Sat Jun 7 18:36:07 2008 UTC ()
Add security patches for 3 Kerberos vulnerabilities:
- telnetd username and environment sanitizing vulnerabilities ("-f root")
as described in MIT Kerberos advisory 2007-001.
- krb5_klog_syslog() problems with overly long log strings as described
in MIT Kerberos advisory 2007-002.
- GSS API kg_unseal_v1() double free vulnerability as described in the
MIT Kerberos advisory 2007-003.
(tonnerre)
diff -r1.41 -r1.42 pkgsrc/security/mit-krb5/Makefile
diff -r1.16 -r1.17 pkgsrc/security/mit-krb5/distinfo
diff -r0 -r1.3 pkgsrc/security/mit-krb5/patches/patch-ai
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-au
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-av
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-aw
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-ax
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-ay
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-az
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-ba
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-bb
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-bc
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-bd
diff -r0 -r1.1 pkgsrc/security/mit-krb5/patches/patch-be
--- pkgsrc/security/mit-krb5/Makefile 2007/06/22 14:20:01 1.41
+++ pkgsrc/security/mit-krb5/Makefile 2008/06/07 18:36:06 1.42
| @@ -1,159 +1,159 @@ | | | @@ -1,159 +1,159 @@ |
| 1 | # $NetBSD: Makefile,v 1.41 2007/06/22 14:20:01 gdt Exp $ | | 1 | # $NetBSD: Makefile,v 1.42 2008/06/07 18:36:06 tonnerre Exp $ |
| 2 | | | 2 | |
| 3 | DISTNAME= krb5-1.4.2 | | 3 | DISTNAME= krb5-1.4.2 |
| 4 | PKGNAME= mit-${DISTNAME:S/-signed$//} | | 4 | PKGNAME= mit-${DISTNAME:S/-signed$//} |
| 5 | PKGREVISION= 4 | | 5 | PKGREVISION= 5 |
| 6 | CATEGORIES= security | | 6 | CATEGORIES= security |
| 7 | MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/1.4/ | | 7 | MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/1.4/ |
| 8 | DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX} | | 8 | DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX} |
| 9 | EXTRACT_SUFX= .tar | | 9 | EXTRACT_SUFX= .tar |
| 10 | | | 10 | |
| 11 | MAINTAINER= pkgsrc-users@NetBSD.org | | 11 | MAINTAINER= pkgsrc-users@NetBSD.org |
| 12 | HOMEPAGE= http://web.mit.edu/kerberos/www/ | | 12 | HOMEPAGE= http://web.mit.edu/kerberos/www/ |
| 13 | COMMENT= MIT Kerberos 5 authentication system | | 13 | COMMENT= MIT Kerberos 5 authentication system |
| 14 | | | 14 | |
| 15 | WRKSRC= ${WRKDIR}/${DISTNAME}/src | | 15 | WRKSRC= ${WRKDIR}/${DISTNAME}/src |
| 16 | | | 16 | |
| 17 | .include "../../mk/bsd.prefs.mk" | | 17 | .include "../../mk/bsd.prefs.mk" |
| 18 | | | 18 | |
| 19 | CONFLICTS+= heimdal-[0-9]* | | 19 | CONFLICTS+= heimdal-[0-9]* |
| 20 | CONFLICTS+= kth-krb4-[0-9]* | | 20 | CONFLICTS+= kth-krb4-[0-9]* |
| 21 | | | 21 | |
| 22 | USE_TOOLS+= autoconf gzcat yacc | | 22 | USE_TOOLS+= autoconf gzcat yacc |
| 23 | GNU_CONFIGURE= yes | | 23 | GNU_CONFIGURE= yes |
| 24 | USE_LIBTOOL= yes | | 24 | USE_LIBTOOL= yes |
| 25 | | | 25 | |
| 26 | # The actual KDC databases are stored in ${MIT_KRB5_STATEDIR}/krb5kdc. | | 26 | # The actual KDC databases are stored in ${MIT_KRB5_STATEDIR}/krb5kdc. |
| 27 | MIT_KRB5_STATEDIR?= ${VARBASE} | | 27 | MIT_KRB5_STATEDIR?= ${VARBASE} |
| 28 | FILES_SUBST+= MIT_KRB5_STATEDIR=${MIT_KRB5_STATEDIR:Q} | | 28 | FILES_SUBST+= MIT_KRB5_STATEDIR=${MIT_KRB5_STATEDIR:Q} |
| 29 | | | 29 | |
| 30 | BUILD_DEFS+= VARBASE | | 30 | BUILD_DEFS+= VARBASE |
| 31 | | | 31 | |
| 32 | CONFIGURE_ARGS+= --localstatedir=${MIT_KRB5_STATEDIR:Q} | | 32 | CONFIGURE_ARGS+= --localstatedir=${MIT_KRB5_STATEDIR:Q} |
| 33 | CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q} | | 33 | CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q} |
| 34 | CONFIGURE_ARGS+= --enable-shared | | 34 | CONFIGURE_ARGS+= --enable-shared |
| 35 | CONFIGURE_ARGS+= --enable-pkgsrc-libtool | | 35 | CONFIGURE_ARGS+= --enable-pkgsrc-libtool |
| 36 | CONFIGURE_ARGS+= --enable-dns | | 36 | CONFIGURE_ARGS+= --enable-dns |
| 37 | CONFIGURE_ARGS+= --enable-kdc-replay-cache | | 37 | CONFIGURE_ARGS+= --enable-kdc-replay-cache |
| 38 | CONFIGURE_ARGS+= --disable-thread-support | | 38 | CONFIGURE_ARGS+= --disable-thread-support |
| 39 | CONFIGURE_ARGS+= --without-krb4 | | 39 | CONFIGURE_ARGS+= --without-krb4 |
| 40 | CONFIGURE_ARGS+= --without-tcl | | 40 | CONFIGURE_ARGS+= --without-tcl |
| 41 | MAKE_ENV+= ROOT_USER=${ROOT_USER:Q} | | 41 | MAKE_ENV+= ROOT_USER=${ROOT_USER:Q} |
| 42 | | | 42 | |
| 43 | PKG_OPTIONS_VAR= PKG_OPTIONS.mit-krb5 | | 43 | PKG_OPTIONS_VAR= PKG_OPTIONS.mit-krb5 |
| 44 | PKG_SUPPORTED_OPTIONS= kerberos-prefix-cmds | | 44 | PKG_SUPPORTED_OPTIONS= kerberos-prefix-cmds |
| 45 | | | 45 | |
| 46 | .include "../../mk/bsd.options.mk" | | 46 | .include "../../mk/bsd.options.mk" |
| 47 | | | 47 | |
| 48 | # Rename some of MIT krb5's applications so they won't conflict with | | 48 | # Rename some of MIT krb5's applications so they won't conflict with |
| 49 | # other packages. | | 49 | # other packages. |
| 50 | # | | 50 | # |
| 51 | .if !empty(PKG_OPTIONS:Mkerberos-prefix-cmds) | | 51 | .if !empty(PKG_OPTIONS:Mkerberos-prefix-cmds) |
| 52 | KRB5_PREFIX= k | | 52 | KRB5_PREFIX= k |
| 53 | MIT_KRB5_TRANSFORM= s/^ftp/${KRB5_PREFIX}&/; \ | | 53 | MIT_KRB5_TRANSFORM= s/^ftp/${KRB5_PREFIX}&/; \ |
