rpm/krb5
SHA256
1
0
Fork 0
forked from pool/krb5
Code Pull Requests Activity

OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=26

Browse Source
This commit is contained in:
OBS User unknown 2007-10-25 00:08:58 +00:00 committed by Git OBS Bridge
parent e64e277961
commit 480b1fc937
18 changed files with 560 additions and 956 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
krb5-1.3.3-rcp-markus.dif Normal file
View File

@ -0,0 +1,50 @@
Fix for CAN-2004-0175, based on Markus Friedl's fix for OpenSSH scp.
Index: krb5-1.6.3/src/appl/bsd/krcp.c
===================================================================
--- krb5-1.6.3.orig/src/appl/bsd/krcp.c
+++ krb5-1.6.3/src/appl/bsd/krcp.c
@@ -1096,6 +1096,10 @@ void sink(argc, argv)
size = size * 10 + (*cp++ - '0');
if (*cp++ != ' ')
SCREWUP("size not delimited");
+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+ error("error: unexpected filename: %s", cp);
+ exit(1);
+ }
if (targisdir) {
if(strlen(targ) + strlen(cp) + 2 >= sizeof(nambuf))
SCREWUP("target name too long");
@@ -1109,6 +1113,8 @@ void sink(argc, argv)
nambuf[sizeof(nambuf) - 1] = '\0';
exists = stat(nambuf, &stb) == 0;
if (cmdbuf[0] == 'D') {
+ if (!iamrecursive)
+ SCREWUP("received directory without -r");
if (exists) {
if ((stb.st_mode&S_IFMT) != S_IFDIR) {
errno = ENOTDIR;
Index: krb5-1.6.3/src/appl/bsd/v4rcp.c
===================================================================
--- krb5-1.6.3.orig/src/appl/bsd/v4rcp.c
+++ krb5-1.6.3/src/appl/bsd/v4rcp.c
@@ -807,6 +807,10 @@ void sink(argc, argv)
size = size * 10 + (*cp++ - '0');
if (*cp++ != ' ')
SCREWUP("size not delimited");
+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+ error("error: unexpected filename: %s", cp);
+ exit(1);
+ }
if (targisdir) {
if (strlen(targ) + strlen(cp) + 1 < sizeof(nambuf)) {
(void) sprintf(nambuf, "%s%s%s", targ,
@@ -823,6 +827,8 @@ void sink(argc, argv)
nambuf[sizeof(nambuf)-1] = '\0';
exists = stat(nambuf, &stb) == 0;
if (cmdbuf[0] == 'D') {
+ if (!iamrecursive)
+ SCREWUP("received directory without -r");
if (exists) {
if ((stb.st_mode&S_IFMT) != S_IFDIR) {
errno = ENOTDIR;

32
krb5-1.4.3-enospc.dif Normal file
View File

@ -0,0 +1,32 @@
If the error message is going to be ambiguous, try to give the user some clue
by returning the last error reported by the OS.
Index: krb5-1.6.3/src/clients/kinit/kinit.c
===================================================================
--- krb5-1.6.3.orig/src/clients/kinit/kinit.c
+++ krb5-1.6.3/src/clients/kinit/kinit.c
@@ -35,6 +35,7 @@
#else
#undef HAVE_KRB524
#endif
+#include <errno.h>
#include <string.h>
#include <stdio.h>
#include <time.h>
@@ -921,8 +922,14 @@ k5_kinit(opts, k5)
code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me);
if (code) {
- com_err(progname, code, "when initializing cache %s",
- opts->k5_cache_name?opts->k5_cache_name:"");
+ if ((code == KRB5_CC_IO) && (errno != 0)) {
+ com_err(progname, code, "when initializing cache %s: %s",
+ opts->k5_cache_name?opts->k5_cache_name:"",
+ strerror(errno));
+ } else {
+ com_err(progname, code, "when initializing cache %s",
+ opts->k5_cache_name?opts->k5_cache_name:"");
+ }
goto cleanup;
}

15
krb5-1.4.3-extra-check-kt_file.c.dif
View File

@ -1,15 +0,0 @@
Index: src/lib/krb5/keytab/kt_file.c
===================================================================
--- src/lib/krb5/keytab/kt_file.c.orig
+++ src/lib/krb5/keytab/kt_file.c
@@ -461,6 +461,10 @@ krb5_ktfile_get_next(krb5_context contex
kerror = KTLOCK(id);
if (kerror)
return kerror;
+ if (KTFILEP(id) == NULL) {
+ KTUNLOCK(id);
+ return KRB5_KT_IOERR;
+ }
if (fseek(KTFILEP(id), *fileoff, 0) == -1) {
KTUNLOCK(id);
return KRB5_KT_END;

22
krb5-1.6-ldap-man.dif Normal file
View File

@ -0,0 +1,22 @@
Index: src/config-files/krb5.conf.M
===================================================================
--- src/config-files/krb5.conf.M (revision 19507)
+++ src/config-files/krb5.conf.M (working copy)
@@ -600,7 +600,7 @@
objects used for starting the Kerberos servers. This value is used if no
service password file is mentioned in the configuration section under dbmodules.
-.IP ldap_server
+.IP ldap_servers
This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
is whitespace-separated. The LDAP server is specified by a LDAP URI.
This value is used if no LDAP servers are mentioned in the configuration
@@ -641,7 +641,7 @@
This LDAP specific tag indicates the file containing the stashed passwords for the
objects used for starting the Kerberos servers.
-.IP ldap_server
+.IP ldap_servers
This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
is whitespace-separated. The LDAP server is specified by a LDAP URI.

