From eaff141ce071840a418119cd94913fea2bad969dd9e9a2cba5d51eb5604a361e Mon Sep 17 00:00:00 2001
From: Michael Calmer <mc@suse.com>
Date: Sun, 9 Jun 2013 14:19:29 +0000
Subject: [PATCH] - update to version 1.11.3   - Fix a UDP ping-pong
 vulnerability in the kpasswd     (password changing) service. [CVE-2002-2443]
   - Improve interoperability with some Windows native PKINIT clients. -
 install translation files - remove outdated configure options

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=104
---
 krb5-1.11.2.tar.bz2 |  3 ---
 krb5-1.11.3.tar.bz2 |  3 +++
 krb5-mini.spec      | 39 +++++++++++++++++++++++++++++----------
 krb5.changes        | 10 ++++++++++
 krb5.spec           | 39 ++++++++++++++++++++++++++++-----------
 5 files changed, 70 insertions(+), 24 deletions(-)
 delete mode 100644 krb5-1.11.2.tar.bz2
 create mode 100644 krb5-1.11.3.tar.bz2

diff --git a/krb5-1.11.2.tar.bz2 b/krb5-1.11.2.tar.bz2
deleted file mode 100644
index 52fa5e8..0000000
--- a/krb5-1.11.2.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:562e6cbbdfa6025082dbb847e7cc992d51e189e34a26fb8b528a9ce42ccbe50f
-size 9438890
diff --git a/krb5-1.11.3.tar.bz2 b/krb5-1.11.3.tar.bz2
new file mode 100644
index 0000000..87e06d4
--- /dev/null
+++ b/krb5-1.11.3.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3c96e54a2975ce4556703f0f13605ef0f3d697a7a332ff00da00e6dd53625488
+size 9440735
diff --git a/krb5-mini.spec b/krb5-mini.spec
index 6c96c16..610201a 100644
--- a/krb5-mini.spec
+++ b/krb5-mini.spec
@@ -17,7 +17,7 @@
 
 
 %define build_mini 1
-%define srcRoot krb5-1.11.2
+%define srcRoot krb5-1.11.3
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
 %define krb5docdir  %{_defaultdocdir}/krb5
 
@@ -31,7 +31,7 @@ BuildRequires:  keyutils-devel
 BuildRequires:  libcom_err-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  ncurses-devel
-Version:        1.11.2
+Version:        1.11.3
 Release:        0
 Summary:        MIT Kerberos5 Implementation--Libraries
 License:        MIT
@@ -193,8 +193,12 @@ Include Files for Development
 rm -f src/lib/krb5/krb/deltat.c
 cd src
 ./util/reconf
-CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC " \
+DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
 ./configure \
+        CC="%{__cc}" \
+        CFLAGS="$RPM_OPT_FLAGS -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC -fstack-protector-all " \
+        CPPFLAGS="-I%{_includedir}/et " \
+        SS_LIB="-lss" \
 	--prefix=/usr/lib/mit \
 	--sysconfdir=%{_sysconfdir} \
 	--mandir=%{_mandir} \
@@ -203,9 +207,9 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
 	--libdir=%{_libdir} \
 	--includedir=%{_includedir} \
         --localstatedir=%{_localstatedir}/lib/kerberos \
+        --localedir=%{_datadir}/locale \
 	--enable-shared \
 	--disable-static \
-        --enable-kdc-replay-cache \
         --enable-dns-for-realm \
         --disable-rpath \
 %if ! %{build_mini}
@@ -220,7 +224,7 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
         --with-selinux \
         --with-system-et \
         --with-system-ss
-make %{?jobs:-j%jobs}
+%{__make} %{?_smp_mflags}
 %if ! 0%{?build_mini}
 cd doc
 make %{?jobs:-j%jobs} substhtml
@@ -229,11 +233,19 @@ cd ..
 %endif
 
