pool/krb5
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 280033 from network

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/280033
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=107
This commit is contained in:
Dominique Leuenberger 2015-01-08 22:01:05 +00:00 committed by Git OBS Bridge
commit 823f9c3d3d
15 changed files with 253 additions and 454 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
bnc#897874-CVE-2014-5351.diff
View File

@ -1,49 +0,0 @@
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 5d358bd..d4e74cc 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -344,6 +344,20 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
*passptr = NULL;
}
+/* Return the number of keys with the newest kvno. Assumes that all key data
+ * with the newest kvno are at the front of the key data array. */
+static int
+count_new_keys(int n_key_data, krb5_key_data *key_data)
+{
+ int n;
+
+ for (n = 1; n < n_key_data; n++) {
+ if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno)
+ return n;
+ }
+ return n_key_data;
+}
+
kadm5_ret_t
kadm5_create_principal(void *server_handle,
kadm5_principal_ent_t entry, long mask,
@@ -1593,7 +1607,7 @@ kadm5_randkey_principal_3(void *server_handle,
osa_princ_ent_rec adb;
krb5_int32 now;
kadm5_policy_ent_rec pol;
- int ret, last_pwd;
+ int ret, last_pwd, n_new_keys;
krb5_boolean have_pol = FALSE;
kadm5_server_handle_t handle = server_handle;
krb5_keyblock *act_mkey;
@@ -1686,8 +1700,9 @@ kadm5_randkey_principal_3(void *server_handle,
kdb->fail_auth_count = 0;
if (keyblocks) {
- ret = decrypt_key_data(handle->context,
- kdb->n_key_data, kdb->key_data,
+ /* Return only the new keys added by krb5_dbe_crk. */
+ n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data);
+ ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data,
keyblocks, n_keys);
if (ret)
goto done;
--
1.8.5.2

34
krb5-1.10-kpasswd_tcp.patch
View File

@ -1,34 +0,0 @@
Fall back to TCP on kdc-unresolvable/unreachable errors. We still have
to wait for UDP to fail, so this might not be ideal. RT #5868.
Index: krb5-1.10.2/src/lib/krb5/os/changepw.c
===================================================================
--- krb5-1.10.2.orig/src/lib/krb5/os/changepw.c
+++ krb5-1.10.2/src/lib/krb5/os/changepw.c
@@ -274,10 +274,22 @@ change_set_password(krb5_context context
&callback_info, &chpw_rep, ss2sa(&remote_addr),
&addrlen, NULL, NULL, NULL);
if (code) {
- /*
- * Here we may want to switch to TCP on some errors.
- * right?
- */
+ /* if we're not using a stream socket, and it's an error which
+ * might reasonably be specific to a datagram "connection", try
+ * again with a stream socket */
+ if (!use_tcp) {
+ switch (code) {
+ case KRB5_KDC_UNREACH:
+ case KRB5_REALM_CANT_RESOLVE:
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
+ /* should we do this for more result codes than these? */
+ k5_free_serverlist (&sl);
+ use_tcp = 1;
+ continue;
+ default:
+ break;
+ }
+ }
break;
}

53
krb5-1.10-ksu-access.patch
View File

@ -1,53 +0,0 @@
The idea is to not complain about problems in the default ticket file if we
couldn't read it, because the client would be able to tell if it's there or
not, and we're implicitly letting the client tell us where it is. Still needs
work, I think.
Index: krb5-1.11.1/src/clients/ksu/ccache.c
===================================================================
--- krb5-1.11.1.orig/src/clients/ksu/ccache.c
+++ krb5-1.11.1/src/clients/ksu/ccache.c
@@ -77,7 +77,7 @@ krb5_error_code krb5_ccache_copy (contex
cc_def_name = krb5_cc_get_name(context, cc_def);
cc_other_name = krb5_cc_get_name(context, *cc_other);
- if ( ! stat(cc_def_name, &st_temp)){
+ if ( ! access(cc_def_name, R_OK) && ! stat(cc_def_name, &st_temp)){
if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
return retval;
}
Index: krb5-1.11.1/src/clients/ksu/heuristic.c
===================================================================
--- krb5-1.11.1.orig/src/clients/ksu/heuristic.c
+++ krb5-1.11.1/src/clients/ksu/heuristic.c
@@ -409,7 +409,7 @@ krb5_error_code find_either_ticket (cont
cc_source_name = krb5_cc_get_name(context, cc);
- if ( ! stat(cc_source_name, &st_temp)){
+ if ( ! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)){
retval = find_ticket(context, cc, client, end_server, &temp_found);
if (retval)
@@ -569,7 +569,7 @@ krb5_error_code get_best_princ_for_targe
cc_source_name = krb5_cc_get_name(context, cc_source);
- if (! stat(cc_source_name, &st_temp)) {
+ if (! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)) {
retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
if (retval)
return retval;
Index: krb5-1.11.1/src/clients/ksu/main.c
===================================================================
--- krb5-1.11.1.orig/src/clients/ksu/main.c
+++ krb5-1.11.1/src/clients/ksu/main.c
@@ -271,7 +271,7 @@ main (argc, argv)
if ( strchr(cc_source_tag, ':')){
cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
- if( stat( cc_source_tag_tmp, &st_temp)){
+ if( access( cc_source_tag_tmp, F_OK | R_OK) || stat( cc_source_tag_tmp, &st_temp)){
com_err(prog_name, errno,
_("while looking for credentials file %s"),
cc_source_tag_tmp);