| 54 | s/^rcp/${KRB5_PREFIX}&/; \ | | 54 | s/^rcp/${KRB5_PREFIX}&/; \ |
| 55 | s/^rlogin/${KRB5_PREFIX}&/; \ | | 55 | s/^rlogin/${KRB5_PREFIX}&/; \ |
| 56 | s/^rsh/${KRB5_PREFIX}&/; \ | | 56 | s/^rsh/${KRB5_PREFIX}&/; \ |
| 57 | s/^telnet/${KRB5_PREFIX}&/ | | 57 | s/^telnet/${KRB5_PREFIX}&/ |
| 58 | .else | | 58 | .else |
| 59 | KRB5_PREFIX= # empty | | 59 | KRB5_PREFIX= # empty |
| 60 | MIT_KRB5_TRANSFORM= s/^ftp/k&/ | | 60 | MIT_KRB5_TRANSFORM= s/^ftp/k&/ |
| 61 | .endif | | 61 | .endif |
| 62 | PLIST_SUBST+= KRB5_PREFIX=${KRB5_PREFIX:Q} | | 62 | PLIST_SUBST+= KRB5_PREFIX=${KRB5_PREFIX:Q} |
| 63 | CONFIGURE_ARGS+= --program-transform-name=${MIT_KRB5_TRANSFORM:Q} | | 63 | CONFIGURE_ARGS+= --program-transform-name=${MIT_KRB5_TRANSFORM:Q} |
| 64 | | | 64 | |
| 65 | # Fix some places in the MIT krb5 sources that don't point to the correct | | 65 | # Fix some places in the MIT krb5 sources that don't point to the correct |
| 66 | # Kerberized binaries when exec'ing programs. | | 66 | # Kerberized binaries when exec'ing programs. |
| 67 | # | | 67 | # |
| 68 | SUBST_CLASSES+= mit-krb5 | | 68 | SUBST_CLASSES+= mit-krb5 |
| 69 | SUBST_STAGE.mit-krb5= pre-configure | | 69 | SUBST_STAGE.mit-krb5= pre-configure |
| 70 | SUBST_FILES.mit-krb5= appl/bsd/Makefile.in include/krb5/stock/osconf.h | | 70 | SUBST_FILES.mit-krb5= appl/bsd/Makefile.in include/krb5/stock/osconf.h |
| 71 | SUBST_SED.mit-krb5= -e "/KRB5_PATH_RLOGIN/s,/rlogin,/${KRB5_PREFIX}rlogin,g" | | 71 | SUBST_SED.mit-krb5= -e "/KRB5_PATH_RLOGIN/s,/rlogin,/${KRB5_PREFIX}rlogin,g" |
| 72 | | | 72 | |
| 73 | # Fix autoconf incompatibility in new versions where substitutions won't be | | 73 | # Fix autoconf incompatibility in new versions where substitutions won't be |
| 74 | # processed properly. For more details see: | | 74 | # processed properly. For more details see: |
| 75 | # http://mailman.mit.edu/pipermail/krb5-bugs/2006-June/004587.html | | 75 | # http://mailman.mit.edu/pipermail/krb5-bugs/2006-June/004587.html |
| 76 | SUBST_CLASSES+= frag | | 76 | SUBST_CLASSES+= frag |
| 77 | SUBST_STAGE.frag= post-patch | | 77 | SUBST_STAGE.frag= post-patch |
| 78 | SUBST_FILES.frag= appl/telnet/libtelnet/Makefile.in \ | | 78 | SUBST_FILES.frag= appl/telnet/libtelnet/Makefile.in \ |
| 79 | lib/apputils/Makefile.in \ | | 79 | lib/apputils/Makefile.in \ |
| 80 | lib/crypto/Makefile.in \ | | 80 | lib/crypto/Makefile.in \ |
| 81 | lib/crypto/aes/Makefile.in \ | | 81 | lib/crypto/aes/Makefile.in \ |
| 82 | lib/crypto/arcfour/Makefile.in \ | | 82 | lib/crypto/arcfour/Makefile.in \ |
| 83 | lib/crypto/crc32/Makefile.in \ | | 83 | lib/crypto/crc32/Makefile.in \ |
| 84 | lib/crypto/des/Makefile.in \ | | 84 | lib/crypto/des/Makefile.in \ |
| 85 | lib/crypto/dk/Makefile.in \ | | 85 | lib/crypto/dk/Makefile.in \ |
| 86 | lib/crypto/enc_provider/Makefile.in \ | | 86 | lib/crypto/enc_provider/Makefile.in \ |
| 87 | lib/crypto/hash_provider/Makefile.in \ | | 87 | lib/crypto/hash_provider/Makefile.in \ |
| 88 | lib/crypto/keyhash_provider/Makefile.in \ | | 88 | lib/crypto/keyhash_provider/Makefile.in \ |
| 89 | lib/crypto/md4/Makefile.in \ | | 89 | lib/crypto/md4/Makefile.in \ |
| 90 | lib/crypto/md5/Makefile.in \ | | 90 | lib/crypto/md5/Makefile.in \ |
| 91 | lib/crypto/old/Makefile.in \ | | 91 | lib/crypto/old/Makefile.in \ |
| 92 | lib/crypto/raw/Makefile.in \ | | 92 | lib/crypto/raw/Makefile.in \ |
| 93 | lib/crypto/sha1/Makefile.in \ | | 93 | lib/crypto/sha1/Makefile.in \ |
| 94 | lib/crypto/yarrow/Makefile.in \ | | 94 | lib/crypto/yarrow/Makefile.in \ |
| 95 | lib/des425/Makefile.in \ | | 95 | lib/des425/Makefile.in \ |
| 96 | lib/gssapi/Makefile.in \ | | 96 | lib/gssapi/Makefile.in \ |
| 97 | lib/gssapi/generic/Makefile.in \ | | 97 | lib/gssapi/generic/Makefile.in \ |
| 98 | lib/gssapi/krb5/Makefile.in \ | | 98 | lib/gssapi/krb5/Makefile.in \ |
| 99 | lib/kadm5/Makefile.in \ | | 99 | lib/kadm5/Makefile.in \ |
| 100 | lib/kadm5/clnt/Makefile.in \ | | 100 | lib/kadm5/clnt/Makefile.in \ |
| 101 | lib/kadm5/srv/Makefile.in \ | | 101 | lib/kadm5/srv/Makefile.in \ |
| 102 | lib/kdb/Makefile.in \ | | 102 | lib/kdb/Makefile.in \ |
| 103 | lib/krb4/Makefile.in \ | | 103 | lib/krb4/Makefile.in \ |
| 104 | lib/krb5/Makefile.in \ | | 104 | lib/krb5/Makefile.in \ |
| 105 | lib/krb5/asn.1/Makefile.in \ | | 105 | lib/krb5/asn.1/Makefile.in \ |
| 106 | lib/krb5/ccache/Makefile.in \ | | 106 | lib/krb5/ccache/Makefile.in \ |
| 107 | lib/krb5/error_tables/Makefile.in \ | | 107 | lib/krb5/error_tables/Makefile.in \ |
| 108 | lib/krb5/keytab/Makefile.in \ | | 108 | lib/krb5/keytab/Makefile.in \ |
| 109 | lib/krb5/krb/Makefile.in \ | | 109 | lib/krb5/krb/Makefile.in \ |
| 110 | lib/krb5/os/Makefile.in \ | | 110 | lib/krb5/os/Makefile.in \ |
| 111 | lib/krb5/posix/Makefile.in \ | | 111 | lib/krb5/posix/Makefile.in \ |
| 112 | lib/krb5/rcache/Makefile.in \ | | 112 | lib/krb5/rcache/Makefile.in \ |
| 113 | lib/rpc/Makefile.in \ | | 113 | lib/rpc/Makefile.in \ |
| 114 | util/db2/Makefile.in \ | | 114 | util/db2/Makefile.in \ |
| 115 | util/db2/btree/Makefile.in \ | | 115 | util/db2/btree/Makefile.in \ |
| 116 | util/db2/clib/Makefile.in \ | | 116 | util/db2/clib/Makefile.in \ |
| 117 | util/db2/db/Makefile.in \ | | 117 | util/db2/db/Makefile.in \ |
| 118 | util/db2/hash/Makefile.in \ | | 118 | util/db2/hash/Makefile.in \ |
