9 files changed, 438 insertions, 0 deletions

diff --git a/skip/heimdal/005_all_heimdal-suid_fix.patch b/skip/heimdal/005_all_heimdal-suid_fix.patch
new file mode 100644
index 0000000..0524db6
--- /dev/null
+++ b/skip/heimdal/005_all_heimdal-suid_fix.patch
@@ -0,0 +1,20 @@
+--- appl/su/Makefile.am	2005-06-16 18:27:46.000000000 +0200
++++ b/appl/su/Makefile.am	2005-06-27 23:25:21.000000000 +0200
+@@ -7,6 +7,7 @@
+ bin_PROGRAMS = su
+ bin_SUIDS = su
+ su_SOURCES = su.c supaths.h
++su_LDFLAGS = -Wl,-z,now
+ man_MANS = su.1
+ 
+ LDADD = $(LIB_kafs) \
+--- appl/otp/Makefile.am	2005-06-16 18:28:46.000000000 +0200
++++ b/appl/otp/Makefile.am	2005-06-27 23:25:40.000000000 +0200
+@@ -8,6 +8,7 @@
+ bin_SUIDS = otp
+ otp_SOURCES = otp.c otp_locl.h
+ otpprint_SOURCES = otpprint.c otp_locl.h
++otp_LDFLAGS = -Wl,-z,now
+ 
+ man_MANS = otp.1  otpprint.1
+ 
diff --git a/skip/heimdal/CVE-2018-16860.patch b/skip/heimdal/CVE-2018-16860.patch
new file mode 100644
index 0000000..6424b9e
--- /dev/null
+++ b/skip/heimdal/CVE-2018-16860.patch
@@ -0,0 +1,147 @@
+From c6257cc2c842c0faaeb4ef34e33890ee88c4cbba Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Tue, 14 May 2019 09:03:18 -0400
+Subject: [PATCH] CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed
+ checksum
+
+S4U2Self is an extension to Kerberos used in Active Directory to allow
+a service to request a kerberos ticket to itself from the Kerberos Key
+Distribution Center (KDC) for a non-Kerberos authenticated user
+(principal in Kerboros parlance). This is useful to allow internal
+code paths to be standardized around Kerberos.
+
+S4U2Proxy (constrained-delegation) is an extension of this mechanism
+allowing this impersonation to a second service over the network. It
+allows a privileged server that obtained a S4U2Self ticket to itself
+to then assert the identity of that principal to a second service and
+present itself as that principal to get services from the second
+service.
+
+There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
+KDC checks the checksum that is placed on the S4U2Self packet by the
+server to protect the requested principal against modification, it
+does not confirm that the checksum algorithm that protects the user
+name (principal) in the request is keyed.  This allows a
+man-in-the-middle attacker who can intercept the request to the KDC to
+modify the packet by replacing the user name (principal) in the
+request with any desired user name (principal) that exists in the KDC
+and replace the checksum protecting that name with a CRC32 checksum
+(which requires no prior knowledge to compute).
+
+This would allow a S4U2Self ticket requested on behalf of user name
+(principal) user@EXAMPLE.COM to any service to be changed to a
+S4U2Self ticket with a user name (principal) of
+Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
+the modified user name (principal).
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)
+
+=========================
+Workaround and Mitigation
+=========================
+
+If server does not take privileged actions based on Kerberos tickets
+obtained by S4U2Self nor obtains Kerberos tickets via further
+S4U2Proxy requests then this issue cannot be exploited.
+
+Note that the path to an exploit is not generic, the KDC is not harmed
+by the malicious checksum, it is the client service requesting the
+ticket being mislead, because it trusted the KDC to return the correct
+ticket and PAC.
+
+It is out of scope for Samba to describe all of the possible tool
+chains that might be vulnerable. Here are two examples of possible
+exploits in order to explain the issue more clearly.
+
+1). SFU2Self might be used by a web service authenticating an end user
+via OAuth, Shibboleth, or other protocols to obtain a S4U2Self
+Kerberos service ticket for use by any Kerberos service principal the
+web service has a keytab for.  One example is acquiring an AFS token
+by requesting an afs/cell@REALM service ticket for a client via
+SFU2Self.  With this exploit an organization that deploys a KDC built
+from Heimdal (be it Heimdal directly or vendor versions such as found
+in Samba) is vulnerable to privilege escalation attacks.
