Accepting request 28402 from network

Copy from network/krb5 based on submit request 28402 from user coolo

OBS-URL: https://build.opensuse.org/request/show/28402
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=45

krb5-1.4.3-enospc.dif

@@ -1,11 +1,11 @@
 If the error message is going to be ambiguous, try to give the user some clue
 by returning the last error reported by the OS.
 
-Index: trunk/src/clients/kinit/kinit.c
+Index: krb5-1.7/src/clients/kinit/kinit.c
 ===================================================================
---- trunk.orig/src/clients/kinit/kinit.c
-+++ trunk/src/clients/kinit/kinit.c
-@@ -658,8 +658,14 @@ k5_kinit(opts, k5)
+--- krb5-1.7.orig/src/clients/kinit/kinit.c
++++ krb5-1.7/src/clients/kinit/kinit.c
+@@ -670,8 +670,14 @@ k5_kinit(opts, k5)
      code = krb5_cc_initialize(k5->ctx, k5->cc,
  			      opts->canonicalize ? my_creds.client : k5->me);
      if (code) {

krb5-1.7-MITKRB5-SA-2009-003.dif

@@ -0,0 +1,27 @@
+Index: krb5-1.7/src/kdc/do_tgs_req.c
+===================================================================
+--- krb5-1.7.orig/src/kdc/do_tgs_req.c
++++ krb5-1.7/src/kdc/do_tgs_req.c
+@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request
+             free(temp_buf);
+             if (retval) {
+                 /* no match found */
+-                kdc_err(kdc_context, retval, 0);
++                kdc_err(kdc_context, retval, "unable to find realm of host");
+                 goto cleanup;
+             }
+             if (realms == 0) {
+Index: krb5-1.7/src/lib/kadm5/logger.c
+===================================================================
+--- krb5-1.7.orig/src/lib/kadm5/logger.c
++++ krb5-1.7/src/lib/kadm5/logger.c
+@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, lo
+     char	*cp;
+     char	*syslogp;
+ 
++    if (whoami == NULL || format == NULL)
++	return;
++
+     /* Make the header */
+     snprintf(outbuf, sizeof(outbuf), "%s: ", whoami);
+     /*