32
krb5-1.12-doxygen.patch
View File

@ -1,32 +0,0 @@
commit b7a4d695263f1a5b7fe72b1eadce4acdc3f0490b
From: Ben Kaduk <kaduk@mit.edu>
Date: Thu Aug 28 17:54:39 2014 -0400
Subject: Map .hin files to the C language for doxygen
Upstream: Committed
References: https://github.com/krb5/krb5/commit/b7a4d695263f1a5b7fe72b1eadce4acdc3f0490b https://github.com/krb5/krb5/pull/198
Doxygen 1.8.8 is unhappy with the generated Doxyfile, and does not
handle krb5.hin in the expected fashion (as a C header). Work
around this issue by explicitly specifying that files with the
.hin extension are to be treated as C language files.
Fixes the following build failure with doxygen 1.8.8:
[ 326s] cp rst_apiref/*.rst rst_composite/appdev/refs/api
[ 326s] cp: cannot stat 'rst_apiref/*.rst': No such file or directory
[ 326s] Makefile:692: recipe for target 'composite' failed
[ 326s] make: *** [composite] Error 1
diff --git a/src/doc/Doxyfile.in b/src/doc/Doxyfile.in
index 2082b6d..c225864 100644
--- a/src/doc/Doxyfile.in
+++ b/src/doc/Doxyfile.in
@@ -4,6 +4,7 @@ JAVADOC_AUTOBRIEF = YES
OPTIMIZE_OUTPUT_FOR_C = YES
WARN_IF_UNDOCUMENTED = NO
SHOW_FILES = NO
+EXTENSION_MAPPING = hin=C
INPUT = @SRC@/include/krb5/krb5.hin @DOC@/doxy_examples
EXAMPLE_PATH = @DOC@/doxy_examples
GENERATE_HTML = NO
lines 1-28/28 (END)

56
krb5-1.12-pam.patch
View File

@ -11,10 +11,9 @@ When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges.
diff -Naur krb5/src/aclocal.m4 krb5/src/aclocal.m4
--- krb5/src/aclocal.m4 2014-01-13 17:12:47.509022000 +0100
+++ krb5/src/aclocal.m4 2014-01-13 17:13:24.552689000 +0100
@@ -1668,3 +1668,70 @@
--- krb5-1.13.orig/src/aclocal.m4
+++ krb5-1.13/src/aclocal.m4
@@ -1671,3 +1671,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
]))
])dnl
dnl
@ -85,9 +84,8 @@ diff -Naur krb5/src/aclocal.m4 krb5/src/aclocal.m4
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
diff -Naur krb5/src/clients/ksu/main.c krb5/src/clients/ksu/main.c
--- krb5/src/clients/ksu/main.c 2014-01-13 17:12:44.864970000 +0100
+++ krb5/src/clients/ksu/main.c 2014-01-13 17:13:24.563692000 +0100
--- krb5-1.13.orig/src/clients/ksu/main.c
+++ krb5-1.13/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu
*/
@ -107,15 +105,15 @@ diff -Naur krb5/src/clients/ksu/main.c krb5/src/clients/ksu/main.c
/* globals */
char * prog_name;
int auth_debug =0;
@@ -40,6 +45,7 @@
@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN];
char k5users_path[MAXPATHLEN];
char * gb_err = NULL;
int quiet = 0;
+int force_fork = 0;
/***********/
#define _DEF_CSH "/bin/csh"
@@ -584,6 +590,25 @@
#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
@@ -519,6 +525,25 @@ main (argc, argv)
prog_name,target_user,client_name,
source_user,ontty());
@ -141,8 +139,8 @@ diff -Naur krb5/src/clients/ksu/main.c krb5/src/clients/ksu/main.c
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for "
@@ -648,6 +673,26 @@
sweep_up(ksu_context, cc_target);
@@ -587,6 +612,26 @@ main (argc, argv)
com_err(prog_name,retval, _("while calling cc_filter"));
exit(1);
}
+#ifdef USE_PAM
@ -167,8 +165,8 @@ diff -Naur krb5/src/clients/ksu/main.c krb5/src/clients/ksu/main.c
+#endif
}
if( some_rest_copy){
@@ -717,6 +762,32 @@
if (all_rest_copy){
@@ -636,6 +681,32 @@ main (argc, argv)
exit(1);
}
@ -201,7 +199,7 @@ diff -Naur krb5/src/clients/ksu/main.c krb5/src/clients/ksu/main.c
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
@@ -789,7 +860,7 @@
@@ -733,7 +804,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]);
}
@ -210,7 +208,7 @@ diff -Naur krb5/src/clients/ksu/main.c krb5/src/clients/ksu/main.c
execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target);
@@ -819,16 +890,35 @@
@@ -763,16 +834,35 @@ main (argc, argv)
if (ret_pid == -1) {
com_err(prog_name, errno, _("while calling waitpid"));
}
@ -247,10 +245,9 @@ diff -Naur krb5/src/clients/ksu/main.c krb5/src/clients/ksu/main.c
exit (1);
}
}
diff -Naur krb5/src/clients/ksu/Makefile.in krb5/src/clients/ksu/Makefile.in
--- krb5/src/clients/ksu/Makefile.in 2014-01-13 17:12:44.868981000 +0100
+++ krb5/src/clients/ksu/Makefile.in 2014-01-13 17:13:24.580690000 +0100
@@ -3,12 +3,14 @@
--- krb5-1.13.orig/src/clients/ksu/Makefile.in
+++ krb5-1.13/src/clients/ksu/Makefile.in
@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
KSU_LIBS=@KSU_LIBS@
@ -265,7 +262,7 @@ diff -Naur krb5/src/clients/ksu/Makefile.in krb5/src/clients/ksu/Makefile.in
$(srcdir)/heuristic.c \
$(srcdir)/xmalloc.c \
$(srcdir)/setenv.c
@@ -17,13 +19,17 @@
@@ -17,13 +19,17 @@ OBJS = \
ccache.o \
authorization.o \
main.o \
@ -284,9 +281,8 @@ diff -Naur krb5/src/clients/ksu/Makefile.in krb5/src/clients/ksu/Makefile.in
clean::
$(RM) ksu
diff -Naur krb5/src/clients/ksu/pam.c krb5/src/clients/ksu/pam.c
--- krb5/src/clients/ksu/pam.c 1970-01-01 01:00:00.000000000 +0100
+++ krb5/src/clients/ksu/pam.c 2014-01-13 17:13:24.589692000 +0100
--- /dev/null
+++ krb5-1.13/src/clients/ksu/pam.c
@@ -0,0 +1,389 @@
+/*
+ * src/clients/ksu/pam.c
@ -677,9 +673,8 @@ diff -Naur krb5/src/clients/ksu/pam.c krb5/src/clients/ksu/pam.c
+ return ret;
+}
+#endif
diff -Naur krb5/src/clients/ksu/pam.h krb5/src/clients/ksu/pam.h
--- krb5/src/clients/ksu/pam.h 1970-01-01 01:00:00.000000000 +0100
+++ krb5/src/clients/ksu/pam.h 2014-01-13 17:13:24.595690000 +0100
--- /dev/null
+++ krb5-1.13/src/clients/ksu/pam.h
@@ -0,0 +1,57 @@
+/*
+ * src/clients/ksu/pam.h
@ -738,10 +733,9 @@ diff -Naur krb5/src/clients/ksu/pam.h krb5/src/clients/ksu/pam.h
+int appl_pam_cred_init(void);
+void appl_pam_cleanup(void);
+#endif
diff -Naur krb5/src/configure.in krb5/src/configure.in
--- krb5/src/configure.in 2014-01-13 17:12:48.401059000 +0100
+++ krb5/src/configure.in 2014-01-13 17:13:24.603693000 +0100
@@ -1281,6 +1281,8 @@
--- krb5-1.13.orig/src/configure.in
+++ krb5-1.13/src/configure.in
@@ -1285,6 +1285,8 @@ AC_SUBST([VERTO_VERSION])
AC_PATH_PROG(GROFF, groff)

