diff --git a/README.Source b/README.Source
new file mode 100644
index 0000000..9bf6da7
--- /dev/null
+++ b/README.Source
@@ -0,0 +1,9 @@
+Because of potential legal risk we have removed the
+file "src/appl/telnet/libtelnet/spx.c" from the
+source tarball.
+
+If you want to see the original sources you can download
+them from
+
+ http://web.mit.edu/kerberos/www/ .
+
diff --git a/krb5-1.4.3-enospc.dif b/krb5-1.4.3-enospc.dif
index 0a0d9ce..69c6328 100644
--- a/krb5-1.4.3-enospc.dif
+++ b/krb5-1.4.3-enospc.dif
@@ -1,24 +1,24 @@ If the error message is going to be ambiguous, try to give the user some clue by returning the last error reported by the OS. -Index: krb5-1.8-alpha1/src/clients/kinit/kinit.c +Index: krb5-1.7/src/clients/kinit/kinit.c =================================================================== ---- krb5-1.8-alpha1.orig/src/clients/kinit/kinit.c -+++ krb5-1.8-alpha1/src/clients/kinit/kinit.c -@@ -712,8 +712,14 @@ k5_kinit(opts, k5) - code = krb5_cc_initialize(k5->ctx, k5->cc, opts->canonicalize ? - my_creds.client : k5->me); - if (code) { -- com_err(progname, code, "when initializing cache %s", -- opts->k5_cache_name?opts->k5_cache_name:""); -+ if ((code == KRB5_CC_IO) && (errno != 0)) { -+ com_err(progname, code, "when initializing cache %s: %s", -+ opts->k5_cache_name?opts->k5_cache_name:"", -+ strerror(errno)); -+ } else { -+ com_err(progname, code, "when initializing cache %s", -+ opts->k5_cache_name?opts->k5_cache_name:""); -+ } - goto cleanup; - } +--- krb5-1.7.orig/src/clients/kinit/kinit.c ++++ krb5-1.7/src/clients/kinit/kinit.c +@@ -670,8 +670,14 @@ k5_kinit(opts, k5) + code = krb5_cc_initialize(k5->ctx, k5->cc, + opts->canonicalize ? my_creds.client : k5->me); + if (code) { +- com_err(progname, code, "when initializing cache %s", +- opts->k5_cache_name?opts->k5_cache_name:""); ++ if ((code == KRB5_CC_IO) && (errno != 0)) { ++ com_err(progname, code, "when initializing cache %s: %s", ++ opts->k5_cache_name?opts->k5_cache_name:"", ++ strerror(errno)); ++ } else { ++ com_err(progname, code, "when initializing cache %s", ++ opts->k5_cache_name?opts->k5_cache_name:""); ++ } + goto cleanup; + } diff --git a/krb5-1.5.1-fix-ftp-var-used-uninitialized.dif b/krb5-1.5.1-fix-ftp-var-used-uninitialized.dif new file mode 100644 index 0000000..ad5f8c9 --- /dev/null +++ b/krb5-1.5.1-fix-ftp-var-used-uninitialized.dif 
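Review bot: The `errno != 0` test in the added branch can pick up a stale value, because nothing visible in this hunk clears errno before `krb5_cc_initialize()` and an earlier call may have left it set; the message would then append an unrelated OS error to a `KRB5_CC_IO` failure. Setting `errno = 0;` immediately before the `krb5_cc_initialize(...)` call would make the check meaningful. k5_kinit starts and ends outside the hunk, so a reset may already exist there. A short comment above the branch, e.g. `/* KRB5_CC_IO hides the OS error; append it when one was recorded */`, would also record why the two com_err calls differ.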
@@ -0,0 +1,13 @@
+Index: src/appl/gssftp/ftp/ftp.c
+===================================================================
+--- src/appl/gssftp/ftp/ftp.c.orig
++++ src/appl/gssftp/ftp/ftp.c
+@@ -1912,7 +1912,7 @@ int do_auth()
+
+ #ifdef GSSAPI
+ if (command("AUTH %s", "GSSAPI") == CONTINUE) {
+- OM_uint32 maj_stat, min_stat, dummy_stat;
++ OM_uint32 maj_stat = GSS_S_FAILURE , min_stat, dummy_stat;
+ gss_name_t target_name;
+ gss_buffer_desc send_tok, recv_tok, *token_ptr;
+ char stbuf[FTP_BUFSIZ];
diff --git a/krb5-1.5.1-fix-var-used-before-value-set.dif b/krb5-1.5.1-fix-var-used-before-value-set.dif
new file mode 100644
index 0000000..cfa5930
--- /dev/null
+++ b/krb5-1.5.1-fix-var-used-before-value-set.dif
@@ -0,0 +1,10 @@
+--- src/appl/telnet/telnetd/utility.c
++++ src/appl/telnet/telnetd/utility.c 2006/11/06 10:34:09
+@@ -127,6 +127,7 @@
+ }
+ tv.tv_sec = 1;
+ tv.tv_usec = 0;
++ FD_ZERO(&fds);
+ FD_SET(net, &fds);
+
+ while (select(net + 1, &fds, NULL, NULL, &tv) == 1)
diff --git a/krb5-1.6.1-compile_pie.dif b/krb5-1.6.1-compile_pie.dif
index 08e14fc..8a0d66f 100644
--- a/krb5-1.6.1-compile_pie.dif
+++ b/krb5-1.6.1-compile_pie.dif
@@ -15,7 +15,7 @@ Index: src/config/shlib.conf
 ===================================================================
 --- src/config/shlib.conf.orig
 +++ src/config/shlib.conf
-@@ -419,7 +419,8 @@ mips-*-netbsd*)
+@@ -420,7 +420,8 @@ mips-*-netbsd*)
 PROFFLAGS=-pg
 RPATH_FLAG='-Wl,-rpath -Wl,'
 PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
diff --git a/krb5-1.6.3-fix-ipv6-query.dif b/krb5-1.6.3-fix-ipv6-query.dif
index 4ba81b8..4220f2e 100644
--- a/krb5-1.6.3-fix-ipv6-query.dif
+++ b/krb5-1.6.3-fix-ipv6-query.dif
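Review bot: Only `maj_stat` receives an initial value in the changed declaration in ftp.c; `min_stat` and `dummy_stat` on the same line stay uninitialised, so if the path that reads `maj_stat` before any GSS call has assigned it also reports `min_stat`, that read is still of an indeterminate value. The rest of do_auth is outside the hunk, so this needs to be confirmed against the code that follows. `OM_uint32 maj_stat = GSS_S_FAILURE, min_stat = 0, dummy_stat;` would cover both and drops the stray space before the comma.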
@@ -1,9 +1,9 @@ -Index: krb5-1.8-alpha1/src/lib/krb5/os/hostaddr.c +Index: trunk/src/lib/krb5/os/hostaddr.c =================================================================== ---- krb5-1.8-alpha1.orig/src/lib/krb5/os/hostaddr.c -+++ krb5-1.8-alpha1/src/lib/krb5/os/hostaddr.c -@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c - return KRB5_ERR_BAD_HOSTNAME; +--- trunk.orig/src/lib/krb5/os/hostaddr.c ++++ trunk/src/lib/krb5/os/hostaddr.c +@@ -43,7 +43,7 @@ krb5_os_hostaddr(krb5_context context, c + return KRB5_ERR_BAD_HOSTNAME; memset (&hints, 0, sizeof (hints)); - hints.ai_flags = AI_NUMERICHOST; @@ -11,11 +11,11 @@ Index: krb5-1.8-alpha1/src/lib/krb5/os/hostaddr.c /* We don't care what kind at this point, really, but without this, we can get back multiple sockaddrs per address, for SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if -Index: krb5-1.8-alpha1/src/lib/krb5/os/hst_realm.c +Index: trunk/src/lib/krb5/os/hst_realm.c =================================================================== ---- krb5-1.8-alpha1.orig/src/lib/krb5/os/hst_realm.c -+++ krb5-1.8-alpha1/src/lib/krb5/os/hst_realm.c -@@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz +--- trunk.orig/src/lib/krb5/os/hst_realm.c ++++ trunk/src/lib/krb5/os/hst_realm.c +@@ -171,7 +171,7 @@ krb5int_get_fq_hostname (char *buf, size int err; memset (&hints, 0, sizeof (hints)); 
@@ -23,12 +23,12 @@ Index: krb5-1.8-alpha1/src/lib/krb5/os/hst_realm.c + hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; err = getaddrinfo (name, 0, &hints, &ai); if (err) - return krb5int_translate_gai_error (err); -Index: krb5-1.8-alpha1/src/lib/krb5/os/locate_kdc.c + return krb5int_translate_gai_error (err); +Index: trunk/src/lib/krb5/os/locate_kdc.c =================================================================== ---- krb5-1.8-alpha1.orig/src/lib/krb5/os/locate_kdc.c -+++ krb5-1.8-alpha1/src/lib/krb5/os/locate_kdc.c -@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis +--- trunk.orig/src/lib/krb5/os/locate_kdc.c ++++ trunk/src/lib/krb5/os/locate_kdc.c +@@ -254,8 +254,9 @@ krb5int_add_host_to_list (struct addrlis memset(&hint, 0, sizeof(hint)); hint.ai_family = family; hint.ai_socktype = socktype; 
@@ -37,18 +37,18 @@ Index: krb5-1.8-alpha1/src/lib/krb5/os/locate_kdc.c - hint.ai_flags = AI_NUMERICSERV; + hint.ai_flags |= AI_NUMERICSERV; #endif - result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)); - if (SNPRINTF_OVERFLOW(result, sizeof(portbuf))) -Index: krb5-1.8-alpha1/src/lib/krb5/os/sn2princ.c + if (snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)) >= sizeof(portbuf)) + /* XXX */ +Index: trunk/src/lib/krb5/os/sn2princ.c =================================================================== ---- krb5-1.8-alpha1.orig/src/lib/krb5/os/sn2princ.c -+++ krb5-1.8-alpha1/src/lib/krb5/os/sn2princ.c -@@ -108,7 +108,7 @@ krb5_sname_to_principal(krb5_context con +--- trunk.orig/src/lib/krb5/os/sn2princ.c ++++ trunk/src/lib/krb5/os/sn2princ.c +@@ -107,7 +107,7 @@ krb5_sname_to_principal(krb5_context con - memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_INET; -- hints.ai_flags = AI_CANONNAME; -+ hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG; - try_getaddrinfo_again: - err = getaddrinfo(hostname, 0, &hints, &ai); - if (err) { + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_INET; +- hints.ai_flags = AI_CANONNAME; ++ hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG; + try_getaddrinfo_again: + err = getaddrinfo(hostname, 0, &hints, &ai); + if (err) { diff --git a/krb5-1.6.3-kpasswd_tcp.patch b/krb5-1.6.3-kpasswd_tcp.patch index 360149f..757b3f6 100644 --- a/krb5-1.6.3-kpasswd_tcp.patch +++ b/krb5-1.6.3-kpasswd_tcp.patch 
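Review bot: This patch file still carries no description: it begins directly at the first `Index:` line, although the visible hunks change resolver behaviour by adding `AI_ADDRCONFIG` in hst_realm.c and sn2princ.c and by switching locate_kdc.c to `hint.ai_flags |= AI_NUMERICSERV;`. With `AI_ADDRCONFIG`, getaddrinfo() returns only address families for which the local host has a configured address, so hostname canonicalisation in `krb5_sname_to_principal` now depends on interface state at lookup time. A header of two or three lines stating the intent (presumably avoiding IPv6 queries on hosts without IPv6 connectivity) and that dependency would let a later rebase judge whether the flag is still wanted. The functions touched all continue outside the hunks.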
@@ -5,30 +5,31 @@ Index: src/lib/krb5/os/changepw.c =================================================================== --- src/lib/krb5/os/changepw.c.orig +++ src/lib/krb5/os/changepw.c -@@ -271,10 +271,22 @@ change_set_password(krb5_context context - NULL - ))) { - -- /* -- * Here we may want to switch to TCP on some errors. -- * right? -- */ -+ /* if we're not using a stream socket, and it's an error which -+ * might reasonably be specific to a datagram "connection", try -+ * again with a stream socket */ -+ if (!useTcp) { -+ switch (code) { -+ case KRB5_KDC_UNREACH: -+ case KRB5_REALM_CANT_RESOLVE: -+ case KRB5KRB_ERR_RESPONSE_TOO_BIG: -+ /* should we do this for more result codes than these? */ -+ krb5int_free_addrlist (&al); -+ useTcp = 1; -+ continue; -+ default: -+ break; -+ } -+ } - break; - } +@@ -261,11 +261,22 @@ krb5_change_set_password(krb5_context co + NULL, + NULL + ))) { +- +- /* +- * Here we may want to switch to TCP on some errors. +- * right? +- */ ++ /* if we're not using a stream socket, and it's an error which ++ * might reasonably be specific to a datagram "connection", try ++ * again with a stream socket */ ++ if (!useTcp) { ++ switch (code) { ++ case KRB5_KDC_UNREACH: ++ case KRB5_REALM_CANT_RESOLVE: ++ case KRB5KRB_ERR_RESPONSE_TOO_BIG: ++ /* should we do this for more result codes than these? */ ++ krb5int_free_addrlist (&al); ++ useTcp = 1; ++ continue; ++ default: ++ break; ++ } ++ } + break; + } diff --git a/krb5-1.6.3-kprop-use-mkstemp.dif b/krb5-1.6.3-kprop-use-mkstemp.dif index 9ea2577..2277883 100644 --- a/krb5-1.6.3-kprop-use-mkstemp.dif +++ b/krb5-1.6.3-kprop-use-mkstemp.dif 
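Review bot: The retry branch releases only `al` before `continue`, and the loop it restarts begins outside this hunk, so it should be confirmed that nothing else acquired earlier in the iteration is still held when the body runs again with `useTcp = 1`. The in-code question `/* should we do this for more result codes than these? */` leaves the selection criterion undocumented; a statement of intent such as `/* retry over TCP only for errors that can be caused by the datagram transport or its size limit */` would tell the next maintainer how to extend the list. Of the three codes, `KRB5_REALM_CANT_RESOLVE` is the one whose link to the transport is least obvious from the hunk and deserves a word of explanation.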
@@ -2,18 +2,18 @@ Index: src/slave/kprop.c =================================================================== --- src/slave/kprop.c.orig +++ src/slave/kprop.c -@@ -206,6 +206,7 @@ void get_tickets(context) - krb5_error_code retval; - static char tkstring[] = "/tmp/kproptktXXXXXX"; - krb5_keytab keytab = NULL; -+ int ret = 0; +@@ -215,6 +215,7 @@ void get_tickets(context) + krb5_error_code retval; + static char tkstring[] = "/tmp/kproptktXXXXXX"; + krb5_keytab keytab = NULL; ++ int ret = 0; - /* - * Figure out what tickets we'll be using to send stuff -@@ -231,7 +232,15 @@ void get_tickets(context) - /* - * Initialize cache file which we're going to be using - */ + /* + * Figure out what tickets we'll be using to send stuff +@@ -240,7 +241,15 @@ void get_tickets(context) + /* + * Initialize cache file which we're going to be using + */ +#ifdef HAVE_MKSTEMP + ret = mkstemp(tkstring); + if (ret == -1) { @@ -21,8 +21,8 @@ Index: src/slave/kprop.c + exit(1); + } else close(ret); +#else - (void) mktemp(tkstring); + (void) mktemp(tkstring); +#endif - snprintf(buf, sizeof(buf), "FILE:%s", tkstring); + snprintf(buf, sizeof(buf), "FILE:%s", tkstring); - retval = krb5_cc_resolve(context, buf, &ccache); + retval = krb5_cc_resolve(context, buf, &ccache); diff --git a/krb5-1.7-MITKRB5-SA-2009-003.dif b/krb5-1.7-MITKRB5-SA-2009-003.dif new file mode 100644 index 0000000..c3d0d1a --- /dev/null +++ b/krb5-1.7-MITKRB5-SA-2009-003.dif 
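Review bot: The `#else` branch keeps `(void) mktemp(tkstring);`, so any build where `HAVE_MKSTEMP` is not defined silently retains the predictable-name race in /tmp that this patch is meant to close; whether configure defines that macro is not visible here and should be checked. Failing the build instead, e.g. `#error "mkstemp() is required"` in place of the mktemp call, would make the fallback explicit. Separately, `tkstring` is a `static` template that mkstemp() overwrites in place, so a second call to get_tickets in the same process would pass a template without the trailing `XXXXXX`; the callers are outside the hunk, so this matters only if the function can run more than once.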
@@ -0,0 +1,27 @@
+Index: krb5-1.7/src/kdc/do_tgs_req.c
+===================================================================
+--- krb5-1.7.orig/src/kdc/do_tgs_req.c
++++ krb5-1.7/src/kdc/do_tgs_req.c
+@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request
+ free(temp_buf);
+ if (retval) {
+ /* no match found */
+- kdc_err(kdc_context, retval, 0);
++ kdc_err(kdc_context, retval, "unable to find realm of host");
+ goto cleanup;
+ }
+ if (realms == 0) {
+Index: krb5-1.7/src/lib/kadm5/logger.c
+===================================================================
+--- krb5-1.7.orig/src/lib/kadm5/logger.c
++++ krb5-1.7/src/lib/kadm5/logger.c
+@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, lo
+ char *cp;
+ char *syslogp;
+
++ if (whoami == NULL || format == NULL)
++ return;
++
+ /* Make the header */
+ snprintf(outbuf, sizeof(outbuf), "%s: ", whoami);
+ /*
diff --git a/krb5-1.7-MITKRB5-SA-2009-004.dif b/krb5-1.7-MITKRB5-SA-2009-004.dif
new file mode 100644
index 0000000..67c5738
--- /dev/null
+++ b/krb5-1.7-MITKRB5-SA-2009-004.dif
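Review bot: The guard added to klog_com_err_proc returns before anything is written, so a call with a NULL `whoami` or `format` now leaves no trace in any log destination, including the error code that came with it. For a KDC that is a gap in the audit trail: the condition this patch guards against becomes invisible instead of being recorded. Substituting a placeholder, e.g. `if (whoami == NULL) whoami = "(unknown)";`, and skipping only the format expansion when `format == NULL` would keep the header and code in the log. The function body continues outside the hunk, so where the second check belongs has to be confirmed there; at minimum a comment such as `/* drop the message rather than dereference NULL */` should state that the loss is deliberate.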
@@ -0,0 +1,377 @@ +Index: krb5-1.7/src/lib/crypto/Makefile.in +=================================================================== +--- krb5-1.7.orig/src/lib/crypto/Makefile.in ++++ krb5-1.7/src/lib/crypto/Makefile.in +@@ -18,6 +18,7 @@ EXTRADEPSRCS=\ + $(srcdir)/t_nfold.c \ + $(srcdir)/t_cf2.c \ + $(srcdir)/t_encrypt.c \ ++ $(srcdir)/t_short.c \ + $(srcdir)/t_prf.c \ + $(srcdir)/t_prng.c \ + $(srcdir)/t_hmac.c \ +@@ -206,7 +207,7 @@ libcrypto.lib: + + clean-unix:: clean-liblinks clean-libs clean-libobjs + +-check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 ++check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 t_short + $(RUN_SETUP) $(VALGRIND) ./t_nfold + $(RUN_SETUP) $(VALGRIND) ./t_encrypt + $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \ +@@ -216,6 +217,7 @@ check-unix:: t_nfold t_encrypt t_prf t_p + diff t_prf.output $(srcdir)/t_prf.expected + $(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output + diff t_cf2.output $(srcdir)/t_cf2.expected ++ $(RUN_SETUP) $(VALGRIND) ./t_short + + + # $(RUN_SETUP) $(VALGRIND) ./t_pkcs5 +@@ -249,10 +251,14 @@ t_cts$(EXEEXT): t_cts.$(OBJEXT) $(CRYPTO + $(CC_LINK) -o $@ t_cts.$(OBJEXT) \ + $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) + ++t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB) ++ $(CC_LINK) -o $@ t_short.$(OBJEXT) \ ++ $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) + + clean:: + $(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \ +- t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o t_cf2 t_cf2.o ++ t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \ ++ t_cf2 t_cf2.o t_short t_short.o + -$(RM) t_prng.output + + all-windows:: +Index: krb5-1.7/src/lib/crypto/arcfour/arcfour.c +=================================================================== +--- krb5-1.7.orig/src/lib/crypto/arcfour/arcfour.c ++++ krb5-1.7/src/lib/crypto/arcfour/arcfour.c +@@ -199,6 +199,12 @@ krb5_arcfour_decrypt(const struct krb5_e + 
keylength = enc->keylength; + hashsize = hash->hashsize; + ++ /* Verify input and output lengths. */ ++ if (input->length < hashsize + CONFOUNDERLENGTH) ++ return KRB5_BAD_MSIZE; ++ if (output->length < input->length - hashsize - CONFOUNDERLENGTH) ++ return KRB5_BAD_MSIZE; ++ + d1.length=keybytes; + d1.data=malloc(d1.length); + if (d1.data == NULL) +Index: krb5-1.7/src/lib/crypto/enc_provider/aes.c +=================================================================== +--- krb5-1.7.orig/src/lib/crypto/enc_provider/aes.c ++++ krb5-1.7/src/lib/crypto/enc_provider/aes.c +@@ -105,9 +105,11 @@ krb5int_aes_encrypt(const krb5_keyblock + nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE; + + if (nblocks == 1) { +- /* XXX Used for DK function. */ ++ /* Used when deriving keys. */ ++ if (input->length < BLOCK_SIZE) ++ return KRB5_BAD_MSIZE; + enc(output->data, input->data, &ctx); +- } else { ++ } else if (nblocks > 1) { + unsigned int nleft; + + for (blockno = 0; blockno < nblocks - 2; blockno++) { +@@ -160,9 +162,9 @@ krb5int_aes_decrypt(const krb5_keyblock + + if (nblocks == 1) { + if (input->length < BLOCK_SIZE) +- abort(); ++ return KRB5_BAD_MSIZE; + dec(output->data, input->data, &ctx); +- } else { ++ } else if (nblocks > 1) { + + for (blockno = 0; blockno < nblocks - 2; blockno++) { + dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx); +@@ -208,6 +210,7 @@ krb5int_aes_encrypt_iov(const krb5_keybl + char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE]; + int nblocks = 0, blockno; + size_t input_length, i; ++ struct iov_block_state input_pos, output_pos; + + if (aes_enc_key(key->contents, key->length, &ctx) != aes_good) + abort(); +@@ -224,17 +227,19 @@ krb5int_aes_encrypt_iov(const krb5_keybl + input_length += iov->data.length; + } + +- nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; +- +- assert(nblocks > 1); ++ IOV_BLOCK_STATE_INIT(&input_pos); ++ IOV_BLOCK_STATE_INIT(&output_pos); + +- { ++ nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; ++ if (nblocks == 1) { 
++ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE, ++ data, num_data, &input_pos); ++ enc(tmp2, tmp, &ctx); ++ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, ++ BLOCK_SIZE, &output_pos); ++ } else if (nblocks > 1) { + char blockN2[BLOCK_SIZE]; /* second last */ + char blockN1[BLOCK_SIZE]; /* last block */ +- struct iov_block_state input_pos, output_pos; +- +- IOV_BLOCK_STATE_INIT(&input_pos); +- IOV_BLOCK_STATE_INIT(&output_pos); + + for (blockno = 0; blockno < nblocks - 2; blockno++) { + char blockN[BLOCK_SIZE]; +@@ -288,6 +293,7 @@ krb5int_aes_decrypt_iov(const krb5_keybl + char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE]; + int nblocks = 0, blockno, i; + size_t input_length; ++ struct iov_block_state input_pos, output_pos; + + CHECK_SIZES; + +@@ -305,18 +311,19 @@ krb5int_aes_decrypt_iov(const krb5_keybl + if (ENCRYPT_IOV(iov)) + input_length += iov->data.length; + } ++ IOV_BLOCK_STATE_INIT(&input_pos); ++ IOV_BLOCK_STATE_INIT(&output_pos); + + nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; +- +- assert(nblocks > 1); +- +- { ++ if (nblocks == 1) { ++ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE, ++ data, num_data, &input_pos); ++ dec(tmp2, tmp, &ctx); ++ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, ++ BLOCK_SIZE, &output_pos); ++ } else if (nblocks > 1) { + char blockN2[BLOCK_SIZE]; /* second last */ + char blockN1[BLOCK_SIZE]; /* last block */ +- struct iov_block_state input_pos, output_pos; +- +- IOV_BLOCK_STATE_INIT(&input_pos); +- IOV_BLOCK_STATE_INIT(&output_pos); + + for (blockno = 0; blockno < nblocks - 2; blockno++) { + char blockN[BLOCK_SIZE]; +Index: krb5-1.7/src/lib/crypto/old/old_decrypt.c +=================================================================== +--- krb5-1.7.orig/src/lib/crypto/old/old_decrypt.c ++++ krb5-1.7/src/lib/crypto/old/old_decrypt.c +@@ -45,8 +45,10 @@ krb5_old_decrypt(const struct krb5_enc_p + blocksize = enc->block_size; + hashsize = hash->hashsize; + ++ 
/* Verify input and output lengths. */ ++ if (input->length < blocksize + hashsize || input->length % blocksize != 0) ++ return(KRB5_BAD_MSIZE); + plainsize = input->length - blocksize - hashsize; +- + if (arg_output->length < plainsize) + return(KRB5_BAD_MSIZE); + +Index: krb5-1.7/src/lib/crypto/raw/raw_decrypt.c +=================================================================== +--- krb5-1.7.orig/src/lib/crypto/raw/raw_decrypt.c ++++ krb5-1.7/src/lib/crypto/raw/raw_decrypt.c +@@ -34,5 +34,7 @@ krb5_raw_decrypt(const struct krb5_enc_p + const krb5_data *ivec, const krb5_data *input, + krb5_data *output) + { +- return((*(enc->decrypt))(key, ivec, input, output)); ++ if (output->length < input->length) ++ return KRB5_BAD_MSIZE; ++ return((*(enc->decrypt))(key, ivec, input, output)); + } +Index: krb5-1.7/src/lib/crypto/t_short.c +=================================================================== +--- /dev/null ++++ krb5-1.7/src/lib/crypto/t_short.c +@@ -0,0 +1,128 @@ ++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ ++/* ++ * lib/crypto/crypto_tests/t_short.c ++ * ++ * Copyright (C) 2009 by the Massachusetts Institute of Technology. ++ * All rights reserved. ++ * ++ * Export of this software from the United States of America may ++ * require a specific license from the United States Government. ++ * It is the responsibility of any person or organization contemplating ++ * export to obtain such a license before exporting. ++ * ++ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and ++ * distribute this software and its documentation for any purpose and ++ * without fee is hereby granted, provided that the above copyright ++ * notice appear in all copies and that both that copyright notice and ++ * this permission notice appear in supporting documentation, and that ++ * the name of M.I.T. not be used in advertising or publicity pertaining ++ * to distribution of the software without specific, written prior ++ * permission. 
Furthermore if you modify this software you must label ++ * your software as modified software and not distribute it in such a ++ * fashion that it might be confused with the original M.I.T. software. ++ * M.I.T. makes no representations about the suitability of ++ * this software for any purpose. It is provided "as is" without express ++ * or implied warranty. ++ * ++ * Tests the outcome of decrypting overly short tokens. This program can be ++ * run under a tool like valgrind to detect bad memory accesses; when run ++ * normally by the test suite, it verifies that each operation returns ++ * KRB5_BAD_MSIZE. ++ */ ++ ++#include "k5-int.h" ++ ++ ++krb5_enctype interesting_enctypes[] = { ++ ENCTYPE_DES_CBC_CRC, ++ ENCTYPE_DES_CBC_MD4, ++ ENCTYPE_DES_CBC_MD5, ++ ENCTYPE_DES3_CBC_SHA1, ++ ENCTYPE_ARCFOUR_HMAC, ++ ENCTYPE_ARCFOUR_HMAC_EXP, ++ ENCTYPE_AES256_CTS_HMAC_SHA1_96, ++ ENCTYPE_AES128_CTS_HMAC_SHA1_96, ++ 0 ++}; ++ ++/* Abort if an operation unexpectedly fails. */ ++static void ++x(krb5_error_code code) ++{ ++ if (code != 0) ++ abort(); ++} ++ ++/* Abort if a decrypt operation doesn't have the expected result. */ ++static void ++check_decrypt_result(krb5_error_code code, size_t len, size_t min_len) ++{ ++ if (len < min_len) { ++ /* Undersized tokens should always result in BAD_MSIZE. */ ++ if (code != KRB5_BAD_MSIZE) ++ abort(); ++ } else { ++ /* Min-size tokens should succeed or fail the integrity check. */ ++ if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY) ++ abort(); ++ } ++} ++ ++static void ++test_enctype(krb5_enctype enctype) ++{ ++ krb5_error_code ret; ++ krb5_keyblock keyblock; ++ krb5_enc_data input; ++ krb5_data output; ++ krb5_crypto_iov iov[2]; ++ unsigned int dummy; ++ size_t min_len, len; ++ ++ printf("Testing enctype %d\n", (int) enctype); ++ x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len)); ++ x(krb5_c_make_random_key(NULL, enctype, &keyblock)); ++ input.enctype = enctype; ++ ++ /* Try each length up to the minimum length. 
*/ ++ for (len = 0; len <= min_len; len++) { ++ input.ciphertext.data = calloc(len, 1); ++ input.ciphertext.length = len; ++ output.data = calloc(len, 1); ++ output.length = len; ++ ++ /* Attempt a normal decryption. */ ++ ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output); ++ check_decrypt_result(ret, len, min_len); ++ ++ if (krb5_c_crypto_length(NULL, enctype, KRB5_CRYPTO_TYPE_HEADER, ++ &dummy) == 0) { ++ /* Attempt an IOV stream decryption. */ ++ iov[0].flags = KRB5_CRYPTO_TYPE_STREAM; ++ iov[0].data = input.ciphertext; ++ iov[1].flags = KRB5_CRYPTO_TYPE_DATA; ++ iov[1].data.data = NULL; ++ iov[1].data.length = 0; ++ ret = krb5_c_decrypt_iov(NULL, &keyblock, 0, NULL, iov, 2); ++ check_decrypt_result(ret, len, min_len); ++ } ++ ++ free(input.ciphertext.data); ++ free(output.data); ++ } ++} ++ ++int ++main(int argc, char **argv) ++{ ++ int i; ++ krb5_data notrandom; ++ ++ notrandom.data = "notrandom"; ++ notrandom.length = 9; ++ krb5_c_random_seed(NULL, ¬random); ++ for (i = 0; interesting_enctypes[i]; i++) ++ test_enctype(interesting_enctypes[i]); ++ return 0; ++} ++ +Index: krb5-1.7/src/lib/crypto/deps +=================================================================== +--- krb5-1.7.orig/src/lib/crypto/deps ++++ krb5-1.7/src/lib/crypto/deps +@@ -463,6 +463,16 @@ t_encrypt.so t_encrypt.po $(OUTPRE)t_enc + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h etypes.h t_encrypt.c ++t_short.so t_short.po $(OUTPRE)t_short.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ ++ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ ++ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ ++ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ ++ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ ++ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ ++ 
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ ++ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ ++ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ ++ t_short.c + t_prf.so t_prf.po $(OUTPRE)t_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ +Index: krb5-1.7/src/lib/crypto/dk/dk_aead.c +=================================================================== +--- krb5-1.7.orig/src/lib/crypto/dk/dk_aead.c ++++ krb5-1.7/src/lib/crypto/dk/dk_aead.c +@@ -248,7 +248,7 @@ krb5int_dk_decrypt_iov(const struct krb5 + for (i = 0; i < num_data; i++) { + const krb5_crypto_iov *iov = &data[i]; + +- if (ENCRYPT_DATA_IOV(iov)) ++ if (ENCRYPT_IOV(iov)) + cipherlen += iov->data.length; + } + +Index: krb5-1.7/src/lib/crypto/dk/dk_decrypt.c +=================================================================== +--- krb5-1.7.orig/src/lib/crypto/dk/dk_decrypt.c ++++ krb5-1.7/src/lib/crypto/dk/dk_decrypt.c +@@ -89,6 +89,12 @@ krb5_dk_decrypt_maybe_trunc_hmac(const s + else if (hmacsize > hashsize) + return KRB5KRB_AP_ERR_BAD_INTEGRITY; + ++ /* Verify input and output lengths. */ ++ if (input->length < blocksize + hmacsize) ++ return KRB5_BAD_MSIZE; ++ if (output->length < input->length - blocksize - hmacsize) ++ return KRB5_BAD_MSIZE; ++ + enclen = input->length - hmacsize; + + if ((kedata = (unsigned char *) malloc(keylength)) == NULL) diff --git a/krb5-1.7-manpaths.dif b/krb5-1.7-manpaths.dif index a9c9e95..ab8e30e 100644 --- a/krb5-1.7-manpaths.dif +++ b/krb5-1.7-manpaths.dif 
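Review bot: The new single-block branches in krb5int_aes_encrypt_iov and krb5int_aes_decrypt_iov do not mirror the `input->length < BLOCK_SIZE` rejection that the same patch applies in krb5int_aes_encrypt and krb5int_aes_decrypt: with `nblocks == 1` and an `input_length` below BLOCK_SIZE they still run `enc`/`dec` on `tmp`. Whether that is safe depends on krb5int_c_iov_get_block filling the whole block and krb5int_c_iov_put_block bounding its writes, neither of which is visible in this patch. If short input is not meant to be accepted there, `if (input_length < BLOCK_SIZE) return KRB5_BAD_MSIZE;` at the top of each branch would make the four functions consistent. In t_short.c, `test_enctype` never releases the key produced by `krb5_c_make_random_key`, which will be reported as a leak when `check-unix` runs the test under `$(VALGRIND)`; `krb5_free_keyblock_contents(NULL, &keyblock);` after the loop would fix that.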
@@ -1,9 +1,43 @@ - -Index: krb5-1.8-alpha1/src/appl/sample/sserver/sserver.M +Index: krb5-1.7/src/appl/bsd/klogind.M =================================================================== ---- krb5-1.8-alpha1.orig/src/appl/sample/sserver/sserver.M -+++ krb5-1.8-alpha1/src/appl/sample/sserver/sserver.M +--- krb5-1.7.orig/src/appl/bsd/klogind.M ++++ krb5-1.7/src/appl/bsd/klogind.M +@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when + the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf + configuration line for \fIklogind\fP might be: + +-klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c ++klogin stream tcp nowait root @mansbindir@/klogind klogind -e5c + + When a service request is received, the following protocol is initiated: + +Index: krb5-1.7/src/appl/bsd/kshd.M +=================================================================== +--- krb5-1.7.orig/src/appl/bsd/kshd.M ++++ krb5-1.7/src/appl/bsd/kshd.M +@@ -8,7 +8,7 @@ + .SH NAME + kshd \- kerberized remote shell server + .SH SYNOPSIS +-.B /usr/local/sbin/kshd ++.B @mansbindir@/kshd + [ + .B \-kr45ec + ] +@@ -30,7 +30,7 @@ server is invoked by \fIinetd(8c)\fP whe + on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf + configuration line for \fIkrshd\fP might be: + +-kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c ++kshell stream tcp nowait root @mansbindir@/kshd kshd -5c + + When a service request is received, the following protocol is initiated: + +Index: krb5-1.7/src/appl/sample/sserver/sserver.M +=================================================================== +--- krb5-1.7.orig/src/appl/sample/sserver/sserver.M ++++ krb5-1.7/src/appl/sample/sserver/sserver.M @@ -59,7 +59,7 @@ option allows for a different keytab tha using a line in /etc/inetd.conf that looks like this: 
@@ -13,10 +47,23 @@ Index: krb5-1.8-alpha1/src/appl/sample/sserver/sserver.M .PP Since \fBsample\fP is normally not a port defined in /etc/services, you will usually have to add a line to /etc/services which looks like this: -Index: krb5-1.8-alpha1/src/config-files/kdc.conf.M +Index: krb5-1.7/src/appl/telnet/telnetd/telnetd.8 =================================================================== ---- krb5-1.8-alpha1.orig/src/config-files/kdc.conf.M -+++ krb5-1.8-alpha1/src/config-files/kdc.conf.M +--- krb5-1.7.orig/src/appl/telnet/telnetd/telnetd.8 ++++ krb5-1.7/src/appl/telnet/telnetd/telnetd.8 +@@ -37,7 +37,7 @@ telnetd \- + .SM DARPA TELNET + protocol server + .SH SYNOPSIS +-.B /usr/libexec/telnetd ++.B @manlibexecdir@/telnetd + [\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP] + [\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP] + [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP] +Index: krb5-1.7/src/config-files/kdc.conf.M +=================================================================== +--- krb5-1.7.orig/src/config-files/kdc.conf.M ++++ krb5-1.7/src/config-files/kdc.conf.M @@ -82,14 +82,14 @@ This .B string specifies the location of the access control list (acl) file that @@ -34,7 +81,7 @@ Index: krb5-1.8-alpha1/src/config-files/kdc.conf.M .IP database_name This -@@ -254,7 +254,7 @@ tickets should be checked against the tr +@@ -257,7 +257,7 @@ tickets should be checked against the tr realm names and the [capaths] section of its krb5.conf file .SH FILES 
@@ -43,12 +90,12 @@ Index: krb5-1.8-alpha1/src/config-files/kdc.conf.M .SH SEE ALSO krb5.conf(5), krb5kdc(8) -Index: krb5-1.8-alpha1/src/configure.in +Index: krb5-1.7/src/configure.in =================================================================== ---- krb5-1.8-alpha1.orig/src/configure.in -+++ krb5-1.8-alpha1/src/configure.in -@@ -1052,6 +1052,58 @@ if test "$ac_cv_lib_socket" = "yes" -a " - fi +--- krb5-1.7.orig/src/configure.in ++++ krb5-1.7/src/configure.in +@@ -1041,6 +1041,69 @@ dnl + AC_CONFIG_SUBDIRS(appl/libpty appl/bsd appl/gssftp appl/telnet) AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) + @@ -71,8 +118,18 @@ Index: krb5-1.8-alpha1/src/configure.in +AC_SUBST(manlocalstatedir) +AC_SUBST(manlibexecdir) +AC_OUTPUT([ ++ appl/bsd/klogind.M ++ appl/bsd/kshd.M ++ appl/bsd/login.M ++ appl/bsd/rcp.M ++ appl/bsd/rlogin.M ++ appl/bsd/rsh.M ++ appl/gssftp/ftpd/ftpd.M ++ appl/gssftp/ftp/ftp.M + appl/sample/sclient/sclient.M + appl/sample/sserver/sserver.M ++ appl/telnet/telnetd/telnetd.8 ++ appl/telnet/telnet/telnet.1 + clients/kcpytkt/kcpytkt.M + clients/kdeltkt/kdeltkt.M + clients/kdestroy/kdestroy.M @@ -90,6 +147,7 @@ Index: krb5-1.8-alpha1/src/configure.in + kadmin/cli/kadmin.M + kadmin/dbutil/kdb5_util.M + kadmin/ktutil/ktutil.M ++ kadmin/passwd/kpasswd.M + kadmin/server/kadmind.M + kdc/krb5kdc.M + krb5-config.M @@ -106,11 +164,11 @@ Index: krb5-1.8-alpha1/src/configure.in V5_AC_OUTPUT_MAKEFILE(. util util/support util/profile util/send-pr -Index: krb5-1.8-alpha1/src/kadmin/cli/kadmin.M +Index: krb5-1.7/src/kadmin/cli/kadmin.M =================================================================== ---- krb5-1.8-alpha1.orig/src/kadmin/cli/kadmin.M -+++ krb5-1.8-alpha1/src/kadmin/cli/kadmin.M -@@ -869,9 +869,9 @@ option is specified, less verbose status +--- krb5-1.7.orig/src/kadmin/cli/kadmin.M ++++ krb5-1.7/src/kadmin/cli/kadmin.M +@@ -850,9 +850,9 @@ option is specified, less verbose status .RS .TP EXAMPLE: 
@@ -122,7 +180,7 @@ Index: krb5-1.8-alpha1/src/kadmin/cli/kadmin.M kadmin: .RE .fi -@@ -913,7 +913,7 @@ passwords. +@@ -894,7 +894,7 @@ passwords. .SH HISTORY The .B kadmin @@ -131,10 +189,10 @@ Index: krb5-1.8-alpha1/src/kadmin/cli/kadmin.M OpenVision Kerberos administration program. .SH SEE ALSO .IR kerberos (1), -Index: krb5-1.8-alpha1/src/slave/kprop.M +Index: krb5-1.7/src/slave/kprop.M =================================================================== ---- krb5-1.8-alpha1.orig/src/slave/kprop.M -+++ krb5-1.8-alpha1/src/slave/kprop.M +--- krb5-1.7.orig/src/slave/kprop.M ++++ krb5-1.7/src/slave/kprop.M @@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv This is done by transmitting the dumped database file to the slave server over an encrypted, secure channel. The dump file must be created @@ -153,10 +211,10 @@ Index: krb5-1.8-alpha1/src/slave/kprop.M .TP \fB\-P\fP \fIport\fP specifies the port to use to contact the -Index: krb5-1.8-alpha1/src/slave/kpropd.M +Index: krb5-1.7/src/slave/kpropd.M =================================================================== ---- krb5-1.8-alpha1.orig/src/slave/kpropd.M -+++ krb5-1.8-alpha1/src/slave/kpropd.M +--- krb5-1.7.orig/src/slave/kpropd.M ++++ krb5-1.7/src/slave/kpropd.M @@ -74,7 +74,7 @@ Normally, kpropd is invoked out of This is done by adding a line to the inetd.conf file which looks like this: @@ -164,7 +222,7 @@ Index: krb5-1.8-alpha1/src/slave/kpropd.M -kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd +kprop stream tcp nowait root @mansbindir@/kpropd kpropd - However, kpropd can also run as a standalone daemon, if the + However, kpropd can also run as a standalone deamon, if the .B \-S @@ -111,13 +111,13 @@ is used. \fB\-f\fP \fIfile\fP diff --git a/krb5-1.7-manpaths.txt b/krb5-1.7-manpaths.txt index d6df93e..a85dcae 100644 --- a/krb5-1.7-manpaths.txt +++ b/krb5-1.7-manpaths.txt 
@@ -1,5 +1,15 @@ +appl/bsd/klogind.M +appl/bsd/kshd.M +appl/bsd/login.M +appl/bsd/rcp.M +appl/bsd/rlogin.M +appl/bsd/rsh.M +appl/gssftp/ftpd/ftpd.M +appl/gssftp/ftp/ftp.M appl/sample/sclient/sclient.M appl/sample/sserver/sserver.M +appl/telnet/telnetd/telnetd.8 +appl/telnet/telnet/telnet.1 clients/kcpytkt/kcpytkt.M clients/kdeltkt/kdeltkt.M clients/kdestroy/kdestroy.M @@ -17,6 +27,7 @@ kadmin/cli/kadmin.local.M kadmin/cli/kadmin.M kadmin/dbutil/kdb5_util.M kadmin/ktutil/ktutil.M +kadmin/passwd/kpasswd.M kadmin/server/kadmind.M kdc/krb5kdc.M krb5-config.M diff --git a/krb5-1.8-rpmlintrc b/krb5-1.7-rpmlintrc similarity index 100% rename from krb5-1.8-rpmlintrc rename to krb5-1.7-rpmlintrc diff --git a/krb5-1.7.tar.bz2 b/krb5-1.7.tar.bz2 new file mode 100644 index 0000000..9efcda8 --- /dev/null +++ b/krb5-1.7.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2043f38c46a9721cfab28f0fdf876af17d542cab458a87d0324783189e9570cd +size 10407001 diff --git a/krb5-1.8.tar.bz2 b/krb5-1.8.tar.bz2 deleted file mode 100644 index 771b1d5..0000000 --- a/krb5-1.8.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:10890ef19905e36e99d82cbe7caa6e8b0875b2a304f9a9e2d05137c87aff8212 -size 9958816 diff --git a/krb5-doc-1.8-rpmlintrc b/krb5-doc-1.7-rpmlintrc similarity index 100% rename from krb5-doc-1.8-rpmlintrc rename to krb5-doc-1.7-rpmlintrc diff --git a/krb5-doc.changes b/krb5-doc.changes index 6dfd162..7aeb8cb 100644 --- a/krb5-doc.changes +++ b/krb5-doc.changes @@ -1,8 +1,3 @@ -------------------------------------------------------------------- -Thu Mar 4 11:45:22 CET 2010 - mc@suse.de - -- update to version 1.8 - ------------------------------------------------------------------- Wed Jun 3 10:47:07 CEST 2009 - mc@suse.de diff --git a/krb5-doc.spec b/krb5-doc.spec index 1095545..79b2313 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec 
@@ -1,7 +1,6 @@ # -# spec file for package krb5-doc (Version 1.8) +# spec file for package krb5-doc (Version 1.7) # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties @@ -21,14 +20,15 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive -Version: 1.8 -Release: 6 -%define srcRoot krb5-1.8 +Version: 1.7 +Release: 7 +%define srcRoot krb5-1.7 Summary: MIT Kerberos5 Implementation--Documentation License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ Group: Documentation/Other -Source: krb5-1.8.tar.bz2 +Source: krb5-%{version}.tar.bz2 +Source1: README.Source Source3: %{name}-%{version}-rpmlintrc Patch0: krb5-1.3.5-perlfix.dif Patch1: krb5-1.6.3-texi2dvi-fix.dif diff --git a/krb5-mini.changes b/krb5-mini.changes index 8c77179..9f3fded 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes 
@@ -1,29 +1,16 @@ ------------------------------------------------------------------- -Thu Mar 4 10:42:29 CET 2010 - mc@suse.de +Thu Jan 7 11:45:14 CET 2010 - mc@suse.de -- update to version 1.8 - * Increase code quality - * Move toward improved KDB interface - * Investigate and remedy repeatedly-reported performance - bottlenecks. - * Reduce DNS dependence by implementing an interface that allows - client library to track whether a KDC supports service - principal referrals. - * Disable DES by default - * Account lockout for repeated login failures - * Bridge layer to allow Heimdal HDB modules to act as KDB - backend modules - * FAST enhancements - * Microsoft Services for User (S4U) compatibility - * Anonymous PKINIT -- fix KDC denial of service - CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781) - fix KDC denial of service in cross-realm referral processing CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347) - fix integer underflow in AES and RC4 decryption - CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) -- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl - + CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) + +------------------------------------------------------------------- +Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de + +- add baselibs.conf as a source + ------------------------------------------------------------------- Fri Nov 13 16:51:37 CET 2009 - mc@suse.de diff --git a/krb5-mini.spec b/krb5-mini.spec index 8e1675b..c305dc6 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -1,7 +1,6 @@ # -# spec file for package krb5 (Version 1.8) +# spec file for package krb5-mini (Version 1.7) # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties 
@@ -19,7 +18,7 @@ # norootforbuild %define build_mini 1 -%define srcRoot krb5-1.8 +%define srcRoot krb5-1.7 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -28,8 +27,8 @@ License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.8 -Release: 6 +Version: 1.7 +Release: 7 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel # bug437293 @@ -43,18 +42,25 @@ Group: Productivity/Networking/Security Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.8.tar.bz2 +Source: krb5-1.7.tar.bz2 Source1: vendor-files.tar.bz2 +Source2: README.Source +Source3: spx.c +Source4: baselibs.conf Source5: krb5-%{version}-rpmlintrc Source10: krb5-1.7-manpaths.txt Patch2: krb5-1.6.1-compile_pie.dif Patch20: krb5-1.6.3-kprop-use-mkstemp.dif +Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif +Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif Patch30: krb5-1.7-manpaths.dif Patch32: krb5-1.4.3-enospc.dif Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif +Patch47: krb5-1.7-MITKRB5-SA-2009-003.dif +Patch48: krb5-1.7-MITKRB5-SA-2009-004.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq 
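Review bot: The patch list in the `Source`/`Patch` hunk of krb5-mini.spec adds `Patch47` (MITKRB5-SA-2009-003) and `Patch48` (MITKRB5-SA-2009-004) but nothing for MITKRB5-SA-2010-001 / CVE-2010-0283, whose changelog entry this commit removes together with the 1.8 update. Whether 1.7 falls inside that advisory's affected range is not visible here and should be checked against the advisory. If it does, the KDC denial-of-service fix needs a backport carried as its own patch next to the other two, with a matching `%patch` line in `%prep`. The same patch list appears in the krb5.spec hunk further down.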
@@ -111,6 +117,46 @@ and more. +Authors: +-------- + The MIT Kerberos Team + Sam Hartman + Ken Raeburn + Tom Yu + +%package apps-servers +License: MIT License (or similar) +Summary: MIT Kerberos5 server applications +Group: Productivity/Networking/Security + +%description apps-servers +Kerberos V5 is a trusted-third-party network authentication system, +which can improve your network's security by eliminating the insecure +practice of cleartext passwords. This package includes some kerberos +compatible server applications like ftpd, klogind, telnetd, ... + + + +Authors: +-------- + The MIT Kerberos Team + Sam Hartman + Ken Raeburn + Tom Yu + +%package apps-clients +License: MIT License (or similar) +Summary: MIT Kerberos5 client applications +Group: Productivity/Networking/Security + +%description apps-clients +Kerberos V5 is a trusted-third-party network authentication system, +which can improve your network's security by eliminating the insecure +practice of cleartext passwords. This package includes some kerberos +compatible client applications like ftp, rpc, rlogin, telnet, ... + + + Authors: -------- The MIT Kerberos Team @@ -194,14 +240,25 @@ Authors: %prep %setup -q -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot} +if [ -e %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c ] +then + echo "spx.c contains potential legal risks." + exit 1; +else + cp %{SOURCE3} %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c +fi %patch2 %patch20 +%patch21 +%patch22 %patch30 -p1 %patch32 -p1 %patch34 -p1 %patch41 %patch44 -p1 %patch46 -p1 +%patch47 -p1 +%patch48 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do 
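Review bot: The `%description apps-clients` text lists `rpc` among the client applications, which looks like a transposition of `rcp`, the binary this subpackage ships in its `%files` list. I would change the line to `compatible client applications like ftp, rcp, rlogin, telnet, ...`. The same text is repeated in krb5.spec.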
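Review bot: The `%prep` guard only proves that `spx.c` is absent from the unpacked tree; nothing in the spec records how the repacked `krb5-1.7.tar.bz2` was derived from the upstream release, so the next packager cannot tie it back to upstream's published tarball. A comment above the check would cover it, for example `# Source0 is the upstream tarball with src/appl/telnet/libtelnet/spx.c removed (see README.Source); verify the upstream release before repacking`. The failure message could also go to stderr and name the path, `echo "source tarball still contains src/appl/telnet/libtelnet/spx.c" >&2`. The same block is repeated in krb5.spec.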
@@ -262,6 +319,12 @@ install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.c install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind +for n in ftpd.8 telnetd.8; do + mv %{buildroot}%{_mandir}/man8/${n} %{buildroot}%{_mandir}/man8/k${n} +done +for n in ftp.1 rlogin.1 rcp.1 rsh.1 telnet.1; do + mv %{buildroot}%{_mandir}/man1/${n} %{buildroot}%{_mandir}/man1/k${n} +done # all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` do @@ -274,6 +337,12 @@ mkdir -p %{buildroot}%{_sysconfdir}/init.d install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd +# install xinetd files +mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d +install -m 644 %{vendorFiles}/klogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/klogin +install -m 644 %{vendorFiles}/eklogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/eklogin +install -m 644 %{vendorFiles}/krb5-telnet.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/ktelnet +install -m 644 %{vendorFiles}/kshell.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/kshell # install logrotate files mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server @@ -352,9 +421,7 @@ rm -rf %{buildroot} %dir /usr/lib/mit/sbin %{_libdir}/libgssrpc.so %{_libdir}/libk5crypto.so -%{_libdir}/libkadm5clnt_mit.so %{_libdir}/libkadm5clnt.so -%{_libdir}/libkadm5srv_mit.so %{_libdir}/libkadm5srv.so %{_libdir}/libkdb5.so %{_libdir}/libkrb5.so 
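Review bot: The xinetd hunk installs drop-ins for klogin, eklogin, ktelnet and kshell straight into `%{_sysconfdir}/xinetd.d`, and their contents live in vendor-files.tar.bz2, so this diff does not show whether they ship enabled. These are remote login and shell listeners, and klogin and kshell are presumably the variants without session encryption, so each file should carry `disable = yes` and leave enabling to the administrator. A comment on the block would record that, e.g. `# xinetd services are installed disabled; the administrator enables them per service`. The same hunk is repeated in krb5.spec.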
@@ -388,13 +455,17 @@ rm -rf %{buildroot} %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict +%config(noreplace) %{_sysconfdir}/xinetd.d/klogin +%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin +%config(noreplace) %{_sysconfdir}/xinetd.d/kshell +%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* %{_sysconfdir}/init.d/* %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* -%{_libdir}/libkadm5clnt_mit.so.* -%{_libdir}/libkadm5srv_mit.so.* +%{_libdir}/libkadm5clnt.so.* +%{_libdir}/libkadm5srv.so.* %{_libdir}/libkdb5.so.* %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* @@ -408,10 +479,15 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc +/usr/lib/mit/sbin/ftpd +/usr/lib/mit/sbin/klogind +/usr/lib/mit/sbin/kshd +/usr/lib/mit/sbin/telnetd /usr/lib/mit/sbin/uuserver /usr/lib/mit/sbin/sserver /usr/lib/mit/sbin/gss-server /usr/lib/mit/sbin/sim_server +/usr/lib/mit/sbin/login.krb5 /usr/lib/mit/bin/k5srvutil /usr/lib/mit/bin/kvno /usr/lib/mit/bin/kinit @@ -421,10 +497,16 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kadmin /usr/lib/mit/bin/ktutil %attr(0755,root,root) /usr/lib/mit/bin/ksu +/usr/lib/mit/bin/rcp +/usr/lib/mit/bin/rsh +/usr/lib/mit/bin/telnet /usr/lib/mit/bin/uuclient /usr/lib/mit/bin/sclient /usr/lib/mit/bin/gss-client /usr/lib/mit/bin/sim_client +/usr/lib/mit/bin/ftp +/usr/lib/mit/bin/rlogin +#/usr/lib/mit/bin/* /usr/bin/kinit /usr/bin/klist /usr/bin/rc* 
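Review bot: `ksu` is pinned with `%attr(0755,root,root)`, but the newly listed `rcp`, `rsh`, `rlogin`, `telnet` and `ftp` take whatever mode the install step left in the buildroot, assuming this section uses `%defattr(-,root,root)` like the other `%files` sections shown. If upstream's install marks any of them setuid (not visible in this diff), the bit would ship unnoticed; pinning them the same way closes that, e.g. `%attr(0755,root,root) /usr/lib/mit/bin/rcp`. The commented-out `#/usr/lib/mit/bin/*` line added in the same hunk can be dropped. This applies equally to the `%files apps-clients` hunk and to the matching hunks in krb5.spec.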
@@ -435,7 +517,12 @@ rm -rf %{buildroot} %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* %{_mandir}/man1/kerberos.1* +%{_mandir}/man1/kftp.1* +%{_mandir}/man1/krlogin.1* +%{_mandir}/man1/krsh.1* +%{_mandir}/man1/ktelnet.1* %{_mandir}/man1/ksu.1* +%{_mandir}/man1/krcp.1* %{_mandir}/man1/sclient.1* %{_mandir}/man1/kadmin.1* %{_mandir}/man1/ktutil.1* @@ -462,8 +549,8 @@ rm -rf %{buildroot} %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* -%{_libdir}/libkadm5clnt_mit.so.* -%{_libdir}/libkadm5srv_mit.so.* +%{_libdir}/libkadm5clnt.so.* +%{_libdir}/libkadm5srv.so.* %{_libdir}/libkdb5.so.* %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* @@ -495,10 +582,6 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc -/usr/lib/mit/sbin/gss-server -/usr/lib/mit/sbin/sim_server -/usr/lib/mit/sbin/sserver -/usr/lib/mit/sbin/uuserver %{_libdir}/krb5/plugins/kdb/db2.so %{_mandir}/man5/kdc.conf.5* %{_mandir}/man8/kadmind.8* @@ -508,7 +591,6 @@ rm -rf %{buildroot} %{_mandir}/man8/kproplog.8.gz %{_mandir}/man8/kdb5_util.8* %{_mandir}/man8/krb5kdc.8* -%{_mandir}/man8/sserver.8* %files client %defattr(-,root,root) @@ -523,11 +605,6 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kadmin /usr/lib/mit/bin/ktutil /usr/lib/mit/bin/k5srvutil -/usr/lib/mit/bin/gss-client -/usr/lib/mit/bin/ksu -/usr/lib/mit/bin/sclient -/usr/lib/mit/bin/sim_client -/usr/lib/mit/bin/uuclient /usr/bin/kinit /usr/bin/klist %{_mandir}/man1/kvno.1* 
@@ -541,8 +618,53 @@ rm -rf %{buildroot} %{_mandir}/man1/k5srvutil.1* %{_mandir}/man5/krb5.conf.5* %{_mandir}/man5/.k5login.5* -%{_mandir}/man1/ksu.1.gz -%{_mandir}/man1/sclient.1.gz + +%files apps-servers +%defattr(-,root,root) +%config(noreplace) %{_sysconfdir}/xinetd.d/klogin +%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin +%config(noreplace) %{_sysconfdir}/xinetd.d/kshell +%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet +%dir /usr/lib/mit +%dir /usr/lib/mit/sbin +/usr/lib/mit/sbin/ftpd +/usr/lib/mit/sbin/klogind +/usr/lib/mit/sbin/kshd +/usr/lib/mit/sbin/telnetd +/usr/lib/mit/sbin/uuserver +/usr/lib/mit/sbin/sserver +/usr/lib/mit/sbin/gss-server +/usr/lib/mit/sbin/sim_server +/usr/lib/mit/sbin/login.krb5 +%{_mandir}/man8/kftpd.8* +%{_mandir}/man8/klogind.8* +%{_mandir}/man8/kshd.8* +%{_mandir}/man8/ktelnetd.8* +%{_mandir}/man8/sserver.8* +%{_mandir}/man8/login.krb5.8* + +%files apps-clients +%defattr(-,root,root) +%dir /usr/lib/mit +%dir /usr/lib/mit/bin +/usr/lib/mit/bin/ftp +/usr/lib/mit/bin/rlogin +# removed SUID bit, we will rely on su + pam_krb +%attr(0755,root,root) /usr/lib/mit/bin/ksu +/usr/lib/mit/bin/rcp +/usr/lib/mit/bin/rsh +/usr/lib/mit/bin/telnet +/usr/lib/mit/bin/uuclient +/usr/lib/mit/bin/sclient +/usr/lib/mit/bin/gss-client +/usr/lib/mit/bin/sim_client +%{_mandir}/man1/kftp.1* +%{_mandir}/man1/krlogin.1* +%{_mandir}/man1/krsh.1* +%{_mandir}/man1/ktelnet.1* +%{_mandir}/man1/ksu.1* +%{_mandir}/man1/krcp.1* +%{_mandir}/man1/sclient.1* %files plugin-kdb-ldap %defattr(-,root,root) diff --git a/krb5.changes b/krb5.changes index 8c77179..9f3fded 100644 --- a/krb5.changes +++ b/krb5.changes 
@@ -1,29 +1,16 @@ ------------------------------------------------------------------- -Thu Mar 4 10:42:29 CET 2010 - mc@suse.de +Thu Jan 7 11:45:14 CET 2010 - mc@suse.de -- update to version 1.8 - * Increase code quality - * Move toward improved KDB interface - * Investigate and remedy repeatedly-reported performance - bottlenecks. - * Reduce DNS dependence by implementing an interface that allows - client library to track whether a KDC supports service - principal referrals. - * Disable DES by default - * Account lockout for repeated login failures - * Bridge layer to allow Heimdal HDB modules to act as KDB - backend modules - * FAST enhancements - * Microsoft Services for User (S4U) compatibility - * Anonymous PKINIT -- fix KDC denial of service - CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781) - fix KDC denial of service in cross-realm referral processing CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347) - fix integer underflow in AES and RC4 decryption - CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) -- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl - + CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) + +------------------------------------------------------------------- +Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de + +- add baselibs.conf as a source + ------------------------------------------------------------------- Fri Nov 13 16:51:37 CET 2009 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index 298f286..549b327 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1,7 +1,6 @@ # -# spec file for package krb5 (Version 1.8) +# spec file for package krb5 (Version 1.7) # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties 
@@ -19,7 +18,7 @@ # norootforbuild %define build_mini 0 -%define srcRoot krb5-1.8 +%define srcRoot krb5-1.7 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -28,8 +27,8 @@ License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.8 -Release: 6 +Version: 1.7 +Release: 7 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel # bug437293 @@ -43,18 +42,25 @@ Group: Productivity/Networking/Security Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.8.tar.bz2 +Source: krb5-1.7.tar.bz2 Source1: vendor-files.tar.bz2 +Source2: README.Source +Source3: spx.c +Source4: baselibs.conf Source5: krb5-%{version}-rpmlintrc Source10: krb5-1.7-manpaths.txt Patch2: krb5-1.6.1-compile_pie.dif Patch20: krb5-1.6.3-kprop-use-mkstemp.dif +Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif +Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif Patch30: krb5-1.7-manpaths.dif Patch32: krb5-1.4.3-enospc.dif Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif +Patch47: krb5-1.7-MITKRB5-SA-2009-003.dif +Patch48: krb5-1.7-MITKRB5-SA-2009-004.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq 
@@ -111,6 +117,46 @@ and more. +Authors: +-------- + The MIT Kerberos Team + Sam Hartman + Ken Raeburn + Tom Yu + +%package apps-servers +License: MIT License (or similar) +Summary: MIT Kerberos5 server applications +Group: Productivity/Networking/Security + +%description apps-servers +Kerberos V5 is a trusted-third-party network authentication system, +which can improve your network's security by eliminating the insecure +practice of cleartext passwords. This package includes some kerberos +compatible server applications like ftpd, klogind, telnetd, ... + + + +Authors: +-------- + The MIT Kerberos Team + Sam Hartman + Ken Raeburn + Tom Yu + +%package apps-clients +License: MIT License (or similar) +Summary: MIT Kerberos5 client applications +Group: Productivity/Networking/Security + +%description apps-clients +Kerberos V5 is a trusted-third-party network authentication system, +which can improve your network's security by eliminating the insecure +practice of cleartext passwords. This package includes some kerberos +compatible client applications like ftp, rpc, rlogin, telnet, ... + + + Authors: -------- The MIT Kerberos Team @@ -194,14 +240,25 @@ Authors: %prep %setup -q -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot} +if [ -e %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c ] +then + echo "spx.c contains potential legal risks." + exit 1; +else + cp %{SOURCE3} %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c +fi %patch2 %patch20 +%patch21 +%patch22 %patch30 -p1 %patch32 -p1 %patch34 -p1 %patch41 %patch44 -p1 %patch46 -p1 +%patch47 -p1 +%patch48 -p1 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do 
@@ -262,6 +319,12 @@ install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.c install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind +for n in ftpd.8 telnetd.8; do + mv %{buildroot}%{_mandir}/man8/${n} %{buildroot}%{_mandir}/man8/k${n} +done +for n in ftp.1 rlogin.1 rcp.1 rsh.1 telnet.1; do + mv %{buildroot}%{_mandir}/man1/${n} %{buildroot}%{_mandir}/man1/k${n} +done # all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` do @@ -274,6 +337,12 @@ mkdir -p %{buildroot}%{_sysconfdir}/init.d install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd +# install xinetd files +mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d +install -m 644 %{vendorFiles}/klogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/klogin +install -m 644 %{vendorFiles}/eklogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/eklogin +install -m 644 %{vendorFiles}/krb5-telnet.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/ktelnet +install -m 644 %{vendorFiles}/kshell.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/kshell # install logrotate files mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server @@ -352,9 +421,7 @@ rm -rf %{buildroot} %dir /usr/lib/mit/sbin %{_libdir}/libgssrpc.so %{_libdir}/libk5crypto.so -%{_libdir}/libkadm5clnt_mit.so %{_libdir}/libkadm5clnt.so -%{_libdir}/libkadm5srv_mit.so %{_libdir}/libkadm5srv.so %{_libdir}/libkdb5.so %{_libdir}/libkrb5.so 
@@ -388,13 +455,17 @@ rm -rf %{buildroot} %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict +%config(noreplace) %{_sysconfdir}/xinetd.d/klogin +%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin +%config(noreplace) %{_sysconfdir}/xinetd.d/kshell +%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* %{_sysconfdir}/init.d/* %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* -%{_libdir}/libkadm5clnt_mit.so.* -%{_libdir}/libkadm5srv_mit.so.* +%{_libdir}/libkadm5clnt.so.* +%{_libdir}/libkadm5srv.so.* %{_libdir}/libkdb5.so.* %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* @@ -408,10 +479,15 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc +/usr/lib/mit/sbin/ftpd +/usr/lib/mit/sbin/klogind +/usr/lib/mit/sbin/kshd +/usr/lib/mit/sbin/telnetd /usr/lib/mit/sbin/uuserver /usr/lib/mit/sbin/sserver /usr/lib/mit/sbin/gss-server /usr/lib/mit/sbin/sim_server +/usr/lib/mit/sbin/login.krb5 /usr/lib/mit/bin/k5srvutil /usr/lib/mit/bin/kvno /usr/lib/mit/bin/kinit @@ -421,10 +497,16 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kadmin /usr/lib/mit/bin/ktutil %attr(0755,root,root) /usr/lib/mit/bin/ksu +/usr/lib/mit/bin/rcp +/usr/lib/mit/bin/rsh +/usr/lib/mit/bin/telnet /usr/lib/mit/bin/uuclient /usr/lib/mit/bin/sclient /usr/lib/mit/bin/gss-client /usr/lib/mit/bin/sim_client +/usr/lib/mit/bin/ftp +/usr/lib/mit/bin/rlogin +#/usr/lib/mit/bin/* /usr/bin/kinit /usr/bin/klist /usr/bin/rc* 
@@ -435,7 +517,12 @@ rm -rf %{buildroot} %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* %{_mandir}/man1/kerberos.1* +%{_mandir}/man1/kftp.1* +%{_mandir}/man1/krlogin.1* +%{_mandir}/man1/krsh.1* +%{_mandir}/man1/ktelnet.1* %{_mandir}/man1/ksu.1* +%{_mandir}/man1/krcp.1* %{_mandir}/man1/sclient.1* %{_mandir}/man1/kadmin.1* %{_mandir}/man1/ktutil.1* @@ -462,8 +549,8 @@ rm -rf %{buildroot} %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* -%{_libdir}/libkadm5clnt_mit.so.* -%{_libdir}/libkadm5srv_mit.so.* +%{_libdir}/libkadm5clnt.so.* +%{_libdir}/libkadm5srv.so.* %{_libdir}/libkdb5.so.* %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* @@ -495,10 +582,6 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc -/usr/lib/mit/sbin/gss-server -/usr/lib/mit/sbin/sim_server -/usr/lib/mit/sbin/sserver -/usr/lib/mit/sbin/uuserver %{_libdir}/krb5/plugins/kdb/db2.so %{_mandir}/man5/kdc.conf.5* %{_mandir}/man8/kadmind.8* @@ -508,7 +591,6 @@ rm -rf %{buildroot} %{_mandir}/man8/kproplog.8.gz %{_mandir}/man8/kdb5_util.8* %{_mandir}/man8/krb5kdc.8* -%{_mandir}/man8/sserver.8* %files client %defattr(-,root,root) @@ -523,11 +605,6 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kadmin /usr/lib/mit/bin/ktutil /usr/lib/mit/bin/k5srvutil -/usr/lib/mit/bin/gss-client -/usr/lib/mit/bin/ksu -/usr/lib/mit/bin/sclient -/usr/lib/mit/bin/sim_client -/usr/lib/mit/bin/uuclient /usr/bin/kinit /usr/bin/klist %{_mandir}/man1/kvno.1* 
@@ -541,8 +618,53 @@ rm -rf %{buildroot} %{_mandir}/man1/k5srvutil.1* %{_mandir}/man5/krb5.conf.5* %{_mandir}/man5/.k5login.5* -%{_mandir}/man1/ksu.1.gz -%{_mandir}/man1/sclient.1.gz + +%files apps-servers +%defattr(-,root,root) +%config(noreplace) %{_sysconfdir}/xinetd.d/klogin +%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin +%config(noreplace) %{_sysconfdir}/xinetd.d/kshell +%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet +%dir /usr/lib/mit +%dir /usr/lib/mit/sbin +/usr/lib/mit/sbin/ftpd +/usr/lib/mit/sbin/klogind +/usr/lib/mit/sbin/kshd +/usr/lib/mit/sbin/telnetd +/usr/lib/mit/sbin/uuserver +/usr/lib/mit/sbin/sserver +/usr/lib/mit/sbin/gss-server +/usr/lib/mit/sbin/sim_server +/usr/lib/mit/sbin/login.krb5 +%{_mandir}/man8/kftpd.8* +%{_mandir}/man8/klogind.8* +%{_mandir}/man8/kshd.8* +%{_mandir}/man8/ktelnetd.8* +%{_mandir}/man8/sserver.8* +%{_mandir}/man8/login.krb5.8* + +%files apps-clients +%defattr(-,root,root) +%dir /usr/lib/mit +%dir /usr/lib/mit/bin +/usr/lib/mit/bin/ftp +/usr/lib/mit/bin/rlogin +# removed SUID bit, we will rely on su + pam_krb +%attr(0755,root,root) /usr/lib/mit/bin/ksu +/usr/lib/mit/bin/rcp +/usr/lib/mit/bin/rsh +/usr/lib/mit/bin/telnet +/usr/lib/mit/bin/uuclient +/usr/lib/mit/bin/sclient +/usr/lib/mit/bin/gss-client +/usr/lib/mit/bin/sim_client +%{_mandir}/man1/kftp.1* +%{_mandir}/man1/krlogin.1* +%{_mandir}/man1/krsh.1* +%{_mandir}/man1/ktelnet.1* +%{_mandir}/man1/ksu.1* +%{_mandir}/man1/krcp.1* +%{_mandir}/man1/sclient.1* %files plugin-kdb-ldap %defattr(-,root,root) diff --git a/ready b/ready new file mode 100644 index 0000000..473a0f4 diff --git a/spx.c b/spx.c new file mode 100644 index 0000000..256ccd5 --- /dev/null +++ b/spx.c 
@@ -0,0 +1,50 @@ +/*- + * Copyright (c) 1992, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +/* based on @(#)spx.c 8.1 (Berkeley) 6/4/93 */ + +#include "misc-proto.h" + +#ifdef notdef + +prkey(msg, key) + char *msg; + unsigned char *key; +{ + register int i; + printf("%s:", msg); + for (i = 0; i < 8; i++) + printf(" %3d", key[i]); + printf("\r\n"); +} +#endif diff --git a/vendor-files.tar.bz2 b/vendor-files.tar.bz2 index 9c9d317..125b194 100644 --- a/vendor-files.tar.bz2 +++ b/vendor-files.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:afd7fcef667fa671ba023b747d95c62dd83b03c4bb93c7132e1ae78fe837c35e -size 182067 +oid sha256:cc8af64eb451283d9ed22d52848a923e65a50b5c80442fe3165f238efdd34571 +size 182153
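Review bot: The only definition left in this stub, `prkey`, is a K&R-style debug helper that prints the eight key bytes with `printf`, and it sits under `#ifdef notdef`, so the file normally compiles to nothing beyond the `misc-proto.h` include. Since the file is presumably kept only so the libtelnet build still finds it, I would drop the helper and leave a single comment such as `/* SPX support is not shipped in this package; file kept as an empty stub for the build. */`. That removes a routine that would write key material to the terminal if someone defined `notdef`, and it also removes an implicit-int function that uses `printf` without including `<stdio.h>`.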