krb5-1.7-MITKRB5-SA-2009-004.dif

@@ -0,0 +1,377 @@
+Index: krb5-1.7/src/lib/crypto/Makefile.in
+===================================================================
+--- krb5-1.7.orig/src/lib/crypto/Makefile.in
++++ krb5-1.7/src/lib/crypto/Makefile.in
+@@ -18,6 +18,7 @@ EXTRADEPSRCS=\
+ 	$(srcdir)/t_nfold.c	\
+ 	$(srcdir)/t_cf2.c \
+ 	$(srcdir)/t_encrypt.c	\
++	$(srcdir)/t_short.c	\
+ 	$(srcdir)/t_prf.c \
+ 	$(srcdir)/t_prng.c	\
+ 	$(srcdir)/t_hmac.c	\
+@@ -206,7 +207,7 @@ libcrypto.lib:
+ 
+ clean-unix:: clean-liblinks clean-libs clean-libobjs
+ 
+-check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2
++check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 t_short
+ 	$(RUN_SETUP) $(VALGRIND) ./t_nfold
+ 	$(RUN_SETUP) $(VALGRIND) ./t_encrypt
+ 	$(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \
+@@ -216,6 +217,7 @@ check-unix:: t_nfold t_encrypt t_prf t_p
+ 	diff t_prf.output $(srcdir)/t_prf.expected
+ 	$(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output
+ 	diff t_cf2.output $(srcdir)/t_cf2.expected
++	$(RUN_SETUP) $(VALGRIND) ./t_short
+ 
+ 
+ #	$(RUN_SETUP) $(VALGRIND) ./t_pkcs5
+@@ -249,10 +251,14 @@ t_cts$(EXEEXT): t_cts.$(OBJEXT) $(CRYPTO
+ 	$(CC_LINK) -o $@ t_cts.$(OBJEXT) \
+ 		$(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB)
+ 
++t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB)
++	$(CC_LINK) -o $@ t_short.$(OBJEXT) \
++		$(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB)
+ 
+ clean::
+ 	$(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \
+-		t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o t_cf2 t_cf2.o
++		t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \
++		t_cf2 t_cf2.o t_short t_short.o
+ 	-$(RM) t_prng.output
+ 
+ all-windows::
+Index: krb5-1.7/src/lib/crypto/arcfour/arcfour.c
+===================================================================
+--- krb5-1.7.orig/src/lib/crypto/arcfour/arcfour.c
++++ krb5-1.7/src/lib/crypto/arcfour/arcfour.c
+@@ -199,6 +199,12 @@ krb5_arcfour_decrypt(const struct krb5_e
+   keylength = enc->keylength;
+   hashsize = hash->hashsize;
+ 
++  /* Verify input and output lengths. */
++  if (input->length < hashsize + CONFOUNDERLENGTH)
++    return KRB5_BAD_MSIZE;
++  if (output->length < input->length - hashsize - CONFOUNDERLENGTH)
++    return KRB5_BAD_MSIZE;
++
+   d1.length=keybytes;
+   d1.data=malloc(d1.length);
+   if (d1.data == NULL)
+Index: krb5-1.7/src/lib/crypto/enc_provider/aes.c
+===================================================================
+--- krb5-1.7.orig/src/lib/crypto/enc_provider/aes.c
++++ krb5-1.7/src/lib/crypto/enc_provider/aes.c
+@@ -105,9 +105,11 @@ krb5int_aes_encrypt(const krb5_keyblock
+     nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+ 
+     if (nblocks == 1) {
+-	/* XXX Used for DK function.  */
++	/* Used when deriving keys. */
++	if (input->length < BLOCK_SIZE)
++	    return KRB5_BAD_MSIZE;
+ 	enc(output->data, input->data, &ctx);
+-    } else {
++    } else if (nblocks > 1) {
+ 	unsigned int nleft;
+ 
+ 	for (blockno = 0; blockno < nblocks - 2; blockno++) {
+@@ -160,9 +162,9 @@ krb5int_aes_decrypt(const krb5_keyblock
+ 
+     if (nblocks == 1) {
+ 	if (input->length < BLOCK_SIZE)
+-	    abort();
++	    return KRB5_BAD_MSIZE;
+ 	dec(output->data, input->data, &ctx);
+-    } else {
++    } else if (nblocks > 1) {
+ 
+ 	for (blockno = 0; blockno < nblocks - 2; blockno++) {
+ 	    dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx);
+@@ -208,6 +210,7 @@ krb5int_aes_encrypt_iov(const krb5_keybl
+     char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE];
+     int nblocks = 0, blockno;
+     size_t input_length, i;
++    struct iov_block_state input_pos, output_pos;
+ 
+     if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
+ 	abort();
+@@ -224,17 +227,19 @@ krb5int_aes_encrypt_iov(const krb5_keybl
+ 	    input_length += iov->data.length;
+     }
+ 
+-    nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+-
+-    assert(nblocks > 1);
++    IOV_BLOCK_STATE_INIT(&input_pos);
++    IOV_BLOCK_STATE_INIT(&output_pos);
+ 
+-    {
++    nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
++    if (nblocks == 1) {
++       krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE,
++                               data, num_data, &input_pos);
++       enc(tmp2, tmp, &ctx);
++       krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2,
++                               BLOCK_SIZE, &output_pos);
++    } else if (nblocks > 1) {
+ 	char blockN2[BLOCK_SIZE];   /* second last */
+ 	char blockN1[BLOCK_SIZE];   /* last block */
+-	struct iov_block_state input_pos, output_pos;
+-
+-	IOV_BLOCK_STATE_INIT(&input_pos);
+-	IOV_BLOCK_STATE_INIT(&output_pos);
