Sync from SUSE:ALP:Source:Standard:1.0 libheimdal revision 6c545f3eb69f6f265e5a1571d4a221d1

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

heimdal-CVE-2022-45142.patch

@@ -0,0 +1,46 @@
+From: Helmut Grohne <helmut@...divi.de>
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne <helmut@...divi.de>
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
++++ b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ 	return GSS_S_FAILURE;
+     }
+
+-    cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++    cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+     if (cmp) {
+ 	*minor_status = 0;
+ 	return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ 	return GSS_S_FAILURE;
+     }
+
+-    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+     if (cmp) {
+ 	_gsskrb5_release_buffer(minor_status, output_message_buffer);
+ 	*minor_status = 0;
+--
+2.38.1

heimdal-patch-source.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+REMOVE_DIRS=( 
+admin
+appl
+etc
+kadmin
+kcm
+kpasswd
+kuser
+packages
+po
+tests
+tools
+windows
+)
+
+set -o errexit
+
+CMDNAME=${0##*/}
+SOURCEDIR=${0%$CMDNAME}
+
+BASENAME=${1%.tar.gz}
+
+trap "rm -rf \"$BASENAME-patched.tar\" \"$BASENAME-patched.tar.bz2\"" ERR
+
+for (( N=0; N<${#REMOVE_DIRS[@]}; N++ )) ; do
+    REMOVE_DIRS[N]="*/${REMOVE_DIRS[N]}"
+done
+
+cd "$SOURCEDIR" > /dev/null
+
+if [ ! -f "$BASENAME.tar.gz" ]; then
+    exit 0
+fi
+
+if [ -f "$BASENAME-patched.tar.bz2" ] && [ "$BASENAME.tar.gz" -ot "$BASENAME-patched.tar.bz2" ]; then
+    if [ $CMDNAME -ot "$BASENAME-patched.tar.bz2" ]; then
+        exit 0
+    fi
+fi
+
+gzip -d "$BASENAME.tar.gz"
+mv -f "$BASENAME.tar" "$BASENAME-patched.tar"
+tar --wildcards --delete -f "$BASENAME-patched.tar" "${REMOVE_DIRS[@]}"
+bzip2 "$BASENAME-patched.tar"

heimdal-patched.diff

@@ -0,0 +1,690 @@
+diff -uNr heimdal-7.8.0/configure.ac heimdal-7.8.0-patched/configure.ac
+--- heimdal-7.8.0/configure.ac	2022-11-15 19:56:25.000000000 +0100
++++ heimdal-7.8.0-patched/configure.ac	2022-12-20 16:57:00.506113493 +0100
+@@ -3,7 +3,6 @@
+ AC_PREREQ(2.62)
+ test -z "$CFLAGS" && CFLAGS="-g"
+ AC_INIT([Heimdal],[7.8.0],[https://github.com/heimdal/heimdal/issues])
+-AC_CONFIG_SRCDIR([kuser/kinit.c])
+ AC_CONFIG_HEADERS(include/config.h)
+ AC_CONFIG_MACRO_DIR([cf])
+ 
+@@ -594,7 +593,6 @@
+ AM_CONDITIONAL(HEIMDAL_DOCUMENTATION, test "$enable_heimdal_documentation" != no)
+ 
+ AC_CONFIG_FILES(Makefile 		\
+-	etc/Makefile			\
+ 	include/Makefile		\
+ 	include/gssapi/Makefile		\
+ 	include/hcrypto/Makefile	\
+@@ -619,35 +617,8 @@
+ 	lib/sqlite/Makefile		\
+ 	lib/vers/Makefile		\
+ 	lib/wind/Makefile		\
+-	po/Makefile			\
+-	kuser/Makefile			\
+-	kpasswd/Makefile		\
+-	kadmin/Makefile			\
+-	admin/Makefile			\
+-	kcm/Makefile			\
+ 	kdc/Makefile			\
+-	appl/Makefile			\
+-	appl/afsutil/Makefile		\
+-	appl/dbutils/Makefile		\
+-	appl/gssmask/Makefile		\
+-	appl/otp/Makefile		\
+-	appl/su/Makefile		\
+-	appl/test/Makefile		\
+-	appl/kf/Makefile		\
+-	appl/dceutils/Makefile		\
+-	tests/Makefile			\
+-	tests/bin/Makefile		\
+-	tests/can/Makefile		\
+-	tests/db/Makefile		\
+-	tests/kdc/Makefile		\
+-	tests/ldap/Makefile		\
+-	tests/gss/Makefile		\
+-	tests/java/Makefile		\
+-	tests/plugin/Makefile		\
+-	packages/Makefile		\
+-	packages/mac/Makefile		\
+ 	doc/Makefile			\
+-	tools/Makefile			\
+ )
+ 
+ AC_OUTPUT
+diff -uNr heimdal-7.8.0/doc/Makefile.am heimdal-7.8.0-patched/doc/Makefile.am
+--- heimdal-7.8.0/doc/Makefile.am	2022-09-16 00:59:25.000000000 +0200
++++ heimdal-7.8.0-patched/doc/Makefile.am	2022-12-20 17:02:32.781246824 +0100
+@@ -10,50 +10,6 @@
+ 
+ info_TEXINFOS = heimdal.texi hx509.texi
+ 
+-dxy_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+-	-e 's,[@]objdir[@],.,g' \
+-	-e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g'
+-
+-hcrypto.dxy: hcrypto.din Makefile
+-	$(dxy_subst) < $(srcdir)/hcrypto.din > hcrypto.dxy.tmp
+-	chmod +x hcrypto.dxy.tmp
+-	mv hcrypto.dxy.tmp hcrypto.dxy
+-
+-hdb.dxy: hdb.din Makefile
+-	$(dxy_subst) < $(srcdir)/hdb.din > hdb.dxy.tmp
+-	chmod +x hdb.dxy.tmp
+-	mv hdb.dxy.tmp hdb.dxy
+-
+-base.dxy: base.din Makefile
+-	$(dxy_subst) < $(srcdir)/base.din > base.dxy.tmp
+-	chmod +x base.dxy.tmp
+-	mv base.dxy.tmp base.dxy
+-
+-hx509.dxy: hx509.din Makefile
+-	$(dxy_subst) < $(srcdir)/hx509.din > hx509.dxy.tmp
+-	chmod +x hx509.dxy.tmp
+-	mv hx509.dxy.tmp hx509.dxy
+-
+-gssapi.dxy: gssapi.din Makefile
+-	$(dxy_subst) < $(srcdir)/gssapi.din > gssapi.dxy.tmp
+-	chmod +x gssapi.dxy.tmp
+-	mv gssapi.dxy.tmp gssapi.dxy
+-
+-krb5.dxy: krb5.din Makefile
+-	$(dxy_subst) < $(srcdir)/krb5.din > krb5.dxy.tmp
+-	chmod +x krb5.dxy.tmp
+-	mv krb5.dxy.tmp krb5.dxy
+-
+-ntlm.dxy: ntlm.din Makefile
+-	$(dxy_subst) < $(srcdir)/ntlm.din > ntlm.dxy.tmp
+-	chmod +x ntlm.dxy.tmp
+-	mv ntlm.dxy.tmp ntlm.dxy
+-
+-wind.dxy: wind.din Makefile
+-	$(dxy_subst) < $(srcdir)/wind.din > wind.dxy.tmp
+-	chmod +x wind.dxy.tmp
+-	mv wind.dxy.tmp wind.dxy
+-
+ texi_subst = sed -e 's,[@]dbdir[@],$(localstatedir),g' \
+ 	-e 's,[@]dbtype[@],$(db_type),g' \
+ 	-e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g'
+@@ -63,55 +19,6 @@
+ 	chmod +x vars.texi.tmp
+ 	mv vars.texi.tmp vars.texi
+ 
+-PROJECTS = base hdb hx509 gssapi krb5 ntlm wind 
+-
+-PROJECTS += hcrypto
+-
+-doxyout doxygen: base.dxy hdb.dxy hx509.dxy hcrypto.dxy gssapi.dxy krb5.dxy ntlm.dxy wind.dxy
+-	@test -d $(srcdir)/doxyout && \
+-	find $(srcdir)/doxyout -type d ! -perm -200 -exec chmod u+w {} ';' ; \
+-	rm -rf $(srcdir)/doxyout ; \
+-	mkdir $(srcdir)/doxyout ; \
+-	for a in $(PROJECTS) ; do \
+-		echo $$a ; \
+-		doxygen $$a.dxy; \
+-		(cd $(srcdir)/doxyout && \
