app-crypt/mit-krb5: bump, fixes CVE-2017-7562

Ebuild changes: =============== - Dropped the following upstreamed patches which are now included in v1.16: - mit-krb5-1.14.2-redeclared-ttyname.patch - mit-krb5-1.14.4-disable-nls.patch - mit-krb5-1.15.2-fix-pkinit.patch - We are now installing systemd services. [Bug 524412] - Tests are now restricted because they are requiring network access. Closes: https://bugs.gentoo.org/524412 Bug: https://bugs.gentoo.org/628936 Package-Manager: Portage-2.3.20, Repoman-2.3.6
johu · Jan 26, 2018 · f4a050c · f4a050c
1 parent 40a807c
commit f4a050c
Show file tree

Hide file tree

Showing 7 changed files with 198 additions and 0 deletions.
diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
@@ -1 +1,2 @@
 DIST krb5-1.15.2.tar.gz 9380755 BLAKE2B 3f5d00a70bf44ef077872bde282e4753e82acb70632e136b8f9f8d3a192e3e7b692840803e5a3f67ddb202d53631767ea9eb8b7615d45a3479389a01a6390ac4 SHA512 e5814bb66384b13637c37918df694c6b9933c29c2d952da0ed0dcd2e623b269060b4c16b6c02162039dadebdab99ff1085e37e7621ae4748dafb036424e612c2
+DIST krb5-1.16.tar.gz 9474479 BLAKE2B 0c5caa0a0d2308a447d47ab94d7b8dc92a67ad78b3bac1678c3f3ece3905f27feda5a23d28b3c13ebd64d1760726888c759fb19da82ad960c6f84a433b753873 SHA512 7e162467b95dad2b6aaa11686d08a00f1cc4eb08247fca8f0e5a8bcaa5f9f7b42cdf00db69c5c6111bdf9eb8063d53cef3bb207ce5d6a287615ca10b710153f9
diff --git a/app-crypt/mit-krb5/files/mit-krb5kadmind.service b/app-crypt/mit-krb5/files/mit-krb5kadmind.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 administration server
+
+[Service]
+ExecStart=/usr/sbin/kadmind -nofork
+
+[Install]
+WantedBy=multi-user.target
diff --git a/app-crypt/mit-krb5/files/mit-krb5kdc.service b/app-crypt/mit-krb5/files/mit-krb5kdc.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Kerberos 5 KDC
+
+[Service]
+ExecStart=/usr/sbin/krb5kdc -n
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd.service b/app-crypt/mit-krb5/files/mit-krb5kpropd.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 propagation server
+
+[Service]
+ExecStart=/usr/sbin/kpropd -S
+
+[Install]
+WantedBy=multi-user.target
diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd.socket b/app-crypt/mit-krb5/files/mit-krb5kpropd.socket
@@ -0,0 +1,9 @@
+[Unit]
+Description=Kerberos 5 propagation server
+
+[Socket]
+ListenStream=754
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd_at.service b/app-crypt/mit-krb5/files/mit-krb5kpropd_at.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 propagation server
+Conflicts=mit-krb5kpropd.service
+
+[Service]
+ExecStart=/usr/sbin/kpropd
+StandardInput=socket
+StandardError=syslog
diff --git a/app-crypt/mit-krb5/mit-krb5-1.16.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16.ebuild
@@ -0,0 +1,155 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/"
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
+
+# Test suite require network access
+RESTRICT="test"
+
+CDEPEND="
+	!!app-crypt/heimdal
+	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+	|| (
+		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+	)
+	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
+	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+	pkinit? (
+		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0[${MULTILIB_USEDEP}] )
+		libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
+	)
+	xinetd? ( sys-apps/xinetd )
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508-r1
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)"
+DEPEND="${CDEPEND}
+	${PYTHON_DEPS}
+	virtual/yacc
+	doc? ( virtual/latex-base )
+	test? (
+		${PYTHON_DEPS}
+		dev-lang/tcl:0
+		dev-util/dejagnu
+	)"
+RDEPEND="${CDEPEND}
+	selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+src_prepare() {
+	eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+	eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+
+	# Make sure we always use the system copies.
+	rm -rf util/{et,ss,verto}
+	sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
+
+	eapply_user
+	eautoreconf
+}
+
+src_configure() {
+	# QA
+	append-flags -fno-strict-aliasing
+	append-flags -fno-strict-overflow
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use keyutils || export ac_cv_header_keyutils_h=no
+	ECONF_SOURCE=${S} \
+	WARN_CFLAGS="set" \
+	econf \
+		$(use_with openldap ldap) \
+		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable nls) \
+		$(use_enable pkinit) \
+		$(use_enable threads thread-support) \
+		--without-hesiod \
+		--enable-shared \
+		--with-system-et \
+		--with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-lookaside-cache \
+		--with-system-verto \
+		--disable-rpath
+}
+
+multilib_src_compile() {
+	emake -j1
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+		install
+}
+
+multilib_src_install_all() {
+	# default database dir
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+
+	if use doc; then
+		dodoc -r doc/html
+		docinto pdf
+		dodoc doc/pdf/*.pdf
+	fi
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "[email protected]"
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
+
+	insinto /etc
+	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	insinto /var/lib/krb5kdc
+	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	if use openldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+	fi
+
+	if use xinetd ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/kpropd.xinetd" kpropd
+	fi
+}