| 119 | util/db2/mpool/Makefile.in \ | | 119 | util/db2/mpool/Makefile.in \ |
| 120 | util/db2/recno/Makefile.in \ | | 120 | util/db2/recno/Makefile.in \ |
| 121 | util/et/Makefile.in \ | | 121 | util/et/Makefile.in \ |
| 122 | util/profile/Makefile.in \ | | 122 | util/profile/Makefile.in \ |
| 123 | util/pty/Makefile.in \ | | 123 | util/pty/Makefile.in \ |
| 124 | util/ss/Makefile.in \ | | 124 | util/ss/Makefile.in \ |
| 125 | util/support/Makefile.in | | 125 | util/support/Makefile.in |
| 126 | SUBST_SED.frag= -e "s/^\#.\\(@lib.*_frag@\\)/\\1/g" | | 126 | SUBST_SED.frag= -e "s/^\#.\\(@lib.*_frag@\\)/\\1/g" |
| 127 | | | 127 | |
| 128 | INFO_FILES= # PLIST | | 128 | INFO_FILES= # PLIST |
| 129 | | | 129 | |
| 130 | OWN_DIRS_PERMS= ${MIT_KRB5_STATEDIR}/krb5kdc \ | | 130 | OWN_DIRS_PERMS= ${MIT_KRB5_STATEDIR}/krb5kdc \ |
| 131 | ${ROOT_USER} ${ROOT_GROUP} 0700 | | 131 | ${ROOT_USER} ${ROOT_GROUP} 0700 |
| 132 | RCD_SCRIPTS= kadmind kdc | | 132 | RCD_SCRIPTS= kadmind kdc |
| 133 | | | 133 | |
| 134 | INSTALLATION_DIRS= bin include/gssapi include/gssrpc ${PKGINFODIR} \ | | 134 | INSTALLATION_DIRS= bin include/gssapi include/gssrpc ${PKGINFODIR} \ |
| 135 | lib ${PKGMANDIR}/man1 ${PKGMANDIR}/man5 \ | | 135 | lib ${PKGMANDIR}/man1 ${PKGMANDIR}/man5 \ |
| 136 | ${PKGMANDIR}/man8 sbin share/examples/krb5 | | 136 | ${PKGMANDIR}/man8 sbin share/examples/krb5 |
| 137 | | | 137 | |
| 138 | # The MIT krb5 distribution is actually a tar file that contains the | | 138 | # The MIT krb5 distribution is actually a tar file that contains the |
| 139 | # real .tar.gz distfile and a PGP signature. | | 139 | # real .tar.gz distfile and a PGP signature. |
| 140 | # | | 140 | # |
| 141 | post-extract: | | 141 | post-extract: |
| 142 | extract_file="${WRKDIR}/${DISTNAME}.tar.gz"; \ | | 142 | extract_file="${WRKDIR}/${DISTNAME}.tar.gz"; \ |
| 143 | cd ${WRKDIR} && ${EXTRACT_CMD} | | 143 | cd ${WRKDIR} && ${EXTRACT_CMD} |
| 144 | | | 144 | |
| 145 | pre-configure: | | 145 | pre-configure: |
| 146 | cd ${WRKSRC}; ${FIND} . -name configure -print | \ | | 146 | cd ${WRKSRC}; ${FIND} . -name configure -print | \ |
| 147 | ${XARGS} -n 1 ${DIRNAME} | \ | | 147 | ${XARGS} -n 1 ${DIRNAME} | \ |
| 148 | while read dir; do \ | | 148 | while read dir; do \ |
| 149 | ${ECHO} "=> Generating configure in $$dir"; \ | | 149 | ${ECHO} "=> Generating configure in $$dir"; \ |
| 150 | (cd $$dir && autoconf -I ${WRKSRC} -f); \ | | 150 | (cd $$dir && autoconf -I ${WRKSRC} -f); \ |
| 151 | done | | 151 | done |
| 152 | | | 152 | |
| 153 | post-install: | | 153 | post-install: |
| 154 | cd ${WRKSRC}/../doc; for f in *.info *.info-[0-9]*; do \ | | 154 | cd ${WRKSRC}/../doc; for f in *.info *.info-[0-9]*; do \ |
| 155 | ${TEST} ! -f "$$f" || \ | | 155 | ${TEST} ! -f "$$f" || \ |
| 156 | ${INSTALL_MAN} "$$f" ${PREFIX}/${PKGINFODIR}; \ | | 156 | ${INSTALL_MAN} "$$f" ${PREFIX}/${PKGINFODIR}; \ |
| 157 | done | | 157 | done |
| 158 | | | 158 | |
| 159 | .include "../../mk/bsd.pkg.mk" | | 159 | .include "../../mk/bsd.pkg.mk" |
--- pkgsrc/security/mit-krb5/distinfo 2007/01/17 23:43:47 1.16
+++ pkgsrc/security/mit-krb5/distinfo 2008/06/07 18:36:06 1.17
| @@ -1,24 +1,36 @@ | | | @@ -1,24 +1,36 @@ |
| 1 | $NetBSD: distinfo,v 1.16 2007/01/17 23:43:47 salo Exp $ | | 1 | $NetBSD: distinfo,v 1.17 2008/06/07 18:36:06 tonnerre Exp $ |
| 2 | | | 2 | |
| 3 | SHA1 (krb5-1.4.2-signed.tar) = bbc03bd319d539fb9523c2545d80ba0784522e88 | | 3 | SHA1 (krb5-1.4.2-signed.tar) = bbc03bd319d539fb9523c2545d80ba0784522e88 |
| 4 | RMD160 (krb5-1.4.2-signed.tar) = 44500f5fab8e5959cf43f17f5f52f68e2dc73a1f | | 4 | RMD160 (krb5-1.4.2-signed.tar) = 44500f5fab8e5959cf43f17f5f52f68e2dc73a1f |
| 5 | Size (krb5-1.4.2-signed.tar) = 6696960 bytes | | 5 | Size (krb5-1.4.2-signed.tar) = 6696960 bytes |
| 6 | SHA1 (patch-aa) = 17e0934ea2ef21b3457fba54cf3d1c36de2da479 | | 6 | SHA1 (patch-aa) = 17e0934ea2ef21b3457fba54cf3d1c36de2da479 |
| 7 | SHA1 (patch-ab) = 8d6904b80e8576085acbaa3ac0cd17824c7b301d | | 7 | SHA1 (patch-ab) = 8d6904b80e8576085acbaa3ac0cd17824c7b301d |
| 8 | SHA1 (patch-ac) = d0777e6005cd1249c7c6406068973f6959d11302 | | 8 | SHA1 (patch-ac) = d0777e6005cd1249c7c6406068973f6959d11302 |
| 9 | SHA1 (patch-ad) = 7b17ffcd14cdedeb0ddfb606802a156589995c1b | | 9 | SHA1 (patch-ad) = 7b17ffcd14cdedeb0ddfb606802a156589995c1b |
| 10 | SHA1 (patch-ae) = fc6d5e11cd827cdfbe1bfc3a3c7ca9f5a71c17d7 | | 10 | SHA1 (patch-ae) = fc6d5e11cd827cdfbe1bfc3a3c7ca9f5a71c17d7 |
| 11 | SHA1 (patch-af) = c9631743e3c93aee2aab5c8a370e9bebfc4084e5 | | 11 | SHA1 (patch-af) = c9631743e3c93aee2aab5c8a370e9bebfc4084e5 |
| 12 | SHA1 (patch-ag) = 5da57455f36a2bd40e0f97db94e93249e90e0b8e | | 12 | SHA1 (patch-ag) = 5da57455f36a2bd40e0f97db94e93249e90e0b8e |
| 13 | SHA1 (patch-ah) = 59a6bfc341a22234b38db406abe83b0d6d358a9f | | 13 | SHA1 (patch-ah) = 59a6bfc341a22234b38db406abe83b0d6d358a9f |
| | | 14 | SHA1 (patch-ai) = 02cd8a292392b107609b48b6188cd15f4597f72b |
| 14 | SHA1 (patch-aj) = 5c633571ea932ce349065cbb4c3bf482cc971675 | | 15 | SHA1 (patch-aj) = 5c633571ea932ce349065cbb4c3bf482cc971675 |
| 15 | SHA1 (patch-ak) = 9d95372fd8edddbf0366e83a51d7a0b8a507f218 | | 16 | SHA1 (patch-ak) = 9d95372fd8edddbf0366e83a51d7a0b8a507f218 |
| 16 | SHA1 (patch-al) = fb611fe47bd7c773d7baf11424e90cd3af70c422 | | 17 | SHA1 (patch-al) = fb611fe47bd7c773d7baf11424e90cd3af70c422 |
