
- update to version 1.11.1

* Improve ASN.1 support code, making it table-driven for
    decoding as well as encoding
  * Refactor parts of KDC
  * Documentation consolidation
  * build docs in the main package
  * bugfixing
- obsoletes a lot of patches
- refactor some patches

- update to version 1.11.1
  * Improve ASN.1 support code, making it table-driven for
    decoding as well as encoding
  * Refactor parts of KDC
  * Documentation consolidation
  * build docs in the main package
  * bugfixing
- obsolets a lot of patches
- refactor some patches

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=90
Michael Calmer 2013-03-15 10:21:16 +00:00 committed by Git OBS Bridge
parent 66ced8b26b
commit 13e38775f6
25 changed files with 610 additions and 952 deletions


@ -1,45 +0,0 @@
commit c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed
Author: Xi Wang <xi.wang@gmail.com>
Date: Thu Feb 14 18:17:40 2013 -0500
PKINIT null pointer deref [CVE-2013-1415]
Don't dereference a null pointer when cleaning up.
The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process. An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C
This is a minimal commit for pullup; style fixes in a followup.
[kaduk@mit.edu: reformat and edit commit message]
ticket: 7570 (new)
target_version: 1.11.1
tags: pullup
Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -3242,7 +3242,7 @@ pkinit_check_kdc_pkid(krb5_context conte
pkiDebug("found kdcPkId in AS REQ\n");
is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len);
if (is == NULL)
- goto cleanup;
+ return retval;
status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer);
if (!status) {
@@ -3252,7 +3252,6 @@ pkinit_check_kdc_pkid(krb5_context conte
}
retval = 0;
-cleanup:
X509_NAME_free(is->issuer);
ASN1_INTEGER_free(is->serial);
free(is);


@ -1,40 +0,0 @@
commit cd5ff932c9d1439c961b0cf9ccff979356686aff
Author: Nalin Dahyabhai <nalin@redhat.com>
Date: Thu Dec 13 14:26:07 2012 -0500
PKINIT (draft9) null ptr deref [CVE-2012-1016]
Don't check for an agility KDF identifier in the non-draft9 reply
structure when we're building a draft9 reply, because it'll be NULL.
The KDC plugin for PKINIT can dereference a null pointer when handling
a draft9 request, leading to a crash of the KDC process. An attacker
would need to have a valid PKINIT certificate, or an unauthenticated
attacker could execute the attack if anonymous PKINIT is enabled.
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
[tlyu@mit.edu: reformat comment and edit log message]
ticket: 7506 (new)
target_version: 1.11
tags: pullup
Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_srv.c
+++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1016,9 +1016,10 @@ pkinit_server_return_padata(krb5_context
rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
(rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
- /* If mutually supported KDFs were found, use the alg agility KDF */
- if (rep->u.dh_Info.kdfID) {
- secret.data = server_key;
+ /* If we're not doing draft 9, and mutually supported KDFs were found,
+ * use the algorithm agility KDF. */
+ if (rep != NULL && rep->u.dh_Info.kdfID) {
+ secret.data = (char *)server_key;
secret.length = server_key_len;
retval = pkinit_alg_agility_kdf(context, &secret,


@ -4,10 +4,10 @@ the -L/usr/lib* and PIE flags where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags.
Index: krb5-1.10.2/src/config/shlib.conf
Index: krb5-1.11/src/config/shlib.conf
===================================================================
--- krb5-1.10.2.orig/src/config/shlib.conf
+++ krb5-1.10.2/src/config/shlib.conf
--- krb5-1.11.orig/src/config/shlib.conf
+++ krb5-1.11/src/config/shlib.conf
@@ -419,7 +419,7 @@ mips-*-netbsd*)
SHLIBEXT=.so
# Linux ld doesn't default to stuffing the SONAME field...
@ -27,11 +27,11 @@ Index: krb5-1.10.2/src/config/shlib.conf
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
Index: krb5-1.10.2/src/krb5-config.in
Index: krb5-1.11/src/krb5-config.in
===================================================================
--- krb5-1.10.2.orig/src/krb5-config.in
+++ krb5-1.10.2/src/krb5-config.in
@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
--- krb5-1.11.orig/src/krb5-config.in
+++ krb5-1.11/src/krb5-config.in
@@ -221,6 +221,13 @@ if test -n "$do_libs"; then
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-e 's#\$(CFLAGS)##'`
@ -45,11 +45,11 @@ Index: krb5-1.10.2/src/krb5-config.in
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5
Index: krb5-1.10.2/src/config/pre.in
Index: krb5-1.11/src/config/pre.in
===================================================================
--- krb5-1.10.2.orig/src/config/pre.in
+++ krb5-1.10.2/src/config/pre.in
@@ -190,7 +190,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
--- krb5-1.11.orig/src/config/pre.in
+++ krb5-1.11/src/config/pre.in
@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
INSTALL_SCRIPT=@INSTALL_PROGRAM@
INSTALL_DATA=@INSTALL_DATA@
INSTALL_SHLIB=@INSTALL_SHLIB@


@ -1,12 +0,0 @@
This file also triggers the maybe-uninitialized warning/error. RT#7080
--- src/lib/krb5/krb/x-deltat.y
+++ src/lib/krb5/krb/x-deltat.y
@@ -44,6 +44,7 @@
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wuninitialized"
+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
#endif
#include <ctype.h>


@ -0,0 +1,53 @@
The idea is to not complain about problems in the default ticket file if we
couldn't read it, because the client would be able to tell if it's there or
not, and we're implicitly letting the client tell us where it is. Still needs
work, I think.
Index: krb5-1.11.1/src/clients/ksu/ccache.c
===================================================================
--- krb5-1.11.1.orig/src/clients/ksu/ccache.c
+++ krb5-1.11.1/src/clients/ksu/ccache.c
@@ -77,7 +77,7 @@ krb5_error_code krb5_ccache_copy (contex
cc_def_name = krb5_cc_get_name(context, cc_def);
cc_other_name = krb5_cc_get_name(context, *cc_other);
- if ( ! stat(cc_def_name, &st_temp)){
+ if ( ! access(cc_def_name, R_OK) && ! stat(cc_def_name, &st_temp)){
if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
return retval;
}
Index: krb5-1.11.1/src/clients/ksu/heuristic.c
===================================================================
--- krb5-1.11.1.orig/src/clients/ksu/heuristic.c
+++ krb5-1.11.1/src/clients/ksu/heuristic.c
@@ -409,7 +409,7 @@ krb5_error_code find_either_ticket (cont
cc_source_name = krb5_cc_get_name(context, cc);
- if ( ! stat(cc_source_name, &st_temp)){
+ if ( ! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)){
retval = find_ticket(context, cc, client, end_server, &temp_found);
if (retval)
@@ -569,7 +569,7 @@ krb5_error_code get_best_princ_for_targe
cc_source_name = krb5_cc_get_name(context, cc_source);
- if (! stat(cc_source_name, &st_temp)) {
+ if (! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)) {
retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
if (retval)
return retval;
Index: krb5-1.11.1/src/clients/ksu/main.c
===================================================================
--- krb5-1.11.1.orig/src/clients/ksu/main.c
+++ krb5-1.11.1/src/clients/ksu/main.c
@@ -271,7 +271,7 @@ main (argc, argv)
if ( strchr(cc_source_tag, ':')){
cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
- if( stat( cc_source_tag_tmp, &st_temp)){
+ if( access( cc_source_tag_tmp, F_OK | R_OK) || stat( cc_source_tag_tmp, &st_temp)){
com_err(prog_name, errno,
_("while looking for credentials file %s"),
cc_source_tag_tmp);
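Review bot: The new `access()` guards in ccache.c, heuristic.c and main.c are a check-then-use sequence: `access()` answers for the real uid at one instant, while the cache is opened later by libkrb5 with whatever privilege ksu holds at that point, so a user who controls the path (the patch header itself says "we're implicitly letting the client tell us where it is") can swap a symlink between the two calls. If ksu runs setuid root, as the privilege-dropping mentioned elsewhere in this commit suggests, the race should be closed by opening the cache under the real uid's privileges (or by `fstat()`ing the opened descriptor) rather than by a separate `access()` call; the header already flags the patch as needing more work. The four sites are also inconsistent: ccache.c passes `R_OK` while heuristic.c and main.c pass `F_OK | R_OK`, and `F_OK` is implied by `R_OK`, so one form should be used everywhere. Until the open itself is made safe, each site deserves a comment recording the limitation, e.g. `/* access() tests the real uid; the later open is not covered by this check (TOCTOU). */`. The enclosing functions start and end outside these hunks.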


@ -1,29 +0,0 @@
commit 2b06a22f7fd8ec01fb27a7335125290b8ceb6f18
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Nov 29 01:58:13 2012 -0500
Fix spin-loop bug in k5_sendto_kdc
In the second part of the first pass over the server list, we passed
the wrong list pointer to service_fds, causing it to see only a subset
of the server entries corresponding to sel_state. This could cause
service_fds to spin if an event is reported on an fd not in the
subset.
ticket: 7454
target_version: 1.10.4
tags: pullup
Index: krb5-1.10.2/src/lib/krb5/os/sendto_kdc.c
===================================================================
--- krb5-1.10.2.orig/src/lib/krb5/os/sendto_kdc.c
+++ krb5-1.10.2/src/lib/krb5/os/sendto_kdc.c
@@ -1287,7 +1287,7 @@ k5_sendto(krb5_context context, const kr
continue;
if (maybe_send(context, state, sel_state, callback_info))
continue;
- done = service_fds(context, sel_state, 1, state, seltemp, msg_handler,
+ done = service_fds(context, sel_state, 1, conns, seltemp, msg_handler,
msg_handler_data, &winner);
}


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:479d66291ae989d5db9daca5838ff4bddde45c77b703fadcf78ca6d1db315bd8
size 9457236


@ -11,11 +11,11 @@ When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges.
Index: krb5-1.10.2/src/aclocal.m4
Index: krb5-1.11.1/src/aclocal.m4
===================================================================
--- krb5-1.10.2.orig/src/aclocal.m4
+++ krb5-1.10.2/src/aclocal.m4
@@ -1676,3 +1676,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
--- krb5-1.11.1.orig/src/aclocal.m4
+++ krb5-1.11.1/src/aclocal.m4
@@ -1664,3 +1664,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
]))
])dnl
dnl
@ -86,10 +86,10 @@ Index: krb5-1.10.2/src/aclocal.m4
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
Index: krb5-1.10.2/src/clients/ksu/main.c
Index: krb5-1.11.1/src/clients/ksu/main.c
===================================================================
--- krb5-1.10.2.orig/src/clients/ksu/main.c
+++ krb5-1.10.2/src/clients/ksu/main.c
--- krb5-1.11.1.orig/src/clients/ksu/main.c
+++ krb5-1.11.1/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu
*/
@ -249,10 +249,10 @@ Index: krb5-1.10.2/src/clients/ksu/main.c
exit (1);
}
}
Index: krb5-1.10.2/src/clients/ksu/Makefile.in
Index: krb5-1.11.1/src/clients/ksu/Makefile.in
===================================================================
--- krb5-1.10.2.orig/src/clients/ksu/Makefile.in
+++ krb5-1.10.2/src/clients/ksu/Makefile.in
--- krb5-1.11.1.orig/src/clients/ksu/Makefile.in
+++ krb5-1.11.1/src/clients/ksu/Makefile.in
@@ -7,12 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
@ -287,10 +287,10 @@ Index: krb5-1.10.2/src/clients/ksu/Makefile.in
clean::
$(RM) ksu
Index: krb5-1.10.2/src/clients/ksu/pam.c
Index: krb5-1.11.1/src/clients/ksu/pam.c
===================================================================
--- /dev/null
+++ krb5-1.10.2/src/clients/ksu/pam.c
+++ krb5-1.11.1/src/clients/ksu/pam.c
@@ -0,0 +1,389 @@
+/*
+ * src/clients/ksu/pam.c
@ -681,10 +681,10 @@ Index: krb5-1.10.2/src/clients/ksu/pam.c
+ return ret;
+}
+#endif
Index: krb5-1.10.2/src/clients/ksu/pam.h
Index: krb5-1.11.1/src/clients/ksu/pam.h
===================================================================
--- /dev/null
+++ krb5-1.10.2/src/clients/ksu/pam.h
+++ krb5-1.11.1/src/clients/ksu/pam.h
@@ -0,0 +1,57 @@
+/*
+ * src/clients/ksu/pam.h
@ -743,16 +743,16 @@ Index: krb5-1.10.2/src/clients/ksu/pam.h
+int appl_pam_cred_init(void);
+void appl_pam_cleanup(void);
+#endif
Index: krb5-1.10.2/src/configure.in
Index: krb5-1.11.1/src/configure.in
===================================================================
--- krb5-1.10.2.orig/src/configure.in
+++ krb5-1.10.2/src/configure.in
@@ -1246,6 +1246,8 @@ if test "${localedir+set}" != set; then
fi
AC_SUBST(localedir)
--- krb5-1.11.1.orig/src/configure.in
+++ krb5-1.11.1/src/configure.in
@@ -1244,6 +1244,8 @@ AC_SUBST([VERTO_VERSION])
AC_PATH_PROG(GROFF, groff)
+KRB5_WITH_PAM
+
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
V5_AC_OUTPUT_MAKEFILE(.
# Make localedir work in autoconf 2.5x.
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'


@ -31,10 +31,10 @@ The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
Index: krb5-1.10.2/src/aclocal.m4
Index: krb5-1.11.1/src/aclocal.m4
===================================================================
--- krb5-1.10.2.orig/src/aclocal.m4
+++ krb5-1.10.2/src/aclocal.m4
--- krb5-1.11.1.orig/src/aclocal.m4
+++ krb5-1.11.1/src/aclocal.m4
@@ -84,6 +84,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl
KRB5_AC_PRAGMA_WEAK_REF
@ -43,10 +43,10 @@ Index: krb5-1.10.2/src/aclocal.m4
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1764,3 +1765,51 @@ AC_SUBST(manlocalstatedir)
AC_SUBST(manlibexecdir)
AC_CONFIG_FILES($1)
])
@@ -1731,3 +1732,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
+dnl
+dnl Use libselinux to set file contexts on newly-created files.
+dnl
@ -95,11 +95,11 @@ Index: krb5-1.10.2/src/aclocal.m4
+LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS)
+])dnl
Index: krb5-1.10.2/src/config/pre.in
Index: krb5-1.11.1/src/config/pre.in
===================================================================
--- krb5-1.10.2.orig/src/config/pre.in
+++ krb5-1.10.2/src/config/pre.in
@@ -182,6 +182,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR
--- krb5-1.11.1.orig/src/config/pre.in
+++ krb5-1.11.1/src/config/pre.in
@@ -178,6 +178,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR
LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
LDARGS = @LDARGS@
LIBS = @LIBS@
@ -107,7 +107,7 @@ Index: krb5-1.10.2/src/config/pre.in
INSTALL=@INSTALL@
INSTALL_STRIP=
@@ -406,7 +407,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
@@ -403,7 +404,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
@ -116,24 +116,24 @@ Index: krb5-1.10.2/src/config/pre.in
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on Mac OS X!
Index: krb5-1.10.2/src/configure.in
Index: krb5-1.11.1/src/configure.in
===================================================================
--- krb5-1.10.2.orig/src/configure.in
+++ krb5-1.10.2/src/configure.in
@@ -1248,6 +1248,8 @@ AC_SUBST(localedir)
--- krb5-1.11.1.orig/src/configure.in
+++ krb5-1.11.1/src/configure.in
@@ -1246,6 +1246,8 @@ AC_PATH_PROG(GROFF, groff)
KRB5_WITH_PAM
+KRB5_WITH_SELINUX
+
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
V5_AC_OUTPUT_MANPAGE([
Index: krb5-1.10.2/src/include/k5-int.h
# Make localedir work in autoconf 2.5x.
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
Index: krb5-1.11.1/src/include/k5-int.h
===================================================================
--- krb5-1.10.2.orig/src/include/k5-int.h
+++ krb5-1.10.2/src/include/k5-int.h
@@ -135,6 +135,7 @@ typedef unsigned char u_char;
--- krb5-1.11.1.orig/src/include/k5-int.h
+++ krb5-1.11.1/src/include/k5-int.h
@@ -133,6 +133,7 @@ typedef unsigned char u_char;
typedef UINT64_TYPE krb5_ui_8;
typedef INT64_TYPE krb5_int64;
@ -141,10 +141,10 @@ Index: krb5-1.10.2/src/include/k5-int.h
#define DEFAULT_PWD_STRING1 "Enter password"
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
Index: krb5-1.10.2/src/include/k5-label.h
Index: krb5-1.11.1/src/include/k5-label.h
===================================================================
--- /dev/null
+++ krb5-1.10.2/src/include/k5-label.h
+++ krb5-1.11.1/src/include/k5-label.h
@@ -0,0 +1,32 @@
+#ifndef _KRB5_LABEL_H
+#define _KRB5_LABEL_H
@ -178,11 +178,11 @@ Index: krb5-1.10.2/src/include/k5-label.h
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
+#endif
+#endif
Index: krb5-1.10.2/src/include/krb5/krb5.hin
Index: krb5-1.11.1/src/include/krb5/krb5.hin
===================================================================
--- krb5-1.10.2.orig/src/include/krb5/krb5.hin
+++ krb5-1.10.2/src/include/krb5/krb5.hin
@@ -83,6 +83,12 @@
--- krb5-1.11.1.orig/src/include/krb5/krb5.hin
+++ krb5-1.11.1/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
@ -195,41 +195,54 @@ Index: krb5-1.10.2/src/include/krb5/krb5.hin
#define KRB5_OLD_CRYPTO
#include <stdlib.h>
Index: krb5-1.10.2/src/kadmin/dbutil/dump.c
Index: krb5-1.11.1/src/kadmin/dbutil/dump.c
===================================================================
--- krb5-1.10.2.orig/src/kadmin/dbutil/dump.c
+++ krb5-1.10.2/src/kadmin/dbutil/dump.c
@@ -346,7 +346,7 @@ void update_ok_file (file_name)
exit_status++;
return;
--- krb5-1.11.1.orig/src/kadmin/dbutil/dump.c
+++ krb5-1.11.1/src/kadmin/dbutil/dump.c
@@ -376,12 +376,21 @@ create_ofile(char *ofile, char **tmpname
{
int fd = -1;
FILE *f;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
*tmpname = NULL;
if (asprintf(tmpname, "%s-XXXXXX", ofile) < 0)
goto error;
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(ofile);
+#endif
fd = mkstemp(*tmpname);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (fd == -1)
goto error;
@@ -505,7 +514,7 @@ prep_ok_file(krb5_context context, char
return 0;
}
- if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
+ if ((fd = THREEPARAMOPEN(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
com_err(progname, errno, _("while creating 'ok' file, '%s'"),
file_ok);
- *fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ *fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
if (*fd == -1) {
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
exit_status++;
@@ -1251,7 +1251,7 @@ dump_db(argc, argv)
* want to get into.
*/
unlink(ofile);
- if (!(f = fopen(ofile, "w"))) {
+ if (!(f = WRITABLEFOPEN(ofile, "w"))) {
fprintf(stderr, ofopen_error,
progname, ofile, error_message(errno));
exit_status++;
Index: krb5-1.10.2/src/krb5-config.in
Index: krb5-1.11.1/src/krb5-config.in
===================================================================
--- krb5-1.10.2.orig/src/krb5-config.in
+++ krb5-1.10.2/src/krb5-config.in
@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@'
PTHREAD_CFLAGS='@PTHREAD_CFLAGS@'
DL_LIB='@DL_LIB@'
--- krb5-1.11.1.orig/src/krb5-config.in
+++ krb5-1.11.1/src/krb5-config.in
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
DEFCCNAME='@DEFCCNAME@'
DEFKTNAME='@DEFKTNAME@'
DEFCKTNAME='@DEFCKTNAME@'
+SELINUX_LIBS='@SELINUX_LIBS@'
LIBS='@LIBS@'
GEN_LIB=@GEN_LIB@
@@ -218,7 +219,7 @@ if test -n "$do_libs"; then
@@ -258,7 +259,7 @@ if test -n "$do_libs"; then
fi
# If we ever support a flag to generate output suitable for static
@ -238,10 +251,10 @@ Index: krb5-1.10.2/src/krb5-config.in
# here.
echo $lib_flags
Index: krb5-1.10.2/src/lib/kadm5/logger.c
Index: krb5-1.11.1/src/lib/kadm5/logger.c
===================================================================
--- krb5-1.10.2.orig/src/lib/kadm5/logger.c
+++ krb5-1.10.2/src/lib/kadm5/logger.c
--- krb5-1.11.1.orig/src/lib/kadm5/logger.c
+++ krb5-1.11.1/src/lib/kadm5/logger.c
@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, ch
* Check for append/overwrite, then open the file.
*/
@ -260,10 +273,10 @@ Index: krb5-1.10.2/src/lib/kadm5/logger.c
if (f) {
set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f;
Index: krb5-1.10.2/src/lib/krb5/keytab/kt_file.c
Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
===================================================================
--- krb5-1.10.2.orig/src/lib/krb5/keytab/kt_file.c
+++ krb5-1.10.2/src/lib/krb5/keytab/kt_file.c
--- krb5-1.11.1.orig/src/lib/krb5/keytab/kt_file.c
+++ krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
@@ -1039,7 +1039,7 @@ krb5_ktfileint_open(krb5_context context
KTCHECKLOCK(id);
@ -282,11 +295,11 @@ Index: krb5-1.10.2/src/lib/krb5/keytab/kt_file.c
if (!KTFILEP(id))
goto report_errno;
writevno = 1;
Index: krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c
Index: krb5-1.11.1/src/plugins/kdb/db2/adb_openclose.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/kdb/db2/adb_openclose.c
+++ krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c
@@ -197,7 +197,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
--- krb5-1.11.1.orig/src/plugins/kdb/db2/adb_openclose.c
+++ krb5-1.11.1/src/plugins/kdb/db2/adb_openclose.c
@@ -147,7 +147,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
* POSIX systems
*/
lockp->lockinfo.filename = strdup(lockfilename);
@ -295,10 +308,10 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c
/*
* maybe someone took away write permission so we could only
* get shared locks?
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c
Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c
--- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
#include "k5-platform.h" /* mkstemp? */
@ -316,10 +329,10 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c
goto err;
} else {
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c
Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/hash/hash.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c
--- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
#include <assert.h>
#endif
@ -337,10 +350,10 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c
RETURN_ERROR(errno, error0);
(void)fcntl(hashp->fp, F_SETFD, 1);
}
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in
Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
===================================================================
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in
--- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in
+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
KRB5_RUN_ENV= @KRB5_RUN_ENV@
@ -351,56 +364,11 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in
DB_DEPLIB = ../libdb$(DEPLIBEXT)
all::
Index: krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
Index: krb5-1.11.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -1088,7 +1088,7 @@ rem_service_entry_from_file(int argc, ch
/* Create a temporary file which contains all the entries except the
entry for the given service dn */
- pfile = fopen(file_name, "r+");
+ pfile = WRITABLEFOPEN(file_name, "r+");
if (pfile == NULL) {
com_err(me, errno, "while deleting entry from file %s", file_name);
goto cleanup;
@@ -1105,7 +1105,7 @@ rem_service_entry_from_file(int argc, ch
snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp");
- tmpfd = creat(tmp_file, S_IRUSR|S_IWUSR);
+ tmpfd = THREEPARAMOPEN(tmp_file, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR);
umask(omask);
if (tmpfd == -1) {
com_err(me, errno, "while deleting entry from file\n");
@@ -1725,7 +1725,7 @@ kdb5_ldap_set_service_password(int argc,
printf("File does not exist. Creating the file %s...\n", file_name);
omask = umask(077);
- fd = creat(file_name, S_IRUSR|S_IWUSR);
+ fd = THREEPARAMOPEN(file_name, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR);
umask(omask);
if (fd == -1) {
com_err(me, errno, "Error creating file %s", file_name);
@@ -1753,7 +1753,7 @@ kdb5_ldap_set_service_password(int argc,
/* TODO: file lock for the service password file */
/* set password in the file */
- pfile = fopen(file_name, "r+");
+ pfile = WRITABLEFOPEN(file_name, "r+");
if (pfile == NULL) {
com_err(me, errno, "Failed to open file %s", file_name);
goto cleanup;
@@ -1794,7 +1794,7 @@ kdb5_ldap_set_service_password(int argc,
}
omask = umask(077);
- newfile = fopen(tmp_file, "w+");
+ newfile = WRITABLEFOPEN(tmp_file, "w+");
umask(omask);
if (newfile == NULL) {
com_err(me, errno, "Error creating file %s", tmp_file);
@@ -2016,7 +2016,7 @@ done:
--- krb5-1.11.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ krb5-1.11.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -179,7 +179,7 @@ done:
/* set password in the file */
old_mode = umask(0177);
@ -409,29 +377,35 @@ Index: krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
if (pfile == NULL) {
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
strerror (errno));
@@ -2068,7 +2068,7 @@ done:
@@ -220,6 +220,9 @@ done:
* Delete the existing entry and add the new entry
*/
FILE *newfile;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
mode_t omask;
@@ -231,7 +234,13 @@ done:
}
omask = umask(077);
- newfile = fopen(tmp_file, "w");
+ newfile = WRITABLEFOPEN(tmp_file, "w");
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(file_name);
+#endif
newfile = fopen(tmp_file, "w");
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
umask (omask);
if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file);
Index: krb5-1.10.2/src/slave/kpropd.c
Index: krb5-1.11.1/src/slave/kpropd.c
===================================================================
--- krb5-1.10.2.orig/src/slave/kpropd.c
+++ krb5-1.10.2/src/slave/kpropd.c
@@ -336,7 +336,7 @@ retry:
if (!debug && iproprole != IPROP_SLAVE)
daemon(1, 0);
#ifdef PID_FILE
- if ((pidfile = fopen(PID_FILE, "w")) != NULL) {
+ if ((pidfile = WRITABLEFOPEN(PID_FILE, "w")) != NULL) {
fprintf(pidfile, "%d\n", getpid());
fclose(pidfile);
} else
@@ -437,6 +437,9 @@ void doit(fd)
--- krb5-1.11.1.orig/src/slave/kpropd.c
+++ krb5-1.11.1/src/slave/kpropd.c
@@ -459,6 +459,9 @@ void doit(fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN+1];
@ -439,9 +413,9 @@ Index: krb5-1.10.2/src/slave/kpropd.c
+ void *selabel;
+#endif
if (kpropd_context->kdblog_context &&
kpropd_context->kdblog_context->iproprole == IPROP_SLAVE) {
@@ -515,9 +518,15 @@ void doit(fd)
signal_wrapper(SIGALRM, alarm_handler);
alarm(params.iprop_resync_timeout);
@@ -516,9 +519,15 @@ void doit(fd)
free(name);
exit(1);
}
@ -457,10 +431,10 @@ Index: krb5-1.10.2/src/slave/kpropd.c
retval = krb5_lock_file(kpropd_context, lock_fd,
KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK);
if (retval) {
Index: krb5-1.10.2/src/util/profile/prof_file.c
Index: krb5-1.11.1/src/util/profile/prof_file.c
===================================================================
--- krb5-1.10.2.orig/src/util/profile/prof_file.c
+++ krb5-1.10.2/src/util/profile/prof_file.c
--- krb5-1.11.1.orig/src/util/profile/prof_file.c
+++ krb5-1.11.1/src/util/profile/prof_file.c
@@ -30,6 +30,7 @@
#endif
@ -478,10 +452,10 @@ Index: krb5-1.10.2/src/util/profile/prof_file.c
if (!f) {
retval = errno;
if (retval == 0)
Index: krb5-1.10.2/src/util/support/Makefile.in
Index: krb5-1.11.1/src/util/support/Makefile.in
===================================================================
--- krb5-1.10.2.orig/src/util/support/Makefile.in
+++ krb5-1.10.2/src/util/support/Makefile.in
--- krb5-1.11.1.orig/src/util/support/Makefile.in
+++ krb5-1.11.1/src/util/support/Makefile.in
@@ -64,6 +64,7 @@ IPC_SYMS= \
STLIBOBJS= \
@ -490,7 +464,7 @@ Index: krb5-1.10.2/src/util/support/Makefile.in
init-addrinfo.o \
plugins.o \
errors.o \
@@ -127,7 +128,7 @@ SRCS=\
@@ -135,7 +136,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
@ -499,13 +473,13 @@ Index: krb5-1.10.2/src/util/support/Makefile.in
SHLIB_DIRS=
SHLIB_RDIRS=$(KRB5_LIBDIR)
Index: krb5-1.10.2/src/util/support/selinux.c
Index: krb5-1.11.1/src/util/support/selinux.c
===================================================================
--- /dev/null
+++ krb5-1.10.2/src/util/support/selinux.c
@@ -0,0 +1,372 @@
+++ krb5-1.11.1/src/util/support/selinux.c
@@ -0,0 +1,405 @@
+/*
+ * Copyright 2007,2008,2009,2011 Red Hat, Inc. All Rights Reserved.
+ * Copyright 2007,2008,2009,2011,2012 Red Hat, Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
@ -542,7 +516,7 @@ Index: krb5-1.10.2/src/util/support/selinux.c
+#ifdef USE_SELINUX
+
+#include <k5-label.h>
+#include <k5-thread.h>
+#include <k5-platform.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <errno.h>
@ -573,15 +547,28 @@ Index: krb5-1.10.2/src/util/support/selinux.c
+ k5_mutex_finish_init(&labeled_mutex);
+}
+
+#ifdef HAVE_SELINUX_LABEL_H
+static struct selabel_handle *selabel_ctx;
+static time_t selabel_last_changed;
+
+MAKE_FINI_FUNCTION(cleanup_fscreatecon);
+
+static void
+cleanup_fscreatecon(void)
+{
+ if (selabel_ctx != NULL) {
+ selabel_close(selabel_ctx);
+ selabel_ctx = NULL;
+ }
+}
+#endif
+
+static security_context_t
+push_fscreatecon(const char *pathname, mode_t mode)
+{
+ security_context_t previous, configuredsc, currentsc, derivedsc;
+ context_t current, derived;
+ const char *fullpath, *currentuser;
+#ifdef HAVE_SELINUX_LABEL_H
+ struct selabel_handle *ctx;
+#endif
+
+ previous = NULL;
+ if (is_selinux_enabled()) {
@ -622,18 +609,37 @@ Index: krb5-1.10.2/src/util/support/selinux.c
+#endif
+ configuredsc = NULL;
+#ifdef HAVE_SELINUX_LABEL_H
+ ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ if (ctx != NULL) {
+ if (selabel_lookup(ctx, &configuredsc,
+ if ((selabel_ctx != NULL) ||
+ (selabel_last_changed == 0)) {
+ const char *cpath;
+ struct stat st;
+ int i = -1;
+ cpath = selinux_file_context_path();
+ if ((cpath == NULL) ||
+ ((i = stat(cpath, &st)) != 0) ||
+ (st.st_mtime != selabel_last_changed)) {
+ if (selabel_ctx != NULL) {
+ selabel_close(selabel_ctx);
+ selabel_ctx = NULL;
+ }
+ selabel_last_changed = i ?
+ time(NULL) :
+ st.st_mtime;
+ }
+ }
+ if (selabel_ctx == NULL) {
+ selabel_ctx = selabel_open(SELABEL_CTX_FILE,
+ NULL, 0);
+ }
+ if (selabel_ctx != NULL) {
+ if (selabel_lookup(selabel_ctx, &configuredsc,
+ fullpath, mode) != 0) {
+ selabel_close(ctx);
+ free(genpath);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ selabel_close(ctx);
+ }
+#else
+ if (matchpathcon(fullpath, mode, &configuredsc) != 0) {
@ -756,7 +762,8 @@ Index: krb5-1.10.2/src/util/support/selinux.c
+ int errno_save;
+ security_context_t ctx;
+
+ if (strcmp(mode, "r") == 0) {
+ if ((strcmp(mode, "r") == 0) ||
+ (strcmp(mode, "rb") == 0)) {
+ return fopen(path, mode);
+ }
+
@ -876,10 +883,10 @@ Index: krb5-1.10.2/src/util/support/selinux.c
+}
+
+#endif
Index: krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c
Index: krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c
===================================================================
--- krb5-1.10.2.orig/src/lib/krb5/rcache/rc_dfl.c
+++ krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c
--- krb5-1.11.1.orig/src/lib/krb5/rcache/rc_dfl.c
+++ krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c
@@ -812,6 +812,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
krb5_error_code retval = 0;
krb5_rcache tmp;
@ -908,11 +915,48 @@ Index: krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
Index: krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c
Index: krb5-1.11.1/src/lib/krb5/ccache/cc_dir.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/kdb/db2/kdb_db2.c
+++ krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c
@@ -683,8 +683,8 @@ ctx_create_db(krb5_context context, krb5
--- krb5-1.11.1.orig/src/lib/krb5/ccache/cc_dir.c
+++ krb5-1.11.1/src/lib/krb5/ccache/cc_dir.c
@@ -185,10 +185,19 @@ write_primary_file(const char *primary_p
char *newpath = NULL;
FILE *fp = NULL;
int fd = -1, status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
return ENOMEM;
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(primary_path);
+#endif
fd = mkstemp(newpath);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (fd < 0)
goto cleanup;
#ifdef HAVE_CHMOD
Index: krb5-1.11.1/src/lib/krb5/os/trace.c
===================================================================
--- krb5-1.11.1.orig/src/lib/krb5/os/trace.c
+++ krb5-1.11.1/src/lib/krb5/os/trace.c
@@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con
fd = malloc(sizeof(*fd));
if (fd == NULL)
return ENOMEM;
- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
if (*fd == -1) {
free(fd);
return errno;
Index: krb5-1.11.1/src/plugins/kdb/db2/kdb_db2.c
===================================================================
--- krb5-1.11.1.orig/src/plugins/kdb/db2/kdb_db2.c
+++ krb5-1.11.1/src/plugins/kdb/db2/kdb_db2.c
@@ -681,8 +681,8 @@ ctx_create_db(krb5_context context, krb5
if (retval)
return retval;
@ -923,10 +967,10 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c
if (dbc->db_lf_file < 0) {
retval = errno;
goto cleanup;
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c
Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c
--- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
#include <stdio.h>
#include <unistd.h>
@ -945,11 +989,11 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c
return (NULL);
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
Index: krb5-1.10.2/src/kdc/main.c
Index: krb5-1.11.1/src/kdc/main.c
===================================================================
--- krb5-1.10.2.orig/src/kdc/main.c
+++ krb5-1.10.2/src/kdc/main.c
@@ -909,7 +909,7 @@ write_pid_file(const char *path)
--- krb5-1.11.1.orig/src/kdc/main.c
+++ krb5-1.11.1/src/kdc/main.c
@@ -902,7 +902,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
@ -958,23 +1002,23 @@ Index: krb5-1.10.2/src/kdc/main.c
if (file == NULL)
return errno;
pid = (unsigned long) getpid();
Index: krb5-1.10.2/src/lib/kdb/kdb_log.c
Index: krb5-1.11.1/src/lib/kdb/kdb_log.c
===================================================================
--- krb5-1.10.2.orig/src/lib/kdb/kdb_log.c
+++ krb5-1.10.2/src/lib/kdb/kdb_log.c
@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha
--- krb5-1.11.1.orig/src/lib/kdb/kdb_log.c
+++ krb5-1.11.1/src/lib/kdb/kdb_log.c
@@ -604,7 +604,7 @@ ulog_map(krb5_context context, const cha
return (errno);
}
- if ((ulogfd = open(logname, O_RDWR+O_CREAT, 0600)) == -1) {
+ if ((ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600)) == -1) {
- ulogfd = open(logname, O_RDWR | O_CREAT, 0600);
+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
if (ulogfd == -1) {
return (errno);
}
Index: krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in
Index: krb5-1.11.1/src/util/gss-kernel-lib/Makefile.in
===================================================================
--- krb5-1.10.2.orig/src/util/gss-kernel-lib/Makefile.in
+++ krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in
--- krb5-1.11.1.orig/src/util/gss-kernel-lib/Makefile.in
+++ krb5-1.11.1/src/util/gss-kernel-lib/Makefile.in
@@ -66,6 +66,7 @@ HEADERS= \
gssapi_err_generic.h \
k5-int.h \

krb5-1.11.1.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7994928de3fbaeaef4862798ad1608c8bd886b91cc15de7b49d6c3c3cadc1d0d
size 9433869


@ -1,9 +0,0 @@
--- doc/man2html
+++ doc/man2html 2004/10/18 16:20:53
@@ -1,5 +1,4 @@
-#!/usr/athena/bin/perl
-#!/usr/local/bin/perl
+#!/usr/bin/perl
##---------------------------------------------------------------------------##
## File:
## @(#) man2html 1.2 97/08/12 12:57:30 @(#)


@ -1,11 +1,11 @@
Index: krb5-1.6.3/src/kadmin/ktutil/ktutil.M
Index: krb5-1.11/src/man/ktutil.man
===================================================================
--- krb5-1.6.3.orig/src/kadmin/ktutil/ktutil.M
+++ krb5-1.6.3/src/kadmin/ktutil/ktutil.M
@@ -63,5 +63,17 @@ Quits
Aliases:
.BR exit ,
.BR q .
--- krb5-1.11.orig/src/man/ktutil.man
+++ krb5-1.11/src/man/ktutil.man
@@ -158,6 +158,18 @@ ktutil:
.fi
.UNINDENT
.UNINDENT
+.SH REMARKS
+Changes to the keytab are appended to the keytab file (i.e., the keytab file
+is never overwritten). To directly modify a keytab, save the changes to a
@ -19,4 +19,5 @@ Index: krb5-1.6.3/src/kadmin/ktutil/ktutil.M
+ktutil> q
+# mv /tmp/krb5.newtab /etc/krb5.keytab
.SH SEE ALSO
kadmin(8), kdb5_util(8)
.sp
\fIkadmin(1)\fP, \fIkdb5_util(8)\fP


@ -1,7 +0,0 @@
appl/sample/sserver/sserver.M
config-files/kdc.conf.M
config-files/krb5.conf.M
gen-manpages/kerberos.M
kadmin/cli/kadmin.M
slave/kpropd.M
slave/kprop.M

krb5-1.9-debuginfo.patch Normal file

@ -0,0 +1,30 @@
We want to keep these y.tab.c files around because the debuginfo points to
them. It would be more elegant at the end to use symbolic links, but that
could mess up people working in the tree on other things.
Index: src/kadmin/cli/Makefile.in
===================================================================
--- src/kadmin/cli/Makefile.in.orig
+++ src/kadmin/cli/Makefile.in
@@ -40,3 +40,8 @@ clean-unix::
# CC_LINK is not meant for compilation and this use may break in the future.
datetest: getdate.c
$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
+
+%.c: %.y
+ $(RM) y.tab.c $@
+ $(YACC.y) $<
+ $(CP) y.tab.c $@
Index: src/plugins/kdb/ldap/ldap_util/Makefile.in
===================================================================
--- src/plugins/kdb/ldap/ldap_util/Makefile.in.orig
+++ src/plugins/kdb/ldap/ldap_util/Makefile.in
@@ -22,7 +22,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KR
getdate.c: $(GETDATE)
$(RM) getdate.c y.tab.c
$(YACC) $(GETDATE)
- $(MV) y.tab.c getdate.c
+ $(CP) y.tab.c getdate.c
install::
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
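Review bot: The new `%.c: %.y` pattern rule in the kadmin/cli hunk overrides GNU make's built-in rule (which moves y.tab.c away) without saying so, and the `$(MV)` to `$(CP)` swap in the ldap_util hunk serves the same purpose; only the patch preamble explains that y.tab.c is kept because the debuginfo points at it. Add `# Override the built-in %.c: %.y rule: copy instead of move so y.tab.c survives for debuginfo.` above the rule, and a one-line echo of it beside the `$(CP)` in ldap_util, so the intent survives the next rebase. Because it is a pattern rule it also matches any other .y source in that directory and funnels them all through the single y.tab.c intermediate, so an explicit `getdate.c: getdate.y` target, as the ldap_util hunk already uses, would presumably be the narrower choice.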


@ -1,10 +1,10 @@
Use an in-memory ccache to silence a compiler warning, for RT#6414.
Index: krb5-1.10.2/src/slave/kprop.c
Index: krb5-1.11/src/slave/kprop.c
===================================================================
--- krb5-1.10.2.orig/src/slave/kprop.c
+++ krb5-1.10.2/src/slave/kprop.c
@@ -186,9 +186,8 @@ void PRS(argc, argv)
--- krb5-1.11.orig/src/slave/kprop.c
+++ krb5-1.11/src/slave/kprop.c
@@ -187,9 +187,8 @@ void PRS(argc, argv)
void get_tickets(context)
krb5_context context;
{
@ -15,7 +15,7 @@ Index: krb5-1.10.2/src/slave/kprop.c
krb5_keytab keytab = NULL;
/*
@@ -229,11 +228,8 @@ void get_tickets(context)
@@ -230,11 +229,8 @@ void get_tickets(context)
#endif
/*


@ -3,206 +3,16 @@ values can be dropped in by config.status. After applying this patch,
these files should be renamed to their ".in" counterparts, and then the
configure scripts should be rebuilt. Originally RT#6525
Index: krb5-1.10.2/src/aclocal.m4
Index: krb5-1.11/src/man/kpropd.man
===================================================================
--- krb5-1.10.2.orig/src/aclocal.m4
+++ krb5-1.10.2/src/aclocal.m4
@@ -1743,3 +1743,24 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
+AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[
+mansysconfdir=$sysconfdir
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"`
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"`
+mansbindir=$sbindir
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlocalstatedir=$localstatedir
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"`
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlibexecdir=$libexecdir
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"`
+AC_SUBST(mansysconfdir)
+AC_SUBST(mansbindir)
+AC_SUBST(manlocalstatedir)
+AC_SUBST(manlibexecdir)
+AC_CONFIG_FILES($1)
+])
Index: krb5-1.10.2/src/configure.in
===================================================================
--- krb5-1.10.2.orig/src/configure.in
+++ krb5-1.10.2/src/configure.in
@@ -1249,6 +1249,17 @@ AC_SUBST(localedir)
KRB5_WITH_PAM
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
+
+V5_AC_OUTPUT_MANPAGE([
+ appl/sample/sserver/sserver.M
+ config-files/kdc.conf.M
+ config-files/krb5.conf.M
+ gen-manpages/kerberos.M
+ kadmin/cli/kadmin.M
+ slave/kpropd.M
+ slave/kprop.M
+])
+
V5_AC_OUTPUT_MAKEFILE(.
util util/support util/profile util/profile/testmod util/send-pr
Index: krb5-1.10.2/src/appl/sample/sserver/sserver.M
===================================================================
--- krb5-1.10.2.orig/src/appl/sample/sserver/sserver.M
+++ krb5-1.10.2/src/appl/sample/sserver/sserver.M
@@ -59,7 +59,7 @@ option allows for a different keytab tha
using a line in
/etc/inetd.conf that looks like this:
.PP
-sample stream tcp nowait root /usr/local/sbin/sserver sserver
+sample stream tcp nowait root @mansbindir@/sserver sserver
.PP
Since \fBsample\fP is normally not a port defined in /etc/services, you will
usually have to add a line to /etc/services which looks like this:
Index: krb5-1.10.2/src/config-files/kdc.conf.M
===================================================================
--- krb5-1.10.2.orig/src/config-files/kdc.conf.M
+++ krb5-1.10.2/src/config-files/kdc.conf.M
@@ -92,14 +92,14 @@ This
.B string
specifies the location of the access control list (acl) file that
kadmin uses to determine which principals are allowed which permissions
-on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl.
+on the database. The default value is @manlocalstatedir@/krb5kdc/kadm5.acl.
.IP admin_keytab
This
.B string
Specifies the location of the keytab file that kadmin uses to
authenticate to the database. The default value is
-/usr/local/var/krb5kdc/kadm5.keytab.
+@manlocalstatedir@/krb5kdc/kadm5.keytab.
.IP database_name
This
@@ -274,7 +274,7 @@ tickets should be checked against the tr
realm names and the [capaths] section of its krb5.conf file
.SH FILES
-/usr/local/var/krb5kdc/kdc.conf
+@manlocalstatedir@/krb5kdc/kdc.conf
.SH SEE ALSO
krb5.conf(5), krb5kdc(8)
Index: krb5-1.10.2/src/config-files/krb5.conf.M
===================================================================
--- krb5-1.10.2.orig/src/config-files/krb5.conf.M
+++ krb5-1.10.2/src/config-files/krb5.conf.M
@@ -808,6 +808,6 @@ This module implements the encrypted cha
This module implements the encrypted timestamp mechanism.
.SH FILES
-/etc/krb5.conf
+@mansysconfdir@/krb5.conf
.SH SEE ALSO
syslog(3)
Index: krb5-1.10.2/src/gen-manpages/kerberos.M
===================================================================
--- krb5-1.10.2.orig/src/gen-manpages/kerberos.M
+++ krb5-1.10.2/src/gen-manpages/kerberos.M
@@ -125,7 +125,7 @@ default is /etc/krb5.conf.
Specifies the location of the KDC configuration file, which contains
additional configuration directives for the Key Distribution Center
daemon and associated programs. The default is
-/usr/local/var/krb5kdc/kdc.conf.
+@manlocalstatedir@/krb5kdc/kdc.conf.
.TP
.B KRB5RCACHETYPE
Specifies the default type of replay cache to use for servers. Valid
Index: krb5-1.10.2/src/kadmin/cli/kadmin.M
===================================================================
--- krb5-1.10.2.orig/src/kadmin/cli/kadmin.M
+++ krb5-1.10.2/src/kadmin/cli/kadmin.M
@@ -924,9 +924,9 @@ option is specified, less verbose status
.RS
.TP
EXAMPLE:
-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
+kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin
Entry for principal kadmin/admin with kvno 3 removed
- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
+ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab.
kadmin:
.RE
.fi
Index: krb5-1.10.2/src/slave/kpropd.M
===================================================================
--- krb5-1.10.2.orig/src/slave/kpropd.M
+++ krb5-1.10.2/src/slave/kpropd.M
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
This is done by adding a line to the inetd.conf file which looks like
this:
--- krb5-1.11.orig/src/man/kpropd.man
+++ krb5-1.11/src/man/kpropd.man
@@ -63,7 +63,7 @@ the \fB/etc/inetd.conf\fP file which loo
.sp
.nf
.ft C
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+kprop stream tcp nowait root @mansbindir@/kpropd kpropd
However, kpropd can also run as a standalone daemon, if the
.B \-S
@@ -111,13 +111,13 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
stored; by default the dumped database file is KPROPD_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/from_master).
+(normally @manlocalstatedir@/krb5kdc/from_master).
.TP
.B \-p
allows the user to specify the pathname to the
.IR kdb5_util (8)
program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL
-(normally /usr/local/sbin/kdb5_util).
+(normally @mansbindir@/kdb5_util).
.TP
.B \-S
turn on standalone mode. Normally, kpropd is invoked out of
@@ -148,14 +148,14 @@ mode.
allows the user to specify the path to the
kpropd.acl
file; by default the path used is KPROPD_ACL_FILE
-(normally /usr/local/var/krb5kdc/kpropd.acl).
+(normally @manlocalstatedir@/krb5kdc/kpropd.acl).
.SH FILES
.TP "\w'kpropd.acl\ \ 'u"
kpropd.acl
Access file for
.BR kpropd ;
the default location is KPROPD_ACL_FILE (normally
-/usr/local/var/krb5kdc/kpropd.acl).
+@manlocalstatedir@/krb5kdc/kpropd.acl).
Each entry is a line containing the principal of a host from which the
local machine will allow Kerberos database propagation via kprop.
.SH SEE ALSO
Index: krb5-1.10.2/src/slave/kprop.M
===================================================================
--- krb5-1.10.2.orig/src/slave/kprop.M
+++ krb5-1.10.2/src/slave/kprop.M
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
This is done by transmitting the dumped database file to the slave
server over an encrypted, secure channel. The dump file must be created
by kdb5_util, and is normally KPROP_DEFAULT_FILE
-(/usr/local/var/krb5kdc/slave_datatrans).
+(@manlocalstatedir@/krb5kdc/slave_datatrans).
.SH OPTIONS
.TP
\fB\-r\fP \fIrealm\fP
@@ -51,7 +51,7 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
found; by default the dumped database file is KPROP_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/slave_datatrans).
+(normally @manlocalstatedir@/krb5kdc/slave_datatrans).
.TP
\fB\-P\fP \fIport\fP
specifies the port to use to contact the
+kprop stream tcp nowait root @SBINDIR@/kpropd kpropd
.ft P
.fi
.UNINDENT


@ -1,2 +0,0 @@
addFilter("files-duplicate .*css")
addFilter("files-duplicate .*img.*png")


@ -1,196 +0,0 @@
-------------------------------------------------------------------
Mon Sep 3 14:34:35 UTC 2012 - idonmez@suse.com
- Build depend on texinfo & texlive-dvips to fix the build
-------------------------------------------------------------------
Wed Jun 6 17:34:26 CEST 2012 - mc@suse.de
- update to version 1.10.2
-------------------------------------------------------------------
Mon Aug 22 10:21:56 CEST 2011 - mc@suse.de
- update to version 1.9.1
-------------------------------------------------------------------
Fri Apr 9 12:45:30 CEST 2010 - mc@suse.de
- update to version 1.8.1
-------------------------------------------------------------------
Tue Mar 23 12:38:29 CET 2010 - mc@suse.de
- add post 1.8 fixes
* Document the ticket_lifetime libdefaults setting
-------------------------------------------------------------------
Thu Mar 4 11:45:22 CET 2010 - mc@suse.de
- update to version 1.8
-------------------------------------------------------------------
Wed Jun 3 10:47:07 CEST 2009 - mc@suse.de
- update to final version 1.7
-------------------------------------------------------------------
Wed May 13 11:34:07 CEST 2009 - mc@suse.de
- update to version 1.7 Beta2
-------------------------------------------------------------------
Mon Feb 16 13:08:05 CET 2009 - mc@suse.de
- update to pre 1.7 version
* remove outdated documentation for kadm5 API
-------------------------------------------------------------------
Fri Jul 25 12:17:10 CEST 2008 - mc@suse.de
- add patches from SVN post 1.6.3
* some fixes in the man pages
-------------------------------------------------------------------
Wed Jun 18 15:34:16 CEST 2008 - mc@suse.de
- reduce rpmlint warnings
-------------------------------------------------------------------
Tue Oct 23 10:29:23 CEST 2007 - mc@suse.de
- update to krb5 version 1.6.3
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
* fix CVE-2007-4000 modify_policy vulnerability
* Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles
-------------------------------------------------------------------
Thu Jul 12 17:02:30 CEST 2007 - mc@suse.de
- update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release
-------------------------------------------------------------------
Wed Jun 13 15:29:42 CEST 2007 - sschober@suse.de
- removed executable permission from doc file
-------------------------------------------------------------------
Mon Apr 23 11:15:59 CEST 2007 - mc@suse.de
- update to final 1.6.1 version
- replace te_ams with texlive in BuildRequires
-------------------------------------------------------------------
Wed Apr 18 14:47:49 CEST 2007 - mc@suse.de
- build implementor.ps
-------------------------------------------------------------------
Mon Apr 16 14:39:40 CEST 2007 - mc@suse.de
- update to version 1.6.1 Beta1
- remove obsolete patches
(krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
-------------------------------------------------------------------
Mon Feb 19 14:00:49 CET 2007 - mc@suse.de
- add krb5-1.6-post.dif
-------------------------------------------------------------------
Mon Jan 22 12:21:20 CET 2007 - mc@suse.de
- update to version 1.6
* Major changes in 1.6 include
* Partial client implementation to handle server name referrals.
* Pre-authentication plug-in framework, donated by Red Hat.
* LDAP KDB plug-in, donated by Novell.
-------------------------------------------------------------------
Thu Aug 24 12:53:25 CEST 2006 - mc@suse.de
- update to version 1.5.1
- remove obsolete patches which are now included upstream
* krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
* trunk-fix-uninitialized-vars.dif
-------------------------------------------------------------------
Mon Jul 3 15:01:57 CEST 2006 - mc@suse.de
- update to version 1.5
* KDB abstraction layer, donated by Novell.
* plug-in architecture, allowing for extension modules to be
loaded at run-time.
* multi-mechanism GSS-API implementation ("mechglue"),
donated by Sun Microsystems
* Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
implementation, donated by Sun Microsystems
- remove obsolete patches and add some new
-------------------------------------------------------------------
Mon Mar 13 18:01:06 CET 2006 - mc@suse.de
- set BuildArchitectures to noarch
- set norootforbuild
-------------------------------------------------------------------
Wed Jan 25 21:30:24 CET 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Fri Nov 18 12:15:07 CET 2005 - mc@suse.de
- update to version 1.4.3
- fix tex for kadm5 documentation (krb5-1.4.3-kadm5-tex.dif)
-------------------------------------------------------------------
Wed Oct 12 16:19:08 CEST 2005 - mc@suse.de
- build kadm5 documentation
- build documentation also as html
- include the text only documentation
-------------------------------------------------------------------
Tue Oct 11 17:40:26 CEST 2005 - mc@suse.de
- update to version 1.4.2
- remove some obsolet patches
-------------------------------------------------------------------
Mon Jun 27 13:36:04 CEST 2005 - mc@suse.de
- update to version 1.4.1
- remove obsolet patches
- krb5-1.4-VUL-0-telnet.dif
-------------------------------------------------------------------
Thu Feb 10 02:38:39 CET 2005 - ro@suse.de
- added libpng to neededforbuild (for tetex)
-------------------------------------------------------------------
Fri Feb 4 16:50:34 CET 2005 - mc@suse.de
- remove spx.c from tarball because of legal risk
- add README.Source which tell the user about this
action.
-------------------------------------------------------------------
Fri Jan 28 13:28:18 CET 2005 - mc@suse.de
- update to version 1.4
-------------------------------------------------------------------
Mon Jan 10 12:20:11 CET 2005 - mc@suse.de
- update to version 1.3.6
-------------------------------------------------------------------
Tue Dec 14 15:21:02 CET 2004 - mc@suse.de
- initial release


@ -1,91 +0,0 @@
#
# spec file for package krb5-doc
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: krb5-doc
BuildRequires: ghostscript-library
BuildRequires: texinfo
BuildRequires: texlive-dvips
Version: 1.10.2
Release: 0
%define srcRoot krb5-1.10.2
Summary: MIT Kerberos5 Implementation--Documentation
License: MIT
Group: Documentation/Other
Url: http://web.mit.edu/kerberos/www/
Source: krb5-%{version}.tar.bz2
Source3: %{name}-rpmlintrc
Patch0: krb5-1.3.5-perlfix.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
%description
Kerberos V5 is a trusted-third-party network authentication
system,which can improve your network's security by eliminating the
insecurepractice of clear text passwords. This package includes
extended documentation for MIT Kerberos.
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%prep
%setup -n %{srcRoot}
%patch0
%build
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
sed -i -e '1c\
\\documentclass{article}\
\\usepackage{fixunder}\
\\usepackage{functions}\
\\usepackage{fancyheadings}\
\\usepackage{hyperref}' doc/implement/implement.tex
%install
cd doc
mkdir -p html
make
make implementor.ps
make -C api
make -C implement
mv *.html html/
cd ..
find . -type f -name '*.ps' -exec gzip -9 {} \;
chmod 644 doc/man2ps
chmod 644 doc/krb5-protocol/draft-jaganathan-rc4-hmac-03.txt
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share
%clean
rm -rf %{buildroot}
%files
%defattr(-,root,root)
%doc doc/*.ps.gz doc/api/*.ps.gz doc/implement/*.ps.gz
%doc doc/krb5-protocol doc/kadmin
%doc doc/html
%changelog

krb5-kvno-230379.patch Normal file

@ -0,0 +1,53 @@
From patch attached to http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349,
at http://krbdev.mit.edu/rt/Ticket/Attachment/23851/13214/kvno.diff, adjusted
as needed to apply to 1.10. FIXME: I'd like to better handle cases where we
have a new key with the right version stored later in the keytab file.
Currently, we're setting up to overlook that possibility.
Note that this only affects the path taken when krb5_rd_rep() is passed a
server principal name, as without a server principal name it already tries
all of the keys it finds in the keytab, regardless of version numbers.
Index: krb5-1.11.1/src/kadmin/ktutil/ktutil.c
===================================================================
--- krb5-1.11.1.orig/src/kadmin/ktutil/ktutil.c
+++ krb5-1.11.1/src/kadmin/ktutil/ktutil.c
@@ -140,7 +140,7 @@ void ktutil_add_entry(argc, argv)
char *princ = NULL;
char *enctype = NULL;
krb5_kvno kvno = 0;
- int use_pass = 0, use_key = 0, i;
+ int use_pass = 0, use_key = 0, use_kvno = 0, i;
for (i = 1; i < argc; i++) {
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) {
@@ -149,6 +149,7 @@ void ktutil_add_entry(argc, argv)
}
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
kvno = (krb5_kvno) atoi(argv[++i]);
+ use_kvno++;
continue;
}
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
@@ -165,7 +166,7 @@ void ktutil_add_entry(argc, argv)
}
}
- if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) {
+ if (argc != 8 || !(princ && use_kvno && enctype) || (use_pass+use_key != 1)) {
fprintf(stderr, _("usage: %s (-key | -password) -p principal "
"-k kvno -e enctype\n"), argv[0]);
return;
Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
===================================================================
--- krb5-1.11.1.orig/src/lib/krb5/keytab/kt_file.c
+++ krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
@@ -376,7 +376,7 @@ krb5_ktfile_get_entry(krb5_context conte
higher than that. Short-term workaround: only compare
the low 8 bits. */
- if (new_entry.vno == (kvno & 0xff)) {
+ if (new_entry.vno == (kvno & 0xff) || new_entry.vno == IGNORE_VNO) {
krb5_kt_free_entry(context, &cur_entry);
cur_entry = new_entry;
break;
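Review bot: The kt_file.c hunk makes a stored keytab entry whose `vno` equals IGNORE_VNO satisfy any requested kvno, yet neither the changed condition nor ktutil's usage text says so; a caller that asks krb5_ktfile_get_entry for a specific kvno can now silently be handed a different key than before. The ktutil.c hunk's switch from `kvno` to `use_kvno` in the argument check appears to exist precisely so that such a wildcard entry can be written with `-k 0`, which makes the undocumented behaviour an operator-facing one. Add `/* A stored vno of IGNORE_VNO is a wildcard and matches any requested kvno (RT 3349). */` above the changed `if`, and say the same next to the `-k kvno` usage string in ktutil_add_entry; the preamble's FIXME about a later entry with the right version also belongs beside this condition rather than only in the patch header. Both enclosing functions, ktutil_add_entry and krb5_ktfile_get_entry, extend beyond the visible hunks.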


@ -0,0 +1,42 @@
Petr Spacek notes that when we walk the keytab in lookup_etypes_for_keytab(),
we don't free entries when we're finished examining them. Ensure that when
krb5_kt_next_entry() succeeds, we make sure to free the entry storage before we
exit the current loop iteration. (RT#7586)
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -110,9 +110,9 @@ lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab,
goto cleanup;
if (!krb5_c_valid_enctype(entry.key.enctype))
- continue;
+ goto next_entry;
if (!krb5_principal_compare(context, entry.principal, client))
- continue;
+ goto next_entry;
/* Make sure our list is for the highest kvno found for client. */
if (entry.vno > max_kvno) {
free(etypes);
@@ -120,11 +120,12 @@ lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab,
count = 0;
max_kvno = entry.vno;
} else if (entry.vno != max_kvno)
- continue;
+ goto next_entry;
/* Leave room for the terminator and possibly a second entry. */
p = realloc(etypes, (count + 3) * sizeof(*etypes));
if (p == NULL) {
+ krb5_free_keytab_entry_contents(context, &entry);
ret = ENOMEM;
goto cleanup;
}
@@ -136,6 +137,8 @@ lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab,
entry.key.enctype == ENCTYPE_DES_CBC_MD4)
etypes[count++] = ENCTYPE_DES_CBC_CRC;
etypes[count] = 0;
+next_entry:
+ krb5_free_keytab_entry_contents(context, &entry);
}
ret = 0;
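Review bot: The `next_entry:` label carries no comment, and the realloc-failure branch repeats the `krb5_free_keytab_entry_contents(context, &entry)` call instead of sharing it, so the invariant this fix establishes — every path out of the loop body releases the entry filled in by krb5_kt_next_entry() — is easy to break on the next edit. Add `/* Every path through the loop body must release entry; see next_entry. */` above the first `goto next_entry`, and `/* Release the current entry before moving to the next one. */` at the label itself. The `free(etypes)` in the higher-kvno branch is a context line whose reset of `etypes` is not visible here, so I cannot tell from the hunk whether the pointer is cleared before the `realloc`; worth confirming in the full function, which begins before and continues after the visible hunks.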


@ -1,3 +1,16 @@
-------------------------------------------------------------------
Fri Mar 15 11:14:21 CET 2013 - mc@suse.de
- update to version 1.11.1
* Improve ASN.1 support code, making it table-driven for
decoding as well as encoding
* Refactor parts of KDC
* Documentation consolidation
* build docs in the main package
* bugfixing
- obsolets a lot of patches
- refactor some patches
-------------------------------------------------------------------
Wed Mar 6 12:01:32 CET 2013 - mc@suse.de


@ -17,7 +17,7 @@
%define build_mini 1
%define srcRoot krb5-1.10.2
%define srcRoot krb5-1.11.1
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -25,12 +25,13 @@ Name: krb5-mini
Url: http://web.mit.edu/kerberos/www/
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: doxygen
BuildRequires: keyutils
BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.10.2
Version: 1.11.1
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
@ -39,6 +40,10 @@ Group: Productivity/Networking/Security
BuildRequires: libopenssl-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: python-Cheetah
BuildRequires: python-Sphinx
BuildRequires: python-libxml2
BuildRequires: python-lxml
%if 0%{?suse_version} >= 1210
BuildRequires: pkgconfig(systemd)
%endif
@ -52,22 +57,21 @@ Source: krb5-%{version}.tar.bz2
Source1: vendor-files.tar.bz2
Source2: baselibs.conf
Source5: krb5-rpmlintrc
Source10: krb5-1.8-manpaths.txt
Patch1: krb5-1.10-buildconf.patch
Patch3: krb5-1.9-manpaths.dif
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6: krb5-1.10-kpasswd_tcp.patch
Patch7: krb5-1.6.3-ktutil-manpage.dif
Patch10: krb5-1.7-doublelog.patch
Patch12: krb5-1.8-api.patch
Patch13: krb5-1.8-pam.patch
Patch18: krb5-1.9-kprop-mktemp.patch
Patch19: krb5-1.9-ksu-path.patch
Patch20: krb5-1.10-gcc47.patch
Patch21: krb5-1.10-selinux-label.patch
Patch22: krb5-1.10-spin-loop.patch
Patch23: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
Patch24: bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
Patch1: krb5-1.11-pam.patch
Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.10-buildconf.patch
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch5: krb5-1.10-kpasswd_tcp.patch
Patch6: krb5-1.6.3-ktutil-manpage.dif
Patch7: krb5-1.7-doublelog.patch
Patch8: krb5-1.8-api.patch
Patch9: krb5-1.9-kprop-mktemp.patch
Patch10: krb5-1.10-ksu-access.patch
Patch11: krb5-1.9-ksu-path.patch
Patch12: krb5-1.11-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Patch14: krb5-kvno-230379.patch
Patch15: krb5-lookup_etypes-leak.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -124,6 +128,16 @@ Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a PKINIT plugin.
%package doc
Summary: MIT Kerberos5 Implementation--Documentation
Group: Documentation/Other
%description doc
Kerberos V5 is a trusted-third-party network authentication
system,which can improve your network's security by eliminating the
insecurepractice of clear text passwords. This package includes
extended documentation for MIT Kerberos.
%endif #! build_mini
%package devel
@ -150,27 +164,21 @@ Include Files for Development
%prep
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
%patch13 -p1
%patch3 -p1
%patch21 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch18 -p1
%patch19 -p1
%patch20
%patch22 -p1
%patch23 -p1
%patch24 -p1
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do
mv "$manpage" "$manpage".in
done
popd
%patch13 -p0
%patch14 -p1
%patch15 -p1
%build
# needs to be re-generated
@ -196,7 +204,6 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
--with-ldap \
--with-pam \
--enable-pkinit \
--with-selinux \
%else
--disable-pkinit \
--without-pam \
@ -204,6 +211,12 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
--with-system-et \
--with-system-ss
make %{?jobs:-j%jobs}
%if ! 0%{?build_mini}
cd doc
make %{?jobs:-j%jobs} substhtml
cp -a html_subst ../../html
cd ..
%endif
%install
cd src
@ -279,8 +292,10 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
#rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share/examples
rm -rf %{buildroot}/usr/lib/mit/share/locale
#####################################################
# krb5(-mini) pre/post/postun
#####################################################
@ -356,13 +371,11 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_libdir}/libkrb5.so
%{_libdir}/libkrb5support.so
%{_libdir}/libverto.so
%{_libdir}/libverto-k5ev.so
%{_includedir}/*
/usr/lib/mit/bin/krb5-config
/usr/lib/mit/sbin/krb5-send-pr
/usr/lib/mit/share/gnats
%{_mandir}/man1/krb5-send-pr.1*
%{_mandir}/man1/krb5-config.1*
%{_datadir}/aclocal/ac_check_krb5.m4
%if %{build_mini}
@ -401,7 +414,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libverto.so.*
%{_libdir}/libverto-k5ev.so.*
%{_libdir}/krb5/plugins/kdb/*
#/usr/lib/mit/sbin/*
/usr/lib/mit/sbin/kadmin.local
@ -438,7 +450,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_mandir}/man1/kdestroy.1*
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kerberos.1*
%{_mandir}/man1/ksu.1*
%{_mandir}/man1/sclient.1*
%{_mandir}/man1/kadmin.1*
@ -474,7 +485,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libverto.so.*
%{_libdir}/libverto-k5ev.so.*
%files server
%defattr(-,root,root)
@ -514,6 +524,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
/usr/lib/mit/sbin/uuserver
%{_libdir}/krb5/plugins/kdb/db2.so
%{_mandir}/man5/kdc.conf.5*
%{_mandir}/man5/kadm5.acl.5*
%{_mandir}/man8/kadmind.8*
%{_mandir}/man8/kadmin.local.8*
%{_mandir}/man8/kpropd.8*
@ -549,7 +560,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_mandir}/man1/kdestroy.1*
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kerberos.1*
%{_mandir}/man1/kadmin.1*
%{_mandir}/man1/ktutil.1*
%{_mandir}/man1/k5srvutil.1*
@ -582,6 +592,11 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so
%files doc
%defattr(-,root,root)
%doc html doc/CHANGES doc/README
%endif #build_mini
%changelog


@ -1,3 +1,16 @@
-------------------------------------------------------------------
Fri Mar 15 11:14:21 CET 2013 - mc@suse.de
- update to version 1.11.1
* Improve ASN.1 support code, making it table-driven for
decoding as well as encoding
* Refactor parts of KDC
* Documentation consolidation
* build docs in the main package
* bugfixing
- obsolets a lot of patches
- refactor some patches
-------------------------------------------------------------------
Wed Mar 6 12:01:32 CET 2013 - mc@suse.de


@ -17,7 +17,7 @@
%define build_mini 0
%define srcRoot krb5-1.10.2
%define srcRoot krb5-1.11.1
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -25,12 +25,13 @@ Name: krb5
Url: http://web.mit.edu/kerberos/www/
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: doxygen
BuildRequires: keyutils
BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.10.2
Version: 1.11.1
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
@ -39,6 +40,10 @@ Group: Productivity/Networking/Security
BuildRequires: libopenssl-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: python-Cheetah
BuildRequires: python-Sphinx
BuildRequires: python-libxml2
BuildRequires: python-lxml
%if 0%{?suse_version} >= 1210
BuildRequires: pkgconfig(systemd)
%endif
@ -52,22 +57,21 @@ Source: krb5-%{version}.tar.bz2
Source1: vendor-files.tar.bz2
Source2: baselibs.conf
Source5: krb5-rpmlintrc
Source10: krb5-1.8-manpaths.txt
Patch1: krb5-1.10-buildconf.patch
Patch3: krb5-1.9-manpaths.dif
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6: krb5-1.10-kpasswd_tcp.patch
Patch7: krb5-1.6.3-ktutil-manpage.dif
Patch10: krb5-1.7-doublelog.patch
Patch12: krb5-1.8-api.patch
Patch13: krb5-1.8-pam.patch
Patch18: krb5-1.9-kprop-mktemp.patch
Patch19: krb5-1.9-ksu-path.patch
Patch20: krb5-1.10-gcc47.patch
Patch21: krb5-1.10-selinux-label.patch
Patch22: krb5-1.10-spin-loop.patch
Patch23: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
Patch24: bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
Patch1: krb5-1.11-pam.patch
Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.10-buildconf.patch
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch5: krb5-1.10-kpasswd_tcp.patch
Patch6: krb5-1.6.3-ktutil-manpage.dif
Patch7: krb5-1.7-doublelog.patch
Patch8: krb5-1.8-api.patch
Patch9: krb5-1.9-kprop-mktemp.patch
Patch10: krb5-1.10-ksu-access.patch
Patch11: krb5-1.9-ksu-path.patch
Patch12: krb5-1.11-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Patch14: krb5-kvno-230379.patch
Patch15: krb5-lookup_etypes-leak.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -124,6 +128,16 @@ Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a PKINIT plugin.
%package doc
Summary: MIT Kerberos5 Implementation--Documentation
Group: Documentation/Other
%description doc
Kerberos V5 is a trusted-third-party network authentication
system,which can improve your network's security by eliminating the
insecurepractice of clear text passwords. This package includes
extended documentation for MIT Kerberos.
%endif #! build_mini
%package devel
@ -150,27 +164,21 @@ Include Files for Development
%prep
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
%patch13 -p1
%patch3 -p1
%patch21 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch18 -p1
%patch19 -p1
%patch20
%patch22 -p1
%patch23 -p1
%patch24 -p1
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do
mv "$manpage" "$manpage".in
done
popd
%patch13 -p0
%patch14 -p1
%patch15 -p1
%build
# needs to be re-generated
@ -196,7 +204,6 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
--with-ldap \
--with-pam \
--enable-pkinit \
--with-selinux \
%else
--disable-pkinit \
--without-pam \
@ -204,6 +211,12 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
--with-system-et \
--with-system-ss
make %{?jobs:-j%jobs}
%if ! 0%{?build_mini}
cd doc
make %{?jobs:-j%jobs} substhtml
cp -a html_subst ../../html
cd ..
%endif
%install
cd src
@ -279,8 +292,10 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
#rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share/examples
rm -rf %{buildroot}/usr/lib/mit/share/locale
#####################################################
# krb5(-mini) pre/post/postun
#####################################################
@ -356,13 +371,11 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_libdir}/libkrb5.so
%{_libdir}/libkrb5support.so
%{_libdir}/libverto.so
%{_libdir}/libverto-k5ev.so
%{_includedir}/*
/usr/lib/mit/bin/krb5-config
/usr/lib/mit/sbin/krb5-send-pr
/usr/lib/mit/share/gnats
%{_mandir}/man1/krb5-send-pr.1*
%{_mandir}/man1/krb5-config.1*
%{_datadir}/aclocal/ac_check_krb5.m4
%if %{build_mini}
@ -401,7 +414,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libverto.so.*
%{_libdir}/libverto-k5ev.so.*
%{_libdir}/krb5/plugins/kdb/*
#/usr/lib/mit/sbin/*
/usr/lib/mit/sbin/kadmin.local
@ -438,7 +450,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_mandir}/man1/kdestroy.1*
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kerberos.1*
%{_mandir}/man1/ksu.1*
%{_mandir}/man1/sclient.1*
%{_mandir}/man1/kadmin.1*
@ -474,7 +485,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libverto.so.*
%{_libdir}/libverto-k5ev.so.*
%files server
%defattr(-,root,root)
@ -514,6 +524,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
/usr/lib/mit/sbin/uuserver
%{_libdir}/krb5/plugins/kdb/db2.so
%{_mandir}/man5/kdc.conf.5*
%{_mandir}/man5/kadm5.acl.5*
%{_mandir}/man8/kadmind.8*
%{_mandir}/man8/kadmin.local.8*
%{_mandir}/man8/kpropd.8*
@ -549,7 +560,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_mandir}/man1/kdestroy.1*
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kerberos.1*
%{_mandir}/man1/kadmin.1*
%{_mandir}/man1/ktutil.1*
%{_mandir}/man1/k5srvutil.1*
@ -582,6 +592,11 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so
%files doc
%defattr(-,root,root)
%doc html doc/CHANGES doc/README
%endif #build_mini
%changelog
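Review bot: Patch23 and Patch24, the two PKINIT null-pointer-dereference fixes (CVE-2013-1415 and CVE-2012-1016, tied to bug 806715 and bug 807556 by their file names), are dropped from the Patch list and from %prep with nothing in the spec or the new changelog entry saying why; a KDC crash fix disappearing from the package is exactly what security tracking will look for, so the update should state that 1.11.1 contains both fixes rather than silently obsoleting them. Please confirm both CVEs against the 1.11.1 release notes before this lands and reference them, with the bug numbers, in the changelog entry, e.g. `- drop CVE-2013-1415 and CVE-2012-1016 PKINIT patches (bnc#806715, bnc#807556): fixed upstream in 1.11.1`. Separately, the %install cleanup keeps `rm -f /usr/share/man/man1/tmac.doc*` right after the `%{buildroot}` variant; that line acts on the build host's filesystem rather than the staging tree and should be removed, since `rm -f %{buildroot}/usr/share/man/man1/tmac.doc*` already covers the package contents.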