858
krb5-1.6.2-post.dif
View File

@ -1,858 +0,0 @@
Index: src/include/k5-int.h
===================================================================
--- src/include/k5-int.h (.../tags/krb5-1-6-2-final) (Revision 19936)
+++ src/include/k5-int.h (.../branches/krb5-1-6) (Revision 19936)
@@ -216,6 +216,10 @@
/* required */
#define KDC_ERR_SERVER_NOMATCH 26 /* Requested server and */
/* ticket don't match*/
+#define KDC_ERR_SVC_UNAVAILABLE 29 /* A service is not
+ * available that is
+ * required to process the
+ * request */
/* Application errors */
#define KRB_AP_ERR_BAD_INTEGRITY 31 /* Decrypt integrity check failed */
#define KRB_AP_ERR_TKT_EXPIRED 32 /* Ticket expired */
@@ -498,7 +502,9 @@
krb5_error_code krb5int_sendto (krb5_context context, const krb5_data *message,
const struct addrlist *addrs, struct sendto_callback_info* callback_info,
krb5_data *reply, struct sockaddr *localaddr, socklen_t *localaddrlen,
- struct sockaddr *remoteaddr, socklen_t *remoteaddrlen, int *addr_used);
+ struct sockaddr *remoteaddr, socklen_t *remoteaddrlen, int *addr_used,
+ int (*msg_handler)(krb5_context, const krb5_data *, void *),
+ void *msg_handler_data);
krb5_error_code krb5_get_krbhst (krb5_context, const krb5_data *, char *** );
krb5_error_code krb5_free_krbhst (krb5_context, char * const * );
@@ -1885,7 +1891,9 @@
krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg,
const struct addrlist *, struct sendto_callback_info*, krb5_data *reply,
struct sockaddr *, socklen_t *,struct sockaddr *,
- socklen_t *, int *);
+ socklen_t *, int *,
+ int (*msg_handler)(krb5_context, const krb5_data *, void *),
+ void *msg_handler_data);
krb5_error_code (*add_host_to_list)(struct addrlist *lp,
const char *hostname,
int port, int secport,
Index: src/clients/kvno/kvno.M
===================================================================
--- src/clients/kvno/kvno.M (.../tags/krb5-1-6-2-final) (Revision 19936)
+++ src/clients/kvno/kvno.M (.../branches/krb5-1-6) (Revision 19936)
@@ -55,6 +55,15 @@
specifies that Kerberos version 4 tickets should be acquired and
described. This option is only available if Kerberos 4 support was
enabled at compilation time.
+.TP
+.B \-S sname
+specifies that krb5_sname_to_principal() will be used to build
+principal names. If this flag is specified, the
+.B service1 service2 ...
+arguments are interpreted as hostnames (rather than principal names),
+and
+.B sname
+is interpreted as the service name.
.SH ENVIRONMENT
.B Kvno
uses the following environment variable:
Index: src/clients/kvno/kvno.c
===================================================================
--- src/clients/kvno/kvno.c (.../tags/krb5-1-6-2-final) (Revision 19936)
+++ src/clients/kvno/kvno.c (.../branches/krb5-1-6) (Revision 19936)
@@ -41,10 +41,10 @@
{
#ifdef KRB5_KRB4_COMPAT
fprintf(stderr,
- "usage: %s [-4 | [-c ccache] [-e etype] [-k keytab]] service1 service2 ...\n",
+ "usage: %s [-4 | [-c ccache] [-e etype] [-k keytab] [-S sname]] service1 service2 ...\n",
prog);
#else
- fprintf(stderr, "usage: %s [-c ccache] [-e etype] [-k keytab] service1 service2 ...\n",
+ fprintf(stderr, "usage: %s [-c ccache] [-e etype] [-k keytab] [-S sname] service1 service2 ...\n",
prog);
#endif
exit(1);
@@ -54,7 +54,8 @@
static void do_v4_kvno (int argc, char *argv[]);
static void do_v5_kvno (int argc, char *argv[],
- char *ccachestr, char *etypestr, char *keytab_name);
+ char *ccachestr, char *etypestr, char *keytab_name,
+ char *sname);
#include <com_err.h>
static void extended_com_err_fn (const char *, errcode_t, const char *,
@@ -64,6 +65,7 @@
{
int option;
char *etypestr = NULL, *ccachestr = NULL, *keytab_name = NULL;
+ char *sname = NULL;
int v4 = 0;
set_com_err_hook (extended_com_err_fn);
@@ -71,7 +73,7 @@
prog = strrchr(argv[0], '/');
prog = prog ? (prog + 1) : argv[0];
- while ((option = getopt(argc, argv, "c:e:hk:q4")) != -1) {
+ while ((option = getopt(argc, argv, "c:e:hk:q4S:")) != -1) {
switch (option) {
case 'c':
ccachestr = optarg;
@@ -91,6 +93,9 @@
case '4':
v4 = 1;
break;
+ case 'S':
+ sname = optarg;
+ break;
default:
xusage();
break;
@@ -103,10 +108,14 @@
if ((ccachestr != NULL || etypestr != NULL || keytab_name != NULL) && v4)
xusage();
+ if (sname != NULL && v4)
+ xusage();
+
if (v4)
do_v4_kvno(argc - optind, argv + optind);
else
- do_v5_kvno(argc - optind, argv + optind, ccachestr, etypestr, keytab_name);
+ do_v5_kvno(argc - optind, argv + optind,
+ ccachestr, etypestr, keytab_name, sname);
return 0;
}
@@ -172,7 +181,8 @@
}
static void do_v5_kvno (int count, char *names[],
- char * ccachestr, char *etypestr, char *keytab_name)
+ char * ccachestr, char *etypestr, char *keytab_name,
+ char *sname)
{
krb5_error_code ret;
int i, errors;
@@ -230,7 +240,13 @@
in_creds.client = me;
- ret = krb5_parse_name(context, names[i], &in_creds.server);
+ if (sname != NULL) {
+ ret = krb5_sname_to_principal(context, names[i],
+ sname, KRB5_NT_SRV_HST,
+ &in_creds.server);
+ } else {
+ ret = krb5_parse_name(context, names[i], &in_creds.server);
+ }
if (ret) {
if (!quiet)
com_err(prog, ret, "while parsing principal name %s", names[i]);
Index: src/lib/crypto/prng.c
===================================================================
--- src/lib/crypto/prng.c (.../tags/krb5-1-6-2-final) (Revision 19936)
+++ src/lib/crypto/prng.c (.../branches/krb5-1-6) (Revision 19936)
@@ -162,7 +162,7 @@
krb5_data data;
struct stat sb;
int fd;
- unsigned char buf[YARROW_SLOW_THRESH/8];
+ unsigned char buf[YARROW_SLOW_THRESH/8], *bp;
int left;
fd = open (device, O_RDONLY);
if (fd == -1)
@@ -173,14 +173,16 @@
close(fd);
return 0;
}
- for (left = sizeof (buf); left > 0;) {
+
+ for (bp = &buf, left = sizeof (buf); left > 0;) {
ssize_t count;
- count = read (fd, &buf, (unsigned) left);
+ count = read (fd, bp, (unsigned) left);
if (count <= 0) {
close(fd);
return 0;
}
left -= count;
+ bp += count;
}
close (fd);
data.length = sizeof (buf);
@@ -199,7 +201,7 @@
int unused;
int *oursuccess = success?success:&unused;
*oursuccess = 0;
- /* If we are getting strong data then try that first. We aare
+ /* If we are getting strong data then try that first. We are
guaranteed to cause a reseed of some kind if strong is true and
we have both /dev/random and /dev/urandom. We want the strong
data included in the reseed so we get it first.*/
Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c (.../tags/krb5-1-6-2-final) (Revision 19936)
+++ src/lib/gssapi/spnego/spnego_mech.c (.../branches/krb5-1-6) (Revision 19936)
@@ -61,7 +61,7 @@
/* private routines for spnego_mechanism */
static spnego_token_t make_spnego_token(char *);
static gss_buffer_desc make_err_msg(char *);
-static int g_token_size(gss_OID_const, OM_uint32);
+static int g_token_size(gss_OID_const, unsigned int);
static int g_make_token_header(gss_OID_const, unsigned int,
unsigned char **, unsigned int);
static int g_verify_token_header(gss_OID_const, unsigned int *,
@@ -835,6 +835,7 @@
ret = GSS_S_FAILURE;
}
}
+ gss_release_buffer(&tmpmin, &mechtok_out);
if (ret == GSS_S_COMPLETE) {
/*
* Now, switch the output context to refer to the
Index: src/lib/krb4/send_to_kdc.c
===================================================================
--- src/lib/krb4/send_to_kdc.c (.../tags/krb5-1-6-2-final) (Revision 19936)
+++ src/lib/krb4/send_to_kdc.c (.../branches/krb5-1-6) (Revision 19936)
@@ -181,7 +181,7 @@
message.length = pkt->length;
message.data = (char *)pkt->dat; /* XXX yuck */
retval = internals.sendto_udp(NULL, &message, &al, NULL, &reply, addr,
- addrlen, NULL, 0, NULL);
+ addrlen, NULL, 0, NULL, NULL, NULL);
DEB(("sendto_udp returns %d\n", retval));
free_al:
internals.free_addrlist(&al);
Index: src/lib/krb5/os/sendto_kdc.c
===================================================================
--- src/lib/krb5/os/sendto_kdc.c (.../tags/krb5-1-6-2-final) (Revision 19936)
+++ src/lib/krb5/os/sendto_kdc.c (.../branches/krb5-1-6) (Revision 19936)
@@ -1,7 +1,7 @@
/*
* lib/krb5/os/sendto_kdc.c
*
- * Copyright 1990,1991,2001,2002,2004,2005 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2001,2002,2004,2005,2007 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -295,6 +295,30 @@
return 0;
}
+static int
+check_for_svc_unavailable (krb5_context context,
+ const krb5_data *reply,
+ void *msg_handler_data)
+{
+ krb5_error_code *retval = (krb5_error_code *)msg_handler_data;
+
+ *retval = 0;
+
+ if (krb5_is_krb_error(reply)) {
+ krb5_error *err_reply;
+
+ if (decode_krb5_error(reply, &err_reply) == 0) {
+ *retval = err_reply->error;