| 17 | SHA1 (patch-am) = 050690479d75c5df6e89424bac594ab48ae98a8c | | 18 | SHA1 (patch-am) = 050690479d75c5df6e89424bac594ab48ae98a8c |
| 18 | SHA1 (patch-an) = ccf76eecb4a0f3b4c7addd37ab8391dc831caa41 | | 19 | SHA1 (patch-an) = ccf76eecb4a0f3b4c7addd37ab8391dc831caa41 |
| 19 | SHA1 (patch-ao) = 22f907ce8c6d66582523b05326a9e8d56ae28401 | | 20 | SHA1 (patch-ao) = 22f907ce8c6d66582523b05326a9e8d56ae28401 |
| 20 | SHA1 (patch-ap) = c77a8f7bc35aa184e510bac576c12f55d5cfbf65 | | 21 | SHA1 (patch-ap) = c77a8f7bc35aa184e510bac576c12f55d5cfbf65 |
| 21 | SHA1 (patch-aq) = 52429b712ca7a478caeb76fd165585c7aab7fa02 | | 22 | SHA1 (patch-aq) = 52429b712ca7a478caeb76fd165585c7aab7fa02 |
| 22 | SHA1 (patch-ar) = 37807c14f03533aef8796ac90e5fac36ff98308a | | 23 | SHA1 (patch-ar) = 37807c14f03533aef8796ac90e5fac36ff98308a |
| 23 | SHA1 (patch-as) = b155219fd512b59f698497af1bf6acf1ca4f4a34 | | 24 | SHA1 (patch-as) = b155219fd512b59f698497af1bf6acf1ca4f4a34 |
| 24 | SHA1 (patch-at) = df0605b0f5fbaef6b7540f87079ae64b2acc464c | | 25 | SHA1 (patch-at) = df0605b0f5fbaef6b7540f87079ae64b2acc464c |
| | | 26 | SHA1 (patch-au) = d0201dcbc543d8a31520afc72d4ce624ce552a35 |
| | | 27 | SHA1 (patch-av) = 4166e5be21a72bf64cd634039fd71aa56594ebfd |
| | | 28 | SHA1 (patch-aw) = f9a91c4b4d6963ab09f5df1c1377303066955f4c |
| | | 29 | SHA1 (patch-ax) = f35194913d12d202389072ba399d70ef868c5432 |
| | | 30 | SHA1 (patch-ay) = 183c15b1c654c63902d5dbcf161a0879f70804a8 |
| | | 31 | SHA1 (patch-az) = 548d3275605934e6574efb878b7f4ddc97078d3d |
| | | 32 | SHA1 (patch-ba) = 7faacf94c157854fc099aaf40abae870a2e61ba6 |
| | | 33 | SHA1 (patch-bb) = 06595821593100b718e3e76c8dc2e5f0b99c8d67 |
| | | 34 | SHA1 (patch-bc) = c7d2b014b1092c0d53de6b3adcc91af39653396b |
| | | 35 | SHA1 (patch-bd) = 6a8906aaaf0f620c80f830551eb19b61d42741d6 |
| | | 36 | SHA1 (patch-be) = 09f737ae6a3a1ed0bbce4f9a26611972260523ca |
$NetBSD: patch-ai,v 1.3 2008/06/07 18:36:06 tonnerre Exp $
--- src/appl/telnet/telnetd/sys_term.c.orig 2008-06-07 15:55:51.000000000 +0200
+++ src/appl/telnet/telnetd/sys_term.c
@@ -1287,6 +1287,16 @@ start_login(host, autologin, name)
#endif
#if defined (AUTHENTICATION)
if (auth_level >= 0 && autologin == AUTH_VALID) {
+ if (name[0] == '-') {
+ /* Authenticated and authorized to log in to an
+ account starting with '-'? Even if that
+ unlikely case comes to pass, the current login
+ program will not parse the resulting command
+ line properly. */
+ syslog(LOG_ERR, "user name cannot start with '-'");
+ fatal(net, "user name cannot start with '-'");
+ exit(1);
+ }
# if !defined(NO_LOGIN_F)
#if defined(LOGIN_CAP_F)
argv = addarg(argv, "-F");
@@ -1377,12 +1387,20 @@ start_login(host, autologin, name)
} else
#endif
if (getenv("USER")) {
- argv = addarg(argv, getenv("USER"));
+ char *user = getenv("USER");
+ if (user[0] == '-') {
+ /* "telnet -l-x ..." */
+ syslog(LOG_ERR, "user name cannot start with '-'");
+ fatal(net, "user name cannot start with '-'");
+ exit(EXIT_FAILURE);
+ }
+ argv = addarg(argv, user);
#if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
{
register char **cpp;
for (cpp = environ; *cpp; cpp++)
- argv = addarg(argv, *cpp);
+ if ((*cpp)[0] != '-')
+ argv = addarg(argv, *cpp);
}
#endif
/*
$NetBSD$
--- src/appl/telnet/telnetd/state.c.orig 2002-11-15 21:21:51.000000000 +0100
+++ src/appl/telnet/telnetd/state.c
@@ -1665,7 +1665,8 @@ static int envvarok(varp)
strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
strcmp(varp, "NLSPATH") && /* locale stuff */
strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
- strcmp(varp, "IFS")) {
+ strcmp(varp, "IFS") &&
+ !strchr(varp, '-')) {
return 1;
} else {
syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
$NetBSD$
--- src/kdc/kdc_util.c.orig 2004-02-13 05:20:56.000000000 +0100
+++ src/kdc/kdc_util.c
@@ -404,6 +404,7 @@ kdc_get_server_key(krb5_ticket *ticket,
krb5_db_free_principal(kdc_context, &server, nprincs);
if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
+ limit_string(sname);
krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
sname);
free(sname);
$NetBSD$
--- src/kdc/do_tgs_req.c.orig 2005-07-12 22:59:51.000000000 +0200
+++ src/kdc/do_tgs_req.c
@@ -490,27 +490,40 @@ tgt_again:
newtransited = 1;
}
if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
+ unsigned int tlen;
+ char *tdots;
+
errcode = krb5_check_transited_list (kdc_context,
&enc_tkt_reply.transited.tr_contents,
krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
krb5_princ_realm (kdc_context, request->server));
+ tlen = enc_tkt_reply.transited.tr_contents.length;
+ tdots = tlen > 125 ? "..." : "";
+ tlen = tlen > 125 ? 125 : tlen;
+
if (errcode == 0) {
setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
krb5_klog_syslog (LOG_INFO,
- "bad realm transit path from '%s' to '%s' via '%.*s'",
+ "bad realm transit path from '%s' to '%s' "
+ "via '%.*s%s'",
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
- enc_tkt_reply.transited.tr_contents.length,
- enc_tkt_reply.transited.tr_contents.data);
- else
+ tlen,
+ enc_tkt_reply.transited.tr_contents.data,
+ tdots);
+ else {
+ char *emsg = krb5_get_error_message(kdc_context, errcode);
krb5_klog_syslog (LOG_ERR,
- "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
+ "unexpected error checking transit from "
+ "'%s' to '%s' via '%.*s%s': %s",
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
- enc_tkt_reply.transited.tr_contents.length,