257
krb5-1.12-selinux-label.patch
View File

@ -31,9 +31,9 @@ The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
--- krb5/src/aclocal.m4
+++ krb5/src/aclocal.m4
@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag)
--- krb5-1.13.orig/src/aclocal.m4
+++ krb5-1.13/src/aclocal.m4
@@ -87,6 +87,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl
KRB5_AC_PRAGMA_WEAK_REF
WITH_LDAP
@ -41,7 +41,7 @@ which we used earlier, is some improvement.
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1791,3 +1792,51 @@ AC_SUBST(manlocalstatedir)
@@ -1738,3 +1739,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
@ -93,9 +93,9 @@ which we used earlier, is some improvement.
+LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS)
+])dnl
--- krb5/src/config/pre.in
+++ krb5/src/config/pre.in
@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@
--- krb5-1.13.orig/src/config/pre.in
+++ krb5-1.13/src/config/pre.in
@@ -174,6 +174,7 @@ LD = $(PURE) @LD@
KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
LDFLAGS = @LDFLAGS@
LIBS = @LIBS@
@ -103,7 +103,7 @@ which we used earlier, is some improvement.
INSTALL=@INSTALL@
INSTALL_STRIP=
@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
@@ -394,7 +395,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
@ -112,9 +112,9 @@ which we used earlier, is some improvement.
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on Mac OS X!
--- krb5/src/configure.in
+++ krb5/src/configure.in
@@ -1053,6 +1053,8 @@ fi
--- krb5-1.13.orig/src/configure.in
+++ krb5-1.13/src/configure.in
@@ -1287,6 +1287,8 @@ AC_PATH_PROG(GROFF, groff)
KRB5_WITH_PAM
@ -123,18 +123,18 @@ which we used earlier, is some improvement.
# Make localedir work in autoconf 2.5x.
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
--- krb5/src/include/k5-int.h
+++ krb5/src/include/k5-int.h
@@ -133,6 +133,7 @@ typedef unsigned char u_char;
typedef UINT64_TYPE krb5_ui_8;
typedef INT64_TYPE krb5_int64;
--- krb5-1.13.orig/src/include/k5-int.h
+++ krb5-1.13/src/include/k5-int.h
@@ -127,6 +127,7 @@ typedef unsigned char u_char;
#endif /* HAVE_SYS_TYPES_H */
#endif /* KRB5_SYSTYPES__ */
+#include "k5-label.h"
#define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */
#define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */
--- krb5/src/include/k5-label.h
+++ krb5/src/include/k5-label.h
#include "k5-platform.h"
--- /dev/null
+++ krb5-1.13/src/include/k5-label.h
@@ -0,0 +1,32 @@
+#ifndef _KRB5_LABEL_H
+#define _KRB5_LABEL_H
@ -168,8 +168,8 @@ which we used earlier, is some improvement.
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
+#endif
+#endif
--- krb5/src/include/krb5/krb5.hin
+++ krb5/src/include/krb5/krb5.hin
--- krb5-1.13.orig/src/include/krb5/krb5.hin
+++ krb5-1.13/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
@ -183,9 +183,9 @@ which we used earlier, is some improvement.
#define KRB5_OLD_CRYPTO
#include <stdlib.h>
--- krb5/src/kadmin/dbutil/dump.c
+++ krb5/src/kadmin/dbutil/dump.c
@@ -376,12 +376,21 @@ create_ofile(char *ofile, char **tmpname
--- krb5-1.13.orig/src/kadmin/dbutil/dump.c
+++ krb5-1.13/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname
{
int fd = -1;
FILE *f;
@ -207,7 +207,7 @@ which we used earlier, is some improvement.
if (fd == -1)
goto error;
@@ -514,7 +514,7 @@ prep_ok_file(krb5_context context, char
@@ -194,7 +203,7 @@ prep_ok_file(krb5_context context, char
return 0;
}
@ -216,9 +216,9 @@ which we used earlier, is some improvement.
if (*fd == -1) {
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
exit_status++;
--- krb5/src/build-tools/krb5-config.in
+++ krb5/src/build-tools/krb5-config.in
@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
--- krb5-1.13.orig/src/build-tools/krb5-config.in
+++ krb5-1.13/src/build-tools/krb5-config.in
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
DEFCCNAME='@DEFCCNAME@'
DEFKTNAME='@DEFKTNAME@'
DEFCKTNAME='@DEFCKTNAME@'
@ -226,7 +226,7 @@ which we used earlier, is some improvement.
LIBS='@LIBS@'
GEN_LIB=@GEN_LIB@
@@ -218,7 +219,7 @@
@@ -262,7 +263,7 @@ if test -n "$do_libs"; then
fi
# If we ever support a flag to generate output suitable for static
@ -235,9 +235,9 @@ which we used earlier, is some improvement.
# here.
echo $lib_flags
--- krb5/src/lib/kadm5/logger.c
+++ krb5/src/lib/kadm5/logger.c
@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch
--- krb5-1.13.orig/src/lib/kadm5/logger.c
+++ krb5-1.13/src/lib/kadm5/logger.c
@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, ch
* Check for append/overwrite, then open the file.
*/
if (cp[4] == ':' || cp[4] == '=') {
@ -246,7 +246,7 @@ which we used earlier, is some improvement.
if (f) {
set_cloexec_file(f);
log_control.log_entries[i].lfu_filep = f;
@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext)
@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext)
* In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs.
*/
@ -255,9 +255,9 @@ which we used earlier, is some improvement.
if (f) {
set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f;
--- krb5/src/lib/krb5/keytab/kt_file.c
+++ krb5/src/lib/krb5/keytab/kt_file.c
@@ -1050,7 +1050,7 @@ krb5_ktfileint_open(krb5_context context
--- krb5-1.13.orig/src/lib/krb5/keytab/kt_file.c
