From 6c03664bc8605ec644ca48e914b8fc94877dedb9d32a245e404e433a3a0aaf38 Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Thu, 4 Mar 2010 10:58:13 +0000 Subject: [PATCH 1/6] - update to version 1.8 - update to version 1.8 * Increase code quality * Move toward improved KDB interface * Investigate and remedy repeatedly-reported performance bottlenecks. * Reduce DNS dependence by implementing an interface that allows client library to track whether a KDC supports service principal referrals. * Disable DES by default * Account lockout for repeated login failures * Bridge layer to allow Heimdal HDB modules to act as KDB backend modules * FAST enhancements * Microsoft Services for User (S4U) compatibility * Anonymous PKINIT - fix KDC denial of service CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781) CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) - moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl - update to version 1.8 * Increase code quality * Move toward improved KDB interface * Investigate and remedy repeatedly-reported performance bottlenecks. * Reduce DNS dependence by implementing an interface that allows client library to track whether a KDC supports service principal referrals. * Disable DES by default * Account lockout for repeated login failures * Bridge layer to allow Heimdal HDB modules to act as KDB backend modules * FAST enhancements * Microsoft Services for User (S4U) compatibility * Anonymous PKINIT - fix KDC denial of service CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781) CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) - moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=11 --- krb5-doc.spec | 3 ++- krb5-mini.changes | 5 ----- krb5-mini.spec | 6 +++--- krb5.changes | 5 ----- krb5.spec | 4 ++-- 5 files changed, 7 insertions(+), 16 deletions(-) diff --git a/krb5-doc.spec b/krb5-doc.spec index ea6ce01..1095545 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -1,6 +1,7 @@ # # spec file for package krb5-doc (Version 1.8) # +# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties @@ -21,7 +22,7 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive Version: 1.8 -Release: 1 +Release: 6 %define srcRoot krb5-1.8 Summary: MIT Kerberos5 Implementation--Documentation License: MIT License (or similar) diff --git a/krb5-mini.changes b/krb5-mini.changes index 58bfdc3..8c77179 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -24,11 +24,6 @@ Thu Mar 4 10:42:29 CET 2010 - mc@suse.de CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) - moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl -------------------------------------------------------------------- -Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de - -- add baselibs.conf as a source - ------------------------------------------------------------------- Fri Nov 13 16:51:37 CET 2009 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index fe27dc3..8e1675b 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -1,6 +1,7 @@ # -# spec file for package krb5-mini (Version 1.8) +# spec file for package krb5 (Version 1.8) # +# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties @@ -28,7 +29,7 @@ Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel Version: 1.8 -Release: 1 +Release: 6 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel # bug437293 @@ -44,7 +45,6 @@ Group: Productivity/Networking/Security %endif Source: krb5-1.8.tar.bz2 Source1: vendor-files.tar.bz2 -Source2: baselibs.conf Source5: krb5-%{version}-rpmlintrc Source10: krb5-1.7-manpaths.txt Patch2: krb5-1.6.1-compile_pie.dif diff --git a/krb5.changes b/krb5.changes index 58bfdc3..8c77179 100644 --- a/krb5.changes +++ b/krb5.changes @@ -24,11 +24,6 @@ Thu Mar 4 10:42:29 CET 2010 - mc@suse.de CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) - moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl -------------------------------------------------------------------- -Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de - -- add baselibs.conf as a source - ------------------------------------------------------------------- Fri Nov 13 16:51:37 CET 2009 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index 38bed32..298f286 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1,6 +1,7 @@ # # spec file for package krb5 (Version 1.8) # +# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties @@ -28,7 +29,7 @@ Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel Version: 1.8 -Release: 1 +Release: 6 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel # bug437293 @@ -44,7 +45,6 @@ Group: Productivity/Networking/Security %endif Source: krb5-1.8.tar.bz2 Source1: vendor-files.tar.bz2 -Source2: baselibs.conf Source5: krb5-%{version}-rpmlintrc Source10: krb5-1.7-manpaths.txt Patch2: krb5-1.6.1-compile_pie.dif From 2e036bfdfd2b4d8b083bfc6e7c7efcdf45d4aaabdba68ecdc3a456f88eec74b5 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Fri, 5 Mar 2010 01:10:03 +0000 Subject: [PATCH 2/6] Accepting request 33933 from network checked in (request 33933) OBS-URL: https://build.opensuse.org/request/show/33933 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=12 --- README.Source | 9 + krb5-1.4.3-enospc.dif | 38 +- krb5-1.5.1-fix-ftp-var-used-uninitialized.dif | 13 + krb5-1.5.1-fix-var-used-before-value-set.dif | 10 + krb5-1.6.1-compile_pie.dif | 2 +- krb5-1.6.3-fix-ipv6-query.dif | 54 +-- krb5-1.6.3-kpasswd_tcp.patch | 53 +-- krb5-1.6.3-kprop-use-mkstemp.dif | 28 +- krb5-1.7-MITKRB5-SA-2009-003.dif | 27 ++ krb5-1.7-MITKRB5-SA-2009-004.dif | 377 ++++++++++++++++++ krb5-1.7-manpaths.dif | 108 +++-- krb5-1.7-manpaths.txt | 11 + krb5-1.8-rpmlintrc => krb5-1.7-rpmlintrc | 0 krb5-1.7.tar.bz2 | 3 + krb5-1.8.tar.bz2 | 3 - ...oc-1.8-rpmlintrc => krb5-doc-1.7-rpmlintrc | 0 krb5-doc.changes | 5 - krb5-doc.spec | 12 +- krb5-mini.changes | 29 +- krb5-mini.spec | 170 ++++++-- krb5.changes | 29 +- krb5.spec | 170 ++++++-- ready | 0 spx.c | 50 +++ vendor-files.tar.bz2 | 4 +- 25 files changed, 987 insertions(+), 218 deletions(-) create mode 100644 README.Source create mode 100644 krb5-1.5.1-fix-ftp-var-used-uninitialized.dif create mode 100644 krb5-1.5.1-fix-var-used-before-value-set.dif create mode 100644 krb5-1.7-MITKRB5-SA-2009-003.dif create mode 100644 krb5-1.7-MITKRB5-SA-2009-004.dif rename krb5-1.8-rpmlintrc => krb5-1.7-rpmlintrc (100%) create mode 100644 krb5-1.7.tar.bz2 delete mode 100644 krb5-1.8.tar.bz2 rename krb5-doc-1.8-rpmlintrc => krb5-doc-1.7-rpmlintrc (100%) create mode 100644 ready create mode 100644 spx.c diff --git a/README.Source b/README.Source new file mode 100644 index 0000000..9bf6da7 --- /dev/null +++ b/README.Source @@ -0,0 +1,9 @@ +Because of potential legal risk we have removed the +file "src/appl/telnet/libtelnet/spx.c" from the +source tarball. + +If you want to see the original sources you can download +them from + + http://web.mit.edu/kerberos/www/ . + diff --git a/krb5-1.4.3-enospc.dif b/krb5-1.4.3-enospc.dif index 0a0d9ce..69c6328 100644 --- a/krb5-1.4.3-enospc.dif +++ b/krb5-1.4.3-enospc.dif @@ -1,24 +1,24 @@ If the error message is going to be ambiguous, try to give the user some clue by returning the last error reported by the OS. -Index: krb5-1.8-alpha1/src/clients/kinit/kinit.c +Index: krb5-1.7/src/clients/kinit/kinit.c =================================================================== ---- krb5-1.8-alpha1.orig/src/clients/kinit/kinit.c -+++ krb5-1.8-alpha1/src/clients/kinit/kinit.c -@@ -712,8 +712,14 @@ k5_kinit(opts, k5) - code = krb5_cc_initialize(k5->ctx, k5->cc, opts->canonicalize ? - my_creds.client : k5->me); - if (code) { -- com_err(progname, code, "when initializing cache %s", -- opts->k5_cache_name?opts->k5_cache_name:""); -+ if ((code == KRB5_CC_IO) && (errno != 0)) { -+ com_err(progname, code, "when initializing cache %s: %s", -+ opts->k5_cache_name?opts->k5_cache_name:"", -+ strerror(errno)); -+ } else { -+ com_err(progname, code, "when initializing cache %s", -+ opts->k5_cache_name?opts->k5_cache_name:""); -+ } - goto cleanup; - } +--- krb5-1.7.orig/src/clients/kinit/kinit.c ++++ krb5-1.7/src/clients/kinit/kinit.c +@@ -670,8 +670,14 @@ k5_kinit(opts, k5) + code = krb5_cc_initialize(k5->ctx, k5->cc, + opts->canonicalize ? my_creds.client : k5->me); + if (code) { +- com_err(progname, code, "when initializing cache %s", +- opts->k5_cache_name?opts->k5_cache_name:""); ++ if ((code == KRB5_CC_IO) && (errno != 0)) { ++ com_err(progname, code, "when initializing cache %s: %s", ++ opts->k5_cache_name?opts->k5_cache_name:"", ++ strerror(errno)); ++ } else { ++ com_err(progname, code, "when initializing cache %s", ++ opts->k5_cache_name?opts->k5_cache_name:""); ++ } + goto cleanup; + } diff --git a/krb5-1.5.1-fix-ftp-var-used-uninitialized.dif b/krb5-1.5.1-fix-ftp-var-used-uninitialized.dif new file mode 100644 index 0000000..ad5f8c9 --- /dev/null +++ b/krb5-1.5.1-fix-ftp-var-used-uninitialized.dif @@ -0,0 +1,13 @@ +Index: src/appl/gssftp/ftp/ftp.c +=================================================================== +--- src/appl/gssftp/ftp/ftp.c.orig ++++ src/appl/gssftp/ftp/ftp.c +@@ -1912,7 +1912,7 @@ int do_auth() + + #ifdef GSSAPI + if (command("AUTH %s", "GSSAPI") == CONTINUE) { +- OM_uint32 maj_stat, min_stat, dummy_stat; ++ OM_uint32 maj_stat = GSS_S_FAILURE , min_stat, dummy_stat; + gss_name_t target_name; + gss_buffer_desc send_tok, recv_tok, *token_ptr; + char stbuf[FTP_BUFSIZ]; diff --git a/krb5-1.5.1-fix-var-used-before-value-set.dif b/krb5-1.5.1-fix-var-used-before-value-set.dif new file mode 100644 index 0000000..cfa5930 --- /dev/null +++ b/krb5-1.5.1-fix-var-used-before-value-set.dif @@ -0,0 +1,10 @@ +--- src/appl/telnet/telnetd/utility.c ++++ src/appl/telnet/telnetd/utility.c 2006/11/06 10:34:09 +@@ -127,6 +127,7 @@ + } + tv.tv_sec = 1; + tv.tv_usec = 0; ++ FD_ZERO(&fds); + FD_SET(net, &fds); + + while (select(net + 1, &fds, NULL, NULL, &tv) == 1) diff --git a/krb5-1.6.1-compile_pie.dif b/krb5-1.6.1-compile_pie.dif index 08e14fc..8a0d66f 100644 --- a/krb5-1.6.1-compile_pie.dif +++ b/krb5-1.6.1-compile_pie.dif @@ -15,7 +15,7 @@ Index: src/config/shlib.conf =================================================================== --- src/config/shlib.conf.orig +++ src/config/shlib.conf -@@ -419,7 +419,8 @@ mips-*-netbsd*) +@@ -420,7 +420,8 @@ mips-*-netbsd*) PROFFLAGS=-pg RPATH_FLAG='-Wl,-rpath -Wl,' PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' diff --git a/krb5-1.6.3-fix-ipv6-query.dif b/krb5-1.6.3-fix-ipv6-query.dif index 4ba81b8..4220f2e 100644 --- a/krb5-1.6.3-fix-ipv6-query.dif +++ b/krb5-1.6.3-fix-ipv6-query.dif @@ -1,9 +1,9 @@ -Index: krb5-1.8-alpha1/src/lib/krb5/os/hostaddr.c +Index: trunk/src/lib/krb5/os/hostaddr.c =================================================================== ---- krb5-1.8-alpha1.orig/src/lib/krb5/os/hostaddr.c -+++ krb5-1.8-alpha1/src/lib/krb5/os/hostaddr.c -@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c - return KRB5_ERR_BAD_HOSTNAME; +--- trunk.orig/src/lib/krb5/os/hostaddr.c ++++ trunk/src/lib/krb5/os/hostaddr.c +@@ -43,7 +43,7 @@ krb5_os_hostaddr(krb5_context context, c + return KRB5_ERR_BAD_HOSTNAME; memset (&hints, 0, sizeof (hints)); - hints.ai_flags = AI_NUMERICHOST; @@ -11,11 +11,11 @@ Index: krb5-1.8-alpha1/src/lib/krb5/os/hostaddr.c /* We don't care what kind at this point, really, but without this, we can get back multiple sockaddrs per address, for SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if -Index: krb5-1.8-alpha1/src/lib/krb5/os/hst_realm.c +Index: trunk/src/lib/krb5/os/hst_realm.c =================================================================== ---- krb5-1.8-alpha1.orig/src/lib/krb5/os/hst_realm.c -+++ krb5-1.8-alpha1/src/lib/krb5/os/hst_realm.c -@@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz +--- trunk.orig/src/lib/krb5/os/hst_realm.c ++++ trunk/src/lib/krb5/os/hst_realm.c +@@ -171,7 +171,7 @@ krb5int_get_fq_hostname (char *buf, size int err; memset (&hints, 0, sizeof (hints)); @@ -23,12 +23,12 @@ Index: krb5-1.8-alpha1/src/lib/krb5/os/hst_realm.c + hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; err = getaddrinfo (name, 0, &hints, &ai); if (err) - return krb5int_translate_gai_error (err); -Index: krb5-1.8-alpha1/src/lib/krb5/os/locate_kdc.c + return krb5int_translate_gai_error (err); +Index: trunk/src/lib/krb5/os/locate_kdc.c =================================================================== ---- krb5-1.8-alpha1.orig/src/lib/krb5/os/locate_kdc.c -+++ krb5-1.8-alpha1/src/lib/krb5/os/locate_kdc.c -@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis +--- trunk.orig/src/lib/krb5/os/locate_kdc.c ++++ trunk/src/lib/krb5/os/locate_kdc.c +@@ -254,8 +254,9 @@ krb5int_add_host_to_list (struct addrlis memset(&hint, 0, sizeof(hint)); hint.ai_family = family; hint.ai_socktype = socktype; @@ -37,18 +37,18 @@ Index: krb5-1.8-alpha1/src/lib/krb5/os/locate_kdc.c - hint.ai_flags = AI_NUMERICSERV; + hint.ai_flags |= AI_NUMERICSERV; #endif - result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)); - if (SNPRINTF_OVERFLOW(result, sizeof(portbuf))) -Index: krb5-1.8-alpha1/src/lib/krb5/os/sn2princ.c + if (snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)) >= sizeof(portbuf)) + /* XXX */ +Index: trunk/src/lib/krb5/os/sn2princ.c =================================================================== ---- krb5-1.8-alpha1.orig/src/lib/krb5/os/sn2princ.c -+++ krb5-1.8-alpha1/src/lib/krb5/os/sn2princ.c -@@ -108,7 +108,7 @@ krb5_sname_to_principal(krb5_context con +--- trunk.orig/src/lib/krb5/os/sn2princ.c ++++ trunk/src/lib/krb5/os/sn2princ.c +@@ -107,7 +107,7 @@ krb5_sname_to_principal(krb5_context con - memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_INET; -- hints.ai_flags = AI_CANONNAME; -+ hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG; - try_getaddrinfo_again: - err = getaddrinfo(hostname, 0, &hints, &ai); - if (err) { + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_INET; +- hints.ai_flags = AI_CANONNAME; ++ hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG; + try_getaddrinfo_again: + err = getaddrinfo(hostname, 0, &hints, &ai); + if (err) { diff --git a/krb5-1.6.3-kpasswd_tcp.patch b/krb5-1.6.3-kpasswd_tcp.patch index 360149f..757b3f6 100644 --- a/krb5-1.6.3-kpasswd_tcp.patch +++ b/krb5-1.6.3-kpasswd_tcp.patch @@ -5,30 +5,31 @@ Index: src/lib/krb5/os/changepw.c =================================================================== --- src/lib/krb5/os/changepw.c.orig +++ src/lib/krb5/os/changepw.c -@@ -271,10 +271,22 @@ change_set_password(krb5_context context - NULL - ))) { - -- /* -- * Here we may want to switch to TCP on some errors. -- * right? -- */ -+ /* if we're not using a stream socket, and it's an error which -+ * might reasonably be specific to a datagram "connection", try -+ * again with a stream socket */ -+ if (!useTcp) { -+ switch (code) { -+ case KRB5_KDC_UNREACH: -+ case KRB5_REALM_CANT_RESOLVE: -+ case KRB5KRB_ERR_RESPONSE_TOO_BIG: -+ /* should we do this for more result codes than these? */ -+ krb5int_free_addrlist (&al); -+ useTcp = 1; -+ continue; -+ default: -+ break; -+ } -+ } - break; - } +@@ -261,11 +261,22 @@ krb5_change_set_password(krb5_context co + NULL, + NULL + ))) { +- +- /* +- * Here we may want to switch to TCP on some errors. +- * right? +- */ ++ /* if we're not using a stream socket, and it's an error which ++ * might reasonably be specific to a datagram "connection", try ++ * again with a stream socket */ ++ if (!useTcp) { ++ switch (code) { ++ case KRB5_KDC_UNREACH: ++ case KRB5_REALM_CANT_RESOLVE: ++ case KRB5KRB_ERR_RESPONSE_TOO_BIG: ++ /* should we do this for more result codes than these? */ ++ krb5int_free_addrlist (&al); ++ useTcp = 1; ++ continue; ++ default: ++ break; ++ } ++ } + break; + } diff --git a/krb5-1.6.3-kprop-use-mkstemp.dif b/krb5-1.6.3-kprop-use-mkstemp.dif index 9ea2577..2277883 100644 --- a/krb5-1.6.3-kprop-use-mkstemp.dif +++ b/krb5-1.6.3-kprop-use-mkstemp.dif @@ -2,18 +2,18 @@ Index: src/slave/kprop.c =================================================================== --- src/slave/kprop.c.orig +++ src/slave/kprop.c -@@ -206,6 +206,7 @@ void get_tickets(context) - krb5_error_code retval; - static char tkstring[] = "/tmp/kproptktXXXXXX"; - krb5_keytab keytab = NULL; -+ int ret = 0; +@@ -215,6 +215,7 @@ void get_tickets(context) + krb5_error_code retval; + static char tkstring[] = "/tmp/kproptktXXXXXX"; + krb5_keytab keytab = NULL; ++ int ret = 0; - /* - * Figure out what tickets we'll be using to send stuff -@@ -231,7 +232,15 @@ void get_tickets(context) - /* - * Initialize cache file which we're going to be using - */ + /* + * Figure out what tickets we'll be using to send stuff +@@ -240,7 +241,15 @@ void get_tickets(context) + /* + * Initialize cache file which we're going to be using + */ +#ifdef HAVE_MKSTEMP + ret = mkstemp(tkstring); + if (ret == -1) { @@ -21,8 +21,8 @@ Index: src/slave/kprop.c + exit(1); + } else close(ret); +#else - (void) mktemp(tkstring); + (void) mktemp(tkstring); +#endif - snprintf(buf, sizeof(buf), "FILE:%s", tkstring); + snprintf(buf, sizeof(buf), "FILE:%s", tkstring); - retval = krb5_cc_resolve(context, buf, &ccache); + retval = krb5_cc_resolve(context, buf, &ccache); diff --git a/krb5-1.7-MITKRB5-SA-2009-003.dif b/krb5-1.7-MITKRB5-SA-2009-003.dif new file mode 100644 index 0000000..c3d0d1a --- /dev/null +++ b/krb5-1.7-MITKRB5-SA-2009-003.dif @@ -0,0 +1,27 @@ +Index: krb5-1.7/src/kdc/do_tgs_req.c +=================================================================== +--- krb5-1.7.orig/src/kdc/do_tgs_req.c ++++ krb5-1.7/src/kdc/do_tgs_req.c +@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request + free(temp_buf); + if (retval) { + /* no match found */ +- kdc_err(kdc_context, retval, 0); ++ kdc_err(kdc_context, retval, "unable to find realm of host"); + goto cleanup; + } + if (realms == 0) { +Index: krb5-1.7/src/lib/kadm5/logger.c +=================================================================== +--- krb5-1.7.orig/src/lib/kadm5/logger.c ++++ krb5-1.7/src/lib/kadm5/logger.c +@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, lo + char *cp; + char *syslogp; + ++ if (whoami == NULL || format == NULL) ++ return; ++ + /* Make the header */ + snprintf(outbuf, sizeof(outbuf), "%s: ", whoami); + /* diff --git a/krb5-1.7-MITKRB5-SA-2009-004.dif b/krb5-1.7-MITKRB5-SA-2009-004.dif new file mode 100644 index 0000000..67c5738 --- /dev/null +++ b/krb5-1.7-MITKRB5-SA-2009-004.dif @@ -0,0 +1,377 @@ +Index: krb5-1.7/src/lib/crypto/Makefile.in +=================================================================== +--- krb5-1.7.orig/src/lib/crypto/Makefile.in ++++ krb5-1.7/src/lib/crypto/Makefile.in +@@ -18,6 +18,7 @@ EXTRADEPSRCS=\ + $(srcdir)/t_nfold.c \ + $(srcdir)/t_cf2.c \ + $(srcdir)/t_encrypt.c \ ++ $(srcdir)/t_short.c \ + $(srcdir)/t_prf.c \ + $(srcdir)/t_prng.c \ + $(srcdir)/t_hmac.c \ +@@ -206,7 +207,7 @@ libcrypto.lib: + + clean-unix:: clean-liblinks clean-libs clean-libobjs + +-check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 ++check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 t_short + $(RUN_SETUP) $(VALGRIND) ./t_nfold + $(RUN_SETUP) $(VALGRIND) ./t_encrypt + $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \ +@@ -216,6 +217,7 @@ check-unix:: t_nfold t_encrypt t_prf t_p + diff t_prf.output $(srcdir)/t_prf.expected + $(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output + diff t_cf2.output $(srcdir)/t_cf2.expected ++ $(RUN_SETUP) $(VALGRIND) ./t_short + + + # $(RUN_SETUP) $(VALGRIND) ./t_pkcs5 +@@ -249,10 +251,14 @@ t_cts$(EXEEXT): t_cts.$(OBJEXT) $(CRYPTO + $(CC_LINK) -o $@ t_cts.$(OBJEXT) \ + $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) + ++t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB) ++ $(CC_LINK) -o $@ t_short.