diff --git a/krb5-1.3.3-rcp-markus.dif b/krb5-1.3.3-rcp-markus.dif
new file mode 100644
index 0000000..c52a6ec
--- /dev/null
+++ b/krb5-1.3.3-rcp-markus.dif
@@ -0,0 +1,50 @@
+Fix for CAN-2004-0175, based on Markus Friedl's fix for OpenSSH scp.
+
+Index: krb5-1.6.3/src/appl/bsd/krcp.c
+===================================================================
+--- krb5-1.6.3.orig/src/appl/bsd/krcp.c
++++ krb5-1.6.3/src/appl/bsd/krcp.c
+@@ -1096,6 +1096,10 @@ void sink(argc, argv)
+ size = size * 10 + (*cp++ - '0');
+ if (*cp++ != ' ')
+ SCREWUP("size not delimited");
++ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
++ error("error: unexpected filename: %s", cp);
++ exit(1);
++ }
+ if (targisdir) {
+ if(strlen(targ) + strlen(cp) + 2 >= sizeof(nambuf))
+ SCREWUP("target name too long");
+@@ -1109,6 +1113,8 @@ void sink(argc, argv)
+ nambuf[sizeof(nambuf) - 1] = '\0';
+ exists = stat(nambuf, &stb) == 0;
+ if (cmdbuf[0] == 'D') {
++ if (!iamrecursive)
++ SCREWUP("received directory without -r");
+ if (exists) {
+ if ((stb.st_mode&S_IFMT) != S_IFDIR) {
+ errno = ENOTDIR;
+Index: krb5-1.6.3/src/appl/bsd/v4rcp.c
+===================================================================
+--- krb5-1.6.3.orig/src/appl/bsd/v4rcp.c
++++ krb5-1.6.3/src/appl/bsd/v4rcp.c
+@@ -807,6 +807,10 @@ void sink(argc, argv)
+ size = size * 10 + (*cp++ - '0');
+ if (*cp++ != ' ')
+ SCREWUP("size not delimited");
++ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
++ error("error: unexpected filename: %s", cp);
++ exit(1);
++ }
+ if (targisdir) {
+ if (strlen(targ) + strlen(cp) + 1 < sizeof(nambuf)) {
+ (void) sprintf(nambuf, "%s%s%s", targ,
+@@ -823,6 +827,8 @@ void sink(argc, argv)
+ nambuf[sizeof(nambuf)-1] = '\0';
+ exists = stat(nambuf, &stb) == 0;
+ if (cmdbuf[0] == 'D') {
++ if (!iamrecursive)
++ SCREWUP("received directory without -r");
+ if (exists) {
+ if ((stb.st_mode&S_IFMT) != S_IFDIR) {
+ errno = ENOTDIR;
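Review bot: The rejection test `if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0))` in the krcp.c sink() hunk carries no comment saying why exactly those two forms are refused, so the next reader has to recover the rationale from the CAN-2004-0175 line in the patch header; a one-line comment above it, `/* Reject names that could leave the target directory (CAN-2004-0175): any '/' or a bare ".." */`, keeps the intent next to the check and makes clear that `../x` is covered by the '/' test rather than the strcmp. The identical hunk in v4rcp.c should carry the same comment, and the `received directory without -r` guard in both files would read better with `/* A 'D' record is only legitimate when -r was requested. */`. sink() begins and ends outside every one of these hunks, and the patch file name says 1.3.3 while its Index: lines reference krb5-1.6.3, which is worth aligning when the patch is next touched.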
diff --git a/krb5-1.4.3-enospc.dif b/krb5-1.4.3-enospc.dif
new file mode 100644
index 0000000..7acd9f5
--- /dev/null
+++ b/krb5-1.4.3-enospc.dif
@@ -0,0 +1,32 @@
+If the error message is going to be ambiguous, try to give the user some clue
+by returning the last error reported by the OS.
+
+Index: krb5-1.6.3/src/clients/kinit/kinit.c
+===================================================================
+--- krb5-1.6.3.orig/src/clients/kinit/kinit.c
++++ krb5-1.6.3/src/clients/kinit/kinit.c
+@@ -35,6 +35,7 @@
+ #else
+ #undef HAVE_KRB524
+ #endif
++#include
+ #include
+ #include
+ #include
+@@ -921,8 +922,14 @@ k5_kinit(opts, k5)
+
+ code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me);
+ if (code) {
+- com_err(progname, code, "when initializing cache %s",
+- opts->k5_cache_name?opts->k5_cache_name:"");
++ if ((code == KRB5_CC_IO) && (errno != 0)) {
++ com_err(progname, code, "when initializing cache %s: %s",
++ opts->k5_cache_name?opts->k5_cache_name:"",
++ strerror(errno));
++ } else {
++ com_err(progname, code, "when initializing cache %s",
++ opts->k5_cache_name?opts->k5_cache_name:"");
++ }
+ goto cleanup;
+ }
+
diff --git a/krb5-1.4.3-extra-check-kt_file.c.dif b/krb5-1.4.3-extra-check-kt_file.c.dif
deleted file mode 100644
index af68a6d..0000000
--- a/krb5-1.4.3-extra-check-kt_file.c.dif
+++ /dev/null
@@ -1,15 +0,0 @@
-Index: src/lib/krb5/keytab/kt_file.c
-===================================================================
---- src/lib/krb5/keytab/kt_file.c.orig
-+++ src/lib/krb5/keytab/kt_file.c
-@@ -461,6 +461,10 @@ krb5_ktfile_get_next(krb5_context contex
- kerror = KTLOCK(id);
- if (kerror)
- return kerror;
-+ if (KTFILEP(id) == NULL) {
-+ KTUNLOCK(id);
-+ return KRB5_KT_IOERR;
-+ }
- if (fseek(KTFILEP(id), *fileoff, 0) == -1) {
- KTUNLOCK(id);
- return KRB5_KT_END;
diff --git a/krb5-1.6-ldap-man.dif b/krb5-1.6-ldap-man.dif
new file mode 100644
index 0000000..33dcc65
--- /dev/null
+++ b/krb5-1.6-ldap-man.dif
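Review bot: The added `if ((code == KRB5_CC_IO) && (errno != 0))` in the kinit.c hunk reads errno without clearing it before the `krb5_cc_initialize` call, so a value left over from an earlier call can be printed as if it explained this failure, and a KRB5_CC_IO failure that happened to leave errno at 0 gets no detail at all. Clearing it on the line above the call, `errno = 0;` before `code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me);`, makes the strerror text attributable to this call, to the extent the library preserves errno on its failure path, which the hunk cannot show. The name of the header on the added `#include` line is not visible in this rendering; `strerror` and `errno` need both `<string.h>` and `<errno.h>` in scope, so worth confirming that the single added line is enough. k5_kinit's body continues outside the hunk.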
@@ -0,0 +1,22 @@
+Index: src/config-files/krb5.conf.M
+===================================================================
+--- src/config-files/krb5.conf.M (revision 19507)
++++ src/config-files/krb5.conf.M (working copy)
+@@ -600,7 +600,7 @@
+ objects used for starting the Kerberos servers. This value is used if no
+ service password file is mentioned in the configuration section under dbmodules.
+
+-.IP ldap_server
++.IP ldap_servers
+ This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
+ is whitespace-separated. The LDAP server is specified by a LDAP URI.
+ This value is used if no LDAP servers are mentioned in the configuration
+@@ -641,7 +641,7 @@
+ This LDAP specific tag indicates the file containing the stashed passwords for the
+ objects used for starting the Kerberos servers.
+
+-.IP ldap_server
++.IP ldap_servers
+ This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
+ is whitespace-separated. The LDAP server is specified by a LDAP URI.
+
diff --git a/krb5-1.6.2-post.dif b/krb5-1.6.2-post.dif
deleted file mode 100644
index bc809b7..0000000
--- a/krb5-1.6.2-post.dif
+++ /dev/null
@@ -1,858 +0,0 @@ -Index: src/include/k5-int.h -=================================================================== ---- src/include/k5-int.h (.../tags/krb5-1-6-2-final) (Revision 19936) -+++ src/include/k5-int.h (.../branches/krb5-1-6) (Revision 19936) -@@ -216,6 +216,10 @@ - /* required */ - #define KDC_ERR_SERVER_NOMATCH 26 /* Requested server and */ - /* ticket don't match*/ -+#define KDC_ERR_SVC_UNAVAILABLE 29 /* A service is not -+ * available that is -+ * required to process the -+ * request */ - /* Application errors */ - #define KRB_AP_ERR_BAD_INTEGRITY 31 /* Decrypt integrity check failed */ - #define KRB_AP_ERR_TKT_EXPIRED 32 /* Ticket expired */ -@@ -498,7 +502,9 @@ - krb5_error_code krb5int_sendto (krb5_context context, const krb5_data *message, - const struct addrlist *addrs, struct sendto_callback_info* callback_info, - krb5_data *reply, struct sockaddr *localaddr, socklen_t *localaddrlen, -- struct sockaddr *remoteaddr, socklen_t *remoteaddrlen, int *addr_used); -+ struct sockaddr *remoteaddr, socklen_t *remoteaddrlen, int *addr_used, -+ int (*msg_handler)(krb5_context, const krb5_data *, void *), -+ void *msg_handler_data); - - krb5_error_code krb5_get_krbhst (krb5_context, const krb5_data *, char *** ); - krb5_error_code krb5_free_krbhst (krb5_context, char * const * ); -@@ -1885,7 +1891,9 @@ - krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg, - const struct addrlist *, struct sendto_callback_info*, krb5_data *reply, - struct sockaddr *, socklen_t *,struct sockaddr *, -- socklen_t *, int *); -+ socklen_t *, int *, -+ int (*msg_handler)(krb5_context, const krb5_data *, void *), -+ void *msg_handler_data); - krb5_error_code (*add_host_to_list)(struct addrlist *lp, - const char *hostname, - int port, int secport, -Index: src/clients/kvno/kvno.M -=================================================================== ---- src/clients/kvno/kvno.M (.../tags/krb5-1-6-2-final) (Revision 19936) -+++ src/clients/kvno/kvno.M 
(.../branches/krb5-1-6) (Revision 19936) -@@ -55,6 +55,15 @@ - specifies that Kerberos version 4 tickets should be acquired and - described. This option is only available if Kerberos 4 support was - enabled at compilation time. -+.TP -+.B \-S sname -+specifies that krb5_sname_to_principal() will be used to build -+principal names. If this flag is specified, the -+.B service1 service2 ... -+arguments are interpreted as hostnames (rather than principal names), -+and -+.B sname -+is interpreted as the service name. - .SH ENVIRONMENT - .B Kvno - uses the following environment variable: -Index: src/clients/kvno/kvno.c -=================================================================== ---- src/clients/kvno/kvno.c (.../tags/krb5-1-6-2-final) (Revision 19936) -+++ src/clients/kvno/kvno.c (.../branches/krb5-1-6) (Revision 19936) -@@ -41,10 +41,10 @@ - { - #ifdef KRB5_KRB4_COMPAT - fprintf(stderr, -- "usage: %s [-4 | [-c ccache] [-e etype] [-k keytab]] service1 service2 ...\n", -+ "usage: %s [-4 | [-c ccache] [-e etype] [-k keytab] [-S sname]] service1 service2 ...\n", - prog); - #else -- fprintf(stderr, "usage: %s [-c ccache] [-e etype] [-k keytab] service1 service2 ...\n", -+ fprintf(stderr, "usage: %s [-c ccache] [-e etype] [-k keytab] [-S sname] service1 service2 ...\n", - prog); - #endif - exit(1); -@@ -54,7 +54,8 @@ - - static void do_v4_kvno (int argc, char *argv[]); - static void do_v5_kvno (int argc, char *argv[], -- char *ccachestr, char *etypestr, char *keytab_name); -+ char *ccachestr, char *etypestr, char *keytab_name, -+ char *sname); - - #include - static void extended_com_err_fn (const char *, errcode_t, const char *, -@@ -64,6 +65,7 @@ - { - int option; - char *etypestr = NULL, *ccachestr = NULL, *keytab_name = NULL; -+ char *sname = NULL; - int v4 = 0; - - set_com_err_hook (extended_com_err_fn); -@@ -71,7 +73,7 @@ - prog = strrchr(argv[0], '/'); - prog = prog ? 
(prog + 1) : argv[0]; - -- while ((option = getopt(argc, argv, "c:e:hk:q4")) != -1) { -+ while ((option = getopt(argc, argv, "c:e:hk:q4S:")) != -1) { - switch (option) { - case 'c': - ccachestr = optarg; -@@ -91,6 +93,9 @@ - case '4': - v4 = 1; - break; -+ case 'S': -+ sname = optarg; -+ break; - default: - xusage(); - break; -@@ -103,10 +108,14 @@ - if ((ccachestr != NULL || etypestr != NULL || keytab_name != NULL) && v4) - xusage(); - -+ if (sname != NULL && v4) -+ xusage(); -+ - if (v4) - do_v4_kvno(argc - optind, argv + optind); - else -- do_v5_kvno(argc - optind, argv + optind, ccachestr, etypestr, keytab_name); -+ do_v5_kvno(argc - optind, argv + optind, -+ ccachestr, etypestr, keytab_name, sname); - return 0; - } - -@@ -172,7 +181,8 @@ - } - - static void do_v5_kvno (int count, char *names[], -- char * ccachestr, char *etypestr, char *keytab_name) -+ char * ccachestr, char *etypestr, char *keytab_name, -+ char *sname) - { - krb5_error_code ret; - int i, errors; -@@ -230,7 +240,13 @@ - - in_creds.client = me; - -- ret = krb5_parse_name(context, names[i], &in_creds.server); -+ if (sname != NULL) { -+ ret = krb5_sname_to_principal(context, names[i], -+ sname, KRB5_NT_SRV_HST, -+ &in_creds.server); -+ } else { -+ ret = krb5_parse_name(context, names[i], &in_creds.server); -+ } - if (ret) { - if (!quiet) - com_err(prog, ret, "while parsing principal name %s", names[i]); -Index: src/lib/crypto/prng.c -=================================================================== ---- src/lib/crypto/prng.c (.../tags/krb5-1-6-2-final) (Revision 19936) -+++ src/lib/crypto/prng.c (.../branches/krb5-1-6) (Revision 19936) -@@ -162,7 +162,7 @@ - krb5_data data; - struct stat sb; - int fd; -- unsigned char buf[YARROW_SLOW_THRESH/8]; -+ unsigned char buf[YARROW_SLOW_THRESH/8], *bp; - int left; - fd = open (device, O_RDONLY); - if (fd == -1) -@@ -173,14 +173,16 @@ - close(fd); - return 0; - } -- for (left = sizeof (buf); left > 0;) { -+ -+ for (bp = &buf, left = sizeof (buf); left > 
0;) { - ssize_t count; -- count = read (fd, &buf, (unsigned) left); -+ count = read (fd, bp, (unsigned) left); - if (count <= 0) { - close(fd); - return 0; - } - left -= count; -+ bp += count; - } - close (fd); - data.length = sizeof (buf); -@@ -199,7 +201,7 @@ - int unused; - int *oursuccess = success?success:&unused; - *oursuccess = 0; -- /* If we are getting strong data then try that first. We aare -+ /* If we are getting strong data then try that first. We are - guaranteed to cause a reseed of some kind if strong is true and - we have both /dev/random and /dev/urandom. We want the strong - data included in the reseed so we get it first.*/ -Index: src/lib/gssapi/spnego/spnego_mech.c -=================================================================== ---- src/lib/gssapi/spnego/spnego_mech.c (.../tags/krb5-1-6-2-final) (Revision 19936) -+++ src/lib/gssapi/spnego/spnego_mech.c (.../branches/krb5-1-6) (Revision 19936) -@@ -61,7 +61,7 @@ - /* private routines for spnego_mechanism */ - static spnego_token_t make_spnego_token(char *); - static gss_buffer_desc make_err_msg(char *); --static int g_token_size(gss_OID_const, OM_uint32); -+static int g_token_size(gss_OID_const, unsigned int); - static int g_make_token_header(gss_OID_const, unsigned int, - unsigned char **, unsigned int); - static int g_verify_token_header(gss_OID_const, unsigned int *, -@@ -835,6 +835,7 @@ - ret = GSS_S_FAILURE; - } - } -+ gss_release_buffer(&tmpmin, &mechtok_out); - if (ret == GSS_S_COMPLETE) { - /* - * Now, switch the output context to refer to the -Index: src/lib/krb4/send_to_kdc.c -=================================================================== ---- src/lib/krb4/send_to_kdc.c (.../tags/krb5-1-6-2-final) (Revision 19936) -+++ src/lib/krb4/send_to_kdc.c (.../branches/krb5-1-6) (Revision 19936) -@@ -181,7 +181,7 @@ - message.length = pkt->length; - message.data = (char *)pkt->dat; /* XXX yuck */ - retval = internals.sendto_udp(NULL, &message, &al, NULL, &reply, addr, -- addrlen, NULL, 
0, NULL); -+ addrlen, NULL, 0, NULL, NULL, NULL); - DEB(("sendto_udp returns %d\n", retval)); - free_al: - internals.free_addrlist(&al); -Index: src/lib/krb5/os/sendto_kdc.c -=================================================================== ---- src/lib/krb5/os/sendto_kdc.c (.../tags/krb5-1-6-2-final) (Revision 19936) -+++ src/lib/krb5/os/sendto_kdc.c (.../branches/krb5-1-6) (Revision 19936) -@@ -1,7 +1,7 @@ - /* - * lib/krb5/os/sendto_kdc.c - * -- * Copyright 1990,1991,2001,2002,2004,2005 by the Massachusetts Institute of Technology. -+ * Copyright 1990,1991,2001,2002,2004,2005,2007 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may -@@ -295,6 +295,30 @@ - return 0; - } - -+static int -+check_for_svc_unavailable (krb5_context context, -+ const krb5_data *reply, -+ void *msg_handler_data) -+{ -+ krb5_error_code *retval = (krb5_error_code *)msg_handler_data; -+ -+ *retval = 0; -+ -+ if (krb5_is_krb_error(reply)) { -+ krb5_error *err_reply; -+ -+ if (decode_krb5_error(reply, &err_reply) == 0) { -+ *retval = err_reply->error; -+ krb5_free_error(context, err_reply); -+ -+ /* Returning 0 means continue to next KDC */ -+ return (*retval != KDC_ERR_SVC_UNAVAILABLE); -+ } -+ } -+ -+ return 1; -+} -+ - /* - * send the formatted request 'message' to a KDC for realm 'realm' and - * return the response (if any) in 'reply'. -@@ -381,9 +405,12 @@ - } - - if (addrs.naddrs > 0) { -+ krb5_error_code err = 0; -+ - retval = krb5int_sendto (context, message, &addrs, 0, reply, 0, 0, -- 0, 0, &addr_used); -- if (retval == 0) { -+ 0, 0, &addr_used, check_for_svc_unavailable, &err); -+ switch (retval) { -+ case 0: - /* - * Set use_master to 1 if we ended up talking to a master when - * we didn't explicitly request to -@@ -401,7 +428,19 @@ - } - krb5int_free_addrlist (&addrs); - return 0; -- } -+ default: -+ break; -+ /* Cases here are for constructing useful error messages. 
*/ -+ case KRB5_KDC_UNREACH: -+ if (err == KDC_ERR_SVC_UNAVAILABLE) { -+ retval = KRB5KDC_ERR_SVC_UNAVAILABLE; -+ } else { -+ krb5_set_error_message(context, retval, -+ "Cannot contact any KDC for realm '%.*s'", -+ realm->length, realm->data); -+ } -+ break; -+ } - krb5int_free_addrlist (&addrs); - } - return retval; -@@ -1015,9 +1054,12 @@ - } - - static int --service_fds (struct select_state *selstate, -+service_fds (krb5_context context, -+ struct select_state *selstate, - struct conn_state *conns, size_t n_conns, int *winning_conn, -- struct select_state *seltemp) -+ struct select_state *seltemp, -+ int (*msg_handler)(krb5_context, const krb5_data *, void *), -+ void *msg_handler_data) - { - int e, selret; - -@@ -1056,9 +1098,22 @@ - state_strings[(int) conns[i].state]); - - if (conns[i].service (&conns[i], selstate, ssflags)) { -- dprint("fd service routine says we're done\n"); -- *winning_conn = i; -- return 1; -+ int stop = 1; -+ -+ if (msg_handler != NULL) { -+ krb5_data reply; -+ -+ reply.data = conns[i].x.in.buf; -+ reply.length = conns[i].x.in.pos - conns[i].x.in.buf; -+ -+ stop = (msg_handler(context, &reply, msg_handler_data) != 0); -+ } -+ -+ if (stop) { -+ dprint("fd service routine says we're done\n"); -+ *winning_conn = i; -+ return 1; -+ } - } - } - } -@@ -1098,7 +1153,10 @@ - struct sendto_callback_info* callback_info, krb5_data *reply, - struct sockaddr *localaddr, socklen_t *localaddrlen, - struct sockaddr *remoteaddr, socklen_t *remoteaddrlen, -- int *addr_used) -+ int *addr_used, -+ /* return 0 -> keep going, 1 -> quit */ -+ int (*msg_handler)(krb5_context, const krb5_data *, void *), -+ void *msg_handler_data) - { - int i, pass; - int delay_this_pass = 2; -@@ -1185,8 +1243,8 @@ - goto egress; - sel_state->end_time = now; - sel_state->end_time.tv_sec += 1; -- e = service_fds(sel_state, conns, host+1, &winning_conn, -- sel_state+1); -+ e = service_fds(context, sel_state, conns, host+1, &winning_conn, -+ sel_state+1, msg_handler, 
msg_handler_data); - if (e) - break; - if (pass > 0 && sel_state->nfds == 0) -@@ -1206,7 +1264,8 @@ - call with the last one from the above loop, if the loop - actually calls select. */ - sel_state->end_time.tv_sec += delay_this_pass; -- e = service_fds(sel_state, conns, host+1, &winning_conn, sel_state+1); -+ e = service_fds(context, sel_state, conns, host+1, &winning_conn, -+ sel_state+1, msg_handler, msg_handler_data); - if (e) - break; - if (sel_state->nfds == 0) -Index: src/lib/krb5/os/send524.c -=================================================================== ---- src/lib/krb5/os/send524.c (.../tags/krb5-1-6-2-final) (Revision 19936) -+++ src/lib/krb5/os/send524.c (.../branches/krb5-1-6) (Revision 19936) -@@ -98,7 +98,7 @@ - if (al.naddrs == 0) - return KRB5_REALM_UNKNOWN; - -- retval = krb5int_sendto (context, message, &al, NULL, reply, addr, addrlen, NULL, 0, NULL); -+ retval = krb5int_sendto (context, message, &al, NULL, reply, addr, addrlen, NULL, 0, NULL, NULL, NULL); - krb5int_free_addrlist (&al); - return retval; - #else -Index: src/lib/krb5/os/changepw.c -=================================================================== ---- src/lib/krb5/os/changepw.c (.../tags/krb5-1-6-2-final) (Revision 19936) -+++ src/lib/krb5/os/changepw.c (.../branches/krb5-1-6) (Revision 19936) -@@ -247,6 +247,8 @@ - NULL, - ss2sa(&remote_addr), - &addrlen, -+ NULL, -+ NULL, - NULL - ))) { - -Index: src/lib/krb5/error_tables/krb5_err.et -=================================================================== ---- src/lib/krb5/error_tables/krb5_err.et (.../tags/krb5-1-6-2-final) (Revision 19936) -+++ src/lib/krb5/error_tables/krb5_err.et (.../branches/krb5-1-6) (Revision 19936) -@@ -1,7 +1,7 @@ - # - # lib/krb5/error_tables/krb5_err.et - # --# Copyright 1989,1990,1991 by the Massachusetts Institute of Technology. -+# Copyright 1989,1990,1991,2007 by the Massachusetts Institute of Technology. - # All Rights Reserved. 
- # - # Export of this software from the United States of America may -@@ -68,7 +68,7 @@ - error_code KRB5KDC_ERR_SERVER_NOMATCH, "Requested server and ticket don't match" - error_code KRB5PLACEHOLD_27, "KRB5 error code 27" - error_code KRB5PLACEHOLD_28, "KRB5 error code 28" --error_code KRB5PLACEHOLD_29, "KRB5 error code 29" -+error_code KRB5KDC_ERR_SVC_UNAVAILABLE, "A service is not available that is required to process the request" - error_code KRB5PLACEHOLD_30, "KRB5 error code 30" - # vv 31 - error_code KRB5KRB_AP_ERR_BAD_INTEGRITY, "Decrypt integrity check failed" -Index: src/lib/krb5/ccache/t_cc.c -=================================================================== ---- src/lib/krb5/ccache/t_cc.c (.../tags/krb5-1-6-2-final) (Revision 19936) -+++ src/lib/krb5/ccache/t_cc.c (.../branches/krb5-1-6) (Revision 19936) -@@ -123,6 +123,7 @@ - krb5_cc_cursor cursor; - const char *c_name; - char newcache[300]; -+ char *save_type; - - init_test_cred(context); - -@@ -135,7 +136,9 @@ - CHECK_STR(c_name, "get_name"); - - c_name = krb5_cc_get_type(context, id); -- CHECK_STR(c_name, "get_prefix"); -+ CHECK_STR(c_name, "get_type"); -+ save_type=strdup(c_name); -+ CHECK_STR(save_type, "copying type"); - - kret = krb5_cc_store_cred(context, id, &test_creds); - CHECK(kret, "store"); -@@ -192,17 +195,22 @@ - kret = krb5_cc_destroy(context, id); - CHECK(kret, "destroy"); - --#if 0 - /* ----------------------------------------------------- */ - /* Tests the generate new code */ -- kret = krb5_cc_resolve(context, name, &id); -- CHECK(kret, "resolve"); -- kret = krb5_cc_gen_new(context, &id); -- CHECK(kret, "gen_new"); -- kret = krb5_cc_destroy(context, id); -- CHECK(kret, "destroy"); --#endif -+ kret = krb5_cc_new_unique(context, save_type, -+ NULL, &id2); -+ CHECK(kret, "new_unique"); -+ -+ kret = krb5_cc_initialize(context, id2, test_creds.client); -+ CHECK(kret, "initialize"); - -+ kret = krb5_cc_store_cred(context, id2, &test_creds); -+ CHECK(kret, "store"); -+ -+ kret = 
krb5_cc_destroy(context, id2); -+ CHECK(kret, "destroy id2"); -+ -+ free(save_type); - free_test_cred(context); - - } -Index: src/lib/krb5/ccache/cc_file.c -=================================================================== ---- src/lib/krb5/ccache/cc_file.c (.../tags/krb5-1-6-2-final) (Revision 19936) -+++ src/lib/krb5/ccache/cc_file.c (.../branches/krb5-1-6) (Revision 19936) -@@ -1950,115 +1950,165 @@ - { - krb5_ccache lid; - int ret; -- krb5_error_code retcode = 0; -+ krb5_error_code kret = 0; - char scratch[sizeof(TKT_ROOT)+6+1]; /* +6 for the scratch part, +1 for - NUL */ - krb5_fcc_data *data; -+ krb5_int16 fcc_fvno = htons(context->fcc_default_format); -+ krb5_int16 fcc_flen = 0; -+ int errsave, cnt; -+ struct fcc_set *setptr; - -- /* Allocate memory */ -- lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); -- if (lid == NULL) -- return KRB5_CC_NOMEM; -+ /* Set master lock */ -+ kret = k5_mutex_lock(&krb5int_cc_file_mutex); -+ if (kret) -+ return kret; - -- lid->ops = &krb5_fcc_ops; -- - (void) strcpy(scratch, TKT_ROOT); - (void) strcat(scratch, "XXXXXX"); - #ifdef HAVE_MKSTEMP - ret = mkstemp(scratch); - if (ret == -1) { -+ k5_mutex_unlock(&krb5int_cc_file_mutex); - return krb5_fcc_interpret(context, errno); -- } else close(ret); -+ } - #else /*HAVE_MKSTEMP*/ - mktemp(scratch); -+ /* Make sure the file name is reserved */ -+ ret = THREEPARAMOPEN(scratch, O_CREAT | O_EXCL | O_WRONLY | O_BINARY, 0); -+ if (ret == -1) { -+ return krb5_fcc_interpret(context, errno); -+ } - #endif - -- lid->data = (krb5_pointer) malloc(sizeof(krb5_fcc_data)); -- if (lid->data == NULL) { -- krb5_xfree(lid); -+ /* Allocate memory */ -+ data = (krb5_pointer) malloc(sizeof(krb5_fcc_data)); -+ if (data == NULL) { -+ close(ret); -+ unlink(scratch); -+ k5_mutex_unlock(&krb5int_cc_file_mutex); - return KRB5_CC_NOMEM; - } - -- ((krb5_fcc_data *) lid->data)->filename = (char *) -- malloc(strlen(scratch) + 1); -- if (((krb5_fcc_data *) lid->data)->filename == NULL) { -- 
krb5_xfree(((krb5_fcc_data *) lid->data)); -- krb5_xfree(lid); -+ data->filename = strdup(scratch); -+ if (data->filename == NULL) { -+ k5_mutex_unlock(&krb5int_cc_file_mutex); -+ free(data); -+ close(ret); -+ unlink(scratch); -+ k5_mutex_unlock(&krb5int_cc_file_mutex); - return KRB5_CC_NOMEM; - } - -+ kret = k5_mutex_init(&data->lock); -+ if (kret) { -+ k5_mutex_unlock(&krb5int_cc_file_mutex); -+ free(data->filename); -+ free(data); -+ close(ret); -+ unlink(scratch); -+ return kret; -+ } -+ kret = k5_mutex_lock(&data->lock); -+ if (kret) { -+ k5_mutex_unlock(&krb5int_cc_file_mutex); -+ k5_mutex_destroy(&data->lock); -+ free(data->filename); -+ free(data); -+ close(ret); -+ unlink(scratch); -+ return kret; -+ } -+ - /* - * The file is initially closed at the end of this call... - */ -- ((krb5_fcc_data *) lid->data)->flags = 0; -- ((krb5_fcc_data *) lid->data)->file = -1; -- ((krb5_fcc_data *) lid->data)->valid_bytes = 0; -- data = (krb5_fcc_data *) lid->data; -+ data->flags = 0; -+ data->file = -1; -+ data->valid_bytes = 0; -+ /* data->version,mode filled in for real later */ -+ data->version = data->mode = 0; - -- retcode = k5_mutex_init(&data->lock); -- if (retcode) -- goto err_out; - -- /* Set up the filename */ -- strcpy(((krb5_fcc_data *) lid->data)->filename, scratch); -- -- /* Make sure the file name is reserved */ -- ret = THREEPARAMOPEN(((krb5_fcc_data *) lid->data)->filename, -- O_CREAT | O_EXCL | O_WRONLY | O_BINARY, 0); -- if (ret == -1) { -- retcode = krb5_fcc_interpret(context, errno); -- goto err_out; -- } else { -- krb5_int16 fcc_fvno = htons(context->fcc_default_format); -- krb5_int16 fcc_flen = 0; -- int errsave, cnt; -- -- /* Ignore user's umask, set mode = 0600 */ -+ /* Ignore user's umask, set mode = 0600 */ - #ifndef HAVE_FCHMOD - #ifdef HAVE_CHMOD -- chmod(((krb5_fcc_data *) lid->data)->filename, S_IRUSR | S_IWUSR); -+ chmod(data->filename, S_IRUSR | S_IWUSR); - #endif - #else -- fchmod(ret, S_IRUSR | S_IWUSR); -+ fchmod(ret, S_IRUSR | 
S_IWUSR); - #endif -- if ((cnt = write(ret, (char *)&fcc_fvno, sizeof(fcc_fvno))) -- != sizeof(fcc_fvno)) { -- errsave = errno; -- (void) close(ret); -- (void) unlink(((krb5_fcc_data *) lid->data)->filename); -- retcode = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO; -- goto err_out; -+ if ((cnt = write(ret, (char *)&fcc_fvno, sizeof(fcc_fvno))) -+ != sizeof(fcc_fvno)) { -+ errsave = errno; -+ (void) close(ret); -+ (void) unlink(data->filename); -+ kret = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO; -+ goto err_out; -+ } -+ /* For version 4 we save a length for the rest of the header */ -+ if (context->fcc_default_format == KRB5_FCC_FVNO_4) { -+ if ((cnt = write(ret, (char *)&fcc_flen, sizeof(fcc_flen))) -+ != sizeof(fcc_flen)) { -+ errsave = errno; -+ (void) close(ret); -+ (void) unlink(data->filename); -+ kret = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO; -+ goto err_out; - } -- /* For version 4 we save a length for the rest of the header */ -- if (context->fcc_default_format == KRB5_FCC_FVNO_4) { -- if ((cnt = write(ret, (char *)&fcc_flen, sizeof(fcc_flen))) -- != sizeof(fcc_flen)) { -- errsave = errno; -- (void) close(ret); -- (void) unlink(((krb5_fcc_data *) lid->data)->filename); -- retcode = (cnt == -1) ? 
krb5_fcc_interpret(context, errsave) : KRB5_CC_IO; -- goto err_out; -- } -- } -- if (close(ret) == -1) { -- errsave = errno; -- (void) unlink(((krb5_fcc_data *) lid->data)->filename); -- retcode = krb5_fcc_interpret(context, errsave); -- goto err_out; -- } -- *id = lid; -- /* default to open/close on every trn - otherwise destroy -- will get as to state confused */ -- ((krb5_fcc_data *) lid->data)->flags = KRB5_TC_OPENCLOSE; -- krb5_change_cache (); -- return KRB5_OK; - } -+ if (close(ret) == -1) { -+ errsave = errno; -+ (void) unlink(data->filename); -+ kret = krb5_fcc_interpret(context, errsave); -+ goto err_out; -+ } - -+ -+ setptr = malloc(sizeof(struct fcc_set)); -+ if (setptr == NULL) { -+ k5_mutex_unlock(&krb5int_cc_file_mutex); -+ k5_mutex_destroy(&data->lock); -+ free(data->filename); -+ free(data); -+ (void) close(ret); -+ (void) unlink(scratch); -+ return KRB5_CC_NOMEM; -+ } -+ setptr->refcount = 1; -+ setptr->data = data; -+ setptr->next = fccs; -+ fccs = setptr; -+ k5_mutex_unlock(&krb5int_cc_file_mutex); -+ -+ k5_mutex_assert_locked(&data->lock); -+ k5_mutex_unlock(&data->lock); -+ lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); -+ if (lid == NULL) { -+ dereference(context, data); -+ return KRB5_CC_NOMEM; -+ } -+ -+ lid->ops = &krb5_fcc_ops; -+ lid->data = data; -+ lid->magic = KV5M_CCACHE; -+ -+ /* default to open/close on every trn - otherwise destroy -+ will get as to state confused */ -+ ((krb5_fcc_data *) lid->data)->flags = KRB5_TC_OPENCLOSE; -+ -+ *id = lid; -+ -+ -+ krb5_change_cache (); -+ return KRB5_OK; -+ - err_out: -- krb5_xfree(((krb5_fcc_data *) lid->data)->filename); -- krb5_xfree(((krb5_fcc_data *) lid->data)); -- krb5_xfree(lid); -- return retcode; -+ k5_mutex_unlock(&krb5int_cc_file_mutex); -+ k5_mutex_destroy(&data->lock); -+ free(data->filename); -+ free(data); -+ return kret; - } - - /* -Index: src/lib/krb5/ccache/ccfns.c -=================================================================== ---- 
src/lib/krb5/ccache/ccfns.c (.../tags/krb5-1-6-2-final) (Revision 19936) -+++ src/lib/krb5/ccache/ccfns.c (.../branches/krb5-1-6) (Revision 19936) -@@ -1,7 +1,7 @@ - /* - * lib/krb5/ccache/ccfns.c - * -- * Copyright 2000 by the Massachusetts Institute of Technology. -+ * Copyright 2000, 2007 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may -@@ -65,7 +65,29 @@ - krb5_cc_store_cred (krb5_context context, krb5_ccache cache, - krb5_creds *creds) - { -- return cache->ops->store(context, cache, creds); -+ krb5_error_code ret; -+ krb5_ticket *tkt; -+ krb5_principal s1, s2; -+ -+ ret = cache->ops->store(context, cache, creds); -+ if (ret) return ret; -+ -+ /* -+ * If creds->server and the server in the decoded ticket differ, -+ * store both principals. -+ */ -+ s1 = creds->server; -+ ret = decode_krb5_ticket(&creds->ticket, &tkt); -+ /* Bail out on errors in case someone is storing a non-ticket. */ -+ if (ret) return 0; -+ s2 = tkt->server; -+ if (!krb5_principal_compare(context, s1, s2)) { -+ creds->server = s2; -+ ret = cache->ops->store(context, cache, creds); -+ creds->server = s1; -+ } -+ krb5_free_ticket(context, tkt); -+ return ret; - } - - krb5_error_code KRB5_CALLCONV -@@ -73,7 +95,23 @@ - krb5_flags flags, krb5_creds *mcreds, - krb5_creds *creds) - { -- return cache->ops->retrieve(context, cache, flags, mcreds, creds); -+ krb5_error_code ret; -+ krb5_data tmprealm; -+ -+ ret = cache->ops->retrieve(context, cache, flags, mcreds, creds); -+ if (ret != KRB5_CC_NOTFOUND) -+ return ret; -+ if (!krb5_is_referral_realm(&mcreds->server->realm)) -+ return ret; -+ -+ /* -+ * Retry using client's realm if service has referral realm. 
-+ */ -+ tmprealm = mcreds->server->realm; -+ mcreds->server->realm = mcreds->client->realm; -+ ret = cache->ops->retrieve(context, cache, flags, mcreds, creds); -+ mcreds->server->realm = tmprealm; -+ return ret; - } - - krb5_error_code KRB5_CALLCONV -Index: src/lib/krb5/krb/gc_frm_kdc.c -=================================================================== ---- src/lib/krb5/krb/gc_frm_kdc.c (.../tags/krb5-1-6-2-final) (Revision 19936) -+++ src/lib/krb5/krb/gc_frm_kdc.c (.../branches/krb5-1-6) (Revision 19936) -@@ -906,7 +906,6 @@ - /* Whether or not that succeeded, we're done. */ - goto cleanup; - } -- else { - /* Referral request succeeded; let's see what it is. */ - if (krb5_principal_compare(context, in_cred->server, - (*out_cred)->server)) { -@@ -914,8 +913,40 @@ - "for requested server principal\n")); - DUMP_PRINC("gc_from_kdc final referred reply", - in_cred->server); -+ -+ /* -+ * Check if the return enctype is one that we requested if -+ * needed. -+ */ -+ if (old_use_conf_ktypes || context->tgs_ktype_count == 0) - goto cleanup; -+ for (i = 0; i < context->tgs_ktype_count; i++) { -+ if ((*out_cred)->keyblock.enctype == context->tgs_ktypes[i]) { -+ /* Found an allowable etype, so we're done */ -+ goto cleanup; -+ } - } -+ /* -+ * We need to try again, but this time use the -+ * tgs_ktypes in the context. At this point we should -+ * have all the tgts to succeed. -+ */ -+ -+ /* Free "wrong" credential */ -+ krb5_free_creds(context, *out_cred); -+ *out_cred = NULL; -+ /* Re-establish tgs etypes */ -+ context->use_conf_ktypes = old_use_conf_ktypes; -+ retval = krb5_get_cred_via_tkt(context, tgtptr, -+ KDC_OPT_CANONICALIZE | -+ FLAGS2OPTS(tgtptr->ticket_flags) | -+ kdcopt | -+ (in_cred->second_ticket.length ? 
-+ KDC_OPT_ENC_TKT_IN_SKEY : 0),
-+ tgtptr->addresses,
-+ in_cred, out_cred);
-+ goto cleanup;
-+ }
- else if (IS_TGS_PRINC(context, (*out_cred)->server)) {
- krb5_data *r1, *r2;
-
-@@ -978,7 +1009,6 @@
- krb5_free_creds(context, *out_cred);
- *out_cred = NULL;
- break;
-- }
- }
- }
-
diff --git a/krb5-1.6.2.tar.bz2 b/krb5-1.6.2.tar.bz2
deleted file mode 100644
index 0846ce9..0000000
--- a/krb5-1.6.2.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:56549c395f836f2b8c5cc847835df75efb93629e7c97f2719cdc7d2a52424d2f
-size 13046355
diff --git a/krb5-1.6.3-texi2dvi-fix.dif b/krb5-1.6.3-texi2dvi-fix.dif
new file mode 100644
index 0000000..2238c1b
--- /dev/null
+++ b/krb5-1.6.3-texi2dvi-fix.dif
@@ -0,0 +1,11 @@
+Index: trunk/doc/Makefile
+===================================================================
+--- doc/Makefile
++++ doc/Makefile
+@@ -1,5 +1,5 @@
+ SRCDIR=../src
+-DVI=texi2dvi4a2ps # texi2dvi
++DVI=texi2dvi # texi2dvi
+ DVIPS=dvips -o "$@"
+ PSPDF=ps2pdf
+ INFO=makeinfo
diff --git a/krb5-1.6.3.tar.bz2 b/krb5-1.6.3.tar.bz2
new file mode 100644
index 0000000..79fcab7
--- /dev/null
+++ b/krb5-1.6.3.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c272bea49a48059f9a31bca38e9d838c9b52d4257ba764aaed24783c24b36173
+size 10091032
diff --git a/krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif b/krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif
deleted file mode 100644
index 23eb00e..0000000
--- a/krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif
+++ /dev/null
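Review bot: In the texi2dvi-fix patch the new line `DVI=texi2dvi # texi2dvi` keeps a trailing comment that now just repeats the value it annotates; it was a reminder of the plain tool while the `texi2dvi4a2ps` wrapper was selected and says nothing after the switch. Either drop it, `DVI=texi2dvi`, or replace it with the reason the wrapper is no longer used, so the packaging patch explains itself without the reader having to find the change in krb5-doc.changes. The other hunks on this line (tarball LFS pointers and the tail of the removed krb5-1.6.2-post.dif) are deletions or generated content and need no review.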
@@ -1,41 +0,0 @@ ---- src/lib/kadm5/srv/svr_policy.c -+++ src/lib/kadm5/srv/svr_policy.c 2007/08/24 14:32:34 -@@ -211,8 +211,9 @@ - if((mask & KADM5_POLICY)) - return KADM5_BAD_MASK; - -- ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt); -- if( ret && (cnt==0) ) -+ if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt))) -+ return ret; -+ if (cnt != 1) - return KADM5_UNK_POLICY; - - if ((mask & KADM5_PW_MAX_LIFE)) - ---- src/lib/rpc/svc_auth_gss.c -+++ src/lib/rpc/svc_auth_gss.c 2007/09/06 08:32:37 -@@ -355,6 +355,15 @@ - memset(rpchdr, 0, sizeof(rpchdr)); - - /* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */ -+ oa = &msg->rm_call.cb_cred; -+ if (oa->oa_length > MAX_AUTH_BYTES) -+ return (FALSE); -+ -+ /* 8 XDR units from the IXDR macro calls. */ -+ if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT + -+ RNDUP(oa->oa_length))) -+ return (FALSE); -+ - buf = (int32_t *)(void *)rpchdr; - IXDR_PUT_LONG(buf, msg->rm_xid); - IXDR_PUT_ENUM(buf, msg->rm_direction); -@@ -362,7 +371,6 @@ - IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); - IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); - IXDR_PUT_LONG(buf, msg->rm_call.cb_proc); -- oa = &msg->rm_call.cb_cred; - IXDR_PUT_ENUM(buf, oa->oa_flavor); - IXDR_PUT_LONG(buf, oa->oa_length); - if (oa->oa_length) { diff --git a/krb5-doc.changes b/krb5-doc.changes index f5dd576..5af5d83 100644 --- a/krb5-doc.changes +++ b/krb5-doc.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Tue Oct 23 10:29:23 CEST 2007 - mc@suse.de + +- update to krb5 version 1.6.3 + * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow + * fix CVE-2007-4000 modify_policy vulnerability + * Add PKINIT support +- remove patches which are upstream now +- enhance init scripts and xinetd profiles + ------------------------------------------------------------------- Thu Jul 12 17:02:30 CEST 2007 - mc@suse.de diff --git a/krb5-doc.spec b/krb5-doc.spec index 69c6691..a5d9efc 100644 
--- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -1,5 +1,5 @@ # -# spec file for package krb5-doc (Version 1.6.2) +# spec file for package krb5-doc (Version 1.6.3) # # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -12,17 +12,18 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive -Version: 1.6.2 -Release: 29 -%define srcRoot krb5-1.6.2 +Version: 1.6.3 +Release: 1 +%define srcRoot krb5-1.6.3 Summary: MIT Kerberos5 Implementation--Documentation License: X11/MIT Url: http://web.mit.edu/kerberos/www/ Group: Documentation/Other -Source: krb5-1.6.2.tar.bz2 +Source: krb5-1.6.3.tar.bz2 Source1: README.Source Source2: Makefile.kadm5 Patch0: krb5-1.3.5-perlfix.dif +Patch1: krb5-1.6.3-texi2dvi-fix.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch @@ -44,6 +45,7 @@ Authors: %prep %setup -n %{srcRoot} %patch0 +%patch1 cp %{_sourcedir}/Makefile.kadm5 %{_builddir}/%{srcRoot}/doc/kadm5/Makefile %build @@ -86,8 +88,14 @@ rm -rf %{buildroot} %doc doc/*.ps.gz doc/api/*.ps.gz doc/implement/*.ps.gz doc/kadm5/*.ps.gz %doc doc/krb5-protocol doc/kadmin %doc doc/html - %changelog +* Tue Oct 23 2007 - mc@suse.de +- update to krb5 version 1.6.3 + * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow + * fix CVE-2007-4000 modify_policy vulnerability + * Add PKINIT support +- remove patches which are upstream now +- enhance init scripts and xinetd profiles * Thu Jul 12 2007 - mc@suse.de - update to version 1.6.2 - remove krb5-1.6.1-post.dif all fixes are included in this release diff --git a/krb5-plugins.changes b/krb5-plugins.changes index 2056cfc..127498f 100644 --- a/krb5-plugins.changes +++ b/krb5-plugins.changes 
@@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Tue Oct 23 10:29:14 CEST 2007 - mc@suse.de + +- update to krb5 version 1.6.3 + * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow + * fix CVE-2007-4000 modify_policy vulnerability + * Add PKINIT support +- remove patches which are upstream now +- enhance init scripts and xinetd profiles + ------------------------------------------------------------------- Fri Sep 14 12:10:01 CEST 2007 - mc@suse.de diff --git a/krb5-plugins.spec b/krb5-plugins.spec index c41aaa5..e5f53c1 100644 --- a/krb5-plugins.spec +++ b/krb5-plugins.spec @@ -1,5 +1,5 @@ # -# spec file for package krb5-plugins (Version 1.6.2) +# spec file for package krb5-plugins (Version 1.6.3) # # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -12,10 +12,10 @@ # nodebuginfo Name: krb5-plugins -Version: 1.6.2 -Release: 4 +Version: 1.6.3 +Release: 1 BuildRequires: bison krb5-devel ncurses-devel openldap2-devel -%define srcRoot krb5-1.6.2 +%define srcRoot krb5-1.6.3 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 Requires: krb5-server @@ -23,15 +23,15 @@ Summary: MIT Kerberos5 Implementation--Libraries License: X11/MIT Url: http://web.mit.edu/kerberos/www/ Group: Productivity/Networking/Security -Source: krb5-1.6.2.tar.bz2 +Source: krb5-1.6.3.tar.bz2 Source1: vendor-files.tar.bz2 Source2: README.Source Source3: spx.c Source4: EncryptWithMasterKey.c +Source10: krb5-trunk-manpaths.txt Patch1: krb5-1.5.1-fix-too-few-arguments.dif Patch2: krb5-1.6.1-compile_pie.dif Patch3: krb5-1.4-fix-segfault.dif -Patch4: krb5-1.6.2-post.dif Patch6: trunk-EncryptWithMasterKey.dif Patch14: warning-fix-lib-crypto-des.dif Patch15: warning-fix-lib-crypto-dk.dif 
@@ -41,11 +41,12 @@ Patch18: warning-fix-lib-crypto-yarrow_arcfour.dif Patch20: kprop-use-mkstemp.dif Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif -#Patch23: trunk-install-preauth-header.dif Patch24: krb5-1.5.1-fix-strncat-warning.dif Patch25: krb5-1.6.1-init-salt-length.dif -Patch26: krb5-1.4.3-extra-check-kt_file.c.dif -Patch27: krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif +Patch30: trunk-manpaths.dif +Patch31: krb5-1.6-ldap-man.dif +Patch32: krb5-1.4.3-enospc.dif +Patch33: krb5-1.3.3-rcp-markus.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -77,6 +78,25 @@ database plugin. +Authors: +-------- + The MIT Kerberos Team + Sam Hartman + Ken Raeburn + Tom Yu + +%package -n krb5-plugin-preauth-pkinit +Summary: MIT Kerberos5 Implementation--PKINIT preauth Plugin +Group: Productivity/Networking/Security +Conflicts: krb5-plugin-preauth-pkinit-nss + +%description -n krb5-plugin-preauth-pkinit +Kerberos V5 is a trusted-third-party network authentication system, +which can improve your network's security by eliminating the insecure +practice of cleartext passwords. This package includes a PKINIT plugin. + + + Authors: -------- The MIT Kerberos Team @@ -97,7 +117,6 @@ fi %patch1 %patch2 %patch3 -%patch4 %patch6 %patch14 %patch15 @@ -107,12 +126,19 @@ fi %patch20 %patch21 %patch22 -#%patch23 %patch24 %patch25 -%patch26 -%patch27 +%patch30 -p1 +%patch31 +%patch32 -p1 +%patch33 -p1 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c +# Rename the man pages so that they'll get generated correctly. +pushd src +cat $RPM_SOURCE_DIR/krb5-trunk-manpaths.txt | while read manpage ; do + mv "$manpage" "$manpage".in +done +popd %build cd src 
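Review bot: The man-page rename loop in the %prep hunk `@@ -107,12 +126,19 @@` reads the path list with `cat ... | while read manpage`, which strips leading whitespace and interprets backslash escapes, and it switches from the `%{_sourcedir}` macro used on the `cp` line just above to the raw `$RPM_SOURCE_DIR` variable. Reading the file directly keeps every line intact and stays consistent with the spec's macro style: `while IFS= read -r manpage; do`, `    mv "$manpage" "$manpage.in"`, `done < %{_sourcedir}/krb5-trunk-manpaths.txt`. The list holds only plain paths today, so this is a robustness and style point rather than a functional bug. The identical loop appears in krb5.spec's hunk `@@ -198,12 +198,19 @@`.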
@@ -155,17 +181,21 @@ ln -s %{_libdir}/libdes425.so %{_builddir}/%{srcRoot}/src/lib/ cd ../../../kadmin/cli make getdate.o cd ../../plugins/kdb/ldap/ -make %{?jobs:-j%jobs} +make %{?jobs:-j%jobs} +cd ../../preauth/pkinit/ +make %{?jobs:-j%jobs} #make check %install -rm -rf %{buildroot} mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb +mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth mkdir -p %{buildroot}/%{krb5docdir} mkdir -p %{buildroot}/usr/lib/mit/sbin/ mkdir -p %{buildroot}/%{_mandir}/man8/ cd src/plugins/kdb/ldap/ make DESTDIR=%{buildroot} install +cd ../../preauth/pkinit/ +make DESTDIR=%{buildroot} install # all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` do @@ -208,7 +238,20 @@ rm -rf %{buildroot} %{_libdir}/libkdb_ldap* %{_mandir}/man8/* +%files -n krb5-plugin-preauth-pkinit +%defattr(-,root,root) +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/preauth +%{_libdir}/krb5/plugins/preauth/pkinit.so %changelog +* Tue Oct 23 2007 - mc@suse.de +- update to krb5 version 1.6.3 + * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow + * fix CVE-2007-4000 modify_policy vulnerability + * Add PKINIT support +- remove patches which are upstream now +- enhance init scripts and xinetd profiles * Fri Sep 14 2007 - mc@suse.de - update krb5-1.6.2-post.dif * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that diff --git a/krb5-trunk-manpaths.txt b/krb5-trunk-manpaths.txt new file mode 100644 index 0000000..69c0192 --- /dev/null +++ b/krb5-trunk-manpaths.txt 
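Review bot: The new `cd ../../preauth/pkinit/` and `make` steps in `@@ -155,17 +181,21 @@` build the PKINIT preauth plugin, whose crypto back end in krb5 1.6.3 is implemented on OpenSSL, yet the BuildRequires line touched in `@@ -12,10 +12,10 @@` still lists only `bison krb5-devel ncurses-devel openldap2-devel`. Unless the OpenSSL headers arrive transitively through one of those packages, configure will skip the pkinit directory and the unconditional `make` there fails, and the `%files -n krb5-plugin-preauth-pkinit` list in `@@ -208,7 +238,20 @@` then has no `pkinit.so` to package. Adding `openssl-devel` to `BuildRequires:` makes the dependency explicit instead of relying on the build environment.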
@@ -0,0 +1,45 @@ +appl/bsd/klogind.M +appl/bsd/kshd.M +appl/bsd/login.M +appl/bsd/rcp.M +appl/bsd/rlogin.M +appl/bsd/rsh.M +appl/bsd/v4rcp.M +appl/gssftp/ftpd/ftpd.M +appl/gssftp/ftp/ftp.M +appl/sample/sclient/sclient.M +appl/sample/sserver/sserver.M +appl/telnet/telnetd/telnetd.8 +appl/telnet/telnet/telnet.1 +clients/kcpytkt/kcpytkt.M +clients/kdeltkt/kdeltkt.M +clients/kdestroy/kdestroy.M +clients/kinit/kinit.M +clients/klist/klist.M +clients/kpasswd/kpasswd.M +clients/ksu/ksu.M +clients/kvno/kvno.M +config-files/kdc.conf.M +config-files/krb5.conf.M +gen-manpages/k5login.M +gen-manpages/kerberos.M +kadmin/cli/k5srvutil.M +kadmin/cli/kadmin.local.M +kadmin/cli/kadmin.M +kadmin/dbutil/kdb5_util.M +kadmin/ktutil/ktutil.M +kadmin/passwd/kpasswd.M +kadmin/server/kadmind.M +kdc/fakeka.M +kdc/krb5kdc.M +krb524/k524init.M +krb524/krb524d.M +krb5-config.M +plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M +slave/kpropd.M +slave/kprop.M +tests/create/kdb5_mkdums.M +util/et/com_err.3 +util/et/compile_et.1 +util/profile/profile.5 +util/send-pr/send-pr.1 diff --git a/krb5.changes b/krb5.changes index b1ca637..a53f383 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de + +- update to krb5 version 1.6.3 + * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow + * fix CVE-2007-4000 modify_policy vulnerability + * Add PKINIT support +- remove patches which are upstream now +- enhance init scripts and xinetd profiles + ------------------------------------------------------------------- Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index 1de1da9..91bbdd5 100644 --- a/krb5.spec +++ b/krb5.spec 
@@ -1,5 +1,5 @@ # -# spec file for package krb5 (Version 1.6.2) +# spec file for package krb5 (Version 1.6.3) # # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -11,13 +11,13 @@ # norootforbuild Name: krb5 -Version: 1.6.2 -Release: 19 +Version: 1.6.3 +Release: 1 BuildRequires: bison libcom_err-devel ncurses-devel %if %{suse_version} > 1010 BuildRequires: keyutils keyutils-devel %endif -%define srcRoot krb5-1.6.2 +%define srcRoot krb5-1.6.3 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/%{name} Provides: heimdal-lib @@ -26,16 +26,16 @@ Summary: MIT Kerberos5 Implementation--Libraries License: X11/MIT Url: http://web.mit.edu/kerberos/www/ Group: Productivity/Networking/Security -Source: krb5-1.6.2.tar.bz2 +Source: krb5-1.6.3.tar.bz2 Source1: vendor-files.tar.bz2 Source2: README.Source Source3: spx.c Source4: EncryptWithMasterKey.c Source5: krb5-1.6.1-rpmlintrc +Source10: krb5-trunk-manpaths.txt Patch1: krb5-1.5.1-fix-too-few-arguments.dif Patch2: krb5-1.6.1-compile_pie.dif Patch3: krb5-1.4-fix-segfault.dif -Patch4: krb5-1.6.2-post.dif Patch6: trunk-EncryptWithMasterKey.dif Patch14: warning-fix-lib-crypto-des.dif Patch15: warning-fix-lib-crypto-dk.dif @@ -45,11 +45,12 @@ Patch18: warning-fix-lib-crypto-yarrow_arcfour.dif Patch20: kprop-use-mkstemp.dif Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif -#Patch23: trunk-install-preauth-header.dif Patch24: krb5-1.5.1-fix-strncat-warning.dif Patch25: krb5-1.6.1-init-salt-length.dif -Patch26: krb5-1.4.3-extra-check-kt_file.c.dif -Patch27: krb5-MITKRB5-SA-2007-006-fix-execute-code-2.dif +Patch30: trunk-manpaths.dif +Patch31: krb5-1.6-ldap-man.dif +Patch32: krb5-1.4.3-enospc.dif +Patch33: krb5-1.3.3-rcp-markus.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch 
@@ -188,7 +189,6 @@ fi %patch1 %patch2 %patch3 -%patch4 %patch6 %patch14 %patch15 @@ -198,12 +198,19 @@ fi %patch20 %patch21 %patch22 -#%patch23 %patch24 %patch25 -%patch26 -%patch27 +%patch30 -p1 +%patch31 +%patch32 -p1 +%patch33 -p1 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c +# Rename the man pages so that they'll get generated correctly. +pushd src +cat $RPM_SOURCE_DIR/krb5-trunk-manpaths.txt | while read manpage ; do + mv "$manpage" "$manpage".in +done +popd %build cd src @@ -221,8 +228,7 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI --localstatedir=%{_localstatedir}/lib/kerberos \ --enable-shared \ --disable-static \ - --enable-kdc-replay-cache \ - --enable-dns-for-realm \ + --enable-dns \ --with-system-et \ --with-system-ss make %{?jobs:-j%jobs} @@ -275,6 +281,7 @@ install -m 755 %{vendorFiles}/krb524d.init %{buildroot}%{_sysconfdir}/init.d/krb # install xinetd files mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d install -m 644 %{vendorFiles}/klogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/klogin +install -m 644 %{vendorFiles}/eklogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/eklogin install -m 644 %{vendorFiles}/krb5-telnet.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/ktelnet install -m 644 %{vendorFiles}/kshell.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/kshell # install logrotate files @@ -446,6 +453,7 @@ rm -rf %{buildroot} %files apps-servers %defattr(-,root,root) %config(noreplace) %{_sysconfdir}/xinetd.d/klogin +%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin %config(noreplace) %{_sysconfdir}/xinetd.d/kshell %config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet %dir /usr/lib/mit 
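Review bot: Replacing `--enable-dns-for-realm` with `--enable-dns` in `@@ -221,8 +228,7 @@` appears to switch on both DNS-based KDC location and DNS-based realm mapping by default, and the realm half is the one MIT's documentation flags as a risk: the host-to-realm mapping is taken from unauthenticated DNS TXT records, so whoever controls a client's resolver can steer it to a realm of their choosing. If that default is intended, a spec comment next to the flag such as `# --enable-dns also defaults dns_lookup_realm to true; sites can set dns_lookup_realm = false in [libdefaults]` records the trade-off where the next maintainer will see it. The same hunk drops `--enable-kdc-replay-cache` with no changelog entry saying whether 1.6.3 made that behavior the default or removed the option; a one-line comment would settle that.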
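Review bot: The new `install -m 644 %{vendorFiles}/eklogin.xinetd ...` in `@@ -275,6 +281,7 @@` (with its `%config(noreplace)` entry in `@@ -446,6 +453,7 @@`) adds a second xinetd listener profile for the encrypted klogin service, but the profile itself lives in vendor-files.tar.bz2, which appears in this diff only as an LFS pointer, so whether it ships with `disable = yes` cannot be checked here. A changelog line or spec comment stating that eklogin is installed disabled by default (if it is) would let a reviewer confirm the intent without unpacking the tarball.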
@@ -511,8 +519,14 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/krb5-send-pr %{_mandir}/man1/krb5-send-pr.1* %{_mandir}/man1/krb5-config.1* - %changelog +* Tue Oct 23 2007 - mc@suse.de +- update to krb5 version 1.6.3 + * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow + * fix CVE-2007-4000 modify_policy vulnerability + * Add PKINIT support +- remove patches which are upstream now +- enhance init scripts and xinetd profiles * Fri Sep 14 2007 - mc@suse.de - update krb5-1.6.2-post.dif * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that diff --git a/trunk-manpaths.dif b/trunk-manpaths.dif new file mode 100644 index 0000000..fb9e7a9 --- /dev/null +++ b/trunk-manpaths.dif 
@@ -0,0 +1,263 @@ + +Index: krb5-1.6.3/src/appl/bsd/klogind.M +=================================================================== +--- krb5-1.6.3.orig/src/appl/bsd/klogind.M ++++ krb5-1.6.3/src/appl/bsd/klogind.M +@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when + the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf + configuration line for \fIklogind\fP might be: + +-klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c ++klogin stream tcp nowait root @mansbindir@/klogind klogind -e5c + + When a service request is received, the following protocol is initiated: + +Index: krb5-1.6.3/src/appl/bsd/kshd.M +=================================================================== +--- krb5-1.6.3.orig/src/appl/bsd/kshd.M ++++ krb5-1.6.3/src/appl/bsd/kshd.M +@@ -8,7 +8,7 @@ + .SH NAME + kshd \- kerberized remote shell server + .SH SYNOPSIS +-.B /usr/local/sbin/kshd ++.B @mansbindir@/kshd + [ + .B \-kr45ec + ] +@@ -30,7 +30,7 @@ server is invoked by \fIinetd(8c)\fP whe + on the port indicated in /etc/inetd.conf. 
A typical /etc/inetd.conf + configuration line for \fIkrshd\fP might be: + +-kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c ++kshell stream tcp nowait root @mansbindir@/kshd kshd -5c + + When a service request is received, the following protocol is initiated: + +Index: krb5-1.6.3/src/appl/sample/sserver/sserver.M +=================================================================== +--- krb5-1.6.3.orig/src/appl/sample/sserver/sserver.M ++++ krb5-1.6.3/src/appl/sample/sserver/sserver.M +@@ -59,7 +59,7 @@ option allows for a different keytab tha + using a line in + /etc/inetd.conf that looks like this: + .PP +-sample stream tcp nowait root /usr/local/sbin/sserver sserver ++sample stream tcp nowait root @mansbindir@/sserver sserver + .PP + Since \fBsample\fP is normally not a port defined in /etc/services, you will + usually have to add a line to /etc/services which looks like this: +Index: krb5-1.6.3/src/appl/telnet/telnetd/telnetd.8 +=================================================================== +--- krb5-1.6.3.orig/src/appl/telnet/telnetd/telnetd.8 ++++ krb5-1.6.3/src/appl/telnet/telnetd/telnetd.8 +@@ -37,7 +37,7 @@ telnetd \- + .SM DARPA TELNET + protocol server + .SH SYNOPSIS +-.B /usr/libexec/telnetd ++.B @manlibexecdir@/telnetd + [\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP] + [\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP] + [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP] +Index: krb5-1.6.3/src/config-files/kdc.conf.M +=================================================================== +--- krb5-1.6.3.orig/src/config-files/kdc.conf.M ++++ krb5-1.6.3/src/config-files/kdc.conf.M +@@ -82,14 +82,14 @@ This + .B string + specifies the location of the access control list (acl) file that + kadmin uses to determine which principals are allowed which permissions +-on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl. ++on the database. 
The default value is @manlocalstatedir@/krb5kdc/kadm5.acl. + + .IP admin_keytab + This + .B string + Specifies the location of the keytab file that kadmin uses to + authenticate to the database. The default value is +-/usr/local/var/krb5kdc/kadm5.keytab. ++@manlocalstatedir@/krb5kdc/kadm5.keytab. + + .IP database_name + This +@@ -239,7 +239,7 @@ tickets should be checked against the tr + realm names and the [capaths] section of its krb5.conf file + + .SH FILES +-/usr/local/var/krb5kdc/kdc.conf ++@manlocalstatedir@/krb5kdc/kdc.conf + + .SH SEE ALSO + krb5.conf(5), krb5kdc(8) +Index: krb5-1.6.3/src/configure.in +=================================================================== +--- krb5-1.6.3.orig/src/configure.in ++++ krb5-1.6.3/src/configure.in +@@ -944,6 +944,73 @@ if false; then + fi + + AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) ++ ++mansysconfdir=$sysconfdir ++mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"` ++mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"` ++mansbindir=$sbindir ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"` ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"` ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"` ++manlocalstatedir=$localstatedir ++manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"` ++manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"` ++manlibexecdir=$libexecdir ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"` ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"` ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"` ++AC_SUBST(mansysconfdir) ++AC_SUBST(mansbindir) ++AC_SUBST(manlocalstatedir) ++AC_SUBST(manlibexecdir) ++AC_OUTPUT([ ++ appl/bsd/klogind.M ++ appl/bsd/kshd.M ++ appl/bsd/login.M ++ appl/bsd/rcp.M ++ appl/bsd/rlogin.M ++ appl/bsd/rsh.M ++ appl/bsd/v4rcp.M ++ 
appl/gssftp/ftpd/ftpd.M ++ appl/gssftp/ftp/ftp.M ++ appl/sample/sclient/sclient.M ++ appl/sample/sserver/sserver.M ++ appl/telnet/telnetd/telnetd.8 ++ appl/telnet/telnet/telnet.1 ++ clients/kcpytkt/kcpytkt.M ++ clients/kdeltkt/kdeltkt.M ++ clients/kdestroy/kdestroy.M ++ clients/kinit/kinit.M ++ clients/klist/klist.M ++ clients/kpasswd/kpasswd.M ++ clients/ksu/ksu.M ++ clients/kvno/kvno.M ++ config-files/kdc.conf.M ++ config-files/krb5.conf.M ++ gen-manpages/k5login.M ++ gen-manpages/kerberos.M ++ kadmin/cli/k5srvutil.M ++ kadmin/cli/kadmin.local.M ++ kadmin/cli/kadmin.M ++ kadmin/dbutil/kdb5_util.M ++ kadmin/ktutil/ktutil.M ++ kadmin/passwd/kpasswd.M ++ kadmin/server/kadmind.M ++ kdc/fakeka.M ++ kdc/krb5kdc.M ++ krb524/k524init.M ++ krb524/krb524d.M ++ krb5-config.M ++ plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M ++ slave/kpropd.M ++ slave/kprop.M ++ tests/create/kdb5_mkdums.M ++ util/et/com_err.3 ++ util/et/compile_et.1 ++ util/profile/profile.5 ++ util/send-pr/send-pr.1 ++]) ++ + V5_AC_OUTPUT_MAKEFILE(. + + util util/support util/profile util/send-pr +Index: krb5-1.6.3/src/kadmin/cli/kadmin.M +=================================================================== +--- krb5-1.6.3.orig/src/kadmin/cli/kadmin.M ++++ krb5-1.6.3/src/kadmin/cli/kadmin.M +@@ -808,9 +808,9 @@ option is specified, less verbose status + .RS + .TP + EXAMPLE: +-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin ++kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin + Entry for principal kadmin/admin with kvno 3 removed +- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab. ++ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab. + kadmin: + .RE + .fi +@@ -852,7 +852,7 @@ passwords. + .SH HISTORY + The + .B kadmin +-prorgam was originally written by Tom Yu at MIT, as an interface to the ++program was originally written by Tom Yu at MIT, as an interface to the + OpenVision Kerberos administration program. 
+ .SH SEE ALSO + .IR kerberos (1), +Index: krb5-1.6.3/src/slave/kprop.M +=================================================================== +--- krb5-1.6.3.orig/src/slave/kprop.M ++++ krb5-1.6.3/src/slave/kprop.M +@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv + This is done by transmitting the dumped database file to the slave + server over an encrypted, secure channel. The dump file must be created + by kdb5_util, and is normally KPROP_DEFAULT_FILE +-(/usr/local/var/krb5kdc/slave_datatrans). ++(@manlocalstatedir@/krb5kdc/slave_datatrans). + .SH OPTIONS + .TP + \fB\-r\fP \fIrealm\fP +@@ -51,7 +51,7 @@ is used. + \fB\-f\fP \fIfile\fP + specifies the filename where the dumped principal database file is to be + found; by default the dumped database file is KPROP_DEFAULT_FILE +-(normally /usr/local/var/krb5kdc/slave_datatrans). ++(normally @manlocalstatedir@/krb5kdc/slave_datatrans). + .TP + \fB\-P\fP \fIport\fP + specifies the port to use to contact the +Index: krb5-1.6.3/src/slave/kpropd.M +=================================================================== +--- krb5-1.6.3.orig/src/slave/kpropd.M ++++ krb5-1.6.3/src/slave/kpropd.M +@@ -69,7 +69,7 @@ Normally, kpropd is invoked out of + This is done by adding a line to the inetd.conf file which looks like + this: + +-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd ++kprop stream tcp nowait root @mansbindir@/kpropd kpropd + + However, kpropd can also run as a standalone deamon, if the + .B \-S +@@ -87,13 +87,13 @@ is used. + \fB\-f\fP \fIfile\fP + specifies the filename where the dumped principal database file is to be + stored; by default the dumped database file is KPROPD_DEFAULT_FILE +-(normally /usr/local/var/krb5kdc/from_master). ++(normally @manlocalstatedir@/krb5kdc/from_master). + .TP + .B \-p + allows the user to specify the pathname to the + .IR kdb5_util (8) + program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL +-(normally /usr/local/sbin/kdb5_util). 
++(normally @mansbindir@/kdb5_util). + .TP + .B \-S + turn on standalone mode. Normally, kpropd is invoked out of +@@ -124,14 +124,14 @@ mode. + allows the user to specify the path to the + .KR kpropd.acl + file; by default the path used is KPROPD_ACL_FILE +-(normally /usr/local/var/krb5kdc/kpropd.acl). ++(normally @manlocalstatedir@/krb5kdc/kpropd.acl). + .SH FILES + .TP "\w'kpropd.acl\ \ 'u" + kpropd.acl + Access file for + .BR kpropd ; + the default location is KPROPD_ACL_FILE (normally +-/usr/local/var/krb5kdc/kpropd.acl). ++@manlocalstatedir@/krb5kdc/kpropd.acl). + Each entry is a line containing the principal of a host from which the + local machine will allow Kerberos database propagation via kprop. + .SH SEE ALSO diff --git a/vendor-files.tar.bz2 b/vendor-files.tar.bz2 index 0c99721..45da0d3 100644 --- a/vendor-files.tar.bz2 +++ b/vendor-files.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:6571269211d0d941b7dcf4b72b87d154178529268ef368c4f504e3c251ebb430 -size 186347 +oid sha256:7ccfa471ed0c7e2646316277ef0dd77463263faeb3febed2e3292048dd3f79e4 +size 186569
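Review bot: The configure.in hunk in trunk-manpaths.dif registers the 45 man-page templates through a second `AC_OUTPUT([...])` call, while the line just above it (`AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])`) and the `V5_AC_OUTPUT_MAKEFILE(...)` that follows already drive output generation; `AC_CONFIG_FILES([appl/bsd/klogind.M ...])` is the matching form and avoids a duplicate AC_OUTPUT in the same configure.in. The same 45 paths are repeated verbatim in the new krb5-trunk-manpaths.txt that both spec files use to rename the sources to `.in`, so the two lists must be kept in sync by hand; the patch preamble (currently a single blank line) could say so, e.g. `Keep the AC_OUTPUT file list in sync with krb5-trunk-manpaths.txt; the spec renames those files to .in before configure runs.` Whether the build regenerates configure from the patched configure.in is not visible in this diff; if it does not, the new AC_SUBST variables are never expanded and the `@mansbindir@` / `@manlocalstatedir@` placeholders ship verbatim in the installed man pages.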