+
+2). If a server authenticates users using X509 certificates, and then
+uses S4U2Self to obtain a Kerberos service ticket on behalf of the
+user (principal) in order to authorize access to local resources, a
+man-in-the-middle attacker could allow a non-privilaged user to access
+privilaged resources being protected by the server, or privilaged
+resources being protected by a second server, if the first server uses
+the S4U2Proxy extension in order to get a new Kerberos service ticket
+to obtain access to the second server.
+
+In both these scenarios under conditions allowing man-in-the-middle
+active network protocol manipulation, a malicious user could
+authenticate using the non-Kerborized credentials of an unprivileged
+user, and then elevate its privileges by intercepting the packet from
+the server to the KDC and changing the requested user name (principal).
+
+The only Samba clients that use S4U2Self are:
+
+- the "net ads kerberos pac dump" (debugging) tool.
+
+- the CIFS proxy in the deprecated/developer-only NTVFS file
+server. Note this code is not compiled or enabled by default.
+
+In particular, winbindd does *not* use S4U2Self.
+
+Finally, MIT Kerberos and so therefore the experimental MIT KDC backend
+for Samba AD is understood not to be impacted.
+
+===============
+Further Reading
+===============
+
+There is more detail on and a description of the protocols in
+
+[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained
+Delegation Protocol
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
+
+=======
+Credits
+=======
+
+Originally reported by Isaac Boukris and Andrew Bartlett of the Samba
+Team and Catalyst.
+
+Patches provided by Isaac Boukris.
+
+Advisory written by Andrew Bartlett of the Samba Team and Catalyst,
+with contributions from Isaac Boukris, Jeffrey Altman and Jeremy
+Allison.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685
+Change-Id: I4ac69ebf0503eb999a7d497a2c30fe4d293a8cc8
+Signed-off-by: Isaac Boukris <iboukris@gmail.com>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
+---
+ kdc/krb5tgs.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
+index 8318bc0025..14943077a4 100644
+--- a/kdc/krb5tgs.c
++++ b/kdc/krb5tgs.c
+@@ -2031,6 +2031,13 @@ tgs_build_reply(krb5_context context,
+ 		goto out;
+ 	    }
+ 
++	    if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
++		free_PA_S4U2Self(&self);
++		kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed checksum");
++		ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
++		goto out;
++	    }
++
+ 	    ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
+ 	    if (ret)
+ 		goto out;
diff --git a/skip/heimdal/autoconf-270.patch b/skip/heimdal/autoconf-270.patch
new file mode 100644
index 0000000..05cdc09
--- /dev/null
+++ b/skip/heimdal/autoconf-270.patch
@@ -0,0 +1,27 @@
+commit 22352b90e78e2d162b98b5ef6c84672c397be40a
+Author: Lars Wendler <polynomial-c@gentoo.org>
+Date:   Wed Mar 17 17:49:18 2021 +0100
+
+    autoconf-2.70 fix
+    
+    autoconf-2.70 and newer are more strict with quoting etc. and thus generate
+    a broken configure file:
+    
+      configure: 20855: Syntax error: ")" unexpected (expecting "fi")
+    
+    Gentoo-bug: https://bugs.gentoo.org/776241
+    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
+
+diff --git a/cf/check-var.m4 b/cf/check-var.m4
+index 2fd7bca6f..71d6f70ca 100644
+--- a/cf/check-var.m4
++++ b/cf/check-var.m4
+@@ -20,7 +20,7 @@ AC_MSG_RESULT($ac_foo)
+ if test "$ac_foo" = yes; then
+ 	AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]$1), 1, 
+ 		[Define if you have the `]$1[' variable.])
+-	m4_ifval([$2], AC_CHECK_DECLS([$1],[],[],[$2]))
++	m4_ifval([$2], [AC_CHECK_DECLS([$1],[],[],[$2])])
+ fi
+ ])
+
diff --git a/skip/heimdal/heimdal-kadmind.initd b/skip/heimdal/heimdal-kadmind.initd
new file mode 100755
index 0000000..73f2381
--- /dev/null
+++ b/skip/heimdal/heimdal-kadmind.initd
@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kadmind,v 1.3 2004/09/13 22:44:54 solar Exp $
+
+depend() {
+	need net
+	use heimdal-kdc
+	after logger
+}
+
+start() {
+	ebegin "Starting heimdal kadmind"
+		/usr/sbin/kadmind  &
+		echo $! > /var/run/heimdal-kadmind.pid
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping heimdal kadmind"
+	start-stop-daemon --stop --quiet --exec \
+		/usr/sbin/kadmind
+	eend $?