$(OBJEXT) \ ++ $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) + + clean:: + $(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \ +- t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o t_cf2 t_cf2.o ++ t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \ ++ t_cf2 t_cf2.o t_short t_short.o + -$(RM) t_prng.output + + all-windows:: +Index: krb5-1.7/src/lib/crypto/arcfour/arcfour.c +=================================================================== +--- krb5-1.7.orig/src/lib/crypto/arcfour/arcfour.c ++++ krb5-1.7/src/lib/crypto/arcfour/arcfour.c +@@ -199,6 +199,12 @@ krb5_arcfour_decrypt(const struct krb5_e + keylength = enc->keylength; + hashsize = hash->hashsize; + ++ /* Verify input and output lengths. */ ++ if (input->length < hashsize + CONFOUNDERLENGTH) ++ return KRB5_BAD_MSIZE; ++ if (output->length < input->length - hashsize - CONFOUNDERLENGTH) ++ return KRB5_BAD_MSIZE; ++ + d1.length=keybytes; + d1.data=malloc(d1.length); + if (d1.data == NULL) +Index: krb5-1.7/src/lib/crypto/enc_provider/aes.c +=================================================================== +--- krb5-1.7.orig/src/lib/crypto/enc_provider/aes.c ++++ krb5-1.7/src/lib/crypto/enc_provider/aes.c +@@ -105,9 +105,11 @@ krb5int_aes_encrypt(const krb5_keyblock + nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE; + + if (nblocks == 1) { +- /* XXX Used for DK function. */ ++ /* Used when deriving keys. */ ++ if (input->length < BLOCK_SIZE) ++ return KRB5_BAD_MSIZE; + enc(output->data, input->data, &ctx); +- } else { ++ } else if (nblocks > 1) { + unsigned int nleft; + + for (blockno = 0; blockno < nblocks - 2; blockno++) { +@@ -160,9 +162,9 @@ krb5int_aes_decrypt(const krb5_keyblock + + if (nblocks == 1) { + if (input->length < BLOCK_SIZE) +- abort(); ++ return KRB5_BAD_MSIZE; + dec(output->data, input->data, &ctx); +- } else { ++ } else if (nblocks > 1) { + + for (blockno = 0; blockno < nblocks - 2; blockno++) { + dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx); +@@ -208,6 +210,7 @@ krb5int_aes_encrypt_iov(const krb5_keybl + char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE]; + int nblocks = 0, blockno; + size_t input_length, i; ++ struct iov_block_state input_pos, output_pos; + + if (aes_enc_key(key->contents, key->length, &ctx) != aes_good) + abort(); +@@ -224,17 +227,19 @@ krb5int_aes_encrypt_iov(const krb5_keybl + input_length += iov->data.length; + } + +- nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; +- +- assert(nblocks > 1); ++ IOV_BLOCK_STATE_INIT(&input_pos); ++ IOV_BLOCK_STATE_INIT(&output_pos); + +- { ++ nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; ++ if (nblocks == 1) { ++ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE, ++ data, num_data, &input_pos); ++ enc(tmp2, tmp, &ctx); ++ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, ++ BLOCK_SIZE, &output_pos); ++ } else if (nblocks > 1) { + char blockN2[BLOCK_SIZE]; /* second last */ + char blockN1[BLOCK_SIZE]; /* last block */ +- struct iov_block_state input_pos, output_pos; +- +- IOV_BLOCK_STATE_INIT(&input_pos); +- IOV_BLOCK_STATE_INIT(&output_pos); + + for (blockno = 0; blockno < nblocks - 2; blockno++) { + char blockN[BLOCK_SIZE]; +@@ -288,6 +293,7 @@ krb5int_aes_decrypt_iov(const krb5_keybl + char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE]; + int nblocks = 0, blockno, i; + size_t input_length; ++ struct iov_block_state input_pos, output_pos; + + CHECK_SIZES; + +@@ -305,18 +311,19 @@ krb5int_aes_decrypt_iov(const krb5_keybl + if (ENCRYPT_IOV(iov)) + input_length += iov->data.length; + } ++ IOV_BLOCK_STATE_INIT(&input_pos); ++ IOV_BLOCK_STATE_INIT(&output_pos); + + nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; +- +- assert(nblocks > 1); +- +- { ++ if (nblocks == 1) { ++ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE, ++ data, num_data, &input_pos); ++ dec(tmp2, tmp, &ctx); ++ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, ++ BLOCK_SIZE, &output_pos); ++ } else if (nblocks > 1) { + char blockN2[BLOCK_SIZE]; /* second last */ + char blockN1[BLOCK_SIZE]; /* last block */ +- struct iov_block_state input_pos, output_pos; +- +- IOV_BLOCK_STATE_INIT(&input_pos); +- IOV_BLOCK_STATE_INIT(&output_pos); + + for (blockno = 0; blockno < nblocks - 2; blockno++) { + char blockN[BLOCK_SIZE]; +Index: krb5-1.7/src/lib/crypto/old/old_decrypt.c +=================================================================== +--- krb5-1.7.orig/src/lib/crypto/old/old_decrypt.c ++++ krb5-1.7/src/lib/crypto/old/old_decrypt.c +@@ -45,8 +45,10 @@ krb5_old_decrypt(const struct krb5_enc_p + blocksize = enc->block_size; + hashsize = hash->hashsize; + ++ /* Verify input and output lengths. */ ++ if (input->length < blocksize + hashsize || input->length % blocksize != 0) ++ return(KRB5_BAD_MSIZE); + plainsize = input->length - blocksize - hashsize; +- + if (arg_output->length < plainsize) + return(KRB5_BAD_MSIZE); + +Index: krb5-1.7/src/lib/crypto/raw/raw_decrypt.c +=================================================================== +--- krb5-1.7.orig/src/lib/crypto/raw/raw_decrypt.c ++++ krb5-1.7/src/lib/crypto/raw/raw_decrypt.c +@@ -34,5 +34,7 @@ krb5_raw_decrypt(const struct krb5_enc_p + const krb5_data *ivec, const krb5_data *input, + krb5_data *output) + { +- return((*(enc->decrypt))(key, ivec, input, output)); ++ if (output->length < input->length) ++ return KRB5_BAD_MSIZE; ++ return((*(enc->decrypt))(key, ivec, input, output)); + } +Index: krb5-1.7/src/lib/crypto/t_short.c +=================================================================== +--- /dev/null ++++ krb5-1.7/src/lib/crypto/t_short.c +@@ -0,0 +1,128 @@ ++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ ++/* ++ * lib/crypto/crypto_tests/t_short.c ++ * ++ * Copyright (C) 2009 by the Massachusetts Institute of Technology. ++ * All rights reserved. ++ * ++ * Export of this software from the United States of America may ++ * require a specific license from the United States Government. ++ * It is the responsibility of any person or organization contemplating ++ * export to obtain such a license before exporting. ++ * ++ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and ++ * distribute this software and its documentation for any purpose and ++ * without fee is hereby granted, provided that the above copyright ++ * notice appear in all copies and that both that copyright notice and ++ * this permission notice appear in supporting documentation, and that ++ * the name of M.I.T. not be used in advertising or publicity pertaining ++ * to distribution of the software without specific, written prior ++ * permission. Furthermore if you modify this software you must label ++ * your software as modified software and not distribute it in such a ++ * fashion that it might be confused with the original M.I.T. software. ++ * M.I.T. makes no representations about the suitability of ++ * this software for any purpose. It is provided "as is" without express ++ * or implied warranty. ++ * ++ * Tests the outcome of decrypting overly short tokens. This program can be ++ * run under a tool like valgrind to detect bad memory accesses; when run ++ * normally by the test suite, it verifies that each operation returns ++ * KRB5_BAD_MSIZE. ++ */ ++ ++#include "k5-int.h" ++ ++ ++krb5_enctype interesting_enctypes[] = { ++ ENCTYPE_DES_CBC_CRC, ++ ENCTYPE_DES_CBC_MD4, ++ ENCTYPE_DES_CBC_MD5, ++ ENCTYPE_DES3_CBC_SHA1, ++ ENCTYPE_ARCFOUR_HMAC, ++ ENCTYPE_ARCFOUR_HMAC_EXP, ++ ENCTYPE_AES256_CTS_HMAC_SHA1_96, ++ ENCTYPE_AES128_CTS_HMAC_SHA1_96, ++ 0 ++}; ++ ++/* Abort if an operation unexpectedly fails. */ ++static void ++x(krb5_error_code code) ++{ ++ if (code != 0) ++ abort(); ++} ++ ++/* Abort if a decrypt operation doesn't have the expected result. */ ++static void ++check_decrypt_result(krb5_error_code code, size_t len, size_t min_len) ++{ ++ if (len < min_len) { ++ /* Undersized tokens should always result in BAD_MSIZE. */ ++ if (code != KRB5_BAD_MSIZE) ++ abort(); ++ } else { ++ /* Min-size tokens should succeed or fail the integrity check. */ ++ if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY) ++ abort(); ++ } ++} ++ ++static void ++test_enctype(krb5_enctype enctype) ++{ ++ krb5_error_code ret; ++ krb5_keyblock keyblock; ++ krb5_enc_data input; ++ krb5_data output; ++ krb5_crypto_iov iov[2]; ++ unsigned int dummy; ++ size_t min_len, len; ++ ++ printf("Testing enctype %d\n", (int) enctype); ++ x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len)); ++ x(krb5_c_make_random_key(NULL, enctype, &keyblock)); ++ input.enctype = enctype; ++ ++ /* Try each length up to the minimum length. */ ++ for (len = 0; len <= min_len; len++) { ++ input.ciphertext.data = calloc(len, 1); ++ input.ciphertext.length = len; ++ output.data = calloc(len, 1); ++ output.length = len; ++ ++ /* Attempt a normal decryption. */ ++ ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output); ++ check_decrypt_result(ret, len, min_len); ++ ++ if (krb5_c_crypto_length(NULL, enctype, KRB5_CRYPTO_TYPE_HEADER, ++ &dummy) == 0) { ++ /* Attempt an IOV stream decryption. */ ++ iov[0].flags = KRB5_CRYPTO_TYPE_STREAM; ++ iov[0].data = input.ciphertext; ++ iov[1].flags = KRB5_CRYPTO_TYPE_DATA; ++ iov[1].data.data = NULL; ++ iov[1].data.length = 0; ++ ret = krb5_c_decrypt_iov(NULL, &keyblock, 0, NULL, iov, 2); ++ check_decrypt_result(ret, len, min_len); ++ } ++ ++ free(input.ciphertext.data); ++ free(output.data); ++ } ++} ++ ++int ++main(int argc, char **argv) ++{ ++ int i; ++ krb5_data notrandom; ++ ++ notrandom.data = "notrandom"; ++ notrandom.length = 9; ++ krb5_c_random_seed(NULL, ¬random); ++ for (i = 0; interesting_enctypes[i]; i++) ++ test_enctype(interesting_enctypes[i]); ++ return 0; ++} ++ +Index: krb5-1.7/src/lib/crypto/deps +=================================================================== +--- krb5-1.7.orig/src/lib/crypto/deps ++++ krb5-1.7/src/lib/crypto/deps +@@ -463,6 +463,16 @@ t_encrypt.so t_encrypt.po $(OUTPRE)t_enc + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h etypes.h t_encrypt.c ++t_short.so t_short.po $(OUTPRE)t_short.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ ++ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ ++ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ ++ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ ++ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ ++ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ ++ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ ++ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ ++ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ ++ t_short.c + t_prf.so t_prf.po $(OUTPRE)t_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ +Index: krb5-1.7/src/lib/crypto/dk/dk_aead.c +=================================================================== +--- krb5-1.7.orig/src/lib/crypto/dk/dk_aead.c ++++ krb5-1.7/src/lib/crypto/dk/dk_aead.c +@@ -248,7 +248,7 @@ krb5int_dk_decrypt_iov(const struct krb5 + for (i = 0; i < num_data; i++) { + const krb5_crypto_iov *iov = &data[i]; + +- if (ENCRYPT_DATA_IOV(iov)) ++ if (ENCRYPT_IOV(iov)) + cipherlen += iov->data.length; + } + +Index: krb5-1.7/src/lib/crypto/dk/dk_decrypt.c +=================================================================== +--- krb5-1.7.orig/src/lib/crypto/dk/dk_decrypt.c ++++ krb5-1.7/src/lib/crypto/dk/dk_decrypt.c +@@ -89,6 +89,12 @@ krb5_dk_decrypt_maybe_trunc_hmac(const s + else if (hmacsize > hashsize) + return KRB5KRB_AP_ERR_BAD_INTEGRITY; + ++ /* Verify input and output lengths. */ ++ if (input->length < blocksize + hmacsize) ++ return KRB5_BAD_MSIZE; ++ if (output->length < input->length - blocksize - hmacsize) ++ return KRB5_BAD_MSIZE; ++ + enclen = input->length - hmacsize; + + if ((kedata = (unsigned char *) malloc(keylength)) == NULL) diff --git a/krb5-1.7-manpaths.dif b/krb5-1.7-manpaths.dif index a9c9e95..ab8e30e 100644 --- a/krb5-1.7-manpaths.dif +++ b/krb5-1.7-manpaths.dif @@ -1,9 +1,43 @@ - -Index: krb5-1.8-alpha1/src/appl/sample/sserver/sserver.M +Index: krb5-1.7/src/appl/bsd/klogind.M =================================================================== ---- krb5-1.8-alpha1.orig/src/appl/sample/sserver/sserver.M -+++ krb5-1.8-alpha1/src/appl/sample/sserver/sserver.M +--- krb5-1.7.orig/src/appl/bsd/klogind.M ++++ krb5-1.7/src/appl/bsd/klogind.M +@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when + the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf + configuration line for \fIklogind\fP might be: + +-klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c ++klogin stream tcp nowait root @mansbindir@/klogind klogind -e5c + + When a service request is received, the following protocol is initiated: + +Index: krb5-1.7/src/appl/bsd/kshd.M +=================================================================== +--- krb5-1.7.orig/src/appl/bsd/kshd.M ++++ krb5-1.7/src/appl/bsd/kshd.M +@@ -8,7 +8,7 @@ + .SH NAME + kshd \- kerberized remote shell server + .SH SYNOPSIS +-.B /usr/local/sbin/kshd ++.B @mansbindir@/kshd + [ + .B \-kr45ec + ] +@@ -30,7 +30,7 @@ server is invoked by \fIinetd(8c)\fP whe + on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf + configuration line for \fIkrshd\fP might be: + +-kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c ++kshell stream tcp nowait root @mansbindir@/kshd kshd -5c + + When a service request is received, the following protocol is initiated: + +Index: krb5-1.7/src/appl/sample/sserver/sserver.M +=================================================================== +--- krb5-1.7.orig/src/appl/sample/sserver/sserver.M ++++ krb5-1.7/src/appl/sample/sserver/sserver.M @@ -59,7 +59,7 @@ option allows for a different keytab tha using a line in /etc/inetd.conf that looks like this: @@ -13,10 +47,23 @@ Index: krb5-1.8-alpha1/src/appl/sample/sserver/sserver.M .PP Since \fBsample\fP is normally not a port defined in /etc/services, you will usually have to add a line to /etc/services which looks like this: -Index: krb5-1.8-alpha1/src/config-files/kdc.conf.M +Index: krb5-1.7/src/appl/telnet/telnetd/telnetd.8 =================================================================== ---- krb5-1.8-alpha1.orig/src/config-files/kdc.conf.M -+++ krb5-1.8-alpha1/src/config-files/kdc.conf.M +--- krb5-1.7.orig/src/appl/telnet/telnetd/telnetd.8 ++++ krb5-1.7/src/appl/telnet/telnetd/telnetd.8 +@@ -37,7 +37,7 @@ telnetd \- + .SM DARPA TELNET + protocol server + .SH SYNOPSIS +-.B /usr/libexec/telnetd ++.B @manlibexecdir@/telnetd + [\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP] + [\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP] + [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP] +Index: krb5-1.7/src/config-files/kdc.conf.M +=================================================================== +--- krb5-1.7.orig/src/config-files/kdc.conf.M ++++ krb5-1.7/src/config-files/kdc.conf.M @@ -82,14 +82,14 @@ This .B string specifies the location of the access control list (acl) file that @@ -34,7 +81,7 @@ Index: krb5-1.8-alpha1/src/config-files/kdc.conf.M .IP database_name This -@@ -254,7 +254,7 @@ tickets should be checked against the tr +@@ -257,7 +257,7 @@ tickets should be checked against the tr realm names and the [capaths] section of its krb5.conf file .SH FILES @@ -43,12 +90,12 @@ Index: krb5-1.8-alpha1/src/config-files/kdc.conf.M .SH SEE ALSO krb5.conf(5), krb5kdc(8) -Index: krb5-1.8-alpha1/src/configure.in +Index: krb5-1.7/src/configure.in =================================================================== ---- krb5-1.8-alpha1.orig/src/configure.in -+++ krb5-1.8-alpha1/src/configure.in -@@ -1052,6 +1052,58 @@ if test "$ac_cv_lib_socket" = "yes" -a " - fi +--- krb5-1.7.orig/src/configure.in ++++ krb5-1.7/src/configure.in +@@ -1041,6 +1041,69 @@ dnl + AC_CONFIG_SUBDIRS(appl/libpty appl/bsd appl/gssftp appl/telnet) AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) + @@ -71,8 +118,18 @@ Index: krb5-1.8-alpha1/src/configure.in +AC_SUBST(manlocalstatedir) +AC_SUBST(manlibexecdir) +AC_OUTPUT([ ++ appl/bsd/klogind.M ++ appl/bsd/kshd.M ++ appl/bsd/login.M ++ appl/bsd/rcp.M ++ appl/bsd/rlogin.M ++ appl/bsd/rsh.M ++ appl/gssftp/ftpd/ftpd.M ++ appl/gssftp/ftp/ftp.M + appl/sample/sclient/sclient.M + appl/sample/sserver/sserver.M ++ appl/telnet/telnetd/telnetd.8 ++ appl/telnet/telnet/telnet.1 + clients/kcpytkt/kcpytkt.M + clients/kdeltkt/kdeltkt.M + clients/kdestroy/kdestroy.M @@ -90,6 +147,7 @@ Index: krb5-1.8-alpha1/src/configure.in + kadmin/cli/kadmin.M + kadmin/dbutil/kdb5_util.M + kadmin/ktutil/ktutil.M ++ kadmin/passwd/kpasswd.M + kadmin/server/kadmind.M + kdc/krb5kdc.M + krb5-config.M @@ -106,11 +164,11 @@ Index: krb5-1.8-alpha1/src/configure.in V5_AC_OUTPUT_MAKEFILE(. util util/support util/profile util/send-pr -Index: krb5-1.8-alpha1/src/kadmin/cli/kadmin.M +Index: krb5-1.7/src/kadmin/cli/kadmin.M =================================================================== ---- krb5-1.8-alpha1.orig/src/kadmin/cli/kadmin.M -+++ krb5-1.8-alpha1/src/kadmin/cli/kadmin.M -@@ -869,9 +869,9 @@ option is specified, less verbose status +--- krb5-1.7.orig/src/kadmin/cli/kadmin.M ++++ krb5-1.7/src/kadmin/cli/kadmin.M +@@ -850,9 +850,9 @@ option is specified, less verbose status .RS .TP EXAMPLE: @@ -122,7 +180,7 @@ Index: krb5-1.8-alpha1/src/kadmin/cli/kadmin.M kadmin: .RE .fi -@@ -913,7 +913,7 @@ passwords. +@@ -894,7 +894,7 @@ passwords. .SH HISTORY The .B kadmin @@ -131,10 +189,10 @@ Index: krb5-1.8-alpha1/src/kadmin/cli/kadmin.M OpenVision Kerberos administration program. .SH SEE ALSO .IR kerberos (1), -Index: krb5-1.8-alpha1/src/slave/kprop.M +Index: krb5-1.7/src/slave/kprop.M =================================================================== ---- krb5-1.8-alpha1.orig/src/slave/kprop.M -+++ krb5-1.8-alpha1/src/slave/kprop.M +--- krb5-1.7.orig/src/slave/kprop.M ++++ krb5-1.7/src/slave/kprop.M @@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv This is done by transmitting the dumped database file to the slave server over an encrypted, secure channel. The dump file must be created @@ -153,10 +211,10 @@ Index: krb5-1.8-alpha1/src/slave/kprop.M .TP \fB\-P\fP \fIport\fP specifies the port to use to contact the -Index: krb5-1.8-alpha1/src/slave/kpropd.M +Index: krb5-1.7/src/slave/kpropd.M =================================================================== ---- krb5-1.8-alpha1.orig/src/slave/kpropd.M -+++ krb5-1.8-alpha1/src/slave/kpropd.M +--- krb5-1.7.orig/src/slave/kpropd.M ++++ krb5-1.7/src/slave/kpropd.M @@ -74,7 +74,7 @@ Normally, kpropd is invoked out of This is done by adding a line to the inetd.conf file which looks like this: @@ -164,7 +222,7 @@ Index: krb5-1.8-alpha1/src/slave/kpropd.M -kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd +kprop stream tcp nowait root @mansbindir@/kpropd kpropd - However, kpropd can also run as a standalone daemon, if the + However, kpropd can also run as a standalone deamon, if the .B \-S @@ -111,13 +111,13 @@ is used. \fB\-f\fP \fIfile\fP diff --git a/krb5-1.7-manpaths.txt b/krb5-1.7-manpaths.txt index d6df93e..a85dcae 100644 --- a/krb5-1.7-manpaths.txt +++ b/krb5-1.7-manpaths.txt @@ -1,5 +1,15 @@ +appl/bsd/klogind.M +appl/bsd/kshd.M +appl/bsd/login.M +appl/bsd/rcp.M +appl/bsd/rlogin.M +appl/bsd/rsh.M +appl/gssftp/ftpd/ftpd.M +appl/gssftp/ftp/ftp.M appl/sample/sclient/sclient.M appl/sample/sserver/sserver.M +appl/telnet/telnetd/telnetd.8 +appl/telnet/telnet/telnet.1 clients/kcpytkt/kcpytkt.M clients/kdeltkt/kdeltkt.M clients/kdestroy/kdestroy.M @@ -17,6 +27,7 @@ kadmin/cli/kadmin.local.M kadmin/cli/kadmin.M kadmin/dbutil/kdb5_util.M kadmin/ktutil/ktutil.M +kadmin/passwd/kpasswd.M kadmin/server/kadmind.M kdc/krb5kdc.M krb5-config.M diff --git a/krb5-1.8-rpmlintrc b/krb5-1.7-rpmlintrc similarity index 100% rename from krb5-1.8-rpmlintrc rename to krb5-1.7-rpmlintrc diff --git a/krb5-1.7.tar.bz2 b/krb5-1.7.tar.bz2 new file mode 100644 index 0000000..9efcda8 --- /dev/null +++ b/krb5-1.7.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2043f38c46a9721cfab28f0fdf876af17d542cab458a87d0324783189e9570cd +size 10407001 diff --git a/krb5-1.8.tar.bz2 b/krb5-1.8.tar.bz2 deleted file mode 100644 index 771b1d5..0000000 --- a/krb5-1.8.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:10890ef19905e36e99d82cbe7caa6e8b0875b2a304f9a9e2d05137c87aff8212 -size 9958816 diff --git a/krb5-doc-1.8-rpmlintrc b/krb5-doc-1.7-rpmlintrc similarity index 100% rename from krb5-doc-1.8-rpmlintrc rename to krb5-doc-1.7-rpmlintrc diff --git a/krb5-doc.changes b/krb5-doc.changes index 6dfd162..7aeb8cb 100644 --- a/krb5-doc.changes +++ b/krb5-doc.changes @@ -1,8 +1,3 @@ -------------------------------------------------------------------- -Thu Mar 4 11:45:22 CET 2010 - mc@suse.de - -- update to version 1.8 - ------------------------------------------------------------------- Wed Jun 3 10:47:07 CEST 2009 - mc@suse.de diff --git a/krb5-doc.spec b/krb5-doc.spec index 1095545..79b2313 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -1,7 +1,6 @@ # -# spec file for package krb5-doc (Version 1.8) +# spec file for package krb5-doc (Version 1.7) # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties @@ -21,14 +20,15 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive -Version: 1.8 -Release: 6 -%define srcRoot krb5-1.8 +Version: 1.7 +Release: 7 +%define srcRoot krb5-1.7 Summary: MIT Kerberos5 Implementation--Documentation License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ Group: Documentation/Other -Source: krb5-1.8.tar.bz2 +Source: krb5-%{version}.tar.bz2 +Source1: README.Source Source3: %{name}-%{version}-rpmlintrc Patch0: krb5-1.3.5-perlfix.dif Patch1: krb5-1.6.3-texi2dvi-fix.dif diff --git a/krb5-mini.changes b/krb5-mini.changes index 8c77179..9f3fded 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,29 +1,16 @@ ------------------------------------------------------------------- -Thu Mar 4 10:42:29 CET 2010 - mc@suse.de +Thu Jan 7 11:45:14 CET 2010 - mc@suse.de -- update to version 1.8 - * Increase code quality - * Move toward improved KDB interface - * Investigate and remedy repeatedly-reported performance - bottlenecks. - * Reduce DNS dependence by implementing an interface that allows - client library to track whether a KDC supports service - principal referrals. - * Disable DES by default - * Account lockout for repeated login failures - * Bridge layer to allow Heimdal HDB modules to act as KDB - backend modules - * FAST enhancements - * Microsoft Services for User (S4U) compatibility - * Anonymous PKINIT -- fix KDC denial of service - CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781) - fix KDC denial of service in cross-realm referral processing CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347) - fix integer underflow in AES and RC4 decryption - CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) -- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl - + CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) + +------------------------------------------------------------------- +Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de + +- add baselibs.conf as a source + ------------------------------------------------------------------- Fri Nov 13 16:51:37 CET 2009 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index 8e1675b..c305dc6 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -1,7 +1,6 @@ # -# spec file for package krb5 (Version 1.8) +# spec file for package krb5-mini (Version 1.7) # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties @@ -19,7 +18,7 @@ # norootforbuild %define build_mini 1 -%define srcRoot krb5-1.8 +%define srcRoot krb5-1.7 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -28,8 +27,8 @@ License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.8 -Release: 6 +Version: 1.7 +Release: 7 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel # bug437293 @@ -43,18 +42,25 @@ Group: Productivity/Networking/Security Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.8.tar.bz2 +Source: krb5-1.7.tar.bz2 Source1: vendor-files.tar.bz2 +Source2: README.Source +Source3: spx.c +Source4: baselibs.conf Source5: krb5-%{version}-rpmlintrc Source10: krb5-1.7-manpaths.txt Patch2: krb5-1.6.1-compile_pie.dif Patch20: krb5-1.6.3-kprop-use-mkstemp.dif +Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif +Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif Patch30: krb5-1.7-manpaths.dif Patch32: krb5-1.4.3-enospc.dif Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif +Patch47: krb5-1.7-MITKRB5-SA-2009-003.dif +Patch48: krb5-1.7-MITKRB5-SA-2009-004.