+-		    find $$a/man -name '_*' -type f -print | \
+-			perl -lne unlink && \
+-		    find $$a/html -name 'dir_*.html' -type f -print | \
+-			perl -lne unlink && \
+-		 find $$a/man -type f > $$a/manpages ) ; \
+-	done
+-
+-install-data-hook: install-doxygen-manpage
+-uninstall-hook: uninstall-doxygen-manpage
+-dist-hook: doxygen
+-
+-install-doxygen-manpage:
+-	for a in $(PROJECTS) ; do \
+-		f="$(srcdir)/doxyout/$$a/manpages" ; \
+-		test -f $$f || continue ; \
+-		echo "install $$a manual pages $$(wc -l < $$f)" ; \
+-		while read x ; do \
+-			section=`echo "$$x" | sed 's/.*\.\([0-9]\)/\1/'` ; \
+-			$(mkinstalldirs) "$(DESTDIR)$(mandir)/man$$section" ; \
+-			$(INSTALL_DATA) $(srcdir)/doxyout/$$x "$(DESTDIR)$(mandir)/man$$section" ; \
+-		done < $$f ; \
+-	done ; exit 0
+-
+-uninstall-doxygen-manpage:
+-	@for a in $(PROJECTS) ; do \
+-		f="$(srcdir)/doxyout/$$a/manpages" ; \
+-		test -f $$f || continue ; \
+-		echo "removing $$a manual pages" ; \
+-		while read x ; do \
+-			section=`echo "$$x" | sed 's/.*\.\([0-9]\)/\1/'` ; \
+-			base=`basename $$x` ; \
+-			rm "$(DESTDIR)$(mandir)/man$$section/$$base" ; \
+-		done < $$f ; \
+-	done
+-
+-
+ heimdal_TEXINFOS = \
+ 	ack.texi \
+ 	apps.texi \
+@@ -129,35 +36,6 @@
+ 	win2k.texi
+ 
+ EXTRA_DIST = \
+-	NTMakefile \
+-	doxyout \
+-	footer.html \
+-	gssapi.din \
+-	hdb.din \
+-	hcrypto.din \
+-	header.html \
+ 	heimdal.css \
+-	base.din \
+-	hx509.din \
+-	krb5.din \
+-	ntlm.din \
+-	init-creds \
+-	latin1.tex \
+-	layman.asc \
+-	doxytmpl.dxy \
+-	wind.din \
+-	base.hhp \
+ 	heimdal.hhp \
+-	hx509.hhp \
+ 	vars.tin
+-
+-CLEANFILES = \
+-	hcrypto.dxy* \
+-	base.dxy* \
+-	hx509.dxy* \
+-	hdb.dxy* \
+-	gssapi.dxy* \
+-	krb5.dxy* \
+-	ntlm.dxy* \
+-	wind.dxy* \
+-	vars.texi*
+diff -uNr heimdal-7.8.0/kdc/Makefile.am heimdal-7.8.0-patched/kdc/Makefile.am
+--- heimdal-7.8.0/kdc/Makefile.am	2022-09-16 01:54:19.000000000 +0200
++++ heimdal-7.8.0-patched/kdc/Makefile.am	2022-12-20 17:07:05.344492344 +0100
+@@ -6,35 +6,6 @@
+ 
+ lib_LTLIBRARIES = libkdc.la
+ 
+-bin_PROGRAMS = string2key
+-
+-sbin_PROGRAMS = kstash
+-
+-libexec_PROGRAMS = hprop hpropd kdc digest-service
+-
+-noinst_PROGRAMS = kdc-replay kdc-tester
+-
+-man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8 string2key.8
+-
+-hprop_SOURCES = hprop.c mit_dump.c hprop.h
+-hpropd_SOURCES = hpropd.c hprop.h
+-
+-kstash_SOURCES = kstash.c headers.h
+-
+-string2key_SOURCES = string2key.c headers.h
+-
+-digest_service_SOURCES = \
+-	digest-service.c
+-
+-kdc_SOURCES = connect.c	\
+-	config.c	\
+-	announce.c	\
+-	main.c
+-
+-kdc_tester_SOURCES = \
+-	config.c	\
+-	kdc-tester.c
+-
+ libkdc_la_SOURCES = 		\
+ 	default_config.c 	\
+ 	set_dbinfo.c	 	\
+@@ -54,15 +25,7 @@
+ 
+ KDC_PROTOS = $(srcdir)/kdc-protos.h $(srcdir)/kdc-private.h
+ 
+-ALL_OBJECTS  = $(kdc_OBJECTS)
+-ALL_OBJECTS += $(kdc_replay_OBJECTS)
+-ALL_OBJECTS += $(kdc_tester_OBJECTS)
+-ALL_OBJECTS += $(libkdc_la_OBJECTS)
+-ALL_OBJECTS += $(string2key_OBJECTS)
+-ALL_OBJECTS += $(kstash_OBJECTS)
+-ALL_OBJECTS += $(hprop_OBJECTS)
+-ALL_OBJECTS += $(hpropd_OBJECTS)
+-ALL_OBJECTS += $(digest_service_OBJECTS)
++ALL_OBJECTS = $(libkdc_la_OBJECTS)
+ 
+ $(ALL_OBJECTS): $(KDC_PROTOS)
+ 
+@@ -80,24 +43,6 @@
+ 	cd $(srcdir) && perl ../cf/make-proto.pl -q -P comment -p kdc-private.h $(libkdc_la_SOURCES) || rm -f kdc-private.h
+ 
+ 
+-hprop_LDADD = \
+-	$(top_builddir)/lib/hdb/libhdb.la \
+-	$(top_builddir)/lib/krb5/libkrb5.la \
+-	$(LIB_kdb)  \
+-	$(LIB_hcrypto) \
+-	$(top_builddir)/lib/asn1/libasn1.la \
+-	$(LIB_roken) \
+-	$(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB)
+-
+-hpropd_LDADD = \
+-	$(top_builddir)/lib/hdb/libhdb.la \
+-	$(top_builddir)/lib/krb5/libkrb5.la \
+-	$(LIB_kdb)  \
+-	$(LIB_hcrypto) \
+-	$(top_builddir)/lib/asn1/libasn1.la \
+-	$(LIB_roken) \
+-	$(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB)
+-
+ if PKINIT
+ LIB_pkinit = $(top_builddir)/lib/hx509/libhx509.la
+ endif
+@@ -121,21 +66,6 @@
+ 	$(LIB_roken) \
+ 	$(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB)
+ 
+-kdc_LDADD = libkdc.la $(LDADD) $(LIB_pidfile) $(CAPNG_LIBS)
+-
+-if FRAMEWORK_SECURITY
+-kdc_LDFLAGS = -framework SystemConfiguration -framework CoreFoundation
+-endif
+-kdc_CFLAGS = $(CAPNG_CFLAGS)
+-
+-digest_service_LDADD = \
+-	libkdc.la \
+-	$(top_builddir)/lib/ntlm/libheimntlm.la \
+-	$(top_builddir)/lib/ipc/libheim-ipcs.la \
+-	$(LDADD) $(LIB_pidfile)
+-kdc_replay_LDADD = libkdc.la $(LDADD) $(LIB_pidfile)
+-kdc_tester_LDADD = libkdc.la $(LDADD) $(LIB_pidfile) $(LIB_heimbase)
+-
+ include_HEADERS = kdc.h $(srcdir)/kdc-protos.h
+ 
+ noinst_HEADERS = $(srcdir)/kdc-private.h
+@@ -146,11 +76,6 @@
+ build_HEADERZ = $(krb5_HEADERS) # XXX
+ 
+ EXTRA_DIST = \
+-	hprop-version.rc \
+-	hpropd-version.rc \
+-	kdc-version.rc \
+-	kstash-version.rc \
+ 	libkdc-version.rc \
+-	string2key-version.rc \
+ 	libkdc-exports.def \
+-	NTMakefile $(man_MANS) version-script.map
++	NTMakefile version-script.map
+diff -uNr heimdal-7.8.0/lib/asn1/Makefile.am heimdal-7.8.0-patched/lib/asn1/Makefile.am
+--- heimdal-7.8.0/lib/asn1/Makefile.am	2022-09-16 01:54:19.000000000 +0200
++++ heimdal-7.8.0-patched/lib/asn1/Makefile.am	2022-12-20 17:08:36.808229786 +0100
+@@ -44,9 +44,7 @@
+ gen_files_digest = asn1_digest_asn1.x
+ gen_files_kx509 = asn1_kx509_asn1.x
+ 
+-noinst_PROGRAMS = asn1_gen
+-
+-libexec_heimdal_PROGRAMS = asn1_compile asn1_print
++noinst_PROGRAMS = asn1_gen asn1_compile asn1_print
+ 
+ TESTS = check-der check-gen check-timegm check-ber check-template
+ check_PROGRAMS = $(TESTS)
+diff -uNr heimdal-7.8.0/lib/com_err/Makefile.am heimdal-7.8.0-patched/lib/com_err/Makefile.am
+--- heimdal-7.8.0/lib/com_err/Makefile.am	2022-09-16 01:54:19.000000000 +0200
