SHA256
1
0
forked from pool/krb5
krb5/krb5-plugins.spec

384 lines
12 KiB
RPMSpec
Raw Normal View History

#
# spec file for package krb5-plugins (Version 1.6.3)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
# nodebuginfo
Name: krb5-plugins
Version: 1.6.3
Release: 11
BuildRequires: bison krb5-devel ncurses-devel openldap2-devel
%define srcRoot krb5-1.6.3
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
Requires: krb5-server
Summary: MIT Kerberos5 Implementation--Libraries
License: X11/MIT
Url: http://web.mit.edu/kerberos/www/
Group: Productivity/Networking/Security
Source: krb5-1.6.3.tar.bz2
Source1: vendor-files.tar.bz2
Source2: README.Source
Source3: spx.c
Source4: EncryptWithMasterKey.c
Source5: %{name}-%{version}-rpmlintrc
Source10: krb5-trunk-manpaths.txt
Patch1: krb5-1.5.1-fix-too-few-arguments.dif
Patch2: krb5-1.6.1-compile_pie.dif
Patch3: krb5-1.4-fix-segfault.dif
Patch6: trunk-EncryptWithMasterKey.dif
Patch14: warning-fix-lib-crypto-des.dif
Patch15: warning-fix-lib-crypto-dk.dif
Patch16: warning-fix-lib-crypto.dif
Patch17: warning-fix-lib-crypto-enc_provider.dif
Patch18: warning-fix-lib-crypto-yarrow_arcfour.dif
Patch20: kprop-use-mkstemp.dif
Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif
Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif
Patch24: krb5-1.5.1-fix-strncat-warning.dif
Patch25: krb5-1.6.1-init-salt-length.dif
Patch30: trunk-manpaths.dif
Patch31: krb5-1.6-ldap-man.dif
Patch32: krb5-1.4.3-enospc.dif
Patch33: krb5-1.3.3-rcp-markus.dif
Patch34: gssapi_improve_errormessages.dif
Patch35: krb5-1.6-fix-CVE-2007-5894.dif
Patch36: krb5-1.6-fix-CVE-2007-5902.dif
Patch37: krb5-1.6-fix-CVE-2007-5971.dif
Patch38: krb5-1.6-fix-CVE-2007-5972.dif
Patch39: krb5-1.6-MITKRB5-SA-2008-001.dif
Patch40: krb5-1.6-MITKRB5-SA-2008-002.dif
Patch41: krb5-trunk-kpasswd_tcp.patch
Patch42: krb5-trunk-seqnum.patch
Patch43: krb5-1.6.3-case-insensitive.dif
Patch44: krb5-1.6.3-ktutil-manpage.dif
Patch45: krb5-1.6.3-post.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords.
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%package -n krb5-plugin-kdb-ldap
Requires: krb5-server = %{version}
Summary: MIT Kerberos5 Implementation--LDAP Database Plugin
License: X11/MIT
Url: http://web.mit.edu/kerberos/www/
Group: Productivity/Networking/Security
%description -n krb5-plugin-kdb-ldap
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords. This package contains the LDAP
database plugin.
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%package -n krb5-plugin-preauth-pkinit
License: X11/MIT
Summary: MIT Kerberos5 Implementation--PKINIT preauth Plugin
Group: Productivity/Networking/Security
Conflicts: krb5-plugin-preauth-pkinit-nss
%description -n krb5-plugin-preauth-pkinit
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a PKINIT plugin.
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%prep
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
if [ -e %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c ]
then
echo "spx.c contains potential legal risks."
exit 1;
