3 Commits

Noel Power
8b32daee32 Remove unused old file 0010-CVE-2025-24528.patch
Signed-off-by: Noel Power <noel.power@suse.com>
2026-01-26 15:26:03 +00:00
Noel Power
059debc8f0 Remove old unused file (from previous version)
Signed-off-by: Noel Power <noel.power@suse.com>
2026-01-26 14:45:57 +00:00
Noel Power
796c8f1350 Update version to 1.22.1 (submitting also to network/krb5)
Additionally contains changes for (PED-14767)

Signed-off-by: Noel Power <noel.power@suse.com>
2026-01-23 12:44:47 +00:00
20 changed files with 693 additions and 432 deletions


@@ -1,7 +1,7 @@
From cb49731c07ee57f64bd5a93a182446bc834b9057 Mon Sep 17 00:00:00 2001
From c9ba1af2540cd00b700a7db6ff3f7a0e507cb6b8 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH 1/8] ksu pam integration
Subject: [PATCH 1/9] ksu pam integration
Modify ksu so that it performs account and session management on behalf of
the target user account, mimicking the action of regular su. The default
@@ -30,10 +30,10 @@ Last-updated: krb5-1.18-beta1
create mode 100644 src/clients/ksu/pam.h
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 024d6370c..43eed3b87 100644
index 7397bdcc2..3b3be926b 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -1677,3 +1677,71 @@ if test "$with_ldap" = yes; then
@@ -1413,3 +1413,71 @@ if test "$with_ldap" = yes; then
OPENLDAP_PLUGIN=yes
fi
])dnl
@@ -106,7 +106,7 @@ index 024d6370c..43eed3b87 100644
+AC_SUBST(NON_PAM_MAN)
+])dnl
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index 8b4edce4d..9d58f29b5 100644
index 9a892e665..5c9845c1f 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
@@ -144,7 +144,7 @@ index 8b4edce4d..9d58f29b5 100644
clean:
$(RM) ksu
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index af1286172..931f05404 100644
index ca3981ea7..da029e877 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
@@ -174,7 +174,7 @@ index af1286172..931f05404 100644
/***********/
#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
@@ -536,6 +542,23 @@ main (argc, argv)
@@ -523,6 +529,23 @@ main(int argc, char ** argv)
prog_name,target_user,client_name,
source_user,ontty());
@@ -198,7 +198,7 @@ index af1286172..931f05404 100644
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for "
@@ -596,6 +619,24 @@ main (argc, argv)
@@ -583,6 +606,24 @@ main(int argc, char ** argv)
exit(1);
}
@@ -223,7 +223,7 @@ index af1286172..931f05404 100644
}
if( some_rest_copy){
@@ -653,6 +694,30 @@ main (argc, argv)
@@ -640,6 +681,30 @@ main(int argc, char ** argv)
exit(1);
}
@@ -254,7 +254,7 @@ index af1286172..931f05404 100644
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
@@ -750,7 +815,7 @@ main (argc, argv)
@@ -737,7 +802,7 @@ main(int argc, char ** argv)
fprintf(stderr, "program to be execed %s\n",params[0]);
}
@@ -263,7 +263,7 @@ index af1286172..931f05404 100644
execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target);
@@ -780,16 +845,35 @@ main (argc, argv)
@@ -767,16 +832,35 @@ main(int argc, char ** argv)
if (ret_pid == -1) {
com_err(prog_name, errno, _("while calling waitpid"));
}
@@ -271,7 +271,7 @@ index af1286172..931f05404 100644
+ if( !keep_target_cache ) {
+ sweep_up(ksu_context, cc_target);
+ }
exit (statusp);
exit (WIFEXITED(statusp) ? WEXITSTATUS(statusp) : 1);
case -1:
com_err(prog_name, errno, _("while trying to fork."));
sweep_up(ksu_context, cc_target);
@@ -759,10 +759,10 @@ index 000000000..d45b9fd84
+void appl_pam_cleanup(void);
+#endif
diff --git a/src/configure.ac b/src/configure.ac
index 4eb080784..693f76a81 100644
index 4325fae99..969d05fff 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1389,6 +1389,8 @@ AC_SUBST([VERTO_VERSION])
@@ -1407,6 +1407,8 @@ AC_SUBST([VERTO_VERSION])
AC_PATH_PROG(GROFF, groff)
@@ -772,5 +772,5 @@ index 4eb080784..693f76a81 100644
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
--
2.30.0
2.51.0


@@ -1,7 +1,7 @@
From 852d6a0d81b21673bdcb80ff13bf60dd5a416dd4 Mon Sep 17 00:00:00 2001
From c79a302c3ddf91ef9b389be3bab47abf4261e2e3 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:06:55 +0100
Subject: [PATCH 2/8] krb5-1.9-manpaths
Subject: [PATCH 2/9] krb5-1.9-manpaths
Import krb5-1.9-manpaths.dif
@@ -13,16 +13,19 @@ configure scripts should be rebuilt. Originally RT#6525
src/man/kpropd.man | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: krb5-1.19.3/src/man/kpropd.man
===================================================================
--- krb5-1.19.3.orig/src/man/kpropd.man
+++ krb5-1.19.3/src/man/kpropd.man
@@ -68,7 +68,7 @@ the \fB/etc/inetd.conf\fP file which loo
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index b1caad000..9bfa7be94 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -67,7 +67,7 @@ the \fB/etc/inetd.conf\fP file which looks like this:
.INDENT 3.5
.sp
.nf
.ft C
.EX
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+kprop stream tcp nowait root @SBINDIR@/kpropd kpropd
.ft P
.fi
.EE
.UNINDENT
.UNINDENT
--
2.51.0


@@ -1,7 +1,7 @@
From 48abdf7c7b28611c1135b35dfa23ac61899e80b2 Mon Sep 17 00:00:00 2001
From 25aaa35ecfe65cf857ae2319c49602255684ca4d Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:45:26 -0400
Subject: [PATCH 3/8] Adjust build configuration
Subject: [PATCH 3/9] Adjust build configuration
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
and install shared libraries with the execute bit set on them. Prune out
@@ -16,11 +16,11 @@ Last-updated: krb5-1.15-beta1
src/config/shlib.conf | 5 +++--
3 files changed, 11 insertions(+), 3 deletions(-)
Index: krb5-1.19.3/src/build-tools/krb5-config.in
===================================================================
--- krb5-1.19.3.orig/src/build-tools/krb5-config.in
+++ krb5-1.19.3/src/build-tools/krb5-config.in
@@ -224,6 +224,13 @@ if test -n "$do_libs"; then
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
index 2cb439887..9c6e55bf6 100755
--- a/src/build-tools/krb5-config.in
+++ b/src/build-tools/krb5-config.in
@@ -222,6 +222,13 @@ if test -n "$do_libs"; then
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-e 's#\$(CFLAGS)##'`
@@ -34,11 +34,11 @@ Index: krb5-1.19.3/src/build-tools/krb5-config.in
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5
Index: krb5-1.19.3/src/config/pre.in
===================================================================
--- krb5-1.19.3.orig/src/config/pre.in
+++ krb5-1.19.3/src/config/pre.in
@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
diff --git a/src/config/pre.in b/src/config/pre.in
index 1197c1ffd..a04b3890a 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
INSTALL_SCRIPT=@INSTALL_PROGRAM@
INSTALL_DATA=@INSTALL_DATA@
INSTALL_SHLIB=@INSTALL_SHLIB@
@@ -47,20 +47,20 @@ Index: krb5-1.19.3/src/config/pre.in
## This is needed because autoconf will sometimes define @exec_prefix@ to be
## ${prefix}.
prefix=@prefix@
Index: krb5-1.19.3/src/config/shlib.conf
===================================================================
--- krb5-1.19.3.orig/src/config/shlib.conf
+++ krb5-1.19.3/src/config/shlib.conf
@@ -424,7 +424,7 @@ mips-*-netbsd*)
diff --git a/src/config/shlib.conf b/src/config/shlib.conf
index f838c2536..b5008ac7a 100644
--- a/src/config/shlib.conf
+++ b/src/config/shlib.conf
@@ -273,7 +273,7 @@ mips-*-netbsd*)
# Linux ld doesn't default to stuffing the SONAME field...
# Use objdump -x to examine the fields of the library
# UNDEF_CHECK is suppressed by --enable-asan
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro -Wl,--warn-shared-textrel'
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-z,nodelete -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-z,nodelete -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro -Wl,--warn-shared-textrel'
UNDEF_CHECK='-Wl,--no-undefined'
# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
@@ -436,7 +436,8 @@ mips-*-netbsd*)
@@ -285,7 +285,8 @@ mips-*-netbsd*)
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
@@ -70,3 +70,6 @@ Index: krb5-1.19.3/src/config/shlib.conf
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
--
2.51.0


@@ -1,7 +1,7 @@
From c1b8aa3d8546453544fd659ef18b96709eb88e54 Mon Sep 17 00:00:00 2001
From b1a1a178c86a03a0059d4f3fd57b8d94dc24ecc2 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:09:05 +0100
Subject: [PATCH 4/8] krb5-1.6.3-gssapi_improve_errormessages
Subject: [PATCH 4/9] krb5-1.6.3-gssapi_improve_errormessages
Import krb5-1.6.3-gssapi_improve_errormessages.dif
---
@@ -22,5 +22,5 @@ index bc416107e..22612f970 100644
*minor_status = ENOMEM;
return(GSS_S_FAILURE);
--
2.25.0
2.51.0


@@ -1,20 +1,20 @@
From 2a5b2877495384bbe5db8f3b66ac342f83cd45dc Mon Sep 17 00:00:00 2001
From 75806e167e2ee2b9334b049ac9829fd76db2e65b Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:14:47 +0100
Subject: [PATCH 5/8] krb5-1.6.3-ktutil-manpage
Subject: [PATCH 5/9] krb5-1.6.3-ktutil-manpage
Import krb5-1.6.3-ktutil-manpage.dif
---
src/man/ktutil.man | 12 ++++++++++++
1 file changed, 12 insertions(+)
Index: krb5-1.19.3/src/man/ktutil.man
===================================================================
--- krb5-1.19.3.orig/src/man/ktutil.man
+++ krb5-1.19.3/src/man/ktutil.man
@@ -153,6 +153,18 @@ ktutil:
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index 8e4ec8377..06aaa6635 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -151,6 +151,18 @@ ktutil:
.sp
See kerberos(7) for a description of Kerberos environment
See \fI\%kerberos\fP for a description of Kerberos environment
variables.
+.SH REMARKS
+Changes to the keytab are appended to the keytab file (i.e., the keytab file
@@ -30,4 +30,7 @@ Index: krb5-1.19.3/src/man/ktutil.man
+# mv /tmp/krb5.newtab /etc/krb5.keytab
.SH SEE ALSO
.sp
kadmin(1), kdb5_util(8), kerberos(7)
\fI\%kadmin\fP, \fI\%kdb5_util\fP, \fI\%kerberos\fP
--
2.51.0


@@ -1,7 +1,7 @@
From b8544a75b273008042fadf51f0b49c00617ff275 Mon Sep 17 00:00:00 2001
From 3938177c375ed9db1693651546e9d0cc345377f5 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:15:50 +0100
Subject: [PATCH 6/8] krb5-1.12-api
Subject: [PATCH 6/9] krb5-1.12-api
Import krb5-1.12-api.patch
@@ -38,5 +38,5 @@ index a6936107d..0ed78833b 100644
/* Treat UPNs as if they were real principals */
if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
--
2.25.0
2.51.0


@@ -1,7 +1,7 @@
From cc329567eec2ab99f2dd883b2d48b069054d85b5 Mon Sep 17 00:00:00 2001
From ca713cfac29cd557bb8247d6629aa5d5abc9d6b2 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] SELinux integration
Subject: [PATCH 7/9] SELinux integration
SELinux bases access to files on the domain of the requesting process,
the operation being performed, and the context applied to the file.
@@ -69,7 +69,7 @@ Last-updated: krb5-1.20.1
create mode 100644 src/util/support/selinux.c
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index baec309ae..b09c74b1b 100644
index 3b3be926b..e61826542 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag)
@@ -80,7 +80,7 @@ index baec309ae..b09c74b1b 100644
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1526,3 +1527,51 @@ AC_SUBST(PAM_LIBS)
@@ -1481,3 +1482,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
@@ -133,52 +133,52 @@ index baec309ae..b09c74b1b 100644
+AC_SUBST(SELINUX_LIBS)
+])dnl
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
index f153aeb1c..c2f13f38c 100755
index 9c6e55bf6..c484f5340 100755
--- a/src/build-tools/krb5-config.in
+++ b/src/build-tools/krb5-config.in
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
@@ -40,6 +40,7 @@ DL_LIB='@DL_LIB@'
DEFCCNAME='@DEFCCNAME@'
DEFKTNAME='@DEFKTNAME@'
DEFCKTNAME='@DEFCKTNAME@'
+SELINUX_LIBS='@SELINUX_LIBS@'
LIBS='@LIBS@'
GEN_LIB=@GEN_LIB@
@@ -261,7 +262,7 @@ if test -n "$do_libs"; then
@@ -259,7 +260,7 @@ if test -n "$do_libs"; then
fi
# If we ever support a flag to generate output suitable for static
- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
# here.
- # linking, we would output "-lkrb5support $LIBS $DL_LIB" here.
+ # linking, we would output "-lkrb5support $LIBS $SELINUX_LIBS $DL_LIB" here.
echo $lib_flags
fi
diff --git a/src/config/pre.in b/src/config/pre.in
index c96d7c1f4..290f06cc2 100644
index a04b3890a..0676e11c2 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -177,6 +177,7 @@ LD = $(PURE) @LD@
KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
@@ -178,6 +178,7 @@ KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
LDFLAGS = @LDFLAGS@
LIBS = @LIBS@
FUZZ_LDFLAGS = @FUZZ_LDFLAGS@
+SELINUX_LIBS=@SELINUX_LIBS@
INSTALL=@INSTALL@
INSTALL_STRIP=
@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
@@ -377,7 +378,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB)
+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(LIBS) $(DL_LIB)
+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on macOS!
diff --git a/src/configure.ac b/src/configure.ac
index aa970b044..40545f2bf 100644
index 969d05fff..53936759e 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1402,6 +1402,8 @@ AC_PATH_PROG(GROFF, groff)
@@ -1409,6 +1409,8 @@ AC_PATH_PROG(GROFF, groff)
KRB5_WITH_PAM
@@ -188,7 +188,7 @@ index aa970b044..40545f2bf 100644
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 44dc1eeb3..c3aecba7d 100644
index cfd2cc939..bc2a0a3f6 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -128,6 +128,7 @@ typedef unsigned char u_char;
@@ -238,10 +238,10 @@ index 000000000..dfaaa847c
+#endif
+#endif
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index c0194c3c9..7e1dea2cb 100644
index b5d295f33..0225ad37c 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
@@ -83,6 +83,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
@@ -255,10 +255,10 @@ index c0194c3c9..7e1dea2cb 100644
#include <stdlib.h>
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index a89b5144f..4d6cc0bdf 100644
index e45551a20..cd32ebdaf 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
@@ -134,12 +134,21 @@ create_ofile(char *ofile, char **tmpname)
{
int fd = -1;
FILE *f;
@@ -280,7 +280,7 @@ index a89b5144f..4d6cc0bdf 100644
if (fd == -1)
goto error;
@@ -197,7 +206,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd_out)
@@ -183,7 +192,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd_out)
goto cleanup;
}
@@ -290,23 +290,23 @@ index a89b5144f..4d6cc0bdf 100644
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
goto cleanup;
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 38b929906..085afc922 100644
index 105276601..f48d60a77 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -848,7 +848,7 @@ write_pid_file(const char *path)
FILE *file;
@@ -837,7 +837,7 @@ write_pid_file(const char *path)
unsigned long pid;
int st1, st2;
- file = fopen(path, "w");
+ file = WRITABLEFOPEN(path, "w");
if (file == NULL)
return errno;
pid = (unsigned long) getpid();
pid = (unsigned long)getpid();
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
index f2341d720..ffdac9f39 100644
index 4b3675264..296ca2bb7 100644
--- a/src/kprop/kpropd.c
+++ b/src/kprop/kpropd.c
@@ -488,6 +488,9 @@ doit(int fd)
@@ -489,6 +489,9 @@ doit(int fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN + 1];
@@ -316,7 +316,7 @@ index f2341d720..ffdac9f39 100644
signal_wrapper(SIGALRM, alarm_handler);
alarm(params.iprop_resync_timeout);
@@ -543,9 +546,15 @@ doit(int fd)
@@ -544,9 +547,15 @@ doit(int fd)
free(name);
exit(1);
}
@@ -333,10 +333,10 @@ index f2341d720..ffdac9f39 100644
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
if (retval) {
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
index c6885edf2..9aec3c05e 100644
index e14da5379..b879a4049 100644
--- a/src/lib/kadm5/logger.c
+++ b/src/lib/kadm5/logger.c
@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
@@ -310,7 +310,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
*/
append = (cp[4] == ':') ? O_APPEND : 0;
if (append || cp[4] == '=') {
@@ -345,7 +345,7 @@ index c6885edf2..9aec3c05e 100644
S_IRUSR | S_IWUSR | S_IRGRP);
if (fd != -1)
f = fdopen(fd, append ? "a" : "w");
@@ -776,7 +776,7 @@ krb5_klog_reopen(krb5_context kcontext)
@@ -777,7 +777,7 @@ krb5_klog_reopen(krb5_context kcontext)
* In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs.
*/
@@ -355,10 +355,10 @@ index c6885edf2..9aec3c05e 100644
set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f;
diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
index 2659a2501..e9b95fce5 100644
index b840eec9a..419beab9e 100644
--- a/src/lib/kdb/kdb_log.c
+++ b/src/lib/kdb/kdb_log.c
@@ -480,7 +480,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
@@ -512,7 +512,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
return ENOMEM;
if (stat(logname, &st) == -1) {
@@ -418,10 +418,10 @@ index 1da40b51d..f3ab7340a 100644
_("Credential cache directory %s does not exist"),
dirname);
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index e510211fc..f3ea28c8e 100644
index 993f902c7..8fd150511 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
@@ -736,14 +736,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
KTCHECKLOCK(id);
errno = 0;
@@ -439,10 +439,10 @@ index e510211fc..f3ea28c8e 100644
goto report_errno;
writevno = 1;
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index 3369fc4ba..95f82cda0 100644
index 89699f7df..9c7d7dad6 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -459,7 +459,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
@@ -455,7 +455,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
fd = malloc(sizeof(*fd));
if (fd == NULL)
return ENOMEM;
@@ -452,7 +452,7 @@ index 3369fc4ba..95f82cda0 100644
free(fd);
return errno;
diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
index 7db30a33b..2b9d01921 100644
index 9a506e9d4..f92ab4714 100644
--- a/src/plugins/kdb/db2/adb_openclose.c
+++ b/src/plugins/kdb/db2/adb_openclose.c
@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
@@ -465,7 +465,7 @@ index 7db30a33b..2b9d01921 100644
* maybe someone took away write permission so we could only
* get shared locks?
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
index 2c163d91c..9a344a603 100644
index 381228e6d..eb8610b2a 100644
--- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)
@@ -480,7 +480,7 @@ index 2c163d91c..9a344a603 100644
retval = errno;
goto cleanup;
diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
index 2977b17f3..d5809a5a9 100644
index 56bab1941..ef7515c3d 100644
--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95";
@@ -491,7 +491,7 @@ index 2977b17f3..d5809a5a9 100644
#include "db-int.h"
#include "btree.h"
@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags)
@@ -201,7 +202,7 @@ __bt_open(const char *fname, int flags, int mode, const BTREEINFO *openinfo,
goto einval;
}
@@ -501,7 +501,7 @@ index 2977b17f3..d5809a5a9 100644
} else {
diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
index 862dbb164..686a960c9 100644
index 7c3e951aa..9528b6253 100644
--- a/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95";
@@ -512,7 +512,7 @@ index 862dbb164..686a960c9 100644
#include "db-int.h"
#include "hash.h"
#include "page.h"
@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags)
@@ -127,7 +128,7 @@ __kdb2_hash_open(const char *file, int flags, int mode, const HASHINFO *info,
new_table = 1;
}
if (file) {
@@ -522,7 +522,7 @@ index 862dbb164..686a960c9 100644
(void)fcntl(hashp->fp, F_SETFD, 1);
}
diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
index d8b26e701..b0daa7c02 100644
index acbf03d9d..de3fc3f4d 100644
--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94";
@@ -533,7 +533,7 @@ index d8b26e701..b0daa7c02 100644
#include "db-int.h"
#include "recno.h"
@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags)
@@ -66,7 +67,8 @@ __rec_open(const char *fname, int flags, int mode, const RECNOINFO *openinfo,
int rfd = -1, sverrno;
/* Open the user's file -- if this fails, we're done. */
@@ -581,7 +581,7 @@ index e87688d66..30f7c00ab 100644
if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file);
diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
index aa951df05..79f9500f6 100644
index 8b0b2bb44..9468e317b 100644
--- a/src/util/profile/prof_file.c
+++ b/src/util/profile/prof_file.c
@@ -33,6 +33,7 @@
@@ -592,7 +592,7 @@ index aa951df05..79f9500f6 100644
struct global_shared_profile_data {
/* This is the head of the global list of shared trees */
@@ -391,7 +392,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile,
@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile,
errno = 0;
@@ -602,10 +602,10 @@ index aa951df05..79f9500f6 100644
retval = errno;
if (retval == 0)
diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
index 86d5a950a..1052d53a1 100644
index b9cd70dac..6705681df 100644
--- a/src/util/support/Makefile.in
+++ b/src/util/support/Makefile.in
@@ -74,6 +74,7 @@ IPC_SYMS= \
@@ -79,6 +79,7 @@ IPC_SYMS= \
STLIBOBJS= \
threads.o \
@@ -613,7 +613,7 @@ index 86d5a950a..1052d53a1 100644
init-addrinfo.o \
plugins.o \
errors.o \
@@ -168,7 +169,7 @@ SRCS=\
@@ -176,7 +177,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
@@ -1034,5 +1034,5 @@ index 000000000..807d039da
+
+#endif /* USE_SELINUX */
--
2.39.2
2.51.0


@@ -1,7 +1,7 @@
From f079a7f765dc76eb01ba80fb7214ee0d25116e59 Mon Sep 17 00:00:00 2001
From 48f6d3981f4c1231c6357c41371a682c5277cdc4 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:18:16 +0100
Subject: [PATCH 8/8] krb5-1.9-debuginfo
Subject: [PATCH 8/9] krb5-1.9-debuginfo
Import krb5-1.9-debuginfo.patch
@@ -40,5 +40,5 @@ index 8669c2436..a22f23c02 100644
install:
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
--
2.25.0
2.51.0


@@ -1,205 +0,0 @@
From 489deee29f427f22e2a26de729319bdb70819c37 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 5 Mar 2024 19:53:07 -0500
Subject: [PATCH 2/2] Fix two unlikely memory leaks
In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
could probably never be triggered) leaks plain.data. Fix this leak
and use current practices for cleanup throughout the function.
In xmt_rmtcallres() (unused within the tree and likely elsewhere),
store port_ptr into crp->port_ptr as soon as it is allocated;
otherwise it could leak if the subsequent xdr_u_int32() operation
fails.
(cherry picked from commit c5f9c816107f70139de11b38aa02db2f1774ee0d)
---
src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++-------------------
src/lib/rpc/pmap_rmt.c | 9 +++---
2 files changed, 29 insertions(+), 36 deletions(-)
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
index 3b4f8cb837..e881eee835 100644
--- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
int conf_req_flag, int toktype)
{
size_t bufsize = 16;
- unsigned char *outbuf = 0;
+ unsigned char *outbuf = NULL;
krb5_error_code err;
int key_usage;
unsigned char acceptor_flag;
@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
#endif
size_t ec;
unsigned short tok_id;
- krb5_checksum sum;
+ krb5_checksum sum = { 0 };
krb5_key key;
krb5_cksumtype cksumtype;
+ krb5_data plain = empty_data();
+
+ token->value = NULL;
+ token->length = 0;
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
key_usage = (toktype == KG_TOK_WRAP_MSG
@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
#endif
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
- krb5_data plain;
krb5_enc_data cipher;
size_t ec_max;
size_t encrypt_size;
/* 300: Adds some slop. */
- if (SIZE_MAX - 300 < message->length)
- return ENOMEM;
+ if (SIZE_MAX - 300 < message->length) {
+ err = ENOMEM;
+ goto cleanup;
+ }
ec_max = SIZE_MAX - message->length - 300;
if (ec_max > 0xffff)
ec_max = 0xffff;
@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
#endif
err = alloc_data(&plain, message->length + 16 + ec);
if (err)
- return err;
+ goto cleanup;
/* Get size of ciphertext. */
encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
if (encrypt_size > SIZE_MAX / 2) {
err = ENOMEM;
- goto error;
+ goto cleanup;
}
bufsize = 16 + encrypt_size;
/* Allocate space for header plus encrypted data. */
outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
- free(plain.data);
- return ENOMEM;
+ err = ENOMEM;
+ goto cleanup;
}
/* TOK_ID */
@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
cipher.ciphertext.length = bufsize - 16;
cipher.enctype = key->keyblock.enctype;
err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
- zap(plain.data, plain.length);
- free(plain.data);
- plain.data = 0;
if (err)
- goto error;
+ goto cleanup;
/* Now that we know we're returning a valid token.... */
ctx->seq_send++;
@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
/* If the rotate fails, don't worry about it. */
#endif
} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
- krb5_data plain;
size_t cksumsize;
/* Here, message is the application-supplied data; message2 is
@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
wrap_with_checksum:
err = alloc_data(&plain, message->length + 16);
if (err)
- return err;
+ goto cleanup;
err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
if (err)
- goto error;
+ goto cleanup;
assert(cksumsize <= 0xffff);
bufsize = 16 + message2->length + cksumsize;
outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
- free(plain.data);
- plain.data = 0;
err = ENOMEM;
- goto error;
+ goto cleanup;
}
/* TOK_ID */
@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
if (message2->length)
memcpy(outbuf + 16, message2->value, message2->length);
- sum.contents = outbuf + 16 + message2->length;
- sum.length = cksumsize;
-
err = krb5_k_make_checksum(context, cksumtype, key,
key_usage, &plain, &sum);
- zap(plain.data, plain.length);
- free(plain.data);
- plain.data = 0;
if (err) {
zap(outbuf,bufsize);
- goto error;
+ goto cleanup;
}
if (sum.length != cksumsize)
abort();
memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
- krb5_free_checksum_contents(context, &sum);
- sum.contents = 0;
/* Now that we know we're actually generating the token... */
ctx->seq_send++;
@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
token->value = outbuf;
token->length = bufsize;
- return 0;
+ outbuf = NULL;
+ err = 0;
-error:
+cleanup:
+ krb5_free_checksum_contents(context, &sum);
+ zapfree(plain.data, plain.length);
gssalloc_free(outbuf);
- token->value = NULL;
- token->length = 0;
return err;
}
diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
index 8c7e30c21a..0748af34a7 100644
--- a/src/lib/rpc/pmap_rmt.c
+++ b/src/lib/rpc/pmap_rmt.c
@@ -160,11 +160,12 @@ xdr_rmtcallres(
caddr_t port_ptr;
port_ptr = (caddr_t)(void *)crp->port_ptr;
- if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
- xdr_u_int32) && xdr_u_int32(xdrs, &crp->resultslen)) {
- crp->port_ptr = (uint32_t *)(void *)port_ptr;
+ if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
+ (xdrproc_t)xdr_u_int32))
+ return (FALSE);
+ crp->port_ptr = (uint32_t *)(void *)port_ptr;
+ if (xdr_u_int32(xdrs, &crp->resultslen))
return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
- }
return (FALSE);
}
--
2.44.0

0009-UsrEtc-support.patch Normal file

@@ -0,0 +1,299 @@
From 4d138d9b4393ba1e38a0e8a02daf504adc549feb Mon Sep 17 00:00:00 2001
From: Stefan Schubert <schubi@suse.de>
Date: Fri, 29 Aug 2025 20:29:04 +0200
Subject: [PATCH] UsrEtc support
[scabrero@suse.com: Amend to fix memory leak in os_get_default_config_files()]
[scabrero@suse.com: Add --enable-vendordir, simplify configure.ac]
[scabrero@suse.com: Fix typo]
---
doc/admin/conf_files/krb5_conf.rst | 14 ++++++++++++--
doc/conf.py | 5 ++++-
src/configure.ac | 25 +++++++++++++++++++++++++
src/doc/Makefile.in | 23 +++++++++++++++++++----
src/include/Makefile.in | 4 +++-
src/include/osconf.hin | 4 ++++
src/lib/krb5/os/init_os_ctx.c | 22 +++++++++++++++++++++-
src/man/Makefile.in | 9 ++++++++-
8 files changed, 96 insertions(+), 10 deletions(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index e0c7a6330..a169b6e36 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -7,8 +7,14 @@ The krb5.conf file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms.
-Normally, you should install your krb5.conf file in the directory
-``/etc``. You can override the default location by setting the
+Normally, you should install your individual krb5.conf file in the directory
+``/etc``.
+
+.. only:: use_vendordir
+ If there is no individual one the dafault one |vendorkrb5conf| will
+ be taken.
+
+You can override the default location by setting the
environment variable **KRB5_CONFIG**. Multiple colon-separated
filenames may be specified in **KRB5_CONFIG**; all files which are
present will be read. Starting in release 1.14, directory names can
@@ -1271,6 +1277,10 @@ FILES
|krb5conf|
+.. only:: use_vendordir
+
+ |vendorkrb5conf| if |krb5conf| is not there.
+
SEE ALSO
--------
diff --git a/doc/conf.py b/doc/conf.py
index 60835e936..88eee1d60 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -239,6 +239,7 @@ if 'mansubs' in tags:
localstatedir = '``@LOCALSTATEDIR@``'
runstatedir = '``@RUNSTATEDIR@``'
sysconfdir = '``@SYSCONFDIR@``'
+ vendordir = '``@VENDORDIR@``'
ccache = '``@CCNAME@``'
keytab = '``@KTNAME@``'
ckeytab = '``@CKTNAME@``'
@@ -253,6 +254,7 @@ else:
localstatedir = ':ref:`LOCALSTATEDIR <paths>`'
runstatedir = ':ref:`RUNSTATEDIR <paths>`'
sysconfdir = ':ref:`SYSCONFDIR <paths>`'
+ vendordir = ':ref:`VENDORDIR <paths>`'
ccache = ':ref:`DEFCCNAME <paths>`'
keytab = ':ref:`DEFKTNAME <paths>`'
ckeytab = ':ref:`DEFCKTNAME <paths>`'
@@ -278,8 +280,9 @@ else:
rst_epilog += '.. |keytab| replace:: %s\n' % keytab
rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab
rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname
+ rst_epilog += '.. |vendorkrb5conf| replace:: %s/krb5.conf\n' % vendordir
+ rst_epilog += '.. |krb5conf| replace:: %s/krb5.conf\n' % sysconfdir
rst_epilog += '''
-.. |krb5conf| replace:: ``/etc/krb5.conf``
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac``
.. |defmkey| replace:: ``aes256-cts-hmac-sha1-96``
diff --git a/src/configure.ac b/src/configure.ac
index 53936759e..d8a902a6f 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1451,6 +1451,31 @@ fi
AC_SUBST(OSX)
AC_SUBST(MACOS_FRAMEWORK)
+# Vendordir
+AC_ARG_WITH([vendordir],
+ AS_HELP_STRING([--with-vendordir=DIR], [Directory for distribution provided configuration files]),
+ [
+ case $with_vendordir in
+ /*)
+ ;;
+ *)
+ AC_MSG_ERROR(You must specify an absolute path to --with-vendordir=DIR)
+ ;;
+ esac
+ VENDORDIR="$with_vendordir"
+ ],
+ [ VENDORDIR="/usr/etc" ])
+AC_DEFINE_UNQUOTED(VENDORDIR, ["$VENDORDIR"], [Location of vendor configuration files])
+AC_SUBST(VENDORDIR)
+
+AC_ARG_ENABLE([vendordir],
+ [AS_HELP_STRING([--enable-vendordir], [Enable support for distribution provided configuration files])],
+ [], [enable_vendordir=no])
+if test "$enable_vendordir" != no; then
+ AC_DEFINE(USE_VENDORDIR, 1, [Define if distribution provided configuration files should be used.])
+ AC_MSG_NOTICE([Used vendor dir: $VENDORDIR])
+fi
+
# Build-time default ccache, keytab, and client keytab names. These
# can be given as variable arguments DEFCCNAME, DEFKTNAME, and
# DEFCKTNAME. Otherwise, we try to get the OS defaults from
diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in
index a1b0cff0a..d0c8a66cf 100644
--- a/src/doc/Makefile.in
+++ b/src/doc/Makefile.in
@@ -11,6 +11,8 @@ DEFCCNAME=@DEFCCNAME@
DEFKTNAME=@DEFKTNAME@
DEFCKTNAME=@DEFCKTNAME@
PKCS11_MODNAME=@PKCS11_MODNAME@
+VENDORDIR=@VENDORDIR@
+USE_VENDORDIR=@USE_VENDORDIR@
RST_SOURCES= _static \
_templates \
@@ -43,7 +45,11 @@ LATEXOPTS=
# make -f Makefile.in SPHINX_ARGS= htmlsrc
html: composite
rm -rf $(docsrc)/html
- $(SPHINX_BUILD) -q rst_composite $(docsrc)/html
+ if test "$(USE_VENDORDIR)" == "1" ; then \
+ $(SPHINX_BUILD) -q rst_composite -t use_vendordir $(docsrc)/html; \
+ else \
+ $(SPHINX_BUILD) -q rst_composite $(docsrc)/html; \
+ fi
# Dummy target for use in an unconfigured source tree.
htmlsrc:
@@ -55,17 +61,25 @@ htmlsrc:
substhtml: composite paths.py
rm -rf html_subst
cp paths.py rst_composite
- $(SPHINX_BUILD) -t pathsubs -q rst_composite html_subst
+ if test "$(USE_VENDORDIR)" == "1" ; then \
+ $(SPHINX_BUILD) -t pathsubs -q -t use_vendordir rst_composite html_subst; \
+ else \
+ $(SPHINX_BUILD) -t pathsubs -q rst_composite html_subst; \
+ fi
# Create an ASCII (okay, UTF-8) version of the NOTICE file
notice.txt: $(docsrc)/conf.py $(docsrc)/notice.rst $(docsrc)/version.py
- $(SPHINX_BUILD) -b text -t notice -q $(docsrc) .
+ if test "$(USE_VENDORDIR)" == "1" ; then \
+ $(SPHINX_BUILD) -b text -t notice -t use_vendordir -q $(docsrc) .; \
+ else \
+ $(SPHINX_BUILD) -b text -t notice -q $(docsrc) .; \
+ fi
NOTICE: notice.txt
cp notice.txt $(top_srcdir)/../NOTICE
$(PDFDIR): composite
- $(SPHINX_BUILD) -b latex -q rst_composite $(PDFDIR)
+ $(SPHINX_BUILD) -b latex -q -t $(USEVENDORDIR) rst_composite $(PDFDIR)
# sphinx-build generates a gmake-specific Makefile that we don't use
mv $(PDFDIR)/Makefile $(PDFDIR)/GMakefile
@@ -116,6 +130,7 @@ paths.py:
echo 'localstatedir = "``$(localstatedir)``"' >> $@
echo 'runstatedir = "``$(runstatedir)``"' >> $@
echo 'sysconfdir = "``$(sysconfdir)``"' >> $@
+ echo 'vendordir = "``$(VENDORDIR)``"' >> $@
echo 'ccache = "``$(DEFCCNAME)``"' >> $@
echo 'keytab = "``$(DEFKTNAME)``"' >> $@
echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index b9dd98e01..cf4aa0ad6 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -56,6 +56,7 @@ BINDIR = @bindir@
SBINDIR = @sbindir@
LIBDIR = @libdir@
SYSCONFCONF = @SYSCONFCONF@
+VENDORDIR = @VENDORDIR@
PROCESS_REPLACE = -e "s\"@KRB5RCTMPDIR\"$(KRB5RCTMPDIR)\"" \
-e "s\"@PREFIX\"$(INSTALL_PREFIX)\"" \
@@ -69,7 +70,8 @@ PROCESS_REPLACE = -e "s\"@KRB5RCTMPDIR\"$(KRB5RCTMPDIR)\"" \
-e "s\"@RUNSTATEDIR\"$(RUNSTATEDIR)\"" \
-e "s\"@SYSCONFDIR\"$(SYSCONFDIR)\"" \
-e "s\"@DYNOBJEXT\"$(DYNOBJEXT)\"" \
- -e "s\"@SYSCONFCONF\"$(SYSCONFCONF)\""
+ -e "s\"@SYSCONFCONF\"$(SYSCONFCONF)\"" \
+ -e "s\"@VENDORDIR\"$(VENDORDIR)\""
OSCONFSRC = $(srcdir)/osconf.hin
diff --git a/src/include/osconf.hin b/src/include/osconf.hin
index c14297535..bad43f116 100644
--- a/src/include/osconf.hin
+++ b/src/include/osconf.hin
@@ -52,6 +52,10 @@
#else
#define DEFAULT_SECURE_PROFILE_PATH "/etc/krb5.conf@SYSCONFCONF"
#define DEFAULT_PROFILE_PATH DEFAULT_SECURE_PROFILE_PATH
+#if defined(USE_VENDORDIR)
+#define DEFAULT_VENDOR_SECURE_PROFILE_PATH "@VENDORDIR/krb5.conf"
+#define DEFAULT_VENDOR_PROFILE_PATH DEFAULT_VENDOR_SECURE_PROFILE_PATH
+#endif /* USE_VENDORDIR */
#endif
#endif /* _WINDOWS */
diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c
index c35007888..f1ef638fc 100644
--- a/src/lib/krb5/os/init_os_ctx.c
+++ b/src/lib/krb5/os/init_os_ctx.c
@@ -30,6 +30,10 @@
#include "os-proto.h"
#include "../krb/int-proto.h"
+#ifdef USE_VENDORDIR
+#include <sys/stat.h>
+#endif
+
#if defined(_WIN32)
#include <winsock.h>
#include <Shlobj.h>
@@ -294,11 +298,27 @@ os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure)
unsigned int ent_len;
const char *s, *t;
+#ifdef USE_VENDORDIR
+ struct stat stats = { 0 };
+#endif /* USE_VENDORDIR */
+
if (secure) {
filepath = DEFAULT_SECURE_PROFILE_PATH;
+#ifdef USE_VENDORDIR
+ if (stat(filepath, &stats) < 0) {
+ filepath = DEFAULT_VENDOR_SECURE_PROFILE_PATH;
+ }
+#endif /* USE_VENDORDIR */
} else {
filepath = secure_getenv("KRB5_CONFIG");
- if (!filepath) filepath = DEFAULT_PROFILE_PATH;
+ if (!filepath) {
+ filepath = DEFAULT_PROFILE_PATH;
+#ifdef USE_VENDORDIR
+ if (stat(filepath, &stats) < 0) {
+ filepath = DEFAULT_VENDOR_PROFILE_PATH;
+ }
+#endif /* USE_VENDORDIR */
+ }
}
/* count the distinct filename components */
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
index 85cae0914..9f7ccaffa 100644
--- a/src/man/Makefile.in
+++ b/src/man/Makefile.in
@@ -9,6 +9,8 @@ DEFCCNAME=@DEFCCNAME@
DEFKTNAME=@DEFKTNAME@
DEFCKTNAME=@DEFCKTNAME@
PKCS11_MODNAME=@PKCS11_MODNAME@
+vendordir=@VENDORDIR@
+USE_VENDORDIR=@USE_VENDORDIR@
MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \
kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \
@@ -26,7 +28,11 @@ docsrc=$(top_srcdir)/../doc
# manpage writer outputs near the end of its output files.
man: $(docsrc)/version.py
rm -rf rst_man
- $(SPHINX_BUILD) -q -t mansubs -b man $(docsrc) rst_man
+ if test "$(USE_VENDORDIR)" == "1" ; then \
+ $(SPHINX_BUILD) -q -t mansubs -t use_vendordir -b man $(docsrc) rst_man; \
+ else \
+ $(SPHINX_BUILD) -q -t mansubs -b man $(docsrc) rst_man; \
+ fi
for f in rst_man/*.[0-9]; do \
name=`echo $$f | sed -e 's|^.*/\(.*\)\.[0-9]$$|\1|'`; \
sed -e '/^\.\\" $$/d' \
@@ -46,6 +52,7 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h
-e 's|@LOCALSTATEDIR@|$(localstatedir)|g' \
-e 's|@RUNSTATEDIR@|$(runstatedir)|g' \
-e 's|@SYSCONFDIR@|$(sysconfdir)|g' \
+ -e 's|@VENDOR_DIR@|$(vendordir)|g' \
-e 's|@CCNAME@|$(DEFCCNAME)|g' \
-e 's|@KTNAME@|$(DEFKTNAME)|g' \
-e 's|@CKTNAME@|$(DEFCKTNAME)|g' \
--
2.52.0
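Review bot: The fallback in os_get_default_config_files() decides on `stat(filepath, &stats) < 0` against the whole `DEFAULT_SECURE_PROFILE_PATH`, which osconf.hin defines as `"/etc/krb5.conf@SYSCONFCONF"`; whenever `@SYSCONFCONF` expands to a non-empty `:...` suffix the stat target is a colon-separated list that never exists, so an existing /etc/krb5.conf is silently skipped in favour of the vendor file. The same branch treats every stat failure (EACCES, ELOOP, a transient error) as absence, and since the `secure` path is what setuid callers get, limiting the fallback to `errno == ENOENT` and stat'ing only the first colon-separated component would make the selection predictable; consider also a comment such as `/* Vendor file is used only when the primary path is absent; later components of a colon list are not consulted here. */`. Separately, configure.ac only `AC_DEFINE`s `USE_VENDORDIR` and, at least within this hunk, never `AC_SUBST`s it, so `@USE_VENDORDIR@` in src/doc/Makefile.in and src/man/Makefile.in stays literal and the `test "$(USE_VENDORDIR)" == "1"` branches cannot fire (the `==` is also a bashism in a `/bin/sh` recipe). The PDF rule references an undefined `$(USEVENDORDIR)`, so `-t` swallows `rst_composite` as the tag name, and the man sed replaces `@VENDOR_DIR@` while doc/conf.py emits `@VENDORDIR@`.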


@@ -1,62 +0,0 @@
From 78ceba024b64d49612375be4a12d1c066b0bfbd0 Mon Sep 17 00:00:00 2001
From: Zoltan Borbely <Zoltan.Borbely@morganstanley.com>
Date: Tue, 28 Jan 2025 16:39:25 -0500
Subject: [PATCH] Prevent overflow when calculating ulog block size
In kdb_log.c:resize(), log an error and fail if the update size is
larger than the largest possible block size (2^16-1).
CVE-2025-24528:
In MIT krb5 release 1.7 and later with incremental propagation
enabled, an authenticated attacker can cause kadmind to write beyond
the end of the mapped region for the iprop log file, likely causing a
process crash.
[ghudson@mit.edu: edited commit message and added CVE description]
ticket: 9159 (new)
tags: pullup
target_version: 1.21-next
---
src/lib/kdb/kdb_log.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
index 2659a25018..68fae919a5 100644
--- a/src/lib/kdb/kdb_log.c
+++ b/src/lib/kdb/kdb_log.c
@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
*/
static krb5_error_code
resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
- unsigned int recsize)
+ unsigned int recsize, const kdb_incr_update_t *upd)
{
unsigned int new_block, new_size;
@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
new_block *= ULOG_BLOCK;
new_size += ulogentries * new_block;
+ if (new_block > UINT16_MAX) {
+ syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
+ upd->kdb_princ_name.utf8str_t_len,
+ upd->kdb_princ_name.utf8str_t_val);
+ return KRB5_LOG_ERROR;
+ }
if (new_size > MAXLOGLEN)
return KRB5_LOG_ERROR;
@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd)
recsize = sizeof(kdb_ent_header_t) + upd_size;
if (recsize > ulog->kdb_block) {
- retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
+ retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
if (retval)
return retval;
}
--
2.48.1



@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmZ8eHkACgkQDLoIV1+D
ct//gw//bmvy6zXbKL6epNaExVgRdqzfQWm6WqeyGNxg59BQyJwsRsArsQRbSTZl
uUExbV4HDTI/SemnYT8MfNOUtGZBCcAMYUr79Zmwi9S2pc30ZHIGcOf5E7HvIj6y
ZZUvddoxWvxpruCuJHb9dP4ZUPE0iU2rJnLsXR/H4E574WlrWBjXu3gimLen7+yg
aCLxIvw6lk4f/X8l+aqbK+haWHwMnca+kWSPbmL2iblHVqmoJVEmWhy7/9WjiT5S
5HhDJIObO2qn1pbE1ZTQqfGOfFgOUVxTl2myMxX1RXEDVFzdLDdnoUJRt4o4GG27
Y0WfLtmN6NisVF91dkl2+F7js+xVI3m9uZnpeccKO2Uq6BQRrfOMWUAHVKMUJZjh
h0GMeTzOhw7qGKitAiuhauyDMMTgMx78bC0DpLYtq24fp7BSvD0jNZnfjUXVCk8D
al9cfxC5m843aKiJ01Of13PziZsTQFz/TUsOrcpx4h7+qY7nldrovkQBiyVbbtn4
MncYq8d84G/0vsbJ/6ftJ6Y+OL20jyzfC5xgmKtK/y1D987aum2BSudISUCylOOt
j5/KiTRe0rWUjBNtoCjrtw4xlSbygmjuiE/xtcow0CHXDtMjlo8PrDi8W+xccBv2
zQ2B+e9ywkF4uC/M91s/bVSMkOtxv2JCoUUHOMF4ku5vzKSOhyk=
=TH0A
-----END PGP SIGNATURE-----

krb5-1.22.1.tar.gz LFS Normal file


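--- /dev/null
+++ b/krb5-1.22.1.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmimJjcACgkQDLoIV1+D
+ct9+vhAAvZ/ifnt/qwzlDuDWczoc2bvBSZzfkhPdLV6m//IdJJTDLssWsQ9CTIn5
+HeWxf8fgxwV5inAWbQ6IeFmIwrdOkxUAMWlt9OETBOEKVdL0iou44MV/7yZJehYI
+cO730plRbAgCOoiYZsrwmtINyci5siu+YsTfMbrw3AmP5YJLlD1wXXw+d1u0P3XO
+vxh5L7+BHd1DxdXf0U06Yh/4DzrKgjURVG/BsjjhFx/g6og3NWj3dZaaLTGXuq5i
+otlxvZnN044PTzlZOm4XXZ7SnaX21adep0X62QmfRVGuj4Kw0X5QllAeTMS5r1m6
+ERwneFGcXrXJ5JU09Z8iaBTG1y1ynAXUUPS7PlxoEIJ+N68R2aNBKsYHxedKBoA6
+6aa9IoFXDl3mR/F5861CfsUVz5w4GmnzXw8yZyqkM8gHQsedxJPwGXiV77TlQ6ik
+BzXAskWFvcRNEj6vD21q9bfQE1qCLvqtUNoCEARNOzoQTNB6mRFZ3pqX8iUlVhIS
+uvHvVxZj2sVrzx1aryohYmnoGuu0G5WppC6lF1FxoICVwUk1a+NSYELVJtSe6kE1
+FJDiI8s5tXrqYOHfNR88nLOh5KrrrDtwpcGSaMLb8DhEfpOBhb4tvboj7qgmCnrs
+E68rlNwonKYOGZ8yP7wgSkbDwSISYgiGD/R4X/4cYloo5ZM8Bck=
+=IIDA
+-----END PGP SIGNATURE-----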

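--- /dev/null
+++ b/krb5-log.tmpfiles
@@ -0,0 +1 @@
+d /var/log/krb5 0700 root root -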


@@ -1,3 +1,89 @@
-------------------------------------------------------------------
Thu Jan 8 18:47:04 UTC 2026 - Noel Power <nopower@suse.com>
- Immutable mode support, create /var/log/krb5 dir via
systemd.tmpfiles; (PED-14767).
- Add krb5-log.tmpfiles
-------------------------------------------------------------------
Mon Nov 24 12:56:46 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
- Fix memory leak; (bsc#1252989); Update patch
0009-UsrEtc-support.patch
-------------------------------------------------------------------
Fri Aug 29 17:32:17 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
- Update to 1.22.1
* Fix a vulnerability in GSS MIC verification [CVE-2025-57736]
- Changes in 1.22.0
User experience
* The libdefaults configuration variable "request_timeout" can be
set to limit the total timeout for KDC requests. When making a
KDC request, the client will now wait indefinitely (or until the
request timeout has elapsed) on a KDC which accepts a TCP
connection, without contacting any additional KDCs. Clients will
make fewer DNS queries in some configurations.
* The realm configuration variable "sitename" can be set to cause
the client to query site-specific DNS records when making KDC
requests.
Administrator experience
* Principal aliases are supported in the DB2 and LMDB KDB modules
and in the kadmin protocol. (The LDAP KDB module has supported
aliases since release 1.7.)
* UNIX domain sockets are supported for the Kerberos and kpasswd
protocols.
* systemd socket activation is supported for krb5kdc and kadmind.
Developer experience
* KDB modules can be be implemented in terms of other modules using
the new krb5_db_load_module() function.
* The profile library supports the modification of empty profiles
and the copying of modified profiles, making it possible to
construct an in-memory profile and pass it to
krb5_init_context_profile().
* GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to
gss_init_sec_context() to request strict enforcement of channel
bindings by the acceptor.
Protocol evolution
* The PKINIT preauth module supports elliptic curve client
certificates, ECDH key exchange, and the Microsoft paChecksum2 field.
* The IAKERB implementation has been changed to comply with the
most recent draft standard and to support realm discovery.
* Message-Authenticator is supported in the RADIUS implementation
used by the OTP kdcpreauth module.
Code quality
* Removed old-style function declarations, to accomodate compilers
which have removed support for them.
* Added OSS-Fuzz to the project's continuous integration infrastructure.
* Rewrote the GSS per-message token parsing code for improved safety.
- Updated patches:
* 0001-ksu-pam-integration.patch
* 0002-krb5-1.9-manpaths.patch
* 0003-Adjust-build-configuration.patch
* 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* 0005-krb5-1.6.3-ktutil-manpage.patch
* 0006-krb5-1.12-api.patch
* 0007-SELinux-integration.patch
* 0008-krb5-1.9-debuginfo.patch
- Renamed patches:
* 0011_usr_etc.patch -> 0009-UsrEtc-support.patch
- Deleted patches:
* 0009-Fix-three-memory-leaks.patch
* 0010-CVE-2025-24528.patch
-------------------------------------------------------------------
Wed Jul 2 14:07:48 UTC 2025 - Stefan Schubert <schubi@suse.com>
- Moved /etc/krb5.conf to /usr/etc/krb5.conf
This patch (0011_usr_etc.patch) is upstream:
https://github.com/krb5/krb5/pull/1437/
-------------------------------------------------------------------
Mon Apr 21 19:12:40 UTC 2025 - Friedrich Haubensak <hsk17@mail.de>
- add -std=gnu11 to CFLAGS to fix gcc15 compile time error, and to
still allow build on Leap 15.6
-------------------------------------------------------------------
Thu Jan 30 10:01:12 UTC 2025 - Samuel Cabrero <scabrero@suse.de>


@@ -1,7 +1,7 @@
#
# spec file for package krb5-mini
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2026 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,18 +24,19 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: krb5-mini
Version: 1.21.3
Version: 1.22.1
Release: 0
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
License: MIT
URL: https://kerberos.org/dist/
Source0: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz
Source1: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz.asc
Source0: https://kerberos.org/dist/krb5/1.22/krb5-%{version}.tar.gz
Source1: https://kerberos.org/dist/krb5/1.22/krb5-%{version}.tar.gz.asc
Source2: krb5.keyring
Source3: vendor-files.tar.bz2
Source4: baselibs.conf
Source5: krb5-rpmlintrc
Source6: krb5.tmpfiles
Source7: krb5-log.tmpfiles
Patch1: 0001-ksu-pam-integration.patch
Patch2: 0002-krb5-1.9-manpaths.patch
Patch3: 0003-Adjust-build-configuration.patch
@@ -44,8 +45,7 @@ Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
Patch6: 0006-krb5-1.12-api.patch
Patch7: 0007-SELinux-integration.patch
Patch8: 0008-krb5-1.9-debuginfo.patch
Patch9: 0009-Fix-three-memory-leaks.patch
Patch10: 0010-CVE-2025-24528.patch
Patch9: 0009-UsrEtc-support.patch
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: pkgconfig
@@ -104,10 +104,13 @@ autoreconf -fi
DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
# FIXME: you should use the %%configure macro
%configure \
CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS) -std=gnu11" \
CPPFLAGS="-I%{_includedir}/et " \
SS_LIB="-lss" \
--sysconfdir=%{_sysconfdir} \
%if 0%{?suse_version} > 1500
--with-vendordir=%{_distconfdir} \
%endif
--mandir=%{_mandir} \
--infodir=%{_infodir} \
--libdir=%{_libdir} \
@@ -131,7 +134,6 @@ DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
cp man/kadmin.man man/kadmin.local.8
%install
mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
%make_install -C src
# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
# of the buildconf patch already conspire to strip out /usr/<anything> from the
@@ -145,18 +147,23 @@ install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
# I'll probably do something about this later on
mkdir -p %{buildroot}%{_sysconfdir}
mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
mkdir -p %{buildroot}%{_localstatedir}/log/krb5
# create plugin directories
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
%if 0%{?suse_version} > 1500
mkdir -p %{buildroot}%{_distconfdir}
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_distconfdir}
%else
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
%endif
# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
install -d -m 0755 %{buildroot}%{_tmpfilesdir}
install -m 644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/krb5.conf
install -m 644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/krb5-log.conf
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
# Where per-user keytabs live by default.
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
@@ -230,13 +237,25 @@ sed -i "s/%{_lto_cflags}//" %{buildroot}%{_bindir}/krb5-config
/sbin/ldconfig
%service_add_post krb5kdc.service kadmind.service kpropd.service
%tmpfiles_create krb5.conf
%tmpfiles_create krb5-log.conf
%{fillup_only -n kadmind}
%{fillup_only -n krb5kdc}
%{fillup_only -n kpropd}
%pre
%service_add_pre krb5kdc.service kadmind.service kpropd.service
%if 0%{?suse_version} > 1500
# Prepare for migration to /usr/etc; save any old .rpmsave
for i in krb5.conf ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
done
%posttrans
# Migration to /usr/etc, restore just created .rpmsave
for i in krb5.conf; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
done
%endif
########################################################
# files sections
########################################################
@@ -276,9 +295,12 @@ sed -i "s/%{_lto_cflags}//" %{buildroot}%{_bindir}/krb5-config
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/libkrb5
%dir %{_libdir}/krb5/plugins/tls
%attr(0700,root,root) %dir %{_localstatedir}/log/krb5
%doc %{krb5docdir}/README
%if 0%{?suse_version} > 1500
%attr(0644,root,root) %{_distconfdir}/krb5.conf
%else
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
%endif
%dir %{_sysconfdir}/krb5.conf.d
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/crypto-policies
@@ -300,6 +322,7 @@ sed -i "s/%{_lto_cflags}//" %{buildroot}%{_bindir}/krb5-config
%{_libdir}/krb5/plugins/kdb/*
%{_libdir}/krb5/plugins/tls/*
%{_tmpfilesdir}/krb5.conf
%{_tmpfilesdir}/krb5-log.conf
%dir %{_datadir}/kerberos/
%dir %{_datadir}/kerberos/krb5kdc
%dir %{_datadir}/kerberos/krb5
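Review bot: The configure call in krb5-mini.spec passes `--with-vendordir=%{_distconfdir}` but not `--enable-vendordir`, whereas krb5.spec in the same commit passes both; in the patch's configure.ac `enable_vendordir` defaults to `no` and only `--enable-vendordir` defines `USE_VENDORDIR`, which gates the /usr/etc fallback in init_os_ctx.c. On `suse_version > 1500` this spec nevertheless installs and packages the default krb5.conf only under `%{_distconfdir}`, so the mini build would ship a vendor config that its libkrb5 never reads and a host without an admin-created /etc/krb5.conf would fall back to built-in defaults. Add `--enable-vendordir \` inside the same `%if` block, mirroring krb5.spec. If krb5-mini is only a bootstrap build that never reaches end systems this is less urgent, but the two spec files should still agree.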


@@ -1,3 +1,89 @@
-------------------------------------------------------------------
Thu Jan 8 18:47:04 UTC 2026 - Noel Power <nopower@suse.com>
- Immutable mode support, create /var/log/krb5 dir via
systemd.tmpfiles; (PED-14767).
- Add krb5-log.tmpfiles
-------------------------------------------------------------------
Mon Nov 24 12:56:46 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
- Fix memory leak; (bsc#1252989); Update patch
0009-UsrEtc-support.patch
-------------------------------------------------------------------
Fri Aug 29 17:32:17 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
- Update to 1.22.1
* Fix a vulnerability in GSS MIC verification [CVE-2025-57736]
- Changes in 1.22.0
User experience
* The libdefaults configuration variable "request_timeout" can be
set to limit the total timeout for KDC requests. When making a
KDC request, the client will now wait indefinitely (or until the
request timeout has elapsed) on a KDC which accepts a TCP
connection, without contacting any additional KDCs. Clients will
make fewer DNS queries in some configurations.
* The realm configuration variable "sitename" can be set to cause
the client to query site-specific DNS records when making KDC
requests.
Administrator experience
* Principal aliases are supported in the DB2 and LMDB KDB modules
and in the kadmin protocol. (The LDAP KDB module has supported
aliases since release 1.7.)
* UNIX domain sockets are supported for the Kerberos and kpasswd
protocols.
* systemd socket activation is supported for krb5kdc and kadmind.
Developer experience
* KDB modules can be be implemented in terms of other modules using
the new krb5_db_load_module() function.
* The profile library supports the modification of empty profiles
and the copying of modified profiles, making it possible to
construct an in-memory profile and pass it to
krb5_init_context_profile().
* GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to
gss_init_sec_context() to request strict enforcement of channel
bindings by the acceptor.
Protocol evolution
* The PKINIT preauth module supports elliptic curve client
certificates, ECDH key exchange, and the Microsoft paChecksum2 field.
* The IAKERB implementation has been changed to comply with the
most recent draft standard and to support realm discovery.
* Message-Authenticator is supported in the RADIUS implementation
used by the OTP kdcpreauth module.
Code quality
* Removed old-style function declarations, to accomodate compilers
which have removed support for them.
* Added OSS-Fuzz to the project's continuous integration infrastructure.
* Rewrote the GSS per-message token parsing code for improved safety.
- Updated patches:
* 0001-ksu-pam-integration.patch
* 0002-krb5-1.9-manpaths.patch
* 0003-Adjust-build-configuration.patch
* 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* 0005-krb5-1.6.3-ktutil-manpage.patch
* 0006-krb5-1.12-api.patch
* 0007-SELinux-integration.patch
* 0008-krb5-1.9-debuginfo.patch
- Renamed patches:
* 0011_usr_etc.patch -> 0009-UsrEtc-support.patch
- Deleted patches:
* 0009-Fix-three-memory-leaks.patch
* 0010-CVE-2025-24528.patch
-------------------------------------------------------------------
Wed Jul 2 14:05:30 UTC 2025 - Stefan Schubert <schubi@suse.com>
- Moved /etc/krb5.conf to /usr/etc/krb5.conf
This patch (0011_usr_etc.patch) is upstream:
https://github.com/krb5/krb5/pull/1437/
-------------------------------------------------------------------
Mon Apr 21 19:12:40 UTC 2025 - Friedrich Haubensak <hsk17@mail.de>
- add -std=gnu11 to CFLAGS to fix gcc15 compile time error, and to
still allow build on Leap 15.6
-------------------------------------------------------------------
Thu Jan 30 10:01:12 UTC 2025 - Samuel Cabrero <scabrero@suse.de>


@@ -1,7 +1,7 @@
#
# spec file for package krb5
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2026 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -16,24 +16,21 @@
#
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: krb5
Version: 1.21.3
Version: 1.22.1
Release: 0
Summary: MIT Kerberos5 implementation
License: MIT
URL: https://kerberos.org/dist/
Source0: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz
Source1: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz.asc
Source0: https://kerberos.org/dist/krb5/1.22/krb5-%{version}.tar.gz
Source1: https://kerberos.org/dist/krb5/1.22/krb5-%{version}.tar.gz.asc
Source2: krb5.keyring
Source3: vendor-files.tar.bz2
Source4: baselibs.conf
Source5: krb5-rpmlintrc
Source6: ksu-pam.d
Source7: krb5.tmpfiles
Source8: krb5-log.tmpfiles
Patch1: 0001-ksu-pam-integration.patch
Patch2: 0002-krb5-1.9-manpaths.patch
Patch3: 0003-Adjust-build-configuration.patch
@@ -42,8 +39,7 @@ Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
Patch6: 0006-krb5-1.12-api.patch
Patch7: 0007-SELinux-integration.patch
Patch8: 0008-krb5-1.9-debuginfo.patch
Patch9: 0009-Fix-three-memory-leaks.patch
Patch10: 0010-CVE-2025-24528.patch
Patch9: 0009-UsrEtc-support.patch
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: cyrus-sasl-devel
@@ -170,10 +166,14 @@ cd src
autoreconf -fi
DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
%configure \
CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS) -std=gnu11" \
CPPFLAGS="-I%{_includedir}/et " \
SS_LIB="-lss" \
--sysconfdir=%{_sysconfdir} \
%if 0%{?suse_version} > 1500
--enable-vendordir \
--with-vendordir=%{_distconfdir} \
%endif
--mandir=%{_mandir} \
--infodir=%{_infodir} \
--libdir=%{_libdir} \
@@ -200,7 +200,6 @@ DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
cp man/kadmin.man man/kadmin.local.8
%install
mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
%make_install -C src
# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
# of the buildconf patch already conspire to strip out /usr/<anything> from the
@@ -214,18 +213,23 @@ install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
# I'll probably do something about this later on
mkdir -p %{buildroot}%{_sysconfdir}
mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
mkdir -p %{buildroot}%{_localstatedir}/log/krb5
# create plugin directories
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
%if 0%{?suse_version} > 1500
mkdir -p %{buildroot}%{_distconfdir}
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_distconfdir}
%else
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
%endif
# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
install -d -m 0755 %{buildroot}%{_tmpfilesdir}
install -m 644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/krb5.conf
install -m 644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/krb5-log.conf
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
# Where per-user keytabs live by default.
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
@@ -301,7 +305,24 @@ sed -i "s/%{_lto_cflags}//" %{buildroot}%{_bindir}/krb5-config
%find_lang mit-krb5
%post -p /sbin/ldconfig
%if 0%{?suse_version} > 1500
%pre
# Prepare for migration to /usr/etc; save any old .rpmsave
for i in krb5.conf ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
done
%posttrans
# Migration to /usr/etc, restore just created .rpmsave
for i in krb5.conf; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
done
%endif
%post
/sbin/ldconfig
%tmpfiles_create krb5-log.conf
%postun -p /sbin/ldconfig
%preun server
@@ -372,10 +393,12 @@ done
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/libkrb5
%dir %{_libdir}/krb5/plugins/tls
# add log directory
%attr(0700,root,root) %dir %{_localstatedir}/log/krb5
%doc %{krb5docdir}/README
%if 0%{?suse_version} > 1500
%attr(0644,root,root) %{_distconfdir}/krb5.conf
%else
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
%endif
%dir %{_sysconfdir}/krb5.conf.d
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/crypto-policies
@@ -390,9 +413,10 @@ done
%{_libdir}/libkrb5support.so.*
%{_libdir}/libkrad.so.*
%{_libdir}/krb5/plugins/tls/*.so
%{_tmpfilesdir}/krb5-log.conf
%files server
%attr(0700,root,root) %dir %{_localstatedir}/log/krb5
%defattr(-,root,root)
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
%{_unitdir}/kadmind.service
%{_unitdir}/krb5kdc.service
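Review bot: The tmpfiles snippet is wired to the library package rather than the server: `%{_tmpfilesdir}/krb5-log.conf` is added to the file list that ends just before `%files server`, and `%tmpfiles_create krb5-log.conf` runs from the main `%post`, while the directory it creates, `/var/log/krb5` (0700 root), is still owned by `%files server`. Every host that only installs the krb5 libraries therefore gets a KDC log directory created at boot, with nothing that ever writes there unless the server subpackage is present. Moving both lines to the server subpackage (`%post server` with `%tmpfiles_create krb5-log.conf`, and the `%files server` list) keeps the directory scoped to the component that needs it; whether a `%post server` already exists is outside this hunk, though `%preun server` shows the subpackage has scriptlets. Replacing `%post -p /sbin/ldconfig` with a script body that calls `/sbin/ldconfig` is needed once a second macro is added and is otherwise fine.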