++++ heimdal-7.8.0-patched/lib/com_err/Makefile.am	2022-12-20 17:14:40.343183718 +0100
+@@ -13,12 +13,8 @@
+ 
+ libcom_err_la_LIBADD = $(LIB_libintl)
+ 
+-noinst_PROGRAMS = compile_et
+-
+ include_HEADERS = com_err.h com_right.h
+ 
+-compile_et_SOURCES = compile_et.c compile_et.h parse.y lex.l lex.h
+-
+ libcom_err_la_CPPFLAGS = $(ROKEN_RENAME) $(INCLUDE_libintl)
+ dist_libcom_err_la_SOURCES = error.c com_err.c roken_rename.h
+ 
+@@ -43,7 +39,6 @@
+ EXTRA_DIST = \
+ 	NTMakefile \
+ 	com_err.3 \
+-	compile_et-version.rc \
+ 	libcom_err-version.rc \
+ 	libcom_err-exports.def \
+ 	version-script.map
+diff -uNr heimdal-7.8.0/lib/gssapi/Makefile.am heimdal-7.8.0-patched/lib/gssapi/Makefile.am
+--- heimdal-7.8.0/lib/gssapi/Makefile.am	2022-09-16 01:54:19.000000000 +0200
++++ heimdal-7.8.0-patched/lib/gssapi/Makefile.am	2022-12-20 17:16:41.706826603 +0100
+@@ -227,8 +227,6 @@
+ 	$(LIB_hcrypto) \
+ 	$(LIBADD_roken)
+ 
+-man_MANS = gssapi.3 gss_acquire_cred.3 mech/mech.5
+-
+ include_HEADERS = gssapi.h
+ noinst_HEADERS = \
+ 	gssapi_mech.h \
+@@ -303,8 +301,7 @@
+ 
+ check_PROGRAMS = test_acquire_cred $(TESTS)
+ 
+-bin_PROGRAMS = gsstool
+-noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm test_add_store_cred
++noinst_PROGRAMS = gsstool test_cred test_kcred test_context test_ntlm test_add_store_cred
+ 
+ test_context_SOURCES = test_context.c test_common.c test_common.h
+ test_ntlm_SOURCES = test_ntlm.c test_common.c test_common.h
+@@ -340,7 +337,6 @@
+ 	NTMakefile \
+ 	libgssapi-version.rc \
+ 	libgssapi-exports.def \
+-	$(man_MANS) \
+ 	gen-oid.pl \
+ 	gssapi/gssapi_netlogon.h \
+ 	krb5/test_acquire_cred.c \
+diff -uNr heimdal-7.8.0/lib/hx509/Makefile.am heimdal-7.8.0-patched/lib/hx509/Makefile.am
+--- heimdal-7.8.0/lib/hx509/Makefile.am	2022-11-15 18:24:40.000000000 +0100
++++ heimdal-7.8.0-patched/lib/hx509/Makefile.am	2022-12-20 17:19:57.330257091 +0100
+@@ -141,7 +141,6 @@
+ 	$(heim_verbose)$(ASN1_COMPILE) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
+ 
+ ALL_OBJECTS  = $(libhx509_la_OBJECTS)
+-ALL_OBJECTS += $(hxtool_OBJECTS)
+ 
+ HX509_PROTOS = $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h
+ 
+@@ -156,23 +155,6 @@
+ $(srcdir)/hx509-private.h: $(dist_libhx509_la_SOURCES)
+ 	$(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p hx509-private.h $(dist_libhx509_la_SOURCES) || rm -f hx509-private.h
+ 
+-bin_PROGRAMS = hxtool
+-
+-hxtool-commands.c hxtool-commands.h: hxtool-commands.in $(SLC)
+-	$(heim_verbose)$(SLC) $(srcdir)/hxtool-commands.in
+-
+-dist_hxtool_SOURCES = hxtool.c
+-nodist_hxtool_SOURCES = hxtool-commands.c hxtool-commands.h
+-
+-$(hxtool_OBJECTS): hxtool-commands.h $(nodist_include_HEADERS)
+-
+-hxtool_LDADD = \
+-	libhx509.la \
+-	$(top_builddir)/lib/asn1/libasn1.la \
+-	$(LIB_hcrypto) \
+-	$(LIB_roken) \
+-	$(top_builddir)/lib/sl/libsl.la
+-
+ CLEANFILES = $(BUILT_SOURCES) sel-gram.c sel-lex.c \
+ 	$(gen_files_ocsp) ocsp_asn1_files ocsp_asn1{,-priv}.h* \
+ 	ocsp_asn1-template.[chx]* \
+@@ -181,7 +163,7 @@
+ 	$(gen_files_crmf) crmf_asn1_files crmf_asn1{,-priv}.h* \
+ 	crmf_asn1-template.[chx]* \
+ 	$(TESTS) \
+-	hxtool-commands.c hxtool-commands.h *.tmp \
++	*.tmp \
+ 	request.out \
+ 	out.pem out2.pem \
+ 	sd sd.pem \
+@@ -311,12 +293,10 @@
+ 
+ EXTRA_DIST = \
+ 	NTMakefile \
+-	hxtool-version.rc \
+ 	libhx509-exports.def \
+ 	version-script.map \
+ 	crmf.asn1 \
+ 	hx509_err.et \
+-	hxtool-commands.in \
+ 	quote.py \
+ 	ocsp.asn1 \
+ 	ocsp.opt \
+diff -uNr heimdal-7.8.0/lib/kadm5/Makefile.am heimdal-7.8.0-patched/lib/kadm5/Makefile.am
+--- heimdal-7.8.0/lib/kadm5/Makefile.am	2022-11-15 18:06:45.000000000 +0100
++++ heimdal-7.8.0-patched/lib/kadm5/Makefile.am	2022-12-20 17:24:31.273484873 +0100
+@@ -14,10 +14,6 @@
+ libkadm5srv_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
+ endif
+ 
+-sbin_PROGRAMS = iprop-log
+-check_PROGRAMS = default_keys
+-noinst_PROGRAMS = test_pw_quality
+-
+ noinst_LTLIBRARIES = sample_passwd_check.la
+ 
+ sample_passwd_check_la_SOURCES = sample_passwd_check.c
+@@ -29,8 +25,6 @@
+ libkadm5clnt_la_LIBADD = \
+ 	$(LIB_com_err) ../krb5/libkrb5.la $(LIBADD_roken)
+ 
+-libexec_PROGRAMS = ipropd-master ipropd-slave
+-
+ default_keys_SOURCES = default_keys.c
+ default_keys_CPPFLAGS = -I$(srcdir)/../krb5
+ 
+@@ -122,17 +116,6 @@
+ libkadm5srv_la_DEPENDENCIES =			\
+ 	version-script.map
+ 
+-dist_iprop_log_SOURCES = iprop-log.c
+-nodist_iprop_log_SOURCES = iprop-commands.c
+-
+-ipropd_master_SOURCES = ipropd_master.c ipropd_common.c iprop.h kadm5_locl.h
+-ipropd_master_CPPFLAGS = -I$(srcdir)/../krb5
+-
+-ipropd_slave_SOURCES = ipropd_slave.c ipropd_common.c iprop.h kadm5_locl.h
+-ipropd_slave_CPPFLAGS = -I$(srcdir)/../krb5
+-
+-man_MANS = kadm5_pwcheck.3 iprop.8 iprop-log.8
+-
+ LDADD = \
+ 	libkadm5srv.la \
+ 	$(top_builddir)/lib/hdb/libhdb.la \
+@@ -144,27 +127,8 @@
+ 	$(LIB_dlopen) \
+ 	$(LIB_pidfile)
+ 
+-iprop_log_LDADD = \
+-	libkadm5srv.la \
+-	$(top_builddir)/lib/hdb/libhdb.la \
+-	$(top_builddir)/lib/krb5/libkrb5.la \
+-	$(top_builddir)/lib/asn1/libasn1.la \
+-	$(LIB_hcrypto) \
+-	$(top_builddir)/lib/sl/libsl.la \
+-	$(LIB_readline) \
+-	$(LIB_roken) \
+-	$(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB) \
+-	$(LIB_dlopen) \
+-	$(LIB_pidfile)
+-
+-iprop_log_CPPFLAGS = -I$(srcdir)/../krb5
+-
+-iprop-commands.c iprop-commands.h: iprop-commands.in
+-	$(SLC) $(srcdir)/iprop-commands.in
+-
+ $(libkadm5srv_la_OBJECTS): kadm5_err.h
+ $(libkadm5clnt_la_OBJECTS): kadm5_err.h
+-$(iprop_log_OBJECTS): iprop-commands.h
+ 
+ client_glue.lo server_glue.lo: $(srcdir)/common_glue.c
+ 
+@@ -176,12 +140,7 @@
+ 
+ ALL_OBJECTS  = $(libkadm5clnt_la_OBJECTS)
