summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEray Aslan <eras@gentoo.org>2011-10-18 20:22:00 +0000
committerEray Aslan <eras@gentoo.org>2011-10-18 20:22:00 +0000
commit4151a8113b5cc1bb14c7ac34a70d7e71ba0ffe10 (patch)
tree9243833b4865392a399892172117f00733e25167 /app-crypt
parentadd patch from Marcel Pennewiß to improve flexibility (bug #373583) (diff)
downloadhistorical-4151a8113b5cc1bb14c7ac34a70d7e71ba0ffe10.tar.gz
historical-4151a8113b5cc1bb14c7ac34a70d7e71ba0ffe10.tar.bz2
historical-4151a8113b5cc1bb14c7ac34a70d7e71ba0ffe10.zip
security bump - bug #387585
Package-Manager: portage-2.1.10.29/cvs/Linux x86_64
Diffstat (limited to 'app-crypt')
-rw-r--r--app-crypt/mit-krb5/ChangeLog10
-rw-r--r--app-crypt/mit-krb5/Manifest32
-rw-r--r--app-crypt/mit-krb5/files/2011-006-patch-r18.patch73
-rw-r--r--app-crypt/mit-krb5/files/CVE-2011-1527.1528.1529.patch75
-rw-r--r--app-crypt/mit-krb5/mit-krb5-1.8.4-r1.ebuild116
-rw-r--r--app-crypt/mit-krb5/mit-krb5-1.9.1-r2.ebuild123
6 files changed, 414 insertions, 15 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog
index 7de1d0ae5add..d7ecb34cf002 100644
--- a/app-crypt/mit-krb5/ChangeLog
+++ b/app-crypt/mit-krb5/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for app-crypt/mit-krb5
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.291 2011/10/18 06:55:19 eras Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.292 2011/10/18 20:21:59 eras Exp $
+
+*mit-krb5-1.9.1-r2 (18 Oct 2011)
+*mit-krb5-1.8.4-r1 (18 Oct 2011)
+
+ 18 Oct 2011; Eray Aslan <eras@gentoo.org> +mit-krb5-1.8.4-r1.ebuild,
+ +mit-krb5-1.9.1-r2.ebuild, +files/2011-006-patch-r18.patch,
+ +files/CVE-2011-1527.1528.1529.patch:
+ security bump - bug #387585
*mit-krb5-1.9.1-r1 (18 Oct 2011)
diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 2b502c2957d5..fe08456c52d9 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,12 +1,14 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
+AUX 2011-006-patch-r18.patch 2908 RMD160 829a6d2dc876190996e90e0a6a43e2d018cbaaa5 SHA1 30b66b6c5dce537d66874ac58e622b3f6e992ac6 SHA256 54490a4152e2bf912fa92137c3be90221fd64f818a09be256a1147b351e676e3
AUX CVE-2010-1322.patch 1066 RMD160 fc262a23e9aa118262a4258f74832445062444e4 SHA1 600f0890de65f96112f267b56317a4fd0166cba0 SHA256 7d9fbfffdaa0cde0ca499ccbb2cf09a6c7253e537755bbf6da9e08715fd9a474
AUX CVE-2010-1323.1324.4020.patch 7908 RMD160 848b776218473200e5a54beb4f3adfc3db915cf4 SHA1 a6fbc3b6ab15ca98c1aa1521fd42dad1f5003ee8 SHA256 ec08fca9738b5fae619154379ae0158531cb630b6f25551c14d87313c2d2a5f0
AUX CVE-2010-4022.patch 632 RMD160 62a7b2b0d4acbca919fd9df52e707bf0b9fff076 SHA1 79ece8b1c140deb2c01bfb64af575636b9bc7704 SHA256 25f50e9406a36525b5f727041c9d584ef3f188fa5d3a39b4e63d1a853219a9e2
AUX CVE-2011-0281.0282.0283.patch 6663 RMD160 15913f4fccc2424f4264ce222563685b29b53fb2 SHA1 fb2486168ce128cb1a2866bd0df8cd7c4bcd7824 SHA256 1b3ccea9022527c36e153c5d89ecfd9609a111e235b1d0430e1fcc6933e76e48