+ tlen,
enc_tkt_reply.transited.tr_contents.data,
- error_message (errcode));
+ tdots, emsg);
+ krb5_free_error_message(kdc_context, emsg);
+ }
} else
krb5_klog_syslog (LOG_INFO, "not checking transit path");
if (reject_bad_transit
@@ -538,6 +551,9 @@ tgt_again:
if (!krb5_principal_compare(kdc_context, request->server, client2)) {
if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
tmp = 0;
+ if (tmp != NULL)
+ limit_string(tmp);
+
krb5_klog_syslog(LOG_INFO,
"TGS_REQ %s: 2ND_TKT_MISMATCH: "
"authtime %d, %s for %s, 2nd tkt client %s",
@@ -800,6 +816,7 @@ find_alternate_tgs(krb5_kdc_req *request
krb5_klog_syslog(LOG_INFO,
"TGS_REQ: issuing alternate <un-unparseable> TGT");
} else {
+ limit_string(sname);
krb5_klog_syslog(LOG_INFO,
"TGS_REQ: issuing TGT %s", sname);
free(sname);
$NetBSD$
--- src/kadmin/server/ovsec_kadmd.c.orig 2004-09-21 20:20:16.000000000 +0200
+++ src/kadmin/server/ovsec_kadmd.c
@@ -952,13 +952,25 @@ void log_badverf(gss_name_t client_name,
rpcproc_t proc;
int i;
const char *procname;
+ size_t clen, slen;
+ char *cdots, *sdots;
(void) gss_display_name(&minor, client_name, &client, &gss_type);
(void) gss_display_name(&minor, server_name, &server, &gss_type);
if (client.value == NULL)
client.value = "(null)";
- if (server.value == NULL)
+ clen = sizeof("(null)") -1;
+ } else {
+ clen = client.length;
+ }
+ trunc_name(&clen, &cdots);
+ if (server.value == NULL) {
server.value = "(null)";
+ slen = sizeof("(null)") - 1;
+ } else {
+ slen = server.length;
+ }
+ trunc_name(&slen, &sdots);
a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
proc = msg->rm_call.cb_proc;
@@ -971,14 +983,14 @@ void log_badverf(gss_name_t client_name,
}
if (procname != NULL)
krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
- "claimed client = %s, server = %s, addr = %s",
- procname, client.value,
- server.value, a);
+ "claimed client = %.*s%s, server = %.*s%s, addr = %s",
+ procname, clen, client.value, cdots,
+ slen, server.value, sdots, a);
else
krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
- "claimed client = %s, server = %s, addr = %s",
- proc, client.value,
- server.value, a);
+ "claimed client = %.*s%s, server = %.*s%s, addr = %s",
+ proc, clen, client.value, cdots,
+ slen, server.value, sdots, a);
(void) gss_release_buffer(&minor, &client);
(void) gss_release_buffer(&minor, &server);
$NetBSD$
--- src/kadmin/server/misc.h.orig 2004-10-28 00:12:48.000000000 +0200
+++ src/kadmin/server/misc.h
@@ -44,3 +44,5 @@ krb5_error_code process_chpw_request(krb
#ifdef SVC_GETARGS
void kadm_1(struct svc_req *, SVCXPRT *);
#endif
+
+void trunc_name(size_t *len, char **dots);
$NetBSD$
--- src/kadmin/server/schpw.c.orig 2004-10-28 00:12:48.000000000 +0200
+++ src/kadmin/server/schpw.c
@@ -41,6 +41,8 @@ process_chpw_request(context, server_han
int numresult;
char strresult[1024];
char *clientstr;
+ size_t clen;
+ char *cdots;
ret = 0;
rep->length = 0;
@@ -259,9 +261,12 @@ process_chpw_request(context, server_han
free(ptr);
clear.length = 0;
- krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s",
+ clen = strlen(clientstr);
+ trunc_name(&clen, &cdots);
+ krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",
inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),
- clientstr, ret ? error_message(ret) : "success");
+ clen, clientstr, cdots,
+ ret ? krb5_get_error_message (context, ret) : "success");
krb5_free_unparsed_name(context, clientstr);
if (ret) {
$NetBSD$
--- src/kadmin/server/server_stubs.c.orig 2004-08-20 20:45:30.000000000 +0200
+++ src/kadmin/server/server_stubs.c
@@ -14,6 +14,7 @@
#include <arpa/inet.h> /* inet_ntoa */
#include <krb5/adm_proto.h> /* krb5_klog_syslog */
#include "misc.h"
+#include <string.h>
#define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"
#define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
@@ -237,6 +238,61 @@ gss_name_to_string(gss_name_t gss_name,
return 0;
}
+static int
+log_unauth(
+ char *op,
+ char *target,
+ gss_buffer_t client,
+ gss_buffer_t server,
+ struct svc_req *rqstp)
+{
+ size_t tlen, clen, slen;
+ char *tdots, *cdots, *sdots;
+
+ tlen = strlen(target);
+ trunc_name(&tlen, &tdots);
+ clen = client->length;
+ trunc_name(&clen, &cdots);
+ slen = server->length;
+ trunc_name(&slen, &sdots);
+
+ return krb5_klog_syslog(LOG_NOTICE,
+ "Unauthorized request: %s, %.*s%s, "
+ "client=%.*s%s, service=%.*s%s, addr=%s",
+ op, tlen, target, tdots,
+ clen, client->value, cdots,
+ slen, server->value, sdots,
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+}
+
+static int
+log_done(
+ char *op,
+ char *target,
+ char *errmsg,
+ gss_buffer_t client,
+ gss_buffer_t server,
+ struct svc_req *rqstp)
+{
+ size_t tlen, clen, slen;
+ char *tdots, *cdots, *sdots;
+
+ tlen = strlen(target);
+ trunc_name(&tlen, &tdots);
+ clen = client->length;
+ trunc_name(&clen, &cdots);
+ slen = server->length;
+ trunc_name(&slen, &sdots);
+
+ return krb5_klog_syslog(LOG_NOTICE,
+ "Request: %s, %.*s%s, %s, "
+ "client=%.*s%s, service=%.*s%s, addr=%s",
+ op, tlen, target, tdots, errmsg,
+ clen, client->value, cdots,
+ slen, server->value, sdots,
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+}
+
generic_ret *
create_principal_1_svc(cprinc_arg *arg, struct svc_req *rqstp)
{
@@ -274,18 +330,15 @@ create_principal_1_svc(cprinc_arg *arg,
|| kadm5int_acl_impose_restrictions(handle->context,
