summaryrefslogtreecommitdiff
path: root/repo/heimdal
diff options
context:
space:
mode:
authordavidovski <david@davidovski.xyz>2023-02-02 14:10:02 +0000
committerdavidovski <david@davidovski.xyz>2023-02-02 14:10:02 +0000
commitf29d569cd33a73da5ad675f43a34ad53c5cc9bc6 (patch)
tree76fe6267f8307e7630fc6f53ff99a9767ad40de0 /repo/heimdal
parent05d004dfe0c9a9d898fac8a4a0292ca2a74ca391 (diff)
Work
Diffstat (limited to 'repo/heimdal')
-rw-r--r--repo/heimdal/005_all_heimdal-suid_fix.patch20
-rw-r--r--repo/heimdal/CVE-2018-16860.patch147
-rw-r--r--repo/heimdal/autoconf-270.patch27
-rwxr-xr-xrepo/heimdal/heimdal-kadmind.initd24
-rwxr-xr-xrepo/heimdal/heimdal-kdc.initd23
-rwxr-xr-xrepo/heimdal/heimdal-kpasswdd.initd24
-rw-r--r--repo/heimdal/heimdal.xibuild82
-rw-r--r--repo/heimdal/heimdal_missing-include.patch11
-rw-r--r--repo/heimdal/silence-include-headers-redirect-warnings.patch80
9 files changed, 0 insertions, 438 deletions
diff --git a/repo/heimdal/005_all_heimdal-suid_fix.patch b/repo/heimdal/005_all_heimdal-suid_fix.patch
deleted file mode 100644
index 0524db6..0000000
--- a/repo/heimdal/005_all_heimdal-suid_fix.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- appl/su/Makefile.am 2005-06-16 18:27:46.000000000 +0200
-+++ b/appl/su/Makefile.am 2005-06-27 23:25:21.000000000 +0200
-@@ -7,6 +7,7 @@
- bin_PROGRAMS = su
- bin_SUIDS = su
- su_SOURCES = su.c supaths.h
-+su_LDFLAGS = -Wl,-z,now
- man_MANS = su.1
-
- LDADD = $(LIB_kafs) \
---- appl/otp/Makefile.am 2005-06-16 18:28:46.000000000 +0200
-+++ b/appl/otp/Makefile.am 2005-06-27 23:25:40.000000000 +0200
-@@ -8,6 +8,7 @@
- bin_SUIDS = otp
- otp_SOURCES = otp.c otp_locl.h
- otpprint_SOURCES = otpprint.c otp_locl.h
-+otp_LDFLAGS = -Wl,-z,now
-
- man_MANS = otp.1 otpprint.1
-
diff --git a/repo/heimdal/CVE-2018-16860.patch b/repo/heimdal/CVE-2018-16860.patch
deleted file mode 100644
index 6424b9e..0000000
--- a/repo/heimdal/CVE-2018-16860.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From c6257cc2c842c0faaeb4ef34e33890ee88c4cbba Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Tue, 14 May 2019 09:03:18 -0400
-Subject: [PATCH] CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed
- checksum
-
-S4U2Self is an extension to Kerberos used in Active Directory to allow
-a service to request a kerberos ticket to itself from the Kerberos Key
-Distribution Center (KDC) for a non-Kerberos authenticated user
-(principal in Kerboros parlance). This is useful to allow internal
-code paths to be standardized around Kerberos.
-
-S4U2Proxy (constrained-delegation) is an extension of this mechanism
-allowing this impersonation to a second service over the network. It
-allows a privileged server that obtained a S4U2Self ticket to itself
-to then assert the identity of that principal to a second service and
-present itself as that principal to get services from the second
-service.
-
-There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
-KDC checks the checksum that is placed on the S4U2Self packet by the
-server to protect the requested principal against modification, it
-does not confirm that the checksum algorithm that protects the user
-name (principal) in the request is keyed. This allows a
-man-in-the-middle attacker who can intercept the request to the KDC to
-modify the packet by replacing the user name (principal) in the
-request with any desired user name (principal) that exists in the KDC
-and replace the checksum protecting that name with a CRC32 checksum
-(which requires no prior knowledge to compute).
-
-This would allow a S4U2Self ticket requested on behalf of user name
-(principal) user@EXAMPLE.COM to any service to be changed to a
-S4U2Self ticket with a user name (principal) of
-Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
-the modified user name (principal).
-
-==================
-CVSSv3 calculation
-==================
-
-CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)
-
-=========================
-Workaround and Mitigation
-=========================
-
-If server does not take privileged actions based on Kerberos tickets
-obtained by S4U2Self nor obtains Kerberos tickets via further
-S4U2Proxy requests then this issue cannot be exploited.