AUX CVE-2011-0284.patch 544 RMD160 9b0d172a1abfaf437edacc9f18fd0a6e83028b3e SHA1 1c72390c5d629eee592e5cb0c2b600b376e2fdc5 SHA256 bf93bbaf5d502f5b5bdcfa612e36c3828d3be869b154545bad1c7109f4eedae4
AUX CVE-2011-0285.patch 1154 RMD160 a635a940613663f6fe07534d08c7781090fcc9f0 SHA1 b6ae716616ecd5e92f32ec8203a1ab51b5726184 SHA256 6a972da0e87dce82e801590a7bdcca300a5b31ed569f834e0a6634a185a9aac0
+AUX CVE-2011-1527.1528.1529.patch 3092 RMD160 06b85bf757b84486461697fac126953e7b9d2558 SHA1 0b0016b0e341dcf720f67925b0d451b328e02583 SHA256 50d2ef225e16fb267dcfe87bb6596c5061ccb5ef617ce7e42e83dd4b2db27468
AUX kpropd.xinetd 194 RMD160 5772b04bf7f6b8a5588331a4d9dca03738756f15 SHA1 a9c84a4197ba133144e754d68847cece6203ed4a SHA256 eaa3838a6ca8db901db359cac3435d4f703a9a10534f02eeb37f494dd21a1736
AUX mit-krb5-1.8.3-CVE-2011-0281.0282.0283.patch 6130 RMD160 23cb2560f0d87e6128cdbb12f1e7d8aae85f85f5 SHA1 574a3c82ad7d3c9a1c9c62c6ff95c2d6f0e0fc96 SHA256 7831c9a9553404b41774f40f3fc0df6769342c1923c5b1177062710fd5f0f2bb
AUX mit-krb5-1.8.3-CVE-2011-0285.patch 1136 RMD160 03d06d5c88505688eb4dbcd516144999ecb89a70 SHA1 7853bcbdf0dba6f0fce15fc3b475f86d692287b2 SHA256 88f8d015f2bce8f54a6a0321716ed887aef587aeae3017d47c7c18de26189f02
@@ -19,25 +21,27 @@ DIST krb5-1.8.3-signed.tar 11642880 RMD160 bdf3a505e4b2447af0c9080b441918d665dcd
DIST krb5-1.8.4-signed.tar 11642880 RMD160 34d6df8248007bac0321400b2650c2aca774af16 SHA1 fe1fc21e923ae8dcaa7a26f4f97e0ac49c8e3115 SHA256 2ea1ad0e02d8040110c70046a3bb44aa116ccc72a351185799cd19a2dec11123
DIST krb5-1.9.1-signed.tar 11888640 RMD160 8de31bc83c2fede038780a4375e29a6b4281581f SHA1 e23a1795a237521493da9cf3443ac8b98a90c066 SHA256 525e258aa7401427a5a9edee0051f83b6151bf96a979ca526393932c90484c8e
EBUILD mit-krb5-1.8.3-r5.ebuild 3005 RMD160 03197bd078cf6ec9fec6298454097540c0e5441d SHA1 d200ce0577d366cfe742901b29a68658bf2776aa SHA256 ace5c2b1bae0933fcea265497ec5b3498fe27e482625324ed2225bc36eeb112c
+EBUILD mit-krb5-1.8.4-r1.ebuild 2844 RMD160 6b51986ae5be1716f5846b08434c50532e17b7e5 SHA1 899d706546b1f54df3afda7d4887431362f920dc SHA256 60246c5b830305440a3371d5a90f297095cd7dffbb91a2ad04832c290d0d096d
EBUILD mit-krb5-1.8.4.ebuild 2720 RMD160 96195f1bcfbbb08993985aa6447e5b9dc5828547 SHA1 0ab22e1bdd4afb2bc552c24abdabc975a976d8da SHA256 a05060443e6d6937acfa7c0efc6be2c67e51392565eb9084ae4a3511bae4a8a2
EBUILD mit-krb5-1.9.1-r1.ebuild 3155 RMD160 67ef7c96e863a93b7a361596a176983304692768 SHA1 77250096143f68c0a756318a25d18543ce33c0b4 SHA256 b1b044759fd765c06b50929b9ae00a77ee2e12d689ca9cfde9c6bfd0ae446c19
+EBUILD mit-krb5-1.9.1-r2.ebuild 3207 RMD160 720caadbee42eed6381bb0d1eb850ad1f927738f SHA1 54aee00d44e6b9dbbd8a0be1fd4f6a208fa3f4d7 SHA256 ec0c48cc498fd6ea8d296975c896fe09ff5228d399893e4461f6bb8f4ffcd1ae