+ krb5_free_error(context, err_reply);
+
+ /* Returning 0 means continue to next KDC */
+ return (*retval != KDC_ERR_SVC_UNAVAILABLE);
+ }
+ }
+
+ return 1;
+}
+
/*
* send the formatted request 'message' to a KDC for realm 'realm' and
* return the response (if any) in 'reply'.
@@ -381,9 +405,12 @@
}
if (addrs.naddrs > 0) {
+ krb5_error_code err = 0;
+
retval = krb5int_sendto (context, message, &addrs, 0, reply, 0, 0,
- 0, 0, &addr_used);
- if (retval == 0) {
+ 0, 0, &addr_used, check_for_svc_unavailable, &err);
+ switch (retval) {
+ case 0:
/*
* Set use_master to 1 if we ended up talking to a master when
* we didn't explicitly request to
@@ -401,7 +428,19 @@
}
krb5int_free_addrlist (&addrs);
return 0;
- }
+ default:
+ break;
+ /* Cases here are for constructing useful error messages. */
+ case KRB5_KDC_UNREACH:
+ if (err == KDC_ERR_SVC_UNAVAILABLE) {
+ retval = KRB5KDC_ERR_SVC_UNAVAILABLE;
+ } else {
+ krb5_set_error_message(context, retval,
+ "Cannot contact any KDC for realm '%.*s'",
+ realm->length, realm->data);
+ }
+ break;
+ }
krb5int_free_addrlist (&addrs);
}
return retval;
@@ -1015,9 +1054,12 @@
}
static int
-service_fds (struct select_state *selstate,
+service_fds (krb5_context context,
+ struct select_state *selstate,
struct conn_state *conns, size_t n_conns, int *winning_conn,
- struct select_state *seltemp)
+ struct select_state *seltemp,
+ int (*msg_handler)(krb5_context, const krb5_data *, void *),
+ void *msg_handler_data)
{
int e, selret;
@@ -1056,9 +1098,22 @@
state_strings[(int) conns[i].state]);
if (conns[i].service (&conns[i], selstate, ssflags)) {
- dprint("fd service routine says we're done\n");
- *winning_conn = i;
- return 1;
+ int stop = 1;
+
+ if (msg_handler != NULL) {
+ krb5_data reply;
+
+ reply.data = conns[i].x.in.buf;
+ reply.length = conns[i].x.in.pos - conns[i].x.in.buf;
+
+ stop = (msg_handler(context, &reply, msg_handler_data) != 0);
+ }
+
+ if (stop) {
+ dprint("fd service routine says we're done\n");
+ *winning_conn = i;
+ return 1;
+ }
}
}
}
@@ -1098,7 +1153,10 @@
struct sendto_callback_info* callback_info, krb5_data *reply,
struct sockaddr *localaddr, socklen_t *localaddrlen,
struct sockaddr *remoteaddr, socklen_t *remoteaddrlen,
- int *addr_used)
+ int *addr_used,
+ /* return 0 -> keep going, 1 -> quit */
+ int (*msg_handler)(krb5_context, const krb5_data *, void *),
+ void *msg_handler_data)
{
int i, pass;
int delay_this_pass = 2;
@@ -1185,8 +1243,8 @@
goto egress;
sel_state->end_time = now;
sel_state->end_time.tv_sec += 1;
- e = service_fds(sel_state, conns, host+1, &winning_conn,
- sel_state+1);
+ e = service_fds(context, sel_state, conns, host+1, &winning_conn,
+ sel_state+1, msg_handler, msg_handler_data);
if (e)
break;
if (pass > 0 && sel_state->nfds == 0)
@@ -1206,7 +1264,8 @@
call with the last one from the above loop, if the loop
actually calls select. */
sel_state->end_time.tv_sec += delay_this_pass;
- e = service_fds(sel_state, conns, host+1, &winning_conn, sel_state+1);
+ e = service_fds(context, sel_state, conns, host+1, &winning_conn,
+ sel_state+1, msg_handler, msg_handler_data);
if (e)
break;
if (sel_state->nfds == 0)
Index: src/lib/krb5/os/send524.c
===================================================================
--- src/lib/krb5/os/send524.c (.../tags/krb5-1-6-2-final) (Revision 19936)
+++ src/lib/krb5/os/send524.c (.../branches/krb5-1-6) (Revision 19936)
@@ -98,7 +98,7 @@
if (al.naddrs == 0)
return KRB5_REALM_UNKNOWN;
- retval = krb5int_sendto (context, message, &al, NULL, reply, addr, addrlen, NULL, 0, NULL);
+ retval = krb5int_sendto (context, message, &al, NULL, reply, addr, addrlen, NULL, 0, NULL, NULL, NULL);
krb5int_free_addrlist (&al);
return retval;
#else
Index: src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c (.../tags/krb5-1-6-2-final) (Revision 19936)
+++ src/lib/krb5/os/changepw.c (.../branches/krb5-1-6) (Revision 19936)
@@ -247,6 +247,8 @@
NULL,
ss2sa(&remote_addr),
&addrlen,
+ NULL,
+ NULL,
NULL
))) {
Index: src/lib/krb5/error_tables/krb5_err.et
===================================================================
--- src/lib/krb5/error_tables/krb5_err.et (.../tags/krb5-1-6-2-final) (Revision 19936)
+++ src/lib/krb5/error_tables/krb5_err.et (.../branches/krb5-1-6) (Revision 19936)
@@ -1,7 +1,7 @@
#
# lib/krb5/error_tables/krb5_err.et
#
-# Copyright 1989,1990,1991 by the Massachusetts Institute of Technology.
+# Copyright 1989,1990,1991,2007 by the Massachusetts Institute of Technology.
# All Rights Reserved.
#
# Export of this software from the United States of America may
@@ -68,7 +68,7 @@
error_code KRB5KDC_ERR_SERVER_NOMATCH, "Requested server and ticket don't match"
error_code KRB5PLACEHOLD_27, "KRB5 error code 27"
error_code KRB5PLACEHOLD_28, "KRB5 error code 28"
-error_code KRB5PLACEHOLD_29, "KRB5 error code 29"
+error_code KRB5KDC_ERR_SVC_UNAVAILABLE, "A service is not available that is required to process the request"
error_code KRB5PLACEHOLD_30, "KRB5 error code 30"
# vv 31
error_code KRB5KRB_AP_ERR_BAD_INTEGRITY, "Decrypt integrity check failed"
Index: src/lib/krb5/ccache/t_cc.c
===================================================================
--- src/lib/krb5/ccache/t_cc.c (.../tags/krb5-1-6-2-final) (Revision 19936)
+++ src/lib/krb5/ccache/t_cc.c (.../branches/krb5-1-6) (Revision 19936)
@@ -123,6 +123,7 @@
krb5_cc_cursor cursor;
const char *c_name;
char newcache[300];
+ char *save_type;
init_test_cred(context);
@@ -135,7 +136,9 @@
CHECK_STR(c_name, "get_name");
c_name = krb5_cc_get_type(context, id);
- CHECK_STR(c_name, "get_prefix");
+ CHECK_STR(c_name, "get_type");
+ save_type=strdup(c_name);
+ CHECK_STR(save_type, "copying type");
kret = krb5_cc_store_cred(context, id, &test_creds);
CHECK(kret, "store");
@@ -192,17 +195,22 @@
kret = krb5_cc_destroy(context, id);
CHECK(kret, "destroy");
-#if 0
/* ----------------------------------------------------- */
/* Tests the generate new code */
- kret = krb5_cc_resolve(context, name, &id);
- CHECK(kret, "resolve");
- kret = krb5_cc_gen_new(context, &id);
- CHECK(kret, "gen_new");
- kret = krb5_cc_destroy(context, id);
- CHECK(kret, "destroy");
-#endif
+ kret = krb5_cc_new_unique(context, save_type,
+ NULL, &id2);
+ CHECK(kret, "new_unique");
+
+ kret = krb5_cc_initialize(context, id2, test_creds.client);
+ CHECK(kret, "initialize");
+ kret = krb5_cc_store_cred(context, id2, &test_creds);
+ CHECK(kret, "store");
+
+ kret = krb5_cc_destroy(context, id2);
+ CHECK(kret, "destroy id2");
+
+ free(save_type);
free_test_cred(context);
}
Index: src/lib/krb5/ccache/cc_file.c
===================================================================
--- src/lib/krb5/ccache/cc_file.c (.../tags/krb5-1-6-2-final) (Revision 19936)
+++ src/lib/krb5/ccache/cc_file.c (.../branches/krb5-1-6) (Revision 19936)
@@ -1950,115 +1950,165 @@
{
krb5_ccache lid;
int ret;
- krb5_error_code retcode = 0;
+ krb5_error_code kret = 0;
char scratch[sizeof(TKT_ROOT)+6+1]; /* +6 for the scratch part, +1 for
NUL */
krb5_fcc_data *data;
+ krb5_int16 fcc_fvno = htons(context->fcc_default_format);
+ krb5_int16 fcc_flen = 0;
+ int errsave, cnt;
+ struct fcc_set *setptr;
- /* Allocate memory */
- lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache));
- if (lid == NULL)
- return KRB5_CC_NOMEM;
+ /* Set master lock */
+ kret = k5_mutex_lock(&krb5int_cc_file_mutex);
+ if (kret)
+ return kret;
- lid->ops = &krb5_fcc_ops;
-
(void) strcpy(scratch, TKT_ROOT);
(void) strcat(scratch, "XXXXXX");
#ifdef HAVE_MKSTEMP
ret = mkstemp(scratch);
if (ret == -1) {
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
return krb5_fcc_interpret(context, errno);
- } else close(ret);
+ }
#else /*HAVE_MKSTEMP*/
mktemp(scratch);
+ /* Make sure the file name is reserved */
+ ret = THREEPARAMOPEN(scratch, O_CREAT | O_EXCL | O_WRONLY | O_BINARY, 0);
+ if (ret == -1) {
+ return krb5_fcc_interpret(context, errno);
+ }
#endif
- lid->data = (krb5_pointer) malloc(sizeof(krb5_fcc_data));
- if (lid->data == NULL) {
- krb5_xfree(lid);
+ /* Allocate memory */
+ data = (krb5_pointer) malloc(sizeof(krb5_fcc_data));
+ if (data == NULL) {
+ close(ret);
+ unlink(scratch);
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
return KRB5_CC_NOMEM;
}
- ((krb5_fcc_data *) lid->data)->filename = (char *)
- malloc(strlen(scratch) + 1);
- if (((krb5_fcc_data *) lid->data)->filename == NULL) {
- krb5_xfree(((krb5_fcc_data *) lid->data));
- krb5_xfree(lid);
+ data->filename = strdup(scratch);
+ if (data->filename == NULL) {
