,9 +1573,9 @@ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1583,7 +1585,8 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg, *funcname;
+- gss_buffer_desc client_name, service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+
+@@ -1629,9 +1632,9 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1641,8 +1644,8 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
+ {
+ static gstrings_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1688,9 +1691,9 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1700,8 +1703,8 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+ char *prime_arg;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+@@ -1744,9 +1747,9 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
++exit_func:
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+-exit_func:
+ free_server_handle(handle);
+ return &ret;
+ }
+@@ -1754,8 +1757,8 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
+ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
+ {
+ static generic_ret ret;
+- gss_buffer_desc client_name,
+- service_name;
++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
+ kadm5_server_handle_t handle;
+ OM_uint32 minor_stat;
+ const char *errmsg = NULL;
+@@ -1797,10 +1800,10 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
+ rqstp->rq_cred.oa_flavor);
+ if (errmsg != NULL)
+ krb5_free_error_message(NULL, errmsg);
+- gss_release_buffer(&minor_stat, &client_name);
+- gss_release_buffer(&minor_stat, &service_name);
+
+ exit_func:
++ gss_release_buffer(&minor_stat, &client_name);
++ gss_release_buffer(&minor_stat, &service_name);
+ return(&ret);
+ }
+
</ins></span></pre></div>
<a id="trunkdportsnetkerberos5filesb863de7fbf080b15e347a736fdda0a82d42f4f6bpatch"></a>
<div class="addfile"><h4>Added: trunk/dports/net/kerberos5/files/b863de7fbf080b15e347a736fdda0a82d42f4f6b.patch (0 => 145688)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/net/kerberos5/files/b863de7fbf080b15e347a736fdda0a82d42f4f6b.patch (rev 0)
+++ trunk/dports/net/kerberos5/files/b863de7fbf080b15e347a736fdda0a82d42f4f6b.patch 2016-02-12 23:27:40 UTC (rev 145688)
</span><span class="lines">@@ -0,0 +1,76 @@
</span><ins>+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/b863de7fbf080b15e347a736fdda0a82d42f4f6b]
+From b863de7fbf080b15e347a736fdda0a82d42f4f6b Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 8 Jan 2016 12:52:28 -0500
+Subject: [PATCH] Check for null kadm5 policy name [CVE-2015-8630]
+
+In kadm5_create_principal_3() and kadm5_modify_principal(), check for
+entry->policy being null when KADM5_POLICY is included in the mask.
+
+CVE-2015-8630:
+
+In MIT krb5 1.12 and later, an authenticated attacker with permission
+to modify a principal entry can cause kadmind to dereference a null
+pointer by supplying a null policy value but including KADM5_POLICY in
+the mask.
+
+ CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+ticket: 8342 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+---
+ src/lib/kadm5/srv/svr_principal.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
+index 5b95fa3..1d4365c 100644
+--- lib/kadm5/srv/svr_principal.c
++++ lib/kadm5/srv/svr_principal.c
+@@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle,
+ /*
+ * Argument sanity checking, and opening up the DB
+ */
++ if (entry == NULL)
++ return EINVAL;
+ if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) ||
+ (mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) ||
+ (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
+@@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle,
+ return KADM5_BAD_MASK;
+ if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0)
+ return KADM5_BAD_MASK;
++ if((mask & KADM5_POLICY) && entry->policy == NULL)
++ return KADM5_BAD_MASK;
+ if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
+ return KADM5_BAD_MASK;
+ if((mask & ~ALL_PRINC_MASK))
+ return KADM5_BAD_MASK;
+- if (entry == NULL)
+- return EINVAL;
+
+ /*
+ * Check to see if the principal exists
+@@ -643,6 +645,8 @@ kadm5_modify_principal(void *server_handle,
+
+ krb5_clear_error_message(handle->context);
+
++ if(entry == NULL)
++ return EINVAL;
+ if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) ||
+ (mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) ||
+ (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
+@@ -651,10 +655,10 @@ kadm5_modify_principal(void *server_handle,
+ return KADM5_BAD_MASK;
+ if((mask & ~ALL_PRINC_MASK))
+ return KADM5_BAD_MASK;
++ if((mask & KADM5_POLICY) && entry->policy == NULL)
++ return KADM5_BAD_MASK;
+ if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
+ return KADM5_BAD_MASK;
+- if(entry == (kadm5_principal_ent_t) NULL)
+- return EINVAL;
+ if (mask & KADM5_TL_DATA) {
+ tl_data_orig = entry->tl_data;
+ while (tl_data_orig) {
</ins></span></pre></div>
<a id="trunkdportsnetkerberos5filesdf17a1224a3406f57477bcd372c61e04c0e5a5bbpatch"></a>
<div class="addfile"><h4>Added: trunk/dports/net/kerberos5/files/df17a1224a3406f57477bcd372c61e04c0e5a5bb.patch (0 => 145688)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/net/kerberos5/files/df17a1224a3406f57477bcd372c61e04c0e5a5bb.patch (rev 0)
+++ trunk/dports/net/kerberos5/files/df17a1224a3406f57477bcd372c61e04c0e5a5bb.patch 2016-02-12 23:27:40 UTC (rev 145688)
</span><span class="lines">@@ -0,0 +1,46 @@
</span><ins>+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/df17a1224a3406f57477bcd372c61e04c0e5a5bb]
+From df17a1224a3406f57477bcd372c61e04c0e5a5bb Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 8 Jan 2016 12:45:25 -0500
+Subject: [PATCH] Verify decoded kadmin C strings [CVE-2015-8629]
+
+In xdr_nullstring(), check that the decoded string is terminated with
+a zero byte and does not contain any internal zero bytes.
+
+CVE-2015-8629:
+
+In all versions of MIT krb5, an authenticated attacker can cause
+kadmind to read beyond the end of allocated memory by sending a string
+without a terminating zero byte. Information leakage may be possible
+for an attacker with permission to modify the database.
+
+ CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
+
+ticket: 8341 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+---
+ src/lib/kadm5/kadm_rpc_xdr.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 2bef858..ba67084 100644
+--- lib/kadm5/kadm_rpc_xdr.c
++++ lib/kadm5/kadm_rpc_xdr.c
+@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp)
+ return FALSE;
+ }
+ }
+- return (xdr_opaque(xdrs, *objp, size));
++ if (!xdr_opaque(xdrs, *objp, size))
++ return FALSE;
++ /* Check that the unmarshalled bytes are a C string. */
++ if ((*objp)[size - 1] != '\0')
++ return FALSE;
++ if (memchr(*objp, '\0', size - 1) != NULL)
++ return FALSE;
++ return TRUE;
+
+ case XDR_ENCODE:
+ if (size != 0)
</ins></span></pre>
</div>
</div>
</body>
</html>