+}
diff --git a/skip/heimdal/heimdal-kdc.initd b/skip/heimdal/heimdal-kdc.initd
new file mode 100755
index 0000000..32288c4
--- /dev/null
+++ b/skip/heimdal/heimdal-kdc.initd
@@ -0,0 +1,23 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kdc,v 1.2 2004/09/13 15:40:34 dragonheart Exp $
+
+depend() {
+	need net
+	after logger
+}
+
+start() {
+	ebegin "Starting heimdal kdc"
+	start-stop-daemon --start --quiet --exec \
+		/usr/sbin/kdc -- --detach
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping heimdal kdc"
+	start-stop-daemon --stop --quiet --exec \
+		/usr/sbin/kdc
+	eend $?
+}
diff --git a/skip/heimdal/heimdal-kpasswdd.initd b/skip/heimdal/heimdal-kpasswdd.initd
new file mode 100755
index 0000000..5fc21e0
--- /dev/null
+++ b/skip/heimdal/heimdal-kpasswdd.initd
@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/heimdal/files/heimdal-kpasswdd,v 1.3 2004/09/13 22:44:54 solar Exp $
+
+depend() {
+	need net
+	use heimdal-kdc
+	after logger
+}
+
+start() {
+	ebegin "Starting heimdal kpasswdd"
+	start-stop-daemon --background --start --quiet --exec \
+		/usr/sbin/kpasswdd
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping heimdal kpasswdd"
+	start-stop-daemon --stop --quiet --exec \
+		/usr/sbin/kpasswdd
+	eend $?
+}
diff --git a/skip/heimdal/heimdal.xibuild b/skip/heimdal/heimdal.xibuild
new file mode 100644
index 0000000..0fcba4b
--- /dev/null
+++ b/skip/heimdal/heimdal.xibuild
@@ -0,0 +1,82 @@
+#!/bin/sh
+
+NAME="heimdal"
+DESC="Implementation of Kerberos 5"
+
+MAKEDEPS="xipkg openssl e2fsprogs autoconf automake bash gawk libtool ncurses perl readline sqlite3 texinfo perl-json gdbm "
+
+PKG_VER=7.7.0
+SOURCE="https://github.com/heimdal/heimdal/releases/download/heimdal-$PKG_VER/heimdal-$PKG_VER.tar.gz"
+
+ADDITIONAL="
+005_all_heimdal-suid_fix.patch
+CVE-2018-16860.patch
+autoconf-270.patch
+heimdal-kadmind.initd
+heimdal-kdc.initd
+heimdal-kpasswdd.initd
+heimdal_missing-include.patch
+silence-include-headers-redirect-warnings.patch
+"
+
+prepare() {
+	[ -e /usr/lib/libasn1.so ] && xi -yl remove heimdal
+    apply_patches
+	sh ./autogen.sh
+}
+
+build() {
+	export LDFLAGS="$LDFLAGS -Wl,--as-needed"
+
+	./configure \
+		--build=$CBUILD \
+		--host=$CHOST \
+		--prefix=/usr \
+		--enable-shared=yes \
+		--without-x \
+		--without-berkeley-db \
+		--with-readline-lib=/usr/lib \
+		--with-readline-include=/usr/include/readline \
+		--with-sqlite3=/usr \
+		--without-openssl \
+		--with-db-type-preference=
+
+	# make sure we use system version
+	rm -r lib/sqlite lib/com_err
+
+	# workarount a parallell build issue
+	make -C lib/asn1 der-protos.h der-private.h
+	make -C lib/kadm5 kadm5-protos.h kadm5-private.h kadm5_err.h
+	make -C lib/krb5 krb5-protos.h krb5-private.h krb5_err.h krb_err.h \
+		heim_err.h k524_err.h
+	make -C lib/hx509 hx509-private.h  hx509-protos.h
+	make
+}
+
+package() {
+	make DESTDIR="$PKG_DEST" exec_prefix=/usr sysconfdir=/etc \
+	mandir=/usr/share/man infodir=/usr/share/info datadir=/var/lib/heimdal \
+	localstatedir=/var/lib/heimdal libexecdir=/usr/sbin install
+
+
+	install -m755 -D "$BUILD_ROOT"/heimdal-kadmind.initd \
+		"$PKG_DEST"/etc/init.d/heimdal-kadmind
+	install -m755 -D "$BUILD_ROOT"/heimdal-kdc.initd \
+		"$PKG_DEST"/etc/init.d/heimdal-kdc