+ ALL_OBJECTS += $(libkadm5srv_la_OBJECTS)
+-ALL_OBJECTS += $(ipropd_master_OBJECTS)
+-ALL_OBJECTS += $(ipropd_slave_OBJECTS)
+-ALL_OBJECTS += $(iprop_log_OBJECTS)
+-ALL_OBJECTS += $(test_pw_quality_OBJECTS)
+ ALL_OBJECTS += $(sample_passwd_check_la_OBJECTS)
+-ALL_OBJECTS += $(default_keys_OBJECTS)
+ 
+ $(ALL_OBJECTS): $(srcdir)/kadm5-protos.h $(srcdir)/kadm5-private.h
+ $(ALL_OBJECTS): kadm5_err.h
+@@ -213,7 +172,6 @@
+ 	libkadm5srv-exports.def \
+ 	kadm5_err.et \
+ 	iprop-commands.in \
+-	$(man_MANS) \
+ 	check-cracklib.pl \
+ 	flush.c \
+ 	sample_passwd_check.c \
+diff -uNr heimdal-7.8.0/lib/kafs/Makefile.am heimdal-7.8.0-patched/lib/kafs/Makefile.am
+--- heimdal-7.8.0/lib/kafs/Makefile.am	2022-09-16 01:54:19.000000000 +0200
++++ heimdal-7.8.0-patched/lib/kafs/Makefile.am	2022-12-20 17:25:26.133332421 +0100
+@@ -74,8 +74,6 @@
+ 
+ EXTRA_DIST = NTMakefile afsl.exp afslib.exp $(man_MANS)
+ 
+-man_MANS = kafs.3
+-
+ # AIX: this almost works with gcc, but somehow it fails to use the
+ # correct ld, use ld instead
+ afslib.so: afslib.o
+diff -uNr heimdal-7.8.0/lib/krb5/Makefile.am heimdal-7.8.0-patched/lib/krb5/Makefile.am
+--- heimdal-7.8.0/lib/krb5/Makefile.am	2022-09-16 01:54:19.000000000 +0200
++++ heimdal-7.8.0-patched/lib/krb5/Makefile.am	2022-12-20 17:27:49.080935177 +0100
+@@ -4,8 +4,6 @@
+ 
+ AM_CPPFLAGS += -I../com_err -I$(srcdir)/../com_err $(INCLUDE_sqlite3) $(INCLUDE_libintl) $(INCLUDE_openssl_crypto)
+ 
+-bin_PROGRAMS = verify_krb5_conf
+-
+ noinst_PROGRAMS =				\
+ 	krbhst-test				\
+ 	test_alname				\
+@@ -258,7 +256,6 @@
+ endif
+ 
+ ALL_OBJECTS  = $(libkrb5_la_OBJECTS)
+-ALL_OBJECTS += $(verify_krb5_conf_OBJECTS)
+ ALL_OBJECTS += $(librfc3961_la_OBJECTS)
+ ALL_OBJECTS += $(librfc3961_la_OBJECTS)
+ ALL_OBJECTS += $(krbhst_test_OBJECTS)
+@@ -322,52 +319,6 @@
+ $(srcdir)/krb5-private.h: $(headerdeps)
+ 	@cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-private.h
+ 
+-man_MANS =					\
+-	kerberos.8				\
+-	krb5.conf.5				\
+-	krb5-plugin.7				\
+-	krb524_convert_creds_kdc.3		\
+-	krb5_425_conv_principal.3		\
+-	krb5_acl_match_file.3			\
+-	krb5_aname_to_localname.3		\
+-	krb5_appdefault.3			\
+-	krb5_auth_context.3			\
+-	krb5_c_make_checksum.3			\
+-	krb5_check_transited.3			\
+-	krb5_create_checksum.3			\
+-	krb5_creds.3				\
+-	krb5_digest.3				\
+-	krb5_eai_to_heim_errno.3		\
+-	krb5_encrypt.3				\
+-	krb5_find_padata.3			\
+-	krb5_generate_random_block.3		\
+-	krb5_get_all_client_addrs.3		\
+-	krb5_get_credentials.3			\
+-	krb5_get_creds.3			\
+-	krb5_get_forwarded_creds.3		\
+-	krb5_get_in_cred.3			\
+-	krb5_get_init_creds.3			\
+-	krb5_get_krbhst.3			\
+-	krb5_getportbyname.3			\
+-	krb5_init_context.3			\
+-	krb5_is_thread_safe.3			\
+-	krb5_krbhst_init.3			\
+-	krb5_mk_req.3				\
+-	krb5_mk_safe.3				\
+-	krb5_openlog.3				\
+-	krb5_parse_name.3			\
+-	krb5_principal.3			\
+-	krb5_rcache.3				\
+-	krb5_rd_error.3				\
+-	krb5_rd_safe.3				\
+-	krb5_set_default_realm.3		\
+-	krb5_set_password.3			\
+-	krb5_string_to_key.3			\
+-	krb5_timeofday.3			\
+-	krb5_verify_init_creds.3		\
+-	krb5_verify_user.3			\
+-	verify_krb5_conf.8
+-
+ dist_include_HEADERS = \
+ 	krb5.h \
+ 	$(srcdir)/krb5-protos.h \
+@@ -409,7 +360,6 @@
+ 	krb_err.et \
+ 	heim_err.et \
+ 	k524_err.et \
+-	$(man_MANS) \
+ 	version-script.map \
+ 	test_config_strings.cfg \
+ 	krb5.moduli
+diff -uNr heimdal-7.8.0/lib/roken/Makefile.am heimdal-7.8.0-patched/lib/roken/Makefile.am
+--- heimdal-7.8.0/lib/roken/Makefile.am	2022-09-16 01:54:19.000000000 +0200
++++ heimdal-7.8.0-patched/lib/roken/Makefile.am	2022-12-20 17:28:54.084761232 +0100
+@@ -209,8 +209,6 @@
+ rokenincludedir = $(includedir)/roken
+ nodist_rokeninclude_HEADERS = $(XHEADERS)
+ 
+-man_MANS = getarg.3 parse_time.3 rtbl.3 ecalloc.3
+-
+ SUFFIXES += .hin
+ .hin.h:
+ 	cp $< $@
+@@ -244,7 +242,6 @@
+ EXTRA_DIST = \
+ 	NTMakefile \
+ 	roken.awk roken.h.in \
+-	$(man_MANS) \
+ 	dirent.c \
+ 	dirent.hin \
+ 	dirent-test.c \
+diff -uNr heimdal-7.8.0/lib/sl/Makefile.am heimdal-7.8.0-patched/lib/sl/Makefile.am
+--- heimdal-7.8.0/lib/sl/Makefile.am	2022-09-16 01:54:19.000000000 +0200
++++ heimdal-7.8.0-patched/lib/sl/Makefile.am	2022-12-20 17:30:00.352598492 +0100
+@@ -25,7 +25,7 @@
+ 
+ # install these?
+ 
+-libexec_heimdal_PROGRAMS = slc
++noinst_PROGRAMS = slc
+ 
+ slc_SOURCES = slc-gram.y slc-lex.l slc.h
+ 
+diff -uNr heimdal-7.8.0/lib/wind/Makefile.am heimdal-7.8.0-patched/lib/wind/Makefile.am
+--- heimdal-7.8.0/lib/wind/Makefile.am	2022-11-15 18:14:35.000000000 +0100
++++ heimdal-7.8.0-patched/lib/wind/Makefile.am	2022-12-20 17:31:00.324451186 +0100
+@@ -83,12 +83,6 @@
+ 
+ $(test_punycode_OBJECTS): $(built_tests)
+ 
+-bin_PROGRAMS = idn-lookup
+-
+-idn_lookup_SOURCES = idn-lookup.c
+-
+-LDADD = libwind.la $(LIB_roken)
+-
+ if !MAINTAINER_MODE
+ skip_python = test -f $@ ||
+ endif
+diff -uNr heimdal-7.8.0/Makefile.am heimdal-7.8.0-patched/Makefile.am
+--- heimdal-7.8.0/Makefile.am	2022-09-16 01:54:19.000000000 +0200
++++ heimdal-7.8.0-patched/Makefile.am	2022-12-20 17:32:16.540264008 +0100
+@@ -2,12 +2,7 @@
+ 
+ include $(top_srcdir)/Makefile.am.common
+ 
+-if KCM
+-kcm_dir = kcm
+-endif
+-
+-SUBDIRS=  include lib kuser kdc admin kadmin kpasswd 
+-SUBDIRS+= $(kcm_dir) appl tools tests packages etc po
++SUBDIRS=  include lib kdc
+ 
+ if HEIMDAL_DOCUMENTATION
+ SUBDIRS+= doc

libheimdal.changes

@@ -0,0 +1,382 @@
+-------------------------------------------------------------------
+Thu Apr  6 13:26:58 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Add heimdal-CVE-2022-45142.patch: Fix logic inversion introduced
+  when fixing/backporting CVE-2022-3437 (CVE-2022-45142,
+  boo#1208992).
