OBS User unknown 2008-05-17 00:39:26 +00:00 committed by Git OBS Bridge
parent 983d9ce5de
commit 7a79e440be
6 changed files with 106 additions and 3 deletions


@ -14,7 +14,7 @@
Name: krb5-doc
BuildRequires: ghostscript-library latex2html texlive
Version: 1.6.3
Release: 63
Release: 77
%define srcRoot krb5-1.6.3
Summary: MIT Kerberos5 Implementation--Documentation
License: X11/MIT


@ -14,7 +14,7 @@
Name: krb5-plugins
Version: 1.6.3
Release: 7
Release: 8
BuildRequires: bison krb5-devel ncurses-devel openldap2-devel
%define srcRoot krb5-1.6.3
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
@ -55,6 +55,8 @@ Patch37: krb5-1.6-fix-CVE-2007-5971.dif
Patch38: krb5-1.6-fix-CVE-2007-5972.dif
Patch39: krb5-1.6-MITKRB5-SA-2008-001.dif
Patch40: krb5-1.6-MITKRB5-SA-2008-002.dif
Patch41: krb5-trunk-kpasswd_tcp.patch
Patch42: krb5-trunk-seqnum.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -148,6 +150,8 @@ fi
%patch38
%patch39 -p1
%patch40
%patch41
%patch42
cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c
# Rename the man pages so that they'll get generated correctly.
pushd src


@ -0,0 +1,35 @@
Fall back to TCP on kdc-unresolvable/unreachable errors. We still have
to wait for UDP to fail, so this might not be ideal. RT #5868.
Index: src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c (revision 20199)
+++ src/lib/krb5/os/changepw.c (working copy)
@@ -251,11 +251,22 @@
NULL,
NULL
))) {
-
- /*
- * Here we may want to switch to TCP on some errors.
- * right?
- */
+ /* if we're not using a stream socket, and it's an error which
+ * might reasonably be specific to a datagram "connection", try
+ * again with a stream socket */
+ if (!useTcp) {
+ switch (code) {
+ case KRB5_KDC_UNREACH:
+ case KRB5_REALM_CANT_RESOLVE:
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
+ /* should we do this for more result codes than these? */
+ krb5int_free_addrlist (&al);
+ useTcp = 1;
+ continue;
+ default:
+ break;
+ }
+ }
break;
}
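Review bot: In the `if (!useTcp)` branch the retry calls `krb5int_free_addrlist (&al)` and then `continue`s, so `al` is handed back to the address lookup and, presumably, to the exit path after it has already been freed once. The loop head, the loop condition and the cleanup code are all outside this hunk, so it should be confirmed that `krb5int_free_addrlist` leaves `al` safe to refill and to free again if the TCP lookup fails. Because `continue` in a `do` loop jumps to the loop condition, the retry only happens if that condition still holds at this point. The open question `/* should we do this for more result codes than these? */` would serve maintainers better as a statement of intent, for example `/* errors that can be specific to the UDP attempt; retry once over TCP */`.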

49
krb5-trunk-seqnum.patch Normal file

@ -0,0 +1,49 @@
Every KRB-PRIV message we generate to include as part of a password change
request we create (after the first one) will include sequence numbers which
look "wrong" to the recipient, because previously generating other KRB-PRIV
messages will mess with the counters in the auth_context. Because the
current code attempts to reuse auth_context structures (and changing that
would be more invasive), we'll just save the sequence number values as they
are after we build the AP-REQ, and restore them before generating requests.
RT#5867.
Index: src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c (revision 20195)
+++ src/lib/krb5/os/changepw.c (working copy)
@@ -34,6 +34,7 @@
#include "k5-int.h"
#include "os-proto.h"
#include "cm.h"
+#include "../krb/auth_con.h"
#include <stdio.h>
#include <errno.h>
@@ -48,6 +49,7 @@
krb5_principal set_password_for;
char *newpw;
krb5_data ap_req;
+ krb5_ui_4 remote_seq_num, local_seq_num;
};
@@ -159,6 +161,9 @@
&local_kaddr, NULL)))
goto cleanup;
+ ctx->auth_context->remote_seq_number = ctx->remote_seq_num;
+ ctx->auth_context->local_seq_number = ctx->local_seq_num;
+
if (ctx->set_password_for)
code = krb5int_mk_setpw_req(ctx->context,
ctx->auth_context,
@@ -225,6 +230,9 @@
&callback_ctx.ap_req)))
goto cleanup;
+ callback_ctx.remote_seq_num = callback_ctx.auth_context->remote_seq_number;
+ callback_ctx.local_seq_num = callback_ctx.auth_context->local_seq_number;
+
do {
if ((code = krb5_locate_kpasswd(callback_ctx.context,
krb5_princ_realm(callback_ctx.context,
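Review bot: The assignments that save and later restore `remote_seq_number` and `local_seq_number` have no comment, and without one the direct writes into `auth_context` read like a mistake, because they deliberately make every regenerated KRB-PRIV start from the same sequence numbers. A comment at the restore site would prevent a later "fix", such as `/* reset to the values saved after the AP-REQ was built; the auth_context is reused for each request (RT#5867) */`, with a matching one-liner at the save site. The new `#include "../krb/auth_con.h"` reaches into a private header to get at the struct fields, which ties this file to the struct layout and is worth noting next to the include. Both enclosing functions start and end outside the hunks shown.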


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed May 14 17:44:59 CEST 2008 - mc@suse.de
- Fall back to TCP on kdc-unresolvable/unreachable errors.
- restore valid sequence number before generating requests
(fix changing passwords in mixed ipv4/ipv6 enviroments)
-------------------------------------------------------------------
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de


@ -13,7 +13,7 @@
Name: krb5
Version: 1.6.3
Release: 40
Release: 47
BuildRequires: bison libcom_err-devel ncurses-devel
%if %{suse_version} > 1010
BuildRequires: keyutils keyutils-devel
@ -59,6 +59,8 @@ Patch37: krb5-1.6-fix-CVE-2007-5971.dif
Patch38: krb5-1.6-fix-CVE-2007-5972.dif
Patch39: krb5-1.6-MITKRB5-SA-2008-001.dif
Patch40: krb5-1.6-MITKRB5-SA-2008-002.dif
Patch41: krb5-trunk-kpasswd_tcp.patch
Patch42: krb5-trunk-seqnum.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
@ -224,6 +226,8 @@ fi
%patch38
%patch39 -p1
%patch40
%patch41
%patch42
cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c
# Rename the man pages so that they'll get generated correctly.
pushd src
@ -542,6 +546,10 @@ rm -rf %{buildroot}
%{_mandir}/man1/krb5-config.1*
%changelog
* Wed May 14 2008 mc@suse.de
- Fall back to TCP on kdc-unresolvable/unreachable errors.
- restore valid sequence number before generating requests
(fix changing passwords in mixed ipv4/ipv6 enviroments)
* Thu Apr 10 2008 ro@suse.de
- added baselibs.conf file to build xxbit packages
for multilib support