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
+ free(data);
+ close(ret);
+ unlink(scratch);
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
return KRB5_CC_NOMEM;
}
+ kret = k5_mutex_init(&data->lock);
+ if (kret) {
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
+ free(data->filename);
+ free(data);
+ close(ret);
+ unlink(scratch);
+ return kret;
+ }
+ kret = k5_mutex_lock(&data->lock);
+ if (kret) {
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
+ k5_mutex_destroy(&data->lock);
+ free(data->filename);
+ free(data);
+ close(ret);
+ unlink(scratch);
+ return kret;
+ }
+
/*
* The file is initially closed at the end of this call...
*/
- ((krb5_fcc_data *) lid->data)->flags = 0;
- ((krb5_fcc_data *) lid->data)->file = -1;
- ((krb5_fcc_data *) lid->data)->valid_bytes = 0;
- data = (krb5_fcc_data *) lid->data;
+ data->flags = 0;
+ data->file = -1;
+ data->valid_bytes = 0;
+ /* data->version,mode filled in for real later */
+ data->version = data->mode = 0;
- retcode = k5_mutex_init(&data->lock);
- if (retcode)
- goto err_out;
- /* Set up the filename */
- strcpy(((krb5_fcc_data *) lid->data)->filename, scratch);
-
- /* Make sure the file name is reserved */
- ret = THREEPARAMOPEN(((krb5_fcc_data *) lid->data)->filename,
- O_CREAT | O_EXCL | O_WRONLY | O_BINARY, 0);
- if (ret == -1) {
- retcode = krb5_fcc_interpret(context, errno);
- goto err_out;
- } else {
- krb5_int16 fcc_fvno = htons(context->fcc_default_format);
- krb5_int16 fcc_flen = 0;
- int errsave, cnt;
-
- /* Ignore user's umask, set mode = 0600 */
+ /* Ignore user's umask, set mode = 0600 */
#ifndef HAVE_FCHMOD
#ifdef HAVE_CHMOD
- chmod(((krb5_fcc_data *) lid->data)->filename, S_IRUSR | S_IWUSR);
+ chmod(data->filename, S_IRUSR | S_IWUSR);
#endif
#else
- fchmod(ret, S_IRUSR | S_IWUSR);
+ fchmod(ret, S_IRUSR | S_IWUSR);
#endif
- if ((cnt = write(ret, (char *)&fcc_fvno, sizeof(fcc_fvno)))
- != sizeof(fcc_fvno)) {
- errsave = errno;
- (void) close(ret);
- (void) unlink(((krb5_fcc_data *) lid->data)->filename);
- retcode = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO;
- goto err_out;
+ if ((cnt = write(ret, (char *)&fcc_fvno, sizeof(fcc_fvno)))
+ != sizeof(fcc_fvno)) {
+ errsave = errno;
+ (void) close(ret);
+ (void) unlink(data->filename);
+ kret = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO;
+ goto err_out;
+ }
+ /* For version 4 we save a length for the rest of the header */
+ if (context->fcc_default_format == KRB5_FCC_FVNO_4) {
+ if ((cnt = write(ret, (char *)&fcc_flen, sizeof(fcc_flen)))
+ != sizeof(fcc_flen)) {
+ errsave = errno;
+ (void) close(ret);
+ (void) unlink(data->filename);
+ kret = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO;
+ goto err_out;
}
- /* For version 4 we save a length for the rest of the header */
- if (context->fcc_default_format == KRB5_FCC_FVNO_4) {
- if ((cnt = write(ret, (char *)&fcc_flen, sizeof(fcc_flen)))
- != sizeof(fcc_flen)) {
- errsave = errno;
- (void) close(ret);
- (void) unlink(((krb5_fcc_data *) lid->data)->filename);
- retcode = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO;
- goto err_out;
- }
- }
- if (close(ret) == -1) {
- errsave = errno;
- (void) unlink(((krb5_fcc_data *) lid->data)->filename);
- retcode = krb5_fcc_interpret(context, errsave);
- goto err_out;
- }
- *id = lid;
- /* default to open/close on every trn - otherwise destroy
- will get as to state confused */
- ((krb5_fcc_data *) lid->data)->flags = KRB5_TC_OPENCLOSE;
- krb5_change_cache ();
- return KRB5_OK;
}
+ if (close(ret) == -1) {
+ errsave = errno;
+ (void) unlink(data->filename);
+ kret = krb5_fcc_interpret(context, errsave);
+ goto err_out;
+ }
+
+ setptr = malloc(sizeof(struct fcc_set));
+ if (setptr == NULL) {
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
+ k5_mutex_destroy(&data->lock);
+ free(data->filename);
+ free(data);
+ (void) close(ret);
+ (void) unlink(scratch);
+ return KRB5_CC_NOMEM;
+ }
+ setptr->refcount = 1;
+ setptr->data = data;
+ setptr->next = fccs;
+ fccs = setptr;
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
+
+ k5_mutex_assert_locked(&data->lock);
+ k5_mutex_unlock(&data->lock);
+ lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache));
+ if (lid == NULL) {
+ dereference(context, data);
+ return KRB5_CC_NOMEM;
+ }
+
+ lid->ops = &krb5_fcc_ops;
+ lid->data = data;
+ lid->magic = KV5M_CCACHE;
+
+ /* default to open/close on every trn - otherwise destroy
+ will get as to state confused */
+ ((krb5_fcc_data *) lid->data)->flags = KRB5_TC_OPENCLOSE;
+
+ *id = lid;
+
+
+ krb5_change_cache ();
+ return KRB5_OK;
+
err_out:
- krb5_xfree(((krb5_fcc_data *) lid->data)->filename);
- krb5_xfree(((krb5_fcc_data *) lid->data));
- krb5_xfree(lid);
- return retcode;
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
+ k5_mutex_destroy(&data->lock);
+ free(data->filename);
+ free(data);
+ return kret;
}
/*
Index: src/lib/krb5/ccache/ccfns.c
===================================================================
--- src/lib/krb5/ccache/ccfns.c (.../tags/krb5-1-6-2-final) (Revision 19936)
+++ src/lib/krb5/ccache/ccfns.c (.../branches/krb5-1-6) (Revision 19936)
@@ -1,7 +1,7 @@
/*
* lib/krb5/ccache/ccfns.c
*
- * Copyright 2000 by the Massachusetts Institute of Technology.
+ * Copyright 2000, 2007 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -65,7 +65,29 @@
krb5_cc_store_cred (krb5_context context, krb5_ccache cache,
krb5_creds *creds)
{
- return cache->ops->store(context, cache, creds);
+ krb5_error_code ret;
+ krb5_ticket *tkt;
+ krb5_principal s1, s2;
+
+ ret = cache->ops->store(context, cache, creds);
+ if (ret) return ret;
+
+ /*
+ * If creds->server and the server in the decoded ticket differ,
+ * store both principals.
+ */
+ s1 = creds->server;
+ ret = decode_krb5_ticket(&creds->ticket, &tkt);
+ /* Bail out on errors in case someone is storing a non-ticket. */
+ if (ret) return 0;
+ s2 = tkt->server;
+ if (!krb5_principal_compare(context, s1, s2)) {
+ creds->server = s2;
+ ret = cache->ops->store(context, cache, creds);
+ creds->server = s1;
+ }
+ krb5_free_ticket(context, tkt);
+ return ret;
}
krb5_error_code KRB5_CALLCONV
@@ -73,7 +95,23 @@
krb5_flags flags, krb5_creds *mcreds,
krb5_creds *creds)
{
- return cache->ops->retrieve(context, cache, flags, mcreds, creds);
+ krb5_error_code ret;
+ krb5_data tmprealm;
+
+ ret = cache->ops->retrieve(context, cache, flags, mcreds, creds);
+ if (ret != KRB5_CC_NOTFOUND)
+ return ret;
+ if (!krb5_is_referral_realm(&mcreds->server->realm))
+ return ret;
+
+ /*
+ * Retry using client's realm if service has referral realm.
+ */
+ tmprealm = mcreds->server->realm;
+ mcreds->server->realm = mcreds->client->realm;
+ ret = cache->ops->retrieve(context, cache, flags, mcreds, creds);
+ mcreds->server->realm = tmprealm;
+ return ret;
}
krb5_error_code KRB5_CALLCONV
Index: src/lib/krb5/krb/gc_frm_kdc.c
===================================================================
--- src/lib/krb5/krb/gc_frm_kdc.c (.../tags/krb5-1-6-2-final) (Revision 19936)
+++ src/lib/krb5/krb/gc_frm_kdc.c (.../branches/krb5-1-6) (Revision 19936)
@@ -906,7 +906,6 @@
/* Whether or not that succeeded, we're done. */
goto cleanup;
}
- else {
/* Referral request succeeded; let's see what it is. */
if (krb5_principal_compare(context, in_cred->server,
(*out_cred)->server)) {
@@ -914,8 +913,40 @@
"for requested server principal\n"));
DUMP_PRINC("gc_from_kdc final referred reply",
in_cred->server);
+
+ /*
+ * Check if the return enctype is one that we requested if
+ * needed.
+ */
+ if (old_use_conf_ktypes || context->tgs_ktype_count == 0)
goto cleanup;
+ for (i = 0; i < context->tgs_ktype_count; i++) {
+ if ((*out_cred)->keyblock.enctype == context->tgs_ktypes[i]) {
+ /* Found an allowable etype, so we're done */
+ goto cleanup;
+ }
}
+ /*
+ * We need to try again, but this time use the
+ * tgs_ktypes in the context. At this point we should
+ * have all the tgts to succeed.
+ */
+
+ /* Free "wrong" credential */
+ krb5_free_creds(context, *out_cred);
+ *out_cred = NULL;
+ /* Re-establish tgs etypes */
+ context->use_conf_ktypes = old_use_conf_ktypes;
+ retval = krb5_get_cred_via_tkt(context, tgtptr,
+ KDC_OPT_CANONICALIZE |
+ FLAGS2OPTS(tgtptr->ticket_flags) |
+ kdcopt |
+ (in_cred->second_ticket.length ?
+ KDC_OPT_ENC_TKT_IN_SKEY : 0),
+ tgtptr->addresses,
+ in_cred, out_cred);
+ goto cleanup;
+ }
else if (IS_TGS_PRINC(context, (*out_cred)->server)) {
krb5_data *r1, *r2;
@@ -978,7 +1009,6 @@
krb5_free_creds(context, *out_cred);
*out_cred = NULL;
break;
- }
}
}