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -111,6 +117,46 @@ and more. +Authors: +-------- + The MIT Kerberos Team + Sam Hartman + Ken Raeburn + Tom Yu + +%package apps-servers +License: MIT License (or similar) +Summary: MIT Kerberos5 server applications +Group: Productivity/Networking/Security + +%description apps-servers +Kerberos V5 is a trusted-third-party network authentication system, +which can improve your network's security by eliminating the insecure +practice of cleartext passwords. This package includes some kerberos +compatible server applications like ftpd, klogind, telnetd, ... + + + +Authors: +-------- + The MIT Kerberos Team + Sam Hartman + Ken Raeburn + Tom Yu + +%package apps-clients +License: MIT License (or similar) +Summary: MIT Kerberos5 client applications +Group: Productivity/Networking/Security + +%description apps-clients +Kerberos V5 is a trusted-third-party network authentication system, +which can improve your network's security by eliminating the insecure +practice of cleartext passwords. This package includes some kerberos +compatible client applications like ftp, rpc, rlogin, telnet, ... + + + Authors: -------- The MIT Kerberos Team @@ -194,14 +240,25 @@ Authors: %prep %setup -q -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot} +if [ -e %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c ] +then + echo "spx.c contains potential legal risks." + exit 1; +else + cp %{SOURCE3} %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c +fi %patch2 %patch20 +%patch21 +%patch22 %patch30 -p1 %patch32 -p1 %patch34 -p1 %patch41 %patch44 -p1 %patch46 -p1 +%patch47 -p1 +%patch48 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do @@ -262,6 +319,12 @@ install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.c install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind +for n in ftpd.8 telnetd.8; do + mv %{buildroot}%{_mandir}/man8/${n} %{buildroot}%{_mandir}/man8/k${n} +done +for n in ftp.1 rlogin.1 rcp.1 rsh.1 telnet.1; do + mv %{buildroot}%{_mandir}/man1/${n} %{buildroot}%{_mandir}/man1/k${n} +done # all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` do @@ -274,6 +337,12 @@ mkdir -p %{buildroot}%{_sysconfdir}/init.d install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd +# install xinetd files +mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d +install -m 644 %{vendorFiles}/klogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/klogin +install -m 644 %{vendorFiles}/eklogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/eklogin +install -m 644 %{vendorFiles}/krb5-telnet.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/ktelnet +install -m 644 %{vendorFiles}/kshell.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/kshell # install logrotate files mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server @@ -352,9 +421,7 @@ rm -rf %{buildroot} %dir /usr/lib/mit/sbin %{_libdir}/libgssrpc.so %{_libdir}/libk5crypto.so -%{_libdir}/libkadm5clnt_mit.so %{_libdir}/libkadm5clnt.so -%{_libdir}/libkadm5srv_mit.so %{_libdir}/libkadm5srv.so %{_libdir}/libkdb5.so %{_libdir}/libkrb5.so @@ -388,13 +455,17 @@ rm -rf %{buildroot} %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict +%config(noreplace) %{_sysconfdir}/xinetd.d/klogin +%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin +%config(noreplace) %{_sysconfdir}/xinetd.d/kshell +%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* %{_sysconfdir}/init.d/* %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* -%{_libdir}/libkadm5clnt_mit.so.* -%{_libdir}/libkadm5srv_mit.so.* +%{_libdir}/libkadm5clnt.so.* +%{_libdir}/libkadm5srv.so.* %{_libdir}/libkdb5.so.* %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* @@ -408,10 +479,15 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc +/usr/lib/mit/sbin/ftpd +/usr/lib/mit/sbin/klogind +/usr/lib/mit/sbin/kshd +/usr/lib/mit/sbin/telnetd /usr/lib/mit/sbin/uuserver /usr/lib/mit/sbin/sserver /usr/lib/mit/sbin/gss-server /usr/lib/mit/sbin/sim_server +/usr/lib/mit/sbin/login.krb5 /usr/lib/mit/bin/k5srvutil /usr/lib/mit/bin/kvno /usr/lib/mit/bin/kinit @@ -421,10 +497,16 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kadmin /usr/lib/mit/bin/ktutil %attr(0755,root,root) /usr/lib/mit/bin/ksu +/usr/lib/mit/bin/rcp +/usr/lib/mit/bin/rsh +/usr/lib/mit/bin/telnet /usr/lib/mit/bin/uuclient /usr/lib/mit/bin/sclient /usr/lib/mit/bin/gss-client /usr/lib/mit/bin/sim_client +/usr/lib/mit/bin/ftp +/usr/lib/mit/bin/rlogin +#/usr/lib/mit/bin/* /usr/bin/kinit /usr/bin/klist /usr/bin/rc* @@ -435,7 +517,12 @@ rm -rf %{buildroot} %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* %{_mandir}/man1/kerberos.1* +%{_mandir}/man1/kftp.1* +%{_mandir}/man1/krlogin.1* +%{_mandir}/man1/krsh.1* +%{_mandir}/man1/ktelnet.1* %{_mandir}/man1/ksu.1* +%{_mandir}/man1/krcp.1* %{_mandir}/man1/sclient.1* %{_mandir}/man1/kadmin.1* %{_mandir}/man1/ktutil.1* @@ -462,8 +549,8 @@ rm -rf %{buildroot} %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* -%{_libdir}/libkadm5clnt_mit.so.* -%{_libdir}/libkadm5srv_mit.so.* +%{_libdir}/libkadm5clnt.so.* +%{_libdir}/libkadm5srv.so.* %{_libdir}/libkdb5.so.* %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* @@ -495,10 +582,6 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc -/usr/lib/mit/sbin/gss-server -/usr/lib/mit/sbin/sim_server -/usr/lib/mit/sbin/sserver -/usr/lib/mit/sbin/uuserver %{_libdir}/krb5/plugins/kdb/db2.so %{_mandir}/man5/kdc.conf.5* %{_mandir}/man8/kadmind.8* @@ -508,7 +591,6 @@ rm -rf %{buildroot} %{_mandir}/man8/kproplog.8.gz %{_mandir}/man8/kdb5_util.8* %{_mandir}/man8/krb5kdc.8* -%{_mandir}/man8/sserver.8* %files client %defattr(-,root,root) @@ -523,11 +605,6 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kadmin /usr/lib/mit/bin/ktutil /usr/lib/mit/bin/k5srvutil -/usr/lib/mit/bin/gss-client -/usr/lib/mit/bin/ksu -/usr/lib/mit/bin/sclient -/usr/lib/mit/bin/sim_client -/usr/lib/mit/bin/uuclient /usr/bin/kinit /usr/bin/klist %{_mandir}/man1/kvno.1* @@ -541,8 +618,53 @@ rm -rf %{buildroot} %{_mandir}/man1/k5srvutil.1* %{_mandir}/man5/krb5.conf.5* %{_mandir}/man5/.k5login.5* -%{_mandir}/man1/ksu.1.gz -%{_mandir}/man1/sclient.1.gz + +%files apps-servers +%defattr(-,root,root) +%config(noreplace) %{_sysconfdir}/xinetd.d/klogin +%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin +%config(noreplace) %{_sysconfdir}/xinetd.d/kshell +%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet +%dir /usr/lib/mit +%dir /usr/lib/mit/sbin +/usr/lib/mit/sbin/ftpd +/usr/lib/mit/sbin/klogind +/usr/lib/mit/sbin/kshd +/usr/lib/mit/sbin/telnetd +/usr/lib/mit/sbin/uuserver +/usr/lib/mit/sbin/sserver +/usr/lib/mit/sbin/gss-server +/usr/lib/mit/sbin/sim_server +/usr/lib/mit/sbin/login.krb5 +%{_mandir}/man8/kftpd.8* +%{_mandir}/man8/klogind.8* +%{_mandir}/man8/kshd.8* +%{_mandir}/man8/ktelnetd.8* +%{_mandir}/man8/sserver.8* +%{_mandir}/man8/login.krb5.8* + +%files apps-clients +%defattr(-,root,root) +%dir /usr/lib/mit +%dir /usr/lib/mit/bin +/usr/lib/mit/bin/ftp +/usr/lib/mit/bin/rlogin +# removed SUID bit, we will rely on su + pam_krb +%attr(0755,root,root) /usr/lib/mit/bin/ksu +/usr/lib/mit/bin/rcp +/usr/lib/mit/bin/rsh +/usr/lib/mit/bin/telnet +/usr/lib/mit/bin/uuclient +/usr/lib/mit/bin/sclient +/usr/lib/mit/bin/gss-client +/usr/lib/mit/bin/sim_client +%{_mandir}/man1/kftp.1* +%{_mandir}/man1/krlogin.1* +%{_mandir}/man1/krsh.1* +%{_mandir}/man1/ktelnet.1* +%{_mandir}/man1/ksu.1* +%{_mandir}/man1/krcp.1* +%{_mandir}/man1/sclient.1* %files plugin-kdb-ldap %defattr(-,root,root) diff --git a/krb5.changes b/krb5.changes index 8c77179..9f3fded 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,29 +1,16 @@ ------------------------------------------------------------------- -Thu Mar 4 10:42:29 CET 2010 - mc@suse.de +Thu Jan 7 11:45:14 CET 2010 - mc@suse.de -- update to version 1.8 - * Increase code quality - * Move toward improved KDB interface - * Investigate and remedy repeatedly-reported performance - bottlenecks. - * Reduce DNS dependence by implementing an interface that allows - client library to track whether a KDC supports service - principal referrals. - * Disable DES by default - * Account lockout for repeated login failures - * Bridge layer to allow Heimdal HDB modules to act as KDB - backend modules - * FAST enhancements - * Microsoft Services for User (S4U) compatibility - * Anonymous PKINIT -- fix KDC denial of service - CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781) - fix KDC denial of service in cross-realm referral processing CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347) - fix integer underflow in AES and RC4 decryption - CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) -- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl - + CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) + +------------------------------------------------------------------- +Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de + +- add baselibs.conf as a source + ------------------------------------------------------------------- Fri Nov 13 16:51:37 CET 2009 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index 298f286..549b327 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1,7 +1,6 @@ # -# spec file for package krb5 (Version 1.8) +# spec file for package krb5 (Version 1.7) # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties @@ -19,7 +18,7 @@ # norootforbuild %define build_mini 0 -%define srcRoot krb5-1.8 +%define srcRoot krb5-1.7 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -28,8 +27,8 @@ License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.8 -Release: 6 +Version: 1.7 +Release: 7 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel # bug437293 @@ -43,18 +42,25 @@ Group: Productivity/Networking/Security Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.8.tar.bz2 +Source: krb5-1.7.tar.bz2 Source1: vendor-files.tar.bz2 +Source2: README.Source +Source3: spx.c +Source4: baselibs.conf Source5: krb5-%{version}-rpmlintrc Source10: krb5-1.7-manpaths.txt Patch2: krb5-1.6.1-compile_pie.dif Patch20: krb5-1.6.3-kprop-use-mkstemp.dif +Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif +Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif Patch30: krb5-1.7-manpaths.dif Patch32: krb5-1.4.3-enospc.dif Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif +Patch47: krb5-1.7-MITKRB5-SA-2009-003.dif +Patch48: krb5-1.7-MITKRB5-SA-2009-004.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -111,6 +117,46 @@ and more. +Authors: +-------- + The MIT Kerberos Team + Sam Hartman + Ken Raeburn + Tom Yu + +%package apps-servers +License: MIT License (or similar) +Summary: MIT Kerberos5 server applications +Group: Productivity/Networking/Security + +%description apps-servers +Kerberos V5 is a trusted-third-party network authentication system, +which can improve your network's security by eliminating the insecure +practice of cleartext passwords. This package includes some kerberos +compatible server applications like ftpd, klogind, telnetd, ... + + + +Authors: +-------- + The MIT Kerberos Team + Sam Hartman + Ken Raeburn + Tom Yu + +%package apps-clients +License: MIT License (or similar) +Summary: MIT Kerberos5 client applications +Group: Productivity/Networking/Security + +%description apps-clients +Kerberos V5 is a trusted-third-party network authentication system, +which can improve your network's security by eliminating the insecure +practice of cleartext passwords. This package includes some kerberos +compatible client applications like ftp, rpc, rlogin, telnet, ... + + + Authors: -------- The MIT Kerberos Team @@ -194,14 +240,25 @@ Authors: %prep %setup -q -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot} +if [ -e %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c ] +then + echo "spx.c contains potential legal risks." + exit 1; +else + cp %{SOURCE3} %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c +fi %patch2 %patch20 +%patch21 +%patch22 %patch30 -p1 %patch32 -p1 %patch34 -p1 %patch41 %patch44 -p1 %patch46 -p1 +%patch47 -p1 +%patch48 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do @@ -262,6 +319,12 @@ install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.c install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind +for n in ftpd.8 telnetd.8; do + mv %{buildroot}%{_mandir}/man8/${n} %{buildroot}%{_mandir}/man8/k${n} +done +for n in ftp.1 rlogin.1 rcp.1 rsh.1 telnet.1; do + mv %{buildroot}%{_mandir}/man1/${n} %{buildroot}%{_mandir}/man1/k${n} +done # all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` do @@ -274,6 +337,12 @@ mkdir -p %{buildroot}%{_sysconfdir}/init.d install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd +# install xinetd files +mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d +install -m 644 %{vendorFiles}/klogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/klogin +install -m 644 %{vendorFiles}/eklogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/eklogin +install -m 644 %{vendorFiles}/krb5-telnet.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/ktelnet +install -m 644 %{vendorFiles}/kshell.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/kshell # install logrotate files mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server @@ -352,9 +421,7 @@ rm -rf %{buildroot} %dir /usr/lib/mit/sbin %{_libdir}/libgssrpc.so %{_libdir}/libk5crypto.so -%{_libdir}/libkadm5clnt_mit.so %{_libdir}/libkadm5clnt.so -%{_libdir}/libkadm5srv_mit.so %{_libdir}/libkadm5srv.so %{_libdir}/libkdb5.so %{_libdir}/libkrb5.so @@ -388,13 +455,17 @@ rm -rf %{buildroot} %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict +%config(noreplace) %{_sysconfdir}/xinetd.d/klogin +%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin +%config(noreplace) %{_sysconfdir}/xinetd.d/kshell +%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* %{_sysconfdir}/init.d/* %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* -%{_libdir}/libkadm5clnt_mit.so.* -%{_libdir}/libkadm5srv_mit.so.* +%{_libdir}/libkadm5clnt.so.* +%{_libdir}/libkadm5srv.so.* %{_libdir}/libkdb5.so.* %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* @@ -408,10 +479,15 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc +/usr/lib/mit/sbin/ftpd +/usr/lib/mit/sbin/klogind +/usr/lib/mit/sbin/kshd +/usr/lib/mit/sbin/telnetd /usr/lib/mit/sbin/uuserver /usr/lib/mit/sbin/sserver /usr/lib/mit/sbin/gss-server /usr/lib/mit/sbin/sim_server +/usr/lib/mit/sbin/login.krb5 /usr/lib/mit/bin/k5srvutil /usr/lib/mit/bin/kvno /usr/lib/mit/bin/kinit @@ -421,10 +497,16 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kadmin /usr/lib/mit/bin/ktutil %attr(0755,root,root) /usr/lib/mit/bin/ksu +/usr/lib/mit/bin/rcp +/usr/lib/mit/bin/rsh +/usr/lib/mit/bin/telnet /usr/lib/mit/bin/uuclient /usr/lib/mit/bin/sclient /usr/lib/mit/bin/gss-client /usr/lib/mit/bin/sim_client +/usr/lib/mit/bin/ftp +/usr/lib/mit/bin/rlogin +#/usr/lib/mit/bin/* /usr/bin/kinit /usr/bin/klist /usr/bin/rc* @@ -435,7 +517,12 @@ rm -rf %{buildroot} %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* %{_mandir}/man1/kerberos.1* +%{_mandir}/man1/kftp.1* +%{_mandir}/man1/krlogin.1* +%{_mandir}/man1/krsh.1* +%{_mandir}/man1/ktelnet.1* %{_mandir}/man1/ksu.1* +%{_mandir}/man1/krcp.1* %{_mandir}/man1/sclient.1* %{_mandir}/man1/kadmin.1* %{_mandir}/man1/ktutil.1* @@ -462,8 +549,8 @@ rm -rf %{buildroot} %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* -%{_libdir}/libkadm5clnt_mit.so.* -%{_libdir}/libkadm5srv_mit.so.* +%{_libdir}/libkadm5clnt.so.* +%{_libdir}/libkadm5srv.so.* %{_libdir}/libkdb5.so.* %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* @@ -495,10 +582,6 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc -/usr/lib/mit/sbin/gss-server -/usr/lib/mit/sbin/sim_server -/usr/lib/mit/sbin/sserver -/usr/lib/mit/sbin/uuserver %{_libdir}/krb5/plugins/kdb/db2.so %{_mandir}/man5/kdc.conf.5* %{_mandir}/man8/kadmind.8* @@ -508,7 +591,6 @@ rm -rf %{buildroot} %{_mandir}/man8/kproplog.8.gz %{_mandir}/man8/kdb5_util.8* %{_mandir}/man8/krb5kdc.8* -%{_mandir}/man8/sserver.8* %files client %defattr(-,root,root) @@ -523,11 +605,6 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kadmin /usr/lib/mit/bin/ktutil /usr/lib/mit/bin/k5srvutil -/usr/lib/mit/bin/gss-client -/usr/lib/mit/bin/ksu -/usr/lib/mit/bin/sclient -/usr/lib/mit/bin/sim_client -/usr/lib/mit/bin/uuclient /usr/bin/kinit /usr/bin/klist %{_mandir}/man1/kvno.1* @@ -541,8 +618,53 @@ rm -rf %{buildroot} %{_mandir}/man1/k5srvutil.1* %{_mandir}/man5/krb5.conf.5* %{_mandir}/man5/.k5login.5* -%{_mandir}/man1/ksu.1.gz -%{_mandir}/man1/sclient.1.gz + +%files apps-servers +%defattr(-,root,root) +%config(noreplace) %{_sysconfdir}/xinetd.d/klogin +%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin +%config(noreplace) %{_sysconfdir}/xinetd.d/kshell +%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet +%dir /usr/lib/mit +%dir /usr/lib/mit/sbin +/usr/lib/mit/sbin/ftpd +/usr/lib/mit/sbin/klogind +/usr/lib/mit/sbin/kshd +/usr/lib/mit/sbin/telnetd +/usr/lib/mit/sbin/uuserver +/usr/lib/mit/sbin/sserver +/usr/lib/mit/sbin/gss-server +/usr/lib/mit/sbin/sim_server +/usr/lib/mit/sbin/login.krb5 +%{_mandir}/man8/kftpd.8* +%{_mandir}/man8/klogind.8* +%{_mandir}/man8/kshd.8* +%{_mandir}/man8/ktelnetd.8* +%{_mandir}/man8/sserver.8* +%{_mandir}/man8/login.krb5.8* + +%files apps-clients +%defattr(-,root,root) +%dir /usr/lib/mit +%dir /usr/lib/mit/bin +/usr/lib/mit/bin/ftp +/usr/lib/mit/bin/rlogin +# removed SUID bit, we will rely on su + pam_krb +%attr(0755,root,root) /usr/lib/mit/bin/ksu +/usr/lib/mit/bin/rcp +/usr/lib/mit/bin/rsh +/usr/lib/mit/bin/telnet +/usr/lib/mit/bin/uuclient +/usr/lib/mit/bin/sclient +/usr/lib/mit/bin/gss-client +/usr/lib/mit/bin/sim_client +%{_mandir}/man1/kftp.1* +%{_mandir}/man1/krlogin.1* +%{_mandir}/man1/krsh.1* +%{_mandir}/man1/ktelnet.1* +%{_mandir}/man1/ksu.1* +%{_mandir}/man1/krcp.1* +%{_mandir}/man1/sclient.1* %files plugin-kdb-ldap %defattr(-,root,root) diff --git a/ready b/ready new file mode 100644 index 0000000..473a0f4 diff --git a/spx.c b/spx.c new file mode 100644 index 0000000..256ccd5 --- /dev/null +++ b/spx.c @@ -0,0 +1,50 @@ +/*- + * Copyright (c) 1992, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* based on @(#)spx.c 8.1 (Berkeley) 6/4/93 */ + +#include "misc-proto.h" + +#ifdef notdef + +prkey(msg, key) + char *msg; + unsigned char *key; +{ + register int i; + printf("%s:", msg); + for (i = 0; i < 8; i++) + printf(" %3d", key[i]); + printf("\r\n"); +} +#endif diff --git a/vendor-files.tar.bz2 b/vendor-files.tar.bz2 index 9c9d317..125b194 100644 --- a/vendor-files.tar.bz2 +++ b/vendor-files.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:afd7fcef667fa671ba023b747d95c62dd83b03c4bb93c7132e1ae78fe837c35e -size 182067 +oid sha256:cc8af64eb451283d9ed22d52848a923e65a50b5c80442fe3165f238efdd34571 +size 182153 From f9e6d882fda4910f6ede88d96a8ef6f30c14c796b2bf9241833de9d2f1857bde Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Tue, 23 Mar 2010 11:40:55 +0000 Subject: [PATCH 3/6] - add post 1.8 fixes * Add IPv6 support to changepw.c * fix two problems in kadm5_get_principal mask handling * Ignore improperly encoded signedpath AD elements * handle NT_SRV_INST in service principal referrals * dereference options while checking KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT * Fix the kpasswd fallback from the ccache principal name * Document the ticket_lifetime libdefaults setting * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=13 --- README.Source | 9 - krb5-1.4.3-enospc.dif | 38 +- krb5-1.5.1-fix-ftp-var-used-uninitialized.dif | 13 - krb5-1.5.1-fix-var-used-before-value-set.dif | 10 - krb5-1.6.1-compile_pie.dif | 2 +- krb5-1.6.3-fix-ipv6-query.dif | 54 +-- krb5-1.6.3-kpasswd_tcp.patch | 53 ++- krb5-1.6.3-kprop-use-mkstemp.dif | 28 +- krb5-1.7-MITKRB5-SA-2009-003.dif | 27 -- krb5-1.7-MITKRB5-SA-2009-004.dif | 377 ------------------ krb5-1.7-manpaths.dif | 108 ++--- krb5-1.7-manpaths.txt | 11 - krb5-1.7.tar.bz2 | 3 - krb5-1.8-POST.dif | 315 +++++++++++++++ krb5-1.7-rpmlintrc => krb5-1.8-rpmlintrc | 0 krb5-1.8.tar.bz2 | 3 + ...oc-1.7-rpmlintrc => krb5-doc-1.8-rpmlintrc | 0 krb5-doc.changes | 11 + krb5-doc.spec | 13 +- krb5-mini.changes | 38 +- krb5-mini.spec | 172 ++------ krb5.changes | 38 +- krb5.spec | 172 ++------ ready | 0 spx.c | 50 --- vendor-files.tar.bz2 | 4 +- 26 files changed, 572 insertions(+), 977 deletions(-) delete mode 100644 README.Source delete mode 100644 krb5-1.5.1-fix-ftp-var-used-uninitialized.dif delete mode 100644 krb5-1.5.1-fix-var-used-before-value-set.dif delete mode 100644 krb5-1.7-MITKRB5-SA-2009-003.dif delete mode 100644 krb5-1.7-MITKRB5-SA-2009-004.dif delete mode 100644 krb5-1.7.tar.bz2 create mode 100644 krb5-1.8-POST.dif rename krb5-1.7-rpmlintrc => krb5-1.8-rpmlintrc (100%) create mode 100644 krb5-1.8.tar.bz2 rename krb5-doc-1.7-rpmlintrc => krb5-doc-1.8-rpmlintrc (100%) delete mode 100644 ready delete mode 100644 spx.c diff --git a/README.Source b/README.Source deleted file mode 100644 index 9bf6da7..0000000 --- a/README.Source +++ /dev/null @@ -1,9 +0,0 @@ -Because of potential legal risk we have removed the -file "src/appl/telnet/libtelnet/spx.c" from the -source tarball. - -If you want to see the original sources you can download -them from - - http://web.mit.edu/kerberos/www/ . - diff --git a/krb5-1.4.3-enospc.dif b/krb5-1.4.3-enospc.dif index 69c6328..0a0d9ce 100644 --- a/krb5-1.4.3-enospc.dif +++ b/krb5-1.4.3-enospc.dif @@ -1,24 +1,24 @@ If the error message is going to be ambiguous, try to give the user some clue by returning the last error reported by the OS. -Index: krb5-1.7/src/clients/kinit/kinit.c +Index: krb5-1.8-alpha1/src/clients/kinit/kinit.c =================================================================== ---- krb5-1.7.orig/src/clients/kinit/kinit.c -+++ krb5-1.7/src/clients/kinit/kinit.c -@@ -670,8 +670,14 @@ k5_kinit(opts, k5) - code = krb5_cc_initialize(k5->ctx, k5->cc, - opts->canonicalize ? my_creds.client : k5->me); - if (code) { -- com_err(progname, code, "when initializing cache %s", -- opts->k5_cache_name?opts->k5_cache_name:""); -+ if ((code == KRB5_CC_IO) && (errno != 0)) { -+ com_err(progname, code, "when initializing cache %s: %s", -+ opts->k5_cache_name?opts->k5_cache_name:"", -+ strerror(errno)); -+ } else { -+ com_err(progname, code, "when initializing cache %s", -+ opts->k5_cache_name?opts->k5_cache_name:""); -+ } - goto cleanup; - } +--- krb5-1.8-alpha1.orig/src/clients/kinit/kinit.c ++++ krb5-1.8-alpha1/src/clients/kinit/kinit.c +@@ -712,8 +712,14 @@ k5_kinit(opts, k5) + code = krb5_cc_initialize(k5->ctx, k5->cc, opts->canonicalize ? + my_creds.client : k5->me); + if (code) { +- com_err(progname, code, "when initializing cache %s", +- opts->k5_cache_name?opts->k5_cache_name:""); ++ if ((code == KRB5_CC_IO) && (errno != 0)) { ++ com_err(progname, code, "when initializing cache %s: %s", ++ opts->k5_cache_name?opts->k5_cache_name:"", ++ strerror(errno)); ++ } else { ++ com_err(progname, code, "when initializing cache %s", ++ opts->k5_cache_name?opts->k5_cache_name:""); ++ } + goto cleanup; + } diff --git a/krb5-1.5.1-fix-ftp-var-used-uninitialized.dif b/krb5-1.5.1-fix-ftp-var-used-uninitialized.dif deleted file mode 100644 index ad5f8c9..0000000 --- a/krb5-1.5.1-fix-ftp-var-used-uninitialized.dif +++ /dev/null @@ -1,13 +0,0 @@ -Index: src/appl/gssftp/ftp/ftp.c -=================================================================== ---- src/appl/gssftp/ftp/ftp.c.orig -+++ src/appl/gssftp/ftp/ftp.c -@@ -1912,7 +1912,7 @@ int do_auth() - - #ifdef GSSAPI - if (command("AUTH %s", "GSSAPI") == CONTINUE) { -- OM_uint32 maj_stat, min_stat, dummy_stat; -+ OM_uint32 maj_stat = GSS_S_FAILURE , min_stat, dummy_stat; - gss_name_t target_name; - gss_buffer_desc send_tok, recv_tok, *token_ptr; - char stbuf[FTP_BUFSIZ]; diff --git a/krb5-1.5.1-fix-var-used-before-value-set.dif b/krb5-1.5.1-fix-var-used-before-value-set.dif deleted file mode 100644 index cfa5930..0000000 --- a/krb5-1.5.1-fix-var-used-before-value-set.dif +++ /dev/null @@ -1,10 +0,0 @@ ---- src/appl/telnet/telnetd/utility.c -+++ src/appl/telnet/telnetd/utility.c 2006/11/06 10:34:09 -@@ -127,6 +127,7 @@ - } - tv.tv_sec = 1; - tv.tv_usec = 0; -+ FD_ZERO(&fds); - FD_SET(net, &fds); - - while (select(net + 1, &fds, NULL, NULL, &tv) == 1) diff --git a/krb5-1.6.1-compile_pie.dif b/krb5-1.6.1-compile_pie.dif index 8a0d66f..08e14fc 100644 --- a/krb5-1.6.1-compile_pie.dif +++ b/krb5-1.6.1-compile_pie.dif @@ -15,7 +15,7 @@ Index: src/config/shlib.conf =================================================================== --- src/config/shlib.conf.orig +++ src/config/shlib.conf -@@ -420,7 +420,8 @@ mips-*-netbsd*) +@@ -419,7 +419,8 @@ mips-*-netbsd*) PROFFLAGS=-pg RPATH_FLAG='-Wl,-rpath -Wl,' PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' diff --git a/krb5-1.6.3-fix-ipv6-query.dif b/krb5-1.6.3-fix-ipv6-query.dif index 4220f2e..4ba81b8 100644 --- a/krb5-1.6.3-fix-ipv6-query.dif +++ b/krb5-1.6.3-fix-ipv6-query.dif @@ -1,9 +1,9 @@ -Index: trunk/src/lib/krb5/os/hostaddr.c +Index: krb5-1.8-alpha1/src/lib/krb5/os/hostaddr.c =================================================================== ---- trunk.orig/src/lib/krb5/os/hostaddr.c -+++ trunk/src/lib/krb5/os/hostaddr.c -@@ -43,7 +43,7 @@ krb5_os_hostaddr(krb5_context context, c - return KRB5_ERR_BAD_HOSTNAME; +--- krb5-1.8-alpha1.orig/src/lib/krb5/os/hostaddr.c ++++ krb5-1.8-alpha1/src/lib/krb5/os/hostaddr.c +@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c + return KRB5_ERR_BAD_HOSTNAME; memset (&hints, 0, sizeof (hints)); - hints.ai_flags = AI_NUMERICHOST; @@ -11,11 +11,11 @@ Index: trunk/src/lib/krb5/os/hostaddr.c /* We don't care what kind at this point, really, but without this, we can get back multiple sockaddrs per address, for SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if -Index: trunk/src/lib/krb5/os/hst_realm.c +Index: krb5-1.8-alpha1/src/lib/krb5/os/hst_realm.c =================================================================== ---- trunk.orig/src/lib/krb5/os/hst_realm.c -+++ trunk/src/lib/krb5/os/hst_realm.c -@@ -171,7 +171,7 @@ krb5int_get_fq_hostname (char *buf, size +--- krb5-1.8-alpha1.orig/src/lib/krb5/os/hst_realm.c ++++ krb5-1.8-alpha1/src/lib/krb5/os/hst_realm.c +@@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz int err; memset (&hints, 0, sizeof (hints)); @@ -23,12 +23,12 @@ Index: trunk/src/lib/krb5/os/hst_realm.c + hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; err = getaddrinfo (name, 0, &hints, &ai); if (err) - return krb5int_translate_gai_error (err); -Index: trunk/src/lib/krb5/os/locate_kdc.c + return krb5int_translate_gai_error (err); +Index: krb5-1.8-alpha1/src/lib/krb5/os/locate_kdc.c =================================================================== ---- trunk.orig/src/lib/krb5/os/locate_kdc.c -+++ trunk/src/lib/krb5/os/locate_kdc.c -@@ -254,8 +254,9 @@ krb5int_add_host_to_list (struct addrlis +--- krb5-1.8-alpha1.orig/src/lib/krb5/os/locate_kdc.c ++++ krb5-1.8-alpha1/src/lib/krb5/os/locate_kdc.c +@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis memset(&hint, 0, sizeof(hint)); hint.ai_family = family; hint.ai_socktype = socktype; @@ -37,18 +37,18 @@ Index: trunk/src/lib/krb5/os/locate_kdc.c - hint.ai_flags = AI_NUMERICSERV; + hint.ai_flags |= AI_NUMERICSERV; #endif - if (snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)) >= sizeof(portbuf)) - /* XXX */ -Index: trunk/src/lib/krb5/os/sn2princ.c + result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)); + if (SNPRINTF_OVERFLOW(result, sizeof(portbuf))) +Index: krb5-1.8-alpha1/src/lib/krb5/os/sn2princ.c =================================================================== ---- trunk.orig/src/lib/krb5/os/sn2princ.c -+++ trunk/src/lib/krb5/os/sn2princ.c -@@ -107,7 +107,7 @@ krb5_sname_to_principal(krb5_context con +--- krb5-1.8-alpha1.orig/src/lib/krb5/os/sn2princ.c ++++ krb5-1.8-alpha1/src/lib/krb5/os/sn2princ.c +@@ -108,7 +108,7 @@ krb5_sname_to_principal(krb5_context con - memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_INET; -- hints.ai_flags = AI_CANONNAME; -+ hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG; - try_getaddrinfo_again: - err = getaddrinfo(hostname, 0, &hints, &ai); - if (err) { + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_INET; +- hints.ai_flags = AI_CANONNAME; ++ hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG; + try_getaddrinfo_again: + err = getaddrinfo(hostname, 0, &hints, &ai); + if (err) { diff --git a/krb5-1.6.3-kpasswd_tcp.patch b/krb5-1.6.3-kpasswd_tcp.patch index 757b3f6..360149f 100644 --- a/krb5-1.6.3-kpasswd_tcp.patch +++ b/krb5-1.6.3-kpasswd_tcp.patch @@ -5,31 +5,30 @@ Index: src/lib/krb5/os/changepw.c =================================================================== --- src/lib/krb5/os/changepw.c.orig +++ src/lib/krb5/os/changepw.c -@@ -261,11 +261,22 @@ krb5_change_set_password(krb5_context co - NULL, - NULL - ))) { -- -- /* -- * Here we may want to switch to TCP on some errors. -- * right? -- */ -+ /* if we're not using a stream socket, and it's an error which -+ * might reasonably be specific to a datagram "connection", try -+ * again with a stream socket */ -+ if (!useTcp) { -+ switch (code) { -+ case KRB5_KDC_UNREACH: -+ case KRB5_REALM_CANT_RESOLVE: -+ case KRB5KRB_ERR_RESPONSE_TOO_BIG: -+ /* should we do this for more result codes than these? */ -+ krb5int_free_addrlist (&al); -+ useTcp = 1; -+ continue; -+ default: -+ break; -+ } -+ } - break; - } +@@ -271,10 +271,22 @@ change_set_password(krb5_context context + NULL + ))) { + +- /* +- * Here we may want to switch to TCP on some errors. +- * right? +- */ ++ /* if we're not using a stream socket, and it's an error which ++ * might reasonably be specific to a datagram "connection", try ++ * again with a stream socket */ ++ if (!useTcp) { ++ switch (code) { ++ case KRB5_KDC_UNREACH: ++ case KRB5_REALM_CANT_RESOLVE: ++ case KRB5KRB_ERR_RESPONSE_TOO_BIG: ++ /* should we do this for more result codes than these? */ ++ krb5int_free_addrlist (&al); ++ useTcp = 1; ++ continue; ++ default: ++ break; ++ } ++ } + break; + } diff --git a/krb5-1.6.3-kprop-use-mkstemp.dif b/krb5-1.6.3-kprop-use-mkstemp.dif index 2277883..9ea2577 100644 --- a/krb5-1.6.3-kprop-use-mkstemp.dif +++ b/krb5-1.6.3-kprop-use-mkstemp.dif @@ -2,18 +2,18 @@ Index: src/slave/kprop.c =================================================================== --- src/slave/kprop.c.orig +++ src/slave/kprop.c -@@ -215,6 +215,7 @@ void get_tickets(context) - krb5_error_code retval; - static char tkstring[] = "/tmp/kproptktXXXXXX"; - krb5_keytab keytab = NULL; -+ int ret = 0; +@@ -206,6 +206,7 @@ void get_tickets(context) + krb5_error_code retval; + static char tkstring[] = "/tmp/kproptktXXXXXX"; + krb5_keytab keytab = NULL; ++ int ret = 0; - /* - * Figure out what tickets we'll be using to send stuff -@@ -240,7 +241,15 @@ void get_tickets(context) - /* - * Initialize cache file which we're going to be using - */ + /* + * Figure out what tickets we'll be using to send stuff +@@ -231,7 +232,15 @@ void get_tickets(context) + /* + * Initialize cache file which we're going to be using + */ +#ifdef HAVE_MKSTEMP + ret = mkstemp(tkstring); + if (ret == -1) { @@ -21,8 +21,8 @@ Index: src/slave/kprop.c + exit(1); + } else close(ret); +#else - (void) mktemp(tkstring); + (void) mktemp(tkstring); +#endif - snprintf(buf, sizeof(buf), "FILE:%s", tkstring); + snprintf(buf, sizeof(buf), "FILE:%s", tkstring); - retval = krb5_cc_resolve(context, buf, &ccache); + retval = krb5_cc_resolve(context, buf, &ccache); diff --git a/krb5-1.7-MITKRB5-SA-2009-003.dif b/krb5-1.7-MITKRB5-SA-2009-003.dif deleted file mode 100644 index c3d0d1a..0000000 --- a/krb5-1.7-MITKRB5-SA-2009-003.dif +++ /dev/null @@ -1,27 +0,0 @@ -Index: krb5-1.7/src/kdc/do_tgs_req.c -=================================================================== ---- krb5-1.7.orig/src/kdc/do_tgs_req.c -+++ krb5-1.7/src/kdc/do_tgs_req.c -@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request - free(temp_buf); - if (retval) { - /* no match found */ -- kdc_err(kdc_context, retval, 0); -+ kdc_err(kdc_context, retval, "unable to find realm of host"); - goto cleanup; - } - if (realms == 0) { -Index: krb5-1.7/src/lib/kadm5/logger.c -=================================================================== ---- krb5-1.7.orig/src/lib/kadm5/logger.c -+++ krb5-1.7/src/lib/kadm5/logger.c -@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, lo - char *cp; - char *syslogp; - -+ if (whoami == NULL || format == NULL) -+ return; -+ - /* Make the header */ - snprintf(outbuf, sizeof(outbuf), "%s: ", whoami); - /* diff --git a/krb5-1.7-MITKRB5-SA-2009-004.dif b/krb5-1.7-MITKRB5-SA-2009-004.dif deleted file mode 100644 index 67c5738..0000000 --- a/krb5-1.7-MITKRB5-SA-2009-004.dif +++ /dev/null @@ -1,377 +0,0 @@ -Index: krb5-1.7/src/lib/crypto/Makefile.in -=================================================================== ---- krb5-1.7.orig/src/lib/crypto/Makefile.in -+++ krb5-1.7/src/lib/crypto/Makefile.in -@@ -18,6 +18,7 @@ EXTRADEPSRCS=\ - $(srcdir)/t_nfold.c \ - $(srcdir)/t_cf2.c \ - $(srcdir)/t_encrypt.c \ -+ $(srcdir)/t_short.c \ - $(srcdir)/t_prf.c \ - $(srcdir)/t_prng.c \ - $(srcdir)/t_hmac.c \ -@@ -206,7 +207,7 @@ libcrypto.lib: - - clean-unix:: clean-liblinks clean-libs clean-libobjs - --check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 -+check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 t_short - $(RUN_SETUP) $(VALGRIND) ./t_nfold - $(RUN_SETUP) $(VALGRIND) ./t_encrypt - $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \ -@@ -216,6 +217,7 @@ check-unix:: t_nfold t_encrypt t_prf t_p - diff t_prf.output $(srcdir)/t_prf.expected - $(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output - diff t_cf2.output $(srcdir)/t_cf2.expected -+ $(RUN_SETUP) $(VALGRIND) ./t_short - - - # $(RUN_SETUP) $(VALGRIND) ./t_pkcs5 -@@ -249,10 +251,14 @@ t_cts$(EXEEXT): t_cts.$(OBJEXT) $(CRYPTO - $(CC_LINK) -o $@ t_cts.$(OBJEXT) \ - $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) - -+t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB) -+ $(CC_LINK) -o $@ t_short.$(OBJEXT) \ -+ $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) - - clean:: - $(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \ -- t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o t_cf2 t_cf2.o -+ t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \ -+ t_cf2 t_cf2.o t_short t_short.o - -$(RM) t_prng.output - - all-windows:: -Index: krb5-1.7/src/lib/crypto/arcfour/arcfour.c -=================================================================== ---- krb5-1.7.orig/src/lib/crypto/arcfour/arcfour.c -+++ krb5-1.7/src/lib/crypto/arcfour/arcfour.c -@@ -199,6 +199,12 @@ krb5_arcfour_decrypt(const struct krb5_e - keylength = enc->keylength; - hashsize = hash->hashsize; - -+ /* Verify input and output lengths. */ -+ if (input->length < hashsize + CONFOUNDERLENGTH) -+ return KRB5_BAD_MSIZE; -+ if (output->length < input->length - hashsize - CONFOUNDERLENGTH) -+ return KRB5_BAD_MSIZE; -+ - d1.length=keybytes; - d1.data=malloc(d1.length); - if (d1.data == NULL) -Index: krb5-1.7/src/lib/crypto/enc_provider/aes.c -=================================================================== ---- krb5-1.7.orig/src/lib/crypto/enc_provider/aes.c -+++ krb5-1.7/src/lib/crypto/enc_provider/aes.c -@@ -105,9 +105,11 @@ krb5int_aes_encrypt(const krb5_keyblock - nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE; - - if (nblocks == 1) { -- /* XXX Used for DK function. */ -+ /* Used when deriving keys. */ -+ if (input->length < BLOCK_SIZE) -+ return KRB5_BAD_MSIZE; - enc(output->data, input->data, &ctx); -- } else { -+ } else if (nblocks > 1) { - unsigned int nleft; - - for (blockno = 0; blockno < nblocks - 2; blockno++) { -@@ -160,9 +162,9 @@ krb5int_aes_decrypt(const krb5_keyblock - - if (nblocks == 1) { - if (input->length < BLOCK_SIZE) -- abort(); -+ return KRB5_BAD_MSIZE; - dec(output->data, input->data, &ctx); -- } else { -+ } else if (nblocks > 1) { - - for (blockno = 0; blockno < nblocks - 2; blockno++) { - dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx); -@@ -208,6 +210,7 @@ krb5int_aes_encrypt_iov(const krb5_keybl - char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE]; - int nblocks = 0, blockno; - size_t input_length, i; -+ struct iov_block_state input_pos, output_pos; - - if (aes_enc_key(key->contents, key->length, &ctx) != aes_good) - abort(); -@@ -224,17 +227,19 @@ krb5int_aes_encrypt_iov(const krb5_keybl - input_length += iov->data.length; - } - -- nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; -- -- assert(nblocks > 1); -+ IOV_BLOCK_STATE_INIT(&input_pos); -+ IOV_BLOCK_STATE_INIT(&output_pos); - -- { -+ nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; -+ if (nblocks == 1) { -+ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE, -+ data, num_data, &input_pos); -+ enc(tmp2, tmp, &ctx); -+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, -+ BLOCK_SIZE, &output_pos); -+ } else if (nblocks > 1) { - char blockN2[BLOCK_SIZE]; /* second last */ - char blockN1[BLOCK_SIZE]; /* last block */ -- struct iov_block_state input_pos, output_pos; -- -- IOV_BLOCK_STATE_INIT(&input_pos); -- IOV_BLOCK_STATE_INIT(&output_pos); - - for (blockno = 0; blockno < nblocks - 2; blockno++) { - char blockN[BLOCK_SIZE]; -@@ -288,6 +293,7 @@ krb5int_aes_decrypt_iov(const krb5_keybl - char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE]; - int nblocks = 0, blockno, i; - size_t input_length; -+ struct iov_block_state input_pos, output_pos; - - CHECK_SIZES; - -@@ -305,18 +311,19 @@ krb5int_aes_decrypt_iov(const krb5_keybl - if (ENCRYPT_IOV(iov)) - input_length += iov->data.length; - } -+ IOV_BLOCK_STATE_INIT(&input_pos); -+ IOV_BLOCK_STATE_INIT(&output_pos); - - nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; -- -- assert(nblocks > 1); -- -- { -+ if (nblocks == 1) { -+ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE, -+ data, num_data, &input_pos); -+ dec(tmp2, tmp, &ctx); -+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, -+ BLOCK_SIZE, &output_pos); -+ } else if (nblocks > 1) { - char blockN2[BLOCK_SIZE]; /* second last */ - char blockN1[BLOCK_SIZE]; /* last block */ -- struct iov_block_state input_pos, output_pos; -- -- IOV_BLOCK_STATE_INIT(&input_pos); -- IOV_BLOCK_STATE_INIT(&output_pos); - - for (blockno = 0; blockno < nblocks - 2; blockno++) { - char blockN[BLOCK_SIZE]; -Index: krb5-1.7/src/lib/crypto/old/old_decrypt.c -=================================================================== ---- krb5-1.7.orig/src/lib/crypto/old/old_decrypt.c -+++ krb5-1.7/src/lib/crypto/old/old_decrypt.c -@@ -45,8 +45,10 @@ krb5_old_decrypt(const struct krb5_enc_p - blocksize = enc->block_size; - hashsize = hash->hashsize; - -+ /* Verify input and output lengths. */ -+ if (input->length < blocksize + hashsize || input->length % blocksize != 0) -+ return(KRB5_BAD_MSIZE); - plainsize = input->length - blocksize - hashsize; -- - if (arg_output->length < plainsize) - return(KRB5_BAD_MSIZE); - -Index: krb5-1.7/src/lib/crypto/raw/raw_decrypt.c -=================================================================== ---- krb5-1.7.orig/src/lib/crypto/raw/raw_decrypt.c -+++ krb5-1.7/src/lib/crypto/raw/raw_decrypt.c -@@ -34,5 +34,7 @@ krb5_raw_decrypt(const struct krb5_enc_p - const krb5_data *ivec, const krb5_data *input, - krb5_data *output) - { -- return((*(enc->decrypt))(key, ivec, input, output)); -+ if (output->length < input->length) -+ return KRB5_BAD_MSIZE; -+ return((*(enc->decrypt))(key, ivec, input, output)); - } -Index: krb5-1.7/src/lib/crypto/t_short.c -=================================================================== ---- /dev/null -+++ krb5-1.7/src/lib/crypto/t_short.c -@@ -0,0 +1,128 @@ -+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -+/* -+ * lib/crypto/crypto_tests/t_short.c -+ * -+ * Copyright (C) 2009 by the Massachusetts Institute of Technology. -+ * All rights reserved. -+ * -+ * Export of this software from the United States of America may -+ * require a specific license from the United States Government. -+ * It is the responsibility of any person or organization contemplating -+ * export to obtain such a license before exporting. -+ * -+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -+ * distribute this software and its documentation for any purpose and -+ * without fee is hereby granted, provided that the above copyright -+ * notice appear in all copies and that both that copyright notice and -+ * this permission notice appear in supporting documentation, and that -+ * the name of M.I.T. not be used in advertising or publicity pertaining -+ * to distribution of the software without specific, written prior -+ * permission. Furthermore if you modify this software you must label -+ * your software as modified software and not distribute it in such a -+ * fashion that it might be confused with the original M.I.T. software. -+ * M.I.T. makes no representations about the suitability of -+ * this software for any purpose. It is provided "as is" without express -+ * or implied warranty. -+ * -+ * Tests the outcome of decrypting overly short tokens. This program can be -+ * run under a tool like valgrind to detect bad memory accesses; when run -+ * normally by the test suite, it verifies that each operation returns -+ * KRB5_BAD_MSIZE. -+ */ -+ -+#include "k5-int.h" -+ -+ -+krb5_enctype interesting_enctypes[] = { -+ ENCTYPE_DES_CBC_CRC, -+ ENCTYPE_DES_CBC_MD4, -+ ENCTYPE_DES_CBC_MD5, -+ ENCTYPE_DES3_CBC_SHA1, -+ ENCTYPE_ARCFOUR_HMAC, -+ ENCTYPE_ARCFOUR_HMAC_EXP, -+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, -+ ENCTYPE_AES128_CTS_HMAC_SHA1_96, -+ 0 -+}; -+ -+/* Abort if an operation unexpectedly fails. */ -+static void -+x(krb5_error_code code) -+{ -+ if (code != 0) -+ abort(); -+} -+ -+/* Abort if a decrypt operation doesn't have the expected result. */ -+static void -+check_decrypt_result(krb5_error_code code, size_t len, size_t min_len) -+{ -+ if (len < min_len) { -+ /* Undersized tokens should always result in BAD_MSIZE. */ -+ if (code != KRB5_BAD_MSIZE) -+ abort(); -+ } else { -+ /* Min-size tokens should succeed or fail the integrity check. */ -+ if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY) -+ abort(); -+ } -+} -+ -+static void -+test_enctype(krb5_enctype enctype) -+{ -+ krb5_error_code ret; -+ krb5_keyblock keyblock; -+ krb5_enc_data input; -+ krb5_data output; -+ krb5_crypto_iov iov[2]; -+ unsigned int dummy; -+ size_t min_len, len; -+ -+ printf("Testing enctype %d\n", (int) enctype); -+ x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len)); -+ x(krb5_c_make_random_key(NULL, enctype, &keyblock)); -+ input.enctype = enctype; -+ -+ /* Try each length up to the minimum length. */ -+ for (len = 0; len <= min_len; len++) { -+ input.ciphertext.data = calloc(len, 1); -+ input.ciphertext.length = len; -+ output.data = calloc(len, 1); -+ output.length = len; -+ -+ /* Attempt a normal decryption. */ -+ ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output); -+ check_decrypt_result(ret, len, min_len); -+ -+ if (krb5_c_crypto_length(NULL, enctype, KRB5_CRYPTO_TYPE_HEADER, -+ &dummy) == 0) { -+ /* Attempt an IOV stream decryption. */ -+ iov[0].flags = KRB5_CRYPTO_TYPE_STREAM; -+ iov[0].data = input.ciphertext; -+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA; -+ iov[1].data.data = NULL; -+ iov[1].data.length = 0; -+ ret = krb5_c_decrypt_iov(NULL, &keyblock, 0, NULL, iov, 2); -+ check_decrypt_result(ret, len, min_len); -+ } -+ -+ free(input.ciphertext.data); -+ free(output.data); -+ } -+} -+ -+int -+main(int argc, char **argv) -+{ -+ int i; -+ krb5_data notrandom; -+ -+ notrandom.data = "notrandom"; -+ notrandom.length = 9; -+ krb5_c_random_seed(NULL, ¬random); -+ for (i = 0; interesting_enctypes[i]; i++) -+ test_enctype(interesting_enctypes[i]); -+ return 0; -+} -+ -Index: krb5-1.7/src/lib/crypto/deps -=================================================================== ---- krb5-1.7.orig/src/lib/crypto/deps -+++ krb5-1.7/src/lib/crypto/deps -@@ -463,6 +463,16 @@ t_encrypt.so t_encrypt.po $(OUTPRE)t_enc - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h etypes.h t_encrypt.c -+t_short.so t_short.po $(OUTPRE)t_short.