Work

9 files changed, 0 insertions, 438 deletions

diff --git a/repo/heimdal/005_all_heimdal-suid_fix.patch b/repo/heimdal/005_all_heimdal-suid_fix.patch
deleted file mode 100644
index 0524db6..0000000
--- a/repo/heimdal/005_all_heimdal-suid_fix.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- appl/su/Makefile.am	2005-06-16 18:27:46.000000000 +0200
-+++ b/appl/su/Makefile.am	2005-06-27 23:25:21.000000000 +0200
-@@ -7,6 +7,7 @@
- bin_PROGRAMS = su
- bin_SUIDS = su
- su_SOURCES = su.c supaths.h
-+su_LDFLAGS = -Wl,-z,now
- man_MANS = su.1
- 
- LDADD = $(LIB_kafs) \
---- appl/otp/Makefile.am	2005-06-16 18:28:46.000000000 +0200
-+++ b/appl/otp/Makefile.am	2005-06-27 23:25:40.000000000 +0200
-@@ -8,6 +8,7 @@
- bin_SUIDS = otp
- otp_SOURCES = otp.c otp_locl.h
- otpprint_SOURCES = otpprint.c otp_locl.h
-+otp_LDFLAGS = -Wl,-z,now
- 
- man_MANS = otp.1  otpprint.1
- 
diff --git a/repo/heimdal/CVE-2018-16860.patch b/repo/heimdal/CVE-2018-16860.patch
deleted file mode 100644
index 6424b9e..0000000
--- a/repo/heimdal/CVE-2018-16860.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From c6257cc2c842c0faaeb4ef34e33890ee88c4cbba Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Tue, 14 May 2019 09:03:18 -0400
-Subject: [PATCH] CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed
- checksum
-
-S4U2Self is an extension to Kerberos used in Active Directory to allow
-a service to request a kerberos ticket to itself from the Kerberos Key
-Distribution Center (KDC) for a non-Kerberos authenticated user
-(principal in Kerboros parlance). This is useful to allow internal
-code paths to be standardized around Kerberos.
-
-S4U2Proxy (constrained-delegation) is an extension of this mechanism
-allowing this impersonation to a second service over the network. It
-allows a privileged server that obtained a S4U2Self ticket to itself
-to then assert the identity of that principal to a second service and
-present itself as that principal to get services from the second
-service.
-
-There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
-KDC checks the checksum that is placed on the S4U2Self packet by the
-server to protect the requested principal against modification, it
-does not confirm that the checksum algorithm that protects the user
-name (principal) in the request is keyed.  This allows a
-man-in-the-middle attacker who can intercept the request to the KDC to
-modify the packet by replacing the user name (principal) in the
-request with any desired user name (principal) that exists in the KDC
-and replace the checksum protecting that name with a CRC32 checksum
-(which requires no prior knowledge to compute).
-
-This would allow a S4U2Self ticket requested on behalf of user name
-(principal) user@EXAMPLE.COM to any service to be changed to a
-S4U2Self ticket with a user name (principal) of
-Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
-the modified user name (principal).
-
-==================
-CVSSv3 calculation
-==================
-
-CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)
-
-=========================
-Workaround and Mitigation
-=========================
-
-If server does not take privileged actions based on Kerberos tickets
-obtained by S4U2Self nor obtains Kerberos tickets via further
-S4U2Proxy requests then this issue cannot be exploited.
-
-Note that the path to an exploit is not generic, the KDC is not harmed
-by the malicious checksum, it is the client service requesting the
-ticket being mislead, because it trusted the KDC to return the correct
-ticket and PAC.
-
-It is out of scope for Samba to describe all of the possible tool
-chains that might be vulnerable. Here are two examples of possible
-exploits in order to explain the issue more clearly.
-
-1). SFU2Self might be used by a web service authenticating an end user
-via OAuth, Shibboleth, or other protocols to obtain a S4U2Self
-Kerberos service ticket for use by any Kerberos service principal the
-web service has a keytab for.  One example is acquiring an AFS token
-by requesting an afs/cell@REALM service ticket for a client via
-SFU2Self.  With this exploit an organization that deploys a KDC built
-from Heimdal (be it Heimdal directly or vendor versions such as found
-in Samba) is vulnerable to privilege escalation attacks.
