#
# spec file for package krb5-plugins (Version 1.6.3)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

# norootforbuild
# nodebuginfo

Name:           krb5-plugins
Version:        1.6.3
Release:        11
BuildRequires:  bison krb5-devel ncurses-devel openldap2-devel
%define srcRoot krb5-1.6.3
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir  %{_defaultdocdir}/krb5
Requires:       krb5-server
Summary:        MIT Kerberos5 Implementation--Libraries
License:        X11/MIT
Url:            http://web.mit.edu/kerberos/www/
Group:          Productivity/Networking/Security
Source:         krb5-1.6.3.tar.bz2
Source1:        vendor-files.tar.bz2
Source2:        README.Source
Source3:        spx.c
Source4:        EncryptWithMasterKey.c
Source5:        %{name}-%{version}-rpmlintrc
Source10:       krb5-trunk-manpaths.txt
Patch1:         krb5-1.5.1-fix-too-few-arguments.dif
Patch2:         krb5-1.6.1-compile_pie.dif
Patch3:         krb5-1.4-fix-segfault.dif
Patch6:         trunk-EncryptWithMasterKey.dif
Patch14:        warning-fix-lib-crypto-des.dif
Patch15:        warning-fix-lib-crypto-dk.dif
Patch16:        warning-fix-lib-crypto.dif
Patch17:        warning-fix-lib-crypto-enc_provider.dif
Patch18:        warning-fix-lib-crypto-yarrow_arcfour.dif
Patch20:        kprop-use-mkstemp.dif
Patch21:        krb5-1.5.1-fix-var-used-before-value-set.dif
Patch22:        krb5-1.5.1-fix-ftp-var-used-uninitialized.dif
Patch24:        krb5-1.5.1-fix-strncat-warning.dif
Patch25:        krb5-1.6.1-init-salt-length.dif
Patch30:        trunk-manpaths.dif
Patch31:        krb5-1.6-ldap-man.dif
Patch32:        krb5-1.4.3-enospc.dif
Patch33:        krb5-1.3.3-rcp-markus.dif
Patch34:        gssapi_improve_errormessages.dif
Patch35:        krb5-1.6-fix-CVE-2007-5894.dif
Patch36:        krb5-1.6-fix-CVE-2007-5902.dif
Patch37:        krb5-1.6-fix-CVE-2007-5971.dif
Patch38:        krb5-1.6-fix-CVE-2007-5972.dif
Patch39:        krb5-1.6-MITKRB5-SA-2008-001.dif
Patch40:        krb5-1.6-MITKRB5-SA-2008-002.dif
Patch41:        krb5-trunk-kpasswd_tcp.patch
Patch42:        krb5-trunk-seqnum.patch
Patch43:        krb5-1.6.3-case-insensitive.dif
Patch44:        krb5-1.6.3-ktutil-manpage.dif
Patch45:        krb5-1.6.3-post.dif
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords.

Authors:
--------
    The MIT Kerberos Team
    Sam Hartman
    Ken Raeburn
    Tom Yu

%package -n krb5-plugin-kdb-ldap
Requires:       krb5-server = %{version}
Summary:        MIT Kerberos5 Implementation--LDAP Database Plugin
License:        X11/MIT
Url:            http://web.mit.edu/kerberos/www/
Group:          Productivity/Networking/Security

%description -n krb5-plugin-kdb-ldap
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords. This package contains the LDAP
database plugin.

Authors:
--------
    The MIT Kerberos Team
    Sam Hartman
    Ken Raeburn
    Tom Yu

%package -n krb5-plugin-preauth-pkinit
License:        X11/MIT
Summary:        MIT Kerberos5 Implementation--PKINIT preauth Plugin
Group:          Productivity/Networking/Security
Conflicts:      krb5-plugin-preauth-pkinit-nss

%description -n krb5-plugin-preauth-pkinit
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a PKINIT plugin.