+
+-------------------------------------------------------------------
+Tue Jan 10 19:30:57 UTC 2023 - Marcus Meissner <meissner@suse.com>
+
+- replace libheimdal conflicts by obsoletes / provides to provide a
+  smooth update in the new libheimdal-devel.
+
+-------------------------------------------------------------------
+Wed Dec 21 09:53:45 UTC 2022 - enzokiel@kabelmail.de
+
+- Update to version 7.8.0
+  + This release includes both the Heimdal 7.7.1 Security
+    Vulnerability fixes and non-Security bug fixes/improvements.
+  + Security Vulnerabilities:
+    - CVE-2022-42898 PAC parse integer overflows
+    - CVE-2022-3437 Overflows and non-constant time leaks in
+      DES{,3} and arcfour
+    - CVE-2022-41916 Fix Unicode normalization read of 1 bytes past
+      end of array
+    - CVE-2021-44758 A null pointer de-reference DoS in SPNEGO
+      acceptors
+    - CVE-2021-3671 A null pointer de-reference when handling
+      missing sname in TGS-REQ
+    - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
+        Note that CVE-2022-44640 is a severe vulnerability,
+        possibly a 10.0 on the Common Vulnerability Scoring
+        System (CVSS) v3, as we believe it should be possible to
+        get an RCE on a KDC, which means that credentials can be
+        compromised that can be used to impersonate anyone in a
+        realm or forest of realms.
+        Heimdal's ASN.1 compiler generates code that allows
+        specially crafted DER encodings of CHOICEs to invoke the
+        wrong free function on the decoded structure upon decode
+        error. This is known to impact the Heimdal KDC, leading to
+        an invalid free() of an address partly or wholly under the
+        control of the attacker, in turn leading to a potential
+        remote code execution (RCE) vulnerability.
+        This error affects the DER codec for all extensible CHOICE
+        types used in Heimdal, though not all cases will be
+        exploitable. We have not completed a thorough analysis of
+        all the Heimdal components affected, thus the Kerberos
+        client, the X.509 library, and other parts, may be affected
+        as well.
+        This bug has been in Heimdal's ASN.1 compiler since 2005,
+        but it may only affect Heimdal 1.6 and up. It was first
+        reported by Douglas Bagnall, though it had been found
+        independently by the Heimdal maintainers via fuzzing a few
+        weeks earlier.
+        While no zero-day exploit is known, such an exploit will
+        likely be available soon after public disclosure.
+    - CVE-2019-14870: Validate client attributes in
+      protocol-transition
+    - CVE-2019-14870: Apply forwardable policy in
+      protocol-transition
+    - CVE-2019-14870: Always lookup impersonate client in DB
+  + Other changes:
+    - Bugs found by UBSAN (including the incorrect encoding of
+      unconstrained INTEGER value -1).
+    - Errors found by the LLVM scan-build static analyzer.
+    - Errors found by the valgrind memory debugger.
+    - Work around GCC Bug 95189 (memcmp wrongly stripped like
+      strcmp).
+    - Correct ASN.1 OID typo for SHA-384
+    - Fix a deadlock in in the MEMORY ccache type.
+    - TGS: strip forwardable and proxiable flags if the server is
+      disallowed.
+    - CVE-2019-14870: Validate client attributes in
+      protocol-transition
+    - CVE-2019-14870: Apply forwardable policy in
+      protocol-transition
+    - CVE-2019-14870: Always lookup impersonate client in DB
+    - Incremental HDB propagation improvements
+        Refactor send_diffs making it progressive
+        Handle partial writes on non-blocking sockets
+        Disable Nagle in iprop master and slave
+        Use async I/O
+        Don't send I_HAVE in response to AYT
+        Do not recover log in kadm5_get_principal()
+        Don't send diffs to slaves with not yet known version
+        Don't stutter in send_diffs
+    - Optional backwards-compatible anon-pkinit behavior
+- Removed heimdal-7.7.0-autoconf-2.70.patch, fixed upstream.
+
+-------------------------------------------------------------------
+Thu Jun 30 20:44:57 UTC 2022 - Antoine Belvire <antoine.belvire@opensuse.org>
+
+- Add ldconfig scriptlets.
+- Fix 'Conflicts:' tags.
+- Remove obsolete macros and conditionals.
+- Ran spec-cleaner.
+
+-------------------------------------------------------------------
+Tue Jun 28 18:47:19 UTC 2022 - Antoine Belvire <antoine.belvire@opensuse.org>
+
+- Add heimdal-7.7.0-autoconf-2.70.patch: Fix build with autoconf
+  2.70 (gh#heimdal/heimdal#856).
+
+-------------------------------------------------------------------
+Wed May 25 11:59:29 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
+
+- Apply Shared Library Packaging Policy and resolve rpmlint
+  errors like "libheimdal.x86_64: E: shlib-policy-name-error
+  SONAME: libasn1.so.8, expected package suffix: 8"
+
+-------------------------------------------------------------------
+Sun Jun 23 00:50:31 UTC 2019 - enzokiel@kabelmail.de
+
+- Update to version 7.7.0
+  + Bug fixes:
+    - PKCS#11 hcrypto back-end:
+      + initialize the p11_module_load function list
+      + verify that not only is a mechanism present but that its
+        mechanism info states that it offers the required
+        encryption, decryption or digest services
+    - krb5:
+      + Starting with 7.6, Heimdal permitted requesting
+        authenticated anonymous tickets. However, it did not
+        verify that a KDC in fact returned an anonymous ticket
+        when one was requested.
+      + Cease setting the KDCOption reaquest_anonymous flag when
+        issuing S4UProxy (constrained delegation) TGS requests.
+      + when the Win2K PKINIT compatibility option is set, do not
+        require krbtgt otherName to match when validating KDC
+        certificate.
+      + set PKINIT_BTMM flag per Apple implementation
+      + use memset_s() instead of memset()
+    - kdc:
+      + When generating KRB5SignedPath in the AS, use the reply
+        client name rather than the one from the request, so
+        validation will work correctly in the TGS.
+      + allow checksum of PA-FOR-USER to be HMAC_MD5. Even if TGT
+        used an enctype with a different checksum. Per [MS-SFU]
+        2.2.1 PA-FOR-USER the checksum is always HMAC_MD5, and
+        that's what Windows and MIT clients send.
+        In Heimdal both the client and kdc use instead the
+        checksum of the TGT, and therefore work with each other
+        but Windows and MIT clients fail against Heimdal KDC.
+        Both Windows and MIT KDC would allow any keyed checksum
+        to be used so Heimdal client work fine against it.
+        Change Heimdal KDC to allow HMAC_MD5 even for non RC4
+        based TGT in order to support per-spec clients.
+      + use memset_s() instead of memset()
+      + Detect Heimdal 1.0 through 7.6 clients that issue
+        S4UProxy (constrained delegation) TGS Requests with the
+        request anonymous flag set. These requests will be
+        treated as S4UProxy requests and not anonymous requests.
+    - HDB:
+      + Set SQLite3 backend default page size to 8KB.
+      + Add hdb_set_sync() method
+    - kadmind:
+      + disable HDB sync during database load avoiding
+        unnecessary disk i/o.
+    - ipropd:
+      + disable HDB sync during receive_everything. Doing an
+        fsync per-record when receiving the complete HDB is a
+        performance disaster. Among other things, if the HDB is
+        very large, then one slave receving a full HDB can cause
+        other slaves to timeout and, if HDB write activity is
+        high enough to cause iprop log truncation, then also need
+        full syncs, which leads to a cycle of full syncs for all
+        slaves until HDB write activity drops.
+        Allowing the iprop log to be larger helps, but improving
+        receive_everything() performance helps even more.