 %install
+
+# Where per-user keytabs live by default.
+mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user
+mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5
+
 cd src
 make DESTDIR=%{buildroot} install 
 cd ..
-# Munge the krb5-config script to remove rpaths and CFLAGS.
-sed "s|^CC_LINK=.*|CC_LINK='\$(CC) \$(PROG_LIBPATH)'|g" src/krb5-config > $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
+# Munge krb5-config yet again.  This is totally wrong for 64-bit, but chunks
+# of the buildconf patch already conspire to strip out /usr/<anything> from the
+# list of link flags, and it helps prevent file conflicts on multilib systems.
+sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
+
 # install autoconf macro
 mkdir -p %{buildroot}/%{_datadir}/aclocal
 install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
@@ -304,7 +316,9 @@ rm -f  %{buildroot}/usr/share/man/man1/tmac.doc*
 rm -f  /usr/share/man/man1/tmac.doc*
 #rm -rf /usr/lib/mit/share
 rm -rf %{buildroot}/usr/lib/mit/share/examples
-rm -rf %{buildroot}/usr/lib/mit/share/locale
+#rm -rf %{buildroot}/usr/lib/mit/share/locale
+
+%find_lang mit-krb5
 
 #####################################################
 # krb5(-mini) pre/post/postun
@@ -391,7 +405,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
 
 %if %{build_mini}
 
-%files
+%files -f mit-krb5.lang
 %defattr(-,root,root)
 %dir %{krb5docdir}
 # add directories
@@ -402,6 +416,8 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
 %dir %{_libdir}/krb5/plugins/libkrb5
 %dir %{_localstatedir}/lib/kerberos/
 %dir %{_localstatedir}/lib/kerberos/krb5kdc
+%dir %{_localstatedir}/lib/kerberos/krb5
+%dir %{_localstatedir}/lib/kerberos/krb5/user
 %attr(0700,root,root) %dir /var/log/krb5
 %dir /usr/lib/mit
 %dir /usr/lib/mit/sbin
@@ -473,7 +489,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
 %{_mandir}/man8/*
 %else
 
-%files
+%files -f mit-krb5.lang
 %defattr(-,root,root)
 %dir %{krb5docdir}
 # add plugin directories
@@ -499,6 +515,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
 
 %files server
 %defattr(-,root,root)
+%attr(0700,root,root) %dir /var/log/krb5
 %config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
 %{_sysconfdir}/init.d/kadmind
 %{_sysconfdir}/init.d/krb5kdc
@@ -513,6 +530,8 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
 %dir /usr/lib/mit/sbin
 %dir %{_localstatedir}/lib/kerberos/
 %dir %{_localstatedir}/lib/kerberos/krb5kdc
+%dir %{_localstatedir}/lib/kerberos/krb5
+%dir %{_localstatedir}/lib/kerberos/krb5/user
 %dir %{_libdir}/krb5
 %dir %{_libdir}/krb5/plugins
 %dir %{_libdir}/krb5/plugins/kdb
diff --git a/krb5.changes b/krb5.changes
index c587101..24ed46f 100644
--- a/krb5.changes
+++ b/krb5.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Sun Jun  9 14:14:48 UTC 2013 - mc@suse.com
+
+- update to version 1.11.3
+  - Fix a UDP ping-pong vulnerability in the kpasswd
+    (password changing) service. [CVE-2002-2443]
+  - Improve interoperability with some Windows native PKINIT clients.
+- install translation files
+- remove outdated configure options
+
 -------------------------------------------------------------------
 Tue May 28 17:08:01 UTC 2013 - mc@suse.com
 
diff --git a/krb5.spec b/krb5.spec
index 83e1a30..119d401 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -17,7 +17,7 @@
 
 
 %define build_mini 0
-%define srcRoot krb5-1.11.2
+%define srcRoot krb5-1.11.3
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
 %define krb5docdir  %{_defaultdocdir}/krb5
 