+ 
+ 	for (blockno = 0; blockno < nblocks - 2; blockno++) {
+ 	    char blockN[BLOCK_SIZE];
+@@ -288,6 +293,7 @@ krb5int_aes_decrypt_iov(const krb5_keybl
+     char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
+     int nblocks = 0, blockno, i;
+     size_t input_length;
++    struct iov_block_state input_pos, output_pos;
+ 
+     CHECK_SIZES;
+ 
+@@ -305,18 +311,19 @@ krb5int_aes_decrypt_iov(const krb5_keybl
+ 	if (ENCRYPT_IOV(iov))
+ 	    input_length += iov->data.length;
+     }
++    IOV_BLOCK_STATE_INIT(&input_pos);
++    IOV_BLOCK_STATE_INIT(&output_pos);
+ 
+     nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+-
+-    assert(nblocks > 1);
+-
+-    {
++    if (nblocks == 1) {
++       krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE,
++                               data, num_data, &input_pos);
++       dec(tmp2, tmp, &ctx);
++       krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2,
++                               BLOCK_SIZE, &output_pos);
++    } else if (nblocks > 1) {
+ 	char blockN2[BLOCK_SIZE];   /* second last */
+ 	char blockN1[BLOCK_SIZE];   /* last block */
+-	struct iov_block_state input_pos, output_pos;
+-
+-	IOV_BLOCK_STATE_INIT(&input_pos);
+-	IOV_BLOCK_STATE_INIT(&output_pos);
+ 
+ 	for (blockno = 0; blockno < nblocks - 2; blockno++) {
+ 	    char blockN[BLOCK_SIZE];
+Index: krb5-1.7/src/lib/crypto/old/old_decrypt.c
+===================================================================
+--- krb5-1.7.orig/src/lib/crypto/old/old_decrypt.c
++++ krb5-1.7/src/lib/crypto/old/old_decrypt.c
+@@ -45,8 +45,10 @@ krb5_old_decrypt(const struct krb5_enc_p
+     blocksize = enc->block_size;
+     hashsize = hash->hashsize;
+ 
++    /* Verify input and output lengths. */
++    if (input->length < blocksize + hashsize || input->length % blocksize != 0)
++	return(KRB5_BAD_MSIZE);
+     plainsize = input->length - blocksize - hashsize;
+-
+     if (arg_output->length < plainsize)
+ 	return(KRB5_BAD_MSIZE);
+ 
+Index: krb5-1.7/src/lib/crypto/raw/raw_decrypt.c
+===================================================================
+--- krb5-1.7.orig/src/lib/crypto/raw/raw_decrypt.c
++++ krb5-1.7/src/lib/crypto/raw/raw_decrypt.c
+@@ -34,5 +34,7 @@ krb5_raw_decrypt(const struct krb5_enc_p
+ 		 const krb5_data *ivec, const krb5_data *input,
+ 		 krb5_data *output)
+ {
+-    return((*(enc->decrypt))(key, ivec, input, output));
++	if (output->length < input->length)
++	  return KRB5_BAD_MSIZE;
++    	return((*(enc->decrypt))(key, ivec, input, output));
+ }
+Index: krb5-1.7/src/lib/crypto/t_short.c
+===================================================================
+--- /dev/null
++++ krb5-1.7/src/lib/crypto/t_short.c
+@@ -0,0 +1,128 @@
++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
++/*
++ * lib/crypto/crypto_tests/t_short.c
++ *
++ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
++ * All rights reserved.
++ *
++ * Export of this software from the United States of America may
++ *   require a specific license from the United States Government.
++ *   It is the responsibility of any person or organization contemplating
++ *   export to obtain such a license before exporting.
++ *
++ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
++ * distribute this software and its documentation for any purpose and
++ * without fee is hereby granted, provided that the above copyright
++ * notice appear in all copies and that both that copyright notice and
++ * this permission notice appear in supporting documentation, and that
++ * the name of M.I.T. not be used in advertising or publicity pertaining
++ * to distribution of the software without specific, written prior
++ * permission.  Furthermore if you modify this software you must label
++ * your software as modified software and not distribute it in such a
++ * fashion that it might be confused with the original M.I.T. software.
++ * M.I.T. makes no representations about the suitability of
++ * this software for any purpose.  It is provided "as is" without express
++ * or implied warranty.
++ *
++ * Tests the outcome of decrypting overly short tokens.  This program can be
++ * run under a tool like valgrind to detect bad memory accesses; when run
++ * normally by the test suite, it verifies that each operation returns
++ * KRB5_BAD_MSIZE.
++ */
++
++#include "k5-int.h"
++
++
++krb5_enctype interesting_enctypes[] = {
++    ENCTYPE_DES_CBC_CRC,
++    ENCTYPE_DES_CBC_MD4,
++    ENCTYPE_DES_CBC_MD5,
++    ENCTYPE_DES3_CBC_SHA1,
++    ENCTYPE_ARCFOUR_HMAC,
++    ENCTYPE_ARCFOUR_HMAC_EXP,
++    ENCTYPE_AES256_CTS_HMAC_SHA1_96,
++    ENCTYPE_AES128_CTS_HMAC_SHA1_96,
++    0
++};
++
++/* Abort if an operation unexpectedly fails. */