+    - kinit:
+      + Anonymous PKINIT tickets discard the realm information
+        used to locate the issuing AS. Store the issuing realm in
+        the credentials cache in order to locate a KDC which can
+        renew them.
+      + Do not leak the result of krb5_cc_get_config() when
+        determining anonymous PKINIT start realm.
+    - klist:
+      + Show transited-policy-checked, ok-as-delegate and
+        anonymous flags when listing credentials.
+    - tests:
+      + Regenerate certs so that they expire before the 2038
+        armageddon so the test suite will pass on 32-bit
+        operating systems until the underlying issues can be
+        resolved.
+    - Solaris:
+      + Define _STDC_C11_BCI for memset_s prototype
+    - build tooling:
+      + Convert from python 2 to python 3
+    - documentation:
+      + rename verify-password to verify-password-quality
+      + hprop default mode is encrypt
+      + kadmind "all" permission does not include "get-keys"
+      + verify-password-quality might not be stateless
+
+- Version 7.6.0
+  + Security (#555):
+    - CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed
+      checksum
+      When the Heimdal KDC checks the checksum that is placed on
+      the S4U2Self packet by the server to protect the requested
+      principal against modification, it does not confirm that
+      the checksum algorithm that protects the user name
+      (principal) in the request is keyed. This allows a
+      man-in-the-middle attacker who can intercept the request to
+      the KDC to modify the packet by replacing the user name
+      (principal) in the request with any desired user name
+      (principal) that exists in the KDC and replace the checksum
+      protecting that name with a CRC32 checksum (which requires
+      no prior knowledge to compute).
+      This would allow a S4U2Self ticket requested on behalf of
+      user name (principal) user@EXAMPLE.COM to any service to be
+      changed to a S4U2Self ticket with a user name (principal) of
+      Administrator@EXAMPLE.COM. This ticket would then contain
+      the PAC of the modified user name (principal).
+
+    - CVE-2019-12098, client-only:
+      RFC8062 Section 7 requires verification of the PA-PKINIT-KX
+      key exchange when anonymous PKINIT is used. Failure to do
+      so can permit an active attacker to become a
+      man-in-the-middle.
+  + Bug fixes:
+    - Happy eyeballs: Don't wait for responses from
+      known-unreachable KDCs.
+    - kdc:
+      + check return copy_Realm, copy_PrincipalName,
+        copy_EncryptionKey
+    - kinit:
+      + cleanup temporary ccaches
+      + see man page for "kinit --anonymous" command line syntax
+        change
+    - kdc:
+      + Make anonymous AS-requests more RFC8062-compliant.
+        Updated expired test certificates
+    - Solaris:
+      + PKCS#11 hcrypto backend broken since 7.0.1
+      + Building with Sun Pro C
+  + Features:
+    - kuser: support authenticated anonymous AS-REQs in kinit
+    - kdc: support for anonymous TGS-REQs
+    - kgetcred support for anonymous service tickets
+    - Support builds with OpenSSL 1.1.1
+- fixed heimdal-patched.diff and reproducible.patch
+
+-------------------------------------------------------------------
+Tue Aug  7 06:22:33 UTC 2018 - bwiedemann@suse.com
+
+- Add reproducible.patch to override build date (boo#1047218)
+- Use constant hostname (boo#1084909)
+
+-------------------------------------------------------------------
+Fri Dec 29 13:16:21 UTC 2017 - joerg.lorenzen@ki.tng.de
+
+- Update to version 7.5.0
+  - Security
+    - Fix CVE-2017-17439, which is a remote denial of service
+      vulnerability:
+      In Heimdal 7.1 through 7.4, remote unauthenticated attackers
+      are able to crash the KDC by sending a crafted UDP packet
+      containing empty data fields for client name or realm.
+  - Bug fixes
+    - Handle long input lines when reloading database dumps.
+    - In pre-forked mode (default on Unix), correctly clear the
+      process ids of exited children, allowing new child processes
+      to replace the old.
+    - Fixed incorrect KDC response when no-cross realm TGT exists,
+      allowing client requests to fail quickly rather than time
+      out after trying to get a correct answer from each KDC.
+- Fixed heimdal-patched.diff.
+- Removed Avoid_NULL_structure_pointer_member_dereference.patch,
+  fixed upstream.
+
+-------------------------------------------------------------------
+Thu Dec 07 15:17:23 UTC 2017 - joerg.lorenzen@ki.tng.de
+
+- Added Avoid_NULL_structure_pointer_member_dereference.patch,
+  fixes (bsc#1071675).
+
+-------------------------------------------------------------------
+Thu Aug 03 20:25:45 UTC 2017 - joerg.lorenzen@ki.tng.de
+
+- Update to version 7.4.0
+  - Security
+    - Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name
+      validation.
+      This is a critical vulnerability.
+      In _krb5_extract_ticket() the KDC-REP service name must be
+      obtained from encrypted version stored in 'enc_part' instead
+      of the unencrypted version stored in 'ticket'.
+      Use of the unecrypted version provides an opportunity for
+      successful server impersonation and other attacks.
+      Identified by Jeffrey Altman, Viktor Duchovni and
+      Nico Williams.
+      See https://www.orpheus-lyre.info/ for more details.
+- Fixed heimdal-patched.diff.
+
+-------------------------------------------------------------------
+Thu Jun 15 20:52:17 UTC 2017 - joerg.lorenzen@ki.tng.de
+
+- Update to version 7.3.0
+  - Security
+    + Fix transit path validation. Commit f469fc6 (2010-10-02)
+      inadvertently caused the previous hop realm to not be added
+      to the transit path of issued tickets. This may, in some
+      cases, enable bypass of capath policy in Heimdal versions 1.5
+      through 7.2.
+      Note, this may break sites that rely on the bug. With the bug
+      some incomplete [capaths] worked, that should not have.
+      These may now break authentication in some cross-realm
+      configurations. (CVE-2017-6594)
+- Version 7.2.0
+  - Bug fixes
+    + Portability improvements.
+    + More strict parsing of encoded URI components in HTTP KDC.
+    + Fixed memory leak in malloc error recovery in NTLM GSSAPI
+      mechanism.
+    + Avoid overly specific CPU info in krb5-config in aid of
+      reproducible builds.
+    + Don't do AFS string-to-key tests when feature is disabled.
+    + Skip mdb_stat test when the command is not available.
+    + Windows: update SHA2 timestamp server.
+    + hdb: add missing export 
+      hdb_generate_key_set_password_with_ks_tuple.
+    + Fix signature of hdb_generate_key_set_password().
+    + Windows: enable KX509 support in the KDC.
+    + kdc: fix kx509 service principal match.
+    + iprop: handle case where master sends nothing new.
+    + ipropd-slave: fix incorrect error codes.
+    + Allow choice of sqlite for HDB pref.
+    + check-iprop: don't fail to kill daemons.
+    + roken: pidfile -> rk_pidfile.
+    + kdc: _kdc_do_kx509 fix use after free error.
+    + Do not detect x32 as 64-bit platform.
+    + No sys/ttydefaults.h on CYGWIN.
+    + Fix check-iprop races.
+    + roken_detach_prep() close pipe.
+- Fixed heimdal-patched.diff.
+
+-------------------------------------------------------------------
+Thu Feb  2 01:44:35 UTC 2017 - jengelh@inai.de
+
+- Summary and RPM group update. Do a direct call to ldconfig
+  where possible.
+
+-------------------------------------------------------------------
+Sat Jan 07 22:57:23 UTC 2017 - joerg.lorenzen@ki.tng.de
+
+- Update to version 7.1.0
+- Removed heimdal-version-script-client.map.patch, fixed upstream.
+- Fixed heimdal-patched.diff.
+- Unfortunately there is no updated changelog file in tarball,
+  changes can be seen in source code version control systems
+  history log.
+
+-------------------------------------------------------------------
+Sat Sep 05 07:57:33 UTC 2015 - joerg.lorenzen@ki.tng.de
+
+- Added a patched instead of the original tarball because only
+  shared libraries will be build and source files of these (not to
+  be build) programs have problematic licenses.
+- Added script heimdal-patch-source.sh to sources.
+- Added patch heimdal-patched.diff that fixes configure.ac and
+  several Makefile.am files to successfully build patched source.
+- Removed unneeded dependencies in spec file for build.
+
+-------------------------------------------------------------------
+Wed Sep 02 08:04:33 UTC 2015 - joerg.lorenzen@ki.tng.de
+
+- Added Conflicts tags to spec file because devel package conflicts
+  with krb5-devel and krb5-mini-devel.
+
+-------------------------------------------------------------------
+Tue Sep 01 21:03:13 UTC 2015 - joerg.lorenzen@ki.tng.de
+
+- Some changes in spec file to enable build for SLES.