-
-Note that the path to an exploit is not generic, the KDC is not harmed
-by the malicious checksum, it is the client service requesting the
-ticket being mislead, because it trusted the KDC to return the correct
-ticket and PAC.
-
-It is out of scope for Samba to describe all of the possible tool
-chains that might be vulnerable. Here are two examples of possible
-exploits in order to explain the issue more clearly.
-
-1). SFU2Self might be used by a web service authenticating an end user
-via OAuth, Shibboleth, or other protocols to obtain a S4U2Self
-Kerberos service ticket for use by any Kerberos service principal the
-web service has a keytab for. One example is acquiring an AFS token
-by requesting an afs/cell@REALM service ticket for a client via
-SFU2Self. With this exploit an organization that deploys a KDC built
-from Heimdal (be it Heimdal directly or vendor versions such as found
-in Samba) is vulnerable to privilege escalation attacks.
-
-2). If a server authenticates users using X509 certificates, and then
-uses S4U2Self to obtain a Kerberos service ticket on behalf of the
-user (principal) in order to authorize access to local resources, a
-man-in-the-middle attacker could allow a non-privilaged user to access
-privilaged resources being protected by the server, or privilaged
-resources being protected by a second server, if the first server uses
-the S4U2Proxy extension in order to get a new Kerberos service ticket
-to obtain access to the second server.
-
-In both these scenarios under conditions allowing man-in-the-middle
-active network protocol manipulation, a malicious user could
-authenticate using the non-Kerborized credentials of an unprivileged
-user, and then elevate its privileges by intercepting the packet from
-the server to the KDC and changing the requested user name (principal).
-
-The only Samba clients that use S4U2Self are:
-
-- the "net ads kerberos pac dump" (debugging) tool.
-
-- the CIFS proxy in the deprecated/developer-only NTVFS file
-server. Note this code is not compiled or enabled by default.
-
-In particular, winbindd does *not* use S4U2Self.
-
-Finally, MIT Kerberos and so therefore the experimental MIT KDC backend
-for Samba AD is understood not to be impacted.
-
-===============
-Further Reading
-===============
-
-There is more detail on and a description of the protocols in
-
-[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained
-Delegation Protocol
-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
-
-=======
-Credits
-=======
-
-Originally reported by Isaac Boukris and Andrew Bartlett of the Samba
-Team and Catalyst.
-
-Patches provided by Isaac Boukris.
-
-Advisory written by Andrew Bartlett of the Samba Team and Catalyst,
-with contributions from Isaac Boukris, Jeffrey Altman and Jeremy
-Allison.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685
-Change-Id: I4ac69ebf0503eb999a7d497a2c30fe4d293a8cc8
-Signed-off-by: Isaac Boukris <iboukris@gmail.com>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
-Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
----
- kdc/krb5tgs.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
-index 8318bc0025..14943077a4 100644
---- a/kdc/krb5tgs.c
-+++ b/kdc/krb5tgs.c
-@@ -2031,6 +2031,13 @@ tgs_build_reply(krb5_context context,
- goto out;
- }
-
-+ if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
-+ free_PA_S4U2Self(&self);
-+ kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed checksum");
-+ ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
-+ goto out;
-+ }
-+
- ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
- if (ret)
- goto out;
diff --git a/repo/heimdal/autoconf-270.patch b/repo/heimdal/autoconf-270.patch
deleted file mode 100644
index 05cdc09..0000000
--- a/repo/heimdal/autoconf-270.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-commit 22352b90e78e2d162b98b5ef6c84672c397be40a
-Author: Lars Wendler <polynomial-c@gentoo.org>
-Date: Wed Mar 17 17:49:18 2021 +0100
-
- autoconf-2.70 fix
-
- autoconf-2.70 and newer are more strict with quoting etc. and thus generate
- a broken configure file:
-
- configure: 20855: Syntax error: ")" unexpected (expecting "fi")
-
- Gentoo-bug: https://bugs.gentoo.org/776241
- Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
-
-diff --git a/cf/check-var.m4 b/cf/check-var.m4
-index 2fd7bca6f..71d6f70ca 100644
---- a/cf/check-var.m4
-+++ b/cf/check-var.m4
-@@ -20,7 +20,7 @@ AC_MSG_RESULT($ac_foo)
- if test "$ac_foo" = yes; then
- AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]$1), 1,
- [Define if you have the `]$1[' variable.])