EBUILD mit-krb5-1.9.1.ebuild 3081 RMD160 1fb3e78f9f50167b1f7fdb18094943c4452aef7b SHA1 96d6364657ef0cc8d7a5e2b63bd0258f92a8fcee SHA256 36c41b682da975b1585409b6f383ca66601e58a0f59bd8f596519d14d2d4426d
-MISC ChangeLog 45724 RMD160 6bfe23ece676aad6167a1d778fadcf01f108f0fb SHA1 562073f60aa93cea7d8de99eb0755e8f20eeb135 SHA256 8ea4af81e8c0e924163a098e217e8b3cc080b13cb07567064f4c9f1e1a21094b
+MISC ChangeLog 45995 RMD160 c6baf1da1147a1ea2457929573224040b0868deb SHA1 96509fd443c0c3b7619d4207a0e7f9144f00e602 SHA256 8703b3f587cf8a42bec0bc5c3bf4bb084806217fb538864c579734c8b19ecb46
MISC metadata.xml 668 RMD160 825e73c2b8d1bdcfffb6c5cfa2110f596d7940ae SHA1 b9fca90e7a86fea05d8174d824e939cf61905310 SHA256 da5862dde92f34b882870961cb9f1e4aa8209fc549e32a43d99770a9de8b232d
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
-iQIcBAEBCAAGBQJOnSLmAAoJEHfx8XVYajsfmF8P/1Xvzy0F2AOiJjfF+PLINpgm
-ARnEymQYSg4cHV10zQ4BgKkp8we3cYiepoFFGdBEu34GI2iQ0eSpdHR0S9kV/HL3
-SsC8tnY2FwkB0RTUx3TM36+7tUJ1yptkPoOCM8h3E7oghFbsOwIoslSwqJwgtPg8
-dl+S4ViBUpAh+UwsWhK0MAO7iEgzTNfQod2yZkb/n+l44T2d8p1TpvmWw8CT51cV
-Gt7Fl+hN6MbyItfh0eBXGQAbfbifID7ajYSmdNdBoSThdaDd60EjSRuPmWiQZ8/u
-e8HDIeQloeDWwdTZ1XgS/wUIgb9+mTlM1BEHBS6fMRlbxjnhPP0tDMjb6S9YOgVM
-WMB+VWXp9QFInk2rFmioT+RiFKU7fbzCuWQxn8G7AV0IOz5GwpiCvKRM76f/r4N1
-892LzS5+LaYzu3v54ySs6cFbzWh1tvPE37vrepFBdOfXZRMYJuYw7Rpd90QrZdbE
-tJmeEc4K2uqK5he9YeIKdsMjxqZbB3K5EpX+Mb0zDzoofj2ZAlQ/642Mew1pEdCK
-lAlp8USxnm9bOfuvllPAlt/CmMKSkFSeX6BFea5XnBPDEjYJPcF2IiIWrsOo7kcF
-N9Z9TqyW8WkaaZLq6gnXdx2rhEuf+TbtLyBq9J83VhyWAAiQnhQEMGYxFbL2y1nR
-xapBgHCJ0te1rFTbRxtY
-=RyRw
+iQIcBAEBCAAGBQJOnd/4AAoJEHfx8XVYajsff24P/jq0Mx9uMkX1Kub/DO4NisaH
+Oy1RVn+oXbxAGV2JOOGD79++xdFzXrOclbnBajizjzOa3xuEMS67SA6pehdSeqAp
+H9tjBeKO3hKcxOsmtyHrYYJzSGAeK61BdGJHm8aui8r59zw/r6ci6fdY2QEyL6Hk
+IMqCiE9eWvHcfdl8vBBY/LAAND8At5Lcjw1eJGYjPIgDnCx3cAtxGekrBI0zhpyR
+FHChgxE/20KjnXkIF9HdJQdl4k6ys9RNotuhEmpNYR//cKmnuk4G9FxoK6WcpgWH
+9jdhO4uK7qrpQR/Zl29hGHWBF0Vkv7Q1I0kpuzpY939KooulhIjceIRZoEA+B2PH
+h12silD3x7oefzBYs7gEFlaB3nUXlib8zvx6R1tKwtuqbmFGSPpwHhIwKJsRhJx5
+VzByJ8Q+ltXb+A2MXykzlkAqrgRSkMopYcmAtys5hyuHJxZGL/R7w90svQCeXeaA
+rTiPOFNGtbAHwNH3W44drWzklX/7qGncqKFCwyOdbiM3iUQAxsnV6s7iL/xaIh40
+tkn0bh1jF3x8NmIS9N8Nz/TCx9VIHVmulTpeKwXX9tY1sMbRUd2cJ6FLchwoa3+d
+7uH0TW8s0JwoMtQuMuw4k/2Sk9gsep54a0JcbsF9cFdcRENPPwtKF2jhW26Al4w+
+ZP80kUJN8ORWxfdkpYQ0
+=el5D
-----END PGP SIGNATURE-----
diff --git a/app-crypt/mit-krb5/files/2011-006-patch-r18.patch b/app-crypt/mit-krb5/files/2011-006-patch-r18.patch
new file mode 100644
index 000000000000..2da0e1439d82
--- /dev/null
+++ b/app-crypt/mit-krb5/files/2011-006-patch-r18.patch
@@ -0,0 +1,73 @@
+diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c
+index 498c0de..5f973fb 100644
+--- a/src/plugins/kdb/db2/lockout.c
++++ b/src/plugins/kdb/db2/lockout.c
+@@ -158,13 +158,23 @@ krb5_db2_lockout_audit(krb5_context context,
+ return 0;
