From 84f939323f492bf73c39d0847e95f883d028aba9920a68fd690b62021dd0df73 Mon Sep 17 00:00:00 2001 
From: Michael Calmer Date: Wed, 6 Jun 2012 14:55:51 +0000 Subject: [PATCH] - update to version 1.10.2 obsolete patches: * krb5-1.7-nodeplibs.patch * krb5-1.9.1-ai_addrconfig.patch * krb5-1.9.1-ai_addrconfig2.patch * krb5-1.9.1-sendto_poll.patch * krb5-1.9-canonicalize-fallback.patch * krb5-1.9-paren.patch * krb5-klist_s.patch * krb5-pkinit-cms2.patch * krb5-trunk-chpw-err.patch * krb5-trunk-gss_delete_sec.patch * krb5-trunk-kadmin-oldproto.patch * krb5-1.9-MITKRB5-SA-2011-006.dif * krb5-1.9-gss_display_status-iakerb.patch * krb5-1.9.1-sendto_poll2.patch * krb5-1.9.1-sendto_poll3.patch * krb5-1.9-MITKRB5-SA-2011-007.dif - Fix an interop issue with Windows Server 2008 R2 Read-Only Domain Controllers. - Update a workaround for a glibc bug that would cause DNS PTR queries to occur even when rdns = false. - Fix a kadmind denial of service issue (null pointer dereference), which could only be triggered by an administrator with the "create" privilege. [CVE-2012-1013] - Fix access controls for KDB string attributes [CVE-2012-1012] - Make the ASN.1 encoding of key version numbers interoperate with Windows Read-Only Domain Controllers - Avoid generating spurious password expiry warnings in cases where the KDC sends an account expiry time without a password expiry time OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=65 --- krb5-1.10-buildconf.patch | 60 ++ krb5-1.10-gcc47.patch | 12 + ...d_tcp.patch => krb5-1.10-kpasswd_tcp.patch | 20 +- ...bel.patch => krb5-1.10-selinux-label.patch | 378 ++++++----- krb5-1.10.2.tar.bz2 | 3 + krb5-1.6.3-gssapi_improve_errormessages.dif | 8 +- krb5-1.7-doublelog.patch | 20 +- krb5-1.7-nodeplibs.patch | 21 - krb5-1.8-api.patch | 11 +- krb5-1.8-manpaths.txt | 1 + krb5-1.8-pam.patch | 61 +- krb5-1.9-MITKRB5-SA-2011-006.dif | 75 --- krb5-1.9-MITKRB5-SA-2011-007.dif | 42 -- krb5-1.9-buildconf.patch | 38 -- krb5-1.9-canonicalize-fallback.patch | 61 -- krb5-1.9-gss_display_status-iakerb.patch | 14 - 
krb5-1.9-kprop-mktemp.patch | 10 +- krb5-1.9-manpaths.dif | 113 ++-- krb5-1.9-paren.patch | 13 - krb5-1.9.1-ai_addrconfig.patch | 30 - krb5-1.9.1-ai_addrconfig2.patch | 122 ---- krb5-1.9.1-sendto_poll.patch | 624 ------------------ krb5-1.9.1-sendto_poll2.patch | 22 - krb5-1.9.1-sendto_poll3.patch | 18 - krb5-1.9.1.tar.bz2 | 3 - krb5-doc.spec | 5 +- krb5-klist_s.patch | 29 - krb5-mini.changes | 59 +- krb5-mini.spec | 60 +- krb5-pkinit-cms2.patch | 290 -------- krb5-trunk-chpw-err.patch | 24 - krb5-trunk-gss_delete_sec.patch | 27 - krb5-trunk-kadmin-oldproto.patch | 39 -- krb5.changes | 45 ++ krb5.spec | 55 +- 35 files changed, 564 insertions(+), 1849 deletions(-) create mode 100644 krb5-1.10-buildconf.patch create mode 100644 krb5-1.10-gcc47.patch rename krb5-1.6.3-kpasswd_tcp.patch => krb5-1.10-kpasswd_tcp.patch (66%) rename krb5-1.9-selinux-label.patch => krb5-1.10-selinux-label.patch (73%) create mode 100644 krb5-1.10.2.tar.bz2 delete mode 100644 krb5-1.7-nodeplibs.patch delete mode 100644 krb5-1.9-MITKRB5-SA-2011-006.dif delete mode 100644 krb5-1.9-MITKRB5-SA-2011-007.dif delete mode 100644 krb5-1.9-buildconf.patch delete mode 100644 krb5-1.9-canonicalize-fallback.patch delete mode 100644 krb5-1.9-gss_display_status-iakerb.patch delete mode 100644 krb5-1.9-paren.patch delete mode 100644 krb5-1.9.1-ai_addrconfig.patch delete mode 100644 krb5-1.9.1-ai_addrconfig2.patch delete mode 100644 krb5-1.9.1-sendto_poll.patch delete mode 100644 krb5-1.9.1-sendto_poll2.patch delete mode 100644 krb5-1.9.1-sendto_poll3.patch delete mode 100644 krb5-1.9.1.tar.bz2 delete mode 100644 krb5-klist_s.patch delete mode 100644 krb5-pkinit-cms2.patch delete mode 100644 krb5-trunk-chpw-err.patch delete mode 100644 krb5-trunk-gss_delete_sec.patch delete mode 100644 krb5-trunk-kadmin-oldproto.patch diff --git a/krb5-1.10-buildconf.patch b/krb5-1.10-buildconf.patch new file mode 100644 index 0000000..d7f5ed9 --- /dev/null +++ b/krb5-1.10-buildconf.patch 
@@ -0,0 +1,60 @@ +Build binaries in this package as RELRO PIEs, libraries as partial RELRO, +and install shared libraries with the execute bit set on them. Prune out +the -L/usr/lib* and PIE flags where they might leak out and affect +apps which just want to link with the libraries. FIXME: needs to check and +not just assume that the compiler supports using these flags. + +Index: krb5-1.10.2/src/config/shlib.conf +=================================================================== +--- krb5-1.10.2.orig/src/config/shlib.conf ++++ krb5-1.10.2/src/config/shlib.conf +@@ -419,7 +419,7 @@ mips-*-netbsd*) + SHLIBEXT=.so + # Linux ld doesn't default to stuffing the SONAME field... + # Use objdump -x to examine the fields of the library +- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined' ++ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro' + # + LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@' + SHLIB_EXPORT_FILE_DEP=binutils.versions +@@ -430,7 +430,8 @@ mips-*-netbsd*) + SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' + PROFFLAGS=-pg + PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' +- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' ++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)' ++ INSTALL_SHLIB='${INSTALL} -m755' + CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' + CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' + CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' +Index: krb5-1.10.2/src/krb5-config.in +=================================================================== +--- krb5-1.10.2.orig/src/krb5-config.in ++++ krb5-1.10.2/src/krb5-config.in +@@ -189,6 +189,13 @@ if test -n "$do_libs"; then + -e 
's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ + -e 's#\$(CFLAGS)##'` + ++ if test `dirname $libdir` = /usr ; then ++ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"` ++ fi ++ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"` ++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"` ++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"` ++ + if test $library = 'kdb'; then + lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" + library=krb5 +Index: krb5-1.10.2/src/config/pre.in +=================================================================== +--- krb5-1.10.2.orig/src/config/pre.in ++++ krb5-1.10.2/src/config/pre.in +@@ -190,7 +190,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST + INSTALL_SCRIPT=@INSTALL_PROGRAM@ + INSTALL_DATA=@INSTALL_DATA@ + INSTALL_SHLIB=@INSTALL_SHLIB@ +-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root ++INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 + ## This is needed because autoconf will sometimes define @exec_prefix@ to be + ## ${prefix}. + prefix=@prefix@ diff --git a/krb5-1.10-gcc47.patch b/krb5-1.10-gcc47.patch new file mode 100644 index 0000000..5831fba --- /dev/null +++ b/krb5-1.10-gcc47.patch @@ -0,0 +1,12 @@ +This file also triggers the maybe-uninitialized warning/error. RT#7080 + +--- src/lib/krb5/krb/x-deltat.y ++++ src/lib/krb5/krb/x-deltat.y +@@ -44,6 +44,7 @@ + #ifdef __GNUC__ + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wuninitialized" ++#pragma GCC diagnostic ignored "-Wmaybe-uninitialized" + #endif + + #include diff --git a/krb5-1.6.3-kpasswd_tcp.patch b/krb5-1.10-kpasswd_tcp.patch similarity index 66% rename from krb5-1.6.3-kpasswd_tcp.patch rename to krb5-1.10-kpasswd_tcp.patch index 4b10fc7..c4948ea 100644 --- a/krb5-1.6.3-kpasswd_tcp.patch +++ b/krb5-1.10-kpasswd_tcp.patch 
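Review bot: The two `sed` expressions added to krb5-config.in in this hunk, `s#-L$libdir##` and `s#$RPATH_FLAG$libdir##`, delete an unanchored substring, so with `libdir=/usr/lib` a `-L/usr/lib64` token in `$lib_flags` would be truncated to `64` rather than left intact, and `s#-pie##g` likewise removes `-pie` from the inside of any longer token. Matching on a whole word closes that: pipe `"$lib_flags "` (trailing space appended) through `s#-L$libdir ##` and `s#$RPATH_FLAG$libdir ##`, and let the later `echo $lib_flags` normalise the spare whitespace. The hardening itself matches the header text — `-Wl,-z,relro` on `LDCOMBINE` gives libraries partial RELRO while `-pie -Wl,-z,relro -Wl,-z,now` on `CC_LINK_SHARED` gives executables full RELRO — but `-pie` at link time presumes objects compiled with `-fPIE`, which this hunk does not add and which presumably arrives via the package CFLAGS (the `s#-fPIE##g` filter suggests so); the header's own FIXME that flag support is assumed rather than probed still applies. Dropping `-o root` from `INSTALL_SETUID` lets a non-root build install the 4755 file, so final ownership has to come from the package metadata rather than from `install`.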
@@ -1,14 +1,14 @@ Fall back to TCP on kdc-unresolvable/unreachable errors. We still have to wait for UDP to fail, so this might not be ideal. RT #5868. -Index: src/lib/krb5/os/changepw.c +Index: krb5-1.10.2/src/lib/krb5/os/changepw.c =================================================================== ---- src/lib/krb5/os/changepw.c.orig -+++ src/lib/krb5/os/changepw.c -@@ -282,10 +282,22 @@ change_set_password(krb5_context context - NULL - ))) { - +--- krb5-1.10.2.orig/src/lib/krb5/os/changepw.c ++++ krb5-1.10.2/src/lib/krb5/os/changepw.c +@@ -274,10 +274,22 @@ change_set_password(krb5_context context + &callback_info, &chpw_rep, ss2sa(&remote_addr), + &addrlen, NULL, NULL, NULL); + if (code) { - /* - * Here we may want to switch to TCP on some errors. - * right? @@ -16,14 +16,14 @@ Index: src/lib/krb5/os/changepw.c + /* if we're not using a stream socket, and it's an error which + * might reasonably be specific to a datagram "connection", try + * again with a stream socket */ -+ if (!useTcp) { ++ if (!use_tcp) { + switch (code) { + case KRB5_KDC_UNREACH: + case KRB5_REALM_CANT_RESOLVE: + case KRB5KRB_ERR_RESPONSE_TOO_BIG: + /* should we do this for more result codes than these? */ -+ krb5int_free_addrlist (&al); -+ useTcp = 1; ++ k5_free_serverlist (&sl); ++ use_tcp = 1; + continue; + default: + break; diff --git a/krb5-1.9-selinux-label.patch b/krb5-1.10-selinux-label.patch similarity index 73% rename from krb5-1.9-selinux-label.patch rename to krb5-1.10-selinux-label.patch index 2ddb34b..bf9a9f0 100644 --- a/krb5-1.9-selinux-label.patch +++ b/krb5-1.10-selinux-label.patch 
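Review bot: The ported fallback calls `k5_free_serverlist (&sl)` and then `continue`s, so the next pass of the enclosing loop (which starts and ends outside this hunk) must rebuild `sl` before it is used again; the 1.9 version freed `al` the same way, but the 1.10 server-list handling is not visible here, so please confirm the loop re-resolves the list on every iteration rather than reusing the freed one. Because `use_tcp` is set before the `continue` and the whole block is guarded by `if (!use_tcp)`, the switch can happen at most once; a comment stating that, e.g. `/* retry once over TCP; use_tcp guards against looping */`, would help the next porter. The renames from `krb5int_free_addrlist`/`useTcp` to `k5_free_serverlist`/`use_tcp` presumably track the 1.10 changepw.c locals and deserve a line in the patch header.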
@@ -31,11 +31,11 @@ The selabel APIs for looking up the context should be thread-safe (per Red Hat #273081), so switching to using them instead of matchpathcon(), which we used earlier, is some improvement. -Index: krb5-1.9.1/src/aclocal.m4 +Index: krb5-1.10.2/src/aclocal.m4 =================================================================== ---- krb5-1.9.1.orig/src/aclocal.m4 -+++ krb5-1.9.1/src/aclocal.m4 -@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag) +--- krb5-1.10.2.orig/src/aclocal.m4 ++++ krb5-1.10.2/src/aclocal.m4 +@@ -84,6 +84,7 @@ AC_SUBST_FILE(libnodeps_frag) dnl KRB5_AC_PRAGMA_WEAK_REF WITH_LDAP @@ -43,7 +43,7 @@ Index: krb5-1.9.1/src/aclocal.m4 KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1803,3 +1804,51 @@ AC_SUBST(manlocalstatedir) +@@ -1764,3 +1765,51 @@ AC_SUBST(manlocalstatedir) AC_SUBST(manlibexecdir) AC_CONFIG_FILES($1) ]) @@ -95,11 +95,11 @@ Index: krb5-1.9.1/src/aclocal.m4 +LIBS="$old_LIBS" +AC_SUBST(SELINUX_LIBS) +])dnl -Index: krb5-1.9.1/src/config/pre.in +Index: krb5-1.10.2/src/config/pre.in =================================================================== ---- krb5-1.9.1.orig/src/config/pre.in -+++ krb5-1.9.1/src/config/pre.in -@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR +--- krb5-1.10.2.orig/src/config/pre.in ++++ krb5-1.10.2/src/config/pre.in +@@ -182,6 +182,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@ LDARGS = @LDARGS@ LIBS = @LIBS@ @@ -107,7 +107,7 @@ Index: krb5-1.9.1/src/config/pre.in INSTALL=@INSTALL@ INSTALL_STRIP= -@@ -382,7 +383,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) +@@ -406,7 +407,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) # HESIOD_LIBS is -lhesiod... HESIOD_LIBS = @HESIOD_LIBS@ 
@@ -116,11 +116,11 @@ Index: krb5-1.9.1/src/config/pre.in KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on Mac OS X! -Index: krb5-1.9.1/src/configure.in +Index: krb5-1.10.2/src/configure.in =================================================================== ---- krb5-1.9.1.orig/src/configure.in -+++ krb5-1.9.1/src/configure.in -@@ -1127,6 +1127,8 @@ fi +--- krb5-1.10.2.orig/src/configure.in ++++ krb5-1.10.2/src/configure.in +@@ -1248,6 +1248,8 @@ AC_SUBST(localedir) KRB5_WITH_PAM @@ -129,10 +129,10 @@ Index: krb5-1.9.1/src/configure.in AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) V5_AC_OUTPUT_MANPAGE([ -Index: krb5-1.9.1/src/include/k5-int.h +Index: krb5-1.10.2/src/include/k5-int.h =================================================================== ---- krb5-1.9.1.orig/src/include/k5-int.h -+++ krb5-1.9.1/src/include/k5-int.h +--- krb5-1.10.2.orig/src/include/k5-int.h ++++ krb5-1.10.2/src/include/k5-int.h @@ -135,6 +135,7 @@ typedef unsigned char u_char; typedef UINT64_TYPE krb5_ui_8; typedef INT64_TYPE krb5_int64; @@ -141,10 +141,10 @@ Index: krb5-1.9.1/src/include/k5-int.h #define DEFAULT_PWD_STRING1 "Enter password" #define DEFAULT_PWD_STRING2 "Re-enter password for verification" -Index: krb5-1.9.1/src/include/k5-label.h +Index: krb5-1.10.2/src/include/k5-label.h =================================================================== --- /dev/null -+++ krb5-1.9.1/src/include/k5-label.h ++++ krb5-1.10.2/src/include/k5-label.h @@ -0,0 +1,32 @@ +#ifndef _KRB5_LABEL_H +#define _KRB5_LABEL_H 
@@ -178,11 +178,11 @@ Index: krb5-1.9.1/src/include/k5-label.h +#define THREEPARAMOPEN(x,y,z) open(x,y,z) +#endif +#endif -Index: krb5-1.9.1/src/include/krb5/krb5.hin +Index: krb5-1.10.2/src/include/krb5/krb5.hin =================================================================== ---- krb5-1.9.1.orig/src/include/krb5/krb5.hin -+++ krb5-1.9.1/src/include/krb5/krb5.hin -@@ -87,6 +87,12 @@ +--- krb5-1.10.2.orig/src/include/krb5/krb5.hin ++++ krb5-1.10.2/src/include/krb5/krb5.hin +@@ -83,6 +83,12 @@ #define THREEPARAMOPEN(x,y,z) open(x,y,z) #endif @@ -195,11 +195,20 @@ Index: krb5-1.9.1/src/include/krb5/krb5.hin #define KRB5_OLD_CRYPTO #include -Index: krb5-1.9.1/src/kadmin/dbutil/dump.c +Index: krb5-1.10.2/src/kadmin/dbutil/dump.c =================================================================== ---- krb5-1.9.1.orig/src/kadmin/dbutil/dump.c -+++ krb5-1.9.1/src/kadmin/dbutil/dump.c -@@ -1257,7 +1257,7 @@ dump_db(argc, argv) +--- krb5-1.10.2.orig/src/kadmin/dbutil/dump.c ++++ krb5-1.10.2/src/kadmin/dbutil/dump.c +@@ -346,7 +346,7 @@ void update_ok_file (file_name) + exit_status++; + return; + } +- if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) { ++ if ((fd = THREEPARAMOPEN(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) { + com_err(progname, errno, _("while creating 'ok' file, '%s'"), + file_ok); + exit_status++; +@@ -1251,7 +1251,7 @@ dump_db(argc, argv) * want to get into. */ unlink(ofile); @@ -208,10 +217,10 @@ Index: krb5-1.9.1/src/kadmin/dbutil/dump.c fprintf(stderr, ofopen_error, progname, ofile, error_message(errno)); exit_status++; -Index: krb5-1.9.1/src/krb5-config.in +Index: krb5-1.10.2/src/krb5-config.in =================================================================== ---- krb5-1.9.1.orig/src/krb5-config.in -+++ krb5-1.9.1/src/krb5-config.in +--- krb5-1.10.2.orig/src/krb5-config.in ++++ krb5-1.10.2/src/krb5-config.in @@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@' PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@' PTHREAD_CFLAGS='@PTHREAD_CFLAGS@' 
@@ -220,20 +229,20 @@ Index: krb5-1.9.1/src/krb5-config.in LIBS='@LIBS@' GEN_LIB=@GEN_LIB@ -@@ -214,7 +215,7 @@ if test -n "$do_libs"; then +@@ -218,7 +219,7 @@ if test -n "$do_libs"; then fi - if test $library = 'krb5'; then -- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB" -+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" - fi + # If we ever support a flag to generate output suitable for static +- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" ++ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + # here. echo $lib_flags -Index: krb5-1.9.1/src/lib/kadm5/logger.c +Index: krb5-1.10.2/src/lib/kadm5/logger.c =================================================================== ---- krb5-1.9.1.orig/src/lib/kadm5/logger.c -+++ krb5-1.9.1/src/lib/kadm5/logger.c -@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch +--- krb5-1.10.2.orig/src/lib/kadm5/logger.c ++++ krb5-1.10.2/src/lib/kadm5/logger.c +@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, ch * Check for append/overwrite, then open the file. */ if (cp[4] == ':' || cp[4] == '=') { @@ -242,7 +251,7 @@ Index: krb5-1.9.1/src/lib/kadm5/logger.c if (f) { set_cloexec_file(f); log_control.log_entries[i].lfu_filep = f; -@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext) +@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext) * In case the old logfile did not get moved out of the * way, open for append to prevent squashing the old logs. */ 
@@ -251,11 +260,11 @@ Index: krb5-1.9.1/src/lib/kadm5/logger.c if (f) { set_cloexec_file(f); log_control.log_entries[lindex].lfu_filep = f; -Index: krb5-1.9.1/src/lib/krb5/keytab/kt_file.c +Index: krb5-1.10.2/src/lib/krb5/keytab/kt_file.c =================================================================== ---- krb5-1.9.1.orig/src/lib/krb5/keytab/kt_file.c -+++ krb5-1.9.1/src/lib/krb5/keytab/kt_file.c -@@ -1057,7 +1057,7 @@ krb5_ktfileint_open(krb5_context context +--- krb5-1.10.2.orig/src/lib/krb5/keytab/kt_file.c ++++ krb5-1.10.2/src/lib/krb5/keytab/kt_file.c +@@ -1039,7 +1039,7 @@ krb5_ktfileint_open(krb5_context context KTCHECKLOCK(id); errno = 0; @@ -264,7 +273,7 @@ Index: krb5-1.9.1/src/lib/krb5/keytab/kt_file.c (mode == KRB5_LOCKMODE_EXCLUSIVE) ? fopen_mode_rbplus : fopen_mode_rb); if (!KTFILEP(id)) { -@@ -1065,7 +1065,7 @@ krb5_ktfileint_open(krb5_context context +@@ -1047,7 +1047,7 @@ krb5_ktfileint_open(krb5_context context /* try making it first time around */ krb5_create_secure_file(context, KTFILENAME(id)); errno = 0; @@ -273,11 +282,11 @@ Index: krb5-1.9.1/src/lib/krb5/keytab/kt_file.c if (!KTFILEP(id)) goto report_errno; writevno = 1; -Index: krb5-1.9.1/src/plugins/kdb/db2/adb_openclose.c +Index: krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c =================================================================== ---- krb5-1.9.1.orig/src/plugins/kdb/db2/adb_openclose.c -+++ krb5-1.9.1/src/plugins/kdb/db2/adb_openclose.c -@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char +--- krb5-1.10.2.orig/src/plugins/kdb/db2/adb_openclose.c ++++ krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c +@@ -197,7 +197,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char * POSIX systems */ lockp->lockinfo.filename = strdup(lockfilename); 
@@ -286,43 +295,10 @@ Index: krb5-1.9.1/src/plugins/kdb/db2/adb_openclose.c /* * maybe someone took away write permission so we could only * get shared locks? -Index: krb5-1.9.1/src/plugins/kdb/db2/kdb_db2.c +Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c =================================================================== ---- krb5-1.9.1.orig/src/plugins/kdb/db2/kdb_db2.c -+++ krb5-1.9.1/src/plugins/kdb/db2/kdb_db2.c -@@ -374,8 +374,8 @@ krb5_db2_init(krb5_context context) - * should be opened read/write so that write locking can work with - * POSIX systems - */ -- if ((db_ctx->db_lf_file = open(filename, O_RDWR, 0666)) < 0) { -- if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) { -+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDWR, 0666)) < 0) { -+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDONLY, 0666)) < 0) { - retval = errno; - goto err_out; - } -@@ -676,7 +676,7 @@ create_db(krb5_context context, char *db - if (!okname) - retval = ENOMEM; - else { -- fd = open(okname, O_CREAT | O_RDWR | O_TRUNC, 0600); -+ fd = THREEPARAMOPEN(okname, O_CREAT | O_RDWR | O_TRUNC, 0600); - if (fd < 0) - retval = errno; - else -@@ -1532,7 +1532,7 @@ krb5_db2_rename(krb5_context context, ch - retval = ENOMEM; - goto errout; - } -- db_ctx->db_lf_file = open(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600); -+ db_ctx->db_lf_file = THREEPARAMOPEN(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600); - if (db_ctx->db_lf_file < 0) { - retval = errno; - goto errout; -Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c -=================================================================== ---- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c -+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c +--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c ++++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c @@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8. #include "k5-platform.h" /* mkstemp? */ 
@@ -340,10 +316,10 @@ Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c goto err; } else { -Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c +Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c =================================================================== ---- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c -+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c +--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/hash/hash.c ++++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c @@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 #include #endif @@ -361,31 +337,10 @@ Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c RETURN_ERROR(errno, error0); (void)fcntl(hashp->fp, F_SETFD, 1); } -Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c +Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in =================================================================== ---- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c -+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c -@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8 - #include - #include - -+#include "k5-int.h" - #include "db-int.h" - #include "recno.h" - -@@ -68,7 +69,7 @@ __rec_open(fname, flags, mode, openinfo, - int rfd, sverrno; - - /* Open the user's file -- if this fails, we're done. */ -- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) -+ if (fname != NULL && (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) - return (NULL); - - if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { -Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/test/Makefile.in -=================================================================== ---- krb5-1.9.1.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in -+++ krb5-1.9.1/src/plugins/kdb/db2/libdb2/test/Makefile.in +--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in ++++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in 
@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR) KRB5_RUN_ENV= @KRB5_RUN_ENV@ @@ -396,11 +351,11 @@ Index: krb5-1.9.1/src/plugins/kdb/db2/libdb2/test/Makefile.in DB_DEPLIB = ../libdb$(DEPLIBEXT) all:: -Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +Index: krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c =================================================================== ---- krb5-1.9.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -+++ krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -@@ -1091,7 +1091,7 @@ rem_service_entry_from_file(int argc, ch +--- krb5-1.10.2.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ++++ krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +@@ -1088,7 +1088,7 @@ rem_service_entry_from_file(int argc, ch /* Create a temporary file which contains all the entries except the entry for the given service dn */ @@ -409,7 +364,7 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c if (pfile == NULL) { com_err(me, errno, "while deleting entry from file %s", file_name); goto cleanup; -@@ -1108,7 +1108,7 @@ rem_service_entry_from_file(int argc, ch +@@ -1105,7 +1105,7 @@ rem_service_entry_from_file(int argc, ch snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp"); @@ -418,7 +373,7 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c umask(omask); if (tmpfd == -1) { com_err(me, errno, "while deleting entry from file\n"); -@@ -1728,7 +1728,7 @@ kdb5_ldap_set_service_password(int argc, +@@ -1725,7 +1725,7 @@ kdb5_ldap_set_service_password(int argc, printf("File does not exist. Creating the file %s...\n", file_name); omask = umask(077); 
@@ -427,7 +382,7 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c umask(omask); if (fd == -1) { com_err(me, errno, "Error creating file %s", file_name); -@@ -1756,7 +1756,7 @@ kdb5_ldap_set_service_password(int argc, +@@ -1753,7 +1753,7 @@ kdb5_ldap_set_service_password(int argc, /* TODO: file lock for the service password file */ /* set password in the file */ @@ -436,7 +391,7 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c if (pfile == NULL) { com_err(me, errno, "Failed to open file %s", file_name); goto cleanup; -@@ -1797,7 +1797,7 @@ kdb5_ldap_set_service_password(int argc, +@@ -1794,7 +1794,7 @@ kdb5_ldap_set_service_password(int argc, } omask = umask(077); @@ -445,16 +400,16 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c umask(omask); if (newfile == NULL) { com_err(me, errno, "Error creating file %s", tmp_file); -@@ -2019,7 +2019,7 @@ done: +@@ -2016,7 +2016,7 @@ done: /* set password in the file */ old_mode = umask(0177); - pfile = fopen(file_name, "a+"); + pfile = WRITABLEFOPEN(file_name, "a+"); if (pfile == NULL) { - com_err(me, errno, "Failed to open file %s: %s", file_name, + com_err(me, errno, _("Failed to open file %s: %s"), file_name, strerror (errno)); -@@ -2069,7 +2069,7 @@ done: +@@ -2068,7 +2068,7 @@ done: } omask = umask(077); 
@@ -462,12 +417,12 @@ Index: krb5-1.9.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c + newfile = WRITABLEFOPEN(tmp_file, "w"); umask (omask); if (newfile == NULL) { - com_err(me, errno, "Error creating file %s", tmp_file); -Index: krb5-1.9.1/src/slave/kpropd.c + com_err(me, errno, _("Error creating file %s"), tmp_file); +Index: krb5-1.10.2/src/slave/kpropd.c =================================================================== ---- krb5-1.9.1.orig/src/slave/kpropd.c -+++ krb5-1.9.1/src/slave/kpropd.c -@@ -338,7 +338,7 @@ retry: +--- krb5-1.10.2.orig/src/slave/kpropd.c ++++ krb5-1.10.2/src/slave/kpropd.c +@@ -336,7 +336,7 @@ retry: if (!debug && iproprole != IPROP_SLAVE) daemon(1, 0); #ifdef PID_FILE @@ -476,10 +431,36 @@ Index: krb5-1.9.1/src/slave/kpropd.c fprintf(pidfile, "%d\n", getpid()); fclose(pidfile); } else -Index: krb5-1.9.1/src/util/profile/prof_file.c +@@ -437,6 +437,9 @@ void doit(fd) + krb5_enctype etype; + int database_fd; + char host[INET6_ADDRSTRLEN+1]; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (kpropd_context->kdblog_context && + kpropd_context->kdblog_context->iproprole == IPROP_SLAVE) { +@@ -515,9 +518,15 @@ void doit(fd) + free(name); + exit(1); + } ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(file); ++#endif + omask = umask(077); + lock_fd = open(temp_file_name, O_RDWR|O_CREAT, 0600); + (void) umask(omask); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + retval = krb5_lock_file(kpropd_context, lock_fd, + KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK); + if (retval) { +Index: krb5-1.10.2/src/util/profile/prof_file.c =================================================================== ---- krb5-1.9.1.orig/src/util/profile/prof_file.c -+++ krb5-1.9.1/src/util/profile/prof_file.c +--- krb5-1.10.2.orig/src/util/profile/prof_file.c ++++ krb5-1.10.2/src/util/profile/prof_file.c @@ -30,6 +30,7 @@ #endif 
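Review bot: In the new `doit()` block for kpropd.c, the result of `krb5int_push_fscreatecon_for(file)` is stored in `selabel` but never checked; by the selinux.c version in this same patch, that function returns NULL when it cannot take its mutex and `krb5int_pop_fscreatecon(NULL)` is a no-op, so in that case the lock file is created under the default context and nothing is reported. A diagnostic when the push fails, e.g. `if (selabel == NULL && debug) fprintf(stderr, "fscreatecon not set for %s\n", file);` using the `debug` flag seen in the earlier kpropd hunk, would make a silent labelling failure visible. The context is derived from `file` (the final database path) while the file actually opened is `temp_file_name`; that looks intentional — label the temporary as its eventual destination — but merits a one-line comment at the push. `doit()` starts and ends outside the hunk.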
@@ -488,7 +469,7 @@ Index: krb5-1.9.1/src/util/profile/prof_file.c struct global_shared_profile_data { /* This is the head of the global list of shared trees */ -@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_ +@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_ errno = 0; @@ -497,11 +478,11 @@ Index: krb5-1.9.1/src/util/profile/prof_file.c if (!f) { retval = errno; if (retval == 0) -Index: krb5-1.9.1/src/util/support/Makefile.in +Index: krb5-1.10.2/src/util/support/Makefile.in =================================================================== ---- krb5-1.9.1.orig/src/util/support/Makefile.in -+++ krb5-1.9.1/src/util/support/Makefile.in -@@ -54,6 +54,7 @@ IPC_SYMS= \ +--- krb5-1.10.2.orig/src/util/support/Makefile.in ++++ krb5-1.10.2/src/util/support/Makefile.in +@@ -64,6 +64,7 @@ IPC_SYMS= \ STLIBOBJS= \ threads.o \ @@ -509,7 +490,7 @@ Index: krb5-1.9.1/src/util/support/Makefile.in init-addrinfo.o \ plugins.o \ errors.o \ -@@ -108,7 +109,7 @@ SRCS=\ +@@ -127,7 +128,7 @@ SRCS=\ SHLIB_EXPDEPS = # Add -lm if dumping thread stats, for sqrt. @@ -518,11 +499,11 @@ Index: krb5-1.9.1/src/util/support/Makefile.in SHLIB_DIRS= SHLIB_RDIRS=$(KRB5_LIBDIR) -Index: krb5-1.9.1/src/util/support/selinux.c +Index: krb5-1.10.2/src/util/support/selinux.c =================================================================== --- /dev/null -+++ krb5-1.9.1/src/util/support/selinux.c -@@ -0,0 +1,362 @@ ++++ krb5-1.10.2/src/util/support/selinux.c +@@ -0,0 +1,372 @@ +/* + * Copyright 2007,2008,2009,2011 Red Hat, Inc. All Rights Reserved. + * 
@@ -746,16 +727,26 @@ Index: krb5-1.9.1/src/util/support/selinux.c +krb5int_push_fscreatecon_for(const char *pathname) +{ + struct stat st; -+ if (stat(pathname, &st) != 0) { -+ st.st_mode = S_IRUSR | S_IWUSR; ++ void *retval; ++ k5_once(&labeled_once, label_mutex_init); ++ if (k5_mutex_lock(&labeled_mutex) == 0) { ++ if (stat(pathname, &st) != 0) { ++ st.st_mode = S_IRUSR | S_IWUSR; ++ } ++ retval = push_fscreatecon(pathname, st.st_mode); ++ return retval ? retval : (void *) -1; ++ } else { ++ return NULL; + } -+ return push_fscreatecon(pathname, st.st_mode); +} + +void +krb5int_pop_fscreatecon(void *con) +{ -+ pop_fscreatecon(con); ++ if (con != NULL) { ++ pop_fscreatecon((con == (void *) -1) ? NULL : con); ++ k5_mutex_unlock(&labeled_mutex); ++ } +} + +FILE * @@ -885,11 +876,11 @@ Index: krb5-1.9.1/src/util/support/selinux.c +} + +#endif -Index: krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c +Index: krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c =================================================================== ---- krb5-1.9.1.orig/src/lib/krb5/rcache/rc_dfl.c -+++ krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c -@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context +--- krb5-1.10.2.orig/src/lib/krb5/rcache/rc_dfl.c ++++ krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c +@@ -812,6 +812,9 @@ krb5_rc_dfl_expunge_locked(krb5_context krb5_error_code retval = 0; krb5_rcache tmp; krb5_deltat lifespan = t->lifespan; /* save original lifespan */ @@ -899,7 +890,7 @@ Index: krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c if (! t->recovering) { name = t->name; -@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context +@@ -833,7 +836,17 @@ krb5_rc_dfl_expunge_locked(krb5_context retval = krb5_rc_resolve(context, tmp, 0); if (retval) goto cleanup; 
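Review bot: `krb5int_push_fscreatecon_for()` now returns with `labeled_mutex` held and relies on the caller reaching `krb5int_pop_fscreatecon()` to release it, which the hunk states nowhere; a caller that takes an early exit between push and pop leaves the process-wide lock held for good. Please document the contract above the function, e.g. `/* On success the global label mutex stays held until krb5int_pop_fscreatecon(); a NULL return means the lock was not taken and pop is a no-op. */`, and explain the `(void *) -1` sentinel that stands for "locked, but no previous context to restore". The status of `k5_once(&labeled_once, label_mutex_init)` is discarded and `k5_mutex_lock` follows immediately; if that initialisation can fail, its result is worth checking (neither `label_mutex_init` nor the mutex declaration is visible here). The callers and the static helpers lie outside this hunk.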
@@ -917,3 +908,92 @@ Index: krb5-1.9.1/src/lib/krb5/rcache/rc_dfl.c if (retval) goto cleanup; for (q = t->a; q; q = q->na) { +Index: krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c +=================================================================== +--- krb5-1.10.2.orig/src/plugins/kdb/db2/kdb_db2.c ++++ krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c +@@ -683,8 +683,8 @@ ctx_create_db(krb5_context context, krb5 + if (retval) + return retval; + +- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC, +- 0600); ++ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name, ++ O_CREAT | O_RDWR | O_TRUNC, 0600); + if (dbc->db_lf_file < 0) { + retval = errno; + goto cleanup; +Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c +=================================================================== +--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c ++++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8 + #include + #include + ++#include "k5-int.h" + #include "db-int.h" + #include "recno.h" + +@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, + int rfd = -1, sverrno; + + /* Open the user's file -- if this fails, we're done. 
*/ +- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) ++ if (fname != NULL && ++ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + return (NULL); + + if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { +Index: krb5-1.10.2/src/kdc/main.c +=================================================================== +--- krb5-1.10.2.orig/src/kdc/main.c ++++ krb5-1.10.2/src/kdc/main.c +@@ -909,7 +909,7 @@ write_pid_file(const char *path) + FILE *file; + unsigned long pid; + +- file = fopen(path, "w"); ++ file = WRITABLEFOPEN(path, "w"); + if (file == NULL) + return errno; + pid = (unsigned long) getpid(); +Index: krb5-1.10.2/src/lib/kdb/kdb_log.c +=================================================================== +--- krb5-1.10.2.orig/src/lib/kdb/kdb_log.c ++++ krb5-1.10.2/src/lib/kdb/kdb_log.c +@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha + return (errno); + } + +- if ((ulogfd = open(logname, O_RDWR+O_CREAT, 0600)) == -1) { ++ if ((ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600)) == -1) { + return (errno); + } + +Index: krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in +=================================================================== +--- krb5-1.10.2.orig/src/util/gss-kernel-lib/Makefile.in ++++ krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in +@@ -66,6 +66,7 @@ HEADERS= \ + gssapi_err_generic.h \ + k5-int.h \ + k5-int-pkinit.h \ ++ k5-label.h \ + k5-thread.h \ + k5-platform.h \ + k5-buf.h \ +@@ -167,10 +168,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_ + $(CP) $(GSS_GENERIC)/gssapi_generic.h $@ + gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h + $(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@ +-k5-int.h: $(INCLUDE)/k5-int.h ++k5-int.h: $(INCLUDE)/k5-int.h k5-label.h + $(CP) $(INCLUDE)/k5-int.h $@ + k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h + $(CP) $(INCLUDE)/k5-int-pkinit.h $@ ++k5-label.h: $(INCLUDE)/k5-label.h ++ $(CP) $(INCLUDE)/k5-label.h $@ + k5-thread.h: $(INCLUDE)/k5-thread.h + $(CP) 
$(INCLUDE)/k5-thread.h $@ + k5-platform.h: $(INCLUDE)/k5-platform.h diff --git a/krb5-1.10.2.tar.bz2 b/krb5-1.10.2.tar.bz2 new file mode 100644 index 0000000..752e403 --- /dev/null +++ b/krb5-1.10.2.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:479d66291ae989d5db9daca5838ff4bddde45c77b703fadcf78ca6d1db315bd8 +size 9457236 diff --git a/krb5-1.6.3-gssapi_improve_errormessages.dif b/krb5-1.6.3-gssapi_improve_errormessages.dif index c37d29f..d6afe07 100644 --- a/krb5-1.6.3-gssapi_improve_errormessages.dif +++ b/krb5-1.6.3-gssapi_improve_errormessages.dif @@ -1,8 +1,8 @@ -Index: trunk/src/lib/gssapi/generic/disp_com_err_status.c +Index: krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c =================================================================== ---- trunk.orig/src/lib/gssapi/generic/disp_com_err_status.c -+++ trunk/src/lib/gssapi/generic/disp_com_err_status.c -@@ -54,7 +54,7 @@ g_display_com_err_status(minor_status, s +--- krb5-1.10.2.orig/src/lib/gssapi/generic/disp_com_err_status.c ++++ krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c +@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *mino status_string->value = NULL; if (! g_make_string_buffer(((status_value == 0)?no_error: diff --git a/krb5-1.7-doublelog.patch b/krb5-1.7-doublelog.patch index 10e4777..1c948bd 100644 --- a/krb5-1.7-doublelog.patch +++ b/krb5-1.7-doublelog.patch 
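Review bot: In the gss-kernel-lib Makefile.in part of this hunk, `k5-label.h` is added as a normal prerequisite of the copy rule, `k5-int.h: $(INCLUDE)/k5-int.h k5-label.h`, yet the recipe copies only `$(INCLUDE)/k5-int.h`, so any change to k5-label.h forces a pointless re-copy of k5-int.h; an order-only prerequisite, `k5-int.h: $(INCLUDE)/k5-int.h | k5-label.h`, expresses the real need (the header must exist beside it) without the spurious rebuild. The new `k5-label.h` rule and `HEADERS` entry otherwise follow the file's existing copy pattern. The kdb_log.c change in the same hunk also replaces `O_RDWR+O_CREAT` with `O_RDWR | O_CREAT`; the flags are distinct bits so the value is unchanged, but it is a quiet drive-by fix the patch header does not mention, as is pulling `k5-int.h` into libdb2's rec_open.c.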
@@ -1,18 +1,16 @@ Don't double-log (actually, don't process /etc/krb5.conf twice) just because we built with --sysconfdir=/etc. RT#3277 -Index: krb5-1.9.1/src/include/Makefile.in +Index: krb5-1.10.2/src/include/Makefile.in =================================================================== ---- krb5-1.9.1.orig/src/include/Makefile.in -+++ krb5-1.9.1/src/include/Makefile.in -@@ -66,7 +66,9 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$( - -e "s+@MODULEDIR+$(MODULE_DIR)+" \ +--- krb5-1.10.2.orig/src/include/Makefile.in ++++ krb5-1.10.2/src/include/Makefile.in +@@ -67,6 +67,8 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$( -e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \ - -e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \ -- -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' -+ -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \ -+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \ -+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' + -e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \ + -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \ ++ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \ ++ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \ + -e 's+@DYNOBJEXT+$(DYNOBJEXT)+' OSCONFSRC = $(srcdir)/osconf.hin - diff --git a/krb5-1.7-nodeplibs.patch b/krb5-1.7-nodeplibs.patch deleted file mode 100644 index 6ce80be..0000000 --- a/krb5-1.7-nodeplibs.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -Omit extra libraries because their interfaces aren't exposed to applications -by libkrb5, unless do_deps is set to 1, which indicates that the caller -wants the whole list. - -Index: krb5-1.9.1/src/krb5-config.in -=================================================================== ---- krb5-1.9.1.orig/src/krb5-config.in -+++ krb5-1.9.1/src/krb5-config.in -@@ -221,7 +221,11 @@ if test -n "$do_libs"; then - fi - - if test $library = 'krb5'; then -- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" -+ if test 0$do_deps -eq 1 ; then -+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" -+ else -+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err" -+ fi - fi - - echo $lib_flags diff --git a/krb5-1.8-api.patch b/krb5-1.8-api.patch index 9bbec30..986049a 100644 --- a/krb5-1.8-api.patch +++ b/krb5-1.8-api.patch @@ -2,10 +2,11 @@ Reference docs don't define what happens if you call krb5_realm_compare() with malformed krb5_principal structures. Define a behavior which keeps it from crashing if applications don't check ahead of time. -diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/princ_comp.c ---- krb5-1.8/src/lib/krb5/krb/princ_comp.c.api 2009-10-30 20:48:38.000000000 -0400 -+++ krb5-1.8/src/lib/krb5/krb/princ_comp.c 2010-03-05 11:00:55.000000000 -0500 -@@ -41,6 +41,12 @@ realm_compare_flags(krb5_context context +Index: krb5-1.10.2/src/lib/krb5/krb/princ_comp.c +=================================================================== +--- krb5-1.10.2.orig/src/lib/krb5/krb/princ_comp.c ++++ krb5-1.10.2/src/lib/krb5/krb/princ_comp.c +@@ -36,6 +36,12 @@ realm_compare_flags(krb5_context context const krb5_data *realm1 = krb5_princ_realm(context, princ1); const krb5_data *realm2 = krb5_princ_realm(context, princ2); 
@@ -18,7 +19,7 @@ diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/pr if (realm1->length != realm2->length) return FALSE; -@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex +@@ -87,6 +93,9 @@ krb5_principal_compare_flags(krb5_contex krb5_principal upn2 = NULL; krb5_boolean ret = FALSE; diff --git a/krb5-1.8-manpaths.txt b/krb5-1.8-manpaths.txt index 99cbbf0..eaf544f 100644 --- a/krb5-1.8-manpaths.txt +++ b/krb5-1.8-manpaths.txt @@ -1,6 +1,7 @@ appl/sample/sserver/sserver.M config-files/kdc.conf.M config-files/krb5.conf.M +gen-manpages/kerberos.M kadmin/cli/kadmin.M slave/kpropd.M slave/kprop.M diff --git a/krb5-1.8-pam.patch b/krb5-1.8-pam.patch index a09fd9e..e21648b 100644 --- a/krb5-1.8-pam.patch +++ b/krb5-1.8-pam.patch @@ -11,11 +11,11 @@ When enabled, ksu gains a dependency on libpam. Originally RT#5939, though it's changed since then to perform the account and session management before dropping privileges. -Index: krb5-1.9.1/src/aclocal.m4 +Index: krb5-1.10.2/src/aclocal.m4 =================================================================== ---- krb5-1.9.1.orig/src/aclocal.m4 -+++ krb5-1.9.1/src/aclocal.m4 -@@ -1715,3 +1715,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[ +--- krb5-1.10.2.orig/src/aclocal.m4 ++++ krb5-1.10.2/src/aclocal.m4 +@@ -1676,3 +1676,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[ ])) ])dnl dnl @@ -86,10 +86,10 @@ Index: krb5-1.9.1/src/aclocal.m4 +AC_SUBST(PAM_MAN) +AC_SUBST(NON_PAM_MAN) +])dnl -Index: krb5-1.9.1/src/clients/ksu/main.c +Index: krb5-1.10.2/src/clients/ksu/main.c =================================================================== ---- krb5-1.9.1.orig/src/clients/ksu/main.c -+++ krb5-1.9.1/src/clients/ksu/main.c +--- krb5-1.10.2.orig/src/clients/ksu/main.c ++++ krb5-1.10.2/src/clients/ksu/main.c @@ -26,6 +26,7 @@ * KSU was writen by: Ari Medvinsky, ari@isi.edu */ 
@@ -117,7 +117,7 @@ Index: krb5-1.9.1/src/clients/ksu/main.c /***********/ #define _DEF_CSH "/bin/csh" -@@ -586,6 +592,25 @@ main (argc, argv) +@@ -584,6 +590,25 @@ main (argc, argv) prog_name,target_user,client_name, source_user,ontty()); @@ -142,8 +142,8 @@ Index: krb5-1.9.1/src/clients/ksu/main.c + /* Run authorization as target.*/ if (krb5_seteuid(target_uid)) { - com_err(prog_name, errno, "while switching to target for authorization check"); -@@ -651,6 +676,26 @@ main (argc, argv) + com_err(prog_name, errno, _("while switching to target for " +@@ -648,6 +673,26 @@ main (argc, argv) sweep_up(ksu_context, cc_target); exit(1); } @@ -170,7 +170,7 @@ Index: krb5-1.9.1/src/clients/ksu/main.c } if( some_rest_copy){ -@@ -720,6 +765,32 @@ main (argc, argv) +@@ -717,6 +762,32 @@ main (argc, argv) exit(1); } @@ -203,18 +203,18 @@ Index: krb5-1.9.1/src/clients/ksu/main.c /* set permissions */ if (setgid(target_pwd->pw_gid) < 0) { perror("ksu: setgid"); -@@ -792,7 +863,7 @@ main (argc, argv) +@@ -789,7 +860,7 @@ main (argc, argv) fprintf(stderr, "program to be execed %s\n",params[0]); } - if( keep_target_cache ) { + if( keep_target_cache && !force_fork ) { execv(params[0], params); - com_err(prog_name, errno, "while trying to execv %s", - params[0]); -@@ -823,15 +894,34 @@ main (argc, argv) + com_err(prog_name, errno, _("while trying to execv %s"), params[0]); + sweep_up(ksu_context, cc_target); +@@ -819,16 +890,35 @@ main (argc, argv) if (ret_pid == -1) { - com_err(prog_name, errno, "while calling waitpid"); + com_err(prog_name, errno, _("while calling waitpid")); } - sweep_up(ksu_context, cc_target); + if( !keep_target_cache ) { @@ -222,7 +222,7 @@ Index: krb5-1.9.1/src/clients/ksu/main.c + } exit (statusp); case -1: - com_err(prog_name, errno, "while trying to fork."); + com_err(prog_name, errno, _("while trying to fork.")); sweep_up(ksu_context, cc_target); exit (1); case 0: 
@@ -241,17 +241,18 @@ Index: krb5-1.9.1/src/clients/ksu/main.c + } +#endif execv(params[0], params); - com_err(prog_name, errno, "while trying to execv %s", params[0]); + com_err(prog_name, errno, _("while trying to execv %s"), + params[0]); + if( keep_target_cache ) { + sweep_up(ksu_context, cc_target); + } exit (1); } } -Index: krb5-1.9.1/src/clients/ksu/Makefile.in +Index: krb5-1.10.2/src/clients/ksu/Makefile.in =================================================================== ---- krb5-1.9.1.orig/src/clients/ksu/Makefile.in -+++ krb5-1.9.1/src/clients/ksu/Makefile.in +--- krb5-1.10.2.orig/src/clients/ksu/Makefile.in ++++ krb5-1.10.2/src/clients/ksu/Makefile.in @@ -7,12 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD) PROG_RPATH=$(KRB5_LIBDIR) @@ -286,10 +287,10 @@ Index: krb5-1.9.1/src/clients/ksu/Makefile.in clean:: $(RM) ksu -Index: krb5-1.9.1/src/clients/ksu/pam.c +Index: krb5-1.10.2/src/clients/ksu/pam.c =================================================================== --- /dev/null -+++ krb5-1.9.1/src/clients/ksu/pam.c ++++ krb5-1.10.2/src/clients/ksu/pam.c @@ -0,0 +1,389 @@ +/* + * src/clients/ksu/pam.c @@ -680,10 +681,10 @@ Index: krb5-1.9.1/src/clients/ksu/pam.c + return ret; +} +#endif -Index: krb5-1.9.1/src/clients/ksu/pam.h +Index: krb5-1.10.2/src/clients/ksu/pam.h =================================================================== --- /dev/null -+++ krb5-1.9.1/src/clients/ksu/pam.h ++++ krb5-1.10.2/src/clients/ksu/pam.h @@ -0,0 +1,57 @@ +/* + * src/clients/ksu/pam.h 
@@ -742,13 +743,13 @@ Index: krb5-1.9.1/src/clients/ksu/pam.h +int appl_pam_cred_init(void); +void appl_pam_cleanup(void); +#endif -Index: krb5-1.9.1/src/configure.in +Index: krb5-1.10.2/src/configure.in =================================================================== ---- krb5-1.9.1.orig/src/configure.in -+++ krb5-1.9.1/src/configure.in -@@ -1125,6 +1125,8 @@ if test "$ac_cv_lib_socket" = "yes" -a " - AC_DEFINE(BROKEN_STREAMS_SOCKETS,1,[Define if socket can't be bound to 0.0.0.0]) +--- krb5-1.10.2.orig/src/configure.in ++++ krb5-1.10.2/src/configure.in +@@ -1246,6 +1246,8 @@ if test "${localedir+set}" != set; then fi + AC_SUBST(localedir) +KRB5_WITH_PAM + diff --git a/krb5-1.9-MITKRB5-SA-2011-006.dif b/krb5-1.9-MITKRB5-SA-2011-006.dif deleted file mode 100644 index f7aa03e..0000000 --- a/krb5-1.9-MITKRB5-SA-2011-006.dif +++ /dev/null 
@@ -1,75 +0,0 @@ -diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c -index b473611..50c60b7 100644 ---- a/src/plugins/kdb/db2/lockout.c -+++ b/src/plugins/kdb/db2/lockout.c -@@ -169,6 +169,9 @@ krb5_db2_lockout_audit(krb5_context context, - return 0; - } - -+ if (entry == NULL) -+ return 0; -+ - if (!db_ctx->disable_lockout) { - code = lookup_lockout_policy(context, entry, &max_fail, - &failcnt_interval, &lockout_duration); -@@ -176,6 +179,15 @@ krb5_db2_lockout_audit(krb5_context context, - return code; - } - -+ /* -+ * Don't continue to modify the DB for an already locked account. -+ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and -+ * this check is unneeded, but in rare cases, we can fail with an -+ * integrity error or preauth failure before a policy check.) -+ */ -+ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry)) -+ return 0; -+ - /* Only mark the authentication as successful if the entry - * required preauthentication, otherwise we have no idea. 
*/ - if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) { -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -index 552e39a..c2f44ab 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -@@ -105,6 +105,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, - CHECK_LDAP_HANDLE(ldap_context); - - if (is_principal_in_realm(ldap_context, searchfor) != 0) { -+ st = KRB5_KDB_NOENTRY; - krb5_set_error_message (context, st, "Principal does not belong to realm"); - goto cleanup; - } -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c -index a218dc7..fd164dd 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c -@@ -165,6 +165,9 @@ krb5_ldap_lockout_audit(krb5_context context, - return 0; - } - -+ if (entry == NULL) -+ return 0; -+ - if (!ldap_context->disable_lockout) { - code = lookup_lockout_policy(context, entry, &max_fail, - &failcnt_interval, -@@ -173,9 +176,16 @@ krb5_ldap_lockout_audit(krb5_context context, - return code; - } - -- entry->mask = 0; -+ /* -+ * Don't continue to modify the DB for an already locked account. -+ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and -+ * this check is unneeded, but in rare cases, we can fail with an -+ * integrity error or preauth failure before a policy check.) -+ */ -+ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry)) -+ return 0; - -- assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry)); -+ entry->mask = 0; - - /* Only mark the authentication as successful if the entry - * required preauthentication, otherwise we have no idea. */ diff --git a/krb5-1.9-MITKRB5-SA-2011-007.dif b/krb5-1.9-MITKRB5-SA-2011-007.dif deleted file mode 100644 index 9435410..0000000 
--- a/krb5-1.9-MITKRB5-SA-2011-007.dif +++ /dev/null @@ -1,42 +0,0 @@ -diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in -index f46cad3..102fbaa 100644 ---- a/src/kdc/Makefile.in -+++ b/src/kdc/Makefile.in -@@ -67,6 +67,7 @@ check-unix:: rtest - - check-pytests:: - $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS) -+ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS) - - install:: - $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc -diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c -index c169c54..840a2ef 100644 ---- a/src/kdc/do_tgs_req.c -+++ b/src/kdc/do_tgs_req.c -@@ -243,7 +243,8 @@ tgt_again: - if (!tgs_1 || !data_eq(*server_1, *tgs_1)) { - errcode = find_alternate_tgs(request, &server); - firstpass = 0; -- goto tgt_again; -+ if (errcode == 0) -+ goto tgt_again; - } - } - status = "UNKNOWN_SERVER"; -diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py -new file mode 100644 -index 0000000..1760bcd ---- /dev/null -+++ b/src/kdc/t_emptytgt.py -@@ -0,0 +1,8 @@ -+#!/usr/bin/python -+from k5test import * -+ -+realm = K5Realm(start_kadmind=False, create_host=False) -+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1) -+if 'not found in Kerberos database' not in output: -+ fail('TGT lookup for empty realm failed in unexpected way') -+success('Empty tgt lookup.') - - diff --git a/krb5-1.9-buildconf.patch b/krb5-1.9-buildconf.patch deleted file mode 100644 index e4593e3..0000000 --- a/krb5-1.9-buildconf.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -Build binaries in this package as RELRO PIEs and install shared libraries with -the execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS -where they might leak out and affect apps which just want to link with the -libraries. FIXME: needs to check and not just assume that the compiler supports -using these flags. - -diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf ---- krb5-1.9/src/config/shlib.conf 2008-12-08 17:33:07.000000000 -0500 -+++ krb5-1.9/src/config/shlib.conf 2009-06-04 14:01:28.000000000 -0400 -@@ -430,7 +430,8 @@ - SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' - PROFFLAGS=-pg - PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' -- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' -+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)' -+ INSTALL_SHLIB='${INSTALL} -m755' - CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' - CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' - CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' -diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in ---- krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 -+++ krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 -@@ -187,8 +187,14 @@ if test -n "$do_libs"; then - -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \ - -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \ - -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ -- -e 's#\$(CFLAGS)#'"$CFLAGS"'#'` -+ -e 's#\$(CFLAGS)##'` - -+ if test `dirname $libdir` = /usr ; then -+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"` -+ fi -+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"` -+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"` -+ - if test $library = 'kdb'; then - lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" - library=krb5 
diff --git a/krb5-1.9-canonicalize-fallback.patch b/krb5-1.9-canonicalize-fallback.patch
deleted file mode 100644
index d1f994c..0000000
--- a/krb5-1.9-canonicalize-fallback.patch
+++ /dev/null
@@ -1,61 +0,0 @@ -From RT#6917. - -Index: krb5-1.9.1/src/lib/krb5/krb/get_creds.c -=================================================================== ---- krb5-1.9.1.orig/src/lib/krb5/krb/get_creds.c -+++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c -@@ -470,13 +470,10 @@ begin_non_referral(krb5_context context, - - /***** STATE_REFERRALS *****/ - --/* -- * Possibly retry a request in the fallback realm after a referral request -- * failure in the local realm. Expects ctx->reply_code to be set to the error -- * from a referral request. -- */ -+/* Possibly try a non-referral request after a referral request failure. -+ * Expects ctx->reply_code to be set to the error from a referral request. */ - static krb5_error_code --try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx) -+try_fallback(krb5_context context, krb5_tkt_creds_context ctx) - { - krb5_error_code code; - char **hrealms; -@@ -485,9 +482,10 @@ try_fallback_realm(krb5_context context, - if (ctx->referral_count > 1) - return ctx->reply_code; - -- /* Only fall back if the original request used the referral realm. */ -+ /* If the request used a specified realm, make a non-referral request to -+ * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */ - if (!krb5_is_referral_realm(&ctx->req_server->realm)) -- return ctx->reply_code; -+ return begin_non_referral(context, ctx); - - if (ctx->server->length < 2) { - /* We need a type/host format principal to find a fallback realm. */ -@@ -500,10 +498,10 @@ try_fallback_realm(krb5_context context, - if (code != 0) - return code; - -- /* Give up if the fallback realm isn't any different. */ -+ /* If the fallback realm isn't any different, use the existing TGT. */ - if (data_eq_string(ctx->server->realm, hrealms[0])) { - krb5_free_host_realm(context, hrealms); -- return ctx->reply_code; -+ return begin_non_referral(context, ctx); - } - - /* Rewrite server->realm to be the fallback realm. 
*/ -@@ -540,9 +538,9 @@ step_referrals(krb5_context context, krb - krb5_error_code code; - const krb5_data *referral_realm; - -- /* Possibly retry with the fallback realm on error. */ -+ /* Possibly try a non-referral fallback request on error. */ - if (ctx->reply_code != 0) -- return try_fallback_realm(context, ctx); -+ return try_fallback(context, ctx); - - if (krb5_principal_compare(context, ctx->reply_creds->server, - ctx->server)) { diff --git a/krb5-1.9-gss_display_status-iakerb.patch b/krb5-1.9-gss_display_status-iakerb.patch deleted file mode 100644 index 9fa917a..0000000 --- a/krb5-1.9-gss_display_status-iakerb.patch +++ /dev/null @@ -1,14 +0,0 @@ -Index: krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c -=================================================================== ---- krb5-1.9.1.orig/src/lib/gssapi/krb5/disp_status.c -+++ krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c -@@ -167,7 +167,8 @@ krb5_gss_display_status(minor_status, st - - if ((mech_type != GSS_C_NULL_OID) && - !g_OID_equal(gss_mech_krb5, mech_type) && -- !g_OID_equal(gss_mech_krb5_old, mech_type)) { -+ !g_OID_equal(gss_mech_krb5_old, mech_type) && -+ !g_OID_equal(gss_mech_iakerb, mech_type)) { - *minor_status = 0; - return(GSS_S_BAD_MECH); - } diff --git a/krb5-1.9-kprop-mktemp.patch b/krb5-1.9-kprop-mktemp.patch index 907f453..dca8f8b 100644 --- a/krb5-1.9-kprop-mktemp.patch +++ b/krb5-1.9-kprop-mktemp.patch @@ -1,10 +1,10 @@ Use an in-memory ccache to silence a compiler warning, for RT#6414. -Index: krb5-1.9.1/src/slave/kprop.c +Index: krb5-1.10.2/src/slave/kprop.c =================================================================== ---- krb5-1.9.1.orig/src/slave/kprop.c -+++ krb5-1.9.1/src/slave/kprop.c -@@ -188,9 +188,8 @@ void PRS(argc, argv) +--- krb5-1.10.2.orig/src/slave/kprop.c ++++ krb5-1.10.2/src/slave/kprop.c +@@ -186,9 +186,8 @@ void PRS(argc, argv) void get_tickets(context) krb5_context context; { 
@@ -27,4 +27,4 @@ Index: krb5-1.9.1/src/slave/kprop.c - retval = krb5_cc_resolve(context, buf, &ccache); if (retval) { - com_err(progname, retval, "while opening credential cache %s", + com_err(progname, retval, _("while opening credential cache %s"), buf); diff --git a/krb5-1.9-manpaths.dif b/krb5-1.9-manpaths.dif index 71cc421..645672d 100644 --- a/krb5-1.9-manpaths.dif +++ b/krb5-1.9-manpaths.dif @@ -3,11 +3,11 @@ values can be dropped in by config.status. After applying this patch, these files should be renamed to their ".in" counterparts, and then the configure scripts should be rebuilt. Originally RT#6525 -Index: krb5-1.9.1/src/aclocal.m4 +Index: krb5-1.10.2/src/aclocal.m4 =================================================================== ---- krb5-1.9.1.orig/src/aclocal.m4 -+++ krb5-1.9.1/src/aclocal.m4 -@@ -1782,3 +1782,24 @@ AC_SUBST(PAM_LIBS) +--- krb5-1.10.2.orig/src/aclocal.m4 ++++ krb5-1.10.2/src/aclocal.m4 +@@ -1743,3 +1743,24 @@ AC_SUBST(PAM_LIBS) AC_SUBST(PAM_MAN) AC_SUBST(NON_PAM_MAN) ])dnl 
@@ -32,10 +32,32 @@ Index: krb5-1.9.1/src/aclocal.m4 +AC_SUBST(manlibexecdir) +AC_CONFIG_FILES($1) +]) -Index: krb5-1.9.1/src/appl/sample/sserver/sserver.M +Index: krb5-1.10.2/src/configure.in =================================================================== ---- krb5-1.9.1.orig/src/appl/sample/sserver/sserver.M -+++ krb5-1.9.1/src/appl/sample/sserver/sserver.M +--- krb5-1.10.2.orig/src/configure.in ++++ krb5-1.10.2/src/configure.in +@@ -1249,6 +1249,17 @@ AC_SUBST(localedir) + KRB5_WITH_PAM + + AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) ++ ++V5_AC_OUTPUT_MANPAGE([ ++ appl/sample/sserver/sserver.M ++ config-files/kdc.conf.M ++ config-files/krb5.conf.M ++ gen-manpages/kerberos.M ++ kadmin/cli/kadmin.M ++ slave/kpropd.M ++ slave/kprop.M ++]) ++ + V5_AC_OUTPUT_MAKEFILE(. + + util util/support util/profile util/profile/testmod util/send-pr +Index: krb5-1.10.2/src/appl/sample/sserver/sserver.M +=================================================================== +--- krb5-1.10.2.orig/src/appl/sample/sserver/sserver.M ++++ krb5-1.10.2/src/appl/sample/sserver/sserver.M @@ -59,7 +59,7 @@ option allows for a different keytab tha using a line in /etc/inetd.conf that looks like this: @@ -45,10 +67,10 @@ Index: krb5-1.9.1/src/appl/sample/sserver/sserver.M .PP Since \fBsample\fP is normally not a port defined in /etc/services, you will usually have to add a line to /etc/services which looks like this: -Index: krb5-1.9.1/src/config-files/kdc.conf.M +Index: krb5-1.10.2/src/config-files/kdc.conf.M =================================================================== ---- krb5-1.9.1.orig/src/config-files/kdc.conf.M -+++ krb5-1.9.1/src/config-files/kdc.conf.M +--- krb5-1.10.2.orig/src/config-files/kdc.conf.M ++++ krb5-1.10.2/src/config-files/kdc.conf.M @@ -92,14 +92,14 @@ This .B string specifies the location of the access control list (acl) file that 
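Review bot: The relocated configure.in hunk in krb5-1.9-manpaths.dif anchors on `KRB5_WITH_PAM` as context, a line that is only present once krb5-1.8-pam.patch has been applied (it is added by that patch's configure.in hunk elsewhere in this commit), so the ordering dependency between the two patches is now baked into this hunk but not stated anywhere. Consider recording it in the patch's header text, e.g. `Requires krb5-1.8-pam.patch to be applied first: the configure.in hunk uses KRB5_WITH_PAM as context.`, so a later reorder of the series fails for an understood reason. The same manpage list also appears in krb5-1.8-manpaths.txt in this commit; a one-line remark that the two lists must be kept in sync would help the next rebase. The header text of the patch is outside this hunk.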
@@ -75,44 +97,36 @@ Index: krb5-1.9.1/src/config-files/kdc.conf.M .SH SEE ALSO krb5.conf(5), krb5kdc(8) -Index: krb5-1.9.1/src/config-files/krb5.conf.M +Index: krb5-1.10.2/src/config-files/krb5.conf.M =================================================================== ---- krb5-1.9.1.orig/src/config-files/krb5.conf.M -+++ krb5-1.9.1/src/config-files/krb5.conf.M -@@ -768,6 +768,6 @@ with another database such as Active Dir - in for this interface. +--- krb5-1.10.2.orig/src/config-files/krb5.conf.M ++++ krb5-1.10.2/src/config-files/krb5.conf.M +@@ -808,6 +808,6 @@ This module implements the encrypted cha + This module implements the encrypted timestamp mechanism. .SH FILES -/etc/krb5.conf +@mansysconfdir@/krb5.conf .SH SEE ALSO syslog(3) -Index: krb5-1.9.1/src/configure.in +Index: krb5-1.10.2/src/gen-manpages/kerberos.M =================================================================== ---- krb5-1.9.1.orig/src/configure.in -+++ krb5-1.9.1/src/configure.in -@@ -1128,6 +1128,16 @@ fi - KRB5_WITH_PAM - - AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) -+ -+V5_AC_OUTPUT_MANPAGE([ -+ appl/sample/sserver/sserver.M -+ config-files/kdc.conf.M -+ config-files/krb5.conf.M -+ kadmin/cli/kadmin.M -+ slave/kpropd.M -+ slave/kprop.M -+]) -+ - V5_AC_OUTPUT_MAKEFILE(. - - util util/support util/profile util/send-pr -Index: krb5-1.9.1/src/kadmin/cli/kadmin.M +--- krb5-1.10.2.orig/src/gen-manpages/kerberos.M ++++ krb5-1.10.2/src/gen-manpages/kerberos.M +@@ -125,7 +125,7 @@ default is /etc/krb5.conf. + Specifies the location of the KDC configuration file, which contains + additional configuration directives for the Key Distribution Center + daemon and associated programs. The default is +-/usr/local/var/krb5kdc/kdc.conf. ++@manlocalstatedir@/krb5kdc/kdc.conf. + .TP + .B KRB5RCACHETYPE + Specifies the default type of replay cache to use for servers. 
Valid +Index: krb5-1.10.2/src/kadmin/cli/kadmin.M =================================================================== ---- krb5-1.9.1.orig/src/kadmin/cli/kadmin.M -+++ krb5-1.9.1/src/kadmin/cli/kadmin.M -@@ -880,9 +880,9 @@ option is specified, less verbose status +--- krb5-1.10.2.orig/src/kadmin/cli/kadmin.M ++++ krb5-1.10.2/src/kadmin/cli/kadmin.M +@@ -924,9 +924,9 @@ option is specified, less verbose status .RS .TP EXAMPLE: @@ -124,19 +138,10 @@ Index: krb5-1.9.1/src/kadmin/cli/kadmin.M kadmin: .RE .fi -@@ -924,7 +924,7 @@ passwords. - .SH HISTORY - The - .B kadmin --prorgam was originally written by Tom Yu at MIT, as an interface to the -+program was originally written by Tom Yu at MIT, as an interface to the - OpenVision Kerberos administration program. - .SH SEE ALSO - .IR kerberos (1), -Index: krb5-1.9.1/src/slave/kpropd.M +Index: krb5-1.10.2/src/slave/kpropd.M =================================================================== ---- krb5-1.9.1.orig/src/slave/kpropd.M -+++ krb5-1.9.1/src/slave/kpropd.M +--- krb5-1.10.2.orig/src/slave/kpropd.M ++++ krb5-1.10.2/src/slave/kpropd.M @@ -74,7 +74,7 @@ Normally, kpropd is invoked out of This is done by adding a line to the inetd.conf file which looks like this: @@ -179,10 +184,10 @@ Index: krb5-1.9.1/src/slave/kpropd.M Each entry is a line containing the principal of a host from which the local machine will allow Kerberos database propagation via kprop. .SH SEE ALSO -Index: krb5-1.9.1/src/slave/kprop.M +Index: krb5-1.10.2/src/slave/kprop.M =================================================================== ---- krb5-1.9.1.orig/src/slave/kprop.M -+++ krb5-1.9.1/src/slave/kprop.M +--- krb5-1.10.2.orig/src/slave/kprop.M ++++ krb5-1.10.2/src/slave/kprop.M @@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv This is done by transmitting the dumped database file to the slave server over an encrypted, secure channel. The dump file must be created 
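Review bot: The new kerberos.M hunk routes the kdc.conf default through `@manlocalstatedir@`, but the hunk header context (`default is /etc/krb5.conf.`) suggests the krb5.conf default in the same manpage is still a literal path, whereas the krb5.conf.M hunk of this same patch already substitutes `@mansysconfdir@/krb5.conf`. Unless that line was deliberately left alone, extend the kerberos.M hunk so the krb5.conf default also reads `@mansysconfdir@/krb5.conf`, so that the documented defaults stay consistent with the configured sysconfdir across the two manpages. The surrounding manpage text is outside the hunk, so the exact line to change cannot be confirmed from here.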
diff --git a/krb5-1.9-paren.patch b/krb5-1.9-paren.patch deleted file mode 100644 index c5afd7a..0000000 --- a/krb5-1.9-paren.patch +++ /dev/null @@ -1,13 +0,0 @@ -Upstream commit #24477. -diff -up krb5-1.9/src/slave/kpropd.c krb5-1.9/src/slave/kpropd.c ---- krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:24.020999947 -0400 -+++ krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:34.159999947 -0400 -@@ -993,7 +993,7 @@ unsigned int backoff_from_master(int *cn - btime = (unsigned int)(2<<(*cnt)); - if (btime > MAX_BACKOFF) { - btime = MAX_BACKOFF; -- *cnt--; -+ (*cnt)--; - } - - return (btime); diff --git a/krb5-1.9.1-ai_addrconfig.patch b/krb5-1.9.1-ai_addrconfig.patch deleted file mode 100644 index 202dde5..0000000 --- a/krb5-1.9.1-ai_addrconfig.patch +++ /dev/null @@ -1,30 +0,0 @@ -From RT#6922. When we're converting a host/service pair into a principal -name, specify AF_UNSPEC instead of AF_INET4 and then maybe AF_INET6 to try -to avoid libc having doing a PTR lookup because we also specify -AI_CANONNAME. Add AI_ADDRCONFIG because it's usually the right idea. - -Index: src/lib/krb5/os/sn2princ.c -=================================================================== ---- src/lib/krb5/os/sn2princ.c.orig -+++ src/lib/krb5/os/sn2princ.c -@@ -107,19 +107,12 @@ krb5_sname_to_principal(krb5_context con - hostnames associated. */ - - memset(&hints, 0, sizeof(hints)); -- hints.ai_family = AF_INET; -- hints.ai_flags = AI_CANONNAME; -- try_getaddrinfo_again: -+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; - err = getaddrinfo(hostname, 0, &hints, &ai); - if (err) { - #ifdef DEBUG_REFERRALS - printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname); - #endif -- if (hints.ai_family == AF_INET) { -- /* Just in case it's an IPv6-only name. */ -- hints.ai_family = 0; -- goto try_getaddrinfo_again; -- } - return KRB5_ERR_BAD_HOSTNAME; - } - remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname); 
diff --git a/krb5-1.9.1-ai_addrconfig2.patch b/krb5-1.9.1-ai_addrconfig2.patch
deleted file mode 100644
index 53f9820..0000000
--- a/krb5-1.9.1-ai_addrconfig2.patch
+++ /dev/null
@@ -1,122 +0,0 @@ -Most of RT#6923, except for the part that depends on the sendto_kdc rewrite -(it's still in locate_kdc in this version): pass AI_ADDRCONFIG whenever we -specify hints to getaddrinfo() to get the address of a server. - -Index: src/plugins/locate/python/py-locate.c -=================================================================== ---- src/plugins/locate/python/py-locate.c.orig -+++ src/plugins/locate/python/py-locate.c -@@ -303,6 +303,7 @@ lookup(void *blob, enum locate_service_t - return -1; - } - aihints.ai_socktype = thissocktype; -+ aihints.ai_flags = AI_ADDRCONFIG; - x = getaddrinfo (hoststr, portstr, &aihints, &airesult); - if (x != 0) - continue; -Index: src/appl/sample/sclient/sclient.c -=================================================================== ---- src/appl/sample/sclient/sclient.c.orig -+++ src/appl/sample/sclient/sclient.c -@@ -124,6 +124,7 @@ main(int argc, char *argv[]) - - memset(&aihints, 0, sizeof(aihints)); - aihints.ai_socktype = SOCK_STREAM; -+ aihints.ai_flags = AI_ADDRCONFIG; - aierr = getaddrinfo(argv[1], portstr, &aihints, &ap); - if (aierr) { - fprintf(stderr, "%s: error looking up host '%s' port '%s'/tcp: %s\n", -Index: src/kadmin/dbutil/kadm5_create.c -=================================================================== ---- src/kadmin/dbutil/kadm5_create.c.orig -+++ src/kadmin/dbutil/kadm5_create.c -@@ -182,7 +182,7 @@ static int add_admin_princs(void *handle - goto clean_and_exit; - } - memset(&ai_hints, 0, sizeof(ai_hints)); -- ai_hints.ai_flags = AI_CANONNAME; -+ ai_hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; - gai_error = getaddrinfo(localname, (char *)NULL, &ai_hints, &ai); - if (gai_error) { - ret = EINVAL; -Index: src/lib/kadm5/alt_prof.c -=================================================================== ---- src/lib/kadm5/alt_prof.c.orig -+++ src/lib/kadm5/alt_prof.c -@@ -901,7 +901,7 @@ kadm5_get_admin_service_name(krb5_contex - } - - memset(&hint, 0, sizeof(hint)); -- hint.ai_flags = 
AI_CANONNAME; -+ hint.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; - err = getaddrinfo(params_out.admin_server, NULL, &hint, &ai); - if (err != 0) { - ret = KADM5_CANT_RESOLVE; -Index: src/lib/kadm5/clnt/client_init.c -=================================================================== ---- src/lib/kadm5/clnt/client_init.c.orig -+++ src/lib/kadm5/clnt/client_init.c -@@ -563,8 +563,9 @@ connect_to_server(const char *hostname, - (void) snprintf(portbuf, sizeof(portbuf), "%d", port); - memset(&hint, 0, sizeof(hint)); - hint.ai_socktype = SOCK_STREAM; -+ hint.ai_flags = AI_ADDRCONFIG; - #ifdef AI_NUMERICSERV -- hint.ai_flags = AI_NUMERICSERV; -+ hint.ai_flags |= AI_NUMERICSERV; - #endif - err = getaddrinfo(hostname, portbuf, &hint, &addrs); - if (err != 0) -Index: src/lib/krb5/os/hostaddr.c -=================================================================== ---- src/lib/krb5/os/hostaddr.c.orig -+++ src/lib/krb5/os/hostaddr.c -@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c - return KRB5_ERR_BAD_HOSTNAME; - - memset (&hints, 0, sizeof (hints)); -- hints.ai_flags = AI_NUMERICHOST; -+ hints.ai_flags = AI_NUMERICHOST | AI_ADDRCONFIG; - /* We don't care what kind at this point, really, but without - this, we can get back multiple sockaddrs per address, for - SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. 
I haven't checked if -Index: src/lib/krb5/os/hst_realm.c -=================================================================== ---- src/lib/krb5/os/hst_realm.c.orig -+++ src/lib/krb5/os/hst_realm.c -@@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz - int err; - - memset (&hints, 0, sizeof (hints)); -- hints.ai_flags = AI_CANONNAME; -+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; - err = getaddrinfo (name, 0, &hints, &ai); - if (err) - return krb5int_translate_gai_error (err); -Index: src/slave/kprop.c -=================================================================== ---- src/slave/kprop.c.orig -+++ src/slave/kprop.c -@@ -325,6 +325,7 @@ open_connection(krb5_context context, ch - memset(&hints, 0, sizeof(hints)); - hints.ai_family = PF_UNSPEC; - hints.ai_socktype = SOCK_STREAM; -+ hints.ai_flags = AI_ADDRCONFIG; - error = getaddrinfo(host, port, &hints, &answers); - if (error != 0) { - com_err(progname, 0, "%s: %s", host, gai_strerror(error)); -Index: src/lib/krb5/os/locate_kdc.c -=================================================================== ---- src/lib/krb5/os/locate_kdc.c.orig -+++ src/lib/krb5/os/locate_kdc.c -@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis - memset(&hint, 0, sizeof(hint)); - hint.ai_family = family; - hint.ai_socktype = socktype; -+ hint.ai_flags = AI_ADDRCONFIG; - #ifdef AI_NUMERICSERV -- hint.ai_flags = AI_NUMERICSERV; -+ hint.ai_flags |= AI_NUMERICSERV; - #endif - result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)); - if (SNPRINTF_OVERFLOW(result, sizeof(portbuf))) diff --git a/krb5-1.9.1-sendto_poll.patch b/krb5-1.9.1-sendto_poll.patch deleted file mode 100644 index b9923ee..0000000 --- a/krb5-1.9.1-sendto_poll.patch +++ /dev/null 
@@ -1,624 +0,0 @@ -Pulled from SVN, then munged to apply to 1.9. Modifies cm.h so that a -struct select_state has an alternate layout when USE_POLL is defined, -and if we detect at configure-time, have sendto_kdc.c define -USE_POLL to force its use. Adapts sendto_kdc.c to handle both cases, -so that the previous behavior is preserved when is not found. -RT#6905 - -Index: src/include/cm.h -=================================================================== ---- src/include/cm.h.orig -+++ src/include/cm.h -@@ -25,11 +25,20 @@ - * or implied warranty. - */ - --/* Since fd_set is large on some platforms (8K on AIX 5.2), this -- probably shouldn't be allocated in automatic storage. */ -+/* -+ * Since fd_set is large on some platforms (8K on AIX 5.2), this probably -+ * shouldn't be allocated in automatic storage. Define USE_POLL and -+ * MAX_POLLFDS in the consumer of this header file to use poll state instead of -+ * select state. -+ */ - struct select_state { -- int max, nfds; -+#ifdef USE_POLL -+ struct pollfd fds[MAX_POLLFDS]; -+#else -+ int max; - fd_set rfds, wfds, xfds; -+#endif -+ int nfds; - struct timeval end_time; /* magic: tv_sec==0 => never time out */ - }; - -Index: src/configure.in -=================================================================== ---- src/configure.in.orig -+++ src/configure.in -@@ -74,7 +74,7 @@ LIBUTIL=-lutil - ]) - AC_SUBST(LIBUTIL) - # for kdc --AC_CHECK_HEADERS(syslog.h stdarg.h sys/select.h sys/sockio.h ifaddrs.h unistd.h) -+AC_CHECK_HEADERS(syslog.h stdarg.h sys/sockio.h ifaddrs.h unistd.h) - AC_CHECK_FUNCS(openlog syslog closelog strftime vsprintf vasprintf vsnprintf) - AC_CHECK_FUNCS(strlcpy) - EXTRA_SUPPORT_SYMS= -@@ -493,7 +493,7 @@ AC_CHECK_HEADER(termios.h, - AC_DEFINE(POSIX_TERMIOS,1,[Define if termios.h exists and tcsetattr exists]))]) - - KRB5_SIGTYPE --AC_CHECK_HEADERS(stdlib.h string.h stddef.h sys/types.h sys/file.h sys/param.h sys/stat.h sys/time.h netinet/in.h sys/uio.h sys/filio.h sys/select.h time.h paths.h 
errno.h) -+AC_CHECK_HEADERS(poll.h stdlib.h string.h stddef.h sys/types.h sys/file.h sys/param.h sys/stat.h sys/time.h netinet/in.h sys/uio.h sys/filio.h sys/select.h time.h paths.h errno.h) - AC_HEADER_STDARG - KRB5_AC_INET6 - -Index: src/lib/krb5/os/cm.c -=================================================================== ---- /dev/null -+++ src/lib/krb5/os/cm.c -@@ -0,0 +1,97 @@ -+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -+/* lib/krb5/os/cm.c - Connection manager functions */ -+/* -+ * Copyright (C) 2011 by the Massachusetts Institute of Technology. -+ * All rights reserved. -+ * -+ * Export of this software from the United States of America may -+ * require a specific license from the United States Government. -+ * It is the responsibility of any person or organization contemplating -+ * export to obtain such a license before exporting. -+ * -+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -+ * distribute this software and its documentation for any purpose and -+ * without fee is hereby granted, provided that the above copyright -+ * notice appear in all copies and that both that copyright notice and -+ * this permission notice appear in supporting documentation, and that -+ * the name of M.I.T. not be used in advertising or publicity pertaining -+ * to distribution of the software without specific, written prior -+ * permission. Furthermore if you modify this software you must label -+ * your software as modified software and not distribute it in such a -+ * fashion that it might be confused with the original M.I.T. software. -+ * M.I.T. makes no representations about the suitability of -+ * this software for any purpose. It is provided "as is" without express -+ * or implied warranty. -+ */ -+ -+/* -+ * This file include krb5int_cm_call_select, which is used by -+ * lib/apputils/net-server.c and sometimes by sendto_kdc.c. 
-+ */ -+ -+#include "k5-int.h" -+#ifdef HAVE_SYS_SELECT_H -+#include -+#endif -+#ifdef _WIN32 -+#include -+#endif -+#include "cm.h" -+ -+int -+k5_getcurtime(struct timeval *tvp) -+{ -+#ifdef _WIN32 -+ struct _timeb tb; -+ _ftime(&tb); -+ tvp->tv_sec = tb.time; -+ tvp->tv_usec = tb.millitm * 1000; -+ /* Can _ftime fail? */ -+ return 0; -+#else -+ if (gettimeofday(tvp, 0)) -+ return errno; -+ return 0; -+#endif -+} -+ -+/* -+ * Call select and return results. -+ * Input: interesting file descriptors and absolute timeout -+ * Output: select return value (-1 or num fds ready) and fd_sets -+ * Return: 0 (for i/o available or timeout) or error code. -+ */ -+krb5_error_code -+krb5int_cm_call_select (const struct select_state *in, -+ struct select_state *out, int *sret) -+{ -+ struct timeval now, *timo; -+ krb5_error_code e; -+ -+ *out = *in; -+ e = k5_getcurtime(&now); -+ if (e) -+ return e; -+ if (out->end_time.tv_sec == 0) -+ timo = 0; -+ else { -+ timo = &out->end_time; -+ out->end_time.tv_sec -= now.tv_sec; -+ out->end_time.tv_usec -= now.tv_usec; -+ if (out->end_time.tv_usec < 0) { -+ out->end_time.tv_usec += 1000000; -+ out->end_time.tv_sec--; -+ } -+ if (out->end_time.tv_sec < 0) { -+ *sret = 0; -+ return 0; -+ } -+ } -+ -+ *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, timo); -+ e = SOCKET_ERRNO; -+ -+ if (*sret < 0) -+ return e; -+ return 0; -+} -Index: src/lib/krb5/os/Makefile.in -=================================================================== ---- src/lib/krb5/os/Makefile.in.orig -+++ src/lib/krb5/os/Makefile.in -@@ -18,6 +18,7 @@ STLIBOBJS= \ - def_realm.o \ - ccdefname.o \ - changepw.o \ -+ cm.o \ - dnsglue.o \ - dnssrv.o \ - free_krbhs.o \ -@@ -62,6 +63,7 @@ OBJS= \ - $(OUTPRE)def_realm.$(OBJEXT) \ - $(OUTPRE)ccdefname.$(OBJEXT) \ - $(OUTPRE)changepw.$(OBJEXT) \ -+ $(OUTPRE)cm.$(OBJEXT) \ - $(OUTPRE)dnsglue.$(OBJEXT) \ - $(OUTPRE)dnssrv.$(OBJEXT) \ - $(OUTPRE)free_krbhs.$(OBJEXT) \ -@@ -106,6 +108,7 @@ SRCS= \ - $(srcdir)/def_realm.c \ - 
$(srcdir)/ccdefname.c \ - $(srcdir)/changepw.c \ -+ $(srcdir)/cm.c \ - $(srcdir)/dnsglue.c \ - $(srcdir)/dnssrv.c \ - $(srcdir)/free_krbhs.c \ -Index: src/lib/krb5/os/os-proto.h -=================================================================== ---- src/lib/krb5/os/os-proto.h.orig -+++ src/lib/krb5/os/os-proto.h -@@ -31,6 +31,10 @@ - #ifndef KRB5_LIBOS_INT_PROTO__ - #define KRB5_LIBOS_INT_PROTO__ - -+#ifdef HAVE_SYS_TIME_H -+#include -+#endif -+ - struct addrlist; - krb5_error_code krb5_locate_kdc(krb5_context, const krb5_data *, - struct addrlist *, int, int, int); -@@ -75,6 +79,8 @@ krb5_error_code krb5int_get_fq_local_hos - /* The io vector is *not* const here, unlike writev()! */ - int krb5int_net_writev (krb5_context, int, sg_buf *, int); - -+int k5_getcurtime(struct timeval *tvp); -+ - #include "k5-thread.h" - extern k5_mutex_t krb5int_us_time_mutex; - -Index: src/lib/krb5/os/sendto_kdc.c -=================================================================== ---- src/lib/krb5/os/sendto_kdc.c.orig -+++ src/lib/krb5/os/sendto_kdc.c -@@ -32,17 +32,16 @@ - #include "fake-addrinfo.h" - #include "k5-int.h" - --#ifdef HAVE_SYS_TIME_H --#include --#else --#include --#endif - #include "os-proto.h" - #ifdef _WIN32 - #include - #endif - --#ifdef _AIX -+#if defined(HAVE_POLL_H) -+#include -+#define USE_POLL -+#define MAX_POLLFDS 1024 -+#elif defined(HAVE_SYS_SELECT_H) - #include - #endif - -@@ -170,29 +169,6 @@ krb5int_debug_fprint (const char *fmt, . 
- p = strerror(err); - putstr(p); - break; -- case 'F': -- /* %F => fd_set *, fd_set *, fd_set *, int */ -- rfds = va_arg(args, fd_set *); -- wfds = va_arg(args, fd_set *); -- xfds = va_arg(args, fd_set *); -- maxfd = va_arg(args, int); -- -- for (i = 0; i < maxfd; i++) { -- int r = FD_ISSET(i, rfds); -- int w = wfds && FD_ISSET(i, wfds); -- int x = xfds && FD_ISSET(i, xfds); -- if (r || w || x) { -- putf(" %d", i); -- if (r) -- putstr("r"); -- if (w) -- putstr("w"); -- if (x) -- putstr("x"); -- } -- } -- putstr(" "); -- break; - case 's': - /* %s => char * */ - p = va_arg(args, const char *); -@@ -506,75 +482,154 @@ krb5_sendto_kdc (krb5_context context, c - - #include "cm.h" - --static int --getcurtime (struct timeval *tvp) -+/* -+ * Currently only sendto_kdc.c knows how to use poll(); the other candidate -+ * user, lib/apputils/net-server.c, is stuck using select() for the moment -+ * since it is entangled with the RPC library. The following cm_* functions -+ * are not fully generic, are O(n^2) in the poll case, and are limited to -+ * handling 1024 connections (in order to maintain a constant-sized selstate). -+ * More rearchitecting would be appropriate before extending this support to -+ * the KDC and kadmind. -+ */ -+ -+static void -+cm_init_selstate(struct select_state *selstate) - { --#ifdef _WIN32 -- struct _timeb tb; -- _ftime(&tb); -- tvp->tv_sec = tb.time; -- tvp->tv_usec = tb.millitm * 1000; -- /* Can _ftime fail? 
*/ -- return 0; -+ selstate->nfds = 0; -+ selstate->end_time.tv_sec = selstate->end_time.tv_usec = 0; -+#ifndef USE_POLL -+ selstate->max = 0; -+ selstate->nfds = 0; -+ FD_ZERO(&selstate->rfds); -+ FD_ZERO(&selstate->wfds); -+ FD_ZERO(&selstate->xfds); -+#endif -+} -+ -+static krb5_boolean -+cm_add_fd(struct select_state *selstate, int fd, unsigned int ssflags) -+{ -+#ifdef USE_POLL -+ if (selstate->nfds >= MAX_POLLFDS) -+ return FALSE; -+ selstate->fds[selstate->nfds].fd = fd; -+ selstate->fds[selstate->nfds].events = 0; -+ if (ssflags & SSF_READ) -+ selstate->fds[selstate->nfds].events |= POLLIN; -+ if (ssflags & SSF_WRITE) -+ selstate->fds[selstate->nfds].events |= POLLOUT; -+#else -+#ifndef _WIN32 /* On Windows FD_SETSIZE is a count, not a max value. */ -+ if (fd >= FD_SETSIZE) -+ return FALSE; -+#endif -+ if (ssflags & SSF_READ) -+ FD_SET(fd, &selstate->rfds); -+ if (ssflags & SSF_WRITE) -+ FD_SET(fd, &selstate->wfds); -+ if (ssflags & SSF_EXCEPTION) -+ FD_SET(fd, &selstate->xfds); -+ if (selstate->max <= fd) -+ selstate->max = fd + 1; -+#endif -+ selstate->nfds++; -+ return TRUE; -+} -+ -+static void -+cm_remove_fd(struct select_state *selstate, int fd) -+{ -+#ifdef USE_POLL -+ int i; -+ -+ /* Find the FD in the array and move the last entry to its place. */ -+ assert(selstate->nfds > 0); -+ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++); -+ assert(i < selstate->nfds); -+ selstate->fds[i] = selstate->fds[selstate->nfds - 1]; - #else -- if (gettimeofday(tvp, 0)) { -- dperror("gettimeofday"); -- return errno; -+ FD_CLR(fd, &selstate->rfds); -+ FD_CLR(fd, &selstate->wfds); -+ FD_CLR(fd, &selstate->xfds); -+ if (selstate->max == 1 + fd) { -+ while (selstate->max > 0 -+ && ! FD_ISSET(selstate->max-1, &selstate->rfds) -+ && ! FD_ISSET(selstate->max-1, &selstate->wfds) -+ && ! 
FD_ISSET(selstate->max-1, &selstate->xfds)) -+ selstate->max--; -+ dprint("new max_fd + 1 is %d\n", selstate->max); - } -- return 0; - #endif -+ selstate->nfds--; - } - --/* -- * Call select and return results. -- * Input: interesting file descriptors and absolute timeout -- * Output: select return value (-1 or num fds ready) and fd_sets -- * Return: 0 (for i/o available or timeout) or error code. -- */ --krb5_error_code --krb5int_cm_call_select (const struct select_state *in, -- struct select_state *out, int *sret) -+static void -+cm_unset_write(struct select_state *selstate, int fd) - { -- struct timeval now, *timo; -- krb5_error_code e; -+#ifdef USE_POLL -+ int i; - -- *out = *in; -- e = getcurtime(&now); -- if (e) -- return e; -- if (out->end_time.tv_sec == 0) -- timo = 0; -+ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++); -+ assert(i < selstate->nfds); -+ selstate->fds[i].events &= ~POLLOUT; -+#else -+ FD_CLR(fd, &selstate->wfds); -+#endif -+} -+ -+static krb5_error_code -+cm_select_or_poll(const struct select_state *in, struct select_state *out, -+ int *sret) -+{ -+#ifdef USE_POLL -+ struct timeval now; -+ int e, timeout; -+ -+ if (in->end_time.tv_sec == 0) -+ timeout = -1; - else { -- timo = &out->end_time; -- out->end_time.tv_sec -= now.tv_sec; -- out->end_time.tv_usec -= now.tv_usec; -- if (out->end_time.tv_usec < 0) { -- out->end_time.tv_usec += 1000000; -- out->end_time.tv_sec--; -- } -- if (out->end_time.tv_sec < 0) { -- *sret = 0; -- return 0; -- } -+ e = k5_getcurtime(&now); -+ if (e) -+ return e; -+ timeout = (in->end_time.tv_sec - now.tv_sec) * 1000 + -+ (in->end_time.tv_usec - now.tv_usec) / 1000; - } -- dprint("selecting on max=%d sockets [%F] timeout %t\n", -- out->max, -- &out->rfds, &out->wfds, &out->xfds, out->max, -- timo); -- *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, timo); -+ /* We don't need a separate copy of the selstate for poll, but use one -+ * anyone for consistency with the select wrapper. 
*/ -+ *out = *in; -+ *sret = poll(out->fds, out->nfds, timeout); - e = SOCKET_ERRNO; -+ return (*sret < 0) ? e : 0; -+#else -+ /* Use the select wrapper from cm.c. */ -+ return krb5int_cm_call_select(in, out, sret); -+#endif -+} - -- dprint("select returns %d", *sret); -- if (*sret < 0) -- dprint(", error = %E\n", e); -- else if (*sret == 0) -- dprint(" (timeout)\n"); -- else -- dprint(":%F\n", &out->rfds, &out->wfds, &out->xfds, out->max); -+static unsigned int -+cm_get_ssflags(struct select_state *selstate, int fd) -+{ -+ unsigned int ssflags = 0; -+#ifdef USE_POLL -+ int i; - -- if (*sret < 0) -- return e; -- return 0; -+ for (i = 0; i < selstate->nfds && selstate->fds[i].fd != fd; i++); -+ assert(i < selstate->nfds); -+ if (selstate->fds[i].revents & POLLIN) -+ ssflags |= SSF_READ; -+ if (selstate->fds[i].revents & POLLOUT) -+ ssflags |= SSF_WRITE; -+ if (selstate->fds[i].revents & POLLERR) -+ ssflags |= SSF_EXCEPTION; -+#else -+ if (FD_ISSET(fd, &selstate->rfds)) -+ ssflags |= SSF_READ; -+ if (FD_ISSET(fd, &selstate->wfds)) -+ ssflags |= SSF_WRITE; -+ if (FD_ISSET(fd, &selstate->xfds)) -+ ssflags |= SSF_EXCEPTION; -+#endif -+ return ssflags; - } - - static int service_tcp_fd(krb5_context context, struct conn_state *conn, -@@ -657,6 +712,7 @@ start_connection(krb5_context context, s - krb5_data *callback_buffer) - { - int fd, e; -+ unsigned int ssflags; - struct addrinfo *ai = state->addr; - - dprint("start_connection(@%p)\ngetting %s socket in family %d...", state, -@@ -667,14 +723,6 @@ start_connection(krb5_context context, s - dprint("socket: %m creating with af %d\n", state->err, ai->ai_family); - return -1; /* try other hosts */ - } --#ifndef _WIN32 /* On Windows FD_SETSIZE is a count, not a max value. */ -- if (fd >= FD_SETSIZE) { -- closesocket(fd); -- state->err = EMFILE; -- dprint("socket: fd %d too high\n", fd); -- return -1; -- } --#endif - set_cloexec_fd(fd); - /* Make it non-blocking. 
*/ - if (ai->ai_socktype == SOCK_STREAM) { -@@ -778,16 +826,15 @@ start_connection(krb5_context context, s - } - } - #endif -- FD_SET(state->fd, &selstate->rfds); -+ ssflags = SSF_READ | SSF_EXCEPTION; - if (state->state == CONNECTING || state->state == WRITING) -- FD_SET(state->fd, &selstate->wfds); -- FD_SET(state->fd, &selstate->xfds); -- if (selstate->max <= state->fd) -- selstate->max = state->fd + 1; -- selstate->nfds++; -- -- dprint("new select vectors: %F\n", -- &selstate->rfds, &selstate->wfds, &selstate->xfds, selstate->max); -+ ssflags |= SSF_WRITE; -+ if (!cm_add_fd(selstate, state->fd, ssflags)) { -+ (void) closesocket(state->fd); -+ state->fd = INVALID_SOCKET; -+ state->state = FAILED; -+ return -1; -+ } - - return 0; - } -@@ -849,22 +896,11 @@ static void - kill_conn(struct conn_state *conn, struct select_state *selstate, int err) - { - conn->state = FAILED; -- shutdown(conn->fd, SHUTDOWN_BOTH); -- FD_CLR(conn->fd, &selstate->rfds); -- FD_CLR(conn->fd, &selstate->wfds); -- FD_CLR(conn->fd, &selstate->xfds); - conn->err = err; -+ shutdown(conn->fd, SHUTDOWN_BOTH); -+ cm_remove_fd(selstate, conn->fd); - dprint("abandoning connection %d: %m\n", conn->fd, err); - /* Fix up max fd for next select call. */ -- if (selstate->max == 1 + conn->fd) { -- while (selstate->max > 0 -- && ! FD_ISSET(selstate->max-1, &selstate->rfds) -- && ! FD_ISSET(selstate->max-1, &selstate->wfds) -- && ! FD_ISSET(selstate->max-1, &selstate->xfds)) -- selstate->max--; -- dprint("new max_fd + 1 is %d\n", selstate->max); -- } -- selstate->nfds--; - } - - /* Check socket for error. */ -@@ -986,7 +1022,7 @@ service_tcp_fd(krb5_context context, str - /* Done writing, switch to reading. 
*/ - /* Don't call shutdown at this point because - * some implementations cannot deal with half-closed connections.*/ -- FD_CLR(conn->fd, &selstate->wfds); -+ cm_unset_write(selstate, conn->fd); - /* Q: How do we detect failures to send the remaining data - to the remote side, since we're in non-blocking mode? - Will we always get errors on the reading side? */ -@@ -1100,7 +1136,8 @@ service_fds (krb5_context context, - while (selstate->nfds > 0) { - unsigned int i; - -- e = krb5int_cm_call_select(selstate, seltemp, &selret); -+ selret = 0; -+ e = cm_select_or_poll(selstate, seltemp, &selret); - if (e == EINTR) - continue; - if (e != 0) -@@ -1113,18 +1150,12 @@ service_fds (krb5_context context, - return 0; - - /* Got something on a socket, process it. */ -- for (i = 0; i <= (unsigned int)selstate->max && selret > 0 && i < n_conns; i++) { -+ for (i = 0; i < n_conns; i++) { - int ssflags; - - if (conns[i].fd == INVALID_SOCKET) - continue; -- ssflags = 0; -- if (FD_ISSET(conns[i].fd, &seltemp->rfds)) -- ssflags |= SSF_READ, selret--; -- if (FD_ISSET(conns[i].fd, &seltemp->wfds)) -- ssflags |= SSF_WRITE, selret--; -- if (FD_ISSET(conns[i].fd, &seltemp->xfds)) -- ssflags |= SSF_EXCEPTION, selret--; -+ ssflags = cm_get_ssflags(seltemp, conns[i].fd); - if (!ssflags) - continue; - -@@ -1239,12 +1270,7 @@ krb5int_sendto (krb5_context context, co - retval = ENOMEM; - goto egress; - } -- sel_state->max = 0; -- sel_state->nfds = 0; -- sel_state->end_time.tv_sec = sel_state->end_time.tv_usec = 0; -- FD_ZERO(&sel_state->rfds); -- FD_ZERO(&sel_state->wfds); -- FD_ZERO(&sel_state->xfds); -+ cm_init_selstate(sel_state); - - - /* Set up connections. */ -@@ -1265,7 +1291,7 @@ krb5int_sendto (krb5_context context, co - (callback_info ? 
&callback_data[host] : NULL))) - continue; - -- retval = getcurtime(&now); -+ retval = k5_getcurtime(&now); - if (retval) - goto egress; - sel_state->end_time = now; -@@ -1284,7 +1310,7 @@ krb5int_sendto (krb5_context context, co - } - if (e) - break; -- retval = getcurtime(&now); -+ retval = k5_getcurtime(&now); - if (retval) - goto egress; - /* Possible optimization: Find a way to integrate this select diff --git a/krb5-1.9.1-sendto_poll2.patch b/krb5-1.9.1-sendto_poll2.patch deleted file mode 100644 index 5a323d7..0000000 --- a/krb5-1.9.1-sendto_poll2.patch +++ /dev/null @@ -1,22 +0,0 @@ -RT#6951 -Index: krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c -=================================================================== ---- krb5-1.9.1.orig/src/lib/krb5/os/sendto_kdc.c -+++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c -@@ -895,12 +895,12 @@ maybe_send(krb5_context context, struct - static void - kill_conn(struct conn_state *conn, struct select_state *selstate, int err) - { -+ dprint("abandoning connection %d: %m\n", conn->fd, err); -+ cm_remove_fd(selstate, conn->fd); -+ closesocket(conn->fd); -+ conn->fd = INVALID_SOCKET; - conn->state = FAILED; - conn->err = err; -- shutdown(conn->fd, SHUTDOWN_BOTH); -- cm_remove_fd(selstate, conn->fd); -- dprint("abandoning connection %d: %m\n", conn->fd, err); -- /* Fix up max fd for next select call. */ - } - - /* Check socket for error. */ diff --git a/krb5-1.9.1-sendto_poll3.patch b/krb5-1.9.1-sendto_poll3.patch deleted file mode 100644 index 60f966d..0000000 --- a/krb5-1.9.1-sendto_poll3.patch +++ /dev/null 
@@ -1,18 +0,0 @@ -If we exit the transmit loop cleanly, don't overestimate the size of the -connections array. This bug appears to have been removed upstream when -this function was rewritten in trunk, and the select()-based implementation -is still what's in 1.9, so this patch has nowhere to go. ---- krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:20.560811664 -0400 -+++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:11.396812292 -0400 -@@ -1317,7 +1319,10 @@ krb5int_sendto (krb5_context context, co - call with the last one from the above loop, if the loop - actually calls select. */ - sel_state->end_time.tv_sec += delay_this_pass; -- e = service_fds(context, sel_state, conns, host+1, &winning_conn, -+ i = host+1; -+ if (i > n_conns) -+ i = n_conns; -+ e = service_fds(context, sel_state, conns, i, &winning_conn, - sel_state+1, msg_handler, msg_handler_data); - if (e) - break; diff --git a/krb5-1.9.1.tar.bz2 b/krb5-1.9.1.tar.bz2 deleted file mode 100644 index daa962e..0000000 --- a/krb5-1.9.1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:72dd8f30d605fa2e6f19df32414bc35a46e3ad1954b1b142d987ccd492c7bfbc -size 10126613 diff --git a/krb5-doc.spec b/krb5-doc.spec index 4083ad3..621ec78 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -16,14 +16,13 @@ # - Name: krb5-doc BuildRequires: ghostscript-library BuildRequires: latex2html BuildRequires: texlive -Version: 1.9.1 +Version: 1.10.2 Release: 0 -%define srcRoot krb5-1.9.1 +%define srcRoot krb5-1.10.2 Summary: MIT Kerberos5 Implementation--Documentation License: MIT Group: Documentation/Other diff --git a/krb5-klist_s.patch b/krb5-klist_s.patch deleted file mode 100644 index 628a495..0000000 --- a/krb5-klist_s.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -Don't trip over referral entries. RT#6915 - -Index: krb5-1.9.1/src/clients/klist/klist.c -=================================================================== ---- krb5-1.9.1.orig/src/clients/klist/klist.c -+++ krb5-1.9.1/src/clients/klist/klist.c -@@ -28,7 +28,7 @@ - * List out the contents of your credential cache or keytab. - */ - --#include "autoconf.h" -+#include "k5-int.h" - #include - #include - #include -@@ -390,10 +390,9 @@ void do_ccache(name) - continue; - if (status_only) { - if (exit_status && creds.server->length == 2 && -- strcmp(creds.server->realm.data, princ->realm.data) == 0 && -- strcmp((char *)creds.server->data[0].data, "krbtgt") == 0 && -- strcmp((char *)creds.server->data[1].data, -- princ->realm.data) == 0 && -+ data_eq(creds.server->realm, princ->realm) && -+ data_eq_string(creds.server->data[0], "krbtgt") && -+ data_eq(creds.server->data[1], princ->realm) && - creds.times.endtime > now) - exit_status = 0; - } else { diff --git a/krb5-mini.changes b/krb5-mini.changes index f35dc53..f4f845c 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes 
@@ -1,7 +1,62 @@ ------------------------------------------------------------------- -Tue Jan 31 15:32:51 CET 2012 - meissner@suse.de +Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de -- fix License in krb5-mini +- update to version 1.10.2 + obsolte patches: + * krb5-1.7-nodeplibs.patch + * krb5-1.9.1-ai_addrconfig.patch + * krb5-1.9.1-ai_addrconfig2.patch + * krb5-1.9.1-sendto_poll.patch + * krb5-1.9-canonicalize-fallback.patch + * krb5-1.9-paren.patch + * krb5-klist_s.patch + * krb5-pkinit-cms2.patch + * krb5-trunk-chpw-err.patch + * krb5-trunk-gss_delete_sec.patch + * krb5-trunk-kadmin-oldproto.patch + * krb5-1.9-MITKRB5-SA-2011-006.dif + * krb5-1.9-gss_display_status-iakerb.patch + * krb5-1.9.1-sendto_poll2.patch + * krb5-1.9.1-sendto_poll3.patch + * krb5-1.9-MITKRB5-SA-2011-007.dif +- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain + Controllers. +- Update a workaround for a glibc bug that would cause DNS PTR queries + to occur even when rdns = false. +- Fix a kadmind denial of service issue (null pointer dereference), + which could only be triggered by an administrator with the "create" + privilege. [CVE-2012-1013] +- Fix access controls for KDB string attributes [CVE-2012-1012] +- Make the ASN.1 encoding of key version numbers interoperate with + Windows Read-Only Domain Controllers +- Avoid generating spurious password expiry warnings in cases where + the KDC sends an account expiry time without a password expiry time +- Make PKINIT work with FAST in the client library. +- Add the DIR credential cache type, which can hold a collection of + credential caches. +- Enhance kinit, klist, and kdestroy to support credential cache + collections if the cache type supports it. +- Add the kswitch command, which changes the selected default cache + within a collection. +- Add heuristic support for choosing client credentials based on + the service realm. +- Add support for $HOME/.k5identity, which allows credential + choice based on configured rules. 
+ +------------------------------------------------------------------- +Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de + +- add autoconf macro to devel subpackage + +------------------------------------------------------------------- +Tue Jan 31 15:33:05 CET 2012 - meissner@suse.de + +- fix license in krb5-mini + +------------------------------------------------------------------- +Tue Dec 20 20:57:26 UTC 2011 - coolo@suse.com + +- add autoconf as buildrequire to avoid implicit dependency ------------------------------------------------------------------- Tue Dec 20 11:01:39 UTC 2011 - coolo@suse.com diff --git a/krb5-mini.spec b/krb5-mini.spec index 116537d..e052907 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -17,7 +17,7 @@ %define build_mini 1 -%define srcRoot krb5-1.9.1 +%define srcRoot krb5-1.10.2 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -30,7 +30,7 @@ BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.9.1 +Version: 1.10.2 Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT 
@@ -45,38 +45,23 @@ Obsoletes: krb5-64bit
 %endif
 #
 %endif
-Source: krb5-1.9.1.tar.bz2
+Source: krb5-%{version}.tar.bz2
 Source1: vendor-files.tar.bz2
 Source2: baselibs.conf
 Source5: krb5-rpmlintrc
 Source10: krb5-1.8-manpaths.txt
-Patch1: krb5-1.9-buildconf.patch
+Patch1: krb5-1.10-buildconf.patch
 Patch3: krb5-1.9-manpaths.dif
 Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
-Patch6: krb5-1.6.3-kpasswd_tcp.patch
+Patch6: krb5-1.10-kpasswd_tcp.patch
 Patch7: krb5-1.6.3-ktutil-manpage.dif
 Patch10: krb5-1.7-doublelog.patch
-Patch11: krb5-1.7-nodeplibs.patch
 Patch12: krb5-1.8-api.patch
 Patch13: krb5-1.8-pam.patch
-Patch14: krb5-1.9.1-ai_addrconfig.patch
-Patch15: krb5-1.9.1-ai_addrconfig2.patch
-Patch16: krb5-1.9.1-sendto_poll.patch
-Patch17: krb5-1.9-canonicalize-fallback.patch
 Patch18: krb5-1.9-kprop-mktemp.patch
 Patch19: krb5-1.9-ksu-path.patch
-Patch20: krb5-1.9-paren.patch
-Patch21: krb5-1.9-selinux-label.patch
-Patch22: krb5-klist_s.patch
-Patch23: krb5-pkinit-cms2.patch
-Patch24: krb5-trunk-chpw-err.patch
-Patch25: krb5-trunk-gss_delete_sec.patch
-Patch26: krb5-trunk-kadmin-oldproto.patch
-Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif
-Patch31: krb5-1.9-gss_display_status-iakerb.patch
-Patch32: krb5-1.9.1-sendto_poll2.patch
-Patch33: krb5-1.9.1-sendto_poll3.patch
-Patch34: krb5-1.9-MITKRB5-SA-2011-007.dif
+Patch20: krb5-1.10-gcc47.patch
+Patch21: krb5-1.10-selinux-label.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: mktemp, grep, /bin/touch, coreutils
 PreReq: %insserv_prereq %fillup_prereq
@@ -119,8 +104,9 @@ Authors:
 %package server
 Summary: MIT Kerberos5 implementation - server
 Group: Productivity/Networking/Security
+Requires: cron
+Requires: logrotate
 Requires: perl-Date-Calc
-Requires: logrotate cron
 PreReq: %insserv_prereq %fillup_prereq
 
 %description server
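Review bot: `Patch20:` is reused for `krb5-1.10-gcc47.patch` after having named `krb5-1.9-paren.patch` in the previous revision, so the same tag now denotes an unrelated patch across revisions while `Patch21:` keeps its meaning through the selinux-label rename. Numbers above 34 are free, so the new patch could take a fresh tag (for example `Patch35: krb5-1.10-gcc47.patch` with a matching `%patch35` in %prep), which keeps `Patch20` history readable in the spec's own log. The remaining lines of the hunk are renames and removals that match the commit description.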
@@ -182,8 +168,8 @@ Authors:
 Summary: MIT Kerberos5 - Include Files and Libraries
 Group: Development/Libraries/C and C++
 PreReq: %{name} = %{version}
-Requires: libcom_err-devel
 Requires: keyutils-devel
+Requires: libcom_err-devel
 # bug437293
 %ifarch ppc64
 Obsoletes: krb5-devel-64bit
@@ -209,35 +195,20 @@ Authors:
 Tom Yu
 
 %prep
-%setup -q -n %{srcRoot}
+%setup -q -n %{srcRoot}
 %setup -a 1 -T -D -n %{srcRoot}
 %patch13 -p1
 %patch3 -p1
 %patch21 -p1
 %patch1 -p1
 %patch5 -p1
-%patch6
+%patch6 -p1
 %patch7 -p1
 %patch10 -p1
-%patch11 -p1
 %patch12 -p1
-%patch14
-%patch15
-%patch16
-%patch17 -p1
 %patch18 -p1
 %patch19 -p1
-%patch20 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24
-%patch25 -p1
-%patch26
-%patch30 -p1
-%patch31 -p1
-%patch32 -p1
-%patch33 -p1
-%patch34 -p1
+%patch20
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do
@@ -282,6 +253,9 @@ make DESTDIR=%{buildroot} install
 cd ..
 # Munge the krb5-config script to remove rpaths and CFLAGS.
 sed "s|^CC_LINK=.*|CC_LINK='\$(CC) \$(PROG_LIBPATH)'|g" src/krb5-config > $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
+# install autoconf macro
+mkdir -p %{buildroot}/%{_datadir}/aclocal
+install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
 # install sample config files
 # I'll probably do something about this later on
 mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
@@ -389,6 +363,7 @@ rm -rf %{buildroot}
 %dir /usr/lib/mit
 %dir /usr/lib/mit/bin
 %dir /usr/lib/mit/sbin
+%dir %{_datadir}/aclocal
 %{_libdir}/libgssrpc.so
 %{_libdir}/libk5crypto.so
 %{_libdir}/libkadm5clnt_mit.so
@@ -403,6 +378,7 @@ rm -rf %{buildroot}
 /usr/lib/mit/sbin/krb5-send-pr
 %{_mandir}/man1/krb5-send-pr.1*
 %{_mandir}/man1/krb5-config.1*
+%{_datadir}/aclocal/ac_check_krb5.m4
 %if %{build_mini}
 
 %files
diff --git a/krb5-pkinit-cms2.patch b/krb5-pkinit-cms2.patch
deleted file mode 100644
index 5f04da5..0000000
--- a/krb5-pkinit-cms2.patch
+++ /dev/null
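Review bot: The new `%patch20` line in %prep is applied with no strip level while every other patch in the section, including the newly changed `%patch6 -p1`, uses `-p1`; the level has to match the path prefix inside `krb5-1.10-gcc47.patch`, which this diff only lists in the diffstat, so either change the line to `%patch20 -p1` or confirm the patch is written with paths relative to the source root and leave a comment saying so, e.g. `# gcc47 patch carries no a/ b/ prefix, so no -p level`. The replaced `%setup -q -n %{srcRoot}` line is textually identical to the one it removes, which looks like a whitespace-only edit that adds noise to the hunk. The `%prep` section continues past the end of the hunk.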
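Review bot: The added `mkdir -p %{buildroot}/%{_datadir}/aclocal` puts a slash between `%{buildroot}` and `%{_datadir}`, while the `install` line right after it and the existing `mkdir -p %{buildroot}%{_sysconfdir}` at the end of the hunk join the two without one; `%{_datadir}` already begins with `/`, so the result is a doubled slash that works but reads as a typo. The two added lines can be collapsed into `install -D -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/ac_check_krb5.m4`, which creates the directory and spells the path the same way as the `%files` entry added in the last hunk of this file. The `%install` section starts before this hunk.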
@@ -1,290 +0,0 @@ -When verifying signed-data, use the OpenSSL CMS APIs if we're building with a -version of OpenSSL which supplies them (1.0.0 or later). Revised proposal for -RT#6851. - -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index bb8f036..6aedec4 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -41,6 +41,34 @@ - - #include "pkinit_crypto_openssl.h" - -+#if OPENSSL_VERSION_NUMBER >= 0x10000000L -+#include -+#define pkinit_CMS_free1_crls(_sk_x509crl) sk_X509_CRL_free((_sk_x509crl)) -+#define pkinit_CMS_free1_certs(_sk_x509) sk_X509_free((_sk_x509)) -+#define pkinit_CMS_SignerInfo_get_cert(_cms,_si,_x509_pp) CMS_SignerInfo_get0_algs(_si,NULL,_x509_pp,NULL,NULL) -+#else -+#define pkinit_CMS_free1_crls(_stack_of_x509crls) /* don't free these CRLs */ -+#define pkinit_CMS_free1_certs(_stack_of_x509certs) /* don't free these certs */ -+#define CMS_NO_SIGNER_CERT_VERIFY PKCS7_NOVERIFY -+#define CMS_NOATTR PKCS7_NOATTR -+#define CMS_ContentInfo PKCS7 -+#define CMS_SignerInfo PKCS7_SIGNER_INFO -+#define d2i_CMS_ContentInfo d2i_PKCS7 -+#define CMS_get0_type(_p7) ((_p7)->type) -+#define CMS_get0_content(_p7) (&((_p7)->d.other->value.octet_string)) -+#define CMS_set1_signers_certs(_p7,_stack_of_x509,_uint) -+#define CMS_get0_SignerInfos PKCS7_get_signer_info -+#define stack_st_CMS_SignerInfo stack_st_PKCS7_SIGNER_INFO -+#undef sk_CMS_SignerInfo_value -+#define sk_CMS_SignerInfo_value sk_PKCS7_SIGNER_INFO_value -+#define CMS_get0_eContentType(_p7) (_p7->d.sign->contents->type) -+#define CMS_verify PKCS7_verify -+#define CMS_get1_crls(_p7) (_p7->d.sign->crl) -+#define CMS_get1_certs(_p7) (_p7->d.sign->cert) -+#define CMS_ContentInfo_free(_p7) PKCS7_free(_p7) -+#define pkinit_CMS_SignerInfo_get_cert(_p7,_si,_x509_pp) (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si) -+#endif -+ - static struct pkcs11_errstrings { - short 
code; - char *text; -@@ -1127,21 +1155,25 @@ cms_signeddata_verify(krb5_context context, - int *is_signed) - { - krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED; -- PKCS7 *p7 = NULL; -+ CMS_ContentInfo *cms = NULL; - BIO *out = NULL; -- int flags = PKCS7_NOVERIFY; -+ int flags = CMS_NO_SIGNER_CERT_VERIFY; - unsigned int i = 0; - unsigned int vflags = 0, size = 0; - const unsigned char *p = signed_data; -- STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL; -- PKCS7_SIGNER_INFO *si = NULL; -+ STACK_OF(CMS_SignerInfo) *si_sk = NULL; -+ CMS_SignerInfo *si = NULL; - X509 *x = NULL; - X509_STORE *store = NULL; - X509_STORE_CTX cert_ctx; -+ STACK_OF(X509) *signerCerts = NULL; - STACK_OF(X509) *intermediateCAs = NULL; -+ STACK_OF(X509_CRL) *signerRevoked = NULL; - STACK_OF(X509_CRL) *revoked = NULL; - STACK_OF(X509) *verified_chain = NULL; - ASN1_OBJECT *oid = NULL; -+ const ASN1_OBJECT *type = NULL, *etype = NULL; -+ ASN1_OCTET_STRING **octets; - krb5_external_principal_identifier **krb5_verified_chain = NULL; - krb5_data *authz = NULL; - char buf[DN_BUF_LEN]; -@@ -1157,8 +1189,8 @@ cms_signeddata_verify(krb5_context context, - if (oid == NULL) - goto cleanup; - -- /* decode received PKCS7 message */ -- if ((p7 = d2i_PKCS7(NULL, &p, (int)signed_data_len)) == NULL) { -+ /* decode received CMS message */ -+ if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) { - unsigned long err = ERR_peek_error(); - krb5_set_error_message(context, retval, "%s\n", - ERR_error_string(err, NULL)); -@@ -1168,37 +1200,39 @@ cms_signeddata_verify(krb5_context context, - } - - /* Handle the case in pkinit anonymous where we get unsigned data. 
*/ -- if (is_signed && !OBJ_cmp(p7->type, oid)) { -+ type = CMS_get0_type(cms); -+ if (is_signed && !OBJ_cmp(type, oid)) { - unsigned char *d; - *is_signed = 0; -- if (p7->d.other->type != V_ASN1_OCTET_STRING) { -+ octets = CMS_get0_content(cms); -+ if (!octets || ((*octets)->type != V_ASN1_OCTET_STRING)) { - retval = KRB5KDC_ERR_PREAUTH_FAILED; - krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, - "Invalid pkinit packet: octet string " - "expected"); - goto cleanup; - } -- *data_len = ASN1_STRING_length(p7->d.other->value.octet_string); -+ *data_len = ASN1_STRING_length(*octets); - d = malloc(*data_len); - if (d == NULL) { - retval = ENOMEM; - goto cleanup; - } -- memcpy(d, ASN1_STRING_data(p7->d.other->value.octet_string), -+ memcpy(d, ASN1_STRING_data(*octets), - *data_len); - *data = d; - goto out; - } else { -- /* Verify that the received message is PKCS7 SignedData message. */ -- if (OBJ_obj2nid(p7->type) != NID_pkcs7_signed) { -- pkiDebug("Expected id-signedData PKCS7 msg (received type = %d)\n", -- OBJ_obj2nid(p7->type)); -+ /* Verify that the received message is CMS SignedData message. 
*/ -+ if (OBJ_obj2nid(type) != NID_pkcs7_signed) { -+ pkiDebug("Expected id-signedData CMS msg (received type = %d)\n", -+ OBJ_obj2nid(type)); - krb5_set_error_message(context, retval, "wrong oid\n"); - goto cleanup; - } - } - -- /* setup to verify X509 certificate used to sign PKCS7 message */ -+ /* setup to verify X509 certificate used to sign CMS message */ - if (!(store = X509_STORE_new())) - goto cleanup; - -@@ -1210,37 +1244,41 @@ cms_signeddata_verify(krb5_context context, - X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls); - X509_STORE_set_flags(store, vflags); - -- /* get the signer's information from the PKCS7 message */ -- if ((si_sk = PKCS7_get_signer_info(p7)) == NULL) -+ /* get the signer's information from the CMS message */ -+ CMS_set1_signers_certs(cms, NULL, 0); -+ if ((si_sk = CMS_get0_SignerInfos(cms)) == NULL) - goto cleanup; -- if ((si = sk_PKCS7_SIGNER_INFO_value(si_sk, 0)) == NULL) -+ if ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL) - goto cleanup; -- if ((x = PKCS7_cert_from_signer_info(p7, si)) == NULL) -+ pkinit_CMS_SignerInfo_get_cert(cms, si, &x); -+ if (x == NULL) - goto cleanup; - - /* create available CRL information (get local CRLs and include CRLs -- * received in the PKCS7 message -+ * received in the CMS message - */ -+ signerRevoked = CMS_get1_crls(cms); - if (idctx->revoked == NULL) -- revoked = p7->d.sign->crl; -- else if (p7->d.sign->crl == NULL) -+ revoked = signerRevoked; -+ else if (signerRevoked == NULL) - revoked = idctx->revoked; - else { - size = sk_X509_CRL_num(idctx->revoked); - revoked = sk_X509_CRL_new_null(); - for (i = 0; i < size; i++) - sk_X509_CRL_push(revoked, sk_X509_CRL_value(idctx->revoked, i)); -- size = sk_X509_CRL_num(p7->d.sign->crl); -+ size = sk_X509_CRL_num(signerRevoked); - for (i = 0; i < size; i++) -- sk_X509_CRL_push(revoked, sk_X509_CRL_value(p7->d.sign->crl, i)); -+ sk_X509_CRL_push(revoked, sk_X509_CRL_value(signerRevoked, i)); - } - - /* create available intermediate 
CAs chains (get local intermediateCAs and -- * include the CA chain received in the PKCS7 message -+ * include the CA chain received in the CMS message - */ -+ signerCerts = CMS_get1_certs(cms); - if (idctx->intermediateCAs == NULL) -- intermediateCAs = p7->d.sign->cert; -- else if (p7->d.sign->cert == NULL) -+ intermediateCAs = signerCerts; -+ else if (signerCerts == NULL) - intermediateCAs = idctx->intermediateCAs; - else { - size = sk_X509_num(idctx->intermediateCAs); -@@ -1249,9 +1287,9 @@ cms_signeddata_verify(krb5_context context, - sk_X509_push(intermediateCAs, - sk_X509_value(idctx->intermediateCAs, i)); - } -- size = sk_X509_num(p7->d.sign->cert); -+ size = sk_X509_num(signerCerts); - for (i = 0; i < size; i++) { -- sk_X509_push(intermediateCAs, sk_X509_value(p7->d.sign->cert, i)); -+ sk_X509_push(intermediateCAs, sk_X509_value(signerCerts, i)); - } - } - -@@ -1329,10 +1367,10 @@ cms_signeddata_verify(krb5_context context, - krb5_set_error_message(context, retval, "%s\n", - X509_verify_cert_error_string(j)); - #ifdef DEBUG_CERTCHAIN -- size = sk_X509_num(p7->d.sign->cert); -+ size = sk_X509_num(signerCerts); - pkiDebug("received cert chain of size %d\n", size); - for (j = 0; j < size; j++) { -- X509 *tmp_cert = sk_X509_value(p7->d.sign->cert, j); -+ X509 *tmp_cert = sk_X509_value(signerCerts, j); - X509_NAME_oneline(X509_get_subject_name(tmp_cert), buf, sizeof(buf)); - pkiDebug("cert #%d: %s\n", j, buf); - } -@@ -1348,11 +1386,12 @@ cms_signeddata_verify(krb5_context context, - - out = BIO_new(BIO_s_mem()); - if (cms_msg_type == CMS_SIGN_DRAFT9) -- flags |= PKCS7_NOATTR; -- if (PKCS7_verify(p7, NULL, store, NULL, out, flags)) { -+ flags |= CMS_NOATTR; -+ etype = CMS_get0_eContentType(cms); -+ if (CMS_verify(cms, NULL, store, NULL, out, flags)) { - int valid_oid = 0; - -- if (!OBJ_cmp(p7->d.sign->contents->type, oid)) -+ if (!OBJ_cmp(etype, oid)) - valid_oid = 1; - else if (cms_msg_type == CMS_SIGN_DRAFT9) { - /* -@@ -1364,18 +1403,18 @@ 
cms_signeddata_verify(krb5_context context, - client_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_CLIENT); - server_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_SERVER); - rsa_oid = pkinit_pkcs7type2oid(plgctx, CMS_ENVEL_SERVER); -- if (!OBJ_cmp(p7->d.sign->contents->type, client_oid) || -- !OBJ_cmp(p7->d.sign->contents->type, server_oid) || -- !OBJ_cmp(p7->d.sign->contents->type, rsa_oid)) -+ if (!OBJ_cmp(etype, client_oid) || -+ !OBJ_cmp(etype, server_oid) || -+ !OBJ_cmp(etype, rsa_oid)) - valid_oid = 1; - } - - if (valid_oid) -- pkiDebug("PKCS7 Verification successful\n"); -+ pkiDebug("CMS Verification successful\n"); - else { - pkiDebug("wrong oid in eContentType\n"); -- print_buffer(p7->d.sign->contents->type->data, -- (unsigned int)p7->d.sign->contents->type->length); -+ print_buffer(etype->data, -+ (unsigned int)etype->length); - retval = KRB5KDC_ERR_PREAUTH_FAILED; - krb5_set_error_message(context, retval, "wrong oid\n"); - goto cleanup; -@@ -1391,13 +1430,13 @@ cms_signeddata_verify(krb5_context context, - default: - retval = KRB5KDC_ERR_INVALID_SIG; - } -- pkiDebug("PKCS7 Verification failure\n"); -+ pkiDebug("CMS Verification failure\n"); - krb5_set_error_message(context, retval, "%s\n", - ERR_error_string(err, NULL)); - goto cleanup; - } - -- /* transfer the data from PKCS7 message into return buffer */ -+ /* transfer the data from CMS message into return buffer */ - for (size = 0;;) { - int remain; - retval = ENOMEM; -@@ -1452,12 +1491,16 @@ cleanup: - BIO_free(out); - if (store != NULL) - X509_STORE_free(store); -- if (p7 != NULL) { -- if (idctx->intermediateCAs != NULL && p7->d.sign->cert) -+ if (cms != NULL) { -+ if (signerCerts != NULL) -+ pkinit_CMS_free1_certs(signerCerts); -+ if (idctx->intermediateCAs != NULL && signerCerts) - sk_X509_free(intermediateCAs); -- if (idctx->revoked != NULL && p7->d.sign->crl) -+ if (signerRevoked != NULL) -+ pkinit_CMS_free1_crls(signerRevoked); -+ if (idctx->revoked != NULL && signerRevoked) - 
sk_X509_CRL_free(revoked); -- PKCS7_free(p7); -+ CMS_ContentInfo_free(cms); - } - if (verified_chain != NULL) - sk_X509_pop_free(verified_chain, X509_free); diff --git a/krb5-trunk-chpw-err.patch b/krb5-trunk-chpw-err.patch deleted file mode 100644 index 9deabe2..0000000 --- a/krb5-trunk-chpw-err.patch +++ /dev/null @@ -1,24 +0,0 @@ -Don't suppress the error code from an error message when the error message -contains e-data. RT#6893 -Index: src/lib/krb5/krb/chpw.c -=================================================================== ---- src/lib/krb5/krb/chpw.c (revision 24838) -+++ src/lib/krb5/krb/chpw.c (working copy) -@@ -111,15 +111,11 @@ - if ((ret = krb5_rd_error(context, packet, &krberror))) - return(ret); - -- if (krberror->e_data.data == NULL) -- ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error; -- else -- ret = KRB5KRB_AP_ERR_MODIFIED; -+ ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error; - krb5_free_error(context, krberror); - return(ret); -- } else { -- return(KRB5KRB_AP_ERR_MODIFIED); - } -+ return(KRB5KRB_AP_ERR_MODIFIED); - } - - diff --git a/krb5-trunk-gss_delete_sec.patch b/krb5-trunk-gss_delete_sec.patch deleted file mode 100644 index efce4cf..0000000 --- a/krb5-trunk-gss_delete_sec.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -Author: ghudson -Date: Mon May 9 17:28:07 2011 +0000 - - ticket: 6908 - subject: Delete sec context properly in gss_krb5_export_lucid_sec_context - target_version: 1.9.2 - tags: pullup - - Since r21690, gss_krb5_export_lucid_sec_context() has been passing a - union context to krb5_gss_delete_sec_context(), causing a crash as the - krb5 routine attempts to interpret a union context structure as a krb5 - GSS context. Call the mechglue gss_delete_sec_context instead. - - - svn://anonsvn.mit.edu:/krb5/trunk@24917 - ---- a/src/lib/gssapi/krb5/krb5_gss_glue.c -+++ b/src/lib/gssapi/krb5/krb5_gss_glue.c -@@ -196,7 +196,7 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status, - /* Clean up the context state (it is an error for - * someone to attempt to use this context again) - */ -- (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); -+ (void)gss_delete_sec_context(minor_status, context_handle, NULL); - *context_handle = GSS_C_NO_CONTEXT; - - generic_gss_release_buffer_set(&minor, &data_set); diff --git a/krb5-trunk-kadmin-oldproto.patch b/krb5-trunk-kadmin-oldproto.patch deleted file mode 100644 index 0f613c9..0000000 --- a/krb5-trunk-kadmin-oldproto.patch +++ /dev/null 
@@ -1,39 +0,0 @@ ------------------------------------------------------------------------- -r24967 | ghudson | 2011-06-13 14:54:33 -0400 (Mon, 13 Jun 2011) | 11 lines - -ticket: 6920 -subject: Fix old-style GSSRPC authentication -target_version: 1.9.2 -tags: pullup - -r24147 (ticket #6746) made libgssrpc ignorant of the remote address of -the kadmin socket, even when it's IPv4. This made old-style GSSAPI -authentication fail because it uses the wrong channel bindings. Fix -this problem by making clnttcp_create() get the remote address from -the socket using getpeername() if the caller doesn't provide it and -it's an IPv4 address. ------------------------------------------------------------------------- -Index: src/lib/rpc/clnt_tcp.c -=================================================================== ---- src/lib/rpc/clnt_tcp.c (revision 24966) -+++ src/lib/rpc/clnt_tcp.c (revision 24967) -@@ -187,9 +187,16 @@ - ct->ct_sock = *sockp; - ct->ct_wait.tv_usec = 0; - ct->ct_waitset = FALSE; -- if (raddr == NULL) -- memset(&ct->ct_addr, 0, sizeof(ct->ct_addr)); -- else -+ if (raddr == NULL) { -+ /* Get the remote address from the socket, if it's IPv4. */ -+ struct sockaddr_in sin; -+ socklen_t len = sizeof(sin); -+ int ret = getpeername(ct->ct_sock, (struct sockaddr *)&sin, &len); -+ if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET) -+ ct->ct_addr = sin; -+ else -+ memset(&ct->ct_addr, 0, sizeof(ct->ct_addr)); -+ } else - ct->ct_addr = *raddr; - - /* diff --git a/krb5.changes b/krb5.changes index d5b8c03..f4f845c 100644 --- a/krb5.changes +++ b/krb5.changes 
@@ -1,3 +1,48 @@
+-------------------------------------------------------------------
+Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de
+
+- update to version 1.10.2
+ obsolte patches:
+ * krb5-1.7-nodeplibs.patch
+ * krb5-1.9.1-ai_addrconfig.patch
+ * krb5-1.9.1-ai_addrconfig2.patch
+ * krb5-1.9.1-sendto_poll.patch
+ * krb5-1.9-canonicalize-fallback.patch
+ * krb5-1.9-paren.patch
+ * krb5-klist_s.patch
+ * krb5-pkinit-cms2.patch
+ * krb5-trunk-chpw-err.patch
+ * krb5-trunk-gss_delete_sec.patch
+ * krb5-trunk-kadmin-oldproto.patch
+ * krb5-1.9-MITKRB5-SA-2011-006.dif
+ * krb5-1.9-gss_display_status-iakerb.patch
+ * krb5-1.9.1-sendto_poll2.patch
+ * krb5-1.9.1-sendto_poll3.patch
+ * krb5-1.9-MITKRB5-SA-2011-007.dif
+- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
+ Controllers.
+- Update a workaround for a glibc bug that would cause DNS PTR queries
+ to occur even when rdns = false.
+- Fix a kadmind denial of service issue (null pointer dereference),
+ which could only be triggered by an administrator with the "create"
+ privilege. [CVE-2012-1013]
+- Fix access controls for KDB string attributes [CVE-2012-1012]
+- Make the ASN.1 encoding of key version numbers interoperate with
+ Windows Read-Only Domain Controllers
+- Avoid generating spurious password expiry warnings in cases where
+ the KDC sends an account expiry time without a password expiry time
+- Make PKINIT work with FAST in the client library.
+- Add the DIR credential cache type, which can hold a collection of
+ credential caches.
+- Enhance kinit, klist, and kdestroy to support credential cache
+ collections if the cache type supports it.
+- Add the kswitch command, which changes the selected default cache
+ within a collection.
+- Add heuristic support for choosing client credentials based on
+ the service realm.
+- Add support for $HOME/.k5identity, which allows credential
+ choice based on configured rules.
+
 -------------------------------------------------------------------
 Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de
diff --git a/krb5.spec b/krb5.spec
index f0cb28a..497f9d7 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -17,7 +17,7 @@
 %define build_mini 0
-%define srcRoot krb5-1.9.1
+%define srcRoot krb5-1.10.2
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
 %define krb5docdir %{_defaultdocdir}/krb5
@@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
 BuildRequires: libcom_err-devel
 BuildRequires: libselinux-devel
 BuildRequires: ncurses-devel
-Version: 1.9.1
+Version: 1.10.2
 Release: 0
 Summary: MIT Kerberos5 Implementation--Libraries
 License: MIT
@@ -45,38 +45,23 @@ Obsoletes: krb5-64bit
 %endif
 # %endif
-Source: krb5-1.9.1.tar.bz2
+Source: krb5-%{version}.tar.bz2
 Source1: vendor-files.tar.bz2
 Source2: baselibs.conf
 Source5: krb5-rpmlintrc
 Source10: krb5-1.8-manpaths.txt
-Patch1: krb5-1.9-buildconf.patch
+Patch1: krb5-1.10-buildconf.patch
 Patch3: krb5-1.9-manpaths.dif
 Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
-Patch6: krb5-1.6.3-kpasswd_tcp.patch
+Patch6: krb5-1.10-kpasswd_tcp.patch
 Patch7: krb5-1.6.3-ktutil-manpage.dif
 Patch10: krb5-1.7-doublelog.patch
-Patch11: krb5-1.7-nodeplibs.patch
 Patch12: krb5-1.8-api.patch
 Patch13: krb5-1.8-pam.patch
-Patch14: krb5-1.9.1-ai_addrconfig.patch
-Patch15: krb5-1.9.1-ai_addrconfig2.patch
-Patch16: krb5-1.9.1-sendto_poll.patch
-Patch17: krb5-1.9-canonicalize-fallback.patch
 Patch18: krb5-1.9-kprop-mktemp.patch
 Patch19: krb5-1.9-ksu-path.patch
-Patch20: krb5-1.9-paren.patch
-Patch21: krb5-1.9-selinux-label.patch
-Patch22: krb5-klist_s.patch
-Patch23: krb5-pkinit-cms2.patch
-Patch24: krb5-trunk-chpw-err.patch
-Patch25: krb5-trunk-gss_delete_sec.patch
-Patch26: krb5-trunk-kadmin-oldproto.patch
-Patch30: krb5-1.9-MITKRB5-SA-2011-006.dif
-Patch31: krb5-1.9-gss_display_status-iakerb.patch
-Patch32: krb5-1.9.1-sendto_poll2.patch
-Patch33: krb5-1.9.1-sendto_poll3.patch
-Patch34: krb5-1.9-MITKRB5-SA-2011-007.dif
+Patch20: krb5-1.10-gcc47.patch
+Patch21: krb5-1.10-selinux-label.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: mktemp, grep, /bin/touch, coreutils
 PreReq: %insserv_prereq %fillup_prereq
@@ -119,8 +104,9 @@ Authors:
 %package server
 Summary: MIT Kerberos5 implementation - server
 Group: Productivity/Networking/Security
+Requires: cron
+Requires: logrotate
 Requires: perl-Date-Calc
-Requires: logrotate cron
 PreReq: %insserv_prereq %fillup_prereq
 %description server
@@ -182,8 +168,8 @@ Authors:
 Summary: MIT Kerberos5 - Include Files and Libraries
 Group: Development/Libraries/C and C++
 PreReq: %{name} = %{version}
-Requires: libcom_err-devel
 Requires: keyutils-devel
+Requires: libcom_err-devel
 # bug437293
 %ifarch ppc64
 Obsoletes: krb5-devel-64bit
@@ -209,35 +195,20 @@ Authors:
 Tom Yu
 %prep
-%setup -q -n %{srcRoot}
+%setup -q -n %{srcRoot}
 %setup -a 1 -T -D -n %{srcRoot}
 %patch13 -p1
 %patch3 -p1
 %patch21 -p1
 %patch1 -p1
 %patch5 -p1
-%patch6
+%patch6 -p1
 %patch7 -p1
 %patch10 -p1
-%patch11 -p1
 %patch12 -p1
-%patch14
-%patch15
-%patch16
-%patch17 -p1
 %patch18 -p1
 %patch19 -p1
-%patch20 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24
-%patch25 -p1
-%patch26
-%patch30 -p1
-%patch31 -p1
-%patch32 -p1
-%patch33 -p1
-%patch34 -p1
+%patch20
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do