author | Eric Sandall | 2007-04-10 21:17:44 -0700 |
---|---|---|
committer | Eric Sandall | 2007-04-10 21:17:44 -0700 |
commit | 7c4c6d6a4931a3ccd97249f7e2f623c2e159273f (patch) | |
tree | 46f9b1abeb087830239717dce44fb1c26b0315d1 | |
parent | b509cfa9434f4f10ad77df070198f2f3533cc023 (diff) | |
parent | c549bc690f0bc9b5731938322f9a8c2c66db2e00 (diff) |
Merge branch 'stable-rc-0.9' of ssh://scm.sourcemage.org/smgl/grimoire into stable-rc-0.9
-rwxr-xr-x | archive/tar/BUILD | 2 | ||||
-rw-r--r-- | archive/tar/HISTORY | 4 | ||||
-rwxr-xr-x | archive/tar/INSTALL | 2 | ||||
-rwxr-xr-x | audio-players/gxmms2/DETAILS | 2 | ||||
-rw-r--r-- | audio-players/gxmms2/HISTORY | 3 | ||||
-rw-r--r-- | crypto/krb5/2007-001-patch.txt | 74 | ||||
-rw-r--r-- | crypto/krb5/2007-002-patch.txt | 1273 | ||||
-rw-r--r-- | crypto/krb5/2007-003-patch.txt | 24 | ||||
-rwxr-xr-x | crypto/krb5/BUILD | 5 | ||||
-rwxr-xr-x | crypto/krb5/DETAILS | 2 | ||||
-rw-r--r-- | crypto/krb5/HISTORY | 4 | ||||
-rwxr-xr-x | graphics-libs/freetype2/DETAILS | 3 | ||||
-rw-r--r-- | graphics-libs/freetype2/HISTORY | 9 | ||||
-rwxr-xr-x | kde-apps/ktorrent/DETAILS | 2 | ||||
-rw-r--r-- | kde-apps/ktorrent/HISTORY | 3 | ||||
-rw-r--r-- | kde-core/kdelibs/CVE-2007-1564-kdelibs-3.5.6.diff | 81 | ||||
-rwxr-xr-x | kde-core/kdelibs/DETAILS | 2 | ||||
-rw-r--r-- | kde-core/kdelibs/HISTORY | 10 | ||||
-rwxr-xr-x | kde-core/kdelibs/PRE_BUILD | 1 | ||||
-rwxr-xr-x | mail/dovecot/BUILD | 9 | ||||
-rwxr-xr-x | mail/dovecot/CONFIGURE | 5 | ||||
-rwxr-xr-x | mail/dovecot/DETAILS | 1 | ||||
-rw-r--r-- | mail/dovecot/HISTORY | 11 | ||||
-rwxr-xr-x | mail/dovecot/INSTALL | 2 | ||||
-rwxr-xr-x | xfce/verve-plugin/DEPENDS | 3 | ||||
-rw-r--r-- | xfce/verve-plugin/HISTORY | 3 |
26 files changed, 1518 insertions, 22 deletions
diff --git a/archive/tar/BUILD b/archive/tar/BUILD index 400f25d395..cef62cc036 100755 --- a/archive/tar/BUILD +++ b/archive/tar/BUILD @@ -9,5 +9,5 @@ OPTS="$OPTS --build=${BUILD}" --mandir=${INSTALL_ROOT}/usr/share/man \ --infodir=${INSTALL_ROOT}/usr/share/info \ $OPTS && -make DESTDIR=$INSTALL_ROOT +make diff --git a/archive/tar/HISTORY b/archive/tar/HISTORY index b65d7a8dff..0cc91af7fb 100644 --- a/archive/tar/HISTORY +++ b/archive/tar/HISTORY @@ -1,3 +1,7 @@ +2007-04-02 Thomas Orgis <sobukus@sourcemage.org> + * BUILD, INSTALL: remove DESTDIR, since that doubled INSTALL_ROOT, + bug 13593 + 2007-01-20 Pol Vinogradov <vin.public@gmail.com> * BUILD: install_rootifying * CONFIGURE: removed diff --git a/archive/tar/INSTALL b/archive/tar/INSTALL index 10a1e28b72..8992ad1b53 100755 --- a/archive/tar/INSTALL +++ b/archive/tar/INSTALL @@ -1,2 +1,2 @@ -make install DESTDIR=$INSTALL_ROOT && +make install && cp $SCRIPT_DIRECTORY/tar.1.gz ${INSTALL_ROOT}/usr/share/man/man1 diff --git a/audio-players/gxmms2/DETAILS b/audio-players/gxmms2/DETAILS index 6ad01fada9..036c258ac0 100755 --- a/audio-players/gxmms2/DETAILS +++ b/audio-players/gxmms2/DETAILS @@ -2,7 +2,7 @@ VERSION=0.6.5 SOURCE=$SPELL-$VERSION.tar.gz SOURCE_DIRECTORY=$BUILD_DIRECTORY/$SPELL-$VERSION - SOURCE_URL[0]=http://wejp.k.vu/wejp/xmms2/$SOURCE + SOURCE_URL[0]=http://wejp.k.vu/projects/xmms2/$SOURCE SOURCE_HASH=sha512:a2dad6c4dc51c749ea3b680c74b42034fa29993c4edeb32f8959f802956829b7426e93bdfa9dc99ef8d7bee043504cd66474e940596e5064b28bd0ac06bf7f6b WEB_SITE=http://wejp.k.vu/ LICENSE[0]=GPL diff --git a/audio-players/gxmms2/HISTORY b/audio-players/gxmms2/HISTORY index b839a3dfe9..f821dd09f7 100644 --- a/audio-players/gxmms2/HISTORY +++ b/audio-players/gxmms2/HISTORY @@ -1,3 +1,6 @@ +2007-04-06 Elisamuel Resto <ryuji@mages.ath.cx> + * DETAILS: SOURCE_URL change. Bug #13684 + 2007-03-14 Andraž "ruskie" Levstik <ruskie@mages.ath.cx> * DETAILS: forgot to update the hash 
diff --git a/crypto/krb5/2007-001-patch.txt b/crypto/krb5/2007-001-patch.txt
new file mode 100644
index 0000000000..741ed35ad4
--- /dev/null
+++ b/crypto/krb5/2007-001-patch.txt
@@ -0,0 +1,74 @@
+*** src/appl/telnet/telnetd/state.c (revision 19480)
+--- src/appl/telnet/telnetd/state.c (local)
+***************
+*** 1665,1671 ****
+ strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
+ strcmp(varp, "NLSPATH") && /* locale stuff */
+ strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
+! strcmp(varp, "IFS")) {
+ return 1;
+ } else {
+ syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
+--- 1665,1672 ----
+ strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
+ strcmp(varp, "NLSPATH") && /* locale stuff */
+ strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
+! strcmp(varp, "IFS") &&
+! !strchr(varp, '-')) {
+ return 1;
+ } else {
+ syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
+*** src/appl/telnet/telnetd/sys_term.c (revision 19480)
+--- src/appl/telnet/telnetd/sys_term.c (local)
+***************
+*** 1287,1292 ****
+--- 1287,1302 ----
+ #endif
+ #if defined (AUTHENTICATION)
+ if (auth_level >= 0 && autologin == AUTH_VALID) {
++ if (name[0] == '-') {
++ /* Authenticated and authorized to log in to an
++ account starting with '-'? Even if that
++ unlikely case comes to pass, the current login
++ program will not parse the resulting command
++ line properly. */
++ syslog(LOG_ERR, "user name cannot start with '-'");
++ fatal(net, "user name cannot start with '-'");
++ exit(1);
++ }
+ # if !defined(NO_LOGIN_F)
+ #if defined(LOGIN_CAP_F)
+ argv = addarg(argv, "-F");
+***************
+*** 1377,1387 ****
+ } else
+ #endif
+ if (getenv("USER")) {
+! argv = addarg(argv, getenv("USER"));
+ #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
+ {
+ register char **cpp;
+ for (cpp = environ; *cpp; cpp++)
+ argv = addarg(argv, *cpp);
+ }
+ #endif
+--- 1387,1405 ----
+ } else
+ #endif
+ if (getenv("USER")) {
+! char *user = getenv("USER");
+! if (user[0] == '-') {
+! /* "telnet -l-x ..." */
+! syslog(LOG_ERR, "user name cannot start with '-'");
+!  fatal(net, "user name cannot start with '-'");
+! exit(1);
+! }
+! argv = addarg(argv, user);
+ #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
+ {
+ register char **cpp;
+ for (cpp = environ; *cpp; cpp++)
++ if ((*cpp)[0] != '-')
+ argv = addarg(argv, *cpp);
+ }
+ #endif
diff --git a/crypto/krb5/2007-002-patch.txt b/crypto/krb5/2007-002-patch.txt
new file mode 100644
index 0000000000..69f7d198f7
--- /dev/null
+++ b/crypto/krb5/2007-002-patch.txt
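Review bot: The `for (cpp = environ; *cpp; cpp++)` loop in the second sys_term.c change of 2007-001-patch.txt drops environment entries starting with '-' without logging anything, whereas the two user-name checks call `syslog(LOG_ERR, ...)` and state.c logs each rejected variable, so this filtered case is invisible to anyone reviewing telnetd logs. Bracing the loop body and adding `else syslog(LOG_INFO, "Ignored environment entry starting with '-'");` would close that gap. Separately, the new `!strchr(varp, '-')` term in state.c has no trailing comment like its neighbours; a short one such as `/* '-' could be taken as a login option */` would record the reason, which I am inferring from the sys_term.c comment. The enclosing functions begin and end outside the context shown in the patch.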
@@ -0,0 +1,1273 @@ +*** src/kadmin/server/kadm_rpc_svc.c (revision 19480) +--- src/kadmin/server/kadm_rpc_svc.c (local) +*************** +*** 250,255 **** +--- 250,257 ---- + krb5_data *c1, *c2, *realm; + gss_buffer_desc gss_str; + kadm5_server_handle_t handle; ++ size_t slen; ++ char *sdots; + + success = 0; + handle = (kadm5_server_handle_t)global_server_handle; +*************** +*** 274,279 **** +--- 276,283 ---- + if (ret == 0) + goto fail_name; + ++ slen = gss_str.length; ++ trunc_name(&slen, &sdots); + /* + * Since we accept with GSS_C_NO_NAME, the client can authenticate + * against the entire kdb. Therefore, ensure that the service +*************** +*** 296,303 **** + + fail_princ: + if (!success) { +! krb5_klog_syslog(LOG_ERR, "bad service principal %.*s", +! gss_str.length, gss_str.value); + } + gss_release_buffer(&min_stat, &gss_str); + krb5_free_principal(kctx, princ); +--- 300,307 ---- + + fail_princ: + if (!success) { +! krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s", +! slen, gss_str.value, sdots); + } + gss_release_buffer(&min_stat, &gss_str); + krb5_free_principal(kctx, princ); +*** src/kadmin/server/misc.c (revision 19480) +--- src/kadmin/server/misc.c (local) +*************** +*** 171,173 **** +--- 171,182 ---- + + return kadm5_free_principal_ent(handle->lhandle, &princ); + } ++ ++ #define MAXPRINCLEN 125 ++ ++ void ++ trunc_name(size_t *len, char **dots) ++ { ++ *dots = *len > MAXPRINCLEN ? "..." : ""; ++ *len = *len > MAXPRINCLEN ? 
MAXPRINCLEN : *len; ++ } +*** src/kadmin/server/misc.h (revision 19480) +--- src/kadmin/server/misc.h (local) +*************** +*** 45,47 **** +--- 45,49 ---- + #ifdef SVC_GETARGS + void kadm_1(struct svc_req *, SVCXPRT *); + #endif ++ ++ void trunc_name(size_t *len, char **dots); +*** src/kadmin/server/ovsec_kadmd.c (revision 19480) +--- src/kadmin/server/ovsec_kadmd.c (local) +*************** +*** 992,997 **** +--- 992,999 ---- + rpcproc_t proc; + int i; + const char *procname; ++ size_t clen, slen; ++ char *cdots, *sdots; + + client.length = 0; + client.value = NULL; +*************** +*** 1000,1009 **** + + (void) gss_display_name(&minor, client_name, &client, &gss_type); + (void) gss_display_name(&minor, server_name, &server, &gss_type); +! if (client.value == NULL) + client.value = "(null)"; +! if (server.value == NULL) + server.value = "(null)"; + a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); + + proc = msg->rm_call.cb_proc; +--- 1002,1021 ---- + + (void) gss_display_name(&minor, client_name, &client, &gss_type); + (void) gss_display_name(&minor, server_name, &server, &gss_type); +! if (client.value == NULL) { + client.value = "(null)"; +! clen = sizeof("(null)") -1; +! } else { +! clen = client.length; +! } +! trunc_name(&clen, &cdots); +! if (server.value == NULL) { + server.value = "(null)"; ++ slen = sizeof("(null)") - 1; ++ } else { ++ slen = server.length; ++ } ++ trunc_name(&slen, &sdots); + a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); + + proc = msg->rm_call.cb_proc; +*************** +*** 1016,1029 **** + } + if (procname != NULL) + krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, " +! "claimed client = %s, server = %s, addr = %s", +! procname, client.value, +! server.value, a); + else + krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, " +! "claimed client = %s, server = %s, addr = %s", +! proc, client.value, +! 
server.value, a); + + (void) gss_release_buffer(&minor, &client); + (void) gss_release_buffer(&minor, &server); +--- 1028,1041 ---- + } + if (procname != NULL) + krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, " +! "claimed client = %.*s%s, server = %.*s%s, addr = %s", +! procname, clen, client.value, cdots, +! slen, server.value, sdots, a); + else + krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, " +! "claimed client = %.*s%s, server = %.*s%s, addr = %s", +! proc, clen, client.value, cdots, +! slen, server.value, sdots, a); + + (void) gss_release_buffer(&minor, &client); + (void) gss_release_buffer(&minor, &server); +*** src/kadmin/server/schpw.c (revision 19480) +--- src/kadmin/server/schpw.c (local) +*************** +*** 40,45 **** +--- 40,47 ---- + int numresult; + char strresult[1024]; + char *clientstr; ++ size_t clen; ++ char *cdots; + + ret = 0; + rep->length = 0; +*************** +*** 258,266 **** + free(ptr); + clear.length = 0; + +! krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s", + inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr), +! clientstr, ret ? krb5_get_error_message (context, ret) : "success"); + krb5_free_unparsed_name(context, clientstr); + + if (ret) { +--- 260,271 ---- + free(ptr); + clear.length = 0; + +! clen = strlen(clientstr); +! trunc_name(&clen, &cdots); +! krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s", + inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr), +! clen, clientstr, cdots, +! ret ? 
krb5_get_error_message (context, ret) : "success"); + krb5_free_unparsed_name(context, clientstr); + + if (ret) { +*** src/kadmin/server/server_stubs.c (revision 19480) +--- src/kadmin/server/server_stubs.c (local) +*************** +*** 14,19 **** +--- 14,20 ---- + #include <arpa/inet.h> /* inet_ntoa */ + #include <adm_proto.h> /* krb5_klog_syslog */ + #include "misc.h" ++ #include <string.h> + + #define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s" + #define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s" +*************** +*** 237,242 **** +--- 238,298 ---- + return 0; + } + ++ static int ++ log_unauth( ++ char *op, ++ char *target, ++ gss_buffer_t client, ++ gss_buffer_t server, ++ struct svc_req *rqstp) ++ { ++ size_t tlen, clen, slen; ++ char *tdots, *cdots, *sdots; ++ ++ tlen = strlen(target); ++ trunc_name(&tlen, &tdots); ++ clen = client->length; ++ trunc_name(&clen, &cdots); ++ slen = server->length; ++ trunc_name(&slen, &sdots); ++ ++ return krb5_klog_syslog(LOG_NOTICE, ++ "Unauthorized request: %s, %.*s%s, " ++ "client=%.*s%s, service=%.*s%s, addr=%s", ++ op, tlen, target, tdots, ++ clen, client->value, cdots, ++ slen, server->value, sdots, ++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ } ++ ++ static int ++ log_done( ++ char *op, ++ char *target, ++ char *errmsg, ++ gss_buffer_t client, ++ gss_buffer_t server, ++ struct svc_req *rqstp) ++ { ++ size_t tlen, clen, slen; ++ char *tdots, *cdots, *sdots; ++ ++ tlen = strlen(target); ++ trunc_name(&tlen, &tdots); ++ clen = client->length; ++ trunc_name(&clen, &cdots); ++ slen = server->length; ++ trunc_name(&slen, &sdots); ++ ++ return krb5_klog_syslog(LOG_NOTICE, ++ "Request: %s, %.*s%s, %s, " ++ "client=%.*s%s, service=%.*s%s, addr=%s", ++ op, tlen, target, tdots, errmsg, ++ clen, client->value, cdots, ++ slen, server->value, sdots, ++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ } ++ + generic_ret * + create_principal_2_svc(cprinc_arg *arg, struct 
svc_req *rqstp) + { +*************** +*** 275,283 **** + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_ADD; +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + ret.code = kadm5_create_principal((void *)handle, + &arg->rec, arg->mask, +--- 331,338 ---- + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_ADD; +! log_unauth("kadm5_create_principal", prime_arg, +! &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_create_principal((void *)handle, + &arg->rec, arg->mask, +*************** +*** 287,296 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +--- 342,349 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_create_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +*************** +*** 341,349 **** + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_ADD; +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + ret.code = kadm5_create_principal_3((void *)handle, + &arg->rec, arg->mask, +--- 394,401 ---- + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_ADD; +! 
log_unauth("kadm5_create_principal", prime_arg, +! &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_create_principal_3((void *)handle, + &arg->rec, arg->mask, +*************** +*** 355,364 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +--- 407,414 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_create_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +*************** +*** 406,414 **** + || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, + arg->princ, NULL)) { + ret.code = KADM5_AUTH_DELETE; +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + ret.code = kadm5_delete_principal((void *)handle, arg->princ); + if( ret.code == 0 ) +--- 456,463 ---- + || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, + arg->princ, NULL)) { + ret.code = KADM5_AUTH_DELETE; +! log_unauth("kadm5_delete_principal", prime_arg, +! &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_delete_principal((void *)handle, arg->princ); + if( ret.code == 0 ) +*************** +*** 416,425 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + + /* no need to check for NULL. 
Even if it is NULL, atleast error_code will be returned */ + } +--- 465,472 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_delete_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +*************** +*** 469,477 **** + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_MODIFY; +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + ret.code = kadm5_modify_principal((void *)handle, &arg->rec, + arg->mask); +--- 516,523 ---- + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_MODIFY; +! log_unauth("kadm5_modify_principal", prime_arg, +! &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_modify_principal((void *)handle, &arg->rec, + arg->mask); +*************** +*** 480,489 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +--- 526,533 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_modify_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +*************** +*** 546,554 **** + } else + ret.code = KADM5_AUTH_INSUFFICIENT; + if (ret.code != KADM5_OK) { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal", +! 
prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + ret.code = kadm5_rename_principal((void *)handle, arg->src, + arg->dest); +--- 590,597 ---- + } else + ret.code = KADM5_AUTH_INSUFFICIENT; + if (ret.code != KADM5_OK) { +! log_unauth("kadm5_rename_principal", prime_arg, +! &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_rename_principal((void *)handle, arg->src, + arg->dest); +*************** +*** 557,566 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + free(prime_arg1); +--- 600,607 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_rename_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + free(prime_arg1); +*************** +*** 614,622 **** + arg->princ, + NULL))) { + ret.code = KADM5_AUTH_GET; +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + if (handle->api_version == KADM5_API_VERSION_1) { + ret.code = kadm5_get_principal_v1((void *)handle, +--- 655,662 ---- + arg->princ, + NULL))) { + ret.code = KADM5_AUTH_GET; +! log_unauth(funcname, prime_arg, +! &client_name, &service_name, rqstp); + } else { + if (handle->api_version == KADM5_API_VERSION_1) { + ret.code = kadm5_get_principal_v1((void *)handle, +*************** +*** 636,646 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, +! prime_arg, +! errmsg, +! client_name.value, service_name.value, +! 
inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + + } + free_server_handle(handle); +--- 676,683 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done(funcname, prime_arg, errmsg, +! &client_name, &service_name, rqstp); + + } + free_server_handle(handle); +*************** +*** 688,696 **** + NULL, + NULL)) { + ret.code = KADM5_AUTH_LIST; +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + ret.code = kadm5_get_principals((void *)handle, + arg->exp, &ret.princs, +--- 725,732 ---- + NULL, + NULL)) { + ret.code = KADM5_AUTH_LIST; +! log_unauth("kadm5_get_principals", prime_arg, +! &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_get_principals((void *)handle, + arg->exp, &ret.princs, +*************** +*** 700,710 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals", +! prime_arg, +! errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + + } + free_server_handle(handle); +--- 736,743 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_get_principals", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + + } + free_server_handle(handle); +*************** +*** 755,763 **** + ret.code = kadm5_chpass_principal((void *)handle, arg->princ, + arg->pass); + } else { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_CHANGEPW; + } + +--- 788,795 ---- + ret.code = kadm5_chpass_principal((void *)handle, arg->princ, + arg->pass); + } else { +! log_unauth("kadm5_chpass_principal", prime_arg, +! 
&client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; + } + +*************** +*** 767,776 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + + free_server_handle(handle); +--- 799,806 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_chpass_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +*************** +*** 828,836 **** + arg->ks_tuple, + arg->pass); + } else { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_CHANGEPW; + } + +--- 858,865 ---- + arg->ks_tuple, + arg->pass); + } else { +! log_unauth("kadm5_chpass_principal", prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; + } + +*************** +*** 840,849 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + + free_server_handle(handle); +--- 869,876 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_chpass_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +*************** +*** 892,900 **** + ret.code = kadm5_setv4key_principal((void *)handle, arg->princ, + arg->keyblock); + } else { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal", +! prime_arg, client_name.value, service_name.value, +! 
inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_SETKEY; + } + +--- 919,926 ---- + ret.code = kadm5_setv4key_principal((void *)handle, arg->princ, + arg->keyblock); + } else { +! log_unauth("kadm5_setv4key_principal", prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_SETKEY; + } + +*************** +*** 904,913 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + + free_server_handle(handle); +--- 930,937 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_setv4key_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +*************** +*** 956,964 **** + ret.code = kadm5_setkey_principal((void *)handle, arg->princ, + arg->keyblocks, arg->n_keys); + } else { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_SETKEY; + } + +--- 980,987 ---- + ret.code = kadm5_setkey_principal((void *)handle, arg->princ, + arg->keyblocks, arg->n_keys); + } else { +! log_unauth("kadm5_setkey_principal", prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_SETKEY; + } + +*************** +*** 968,977 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + + free_server_handle(handle); +--- 991,998 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! 
log_done("kadm5_setkey_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +*************** +*** 1023,1031 **** + arg->ks_tuple, + arg->keyblocks, arg->n_keys); + } else { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_SETKEY; + } + +--- 1044,1051 ---- + arg->ks_tuple, + arg->keyblocks, arg->n_keys); + } else { +! log_unauth("kadm5_setkey_principal", prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_SETKEY; + } + +*************** +*** 1035,1044 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + + free_server_handle(handle); +--- 1055,1062 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_setkey_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +*************** +*** 1097,1105 **** + ret.code = kadm5_randkey_principal((void *)handle, arg->princ, + &k, &nkeys); + } else { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_CHANGEPW; + } + +--- 1115,1122 ---- + ret.code = kadm5_randkey_principal((void *)handle, arg->princ, + &k, &nkeys); + } else { +! log_unauth(funcname, prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; + } + +*************** +*** 1119,1128 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, +! prime_arg, errmsg, +! 
client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + free(prime_arg); +--- 1136,1143 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done(funcname, prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + free(prime_arg); +*************** +*** 1185,1193 **** + arg->ks_tuple, + &k, &nkeys); + } else { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_CHANGEPW; + } + +--- 1200,1207 ---- + arg->ks_tuple, + &k, &nkeys); + } else { +! log_unauth(funcname, prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; + } + +*************** +*** 1207,1216 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + free(prime_arg); +--- 1221,1228 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done(funcname, prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + free(prime_arg); +*************** +*** 1253,1262 **** + rqst2name(rqstp), + ACL_ADD, NULL, NULL)) { + ret.code = KADM5_AUTH_ADD; +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); +! + } else { + ret.code = kadm5_create_policy((void *)handle, &arg->rec, + arg->mask); +--- 1265,1273 ---- + rqst2name(rqstp), + ACL_ADD, NULL, NULL)) { + ret.code = KADM5_AUTH_ADD; +! log_unauth("kadm5_create_policy", prime_arg, +! &client_name, &service_name, rqstp); +! 
+ } else { + ret.code = kadm5_create_policy((void *)handle, &arg->rec, + arg->mask); +*************** +*** 1265,1275 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy", +! ((prime_arg == NULL) ? "(null)" : prime_arg), +! errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +--- 1276,1284 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_create_policy", +! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +*************** +*** 1310,1318 **** + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, + rqst2name(rqstp), + ACL_DELETE, NULL, NULL)) { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_DELETE; + } else { + ret.code = kadm5_delete_policy((void *)handle, arg->name); +--- 1319,1326 ---- + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, + rqst2name(rqstp), + ACL_DELETE, NULL, NULL)) { +! log_unauth("kadm5_delete_policy", prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_DELETE; + } else { + ret.code = kadm5_delete_policy((void *)handle, arg->name); +*************** +*** 1321,1331 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy", +! ((prime_arg == NULL) ? "(null)" : prime_arg), +! errmsg, +! client_name.value, service_name.value, +! 
inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +--- 1329,1337 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_delete_policy", +! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +*************** +*** 1366,1374 **** + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, + rqst2name(rqstp), + ACL_MODIFY, NULL, NULL)) { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_MODIFY; + } else { + ret.code = kadm5_modify_policy((void *)handle, &arg->rec, +--- 1372,1379 ---- + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, + rqst2name(rqstp), + ACL_MODIFY, NULL, NULL)) { +! log_unauth("kadm5_modify_policy", prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_MODIFY; + } else { + ret.code = kadm5_modify_policy((void *)handle, &arg->rec, +*************** +*** 1378,1388 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy", +! ((prime_arg == NULL) ? "(null)" : prime_arg), +! errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +--- 1383,1391 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_modify_policy", +! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, +! 
&client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +*************** +*** 1464,1478 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, +! ((prime_arg == NULL) ? "(null)" : prime_arg), +! errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +--- 1467,1478 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done(funcname, +! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, +! &client_name, &service_name, rqstp); + } else { +! log_unauth(funcname, prime_arg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +*************** +*** 1517,1525 **** + rqst2name(rqstp), + ACL_LIST, NULL, NULL)) { + ret.code = KADM5_AUTH_LIST; +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + ret.code = kadm5_get_policies((void *)handle, + arg->exp, &ret.pols, +--- 1517,1524 ---- + rqst2name(rqstp), + ACL_LIST, NULL, NULL)) { + ret.code = KADM5_AUTH_LIST; +! log_unauth("kadm5_get_policies", prime_arg, +! &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_get_policies((void *)handle, + arg->exp, &ret.pols, +*************** +*** 1529,1539 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies", +! prime_arg, +! errmsg, +! client_name.value, service_name.value, +! 
inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +--- 1528,1535 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_get_policies", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +*************** +*** 1573,1583 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs", +! client_name.value, +! errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +--- 1569,1576 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_get_privs", client_name.value, errmsg, +! &client_name, &service_name, rqstp); + + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +*************** +*** 1594,1599 **** +--- 1587,1594 ---- + kadm5_server_handle_t handle; + OM_uint32 minor_stat; + char *errmsg = 0; ++ size_t clen, slen; ++ char *cdots, *sdots; + + xdr_free(xdr_generic_ret, &ret); + +*************** +*** 1612,1625 **** + + if (ret.code != 0) + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d", +! (ret.api_version == KADM5_API_VERSION_1 ? +! "kadm5_init (V1)" : "kadm5_init"), +! client_name.value, +! (ret.code == 0) ? "success" : errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), +! rqstp->rq_cred.oa_flavor); + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); + +--- 1607,1628 ---- + + if (ret.code != 0) + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); +! 
else +! errmsg = "success"; +! +! clen = client_name.length; +! trunc_name(&clen, &cdots); +! slen = service_name.length; +! trunc_name(&slen, &sdots); +! krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, " +! "client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d", +! (ret.api_version == KADM5_API_VERSION_1 ? +! "kadm5_init (V1)" : "kadm5_init"), +! clen, client_name.value, cdots, errmsg, +! clen, client_name.value, cdots, +! slen, service_name.value, sdots, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), +! rqstp->rq_cred.oa_flavor); + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); + +*** src/kdc/do_tgs_req.c (revision 19480) +--- src/kdc/do_tgs_req.c (local) +*************** +*** 491,518 **** + newtransited = 1; + } + if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) { + errcode = krb5_check_transited_list (kdc_context, + &enc_tkt_reply.transited.tr_contents, + krb5_princ_realm (kdc_context, header_ticket->enc_part2->client), + krb5_princ_realm (kdc_context, request->server)); + if (errcode == 0) { + setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED); + } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT) + krb5_klog_syslog (LOG_INFO, +! "bad realm transit path from '%s' to '%s' via '%.*s'", + cname ? cname : "<unknown client>", + sname ? sname : "<unknown server>", +! enc_tkt_reply.transited.tr_contents.length, +! enc_tkt_reply.transited.tr_contents.data); + else { + const char *emsg = krb5_get_error_message(kdc_context, errcode); + krb5_klog_syslog (LOG_ERR, +! "unexpected error checking transit from '%s' to '%s' via '%.*s': %s", + cname ? cname : "<unknown client>", + sname ? sname : "<unknown server>", +! enc_tkt_reply.transited.tr_contents.length, + enc_tkt_reply.transited.tr_contents.data, +! 
emsg); + krb5_free_error_message(kdc_context, emsg); + } + } else +--- 491,528 ---- + newtransited = 1; + } + if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) { ++ unsigned int tlen; ++ char *tdots; ++ + errcode = krb5_check_transited_list (kdc_context, + &enc_tkt_reply.transited.tr_contents, + krb5_princ_realm (kdc_context, header_ticket->enc_part2->client), + krb5_princ_realm (kdc_context, request->server)); ++ tlen = enc_tkt_reply.transited.tr_contents.length; ++ tdots = tlen > 125 ? "..." : ""; ++ tlen = tlen > 125 ? 125 : tlen; ++ + if (errcode == 0) { + setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED); + } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT) + krb5_klog_syslog (LOG_INFO, +! "bad realm transit path from '%s' to '%s' " +! "via '%.*s%s'", + cname ? cname : "<unknown client>", + sname ? sname : "<unknown server>", +! tlen, +! enc_tkt_reply.transited.tr_contents.data, +! tdots); + else { + const char *emsg = krb5_get_error_message(kdc_context, errcode); + krb5_klog_syslog (LOG_ERR, +! "unexpected error checking transit from " +! "'%s' to '%s' via '%.*s%s': %s", + cname ? cname : "<unknown client>", + sname ? sname : "<unknown server>", +! tlen, + enc_tkt_reply.transited.tr_contents.data, +! 
tdots, emsg); + krb5_free_error_message(kdc_context, emsg); + } + } else +*************** +*** 542,547 **** +--- 552,560 ---- + if (!krb5_principal_compare(kdc_context, request->server, client2)) { + if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp))) + tmp = 0; ++ if (tmp != NULL) ++ limit_string(tmp); ++ + krb5_klog_syslog(LOG_INFO, + "TGS_REQ %s: 2ND_TKT_MISMATCH: " + "authtime %d, %s for %s, 2nd tkt client %s", +*************** +*** 816,821 **** +--- 829,835 ---- + krb5_klog_syslog(LOG_INFO, + "TGS_REQ: issuing alternate <un-unparseable> TGT"); + } else { ++ limit_string(sname); + krb5_klog_syslog(LOG_INFO, + "TGS_REQ: issuing TGT %s", sname); + free(sname); +*** src/kdc/kdc_util.c (revision 19480) +--- src/kdc/kdc_util.c (local) +*************** +*** 404,409 **** +--- 404,410 ---- + + krb5_db_free_principal(kdc_context, &server, nprincs); + if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) { ++ limit_string(sname); + krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'", + sname); + free(sname); +*** src/lib/kadm5/logger.c (revision 19480) +--- src/lib/kadm5/logger.c (local) +*************** +*** 45,51 **** + #include <varargs.h> + #endif /* HAVE_STDARG_H */ + +! #define KRB5_KLOG_MAX_ERRMSG_SIZE 1024 + #ifndef MAXHOSTNAMELEN + #define MAXHOSTNAMELEN 256 + #endif /* MAXHOSTNAMELEN */ +--- 45,51 ---- + #include <varargs.h> + #endif /* HAVE_STDARG_H */ + +! #define KRB5_KLOG_MAX_ERRMSG_SIZE 2048 + #ifndef MAXHOSTNAMELEN + #define MAXHOSTNAMELEN 256 + #endif /* MAXHOSTNAMELEN */ +*************** +*** 261,267 **** + #endif /* HAVE_SYSLOG */ + + /* Now format the actual message */ +! #if HAVE_VSPRINTF + vsprintf(cp, actual_format, ap); + #else /* HAVE_VSPRINTF */ + sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1], +--- 261,269 ---- + #endif /* HAVE_SYSLOG */ + + /* Now format the actual message */ +! #if HAVE_VSNPRINTF +! vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap); +! 
#elif HAVE_VSPRINTF + vsprintf(cp, actual_format, ap); + #else /* HAVE_VSPRINTF */ + sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1], +*************** +*** 850,856 **** + syslogp = &outbuf[strlen(outbuf)]; + + /* Now format the actual message */ +! #ifdef HAVE_VSPRINTF + vsprintf(syslogp, format, arglist); + #else /* HAVE_VSPRINTF */ + sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1], +--- 852,860 ---- + syslogp = &outbuf[strlen(outbuf)]; + + /* Now format the actual message */ +! #ifdef HAVE_VSNPRINTF +! vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist); +! #elif HAVE_VSPRINTF + vsprintf(syslogp, format, arglist); + #else /* HAVE_VSPRINTF */ + sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1], diff --git a/crypto/krb5/2007-003-patch.txt b/crypto/krb5/2007-003-patch.txt new file mode 100644 index 0000000000..cefd7247a2 --- /dev/null +++ b/crypto/krb5/2007-003-patch.txt @@ -0,0 +1,24 @@ +*** src/lib/gssapi/krb5/k5unseal.c (revision 19510) +--- src/lib/gssapi/krb5/k5unseal.c (revision 19511) +*************** +*** 457,464 **** + + if ((ctx->initiate && direction != 0xff) || + (!ctx->initiate && direction != 0)) { +! if (toktype == KG_TOK_SEAL_MSG) + xfree(token.value); + *minor_status = G_BAD_DIRECTION; + return(GSS_S_BAD_SIG); + } +--- 457,467 ---- + + if ((ctx->initiate && direction != 0xff) || + (!ctx->initiate && direction != 0)) { +! if (toktype == KG_TOK_SEAL_MSG) { + xfree(token.value); ++ message_buffer->value = NULL; ++ message_buffer->length = 0; ++ } + *minor_status = G_BAD_DIRECTION; + return(GSS_S_BAD_SIG); + } diff --git a/crypto/krb5/BUILD b/crypto/krb5/BUILD index 14d12068f3..3a94233a7d 100755 --- a/crypto/krb5/BUILD +++ b/crypto/krb5/BUILD 
@@ -6,6 +6,11 @@ fi cd $SPELL-$VERSION/src && +# Kerberos Security Advisories +patch -p1 < $SCRIPT_DIRECTORY/2007-001-patch.txt && +patch -p1 < $SCRIPT_DIRECTORY/2007-002-patch.txt && +patch -p1 < $SCRIPT_DIRECTORY/2007-003-patch.txt && + ./configure --enable-dns-for-kdc \ --enable-dns-for-realm \ --infodir=/usr/share/info \ diff --git a/crypto/krb5/DETAILS b/crypto/krb5/DETAILS index 8269613f70..fe1e94b29f 100755 --- a/crypto/krb5/DETAILS +++ b/crypto/krb5/DETAILS @@ -9,7 +9,7 @@ SOURCE_DIRECTORY=$BUILD_DIRECTORY/$SPELL-$VERSION ENTERED=20020215 LICENSE[0]=http://web.mit.edu/kerberos/www/krb5-1.6/krb5-1.6/doc/krb5-install.html#Copyright PATCHLEVEL=0 - SECURITY_PATCH=2 + SECURITY_PATCH=3 KEYWORDS="security crypto" SHORT="Kerberos 5 network security protocol" cat << EOF diff --git a/crypto/krb5/HISTORY b/crypto/krb5/HISTORY index 2b94aef9c2..74aac0fadb 100644 --- a/crypto/krb5/HISTORY +++ b/crypto/krb5/HISTORY @@ -1,3 +1,7 @@ +2007-04-04 Ladislav Hagara <hgr@vabo.cz> + * DETAILS: SECURITY_PATCH=3 + * BUILD, 2007-00[123]-patch.txt: added security patches + 2007-01-14 Ladislav Hagara <hgr@vabo.cz> * DETAILS: 1.6 SECURITY_PATCH=2, http://web.mit.edu/kerberos/www/krb5-1.6/ diff --git a/graphics-libs/freetype2/DETAILS b/graphics-libs/freetype2/DETAILS index 0933f0aef3..483851f8f2 100755 --- a/graphics-libs/freetype2/DETAILS +++ b/graphics-libs/freetype2/DETAILS @@ -1,5 +1,6 @@ SPELL=freetype2 - VERSION=2.3.2 + VERSION=2.3.3 + SECURITY_PATCH=1 SOURCE=freetype-$VERSION.tar.bz2 SOURCE2=$SOURCE.sig SOURCE_DIRECTORY=${BUILD_DIRECTORY}/freetype-${VERSION} diff --git a/graphics-libs/freetype2/HISTORY b/graphics-libs/freetype2/HISTORY index d0d99898d1..f476cca864 100644 --- a/graphics-libs/freetype2/HISTORY +++ b/graphics-libs/freetype2/HISTORY 
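Review bot: The three advisory patches are applied from BUILD, after `cd $SPELL-$VERSION/src`, whereas the kdelibs spell in this same commit applies its security diff from PRE_BUILD. If BUILD is ever run a second time against the same unpacked tree (not visible here whether the build system allows that), `patch` would hit already-applied hunks and the `&&` chain would stop before `./configure`. Moving the three `patch -p1 < $SCRIPT_DIRECTORY/2007-00N-patch.txt &&` lines into a PRE_BUILD step that runs once after unpacking would avoid that and keep the two spells consistent. The comment `# Kerberos Security Advisories` would also be more useful to an auditor if it named the upstream advisory each file corresponds to.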
@@ -1,4 +1,11 @@ -2007-03-09 Treeve Jelbert <treeve@pi.be> +2007-04-05 Arwed v. Merkatz <v.merkatz@gmx.net> + * DETAILS: SECURITY_PATCH++, CVE-2007-1351, heap overflow in BDF font + handling + +2007-04-05 Martin Spitzbarth <m.spitzbarth@gmx.de> + * DETAILS: version 2.3.3 + +2007-03-09 Treeve Jelbert <treeve@sourcemage.org> * DETAILS: version 2.3.2 2007-02-23 Arwed v. Merkatz <v.merkatz@gmx.net> diff --git a/kde-apps/ktorrent/DETAILS b/kde-apps/ktorrent/DETAILS index 6bad237d90..8b4c35557c 100755 --- a/kde-apps/ktorrent/DETAILS +++ b/kde-apps/ktorrent/DETAILS @@ -2,7 +2,7 @@ VERSION=2.1.1 SOURCE=$SPELL-$VERSION.tar.gz SOURCE_URL=http://ktorrent.org/downloads/$VERSION/$SOURCE - SOURCE_HASH=sha512:0c8bba0ab07406ecf665fe629f5f0518ef6cc9f7688563fedf23a404f1bbede9ccd8f3cf0a066b7dbdcd0455bcad6e2b72ff970e01ea5a839f260e9c9b5cbf2b + SOURCE_HASH=sha512:94f459fe23eb8f32f754deb85cc34fb94289c961326055a3ec99a2fca4296e410c7b4ede0ff6308a4a24f63e93eebfb79c40f0ef61a6b74dad64fcda564191be SOURCE_DIRECTORY=$BUILD_DIRECTORY/$SPELL-$VERSION WEB_SITE=http://www.ktorrent.org ENTERED=20060128 diff --git a/kde-apps/ktorrent/HISTORY b/kde-apps/ktorrent/HISTORY index 9ba1f41fb7..97cf8cb02c 100644 --- a/kde-apps/ktorrent/HISTORY +++ b/kde-apps/ktorrent/HISTORY @@ -1,3 +1,6 @@ +2007-04-07 Jaka Kranjc <lynxlynxlynx@sourcemage.org> + * DETAILS: update the hash #13686, they changed to make + 2007-03-06 Jaka Kranjc <lynxlynxlynx@sourcemage.org> * BUILD: added to avoid needing unsermake * DEPENDS: added optional avahi diff --git a/kde-core/kdelibs/CVE-2007-1564-kdelibs-3.5.6.diff b/kde-core/kdelibs/CVE-2007-1564-kdelibs-3.5.6.diff new file mode 100644 index 0000000000..b026d67a3d --- /dev/null +++ b/kde-core/kdelibs/CVE-2007-1564-kdelibs-3.5.6.diff 
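Review bot: In ktorrent/DETAILS the `SOURCE_HASH` is replaced while `VERSION=2.1.1` and `SOURCE_URL` stay the same, so the spell now accepts a different tarball under the same release name, and the HISTORY entry does not say how the new file was checked. Because the download is plain `http://`, the sha512 is the only integrity control on this source, and swapping it without a recorded verification step weakens that control. I would extend the HISTORY line to state what was compared, for example `* DETAILS: upstream re-rolled the 2.1.1 tarball; new hash taken after diffing against the previous tarball, bug #13686` (wording constructed, adjust to what was actually done).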
@@ -0,0 +1,81 @@
+--- khtml/ecma/kjs_html.cpp
++++ khtml/ecma/kjs_html.cpp
+@@ -1866,9 +1866,11 @@ Value KJS::HTMLElement::getValueProperty
+ getDOMNode(exec, frameElement.contentDocument()) : Undefined();
+ case FrameContentWindow: {
+ KHTMLPart* part = static_cast<DOM::HTMLFrameElementImpl*>(frameElement.handle())->contentPart();
+- if (part)
+- return Value(Window::retrieveWindow(part));
+- else
++ if (part) {
++ Window *w = Window::retrieveWindow(part);
++ if (w)
++ return Value(w);
++ }
+ return Undefined();
+ }
+ case FrameFrameBorder: return String(frameElement.frameBorder());
+@@ -1899,9 +1901,11 @@ Value KJS::HTMLElement::getValueProperty
+ getDOMNode(exec, iFrame.contentDocument()) : Undefined();
+ case IFrameContentWindow: {
+ KHTMLPart* part = static_cast<DOM::HTMLIFrameElementImpl*>(iFrame.handle())->contentPart();
+- if (part)
+- return Value(Window::retrieveWindow(part));
+- else
++ if (part) {
++ Window *w = Window::retrieveWindow(part);
++ if (w)
++ return Value(w);
++ }
+ return Undefined();
+ }
+ case IFrameFrameBorder: return String(iFrame.frameBorder());
+--- kioslave/ftp/ftp.cc
++++ kioslave/ftp/ftp.cc
+@@ -58,6 +58,7 @@
+ #include <kmimemagic.h>
+ #include <kmimetype.h>
+ #include <ksockaddr.h>
++#include <ksocketaddress.h>
+ #include <kio/ioslave_defaults.h>
+ #include <kio/slaveconfig.h>
+ #include <kremoteencoding.h>
+@@ -835,7 +836,6 @@ bool Ftp::ftpSendCmd( const QCString& cm
+ return true;
+ }
+
+-
+ /*
+ * ftpOpenPASVDataConnection - set up data connection, using PASV mode
+ *
+@@ -853,6 +853,8 @@ int Ftp::ftpOpenPASVDataConnection()
+ if (sa != NULL && sa->family() != PF_INET)
+ return ERR_INTERNAL; // no PASV for non-PF_INET connections
+
++ const KInetSocketAddress *sin = static_cast<const KInetSocketAddress*>(sa);
++
+ if (m_extControl & pasvUnknown)
+ return ERR_INTERNAL; // already tried and got "unknown command"
+
+@@ -886,14 +888,17 @@ int Ftp::ftpOpenPASVDataConnection()
+ }
+
+ // Make hostname and port number ...
+- QString host; +- host.sprintf("%d.%d.%d.%d", i[0], i[1], i[2], i[3]); + int port = i[4] << 8 | i[5]; + ++ // we ignore the host part on purpose for two reasons ++ // a) it might be wrong anyway ++ // b) it would make us being suceptible to a port scanning attack ++ + // now connect the data socket ... + m_data = new FtpSocket("PASV"); +- m_data->setAddress(host, port); +- kdDebug(7102) << "Connecting to " << host << " on port " << port << endl; ++ m_data->setAddress(sin->nodeName(), port); ++ ++ kdDebug(7102) << "Connecting to " << sin->nodeName() << " on port " << port << endl; + return m_data->connectSocket(connectTimeout(), false); + } + diff --git a/kde-core/kdelibs/DETAILS b/kde-core/kdelibs/DETAILS index 2fc3b834df..859f47aefe 100755 --- a/kde-core/kdelibs/DETAILS +++ b/kde-core/kdelibs/DETAILS @@ -8,7 +8,7 @@ SOURCE_DIRECTORY=$BUILD_DIRECTORY/$SPELL-$VERSION SOURCE_URL[0]=$KDE_URL/stable/${VERSION//.0/}/src/$SOURCE WEB_SITE=http://www.kde.org ENTERED=20020912 - SECURITY_PATCH=2 + SECURITY_PATCH=3 LICENSE[0]=GPL KEYWORDS="kde" SHORT="Base applications that form the core of KDE." diff --git a/kde-core/kdelibs/HISTORY b/kde-core/kdelibs/HISTORY index cbad1a3b1f..b2d32d5e5f 100644 --- a/kde-core/kdelibs/HISTORY +++ b/kde-core/kdelibs/HISTORY @@ -1,4 +1,12 @@ -2007-03-08 Treeve Jelbert <treeve01@pi.be> +2007-04-02 Treeve Jelbert <treeve@sourcemage.org> + * DETAILS: SECURITY_PATCH++ + * CVE-2007-1564-kdelibs-3.5.6.diff: added + * PRE_BUILD: apply patch + security fix CVE-2007-1564 + URL: http://www.kde.org/info/security/advisory-20070326-1.txt + fixes bug #13672 + +2007-03-08 Treeve Jelbert <treeve@sourcemage.org> * DETAILS: SECURITY_PATCH * PRE_BUILD, post-3.5.6-kdelibs.diff:add security fix CVE-2007-0537 diff --git a/kde-core/kdelibs/PRE_BUILD b/kde-core/kdelibs/PRE_BUILD index 13e482626d..cab47ecd48 100755 --- a/kde-core/kdelibs/PRE_BUILD +++ b/kde-core/kdelibs/PRE_BUILD 
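Review bot: In `Ftp::ftpOpenPASVDataConnection()` the new `sin` pointer is cast from `sa` directly after a guard that returns only when `sa != NULL && sa->family() != PF_INET`, so a NULL `sa` passes the guard and the added `sin->nodeName()` calls would dereference NULL. Where `sa` is assigned lies outside the hunk, so whether it can really be NULL here is not visible, but the existing `sa != NULL` test suggests the original author allowed for it. Tightening the guard to `if (sa == NULL || sa->family() != PF_INET) return ERR_INTERNAL;` would make the cast and both uses safe. Since this file is the upstream advisory patch, the change would have to be carried as a local addition or reported upstream; the function body continues outside the hunk.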
@@ -1,3 +1,4 @@ default_pre_build && cd $SOURCE_DIRECTORY && +patch -p0 < $SPELL_DIRECTORY/CVE-2007-1564-kdelibs-3.5.6.diff && patch -p0 < $SPELL_DIRECTORY/post-3.5.6-kdelibs.diff diff --git a/mail/dovecot/BUILD b/mail/dovecot/BUILD index 4c1dfe51a6..966460dd7d 100755 --- a/mail/dovecot/BUILD +++ b/mail/dovecot/BUILD @@ -1,5 +1,10 @@ #LDFLAGS="$LDFLAGS -lc" # disableing what we don't have available +if [[ $DOVECOT_EXT_LDA == y ]]; then +OPTS="--with-deliver $OPTS" +else +OPTS="--without-deliver $OPTS" +fi && OPTS="--without-vpopmail \ --without-sia \ --without-bsdauth \ @@ -7,10 +12,12 @@ OPTS="--without-vpopmail \ $DOVECOT_OPTS \ $OPTS" && default_build && -pushd dovecot-sieve-1.0.1 && +if [[ $DOVECOT_EXT_LDA == y ]]; then +pushd dovecot-sieve-* && OPTS="--with-dovecot=.." && default_build && popd +fi # when the dspam plugin will get updated to work in # a multiuser environment this will be usefull #pushd src/plugins/dspam diff --git a/mail/dovecot/CONFIGURE b/mail/dovecot/CONFIGURE index e08bdfcf27..5f37e62984 100755 --- a/mail/dovecot/CONFIGURE +++ b/mail/dovecot/CONFIGURE @@ -33,11 +33,6 @@ config_query_option DOVECOT_OPTS \ "--with-pop3d" \ "--without-pop3d" && config_query_option DOVECOT_OPTS \ - 'Build mail delivery agent' \ - y \ - "--with-deliver" \ - "--without-deliver" && -config_query_option DOVECOT_OPTS \ 'Install documentation' \ y \ "--with-docs" \ diff --git a/mail/dovecot/DETAILS b/mail/dovecot/DETAILS index 73d359cfd1..91975db92b 100755 --- a/mail/dovecot/DETAILS +++ b/mail/dovecot/DETAILS @@ -22,6 +22,7 @@ fi SOURCE_DIRECTORY=$BUILD_DIRECTORY/$SPELL-$VERSION ENTERED=20030224 SECURITY_PATCH=1 + PATCHLEVEL=1 LICENSE[0]=GPL WEB_SITE=http://www.dovecot.org/ KEYWORDS="mail" diff --git a/mail/dovecot/HISTORY b/mail/dovecot/HISTORY index d774a7ac30..650c435f8f 100644 --- a/mail/dovecot/HISTORY +++ b/mail/dovecot/HISTORY 
@@ -1,9 +1,5 @@ -2007-03-31 Andraž "ruskie" Levstik <ruskie@mages.ath.cx> - * DETAILS: update to 1.0.rc29 - SECURITY_PATCH=1:Security fix: If zlib plugin was loaded, it was possible - to open gzipped mbox files outside the user's mail directory. - added managesieve server patch - updated lda +2007-04-01 Andraž "ruskie" Levstik <ruskie@mages.ath.cx> + * DETAILS: added managesieve server patch, PATCHLEVEL++ * PREPARE: ask for managesieve if lda is selected * CONFIGURE: added plenty of options to configure * BUILD: fixup for extra options, disabled what we don't have @@ -12,6 +8,9 @@ * PREPARE: ask for managesieve patch * PRE_BUILD: handle the managesieve patch +2007-03-31 Andraž "ruskie" Levstik <ruskie@mages.ath.cx> + * DETAILS: update to 1.0.rc29, SECURITY_PATCH=1 + 2006-03-14 Bearcat M. Sandor <sourcemage@feline-soul.com> * DETAILS: update to 1.0.rc26 diff --git a/mail/dovecot/INSTALL b/mail/dovecot/INSTALL index 1cdd0df924..d2599df331 100755 --- a/mail/dovecot/INSTALL +++ b/mail/dovecot/INSTALL @@ -1,4 +1,6 @@ default_install && +if [[ $DOVECOT_EXT_LDA == y ]]; then pushd dovecot-sieve-1.0.1 && default_install && popd +fi diff --git a/xfce/verve-plugin/DEPENDS b/xfce/verve-plugin/DEPENDS index 45188033fd..108befd71f 100755 --- a/xfce/verve-plugin/DEPENDS +++ b/xfce/verve-plugin/DEPENDS @@ -1,2 +1,3 @@ depends xfce4-panel && -depends exo +depends exo && +depends pcre diff --git a/xfce/verve-plugin/HISTORY b/xfce/verve-plugin/HISTORY index aa113df99d..9f17e018af 100644 --- a/xfce/verve-plugin/HISTORY +++ b/xfce/verve-plugin/HISTORY @@ -1,3 +1,6 @@ +2007-04-02 David Brown <dmlb2000@gmail.com> + * DEPENDS: needs pcre + 2007-01-23 George Sherwood <george@beernabeer.com> * DEPENDS, DETAILS, HISTORY: created the spell |
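Review bot: mail/dovecot/INSTALL still enters the plugin tree with `pushd dovecot-sieve-1.0.1 &&`, while the BUILD hunk in this same commit switched to `pushd dovecot-sieve-* &&`, so the two scripts will disagree as soon as the sieve version changes: the build succeeds and the install step then fails on a missing directory. I would use the same expression in both places, `pushd dovecot-sieve-* &&` in INSTALL, or better a single variable set once in DETAILS and used by both scripts. The glob also assumes exactly one matching directory, which a variable would not.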