- update to 1.8.1

- no longer need patches for #555875, #561174, #563431, RT#6661, CVE-2010-0628 - replace buildrequires on tetex-latex with one on texlive-latex, which is the package that provides it now
2010-04-09 13:44:05 +00:00 · 2010-04-09 13:44:05 +00:00 · b48f2bcb58
commit b48f2bcb58
parent 6b3df78771
8 changed files with 16 additions and 281 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -36,3 +36,6 @@ krb5-1.8.tar.gz.asc
 krb5-appl-1.0.tar.gz
 krb5-appl-1.0.tar.gz.asc
 krb5-1.8-pdf.tar.gz
 krb5-1.8.1.tar.gz
 krb5-1.8.1.tar.gz.asc
 krb5-1.8.1-pdf.tar.gz
--- a/2010-002-patch.txt
+++ b/2010-002-patch.txt
@ -1,73 +0,0 @@
 Index: src/lib/gssapi/spnego/spnego_mech.c
 ===================================================================
 --- src/lib/gssapi/spnego/spnego_mech.c	(revision 23717)
 +++ src/lib/gssapi/spnego/spnego_mech.c	(working copy)
@@ -1570,7 +1570,7 @@
 	spnego_gss_ctx_id_t sc = NULL;
 	spnego_gss_cred_id_t spcred = NULL;
 	OM_uint32 mechstat = GSS_S_FAILURE;
 -	int sendTokenInit = 0;
 +	int sendTokenInit = 0, tmpret;
 	mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER;
@@ -1603,7 +1603,6 @@
 		if (delegated_cred_handle != NULL)
 			*delegated_cred_handle = GSS_C_NO_CREDENTIAL;
 		if (input_token->length == 0) {
 -			sendTokenInit = 1;
 			ret = acc_ctx_hints(minor_status,
 					    context_handle, spcred,
 					    &mic_out,
@@ -1611,6 +1610,7 @@
 					    &return_token);
 			if (ret != GSS_S_COMPLETE)
 				goto cleanup;
 +			sendTokenInit = 1;
 			ret = GSS_S_CONTINUE_NEEDED;
 		} else {
 			/* Can set negState to REQUEST_MIC */
@@ -1658,29 +1658,23 @@
 				 &negState, &return_token);
 	}
 cleanup:
 -	if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
 -		/* For acceptor-sends-first send a tokenInit */
 -		int tmpret;
 -
 +	if (return_token == INIT_TOKEN_SEND && sendTokenInit) {
 		assert(sc != NULL);
 -
 -		if (sendTokenInit) {
 -			tmpret = make_spnego_tokenInit_msg(sc,
 -							   1,
 -							   mic_out,
 -							   0,
 -							   GSS_C_NO_BUFFER,
 -							   return_token,
 -							   output_token);
 -		} else {
 -			tmpret = make_spnego_tokenTarg_msg(negState,
 -							   sc ? sc->internal_mech : GSS_C_NO_OID,
 -							   &mechtok_out, mic_out,
 -							   return_token,
 -							   output_token);
 -		}
 +		tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0,
 +						   GSS_C_NO_BUFFER,
 +						   return_token, output_token);
 		if (tmpret < 0)
 			ret = GSS_S_FAILURE;
 +	} else if (return_token != NO_TOKEN_SEND &&
 +		   return_token != CHECK_MIC) {
 +		tmpret = make_spnego_tokenTarg_msg(negState,
 +						   sc ? sc->internal_mech :
 +						   GSS_C_NO_OID,
 +						   &mechtok_out, mic_out,
 +						   return_token,
 +						   output_token);
 +		if (tmpret < 0)
 +			ret = GSS_S_FAILURE;
 	}
 	if (ret == GSS_S_COMPLETE) {