+ }
+
++ if (entry == NULL)
++ return 0;
++
+ code = lookup_lockout_policy(context, entry, &max_fail,
+ &failcnt_interval,
+ &lockout_duration);
+ if (code != 0)
+ return code;
+
+- assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry));
++ /*
++ * Don't continue to modify the DB for an already locked account.
++ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
++ * this check is unneeded, but in rare cases, we can fail with an
++ * integrity error or preauth failure before a policy check.)
++ */
++ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
++ return 0;
+
+ if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) {
+ /*
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index 626ed1f..68e8ec4 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -131,6 +131,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
+ CHECK_LDAP_HANDLE(ldap_context);
+
+ if (is_principal_in_realm(ldap_context, searchfor) != 0) {
++ st = KRB5_KDB_NOENTRY;
+ *more = 0;
+ krb5_set_error_message (context, st, "Principal does not belong to realm");
+ goto cleanup;
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
+index 020c77a..24b9493 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
+@@ -150,15 +150,25 @@ krb5_ldap_lockout_audit(krb5_context context,
+ return 0;
+ }
+
++ if (entry == NULL)
++ return 0;
++
+ code = lookup_lockout_policy(context, entry, &max_fail,
+ &failcnt_interval,
+ &lockout_duration);
+ if (code != 0)
+ return code;
+
+- entry->mask = 0;
++ /*
++ * Don't continue to modify the DB for an already locked account.
++ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
++ * this check is unneeded, but in rare cases, we can fail with an
++ * integrity error or preauth failure before a policy check.)
++ */
++ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
++ return 0;
+
+- assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry));
++ entry->mask = 0;
+
+ if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) {
+ /*
diff --git a/app-crypt/mit-krb5/files/CVE-2011-1527.1528.1529.patch b/app-crypt/mit-krb5/files/CVE-2011-1527.1528.1529.patch
new file mode 100644
index 000000000000..05a22caf53e1
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2011-1527.1528.1529.patch
@@ -0,0 +1,75 @@
+diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c
+index b473611..50c60b7 100644
+--- a/src/plugins/kdb/db2/lockout.c
++++ b/src/plugins/kdb/db2/lockout.c
+@@ -169,6 +169,9 @@ krb5_db2_lockout_audit(krb5_context context,
+ return 0;
+ }
+
++ if (entry == NULL)
++ return 0;
++
+ if (!db_ctx->disable_lockout) {
+ code = lookup_lockout_policy(context, entry, &max_fail,
+ &failcnt_interval, &lockout_duration);
+@@ -176,6 +179,15 @@ krb5_db2_lockout_audit(krb5_context context,
+ return code;
+ }
+
++ /*
++ * Don't continue to modify the DB for an already locked account.
++ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
++ * this check is unneeded, but in rare cases, we can fail with an
++ * integrity error or preauth failure before a policy check.)
++ */
++ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
++ return 0;
++
+ /* Only mark the authentication as successful if the entry
+ * required preauthentication, otherwise we have no idea. */
+ if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) {
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index 552e39a..c2f44ab 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -105,6 +105,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
+ CHECK_LDAP_HANDLE(ldap_context);
+
+ if (is_principal_in_realm(ldap_context, searchfor) != 0) {
++ st = KRB5_KDB_NOENTRY;
+ krb5_set_error_message (context, st, "Principal does not belong to realm");
+ goto cleanup;
+ }
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
+index a218dc7..fd164dd 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
+@@ -165,6 +165,9 @@ krb5_ldap_lockout_audit(krb5_context context,
+ return 0;
+ }
+
++ if (entry == NULL)
++ return 0;
++
+ if (!ldap_context->disable_lockout) {
+ code = lookup_lockout_policy(context, entry, &max_fail,
+ &failcnt_interval,
+@@ -173,9 +176,16 @@ krb5_ldap_lockout_audit(krb5_context context,
+ return code;
+ }
+
+- entry->mask = 0;
++ /*
++ * Don't continue to modify the DB for an already locked account.
++ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
++ * this check is unneeded, but in rare cases, we can fail with an
++ * integrity error or preauth failure before a policy check.)
++ */
++ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
++ return 0;
+
+- assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry));
++ entry->mask = 0;
+
+ /* Only mark the authentication as successful if the entry
+ * required preauthentication, otherwise we have no idea. */
diff --git a/app-crypt/mit-krb5/mit-krb5-1.8.4-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.8.4-r1.ebuild
new file mode 100644
index 000000000000..f1b767ddf268
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.8.4-r1.ebuild
@@ -0,0 +1,116 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.8.4-r1.ebuild,v 1.1 2011/10/18 20:21:59 eras Exp $
+
+EAPI=2
+
+inherit eutils flag-o-matic versionator
+
+MY_P=${P/mit-}
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="doc openldap test xinetd"
+
+RDEPEND="!!app-crypt/heimdal
+ >=sys-libs/e2fsprogs-libs-1.41.0
+ sys-apps/keyutils
+ openldap? ( net-nds/openldap )
+ xinetd? ( sys-apps/xinetd )"
+DEPEND="${RDEPEND}
+ doc? ( virtual/latex-base )
+ test? ( dev-lang/tcl
+ dev-lang/perl
+ dev-util/dejagnu )"
+
+S=${WORKDIR}/${MY_P}/src
+
+src_unpack() {
+ unpack ${A}
+ unpack ./"${MY_P}".tar.gz
+}
+
+src_prepare() {
+ epatch "${FILESDIR}/mit-krb5_testsuite.patch"
+ epatch "${FILESDIR}/2011-006-patch-r18.patch"
+}
+
+src_configure() {
+ append-flags "-I/usr/include/et"
+ append-flags "-fno-strict-aliasing"
+ append-flags "-fno-strict-overflow"
+ econf \
+ $(use_with openldap ldap) \
+ $(use_with test tcl /usr) \
+ --without-krb4 \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --enable-dns-for-realm \
+ --enable-kdc-replay-cache \
+ --disable-rpath
+}
+
+src_compile() {
+ emake -j1 || die "emake failed"
+
+ if use doc ; then
+ cd ../doc
+ for dir in api implement ; do
+ emake -C "${dir}" || die "doc emake failed"
+ done
+ fi
+}
+
+src_install() {
+ emake \
+ DESTDIR="${D}" \
+ EXAMPLEDIR="/usr/share/doc/${PF}/examples" \
+ install || die "install failed"
+
+ # default database dir
+ keepdir /var/lib/krb5kdc
+
+ cd ..
