From 13e38775f644f644a97672e0d54c1932d663bba41b5670eff99382637070689a Mon Sep 17 00:00:00 2001 
From: Michael Calmer Date: Fri, 15 Mar 2013 10:21:16 +0000 Subject: [PATCH 1/6] - update to version 1.11.1 * Improve ASN.1 support code, making it table-driven for decoding as well as encoding * Refactor parts of KDC * Documentation consolidation * build docs in the main package * bugfixing - obsolets a lot of patches - refactor some patches - update to version 1.11.1 * Improve ASN.1 support code, making it table-driven for decoding as well as encoding * Refactor parts of KDC * Documentation consolidation * build docs in the main package * bugfixing - obsolets a lot of patches - refactor some patches OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=90 --- ...013-1415-fix-PKINIT-null-pointer-deref.dif | 45 -- ...12-1016-fix-PKINIT-null-pointer-deref2.dif | 40 -- krb5-1.10-buildconf.patch | 22 +- krb5-1.10-gcc47.patch | 12 - krb5-1.10-ksu-access.patch | 53 +++ krb5-1.10-spin-loop.patch | 29 -- krb5-1.10.2.tar.bz2 | 3 - krb5-1.8-pam.patch => krb5-1.11-pam.patch | 46 +- ...bel.patch => krb5-1.11-selinux-label.patch | 420 ++++++++++-------- krb5-1.11.1.tar.bz2 | 3 + krb5-1.3.5-perlfix.dif | 9 - krb5-1.6.3-ktutil-manpage.dif | 17 +- krb5-1.8-manpaths.txt | 7 - krb5-1.9-debuginfo.patch | 30 ++ krb5-1.9-kprop-mktemp.patch | 10 +- krb5-1.9-manpaths.dif | 212 +-------- krb5-doc-rpmlintrc | 2 - krb5-doc.changes | 196 -------- krb5-doc.spec | 91 ---- krb5-kvno-230379.patch | 53 +++ krb5-lookup_etypes-leak.patch | 42 ++ krb5-mini.changes | 13 + krb5-mini.spec | 97 ++-- krb5.changes | 13 + krb5.spec | 97 ++-- 25 files changed, 610 insertions(+), 952 deletions(-) delete mode 100644 bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif delete mode 100644 bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif delete mode 100644 krb5-1.10-gcc47.patch create mode 100644 krb5-1.10-ksu-access.patch delete mode 100644 krb5-1.10-spin-loop.patch delete mode 100644 krb5-1.10.2.tar.bz2 rename krb5-1.8-pam.patch => krb5-1.11-pam.patch (96%) rename 
krb5-1.10-selinux-label.patch => krb5-1.11-selinux-label.patch (75%) create mode 100644 krb5-1.11.1.tar.bz2 delete mode 100644 krb5-1.3.5-perlfix.dif delete mode 100644 krb5-1.8-manpaths.txt create mode 100644 krb5-1.9-debuginfo.patch delete mode 100644 krb5-doc-rpmlintrc delete mode 100644 krb5-doc.changes delete mode 100644 krb5-doc.spec create mode 100644 krb5-kvno-230379.patch create mode 100644 krb5-lookup_etypes-leak.patch diff --git a/bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif b/bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif deleted file mode 100644 index 9b13e87..0000000 --- a/bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif +++ /dev/null 
@@ -1,45 +0,0 @@
-commit c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed
-Author: Xi Wang
-Date: Thu Feb 14 18:17:40 2013 -0500
-
- PKINIT null pointer deref [CVE-2013-1415]
-
- Don't dereference a null pointer when cleaning up.
-
- The KDC plugin for PKINIT can dereference a null pointer when a
- malformed packet causes processing to terminate early, leading to
- a crash of the KDC process. An attacker would need to have a valid
- PKINIT certificate or have observed a successful PKINIT authentication,
- or an unauthenticated attacker could execute the attack if anonymous
- PKINIT is enabled.
-
- CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C
-
- This is a minimal commit for pullup; style fixes in a followup.
- [kaduk@mit.edu: reformat and edit commit message]
-
- ticket: 7570 (new)
- target_version: 1.11.1
- tags: pullup
-
-Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-===================================================================
---- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -3242,7 +3242,7 @@ pkinit_check_kdc_pkid(krb5_context conte
- pkiDebug("found kdcPkId in AS REQ\n");
- is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len);
- if (is == NULL)
-- goto cleanup;
-+ return retval;
-
- status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer);
- if (!status) {
-@@ -3252,7 +3252,6 @@ pkinit_check_kdc_pkid(krb5_context conte
- }
-
- retval = 0;
--cleanup:
- X509_NAME_free(is->issuer);
- ASN1_INTEGER_free(is->serial);
- free(is);
diff --git a/bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif b/bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
deleted file mode 100644
index ad7638e..0000000
--- a/bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
+++ /dev/null
@@ -1,40 +0,0 @@
-commit cd5ff932c9d1439c961b0cf9ccff979356686aff
-Author: Nalin Dahyabhai
-Date: Thu Dec 13 14:26:07 2012 -0500
-
- PKINIT (draft9) null ptr deref [CVE-2012-1016]
-
- Don't check for an agility KDF identifier in the non-draft9 reply
- structure when we're building a draft9 reply, because it'll be NULL.
-
- The KDC plugin for PKINIT can dereference a null pointer when handling
- a draft9 request, leading to a crash of the KDC process. An attacker
- would need to have a valid PKINIT certificate, or an unauthenticated
- attacker could execute the attack if anonymous PKINIT is enabled.
-
- CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
-
- [tlyu@mit.edu: reformat comment and edit log message]
-
- ticket: 7506 (new)
- target_version: 1.11
- tags: pullup
-
-Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c
-===================================================================
---- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_srv.c
-+++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c
-@@ -1016,9 +1016,10 @@ pkinit_server_return_padata(krb5_context
- rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
- (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
-
-- /* If mutually supported KDFs were found, use the alg agility KDF */
-- if (rep->u.dh_Info.kdfID) {
-- secret.data = server_key;
-+ /* If we're not doing draft 9, and mutually supported KDFs were found,
-+ * use the algorithm agility KDF. */
-+ if (rep != NULL && rep->u.dh_Info.kdfID) {
-+ secret.data = (char *)server_key;
- secret.length = server_key_len;
-
- retval = pkinit_alg_agility_kdf(context, &secret,
diff --git a/krb5-1.10-buildconf.patch b/krb5-1.10-buildconf.patch
index d7f5ed9..b62e1cf 100644
--- a/krb5-1.10-buildconf.patch
+++ b/krb5-1.10-buildconf.patch
@@ -4,10 +4,10 @@ the -L/usr/lib* and PIE flags where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. -Index: krb5-1.10.2/src/config/shlib.conf +Index: krb5-1.11/src/config/shlib.conf =================================================================== ---- krb5-1.10.2.orig/src/config/shlib.conf -+++ krb5-1.10.2/src/config/shlib.conf +--- krb5-1.11.orig/src/config/shlib.conf ++++ krb5-1.11/src/config/shlib.conf @@ -419,7 +419,7 @@ mips-*-netbsd*) SHLIBEXT=.so # Linux ld doesn't default to stuffing the SONAME field... @@ -27,11 +27,11 @@ Index: krb5-1.10.2/src/config/shlib.conf CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' -Index: krb5-1.10.2/src/krb5-config.in +Index: krb5-1.11/src/krb5-config.in =================================================================== ---- krb5-1.10.2.orig/src/krb5-config.in -+++ krb5-1.10.2/src/krb5-config.in -@@ -189,6 +189,13 @@ if test -n "$do_libs"; then +--- krb5-1.11.orig/src/krb5-config.in ++++ krb5-1.11/src/krb5-config.in +@@ -221,6 +221,13 @@ if test -n "$do_libs"; then -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ -e 's#\$(CFLAGS)##'` 
@@ -45,11 +45,11 @@ Index: krb5-1.10.2/src/krb5-config.in if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 -Index: krb5-1.10.2/src/config/pre.in +Index: krb5-1.11/src/config/pre.in =================================================================== ---- krb5-1.10.2.orig/src/config/pre.in -+++ krb5-1.10.2/src/config/pre.in -@@ -190,7 +190,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST +--- krb5-1.11.orig/src/config/pre.in ++++ krb5-1.11/src/config/pre.in +@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST INSTALL_SCRIPT=@INSTALL_PROGRAM@ INSTALL_DATA=@INSTALL_DATA@ INSTALL_SHLIB=@INSTALL_SHLIB@ diff --git a/krb5-1.10-gcc47.patch b/krb5-1.10-gcc47.patch deleted file mode 100644 index 5831fba..0000000 --- a/krb5-1.10-gcc47.patch +++ /dev/null @@ -1,12 +0,0 @@ -This file also triggers the maybe-uninitialized warning/error. RT#7080 - ---- src/lib/krb5/krb/x-deltat.y -+++ src/lib/krb5/krb/x-deltat.y -@@ -44,6 +44,7 @@ - #ifdef __GNUC__ - #pragma GCC diagnostic push - #pragma GCC diagnostic ignored "-Wuninitialized" -+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized" - #endif - - #include diff --git a/krb5-1.10-ksu-access.patch b/krb5-1.10-ksu-access.patch new file mode 100644 index 0000000..b903f7e --- /dev/null +++ b/krb5-1.10-ksu-access.patch 
@@ -0,0 +1,53 @@
+The idea is to not complain about problems in the default ticket file if we
+couldn't read it, because the client would be able to tell if it's there or
+not, and we're implicitly letting the client tell us where it is. Still needs
+work, I think.
+
+Index: krb5-1.11.1/src/clients/ksu/ccache.c
+===================================================================
+--- krb5-1.11.1.orig/src/clients/ksu/ccache.c
++++ krb5-1.11.1/src/clients/ksu/ccache.c
+@@ -77,7 +77,7 @@ krb5_error_code krb5_ccache_copy (contex
+ cc_def_name = krb5_cc_get_name(context, cc_def);
+ cc_other_name = krb5_cc_get_name(context, *cc_other);
+
+- if ( ! stat(cc_def_name, &st_temp)){
++ if ( ! access(cc_def_name, R_OK) && ! stat(cc_def_name, &st_temp)){
+ if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
+ return retval;
+ }
+Index: krb5-1.11.1/src/clients/ksu/heuristic.c
+===================================================================
+--- krb5-1.11.1.orig/src/clients/ksu/heuristic.c
++++ krb5-1.11.1/src/clients/ksu/heuristic.c
+@@ -409,7 +409,7 @@ krb5_error_code find_either_ticket (cont
+
+ cc_source_name = krb5_cc_get_name(context, cc);
+
+- if ( ! stat(cc_source_name, &st_temp)){
++ if ( ! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)){
+
+ retval = find_ticket(context, cc, client, end_server, &temp_found);
+ if (retval)
+@@ -569,7 +569,7 @@ krb5_error_code get_best_princ_for_targe
+ cc_source_name = krb5_cc_get_name(context, cc_source);
+
+
+- if (! stat(cc_source_name, &st_temp)) {
++ if (! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)) {
+ retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
+ if (retval)
+ return retval;
+Index: krb5-1.11.1/src/clients/ksu/main.c
+===================================================================
+--- krb5-1.11.1.orig/src/clients/ksu/main.c
++++ krb5-1.11.1/src/clients/ksu/main.c
+@@ -271,7 +271,7 @@ main (argc, argv)
+ if ( strchr(cc_source_tag, ':')){
+ cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
+
+- if( stat( cc_source_tag_tmp, &st_temp)){
++ if( access( cc_source_tag_tmp, F_OK | R_OK) || stat( cc_source_tag_tmp, &st_temp)){
+ com_err(prog_name, errno,
+ _("while looking for credentials file %s"),
+ cc_source_tag_tmp);
diff --git a/krb5-1.10-spin-loop.patch b/krb5-1.10-spin-loop.patch
deleted file mode 100644
index 4a3b24c..0000000
--- a/krb5-1.10-spin-loop.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-commit 2b06a22f7fd8ec01fb27a7335125290b8ceb6f18
-Author: Greg Hudson
-Date: Thu Nov 29 01:58:13 2012 -0500
-
- Fix spin-loop bug in k5_sendto_kdc
-
- In the second part of the first pass over the server list, we passed
- the wrong list pointer to service_fds, causing it to see only a subset
- of the server entries corresponding to sel_state. This could cause
- service_fds to spin if an event is reported on an fd not in the
- subset.
-
- ticket: 7454
- target_version: 1.10.4
- tags: pullup
-
-Index: krb5-1.10.2/src/lib/krb5/os/sendto_kdc.c
-===================================================================
---- krb5-1.10.2.orig/src/lib/krb5/os/sendto_kdc.c
-+++ krb5-1.10.2/src/lib/krb5/os/sendto_kdc.c
-@@ -1287,7 +1287,7 @@ k5_sendto(krb5_context context, const kr
- continue;
- if (maybe_send(context, state, sel_state, callback_info))
- continue;
-- done = service_fds(context, sel_state, 1, state, seltemp, msg_handler,
-+ done = service_fds(context, sel_state, 1, conns, seltemp, msg_handler,
- msg_handler_data, &winner);
- }
-
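Review bot: The `access()` tests added in ccache.c, heuristic.c and main.c check the cache path by name, and the cache is presumably opened by name again afterwards, so the answer can change between the check and the use; the patch header's own "Still needs work" fits that. `access()` is evaluated against the real UID, which looks like the reason it was picked for ksu, but nothing next to the calls says so; a comment such as `/* access() uses the real UID: only consult a cache the invoking user could read */` would record the intent. The flags also differ for no visible reason: ccache.c passes `R_OK` while the other three calls pass `F_OK | R_OK`, which is the same value on glibc because `F_OK` is 0, so `R_OK` everywhere would be clearer. All four enclosing functions start and end outside these hunks.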
diff --git a/krb5-1.10.2.tar.bz2 b/krb5-1.10.2.tar.bz2 deleted file mode 100644 index 752e403..0000000 --- a/krb5-1.10.2.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:479d66291ae989d5db9daca5838ff4bddde45c77b703fadcf78ca6d1db315bd8 -size 9457236 diff --git a/krb5-1.8-pam.patch b/krb5-1.11-pam.patch similarity index 96% rename from krb5-1.8-pam.patch rename to krb5-1.11-pam.patch index e21648b..adf3824 100644 --- a/krb5-1.8-pam.patch +++ b/krb5-1.11-pam.patch @@ -11,11 +11,11 @@ When enabled, ksu gains a dependency on libpam. Originally RT#5939, though it's changed since then to perform the account and session management before dropping privileges. -Index: krb5-1.10.2/src/aclocal.m4 +Index: krb5-1.11.1/src/aclocal.m4 =================================================================== ---- krb5-1.10.2.orig/src/aclocal.m4 -+++ krb5-1.10.2/src/aclocal.m4 -@@ -1676,3 +1676,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[ +--- krb5-1.11.1.orig/src/aclocal.m4 ++++ krb5-1.11.1/src/aclocal.m4 +@@ -1664,3 +1664,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[ ])) ])dnl dnl @@ -86,10 +86,10 @@ Index: krb5-1.10.2/src/aclocal.m4 +AC_SUBST(PAM_MAN) +AC_SUBST(NON_PAM_MAN) +])dnl -Index: krb5-1.10.2/src/clients/ksu/main.c +Index: krb5-1.11.1/src/clients/ksu/main.c =================================================================== ---- krb5-1.10.2.orig/src/clients/ksu/main.c -+++ krb5-1.10.2/src/clients/ksu/main.c +--- krb5-1.11.1.orig/src/clients/ksu/main.c ++++ krb5-1.11.1/src/clients/ksu/main.c @@ -26,6 +26,7 @@ * KSU was writen by: Ari Medvinsky, ari@isi.edu */ 
@@ -249,10 +249,10 @@ Index: krb5-1.10.2/src/clients/ksu/main.c exit (1); } } -Index: krb5-1.10.2/src/clients/ksu/Makefile.in +Index: krb5-1.11.1/src/clients/ksu/Makefile.in =================================================================== ---- krb5-1.10.2.orig/src/clients/ksu/Makefile.in -+++ krb5-1.10.2/src/clients/ksu/Makefile.in +--- krb5-1.11.1.orig/src/clients/ksu/Makefile.in ++++ krb5-1.11.1/src/clients/ksu/Makefile.in @@ -7,12 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD) PROG_RPATH=$(KRB5_LIBDIR) @@ -287,10 +287,10 @@ Index: krb5-1.10.2/src/clients/ksu/Makefile.in clean:: $(RM) ksu -Index: krb5-1.10.2/src/clients/ksu/pam.c +Index: krb5-1.11.1/src/clients/ksu/pam.c =================================================================== --- /dev/null -+++ krb5-1.10.2/src/clients/ksu/pam.c ++++ krb5-1.11.1/src/clients/ksu/pam.c @@ -0,0 +1,389 @@ +/* + * src/clients/ksu/pam.c @@ -681,10 +681,10 @@ Index: krb5-1.10.2/src/clients/ksu/pam.c + return ret; +} +#endif -Index: krb5-1.10.2/src/clients/ksu/pam.h +Index: krb5-1.11.1/src/clients/ksu/pam.h =================================================================== --- /dev/null -+++ krb5-1.10.2/src/clients/ksu/pam.h ++++ krb5-1.11.1/src/clients/ksu/pam.h @@ -0,0 +1,57 @@ +/* + * src/clients/ksu/pam.h 
@@ -743,16 +743,16 @@ Index: krb5-1.10.2/src/clients/ksu/pam.h +int appl_pam_cred_init(void); +void appl_pam_cleanup(void); +#endif -Index: krb5-1.10.2/src/configure.in +Index: krb5-1.11.1/src/configure.in =================================================================== ---- krb5-1.10.2.orig/src/configure.in -+++ krb5-1.10.2/src/configure.in -@@ -1246,6 +1246,8 @@ if test "${localedir+set}" != set; then - fi - AC_SUBST(localedir) +--- krb5-1.11.1.orig/src/configure.in ++++ krb5-1.11.1/src/configure.in +@@ -1244,6 +1244,8 @@ AC_SUBST([VERTO_VERSION]) + + AC_PATH_PROG(GROFF, groff) +KRB5_WITH_PAM + - AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) - V5_AC_OUTPUT_MAKEFILE(. - + # Make localedir work in autoconf 2.5x. + if test "${localedir+set}" != set; then + localedir='$(datadir)/locale' diff --git a/krb5-1.10-selinux-label.patch b/krb5-1.11-selinux-label.patch similarity index 75% rename from krb5-1.10-selinux-label.patch rename to krb5-1.11-selinux-label.patch index bf9a9f0..6af6440 100644 --- a/krb5-1.10-selinux-label.patch +++ b/krb5-1.11-selinux-label.patch @@ -31,10 +31,10 @@ The selabel APIs for looking up the context should be thread-safe (per Red Hat #273081), so switching to using them instead of matchpathcon(), which we used earlier, is some improvement. -Index: krb5-1.10.2/src/aclocal.m4 +Index: krb5-1.11.1/src/aclocal.m4 =================================================================== ---- krb5-1.10.2.orig/src/aclocal.m4 -+++ krb5-1.10.2/src/aclocal.m4 +--- krb5-1.11.1.orig/src/aclocal.m4 ++++ krb5-1.11.1/src/aclocal.m4 @@ -84,6 +84,7 @@ AC_SUBST_FILE(libnodeps_frag) dnl KRB5_AC_PRAGMA_WEAK_REF 
@@ -43,10 +43,10 @@ Index: krb5-1.10.2/src/aclocal.m4 KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1764,3 +1765,51 @@ AC_SUBST(manlocalstatedir) - AC_SUBST(manlibexecdir) - AC_CONFIG_FILES($1) - ]) +@@ -1731,3 +1732,51 @@ AC_SUBST(PAM_LIBS) + AC_SUBST(PAM_MAN) + AC_SUBST(NON_PAM_MAN) + ])dnl +dnl +dnl Use libselinux to set file contexts on newly-created files. +dnl @@ -95,11 +95,11 @@ Index: krb5-1.10.2/src/aclocal.m4 +LIBS="$old_LIBS" +AC_SUBST(SELINUX_LIBS) +])dnl -Index: krb5-1.10.2/src/config/pre.in +Index: krb5-1.11.1/src/config/pre.in =================================================================== ---- krb5-1.10.2.orig/src/config/pre.in -+++ krb5-1.10.2/src/config/pre.in -@@ -182,6 +182,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR +--- krb5-1.11.1.orig/src/config/pre.in ++++ krb5-1.11.1/src/config/pre.in +@@ -178,6 +178,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@ LDARGS = @LDARGS@ LIBS = @LIBS@ @@ -107,7 +107,7 @@ Index: krb5-1.10.2/src/config/pre.in INSTALL=@INSTALL@ INSTALL_STRIP= -@@ -406,7 +407,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) +@@ -403,7 +404,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) # HESIOD_LIBS is -lhesiod... HESIOD_LIBS = @HESIOD_LIBS@ 
@@ -116,24 +116,24 @@ Index: krb5-1.10.2/src/config/pre.in KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on Mac OS X! -Index: krb5-1.10.2/src/configure.in +Index: krb5-1.11.1/src/configure.in =================================================================== ---- krb5-1.10.2.orig/src/configure.in -+++ krb5-1.10.2/src/configure.in -@@ -1248,6 +1248,8 @@ AC_SUBST(localedir) +--- krb5-1.11.1.orig/src/configure.in ++++ krb5-1.11.1/src/configure.in +@@ -1246,6 +1246,8 @@ AC_PATH_PROG(GROFF, groff) KRB5_WITH_PAM +KRB5_WITH_SELINUX + - AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) - - V5_AC_OUTPUT_MANPAGE([ -Index: krb5-1.10.2/src/include/k5-int.h + # Make localedir work in autoconf 2.5x. + if test "${localedir+set}" != set; then + localedir='$(datadir)/locale' +Index: krb5-1.11.1/src/include/k5-int.h =================================================================== ---- krb5-1.10.2.orig/src/include/k5-int.h -+++ krb5-1.10.2/src/include/k5-int.h -@@ -135,6 +135,7 @@ typedef unsigned char u_char; +--- krb5-1.11.1.orig/src/include/k5-int.h ++++ krb5-1.11.1/src/include/k5-int.h +@@ -133,6 +133,7 @@ typedef unsigned char u_char; typedef UINT64_TYPE krb5_ui_8; typedef INT64_TYPE krb5_int64; @@ -141,10 +141,10 @@ Index: krb5-1.10.2/src/include/k5-int.h #define DEFAULT_PWD_STRING1 "Enter password" #define DEFAULT_PWD_STRING2 "Re-enter password for verification" -Index: krb5-1.10.2/src/include/k5-label.h +Index: krb5-1.11.1/src/include/k5-label.h =================================================================== --- /dev/null -+++ krb5-1.10.2/src/include/k5-label.h ++++ krb5-1.11.1/src/include/k5-label.h @@ -0,0 +1,32 @@ +#ifndef _KRB5_LABEL_H +#define _KRB5_LABEL_H 
@@ -178,11 +178,11 @@ Index: krb5-1.10.2/src/include/k5-label.h +#define THREEPARAMOPEN(x,y,z) open(x,y,z) +#endif +#endif -Index: krb5-1.10.2/src/include/krb5/krb5.hin +Index: krb5-1.11.1/src/include/krb5/krb5.hin =================================================================== ---- krb5-1.10.2.orig/src/include/krb5/krb5.hin -+++ krb5-1.10.2/src/include/krb5/krb5.hin -@@ -83,6 +83,12 @@ +--- krb5-1.11.1.orig/src/include/krb5/krb5.hin ++++ krb5-1.11.1/src/include/krb5/krb5.hin +@@ -87,6 +87,12 @@ #define THREEPARAMOPEN(x,y,z) open(x,y,z) #endif 
@@ -195,41 +195,54 @@ Index: krb5-1.10.2/src/include/krb5/krb5.hin #define KRB5_OLD_CRYPTO #include -Index: krb5-1.10.2/src/kadmin/dbutil/dump.c +Index: krb5-1.11.1/src/kadmin/dbutil/dump.c =================================================================== ---- krb5-1.10.2.orig/src/kadmin/dbutil/dump.c -+++ krb5-1.10.2/src/kadmin/dbutil/dump.c -@@ -346,7 +346,7 @@ void update_ok_file (file_name) - exit_status++; - return; +--- krb5-1.11.1.orig/src/kadmin/dbutil/dump.c ++++ krb5-1.11.1/src/kadmin/dbutil/dump.c +@@ -376,12 +376,21 @@ create_ofile(char *ofile, char **tmpname + { + int fd = -1; + FILE *f; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + *tmpname = NULL; + if (asprintf(tmpname, "%s-XXXXXX", ofile) < 0) + goto error; + ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(ofile); ++#endif + fd = mkstemp(*tmpname); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (fd == -1) + goto error; + +@@ -505,7 +514,7 @@ prep_ok_file(krb5_context context, char + return 0; } -- if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) { -+ if ((fd = THREEPARAMOPEN(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) { - com_err(progname, errno, _("while creating 'ok' file, '%s'"), - file_ok); + +- *fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); ++ *fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (*fd == -1) { + com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); exit_status++; -@@ -1251,7 +1251,7 @@ dump_db(argc, argv) - * want to get into. 
- */ - unlink(ofile); -- if (!(f = fopen(ofile, "w"))) { -+ if (!(f = WRITABLEFOPEN(ofile, "w"))) { - fprintf(stderr, ofopen_error, - progname, ofile, error_message(errno)); - exit_status++; -Index: krb5-1.10.2/src/krb5-config.in +Index: krb5-1.11.1/src/krb5-config.in =================================================================== ---- krb5-1.10.2.orig/src/krb5-config.in -+++ krb5-1.10.2/src/krb5-config.in -@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@' - PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@' - PTHREAD_CFLAGS='@PTHREAD_CFLAGS@' - DL_LIB='@DL_LIB@' +--- krb5-1.11.1.orig/src/krb5-config.in ++++ krb5-1.11.1/src/krb5-config.in +@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' + DEFCCNAME='@DEFCCNAME@' + DEFKTNAME='@DEFKTNAME@' + DEFCKTNAME='@DEFCKTNAME@' +SELINUX_LIBS='@SELINUX_LIBS@' LIBS='@LIBS@' GEN_LIB=@GEN_LIB@ -@@ -218,7 +219,7 @@ if test -n "$do_libs"; then +@@ -258,7 +259,7 @@ if test -n "$do_libs"; then fi # If we ever support a flag to generate output suitable for static @@ -238,10 +251,10 @@ Index: krb5-1.10.2/src/krb5-config.in # here. echo $lib_flags -Index: krb5-1.10.2/src/lib/kadm5/logger.c +Index: krb5-1.11.1/src/lib/kadm5/logger.c =================================================================== ---- krb5-1.10.2.orig/src/lib/kadm5/logger.c -+++ krb5-1.10.2/src/lib/kadm5/logger.c +--- krb5-1.11.1.orig/src/lib/kadm5/logger.c ++++ krb5-1.11.1/src/lib/kadm5/logger.c @@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, ch * Check for append/overwrite, then open the file. */ 
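Review bot: `krb5int_pop_fscreatecon(selabel)` now runs between the file-creating call and the failure test, so errno from a failed `mkstemp()` in create_ofile (dump.c) can be overwritten before the error path uses it; whether that path reads errno is outside the hunk. The same ordering is in the kdb5_ldap_services.c hunk further down, where `com_err(me, errno, _("Error creating file %s"), tmp_file)` visibly runs after the pop. Unless the pop helper already preserves errno (its body is not shown here), save and restore it around the call: `int saved_errno = errno;`, `krb5int_pop_fscreatecon(selabel);`, `errno = saved_errno;`. A one-line comment at each site noting that the label is pushed only for the duration of the create call would also help the next reader.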
@@ -260,10 +273,10 @@ Index: krb5-1.10.2/src/lib/kadm5/logger.c if (f) { set_cloexec_file(f); log_control.log_entries[lindex].lfu_filep = f; -Index: krb5-1.10.2/src/lib/krb5/keytab/kt_file.c +Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c =================================================================== ---- krb5-1.10.2.orig/src/lib/krb5/keytab/kt_file.c -+++ krb5-1.10.2/src/lib/krb5/keytab/kt_file.c +--- krb5-1.11.1.orig/src/lib/krb5/keytab/kt_file.c ++++ krb5-1.11.1/src/lib/krb5/keytab/kt_file.c @@ -1039,7 +1039,7 @@ krb5_ktfileint_open(krb5_context context KTCHECKLOCK(id); @@ -282,11 +295,11 @@ Index: krb5-1.10.2/src/lib/krb5/keytab/kt_file.c if (!KTFILEP(id)) goto report_errno; writevno = 1; -Index: krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c +Index: krb5-1.11.1/src/plugins/kdb/db2/adb_openclose.c =================================================================== ---- krb5-1.10.2.orig/src/plugins/kdb/db2/adb_openclose.c -+++ krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c -@@ -197,7 +197,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char +--- krb5-1.11.1.orig/src/plugins/kdb/db2/adb_openclose.c ++++ krb5-1.11.1/src/plugins/kdb/db2/adb_openclose.c +@@ -147,7 +147,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char * POSIX systems */ lockp->lockinfo.filename = strdup(lockfilename); @@ -295,10 +308,10 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c /* * maybe someone took away write permission so we could only * get shared locks? -Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c +Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c =================================================================== ---- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c -+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c +--- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c ++++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c 
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8. #include "k5-platform.h" /* mkstemp? */ @@ -316,10 +329,10 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c goto err; } else { -Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c +Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/hash/hash.c =================================================================== ---- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/hash/hash.c -+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c +--- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c ++++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/hash/hash.c @@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 #include #endif @@ -337,10 +350,10 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c RETURN_ERROR(errno, error0); (void)fcntl(hashp->fp, F_SETFD, 1); } -Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in +Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/test/Makefile.in =================================================================== ---- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in -+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in +--- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in ++++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/test/Makefile.in @@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR) KRB5_RUN_ENV= @KRB5_RUN_ENV@ 
@@ -351,56 +364,11 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in DB_DEPLIB = ../libdb$(DEPLIBEXT) all:: -Index: krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +Index: krb5-1.11.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c =================================================================== ---- krb5-1.10.2.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -+++ krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -@@ -1088,7 +1088,7 @@ rem_service_entry_from_file(int argc, ch - - /* Create a temporary file which contains all the entries except the - entry for the given service dn */ -- pfile = fopen(file_name, "r+"); -+ pfile = WRITABLEFOPEN(file_name, "r+"); - if (pfile == NULL) { - com_err(me, errno, "while deleting entry from file %s", file_name); - goto cleanup; -@@ -1105,7 +1105,7 @@ rem_service_entry_from_file(int argc, ch - snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp"); - - -- tmpfd = creat(tmp_file, S_IRUSR|S_IWUSR); -+ tmpfd = THREEPARAMOPEN(tmp_file, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR); - umask(omask); - if (tmpfd == -1) { - com_err(me, errno, "while deleting entry from file\n"); -@@ -1725,7 +1725,7 @@ kdb5_ldap_set_service_password(int argc, - - printf("File does not exist. 
Creating the file %s...\n", file_name); - omask = umask(077); -- fd = creat(file_name, S_IRUSR|S_IWUSR); -+ fd = THREEPARAMOPEN(file_name, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR); - umask(omask); - if (fd == -1) { - com_err(me, errno, "Error creating file %s", file_name); -@@ -1753,7 +1753,7 @@ kdb5_ldap_set_service_password(int argc, - - /* TODO: file lock for the service password file */ - /* set password in the file */ -- pfile = fopen(file_name, "r+"); -+ pfile = WRITABLEFOPEN(file_name, "r+"); - if (pfile == NULL) { - com_err(me, errno, "Failed to open file %s", file_name); - goto cleanup; -@@ -1794,7 +1794,7 @@ kdb5_ldap_set_service_password(int argc, - } - - omask = umask(077); -- newfile = fopen(tmp_file, "w+"); -+ newfile = WRITABLEFOPEN(tmp_file, "w+"); - umask(omask); - if (newfile == NULL) { - com_err(me, errno, "Error creating file %s", tmp_file); -@@ -2016,7 +2016,7 @@ done: +--- krb5-1.11.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ++++ krb5-1.11.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +@@ -179,7 +179,7 @@ done: /* set password in the file */ old_mode = umask(0177); 
@@ -409,29 +377,35 @@ Index: krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c if (pfile == NULL) { com_err(me, errno, _("Failed to open file %s: %s"), file_name, strerror (errno)); -@@ -2068,7 +2068,7 @@ done: +@@ -220,6 +220,9 @@ done: + * Delete the existing entry and add the new entry + */ + FILE *newfile; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + mode_t omask; + +@@ -231,7 +234,13 @@ done: } omask = umask(077); -- newfile = fopen(tmp_file, "w"); -+ newfile = WRITABLEFOPEN(tmp_file, "w"); ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(file_name); ++#endif + newfile = fopen(tmp_file, "w"); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif umask (omask); if (newfile == NULL) { com_err(me, errno, _("Error creating file %s"), tmp_file); -Index: krb5-1.10.2/src/slave/kpropd.c +Index: krb5-1.11.1/src/slave/kpropd.c =================================================================== ---- krb5-1.10.2.orig/src/slave/kpropd.c -+++ krb5-1.10.2/src/slave/kpropd.c -@@ -336,7 +336,7 @@ retry: - if (!debug && iproprole != IPROP_SLAVE) - daemon(1, 0); - #ifdef PID_FILE -- if ((pidfile = fopen(PID_FILE, "w")) != NULL) { -+ if ((pidfile = WRITABLEFOPEN(PID_FILE, "w")) != NULL) { - fprintf(pidfile, "%d\n", getpid()); - fclose(pidfile); - } else -@@ -437,6 +437,9 @@ void doit(fd) +--- krb5-1.11.1.orig/src/slave/kpropd.c ++++ krb5-1.11.1/src/slave/kpropd.c +@@ -459,6 +459,9 @@ void doit(fd) krb5_enctype etype; int database_fd; char host[INET6_ADDRSTRLEN+1]; @@ -439,9 +413,9 @@ Index: krb5-1.10.2/src/slave/kpropd.c + void *selabel; +#endif - if (kpropd_context->kdblog_context && - kpropd_context->kdblog_context->iproprole == IPROP_SLAVE) { -@@ -515,9 +518,15 @@ void doit(fd) + signal_wrapper(SIGALRM, alarm_handler); + alarm(params.iprop_resync_timeout); +@@ -516,9 +519,15 @@ void doit(fd) free(name); exit(1); } 
@@ -457,10 +431,10 @@ Index: krb5-1.10.2/src/slave/kpropd.c retval = krb5_lock_file(kpropd_context, lock_fd, KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK); if (retval) { -Index: krb5-1.10.2/src/util/profile/prof_file.c +Index: krb5-1.11.1/src/util/profile/prof_file.c =================================================================== ---- krb5-1.10.2.orig/src/util/profile/prof_file.c -+++ krb5-1.10.2/src/util/profile/prof_file.c +--- krb5-1.11.1.orig/src/util/profile/prof_file.c ++++ krb5-1.11.1/src/util/profile/prof_file.c @@ -30,6 +30,7 @@ #endif @@ -478,10 +452,10 @@ Index: krb5-1.10.2/src/util/profile/prof_file.c if (!f) { retval = errno; if (retval == 0) -Index: krb5-1.10.2/src/util/support/Makefile.in +Index: krb5-1.11.1/src/util/support/Makefile.in =================================================================== ---- krb5-1.10.2.orig/src/util/support/Makefile.in -+++ krb5-1.10.2/src/util/support/Makefile.in +--- krb5-1.11.1.orig/src/util/support/Makefile.in ++++ krb5-1.11.1/src/util/support/Makefile.in @@ -64,6 +64,7 @@ IPC_SYMS= \ STLIBOBJS= \ @@ -490,7 +464,7 @@ Index: krb5-1.10.2/src/util/support/Makefile.in init-addrinfo.o \ plugins.o \ errors.o \ -@@ -127,7 +128,7 @@ SRCS=\ +@@ -135,7 +136,7 @@ SRCS=\ SHLIB_EXPDEPS = # Add -lm if dumping thread stats, for sqrt. @@ -499,13 +473,13 @@ Index: krb5-1.10.2/src/util/support/Makefile.in SHLIB_DIRS= SHLIB_RDIRS=$(KRB5_LIBDIR) -Index: krb5-1.10.2/src/util/support/selinux.c +Index: krb5-1.11.1/src/util/support/selinux.c =================================================================== 
--- /dev/null -+++ krb5-1.10.2/src/util/support/selinux.c -@@ -0,0 +1,372 @@ ++++ krb5-1.11.1/src/util/support/selinux.c +@@ -0,0 +1,405 @@ +/* -+ * Copyright 2007,2008,2009,2011 Red Hat, Inc. All Rights Reserved. ++ * Copyright 2007,2008,2009,2011,2012 Red Hat, Inc. All Rights Reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: @@ -542,7 +516,7 @@ Index: krb5-1.10.2/src/util/support/selinux.c +#ifdef USE_SELINUX + +#include -+#include ++#include +#include +#include +#include @@ -573,15 +547,28 @@ Index: krb5-1.10.2/src/util/support/selinux.c + k5_mutex_finish_init(&labeled_mutex); +} + ++#ifdef HAVE_SELINUX_LABEL_H ++static struct selabel_handle *selabel_ctx; ++static time_t selabel_last_changed; ++ ++MAKE_FINI_FUNCTION(cleanup_fscreatecon); ++ ++static void ++cleanup_fscreatecon(void) ++{ ++ if (selabel_ctx != NULL) { ++ selabel_close(selabel_ctx); ++ selabel_ctx = NULL; ++ } ++} ++#endif ++ +static security_context_t +push_fscreatecon(const char *pathname, mode_t mode) +{ + security_context_t previous, configuredsc, currentsc, derivedsc; + context_t current, derived; + const char *fullpath, *currentuser; -+#ifdef HAVE_SELINUX_LABEL_H -+ struct selabel_handle *ctx; -+#endif + + previous = NULL; + if (is_selinux_enabled()) { 
@@ -622,18 +609,37 @@ Index: krb5-1.10.2/src/util/support/selinux.c +#endif + configuredsc = NULL; +#ifdef HAVE_SELINUX_LABEL_H -+ ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0); -+ if (ctx != NULL) { -+ if (selabel_lookup(ctx, &configuredsc, ++ if ((selabel_ctx != NULL) || ++ (selabel_last_changed == 0)) { ++ const char *cpath; ++ struct stat st; ++ int i = -1; ++ cpath = selinux_file_context_path(); ++ if ((cpath == NULL) || ++ ((i = stat(cpath, &st)) != 0) || ++ (st.st_mtime != selabel_last_changed)) { ++ if (selabel_ctx != NULL) { ++ selabel_close(selabel_ctx); ++ selabel_ctx = NULL; ++ } ++ selabel_last_changed = i ? ++ time(NULL) : ++ st.st_mtime; ++ } ++ } ++ if (selabel_ctx == NULL) { ++ selabel_ctx = selabel_open(SELABEL_CTX_FILE, ++ NULL, 0); ++ } ++ if (selabel_ctx != NULL) { ++ if (selabel_lookup(selabel_ctx, &configuredsc, + fullpath, mode) != 0) { -+ selabel_close(ctx); + free(genpath); + if (previous != NULL) { + freecon(previous); + } + return NULL; + } -+ selabel_close(ctx); + } +#else + if (matchpathcon(fullpath, mode, &configuredsc) != 0) { @@ -756,7 +762,8 @@ Index: krb5-1.10.2/src/util/support/selinux.c + int errno_save; + security_context_t ctx; + -+ if (strcmp(mode, "r") == 0) { ++ if ((strcmp(mode, "r") == 0) || ++ (strcmp(mode, "rb") == 0)) { + return fopen(path, mode); + } + @@ -876,10 +883,10 @@ Index: krb5-1.10.2/src/util/support/selinux.c +} + +#endif -Index: krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c +Index: krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c =================================================================== ---- krb5-1.10.2.orig/src/lib/krb5/rcache/rc_dfl.c -+++ krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c +--- krb5-1.11.1.orig/src/lib/krb5/rcache/rc_dfl.c ++++ krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c @@ -812,6 +812,9 @@ krb5_rc_dfl_expunge_locked(krb5_context krb5_error_code retval = 0; krb5_rcache tmp; 
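Review bot: push_fscreatecon now closes, reopens and reads the file-scope `selabel_ctx` and `selabel_last_changed` (declared in the preceding hunk) on every call, so two threads on this path at once could have one call selabel_close() while the other is still inside selabel_lookup(). The file initialises `labeled_mutex`, but whether every caller of push_fscreatecon holds it is not visible in this hunk; if they do, state it above the function, e.g. `/* Caller must hold labeled_mutex: selabel_ctx and selabel_last_changed are shared. */`. The reload test also relies on `st.st_mtime` alone, which has one-second granularity, so a rewrite of the file_contexts file within the same second as the previous load would presumably leave the old handle in use. The function body starts and ends outside the hunk.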
@@ -908,11 +915,48 @@ Index: krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c if (retval) goto cleanup; for (q = t->a; q; q = q->na) { -Index: krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c +Index: krb5-1.11.1/src/lib/krb5/ccache/cc_dir.c =================================================================== ---- krb5-1.10.2.orig/src/plugins/kdb/db2/kdb_db2.c -+++ krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c -@@ -683,8 +683,8 @@ ctx_create_db(krb5_context context, krb5 +--- krb5-1.11.1.orig/src/lib/krb5/ccache/cc_dir.c ++++ krb5-1.11.1/src/lib/krb5/ccache/cc_dir.c +@@ -185,10 +185,19 @@ write_primary_file(const char *primary_p + char *newpath = NULL; + FILE *fp = NULL; + int fd = -1, status; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0) + return ENOMEM; ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(primary_path); ++#endif + fd = mkstemp(newpath); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (fd < 0) + goto cleanup; + #ifdef HAVE_CHMOD +Index: krb5-1.11.1/src/lib/krb5/os/trace.c +=================================================================== +--- krb5-1.11.1.orig/src/lib/krb5/os/trace.c ++++ krb5-1.11.1/src/lib/krb5/os/trace.c +@@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con + fd = malloc(sizeof(*fd)); + if (fd == NULL) + return ENOMEM; +- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); ++ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); + if (*fd == -1) { + free(fd); + return errno; +Index: krb5-1.11.1/src/plugins/kdb/db2/kdb_db2.c +=================================================================== +--- krb5-1.11.1.orig/src/plugins/kdb/db2/kdb_db2.c ++++ krb5-1.11.1/src/plugins/kdb/db2/kdb_db2.c +@@ -681,8 +681,8 @@ ctx_create_db(krb5_context context, krb5 if (retval) return retval; 
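Review bot: In the trace.c part of this hunk, the failure branch after the changed open call is `free(fd); return errno;`, so the value returned is whatever errno holds after free() rather than the open failure; free() is not required to leave errno untouched. Since the line is being switched to THREEPARAMOPEN anyway, capture the error first: `int e = errno; free(fd); return e;`. krb5_set_trace_filename continues outside the hunk.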
@@ -923,10 +967,10 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c if (dbc->db_lf_file < 0) { retval = errno; goto cleanup; -Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c +Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c =================================================================== ---- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c -+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c +--- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c ++++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c @@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8 #include #include @@ -945,11 +989,11 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c return (NULL); if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { -Index: krb5-1.10.2/src/kdc/main.c +Index: krb5-1.11.1/src/kdc/main.c =================================================================== ---- krb5-1.10.2.orig/src/kdc/main.c -+++ krb5-1.10.2/src/kdc/main.c -@@ -909,7 +909,7 @@ write_pid_file(const char *path) +--- krb5-1.11.1.orig/src/kdc/main.c ++++ krb5-1.11.1/src/kdc/main.c +@@ -902,7 +902,7 @@ write_pid_file(const char *path) FILE *file; unsigned long pid; 
@@ -958,23 +1002,23 @@ Index: krb5-1.10.2/src/kdc/main.c if (file == NULL) return errno; pid = (unsigned long) getpid(); -Index: krb5-1.10.2/src/lib/kdb/kdb_log.c +Index: krb5-1.11.1/src/lib/kdb/kdb_log.c =================================================================== ---- krb5-1.10.2.orig/src/lib/kdb/kdb_log.c -+++ krb5-1.10.2/src/lib/kdb/kdb_log.c -@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha +--- krb5-1.11.1.orig/src/lib/kdb/kdb_log.c ++++ krb5-1.11.1/src/lib/kdb/kdb_log.c +@@ -604,7 +604,7 @@ ulog_map(krb5_context context, const cha return (errno); } -- if ((ulogfd = open(logname, O_RDWR+O_CREAT, 0600)) == -1) { -+ if ((ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600)) == -1) { +- ulogfd = open(logname, O_RDWR | O_CREAT, 0600); ++ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600); + if (ulogfd == -1) { return (errno); } - -Index: krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in +Index: krb5-1.11.1/src/util/gss-kernel-lib/Makefile.in =================================================================== ---- krb5-1.10.2.orig/src/util/gss-kernel-lib/Makefile.in -+++ krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in +--- krb5-1.11.1.orig/src/util/gss-kernel-lib/Makefile.in ++++ krb5-1.11.1/src/util/gss-kernel-lib/Makefile.in @@ -66,6 +66,7 @@ HEADERS= \ gssapi_err_generic.h \ k5-int.h \ diff --git a/krb5-1.11.1.tar.bz2 b/krb5-1.11.1.tar.bz2 new file mode 100644 index 0000000..0d923b8 --- /dev/null +++ b/krb5-1.11.1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7994928de3fbaeaef4862798ad1608c8bd886b91cc15de7b49d6c3c3cadc1d0d +size 9433869 diff --git a/krb5-1.3.5-perlfix.dif b/krb5-1.3.5-perlfix.dif deleted file mode 100644 index 8920770..0000000 --- a/krb5-1.3.5-perlfix.dif +++ /dev/null 
@@ -1,9 +0,0 @@ ---- doc/man2html -+++ doc/man2html 2004/10/18 16:20:53 -@@ -1,5 +1,4 @@ --#!/usr/athena/bin/perl --#!/usr/local/bin/perl -+#!/usr/bin/perl - ##---------------------------------------------------------------------------## - ## File: - ## @(#) man2html 1.2 97/08/12 12:57:30 @(#) diff --git a/krb5-1.6.3-ktutil-manpage.dif b/krb5-1.6.3-ktutil-manpage.dif index 5d0d58a..956b816 100644 --- a/krb5-1.6.3-ktutil-manpage.dif +++ b/krb5-1.6.3-ktutil-manpage.dif @@ -1,11 +1,11 @@ -Index: krb5-1.6.3/src/kadmin/ktutil/ktutil.M +Index: krb5-1.11/src/man/ktutil.man =================================================================== ---- krb5-1.6.3.orig/src/kadmin/ktutil/ktutil.M -+++ krb5-1.6.3/src/kadmin/ktutil/ktutil.M -@@ -63,5 +63,17 @@ Quits - Aliases: - .BR exit , - .BR q . +--- krb5-1.11.orig/src/man/ktutil.man ++++ krb5-1.11/src/man/ktutil.man +@@ -158,6 +158,18 @@ ktutil: + .fi + .UNINDENT + .UNINDENT +.SH REMARKS +Changes to the keytab are appended to the keytab file (i.e., the keytab file +is never overwritten). To directly modify a keytab, save the changes to a @@ -19,4 +19,5 @@ Index: krb5-1.6.3/src/kadmin/ktutil/ktutil.M +ktutil> q +# mv /tmp/krb5.newtab /etc/krb5.keytab .SH SEE ALSO - kadmin(8), kdb5_util(8) + .sp + \fIkadmin(1)\fP, \fIkdb5_util(8)\fP diff --git a/krb5-1.8-manpaths.txt b/krb5-1.8-manpaths.txt deleted file mode 100644 index eaf544f..0000000 --- a/krb5-1.8-manpaths.txt +++ /dev/null @@ -1,7 +0,0 @@ -appl/sample/sserver/sserver.M -config-files/kdc.conf.M -config-files/krb5.conf.M -gen-manpages/kerberos.M -kadmin/cli/kadmin.M -slave/kpropd.M -slave/kprop.M diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch new file mode 100644 index 0000000..0bf795e --- /dev/null +++ b/krb5-1.9-debuginfo.patch 
@@ -0,0 +1,30 @@ +We want to keep these y.tab.c files around because the debuginfo points to +them. It would be more elegant at the end to use symbolic links, but that +could mess up people working in the tree on other things. + +Index: src/kadmin/cli/Makefile.in +=================================================================== +--- src/kadmin/cli/Makefile.in.orig ++++ src/kadmin/cli/Makefile.in +@@ -40,3 +40,8 @@ clean-unix:: + # CC_LINK is not meant for compilation and this use may break in the future. + datetest: getdate.c + $(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c ++ ++%.c: %.y ++ $(RM) y.tab.c $@ ++ $(YACC.y) $< ++ $(CP) y.tab.c $@ +Index: src/plugins/kdb/ldap/ldap_util/Makefile.in +=================================================================== +--- src/plugins/kdb/ldap/ldap_util/Makefile.in.orig ++++ src/plugins/kdb/ldap/ldap_util/Makefile.in +@@ -22,7 +22,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KR + getdate.c: $(GETDATE) + $(RM) getdate.c y.tab.c + $(YACC) $(GETDATE) +- $(MV) y.tab.c getdate.c ++ $(CP) y.tab.c getdate.c + + install:: + $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) diff --git a/krb5-1.9-kprop-mktemp.patch b/krb5-1.9-kprop-mktemp.patch index dca8f8b..70996ce 100644 --- a/krb5-1.9-kprop-mktemp.patch +++ b/krb5-1.9-kprop-mktemp.patch @@ -1,10 +1,10 @@ Use an in-memory ccache to silence a compiler warning, for RT#6414. -Index: krb5-1.10.2/src/slave/kprop.c +Index: krb5-1.11/src/slave/kprop.c =================================================================== ---- krb5-1.10.2.orig/src/slave/kprop.c -+++ krb5-1.10.2/src/slave/kprop.c -@@ -186,9 +186,8 @@ void PRS(argc, argv) +--- krb5-1.11.orig/src/slave/kprop.c ++++ krb5-1.11/src/slave/kprop.c +@@ -187,9 +187,8 @@ void PRS(argc, argv) void get_tickets(context) krb5_context context; { 
@@ -15,7 +15,7 @@ Index: krb5-1.10.2/src/slave/kprop.c krb5_keytab keytab = NULL; /* -@@ -229,11 +228,8 @@ void get_tickets(context) +@@ -230,11 +229,8 @@ void get_tickets(context) #endif /* diff --git a/krb5-1.9-manpaths.dif b/krb5-1.9-manpaths.dif index 645672d..9d4b2f5 100644 --- a/krb5-1.9-manpaths.dif +++ b/krb5-1.9-manpaths.dif 
@@ -3,206 +3,16 @@ values can be dropped in by config.status. After applying this patch, these files should be renamed to their ".in" counterparts, and then the configure scripts should be rebuilt. Originally RT#6525 -Index: krb5-1.10.2/src/aclocal.m4 +Index: krb5-1.11/src/man/kpropd.man =================================================================== ---- krb5-1.10.2.orig/src/aclocal.m4 -+++ krb5-1.10.2/src/aclocal.m4 -@@ -1743,3 +1743,24 @@ AC_SUBST(PAM_LIBS) - AC_SUBST(PAM_MAN) - AC_SUBST(NON_PAM_MAN) - ])dnl -+AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[ -+mansysconfdir=$sysconfdir -+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"` -+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"` -+mansbindir=$sbindir -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"` -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"` -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"` -+manlocalstatedir=$localstatedir -+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"` -+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"` -+manlibexecdir=$libexecdir -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"` -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"` -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"` -+AC_SUBST(mansysconfdir) -+AC_SUBST(mansbindir) -+AC_SUBST(manlocalstatedir) -+AC_SUBST(manlibexecdir) -+AC_CONFIG_FILES($1) -+]) -Index: krb5-1.10.2/src/configure.in -=================================================================== ---- krb5-1.10.2.orig/src/configure.in -+++ krb5-1.10.2/src/configure.in -@@ -1249,6 +1249,17 @@ AC_SUBST(localedir) - KRB5_WITH_PAM - - AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) -+ -+V5_AC_OUTPUT_MANPAGE([ -+ appl/sample/sserver/sserver.M -+ config-files/kdc.conf.M -+ config-files/krb5.conf.M -+ gen-manpages/kerberos.M -+ 
kadmin/cli/kadmin.M -+ slave/kpropd.M -+ slave/kprop.M -+]) -+ - V5_AC_OUTPUT_MAKEFILE(. - - util util/support util/profile util/profile/testmod util/send-pr -Index: krb5-1.10.2/src/appl/sample/sserver/sserver.M -=================================================================== ---- krb5-1.10.2.orig/src/appl/sample/sserver/sserver.M -+++ krb5-1.10.2/src/appl/sample/sserver/sserver.M -@@ -59,7 +59,7 @@ option allows for a different keytab tha - using a line in - /etc/inetd.conf that looks like this: - .PP --sample stream tcp nowait root /usr/local/sbin/sserver sserver -+sample stream tcp nowait root @mansbindir@/sserver sserver - .PP - Since \fBsample\fP is normally not a port defined in /etc/services, you will - usually have to add a line to /etc/services which looks like this: -Index: krb5-1.10.2/src/config-files/kdc.conf.M -=================================================================== ---- krb5-1.10.2.orig/src/config-files/kdc.conf.M -+++ krb5-1.10.2/src/config-files/kdc.conf.M -@@ -92,14 +92,14 @@ This - .B string - specifies the location of the access control list (acl) file that - kadmin uses to determine which principals are allowed which permissions --on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl. -+on the database. The default value is @manlocalstatedir@/krb5kdc/kadm5.acl. - - .IP admin_keytab - This - .B string - Specifies the location of the keytab file that kadmin uses to - authenticate to the database. The default value is --/usr/local/var/krb5kdc/kadm5.keytab. -+@manlocalstatedir@/krb5kdc/kadm5.keytab. 
- - .IP database_name - This -@@ -274,7 +274,7 @@ tickets should be checked against the tr - realm names and the [capaths] section of its krb5.conf file - - .SH FILES --/usr/local/var/krb5kdc/kdc.conf -+@manlocalstatedir@/krb5kdc/kdc.conf - - .SH SEE ALSO - krb5.conf(5), krb5kdc(8) -Index: krb5-1.10.2/src/config-files/krb5.conf.M -=================================================================== ---- krb5-1.10.2.orig/src/config-files/krb5.conf.M -+++ krb5-1.10.2/src/config-files/krb5.conf.M -@@ -808,6 +808,6 @@ This module implements the encrypted cha - This module implements the encrypted timestamp mechanism. - - .SH FILES --/etc/krb5.conf -+@mansysconfdir@/krb5.conf - .SH SEE ALSO - syslog(3) -Index: krb5-1.10.2/src/gen-manpages/kerberos.M -=================================================================== ---- krb5-1.10.2.orig/src/gen-manpages/kerberos.M -+++ krb5-1.10.2/src/gen-manpages/kerberos.M -@@ -125,7 +125,7 @@ default is /etc/krb5.conf. - Specifies the location of the KDC configuration file, which contains - additional configuration directives for the Key Distribution Center - daemon and associated programs. The default is --/usr/local/var/krb5kdc/kdc.conf. -+@manlocalstatedir@/krb5kdc/kdc.conf. - .TP - .B KRB5RCACHETYPE - Specifies the default type of replay cache to use for servers. Valid -Index: krb5-1.10.2/src/kadmin/cli/kadmin.M -=================================================================== ---- krb5-1.10.2.orig/src/kadmin/cli/kadmin.M -+++ krb5-1.10.2/src/kadmin/cli/kadmin.M -@@ -924,9 +924,9 @@ option is specified, less verbose status - .RS - .TP - EXAMPLE: --kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin -+kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin - Entry for principal kadmin/admin with kvno 3 removed -- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab. -+ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab. 
- kadmin: - .RE +--- krb5-1.11.orig/src/man/kpropd.man ++++ krb5-1.11/src/man/kpropd.man +@@ -63,7 +63,7 @@ the \fB/etc/inetd.conf\fP file which loo + .sp + .nf + .ft C +-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd ++kprop stream tcp nowait root @SBINDIR@/kpropd kpropd + .ft P .fi -Index: krb5-1.10.2/src/slave/kpropd.M -=================================================================== ---- krb5-1.10.2.orig/src/slave/kpropd.M -+++ krb5-1.10.2/src/slave/kpropd.M -@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of - This is done by adding a line to the inetd.conf file which looks like - this: - --kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd -+kprop stream tcp nowait root @mansbindir@/kpropd kpropd - - However, kpropd can also run as a standalone daemon, if the - .B \-S -@@ -111,13 +111,13 @@ is used. - \fB\-f\fP \fIfile\fP - specifies the filename where the dumped principal database file is to be - stored; by default the dumped database file is KPROPD_DEFAULT_FILE --(normally /usr/local/var/krb5kdc/from_master). -+(normally @manlocalstatedir@/krb5kdc/from_master). - .TP - .B \-p - allows the user to specify the pathname to the - .IR kdb5_util (8) - program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL --(normally /usr/local/sbin/kdb5_util). -+(normally @mansbindir@/kdb5_util). - .TP - .B \-S - turn on standalone mode. Normally, kpropd is invoked out of -@@ -148,14 +148,14 @@ mode. - allows the user to specify the path to the - kpropd.acl - file; by default the path used is KPROPD_ACL_FILE --(normally /usr/local/var/krb5kdc/kpropd.acl). -+(normally @manlocalstatedir@/krb5kdc/kpropd.acl). - .SH FILES - .TP "\w'kpropd.acl\ \ 'u" - kpropd.acl - Access file for - .BR kpropd ; - the default location is KPROPD_ACL_FILE (normally --/usr/local/var/krb5kdc/kpropd.acl). -+@manlocalstatedir@/krb5kdc/kpropd.acl). 
- Each entry is a line containing the principal of a host from which the - local machine will allow Kerberos database propagation via kprop. - .SH SEE ALSO -Index: krb5-1.10.2/src/slave/kprop.M -=================================================================== ---- krb5-1.10.2.orig/src/slave/kprop.M -+++ krb5-1.10.2/src/slave/kprop.M -@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv - This is done by transmitting the dumped database file to the slave - server over an encrypted, secure channel. The dump file must be created - by kdb5_util, and is normally KPROP_DEFAULT_FILE --(/usr/local/var/krb5kdc/slave_datatrans). -+(@manlocalstatedir@/krb5kdc/slave_datatrans). - .SH OPTIONS - .TP - \fB\-r\fP \fIrealm\fP -@@ -51,7 +51,7 @@ is used. - \fB\-f\fP \fIfile\fP - specifies the filename where the dumped principal database file is to be - found; by default the dumped database file is KPROP_DEFAULT_FILE --(normally /usr/local/var/krb5kdc/slave_datatrans). -+(normally @manlocalstatedir@/krb5kdc/slave_datatrans). - .TP - \fB\-P\fP \fIport\fP - specifies the port to use to contact the + .UNINDENT diff --git a/krb5-doc-rpmlintrc b/krb5-doc-rpmlintrc deleted file mode 100644 index de258e7..0000000 --- a/krb5-doc-rpmlintrc +++ /dev/null @@ -1,2 +0,0 @@ -addFilter("files-duplicate .*css") -addFilter("files-duplicate .*img.*png") diff --git a/krb5-doc.changes b/krb5-doc.changes deleted file mode 100644 index 211fa6c..0000000 --- a/krb5-doc.changes +++ /dev/null 
@@ -1,196 +0,0 @@ -------------------------------------------------------------------- -Mon Sep 3 14:34:35 UTC 2012 - idonmez@suse.com - -- Build depend on texinfo & texlive-dvips to fix the build - -------------------------------------------------------------------- -Wed Jun 6 17:34:26 CEST 2012 - mc@suse.de - -- update to version 1.10.2 - -------------------------------------------------------------------- -Mon Aug 22 10:21:56 CEST 2011 - mc@suse.de - -- update to version 1.9.1 - -------------------------------------------------------------------- -Fri Apr 9 12:45:30 CEST 2010 - mc@suse.de - -- update to version 1.8.1 - -------------------------------------------------------------------- -Tue Mar 23 12:38:29 CET 2010 - mc@suse.de - -- add post 1.8 fixes - * Document the ticket_lifetime libdefaults setting - -------------------------------------------------------------------- -Thu Mar 4 11:45:22 CET 2010 - mc@suse.de - -- update to version 1.8 - -------------------------------------------------------------------- -Wed Jun 3 10:47:07 CEST 2009 - mc@suse.de - -- update to final version 1.7 - -------------------------------------------------------------------- -Wed May 13 11:34:07 CEST 2009 - mc@suse.de - -- update to version 1.7 Beta2 - -------------------------------------------------------------------- -Mon Feb 16 13:08:05 CET 2009 - mc@suse.de - -- update to pre 1.7 version - * remove outdated documentation for kadm5 API - -------------------------------------------------------------------- -Fri Jul 25 12:17:10 CEST 2008 - mc@suse.de - -- add patches from SVN post 1.6.3 - * some fixes in the man pages - -------------------------------------------------------------------- -Wed Jun 18 15:34:16 CEST 2008 - mc@suse.de - -- reduce rpmlint warnings - -------------------------------------------------------------------- -Tue Oct 23 10:29:23 CEST 2007 - mc@suse.de - -- update to krb5 version 1.6.3 - * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow - * fix 
CVE-2007-4000 modify_policy vulnerability - * Add PKINIT support -- remove patches which are upstream now -- enhance init scripts and xinetd profiles - -------------------------------------------------------------------- -Thu Jul 12 17:02:30 CEST 2007 - mc@suse.de - -- update to version 1.6.2 -- remove krb5-1.6.1-post.dif all fixes are included in this release - -------------------------------------------------------------------- -Wed Jun 13 15:29:42 CEST 2007 - sschober@suse.de - -- removed executable permission from doc file - -------------------------------------------------------------------- -Mon Apr 23 11:15:59 CEST 2007 - mc@suse.de - -- update to final 1.6.1 version -- replace te_ams with texlive in BuildRequires - -------------------------------------------------------------------- -Wed Apr 18 14:47:49 CEST 2007 - mc@suse.de - -- build implementor.ps - -------------------------------------------------------------------- -Mon Apr 16 14:39:40 CEST 2007 - mc@suse.de - -- update to version 1.6.1 Beta1 -- remove obsolete patches - (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif) - -------------------------------------------------------------------- -Mon Feb 19 14:00:49 CET 2007 - mc@suse.de - -- add krb5-1.6-post.dif - -------------------------------------------------------------------- -Mon Jan 22 12:21:20 CET 2007 - mc@suse.de - -- update to version 1.6 - * Major changes in 1.6 include - * Partial client implementation to handle server name referrals. - * Pre-authentication plug-in framework, donated by Red Hat. - * LDAP KDB plug-in, donated by Novell. 
- -------------------------------------------------------------------- -Thu Aug 24 12:53:25 CEST 2006 - mc@suse.de - -- update to version 1.5.1 -- remove obsolete patches which are now included upstream - * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif - * trunk-fix-uninitialized-vars.dif - -------------------------------------------------------------------- -Mon Jul 3 15:01:57 CEST 2006 - mc@suse.de - -- update to version 1.5 - * KDB abstraction layer, donated by Novell. - * plug-in architecture, allowing for extension modules to be - loaded at run-time. - * multi-mechanism GSS-API implementation ("mechglue"), - donated by Sun Microsystems - * Simple and Protected GSS-API negotiation mechanism ("SPNEGO") - implementation, donated by Sun Microsystems -- remove obsolete patches and add some new - -------------------------------------------------------------------- -Mon Mar 13 18:01:06 CET 2006 - mc@suse.de - -- set BuildArchitectures to noarch -- set norootforbuild - -------------------------------------------------------------------- -Wed Jan 25 21:30:24 CET 2006 - mls@suse.de - -- converted neededforbuild to BuildRequires - -------------------------------------------------------------------- -Fri Nov 18 12:15:07 CET 2005 - mc@suse.de - -- update to version 1.4.3 -- fix tex for kadm5 documentation (krb5-1.4.3-kadm5-tex.dif) - -------------------------------------------------------------------- -Wed Oct 12 16:19:08 CEST 2005 - mc@suse.de - -- build kadm5 documentation -- build documentation also as html -- include the text only documentation - -------------------------------------------------------------------- -Tue Oct 11 17:40:26 CEST 2005 - mc@suse.de - -- update to version 1.4.2 -- remove some obsolet patches - -------------------------------------------------------------------- -Mon Jun 27 13:36:04 CEST 2005 - mc@suse.de - -- update to version 1.4.1 -- remove obsolet patches - - krb5-1.4-VUL-0-telnet.dif - 
-------------------------------------------------------------------- -Thu Feb 10 02:38:39 CET 2005 - ro@suse.de - -- added libpng to neededforbuild (for tetex) - -------------------------------------------------------------------- -Fri Feb 4 16:50:34 CET 2005 - mc@suse.de - -- remove spx.c from tarball because of legal risk -- add README.Source which tell the user about this - action. - -------------------------------------------------------------------- -Fri Jan 28 13:28:18 CET 2005 - mc@suse.de - -- update to version 1.4 - -------------------------------------------------------------------- -Mon Jan 10 12:20:11 CET 2005 - mc@suse.de - -- update to version 1.3.6 - -------------------------------------------------------------------- -Tue Dec 14 15:21:02 CET 2004 - mc@suse.de - -- initial release - diff --git a/krb5-doc.spec b/krb5-doc.spec deleted file mode 100644 index 958748b..0000000 --- a/krb5-doc.spec +++ /dev/null 
@@ -1,91 +0,0 @@ -# -# spec file for package krb5-doc -# -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. -# -# All modifications and additions to the file contributed by third parties -# remain the property of their copyright owners, unless otherwise agreed -# upon. The license for this file, and modifications and additions to the -# file, is the same license as for the pristine package itself (unless the -# license for the pristine package is not an Open Source License, in which -# case the license is the MIT License). An "Open Source License" is a -# license that conforms to the Open Source Definition (Version 1.9) -# published by the Open Source Initiative. - -# Please submit bugfixes or comments via http://bugs.opensuse.org/ -# - - -Name: krb5-doc -BuildRequires: ghostscript-library -BuildRequires: texinfo -BuildRequires: texlive-dvips -Version: 1.10.2 -Release: 0 -%define srcRoot krb5-1.10.2 -Summary: MIT Kerberos5 Implementation--Documentation -License: MIT -Group: Documentation/Other -Url: http://web.mit.edu/kerberos/www/ -Source: krb5-%{version}.tar.bz2 -Source3: %{name}-rpmlintrc -Patch0: krb5-1.3.5-perlfix.dif -BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildArch: noarch - -%description -Kerberos V5 is a trusted-third-party network authentication -system,which can improve your network's security by eliminating the -insecurepractice of clear text passwords. This package includes -extended documentation for MIT Kerberos. - - - -Authors: --------- - The MIT Kerberos Team - Sam Hartman - Ken Raeburn - Tom Yu - -%prep -%setup -n %{srcRoot} -%patch0 - -%build -sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex -sed -i -e '1c\ -\\documentclass{article}\ -\\usepackage{fixunder}\ -\\usepackage{functions}\ -\\usepackage{fancyheadings}\ -\\usepackage{hyperref}' doc/implement/implement.tex - -%install -cd doc -mkdir -p html -make -make implementor.ps -make -C api -make -C implement -mv *.html html/ -cd .. 
-find . -type f -name '*.ps' -exec gzip -9 {} \; -chmod 644 doc/man2ps -chmod 644 doc/krb5-protocol/draft-jaganathan-rc4-hmac-03.txt -# cleanup -rm -f %{buildroot}/usr/share/man/man1/tmac.doc* -rm -f /usr/share/man/man1/tmac.doc* -rm -rf /usr/lib/mit/share -rm -rf %{buildroot}/usr/lib/mit/share - -%clean -rm -rf %{buildroot} - -%files -%defattr(-,root,root) -%doc doc/*.ps.gz doc/api/*.ps.gz doc/implement/*.ps.gz -%doc doc/krb5-protocol doc/kadmin -%doc doc/html - -%changelog diff --git a/krb5-kvno-230379.patch b/krb5-kvno-230379.patch new file mode 100644 index 0000000..e4fed5f --- /dev/null +++ b/krb5-kvno-230379.patch 
@@ -0,0 +1,53 @@ +From patch attached to http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349, +at http://krbdev.mit.edu/rt/Ticket/Attachment/23851/13214/kvno.diff, adjusted +as needed to apply to 1.10. FIXME: I'd like to better handle cases where we +have a new key with the right version stored later in the keytab file. +Currently, we're setting up to overlook that possibility. + +Note that this only affects the path taken when krb5_rd_rep() is passed a +server principal name, as without a server principal name it already tries +all of the keys it finds in the keytab, regardless of version numbers. + +Index: krb5-1.11.1/src/kadmin/ktutil/ktutil.c +=================================================================== +--- krb5-1.11.1.orig/src/kadmin/ktutil/ktutil.c ++++ krb5-1.11.1/src/kadmin/ktutil/ktutil.c +@@ -140,7 +140,7 @@ void ktutil_add_entry(argc, argv) + char *princ = NULL; + char *enctype = NULL; + krb5_kvno kvno = 0; +- int use_pass = 0, use_key = 0, i; ++ int use_pass = 0, use_key = 0, use_kvno = 0, i; + + for (i = 1; i < argc; i++) { + if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) { +@@ -149,6 +149,7 @@ void ktutil_add_entry(argc, argv) + } + if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) { + kvno = (krb5_kvno) atoi(argv[++i]); ++ use_kvno++; + continue; + } + if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) { +@@ -165,7 +166,7 @@ void ktutil_add_entry(argc, argv) + } + } + +- if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) { ++ if (argc != 8 || !(princ && use_kvno && enctype) || (use_pass+use_key != 1)) { + fprintf(stderr, _("usage: %s (-key | -password) -p principal " + "-k kvno -e enctype\n"), argv[0]); + return; +Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c +=================================================================== +--- krb5-1.11.1.orig/src/lib/krb5/keytab/kt_file.c ++++ krb5-1.11.1/src/lib/krb5/keytab/kt_file.c +@@ -376,7 +376,7 @@ krb5_ktfile_get_entry(krb5_context conte + 
higher than that. Short-term workaround: only compare + the low 8 bits. */ + +- if (new_entry.vno == (kvno & 0xff)) { ++ if (new_entry.vno == (kvno & 0xff) || new_entry.vno == IGNORE_VNO) { + krb5_kt_free_entry(context, &cur_entry); + cur_entry = new_entry; + break; diff --git a/krb5-lookup_etypes-leak.patch b/krb5-lookup_etypes-leak.patch new file mode 100644 index 0000000..0345e12 --- /dev/null +++ b/krb5-lookup_etypes-leak.patch @@ -0,0 +1,42 @@ +Petr Spacek notes that when we walk the keytab in lookup_etypes_for_keytab(), +we don't free entries when we're finished examining them. Ensure that when +krb5_kt_next_entry() succeeds, we make sure to free the entry storage before we +exit the current loop iteration. (RT#7586) + +--- a/src/lib/krb5/krb/gic_keytab.c ++++ b/src/lib/krb5/krb/gic_keytab.c +@@ -110,9 +110,9 @@ lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab, + goto cleanup; + + if (!krb5_c_valid_enctype(entry.key.enctype)) +- continue; ++ goto next_entry; + if (!krb5_principal_compare(context, entry.principal, client)) +- continue; ++ goto next_entry; + /* Make sure our list is for the highest kvno found for client. */ + if (entry.vno > max_kvno) { + free(etypes); +@@ -120,11 +120,12 @@ lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab, + count = 0; + max_kvno = entry.vno; + } else if (entry.vno != max_kvno) +- continue; ++ goto next_entry; + + /* Leave room for the terminator and possibly a second entry. */ + p = realloc(etypes, (count + 3) * sizeof(*etypes)); + if (p == NULL) { ++ krb5_free_keytab_entry_contents(context, &entry); + ret = ENOMEM; + goto cleanup; + } +@@ -136,6 +137,8 @@ lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab, + entry.key.enctype == ENCTYPE_DES_CBC_MD4) + etypes[count++] = ENCTYPE_DES_CBC_CRC; + etypes[count] = 0; ++next_entry: ++ krb5_free_keytab_entry_contents(context, &entry); + } + + ret = 0; diff --git a/krb5-mini.changes b/krb5-mini.changes index 0bc981d..e87cc36 100644 
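Review bot: In the `ktutil_add_entry` hunks of krb5-kvno-230379.patch, switching the usage check from `kvno` to `use_kvno` means a `-k` value that is not a number is now accepted, because `atoi()` returns 0 for it and 0 was exactly what the old check rejected. The `kt_file.c` hunk then lets an entry whose `vno` equals `IGNORE_VNO` satisfy a lookup for any requested kvno, so a mistyped `-k` could write an entry that matches more widely than the operator intended (this assumes `IGNORE_VNO` is 0, which the hunk does not show). Parsing with `strtoul()` and checking the end pointer before setting `use_kvno` keeps an explicit `-k 0` working and sends anything else to the usage message. The unchanged `argv[++i]` in the same branch is also read without checking that another argument exists. Both functions continue outside the hunks, so the fall-through to the usage check should be confirmed against the full loop.

```c
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
    char *end;
    unsigned long v;

    /* No value after -k: leave use_kvno at 0 so the usage check fires. */
    if (i + 1 >= argc)
        break;
    v = strtoul(argv[++i], &end, 10);
    /* Reject empty or partly numeric input instead of storing kvno 0. */
    if (end == argv[i] || *end != '\0')
        break;
    kvno = (krb5_kvno) v;
    use_kvno++;
    continue;
}
/* … unchanged: -e handling and the rest of the option loop … */
```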
--- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Fri Mar 15 11:14:21 CET 2013 - mc@suse.de + +- update to version 1.11.1 + * Improve ASN.1 support code, making it table-driven for + decoding as well as encoding + * Refactor parts of KDC + * Documentation consolidation + * build docs in the main package + * bugfixing +- obsolets a lot of patches +- refactor some patches + ------------------------------------------------------------------- Wed Mar 6 12:01:32 CET 2013 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index a39612c..c08285d 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -17,7 +17,7 @@ %define build_mini 1 -%define srcRoot krb5-1.10.2 +%define srcRoot krb5-1.11.1 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -25,12 +25,13 @@ Name: krb5-mini Url: http://web.mit.edu/kerberos/www/ BuildRequires: autoconf BuildRequires: bison +BuildRequires: doxygen BuildRequires: keyutils BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.10.2 +Version: 1.11.1 Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT @@ -39,6 +40,10 @@ Group: Productivity/Networking/Security BuildRequires: libopenssl-devel BuildRequires: openldap2-devel BuildRequires: pam-devel +BuildRequires: python-Cheetah +BuildRequires: python-Sphinx +BuildRequires: python-libxml2 +BuildRequires: python-lxml %if 0%{?suse_version} >= 1210 BuildRequires: pkgconfig(systemd) %endif 
@@ -52,22 +57,21 @@ Source: krb5-%{version}.tar.bz2 Source1: vendor-files.tar.bz2 Source2: baselibs.conf Source5: krb5-rpmlintrc -Source10: krb5-1.8-manpaths.txt -Patch1: krb5-1.10-buildconf.patch -Patch3: krb5-1.9-manpaths.dif -Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif -Patch6: krb5-1.10-kpasswd_tcp.patch -Patch7: krb5-1.6.3-ktutil-manpage.dif -Patch10: krb5-1.7-doublelog.patch -Patch12: krb5-1.8-api.patch -Patch13: krb5-1.8-pam.patch -Patch18: krb5-1.9-kprop-mktemp.patch -Patch19: krb5-1.9-ksu-path.patch -Patch20: krb5-1.10-gcc47.patch -Patch21: krb5-1.10-selinux-label.patch -Patch22: krb5-1.10-spin-loop.patch -Patch23: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif -Patch24: bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif +Patch1: krb5-1.11-pam.patch +Patch2: krb5-1.9-manpaths.dif +Patch3: krb5-1.10-buildconf.patch +Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif +Patch5: krb5-1.10-kpasswd_tcp.patch +Patch6: krb5-1.6.3-ktutil-manpage.dif +Patch7: krb5-1.7-doublelog.patch +Patch8: krb5-1.8-api.patch +Patch9: krb5-1.9-kprop-mktemp.patch +Patch10: krb5-1.10-ksu-access.patch +Patch11: krb5-1.9-ksu-path.patch +Patch12: krb5-1.11-selinux-label.patch +Patch13: krb5-1.9-debuginfo.patch +Patch14: krb5-kvno-230379.patch +Patch15: krb5-lookup_etypes-leak.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq 
@@ -124,6 +128,16 @@ Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of cleartext passwords. This package includes a PKINIT plugin. +%package doc +Summary: MIT Kerberos5 Implementation--Documentation +Group: Documentation/Other + +%description doc +Kerberos V5 is a trusted-third-party network authentication +system,which can improve your network's security by eliminating the +insecurepractice of clear text passwords. This package includes +extended documentation for MIT Kerberos. + %endif #! build_mini %package devel @@ -150,27 +164,21 @@ Include Files for Development %prep %setup -q -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot} -%patch13 -p1 -%patch3 -p1 -%patch21 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 +%patch9 -p1 %patch10 -p1 +%patch11 -p1 %patch12 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -%patch22 -p1 -%patch23 -p1 -%patch24 -p1 -# Rename the man pages so that they'll get generated correctly. -pushd src -cat %{SOURCE10} | while read manpage ; do - mv "$manpage" "$manpage".in -done -popd +%patch13 -p0 +%patch14 -p1 +%patch15 -p1 %build # needs to be re-generated @@ -196,14 +204,19 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI --with-ldap \ --with-pam \ --enable-pkinit \ - --with-selinux \ %else --disable-pkinit \ --without-pam \ %endif --with-system-et \ --with-system-ss -make %{?jobs:-j%jobs} +make %{?jobs:-j%jobs} +%if ! 0%{?build_mini} +cd doc +make %{?jobs:-j%jobs} substhtml +cp -a html_subst ../../html +cd .. +%endif %install cd src 
@@ -279,8 +292,10 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos # cleanup rm -f %{buildroot}/usr/share/man/man1/tmac.doc* rm -f /usr/share/man/man1/tmac.doc* +#rm -rf /usr/lib/mit/share rm -rf %{buildroot}/usr/lib/mit/share/examples rm -rf %{buildroot}/usr/lib/mit/share/locale + ##################################################### # krb5(-mini) pre/post/postun ##################################################### @@ -356,13 +371,11 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_libdir}/libkrb5.so %{_libdir}/libkrb5support.so %{_libdir}/libverto.so -%{_libdir}/libverto-k5ev.so %{_includedir}/* /usr/lib/mit/bin/krb5-config /usr/lib/mit/sbin/krb5-send-pr /usr/lib/mit/share/gnats %{_mandir}/man1/krb5-send-pr.1* -%{_mandir}/man1/krb5-config.1* %{_datadir}/aclocal/ac_check_krb5.m4 %if %{build_mini} @@ -401,7 +414,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* %{_libdir}/libverto.so.* -%{_libdir}/libverto-k5ev.so.* %{_libdir}/krb5/plugins/kdb/* #/usr/lib/mit/sbin/* /usr/lib/mit/sbin/kadmin.local @@ -438,7 +450,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_mandir}/man1/kdestroy.1* %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* -%{_mandir}/man1/kerberos.1* %{_mandir}/man1/ksu.1* %{_mandir}/man1/sclient.1* %{_mandir}/man1/kadmin.1* @@ -474,7 +485,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* %{_libdir}/libverto.so.* -%{_libdir}/libverto-k5ev.so.* %files server %defattr(-,root,root) @@ -514,6 +524,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale /usr/lib/mit/sbin/uuserver %{_libdir}/krb5/plugins/kdb/db2.so %{_mandir}/man5/kdc.conf.5* +%{_mandir}/man5/kadm5.acl.5* %{_mandir}/man8/kadmind.8* %{_mandir}/man8/kadmin.local.8* %{_mandir}/man8/kpropd.8* 
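Review bot: The line added under `# cleanup` in `%install` (hunk `@@ -279,8 +292,10 @@`), `#rm -rf /usr/lib/mit/share`, is commented-out code naming a path on the build host rather than under `%{buildroot}`; it should be dropped so that nobody later re-enables a recursive delete outside the build root. The unchanged line just above it, `rm -f /usr/share/man/man1/tmac.doc*`, has the same problem and is live: the `%{buildroot}` form on the line before it already covers the packaged tree, so the host-path form can be removed. A spec file should only modify files below `%{buildroot}` and the build directory, otherwise the result depends on, and alters, the state of the build host. The identical hunk in krb5.spec needs the same change.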
@@ -549,7 +560,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_mandir}/man1/kdestroy.1* %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* -%{_mandir}/man1/kerberos.1* %{_mandir}/man1/kadmin.1* %{_mandir}/man1/ktutil.1* %{_mandir}/man1/k5srvutil.1* @@ -582,6 +592,11 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %dir %{_libdir}/krb5/plugins %dir %{_libdir}/krb5/plugins/preauth %{_libdir}/krb5/plugins/preauth/pkinit.so + +%files doc +%defattr(-,root,root) +%doc html doc/CHANGES doc/README + %endif #build_mini %changelog diff --git a/krb5.changes b/krb5.changes index 0bc981d..e87cc36 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Fri Mar 15 11:14:21 CET 2013 - mc@suse.de + +- update to version 1.11.1 + * Improve ASN.1 support code, making it table-driven for + decoding as well as encoding + * Refactor parts of KDC + * Documentation consolidation + * build docs in the main package + * bugfixing +- obsolets a lot of patches +- refactor some patches + ------------------------------------------------------------------- Wed Mar 6 12:01:32 CET 2013 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index c525292..a40561e 100644 --- a/krb5.spec +++ b/krb5.spec @@ -17,7 +17,7 @@ %define build_mini 0 -%define srcRoot krb5-1.10.2 +%define srcRoot krb5-1.11.1 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -25,12 +25,13 @@ Name: krb5 Url: http://web.mit.edu/kerberos/www/ BuildRequires: autoconf BuildRequires: bison +BuildRequires: doxygen BuildRequires: keyutils BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.10.2 +Version: 1.11.1 Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT 
@@ -39,6 +40,10 @@ Group: Productivity/Networking/Security BuildRequires: libopenssl-devel BuildRequires: openldap2-devel BuildRequires: pam-devel +BuildRequires: python-Cheetah +BuildRequires: python-Sphinx +BuildRequires: python-libxml2 +BuildRequires: python-lxml %if 0%{?suse_version} >= 1210 BuildRequires: pkgconfig(systemd) %endif @@ -52,22 +57,21 @@ Source: krb5-%{version}.tar.bz2 Source1: vendor-files.tar.bz2 Source2: baselibs.conf Source5: krb5-rpmlintrc -Source10: krb5-1.8-manpaths.txt -Patch1: krb5-1.10-buildconf.patch -Patch3: krb5-1.9-manpaths.dif -Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif -Patch6: krb5-1.10-kpasswd_tcp.patch -Patch7: krb5-1.6.3-ktutil-manpage.dif -Patch10: krb5-1.7-doublelog.patch -Patch12: krb5-1.8-api.patch -Patch13: krb5-1.8-pam.patch -Patch18: krb5-1.9-kprop-mktemp.patch -Patch19: krb5-1.9-ksu-path.patch -Patch20: krb5-1.10-gcc47.patch -Patch21: krb5-1.10-selinux-label.patch -Patch22: krb5-1.10-spin-loop.patch -Patch23: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif -Patch24: bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif +Patch1: krb5-1.11-pam.patch +Patch2: krb5-1.9-manpaths.dif +Patch3: krb5-1.10-buildconf.patch +Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif +Patch5: krb5-1.10-kpasswd_tcp.patch +Patch6: krb5-1.6.3-ktutil-manpage.dif +Patch7: krb5-1.7-doublelog.patch +Patch8: krb5-1.8-api.patch +Patch9: krb5-1.9-kprop-mktemp.patch +Patch10: krb5-1.10-ksu-access.patch +Patch11: krb5-1.9-ksu-path.patch +Patch12: krb5-1.11-selinux-label.patch +Patch13: krb5-1.9-debuginfo.patch +Patch14: krb5-kvno-230379.patch +Patch15: krb5-lookup_etypes-leak.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq 
@@ -124,6 +128,16 @@ Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of cleartext passwords. This package includes a PKINIT plugin. +%package doc +Summary: MIT Kerberos5 Implementation--Documentation +Group: Documentation/Other + +%description doc +Kerberos V5 is a trusted-third-party network authentication +system,which can improve your network's security by eliminating the +insecurepractice of clear text passwords. This package includes +extended documentation for MIT Kerberos. + %endif #! build_mini %package devel @@ -150,27 +164,21 @@ Include Files for Development %prep %setup -q -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot} -%patch13 -p1 -%patch3 -p1 -%patch21 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 +%patch9 -p1 %patch10 -p1 +%patch11 -p1 %patch12 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -%patch22 -p1 -%patch23 -p1 -%patch24 -p1 -# Rename the man pages so that they'll get generated correctly. -pushd src -cat %{SOURCE10} | while read manpage ; do - mv "$manpage" "$manpage".in -done -popd +%patch13 -p0 +%patch14 -p1 +%patch15 -p1 %build # needs to be re-generated @@ -196,14 +204,19 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI --with-ldap \ --with-pam \ --enable-pkinit \ - --with-selinux \ %else --disable-pkinit \ --without-pam \ %endif --with-system-et \ --with-system-ss -make %{?jobs:-j%jobs} +make %{?jobs:-j%jobs} +%if ! 0%{?build_mini} +cd doc +make %{?jobs:-j%jobs} substhtml +cp -a html_subst ../../html +cd .. +%endif %install cd src 
@@ -279,8 +292,10 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos # cleanup rm -f %{buildroot}/usr/share/man/man1/tmac.doc* rm -f /usr/share/man/man1/tmac.doc* +#rm -rf /usr/lib/mit/share rm -rf %{buildroot}/usr/lib/mit/share/examples rm -rf %{buildroot}/usr/lib/mit/share/locale + ##################################################### # krb5(-mini) pre/post/postun ##################################################### @@ -356,13 +371,11 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_libdir}/libkrb5.so %{_libdir}/libkrb5support.so %{_libdir}/libverto.so -%{_libdir}/libverto-k5ev.so %{_includedir}/* /usr/lib/mit/bin/krb5-config /usr/lib/mit/sbin/krb5-send-pr /usr/lib/mit/share/gnats %{_mandir}/man1/krb5-send-pr.1* -%{_mandir}/man1/krb5-config.1* %{_datadir}/aclocal/ac_check_krb5.m4 %if %{build_mini} @@ -401,7 +414,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* %{_libdir}/libverto.so.* -%{_libdir}/libverto-k5ev.so.* %{_libdir}/krb5/plugins/kdb/* #/usr/lib/mit/sbin/* /usr/lib/mit/sbin/kadmin.local @@ -438,7 +450,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_mandir}/man1/kdestroy.1* %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* -%{_mandir}/man1/kerberos.1* %{_mandir}/man1/ksu.1* %{_mandir}/man1/sclient.1* %{_mandir}/man1/kadmin.1* @@ -474,7 +485,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* %{_libdir}/libverto.so.* -%{_libdir}/libverto-k5ev.so.* %files server %defattr(-,root,root) @@ -514,6 +524,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale /usr/lib/mit/sbin/uuserver %{_libdir}/krb5/plugins/kdb/db2.so %{_mandir}/man5/kdc.conf.5* +%{_mandir}/man5/kadm5.acl.5* %{_mandir}/man8/kadmind.8* %{_mandir}/man8/kadmin.local.8* %{_mandir}/man8/kpropd.8* 
@@ -549,7 +560,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_mandir}/man1/kdestroy.1* %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* -%{_mandir}/man1/kerberos.1* %{_mandir}/man1/kadmin.1* %{_mandir}/man1/ktutil.1* %{_mandir}/man1/k5srvutil.1* @@ -582,6 +592,11 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %dir %{_libdir}/krb5/plugins %dir %{_libdir}/krb5/plugins/preauth %{_libdir}/krb5/plugins/preauth/pkinit.so + +%files doc +%defattr(-,root,root) +%doc html doc/CHANGES doc/README + %endif #build_mini %changelog From f4939a9fbacec9213c9c5772b07465d58f674ceb9c33f01c8b2e92c50b038a57 Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Fri, 22 Mar 2013 09:35:21 +0000 Subject: [PATCH 2/6] - fix path to executables in service files (bnc#810926) - fix path to executables in service files (bnc#810926) OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=91 --- krb5-mini.changes | 6 ++++++ krb5.changes | 6 ++++++ vendor-files.tar.bz2 | 4 ++-- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/krb5-mini.changes b/krb5-mini.changes index e87cc36..f3ade3b 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Mar 22 10:34:55 CET 2013 - mc@suse.de + +- fix path to executables in service files + (bnc#810926) + ------------------------------------------------------------------- Fri Mar 15 11:14:21 CET 2013 - mc@suse.de diff --git a/krb5.changes b/krb5.changes index e87cc36..f3ade3b 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Mar 22 10:34:55 CET 2013 - mc@suse.de + +- fix path to executables in service files + (bnc#810926) + ------------------------------------------------------------------- Fri Mar 15 11:14:21 CET 2013 - mc@suse.de diff --git a/vendor-files.tar.bz2 b/vendor-files.tar.bz2 index 38dad5b..ff7aff5 100644 --- a/vendor-files.tar.bz2 
+++ b/vendor-files.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:83ab335eb23de931f3ba4fcc855e03717e8932b88a690aa898742c6a2dca6f1c -size 183023 +oid sha256:9f64fdfe055a4f890b19dceff60fad2cce3483630d965128bf7ee97d118634d8 +size 183276 From c043de433575b3857b79d8f9c4070f0bbfed584d5da75e9f15781d05c52314b5 Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Wed, 27 Mar 2013 10:45:21 +0000 Subject: [PATCH 3/6] - enable selinux and set openssl as crypto implementation - enable selinux and set openssl as crypto implementation OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=92 --- krb5-mini.changes | 5 +++++ krb5-mini.spec | 2 ++ krb5.changes | 5 +++++ krb5.spec | 2 ++ 4 files changed, 14 insertions(+) diff --git a/krb5-mini.changes b/krb5-mini.changes index f3ade3b..04e29b2 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Mar 27 11:36:00 CET 2013 - mc@suse.de + +- enable selinux and set openssl as crypto implementation + ------------------------------------------------------------------- Fri Mar 22 10:34:55 CET 2013 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index c08285d..bf60786 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -204,10 +204,12 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI --with-ldap \ --with-pam \ --enable-pkinit \ + --with-pkinit-crypto-impl=openssl \ %else --disable-pkinit \ --without-pam \ %endif + --with-selinux \ --with-system-et \ --with-system-ss make %{?jobs:-j%jobs} diff --git a/krb5.changes b/krb5.changes index f3ade3b..04e29b2 100644 --- a/krb5.changes +++ b/krb5.changes 
@@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Mar 27 11:36:00 CET 2013 - mc@suse.de + +- enable selinux and set openssl as crypto implementation + ------------------------------------------------------------------- Fri Mar 22 10:34:55 CET 2013 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index a40561e..bf17262 100644 --- a/krb5.spec +++ b/krb5.spec @@ -204,10 +204,12 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI --with-ldap \ --with-pam \ --enable-pkinit \ + --with-pkinit-crypto-impl=openssl \ %else --disable-pkinit \ --without-pam \ %endif + --with-selinux \ --with-system-et \ --with-system-ss make %{?jobs:-j%jobs} From 729292e4728b1b2284dd0c12af69b46f940e420c14d6aa6891e647f3cff8cf03 Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Tue, 2 Apr 2013 09:44:14 +0000 Subject: [PATCH 4/6] better changelog OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=93 --- krb5-mini.changes | 14 ++++++++++++-- krb5.changes | 14 ++++++++++++-- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/krb5-mini.changes b/krb5-mini.changes index 04e29b2..e41b807 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -19,8 +19,18 @@ Fri Mar 15 11:14:21 CET 2013 - mc@suse.de * Documentation consolidation * build docs in the main package * bugfixing -- obsolets a lot of patches -- refactor some patches +- changes of patches: + * bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif: + upstream + * bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif: + upstream + * krb5-1.10-gcc47.patch: upstream + * krb5-1.10-selinux-label.patch replaced by + krb5-1.11-selinux-label.patch + * krb5-1.10-spin-loop.patch: upstream + * krb5-1.3.5-perlfix.dif: the tool was removed from upstream + * krb5-1.8-pam.patch replaced by + krb5-1.11-pam.patch ------------------------------------------------------------------- Wed Mar 6 12:01:32 CET 2013 - mc@suse.de 
diff --git a/krb5.changes b/krb5.changes index 04e29b2..e41b807 100644 --- a/krb5.changes +++ b/krb5.changes @@ -19,8 +19,18 @@ Fri Mar 15 11:14:21 CET 2013 - mc@suse.de * Documentation consolidation * build docs in the main package * bugfixing -- obsolets a lot of patches -- refactor some patches +- changes of patches: + * bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif: + upstream + * bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif: + upstream + * krb5-1.10-gcc47.patch: upstream + * krb5-1.10-selinux-label.patch replaced by + krb5-1.11-selinux-label.patch + * krb5-1.10-spin-loop.patch: upstream + * krb5-1.3.5-perlfix.dif: the tool was removed from upstream + * krb5-1.8-pam.patch replaced by + krb5-1.11-pam.patch ------------------------------------------------------------------- Wed Mar 6 12:01:32 CET 2013 - mc@suse.de From 91ad28ede3e3f7c2e4ce824fc29b2d96df144a46471adfb861c8d6534211aecd Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Tue, 2 Apr 2013 15:33:04 +0000 Subject: [PATCH 5/6] - add conflicts between krb5-mini and krb5 and krb5-client - add conflicts between krb5-mini and krb5 and krb5-client OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=94 --- krb5-mini.changes | 5 +++++ krb5-mini.spec | 6 +++++- krb5.changes | 5 +++++ krb5.spec | 6 +++++- 4 files changed, 20 insertions(+), 2 deletions(-) diff --git a/krb5-mini.changes b/krb5-mini.changes index e41b807..49f3577 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Apr 2 17:32:08 CEST 2013 - mc@suse.de + +- add conflicts between krb5-mini and krb5 and krb5-client + ------------------------------------------------------------------- Wed Mar 27 11:36:00 CET 2013 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index bf60786..0ac013f 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec 
@@ -51,7 +51,10 @@ BuildRequires: pkgconfig(systemd) %ifarch ppc64 Obsoletes: krb5-64bit %endif -# +Conflicts: krb5-mini +%else # -mini +Conflicts: krb5 +Conflicts: krb5-client %endif Source: krb5-%{version}.tar.bz2 Source1: vendor-files.tar.bz2 @@ -84,6 +87,7 @@ practice of clear text passwords. %if ! %{build_mini} %package client +Conflicts: krb5-mini Summary: MIT Kerberos5 implementation - client programs Group: Productivity/Networking/Security diff --git a/krb5.changes b/krb5.changes index e41b807..49f3577 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Apr 2 17:32:08 CEST 2013 - mc@suse.de + +- add conflicts between krb5-mini and krb5 and krb5-client + ------------------------------------------------------------------- Wed Mar 27 11:36:00 CET 2013 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index bf17262..708846b 100644 --- a/krb5.spec +++ b/krb5.spec @@ -51,7 +51,10 @@ BuildRequires: pkgconfig(systemd) %ifarch ppc64 Obsoletes: krb5-64bit %endif -# +Conflicts: krb5-mini +%else # -mini +Conflicts: krb5 +Conflicts: krb5-client %endif Source: krb5-%{version}.tar.bz2 Source1: vendor-files.tar.bz2 @@ -84,6 +87,7 @@ practice of clear text passwords. %if ! %{build_mini} %package client +Conflicts: krb5-mini Summary: MIT Kerberos5 implementation - client programs Group: Productivity/Networking/Security From fe67473a6daf6485bad2df3dee1a93fc7fc43951491ed9381be905c8e663dfad Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Thu, 4 Apr 2013 13:10:58 +0000 Subject: [PATCH 6/6] - add conflicts between krb5-mini-devel and krb5-devel - add conflicts between krb5-mini-devel and krb5-devel OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=95 --- krb5-mini.changes | 5 +++++ krb5-mini.spec | 3 +++ krb5.changes | 5 +++++ krb5.spec | 3 +++ 4 files changed, 16 insertions(+) diff --git a/krb5-mini.changes b/krb5-mini.changes index 49f3577..a208a62 100644 
--- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Apr 4 15:10:19 CEST 2013 - mc@suse.de + +- add conflicts between krb5-mini-devel and krb5-devel + ------------------------------------------------------------------- Tue Apr 2 17:32:08 CEST 2013 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index 0ac013f..9385677 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -156,6 +156,9 @@ Obsoletes: krb5-devel-64bit %endif %if %{build_mini} Provides: krb5-devel = %{version} +Conflicts: krb5-devel +%else +Conflicts: krb5-mini-devel %endif # diff --git a/krb5.changes b/krb5.changes index 49f3577..a208a62 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Apr 4 15:10:19 CEST 2013 - mc@suse.de + +- add conflicts between krb5-mini-devel and krb5-devel + ------------------------------------------------------------------- Tue Apr 2 17:32:08 CEST 2013 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index 708846b..5769936 100644 --- a/krb5.spec +++ b/krb5.spec @@ -156,6 +156,9 @@ Obsoletes: krb5-devel-64bit %endif %if %{build_mini} Provides: krb5-devel = %{version} +Conflicts: krb5-devel +%else +Conflicts: krb5-mini-devel %endif #