3
krb5-1.6.2.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:56549c395f836f2b8c5cc847835df75efb93629e7c97f2719cdc7d2a52424d2f
size 13046355

11
krb5-1.6.3-texi2dvi-fix.dif Normal file
View File

@ -0,0 +1,11 @@
Index: trunk/doc/Makefile
===================================================================
--- doc/Makefile
+++ doc/Makefile
@@ -1,5 +1,5 @@
SRCDIR=../src
-DVI=texi2dvi4a2ps # texi2dvi
+DVI=texi2dvi # texi2dvi
DVIPS=dvips -o "$@"
PSPDF=ps2pdf
INFO=makeinfo

3
krb5-1.6.3.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c272bea49a48059f9a31bca38e9d838c9b52d4257ba764aaed24783c24b36173
size 10091032

41
krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif
View File

@ -1,41 +0,0 @@
--- src/lib/kadm5/srv/svr_policy.c
+++ src/lib/kadm5/srv/svr_policy.c 2007/08/24 14:32:34
@@ -211,8 +211,9 @@
if((mask & KADM5_POLICY))
return KADM5_BAD_MASK;
- ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt);
- if( ret && (cnt==0) )
+ if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt)))
+ return ret;
+ if (cnt != 1)
return KADM5_UNK_POLICY;
if ((mask & KADM5_PW_MAX_LIFE))
--- src/lib/rpc/svc_auth_gss.c
+++ src/lib/rpc/svc_auth_gss.c 2007/09/06 08:32:37
@@ -355,6 +355,15 @@
memset(rpchdr, 0, sizeof(rpchdr));
/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
+ oa = &msg->rm_call.cb_cred;
+ if (oa->oa_length > MAX_AUTH_BYTES)
+ return (FALSE);
+
+ /* 8 XDR units from the IXDR macro calls. */
+ if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
+ RNDUP(oa->oa_length)))
+ return (FALSE);
+
buf = (int32_t *)(void *)rpchdr;
IXDR_PUT_LONG(buf, msg->rm_xid);
IXDR_PUT_ENUM(buf, msg->rm_direction);
@@ -362,7 +371,6 @@
IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
- oa = &msg->rm_call.cb_cred;
IXDR_PUT_ENUM(buf, oa->oa_flavor);
IXDR_PUT_LONG(buf, oa->oa_length);
if (oa->oa_length) {