+++ krb5-1.13/src/lib/krb5/keytab/kt_file.c
@@ -1024,7 +1024,7 @@ krb5_ktfileint_open(krb5_context context
KTCHECKLOCK(id);
errno = 0;
@ -266,7 +266,7 @@ which we used earlier, is some improvement.
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
fopen_mode_rbplus : fopen_mode_rb);
if (!KTFILEP(id)) {
@@ -1058,7 +1058,7 @@ krb5_ktfileint_open(krb5_context context
@@ -1032,7 +1032,7 @@ krb5_ktfileint_open(krb5_context context
/* try making it first time around */
k5_create_secure_file(context, KTFILENAME(id));
errno = 0;
@ -275,9 +275,9 @@ which we used earlier, is some improvement.
if (!KTFILEP(id))
goto report_errno;
writevno = 1;
--- krb5/src/plugins/kdb/db2/adb_openclose.c
+++ krb5/src/plugins/kdb/db2/adb_openclose.c
@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
--- krb5-1.13.orig/src/plugins/kdb/db2/adb_openclose.c
+++ krb5-1.13/src/plugins/kdb/db2/adb_openclose.c
@@ -147,7 +147,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
* POSIX systems
*/
lockp->lockinfo.filename = strdup(lockfilename);
@ -286,11 +286,11 @@ which we used earlier, is some improvement.
/*
* maybe someone took away write permission so we could only
* get shared locks?
--- krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c
--- krb5-1.13.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ krb5-1.13/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
#include "k5-platform.h" /* mkstemp? */
#include <string.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
@ -305,8 +305,8 @@ which we used earlier, is some improvement.
goto err;
} else {
--- krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
--- krb5-1.13.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ krb5-1.13/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
#include <assert.h>
#endif
@ -324,9 +324,9 @@ which we used earlier, is some improvement.
RETURN_ERROR(errno, error0);
(void)fcntl(hashp->fp, F_SETFD, 1);
}
--- krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -179,7 +179,7 @@ done:
--- krb5-1.13.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ krb5-1.13/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -178,7 +178,7 @@ done:
/* set password in the file */
old_mode = umask(0177);
@ -335,7 +335,7 @@ which we used earlier, is some improvement.
if (pfile == NULL) {
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
strerror (errno));
@@ -220,6 +220,9 @@ done:
@@ -219,6 +219,9 @@ done:
* Delete the existing entry and add the new entry
*/
FILE *newfile;
@ -345,7 +345,7 @@ which we used earlier, is some improvement.
mode_t omask;
@@ -231,7 +234,13 @@ done:
@@ -230,7 +233,13 @@ done:
}
omask = umask(077);
@ -359,36 +359,8 @@ which we used earlier, is some improvement.
umask (omask);
if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file);
--- krb5/src/slave/kpropd.c
+++ krb5/src/slave/kpropd.c
@@ -437,6 +437,9 @@ void doit(fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN+1];
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
signal_wrapper(SIGALRM, alarm_handler);
alarm(params.iprop_resync_timeout);
@@ -515,9 +518,15 @@ void doit(fd)
free(name);
exit(1);
}
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(file);
+#endif
omask = umask(077);
lock_fd = open(temp_file_name, O_RDWR|O_CREAT, 0600);
(void) umask(omask);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
retval = krb5_lock_file(kpropd_context, lock_fd,
KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK);
if (retval) {
--- krb5/src/util/profile/prof_file.c
+++ krb5/src/util/profile/prof_file.c
--- krb5-1.13.orig/src/util/profile/prof_file.c
+++ krb5-1.13/src/util/profile/prof_file.c
@@ -30,6 +30,7 @@
#endif
@ -397,7 +369,7 @@ which we used earlier, is some improvement.
struct global_shared_profile_data {
/* This is the head of the global list of shared trees */
@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_
@@ -411,7 +412,7 @@ static errcode_t write_data_to_file(prf_
errno = 0;
@ -406,9 +378,9 @@ which we used earlier, is some improvement.
if (!f) {
retval = errno;
if (retval == 0)
--- krb5/src/util/support/Makefile.in
+++ krb5/src/util/support/Makefile.in
@@ -54,6 +54,7 @@ IPC_SYMS= \
--- krb5-1.13.orig/src/util/support/Makefile.in
+++ krb5-1.13/src/util/support/Makefile.in
@@ -59,6 +59,7 @@ IPC_SYMS= \
STLIBOBJS= \
threads.o \
@ -416,7 +388,7 @@ which we used earlier, is some improvement.
init-addrinfo.o \
plugins.o \
errors.o \
@@ -108,7 +109,7 @@ SRCS=\
@@ -131,7 +132,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
@ -425,8 +397,8 @@ which we used earlier, is some improvement.
DEPLIBS=
--- krb5/src/util/support/selinux.c
+++ krb5/src/util/support/selinux.c
--- /dev/null
+++ krb5-1.13/src/util/support/selinux.c
@@ -0,0 +1,381 @@
+/*
+ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved.
@ -809,9 +781,9 @@ which we used earlier, is some improvement.
+}
+
+#endif
--- krb5/src/lib/krb5/rcache/rc_dfl.c
+++ krb5/src/lib/krb5/rcache/rc_dfl.c
@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
--- krb5-1.13.orig/src/lib/krb5/rcache/rc_dfl.c
+++ krb5-1.13/src/lib/krb5/rcache/rc_dfl.c
@@ -794,6 +794,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
@ -821,7 +793,7 @@ which we used earlier, is some improvement.