@@ -31,7 +31,7 @@ BuildRequires:  keyutils-devel
 BuildRequires:  libcom_err-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  ncurses-devel
-Version:        1.11.2
+Version:        1.11.3
 Release:        0
 Summary:        MIT Kerberos5 Implementation--Libraries
 License:        MIT
@@ -193,8 +193,12 @@ Include Files for Development
 rm -f src/lib/krb5/krb/deltat.c
 cd src
 ./util/reconf
-CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC " \
+DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
 ./configure \
+        CC="%{__cc}" \
+        CFLAGS="$RPM_OPT_FLAGS -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC -fstack-protector-all " \
+        CPPFLAGS="-I%{_includedir}/et " \
+        SS_LIB="-lss" \
 	--prefix=/usr/lib/mit \
 	--sysconfdir=%{_sysconfdir} \
 	--mandir=%{_mandir} \
@@ -203,9 +207,9 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
 	--libdir=%{_libdir} \
 	--includedir=%{_includedir} \
         --localstatedir=%{_localstatedir}/lib/kerberos \
+        --localedir=%{_datadir}/locale \
 	--enable-shared \
 	--disable-static \
-        --enable-kdc-replay-cache \
         --enable-dns-for-realm \
         --disable-rpath \
 %if ! %{build_mini}
@@ -220,7 +224,7 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
         --with-selinux \
         --with-system-et \
         --with-system-ss
-make %{?jobs:-j%jobs}
+%{__make} %{?_smp_mflags}
 %if ! 0%{?build_mini}
 cd doc
 make %{?jobs:-j%jobs} substhtml
@@ -229,11 +233,19 @@ cd ..
 %endif
 
 %install
+
+# Where per-user keytabs live by default.
+mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user
+mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5
+
 cd src
 make DESTDIR=%{buildroot} install 
 cd ..
-# Munge the krb5-config script to remove rpaths and CFLAGS.
-sed "s|^CC_LINK=.*|CC_LINK='\$(CC) \$(PROG_LIBPATH)'|g" src/krb5-config > $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
+# Munge krb5-config yet again.  This is totally wrong for 64-bit, but chunks
+# of the buildconf patch already conspire to strip out /usr/<anything> from the
+# list of link flags, and it helps prevent file conflicts on multilib systems.
+sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
+
 # install autoconf macro
 mkdir -p %{buildroot}/%{_datadir}/aclocal
 install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
@@ -302,9 +314,9 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos
 # cleanup
 rm -f  %{buildroot}/usr/share/man/man1/tmac.doc*
 rm -f  /usr/share/man/man1/tmac.doc*
-#rm -rf /usr/lib/mit/share
 rm -rf %{buildroot}/usr/lib/mit/share/examples
-rm -rf %{buildroot}/usr/lib/mit/share/locale
+
+%find_lang mit-krb5
 
 #####################################################
 # krb5(-mini) pre/post/postun
@@ -391,7 +403,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
 
 %if %{build_mini}
 
-%files
+%files -f mit-krb5.lang
 %defattr(-,root,root)
 %dir %{krb5docdir}
 # add directories
@@ -402,6 +414,8 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
 %dir %{_libdir}/krb5/plugins/libkrb5
 %dir %{_localstatedir}/lib/kerberos/
 %dir %{_localstatedir}/lib/kerberos/krb5kdc
+%dir %{_localstatedir}/lib/kerberos/krb5
+%dir %{_localstatedir}/lib/kerberos/krb5/user
 %attr(0700,root,root) %dir /var/log/krb5
 %dir /usr/lib/mit
 %dir /usr/lib/mit/sbin
@@ -473,7 +487,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
 %{_mandir}/man8/*
 %else
 
-%files
+%files -f mit-krb5.lang
 %defattr(-,root,root)
 %dir %{krb5docdir}
 # add plugin directories
@@ -499,6 +513,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
 
 %files server
 %defattr(-,root,root)
+%attr(0700,root,root) %dir /var/log/krb5
 %config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
 %{_sysconfdir}/init.d/kadmind
 %{_sysconfdir}/init.d/krb5kdc
@@ -513,6 +528,8 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
 %dir /usr/lib/mit/sbin
 %dir %{_localstatedir}/lib/kerberos/
 %dir %{_localstatedir}/lib/kerberos/krb5kdc
+%dir %{_localstatedir}/lib/kerberos/krb5
+%dir %{_localstatedir}/lib/kerberos/krb5/user
 %dir %{_libdir}/krb5
 %dir %{_libdir}/krb5/plugins
 %dir %{_libdir}/krb5/plugins/kdb