10
krb5-doc.changes
View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Tue Oct 23 10:29:23 CEST 2007 - mc@suse.de
- update to krb5 version 1.6.3
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
* fix CVE-2007-4000 modify_policy vulnerability
* Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles
-------------------------------------------------------------------
Thu Jul 12 17:02:30 CEST 2007 - mc@suse.de

20
krb5-doc.spec
View File

@ -1,5 +1,5 @@
#
# spec file for package krb5-doc (Version 1.6.2)
# spec file for package krb5-doc (Version 1.6.3)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@ -12,17 +12,18 @@
Name: krb5-doc
BuildRequires: ghostscript-library latex2html texlive
Version: 1.6.2
Release: 29
%define srcRoot krb5-1.6.2
Version: 1.6.3
Release: 1
%define srcRoot krb5-1.6.3
Summary: MIT Kerberos5 Implementation--Documentation
License: X11/MIT
Url: http://web.mit.edu/kerberos/www/
Group: Documentation/Other
Source: krb5-1.6.2.tar.bz2
Source: krb5-1.6.3.tar.bz2
Source1: README.Source
Source2: Makefile.kadm5
Patch0: krb5-1.3.5-perlfix.dif
Patch1: krb5-1.6.3-texi2dvi-fix.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
@ -44,6 +45,7 @@ Authors:
%prep
%setup -n %{srcRoot}
%patch0
%patch1
cp %{_sourcedir}/Makefile.kadm5 %{_builddir}/%{srcRoot}/doc/kadm5/Makefile
%build
@ -86,8 +88,14 @@ rm -rf %{buildroot}
%doc doc/*.ps.gz doc/api/*.ps.gz doc/implement/*.ps.gz doc/kadm5/*.ps.gz
%doc doc/krb5-protocol doc/kadmin
%doc doc/html
%changelog
* Tue Oct 23 2007 - mc@suse.de
- update to krb5 version 1.6.3
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
* fix CVE-2007-4000 modify_policy vulnerability
* Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles
* Thu Jul 12 2007 - mc@suse.de
- update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release

10
krb5-plugins.changes
View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Tue Oct 23 10:29:14 CEST 2007 - mc@suse.de
- update to krb5 version 1.6.3
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
* fix CVE-2007-4000 modify_policy vulnerability
* Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles
-------------------------------------------------------------------
Fri Sep 14 12:10:01 CEST 2007 - mc@suse.de

73
krb5-plugins.spec
View File

@ -1,5 +1,5 @@
#
# spec file for package krb5-plugins (Version 1.6.2)
# spec file for package krb5-plugins (Version 1.6.3)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@ -12,10 +12,10 @@
# nodebuginfo
Name: krb5-plugins
Version: 1.6.2
Release: 4
Version: 1.6.3
Release: 1
BuildRequires: bison krb5-devel ncurses-devel openldap2-devel
%define srcRoot krb5-1.6.2
%define srcRoot krb5-1.6.3
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
Requires: krb5-server
@ -23,15 +23,15 @@ Summary: MIT Kerberos5 Implementation--Libraries
License: X11/MIT
Url: http://web.mit.edu/kerberos/www/
Group: Productivity/Networking/Security
Source: krb5-1.6.2.tar.bz2
Source: krb5-1.6.3.tar.bz2
Source1: vendor-files.tar.bz2
Source2: README.Source
Source3: spx.c
Source4: EncryptWithMasterKey.c
Source10: krb5-trunk-manpaths.txt
Patch1: krb5-1.5.1-fix-too-few-arguments.dif
Patch2: krb5-1.6.1-compile_pie.dif
Patch3: krb5-1.4-fix-segfault.dif
Patch4: krb5-1.6.2-post.dif
Patch6: trunk-EncryptWithMasterKey.dif
Patch14: warning-fix-lib-crypto-des.dif
Patch15: warning-fix-lib-crypto-dk.dif
@ -41,11 +41,12 @@ Patch18: warning-fix-lib-crypto-yarrow_arcfour.dif
Patch20: kprop-use-mkstemp.dif
Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif
Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif
#Patch23: trunk-install-preauth-header.dif
Patch24: krb5-1.5.1-fix-strncat-warning.dif
Patch25: krb5-1.6.1-init-salt-length.dif
Patch26: krb5-1.4.3-extra-check-kt_file.c.dif
Patch27: krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif
Patch30: trunk-manpaths.dif
Patch31: krb5-1.6-ldap-man.dif
Patch32: krb5-1.4.3-enospc.dif
Patch33: krb5-1.3.3-rcp-markus.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -77,6 +78,25 @@ database plugin.
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%package -n krb5-plugin-preauth-pkinit
Summary: MIT Kerberos5 Implementation--PKINIT preauth Plugin
Group: Productivity/Networking/Security
Conflicts: krb5-plugin-preauth-pkinit-nss
%description -n krb5-plugin-preauth-pkinit
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a PKINIT plugin.
Authors:
--------
The MIT Kerberos Team
@ -97,7 +117,6 @@ fi
%patch1
%patch2
%patch3
%patch4
%patch6
%patch14
%patch15
@ -107,12 +126,19 @@ fi
%patch20
%patch21
%patch22
#%patch23
%patch24
%patch25
%patch26
%patch27
%patch30 -p1
%patch31
%patch32 -p1
%patch33 -p1
cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c
# Rename the man pages so that they'll get generated correctly.
pushd src
cat $RPM_SOURCE_DIR/krb5-trunk-manpaths.txt | while read manpage ; do
mv "$manpage" "$manpage".in
done
popd
%build
cd src
@ -155,17 +181,21 @@ ln -s %{_libdir}/libdes425.so %{_builddir}/%{srcRoot}/src/lib/
cd ../../../kadmin/cli
make getdate.o
cd ../../plugins/kdb/ldap/
make %{?jobs:-j%jobs}
make %{?jobs:-j%jobs}
cd ../../preauth/pkinit/
make %{?jobs:-j%jobs}
#make check
%install
rm -rf %{buildroot}
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
mkdir -p %{buildroot}/%{krb5docdir}
mkdir -p %{buildroot}/usr/lib/mit/sbin/
mkdir -p %{buildroot}/%{_mandir}/man8/
cd src/plugins/kdb/ldap/
make DESTDIR=%{buildroot} install
cd ../../preauth/pkinit/
make DESTDIR=%{buildroot} install
# all libs must have permissions 0755
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
do
@ -208,7 +238,20 @@ rm -rf %{buildroot}
%{_libdir}/libkdb_ldap*
%{_mandir}/man8/*
%files -n krb5-plugin-preauth-pkinit
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so
%changelog
* Tue Oct 23 2007 - mc@suse.de
- update to krb5 version 1.6.3
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
* fix CVE-2007-4000 modify_policy vulnerability
* Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles
* Fri Sep 14 2007 - mc@suse.de
- update krb5-1.6.2-post.dif
* If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that