if (! t->recovering) {
name = t->name;
@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
@@ -815,7 +818,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
@ -839,9 +811,9 @@ which we used earlier, is some improvement.
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
--- krb5/src/lib/krb5/ccache/cc_dir.c
+++ krb5/src/lib/krb5/ccache/cc_dir.c
@@ -185,10 +185,19 @@ write_primary_file(const char *primary_p
--- krb5-1.13.orig/src/lib/krb5/ccache/cc_dir.c
+++ krb5-1.13/src/lib/krb5/ccache/cc_dir.c
@@ -183,10 +183,19 @@ write_primary_file(const char *primary_p
char *newpath = NULL;
FILE *fp = NULL;
int fd = -1, status;
@ -861,7 +833,7 @@ which we used earlier, is some improvement.
if (fd < 0)
goto cleanup;
#ifdef HAVE_CHMOD
@@ -223,10 +232,23 @@
@@ -221,10 +230,23 @@ static krb5_error_code
verify_dir(krb5_context context, const char *dirname)
{
struct stat st;
@ -884,12 +856,12 @@ which we used earlier, is some improvement.
+ if (status == 0)
+ return 0;
+ }
krb5_set_error_message(context, KRB5_FCC_NOFILE,
_("Credential cache directory %s does not "
"exist"), dirname);
--- krb5/src/lib/krb5/os/trace.c
+++ krb5/src/lib/krb5/os/trace.c
@@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con
k5_setmsg(context, KRB5_FCC_NOFILE,
_("Credential cache directory %s does not exist"),
dirname);
--- krb5-1.13.orig/src/lib/krb5/os/trace.c
+++ krb5-1.13/src/lib/krb5/os/trace.c
@@ -397,7 +397,7 @@ krb5_set_trace_filename(krb5_context con
fd = malloc(sizeof(*fd));
if (fd == NULL)
return ENOMEM;
@ -898,9 +870,9 @@ which we used earlier, is some improvement.
if (*fd == -1) {
free(fd);
return errno;
--- krb5/src/plugins/kdb/db2/kdb_db2.c
+++ krb5/src/plugins/kdb/db2/kdb_db2.c
@@ -683,8 +683,8 @@
--- krb5-1.13.orig/src/plugins/kdb/db2/kdb_db2.c
+++ krb5-1.13/src/plugins/kdb/db2/kdb_db2.c
@@ -695,8 +695,8 @@ ctx_create_db(krb5_context context, krb5
if (retval)
return retval;
@ -911,9 +883,9 @@ which we used earlier, is some improvement.
if (dbc->db_lf_file < 0) {
retval = errno;
goto cleanup;
--- krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@
--- krb5-1.13.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ krb5-1.13/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
#include <stdio.h>
#include <unistd.h>
@ -921,7 +893,7 @@ which we used earlier, is some improvement.
#include "db-int.h"
#include "recno.h"
@@ -68,7 +69,8 @@
@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo,
int rfd = -1, sverrno;
/* Open the user's file -- if this fails, we're done. */
@ -931,9 +903,9 @@ which we used earlier, is some improvement.
return (NULL);
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
--- krb5/src/kdc/main.c
+++ krb5/src/kdc/main.c
@@ -905,7 +905,7 @@ write_pid_file(const char *path)
--- krb5-1.13.orig/src/kdc/main.c
+++ krb5-1.13/src/kdc/main.c
@@ -847,7 +847,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
@ -942,20 +914,9 @@ which we used earlier, is some improvement.
if (file == NULL)
return errno;
pid = (unsigned long) getpid();
--- krb5/src/lib/kdb/kdb_log.c
+++ krb5/src/lib/kdb/kdb_log.c
@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha
if (caller == FKPROPLOG)
return errno;
- ulogfd = open(logname, O_RDWR | O_CREAT, 0600);
+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
if (ulogfd == -1)
return errno;
--- krb5/src/util/gss-kernel-lib/Makefile.in
+++ krb5/src/util/gss-kernel-lib/Makefile.in
@@ -60,6 +60,7 @@ HEADERS= \
--- krb5-1.13.orig/src/util/gss-kernel-lib/Makefile.in
+++ krb5-1.13/src/util/gss-kernel-lib/Makefile.in
@@ -61,6 +61,7 @@ HEADERS= \
gssapi_err_generic.h \
k5-int.h \
k5-int-pkinit.h \
@ -963,7 +924,7 @@ which we used earlier, is some improvement.
k5-thread.h \
k5-platform.h \
k5-buf.h \
@@ -166,10 +167,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_
@@ -162,10 +163,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_
$(CP) $(GSS_GENERIC)/gssapi_generic.h $@
gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
@ -977,3 +938,43 @@ which we used earlier, is some improvement.
k5-thread.h: $(INCLUDE)/k5-thread.h
$(CP) $(INCLUDE)/k5-thread.h $@
k5-platform.h: $(INCLUDE)/k5-platform.h
--- krb5-1.13.orig/src/lib/kdb/kdb_log.c
+++ krb5-1.13/src/lib/kdb/kdb_log.c
@@ -464,7 +464,7 @@ ulog_map(krb5_context context, const cha
if (extend_file_to(ulogfd, filesize) < 0)
return errno;
} else {
- ulogfd = open(logname, O_RDWR, 0600);
+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
if (ulogfd == -1)
return errno;
}
--- krb5-1.13.orig/src/slave/kpropd.c
+++ krb5-1.13/src/slave/kpropd.c
@@ -460,7 +460,9 @@ doit(int fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN + 1];
-
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
signal_wrapper(SIGALRM, alarm_handler);
alarm(params.iprop_resync_timeout);
fromlen = sizeof(from);
@@ -516,9 +518,15 @@ doit(int fd)
free(name);
exit(1);
}
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(file);
+#endif
omask = umask(077);
lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600);
(void)umask(omask);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
retval = krb5_lock_file(kpropd_context, lock_fd,
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
if (retval) {