-
-2). If a server authenticates users using X509 certificates, and then
-uses S4U2Self to obtain a Kerberos service ticket on behalf of the
-user (principal) in order to authorize access to local resources, a
-man-in-the-middle attacker could allow a non-privilaged user to access
-privilaged resources being protected by the server, or privilaged
-resources being protected by a second server, if the first server uses
-the S4U2Proxy extension in order to get a new Kerberos service ticket
-to obtain access to the second server.
-
-In both these scenarios under conditions allowing man-in-the-middle
-active network protocol manipulation, a malicious user could
-authenticate using the non-Kerborized credentials of an unprivileged
-user, and then elevate its privileges by intercepting the packet from
-the server to the KDC and changing the requested user name (principal).
-
-The only Samba clients that use S4U2Self are:
-
-- the "net ads kerberos pac dump" (debugging) tool.
-
-- the CIFS proxy in the deprecated/developer-only NTVFS file
-server. Note this code is not compiled or enabled by default.
-
-In particular, winbindd does *not* use S4U2Self.
-
-Finally, MIT Kerberos and so therefore the experimental MIT KDC backend
-for Samba AD is understood not to be impacted.
-
-===============
-Further Reading
-===============
-
-There is more detail on and a description of the protocols in
-
-[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained
-Delegation Protocol
-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
-
-=======
-Credits
-=======
-
-Originally reported by Isaac Boukris and Andrew Bartlett of the Samba
-Team and Catalyst.
-
-Patches provided by Isaac Boukris.
-
-Advisory written by Andrew Bartlett of the Samba Team and Catalyst,
-with contributions from Isaac Boukris, Jeffrey Altman and Jeremy
-Allison.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685
-Change-Id: I4ac69ebf0503eb999a7d497a2c30fe4d293a8cc8
-Signed-off-by: Isaac Boukris <iboukris@gmail.com>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
-Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
----
- kdc/krb5tgs.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
-index 8318bc0025..14943077a4 100644
---- a/kdc/krb5tgs.c
-+++ b/kdc/krb5tgs.c
-@@ -2031,6 +2031,13 @@ tgs_build_reply(krb5_context context,
- 		goto out;
- 	    }
- 
-+	    if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
-+		free_PA_S4U2Self(&self);
-+		kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed checksum");
-+		ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
-+		goto out;
-+	    }
-+
- 	    ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
- 	    if (ret)
- 		goto out;
diff --git a/repo/heimdal/autoconf-270.patch b/repo/heimdal/autoconf-270.patch
deleted file mode 100644
index 05cdc09..0000000
--- a/repo/heimdal/autoconf-270.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-commit 22352b90e78e2d162b98b5ef6c84672c397be40a
-Author: Lars Wendler <polynomial-c@gentoo.org>
-Date:   Wed Mar 17 17:49:18 2021 +0100
-
-    autoconf-2.70 fix
-    
-    autoconf-2.70 and newer are more strict with quoting etc. and thus generate
-    a broken configure file:
-    
-      configure: 20855: Syntax error: ")" unexpected (expecting "fi")
-    
-    Gentoo-bug: https://bugs.gentoo.org/776241
-    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
-
-diff --git a/cf/check-var.m4 b/cf/check-var.m4
-index 2fd7bca6f..71d6f70ca 100644
---- a/cf/check-var.m4
-+++ b/cf/check-var.m4
-@@ -20,7 +20,7 @@ AC_MSG_RESULT($ac_foo)
- if test "$ac_foo" = yes; then
- 	AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]$1), 1, 
- 		[Define if you have the `]$1[' variable.])
--	m4_ifval([$2], AC_CHECK_DECLS([$1],[],[],[$2]))
-+	m4_ifval([$2], [AC_CHECK_DECLS([$1],[],[],[$2])])
- fi
- ])
-
diff --git a/repo/heimdal/heimdal-kadmind.initd b/repo/heimdal/heimdal-kadmind.initd
deleted file mode 100755
index 73f2381..0000000
--- a/repo/heimdal/heimdal-kadmind.initd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kadmind,v 1.3 2004/09/13 22:44:54 solar Exp $
-
-depend() {
-	need net
-	use heimdal-kdc
-	after logger
-}
-
-start() {
-	ebegin "Starting heimdal kadmind"
-		/usr/sbin/kadmind  &
-		echo $! > /var/run/heimdal-kadmind.pid
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping heimdal kadmind"
-	start-stop-daemon --stop --quiet --exec \
-		/usr/sbin/kadmind
-	eend $?