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ -+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ -+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ -+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ -+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ -+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ -+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ -+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ -+ t_short.c - t_prf.so t_prf.po $(OUTPRE)t_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ -Index: krb5-1.7/src/lib/crypto/dk/dk_aead.c -=================================================================== ---- krb5-1.7.orig/src/lib/crypto/dk/dk_aead.c -+++ krb5-1.7/src/lib/crypto/dk/dk_aead.c -@@ -248,7 +248,7 @@ krb5int_dk_decrypt_iov(const struct krb5 - for (i = 0; i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; - -- if (ENCRYPT_DATA_IOV(iov)) -+ if (ENCRYPT_IOV(iov)) - cipherlen += iov->data.length; - } - -Index: krb5-1.7/src/lib/crypto/dk/dk_decrypt.c -=================================================================== ---- krb5-1.7.orig/src/lib/crypto/dk/dk_decrypt.c -+++ krb5-1.7/src/lib/crypto/dk/dk_decrypt.c -@@ -89,6 +89,12 @@ krb5_dk_decrypt_maybe_trunc_hmac(const s - else if (hmacsize > hashsize) - return KRB5KRB_AP_ERR_BAD_INTEGRITY; - -+ /* Verify input and output lengths. */ -+ if (input->length < blocksize + hmacsize) -+ return KRB5_BAD_MSIZE; -+ if (output->length < input->length - blocksize - hmacsize) -+ return KRB5_BAD_MSIZE; -+ - enclen = input->length - hmacsize; - - if ((kedata = (unsigned char *) malloc(keylength)) == NULL) diff --git a/krb5-1.7-manpaths.dif b/krb5-1.7-manpaths.dif index ab8e30e..a9c9e95 100644 --- a/krb5-1.7-manpaths.dif +++ b/krb5-1.7-manpaths.dif @@ -1,43 +1,9 @@ -Index: krb5-1.7/src/appl/bsd/klogind.M + +Index: krb5-1.8-alpha1/src/appl/sample/sserver/sserver.M =================================================================== ---- krb5-1.7.orig/src/appl/bsd/klogind.M -+++ krb5-1.7/src/appl/bsd/klogind.M -@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when - the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf - configuration line for \fIklogind\fP might be: - --klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c -+klogin stream tcp nowait root @mansbindir@/klogind klogind -e5c - - When a service request is received, the following protocol is initiated: - -Index: krb5-1.7/src/appl/bsd/kshd.M -=================================================================== ---- krb5-1.7.orig/src/appl/bsd/kshd.M -+++ krb5-1.7/src/appl/bsd/kshd.M -@@ -8,7 +8,7 @@ - .SH NAME - kshd \- kerberized remote shell server - .SH SYNOPSIS --.B /usr/local/sbin/kshd -+.B @mansbindir@/kshd - [ - .B \-kr45ec - ] -@@ -30,7 +30,7 @@ server is invoked by \fIinetd(8c)\fP whe - on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf - configuration line for \fIkrshd\fP might be: - --kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c -+kshell stream tcp nowait root @mansbindir@/kshd kshd -5c - - When a service request is received, the following protocol is initiated: - -Index: krb5-1.7/src/appl/sample/sserver/sserver.M -=================================================================== ---- krb5-1.7.orig/src/appl/sample/sserver/sserver.M -+++ krb5-1.7/src/appl/sample/sserver/sserver.M +--- krb5-1.8-alpha1.orig/src/appl/sample/sserver/sserver.M ++++ krb5-1.8-alpha1/src/appl/sample/sserver/sserver.M @@ -59,7 +59,7 @@ option allows for a different keytab tha using a line in /etc/inetd.conf that looks like this: @@ -47,23 +13,10 @@ Index: krb5-1.7/src/appl/sample/sserver/sserver.M .PP Since \fBsample\fP is normally not a port defined in /etc/services, you will usually have to add a line to /etc/services which looks like this: -Index: krb5-1.7/src/appl/telnet/telnetd/telnetd.8 +Index: krb5-1.8-alpha1/src/config-files/kdc.conf.M =================================================================== ---- krb5-1.7.orig/src/appl/telnet/telnetd/telnetd.8 -+++ krb5-1.7/src/appl/telnet/telnetd/telnetd.8 -@@ -37,7 +37,7 @@ telnetd \- - .SM DARPA TELNET - protocol server - .SH SYNOPSIS --.B /usr/libexec/telnetd -+.B @manlibexecdir@/telnetd - [\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP] - [\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP] - [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP] -Index: krb5-1.7/src/config-files/kdc.conf.M -=================================================================== ---- krb5-1.7.orig/src/config-files/kdc.conf.M -+++ krb5-1.7/src/config-files/kdc.conf.M +--- krb5-1.8-alpha1.orig/src/config-files/kdc.conf.M ++++ krb5-1.8-alpha1/src/config-files/kdc.conf.M @@ -82,14 +82,14 @@ This .B string specifies the location of the access control list (acl) file that @@ -81,7 +34,7 @@ Index: krb5-1.7/src/config-files/kdc.conf.M .IP database_name This -@@ -257,7 +257,7 @@ tickets should be checked against the tr +@@ -254,7 +254,7 @@ tickets should be checked against the tr realm names and the [capaths] section of its krb5.conf file .SH FILES @@ -90,12 +43,12 @@ Index: krb5-1.7/src/config-files/kdc.conf.M .SH SEE ALSO krb5.conf(5), krb5kdc(8) -Index: krb5-1.7/src/configure.in +Index: krb5-1.8-alpha1/src/configure.in =================================================================== ---- krb5-1.7.orig/src/configure.in -+++ krb5-1.7/src/configure.in -@@ -1041,6 +1041,69 @@ dnl - AC_CONFIG_SUBDIRS(appl/libpty appl/bsd appl/gssftp appl/telnet) +--- krb5-1.8-alpha1.orig/src/configure.in ++++ krb5-1.8-alpha1/src/configure.in +@@ -1052,6 +1052,58 @@ if test "$ac_cv_lib_socket" = "yes" -a " + fi AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) + @@ -118,18 +71,8 @@ Index: krb5-1.7/src/configure.in +AC_SUBST(manlocalstatedir) +AC_SUBST(manlibexecdir) +AC_OUTPUT([ -+ appl/bsd/klogind.M -+ appl/bsd/kshd.M -+ appl/bsd/login.M -+ appl/bsd/rcp.M -+ appl/bsd/rlogin.M -+ appl/bsd/rsh.M -+ appl/gssftp/ftpd/ftpd.M -+ appl/gssftp/ftp/ftp.M + appl/sample/sclient/sclient.M + appl/sample/sserver/sserver.M -+ appl/telnet/telnetd/telnetd.8 -+ appl/telnet/telnet/telnet.1 + clients/kcpytkt/kcpytkt.M + clients/kdeltkt/kdeltkt.M + clients/kdestroy/kdestroy.M @@ -147,7 +90,6 @@ Index: krb5-1.7/src/configure.in + kadmin/cli/kadmin.M + kadmin/dbutil/kdb5_util.M + kadmin/ktutil/ktutil.M -+ kadmin/passwd/kpasswd.M + kadmin/server/kadmind.M + kdc/krb5kdc.M + krb5-config.M @@ -164,11 +106,11 @@ Index: krb5-1.7/src/configure.in V5_AC_OUTPUT_MAKEFILE(. util util/support util/profile util/send-pr -Index: krb5-1.7/src/kadmin/cli/kadmin.M +Index: krb5-1.8-alpha1/src/kadmin/cli/kadmin.M =================================================================== ---- krb5-1.7.orig/src/kadmin/cli/kadmin.M -+++ krb5-1.7/src/kadmin/cli/kadmin.M -@@ -850,9 +850,9 @@ option is specified, less verbose status +--- krb5-1.8-alpha1.orig/src/kadmin/cli/kadmin.M ++++ krb5-1.8-alpha1/src/kadmin/cli/kadmin.M +@@ -869,9 +869,9 @@ option is specified, less verbose status .RS .TP EXAMPLE: @@ -180,7 +122,7 @@ Index: krb5-1.7/src/kadmin/cli/kadmin.M kadmin: .RE .fi -@@ -894,7 +894,7 @@ passwords. +@@ -913,7 +913,7 @@ passwords. .SH HISTORY The .B kadmin @@ -189,10 +131,10 @@ Index: krb5-1.7/src/kadmin/cli/kadmin.M OpenVision Kerberos administration program. .SH SEE ALSO .IR kerberos (1), -Index: krb5-1.7/src/slave/kprop.M +Index: krb5-1.8-alpha1/src/slave/kprop.M =================================================================== ---- krb5-1.7.orig/src/slave/kprop.M -+++ krb5-1.7/src/slave/kprop.M +--- krb5-1.8-alpha1.orig/src/slave/kprop.M ++++ krb5-1.8-alpha1/src/slave/kprop.M @@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv This is done by transmitting the dumped database file to the slave server over an encrypted, secure channel. The dump file must be created @@ -211,10 +153,10 @@ Index: krb5-1.7/src/slave/kprop.M .TP \fB\-P\fP \fIport\fP specifies the port to use to contact the -Index: krb5-1.7/src/slave/kpropd.M +Index: krb5-1.8-alpha1/src/slave/kpropd.M =================================================================== ---- krb5-1.7.orig/src/slave/kpropd.M -+++ krb5-1.7/src/slave/kpropd.M +--- krb5-1.8-alpha1.orig/src/slave/kpropd.M ++++ krb5-1.8-alpha1/src/slave/kpropd.M @@ -74,7 +74,7 @@ Normally, kpropd is invoked out of This is done by adding a line to the inetd.conf file which looks like this: @@ -222,7 +164,7 @@ Index: krb5-1.7/src/slave/kpropd.M -kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd +kprop stream tcp nowait root @mansbindir@/kpropd kpropd - However, kpropd can also run as a standalone deamon, if the + However, kpropd can also run as a standalone daemon, if the .B \-S @@ -111,13 +111,13 @@ is used. \fB\-f\fP \fIfile\fP diff --git a/krb5-1.7-manpaths.txt b/krb5-1.7-manpaths.txt index a85dcae..d6df93e 100644 --- a/krb5-1.7-manpaths.txt +++ b/krb5-1.7-manpaths.txt @@ -1,15 +1,5 @@ -appl/bsd/klogind.M -appl/bsd/kshd.M -appl/bsd/login.M -appl/bsd/rcp.M -appl/bsd/rlogin.M -appl/bsd/rsh.M -appl/gssftp/ftpd/ftpd.M -appl/gssftp/ftp/ftp.M appl/sample/sclient/sclient.M appl/sample/sserver/sserver.M -appl/telnet/telnetd/telnetd.8 -appl/telnet/telnet/telnet.1 clients/kcpytkt/kcpytkt.M clients/kdeltkt/kdeltkt.M clients/kdestroy/kdestroy.M @@ -27,7 +17,6 @@ kadmin/cli/kadmin.local.M kadmin/cli/kadmin.M kadmin/dbutil/kdb5_util.M kadmin/ktutil/ktutil.M -kadmin/passwd/kpasswd.M kadmin/server/kadmind.M kdc/krb5kdc.M krb5-config.M diff --git a/krb5-1.7.tar.bz2 b/krb5-1.7.tar.bz2 deleted file mode 100644 index 9efcda8..0000000 --- a/krb5-1.7.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2043f38c46a9721cfab28f0fdf876af17d542cab458a87d0324783189e9570cd -size 10407001 diff --git a/krb5-1.8-POST.dif b/krb5-1.8-POST.dif new file mode 100644 index 0000000..0db3bf7 --- /dev/null +++ b/krb5-1.8-POST.dif @@ -0,0 +1,315 @@ +Index: doc/admin.texinfo +=================================================================== +--- doc/admin.texinfo.orig ++++ doc/admin.texinfo +@@ -516,13 +516,6 @@ DCE do not support the default cache as + Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on + DCE 1.1 systems. The default value is @value{DefaultCcacheType}. + +-@ignore +-@itemx tkt_lifetime +-The default lifetime of a ticket. The default is +-@value{DefaultTktLifetime}. This is currently not supported by the +-code. +-@end ignore +- + @itemx dns_lookup_kdc + Indicate whether DNS SRV records should be used to locate the KDCs and + other servers for a realm, if they are not listed in the information for +@@ -583,6 +576,11 @@ If this flag is set, then an attempt to + fail if the client machine does not have a keytab. The default for the + flag is @value{DefaultVerifyApReqNofail}. + ++@itemx ticket_lifetime ++The value of this tag is the default lifetime for ++initial tickets. The default value for the tag is ++@value{DefaultTktLifetime}. ++ + @itemx renew_lifetime + The value of this tag is the default renewable lifetime for + initial tickets. The default value for the tag is +Index: src/include/krb5/krb5.hin +=================================================================== +--- src/include/krb5/krb5.hin.orig ++++ src/include/krb5/krb5.hin +@@ -1066,7 +1066,7 @@ krb5_verify_checksum(krb5_context contex + #define KRB5_AUTHDATA_SESAME 65 + #define KRB5_AUTHDATA_WIN2K_PAC 128 + #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */ +-#define KRB5_AUTHDATA_SIGNTICKET 142 ++#define KRB5_AUTHDATA_SIGNTICKET 512 /* formerly 142 in krb5 1.8 */ + #define KRB5_AUTHDATA_FX_ARMOR 71 + /* password change constants */ + +@@ -1184,6 +1184,19 @@ typedef struct _krb5_pa_data { + krb5_octet *contents; + } krb5_pa_data; + ++/* typed data */ ++/* ++ * The FAST error handling logic currently assumes that this structure and ++ * krb5_pa_data * can be safely cast to each other if this structure changes, ++ * that code needs to be updated to copy. ++ */ ++typedef struct _krb5_typed_data { ++ krb5_magic magic; ++ krb5_int32 type; ++ unsigned int length; ++ krb5_octet *data; ++} krb5_typed_data; ++ + typedef struct _krb5_kdc_req { + krb5_magic magic; + krb5_msgtype msg_type; /* AS_REQ or TGS_REQ? */ +Index: src/include/k5-int-pkinit.h +=================================================================== +--- src/include/k5-int-pkinit.h.orig ++++ src/include/k5-int-pkinit.h +@@ -101,17 +101,6 @@ typedef struct _krb5_trusted_ca { + } u; + } krb5_trusted_ca; + +-/* typed data */ +-/* The FAST error handling logic currently assumes that this structure and krb5_pa_data * can be safely cast to each other +- * if this structure changes, that code needs to be updated to copy. +- */ +-typedef struct _krb5_typed_data { +- krb5_magic magic; +- krb5_int32 type; +- unsigned int length; +- krb5_octet *data; +-} krb5_typed_data; +- + /* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */ + typedef struct _krb5_pa_pk_as_req_draft9 { + krb5_octet_data signedAuthPack; +Index: src/kdc/kdc_authdata.c +=================================================================== +--- src/kdc/kdc_authdata.c.orig ++++ src/kdc/kdc_authdata.c +@@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context contex + enc_sp.length = sp_authdata[0]->length; + + code = decode_krb5_ad_signedpath(&enc_sp, &sp); +- if (code != 0) ++ if (code != 0) { ++ /* Treat an invalid signedpath authdata element as a missing one, since ++ * we believe MS is using the same number for something else. */ ++ code = 0; + goto cleanup; ++ } + + code = verify_ad_signedpath_checksum(context, + krbtgt, +Index: src/kdc/do_tgs_req.c +=================================================================== +--- src/kdc/do_tgs_req.c.orig ++++ src/kdc/do_tgs_req.c +@@ -1215,6 +1215,7 @@ prep_reprocess_req(krb5_kdc_req *request + strlcpy(comp1_str,comp1->data,comp1->length+1); + + if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST || ++ krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST || + (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN && + kdc_active_realm->realm_host_based_services != NULL && + (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, +Index: src/clients/kpasswd/kpasswd.c +=================================================================== +--- src/clients/kpasswd/kpasswd.c.orig ++++ src/clients/kpasswd/kpasswd.c +@@ -47,7 +47,7 @@ int main(int argc, char *argv[]) + { + krb5_error_code ret; + krb5_context context; +- krb5_principal princ; ++ krb5_principal princ = NULL; + char *pname; + krb5_ccache ccache; + krb5_get_init_creds_opt *opts = NULL; +@@ -84,23 +84,27 @@ int main(int argc, char *argv[]) + com_err(argv[0], ret, "parsing client name"); + exit(1); + } +- } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) { +- if (ret) { ++ } else { ++ ret = krb5_cc_default(context, &ccache); ++ if (ret != 0) { + com_err(argv[0], ret, "opening default ccache"); + exit(1); + } + +- if ((ret = krb5_cc_get_principal(context, ccache, &princ))) { ++ ret = krb5_cc_get_principal(context, ccache, &princ); ++ if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) { + com_err(argv[0], ret, "getting principal from ccache"); + exit(1); + } + +- if ((ret = krb5_cc_close(context, ccache))) { ++ ret = krb5_cc_close(context, ccache); ++ if (ret != 0) { + com_err(argv[0], ret, "closing ccache"); + exit(1); + } +- } else { +- get_name_from_passwd_file(argv[0], context, &princ); ++ ++ if (princ == NULL) ++ get_name_from_passwd_file(argv[0], context, &princ); + } + + if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) { +Index: src/config-files/krb5.conf.M +=================================================================== +--- src/config-files/krb5.conf.M.orig ++++ src/config-files/krb5.conf.M +@@ -220,6 +220,10 @@ If this flag is set, then an attempt to + fail if the client machine does not have a keytab. The default for the + flag is false. + ++.IP ticket_lifetime ++The value of this tag is the default lifetime for initial tickets. The ++default value for the tag is 1 day (1d). ++ + .IP renew_lifetime + The value of this tag is the default renewable lifetime for initial + tickets. The default value for the tag is 0. +Index: src/lib/gssapi/spnego/spnego_mech.c +=================================================================== +--- src/lib/gssapi/spnego/spnego_mech.c.orig ++++ src/lib/gssapi/spnego/spnego_mech.c +@@ -1693,6 +1693,7 @@ cleanup: + if (sc->internal_name != GSS_C_NO_NAME && + src_name != NULL) { + *src_name = sc->internal_name; ++ sc->internal_name = GSS_C_NO_NAME; + } + release_spnego_ctx(&sc); + } else if (ret != GSS_S_CONTINUE_NEEDED) { +@@ -2578,6 +2579,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t * + (void) generic_gss_release_oid(&minor_stat, + &context->internal_mech); + ++ (void) gss_release_name(&minor_stat, &context->internal_name); ++ + if (context->optionStr != NULL) { + free(context->optionStr); + context->optionStr = NULL; +Index: src/lib/kadm5/srv/svr_principal.c +=================================================================== +--- src/lib/kadm5/srv/svr_principal.c.orig ++++ src/lib/kadm5/srv/svr_principal.c +@@ -858,8 +858,8 @@ kadm5_get_principal(void *server_handle, + if (! (mask & KADM5_MOD_TIME)) + entry->mod_date = 0; + if (! (mask & KADM5_MOD_NAME)) { +- krb5_free_principal(handle->context, entry->principal); +- entry->principal = NULL; ++ krb5_free_principal(handle->context, entry->mod_name); ++ entry->mod_name = NULL; + } + } + +@@ -871,10 +871,12 @@ kadm5_get_principal(void *server_handle, + if (kdb.key_data[i].key_data_kvno > entry->kvno) + entry->kvno = kdb.key_data[i].key_data_kvno; + +- ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, +- &entry->mkvno); +- if (ret) +- goto done; ++ if (mask & KADM5_MKVNO) { ++ ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, ++ &entry->mkvno); ++ if (ret) ++ goto done; ++ } + + if (mask & KADM5_MAX_RLIFE) + entry->max_renewable_life = kdb.max_renewable_life; +Index: src/lib/krb5/os/changepw.c +=================================================================== +--- src/lib/krb5/os/changepw.c.orig ++++ src/lib/krb5/os/changepw.c +@@ -65,20 +65,23 @@ locate_kpasswd(krb5_context context, con + int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM); + + code = krb5int_locate_server (context, realm, addrlist, +- locate_service_kpasswd, sockType, AF_INET); ++ locate_service_kpasswd, sockType, AF_UNSPEC); + + if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) { + code = krb5int_locate_server (context, realm, addrlist, + locate_service_kadmin, SOCK_STREAM, +- AF_INET); ++ AF_UNSPEC); + if (!code) { + /* Success with admin_server but now we need to change the + port number to use DEFAULT_KPASSWD_PORT and the socktype. */ + size_t i; + for (i=0; inaddrs; i++) { + struct addrinfo *a = addrlist->addrs[i].ai; ++ krb5_ui_2 kpasswd_port = htons(DEFAULT_KPASSWD_PORT); + if (a->ai_family == AF_INET) +- sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT); ++ sa2sin (a->ai_addr)->sin_port = kpasswd_port; ++ if (a->ai_family == AF_INET6) ++ sa2sin6 (a->ai_addr)->sin6_port = kpasswd_port; + if (sockType != SOCK_STREAM) + a->ai_socktype = sockType; + } +@@ -131,10 +134,16 @@ kpasswd_sendto_msg_callback(struct conn_ + /* some brain-dead OS's don't return useful information from + * the getsockname call. Namely, windows and solaris. */ + +- if (ss2sin(&local_addr)->sin_addr.s_addr != 0) { ++ if (local_addr.ss_family == AF_INET && ++ ss2sin(&local_addr)->sin_addr.s_addr != 0) { + local_kaddr.addrtype = ADDRTYPE_INET; + local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr); + local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr; ++ } else if (local_addr.ss_family == AF_INET6 && ++ ss2sin6(&local_addr)->sin6_addr.s6_addr != 0) { ++ local_kaddr.addrtype = ADDRTYPE_INET6; ++ local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr); ++ local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr; + } else { + krb5_address **addrs; + +@@ -290,9 +299,19 @@ change_set_password(krb5_context context + break; + } + +- remote_kaddr.addrtype = ADDRTYPE_INET; +- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); +- remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; ++ if (remote_addr.ss_family == AF_INET) { ++ remote_kaddr.addrtype = ADDRTYPE_INET; ++ remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); ++ remote_kaddr.contents = ++ (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; ++ } else if (remote_addr.ss_family == AF_INET6) { ++ remote_kaddr.addrtype = ADDRTYPE_INET6; ++ remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr); ++ remote_kaddr.contents = ++ (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr; ++ } else { ++ break; ++ } + + if ((code = krb5_auth_con_setaddrs(callback_ctx.context, + callback_ctx.auth_context, +Index: src/lib/krb5/krb/gic_pwd.c +=================================================================== +--- src/lib/krb5/krb/gic_pwd.c.orig ++++ src/lib/krb5/krb/gic_pwd.c +@@ -218,7 +218,7 @@ krb5_get_init_creds_password(krb5_contex + * to prompt. Prompting is only disabled if the option has been set + * and the value has been set to false. + */ +- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) ++ if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) + goto cleanup; + + /* ok, we have an expired password. Give the user a few chances diff --git a/krb5-1.7-rpmlintrc b/krb5-1.8-rpmlintrc similarity index 100% rename from krb5-1.7-rpmlintrc rename to krb5-1.8-rpmlintrc diff --git a/krb5-1.8.tar.bz2 b/krb5-1.8.tar.bz2 new file mode 100644 index 0000000..771b1d5 --- /dev/null +++ b/krb5-1.8.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:10890ef19905e36e99d82cbe7caa6e8b0875b2a304f9a9e2d05137c87aff8212 +size 9958816 diff --git a/krb5-doc-1.7-rpmlintrc b/krb5-doc-1.8-rpmlintrc similarity index 100% rename from krb5-doc-1.7-rpmlintrc rename to krb5-doc-1.8-rpmlintrc diff --git a/krb5-doc.changes b/krb5-doc.changes index 7aeb8cb..7ac797d 100644 --- a/krb5-doc.changes +++ b/krb5-doc.