3
krb5-1.12.2.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b9229d0593ebd30ec0f845b449a83c20fec220bfa424b66f4a61850df34ce0a0
size 11981162

56
krb5-1.13-work-around-replay-cache-creation-race.patch
View File

@ -1,56 +0,0 @@
From 99e08376c14240e2141c6fa9289fafab8245c754 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 17 Sep 2014 10:45:28 -0400
Subject: [PATCH] Work around replay cache creation race
If two processes try to initialize the same replay cache at the same
time, krb5_rc_io_creat can race between unlink and open, leading to a
KRB5_RC_IO_PERM error. When this happens, make the losing process
retry so that it can continue.
This does not solve the replay cache creation race, nor is that the
only replay cache race issue. It simply prevents the race from
causing a spurious failure.
(cherry picked from commit c61e8c0c6ad5fda8d23dd896c4aed0ac5b470020)
ticket: 3498
version_fixed: 1.13
status: resolved
---
src/lib/krb5/rcache/rc_io.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/lib/krb5/rcache/rc_io.c b/src/lib/krb5/rcache/rc_io.c
index 7e3b7e9..b9859fe 100644
--- a/src/lib/krb5/rcache/rc_io.c
+++ b/src/lib/krb5/rcache/rc_io.c
@@ -158,7 +158,7 @@ krb5_rc_io_creat(krb5_context context, krb5_rc_iostuff *d, char **fn)
{
krb5_int16 rc_vno = htons(KRB5_RC_VNO);
krb5_error_code retval = 0;
- int do_not_unlink = 0;
+ int flags, do_not_unlink = 0;
char *dir;
size_t dirlen;
@@ -166,9 +166,13 @@ krb5_rc_io_creat(krb5_context context, krb5_rc_iostuff *d, char **fn)
if (fn && *fn) {
if (asprintf(&d->fn, "%s%s%s", dir, PATH_SEPARATOR, *fn) < 0)
return KRB5_RC_IO_MALLOC;
- unlink(d->fn);
- d->fd = THREEPARAMOPEN(d->fn, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL |
- O_BINARY, 0600);
+ d->fd = -1;
+ do {
+ if (unlink(d->fn) == -1 && errno != ENOENT)
+ break;
+ flags = O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY;
+ d->fd = THREEPARAMOPEN(d->fn, flags, 0600);
+ } while (d->fd == -1 && errno == EEXIST);
} else {
retval = krb5_rc_io_mkstemp(context, d, dir);
if (retval)
--
1.8.4.5