Authors:
--------
    The MIT Kerberos Team
    Sam Hartman
    Ken Raeburn
    Tom Yu

%prep
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
if [ -e %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c ]
then
    echo "spx.c contains potential legal risks."
    exit 1;
else
    cp %{_sourcedir}/spx.c %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c
fi
%patch1
%patch2
%patch3
%patch6
%patch14
%patch15
%patch16
%patch17
%patch18
%patch20
%patch21
%patch22
%patch24
%patch25
%patch30 -p1
%patch31
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35
%patch36
%patch37
%patch38
%patch39 -p1
%patch40
%patch41
%patch42
%patch43
%patch44 -p1
%patch45
cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c
# Rename the man pages so that they'll get generated correctly.
pushd src
cat $RPM_SOURCE_DIR/krb5-trunk-manpaths.txt | while read manpage ; do
    mv "$manpage" "$manpage".in
done
popd

%build
cd src
%{?suse_update_config:%{suse_update_config -f}}
./util/reconf
CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -I/usr/include -I%{_builddir}/%{srcRoot}/src/lib/ -fno-strict-aliasing -D_GNU_SOURCE -D__CI_PRINC__ -fPIC " \
./configure \
    --prefix=/usr/lib/mit \
    --sysconfdir=%{_sysconfdir} \
    --mandir=%{_mandir} \
    --infodir=%{_infodir} \
    --libexecdir=/usr/lib/mit/sbin \
    --libdir=%{_libdir} \
    --includedir=%{_includedir} \
    --localstatedir=%{_localstatedir}/lib/kerberos \
    --enable-shared \
    --disable-static \
    --enable-kdc-replay-cache \
    --enable-dns-for-realm \
    --with-ldap \
    --with-system-et \
    --with-system-ss
cd util/profile
make install-headers-unix
cd ../../include
make
cd ../lib/kadm5
make includes
cd ../gssapi/generic
make gssapi-include
ln -s %{_libdir}/libgssrpc.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libgssapi_krb5.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libk5crypto.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libkrb5support.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libkrb5.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libkadm5srv.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libkdb5.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libkrb4.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libdes425.so %{_builddir}/%{srcRoot}/src/lib/
cd ../../../kadmin/cli
make getdate.o
cd ../../plugins/kdb/ldap/
make %{?jobs:-j%jobs}
cd ../../preauth/pkinit/
make %{?jobs:-j%jobs}
#make check

%install
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
mkdir -p %{buildroot}/%{krb5docdir}
mkdir -p %{buildroot}/usr/lib/mit/sbin/
mkdir -p %{buildroot}/%{_mandir}/man8/
cd src/plugins/kdb/ldap/
make DESTDIR=%{buildroot} install
cd ../../preauth/pkinit/
make DESTDIR=%{buildroot} install
# all libs must have permissions 0755
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
do
    chmod 0755 ${lib}
done
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{krb5docdir}/kerberos.schema
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %{buildroot}/%{krb5docdir}/kerberos.ldif
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share
#####################################################
# krb5 pre/post/postun
#####################################################

%post -n krb5-plugin-kdb-ldap
/sbin/ldconfig

%postun -n krb5-plugin-kdb-ldap
/sbin/ldconfig

%clean
rm -rf %{buildroot}
########################################################
# files sections
########################################################

%files -n krb5-plugin-kdb-ldap
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir /usr/lib/mit/sbin/
%dir %{krb5docdir}
%doc %{krb5docdir}/kerberos.schema
%doc %{krb5docdir}/kerberos.ldif
%{_libdir}/krb5/plugins/kdb/*.so
/usr/lib/mit/sbin/*
%{_libdir}/libkdb_ldap*
%{_mandir}/man8/*

%files -n krb5-plugin-preauth-pkinit
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so

