From f87ca8ed928871223e4233838025e5779caa7e63 Mon Sep 17 00:00:00 2001
From: Ryan Phillips
Date: Sat, 29 Mar 2003 23:23:11 +0000
Subject: Added patch to fix security hole in the kaserver
---
 net-fs/openafs/ChangeLog | 7 ++-
 net-fs/openafs/files/kaserver-patch.diff | 65 +++++++++++++++++++
 net-fs/openafs/openafs-1.3.2-r1.ebuild | 104 +++++++++++++++++++++++++++++++
 3 files changed, 174 insertions(+), 2 deletions(-)
 create mode 100644 net-fs/openafs/files/kaserver-patch.diff
 create mode 100644 net-fs/openafs/openafs-1.3.2-r1.ebuild
(limited to 'net-fs')
diff --git a/net-fs/openafs/ChangeLog b/net-fs/openafs/ChangeLog
index 035de57832cf..a21bab127730 100644
--- a/net-fs/openafs/ChangeLog
+++ b/net-fs/openafs/ChangeLog
@@ -1,12 +1,15 @@ # ChangeLog for net-fs/openafs # Copyright 2002-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-fs/openafs/ChangeLog,v 1.17 2003/02/12 07:57:01 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-fs/openafs/ChangeLog,v 1.18 2003/03/29 23:23:11 rphillips Exp $ + + 29 Mar 2003; Ryan Phillips files/kaserver-diff.patch: + Fixes a security hole in openafs. 03 Jan 2003; Daniel Ahlberg files/afs.rc.rc6 : Fix bug #5634. 06 Dec 2002; Rodney Rees : changed sparc ~sparc keywords - + *openafs-1.2.8 (31 Jan 2003) 31 Jan 2003; Ryan Phillips openafs-1.2.8.ebuild :
diff --git a/net-fs/openafs/files/kaserver-patch.diff b/net-fs/openafs/files/kaserver-patch.diff
new file mode 100644
index 000000000000..8ea1458580de
--- /dev/null
+++ b/net-fs/openafs/files/kaserver-patch.diff
@@ -0,0 +1,65 @@
+--- openafs/src/kauth/kaprocs.c 6 Sep 2002 02:44:03 -0000 1.12
++++ openafs/src/kauth/kaprocs.c 18 Mar 2003 03:56:18 -0000 1.13
+@@ -1706,6 +1706,11 @@
+ celllen = strlen (cell);
+ if (import && (celllen == 0)) {code = KABADTICKET; goto abort;}
+ if (export && (celllen == 0)) strcpy (cell, lrealm);
++
++ if (!krb4_cross && celllen && strcmp(lrealm, cell) != 0) {
++ code = KABADUSER;
++ goto abort;
++ }
+
+ des_ecb_encrypt (atimes->SeqBody, ×, schedule, DECRYPT);
+ times.start = ntohl(times.start);
+--- openafs/src/kauth/kaserver.c 21 Aug 2002 18:13:22 -0000 1.13
++++ openafs/src/kauth/kaserver.c 18 Mar 2003 03:56:18 -0000 1.14
+@@ -56,6 +56,8 @@
+ struct ubik_dbase *KA_dbase;
+ afs_int32 myHost = 0;
+ afs_int32 verbose_track = 1;
++afs_int32 krb4_cross = 0;
++
+ struct afsconf_dir *KA_conf; /* for getting cell info */
+
+ extern afs_int32 ubik_lastYesTime;
+@@ -193,6 +195,7 @@
+ usage:
+ printf("Usage: kaserver [-noAuth] [-fastKeys] [-database ] "
+ "[-localfiles ] [-minhours ] [-servers ] "
++ "[-crossrealm]"
+ /*" [-enable_peer_stats] [-enable_process_stats] " */
+ "[-help]\n");
+ exit(1);
+@@ -250,6 +253,7 @@
+ else if (IsArg("-clear")) level = rxkad_clear;
+ else if (IsArg("-sorry")) level = rxkad_clear;
+ else if (IsArg("-debug")) verbose_track = 0;
++ else if (IsArg("-crossrealm")) krb4_cross = 1;
+ else if (IsArg("-minhours")) {
+ MinHours = atoi(argv[++a]);
+ }
+--- openafs/src/kauth/kaserver.h 4 Nov 2000 10:04:39 -0000 1.2
++++ openafs/src/kauth/kaserver.h 18 Mar 2003 23:47:51 -0000 1.4
+@@ -179,6 +179,7 @@
+ u_int locktime
+ );
+
++extern afs_int32 krb4_cross;
+
+ #define LOCKPW
+
+--- openafs/src/kauth/krb_udp.c 22 Aug 2002 18:45:16 -0000 1.20
++++ openafs/src/kauth/krb_udp.c 18 Mar 2003 03:56:18 -0000 1.21
+@@ -461,6 +461,11 @@
+ strncpy (cell, lrealm, MAXKTCREALMLEN-1);
+ cell[MAXKTCREALMLEN-1] = 0;
+ };
++
++ if (!krb4_cross && strcmp(lrealm, cell) != 0) {
++ code = KERB_ERR_PRINCIPAL_UNKNOWN;
++ goto abort;
++ }
+
+ if (krb_udp_debug) {
+ printf ("UGetTicket: got ticket from '%s'.'%s'@'%s'\n",
diff --git a/net-fs/openafs/openafs-1.3.2-r1.ebuild b/net-fs/openafs/openafs-1.3.2-r1.ebuild
new file mode 100644
index 000000000000..1090229f450c
--- /dev/null
+++ b/net-fs/openafs/openafs-1.3.2-r1.ebuild
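Review bot: The usage fragment added in kaserver.c, `"[-crossrealm]"`, has no trailing space, and because the literal after it is commented out it runs straight into `"[-help]\n"`, printing `[-crossrealm][-help]`; it should be `"[-crossrealm] "`. The definition `afs_int32 krb4_cross = 0;` carries no comment although its default is what makes the two new realm checks take effect; something like `/* 0: refuse requests naming a realm other than lrealm; set to 1 by -crossrealm */` would tell operators that passing the flag skips those checks again. Both new checks (kaprocs.c and krb_udp.c) set an error code and `goto abort`; the enclosing functions and their abort paths lie outside the inner hunks, so it cannot be confirmed here whether a refused request is logged, and if it is not, a log line naming the requested cell would give operators something to alert on.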
@@ -0,0 +1,104 @@
+# Copyright 1999-2003 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# /home/cvsroot/gentoo-x86/net-fs/openafs/openafs-1.1.1.ebuild,v 1.3 2001/08/31 03:23:39 pm Exp
+
+
+S=${WORKDIR}/${P}
+DESCRIPTION="The AFS 3 distributed file system targets the issues critical to
+distributed computing environments. AFS performs exceptionally well,
+both within small, local work groups of machines and across wide-area
+configurations in support of large, collaborative efforts. AFS provides
+an architecture geared towards system management, along with the tools
+to perform important management tasks. For a user, AFS is a familiar yet
+extensive UNIX environment for accessing files easily and quickly."
+
+SRC_URI="http://www.openafs.org/dl/${PN}/${PV}/${P}-src.tar.gz"
+HOMEPAGE="http://www.openafs.org/"
+
+SLOT="0"
+LICENSE="IPL-1"
+KEYWORDS="-* x86"
+
+SANDBOX_DISABLED="1"
+
+DEPEND=">=sys-apps/portage-2.0.47-r10
+ >=sys-libs/ncurses-5.2
+ >=sys-libs/pam-0.75"
+
+ARCH=i386_linux24
+
+src_unpack() {
+ unpack ${A}
+
+ cd ${S}/src/config
+ cp Makefile.in Makefile.in.old
+ sed -i "s|/usr/lib/libncurses.so|-lncurses|g" Makefile.in
+
+ cd ${S}
+ patch -p1 < ${FILESDIR}/kaserver-patch.diff
+}
+
+src_compile() {
+ ./configure \
+ --with-afs-sysname=i386_linux24 \
+ --enable-transarc-paths || die
+ make || die
+ make dest || die
+}
+
+src_install () {
+
+
+ # Client
+
+ cd ${S}/${ARCH}/dest/root.client/usr/vice
+
+ insinto /etc/afs/modload
+ doins etc/modload/*
+ insinto /etc/afs/C
+ doins etc/C/*
+
+ insinto /etc/afs
+ doins ${FILESDIR}/{ThisCell,CellServDB}
+ doins etc/afs.conf
+
+ dodir /afs
+
+ exeinto /etc/init.d
+ newexe ${FILESDIR}/afs.rc.rc6 afs
+
+ dosbin etc/afsd
+
+ # Client Bin
+ cd ${S}/${ARCH}/dest
+ exeinto /usr/afsws/bin
+ doexe bin/*
+
+ exeinto /etc/afs/afsws
+ doexe etc/*
+
+ cp -a include lib ${D}/usr/afsws
+ dosym /usr/afsws/lib/afs/libtermlib.a /usr/afsws/lib/afs/libnull.a
+
+ # Server
+ cd ${S}/${ARCH}/dest/root.server/usr/afs
+ exeinto /usr/afs/bin
+ doexe bin/*
+
+ dodir /usr/vice
+ dosym /etc/afs /usr/vice/etc
+ dosym /etc/afs/afsws /usr/afsws/etc
+
+ dodoc ${FILESDIR}/README
+
+ dodir /etc/env.d
+ echo 'CONFIG_PROTECT_MASK="/etc/afs/C /etc/afs/afsws"' > ${D}/etc/env.d/01${PN}
+ echo 'PATH=/usr/afsws/bin:/etc/afs/afsws' >> ${D}/etc/env.d/01${PN}
+ echo 'ROOTPATH=/usr/afsws/bin:/etc/afs/afsws:/usr/afs/bin' >> ${D}/etc/env.d/01${PN}
+}
+
+pkg_postinst () {
+ echo ">>> UPDATE CellServDB and ThisCell to your needs !!"
+ echo ">>> FOLLOW THE INSTRUCTIONS IN AFS QUICK BEGINNINGS"
+ echo ">>> PAGE >45 TO DO INITIAL SERVER SETUP" fi
+}
-- cgit v1.2.3-65-gdbad
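Review bot: In src_unpack the security patch is applied with `patch -p1 < ${FILESDIR}/kaserver-patch.diff` and no `|| die`, so the ebuild itself does not treat a patch that fails to apply as fatal, and a build could ship an unpatched kaserver under the revision that claims the fix. The line should follow the convention src_compile already uses, e.g. `patch -p1 < ${FILESDIR}/kaserver-patch.diff || die "kaserver security patch failed to apply"`, and the `cd ${S}` before it deserves the same check. `SANDBOX_DISABLED="1"` switches off the build sandbox with no comment saying why; a one-line justification next to it would help whoever audits this ebuild. The last echo in pkg_postinst also appears to end with a stray `fi`, which would be printed as part of the message.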