
Accepting request 28402 from network

Copy from network/krb5 based on submit request 28402 from user coolo

OBS-URL: https://build.opensuse.org/request/show/28402
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=45
OBS User autobuild 2010-01-14 14:34:47 +00:00 committed by Git OBS Bridge
parent 7f71d89cdd
commit 5670e1eed5
9 changed files with 479 additions and 39 deletions


@ -1,11 +1,11 @@
If the error message is going to be ambiguous, try to give the user some clue If the error message is going to be ambiguous, try to give the user some clue
by returning the last error reported by the OS. by returning the last error reported by the OS.
Index: trunk/src/clients/kinit/kinit.c Index: krb5-1.7/src/clients/kinit/kinit.c
=================================================================== ===================================================================
--- trunk.orig/src/clients/kinit/kinit.c --- krb5-1.7.orig/src/clients/kinit/kinit.c
+++ trunk/src/clients/kinit/kinit.c +++ krb5-1.7/src/clients/kinit/kinit.c
@@ -658,8 +658,14 @@ k5_kinit(opts, k5) @@ -670,8 +670,14 @@ k5_kinit(opts, k5)
code = krb5_cc_initialize(k5->ctx, k5->cc, code = krb5_cc_initialize(k5->ctx, k5->cc,
opts->canonicalize ? my_creds.client : k5->me); opts->canonicalize ? my_creds.client : k5->me);
if (code) { if (code) {


@ -0,0 +1,27 @@
Index: krb5-1.7/src/kdc/do_tgs_req.c
===================================================================
--- krb5-1.7.orig/src/kdc/do_tgs_req.c
+++ krb5-1.7/src/kdc/do_tgs_req.c
@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request
free(temp_buf);
if (retval) {
/* no match found */
- kdc_err(kdc_context, retval, 0);
+ kdc_err(kdc_context, retval, "unable to find realm of host");
goto cleanup;
}
if (realms == 0) {
Index: krb5-1.7/src/lib/kadm5/logger.c
===================================================================
--- krb5-1.7.orig/src/lib/kadm5/logger.c
+++ krb5-1.7/src/lib/kadm5/logger.c
@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, lo
char *cp;
char *syslogp;
+ if (whoami == NULL || format == NULL)
+ return;
+
/* Make the header */
snprintf(outbuf, sizeof(outbuf), "%s: ", whoami);
/*
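Review bot: The guard added to klog_com_err_proc returns without emitting anything when `whoami` or `format` is NULL, so the event the caller was trying to report is dropped silently and leaves no trace for an operator. A NULL `whoami` could instead be replaced with a fixed label, `if (whoami == NULL) whoami = "(null)";`, and only the formatted part skipped when `format` is NULL, so the header and any error text are still logged. The do_tgs_req.c hunk repairs one call that passed `0` as the format; other kdc_err callers are not visible in this patch and may deserve a check for the same pattern. The body of klog_com_err_proc continues outside the hunk, so later uses of `format` could not be reviewed here.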


@ -0,0 +1,377 @@
Index: krb5-1.7/src/lib/crypto/Makefile.in
===================================================================
--- krb5-1.7.orig/src/lib/crypto/Makefile.in
+++ krb5-1.7/src/lib/crypto/Makefile.in
@@ -18,6 +18,7 @@ EXTRADEPSRCS=\
$(srcdir)/t_nfold.c \
$(srcdir)/t_cf2.c \
$(srcdir)/t_encrypt.c \
+ $(srcdir)/t_short.c \
$(srcdir)/t_prf.c \
$(srcdir)/t_prng.c \
$(srcdir)/t_hmac.c \
@@ -206,7 +207,7 @@ libcrypto.lib:
clean-unix:: clean-liblinks clean-libs clean-libobjs
-check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2
+check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 t_short
$(RUN_SETUP) $(VALGRIND) ./t_nfold
$(RUN_SETUP) $(VALGRIND) ./t_encrypt
$(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \
@@ -216,6 +217,7 @@ check-unix:: t_nfold t_encrypt t_prf t_p
diff t_prf.output $(srcdir)/t_prf.expected
$(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output
diff t_cf2.output $(srcdir)/t_cf2.expected
+ $(RUN_SETUP) $(VALGRIND) ./t_short
# $(RUN_SETUP) $(VALGRIND) ./t_pkcs5
@@ -249,10 +251,14 @@ t_cts$(EXEEXT): t_cts.$(OBJEXT) $(CRYPTO
$(CC_LINK) -o $@ t_cts.$(OBJEXT) \
$(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB)
+t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB)
+ $(CC_LINK) -o $@ t_short.$(OBJEXT) \
+ $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB)
clean::
$(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \
- t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o t_cf2 t_cf2.o
+ t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \
+ t_cf2 t_cf2.o t_short t_short.o
-$(RM) t_prng.output
all-windows::
Index: krb5-1.7/src/lib/crypto/arcfour/arcfour.c
===================================================================
--- krb5-1.7.orig/src/lib/crypto/arcfour/arcfour.c
+++ krb5-1.7/src/lib/crypto/arcfour/arcfour.c
@@ -199,6 +199,12 @@ krb5_arcfour_decrypt(const struct krb5_e
keylength = enc->keylength;
hashsize = hash->hashsize;
+ /* Verify input and output lengths. */
+ if (input->length < hashsize + CONFOUNDERLENGTH)
+ return KRB5_BAD_MSIZE;
+ if (output->length < input->length - hashsize - CONFOUNDERLENGTH)
+ return KRB5_BAD_MSIZE;
+
d1.length=keybytes;
d1.data=malloc(d1.length);
if (d1.data == NULL)
Index: krb5-1.7/src/lib/crypto/enc_provider/aes.c
===================================================================
--- krb5-1.7.orig/src/lib/crypto/enc_provider/aes.c
+++ krb5-1.7/src/lib/crypto/enc_provider/aes.c
@@ -105,9 +105,11 @@ krb5int_aes_encrypt(const krb5_keyblock
nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE;
if (nblocks == 1) {
- /* XXX Used for DK function. */
+ /* Used when deriving keys. */
+ if (input->length < BLOCK_SIZE)
+ return KRB5_BAD_MSIZE;
enc(output->data, input->data, &ctx);
- } else {
+ } else if (nblocks > 1) {
unsigned int nleft;
for (blockno = 0; blockno < nblocks - 2; blockno++) {
@@ -160,9 +162,9 @@ krb5int_aes_decrypt(const krb5_keyblock
if (nblocks == 1) {
if (input->length < BLOCK_SIZE)
- abort();
+ return KRB5_BAD_MSIZE;
dec(output->data, input->data, &ctx);
- } else {
+ } else if (nblocks > 1) {
for (blockno = 0; blockno < nblocks - 2; blockno++) {
dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx);
@@ -208,6 +210,7 @@ krb5int_aes_encrypt_iov(const krb5_keybl
char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE];
int nblocks = 0, blockno;
size_t input_length, i;
+ struct iov_block_state input_pos, output_pos;
if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
abort();
@@ -224,17 +227,19 @@ krb5int_aes_encrypt_iov(const krb5_keybl
input_length += iov->data.length;
}
- nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
-
- assert(nblocks > 1);
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
- {
+ nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+ if (nblocks == 1) {
+ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE,
+ data, num_data, &input_pos);
+ enc(tmp2, tmp, &ctx);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2,
+ BLOCK_SIZE, &output_pos);
+ } else if (nblocks > 1) {
char blockN2[BLOCK_SIZE]; /* second last */
char blockN1[BLOCK_SIZE]; /* last block */
- struct iov_block_state input_pos, output_pos;
-
- IOV_BLOCK_STATE_INIT(&input_pos);
- IOV_BLOCK_STATE_INIT(&output_pos);
for (blockno = 0; blockno < nblocks - 2; blockno++) {
char blockN[BLOCK_SIZE];
@@ -288,6 +293,7 @@ krb5int_aes_decrypt_iov(const krb5_keybl
char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
int nblocks = 0, blockno, i;
size_t input_length;
+ struct iov_block_state input_pos, output_pos;
CHECK_SIZES;
@@ -305,18 +311,19 @@ krb5int_aes_decrypt_iov(const krb5_keybl
if (ENCRYPT_IOV(iov))
input_length += iov->data.length;
}
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
-
- assert(nblocks > 1);
-
- {
+ if (nblocks == 1) {
+ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE,
+ data, num_data, &input_pos);
+ dec(tmp2, tmp, &ctx);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2,
+ BLOCK_SIZE, &output_pos);
+ } else if (nblocks > 1) {
char blockN2[BLOCK_SIZE]; /* second last */
char blockN1[BLOCK_SIZE]; /* last block */
- struct iov_block_state input_pos, output_pos;
-
- IOV_BLOCK_STATE_INIT(&input_pos);
- IOV_BLOCK_STATE_INIT(&output_pos);
for (blockno = 0; blockno < nblocks - 2; blockno++) {
char blockN[BLOCK_SIZE];
Index: krb5-1.7/src/lib/crypto/old/old_decrypt.c
===================================================================
--- krb5-1.7.orig/src/lib/crypto/old/old_decrypt.c
+++ krb5-1.7/src/lib/crypto/old/old_decrypt.c
@@ -45,8 +45,10 @@ krb5_old_decrypt(const struct krb5_enc_p
blocksize = enc->block_size;
hashsize = hash->hashsize;
+ /* Verify input and output lengths. */
+ if (input->length < blocksize + hashsize || input->length % blocksize != 0)
+ return(KRB5_BAD_MSIZE);
plainsize = input->length - blocksize - hashsize;
-
if (arg_output->length < plainsize)
return(KRB5_BAD_MSIZE);
Index: krb5-1.7/src/lib/crypto/raw/raw_decrypt.c
===================================================================
--- krb5-1.7.orig/src/lib/crypto/raw/raw_decrypt.c
+++ krb5-1.7/src/lib/crypto/raw/raw_decrypt.c
@@ -34,5 +34,7 @@ krb5_raw_decrypt(const struct krb5_enc_p
const krb5_data *ivec, const krb5_data *input,
krb5_data *output)
{
- return((*(enc->decrypt))(key, ivec, input, output));
+ if (output->length < input->length)
+ return KRB5_BAD_MSIZE;
+ return((*(enc->decrypt))(key, ivec, input, output));
}
Index: krb5-1.7/src/lib/crypto/t_short.c
===================================================================
--- /dev/null
+++ krb5-1.7/src/lib/crypto/t_short.c
@@ -0,0 +1,128 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/crypto/crypto_tests/t_short.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * Tests the outcome of decrypting overly short tokens. This program can be
+ * run under a tool like valgrind to detect bad memory accesses; when run
+ * normally by the test suite, it verifies that each operation returns
+ * KRB5_BAD_MSIZE.
+ */
+
+#include "k5-int.h"
+
+
+krb5_enctype interesting_enctypes[] = {
+ ENCTYPE_DES_CBC_CRC,
+ ENCTYPE_DES_CBC_MD4,
+ ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_DES3_CBC_SHA1,
+ ENCTYPE_ARCFOUR_HMAC,
+ ENCTYPE_ARCFOUR_HMAC_EXP,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ 0
+};
+
+/* Abort if an operation unexpectedly fails. */
+static void
+x(krb5_error_code code)
+{
+ if (code != 0)
+ abort();
+}
+
+/* Abort if a decrypt operation doesn't have the expected result. */
+static void
+check_decrypt_result(krb5_error_code code, size_t len, size_t min_len)
+{
+ if (len < min_len) {
+ /* Undersized tokens should always result in BAD_MSIZE. */
+ if (code != KRB5_BAD_MSIZE)
+ abort();
+ } else {
+ /* Min-size tokens should succeed or fail the integrity check. */
+ if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY)
+ abort();
+ }
+}
+
+static void
+test_enctype(krb5_enctype enctype)
+{
+ krb5_error_code ret;
+ krb5_keyblock keyblock;
+ krb5_enc_data input;
+ krb5_data output;
+ krb5_crypto_iov iov[2];
+ unsigned int dummy;
+ size_t min_len, len;
+
+ printf("Testing enctype %d\n", (int) enctype);
+ x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len));
+ x(krb5_c_make_random_key(NULL, enctype, &keyblock));
+ input.enctype = enctype;
+
+ /* Try each length up to the minimum length. */
+ for (len = 0; len <= min_len; len++) {
+ input.ciphertext.data = calloc(len, 1);
+ input.ciphertext.length = len;
+ output.data = calloc(len, 1);
+ output.length = len;
+
+ /* Attempt a normal decryption. */
+ ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output);
+ check_decrypt_result(ret, len, min_len);
+
+ if (krb5_c_crypto_length(NULL, enctype, KRB5_CRYPTO_TYPE_HEADER,
+ &dummy) == 0) {
+ /* Attempt an IOV stream decryption. */
+ iov[0].flags = KRB5_CRYPTO_TYPE_STREAM;
+ iov[0].data = input.ciphertext;
+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
+ iov[1].data.data = NULL;
+ iov[1].data.length = 0;
+ ret = krb5_c_decrypt_iov(NULL, &keyblock, 0, NULL, iov, 2);
+ check_decrypt_result(ret, len, min_len);
+ }
+
+ free(input.ciphertext.data);
+ free(output.data);
+ }
+}
+
+int
+main(int argc, char **argv)
+{
+ int i;
+ krb5_data notrandom;
+
+ notrandom.data = "notrandom";
+ notrandom.length = 9;
+ krb5_c_random_seed(NULL, &notrandom);
+ for (i = 0; interesting_enctypes[i]; i++)
+ test_enctype(interesting_enctypes[i]);
+ return 0;
+}
+
Index: krb5-1.7/src/lib/crypto/deps
===================================================================
--- krb5-1.7.orig/src/lib/crypto/deps
+++ krb5-1.7/src/lib/crypto/deps
@@ -463,6 +463,16 @@ t_encrypt.so t_encrypt.po $(OUTPRE)t_enc
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h etypes.h t_encrypt.c
+t_short.so t_short.po $(OUTPRE)t_short.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ t_short.c
t_prf.so t_prf.po $(OUTPRE)t_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
Index: krb5-1.7/src/lib/crypto/dk/dk_aead.c
===================================================================
--- krb5-1.7.orig/src/lib/crypto/dk/dk_aead.c
+++ krb5-1.7/src/lib/crypto/dk/dk_aead.c
@@ -248,7 +248,7 @@ krb5int_dk_decrypt_iov(const struct krb5
for (i = 0; i < num_data; i++) {
const krb5_crypto_iov *iov = &data[i];
- if (ENCRYPT_DATA_IOV(iov))
+ if (ENCRYPT_IOV(iov))
cipherlen += iov->data.length;
}
Index: krb5-1.7/src/lib/crypto/dk/dk_decrypt.c
===================================================================
--- krb5-1.7.orig/src/lib/crypto/dk/dk_decrypt.c
+++ krb5-1.7/src/lib/crypto/dk/dk_decrypt.c
@@ -89,6 +89,12 @@ krb5_dk_decrypt_maybe_trunc_hmac(const s
else if (hmacsize > hashsize)
return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ /* Verify input and output lengths. */
+ if (input->length < blocksize + hmacsize)
+ return KRB5_BAD_MSIZE;
+ if (output->length < input->length - blocksize - hmacsize)
+ return KRB5_BAD_MSIZE;
+
enclen = input->length - hmacsize;
if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
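Review bot: The new `nblocks == 1` branches in krb5int_aes_encrypt_iov and krb5int_aes_decrypt_iov have no length check, while the non-IOV krb5int_aes_encrypt and krb5int_aes_decrypt in the same file now return KRB5_BAD_MSIZE when `input->length < BLOCK_SIZE`. With one block the summed `input_length` can be anything from 1 to BLOCK_SIZE, yet both branches request a full BLOCK_SIZE from krb5int_c_iov_get_block and pass a full block to krb5int_c_iov_put_block. Whether a short block is padded on read and clipped on write depends on those helpers and on CHECK_SIZES, none of which this patch shows. Either add `if (input_length < BLOCK_SIZE) return KRB5_BAD_MSIZE;` before the branch, or add a comment stating which helper guarantees the bound. Both IOV functions start and end outside their hunks, and the `nblocks == 0` fall-through they now share with the non-IOV paths is likewise resolved outside the visible lines.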


@ -1,8 +1,8 @@
Index: trunk/src/appl/bsd/klogind.M Index: krb5-1.7/src/appl/bsd/klogind.M
=================================================================== ===================================================================
--- trunk.orig/src/appl/bsd/klogind.M --- krb5-1.7.orig/src/appl/bsd/klogind.M
+++ trunk/src/appl/bsd/klogind.M +++ krb5-1.7/src/appl/bsd/klogind.M
@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when @@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when
the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
configuration line for \fIklogind\fP might be: configuration line for \fIklogind\fP might be:
@ -12,10 +12,10 @@ Index: trunk/src/appl/bsd/klogind.M
When a service request is received, the following protocol is initiated: When a service request is received, the following protocol is initiated:
Index: trunk/src/appl/bsd/kshd.M Index: krb5-1.7/src/appl/bsd/kshd.M
=================================================================== ===================================================================
--- trunk.orig/src/appl/bsd/kshd.M --- krb5-1.7.orig/src/appl/bsd/kshd.M
+++ trunk/src/appl/bsd/kshd.M +++ krb5-1.7/src/appl/bsd/kshd.M
@@ -8,7 +8,7 @@ @@ -8,7 +8,7 @@
.SH NAME .SH NAME
kshd \- kerberized remote shell server kshd \- kerberized remote shell server
@ -34,10 +34,10 @@ Index: trunk/src/appl/bsd/kshd.M
When a service request is received, the following protocol is initiated: When a service request is received, the following protocol is initiated:
Index: trunk/src/appl/sample/sserver/sserver.M Index: krb5-1.7/src/appl/sample/sserver/sserver.M
=================================================================== ===================================================================
--- trunk.orig/src/appl/sample/sserver/sserver.M --- krb5-1.7.orig/src/appl/sample/sserver/sserver.M
+++ trunk/src/appl/sample/sserver/sserver.M +++ krb5-1.7/src/appl/sample/sserver/sserver.M
@@ -59,7 +59,7 @@ option allows for a different keytab tha @@ -59,7 +59,7 @@ option allows for a different keytab tha
using a line in using a line in
/etc/inetd.conf that looks like this: /etc/inetd.conf that looks like this:
@ -47,10 +47,10 @@ Index: trunk/src/appl/sample/sserver/sserver.M
.PP .PP
Since \fBsample\fP is normally not a port defined in /etc/services, you will Since \fBsample\fP is normally not a port defined in /etc/services, you will
usually have to add a line to /etc/services which looks like this: usually have to add a line to /etc/services which looks like this:
Index: trunk/src/appl/telnet/telnetd/telnetd.8 Index: krb5-1.7/src/appl/telnet/telnetd/telnetd.8
=================================================================== ===================================================================
--- trunk.orig/src/appl/telnet/telnetd/telnetd.8 --- krb5-1.7.orig/src/appl/telnet/telnetd/telnetd.8
+++ trunk/src/appl/telnet/telnetd/telnetd.8 +++ krb5-1.7/src/appl/telnet/telnetd/telnetd.8
@@ -37,7 +37,7 @@ telnetd \- @@ -37,7 +37,7 @@ telnetd \-
.SM DARPA TELNET .SM DARPA TELNET
protocol server protocol server
@ -60,10 +60,10 @@ Index: trunk/src/appl/telnet/telnetd/telnetd.8
[\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP] [\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
[\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP] [\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
[\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP] [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
Index: trunk/src/config-files/kdc.conf.M Index: krb5-1.7/src/config-files/kdc.conf.M
=================================================================== ===================================================================
--- trunk.orig/src/config-files/kdc.conf.M --- krb5-1.7.orig/src/config-files/kdc.conf.M
+++ trunk/src/config-files/kdc.conf.M +++ krb5-1.7/src/config-files/kdc.conf.M
@@ -82,14 +82,14 @@ This @@ -82,14 +82,14 @@ This
.B string .B string
specifies the location of the access control list (acl) file that specifies the location of the access control list (acl) file that
@ -90,10 +90,10 @@ Index: trunk/src/config-files/kdc.conf.M
.SH SEE ALSO .SH SEE ALSO
krb5.conf(5), krb5kdc(8) krb5.conf(5), krb5kdc(8)
Index: trunk/src/configure.in Index: krb5-1.7/src/configure.in
=================================================================== ===================================================================
--- trunk.orig/src/configure.in --- krb5-1.7.orig/src/configure.in
+++ trunk/src/configure.in +++ krb5-1.7/src/configure.in
@@ -1041,6 +1041,69 @@ dnl @@ -1041,6 +1041,69 @@ dnl
AC_CONFIG_SUBDIRS(appl/libpty appl/bsd appl/gssftp appl/telnet) AC_CONFIG_SUBDIRS(appl/libpty appl/bsd appl/gssftp appl/telnet)
@ -164,11 +164,11 @@ Index: trunk/src/configure.in
V5_AC_OUTPUT_MAKEFILE(. V5_AC_OUTPUT_MAKEFILE(.
util util/support util/profile util/send-pr util util/support util/profile util/send-pr
Index: trunk/src/kadmin/cli/kadmin.M Index: krb5-1.7/src/kadmin/cli/kadmin.M
=================================================================== ===================================================================
--- trunk.orig/src/kadmin/cli/kadmin.M --- krb5-1.7.orig/src/kadmin/cli/kadmin.M
+++ trunk/src/kadmin/cli/kadmin.M +++ krb5-1.7/src/kadmin/cli/kadmin.M
@@ -840,9 +840,9 @@ option is specified, less verbose status @@ -850,9 +850,9 @@ option is specified, less verbose status
.RS .RS
.TP .TP
EXAMPLE: EXAMPLE:
@ -180,7 +180,7 @@ Index: trunk/src/kadmin/cli/kadmin.M
kadmin: kadmin:
.RE .RE
.fi .fi
@@ -884,7 +884,7 @@ passwords. @@ -894,7 +894,7 @@ passwords.
.SH HISTORY .SH HISTORY
The The
.B kadmin .B kadmin
@ -189,10 +189,10 @@ Index: trunk/src/kadmin/cli/kadmin.M
OpenVision Kerberos administration program. OpenVision Kerberos administration program.
.SH SEE ALSO .SH SEE ALSO
.IR kerberos (1), .IR kerberos (1),
Index: trunk/src/slave/kprop.M Index: krb5-1.7/src/slave/kprop.M
=================================================================== ===================================================================
--- trunk.orig/src/slave/kprop.M --- krb5-1.7.orig/src/slave/kprop.M
+++ trunk/src/slave/kprop.M +++ krb5-1.7/src/slave/kprop.M
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv @@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
This is done by transmitting the dumped database file to the slave This is done by transmitting the dumped database file to the slave
server over an encrypted, secure channel. The dump file must be created server over an encrypted, secure channel. The dump file must be created
@ -211,10 +211,10 @@ Index: trunk/src/slave/kprop.M
.TP .TP
\fB\-P\fP \fIport\fP \fB\-P\fP \fIport\fP
specifies the port to use to contact the specifies the port to use to contact the
Index: trunk/src/slave/kpropd.M Index: krb5-1.7/src/slave/kpropd.M
=================================================================== ===================================================================
--- trunk.orig/src/slave/kpropd.M --- krb5-1.7.orig/src/slave/kpropd.M
+++ trunk/src/slave/kpropd.M +++ krb5-1.7/src/slave/kpropd.M
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of @@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
This is done by adding a line to the inetd.conf file which looks like This is done by adding a line to the inetd.conf file which looks like
this: this:


@ -1,7 +1,7 @@
# #
# spec file for package krb5-doc (Version 1.7) # spec file for package krb5-doc (Version 1.7)
# #
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -21,7 +21,7 @@
Name: krb5-doc Name: krb5-doc
BuildRequires: ghostscript-library latex2html texlive BuildRequires: ghostscript-library latex2html texlive
Version: 1.7 Version: 1.7
Release: 6 Release: 7
%define srcRoot krb5-1.7 %define srcRoot krb5-1.7
Summary: MIT Kerberos5 Implementation--Documentation Summary: MIT Kerberos5 Implementation--Documentation
License: MIT License (or similar) License: MIT License (or similar)


@ -1,3 +1,16 @@
-------------------------------------------------------------------
Thu Jan 7 11:45:14 CET 2010 - mc@suse.de
- fix KDC denial of service in cross-realm referral processing
CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)
- fix integer underflow in AES and RC4 decryption
CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
-------------------------------------------------------------------
Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de
- add baselibs.conf as a source
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Nov 13 16:51:37 CET 2009 - mc@suse.de Fri Nov 13 16:51:37 CET 2009 - mc@suse.de


@ -1,7 +1,7 @@
# #
# spec file for package krb5-mini (Version 1.7) # spec file for package krb5-mini (Version 1.7)
# #
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -28,7 +28,7 @@ Url: http://web.mit.edu/kerberos/www/
BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: bison libcom_err-devel ncurses-devel
BuildRequires: keyutils keyutils-devel BuildRequires: keyutils keyutils-devel
Version: 1.7 Version: 1.7
Release: 6 Release: 7
%if ! 0%{?build_mini} %if ! 0%{?build_mini}
BuildRequires: libopenssl-devel openldap2-devel BuildRequires: libopenssl-devel openldap2-devel
# bug437293 # bug437293
@ -46,6 +46,7 @@ Source: krb5-1.7.tar.bz2
Source1: vendor-files.tar.bz2 Source1: vendor-files.tar.bz2
Source2: README.Source Source2: README.Source
Source3: spx.c Source3: spx.c
Source4: baselibs.conf
Source5: krb5-%{version}-rpmlintrc Source5: krb5-%{version}-rpmlintrc
Source10: krb5-1.7-manpaths.txt Source10: krb5-1.7-manpaths.txt
Patch2: krb5-1.6.1-compile_pie.dif Patch2: krb5-1.6.1-compile_pie.dif
@ -58,6 +59,8 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch41: krb5-1.6.3-kpasswd_tcp.patch
Patch44: krb5-1.6.3-ktutil-manpage.dif Patch44: krb5-1.6.3-ktutil-manpage.dif
Patch46: krb5-1.6.3-fix-ipv6-query.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif
Patch47: krb5-1.7-MITKRB5-SA-2009-003.dif
Patch48: krb5-1.7-MITKRB5-SA-2009-004.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq PreReq: %insserv_prereq %fillup_prereq
@ -254,6 +257,8 @@ fi
%patch41 %patch41
%patch44 -p1 %patch44 -p1
%patch46 -p1 %patch46 -p1
%patch47 -p1
%patch48 -p1
# Rename the man pages so that they'll get generated correctly. # Rename the man pages so that they'll get generated correctly.
pushd src pushd src
cat %{SOURCE10} | while read manpage ; do cat %{SOURCE10} | while read manpage ; do


@ -1,3 +1,16 @@
-------------------------------------------------------------------
Thu Jan 7 11:45:14 CET 2010 - mc@suse.de
- fix KDC denial of service in cross-realm referral processing
CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)
- fix integer underflow in AES and RC4 decryption
CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
-------------------------------------------------------------------
Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de
- add baselibs.conf as a source
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Nov 13 16:51:37 CET 2009 - mc@suse.de Fri Nov 13 16:51:37 CET 2009 - mc@suse.de


@ -1,7 +1,7 @@
# #
# spec file for package krb5 (Version 1.7) # spec file for package krb5 (Version 1.7)
# #
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -28,7 +28,7 @@ Url: http://web.mit.edu/kerberos/www/
BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: bison libcom_err-devel ncurses-devel
BuildRequires: keyutils keyutils-devel BuildRequires: keyutils keyutils-devel
Version: 1.7 Version: 1.7
Release: 6 Release: 7
%if ! 0%{?build_mini} %if ! 0%{?build_mini}
BuildRequires: libopenssl-devel openldap2-devel BuildRequires: libopenssl-devel openldap2-devel
# bug437293 # bug437293
@ -46,6 +46,7 @@ Source: krb5-1.7.tar.bz2
Source1: vendor-files.tar.bz2 Source1: vendor-files.tar.bz2
Source2: README.Source Source2: README.Source
Source3: spx.c Source3: spx.c
Source4: baselibs.conf
Source5: krb5-%{version}-rpmlintrc Source5: krb5-%{version}-rpmlintrc
Source10: krb5-1.7-manpaths.txt Source10: krb5-1.7-manpaths.txt
Patch2: krb5-1.6.1-compile_pie.dif Patch2: krb5-1.6.1-compile_pie.dif
@ -58,6 +59,8 @@ Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch41: krb5-1.6.3-kpasswd_tcp.patch
Patch44: krb5-1.6.3-ktutil-manpage.dif Patch44: krb5-1.6.3-ktutil-manpage.dif
Patch46: krb5-1.6.3-fix-ipv6-query.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif
Patch47: krb5-1.7-MITKRB5-SA-2009-003.dif
Patch48: krb5-1.7-MITKRB5-SA-2009-004.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq PreReq: %insserv_prereq %fillup_prereq
@ -254,6 +257,8 @@ fi
%patch41 %patch41
%patch44 -p1 %patch44 -p1
%patch46 -p1 %patch46 -p1
%patch47 -p1
%patch48 -p1
# Rename the man pages so that they'll get generated correctly. # Rename the man pages so that they'll get generated correctly.
pushd src pushd src
cat %{SOURCE10} | while read manpage ; do cat %{SOURCE10} | while read manpage ; do