-}
diff --git a/repo/heimdal/heimdal-kdc.initd b/repo/heimdal/heimdal-kdc.initd
deleted file mode 100755
index 32288c4..0000000
--- a/repo/heimdal/heimdal-kdc.initd
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kdc,v 1.2 2004/09/13 15:40:34 dragonheart Exp $
-
-depend() {
-	need net
-	after logger
-}
-
-start() {
-	ebegin "Starting heimdal kdc"
-	start-stop-daemon --start --quiet --exec \
-		/usr/sbin/kdc -- --detach
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping heimdal kdc"
-	start-stop-daemon --stop --quiet --exec \
-		/usr/sbin/kdc
-	eend $?
-}
diff --git a/repo/heimdal/heimdal-kpasswdd.initd b/repo/heimdal/heimdal-kpasswdd.initd
deleted file mode 100755
index 5fc21e0..0000000
--- a/repo/heimdal/heimdal-kpasswdd.initd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kpasswdd,v 1.3 2004/09/13 22:44:54 solar Exp $
-
-depend() {
-	need net
-	use heimdal-kdc
-	after logger
-}
-
-start() {
-	ebegin "Starting heimdal kpasswdd"
-	start-stop-daemon --background --start --quiet --exec \
-		/usr/sbin/kpasswdd
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping heimdal kpasswdd"
-	start-stop-daemon --stop --quiet --exec \
-		/usr/sbin/kpasswdd
-	eend $?
-}
diff --git a/repo/heimdal/heimdal.xibuild b/repo/heimdal/heimdal.xibuild
deleted file mode 100644
index 6d0e31c..0000000
--- a/repo/heimdal/heimdal.xibuild
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/bin/sh
-
-NAME="heimdal"
-DESC="Iplementation of Kerberos 5"
-
-MAKEDEPS="xipkg openssl e2fsprogs autoconf automake bash gawk libtool ncurses perl readline sqlite3 texinfo perl-json gdbm "
-
-PKG_VER=7.7.0
-SOURCE="https://github.com/heimdal/heimdal/releases/download/heimdal-$PKG_VER/heimdal-$PKG_VER.tar.gz"
-
-ADDITIONAL="
-005_all_heimdal-suid_fix.patch
-CVE-2018-16860.patch
-autoconf-270.patch
-heimdal-kadmind.initd
-heimdal-kdc.initd
-heimdal-kpasswdd.initd
-heimdal_missing-include.patch
-silence-include-headers-redirect-warnings.patch
-"
-
-prepare() {
-	[ -e /usr/lib/libasn1.so ] && xi -yl remove heimdal
-    apply_patches
-	sh ./autogen.sh
-}
-
-build() {
-	export LDFLAGS="$LDFLAGS -Wl,--as-needed"
-
-	./configure \
-		--build=$CBUILD \
-		--host=$CHOST \
-		--prefix=/usr \
-		--enable-shared=yes \
-		--without-x \
-		--without-berkeley-db \
-		--with-readline-lib=/usr/lib \
-		--with-readline-include=/usr/include/readline \
-		--with-sqlite3=/usr \
-		--without-openssl \
-		--with-db-type-preference=
-
-	# make sure we use system version
-	rm -r lib/sqlite lib/com_err
-
-	# workarount a parallell build issue
-	make -C lib/asn1 der-protos.h der-private.h
-	make -C lib/kadm5 kadm5-protos.h kadm5-private.h kadm5_err.h
-	make -C lib/krb5 krb5-protos.h krb5-private.h krb5_err.h krb_err.h \
-		heim_err.h k524_err.h
-	make -C lib/hx509 hx509-private.h  hx509-protos.h
-	make
-}
-
-package() {
-	make DESTDIR="$PKG_DEST" exec_prefix=/usr sysconfdir=/etc \
-	mandir=/usr/share/man infodir=/usr/share/info datadir=/var/lib/heimdal \
-	localstatedir=/var/lib/heimdal libexecdir=/usr/sbin install
-
-
-	install -m755 -D "$BUILD_ROOT"/heimdal-kadmind.initd \
-		"$PKG_DEST"/etc/init.d/heimdal-kadmind
-	install -m755 -D "$BUILD_ROOT"/heimdal-kdc.initd \
-		"$PKG_DEST"/etc/init.d/heimdal-kdc