++static void
++x(krb5_error_code code)
++{
++    if (code != 0)
++        abort();
++}
++
++/* Abort if a decrypt operation doesn't have the expected result. */
++static void
++check_decrypt_result(krb5_error_code code, size_t len, size_t min_len)
++{
++    if (len < min_len) {
++        /* Undersized tokens should always result in BAD_MSIZE. */
++        if (code != KRB5_BAD_MSIZE)
++            abort();
++    } else {
++        /* Min-size tokens should succeed or fail the integrity check. */
++        if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY)
++            abort();
++    }
++}
++
++static void
++test_enctype(krb5_enctype enctype)
++{
++    krb5_error_code ret;
++    krb5_keyblock keyblock;
++    krb5_enc_data input;
++    krb5_data output;
++    krb5_crypto_iov iov[2];
++    unsigned int dummy;
++    size_t min_len, len;
++
++    printf("Testing enctype %d\n", (int) enctype);
++    x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len));
++    x(krb5_c_make_random_key(NULL, enctype, &keyblock));
++    input.enctype = enctype;
++
++    /* Try each length up to the minimum length. */
++    for (len = 0; len <= min_len; len++) {
++        input.ciphertext.data = calloc(len, 1);
++        input.ciphertext.length = len;
++        output.data = calloc(len, 1);
++        output.length = len;
++
++        /* Attempt a normal decryption. */
++        ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output);
++        check_decrypt_result(ret, len, min_len);
++
++        if (krb5_c_crypto_length(NULL, enctype, KRB5_CRYPTO_TYPE_HEADER,
++                                 &dummy) == 0) {
++            /* Attempt an IOV stream decryption. */
++            iov[0].flags = KRB5_CRYPTO_TYPE_STREAM;
++            iov[0].data = input.ciphertext;
++            iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
++            iov[1].data.data = NULL;
++            iov[1].data.length = 0;
++            ret = krb5_c_decrypt_iov(NULL, &keyblock, 0, NULL, iov, 2);
++            check_decrypt_result(ret, len, min_len);
++        }
++
++        free(input.ciphertext.data);
++        free(output.data);
++    }
++}
++
++int
++main(int argc, char **argv)
++{
++    int i;
++    krb5_data notrandom;
++
++    notrandom.data = "notrandom";
++    notrandom.length = 9;
++    krb5_c_random_seed(NULL, &notrandom);
++    for (i = 0; interesting_enctypes[i]; i++)
++        test_enctype(interesting_enctypes[i]);
++    return 0;
++}
++
+Index: krb5-1.7/src/lib/crypto/deps
+===================================================================
+--- krb5-1.7.orig/src/lib/crypto/deps
++++ krb5-1.7/src/lib/crypto/deps
+@@ -463,6 +463,16 @@ t_encrypt.so t_encrypt.po $(OUTPRE)t_enc
+   $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+   $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+   $(SRCTOP)/include/socket-utils.h etypes.h t_encrypt.c
++t_short.so t_short.po $(OUTPRE)t_short.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
++  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
++  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
++  $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
++  $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
++  $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
++  $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
++  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
++  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
++  t_short.c
+ t_prf.so t_prf.po $(OUTPRE)t_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
+Index: krb5-1.7/src/lib/crypto/dk/dk_aead.c
+===================================================================
+--- krb5-1.7.orig/src/lib/crypto/dk/dk_aead.c
++++ krb5-1.7/src/lib/crypto/dk/dk_aead.c
+@@ -248,7 +248,7 @@ krb5int_dk_decrypt_iov(const struct krb5
+     for (i = 0; i < num_data; i++) {
+ 	const krb5_crypto_iov *iov = &data[i];
+ 
+-	if (ENCRYPT_DATA_IOV(iov))
++	if (ENCRYPT_IOV(iov))
+ 	    cipherlen += iov->data.length;
+     }
+ 
+Index: krb5-1.7/src/lib/crypto/dk/dk_decrypt.c
+===================================================================
+--- krb5-1.7.orig/src/lib/crypto/dk/dk_decrypt.c
++++ krb5-1.7/src/lib/crypto/dk/dk_decrypt.c
+@@ -89,6 +89,12 @@ krb5_dk_decrypt_maybe_trunc_hmac(const s
+     else if (hmacsize > hashsize)
+ 	return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ 
++    /* Verify input and output lengths. */
++    if (input->length < blocksize + hmacsize)
++	return KRB5_BAD_MSIZE;
++    if (output->length < input->length - blocksize - hmacsize)
++	return KRB5_BAD_MSIZE;
++
+     enclen = input->length - hmacsize;
+ 
+     if ((kedata = (unsigned char *) malloc(keylength)) == NULL)