else
cp %{_sourcedir}/spx.c %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c
fi
%patch1
%patch2
%patch3
%patch6
%patch14
%patch15
%patch16
%patch17
%patch18
%patch20
%patch21
%patch22
%patch24
%patch25
%patch30 -p1
%patch31
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35
%patch36
%patch37
%patch38
%patch39 -p1
%patch40
%patch41
%patch42
%patch43
%patch44 -p1
%patch45
cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c
# Rename the man pages so that they'll get generated correctly.
pushd src
cat $RPM_SOURCE_DIR/krb5-trunk-manpaths.txt | while read manpage ; do
mv "$manpage" "$manpage".in
done
popd
%build
cd src
%{?suse_update_config:%{suse_update_config -f}}
./util/reconf
CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -I/usr/include -I%{_builddir}/%{srcRoot}/src/lib/ -fno-strict-aliasing -D_GNU_SOURCE -D__CI_PRINC__ -fPIC " \
./configure \
--prefix=/usr/lib/mit \
--sysconfdir=%{_sysconfdir} \
--mandir=%{_mandir} \
--infodir=%{_infodir} \
--libexecdir=/usr/lib/mit/sbin \
--libdir=%{_libdir} \
--includedir=%{_includedir} \
--localstatedir=%{_localstatedir}/lib/kerberos \
--enable-shared \
--disable-static \
--enable-kdc-replay-cache \
--enable-dns-for-realm \
--with-ldap \
--with-system-et \
--with-system-ss
cd util/profile
make install-headers-unix
cd ../../include
make
cd ../lib/kadm5
make includes
cd ../gssapi/generic
make gssapi-include
ln -s %{_libdir}/libgssrpc.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libgssapi_krb5.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libk5crypto.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libkrb5support.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libkrb5.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libkadm5srv.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libkdb5.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libkrb4.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libdes425.so %{_builddir}/%{srcRoot}/src/lib/
cd ../../../kadmin/cli
make getdate.o
cd ../../plugins/kdb/ldap/
make %{?jobs:-j%jobs}
cd ../../preauth/pkinit/
make %{?jobs:-j%jobs}
#make check
%install
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
mkdir -p %{buildroot}/%{krb5docdir}
mkdir -p %{buildroot}/usr/lib/mit/sbin/
mkdir -p %{buildroot}/%{_mandir}/man8/
cd src/plugins/kdb/ldap/
make DESTDIR=%{buildroot} install
cd ../../preauth/pkinit/
make DESTDIR=%{buildroot} install
# all libs must have permissions 0755
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
do
chmod 0755 ${lib}
done
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{krb5docdir}/kerberos.schema
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %{buildroot}/%{krb5docdir}/kerberos.ldif
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share
#####################################################
# krb5 pre/post/postun
#####################################################
%post -n krb5-plugin-kdb-ldap
/sbin/ldconfig
%postun -n krb5-plugin-kdb-ldap
/sbin/ldconfig
%clean
rm -rf %{buildroot}
########################################################
# files sections
########################################################
%files -n krb5-plugin-kdb-ldap
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir /usr/lib/mit/sbin/
%dir %{krb5docdir}
%doc %{krb5docdir}/kerberos.schema
%doc %{krb5docdir}/kerberos.ldif
%{_libdir}/krb5/plugins/kdb/*.so
/usr/lib/mit/sbin/*
%{_libdir}/libkdb_ldap*
%{_mandir}/man8/*
%files -n krb5-plugin-preauth-pkinit
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so
%changelog
* Fri Jul 25 2008 mc@suse.de
- add patches from SVN post 1.6.3
* krb5_string_to_keysalts: Fix an infinite loop
* fix some mutex issues
* better recovery from corrupt rcache files
* some more small fixes
* Wed Jun 18 2008 mc@suse.de
- reduce rpmlint warnings
* Tue Dec 04 2007 mc@suse.de
- improve GSSAPI error messages
* Tue Oct 23 2007 mc@suse.de
- update to krb5 version 1.6.3
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
* fix CVE-2007-4000 modify_policy vulnerability
* Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles
* Fri Sep 14 2007 mc@suse.de
- update krb5-1.6.2-post.dif
* If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
that the client library will not failover to the next KDC.
[#310540]
* Tue Sep 11 2007 mc@suse.de
- update krb5-1.6.2-post.dif
* new -S sname option for kvno
* read_entropy_from_device on partial read will not fill buffer
* Bail out if encoded "ticket" doesn't decode correctly.
* patch for referrals loop
* Thu Sep 06 2007 mc@suse.de
- fix a problem with the originally published patch
for MITKRB5-SA-2007-006 - CVE-2007-3999
[#302377]
* Wed Sep 05 2007 mc@suse.de
- fix execute arbitrary code
(MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)
[#302377]
* Tue Aug 07 2007 mc@suse.de
- add krb5-1.6.2-post.dif
* during the referrals loop, check to see if the
session key enctype of a returned credential for the final
service is among the enctypes explicitly selected by the
application, and retry with old_use_conf_ktypes if it is not.
* If mkstemp() is available, the new ccache file gets created but
the subsequent open(O_CREAT|O_EXCL) call fails because the file
was already created by mkstemp(). Apply patch from Apple to keep
the file descriptor open.
* Thu Jul 12 2007 mc@suse.de
- update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release
* Mon Jul 02 2007 mc@suse.de
- update krb5-1.6.1-post.dif
* fix leak in krb5_walk_realm_tree
* rd_req_decoded needs to deal with referral realms
* fix buffer overflow in kadmind
(MITKRB5-SA-2007-005 - CVE-2007-2798)
[#278689]
* fix kadmind code execution bug
(MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
[#271191]
* Wed May 09 2007 mc@suse.de
- fix uninitialized salt length
- add extra check for keytab file
* Thu May 03 2007 mc@suse.de
- adding krb5-1.6.1-post.dif
* fix segfault in krb5_get_init_creds_password
* remove debug output in ftp client
* profile stores empty string values without double quotes
* Mon Apr 23 2007 mc@suse.de
- update to final 1.6.1 version
* Mon Apr 16 2007 mc@suse.de
- update to version 1.6.1 Beta1
- remove obsolete patches
(krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
- rework compile_pie patch
* Wed Apr 11 2007 mc@suse.de
- update krb5-1.6-post.dif
* fix kadmind stack overflow in krb5_klog_syslog
(MITKRB5-SA-2007-002 - CVE-2007-0957)
[#253548]
* fix double free attack in the RPC library
(MITKRB5-SA-2007-003 - CVE-2007-1216)
[#252487]
* fix krb5 telnetd login injection
(MIT-SA-2007-001 - CVE-2007-0956)
[#247765]
* Thu Mar 29 2007 mc@suse.de
- add ncurses-devel and bison to BuildRequires
- rework some patches
* Mon Feb 19 2007 mc@suse.de
- update krb5-1.6-post.dif
* Fri Feb 09 2007 mc@suse.de
- update krb5-1.6-post.dif
* Mon Jan 29 2007 ro@suse.de
- no main package, no debuginfo
* Mon Jan 29 2007 mc@suse.de
- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif
are now upstream. Remove patches.
- fix leak in krb5_kt_resolve and krb5_kt_wresolve
* Tue Jan 23 2007 mc@suse.de
- fix "local variable used before set" in ftp.c
[#237684]
- use less BuildRequires
* Mon Jan 22 2007 mc@suse.de
- initial release (version 1.6)
* Major changes in 1.6 include
* Partial client implementation to handle server name referrals.
* Pre-authentication plug-in framework, donated by Red Hat.
* LDAP KDB plug-in, donated by Novell.