+
+-------------------------------------------------------------------
+Sun Aug 30 11:20:03 UTC 2015 - joerg.lorenzen@ki.tng.de
+
+- Initial package, version 1.6rc2
+- Added patch heimdal-version-script-client.map.patch to add file
+  version-script-client.map (File is present in git for tag 1.6rc2
+  but missing in tarball).

libheimdal.spec

@@ -0,0 +1,365 @@
+#
+# spec file for package libheimdal
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           libheimdal
+Version:        7.8.0
+Release:        0
+Summary:        The Heimdal implementation of the Kerberos 5 protocol
+License:        BSD-3-Clause
+Group:          Productivity/Networking/Security
+URL:            https://www.h5l.org
+# patched source can be created with script heimdal-patch-source.sh:
+# ./heimdal-patch-source.sh heimdal-%{version}.tar.gz
+Source0:        heimdal-%{version}-patched.tar.bz2
+Source2:        heimdal-patch-source.sh
+Patch0:         heimdal-patched.diff
+# PATCH-FIX-UPSTREAM bmwiedemann -- make build reproducible (boo#1047218)
+Patch1:         reproducible.patch
+# PATCH-FIX-UPSTREAM https://www.openwall.com/lists/oss-security/2023/02/08/1
+Patch2:         heimdal-CVE-2022-45142.patch
+BuildRequires:  automake >= 1.11
+BuildRequires:  bison
+BuildRequires:  db-devel >= 4.8
+BuildRequires:  flex
+BuildRequires:  libtool
+BuildRequires:  pam-devel
+BuildRequires:  pkgconfig
+BuildRequires:  readline-devel
+BuildRequires:  texinfo
+BuildRequires:  perl(JSON)
+BuildRequires:  pkgconfig(com_err)
+BuildRequires:  pkgconfig(ncurses) >= 5.3
+BuildRequires:  pkgconfig(sqlite3)
+
+%description
+Heimdal is an implementation of Kerberos 5 (and some more stuff) largely written
+in Sweden (which was important when we started writing it, less so now).
+It is freely available under a three clause BSD style license.
+
+Other free implementations include the one from MIT, and Shishi.
+Also Microsoft Windows and Sun's Java come with implementations of Kerberos.
+
+This package only provides libraries and devel files (binaries have been removed),
+libraries are required by 64-bit package of ICAClient version 13.2.
+
+%package -n libasn1-8
+Summary:        ASN.1 implementation from Heimdal Kerberos
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libasn1-8
+This package contains the ASN.1 parser required for Heimdal.
+
+%package -n libgssapi3
+Summary:        GSSAPI implementation from Heimdal Kerberos
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libgssapi3
+GSSAPI implementation from Heimdal.
+
+%package -n libhcrypto4
+Summary:        Cryptographic library from Heimdal Kerberos
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libhcrypto4
+This package contains the cryptographic library required for Heimdal.
+
+%package -n libhdb9
+Summary:        Heimdal database backend library
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libhdb9
+libhdb provides the backend support for Heimdal kdc and kadmind. Its
+here where plugins for diffrent database engines can be pluged in and
+extend support for here Heimdal get the principal and policy data
+from.
+
+Example of Heimdal backend are: Berkeley DB (BDB), NDB, LDAP.
+
+%package -n libheimbase1
+Summary:        Base library for Heimdal Kerberos
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libheimbase1
+This package contains the base library for Heimdal Kerberos.
+
+%package -n libheimedit0
+Summary:        libedit fork of the Heimdal Kerberos project
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libheimedit0
+libedit is a command line editing and history library. It is
+designed to be used by interactive programs that allow the user
+to type commands at a terminal prompt.
+
+%package -n libheimntlm0
+Summary:        NTLM implementation from Heimdal Kerberos
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libheimntlm0
+This package contains the NTLM support library from and for Heimdal Kerberos.
+
+%package -n libhx509-5
+Summary:        X.509 implementation from Heimdal Kerberos
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libhx509-5
+This package contains the X.509 support library from and for Heimdal Kerberos.
+
+%package -n libkadm5clnt7
+Summary:        Client library for Heimdal Kerberos
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libkadm5clnt7
+This package contains the client library for Heimdal's kadmin program.
+
+%package -n libkadm5srv8
+Summary:        Server library for Heimdal Kerberos
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libkadm5srv8
+This package contains the server library for Heimdal's kadmin program.
+
+%package -n libkafs0
+Summary:        KAFS support for Heimdal Kerberos
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libkafs0
+This package contains the library for supporting the in-kernel Andrew File System.
+
+%package -n libkdc2
+Summary:        Key Distribution Center library for Heimdal Kerberos
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libkdc2
+This package contains the KDC support library.
+
+%package -n libkrb5-26
+Summary:        Kerberos 5 API for Heimdal Kerberos
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libkrb5-26
+This package contains the Kerberos 5 library.
+
+%package -n libotp0
+Summary:        One Time Password library for Heimdal Kerberos
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libotp0
+This package contains the library for One Time Password support.
+
+%package -n libroken18
+Summary:        OS abstraction library for Heimdal Kerberos
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libroken18
+This package contains a library that wraps or adds utility functions
+missing from certain operating systems.
+
+%package -n libsl0
+Summary:        Implementation of a suggestion lister
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libsl0
+This package contains a library that suggests commands in a "did you
+mean" fashion.
+
+%package -n libwind0
+Summary:        An implementation of RFC 3454 (stringprep)
+Group:          System/Libraries
+Conflicts:      libheimdal < %{version}-%{release}
+
+%description -n libwind0
+This package contains an implementation of the stringprep library.
+
+%package devel
+Summary:        The Heimdal implementation of the Kerberos 5 protocol
+Group:          Development/Libraries/C and C++
+Requires:       db-devel >= 4.8
+Requires:       glibc-devel
+Requires:       libasn1-8 = %{version}-%{release}
+Requires:       libgssapi3 = %{version}-%{release}
+Requires:       libhcrypto4 = %{version}-%{release}
+Requires:       libhdb9 = %{version}-%{release}
+Requires:       libheimbase1 = %{version}-%{release}
+Requires:       libheimedit0 = %{version}-%{release}
+Requires:       libheimntlm0 = %{version}-%{release}
+Requires:       libhx509-5 = %{version}-%{release}
+Requires:       libkadm5clnt7 = %{version}-%{release}
+Requires:       libkadm5srv8 = %{version}-%{release}
+Requires:       libkafs0 = %{version}-%{release}
+Requires:       libkdc2 = %{version}-%{release}
+Requires:       libkrb5-26 = %{version}-%{release}
+Requires:       libotp0 = %{version}-%{release}
+Requires:       libroken18 = %{version}-%{release}
+Requires:       libsl0 = %{version}-%{release}
+Requires:       libwind0 = %{version}-%{release}
+Requires:       pkgconfig(com_err)
+Requires:       pkgconfig(ncurses) >= 5.3
+Requires:       pkgconfig(sqlite3)
+Conflicts:      krb5-devel
+Conflicts:      krb5-mini-devel
+Provides:       libheimdal = %{version}-%{release}
+Obsoletes:      libheimdal < %{version}-%{release}
+
+%description devel
+Heimdal is an implementation of Kerberos 5 (and some more stuff) largely written
+in Sweden (which was important when we started writing it, less so now).
+It is freely available under a three clause BSD style license.
+
+Other free implementations include the one from MIT, and Shishi.
+Also Microsoft Windows and Sun's Java come with implementations of Kerberos.
+
+This package only provides libraries and devel files (binaries have been removed),
+libraries are required by 64-bit package of ICAClient version 13.2.