45
krb5-trunk-manpaths.txt Normal file
View File

@ -0,0 +1,45 @@
appl/bsd/klogind.M
appl/bsd/kshd.M
appl/bsd/login.M
appl/bsd/rcp.M
appl/bsd/rlogin.M
appl/bsd/rsh.M
appl/bsd/v4rcp.M
appl/gssftp/ftpd/ftpd.M
appl/gssftp/ftp/ftp.M
appl/sample/sclient/sclient.M
appl/sample/sserver/sserver.M
appl/telnet/telnetd/telnetd.8
appl/telnet/telnet/telnet.1
clients/kcpytkt/kcpytkt.M
clients/kdeltkt/kdeltkt.M
clients/kdestroy/kdestroy.M
clients/kinit/kinit.M
clients/klist/klist.M
clients/kpasswd/kpasswd.M
clients/ksu/ksu.M
clients/kvno/kvno.M
config-files/kdc.conf.M
config-files/krb5.conf.M
gen-manpages/k5login.M
gen-manpages/kerberos.M
kadmin/cli/k5srvutil.M
kadmin/cli/kadmin.local.M
kadmin/cli/kadmin.M
kadmin/dbutil/kdb5_util.M
kadmin/ktutil/ktutil.M
kadmin/passwd/kpasswd.M
kadmin/server/kadmind.M
kdc/fakeka.M
kdc/krb5kdc.M
krb524/k524init.M
krb524/krb524d.M
krb5-config.M
plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
slave/kpropd.M
slave/kprop.M
tests/create/kdb5_mkdums.M
util/et/com_err.3
util/et/compile_et.1
util/profile/profile.5
util/send-pr/send-pr.1

10
krb5.changes
View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de
- update to krb5 version 1.6.3
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
* fix CVE-2007-4000 modify_policy vulnerability
* Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles
-------------------------------------------------------------------
Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de

46
krb5.spec
View File

@ -1,5 +1,5 @@
#
# spec file for package krb5 (Version 1.6.2)
# spec file for package krb5 (Version 1.6.3)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@ -11,13 +11,13 @@
# norootforbuild
Name: krb5
Version: 1.6.2
Release: 19
Version: 1.6.3
Release: 1
BuildRequires: bison libcom_err-devel ncurses-devel
%if %{suse_version} > 1010
BuildRequires: keyutils keyutils-devel
%endif
%define srcRoot krb5-1.6.2
%define srcRoot krb5-1.6.3
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/%{name}
Provides: heimdal-lib
@ -26,16 +26,16 @@ Summary: MIT Kerberos5 Implementation--Libraries
License: X11/MIT
Url: http://web.mit.edu/kerberos/www/
Group: Productivity/Networking/Security
Source: krb5-1.6.2.tar.bz2
Source: krb5-1.6.3.tar.bz2
Source1: vendor-files.tar.bz2
Source2: README.Source
Source3: spx.c
Source4: EncryptWithMasterKey.c
Source5: krb5-1.6.1-rpmlintrc
Source10: krb5-trunk-manpaths.txt
Patch1: krb5-1.5.1-fix-too-few-arguments.dif
Patch2: krb5-1.6.1-compile_pie.dif
Patch3: krb5-1.4-fix-segfault.dif
Patch4: krb5-1.6.2-post.dif
Patch6: trunk-EncryptWithMasterKey.dif
Patch14: warning-fix-lib-crypto-des.dif
Patch15: warning-fix-lib-crypto-dk.dif
@ -45,11 +45,12 @@ Patch18: warning-fix-lib-crypto-yarrow_arcfour.dif
Patch20: kprop-use-mkstemp.dif
Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif
Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif
#Patch23: trunk-install-preauth-header.dif
Patch24: krb5-1.5.1-fix-strncat-warning.dif
Patch25: krb5-1.6.1-init-salt-length.dif
Patch26: krb5-1.4.3-extra-check-kt_file.c.dif
Patch27: krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif
Patch30: trunk-manpaths.dif
Patch31: krb5-1.6-ldap-man.dif
Patch32: krb5-1.4.3-enospc.dif
Patch33: krb5-1.3.3-rcp-markus.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch
@ -188,7 +189,6 @@ fi
%patch1
%patch2
%patch3
%patch4
%patch6
%patch14
%patch15
@ -198,12 +198,19 @@ fi
%patch20
%patch21
%patch22
#%patch23
%patch24
%patch25
%patch26
%patch27
%patch30 -p1
%patch31
%patch32 -p1
%patch33 -p1
cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c
# Rename the man pages so that they'll get generated correctly.
pushd src
cat $RPM_SOURCE_DIR/krb5-trunk-manpaths.txt | while read manpage ; do
mv "$manpage" "$manpage".in
done
popd
%build
cd src
@ -221,8 +228,7 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
--localstatedir=%{_localstatedir}/lib/kerberos \
--enable-shared \
--disable-static \
--enable-kdc-replay-cache \
--enable-dns-for-realm \
--enable-dns \
--with-system-et \
--with-system-ss
make %{?jobs:-j%jobs}
@ -275,6 +281,7 @@ install -m 755 %{vendorFiles}/krb524d.init %{buildroot}%{_sysconfdir}/init.d/krb
# install xinetd files
mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d
install -m 644 %{vendorFiles}/klogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/klogin
install -m 644 %{vendorFiles}/eklogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/eklogin
install -m 644 %{vendorFiles}/krb5-telnet.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/ktelnet
install -m 644 %{vendorFiles}/kshell.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/kshell
# install logrotate files
@ -446,6 +453,7 @@ rm -rf %{buildroot}
%files apps-servers
%defattr(-,root,root)
%config(noreplace) %{_sysconfdir}/xinetd.d/klogin
%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin
%config(noreplace) %{_sysconfdir}/xinetd.d/kshell
%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet
%dir /usr/lib/mit
@ -511,8 +519,14 @@ rm -rf %{buildroot}
/usr/lib/mit/sbin/krb5-send-pr
%{_mandir}/man1/krb5-send-pr.1*
%{_mandir}/man1/krb5-config.1*
%changelog
* Tue Oct 23 2007 - mc@suse.de
- update to krb5 version 1.6.3
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
* fix CVE-2007-4000 modify_policy vulnerability
* Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles
* Fri Sep 14 2007 - mc@suse.de
- update krb5-1.6.2-post.dif
* If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that