krb5-1.7-manpaths.dif

@@ -1,8 +1,8 @@
 
-Index: trunk/src/appl/bsd/klogind.M
+Index: krb5-1.7/src/appl/bsd/klogind.M
 ===================================================================
---- trunk.orig/src/appl/bsd/klogind.M
-+++ trunk/src/appl/bsd/klogind.M
+--- krb5-1.7.orig/src/appl/bsd/klogind.M
++++ krb5-1.7/src/appl/bsd/klogind.M
 @@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when
  the port indicated in /etc/inetd.conf.  A typical /etc/inetd.conf
  configuration line for \fIklogind\fP might be:
@@ -12,10 +12,10 @@ Index: trunk/src/appl/bsd/klogind.M
  
  When a service request is received, the following protocol is initiated:
  
-Index: trunk/src/appl/bsd/kshd.M
+Index: krb5-1.7/src/appl/bsd/kshd.M
 ===================================================================
---- trunk.orig/src/appl/bsd/kshd.M
-+++ trunk/src/appl/bsd/kshd.M
+--- krb5-1.7.orig/src/appl/bsd/kshd.M
++++ krb5-1.7/src/appl/bsd/kshd.M
 @@ -8,7 +8,7 @@
  .SH NAME
  kshd \- kerberized remote shell server
@@ -34,10 +34,10 @@ Index: trunk/src/appl/bsd/kshd.M
  
  When a service request is received, the following protocol is initiated:
  
-Index: trunk/src/appl/sample/sserver/sserver.M
+Index: krb5-1.7/src/appl/sample/sserver/sserver.M
 ===================================================================
---- trunk.orig/src/appl/sample/sserver/sserver.M
-+++ trunk/src/appl/sample/sserver/sserver.M
+--- krb5-1.7.orig/src/appl/sample/sserver/sserver.M
++++ krb5-1.7/src/appl/sample/sserver/sserver.M
 @@ -59,7 +59,7 @@ option allows for a different keytab tha
  using a line in
  /etc/inetd.conf that looks like this:
@@ -47,10 +47,10 @@ Index: trunk/src/appl/sample/sserver/sserver.M
  .PP
  Since \fBsample\fP is normally not a port defined in /etc/services, you will
  usually have to add a line to /etc/services which looks like this:
-Index: trunk/src/appl/telnet/telnetd/telnetd.8
+Index: krb5-1.7/src/appl/telnet/telnetd/telnetd.8
 ===================================================================
---- trunk.orig/src/appl/telnet/telnetd/telnetd.8
-+++ trunk/src/appl/telnet/telnetd/telnetd.8
+--- krb5-1.7.orig/src/appl/telnet/telnetd/telnetd.8
++++ krb5-1.7/src/appl/telnet/telnetd/telnetd.8
 @@ -37,7 +37,7 @@ telnetd \-
  .SM DARPA TELNET
  protocol server
@@ -60,10 +60,10 @@ Index: trunk/src/appl/telnet/telnetd/telnetd.8
  [\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
  [\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
  [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
-Index: trunk/src/config-files/kdc.conf.M
+Index: krb5-1.7/src/config-files/kdc.conf.M
 ===================================================================
---- trunk.orig/src/config-files/kdc.conf.M
-+++ trunk/src/config-files/kdc.conf.M
+--- krb5-1.7.orig/src/config-files/kdc.conf.M
++++ krb5-1.7/src/config-files/kdc.conf.M
 @@ -82,14 +82,14 @@ This
  .B string
  specifies the location of the access control list (acl) file that
@@ -90,10 +90,10 @@ Index: trunk/src/config-files/kdc.conf.M
  