 		*context_handle = (gss_ctx_id_t)sc->ctx_handle;
--- a/krb5-1.8-kpasswd_ccache.patch
+++ b/krb5-1.8-kpasswd_ccache.patch
@ -1,50 +0,0 @@
 If we encounter any errors reading the user's principal name from the default
 ccache, fall back to the default of using the current user's name.  RT#6683
 Index: src/clients/kpasswd/kpasswd.c
 ===================================================================
 --- src/clients/kpasswd/kpasswd.c	(revision 23818)
 +++ src/clients/kpasswd/kpasswd.c	(revision 23819)
@@ -47,7 +47,7 @@
 {
     krb5_error_code ret;
     krb5_context context;
 -    krb5_principal princ;
 +    krb5_principal princ = NULL;
     char *pname;
     krb5_ccache ccache;
     krb5_get_init_creds_opt *opts = NULL;
@@ -84,23 +84,27 @@
             com_err(argv[0], ret, "parsing client name");
             exit(1);
         }
 -    } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) {
 -        if (ret) {
 +    } else {
 +        ret = krb5_cc_default(context, &ccache);
 +        if (ret != 0) {
             com_err(argv[0], ret, "opening default ccache");
             exit(1);
         }
 -        if ((ret = krb5_cc_get_principal(context, ccache, &princ))) {
 +        ret = krb5_cc_get_principal(context, ccache, &princ);
 +        if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) {
             com_err(argv[0], ret, "getting principal from ccache");
             exit(1);
         }
 -        if ((ret = krb5_cc_close(context, ccache))) {
 +        ret = krb5_cc_close(context, ccache);
 +        if (ret != 0) {
             com_err(argv[0], ret, "closing ccache");
             exit(1);
         }
 -    } else {
 -        get_name_from_passwd_file(argv[0], context, &princ);
 +
 +        if (princ == NULL)
 +            get_name_from_passwd_file(argv[0], context, &princ);
     }
     if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) {
--- a/krb5-1.8-opte.patch
+++ b/krb5-1.8-opte.patch
@ -1,33 +0,0 @@
 Fall back to the library default for whether or not to prompt for a password-
 change during authentication, if we weren't passed any options.  RT#6681
 diff -up krb5-1.8/src/lib/krb5/krb/gic_pwd.c.opte krb5-1.8/src/lib/krb5/krb/gic_pwd.c
 --- krb5-1.8/src/lib/krb5/krb/gic_pwd.c.opte	2009-12-23 11:00:05.000000000 -0500
 +++ krb5-1.8/src/lib/krb5/krb/gic_pwd.c	2010-03-05 11:03:42.000000000 -0500
@@ -123,6 +123,7 @@ krb5_get_init_creds_password(krb5_contex
     int tries;
     krb5_creds chpw_creds;
     krb5_get_init_creds_opt *chpw_opts = NULL;
 +    krb5_gic_opt_ext *opte = NULL;
     krb5_data pw0, pw1;
     char banner[1024], pw0array[1024], pw1array[1024];
     krb5_prompt prompt[2];
@@ -218,7 +219,8 @@ krb5_get_init_creds_password(krb5_contex
      * to prompt.  Prompting is only disabled if the option has been set
      * and the value has been set to false.
