From f817e39736dd32dce16c535132ec4ac9e555c3fc Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@fedoraproject.org>
Date: Fri, 2 Dec 2005 01:46:50 +0000
Subject: [PATCH] - login: don't truncate passwords before passing them into
 crypt(), in case     they're significant (#149476)

---
 krb5-1.2.7-login-lpass.patch | 27 +++++++++++++++++++++++++++
 krb5.spec                    |  6 ++++++
 2 files changed, 33 insertions(+)
 create mode 100644 krb5-1.2.7-login-lpass.patch

diff --git a/krb5-1.2.7-login-lpass.patch b/krb5-1.2.7-login-lpass.patch
new file mode 100644
index 0000000..f943213
--- /dev/null
+++ b/krb5-1.2.7-login-lpass.patch
@@ -0,0 +1,27 @@
+The local crypt() may support hash types which use more than the first 8
+characters.  It also doesn't modify the input string, so we should just
+stop truncating it.
+--- krb5-1.2.7/src/appl/bsd/login.c	2005-11-15 16:20:34.000000000 -0500
++++ krb5-1.2.7/src/appl/bsd/login.c	2005-11-15 16:20:29.000000000 -0500
+@@ -461,17 +461,14 @@
+ int unix_passwd_okay (pass)
+     char *pass;
+ {
+-    char user_pwcopy[9], *namep;
++    char *namep;
+     char *crypt ();
+ 
+     assert (pwd != 0);
+ 
+-    /* copy the first 8 chars of the password for unix crypt */
+-    strncpy(user_pwcopy, pass, sizeof(user_pwcopy));
+-    user_pwcopy[sizeof(user_pwcopy) - 1]='\0';
+-    namep = crypt(user_pwcopy, salt);
+-    memset (user_pwcopy, 0, sizeof(user_pwcopy));
+-    /* ... and wipe the copy now that we have the string */
++    namep = crypt(pass, salt);
++    if (strlen(namep) < 13)
++	return 0;
+ 
+     /* verify the local password string */
+ #ifdef HAVE_SHADOW
diff --git a/krb5.spec b/krb5.spec
index 67045f7..f0e5347 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -70,6 +70,7 @@ Patch35: krb5-1.4.1-fclose.patch
 Patch36: krb5-1.3.3-rcp-markus.patch
 Patch39: krb5-1.4.1-api.patch
 Patch40: krb5-1.4.1-telnet-environ.patch
+Patch41: krb5-1.2.7-login-lpass.patch
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@@ -134,6 +135,10 @@ network uses Kerberos, this package should be installed on every
 workstation.
 
 %changelog
+* Thu Dec  1 2005 Nalin Dahyabhai <nalin@redhat.com>
+- login: don't truncate passwords before passing them into crypt(), in
+  case they're significant (#149476)
+
 * Thu Nov 17 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.3-1
 - update to 1.4.3
 - make ksu setuid again (#137934, others)
@@ -880,6 +885,7 @@ workstation.
 %patch36 -p1 -b .rcp-markus
 %patch39 -p1 -b .api
 %patch40 -p1 -b .telnet-environ
+%patch41 -p1 -b .login-lpass
 cp src/krb524/README README.krb524
 find . -type f -name "*.info-dir" -exec rm -fv "{}" ";"
 gzip doc/*.ps