  .SH SEE ALSO
  krb5.conf(5), krb5kdc(8)
-Index: trunk/src/configure.in
+Index: krb5-1.7/src/configure.in
 ===================================================================
---- trunk.orig/src/configure.in
-+++ trunk/src/configure.in
+--- krb5-1.7.orig/src/configure.in
++++ krb5-1.7/src/configure.in
 @@ -1041,6 +1041,69 @@ dnl
  AC_CONFIG_SUBDIRS(appl/libpty appl/bsd appl/gssftp appl/telnet)
  
@@ -164,11 +164,11 @@ Index: trunk/src/configure.in
  V5_AC_OUTPUT_MAKEFILE(.
  
  	util util/support util/profile util/send-pr
-Index: trunk/src/kadmin/cli/kadmin.M
+Index: krb5-1.7/src/kadmin/cli/kadmin.M
 ===================================================================
---- trunk.orig/src/kadmin/cli/kadmin.M
-+++ trunk/src/kadmin/cli/kadmin.M
-@@ -840,9 +840,9 @@ option is specified, less verbose status
+--- krb5-1.7.orig/src/kadmin/cli/kadmin.M
++++ krb5-1.7/src/kadmin/cli/kadmin.M
+@@ -850,9 +850,9 @@ option is specified, less verbose status
  .RS
  .TP
  EXAMPLE:
@@ -180,7 +180,7 @@ Index: trunk/src/kadmin/cli/kadmin.M
  kadmin:
  .RE
  .fi
-@@ -884,7 +884,7 @@ passwords.
+@@ -894,7 +894,7 @@ passwords.
  .SH HISTORY
  The
  .B kadmin
@@ -189,10 +189,10 @@ Index: trunk/src/kadmin/cli/kadmin.M
  OpenVision Kerberos administration program.
  .SH SEE ALSO
  .IR kerberos (1),
-Index: trunk/src/slave/kprop.M
+Index: krb5-1.7/src/slave/kprop.M
 ===================================================================
---- trunk.orig/src/slave/kprop.M
-+++ trunk/src/slave/kprop.M
+--- krb5-1.7.orig/src/slave/kprop.M
++++ krb5-1.7/src/slave/kprop.M
 @@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
  This is done by transmitting the dumped database file to the slave
  server over an encrypted, secure channel.  The dump file must be created
@@ -211,10 +211,10 @@ Index: trunk/src/slave/kprop.M
  .TP
  \fB\-P\fP \fIport\fP
  specifies the port to use to contact the
-Index: trunk/src/slave/kpropd.M
+Index: krb5-1.7/src/slave/kpropd.M
 ===================================================================
---- trunk.orig/src/slave/kpropd.M
-+++ trunk/src/slave/kpropd.M
+--- krb5-1.7.orig/src/slave/kpropd.M
++++ krb5-1.7/src/slave/kpropd.M
 @@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
  This is done by adding a line to the inetd.conf file which looks like
  this:

krb5-doc.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package krb5-doc (Version 1.7)
 #
-# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
 Name:           krb5-doc
 BuildRequires:  ghostscript-library latex2html texlive
 Version:        1.7
-Release:        6
+Release:        7
 %define srcRoot krb5-1.7
 Summary:        MIT Kerberos5 Implementation--Documentation
 License:        MIT License (or similar)

