pkgsrc/security/mit-krb5/patches/patch-aw

$NetBSD$

--- kdc/do_tgs_req.c.orig	2005-07-12 22:59:51.000000000 +0200
+++ kdc/do_tgs_req.c
@@ -490,27 +490,38 @@ tgt_again:
 	newtransited = 1;
     }
     if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
+	unsigned int tlen;
+	char *tdots;
+
 	errcode = krb5_check_transited_list (kdc_context,
 					     &enc_tkt_reply.transited.tr_contents,
 					     krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
 					     krb5_princ_realm (kdc_context, request->server));
+	tlen = enc_tkt_reply.transited.tr_contents.length;
+	tdots = tlen > 125 ? "..." : "";
+	tlen = tlen > 125 ? 125 : tlen;
+
 	if (errcode == 0) {
 	    setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
 	} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
 	    krb5_klog_syslog (LOG_INFO,
-			      "bad realm transit path from '%s' to '%s' via '%.*s'",
+			      "bad realm transit path from '%s' to '%s' "
+			      "via '%.*s%s'",
 			      cname ? cname : "<unknown client>",
 			      sname ? sname : "<unknown server>",
-			      enc_tkt_reply.transited.tr_contents.length,
-			      enc_tkt_reply.transited.tr_contents.data);
-	else
+			      tlen,
+			      enc_tkt_reply.transited.tr_contents.data,
+			      tdots);
+	else {
 	    krb5_klog_syslog (LOG_ERR,
-			      "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
+			      "unexpected error checking transit from "
+			      "'%s' to '%s' via '%.*s%s': %s",
 			      cname ? cname : "<unknown client>",
 			      sname ? sname : "<unknown server>",
-			      enc_tkt_reply.transited.tr_contents.length,
+			      tlen,
 			      enc_tkt_reply.transited.tr_contents.data,
-			      error_message (errcode));
+			      tdots, error_message (errcode));
+	}
     } else
 	krb5_klog_syslog (LOG_INFO, "not checking transit path");
     if (reject_bad_transit
@@ -538,6 +549,9 @@ tgt_again:
 	if (!krb5_principal_compare(kdc_context, request->server, client2)) {
 		if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
 			tmp = 0;
+		if (tmp != NULL)
+			limit_string(tmp);
+
 		krb5_klog_syslog(LOG_INFO,
 				 "TGS_REQ %s: 2ND_TKT_MISMATCH: "
 				 "authtime %d, %s for %s, 2nd tkt client %s",
@@ -800,6 +814,7 @@ find_alternate_tgs(krb5_kdc_req *request
 		krb5_klog_syslog(LOG_INFO,
 		       "TGS_REQ: issuing alternate <un-unparseable> TGT");
 	    } else {
+		limit_string(sname);
 		krb5_klog_syslog(LOG_INFO,
 		       "TGS_REQ: issuing TGT %s", sname);
 		free(sname);
Add security patches for 3 Kerberos vulnerabilities: - telnetd username and environment sanitizing vulnerabilities ("-f root") as described in MIT Kerberos advisory 2007-001. - krb5_klog_syslog() problems with overly long log strings as described in MIT Kerberos advisory 2007-002. - GSS API kg_unseal_v1() double free vulnerability as described in the MIT Kerberos advisory 2007-003. 2008-06-07 20:36:06 +02:00			$NetBSD$