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Tue Mar 23 12:38:29 CET 2010 - mc@suse.de + +- add post 1.8 fixes + * Document the ticket_lifetime libdefaults setting + +------------------------------------------------------------------- +Thu Mar 4 11:45:22 CET 2010 - mc@suse.de + +- update to version 1.8 + ------------------------------------------------------------------- Wed Jun 3 10:47:07 CEST 2009 - mc@suse.de diff --git a/krb5-doc.spec b/krb5-doc.spec index 79b2313..eea2ee1 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -1,5 +1,5 @@ # -# spec file for package krb5-doc (Version 1.7) +# spec file for package krb5-doc (Version 1.8) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -20,18 +20,18 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive -Version: 1.7 -Release: 7 -%define srcRoot krb5-1.7 +Version: 1.8 +Release: 1 +%define srcRoot krb5-1.8 Summary: MIT Kerberos5 Implementation--Documentation License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ Group: Documentation/Other -Source: krb5-%{version}.tar.bz2 -Source1: README.Source +Source: krb5-1.8.tar.bz2 Source3: %{name}-%{version}-rpmlintrc Patch0: krb5-1.3.5-perlfix.dif Patch1: krb5-1.6.3-texi2dvi-fix.dif +Patch2: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch @@ -54,6 +54,7 @@ Authors: %setup -n %{srcRoot} %patch0 %patch1 +%patch2 %build diff --git a/krb5-mini.changes b/krb5-mini.changes index 9f3fded..bf323bc 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,11 +1,43 @@ ------------------------------------------------------------------- -Thu Jan 7 11:45:14 CET 2010 - mc@suse.de +Tue Mar 23 12:33:26 CET 2010 - mc@suse.de +- add post 1.8 fixes + * Add IPv6 support to changepw.c + * fix two problems in kadm5_get_principal mask handling + * Ignore improperly encoded signedpath AD elements + * handle NT_SRV_INST in service principal referrals + * dereference options while checking + KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT + * Fix the kpasswd fallback from the ccache principal name + * Document the ticket_lifetime libdefaults setting + * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 + +------------------------------------------------------------------- +Thu Mar 4 10:42:29 CET 2010 - mc@suse.de + +- update to version 1.8 + * Increase code quality + * Move toward improved KDB interface + * Investigate and remedy repeatedly-reported performance + bottlenecks. + * Reduce DNS dependence by implementing an interface that allows + client library to track whether a KDC supports service + principal referrals. + * Disable DES by default + * Account lockout for repeated login failures + * Bridge layer to allow Heimdal HDB modules to act as KDB + backend modules + * FAST enhancements + * Microsoft Services for User (S4U) compatibility + * Anonymous PKINIT +- fix KDC denial of service + CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781) - fix KDC denial of service in cross-realm referral processing CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347) - fix integer underflow in AES and RC4 decryption - CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) - + CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) +- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl + ------------------------------------------------------------------- Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de diff --git a/krb5-mini.spec b/krb5-mini.spec index c305dc6..b4867f2 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -1,5 +1,5 @@ # -# spec file for package krb5-mini (Version 1.7) +# spec file for package krb5 (Version 1.8) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -18,7 +18,7 @@ # norootforbuild %define build_mini 1 -%define srcRoot krb5-1.7 +%define srcRoot krb5-1.8 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -27,8 +27,8 @@ License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.7 -Release: 7 +Version: 1.8 +Release: 1 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel # bug437293 @@ -42,25 +42,20 @@ Group: Productivity/Networking/Security Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.7.tar.bz2 +Source: krb5-1.8.tar.bz2 Source1: vendor-files.tar.bz2 -Source2: README.Source -Source3: spx.c -Source4: baselibs.conf +Source2: baselibs.conf Source5: krb5-%{version}-rpmlintrc Source10: krb5-1.7-manpaths.txt Patch2: krb5-1.6.1-compile_pie.dif Patch20: krb5-1.6.3-kprop-use-mkstemp.dif -Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif -Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif Patch30: krb5-1.7-manpaths.dif Patch32: krb5-1.4.3-enospc.dif Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif -Patch47: krb5-1.7-MITKRB5-SA-2009-003.dif -Patch48: krb5-1.7-MITKRB5-SA-2009-004.dif +Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -117,46 +112,6 @@ and more. -Authors: --------- - The MIT Kerberos Team - Sam Hartman - Ken Raeburn - Tom Yu - -%package apps-servers -License: MIT License (or similar) -Summary: MIT Kerberos5 server applications -Group: Productivity/Networking/Security - -%description apps-servers -Kerberos V5 is a trusted-third-party network authentication system, -which can improve your network's security by eliminating the insecure -practice of cleartext passwords. This package includes some kerberos -compatible server applications like ftpd, klogind, telnetd, ... - - - -Authors: --------- - The MIT Kerberos Team - Sam Hartman - Ken Raeburn - Tom Yu - -%package apps-clients -License: MIT License (or similar) -Summary: MIT Kerberos5 client applications -Group: Productivity/Networking/Security - -%description apps-clients -Kerberos V5 is a trusted-third-party network authentication system, -which can improve your network's security by eliminating the insecure -practice of cleartext passwords. This package includes some kerberos -compatible client applications like ftp, rpc, rlogin, telnet, ... - - - Authors: -------- The MIT Kerberos Team @@ -240,25 +195,15 @@ Authors: %prep %setup -q -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot} -if [ -e %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c ] -then - echo "spx.c contains potential legal risks." - exit 1; -else - cp %{SOURCE3} %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c -fi %patch2 %patch20 -%patch21 -%patch22 %patch30 -p1 %patch32 -p1 %patch34 -p1 %patch41 %patch44 -p1 %patch46 -p1 -%patch47 -p1 -%patch48 -p1 +%patch50 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do @@ -319,12 +264,6 @@ install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.c install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind -for n in ftpd.8 telnetd.8; do - mv %{buildroot}%{_mandir}/man8/${n} %{buildroot}%{_mandir}/man8/k${n} -done -for n in ftp.1 rlogin.1 rcp.1 rsh.1 telnet.1; do - mv %{buildroot}%{_mandir}/man1/${n} %{buildroot}%{_mandir}/man1/k${n} -done # all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` do @@ -337,12 +276,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/init.d install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd -# install xinetd files -mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d -install -m 644 %{vendorFiles}/klogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/klogin -install -m 644 %{vendorFiles}/eklogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/eklogin -install -m 644 %{vendorFiles}/krb5-telnet.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/ktelnet -install -m 644 %{vendorFiles}/kshell.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/kshell # install logrotate files mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server @@ -421,7 +354,9 @@ rm -rf %{buildroot} %dir /usr/lib/mit/sbin %{_libdir}/libgssrpc.so %{_libdir}/libk5crypto.so +%{_libdir}/libkadm5clnt_mit.so %{_libdir}/libkadm5clnt.so +%{_libdir}/libkadm5srv_mit.so %{_libdir}/libkadm5srv.so %{_libdir}/libkdb5.so %{_libdir}/libkrb5.so @@ -455,17 +390,13 @@ rm -rf %{buildroot} %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict -%config(noreplace) %{_sysconfdir}/xinetd.d/klogin -%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin -%config(noreplace) %{_sysconfdir}/xinetd.d/kshell -%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* %{_sysconfdir}/init.d/* %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* -%{_libdir}/libkadm5clnt.so.* -%{_libdir}/libkadm5srv.so.* +%{_libdir}/libkadm5clnt_mit.so.* +%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkdb5.so.* %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* @@ -479,15 +410,10 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc -/usr/lib/mit/sbin/ftpd -/usr/lib/mit/sbin/klogind -/usr/lib/mit/sbin/kshd -/usr/lib/mit/sbin/telnetd /usr/lib/mit/sbin/uuserver /usr/lib/mit/sbin/sserver /usr/lib/mit/sbin/gss-server /usr/lib/mit/sbin/sim_server -/usr/lib/mit/sbin/login.krb5 /usr/lib/mit/bin/k5srvutil /usr/lib/mit/bin/kvno /usr/lib/mit/bin/kinit @@ -497,16 +423,10 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kadmin /usr/lib/mit/bin/ktutil %attr(0755,root,root) /usr/lib/mit/bin/ksu -/usr/lib/mit/bin/rcp -/usr/lib/mit/bin/rsh -/usr/lib/mit/bin/telnet /usr/lib/mit/bin/uuclient /usr/lib/mit/bin/sclient /usr/lib/mit/bin/gss-client /usr/lib/mit/bin/sim_client -/usr/lib/mit/bin/ftp -/usr/lib/mit/bin/rlogin -#/usr/lib/mit/bin/* /usr/bin/kinit /usr/bin/klist /usr/bin/rc* @@ -517,12 +437,7 @@ rm -rf %{buildroot} %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* %{_mandir}/man1/kerberos.1* -%{_mandir}/man1/kftp.1* -%{_mandir}/man1/krlogin.1* -%{_mandir}/man1/krsh.1* -%{_mandir}/man1/ktelnet.1* %{_mandir}/man1/ksu.1* -%{_mandir}/man1/krcp.1* %{_mandir}/man1/sclient.1* %{_mandir}/man1/kadmin.1* %{_mandir}/man1/ktutil.1* @@ -549,8 +464,8 @@ rm -rf %{buildroot} %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* -%{_libdir}/libkadm5clnt.so.* -%{_libdir}/libkadm5srv.so.* +%{_libdir}/libkadm5clnt_mit.so.* +%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkdb5.so.* %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* @@ -582,6 +497,10 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc +/usr/lib/mit/sbin/gss-server +/usr/lib/mit/sbin/sim_server +/usr/lib/mit/sbin/sserver +/usr/lib/mit/sbin/uuserver %{_libdir}/krb5/plugins/kdb/db2.so %{_mandir}/man5/kdc.conf.5* %{_mandir}/man8/kadmind.8* @@ -591,6 +510,7 @@ rm -rf %{buildroot} %{_mandir}/man8/kproplog.8.gz %{_mandir}/man8/kdb5_util.8* %{_mandir}/man8/krb5kdc.8* +%{_mandir}/man8/sserver.8* %files client %defattr(-,root,root) @@ -605,6 +525,11 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kadmin /usr/lib/mit/bin/ktutil /usr/lib/mit/bin/k5srvutil +/usr/lib/mit/bin/gss-client +/usr/lib/mit/bin/ksu +/usr/lib/mit/bin/sclient +/usr/lib/mit/bin/sim_client +/usr/lib/mit/bin/uuclient /usr/bin/kinit /usr/bin/klist %{_mandir}/man1/kvno.1* @@ -618,53 +543,8 @@ rm -rf %{buildroot} %{_mandir}/man1/k5srvutil.1* %{_mandir}/man5/krb5.conf.5* %{_mandir}/man5/.k5login.5* - -%files apps-servers -%defattr(-,root,root) -%config(noreplace) %{_sysconfdir}/xinetd.d/klogin -%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin -%config(noreplace) %{_sysconfdir}/xinetd.d/kshell -%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet -%dir /usr/lib/mit -%dir /usr/lib/mit/sbin -/usr/lib/mit/sbin/ftpd -/usr/lib/mit/sbin/klogind -/usr/lib/mit/sbin/kshd -/usr/lib/mit/sbin/telnetd -/usr/lib/mit/sbin/uuserver -/usr/lib/mit/sbin/sserver -/usr/lib/mit/sbin/gss-server -/usr/lib/mit/sbin/sim_server -/usr/lib/mit/sbin/login.krb5 -%{_mandir}/man8/kftpd.8* -%{_mandir}/man8/klogind.8* -%{_mandir}/man8/kshd.8* -%{_mandir}/man8/ktelnetd.8* -%{_mandir}/man8/sserver.8* -%{_mandir}/man8/login.krb5.8* - -%files apps-clients -%defattr(-,root,root) -%dir /usr/lib/mit -%dir /usr/lib/mit/bin -/usr/lib/mit/bin/ftp -/usr/lib/mit/bin/rlogin -# removed SUID bit, we will rely on su + pam_krb -%attr(0755,root,root) /usr/lib/mit/bin/ksu -/usr/lib/mit/bin/rcp -/usr/lib/mit/bin/rsh -/usr/lib/mit/bin/telnet -/usr/lib/mit/bin/uuclient -/usr/lib/mit/bin/sclient -/usr/lib/mit/bin/gss-client -/usr/lib/mit/bin/sim_client -%{_mandir}/man1/kftp.1* -%{_mandir}/man1/krlogin.1* -%{_mandir}/man1/krsh.1* -%{_mandir}/man1/ktelnet.1* -%{_mandir}/man1/ksu.1* -%{_mandir}/man1/krcp.1* -%{_mandir}/man1/sclient.1* +%{_mandir}/man1/ksu.1.gz +%{_mandir}/man1/sclient.1.gz %files plugin-kdb-ldap %defattr(-,root,root) diff --git a/krb5.changes b/krb5.changes index 9f3fded..bf323bc 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,11 +1,43 @@ ------------------------------------------------------------------- -Thu Jan 7 11:45:14 CET 2010 - mc@suse.de +Tue Mar 23 12:33:26 CET 2010 - mc@suse.de +- add post 1.8 fixes + * Add IPv6 support to changepw.c + * fix two problems in kadm5_get_principal mask handling + * Ignore improperly encoded signedpath AD elements + * handle NT_SRV_INST in service principal referrals + * dereference options while checking + KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT + * Fix the kpasswd fallback from the ccache principal name + * Document the ticket_lifetime libdefaults setting + * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 + +------------------------------------------------------------------- +Thu Mar 4 10:42:29 CET 2010 - mc@suse.de + +- update to version 1.8 + * Increase code quality + * Move toward improved KDB interface + * Investigate and remedy repeatedly-reported performance + bottlenecks. + * Reduce DNS dependence by implementing an interface that allows + client library to track whether a KDC supports service + principal referrals. + * Disable DES by default + * Account lockout for repeated login failures + * Bridge layer to allow Heimdal HDB modules to act as KDB + backend modules + * FAST enhancements + * Microsoft Services for User (S4U) compatibility + * Anonymous PKINIT +- fix KDC denial of service + CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781) - fix KDC denial of service in cross-realm referral processing CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347) - fix integer underflow in AES and RC4 decryption - CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) - + CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) +- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl + ------------------------------------------------------------------- Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de diff --git a/krb5.spec b/krb5.spec index 549b327..68c13d9 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1,5 +1,5 @@ # -# spec file for package krb5 (Version 1.7) +# spec file for package krb5 (Version 1.8) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -18,7 +18,7 @@ # norootforbuild %define build_mini 0 -%define srcRoot krb5-1.7 +%define srcRoot krb5-1.8 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -27,8 +27,8 @@ License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.7 -Release: 7 +Version: 1.8 +Release: 1 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel # bug437293 @@ -42,25 +42,20 @@ Group: Productivity/Networking/Security Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.7.tar.bz2 +Source: krb5-1.8.tar.bz2 Source1: vendor-files.tar.bz2 -Source2: README.Source -Source3: spx.c -Source4: baselibs.conf +Source2: baselibs.conf Source5: krb5-%{version}-rpmlintrc Source10: krb5-1.7-manpaths.txt Patch2: krb5-1.6.1-compile_pie.dif Patch20: krb5-1.6.3-kprop-use-mkstemp.dif -Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif -Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif Patch30: krb5-1.7-manpaths.dif Patch32: krb5-1.4.3-enospc.dif Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif -Patch47: krb5-1.7-MITKRB5-SA-2009-003.dif -Patch48: krb5-1.7-MITKRB5-SA-2009-004.dif +Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -117,46 +112,6 @@ and more. -Authors: --------- - The MIT Kerberos Team - Sam Hartman - Ken Raeburn - Tom Yu - -%package apps-servers -License: MIT License (or similar) -Summary: MIT Kerberos5 server applications -Group: Productivity/Networking/Security - -%description apps-servers -Kerberos V5 is a trusted-third-party network authentication system, -which can improve your network's security by eliminating the insecure -practice of cleartext passwords. This package includes some kerberos -compatible server applications like ftpd, klogind, telnetd, ... - - - -Authors: --------- - The MIT Kerberos Team - Sam Hartman - Ken Raeburn - Tom Yu - -%package apps-clients -License: MIT License (or similar) -Summary: MIT Kerberos5 client applications -Group: Productivity/Networking/Security - -%description apps-clients -Kerberos V5 is a trusted-third-party network authentication system, -which can improve your network's security by eliminating the insecure -practice of cleartext passwords. This package includes some kerberos -compatible client applications like ftp, rpc, rlogin, telnet, ... - - - Authors: -------- The MIT Kerberos Team @@ -240,25 +195,15 @@ Authors: %prep %setup -q -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot} -if [ -e %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c ] -then - echo "spx.c contains potential legal risks." - exit 1; -else - cp %{SOURCE3} %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c -fi %patch2 %patch20 -%patch21 -%patch22 %patch30 -p1 %patch32 -p1 %patch34 -p1 %patch41 %patch44 -p1 %patch46 -p1 -%patch47 -p1 -%patch48 -p1 +%patch50 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do @@ -319,12 +264,6 @@ install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.c install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind -for n in ftpd.8 telnetd.8; do - mv %{buildroot}%{_mandir}/man8/${n} %{buildroot}%{_mandir}/man8/k${n} -done -for n in ftp.1 rlogin.1 rcp.1 rsh.1 telnet.1; do - mv %{buildroot}%{_mandir}/man1/${n} %{buildroot}%{_mandir}/man1/k${n} -done # all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` do @@ -337,12 +276,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/init.d install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd -# install xinetd files -mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d -install -m 644 %{vendorFiles}/klogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/klogin -install -m 644 %{vendorFiles}/eklogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/eklogin -install -m 644 %{vendorFiles}/krb5-telnet.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/ktelnet -install -m 644 %{vendorFiles}/kshell.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/kshell # install logrotate files mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server @@ -421,7 +354,9 @@ rm -rf %{buildroot} %dir /usr/lib/mit/sbin %{_libdir}/libgssrpc.so %{_libdir}/libk5crypto.so +%{_libdir}/libkadm5clnt_mit.so %{_libdir}/libkadm5clnt.so +%{_libdir}/libkadm5srv_mit.so %{_libdir}/libkadm5srv.so %{_libdir}/libkdb5.so %{_libdir}/libkrb5.so @@ -455,17 +390,13 @@ rm -rf %{buildroot} %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict -%config(noreplace) %{_sysconfdir}/xinetd.d/klogin -%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin -%config(noreplace) %{_sysconfdir}/xinetd.d/kshell -%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* %{_sysconfdir}/init.d/* %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* -%{_libdir}/libkadm5clnt.so.* -%{_libdir}/libkadm5srv.so.* +%{_libdir}/libkadm5clnt_mit.so.* +%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkdb5.so.* %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* @@ -479,15 +410,10 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc -/usr/lib/mit/sbin/ftpd -/usr/lib/mit/sbin/klogind -/usr/lib/mit/sbin/kshd -/usr/lib/mit/sbin/telnetd /usr/lib/mit/sbin/uuserver /usr/lib/mit/sbin/sserver /usr/lib/mit/sbin/gss-server /usr/lib/mit/sbin/sim_server -/usr/lib/mit/sbin/login.krb5 /usr/lib/mit/bin/k5srvutil /usr/lib/mit/bin/kvno /usr/lib/mit/bin/kinit @@ -497,16 +423,10 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kadmin /usr/lib/mit/bin/ktutil %attr(0755,root,root) /usr/lib/mit/bin/ksu -/usr/lib/mit/bin/rcp -/usr/lib/mit/bin/rsh -/usr/lib/mit/bin/telnet /usr/lib/mit/bin/uuclient /usr/lib/mit/bin/sclient /usr/lib/mit/bin/gss-client /usr/lib/mit/bin/sim_client -/usr/lib/mit/bin/ftp -/usr/lib/mit/bin/rlogin -#/usr/lib/mit/bin/* /usr/bin/kinit /usr/bin/klist /usr/bin/rc* @@ -517,12 +437,7 @@ rm -rf %{buildroot} %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* %{_mandir}/man1/kerberos.1* -%{_mandir}/man1/kftp.1* -%{_mandir}/man1/krlogin.1* -%{_mandir}/man1/krsh.1* -%{_mandir}/man1/ktelnet.1* %{_mandir}/man1/ksu.1* -%{_mandir}/man1/krcp.1* %{_mandir}/man1/sclient.1* %{_mandir}/man1/kadmin.1* %{_mandir}/man1/ktutil.1* @@ -549,8 +464,8 @@ rm -rf %{buildroot} %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* -%{_libdir}/libkadm5clnt.so.* -%{_libdir}/libkadm5srv.so.* +%{_libdir}/libkadm5clnt_mit.so.* +%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkdb5.so.* %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* @@ -582,6 +497,10 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc +/usr/lib/mit/sbin/gss-server +/usr/lib/mit/sbin/sim_server +/usr/lib/mit/sbin/sserver +/usr/lib/mit/sbin/uuserver %{_libdir}/krb5/plugins/kdb/db2.so %{_mandir}/man5/kdc.conf.5* %{_mandir}/man8/kadmind.8* @@ -591,6 +510,7 @@ rm -rf %{buildroot} %{_mandir}/man8/kproplog.8.gz %{_mandir}/man8/kdb5_util.8* %{_mandir}/man8/krb5kdc.8* +%{_mandir}/man8/sserver.8* %files client %defattr(-,root,root) @@ -605,6 +525,11 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kadmin /usr/lib/mit/bin/ktutil /usr/lib/mit/bin/k5srvutil +/usr/lib/mit/bin/gss-client +/usr/lib/mit/bin/ksu +/usr/lib/mit/bin/sclient +/usr/lib/mit/bin/sim_client +/usr/lib/mit/bin/uuclient /usr/bin/kinit /usr/bin/klist %{_mandir}/man1/kvno.1* @@ -618,53 +543,8 @@ rm -rf %{buildroot} %{_mandir}/man1/k5srvutil.1* %{_mandir}/man5/krb5.conf.5* %{_mandir}/man5/.k5login.5* - -%files apps-servers -%defattr(-,root,root) -%config(noreplace) %{_sysconfdir}/xinetd.d/klogin -%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin -%config(noreplace) %{_sysconfdir}/xinetd.d/kshell -%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet -%dir /usr/lib/mit -%dir /usr/lib/mit/sbin -/usr/lib/mit/sbin/ftpd -/usr/lib/mit/sbin/klogind -/usr/lib/mit/sbin/kshd -/usr/lib/mit/sbin/telnetd -/usr/lib/mit/sbin/uuserver -/usr/lib/mit/sbin/sserver -/usr/lib/mit/sbin/gss-server -/usr/lib/mit/sbin/sim_server -/usr/lib/mit/sbin/login.krb5 -%{_mandir}/man8/kftpd.8* -%{_mandir}/man8/klogind.8* -%{_mandir}/man8/kshd.8* -%{_mandir}/man8/ktelnetd.8* -%{_mandir}/man8/sserver.8* -%{_mandir}/man8/login.krb5.8* - -%files apps-clients -%defattr(-,root,root) -%dir /usr/lib/mit -%dir /usr/lib/mit/bin -/usr/lib/mit/bin/ftp -/usr/lib/mit/bin/rlogin -# removed SUID bit, we will rely on su + pam_krb -%attr(0755,root,root) /usr/lib/mit/bin/ksu -/usr/lib/mit/bin/rcp -/usr/lib/mit/bin/rsh -/usr/lib/mit/bin/telnet -/usr/lib/mit/bin/uuclient -/usr/lib/mit/bin/sclient -/usr/lib/mit/bin/gss-client -/usr/lib/mit/bin/sim_client -%{_mandir}/man1/kftp.1* -%{_mandir}/man1/krlogin.1* -%{_mandir}/man1/krsh.1* -%{_mandir}/man1/ktelnet.1* -%{_mandir}/man1/ksu.1* -%{_mandir}/man1/krcp.1* -%{_mandir}/man1/sclient.1* +%{_mandir}/man1/ksu.1.gz +%{_mandir}/man1/sclient.1.gz %files plugin-kdb-ldap %defattr(-,root,root) diff --git a/ready b/ready deleted file mode 100644 index 473a0f4..0000000 diff --git a/spx.c b/spx.c deleted file mode 100644 index 256ccd5..0000000 --- a/spx.c +++ /dev/null @@ -1,50 +0,0 @@ -/*- - * Copyright (c) 1992, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* based on @(#)spx.c 8.1 (Berkeley) 6/4/93 */ - -#include "misc-proto.h" - -#ifdef notdef - -prkey(msg, key) - char *msg; - unsigned char *key; -{ - register int i; - printf("%s:", msg); - for (i = 0; i < 8; i++) - printf(" %3d", key[i]); - printf("\r\n"); -} -#endif diff --git a/vendor-files.tar.bz2 b/vendor-files.tar.bz2 index 125b194..9c9d317 100644 --- a/vendor-files.tar.bz2 +++ b/vendor-files.