263
trunk-manpaths.dif Normal file
View File

@ -0,0 +1,263 @@
Index: krb5-1.6.3/src/appl/bsd/klogind.M
===================================================================
--- krb5-1.6.3.orig/src/appl/bsd/klogind.M
+++ krb5-1.6.3/src/appl/bsd/klogind.M
@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when
the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
configuration line for \fIklogind\fP might be:
-klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c
+klogin stream tcp nowait root @mansbindir@/klogind klogind -e5c
When a service request is received, the following protocol is initiated:
Index: krb5-1.6.3/src/appl/bsd/kshd.M
===================================================================
--- krb5-1.6.3.orig/src/appl/bsd/kshd.M
+++ krb5-1.6.3/src/appl/bsd/kshd.M
@@ -8,7 +8,7 @@
.SH NAME
kshd \- kerberized remote shell server
.SH SYNOPSIS
-.B /usr/local/sbin/kshd
+.B @mansbindir@/kshd
[
.B \-kr45ec
]
@@ -30,7 +30,7 @@ server is invoked by \fIinetd(8c)\fP whe
on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
configuration line for \fIkrshd\fP might be:
-kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c
+kshell stream tcp nowait root @mansbindir@/kshd kshd -5c
When a service request is received, the following protocol is initiated:
Index: krb5-1.6.3/src/appl/sample/sserver/sserver.M
===================================================================
--- krb5-1.6.3.orig/src/appl/sample/sserver/sserver.M
+++ krb5-1.6.3/src/appl/sample/sserver/sserver.M
@@ -59,7 +59,7 @@ option allows for a different keytab tha
using a line in
/etc/inetd.conf that looks like this:
.PP
-sample stream tcp nowait root /usr/local/sbin/sserver sserver
+sample stream tcp nowait root @mansbindir@/sserver sserver
.PP
Since \fBsample\fP is normally not a port defined in /etc/services, you will
usually have to add a line to /etc/services which looks like this:
Index: krb5-1.6.3/src/appl/telnet/telnetd/telnetd.8
===================================================================
--- krb5-1.6.3.orig/src/appl/telnet/telnetd/telnetd.8
+++ krb5-1.6.3/src/appl/telnet/telnetd/telnetd.8
@@ -37,7 +37,7 @@ telnetd \-
.SM DARPA TELNET
protocol server
.SH SYNOPSIS
-.B /usr/libexec/telnetd
+.B @manlibexecdir@/telnetd
[\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
[\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
[\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
Index: krb5-1.6.3/src/config-files/kdc.conf.M
===================================================================
--- krb5-1.6.3.orig/src/config-files/kdc.conf.M
+++ krb5-1.6.3/src/config-files/kdc.conf.M
@@ -82,14 +82,14 @@ This
.B string
specifies the location of the access control list (acl) file that
kadmin uses to determine which principals are allowed which permissions
-on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl.
+on the database. The default value is @manlocalstatedir@/krb5kdc/kadm5.acl.
.IP admin_keytab
This
.B string
Specifies the location of the keytab file that kadmin uses to
authenticate to the database. The default value is
-/usr/local/var/krb5kdc/kadm5.keytab.
+@manlocalstatedir@/krb5kdc/kadm5.keytab.
.IP database_name
This
@@ -239,7 +239,7 @@ tickets should be checked against the tr
realm names and the [capaths] section of its krb5.conf file
.SH FILES
-/usr/local/var/krb5kdc/kdc.conf
+@manlocalstatedir@/krb5kdc/kdc.conf
.SH SEE ALSO
krb5.conf(5), krb5kdc(8)
Index: krb5-1.6.3/src/configure.in
===================================================================
--- krb5-1.6.3.orig/src/configure.in
+++ krb5-1.6.3/src/configure.in
@@ -944,6 +944,73 @@ if false; then
fi
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
+
+mansysconfdir=$sysconfdir
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"`
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"`
+mansbindir=$sbindir
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlocalstatedir=$localstatedir
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"`
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlibexecdir=$libexecdir
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"`
+AC_SUBST(mansysconfdir)
+AC_SUBST(mansbindir)
+AC_SUBST(manlocalstatedir)
+AC_SUBST(manlibexecdir)
+AC_OUTPUT([
+ appl/bsd/klogind.M
+ appl/bsd/kshd.M
+ appl/bsd/login.M
+ appl/bsd/rcp.M
+ appl/bsd/rlogin.M
+ appl/bsd/rsh.M
+ appl/bsd/v4rcp.M
+ appl/gssftp/ftpd/ftpd.M
+ appl/gssftp/ftp/ftp.M
+ appl/sample/sclient/sclient.M
+ appl/sample/sserver/sserver.M
+ appl/telnet/telnetd/telnetd.8
+ appl/telnet/telnet/telnet.1
+ clients/kcpytkt/kcpytkt.M
+ clients/kdeltkt/kdeltkt.M
+ clients/kdestroy/kdestroy.M
+ clients/kinit/kinit.M
+ clients/klist/klist.M
+ clients/kpasswd/kpasswd.M
+ clients/ksu/ksu.M
+ clients/kvno/kvno.M
+ config-files/kdc.conf.M
+ config-files/krb5.conf.M
+ gen-manpages/k5login.M
+ gen-manpages/kerberos.M
+ kadmin/cli/k5srvutil.M
+ kadmin/cli/kadmin.local.M
+ kadmin/cli/kadmin.M
+ kadmin/dbutil/kdb5_util.M
+ kadmin/ktutil/ktutil.M
+ kadmin/passwd/kpasswd.M
+ kadmin/server/kadmind.M
+ kdc/fakeka.M
+ kdc/krb5kdc.M
+ krb524/k524init.M
+ krb524/krb524d.M
+ krb5-config.M
+ plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
+ slave/kpropd.M
+ slave/kprop.M
+ tests/create/kdb5_mkdums.M
+ util/et/com_err.3
+ util/et/compile_et.1
+ util/profile/profile.5
+ util/send-pr/send-pr.1
+])
+
V5_AC_OUTPUT_MAKEFILE(.
util util/support util/profile util/send-pr
Index: krb5-1.6.3/src/kadmin/cli/kadmin.M
===================================================================
--- krb5-1.6.3.orig/src/kadmin/cli/kadmin.M
+++ krb5-1.6.3/src/kadmin/cli/kadmin.M
@@ -808,9 +808,9 @@ option is specified, less verbose status
.RS
.TP
EXAMPLE:
-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
+kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin
Entry for principal kadmin/admin with kvno 3 removed
- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
+ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab.
kadmin:
.RE
.fi
@@ -852,7 +852,7 @@ passwords.
.SH HISTORY
The
.B kadmin
-prorgam was originally written by Tom Yu at MIT, as an interface to the
+program was originally written by Tom Yu at MIT, as an interface to the
OpenVision Kerberos administration program.
.SH SEE ALSO
.IR kerberos (1),
Index: krb5-1.6.3/src/slave/kprop.M
===================================================================
--- krb5-1.6.3.orig/src/slave/kprop.M
+++ krb5-1.6.3/src/slave/kprop.M
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
This is done by transmitting the dumped database file to the slave
server over an encrypted, secure channel. The dump file must be created
by kdb5_util, and is normally KPROP_DEFAULT_FILE
-(/usr/local/var/krb5kdc/slave_datatrans).
+(@manlocalstatedir@/krb5kdc/slave_datatrans).
.SH OPTIONS
.TP
\fB\-r\fP \fIrealm\fP
@@ -51,7 +51,7 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
found; by default the dumped database file is KPROP_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/slave_datatrans).
+(normally @manlocalstatedir@/krb5kdc/slave_datatrans).
.TP
\fB\-P\fP \fIport\fP
specifies the port to use to contact the
Index: krb5-1.6.3/src/slave/kpropd.M
===================================================================
--- krb5-1.6.3.orig/src/slave/kpropd.M
+++ krb5-1.6.3/src/slave/kpropd.M
@@ -69,7 +69,7 @@ Normally, kpropd is invoked out of
This is done by adding a line to the inetd.conf file which looks like
this:
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+kprop stream tcp nowait root @mansbindir@/kpropd kpropd
However, kpropd can also run as a standalone deamon, if the
.B \-S
@@ -87,13 +87,13 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
stored; by default the dumped database file is KPROPD_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/from_master).
+(normally @manlocalstatedir@/krb5kdc/from_master).
.TP
.B \-p
allows the user to specify the pathname to the
.IR kdb5_util (8)
program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL
-(normally /usr/local/sbin/kdb5_util).
+(normally @mansbindir@/kdb5_util).
.TP
.B \-S
turn on standalone mode. Normally, kpropd is invoked out of
@@ -124,14 +124,14 @@ mode.
allows the user to specify the path to the
.KR kpropd.acl
file; by default the path used is KPROPD_ACL_FILE
-(normally /usr/local/var/krb5kdc/kpropd.acl).
+(normally @manlocalstatedir@/krb5kdc/kpropd.acl).
.SH FILES
.TP "\w'kpropd.acl\ \ 'u"
kpropd.acl
Access file for
.BR kpropd ;
the default location is KPROPD_ACL_FILE (normally
-/usr/local/var/krb5kdc/kpropd.acl).
+@manlocalstatedir@/krb5kdc/kpropd.acl).
Each entry is a line containing the principal of a host from which the
local machine will allow Kerberos database propagation via kprop.
.SH SEE ALSO

4
vendor-files.tar.bz2
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6571269211d0d941b7dcf4b72b87d154178529268ef368c4f504e3c251ebb430
size 186347
oid sha256:7ccfa471ed0c7e2646316277ef0dd77463263faeb3febed2e3292048dd3f79e4
size 186569