3
krb5-1.13.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a687dac857146d59a1c4283862e328717ee1aafb08a7d22eace9ef9af842c3b3
size 12078302

10
krb5-1.7-doublelog.patch
View File

@ -5,13 +5,11 @@ because we built with --sysconfdir=/etc. RT#3277
src/include/Makefile.in | 2 ++
1 file changed, 2 insertions(+)
Index: krb5-1.12.2/src/include/Makefile.in
===================================================================
--- krb5-1.12.2.orig/src/include/Makefile.in 2014-08-30 23:08:41.000000000 +0100
+++ krb5-1.12.2/src/include/Makefile.in 2014-08-30 23:09:04.000000000 +0100
@@ -68,6 +68,8 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
-e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
--- krb5-1.13.orig/src/include/Makefile.in
+++ krb5-1.13/src/include/Makefile.in
@@ -70,6 +70,8 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
-e 's+@RUNSTATEDIR+$(RUNSTATEDIR)+' \
-e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \

30
krb5-1.9-kprop-mktemp.patch
View File

@ -1,30 +0,0 @@
Use an in-memory ccache to silence a compiler warning, for RT#6414.
Index: krb5-1.11/src/slave/kprop.c
===================================================================
--- krb5-1.11.orig/src/slave/kprop.c
+++ krb5-1.11/src/slave/kprop.c
@@ -202,9 +202,8 @@ void PRS(argc, argv)
void get_tickets(context)
krb5_context context;
{
- char buf[BUFSIZ], *def_realm;
+ char buf[] = "MEMORY:_kproptkt", *def_realm;
krb5_error_code retval;
- static char tkstring[] = "/tmp/kproptktXXXXXX";
krb5_keytab keytab = NULL;
/*
@@ -229,11 +228,8 @@ void get_tickets(context)
#endif
/*
- * Initialize cache file which we're going to be using
+ * Initialize an in-memory cache for temporary use
*/
- (void) mktemp(tkstring);
- snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
-
retval = krb5_cc_resolve(context, buf, &ccache);
if (retval) {
com_err(progname, retval, _("while opening credential cache %s"), buf);

36
krb5-mini.changes
View File

@ -1,3 +1,39 @@
-------------------------------------------------------------------
Tue Jan 6 07:20:54 UTC 2015 - mlin@suse.com
- Update to krb5 1.13
* Add support for accessing KDCs via an HTTPS proxy server using the
MS-KKDCP protocol.
* Add support for hierarchical incremental propagation, where slaves
can act as intermediates between an upstream master and other downstream
slaves.
* Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf
files in addition to /etc/gss/mech.
* Add support to the LDAP KDB module for binding to the LDAP server using
SASL.
* The KDC listens for TCP connections by default.
* Fix a minor key disclosure vulnerability where using the "keepold" option
to the kadmin randkey operation could return the old keys. [CVE-2014-5351]
* Add client support for the Kerberos Cache Manager protocol. If the host
is running a Heimdal kcm daemon, caches served by the daemon can be
accessed with the KCM: cache type.
* When built on OS X 10.7 and higher, use "KCM:" as the default cache type,
unless overridden by command-line options or krb5-config values.
* Add support for doing unlocked database dumps for the DB2 KDC back end,
which would allow the KDC and kadmind to continue accessing the database
during lengthy database dumps.
- Removed patches, useless or upstreamed
* krb5-1.9-kprop-mktemp.patch
* krb5-1.10-ksu-access.patch
* krb5-1.12-doxygen.patch
* bnc#897874-CVE-2014-5351.diff
* krb5-1.13-work-around-replay-cache-creation-race.patch
* krb5-1.10-kpasswd_tcp.patch
- Refreshed patches
* krb5-1.12-pam.patch
* krb5-1.12-selinux-label.patch
* krb5-1.7-doublelog.patch
-------------------------------------------------------------------
Sat Aug 30 22:29:28 UTC 2014 - andreas.stieger@gmx.de

22
krb5-mini.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package krb5-mini
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
%define build_mini 1
%define srcRoot krb5-1.12.2
%define srcRoot krb5-1.13
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.12.2
Version: 1.13
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
@ -72,17 +72,13 @@ Patch1: krb5-1.12-pam.patch
Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.12-buildconf.patch
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch5: krb5-1.10-kpasswd_tcp.patch
Patch6: krb5-1.6.3-ktutil-manpage.dif
Patch7: krb5-1.7-doublelog.patch
Patch8: krb5-1.12-api.patch
Patch9: krb5-1.9-kprop-mktemp.patch
Patch10: krb5-1.10-ksu-access.patch
Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Patch14: krb5-kvno-230379.patch
Patch20: krb5-1.12-doxygen.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@ -192,17 +188,13 @@ Include Files for Development
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p0
%patch14 -p1
%patch20 -p1
%build
# needs to be re-generated
@ -276,6 +268,7 @@ mkdir -p %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
@ -471,8 +464,6 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
%{_includedir}/*
/usr/lib/mit/bin/krb5-config
/usr/lib/mit/sbin/krb5-send-pr
/usr/lib/mit/share/gnats
%{_mandir}/man1/krb5-send-pr.1*
%{_mandir}/man1/krb5-config.1*
%{_datadir}/aclocal/ac_check_krb5.m4
@ -487,6 +478,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/libkrb5
%dir %{_libdir}/krb5/plugins/tls
%dir %{_localstatedir}/lib/kerberos/
%dir %{_localstatedir}/lib/kerberos/krb5kdc
%dir %{_localstatedir}/lib/kerberos/krb5
@ -522,6 +514,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
%{_libdir}/libverto.so.*
%{_libdir}/libkrad.so.*
%{_libdir}/krb5/plugins/kdb/*
%{_libdir}/krb5/plugins/tls/*
#/usr/lib/mit/sbin/*
/usr/lib/mit/sbin/kadmin.local
/usr/lib/mit/sbin/kadmind
@ -578,6 +571,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/libkrb5
%dir %{_libdir}/krb5/plugins/tls
# add log directory
%attr(0700,root,root) %dir /var/log/krb5
%doc %{krb5docdir}/README
@ -617,6 +611,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/tls
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
@ -635,6 +630,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/uuserver
%{_libdir}/krb5/plugins/kdb/db2.so
%{_libdir}/krb5/plugins/tls/*.so
%{_mandir}/man5/kdc.conf.5*
%{_mandir}/man5/kadm5.acl.5*
%{_mandir}/man8/kadmind.8*