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:cc8af64eb451283d9ed22d52848a923e65a50b5c80442fe3165f238efdd34571 -size 182153 +oid sha256:afd7fcef667fa671ba023b747d95c62dd83b03c4bb93c7132e1ae78fe837c35e +size 182067 From 28dc0dd05689ad57b31db9b315e720e40d1cca57940c3399e6b7825df6b54a99 Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Wed, 24 Mar 2010 09:00:53 +0000 Subject: [PATCH 4/6] Accepting request 35618 from home:mcalmer:branches:network Copy from home:mcalmer:branches:network/krb5 via accept of submit request 35618 revision 2. Request was accepted with message: OBS-URL: https://build.opensuse.org/request/show/35618 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=14 --- krb5-1.7-MITKRB5-SA-2010-002.dif | 71 ++++++++++++++++++++++++++++++++ krb5-1.8-POST.dif | 4 +- krb5-mini.changes | 8 ++++ krb5-mini.spec | 2 + krb5.changes | 8 ++++ krb5.spec | 2 + 6 files changed, 93 insertions(+), 2 deletions(-) create mode 100644 krb5-1.7-MITKRB5-SA-2010-002.dif diff --git a/krb5-1.7-MITKRB5-SA-2010-002.dif b/krb5-1.7-MITKRB5-SA-2010-002.dif new file mode 100644 index 0000000..79c4e81 --- /dev/null +++ b/krb5-1.7-MITKRB5-SA-2010-002.dif @@ -0,0 +1,71 @@ +Index: src/lib/gssapi/spnego/spnego_mech.c +=================================================================== +--- src/lib/gssapi/spnego/spnego_mech.c.orig ++++ src/lib/gssapi/spnego/spnego_mech.c +@@ -1576,7 +1576,7 @@ spnego_gss_accept_sec_context( + spnego_gss_ctx_id_t sc = NULL; + spnego_gss_cred_id_t spcred = NULL; + OM_uint32 mechstat = GSS_S_FAILURE; +- int sendTokenInit = 0; ++ int sendTokenInit = 0, tmpret; + + mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER; + +@@ -1609,7 +1609,6 @@ spnego_gss_accept_sec_context( + if (delegated_cred_handle != NULL) + *delegated_cred_handle = GSS_C_NO_CREDENTIAL; + if (input_token->length == 0) { +- sendTokenInit = 1; + ret = acc_ctx_hints(minor_status, + context_handle, spcred, + &mic_out, +@@ -1617,6 +1616,7 @@ spnego_gss_accept_sec_context( + &return_token); + if (ret != GSS_S_COMPLETE) + goto cleanup; ++ sendTokenInit = 1; + ret = GSS_S_CONTINUE_NEEDED; + } else { + /* Can set negState to REQUEST_MIC */ +@@ -1664,27 +1664,21 @@ spnego_gss_accept_sec_context( + &negState, &return_token); + } + cleanup: +- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { +- /* For acceptor-sends-first send a tokenInit */ +- int tmpret; +- ++ if (return_token == INIT_TOKEN_SEND && sendTokenInit) { + assert(sc != NULL); +- +- if (sendTokenInit) { +- tmpret = make_spnego_tokenInit_msg(sc, +- 1, +- mic_out, +- 0, +- GSS_C_NO_BUFFER, +- return_token, +- output_token); +- } else { +- tmpret = make_spnego_tokenTarg_msg(negState, +- sc ? sc->internal_mech : GSS_C_NO_OID, +- &mechtok_out, mic_out, +- return_token, +- output_token); +- } ++ tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0, ++ GSS_C_NO_BUFFER, ++ return_token, output_token); ++ if (tmpret < 0) ++ ret = GSS_S_FAILURE; ++ } else if (return_token != NO_TOKEN_SEND && ++ return_token != CHECK_MIC) { ++ tmpret = make_spnego_tokenTarg_msg(negState, ++ sc ? sc->internal_mech : ++ GSS_C_NO_OID, ++ &mechtok_out, mic_out, ++ return_token, ++ output_token); + if (tmpret < 0) + ret = GSS_S_FAILURE; + } diff --git a/krb5-1.8-POST.dif b/krb5-1.8-POST.dif index 0db3bf7..14ccdf3 100644 --- a/krb5-1.8-POST.dif +++ b/krb5-1.8-POST.dif @@ -179,7 +179,7 @@ Index: src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- src/lib/gssapi/spnego/spnego_mech.c.orig +++ src/lib/gssapi/spnego/spnego_mech.c -@@ -1693,6 +1693,7 @@ cleanup: +@@ -1687,6 +1687,7 @@ cleanup: if (sc->internal_name != GSS_C_NO_NAME && src_name != NULL) { *src_name = sc->internal_name; @@ -187,7 +187,7 @@ Index: src/lib/gssapi/spnego/spnego_mech.c } release_spnego_ctx(&sc); } else if (ret != GSS_S_CONTINUE_NEEDED) { -@@ -2578,6 +2579,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t * +@@ -2572,6 +2573,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t * (void) generic_gss_release_oid(&minor_stat, &context->internal_mech); diff --git a/krb5-mini.changes b/krb5-mini.changes index bf323bc..c00c208 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Mar 23 14:32:41 CET 2010 - mc@suse.de + +- fix a bug where an unauthenticated remote attacker could cause + a GSS-API application including the Kerberos administration + daemon (kadmind) to crash. + CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) + ------------------------------------------------------------------- Tue Mar 23 12:33:26 CET 2010 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index b4867f2..771f35f 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -55,6 +55,7 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif +Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils @@ -203,6 +204,7 @@ Authors: %patch41 %patch44 -p1 %patch46 -p1 +%patch47 %patch50 # Rename the man pages so that they'll get generated correctly. pushd src diff --git a/krb5.changes b/krb5.changes index bf323bc..c00c208 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Mar 23 14:32:41 CET 2010 - mc@suse.de + +- fix a bug where an unauthenticated remote attacker could cause + a GSS-API application including the Kerberos administration + daemon (kadmind) to crash. + CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) + ------------------------------------------------------------------- Tue Mar 23 12:33:26 CET 2010 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index 68c13d9..1f59bb2 100644 --- a/krb5.spec +++ b/krb5.spec @@ -55,6 +55,7 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif +Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils @@ -203,6 +204,7 @@ Authors: %patch41 %patch44 -p1 %patch46 -p1 +%patch47 %patch50 # Rename the man pages so that they'll get generated correctly. pushd src From 2c72bcf882ef5aabc7b5e0c51b750efe2de917a0e87787308722bdd6dfafb6b2 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Thu, 25 Mar 2010 23:13:30 +0000 Subject: [PATCH 5/6] Accepting request 35620 from network checked in (request 35620) OBS-URL: https://build.opensuse.org/request/show/35620 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=15 --- krb5-1.7-MITKRB5-SA-2010-002.dif | 71 ------- krb5-1.8-POST.dif | 315 ------------------------------- krb5-doc.changes | 6 - krb5-doc.spec | 2 - krb5-mini.changes | 22 --- krb5-mini.spec | 6 +- krb5.changes | 22 --- krb5.spec | 4 - 8 files changed, 1 insertion(+), 447 deletions(-) delete mode 100644 krb5-1.7-MITKRB5-SA-2010-002.dif delete mode 100644 krb5-1.8-POST.dif diff --git a/krb5-1.7-MITKRB5-SA-2010-002.dif b/krb5-1.7-MITKRB5-SA-2010-002.dif deleted file mode 100644 index 79c4e81..0000000 --- a/krb5-1.7-MITKRB5-SA-2010-002.dif +++ /dev/null @@ -1,71 +0,0 @@ -Index: src/lib/gssapi/spnego/spnego_mech.c -=================================================================== ---- src/lib/gssapi/spnego/spnego_mech.c.orig -+++ src/lib/gssapi/spnego/spnego_mech.c -@@ -1576,7 +1576,7 @@ spnego_gss_accept_sec_context( - spnego_gss_ctx_id_t sc = NULL; - spnego_gss_cred_id_t spcred = NULL; - OM_uint32 mechstat = GSS_S_FAILURE; -- int sendTokenInit = 0; -+ int sendTokenInit = 0, tmpret; - - mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER; - -@@ -1609,7 +1609,6 @@ spnego_gss_accept_sec_context( - if (delegated_cred_handle != NULL) - *delegated_cred_handle = GSS_C_NO_CREDENTIAL; - if (input_token->length == 0) { -- sendTokenInit = 1; - ret = acc_ctx_hints(minor_status, - context_handle, spcred, - &mic_out, -@@ -1617,6 +1616,7 @@ spnego_gss_accept_sec_context( - &return_token); - if (ret != GSS_S_COMPLETE) - goto cleanup; -+ sendTokenInit = 1; - ret = GSS_S_CONTINUE_NEEDED; - } else { - /* Can set negState to REQUEST_MIC */ -@@ -1664,27 +1664,21 @@ spnego_gss_accept_sec_context( - &negState, &return_token); - } - cleanup: -- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { -- /* For acceptor-sends-first send a tokenInit */ -- int tmpret; -- -+ if (return_token == INIT_TOKEN_SEND && sendTokenInit) { - assert(sc != NULL); -- -- if (sendTokenInit) { -- tmpret = make_spnego_tokenInit_msg(sc, -- 1, -- mic_out, -- 0, -- GSS_C_NO_BUFFER, -- return_token, -- output_token); -- } else { -- tmpret = make_spnego_tokenTarg_msg(negState, -- sc ? sc->internal_mech : GSS_C_NO_OID, -- &mechtok_out, mic_out, -- return_token, -- output_token); -- } -+ tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0, -+ GSS_C_NO_BUFFER, -+ return_token, output_token); -+ if (tmpret < 0) -+ ret = GSS_S_FAILURE; -+ } else if (return_token != NO_TOKEN_SEND && -+ return_token != CHECK_MIC) { -+ tmpret = make_spnego_tokenTarg_msg(negState, -+ sc ? sc->internal_mech : -+ GSS_C_NO_OID, -+ &mechtok_out, mic_out, -+ return_token, -+ output_token); - if (tmpret < 0) - ret = GSS_S_FAILURE; - } diff --git a/krb5-1.8-POST.dif b/krb5-1.8-POST.dif deleted file mode 100644 index 14ccdf3..0000000 --- a/krb5-1.8-POST.dif +++ /dev/null @@ -1,315 +0,0 @@ -Index: doc/admin.texinfo -=================================================================== ---- doc/admin.texinfo.orig -+++ doc/admin.texinfo -@@ -516,13 +516,6 @@ DCE do not support the default cache as - Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on - DCE 1.1 systems. The default value is @value{DefaultCcacheType}. - --@ignore --@itemx tkt_lifetime --The default lifetime of a ticket. The default is --@value{DefaultTktLifetime}. This is currently not supported by the --code. --@end ignore -- - @itemx dns_lookup_kdc - Indicate whether DNS SRV records should be used to locate the KDCs and - other servers for a realm, if they are not listed in the information for -@@ -583,6 +576,11 @@ If this flag is set, then an attempt to - fail if the client machine does not have a keytab. The default for the - flag is @value{DefaultVerifyApReqNofail}. - -+@itemx ticket_lifetime -+The value of this tag is the default lifetime for -+initial tickets. The default value for the tag is -+@value{DefaultTktLifetime}. -+ - @itemx renew_lifetime - The value of this tag is the default renewable lifetime for - initial tickets. The default value for the tag is -Index: src/include/krb5/krb5.hin -=================================================================== ---- src/include/krb5/krb5.hin.orig -+++ src/include/krb5/krb5.hin -@@ -1066,7 +1066,7 @@ krb5_verify_checksum(krb5_context contex - #define KRB5_AUTHDATA_SESAME 65 - #define KRB5_AUTHDATA_WIN2K_PAC 128 - #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */ --#define KRB5_AUTHDATA_SIGNTICKET 142 -+#define KRB5_AUTHDATA_SIGNTICKET 512 /* formerly 142 in krb5 1.8 */ - #define KRB5_AUTHDATA_FX_ARMOR 71 - /* password change constants */ - -@@ -1184,6 +1184,19 @@ typedef struct _krb5_pa_data { - krb5_octet *contents; - } krb5_pa_data; - -+/* typed data */ -+/* -+ * The FAST error handling logic currently assumes that this structure and -+ * krb5_pa_data * can be safely cast to each other if this structure changes, -+ * that code needs to be updated to copy. -+ */ -+typedef struct _krb5_typed_data { -+ krb5_magic magic; -+ krb5_int32 type; -+ unsigned int length; -+ krb5_octet *data; -+} krb5_typed_data; -+ - typedef struct _krb5_kdc_req { - krb5_magic magic; - krb5_msgtype msg_type; /* AS_REQ or TGS_REQ? */ -Index: src/include/k5-int-pkinit.h -=================================================================== ---- src/include/k5-int-pkinit.h.orig -+++ src/include/k5-int-pkinit.h -@@ -101,17 +101,6 @@ typedef struct _krb5_trusted_ca { - } u; - } krb5_trusted_ca; - --/* typed data */ --/* The FAST error handling logic currently assumes that this structure and krb5_pa_data * can be safely cast to each other -- * if this structure changes, that code needs to be updated to copy. -- */ --typedef struct _krb5_typed_data { -- krb5_magic magic; -- krb5_int32 type; -- unsigned int length; -- krb5_octet *data; --} krb5_typed_data; -- - /* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */ - typedef struct _krb5_pa_pk_as_req_draft9 { - krb5_octet_data signedAuthPack; -Index: src/kdc/kdc_authdata.c -=================================================================== ---- src/kdc/kdc_authdata.c.orig -+++ src/kdc/kdc_authdata.c -@@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context contex - enc_sp.length = sp_authdata[0]->length; - - code = decode_krb5_ad_signedpath(&enc_sp, &sp); -- if (code != 0) -+ if (code != 0) { -+ /* Treat an invalid signedpath authdata element as a missing one, since -+ * we believe MS is using the same number for something else. */ -+ code = 0; - goto cleanup; -+ } - - code = verify_ad_signedpath_checksum(context, - krbtgt, -Index: src/kdc/do_tgs_req.c -=================================================================== ---- src/kdc/do_tgs_req.c.orig -+++ src/kdc/do_tgs_req.c -@@ -1215,6 +1215,7 @@ prep_reprocess_req(krb5_kdc_req *request - strlcpy(comp1_str,comp1->data,comp1->length+1); - - if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST || -+ krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST || - (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN && - kdc_active_realm->realm_host_based_services != NULL && - (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, -Index: src/clients/kpasswd/kpasswd.c -=================================================================== ---- src/clients/kpasswd/kpasswd.c.orig -+++ src/clients/kpasswd/kpasswd.c -@@ -47,7 +47,7 @@ int main(int argc, char *argv[]) - { - krb5_error_code ret; - krb5_context context; -- krb5_principal princ; -+ krb5_principal princ = NULL; - char *pname; - krb5_ccache ccache; - krb5_get_init_creds_opt *opts = NULL; -@@ -84,23 +84,27 @@ int main(int argc, char *argv[]) - com_err(argv[0], ret, "parsing client name"); - exit(1); - } -- } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) { -- if (ret) { -+ } else { -+ ret = krb5_cc_default(context, &ccache); -+ if (ret != 0) { - com_err(argv[0], ret, "opening default ccache"); - exit(1); - } - -- if ((ret = krb5_cc_get_principal(context, ccache, &princ))) { -+ ret = krb5_cc_get_principal(context, ccache, &princ); -+ if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) { - com_err(argv[0], ret, "getting principal from ccache"); - exit(1); - } - -- if ((ret = krb5_cc_close(context, ccache))) { -+ ret = krb5_cc_close(context, ccache); -+ if (ret != 0) { - com_err(argv[0], ret, "closing ccache"); - exit(1); - } -- } else { -- get_name_from_passwd_file(argv[0], context, &princ); -+ -+ if (princ == NULL) -+ get_name_from_passwd_file(argv[0], context, &princ); - } - - if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) { -Index: src/config-files/krb5.conf.M -=================================================================== ---- src/config-files/krb5.conf.M.orig -+++ src/config-files/krb5.conf.M -@@ -220,6 +220,10 @@ If this flag is set, then an attempt to - fail if the client machine does not have a keytab. The default for the - flag is false. - -+.IP ticket_lifetime -+The value of this tag is the default lifetime for initial tickets. The -+default value for the tag is 1 day (1d). -+ - .IP renew_lifetime - The value of this tag is the default renewable lifetime for initial - tickets. The default value for the tag is 0. -Index: src/lib/gssapi/spnego/spnego_mech.c -=================================================================== ---- src/lib/gssapi/spnego/spnego_mech.c.orig -+++ src/lib/gssapi/spnego/spnego_mech.c -@@ -1687,6 +1687,7 @@ cleanup: - if (sc->internal_name != GSS_C_NO_NAME && - src_name != NULL) { - *src_name = sc->internal_name; -+ sc->internal_name = GSS_C_NO_NAME; - } - release_spnego_ctx(&sc); - } else if (ret != GSS_S_CONTINUE_NEEDED) { -@@ -2572,6 +2573,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t * - (void) generic_gss_release_oid(&minor_stat, - &context->internal_mech); - -+ (void) gss_release_name(&minor_stat, &context->internal_name); -+ - if (context->optionStr != NULL) { - free(context->optionStr); - context->optionStr = NULL; -Index: src/lib/kadm5/srv/svr_principal.c -=================================================================== ---- src/lib/kadm5/srv/svr_principal.c.orig -+++ src/lib/kadm5/srv/svr_principal.c -@@ -858,8 +858,8 @@ kadm5_get_principal(void *server_handle, - if (! (mask & KADM5_MOD_TIME)) - entry->mod_date = 0; - if (! (mask & KADM5_MOD_NAME)) { -- krb5_free_principal(handle->context, entry->principal); -- entry->principal = NULL; -+ krb5_free_principal(handle->context, entry->mod_name); -+ entry->mod_name = NULL; - } - } - -@@ -871,10 +871,12 @@ kadm5_get_principal(void *server_handle, - if (kdb.key_data[i].key_data_kvno > entry->kvno) - entry->kvno = kdb.key_data[i].key_data_kvno; - -- ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, -- &entry->mkvno); -- if (ret) -- goto done; -+ if (mask & KADM5_MKVNO) { -+ ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, -+ &entry->mkvno); -+ if (ret) -+ goto done; -+ } - - if (mask & KADM5_MAX_RLIFE) - entry->max_renewable_life = kdb.max_renewable_life; -Index: src/lib/krb5/os/changepw.c -=================================================================== ---- src/lib/krb5/os/changepw.c.orig -+++ src/lib/krb5/os/changepw.c -@@ -65,20 +65,23 @@ locate_kpasswd(krb5_context context, con - int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM); - - code = krb5int_locate_server (context, realm, addrlist, -- locate_service_kpasswd, sockType, AF_INET); -+ locate_service_kpasswd, sockType, AF_UNSPEC); - - if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) { - code = krb5int_locate_server (context, realm, addrlist, - locate_service_kadmin, SOCK_STREAM, -- AF_INET); -+ AF_UNSPEC); - if (!code) { - /* Success with admin_server but now we need to change the - port number to use DEFAULT_KPASSWD_PORT and the socktype. */ - size_t i; - for (i=0; inaddrs; i++) { - struct addrinfo *a = addrlist->addrs[i].ai; -+ krb5_ui_2 kpasswd_port = htons(DEFAULT_KPASSWD_PORT); - if (a->ai_family == AF_INET) -- sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT); -+ sa2sin (a->ai_addr)->sin_port = kpasswd_port; -+ if (a->ai_family == AF_INET6) -+ sa2sin6 (a->ai_addr)->sin6_port = kpasswd_port; - if (sockType != SOCK_STREAM) - a->ai_socktype = sockType; - } -@@ -131,10 +134,16 @@ kpasswd_sendto_msg_callback(struct conn_ - /* some brain-dead OS's don't return useful information from - * the getsockname call. Namely, windows and solaris. */ - -- if (ss2sin(&local_addr)->sin_addr.s_addr != 0) { -+ if (local_addr.ss_family == AF_INET && -+ ss2sin(&local_addr)->sin_addr.s_addr != 0) { - local_kaddr.addrtype = ADDRTYPE_INET; - local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr); - local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr; -+ } else if (local_addr.ss_family == AF_INET6 && -+ ss2sin6(&local_addr)->sin6_addr.s6_addr != 0) { -+ local_kaddr.addrtype = ADDRTYPE_INET6; -+ local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr); -+ local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr; - } else { - krb5_address **addrs; - -@@ -290,9 +299,19 @@ change_set_password(krb5_context context - break; - } - -- remote_kaddr.addrtype = ADDRTYPE_INET; -- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); -- remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; -+ if (remote_addr.ss_family == AF_INET) { -+ remote_kaddr.addrtype = ADDRTYPE_INET; -+ remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); -+ remote_kaddr.contents = -+ (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; -+ } else if (remote_addr.ss_family == AF_INET6) { -+ remote_kaddr.addrtype = ADDRTYPE_INET6; -+ remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr); -+ remote_kaddr.contents = -+ (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr; -+ } else { -+ break; -+ } - - if ((code = krb5_auth_con_setaddrs(callback_ctx.context, - callback_ctx.auth_context, -Index: src/lib/krb5/krb/gic_pwd.c -=================================================================== ---- src/lib/krb5/krb/gic_pwd.c.orig -+++ src/lib/krb5/krb/gic_pwd.c -@@ -218,7 +218,7 @@ krb5_get_init_creds_password(krb5_contex - * to prompt. Prompting is only disabled if the option has been set - * and the value has been set to false. - */ -- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) -+ if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) - goto cleanup; - - /* ok, we have an expired password. Give the user a few chances diff --git a/krb5-doc.changes b/krb5-doc.changes index 7ac797d..6dfd162 100644 --- a/krb5-doc.changes +++ b/krb5-doc.changes @@ -1,9 +1,3 @@ -------------------------------------------------------------------- -Tue Mar 23 12:38:29 CET 2010 - mc@suse.de - -- add post 1.8 fixes - * Document the ticket_lifetime libdefaults setting - ------------------------------------------------------------------- Thu Mar 4 11:45:22 CET 2010 - mc@suse.de diff --git a/krb5-doc.spec b/krb5-doc.spec index eea2ee1..ea6ce01 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -31,7 +31,6 @@ Source: krb5-1.8.tar.bz2 Source3: %{name}-%{version}-rpmlintrc Patch0: krb5-1.3.5-perlfix.dif Patch1: krb5-1.6.3-texi2dvi-fix.dif -Patch2: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch @@ -54,7 +53,6 @@ Authors: %setup -n %{srcRoot} %patch0 %patch1 -%patch2 %build diff --git a/krb5-mini.changes b/krb5-mini.changes index c00c208..58bfdc3 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,25 +1,3 @@ -------------------------------------------------------------------- -Tue Mar 23 14:32:41 CET 2010 - mc@suse.de - -- fix a bug where an unauthenticated remote attacker could cause - a GSS-API application including the Kerberos administration - daemon (kadmind) to crash. - CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) - -------------------------------------------------------------------- -Tue Mar 23 12:33:26 CET 2010 - mc@suse.de - -- add post 1.8 fixes - * Add IPv6 support to changepw.c - * fix two problems in kadm5_get_principal mask handling - * Ignore improperly encoded signedpath AD elements - * handle NT_SRV_INST in service principal referrals - * dereference options while checking - KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT - * Fix the kpasswd fallback from the ccache principal name - * Document the ticket_lifetime libdefaults setting - * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 - ------------------------------------------------------------------- Thu Mar 4 10:42:29 CET 2010 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index 771f35f..fe27dc3 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -1,5 +1,5 @@ # -# spec file for package krb5 (Version 1.8) +# spec file for package krb5-mini (Version 1.8) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -55,8 +55,6 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif -Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif -Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -204,8 +202,6 @@ Authors: %patch41 %patch44 -p1 %patch46 -p1 -%patch47 -%patch50 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do diff --git a/krb5.changes b/krb5.changes index c00c208..58bfdc3 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,25 +1,3 @@ -------------------------------------------------------------------- -Tue Mar 23 14:32:41 CET 2010 - mc@suse.de - -- fix a bug where an unauthenticated remote attacker could cause - a GSS-API application including the Kerberos administration - daemon (kadmind) to crash. - CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) - -------------------------------------------------------------------- -Tue Mar 23 12:33:26 CET 2010 - mc@suse.de - -- add post 1.8 fixes - * Add IPv6 support to changepw.c - * fix two problems in kadm5_get_principal mask handling - * Ignore improperly encoded signedpath AD elements - * handle NT_SRV_INST in service principal referrals - * dereference options while checking - KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT - * Fix the kpasswd fallback from the ccache principal name - * Document the ticket_lifetime libdefaults setting - * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 - ------------------------------------------------------------------- Thu Mar 4 10:42:29 CET 2010 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index 1f59bb2..38bed32 100644 --- a/krb5.spec +++ b/krb5.spec @@ -55,8 +55,6 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif -Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif -Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -204,8 +202,6 @@ Authors: %patch41 %patch44 -p1 %patch46 -p1 -%patch47 -%patch50 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do From 527022b42487a537796e36b465bd1ca6bdc52efc8c59882876db34a6e9438944 Mon Sep 17 00:00:00 2001 From: OBS User buildservice-autocommit Date: Thu, 25 Mar 2010 23:13:31 +0000 Subject: [PATCH 6/6] Updating link to change in openSUSE:Factory/krb5 revision 48.0 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=03eeb0c694a7c98f62758afbaf724d78 --- krb5-1.7-MITKRB5-SA-2010-002.dif | 71 +++++++ krb5-1.8-POST.dif | 315 +++++++++++++++++++++++++++++++ krb5-doc.changes | 6 + krb5-doc.spec | 4 +- krb5-mini.changes | 22 +++ krb5-mini.spec | 6 +- krb5.changes | 22 +++ krb5.spec | 6 +- 8 files changed, 449 insertions(+), 3 deletions(-) create mode 100644 krb5-1.7-MITKRB5-SA-2010-002.dif create mode 100644 krb5-1.8-POST.dif diff --git a/krb5-1.7-MITKRB5-SA-2010-002.dif b/krb5-1.7-MITKRB5-SA-2010-002.dif new file mode 100644 index 0000000..79c4e81 --- /dev/null +++ b/krb5-1.7-MITKRB5-SA-2010-002.dif @@ -0,0 +1,71 @@ +Index: src/lib/gssapi/spnego/spnego_mech.c +=================================================================== +--- src/lib/gssapi/spnego/spnego_mech.c.orig ++++ src/lib/gssapi/spnego/spnego_mech.c +@@ -1576,7 +1576,7 @@ spnego_gss_accept_sec_context( + spnego_gss_ctx_id_t sc = NULL; + spnego_gss_cred_id_t spcred = NULL; + OM_uint32 mechstat = GSS_S_FAILURE; +- int sendTokenInit = 0; ++ int sendTokenInit = 0, tmpret; + + mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER; + +@@ -1609,7 +1609,6 @@ spnego_gss_accept_sec_context( + if (delegated_cred_handle != NULL) + *delegated_cred_handle = GSS_C_NO_CREDENTIAL; + if (input_token->length == 0) { +- sendTokenInit = 1; + ret = acc_ctx_hints(minor_status, + context_handle, spcred, + &mic_out, +@@ -1617,6 +1616,7 @@ spnego_gss_accept_sec_context( + &return_token); + if (ret != GSS_S_COMPLETE) + goto cleanup; ++ sendTokenInit = 1; + ret = GSS_S_CONTINUE_NEEDED; + } else { + /* Can set negState to REQUEST_MIC */ +@@ -1664,27 +1664,21 @@ spnego_gss_accept_sec_context( + &negState, &return_token); + } + cleanup: +- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { +- /* For acceptor-sends-first send a tokenInit */ +- int tmpret; +- ++ if (return_token == INIT_TOKEN_SEND && sendTokenInit) { + assert(sc != NULL); +- +- if (sendTokenInit) { +- tmpret = make_spnego_tokenInit_msg(sc, +- 1, +- mic_out, +- 0, +- GSS_C_NO_BUFFER, +- return_token, +- output_token); +- } else { +- tmpret = make_spnego_tokenTarg_msg(negState, +- sc ? sc->internal_mech : GSS_C_NO_OID, +- &mechtok_out, mic_out, +- return_token, +- output_token); +- } ++ tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0, ++ GSS_C_NO_BUFFER, ++ return_token, output_token); ++ if (tmpret < 0) ++ ret = GSS_S_FAILURE; ++ } else if (return_token != NO_TOKEN_SEND && ++ return_token != CHECK_MIC) { ++ tmpret = make_spnego_tokenTarg_msg(negState, ++ sc ? sc->internal_mech : ++ GSS_C_NO_OID, ++ &mechtok_out, mic_out, ++ return_token, ++ output_token); + if (tmpret < 0) + ret = GSS_S_FAILURE; + } diff --git a/krb5-1.8-POST.dif b/krb5-1.8-POST.dif new file mode 100644 index 0000000..14ccdf3 --- /dev/null +++ b/krb5-1.8-POST.dif @@ -0,0 +1,315 @@ +Index: doc/admin.texinfo +=================================================================== +--- doc/admin.texinfo.orig ++++ doc/admin.texinfo +@@ -516,13 +516,6 @@ DCE do not support the default cache as + Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on + DCE 1.1 systems. The default value is @value{DefaultCcacheType}. + +-@ignore +-@itemx tkt_lifetime +-The default lifetime of a ticket. The default is +-@value{DefaultTktLifetime}. This is currently not supported by the +-code. +-@end ignore +- + @itemx dns_lookup_kdc + Indicate whether DNS SRV records should be used to locate the KDCs and + other servers for a realm, if they are not listed in the information for +@@ -583,6 +576,11 @@ If this flag is set, then an attempt to + fail if the client machine does not have a keytab. The default for the + flag is @value{DefaultVerifyApReqNofail}. + ++@itemx ticket_lifetime ++The value of this tag is the default lifetime for ++initial tickets. The default value for the tag is ++@value{DefaultTktLifetime}. ++ + @itemx renew_lifetime + The value of this tag is the default renewable lifetime for + initial tickets. The default value for the tag is +Index: src/include/krb5/krb5.hin +=================================================================== +--- src/include/krb5/krb5.hin.orig ++++ src/include/krb5/krb5.hin +@@ -1066,7 +1066,7 @@ krb5_verify_checksum(krb5_context contex + #define KRB5_AUTHDATA_SESAME 65 + #define KRB5_AUTHDATA_WIN2K_PAC 128 + #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */ +-#define KRB5_AUTHDATA_SIGNTICKET 142 ++#define KRB5_AUTHDATA_SIGNTICKET 512 /* formerly 142 in krb5 1.8 */ + #define KRB5_AUTHDATA_FX_ARMOR 71 + /* password change constants */ + +@@ -1184,6 +1184,19 @@ typedef struct _krb5_pa_data { + krb5_octet *contents; + } krb5_pa_data; + ++/* typed data */ ++/* ++ * The FAST error handling logic currently assumes that this structure and ++ * krb5_pa_data * can be safely cast to each other if this structure changes, ++ * that code needs to be updated to copy. ++ */ ++typedef struct _krb5_typed_data { ++ krb5_magic magic; ++ krb5_int32 type; ++ unsigned int length; ++ krb5_octet *data; ++} krb5_typed_data; ++ + typedef struct _krb5_kdc_req { + krb5_magic magic; + krb5_msgtype msg_type; /* AS_REQ or TGS_REQ? */ +Index: src/include/k5-int-pkinit.h +=================================================================== +--- src/include/k5-int-pkinit.h.orig ++++ src/include/k5-int-pkinit.h +@@ -101,17 +101,6 @@ typedef struct _krb5_trusted_ca { + } u; + } krb5_trusted_ca; + +-/* typed data */ +-/* The FAST error handling logic currently assumes that this structure and krb5_pa_data * can be safely cast to each other +- * if this structure changes, that code needs to be updated to copy. +- */ +-typedef struct _krb5_typed_data { +- krb5_magic magic; +- krb5_int32 type; +- unsigned int length; +- krb5_octet *data; +-} krb5_typed_data; +- + /* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */ + typedef struct _krb5_pa_pk_as_req_draft9 { + krb5_octet_data signedAuthPack; +Index: src/kdc/kdc_authdata.c +=================================================================== +--- src/kdc/kdc_authdata.c.orig ++++ src/kdc/kdc_authdata.c +@@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context contex + enc_sp.length = sp_authdata[0]->length; + + code = decode_krb5_ad_signedpath(&enc_sp, &sp); +- if (code != 0) ++ if (code != 0) { ++ /* Treat an invalid signedpath authdata element as a missing one, since ++ * we believe MS is using the same number for something else. */ ++ code = 0; + goto cleanup; ++ } + + code = verify_ad_signedpath_checksum(context, + krbtgt, +Index: src/kdc/do_tgs_req.c +=================================================================== +--- src/kdc/do_tgs_req.c.orig ++++ src/kdc/do_tgs_req.c +@@ -1215,6 +1215,7 @@ prep_reprocess_req(krb5_kdc_req *request + strlcpy(comp1_str,comp1->data,comp1->length+1); + + if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST || ++ krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST || + (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN && + kdc_active_realm->realm_host_based_services != NULL && + (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, +Index: src/clients/kpasswd/kpasswd.c +=================================================================== +--- src/clients/kpasswd/kpasswd.c.orig ++++ src/clients/kpasswd/kpasswd.c +@@ -47,7 +47,7 @@ int main(int argc, char *argv[]) + { + krb5_error_code ret; + krb5_context context; +- krb5_principal princ; ++ krb5_principal princ = NULL; + char *pname; + krb5_ccache ccache; + krb5_get_init_creds_opt *opts = NULL; +@@ -84,23 +84,27 @@ int main(int argc, char *argv[]) + com_err(argv[0], ret, "parsing client name"); + exit(1); + } +- } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) { +- if (ret) { ++ } else { ++ ret = krb5_cc_default(context, &ccache); ++ if (ret != 0) { + com_err(argv[0], ret, "opening default ccache"); + exit(1); + } + +- if ((ret = krb5_cc_get_principal(context, ccache, &princ))) { ++ ret = krb5_cc_get_principal(context, ccache, &princ); ++ if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) { + com_err(argv[0], ret, "getting principal from ccache"); + exit(1); + } + +- if ((ret = krb5_cc_close(context, ccache))) { ++ ret = krb5_cc_close(context, ccache); ++ if (ret != 0) { + com_err(argv[0], ret, "closing ccache"); + exit(1); + } +- } else { +- get_name_from_passwd_file(argv[0], context, &princ); ++ ++ if (princ == NULL) ++ get_name_from_passwd_file(argv[0], context, &princ); + } + + if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) { +Index: src/config-files/krb5.conf.M +=================================================================== +--- src/config-files/krb5.conf.M.orig ++++ src/config-files/krb5.conf.M +@@ -220,6 +220,10 @@ If this flag is set, then an attempt to + fail if the client machine does not have a keytab. The default for the + flag is false. + ++.IP ticket_lifetime ++The value of this tag is the default lifetime for initial tickets. The ++default value for the tag is 1 day (1d). ++ + .IP renew_lifetime + The value of this tag is the default renewable lifetime for initial + tickets. The default value for the tag is 0. +Index: src/lib/gssapi/spnego/spnego_mech.c +=================================================================== +--- src/lib/gssapi/spnego/spnego_mech.c.orig ++++ src/lib/gssapi/spnego/spnego_mech.c +@@ -1687,6 +1687,7 @@ cleanup: + if (sc->internal_name != GSS_C_NO_NAME && + src_name != NULL) { + *src_name = sc->internal_name; ++ sc->internal_name = GSS_C_NO_NAME; + } + release_spnego_ctx(&sc); + } else if (ret != GSS_S_CONTINUE_NEEDED) { +@@ -2572,6 +2573,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t * + (void) generic_gss_release_oid(&minor_stat, + &context->internal_mech); + ++ (void) gss_release_name(&minor_stat, &context->internal_name); ++ + if (context->optionStr != NULL) { + free(context->optionStr); + context->optionStr = NULL; +Index: src/lib/kadm5/srv/svr_principal.c +=================================================================== +--- src/lib/kadm5/srv/svr_principal.c.orig ++++ src/lib/kadm5/srv/svr_principal.c +@@ -858,8 +858,8 @@ kadm5_get_principal(void *server_handle, + if (! (mask & KADM5_MOD_TIME)) + entry->mod_date = 0; + if (! (mask & KADM5_MOD_NAME)) { +- krb5_free_principal(handle->context, entry->principal); +- entry->principal = NULL; ++ krb5_free_principal(handle->context, entry->mod_name); ++ entry->mod_name = NULL; + } + } + +@@ -871,10 +871,12 @@ kadm5_get_principal(void *server_handle, + if (kdb.key_data[i].key_data_kvno > entry->kvno) + entry->kvno = kdb.key_data[i].key_data_kvno; + +- ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, +- &entry->mkvno); +- if (ret) +- goto done; ++ if (mask & KADM5_MKVNO) { ++ ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, ++ &entry->mkvno); ++ if (ret) ++ goto done; ++ } + + if (mask & KADM5_MAX_RLIFE) + entry->max_renewable_life = kdb.max_renewable_life; +Index: src/lib/krb5/os/changepw.c +=================================================================== +--- src/lib/krb5/os/changepw.c.orig ++++ src/lib/krb5/os/changepw.c +@@ -65,20 +65,23 @@ locate_kpasswd(krb5_context context, con + int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM); + + code = krb5int_locate_server (context, realm, addrlist, +- locate_service_kpasswd, sockType, AF_INET); ++ locate_service_kpasswd, sockType, AF_UNSPEC); + + if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) { + code = krb5int_locate_server (context, realm, addrlist, + locate_service_kadmin, SOCK_STREAM, +- AF_INET); ++ AF_UNSPEC); + if (!code) { + /* Success with admin_server but now we need to change the + port number to use DEFAULT_KPASSWD_PORT and the socktype. */ + size_t i; + for (i=0; inaddrs; i++) { + struct addrinfo *a = addrlist->addrs[i].ai; ++ krb5_ui_2 kpasswd_port = htons(DEFAULT_KPASSWD_PORT); + if (a->ai_family == AF_INET) +- sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT); ++ sa2sin (a->ai_addr)->sin_port = kpasswd_port; ++ if (a->ai_family == AF_INET6) ++ sa2sin6 (a->ai_addr)->sin6_port = kpasswd_port; + if (sockType != SOCK_STREAM) + a->ai_socktype = sockType; + } +@@ -131,10 +134,16 @@ kpasswd_sendto_msg_callback(struct conn_ + /* some brain-dead OS's don't return useful information from + * the getsockname call. Namely, windows and solaris. */ + +- if (ss2sin(&local_addr)->sin_addr.s_addr != 0) { ++ if (local_addr.ss_family == AF_INET && ++ ss2sin(&local_addr)->sin_addr.s_addr != 0) { + local_kaddr.addrtype = ADDRTYPE_INET; + local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr); + local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr; ++ } else if (local_addr.ss_family == AF_INET6 && ++ ss2sin6(&local_addr)->sin6_addr.s6_addr != 0) { ++ local_kaddr.addrtype = ADDRTYPE_INET6; ++ local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr); ++ local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr; + } else { + krb5_address **addrs; + +@@ -290,9 +299,19 @@ change_set_password(krb5_context context + break; + } + +- remote_kaddr.addrtype = ADDRTYPE_INET; +- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); +- remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; ++ if (remote_addr.ss_family == AF_INET) { ++ remote_kaddr.addrtype = ADDRTYPE_INET; ++ remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); ++ remote_kaddr.contents = ++ (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; ++ } else if (remote_addr.ss_family == AF_INET6) { ++ remote_kaddr.addrtype = ADDRTYPE_INET6; ++ remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr); ++ remote_kaddr.contents = ++ (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr; ++ } else { ++ break; ++ } + + if ((code = krb5_auth_con_setaddrs(callback_ctx.context, + callback_ctx.auth_context, +Index: src/lib/krb5/krb/gic_pwd.c +=================================================================== +--- src/lib/krb5/krb/gic_pwd.c.orig ++++ src/lib/krb5/krb/gic_pwd.c +@@ -218,7 +218,7 @@ krb5_get_init_creds_password(krb5_contex + * to prompt. Prompting is only disabled if the option has been set + * and the value has been set to false. + */ +- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) ++ if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) + goto cleanup; + + /* ok, we have an expired password. Give the user a few chances diff --git a/krb5-doc.changes b/krb5-doc.changes index 6dfd162..7ac797d 100644 --- a/krb5-doc.changes +++ b/krb5-doc.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Mar 23 12:38:29 CET 2010 - mc@suse.de + +- add post 1.8 fixes + * Document the ticket_lifetime libdefaults setting + ------------------------------------------------------------------- Thu Mar 4 11:45:22 CET 2010 - mc@suse.de diff --git a/krb5-doc.spec b/krb5-doc.spec index ea6ce01..86eface 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -21,7 +21,7 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive Version: 1.8 -Release: 1 +Release: 2 %define srcRoot krb5-1.8 Summary: MIT Kerberos5 Implementation--Documentation License: MIT License (or similar) @@ -31,6 +31,7 @@ Source: krb5-1.8.tar.bz2 Source3: %{name}-%{version}-rpmlintrc Patch0: krb5-1.3.5-perlfix.dif Patch1: krb5-1.6.3-texi2dvi-fix.dif +Patch2: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch @@ -53,6 +54,7 @@ Authors: %setup -n %{srcRoot} %patch0 %patch1 +%patch2 %build diff --git a/krb5-mini.changes b/krb5-mini.changes index 58bfdc3..c00c208 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,25 @@ +------------------------------------------------------------------- +Tue Mar 23 14:32:41 CET 2010 - mc@suse.de + +- fix a bug where an unauthenticated remote attacker could cause + a GSS-API application including the Kerberos administration + daemon (kadmind) to crash. + CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) + +------------------------------------------------------------------- +Tue Mar 23 12:33:26 CET 2010 - mc@suse.de + +- add post 1.8 fixes + * Add IPv6 support to changepw.c + * fix two problems in kadm5_get_principal mask handling + * Ignore improperly encoded signedpath AD elements + * handle NT_SRV_INST in service principal referrals + * dereference options while checking + KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT + * Fix the kpasswd fallback from the ccache principal name + * Document the ticket_lifetime libdefaults setting + * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 + ------------------------------------------------------------------- Thu Mar 4 10:42:29 CET 2010 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index fe27dc3..8c1b700 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -28,7 +28,7 @@ Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel Version: 1.8 -Release: 1 +Release: 2 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel # bug437293 @@ -55,6 +55,8 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif +Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif +Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -202,6 +204,8 @@ Authors: %patch41 %patch44 -p1 %patch46 -p1 +%patch47 +%patch50 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do diff --git a/krb5.changes b/krb5.changes index 58bfdc3..c00c208 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,25 @@ +------------------------------------------------------------------- +Tue Mar 23 14:32:41 CET 2010 - mc@suse.de + +- fix a bug where an unauthenticated remote attacker could cause + a GSS-API application including the Kerberos administration + daemon (kadmind) to crash. + CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) + +------------------------------------------------------------------- +Tue Mar 23 12:33:26 CET 2010 - mc@suse.de + +- add post 1.8 fixes + * Add IPv6 support to changepw.c + * fix two problems in kadm5_get_principal mask handling + * Ignore improperly encoded signedpath AD elements + * handle NT_SRV_INST in service principal referrals + * dereference options while checking + KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT + * Fix the kpasswd fallback from the ccache principal name + * Document the ticket_lifetime libdefaults setting + * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 + ------------------------------------------------------------------- Thu Mar 4 10:42:29 CET 2010 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index 38bed32..2196e63 100644 --- a/krb5.spec +++ b/krb5.spec @@ -28,7 +28,7 @@ Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel Version: 1.8 -Release: 1 +Release: 2 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel # bug437293 @@ -55,6 +55,8 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif +Patch47: krb5-1.7-MITKRB5-SA-2010-002.dif +Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -202,6 +204,8 @@ Authors: %patch41 %patch44 -p1 %patch46 -p1 +%patch47 +%patch50 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do