-- m4_ifval([$2], AC_CHECK_DECLS([$1],[],[],[$2]))
-+ m4_ifval([$2], [AC_CHECK_DECLS([$1],[],[],[$2])])
- fi
- ])
-
diff --git a/repo/heimdal/heimdal-kadmind.initd b/repo/heimdal/heimdal-kadmind.initd
deleted file mode 100755
index 73f2381..0000000
--- a/repo/heimdal/heimdal-kadmind.initd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kadmind,v 1.3 2004/09/13 22:44:54 solar Exp $
-
-depend() {
- need net
- use heimdal-kdc
- after logger
-}
-
-start() {
- ebegin "Starting heimdal kadmind"
- /usr/sbin/kadmind &
- echo $! > /var/run/heimdal-kadmind.pid
- eend $?
-}
-
-stop() {
- ebegin "Stopping heimdal kadmind"
- start-stop-daemon --stop --quiet --exec \
- /usr/sbin/kadmind
- eend $?
-}
diff --git a/repo/heimdal/heimdal-kdc.initd b/repo/heimdal/heimdal-kdc.initd
deleted file mode 100755
index 32288c4..0000000
--- a/repo/heimdal/heimdal-kdc.initd
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kdc,v 1.2 2004/09/13 15:40:34 dragonheart Exp $
-
-depend() {
- need net
- after logger
-}
-
-start() {
- ebegin "Starting heimdal kdc"
- start-stop-daemon --start --quiet --exec \
- /usr/sbin/kdc -- --detach
- eend $?
-}
-
-stop() {
- ebegin "Stopping heimdal kdc"
- start-stop-daemon --stop --quiet --exec \
- /usr/sbin/kdc
- eend $?
-}
diff --git a/repo/heimdal/heimdal-kpasswdd.initd b/repo/heimdal/heimdal-kpasswdd.initd
deleted file mode 100755
index 5fc21e0..0000000
--- a/repo/heimdal/heimdal-kpasswdd.initd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kpasswdd,v 1.3 2004/09/13 22:44:54 solar Exp $
-
-depend() {
- need net
- use heimdal-kdc
- after logger
-}
-
-start() {
- ebegin "Starting heimdal kpasswdd"
- start-stop-daemon --background --start --quiet --exec \
- /usr/sbin/kpasswdd
- eend $?
-}
-
-stop() {
- ebegin "Stopping heimdal kpasswdd"
- start-stop-daemon --stop --quiet --exec \
- /usr/sbin/kpasswdd
- eend $?
-}
diff --git a/repo/heimdal/heimdal.xibuild b/repo/heimdal/heimdal.xibuild
deleted file mode 100644
index 6d0e31c..0000000
--- a/repo/heimdal/heimdal.xibuild
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/bin/sh
-
-NAME="heimdal"
-DESC="Iplementation of Kerberos 5"
-
-MAKEDEPS="xipkg openssl e2fsprogs autoconf automake bash gawk libtool ncurses perl readline sqlite3 texinfo perl-json gdbm "
-
-PKG_VER=7.7.0
-SOURCE="https://github.com/heimdal/heimdal/releases/download/heimdal-$PKG_VER/heimdal-$PKG_VER.tar.gz"
-
-ADDITIONAL="
-005_all_heimdal-suid_fix.patch
-CVE-2018-16860.patch
-autoconf-270.patch
-heimdal-kadmind.initd
-heimdal-kdc.initd
-heimdal-kpasswdd.initd
-heimdal_missing-include.patch
-silence-include-headers-redirect-warnings.patch
-"
-
-prepare() {
- [ -e /usr/lib/libasn1.so ] && xi -yl remove heimdal
- apply_patches
- sh ./autogen.sh
-}
-
-build() {
- export LDFLAGS="$LDFLAGS -Wl,--as-needed"
-
- ./configure \
- --build=$CBUILD \
- --host=$CHOST \
- --prefix=/usr \
- --enable-shared=yes \
- --without-x \
- --without-berkeley-db \
- --with-readline-lib=/usr/lib \
- --with-readline-include=/usr/include/readline \
- --with-sqlite3=/usr \
- --without-openssl \
- --with-db-type-preference=
-
- # make sure we use system version
- rm -r lib/sqlite lib/com_err
-
- # workarount a parallell build issue
- make -C lib/asn1 der-protos.h der-private.h
- make -C lib/kadm5 kadm5-protos.h kadm5-private.h kadm5_err.h
- make -C lib/krb5 krb5-protos.h krb5-private.h krb5_err.h krb_err.h \
- heim_err.h k524_err.h
- make -C lib/hx509 hx509-private.h hx509-protos.h
- make
-}
-
-package() {
- make DESTDIR="$PKG_DEST" exec_prefix=/usr sysconfdir=/etc \