Remove parts of a different security patch which slipped in but are not supported yet. Don't bump revision as the package didn't build before. 2008-06-07 22:22:18 +02:00			`--- kdc/do_tgs_req.c.orig 2005-07-12 22:59:51.000000000 +0200`
			`+++ kdc/do_tgs_req.c`
			`@@ -490,27 +490,38 @@ tgt_again:`
Add security patches for 3 Kerberos vulnerabilities: - telnetd username and environment sanitizing vulnerabilities ("-f root") as described in MIT Kerberos advisory 2007-001. - krb5_klog_syslog() problems with overly long log strings as described in MIT Kerberos advisory 2007-002. - GSS API kg_unseal_v1() double free vulnerability as described in the MIT Kerberos advisory 2007-003. 2008-06-07 20:36:06 +02:00			`newtransited = 1;`
			`}`
			`if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {`
			`+ unsigned int tlen;`
			`+ char *tdots;`
			`+`
			`errcode = krb5_check_transited_list (kdc_context,`
			`&enc_tkt_reply.transited.tr_contents,`
			`krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),`
			`krb5_princ_realm (kdc_context, request->server));`
			`+ tlen = enc_tkt_reply.transited.tr_contents.length;`
			`+ tdots = tlen > 125 ? "..." : "";`
			`+ tlen = tlen > 125 ? 125 : tlen;`
			`+`
			`if (errcode == 0) {`
			`setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);`
			`} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)`
			`krb5_klog_syslog (LOG_INFO,`
			`- "bad realm transit path from '%s' to '%s' via '%.*s'",`
			`+ "bad realm transit path from '%s' to '%s' "`
			`+ "via '%.*s%s'",`
			`cname ? cname : "<unknown client>",`
			`sname ? sname : "<unknown server>",`
			`- enc_tkt_reply.transited.tr_contents.length,`
			`- enc_tkt_reply.transited.tr_contents.data);`
			`- else`
			`+ tlen,`
			`+ enc_tkt_reply.transited.tr_contents.data,`
			`+ tdots);`
			`+ else {`
			`krb5_klog_syslog (LOG_ERR,`
			`- "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",`
			`+ "unexpected error checking transit from "`
			`+ "'%s' to '%s' via '%.*s%s': %s",`
			`cname ? cname : "<unknown client>",`
			`sname ? sname : "<unknown server>",`
			`- enc_tkt_reply.transited.tr_contents.length,`
			`+ tlen,`
			`enc_tkt_reply.transited.tr_contents.data,`
			`- error_message (errcode));`
Remove parts of a different security patch which slipped in but are not supported yet. Don't bump revision as the package didn't build before. 2008-06-07 22:22:18 +02:00			`+ tdots, error_message (errcode));`
Add security patches for 3 Kerberos vulnerabilities: - telnetd username and environment sanitizing vulnerabilities ("-f root") as described in MIT Kerberos advisory 2007-001. - krb5_klog_syslog() problems with overly long log strings as described in MIT Kerberos advisory 2007-002. - GSS API kg_unseal_v1() double free vulnerability as described in the MIT Kerberos advisory 2007-003. 2008-06-07 20:36:06 +02:00			`+ }`
			`} else`
			`krb5_klog_syslog (LOG_INFO, "not checking transit path");`
			`if (reject_bad_transit`
Remove parts of a different security patch which slipped in but are not supported yet. Don't bump revision as the package didn't build before. 2008-06-07 22:22:18 +02:00			`@@ -538,6 +549,9 @@ tgt_again:`
Add security patches for 3 Kerberos vulnerabilities: - telnetd username and environment sanitizing vulnerabilities ("-f root") as described in MIT Kerberos advisory 2007-001. - krb5_klog_syslog() problems with overly long log strings as described in MIT Kerberos advisory 2007-002. - GSS API kg_unseal_v1() double free vulnerability as described in the MIT Kerberos advisory 2007-003. 2008-06-07 20:36:06 +02:00			`if (!krb5_principal_compare(kdc_context, request->server, client2)) {`
			`if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))`
			`tmp = 0;`
			`+ if (tmp != NULL)`
			`+ limit_string(tmp);`
			`+`
			`krb5_klog_syslog(LOG_INFO,`
			`"TGS_REQ %s: 2ND_TKT_MISMATCH: "`
			`"authtime %d, %s for %s, 2nd tkt client %s",`
Remove parts of a different security patch which slipped in but are not supported yet. Don't bump revision as the package didn't build before. 2008-06-07 22:22:18 +02:00			`@@ -800,6 +814,7 @@ find_alternate_tgs(krb5_kdc_req *request`
Add security patches for 3 Kerberos vulnerabilities: - telnetd username and environment sanitizing vulnerabilities ("-f root") as described in MIT Kerberos advisory 2007-001. - krb5_klog_syslog() problems with overly long log strings as described in MIT Kerberos advisory 2007-002. - GSS API kg_unseal_v1() double free vulnerability as described in the MIT Kerberos advisory 2007-003. 2008-06-07 20:36:06 +02:00			`krb5_klog_syslog(LOG_INFO,`
			`"TGS_REQ: issuing alternate <un-unparseable> TGT");`
			`} else {`
			`+ limit_string(sname);`
			`krb5_klog_syslog(LOG_INFO,`
			`"TGS_REQ: issuing TGT %s", sname);`
			`free(sname);`