&arg->rec, &arg->mask, rp)) {
ret.code = KADM5_AUTH_ADD;
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth("kadm5_create_principal", prime_arg,
+ &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_create_principal((void *)handle,
&arg->rec, arg->mask,
arg->passwd);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
- prime_arg,((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done("kadm5_create_principal", prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
free(prime_arg);
@@ -331,20 +384,18 @@ create_principal3_1_svc(cprinc3_arg *arg
|| kadm5int_acl_impose_restrictions(handle->context,
&arg->rec, &arg->mask, rp)) {
ret.code = KADM5_AUTH_ADD;
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth("kadm5_create_principal", prime_arg,
+ &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_create_principal_3((void *)handle,
&arg->rec, arg->mask,
arg->n_ks_tuple,
arg->ks_tuple,
arg->passwd);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
- prime_arg,((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+
+ log_done("kadm5_create_principal", prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
free(prime_arg);
@@ -388,15 +439,13 @@ delete_principal_1_svc(dprinc_arg *arg,
|| !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
arg->princ, NULL)) {
ret.code = KADM5_AUTH_DELETE;
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal",
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth("kadm5_delete_principal", prime_arg,
+ &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_delete_principal((void *)handle, arg->princ);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal", prime_arg,
- ((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done("kadm5_delete_principal", prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free(prime_arg);
free_server_handle(handle);
@@ -441,17 +490,14 @@ modify_principal_1_svc(mprinc_arg *arg,
|| kadm5int_acl_impose_restrictions(handle->context,
&arg->rec, &arg->mask, rp)) {
ret.code = KADM5_AUTH_MODIFY;
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal",
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth("kadm5_modify_principal", prime_arg,
+ &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
arg->mask);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal",
- prime_arg, ((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done("kadm5_modify_principal", prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
free(prime_arg);
@@ -510,17 +556,14 @@ rename_principal_1_svc(rprinc_arg *arg,
} else
ret.code = KADM5_AUTH_INSUFFICIENT;
if (ret.code != KADM5_OK) {
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal",
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth("kadm5_rename_principal", prime_arg,
+ &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_rename_principal((void *)handle, arg->src,
arg->dest);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal",
- prime_arg, ((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done("kadm5_rename_principal", prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
free(prime_arg1);
@@ -572,9 +615,8 @@ get_principal_1_svc(gprinc_arg *arg, str
arg->princ,
NULL))) {
ret.code = KADM5_AUTH_GET;
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth(funcname, prime_arg,
+ &client_name, &service_name, rqstp);
} else {
if (handle->api_version == KADM5_API_VERSION_1) {
ret.code = kadm5_get_principal_v1((void *)handle,
@@ -588,12 +630,10 @@ get_principal_1_svc(gprinc_arg *arg, str
arg->princ, &ret.rec,
arg->mask);
}
-
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
- prime_arg,
- ((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+
+ log_done(funcname, prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
free(prime_arg);
@@ -638,18 +678,15 @@ get_princs_1_svc(gprincs_arg *arg, struc
NULL,
NULL)) {
ret.code = KADM5_AUTH_LIST;
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals",
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth("kadm5_get_principals", prime_arg,
+ &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_get_principals((void *)handle,
arg->exp, &ret.princs,
&ret.count);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals",
- prime_arg,
+ log_done("kadm5_get_principals", prime_arg,
((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
@@ -697,18 +734,15 @@ chpass_principal_1_svc(chpass_arg *arg,
ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
arg->pass);
} else {
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth("kadm5_chpass_principal", prime_arg,
+ &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_CHANGEPW;
}
if(ret.code != KADM5_AUTH_CHANGEPW) {
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
- prime_arg, ((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done("kadm5_chpass_principal", prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
@@ -764,18 +798,15 @@ chpass_principal3_1_svc(chpass3_arg *arg
arg->ks_tuple,
arg->pass);
} else {
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth("kadm5_chpass_principal", prime_arg,
+ &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_CHANGEPW;
}
if(ret.code != KADM5_AUTH_CHANGEPW) {
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
- prime_arg, ((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done("kadm5_chpass_principal", prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