      */
 -    if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
 +    krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL);
 +    if (!(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
         goto cleanup;
     /* ok, we have an expired password.  Give the user a few chances
@@ -332,6 +334,8 @@ krb5_get_init_creds_password(krb5_contex
                                  &use_master, &as_reply);
 cleanup:
 +    if (opte != options)
 +        krb5_get_init_creds_opt_free(context, opte);
     krb5int_set_prompt_types(context, 0);
     /* if getting the password was successful, then check to see if the
        password is about to expire, and warn if so */
--- a/krb5-trunk-kpasswd_ipv6.patch
+++ b/krb5-trunk-kpasswd_ipv6.patch
@ -1,75 +0,0 @@
 Get the client libraries to correctly attempt password changes when using
 IPv6.  Sumit Bose, RT#6661
 Index: src/lib/krb5/os/changepw.c
 ===================================================================
 --- src/lib/krb5/os/changepw.c	(revision 23766)
 +++ src/lib/krb5/os/changepw.c	(revision 23767)
@@ -65,20 +65,23 @@
     int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM);
     code = krb5int_locate_server (context, realm, addrlist,
 -                                  locate_service_kpasswd, sockType, AF_INET);
 +                                  locate_service_kpasswd, sockType, AF_UNSPEC);
     if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) {
         code = krb5int_locate_server (context, realm, addrlist,
                                       locate_service_kadmin, SOCK_STREAM,
 -                                      AF_INET);
 +                                      AF_UNSPEC);
         if (!code) {
             /* Success with admin_server but now we need to change the
                port number to use DEFAULT_KPASSWD_PORT and the socktype.  */
             size_t i;
             for (i=0; i<addrlist->naddrs; i++) {
                 struct addrinfo *a = addrlist->addrs[i].ai;
 +                krb5_ui_2 kpasswd_port = htons(DEFAULT_KPASSWD_PORT);
                 if (a->ai_family == AF_INET)
 -                    sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT);
 +                    sa2sin (a->ai_addr)->sin_port = kpasswd_port;
 +                if (a->ai_family == AF_INET6)
 +                    sa2sin6 (a->ai_addr)->sin6_port = kpasswd_port;
                 if (sockType != SOCK_STREAM)
                     a->ai_socktype = sockType;
             }
@@ -131,10 +134,16 @@
     /* some brain-dead OS's don't return useful information from
      * the getsockname call.  Namely, windows and solaris.  */
 -    if (ss2sin(&local_addr)->sin_addr.s_addr != 0) {
 +    if (local_addr.ss_family == AF_INET &&
 +        ss2sin(&local_addr)->sin_addr.s_addr != 0) {
         local_kaddr.addrtype = ADDRTYPE_INET;
         local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr);
         local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr;
 +    } else if (local_addr.ss_family == AF_INET6 &&
 +               ss2sin6(&local_addr)->sin6_addr.s6_addr != 0) {
 +        local_kaddr.addrtype = ADDRTYPE_INET6;
 +        local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr);
 +        local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr;
     } else {
         krb5_address **addrs;
@@ -278,9 +287,19 @@
             break;
         }
 -        remote_kaddr.addrtype = ADDRTYPE_INET;
 -        remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
 -        remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
 +        if (remote_addr.ss_family == AF_INET) {
 +            remote_kaddr.addrtype = ADDRTYPE_INET;
 +            remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
 +            remote_kaddr.contents =
 +                (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
 +        } else if (remote_addr.ss_family == AF_INET6) {
 +            remote_kaddr.addrtype = ADDRTYPE_INET6;
 +            remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr);
 +            remote_kaddr.contents =
 +                (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr;
 +        } else {
 +            break;
 +        }
         if ((code = krb5_auth_con_setaddrs(callback_ctx.context,
                                            callback_ctx.auth_context,
--- a/krb5-trunk-tktlifetime.patch
+++ b/krb5-trunk-tktlifetime.patch
@ -1,33 +0,0 @@
 The 'ticket_lifetime' option isn't documented.  RT#6680
 Index: doc/admin.texinfo
 ===================================================================
 --- doc/admin.texinfo	(revision 23799)
 +++ doc/admin.texinfo	(working copy)
@@ -583,6 +583,11 @@
 fail if the client machine does not have a keytab.  The default for the
 flag is @value{DefaultVerifyApReqNofail}.
 +@itemx ticket_lifetime
 +The value of this tag is the default lifetime for
 +initial tickets.  The default value for the tag is
 +@value{DefaultTktLifetime}.