36
krb5.changes
View File

@ -1,3 +1,39 @@
-------------------------------------------------------------------
Tue Jan 6 07:12:29 UTC 2015 - mlin@suse.com
- Update to krb5 1.13
* Add support for accessing KDCs via an HTTPS proxy server using the
MS-KKDCP protocol.
* Add support for hierarchical incremental propagation, where slaves
can act as intermediates between an upstream master and other downstream
slaves.
* Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf
files in addition to /etc/gss/mech.
* Add support to the LDAP KDB module for binding to the LDAP server using
SASL.
* The KDC listens for TCP connections by default.
* Fix a minor key disclosure vulnerability where using the "keepold" option
to the kadmin randkey operation could return the old keys. [CVE-2014-5351]
* Add client support for the Kerberos Cache Manager protocol. If the host
is running a Heimdal kcm daemon, caches served by the daemon can be
accessed with the KCM: cache type.
* When built on OS X 10.7 and higher, use "KCM:" as the default cache type,
unless overridden by command-line options or krb5-config values.
* Add support for doing unlocked database dumps for the DB2 KDC back end,
which would allow the KDC and kadmind to continue accessing the database
during lengthy database dumps.
- Removed patches, useless or upstreamed
* krb5-1.9-kprop-mktemp.patch
* krb5-1.10-ksu-access.patch
* krb5-1.12-doxygen.patch
* bnc#897874-CVE-2014-5351.diff
* krb5-1.13-work-around-replay-cache-creation-race.patch
* krb5-1.10-kpasswd_tcp.patch
- Refreshed patches
* krb5-1.12-pam.patch
* krb5-1.12-selinux-label.patch
* krb5-1.7-doublelog.patch
-------------------------------------------------------------------
Thu Sep 25 12:48:32 UTC 2014 - ddiss@suse.com

26
krb5.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package krb5
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
%define build_mini 0
%define srcRoot krb5-1.12.2
%define srcRoot krb5-1.13
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.12.2
Version: 1.13
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
@ -72,19 +72,13 @@ Patch1: krb5-1.12-pam.patch
Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.12-buildconf.patch
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch5: krb5-1.10-kpasswd_tcp.patch
Patch6: krb5-1.6.3-ktutil-manpage.dif
Patch7: krb5-1.7-doublelog.patch
Patch8: krb5-1.12-api.patch
Patch9: krb5-1.9-kprop-mktemp.patch
Patch10: krb5-1.10-ksu-access.patch
Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Patch14: krb5-kvno-230379.patch
Patch20: krb5-1.12-doxygen.patch
Patch21: bnc#897874-CVE-2014-5351.diff
Patch22: krb5-1.13-work-around-replay-cache-creation-race.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@ -194,19 +188,13 @@ Include Files for Development
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p0
%patch14 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%build
# needs to be re-generated
@ -280,6 +268,7 @@ mkdir -p %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
@ -475,8 +464,6 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
%{_includedir}/*
/usr/lib/mit/bin/krb5-config
/usr/lib/mit/sbin/krb5-send-pr
/usr/lib/mit/share/gnats
%{_mandir}/man1/krb5-send-pr.1*
%{_mandir}/man1/krb5-config.1*
%{_datadir}/aclocal/ac_check_krb5.m4
@ -491,6 +478,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/libkrb5
%dir %{_libdir}/krb5/plugins/tls
%dir %{_localstatedir}/lib/kerberos/
%dir %{_localstatedir}/lib/kerberos/krb5kdc
%dir %{_localstatedir}/lib/kerberos/krb5
@ -526,6 +514,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
%{_libdir}/libverto.so.*
%{_libdir}/libkrad.so.*
%{_libdir}/krb5/plugins/kdb/*
%{_libdir}/krb5/plugins/tls/*
#/usr/lib/mit/sbin/*
/usr/lib/mit/sbin/kadmin.local
/usr/lib/mit/sbin/kadmind
@ -582,6 +571,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/libkrb5
%dir %{_libdir}/krb5/plugins/tls
# add log directory
%attr(0700,root,root) %dir /var/log/krb5
%doc %{krb5docdir}/README
@ -621,6 +611,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/tls
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
@ -639,6 +630,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/uuserver
%{_libdir}/krb5/plugins/kdb/db2.so
%{_libdir}/krb5/plugins/tls/*.so
%{_mandir}/man5/kdc.conf.5*
%{_mandir}/man5/kadm5.acl.5*
%{_mandir}/man8/kadmind.8*