authorcy <cy@FreeBSD.org>2015-02-22 00:14:38 +0800
committercy <cy@FreeBSD.org>2015-02-22 00:14:38 +0800
commit646b7fc5bc53f99a25c5de3b65758d1229922b7a (patch)
tree3aedc24e2ebd45083b13f4397bd7ddd5b6962225 /security/krb5-112
parent83661116818c167b007f4db897e3bbb50e15ca82 (diff)
Kerberos Version 5, Release 1.12.3 is released. This fixes multiple
vulnerabilities, some previously committed by point patches and others
newly fixed in this release.

* Fix multiple vulnerabilities in the LDAP KDC back end.
  [CVE-2014-5354] [CVE-2014-5353]

* Fix multiple kadmind vulnerabilities, some of which are based in the
  gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421
  CVE-2014-9422 CVE-2014-9423]

Security: VuXML: 63527d0d-b9de-11e4-8a48-206a8a720317
Security: CVE-2014-5354, CVE-2014-5353
Security: CVE-2014-5352, CVE-2014-5352, CVE-2014-9421
Security: CVE-2014-9422, CVE-2014-9423
Diffstat (limited to 'security/krb5-112')
-rw-r--r--security/krb5-112/Makefile4
-rw-r--r--security/krb5-112/distinfo4
-rw-r--r--security/krb5-112/files/patch-lib-apputils-net-server.c15
-rw-r--r--security/krb5-112/files/patch-plugins__kdb__ldap__libkdb_ldap__ldap_principal2.c115
-rw-r--r--security/krb5-112/files/patch-plugins__kdb__ldap__libkdb_ldap__ldap_pwd_policy.c65
5 files changed, 3 insertions, 200 deletions
diff --git a/security/krb5-112/Makefile b/security/krb5-112/Makefile
index 496dab7e5eb2..e4ff7a40f945 100644
--- a/security/krb5-112/Makefile
+++ b/security/krb5-112/Makefile
@@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= krb5
-PORTVERSION= 1.12.2
-PORTREVISION= 3
+PORTVERSION= 1.12.3
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
PKGNAMESUFFIX= -112
@@ -12,7 +11,6 @@ EXTRACT_SUFX= .tar
PATCH_SITES= http://web.mit.edu/kerberos/advisories/
PATCH_DIST_STRIP= -p2
-PATCHFILES= 2015-001-patch-r112.txt
MAINTAINER= cy@FreeBSD.org
COMMENT= Authentication system developed at MIT, successor to Kerberos IV
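Review bot: Removing `PATCHFILES` in this hunk leaves the two context lines above it, `PATCH_SITES= http://web.mit.edu/kerberos/advisories/` and `PATCH_DIST_STRIP= -p2`, with nothing to apply to. The distinfo hunk also still carries the `SHA256`/`SIZE` lines for `2015-001-patch-r112.txt` as unchanged context. I would drop both Makefile lines and regenerate distinfo (`make makesum`) so the checksum manifest lists only what the port actually fetches and verifies. The Makefile continues outside this hunk, so if some later line still relies on `PATCH_SITES`, keep it and add a comment saying why.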
diff --git a/security/krb5-112/distinfo b/security/krb5-112/distinfo
index 1151f0a6f5c4..6b7ba85264c1 100644
--- a/security/krb5-112/distinfo
+++ b/security/krb5-112/distinfo
@@ -1,4 +1,4 @@
-SHA256 (krb5-1.12.2-signed.tar) = 09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744
-SIZE (krb5-1.12.2-signed.tar) = 11991040
+SHA256 (krb5-1.12.3-signed.tar) = 091715da49f6aa72b98c9659229351b4b168fb96f84caa18228aaf7632db3483
+SIZE (krb5-1.12.3-signed.tar) = 12001280
SHA256 (2015-001-patch-r112.txt) = 75d1d070293fef7faa2c5ffbe8de4afaefb95449564e7dd5da458588ba637449
SIZE (2015-001-patch-r112.txt) = 12130
diff --git a/security/krb5-112/files/patch-lib-apputils-net-server.c b/security/krb5-112/files/patch-lib-apputils-net-server.c
deleted file mode 100644
index b4fbf4a5655c..000000000000
--- a/security/krb5-112/files/patch-lib-apputils-net-server.c
+++ /dev/null
@@ -1,15 +0,0 @@
---- lib/apputils/net-server.c.orig 2014-08-11 15:46:27.000000000 -0700
-+++ lib/apputils/net-server.c 2014-08-13 05:33:48.913580280 -0700
-@@ -992,8 +992,12 @@
- case RTM_NEWADDR: return "RTM_NEWADDR";
- case RTM_DELADDR: return "RTM_DELADDR";
- case RTM_IFINFO: return "RTM_IFINFO";
-+#ifdef RTM_OLDADD
- case RTM_OLDADD: return "RTM_OLDADD";
-+#endif
-+#ifdef RTM_OLDDEL
- case RTM_OLDDEL: return "RTM_OLDDEL";
-+#endif
- case RTM_RESOLVE: return "RTM_RESOLVE";
- #ifdef RTM_NEWMADDR
- case RTM_NEWMADDR: return "RTM_NEWMADDR";
diff --git a/security/krb5-112/files/patch-plugins__kdb__ldap__libkdb_ldap__ldap_principal2.c b/security/krb5-112/files/patch-plugins__kdb__ldap__libkdb_ldap__ldap_principal2.c
deleted file mode 100644
index 1b60bed284cf..000000000000
--- a/security/krb5-112/files/patch-plugins__kdb__ldap__libkdb_ldap__ldap_principal2.c
+++ /dev/null
@@ -1,115 +0,0 @@
-From 46a2d16a5006d61e98a971a8148d2a9574a35bc0 Mon Sep 17 00:00:00 2001
-From: Ben Kaduk <kaduk@mit.edu>
-Date: Wed, 19 Nov 2014 12:04:46 -0500
-Subject: [PATCH] Support keyless principals in LDAP [CVE-2014-5354]
-
-Operations like "kadmin -q 'addprinc -nokey foo'" or
-"kadmin -q 'purgekeys -all foo'" result in principal entries with
-no keys present, so krb5_encode_krbsecretkey() would just return
-NULL, which then got unconditionally dereferenced in
-krb5_add_ber_mem_ldap_mod().
-
-Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key
-principals better, correct the test for an allocation failure, and
-slightly restructure the cleanup handler to be shorter and more
-appropriate for the usage. Once it no longer short-circuits when
-n_key_data is zero, it will produce an array of length two with both
-entries NULL, which is treated as an empty list by the LDAP library,
-the correct behavior for a keyless principal.
-
-However, attributes with empty values are only handled by the LDAP
-library for Modify operations, not Add operations (which only get
-a sequence of Attribute, with no operation field). Therefore, only
-add an empty krbprincipalkey to the modlist when we will be performing a
-Modify, and not when we will be performing an Add, which is conditional
-on the (misspelled) create_standalone_prinicipal boolean.
-
-CVE-2014-5354:
-
-In MIT krb5, when kadmind is configured to use LDAP for the KDC
-database, an authenticated remote attacker can cause a NULL
-dereference by inserting into the database a principal entry which
-contains no long-term keys.
-
-In order for the LDAP KDC backend to translate a principal entry
-from the database abstraction layer into the form expected by the
-LDAP schema, the principal's keys are encoded into a
-NULL-terminated array of length-value entries to be stored in the
-LDAP database. However, the subroutine which produced this array
-did not correctly handle the case where no keys were present,
-returning NULL instead of an empty array, and the array was
-unconditionally dereferenced while adding to the list of LDAP
-operations to perform.
-
-Versions of MIT krb5 prior to 1.12 did not expose a way for
-principal entries to have no long-term key material, and
-therefore are not vulnerable.
-
- CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C
-
-(cherry picked from commit 04038bf3633c4b909b5ded3072dc88c8c419bf16)
-
-ticket: 8138 (new)
-version_fixed: 1.12.3
-subject: kadmind with ldap backend crashes when putting keyless entries [CVE-2014-5354]
-status: resolved
----
- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 25 +++++++++++++++-------
- 1 file changed, 17 insertions(+), 8 deletions(-)
-
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-index 111b554..b51bebc 100644
---- plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-+++ plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-@@ -413,14 +413,14 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
- int num_versions = 1;
- int i, j, last;
- krb5_error_code err = 0;
-- krb5_key_data *key_data;
-+ krb5_key_data *key_data = NULL;
-
-- if (n_key_data <= 0)
-+ if (n_key_data < 0)
- return NULL;
-
- /* Make a shallow copy of the key data so we can alter it. */
- key_data = k5calloc(n_key_data, sizeof(*key_data), &err);
-- if (key_data_in == NULL)
-+ if (key_data == NULL)
- goto cleanup;
- memcpy(key_data, key_data_in, n_key_data * sizeof(*key_data));
-
-@@ -474,9 +474,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
- free(key_data);
- if (err != 0) {
- if (ret != NULL) {
-- for (i = 0; i <= num_versions; i++)
-- if (ret[i] != NULL)
-- free (ret[i]);
-+ for (i = 0; ret[i] != NULL; i++)
-+ free (ret[i]);
- free (ret);
- ret = NULL;
- }
-@@ -1046,9 +1045,19 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
- bersecretkey = krb5_encode_krbsecretkey (entry->key_data,
- entry->n_key_data, mkvno);
-
-- if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
-- LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
-+ if (bersecretkey == NULL) {
-+ st = ENOMEM;
- goto cleanup;
-+ }
-+ /* An empty list of bervals is only accepted for modify operations,
-+ * not add operations. */
-+ if (bersecretkey[0] != NULL || !create_standalone_prinicipal) {
-+ st = krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
-+ LDAP_MOD_REPLACE | LDAP_MOD_BVALUES,
-+ bersecretkey);
-+ if (st != 0)
-+ goto cleanup;
-+ }
-
- if (!(entry->mask & KADM5_PRINCIPAL)) {
- memset(strval, 0, sizeof(strval));
diff --git a/security/krb5-112/files/patch-plugins__kdb__ldap__libkdb_ldap__ldap_pwd_policy.c b/security/krb5-112/files/patch-plugins__kdb__ldap__libkdb_ldap__ldap_pwd_policy.c
deleted file mode 100644
index 0e254f276ebc..000000000000
--- a/security/krb5-112/files/patch-plugins__kdb__ldap__libkdb_ldap__ldap_pwd_policy.c
+++ /dev/null
@@ -1,65 +0,0 @@
-From 0a97ce4411b34e871ae503b78eedf61db27180ea Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Fri, 5 Dec 2014 14:01:39 -0500
-Subject: [PATCH] Fix LDAP misused policy name crash [CVE-2014-5353]
-
-In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns
-successfully with no results, return KRB5_KDB_NOENTRY instead of
-returning success with a zeroed-out policy object. This fixes a null
-dereference when an admin attempts to use an LDAP ticket policy name
-as a password policy name.
-
-CVE-2014-5353:
-
-In MIT krb5, when kadmind is configured to use LDAP for the KDC
-database, an authenticated remote attacker can cause a NULL dereference
-by attempting to use a named ticket policy object as a password policy
-for a principal. The attacker needs to be authenticated as a user who
-has the elevated privilege for setting password policy by adding or
-modifying principals.
-
-Queries to LDAP scoped to the krbPwdPolicy object class will correctly
-not return entries of other classes, such as ticket policy objects, but
-may return success with no returned elements if an object with the
-requested DN exists in a different object class. In this case, the
-routine to retrieve a password policy returned success with a password
-policy object that consisted entirely of zeroed memory. In particular,
-accesses to the policy name will dereference a NULL pointer. KDC
-operation does not access the policy name field, but most kadmin
-operations involving the principal with incorrect password policy
-will trigger the crash.
-
-Thanks to Patrik Kis for reporting this problem.
-
-CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
-
-[kaduk@mit.edu: CVE description and CVSS score]
-
-(cherry picked from commit d1f707024f1d0af6e54a18885322d70fa15ec4d3)
-
-ticket: 8137 (new)
-version_fixed: 1.12.3
-status: resolved
----
- src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
-index 522773e..6779f51 100644
---- plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
-+++ plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
-@@ -314,10 +314,11 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
- LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes);
-
- ent=ldap_first_entry(ld, result);
-- if (ent != NULL) {
-- if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0)
-- goto cleanup;
-+ if (ent == NULL) {
-+ st = KRB5_KDB_NOENTRY;
-+ goto cleanup;
- }
-+ st = populate_policy(context, ld, ent, pol_name, *policy);
-
- cleanup:
- ldap_msgfree(result);