@@ -822,18 +853,15 @@ setv4key_principal_1_svc(setv4key_arg *a
ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
arg->keyblock);
} else {
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal",
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth("kadm5_setv4key_principal", prime_arg,
+ &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_SETKEY;
}
if(ret.code != KADM5_AUTH_SETKEY) {
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal",
- prime_arg, ((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done("kadm5_setv4key_principal", prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
@@ -880,18 +908,15 @@ setkey_principal_1_svc(setkey_arg *arg,
ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
arg->keyblocks, arg->n_keys);
} else {
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth("kadm5_setkey_principal", prime_arg,
+ &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_SETKEY;
}
if(ret.code != KADM5_AUTH_SETKEY) {
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
- prime_arg, ((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done("kadm5_setkey_principal", prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
@@ -941,18 +966,15 @@ setkey_principal3_1_svc(setkey3_arg *arg
arg->ks_tuple,
arg->keyblocks, arg->n_keys);
} else {
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth("kadm5_setkey_principal", prime_arg,
+ &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_SETKEY;
}
if(ret.code != KADM5_AUTH_SETKEY) {
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
- prime_arg, ((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done("kadm5_setkey_principal", prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
@@ -1008,9 +1030,8 @@ chrand_principal_1_svc(chrand_arg *arg,
ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
&k, &nkeys);
} else {
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth(funcname, prime_arg,
+ &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_CHANGEPW;
}
@@ -1025,11 +1046,9 @@ chrand_principal_1_svc(chrand_arg *arg,
}
if(ret.code != KADM5_AUTH_CHANGEPW) {
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
- prime_arg, ((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done(funcname, prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
free(prime_arg);
@@ -1090,9 +1109,8 @@ chrand_principal3_1_svc(chrand3_arg *arg
arg->ks_tuple,
&k, &nkeys);
} else {
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth(funcname, prime_arg,
+ &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_CHANGEPW;
}
@@ -1107,11 +1125,9 @@ chrand_principal3_1_svc(chrand3_arg *arg
}
if(ret.code != KADM5_AUTH_CHANGEPW) {
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
- prime_arg, ((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done(funcname, prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
free(prime_arg);
@@ -1152,18 +1168,15 @@ create_policy_1_svc(cpol_arg *arg, struc
rqst2name(rqstp),
ACL_ADD, NULL, NULL)) {
ret.code = KADM5_AUTH_ADD;
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy",
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
-
+ log_unauth("kadm5_create_policy", prime_arg,
+ &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_create_policy((void *)handle, &arg->rec,
arg->mask);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy",
- ((prime_arg == NULL) ? "(null)" : prime_arg),
- ((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done("kadm5_create_policy",
+ ((prime_arg == NULL) ? "(null)" : prime_arg),
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
@@ -1202,17 +1215,15 @@ delete_policy_1_svc(dpol_arg *arg, struc
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
rqst2name(rqstp),
ACL_DELETE, NULL, NULL)) {
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy",
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth("kadm5_delete_policy", prime_arg,
+ &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_DELETE;
} else {
ret.code = kadm5_delete_policy((void *)handle, arg->name);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy",
- ((prime_arg == NULL) ? "(null)" : prime_arg),
- ((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done("kadm5_delete_policy",
+ ((prime_arg == NULL) ? "(null)" : prime_arg),
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
@@ -1251,18 +1262,16 @@ modify_policy_1_svc(mpol_arg *arg, struc
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
rqst2name(rqstp),
ACL_MODIFY, NULL, NULL)) {
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy",
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth("kadm5_modify_policy", prime_arg,
+ &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_MODIFY;
} else {
ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
arg->mask);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy",
- ((prime_arg == NULL) ? "(null)" : prime_arg),
- ((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done("kadm5_modify_policy",
+ ((prime_arg == NULL) ? "(null)" : prime_arg),
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
@@ -1337,15 +1346,13 @@ get_policy_1_svc(gpol_arg *arg, struct s
&ret.rec);
}
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
- ((prime_arg == NULL) ? "(null)" : prime_arg),
- ((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done(funcname,
+ ((prime_arg == NULL) ? "(null)" : prime_arg),
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