+ dodoc README
+ dodoc doc/*.{ps,txt}
+ doinfo doc/*.info*
+ dohtml -r doc/*.html
+
+ # die if we cannot respect a USE flag
+ if use doc ; then
+ dodoc doc/{api,implement}/*.ps || die "dodoc failed"
+ fi
+
+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind || die
+ newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc || die
+
+ insinto /etc
+ newins "${D}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+ insinto /var/lib/krb5kdc
+ newins "${D}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+ if use openldap ; then
+ insinto /etc/openldap/schema
+ doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema" || die
+ fi
+
+ if use xinetd ; then
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}/kpropd.xinetd" kpropd || die
+ fi
+}
+
+pkg_preinst() {
+ if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
+ elog "MIT split the Kerberos applications from the base Kerberos"
+ elog "distribution. Kerberized versions of telnet, rlogin, rsh, rcp,"
+ elog "ftp clients and telnet, ftp deamons now live in"
+ elog "\"app-crypt/mit-krb5-appl\" package."
+ fi
+}
diff --git a/app-crypt/mit-krb5/mit-krb5-1.9.1-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.9.1-r2.ebuild
new file mode 100644
index 000000000000..e9332dcef607
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.9.1-r2.ebuild
@@ -0,0 +1,123 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.9.1-r2.ebuild,v 1.1 2011/10/18 20:21:59 eras Exp $
+
+EAPI=3
+
+inherit eutils flag-o-matic versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos"
+IUSE="doc +keyutils openldap +pkinit +threads test xinetd"
+
+RDEPEND="!!app-crypt/heimdal
+ >=sys-libs/e2fsprogs-libs-1.41.0
+ keyutils? ( sys-apps/keyutils )
+ openldap? ( net-nds/openldap )
+ xinetd? ( sys-apps/xinetd )"
+DEPEND="${RDEPEND}
+ virtual/yacc
+ doc? ( virtual/latex-base )
+ test? ( dev-lang/tcl
+ dev-lang/python
+ dev-util/dejagnu )"
+
+S=${WORKDIR}/${MY_P}/src
+
+src_unpack() {
+ unpack ${A}
+ unpack ./"${MY_P}".tar.gz
+}
+
+src_prepare() {
+ epatch "${FILESDIR}/${P}-fd-leak.patch"
+ epatch "${FILESDIR}/CVE-2011-1527.1528.1529.patch"
+}
+
+src_configure() {
+ append-flags "-I${EPREFIX}/usr/include/et"
+ # QA
+ append-flags -fno-strict-aliasing
+ append-flags -fno-strict-overflow
+ use keyutils || export ac_cv_header_keyutils_h=no
+ econf \
+ $(use_with openldap ldap) \
+ "$(use_with test tcl "${EPREFIX}/usr")" \
+ $(use_enable pkinit) \
+ $(use_enable threads thread-support) \
+ --without-krb4 \
+ --without-hesiod \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --enable-dns-for-realm \
+ --enable-kdc-lookaside-cache \
+ --disable-rpath
+}
+
+src_compile() {
+ emake -j1 || die "emake failed"
+
+ if use doc ; then
+ cd ../doc
+ for dir in api implement ; do
+ emake -C "${dir}" || die "doc emake failed"
+ done
+ fi
+}
+
+src_install() {
+ emake \
+ DESTDIR="${D}" \
+ EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+ install || die "install failed"
+
+ # default database dir
+ keepdir /var/lib/krb5kdc
+
+ cd ..
+ dodoc NOTICE README
+ dodoc doc/*.{ps,txt}
+ doinfo doc/*.info*
+ dohtml -r doc/*.html
+
+ # die if we cannot respect a USE flag
+ if use doc ; then
+ dodoc doc/{api,implement}/*.ps || die "dodoc failed"
+ fi
+
+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind || die
+ newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc || die
+ newinitd "${FILESDIR}"/mit-krb5kpropd.initd mit-krb5kpropd || die
+
+ insinto /etc
+ newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+ insinto /var/lib/krb5kdc
+ newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+ if use openldap ; then
+ insinto /etc/openldap/schema
+ doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema" || die
+ fi
+
+ if use xinetd ; then
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}/kpropd.xinetd" kpropd || die
+ fi
+}
+
+pkg_preinst() {
+ if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
+ elog "MIT split the Kerberos applications from the base Kerberos"
+ elog "distribution. Kerberized versions of telnet, rlogin, rsh, rcp,"
+ elog "ftp clients and telnet, ftp deamons now live in"
+ elog "\"app-crypt/mit-krb5-appl\" package."
+ fi
+}