+
+%prep
+%autosetup -p1 -n heimdal-%{version}
+
+%build
+export SOURCE_HOST=OBS # for reproducible builds (boo#1084909)
+autoreconf -fi
+%configure \
+  --with-sqlite3=%{_prefix}
+%make_build
+
+%install
+%make_install
+
+rm -rf %{buildroot}%{_libdir}/*.a
+find %{buildroot} -type f -name "*.la" -delete -print
+
+%post -p /sbin/ldconfig -n libasn1-8
+%postun -p /sbin/ldconfig -n libasn1-8
+%post -p /sbin/ldconfig -n libgssapi3
+%postun -p /sbin/ldconfig -n libgssapi3
+%post -p /sbin/ldconfig -n libhcrypto4
+%postun -p /sbin/ldconfig -n libhcrypto4
+%post -p /sbin/ldconfig -n libhdb9
+%postun -p /sbin/ldconfig -n libhdb9
+%post -p /sbin/ldconfig -n libheimbase1
+%postun -p /sbin/ldconfig -n libheimbase1
+%post -p /sbin/ldconfig -n libheimedit0
+%postun -p /sbin/ldconfig -n libheimedit0
+%post -p /sbin/ldconfig -n libheimntlm0
+%postun -p /sbin/ldconfig -n libheimntlm0
+%post -p /sbin/ldconfig -n libhx509-5
+%postun -p /sbin/ldconfig -n libhx509-5
+%post -p /sbin/ldconfig -n libkadm5clnt7
+%postun -p /sbin/ldconfig -n libkadm5clnt7
+%post -p /sbin/ldconfig -n libkadm5srv8
+%postun -p /sbin/ldconfig -n libkadm5srv8
+%post -p /sbin/ldconfig -n libkafs0
+%postun -p /sbin/ldconfig -n libkafs0
+%post -p /sbin/ldconfig -n libkdc2
+%postun -p /sbin/ldconfig -n libkdc2
+%post -p /sbin/ldconfig -n libkrb5-26
+%postun -p /sbin/ldconfig -n libkrb5-26
+%post -p /sbin/ldconfig -n libotp0
+%postun -p /sbin/ldconfig -n libotp0
+%post -p /sbin/ldconfig -n libroken18
+%postun -p /sbin/ldconfig -n libroken18
+%post -p /sbin/ldconfig -n libsl0
+%postun -p /sbin/ldconfig -n libsl0
+%post -p /sbin/ldconfig -n libwind0
+%postun -p /sbin/ldconfig -n libwind0
+
+%files -n libasn1-8
+%{_libdir}/libasn1.so.8*
+
+%files -n libgssapi3
+%{_libdir}/libgssapi.so.3*
+
+%files -n libhcrypto4
+%{_libdir}/libhcrypto.so.4*
+
+%files -n libhdb9
+%{_libdir}/libhdb.so.9*
+
+%files -n libheimbase1
+%{_libdir}/libheimbase.so.1*
+
+%files -n libheimedit0
+%{_libdir}/libheimedit.so.0*
+
+%files -n libheimntlm0
+%{_libdir}/libheimntlm.so.0*
+
+%files -n libhx509-5
+%{_libdir}/libhx509.so.5*
+
+%files -n libkadm5clnt7
+%{_libdir}/libkadm5clnt.so.7*
+
+%files -n libkadm5srv8
+%{_libdir}/libkadm5srv.so.8*
+
+%files -n libkafs0
+%{_libdir}/libkafs.so.0*
+
+%files -n libkdc2
+%{_libdir}/libkdc.so.2*
+
+%files -n libkrb5-26
+%{_libdir}/libkrb5.so.26*
+
+%files -n libotp0
+%{_libdir}/libotp.so.0*
+
+%files -n libroken18
+%{_libdir}/libroken.so.18*
+
+%files -n libsl0
+%{_libdir}/libsl.so.0*
+
+%files -n libwind0
+%{_libdir}/libwind.so.0*
+
+%files devel
+%license LICENSE
+%doc NEWS README TODO
+%{_includedir}/*.h
+%dir %{_includedir}/gssapi
+%{_includedir}/gssapi/*.h
+%dir %{_includedir}/hcrypto
+%{_includedir}/hcrypto/*.h
+%dir %{_includedir}/kadm5
+%{_includedir}/kadm5/*.h
+%dir %{_includedir}/krb5
+%{_includedir}/krb5/*.h
+%dir %{_includedir}/roken
+%{_includedir}/roken/*.h
+%{_libdir}/*.so
+%{_infodir}/*.info%{?ext_info}
+
+%changelog

reproducible.patch

@@ -0,0 +1,108 @@
+--- heimdal-7.8.0-patched/Makefile.am.orig	2022-12-20 17:40:01.919051445 +0100
++++ heimdal-7.8.0-patched/Makefile.am	2022-12-20 17:40:01.927051422 +0100
+@@ -45,7 +45,6 @@
+ 	cf/krb-prog-yacc.m4 \
+ 	cf/krb-sys-aix.m4 \
+ 	cf/krb-sys-nextstep.m4 \
+-	cf/krb-version.m4 \
+ 	cf/roken.m4 \
+ 	cf/valgrind-suppressions \
+ 	cf/maybe-valgrind.sh \
+--- heimdal-7.8.0-patched/cf/krb-version.m4	2022-09-16 01:54:19.000000000 +0200
++++ /dev/null	2022-12-20 16:43:58.646784977 +0100
+@@ -1,24 +0,0 @@
+-dnl $Id$
+-dnl
+-dnl
+-dnl output a C header-file with some version strings
+-dnl
+-
+-AC_DEFUN([AC_KRB_VERSION],[
+-cat > include/newversion.h.in <<FOOBAR
+-const char *${PACKAGE_TARNAME}_long_version = "@(#)\$Version: $PACKAGE_STRING by @USER@ on @HOST@ ($host) @DATE@ \$";
+-const char *${PACKAGE_TARNAME}_version = "$PACKAGE_STRING";
+-FOOBAR
+-
+-if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
+-	echo "include/version.h is unchanged"
+-	rm -f include/newversion.h.in
+-else
+- 	echo "creating include/version.h"
+- 	User=${USER-${LOGNAME}}
+- 	Host=`(hostname || uname -n) 2>/dev/null | sed 1q`
+- 	Date=`date`
+-	mv -f include/newversion.h.in include/version.h.in
+-	sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h
+-fi
+-])
+--- heimdal-7.8.0-patched/configure.ac.orig	2022-12-20 17:47:29.421826289 +0100
++++ heimdal-7.8.0-patched/configure.ac	2022-12-20 17:47:29.437826248 +0100
+@@ -627,22 +627,63 @@
+ dnl This is the release version name-number[beta]
+ dnl
+ 
+-cat > include/newversion.h.in <<EOF
++if test -d "$srcdir/.git"; then
++    cat > include/newversion.h.in <<EOF
++#ifndef VERSION_HIDDEN
++#define VERSION_HIDDEN
++#endif
++VERSION_HIDDEN const char *heimdal_long_version = "@([#])\$Version: $PACKAGE_STRING by @USER@ on @HOST@ @BRANCH@ @TAG@ ($host) @COMMIT@ @DATE@ \$";
++VERSION_HIDDEN const char *heimdal_version = "AC_PACKAGE_STRING";
++EOF
++else
++    cat > include/newversion.h.in <<EOF
+ #ifndef VERSION_HIDDEN
+ #define VERSION_HIDDEN
+ #endif
+ VERSION_HIDDEN const char *heimdal_long_version = "@([#])\$Version: $PACKAGE_STRING by @USER@ on @HOST@ ($host) @DATE@ \$";
+ VERSION_HIDDEN const char *heimdal_version = "AC_PACKAGE_STRING";
+ EOF
++fi
+ 
+ if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
+ 	echo "include/version.h is unchanged"
+ 	rm -f include/newversion.h.in
+ else
+  	echo "creating include/version.h"
+- 	User=${USER-${LOGNAME}}
+- 	Host=`(hostname || uname -n || echo unknown) 2>/dev/null | sed 1q`
+- 	Date=`date`
++        if test -n "$SOURCE_DATE_EPOCH"; then
++            Date=`date -u -d "@$SOURCE_DATE_EPOCH" "+%Y-%m-%dT%H:%M:%SZ"`
++        else
++            Date=`date -u "+%Y-%m-%dT%H:%M:%SZ"`
++        fi
++        if test -n "$SOURCE_HOST"; then
++            Host=$SOURCE_HOST
++        else
++            Host=`uname -n`
++        fi
++        if test -n "$SOURCE_USER"; then
++            User=$SOURCE_USER
++        else
++            User=${USER:-${LOGNAME:-`id -nu`}}
++        fi
++        if test -d "$srcdir/.git"; then
++            GitCommit=`git rev-parse HEAD`
++            GitBranch=`git rev-parse --abbrev-ref HEAD`
++            if test "x$GitBranch" = master; then
++                GitDesc=`git describe --all --dirty`
++            else
++                GitDesc=`git describe --tags --match 'heimdal-*' --dirty`
++            fi
++        else
++            GitCommit='<commit-unknown>'
++            GitBranch='<branch-unknown>'
++            GitDesc='<tag-unknown>'
++        fi
+ 	mv -f include/newversion.h.in include/version.h.in
+-	sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h
++	sed -e "s/@HOST@/$Host/" \
++            -e "s;@USER@;$User;" \
++            -e "s;@DATE@;$Date;" \
++            -e "s;@BRANCH@;$GitBranch;" \
++            -e "s;@TAG@;$GitDesc;" \
++            -e "s;@COMMIT@;$GitCommit;" \
++            include/version.h.in > include/version.h
+ fi