%changelog
* Fri Jul 25 2008 mc@suse.de
- add patches from SVN post 1.6.3
  * krb5_string_to_keysalts: Fix an infinite loop
  * fix some mutex issues
  * better recovery from corrupt rcache files
  * some more small fixes
* Wed Jun 18 2008 mc@suse.de
- reduce rpmlint warnings
* Tue Dec 04 2007 mc@suse.de
- improve GSSAPI error messages
* Tue Oct 23 2007 mc@suse.de
- update to krb5 version 1.6.3
  * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
  * fix CVE-2007-4000 modify_policy vulnerability
  * Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles
* Fri Sep 14 2007 mc@suse.de
- update krb5-1.6.2-post.dif
  * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
    the client library will not failover to the next KDC. [#310540]
* Tue Sep 11 2007 mc@suse.de
- update krb5-1.6.2-post.dif
  * new -S sname option for kvno
  * read_entropy_from_device on partial read will not fill buffer
  * Bail out if encoded "ticket" doesn't decode correctly.
  * patch for referrals loop
* Thu Sep 06 2007 mc@suse.de
- fix a problem with the originally published patch
  for MITKRB5-SA-2007-006 - CVE-2007-3999 [#302377]
* Wed Sep 05 2007 mc@suse.de
- fix execute arbitrary code
  (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000) [#302377]
* Tue Aug 07 2007 mc@suse.de
- add krb5-1.6.2-post.dif
  * during the referrals loop, check to see if the
    session key enctype of a returned credential for the final
    service is among the enctypes explicitly selected by the
    application, and retry with old_use_conf_ktypes if it is not.
  * If mkstemp() is available, the new ccache file gets created but
    the subsequent open(O_CREAT|O_EXCL) call fails because the file
    was already created by mkstemp(). Apply patch from Apple to keep
    the file descriptor open.
* Thu Jul 12 2007 mc@suse.de
- update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release
* Mon Jul 02 2007 mc@suse.de
- update krb5-1.6.1-post.dif
  * fix leak in krb5_walk_realm_tree
  * rd_req_decoded needs to deal with referral realms
  * fix buffer overflow in kadmind
    (MITKRB5-SA-2007-005 - CVE-2007-2798) [#278689]
  * fix kadmind code execution bug
    (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443) [#271191]
* Wed May 09 2007 mc@suse.de
- fix uninitialized salt length
- add extra check for keytab file
* Thu May 03 2007 mc@suse.de
- adding krb5-1.6.1-post.dif
  * fix segfault in krb5_get_init_creds_password
  * remove debug output in ftp client
  * profile stores empty string values without double quotes
* Mon Apr 23 2007 mc@suse.de
- update to final 1.6.1 version
* Mon Apr 16 2007 mc@suse.de
- update to version 1.6.1 Beta1
- remove obsolete patches
  (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
- rework compile_pie patch
* Wed Apr 11 2007 mc@suse.de
- update krb5-1.6-post.dif
  * fix kadmind stack overflow in krb5_klog_syslog
    (MITKRB5-SA-2007-002 - CVE-2007-0957) [#253548]
  * fix double free attack in the RPC library
    (MITKRB5-SA-2007-003 - CVE-2007-1216) [#252487]
  * fix krb5 telnetd login injection
    (MIT-SA-2007-001 - CVE-2007-0956) [#247765]
* Thu Mar 29 2007 mc@suse.de
- add ncurses-devel and bison to BuildRequires
- rework some patches
* Mon Feb 19 2007 mc@suse.de
- update krb5-1.6-post.dif
* Fri Feb 09 2007 mc@suse.de
- update krb5-1.6-post.dif
* Mon Jan 29 2007 ro@suse.de
- no main package, no debuginfo
* Mon Jan 29 2007 mc@suse.de
- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif
  are now upstream. Remove patches.
- fix leak in krb5_kt_resolve and krb5_kt_wresolve
* Tue Jan 23 2007 mc@suse.de
- fix "local variable used before set" in ftp.c [#237684]
- use less BuildRequires
* Mon Jan 22 2007 mc@suse.de
- initial release (version 1.6)
  * Major changes in 1.6 include
    * Partial client implementation to handle server name referrals.
    * Pre-authentication plug-in framework, donated by Red Hat.
    * LDAP KDB plug-in, donated by Novell.