- mandir=/usr/share/man infodir=/usr/share/info datadir=/var/lib/heimdal \
- localstatedir=/var/lib/heimdal libexecdir=/usr/sbin install
-
-
- install -m755 -D "$BUILD_ROOT"/heimdal-kadmind.initd \
- "$PKG_DEST"/etc/init.d/heimdal-kadmind
- install -m755 -D "$BUILD_ROOT"/heimdal-kdc.initd \
- "$PKG_DEST"/etc/init.d/heimdal-kdc
- install -m755 -D "$BUILD_ROOT"/heimdal-kpasswdd.initd \
- "$PKG_DEST"/etc/init.d/heimdal-kpasswdd
-
- for i in 1 3 5 8; do
- rm -rf "$PKG_DEST"/usr/share/man/cat$i
- done
-
- # Remove conflicts
- # e2fsprogs
- rm -f "$PKG_DEST"/usr/bin/compile_et \
- "$PKG_DEST"/usr/share/man/man1/compile_et.1
-
- # Compress info pages
- for page in heimdal hx509; do
- gzip -9 "$PKG_DEST"/usr/share/info/$page.info
- done
-}
diff --git a/repo/heimdal/heimdal_missing-include.patch b/repo/heimdal/heimdal_missing-include.patch
deleted file mode 100644
index 8cca906..0000000
--- a/repo/heimdal/heimdal_missing-include.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- lib/base/test_base.c 2011-09-30 15:58:45.000000000 +0300
-+++ b/lib/base/test_base.c 2011-12-27 23:04:50.482955923 +0200
-@@ -39,6 +39,8 @@
- #include "heimbase.h"
- #include "heimbasepriv.h"
-
-+#include <stdlib.h>
-+
- static void
- memory_free(heim_object_t obj)
- {
diff --git a/repo/heimdal/silence-include-headers-redirect-warnings.patch b/repo/heimdal/silence-include-headers-redirect-warnings.patch
deleted file mode 100644
index 4505096..0000000
--- a/repo/heimdal/silence-include-headers-redirect-warnings.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 2eb67c91834a21e68c90380254c7c10ffe03a7ca Mon Sep 17 00:00:00 2001
-From: Leonardo Arena <rnalrd@alpinelinux.org>
-Date: Thu, 14 Apr 2022 08:47:15 +0000
-Subject: [PATCH] silence include header warnings
-
----
- cf/roken-frag.m4 | 1 -
- configure | 2 +-
- lib/ipc/hi_locl.h | 2 +-
- lib/krb5/krb5_locl.h | 2 +-
- lib/roken/getifaddrs.c | 2 +-
- 5 files changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/cf/roken-frag.m4 b/cf/roken-frag.m4
-index f22b43a..589b2cc 100644
---- a/cf/roken-frag.m4
-+++ b/cf/roken-frag.m4
-@@ -73,7 +73,6 @@ AC_CHECK_HEADERS([\
- stdint.h \
- sys/auxv.h \
- sys/bswap.h \
-- sys/errno.h \
- sys/ioctl.h \
- sys/mman.h \
- sys/param.h \
-diff --git a/configure b/configure
-index 4cefc43..bc3bf78 100755
---- a/configure
-+++ b/configure
-@@ -17965,7 +17965,7 @@ for ac_header in \
- stdint.h \
- sys/auxv.h \
- sys/bswap.h \
-- sys/errno.h \
-+ errno.h \
- sys/ioctl.h \
- sys/mman.h \
- sys/param.h \
-diff --git a/lib/ipc/hi_locl.h b/lib/ipc/hi_locl.h
-index 7efe6ca..3195b44 100644
---- a/lib/ipc/hi_locl.h
-+++ b/lib/ipc/hi_locl.h
-@@ -41,7 +41,7 @@
- #include <sys/un.h>
- #endif
-
--#include <sys/poll.h>
-+#include <poll.h>
-
- #include <ctype.h>
- #include <stdio.h>
-diff --git a/lib/krb5/krb5_locl.h b/lib/krb5/krb5_locl.h
-index b64f3a9..f62c40d 100644
---- a/lib/krb5/krb5_locl.h
-+++ b/lib/krb5/krb5_locl.h
-@@ -44,7 +44,7 @@
- #include <ctype.h>
-
- #ifdef HAVE_POLL_H
--#include <sys/poll.h>
-+#include <poll.h>
- #endif
-
- #include <krb5-types.h>
-diff --git a/lib/roken/getifaddrs.c b/lib/roken/getifaddrs.c
-index cc949b0..a82adc5 100644
---- a/lib/roken/getifaddrs.c
-+++ b/lib/roken/getifaddrs.c
-@@ -120,7 +120,7 @@ struct mbuf;
- #include <linux/rtnetlink.h>
- #include <sys/types.h>
- #include <sys/socket.h>
--#include <sys/poll.h>
-+#include <poll.h>
- #include <netpacket/packet.h>
- #include <net/ethernet.h> /* the L2 protocols */
- #include <sys/uio.h>
---
-2.35.1
-