+	install -m755 -D "$BUILD_ROOT"/heimdal-kpasswdd.initd \
+		"$PKG_DEST"/etc/init.d/heimdal-kpasswdd
+
+	for i in 1 3 5 8; do
+		rm -rf "$PKG_DEST"/usr/share/man/cat$i
+	done
+
+	# Remove conflicts
+	# e2fsprogs
+	rm -f "$PKG_DEST"/usr/bin/compile_et \
+		"$PKG_DEST"/usr/share/man/man1/compile_et.1
+
+	# Compress info pages
+	for page in heimdal hx509; do
+		gzip -9 "$PKG_DEST"/usr/share/info/$page.info
+	done
+}
diff --git a/skip/heimdal/heimdal_missing-include.patch b/skip/heimdal/heimdal_missing-include.patch
new file mode 100644
index 0000000..8cca906
--- /dev/null
+++ b/skip/heimdal/heimdal_missing-include.patch
@@ -0,0 +1,11 @@
+--- lib/base/test_base.c	2011-09-30 15:58:45.000000000 +0300
++++ b/lib/base/test_base.c	2011-12-27 23:04:50.482955923 +0200
+@@ -39,6 +39,8 @@
+ #include "heimbase.h"
+ #include "heimbasepriv.h"
+ 
++#include <stdlib.h>
++
+ static void
+ memory_free(heim_object_t obj)
+ {
diff --git a/skip/heimdal/silence-include-headers-redirect-warnings.patch b/skip/heimdal/silence-include-headers-redirect-warnings.patch
new file mode 100644
index 0000000..4505096
--- /dev/null
+++ b/skip/heimdal/silence-include-headers-redirect-warnings.patch
@@ -0,0 +1,80 @@
+From 2eb67c91834a21e68c90380254c7c10ffe03a7ca Mon Sep 17 00:00:00 2001
+From: Leonardo Arena <rnalrd@alpinelinux.org>
+Date: Thu, 14 Apr 2022 08:47:15 +0000
+Subject: [PATCH] silence include header warnings
+
+---
+ cf/roken-frag.m4       | 1 -
+ configure              | 2 +-
+ lib/ipc/hi_locl.h      | 2 +-
+ lib/krb5/krb5_locl.h   | 2 +-
+ lib/roken/getifaddrs.c | 2 +-
+ 5 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/cf/roken-frag.m4 b/cf/roken-frag.m4
+index f22b43a..589b2cc 100644
+--- a/cf/roken-frag.m4
++++ b/cf/roken-frag.m4
+@@ -73,7 +73,6 @@ AC_CHECK_HEADERS([\
+ 	stdint.h				\
+ 	sys/auxv.h				\
+ 	sys/bswap.h				\
+-	sys/errno.h				\
+ 	sys/ioctl.h				\
+ 	sys/mman.h				\
+ 	sys/param.h				\
+diff --git a/configure b/configure
+index 4cefc43..bc3bf78 100755
+--- a/configure
++++ b/configure
+@@ -17965,7 +17965,7 @@ for ac_header in \
+ 	stdint.h				\
+ 	sys/auxv.h				\
+ 	sys/bswap.h				\
+-	sys/errno.h				\
++	errno.h					\
+ 	sys/ioctl.h				\
+ 	sys/mman.h				\
+ 	sys/param.h				\
+diff --git a/lib/ipc/hi_locl.h b/lib/ipc/hi_locl.h
+index 7efe6ca..3195b44 100644
+--- a/lib/ipc/hi_locl.h
++++ b/lib/ipc/hi_locl.h
+@@ -41,7 +41,7 @@
+ #include <sys/un.h>
+ #endif
+ 
+-#include <sys/poll.h>
++#include <poll.h>
+ 
+ #include <ctype.h>
+ #include <stdio.h>
+diff --git a/lib/krb5/krb5_locl.h b/lib/krb5/krb5_locl.h
+index b64f3a9..f62c40d 100644
+--- a/lib/krb5/krb5_locl.h
++++ b/lib/krb5/krb5_locl.h
+@@ -44,7 +44,7 @@
+ #include <ctype.h>
+ 
+ #ifdef HAVE_POLL_H
+-#include <sys/poll.h>
++#include <poll.h>
+ #endif
+ 
+ #include <krb5-types.h>
+diff --git a/lib/roken/getifaddrs.c b/lib/roken/getifaddrs.c
+index cc949b0..a82adc5 100644
+--- a/lib/roken/getifaddrs.c
++++ b/lib/roken/getifaddrs.c
+@@ -120,7 +120,7 @@ struct mbuf;
+ #include <linux/rtnetlink.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
+-#include <sys/poll.h>
++#include <poll.h>
+ #include <netpacket/packet.h>
+ #include <net/ethernet.h>     /* the L2 protocols */
+ #include <sys/uio.h>
+-- 
+2.35.1
+