krb5-mini.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Jan  7 11:45:14 CET 2010 - mc@suse.de
+
+- fix KDC denial of service in cross-realm referral processing
+  CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)
+- fix integer underflow in AES and RC4 decryption
+  CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) 
+
+-------------------------------------------------------------------
+Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de
+
+- add baselibs.conf as a source
+
 -------------------------------------------------------------------
 Fri Nov 13 16:51:37 CET 2009 - mc@suse.de
 

krb5-mini.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package krb5-mini (Version 1.7)
 #
-# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,7 +28,7 @@ Url:            http://web.mit.edu/kerberos/www/
 BuildRequires:  bison libcom_err-devel ncurses-devel
 BuildRequires:  keyutils keyutils-devel
 Version:        1.7
-Release:        6
+Release:        7
 %if ! 0%{?build_mini}
 BuildRequires:  libopenssl-devel openldap2-devel
 # bug437293
@@ -46,6 +46,7 @@ Source:         krb5-1.7.tar.bz2
 Source1:        vendor-files.tar.bz2
 Source2:        README.Source
 Source3:        spx.c
+Source4:        baselibs.conf
 Source5:        krb5-%{version}-rpmlintrc
 Source10:       krb5-1.7-manpaths.txt
 Patch2:         krb5-1.6.1-compile_pie.dif 
@@ -58,6 +59,8 @@ Patch34:        krb5-1.6.3-gssapi_improve_errormessages.dif
 Patch41:        krb5-1.6.3-kpasswd_tcp.patch
 Patch44:        krb5-1.6.3-ktutil-manpage.dif
 Patch46:        krb5-1.6.3-fix-ipv6-query.dif
+Patch47:        krb5-1.7-MITKRB5-SA-2009-003.dif
+Patch48:        krb5-1.7-MITKRB5-SA-2009-004.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %insserv_prereq %fillup_prereq 
@@ -254,6 +257,8 @@ fi
 %patch41 
 %patch44 -p1
 %patch46 -p1
+%patch47 -p1
+%patch48 -p1
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do

krb5.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Jan  7 11:45:14 CET 2010 - mc@suse.de
+
+- fix KDC denial of service in cross-realm referral processing
+  CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)
+- fix integer underflow in AES and RC4 decryption
+  CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) 
+
+-------------------------------------------------------------------
+Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de
+
+- add baselibs.conf as a source
+
 -------------------------------------------------------------------
 Fri Nov 13 16:51:37 CET 2009 - mc@suse.de
 

krb5.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package krb5 (Version 1.7)
 #
-# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,7 +28,7 @@ Url:            http://web.mit.edu/kerberos/www/
 BuildRequires:  bison libcom_err-devel ncurses-devel
 BuildRequires:  keyutils keyutils-devel
 Version:        1.7
-Release:        6
+Release:        7
 %if ! 0%{?build_mini}
 BuildRequires:  libopenssl-devel openldap2-devel
 # bug437293
@@ -46,6 +46,7 @@ Source:         krb5-1.7.tar.bz2
 Source1:        vendor-files.tar.bz2
 Source2:        README.Source
 Source3:        spx.c
+Source4:        baselibs.conf
 Source5:        krb5-%{version}-rpmlintrc
 Source10:       krb5-1.7-manpaths.txt
 Patch2:         krb5-1.6.1-compile_pie.dif 
@@ -58,6 +59,8 @@ Patch34:        krb5-1.6.3-gssapi_improve_errormessages.dif
 Patch41:        krb5-1.6.3-kpasswd_tcp.patch
 Patch44:        krb5-1.6.3-ktutil-manpage.dif
 Patch46:        krb5-1.6.3-fix-ipv6-query.dif
+Patch47:        krb5-1.7-MITKRB5-SA-2009-003.dif
+Patch48:        krb5-1.7-MITKRB5-SA-2009-004.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %insserv_prereq %fillup_prereq 
@@ -254,6 +257,8 @@ fi
 %patch41 
 %patch44 -p1
 %patch46 -p1
+%patch47 -p1
+%patch48 -p1
 # Rename the man pages so that they'll get generated correctly.
 pushd src
 cat %{SOURCE10} | while read manpage ; do