-	install -m755 -D "$BUILD_ROOT"/heimdal-kpasswdd.initd \
-		"$PKG_DEST"/etc/init.d/heimdal-kpasswdd
-
-	for i in 1 3 5 8; do
-		rm -rf "$PKG_DEST"/usr/share/man/cat$i
-	done
-
-	# Remove conflicts
-	# e2fsprogs
-	rm -f "$PKG_DEST"/usr/bin/compile_et \
-		"$PKG_DEST"/usr/share/man/man1/compile_et.1
-
-	# Compress info pages
-	for page in heimdal hx509; do
-		gzip -9 "$PKG_DEST"/usr/share/info/$page.info
-	done
-}
diff --git a/repo/heimdal/heimdal_missing-include.patch b/repo/heimdal/heimdal_missing-include.patch
deleted file mode 100644
index 8cca906..0000000
--- a/repo/heimdal/heimdal_missing-include.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- lib/base/test_base.c	2011-09-30 15:58:45.000000000 +0300
-+++ b/lib/base/test_base.c	2011-12-27 23:04:50.482955923 +0200
-@@ -39,6 +39,8 @@
- #include "heimbase.h"
- #include "heimbasepriv.h"
- 
-+#include <stdlib.h>
-+
- static void
- memory_free(heim_object_t obj)
- {
diff --git a/repo/heimdal/silence-include-headers-redirect-warnings.patch b/repo/heimdal/silence-include-headers-redirect-warnings.patch
deleted file mode 100644
index 4505096..0000000
--- a/repo/heimdal/silence-include-headers-redirect-warnings.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 2eb67c91834a21e68c90380254c7c10ffe03a7ca Mon Sep 17 00:00:00 2001
-From: Leonardo Arena <rnalrd@alpinelinux.org>
-Date: Thu, 14 Apr 2022 08:47:15 +0000
-Subject: [PATCH] silence include header warnings
-
----
- cf/roken-frag.m4       | 1 -
- configure              | 2 +-
- lib/ipc/hi_locl.h      | 2 +-
- lib/krb5/krb5_locl.h   | 2 +-
- lib/roken/getifaddrs.c | 2 +-
- 5 files changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/cf/roken-frag.m4 b/cf/roken-frag.m4
-index f22b43a..589b2cc 100644
---- a/cf/roken-frag.m4
-+++ b/cf/roken-frag.m4
-@@ -73,7 +73,6 @@ AC_CHECK_HEADERS([\
- 	stdint.h				\
- 	sys/auxv.h				\
- 	sys/bswap.h				\
--	sys/errno.h				\
- 	sys/ioctl.h				\
- 	sys/mman.h				\
- 	sys/param.h				\
-diff --git a/configure b/configure
-index 4cefc43..bc3bf78 100755
---- a/configure
-+++ b/configure
-@@ -17965,7 +17965,7 @@ for ac_header in \
- 	stdint.h				\
- 	sys/auxv.h				\
- 	sys/bswap.h				\
--	sys/errno.h				\
-+	errno.h					\
- 	sys/ioctl.h				\
- 	sys/mman.h				\
- 	sys/param.h				\
-diff --git a/lib/ipc/hi_locl.h b/lib/ipc/hi_locl.h
-index 7efe6ca..3195b44 100644
---- a/lib/ipc/hi_locl.h
-+++ b/lib/ipc/hi_locl.h
-@@ -41,7 +41,7 @@
- #include <sys/un.h>
- #endif
- 
--#include <sys/poll.h>
-+#include <poll.h>
- 
- #include <ctype.h>
- #include <stdio.h>
-diff --git a/lib/krb5/krb5_locl.h b/lib/krb5/krb5_locl.h
-index b64f3a9..f62c40d 100644
---- a/lib/krb5/krb5_locl.h
-+++ b/lib/krb5/krb5_locl.h
-@@ -44,7 +44,7 @@
- #include <ctype.h>
- 
- #ifdef HAVE_POLL_H
--#include <sys/poll.h>
-+#include <poll.h>
- #endif
- 
- #include <krb5-types.h>
-diff --git a/lib/roken/getifaddrs.c b/lib/roken/getifaddrs.c
-index cc949b0..a82adc5 100644
---- a/lib/roken/getifaddrs.c
-+++ b/lib/roken/getifaddrs.c
-@@ -120,7 +120,7 @@ struct mbuf;
- #include <linux/rtnetlink.h>
- #include <sys/types.h>
- #include <sys/socket.h>
--#include <sys/poll.h>
-+#include <poll.h>
- #include <netpacket/packet.h>
- #include <net/ethernet.h>     /* the L2 protocols */
- #include <sys/uio.h>
--- 
-2.35.1
-