} else {
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth(funcname, prime_arg,
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
@@ -1388,18 +1395,15 @@ get_pols_1_svc(gpols_arg *arg, struct sv
rqst2name(rqstp),
ACL_LIST, NULL, NULL)) {
ret.code = KADM5_AUTH_LIST;
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies",
- prime_arg, client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_unauth("kadm5_get_policies", prime_arg,
+ &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_get_policies((void *)handle,
arg->exp, &ret.pols,
&ret.count);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies",
- prime_arg,
- ((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done("kadm5_get_policies", prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
}
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
@@ -1432,11 +1436,9 @@ getprivs_ret * get_privs_1_svc(krb5_ui_4
}
ret.code = kadm5_get_privs((void *)handle, &ret.privs);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs",
- client_name.value,
- ((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name.value, service_name.value,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ log_done("kadm5_get_privs", client_name.value,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ &client_name, &service_name, rqstp);
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
@@ -1450,6 +1452,8 @@ generic_ret *init_1_svc(krb5_ui_4 *arg,
service_name;
kadm5_server_handle_t handle;
OM_uint32 minor_stat;
+ size_t clen, slen;
+ char *cdots, *sdots;
xdr_free(xdr_generic_ret, &ret);
@@ -1466,12 +1470,18 @@ generic_ret *init_1_svc(krb5_ui_4 *arg,
return &ret;
}
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d",
+ clen = client_name.length;
+ trunc_name(&clen, &cdots);
+ slen = service_name.length;
+ trunc_name(&slen, &sdots);
+ krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, "
+ client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",
(ret.api_version == KADM5_API_VERSION_1 ?
"kadm5_init (V1)" : "kadm5_init"),
- client_name.value,
+ clen, client_name.value, cdots,
(ret.code == 0) ? "success" : error_message(ret.code),
- client_name.value, service_name.value,
+ clen, client_name.value, cdots,
+ slen, service_name.value, sdots,
inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
rqstp->rq_cred.oa_flavor);
gss_release_buffer(&minor_stat, &client_name);
$NetBSD$
--- src/kadmin/server/kadm_rpc_svc.c.orig 2004-06-16 05:11:51.000000000 +0200
+++ src/kadmin/server/kadm_rpc_svc.c
@@ -249,6 +249,8 @@ check_rpcsec_auth(struct svc_req *rqstp)
krb5_data *c1, *c2, *realm;
gss_buffer_desc gss_str;
kadm5_server_handle_t handle;
+ size_t slen;
+ char *sdots;
success = 0;
handle = (kadm5_server_handle_t)global_server_handle;
@@ -273,6 +275,9 @@ check_rpcsec_auth(struct svc_req *rqstp)
if (ret == 0)
goto fail_name;
+ slen = gss_str.length;
+ trunc_name(&slen, &sdots);
+
/*
* Since we accept with GSS_C_NO_NAME, the client can authenticate
* against the entire kdb. Therefore, ensure that the service
@@ -295,8 +300,8 @@ check_rpcsec_auth(struct svc_req *rqstp)
fail_princ:
if (!success) {
- krb5_klog_syslog(LOG_ERR, "bad service principal %.*s",
- gss_str.length, gss_str.value);
+ krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s",
+ slen, gss_str.value, sdots);
}
gss_release_buffer(&min_stat, &gss_str);
krb5_free_principal(kctx, princ);
$NetBSD$
--- src/kadmin/server/misc.c.orig 2004-10-29 01:41:10.000000000 +0200
+++ src/kadmin/server/misc.c
@@ -149,3 +149,12 @@ check_min_life(void *server_handle, krb5
return kadm5_free_principal_ent(handle->lhandle, &princ);
}
+
+#define MAXPRINCLEN 125
+
+void
+trunc_name(size_t *len, char **dots)
+{
+ *dots = *len > MAXPRINCLEN ? "..." : "";
+ *len = *len > MAXPRINCLEN ? MAXPRINCLEN : *len;
+}
$NetBSD$
--- src/lib/kadm5/logger.c.orig 2002-09-18 22:44:13.000000000 +0200
+++ src/lib/kadm5/logger.c
@@ -45,7 +45,7 @@
#include <varargs.h>
#endif /* HAVE_STDARG_H */
-#define KRB5_KLOG_MAX_ERRMSG_SIZE 1024
+#define KRB5_KLOG_MAX_ERRMSG_SIZE 2048
#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 256
#endif /* MAXHOSTNAMELEN */
@@ -256,7 +256,9 @@ klog_com_err_proc(const char *whoami, lo
#endif /* HAVE_SYSLOG */
/* Now format the actual message */
-#if HAVE_VSPRINTF
+#if HAVE_VSNPRINTF
+ vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap);
+#elif HAVE_VSPRINTF
vsprintf(cp, actual_format, ap);
#else /* HAVE_VSPRINTF */
sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],
@@ -843,7 +845,9 @@ klog_vsyslog(int priority, const char *f
syslogp = &outbuf[strlen(outbuf)];
/* Now format the actual message */
-#ifdef HAVE_VSPRINTF
+#ifdef HAVE_VSNPRINTF
+ vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist);
+#elif HAVE_VSPRINTF
vsprintf(syslogp, format, arglist);
#else /* HAVE_VSPRINTF */
sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],
$NetBSD$
--- src/lib/gssapi/krb5/k5unseal.c.orig 2004-04-13 22:00:19.000000000 +0200
+++ src/lib/gssapi/krb5/k5unseal.c
@@ -457,8 +457,11 @@ kg_unseal_v1(context, minor_status, ctx,
if ((ctx->initiate && direction != 0xff) ||
(!ctx->initiate && direction != 0)) {
- if (toktype == KG_TOK_SEAL_MSG)
+ if (toktype == KG_TOK_SEAL_MSG) {
xfree(token.value);
+ message_buffer->value = NULL;
+ message_buffer->length = 0;
+ }
*minor_status = G_BAD_DIRECTION;
return(GSS_S_BAD_SIG);
}