 +
 @itemx renew_lifetime
 The value of this tag is the default renewable lifetime for
 initial tickets.  The default value for the tag is
 Index: src/config-files/krb5.conf.M
 ===================================================================
 --- src/config-files/krb5.conf.M	(revision 23799)
 +++ src/config-files/krb5.conf.M	(working copy)
@@ -220,6 +220,10 @@
 fail if the client machine does not have a keytab.  The default for the
 flag is false.
 +.IP ticket_lifetime
 +The value of this tag is the default lifetime for initial tickets.  The
 +default value for the tag is 1 day (1d).
 +
 .IP renew_lifetime
 The value of this tag is the default renewable lifetime for initial
 tickets.  The default value for the tag is 0.
--- a/krb5.spec
+++ b/krb5.spec
@ -4,10 +4,10 @@
 Summary: The Kerberos network authentication system
 Name: krb5
-Version: 1.8
+Version: 1.8.1
-Release: 5%{?dist}
+Release: 1%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
-# http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar
+# http://web.mit.edu/kerberos/dist/krb5/1.8/krb5-1.8.1-signed.tar
 Source0: krb5-%{version}.tar.gz
 Source1: krb5-%{version}.tar.gz.asc
 Source2: kpropd.init
@ -45,11 +45,6 @@ Patch61: krb5-1.8-manpaths.patch
 Patch63: krb5-1.8-selinux-label.patch
 Patch70: krb5-trunk-kpasswd_tcp2.patch
 Patch71: krb5-1.8-dirsrv-accountlock.patch
 Patch95: krb5-1.8-opte.patch
 Patch98: krb5-1.8-kpasswd_ccache.patch
 Patch99: krb5-trunk-kpasswd_ipv6.patch
 Patch100: krb5-trunk-tktlifetime.patch
 Patch101: http://web.mit.edu/kerberos/advisories/2010-002-patch.txt
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -60,7 +55,7 @@ BuildRequires: autoconf, bison, flex, gawk
 BuildRequires: libcom_err-devel, libss-devel
 %endif
 BuildRequires: gzip, ncurses-devel, rsh, texinfo, texinfo-tex, tar
-BuildRequires: tetex-latex
+BuildRequires: texlive-latex
 BuildRequires: keyutils-libs-devel
 BuildRequires: libselinux-devel
 BuildRequires: pam-devel
@ -184,11 +179,6 @@ ln -s NOTICE LICENSE
 %patch59 -p1 -b .kpasswd_tcp
 #%patch70 -p0 -b .kpasswd_tcp2
 %patch71 -p1 -b .dirsrv-accountlock
 %patch95 -p1 -b .opte
 %patch98 -p0 -b .kpasswd-ccache
 %patch99 -p0 -b .kpasswd-ipv6
 %patch100 -p0 -b .tktlifetime
 %patch101 -p0 -b .2010-002
 gzip doc/*.ps
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@ -622,6 +612,12 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
 * Fri Apr  9 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.1-1
 - update to 1.8.1
  - no longer need patches for #555875, #561174, #563431, RT#6661, CVE-2010-0628
 - replace buildrequires on tetex-latex with one on texlive-latex, which is
  the package that provides it now
 * Thu Apr  8 2010 Nalin Dahyabhai <nalin@redhat.com>
 - kdc.conf: no more need to suggest a v4 mode, or listening on the v4 port
--- a/6
+++ b/6
@ -1,3 +1,3 @@
-a3391a739009efa9734db720d34f4c07  krb5-1.8.tar.gz
+275409c607933d81db69922e68bfab2d  krb5-1.8.1.tar.gz
-f923ec08f24df9e5a284be74895a6daa  krb5-1.8.tar.gz.asc
+787e4f86775bcfbb90ee8c6e7cb53fc9  krb5-1.8.1.tar.gz.asc
-32f8238d4553c44ecdc41205c3cb0333  krb5-1.8-pdf.tar.gz
+afdfd2e81345e6cd978dd37d76c3b0a2  krb5-1.8.1-pdf.tar.gz