Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2025-12-09 12:45:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/krb5 (Old) and /work/SRC/openSUSE:Factory/.krb5.new.1939 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "krb5" Tue Dec 9 12:45:47 2025 rev:178 rq:1321564 version:1.22.1 Changes: -------- --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2025-07-17 17:18:13.890419792 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5-mini.changes 2025-12-09 12:47:01.795514364 +0100 
@@ -1,0 +2,60 @@ +Fri Aug 29 17:32:17 UTC 2025 - Samuel Cabrero <[email protected]> + +- Update to 1.22.1 + * Fix a vulnerability in GSS MIC verification [CVE-2025-57736] +- Changes in 1.22.0 + User experience + * The libdefaults configuration variable "request_timeout" can be + set to limit the total timeout for KDC requests. When making a + KDC request, the client will now wait indefinitely (or until the + request timeout has elapsed) on a KDC which accepts a TCP + connection, without contacting any additional KDCs. Clients will + make fewer DNS queries in some configurations. + * The realm configuration variable "sitename" can be set to cause + the client to query site-specific DNS records when making KDC + requests. + Administrator experience + * Principal aliases are supported in the DB2 and LMDB KDB modules + and in the kadmin protocol. (The LDAP KDB module has supported + aliases since release 1.7.) + * UNIX domain sockets are supported for the Kerberos and kpasswd + protocols. + * systemd socket activation is supported for krb5kdc and kadmind. + Developer experience + * KDB modules can be be implemented in terms of other modules using + the new krb5_db_load_module() function. + * The profile library supports the modification of empty profiles + and the copying of modified profiles, making it possible to + construct an in-memory profile and pass it to + krb5_init_context_profile(). + * GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to + gss_init_sec_context() to request strict enforcement of channel + bindings by the acceptor. +Protocol evolution + * The PKINIT preauth module supports elliptic curve client + certificates, ECDH key exchange, and the Microsoft paChecksum2 field. + * The IAKERB implementation has been changed to comply with the + most recent draft standard and to support realm discovery. + * Message-Authenticator is supported in the RADIUS implementation + used by the OTP kdcpreauth module. 
+Code quality + * Removed old-style function declarations, to accomodate compilers + which have removed support for them. + * Added OSS-Fuzz to the project's continuous integration infrastructure. + * Rewrote the GSS per-message token parsing code for improved safety. +- Updated patches: + * 0001-ksu-pam-integration.patch + * 0002-krb5-1.9-manpaths.patch + * 0003-Adjust-build-configuration.patch + * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch + * 0005-krb5-1.6.3-ktutil-manpage.patch + * 0006-krb5-1.12-api.patch + * 0007-SELinux-integration.patch + * 0008-krb5-1.9-debuginfo.patch +- Renamed patches: + * 0011_usr_etc.patch -> 0009-UsrEtc-support.patch +- Deleted patches: + * 0009-Fix-three-memory-leaks.patch + * 0010-CVE-2025-24528.patch + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/krb5/krb5.changes 2025-07-17 17:18:13.902420291 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5.changes 2025-12-09 12:47:03.447584187 +0100 
@@ -1,0 +2,66 @@ +Mon Nov 24 12:56:46 UTC 2025 - Samuel Cabrero <[email protected]> + +- Fix memory leak; (bsc#1252989); Update patch + 0009-UsrEtc-support.patch + +------------------------------------------------------------------- +Fri Aug 29 17:32:17 UTC 2025 - Samuel Cabrero <[email protected]> + +- Update to 1.22.1 + * Fix a vulnerability in GSS MIC verification [CVE-2025-57736] +- Changes in 1.22.0 + User experience + * The libdefaults configuration variable "request_timeout" can be + set to limit the total timeout for KDC requests. When making a + KDC request, the client will now wait indefinitely (or until the + request timeout has elapsed) on a KDC which accepts a TCP + connection, without contacting any additional KDCs. Clients will + make fewer DNS queries in some configurations. + * The realm configuration variable "sitename" can be set to cause + the client to query site-specific DNS records when making KDC + requests. + Administrator experience + * Principal aliases are supported in the DB2 and LMDB KDB modules + and in the kadmin protocol. (The LDAP KDB module has supported + aliases since release 1.7.) + * UNIX domain sockets are supported for the Kerberos and kpasswd + protocols. + * systemd socket activation is supported for krb5kdc and kadmind. + Developer experience + * KDB modules can be be implemented in terms of other modules using + the new krb5_db_load_module() function. + * The profile library supports the modification of empty profiles + and the copying of modified profiles, making it possible to + construct an in-memory profile and pass it to + krb5_init_context_profile(). + * GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to + gss_init_sec_context() to request strict enforcement of channel + bindings by the acceptor. +Protocol evolution + * The PKINIT preauth module supports elliptic curve client + certificates, ECDH key exchange, and the Microsoft paChecksum2 field. 
+ * The IAKERB implementation has been changed to comply with the + most recent draft standard and to support realm discovery. + * Message-Authenticator is supported in the RADIUS implementation + used by the OTP kdcpreauth module. +Code quality + * Removed old-style function declarations, to accomodate compilers + which have removed support for them. + * Added OSS-Fuzz to the project's continuous integration infrastructure. + * Rewrote the GSS per-message token parsing code for improved safety. +- Updated patches: + * 0001-ksu-pam-integration.patch + * 0002-krb5-1.9-manpaths.patch + * 0003-Adjust-build-configuration.patch + * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch + * 0005-krb5-1.6.3-ktutil-manpage.patch + * 0006-krb5-1.12-api.patch + * 0007-SELinux-integration.patch + * 0008-krb5-1.9-debuginfo.patch +- Renamed patches: + * 0011_usr_etc.patch -> 0009-UsrEtc-support.patch +- Deleted patches: + * 0009-Fix-three-memory-leaks.patch + * 0010-CVE-2025-24528.patch + +------------------------------------------------------------------- Old: ---- 0009-Fix-three-memory-leaks.patch 0010-CVE-2025-24528.patch 0011_usr_etc.patch krb5-1.21.3.tar.gz krb5-1.21.3.tar.gz.asc New: ---- 0009-UsrEtc-support.patch krb5-1.22.1.tar.gz krb5-1.22.1.tar.gz.asc ----------(Old B)---------- Old:/work/SRC/openSUSE:Factory/.krb5.new.1939/krb5-mini.changes-- Deleted patches: /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5-mini.changes: * 0009-Fix-three-memory-leaks.patch /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5-mini.changes- * 0010-CVE-2025-24528.patch -- /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5.changes-- Deleted patches: /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5.changes: * 0009-Fix-three-memory-leaks.patch /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5.changes- * 0010-CVE-2025-24528.patch Old:/work/SRC/openSUSE:Factory/.krb5.new.1939/krb5-mini.changes- * 0009-Fix-three-memory-leaks.patch /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5-mini.changes: * 
0010-CVE-2025-24528.patch /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5-mini.changes- -- /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5.changes- * 0009-Fix-three-memory-leaks.patch /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5.changes: * 0010-CVE-2025-24528.patch /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5.changes- Old:/work/SRC/openSUSE:Factory/.krb5.new.1939/krb5-mini.changes-- Renamed patches: /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5-mini.changes: * 0011_usr_etc.patch -> 0009-UsrEtc-support.patch /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5-mini.changes-- Deleted patches: -- /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5.changes-- Renamed patches: /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5.changes: * 0011_usr_etc.patch -> 0009-UsrEtc-support.patch /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5.changes-- Deleted patches: ----------(Old E)---------- ----------(New B)---------- New:/work/SRC/openSUSE:Factory/.krb5.new.1939/krb5-mini.changes-- Renamed patches: /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5-mini.changes: * 0011_usr_etc.patch -> 0009-UsrEtc-support.patch /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5-mini.changes-- Deleted patches: -- /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5.changes-- Fix memory leak; (bsc#1252989); Update patch /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5.changes: 0009-UsrEtc-support.patch /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5.changes- ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ krb5-mini.spec ++++++ --- /var/tmp/diff_new_pack.DaZfLU/_old 2025-12-09 12:47:23.744442006 +0100 +++ /var/tmp/diff_new_pack.DaZfLU/_new 2025-12-09 12:47:23.744442006 +0100 
@@ -1,7 +1,7 @@
 #
 # spec file for package krb5-mini
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,13 +24,13 @@
 %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name: krb5-mini
-Version: 1.21.3
+Version: 1.22.1
 Release: 0
 Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
 License: MIT
 URL: https://kerberos.org/dist/
-Source0: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz
-Source1: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz.asc
+Source0: https://kerberos.org/dist/krb5/1.22/krb5-%{version}.tar.gz
+Source1: https://kerberos.org/dist/krb5/1.22/krb5-%{version}.tar.gz.asc
 Source2: krb5.keyring
 Source3: vendor-files.tar.bz2
 Source4: baselibs.conf
@@ -44,9 +44,7 @@
 Patch6: 0006-krb5-1.12-api.patch
 Patch7: 0007-SELinux-integration.patch
 Patch8: 0008-krb5-1.9-debuginfo.patch
-Patch9: 0009-Fix-three-memory-leaks.patch
-Patch10: 0010-CVE-2025-24528.patch
-Patch11: 0011_usr_etc.patch
+Patch9: 0009-UsrEtc-support.patch
 BuildRequires: autoconf
 BuildRequires: bison
 BuildRequires: pkgconfig
++++++ krb5.spec ++++++
--- /var/tmp/diff_new_pack.DaZfLU/_old 2025-12-09 12:47:23.796444204 +0100
+++ /var/tmp/diff_new_pack.DaZfLU/_new 2025-12-09 12:47:23.796444204 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package krb5
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
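Review bot: The `@@ -44,9 +44,7 @@` hunk of krb5-mini.spec drops `Patch10: 0010-CVE-2025-24528.patch`, and the changelog only lists it under "Deleted patches" without saying where the fix now lives. Presumably the fix is part of the 1.22 sources, but nothing on this page confirms that, so it should be checked against the 1.22.1 tarball before the downstream patch goes away. I would record the result in both .changes files, e.g. `* 0010-CVE-2025-24528.patch (fixed upstream, CVE-2025-24528)`. The same applies to `0009-Fix-three-memory-leaks.patch` and to the matching `@@ -42,9 +42,7 @@` hunk in krb5.spec.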
@@ -21,13 +21,13 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: krb5 -Version: 1.21.3 +Version: 1.22.1 Release: 0 Summary: MIT Kerberos5 implementation License: MIT URL: https://kerberos.org/dist/ -Source0: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz -Source1: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz.asc +Source0: https://kerberos.org/dist/krb5/1.22/krb5-%{version}.tar.gz +Source1: https://kerberos.org/dist/krb5/1.22/krb5-%{version}.tar.gz.asc Source2: krb5.keyring Source3: vendor-files.tar.bz2 Source4: baselibs.conf @@ -42,9 +42,7 @@ Patch6: 0006-krb5-1.12-api.patch Patch7: 0007-SELinux-integration.patch Patch8: 0008-krb5-1.9-debuginfo.patch -Patch9: 0009-Fix-three-memory-leaks.patch -Patch10: 0010-CVE-2025-24528.patch -Patch11: 0011_usr_etc.patch +Patch9: 0009-UsrEtc-support.patch BuildRequires: autoconf BuildRequires: bison BuildRequires: cyrus-sasl-devel @@ -176,6 +174,7 @@ SS_LIB="-lss" \ --sysconfdir=%{_sysconfdir} \ %if 0%{?suse_version} > 1500 + --enable-vendordir \ --with-vendordir=%{_distconfdir} \ %endif --mandir=%{_mandir} \ ++++++ 0001-ksu-pam-integration.patch ++++++ --- /var/tmp/diff_new_pack.DaZfLU/_old 2025-12-09 12:47:23.828445557 +0100 +++ /var/tmp/diff_new_pack.DaZfLU/_new 2025-12-09 12:47:23.836445895 +0100 @@ -1,7 +1,7 @@ -From cb49731c07ee57f64bd5a93a182446bc834b9057 Mon Sep 17 00:00:00 2001 +From c9ba1af2540cd00b700a7db6ff3f7a0e507cb6b8 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <[email protected]> Date: Tue, 23 Aug 2016 16:29:58 -0400 -Subject: [PATCH 1/8] ksu pam integration +Subject: [PATCH 1/9] ksu pam integration Modify ksu so that it performs account and session management on behalf of the target user account, mimicking the action of regular su. The default @@ -30,10 +30,10 @@ create mode 100644 src/clients/ksu/pam.h diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 024d6370c..43eed3b87 100644 +index 7397bdcc2..3b3be926b 100644 --- a/src/aclocal.m4 
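Review bot: `--enable-vendordir` is added next to `--with-vendordir=%{_distconfdir}` in the `@@ -176,6 +174,7 @@` hunk of krb5.spec only; no matching hunk for krb5-mini.spec is visible in this diff. Both spec files apply `0009-UsrEtc-support.patch`, whose header says it now adds `--enable-vendordir`, so if krb5-mini's configure call also passes `--with-vendordir` it may end up built without the vendor-directory fallback. The two packages would then resolve krb5.conf differently. Please confirm krb5-mini.spec and, if it is affected, add the same `--enable-vendordir \` line there. The configure invocation starts and ends outside the hunk.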
+++ b/src/aclocal.m4 -@@ -1677,3 +1677,71 @@ if test "$with_ldap" = yes; then +@@ -1413,3 +1413,71 @@ if test "$with_ldap" = yes; then OPENLDAP_PLUGIN=yes fi ])dnl @@ -106,7 +106,7 @@ +AC_SUBST(NON_PAM_MAN) +])dnl diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in -index 8b4edce4d..9d58f29b5 100644 +index 9a892e665..5c9845c1f 100644 --- a/src/clients/ksu/Makefile.in +++ b/src/clients/ksu/Makefile.in @@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S).. @@ -144,7 +144,7 @@ clean: $(RM) ksu diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c -index af1286172..931f05404 100644 +index ca3981ea7..da029e877 100644 --- a/src/clients/ksu/main.c +++ b/src/clients/ksu/main.c @@ -26,6 +26,7 @@ @@ -174,7 +174,7 @@ /***********/ #define KS_TEMPORARY_CACHE "MEMORY:_ksu" -@@ -536,6 +542,23 @@ main (argc, argv) +@@ -523,6 +529,23 @@ main(int argc, char ** argv) prog_name,target_user,client_name, source_user,ontty()); @@ -198,7 +198,7 @@ /* Run authorization as target.*/ if (krb5_seteuid(target_uid)) { com_err(prog_name, errno, _("while switching to target for " -@@ -596,6 +619,24 @@ main (argc, argv) +@@ -583,6 +606,24 @@ main(int argc, char ** argv) exit(1); } @@ -223,7 +223,7 @@ } if( some_rest_copy){ -@@ -653,6 +694,30 @@ main (argc, argv) +@@ -640,6 +681,30 @@ main(int argc, char ** argv) exit(1); } @@ -254,7 +254,7 @@ /* set permissions */ if (setgid(target_pwd->pw_gid) < 0) { perror("ksu: setgid"); -@@ -750,7 +815,7 @@ main (argc, argv) +@@ -737,7 +802,7 @@ main(int argc, char ** argv) fprintf(stderr, "program to be execed %s\n",params[0]); } @@ -263,7 +263,7 @@ execv(params[0], params); com_err(prog_name, errno, _("while trying to execv %s"), params[0]); sweep_up(ksu_context, cc_target); -@@ -780,16 +845,35 @@ main (argc, argv) +@@ -767,16 +832,35 @@ main(int argc, char ** argv) if (ret_pid == -1) { com_err(prog_name, errno, _("while calling waitpid")); } 
@@ -271,7 +271,7 @@ + if( !keep_target_cache ) { + sweep_up(ksu_context, cc_target); + } - exit (statusp); + exit (WIFEXITED(statusp) ? WEXITSTATUS(statusp) : 1); case -1: com_err(prog_name, errno, _("while trying to fork.")); sweep_up(ksu_context, cc_target); @@ -759,10 +759,10 @@ +void appl_pam_cleanup(void); +#endif diff --git a/src/configure.ac b/src/configure.ac -index 4eb080784..693f76a81 100644 +index 4325fae99..969d05fff 100644 --- a/src/configure.ac +++ b/src/configure.ac -@@ -1389,6 +1389,8 @@ AC_SUBST([VERTO_VERSION]) +@@ -1407,6 +1407,8 @@ AC_SUBST([VERTO_VERSION]) AC_PATH_PROG(GROFF, groff) @@ -772,6 +772,6 @@ if test "${localedir+set}" != set; then localedir='$(datadir)/locale' -- -2.30.0 +2.51.0 ++++++ 0002-krb5-1.9-manpaths.patch ++++++ --- /var/tmp/diff_new_pack.DaZfLU/_old 2025-12-09 12:47:23.848446402 +0100 +++ /var/tmp/diff_new_pack.DaZfLU/_new 2025-12-09 12:47:23.852446571 +0100 @@ -1,7 +1,7 @@ -From 852d6a0d81b21673bdcb80ff13bf60dd5a416dd4 Mon Sep 17 00:00:00 2001 +From c79a302c3ddf91ef9b389be3bab47abf4261e2e3 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <[email protected]> Date: Mon, 14 Jan 2019 13:06:55 +0100 -Subject: [PATCH 2/8] krb5-1.9-manpaths +Subject: [PATCH 2/9] krb5-1.9-manpaths Import krb5-1.9-manpaths.dif 
@@ -13,17 +13,20 @@ src/man/kpropd.man | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -Index: krb5-1.19.3/src/man/kpropd.man -=================================================================== ---- krb5-1.19.3.orig/src/man/kpropd.man -+++ krb5-1.19.3/src/man/kpropd.man -@@ -68,7 +68,7 @@ the \fB/etc/inetd.conf\fP file which loo +diff --git a/src/man/kpropd.man b/src/man/kpropd.man +index b1caad000..9bfa7be94 100644 +--- a/src/man/kpropd.man ++++ b/src/man/kpropd.man +@@ -67,7 +67,7 @@ the \fB/etc/inetd.conf\fP file which looks like this: + .INDENT 3.5 .sp - .nf - .ft C + .EX -kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd +kprop stream tcp nowait root @SBINDIR@/kpropd kpropd - .ft P - .fi + .EE .UNINDENT + .UNINDENT +-- +2.51.0 + ++++++ 0003-Adjust-build-configuration.patch ++++++ --- /var/tmp/diff_new_pack.DaZfLU/_old 2025-12-09 12:47:23.872447417 +0100 +++ /var/tmp/diff_new_pack.DaZfLU/_new 2025-12-09 12:47:23.876447585 +0100 @@ -1,7 +1,7 @@ -From 48abdf7c7b28611c1135b35dfa23ac61899e80b2 Mon Sep 17 00:00:00 2001 +From 25aaa35ecfe65cf857ae2319c49602255684ca4d Mon Sep 17 00:00:00 2001 From: Robbie Harwood <[email protected]> Date: Tue, 23 Aug 2016 16:45:26 -0400 -Subject: [PATCH 3/8] Adjust build configuration +Subject: [PATCH 3/9] Adjust build configuration Build binaries in this package as RELRO PIEs, libraries as partial RELRO, and install shared libraries with the execute bit set on them. Prune out 
@@ -16,11 +16,11 @@ src/config/shlib.conf | 5 +++-- 3 files changed, 11 insertions(+), 3 deletions(-) -Index: krb5-1.19.3/src/build-tools/krb5-config.in -=================================================================== ---- krb5-1.19.3.orig/src/build-tools/krb5-config.in -+++ krb5-1.19.3/src/build-tools/krb5-config.in -@@ -224,6 +224,13 @@ if test -n "$do_libs"; then +diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in +index 2cb439887..9c6e55bf6 100755 +--- a/src/build-tools/krb5-config.in ++++ b/src/build-tools/krb5-config.in +@@ -222,6 +222,13 @@ if test -n "$do_libs"; then -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ -e 's#\$(CFLAGS)##'` @@ -34,11 +34,11 @@ if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 -Index: krb5-1.19.3/src/config/pre.in -=================================================================== ---- krb5-1.19.3.orig/src/config/pre.in -+++ krb5-1.19.3/src/config/pre.in -@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST +diff --git a/src/config/pre.in b/src/config/pre.in +index 1197c1ffd..a04b3890a 100644 +--- a/src/config/pre.in ++++ b/src/config/pre.in +@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP) INSTALL_SCRIPT=@INSTALL_PROGRAM@ INSTALL_DATA=@INSTALL_DATA@ INSTALL_SHLIB=@INSTALL_SHLIB@ 
@@ -47,20 +47,20 @@ ## This is needed because autoconf will sometimes define @exec_prefix@ to be ## ${prefix}. prefix=@prefix@ -Index: krb5-1.19.3/src/config/shlib.conf -=================================================================== ---- krb5-1.19.3.orig/src/config/shlib.conf -+++ krb5-1.19.3/src/config/shlib.conf -@@ -424,7 +424,7 @@ mips-*-netbsd*) +diff --git a/src/config/shlib.conf b/src/config/shlib.conf +index f838c2536..b5008ac7a 100644 +--- a/src/config/shlib.conf ++++ b/src/config/shlib.conf +@@ -273,7 +273,7 @@ mips-*-netbsd*) # Linux ld doesn't default to stuffing the SONAME field... # Use objdump -x to examine the fields of the library # UNDEF_CHECK is suppressed by --enable-asan -- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)' -+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro -Wl,--warn-shared-textrel' +- LDCOMBINE='$(CC) -shared -fPIC -Wl,-z,nodelete -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)' ++ LDCOMBINE='$(CC) -shared -fPIC -Wl,-z,nodelete -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro -Wl,--warn-shared-textrel' UNDEF_CHECK='-Wl,--no-undefined' # $(EXPORT_CHECK) runs export-check.pl when in maintainer mode. LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)' -@@ -436,7 +436,8 @@ mips-*-netbsd*) +@@ -285,7 +285,8 @@ mips-*-netbsd*) SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' PROFFLAGS=-pg PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' 
@@ -70,4 +70,7 @@ CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' +-- +2.51.0 + ++++++ 0004-krb5-1.6.3-gssapi_improve_errormessages.patch ++++++ --- /var/tmp/diff_new_pack.DaZfLU/_old 2025-12-09 12:47:23.896448431 +0100 +++ /var/tmp/diff_new_pack.DaZfLU/_new 2025-12-09 12:47:23.904448769 +0100 @@ -1,7 +1,7 @@ -From c1b8aa3d8546453544fd659ef18b96709eb88e54 Mon Sep 17 00:00:00 2001 +From b1a1a178c86a03a0059d4f3fd57b8d94dc24ecc2 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <[email protected]> Date: Mon, 14 Jan 2019 13:09:05 +0100 -Subject: [PATCH 4/8] krb5-1.6.3-gssapi_improve_errormessages +Subject: [PATCH 4/9] krb5-1.6.3-gssapi_improve_errormessages Import krb5-1.6.3-gssapi_improve_errormessages.dif --- @@ -22,6 +22,6 @@ *minor_status = ENOMEM; return(GSS_S_FAILURE); -- -2.25.0 +2.51.0 ++++++ 0005-krb5-1.6.3-ktutil-manpage.patch ++++++ --- /var/tmp/diff_new_pack.DaZfLU/_old 2025-12-09 12:47:23.920449445 +0100 +++ /var/tmp/diff_new_pack.DaZfLU/_new 2025-12-09 12:47:23.924449614 +0100 @@ -1,20 +1,20 @@ -From 2a5b2877495384bbe5db8f3b66ac342f83cd45dc Mon Sep 17 00:00:00 2001 +From 75806e167e2ee2b9334b049ac9829fd76db2e65b Mon Sep 17 00:00:00 2001 
From: Samuel Cabrero <[email protected]> Date: Mon, 14 Jan 2019 13:14:47 +0100 -Subject: [PATCH 5/8] krb5-1.6.3-ktutil-manpage +Subject: [PATCH 5/9] krb5-1.6.3-ktutil-manpage Import krb5-1.6.3-ktutil-manpage.dif --- src/man/ktutil.man | 12 ++++++++++++ 1 file changed, 12 insertions(+) -Index: krb5-1.19.3/src/man/ktutil.man -=================================================================== ---- krb5-1.19.3.orig/src/man/ktutil.man -+++ krb5-1.19.3/src/man/ktutil.man -@@ -153,6 +153,18 @@ ktutil: +diff --git a/src/man/ktutil.man b/src/man/ktutil.man +index 8e4ec8377..06aaa6635 100644 +--- a/src/man/ktutil.man ++++ b/src/man/ktutil.man +@@ -151,6 +151,18 @@ ktutil: .sp - See kerberos(7) for a description of Kerberos environment + See \fI\%kerberos\fP for a description of Kerberos environment variables. +.SH REMARKS +Changes to the keytab are appended to the keytab file (i.e., the keytab file @@ -30,5 +30,8 @@ +# mv /tmp/krb5.newtab /etc/krb5.keytab .SH SEE ALSO .sp - kadmin(1), kdb5_util(8), kerberos(7) + \fI\%kadmin\fP, \fI\%kdb5_util\fP, \fI\%kerberos\fP +-- +2.51.0 + ++++++ 0006-krb5-1.12-api.patch ++++++ --- /var/tmp/diff_new_pack.DaZfLU/_old 2025-12-09 12:47:23.940450291 +0100 +++ /var/tmp/diff_new_pack.DaZfLU/_new 2025-12-09 12:47:23.944450459 +0100 @@ -1,7 +1,7 @@ -From b8544a75b273008042fadf51f0b49c00617ff275 Mon Sep 17 00:00:00 2001 +From 3938177c375ed9db1693651546e9d0cc345377f5 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <[email protected]> Date: Mon, 14 Jan 2019 13:15:50 +0100 -Subject: [PATCH 6/8] krb5-1.12-api +Subject: [PATCH 6/9] krb5-1.12-api Import krb5-1.12-api.patch @@ -38,6 +38,6 @@ /* Treat UPNs as if they were real principals */ if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) { -- -2.25.0 +2.51.0 ++++++ 0007-SELinux-integration.patch ++++++ --- /var/tmp/diff_new_pack.DaZfLU/_old 2025-12-09 12:47:23.960451136 +0100 +++ /var/tmp/diff_new_pack.DaZfLU/_new 2025-12-09 12:47:23.968451474 +0100 
@@ -1,7 +1,7 @@ -From cc329567eec2ab99f2dd883b2d48b069054d85b5 Mon Sep 17 00:00:00 2001 +From ca713cfac29cd557bb8247d6629aa5d5abc9d6b2 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <[email protected]> Date: Tue, 23 Aug 2016 16:30:53 -0400 -Subject: [PATCH] SELinux integration +Subject: [PATCH 7/9] SELinux integration SELinux bases access to files on the domain of the requesting process, the operation being performed, and the context applied to the file. @@ -69,7 +69,7 @@ create mode 100644 src/util/support/selinux.c diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index baec309ae..b09c74b1b 100644 +index 3b3be926b..e61826542 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 @@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag) @@ -80,7 +80,7 @@ KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1526,3 +1527,51 @@ AC_SUBST(PAM_LIBS) +@@ -1481,3 +1482,51 @@ AC_SUBST(PAM_LIBS) AC_SUBST(PAM_MAN) AC_SUBST(NON_PAM_MAN) ])dnl @@ -133,52 +133,52 @@ +AC_SUBST(SELINUX_LIBS) +])dnl diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in -index f153aeb1c..c2f13f38c 100755 +index 9c6e55bf6..c484f5340 100755 --- a/src/build-tools/krb5-config.in +++ b/src/build-tools/krb5-config.in -@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' +@@ -40,6 +40,7 @@ DL_LIB='@DL_LIB@' DEFCCNAME='@DEFCCNAME@' DEFKTNAME='@DEFKTNAME@' DEFCKTNAME='@DEFCKTNAME@' +SELINUX_LIBS='@SELINUX_LIBS@' LIBS='@LIBS@' - GEN_LIB=@GEN_LIB@ -@@ -261,7 +262,7 @@ if test -n "$do_libs"; then + +@@ -259,7 +260,7 @@ if test -n "$do_libs"; then fi # If we ever support a flag to generate output suitable for static -- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" -+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" - # here. +- # linking, we would output "-lkrb5support $LIBS $DL_LIB" here. ++ # linking, we would output "-lkrb5support $LIBS $SELINUX_LIBS $DL_LIB" here. echo $lib_flags + fi 
diff --git a/src/config/pre.in b/src/config/pre.in -index c96d7c1f4..290f06cc2 100644 +index a04b3890a..0676e11c2 100644 --- a/src/config/pre.in +++ b/src/config/pre.in -@@ -177,6 +177,7 @@ LD = $(PURE) @LD@ - KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include +@@ -178,6 +178,7 @@ KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include LDFLAGS = @LDFLAGS@ LIBS = @LIBS@ + FUZZ_LDFLAGS = @FUZZ_LDFLAGS@ +SELINUX_LIBS=@SELINUX_LIBS@ INSTALL=@INSTALL@ INSTALL_STRIP= -@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) +@@ -377,7 +378,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) # HESIOD_LIBS is -lhesiod... HESIOD_LIBS = @HESIOD_LIBS@ --KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB) -+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB) +-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(LIBS) $(DL_LIB) ++KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB) KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on macOS! diff --git a/src/configure.ac b/src/configure.ac -index aa970b044..40545f2bf 100644 +index 969d05fff..53936759e 100644 --- a/src/configure.ac +++ b/src/configure.ac -@@ -1402,6 +1402,8 @@ AC_PATH_PROG(GROFF, groff) +@@ -1409,6 +1409,8 @@ AC_PATH_PROG(GROFF, groff) KRB5_WITH_PAM @@ -188,7 +188,7 @@ if test "${localedir+set}" != set; then localedir='$(datadir)/locale' diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 44dc1eeb3..c3aecba7d 100644 +index cfd2cc939..bc2a0a3f6 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -128,6 +128,7 @@ typedef unsigned char u_char; @@ -238,10 +238,10 @@ +#endif +#endif diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index c0194c3c9..7e1dea2cb 100644 +index b5d295f33..0225ad37c 100644 --- a/src/include/krb5/krb5.hin 
+++ b/src/include/krb5/krb5.hin -@@ -87,6 +87,12 @@ +@@ -83,6 +83,12 @@ #define THREEPARAMOPEN(x,y,z) open(x,y,z) #endif @@ -255,10 +255,10 @@ #include <stdlib.h> diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c -index a89b5144f..4d6cc0bdf 100644 +index e45551a20..cd32ebdaf 100644 --- a/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c -@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) +@@ -134,12 +134,21 @@ create_ofile(char *ofile, char **tmpname) { int fd = -1; FILE *f; @@ -280,7 +280,7 @@ if (fd == -1) goto error; -@@ -197,7 +206,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd_out) +@@ -183,7 +192,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd_out) goto cleanup; } @@ -290,23 +290,23 @@ com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); goto cleanup; diff --git a/src/kdc/main.c b/src/kdc/main.c -index 38b929906..085afc922 100644 +index 105276601..f48d60a77 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c -@@ -848,7 +848,7 @@ write_pid_file(const char *path) - FILE *file; +@@ -837,7 +837,7 @@ write_pid_file(const char *path) unsigned long pid; + int st1, st2; - file = fopen(path, "w"); + file = WRITABLEFOPEN(path, "w"); if (file == NULL) return errno; - pid = (unsigned long) getpid(); + pid = (unsigned long)getpid(); diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c -index f2341d720..ffdac9f39 100644 +index 4b3675264..296ca2bb7 100644 --- a/src/kprop/kpropd.c +++ b/src/kprop/kpropd.c -@@ -488,6 +488,9 @@ doit(int fd) +@@ -489,6 +489,9 @@ doit(int fd) krb5_enctype etype; int database_fd; char host[INET6_ADDRSTRLEN + 1]; @@ -316,7 +316,7 @@ signal_wrapper(SIGALRM, alarm_handler); alarm(params.iprop_resync_timeout); -@@ -543,9 +546,15 @@ doit(int fd) +@@ -544,9 +547,15 @@ doit(int fd) free(name); exit(1); } @@ -333,10 +333,10 @@ KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); if (retval) { 
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c -index c6885edf2..9aec3c05e 100644 +index e14da5379..b879a4049 100644 --- a/src/lib/kadm5/logger.c +++ b/src/lib/kadm5/logger.c -@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do +@@ -310,7 +310,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do */ append = (cp[4] == ':') ? O_APPEND : 0; if (append || cp[4] == '=') { @@ -345,7 +345,7 @@ S_IRUSR | S_IWUSR | S_IRGRP); if (fd != -1) f = fdopen(fd, append ? "a" : "w"); -@@ -776,7 +776,7 @@ krb5_klog_reopen(krb5_context kcontext) +@@ -777,7 +777,7 @@ krb5_klog_reopen(krb5_context kcontext) * In case the old logfile did not get moved out of the * way, open for append to prevent squashing the old logs. */ @@ -355,10 +355,10 @@ set_cloexec_file(f); log_control.log_entries[lindex].lfu_filep = f; diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c -index 2659a2501..e9b95fce5 100644 +index b840eec9a..419beab9e 100644 --- a/src/lib/kdb/kdb_log.c +++ b/src/lib/kdb/kdb_log.c -@@ -480,7 +480,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) +@@ -512,7 +512,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) return ENOMEM; if (stat(logname, &st) == -1) { @@ -418,10 +418,10 @@ _("Credential cache directory %s does not exist"), dirname); diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c -index e510211fc..f3ea28c8e 100644 +index 993f902c7..8fd150511 100644 --- a/src/lib/krb5/keytab/kt_file.c +++ b/src/lib/krb5/keytab/kt_file.c -@@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) +@@ -736,14 +736,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) KTCHECKLOCK(id); errno = 0; @@ -439,10 +439,10 @@ goto report_errno; writevno = 1; 
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c -index 3369fc4ba..95f82cda0 100644 +index 89699f7df..9c7d7dad6 100644 --- a/src/lib/krb5/os/trace.c +++ b/src/lib/krb5/os/trace.c -@@ -459,7 +459,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) +@@ -455,7 +455,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) fd = malloc(sizeof(*fd)); if (fd == NULL) return ENOMEM; @@ -452,7 +452,7 @@ free(fd); return errno; diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c -index 7db30a33b..2b9d01921 100644 +index 9a506e9d4..f92ab4714 100644 --- a/src/plugins/kdb/db2/adb_openclose.c +++ b/src/plugins/kdb/db2/adb_openclose.c @@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename, @@ -465,7 +465,7 @@ * maybe someone took away write permission so we could only * get shared locks? diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c -index 2c163d91c..9a344a603 100644 +index 381228e6d..eb8610b2a 100644 --- a/src/plugins/kdb/db2/kdb_db2.c +++ b/src/plugins/kdb/db2/kdb_db2.c @@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc) @@ -480,7 +480,7 @@ retval = errno; goto cleanup; diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c -index 2977b17f3..d5809a5a9 100644 +index 56bab1941..ef7515c3d 100644 --- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c +++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c @@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95"; @@ -491,7 +491,7 @@ #include "db-int.h" #include "btree.h" -@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags) +@@ -201,7 +202,7 @@ __bt_open(const char *fname, int flags, int mode, const BTREEINFO *openinfo, goto einval; } @@ -501,7 +501,7 @@ } else { 
diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c -index 862dbb164..686a960c9 100644 +index 7c3e951aa..9528b6253 100644 --- a/src/plugins/kdb/db2/libdb2/hash/hash.c +++ b/src/plugins/kdb/db2/libdb2/hash/hash.c @@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95"; @@ -512,7 +512,7 @@ #include "db-int.h" #include "hash.h" #include "page.h" -@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags) +@@ -127,7 +128,7 @@ __kdb2_hash_open(const char *file, int flags, int mode, const HASHINFO *info, new_table = 1; } if (file) { @@ -522,7 +522,7 @@ (void)fcntl(hashp->fp, F_SETFD, 1); } diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c -index d8b26e701..b0daa7c02 100644 +index acbf03d9d..de3fc3f4d 100644 --- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c +++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c @@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94"; @@ -533,7 +533,7 @@ #include "db-int.h" #include "recno.h" -@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags) +@@ -66,7 +67,8 @@ __rec_open(const char *fname, int flags, int mode, const RECNOINFO *openinfo, int rfd = -1, sverrno; /* Open the user's file -- if this fails, we're done. */ @@ -581,7 +581,7 @@ if (newfile == NULL) { com_err(me, errno, _("Error creating file %s"), tmp_file); diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c -index aa951df05..79f9500f6 100644 +index 8b0b2bb44..9468e317b 100644 --- a/src/util/profile/prof_file.c +++ b/src/util/profile/prof_file.c @@ -33,6 +33,7 @@ @@ -592,7 +592,7 @@ struct global_shared_profile_data { /* This is the head of the global list of shared trees */ -@@ -391,7 +392,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile, +@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile, errno = 0; 
@@ -602,10 +602,10 @@ retval = errno; if (retval == 0) diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in -index 86d5a950a..1052d53a1 100644 +index b9cd70dac..6705681df 100644 --- a/src/util/support/Makefile.in +++ b/src/util/support/Makefile.in -@@ -74,6 +74,7 @@ IPC_SYMS= \ +@@ -79,6 +79,7 @@ IPC_SYMS= \ STLIBOBJS= \ threads.o \ @@ -613,7 +613,7 @@ init-addrinfo.o \ plugins.o \ errors.o \ -@@ -168,7 +169,7 @@ SRCS=\ +@@ -176,7 +177,7 @@ SRCS=\ SHLIB_EXPDEPS = # Add -lm if dumping thread stats, for sqrt. @@ -1034,6 +1034,6 @@ + +#endif /* USE_SELINUX */ -- -2.39.2 +2.51.0 ++++++ 0008-krb5-1.9-debuginfo.patch ++++++ --- /var/tmp/diff_new_pack.DaZfLU/_old 2025-12-09 12:47:23.992452488 +0100 +++ /var/tmp/diff_new_pack.DaZfLU/_new 2025-12-09 12:47:23.996452658 +0100 @@ -1,7 +1,7 @@ -From f079a7f765dc76eb01ba80fb7214ee0d25116e59 Mon Sep 17 00:00:00 2001 +From 48f6d3981f4c1231c6357c41371a682c5277cdc4 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <[email protected]> Date: Mon, 14 Jan 2019 13:18:16 +0100 -Subject: [PATCH 8/8] krb5-1.9-debuginfo +Subject: [PATCH 8/9] krb5-1.9-debuginfo Import krb5-1.9-debuginfo.patch @@ -40,6 +40,6 @@ install: $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) -- -2.25.0 +2.51.0 ++++++ 0009-UsrEtc-support.patch ++++++ >From 4d138d9b4393ba1e38a0e8a02daf504adc549feb Mon Sep 17 00:00:00 2001 
From: Stefan Schubert <[email protected]> Date: Fri, 29 Aug 2025 20:29:04 +0200 Subject: [PATCH] UsrEtc support [[email protected]: Amend to fix memory leak in os_get_default_config_files()] [[email protected]: Add --enable-vendordir, simplify configure.ac] [[email protected]: Fix typo] --- doc/admin/conf_files/krb5_conf.rst | 14 ++++++++++++-- doc/conf.py | 5 ++++- src/configure.ac | 25 +++++++++++++++++++++++++ src/doc/Makefile.in | 23 +++++++++++++++++++---- src/include/Makefile.in | 4 +++- src/include/osconf.hin | 4 ++++ src/lib/krb5/os/init_os_ctx.c | 22 +++++++++++++++++++++- src/man/Makefile.in | 9 ++++++++- 8 files changed, 96 insertions(+), 10 deletions(-) diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index e0c7a6330..a169b6e36 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -7,8 +7,14 @@ The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. -Normally, you should install your krb5.conf file in the directory -``/etc``. You can override the default location by setting the +Normally, you should install your individual krb5.conf file in the directory +``/etc``. + +.. only:: use_vendordir + If there is no individual one the dafault one |vendorkrb5conf| will + be taken. + +You can override the default location by setting the environment variable **KRB5_CONFIG**. Multiple colon-separated filenames may be specified in **KRB5_CONFIG**; all files which are present will be read. Starting in release 1.14, directory names can @@ -1271,6 +1277,10 @@ FILES |krb5conf| +.. only:: use_vendordir + + |vendorkrb5conf| if |krb5conf| is not there. + SEE ALSO -------- diff --git a/doc/conf.py b/doc/conf.py index 60835e936..88eee1d60 100644 --- a/doc/conf.py +++ b/doc/conf.py 
@@ -239,6 +239,7 @@ if 'mansubs' in tags: localstatedir = '``@LOCALSTATEDIR@``' runstatedir = '``@RUNSTATEDIR@``' sysconfdir = '``@SYSCONFDIR@``' + vendordir = '``@VENDORDIR@``' ccache = '``@CCNAME@``' keytab = '``@KTNAME@``' ckeytab = '``@CKTNAME@``' @@ -253,6 +254,7 @@ else: localstatedir = ':ref:`LOCALSTATEDIR <paths>`' runstatedir = ':ref:`RUNSTATEDIR <paths>`' sysconfdir = ':ref:`SYSCONFDIR <paths>`' + vendordir = ':ref:`VENDORDIR <paths>`' ccache = ':ref:`DEFCCNAME <paths>`' keytab = ':ref:`DEFKTNAME <paths>`' ckeytab = ':ref:`DEFCKTNAME <paths>`' @@ -278,8 +280,9 @@ else: rst_epilog += '.. |keytab| replace:: %s\n' % keytab rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname + rst_epilog += '.. |vendorkrb5conf| replace:: %s/krb5.conf\n' % vendordir + rst_epilog += '.. |krb5conf| replace:: %s/krb5.conf\n' % sysconfdir rst_epilog += ''' -.. |krb5conf| replace:: ``/etc/krb5.conf`` .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`` .. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac`` .. |defmkey| replace:: ``aes256-cts-hmac-sha1-96`` diff --git a/src/configure.ac b/src/configure.ac index 53936759e..d8a902a6f 100644 --- a/src/configure.ac +++ b/src/configure.ac 
@@ -1451,6 +1451,31 @@ fi AC_SUBST(OSX) AC_SUBST(MACOS_FRAMEWORK) +# Vendordir +AC_ARG_WITH([vendordir], + AS_HELP_STRING([--with-vendordir=DIR], [Directory for distribution provided configuration files]), + [ + case $with_vendordir in + /*) + ;; + *) + AC_MSG_ERROR(You must specify an absolute path to --with-vendordir=DIR) + ;; + esac + VENDORDIR="$with_vendordir" + ], + [ VENDORDIR="/usr/etc" ]) +AC_DEFINE_UNQUOTED(VENDORDIR, ["$VENDORDIR"], [Location of vendor configuration files]) +AC_SUBST(VENDORDIR) + +AC_ARG_ENABLE([vendordir], + [AS_HELP_STRING([--enable-vendordir], [Enable support for distribution provided configuration files])], + [], [enable_vendordir=no]) +if test "$enable_vendordir" != no; then + AC_DEFINE(USE_VENDORDIR, 1, [Define if distribution provided configuration files should be used.]) + AC_MSG_NOTICE([Used vendor dir: $VENDORDIR]) +fi + # Build-time default ccache, keytab, and client keytab names. These # can be given as variable arguments DEFCCNAME, DEFKTNAME, and # DEFCKTNAME. Otherwise, we try to get the OS defaults from diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in index a1b0cff0a..d0c8a66cf 100644 --- a/src/doc/Makefile.in +++ b/src/doc/Makefile.in @@ -11,6 +11,8 @@ DEFCCNAME=@DEFCCNAME@ DEFKTNAME=@DEFKTNAME@ DEFCKTNAME=@DEFCKTNAME@ PKCS11_MODNAME=@PKCS11_MODNAME@ +VENDORDIR=@VENDORDIR@ +USE_VENDORDIR=@USE_VENDORDIR@ RST_SOURCES= _static \ _templates \ @@ -43,7 +45,11 @@ LATEXOPTS= # make -f Makefile.in SPHINX_ARGS= htmlsrc html: composite rm -rf $(docsrc)/html - $(SPHINX_BUILD) -q rst_composite $(docsrc)/html + if test "$(USE_VENDORDIR)" == "1" ; then \ + $(SPHINX_BUILD) -q rst_composite -t use_vendordir $(docsrc)/html; \ + else \ + $(SPHINX_BUILD) -q rst_composite $(docsrc)/html; \ + fi # Dummy target for use in an unconfigured source tree. htmlsrc: 
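Review bot: `USE_VENDORDIR` is only passed to `AC_DEFINE` in the `--enable-vendordir` block, so unless it is substituted somewhere outside this patch, the `USE_VENDORDIR=@USE_VENDORDIR@` lines added to src/doc/Makefile.in and src/man/Makefile.in keep the literal placeholder and their `test "$(USE_VENDORDIR)" ...` guards never select the `-t use_vendordir` branch. The library would then fall back to the vendor file while the generated documentation never mentions it. Setting `USE_VENDORDIR=1` inside the `if` and adding `AC_SUBST(USE_VENDORDIR)` after the `fi` would make the two agree. As a style point, the message passed to `AC_MSG_ERROR` should be quoted with `[...]` like the other macro arguments in the hunk.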
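Review bot: The guard `test "$(USE_VENDORDIR)" == "1"` added to the `html` recipe uses `==`, which POSIX `test` does not define. When the recipe shell is not bash (dash, for example), the comparison reports an error and the `else` branch runs, so the `use_vendordir` tag is dropped without the build failing. The portable form is `if test "$(USE_VENDORDIR)" = "1" ; then \`. The same comparison is repeated in the `substhtml` and `notice.txt` recipes in the next hunk and in the `man` recipe of src/man/Makefile.in.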
@@ -55,17 +61,25 @@ htmlsrc: substhtml: composite paths.py rm -rf html_subst cp paths.py rst_composite - $(SPHINX_BUILD) -t pathsubs -q rst_composite html_subst + if test "$(USE_VENDORDIR)" == "1" ; then \ + $(SPHINX_BUILD) -t pathsubs -q -t use_vendordir rst_composite html_subst; \ + else \ + $(SPHINX_BUILD) -t pathsubs -q rst_composite html_subst; \ + fi # Create an ASCII (okay, UTF-8) version of the NOTICE file notice.txt: $(docsrc)/conf.py $(docsrc)/notice.rst $(docsrc)/version.py - $(SPHINX_BUILD) -b text -t notice -q $(docsrc) . + if test "$(USE_VENDORDIR)" == "1" ; then \ + $(SPHINX_BUILD) -b text -t notice -t use_vendordir -q $(docsrc) .; \ + else \ + $(SPHINX_BUILD) -b text -t notice -q $(docsrc) .; \ + fi NOTICE: notice.txt cp notice.txt $(top_srcdir)/../NOTICE $(PDFDIR): composite - $(SPHINX_BUILD) -b latex -q rst_composite $(PDFDIR) + $(SPHINX_BUILD) -b latex -q -t $(USEVENDORDIR) rst_composite $(PDFDIR) # sphinx-build generates a gmake-specific Makefile that we don't use mv $(PDFDIR)/Makefile $(PDFDIR)/GMakefile @@ -116,6 +130,7 @@ paths.py: echo 'localstatedir = "``$(localstatedir)``"' >> $@ echo 'runstatedir = "``$(runstatedir)``"' >> $@ echo 'sysconfdir = "``$(sysconfdir)``"' >> $@ + echo 'vendordir = "``$(VENDORDIR)``"' >> $@ echo 'ccache = "``$(DEFCCNAME)``"' >> $@ echo 'keytab = "``$(DEFKTNAME)``"' >> $@ echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@ diff --git a/src/include/Makefile.in b/src/include/Makefile.in index b9dd98e01..cf4aa0ad6 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -56,6 +56,7 @@ BINDIR = @bindir@ SBINDIR = @sbindir@ LIBDIR = @libdir@ SYSCONFCONF = @SYSCONFCONF@ +VENDORDIR = @VENDORDIR@ PROCESS_REPLACE = -e "s\"@KRB5RCTMPDIR\"$(KRB5RCTMPDIR)\"" \ -e "s\"@PREFIX\"$(INSTALL_PREFIX)\"" \ 
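Review bot: The `$(PDFDIR)` recipe passes `-t $(USEVENDORDIR)`, but the variable this patch defines is `USE_VENDORDIR`, so the reference expands to nothing and `-t` takes `rst_composite` as its tag name, leaving sphinx-build with the wrong source and output arguments. Even with the name corrected, the value would be `1` rather than the tag `use_vendordir`. The recipe should select the tag the same way the other targets in this hunk do, as sketched below with the portable `=` comparison.

```make
$(PDFDIR): composite
	if test "$(USE_VENDORDIR)" = "1" ; then \
		$(SPHINX_BUILD) -b latex -q -t use_vendordir rst_composite $(PDFDIR); \
	else \
		$(SPHINX_BUILD) -b latex -q rst_composite $(PDFDIR); \
	fi
	# … unchanged: rename of the generated Makefile to GMakefile …
```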
@@ -69,7 +70,8 @@ PROCESS_REPLACE = -e "s\"@KRB5RCTMPDIR\"$(KRB5RCTMPDIR)\"" \ -e "s\"@RUNSTATEDIR\"$(RUNSTATEDIR)\"" \ -e "s\"@SYSCONFDIR\"$(SYSCONFDIR)\"" \ -e "s\"@DYNOBJEXT\"$(DYNOBJEXT)\"" \ - -e "s\"@SYSCONFCONF\"$(SYSCONFCONF)\"" + -e "s\"@SYSCONFCONF\"$(SYSCONFCONF)\"" \ + -e "s\"@VENDORDIR\"$(VENDORDIR)\"" OSCONFSRC = $(srcdir)/osconf.hin diff --git a/src/include/osconf.hin b/src/include/osconf.hin index c14297535..bad43f116 100644 --- a/src/include/osconf.hin +++ b/src/include/osconf.hin @@ -52,6 +52,10 @@ #else #define DEFAULT_SECURE_PROFILE_PATH "/etc/krb5.conf@SYSCONFCONF" #define DEFAULT_PROFILE_PATH DEFAULT_SECURE_PROFILE_PATH +#if defined(USE_VENDORDIR) +#define DEFAULT_VENDOR_SECURE_PROFILE_PATH "@VENDORDIR/krb5.conf" +#define DEFAULT_VENDOR_PROFILE_PATH DEFAULT_VENDOR_SECURE_PROFILE_PATH +#endif /* USE_VENDORDIR */ #endif #endif /* _WINDOWS */ diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c index c35007888..f1ef638fc 100644 --- a/src/lib/krb5/os/init_os_ctx.c +++ b/src/lib/krb5/os/init_os_ctx.c @@ -30,6 +30,10 @@ #include "os-proto.h" #include "../krb/int-proto.h" +#ifdef USE_VENDORDIR +#include <sys/stat.h> +#endif + #if defined(_WIN32) #include <winsock.h> #include <Shlobj.h> @@ -294,11 +298,27 @@ os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure) unsigned int ent_len; const char *s, *t; +#ifdef USE_VENDORDIR + struct stat stats = { 0 }; +#endif /* USE_VENDORDIR */ + if (secure) { filepath = DEFAULT_SECURE_PROFILE_PATH; +#ifdef USE_VENDORDIR + if (stat(filepath, &stats) < 0) { + filepath = DEFAULT_VENDOR_SECURE_PROFILE_PATH; + } +#endif /* USE_VENDORDIR */ } else { filepath = secure_getenv("KRB5_CONFIG"); - if (!filepath) filepath = DEFAULT_PROFILE_PATH; + if (!filepath) { + filepath = DEFAULT_PROFILE_PATH; +#ifdef USE_VENDORDIR + if (stat(filepath, &stats) < 0) { + filepath = DEFAULT_VENDOR_PROFILE_PATH; + } +#endif /* USE_VENDORDIR */ + } } /* count the distinct filename components */ 
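Review bot: Both added `stat(filepath, &stats) < 0` checks in `os_get_default_config_files()` switch to the vendor file on any stat failure, not only when the file is absent. A permission or I/O error on the administrator's krb5.conf therefore silently swaps in the vendor configuration, including on the `secure` path. Restricting the fallback to a missing file, `if (stat(filepath, &stats) < 0 && errno == ENOENT) {`, leaves other errors to surface when the file is opened later. The default path is also defined in osconf.hin as `"/etc/krb5.conf@SYSCONFCONF"` and is split into filename components right after this hunk, so if `@SYSCONFCONF` adds a further entry the stat of the whole string presumably always fails and the vendor file always wins; checking only the first component would avoid that. The function body continues outside the hunk.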
diff --git a/src/man/Makefile.in b/src/man/Makefile.in index 85cae0914..9f7ccaffa 100644 --- a/src/man/Makefile.in +++ b/src/man/Makefile.in @@ -9,6 +9,8 @@ DEFCCNAME=@DEFCCNAME@ DEFKTNAME=@DEFKTNAME@ DEFCKTNAME=@DEFCKTNAME@ PKCS11_MODNAME=@PKCS11_MODNAME@ +vendordir=@VENDORDIR@ +USE_VENDORDIR=@USE_VENDORDIR@ MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \ kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \ @@ -26,7 +28,11 @@ docsrc=$(top_srcdir)/../doc # manpage writer outputs near the end of its output files. man: $(docsrc)/version.py rm -rf rst_man - $(SPHINX_BUILD) -q -t mansubs -b man $(docsrc) rst_man + if test "$(USE_VENDORDIR)" == "1" ; then \ + $(SPHINX_BUILD) -q -t mansubs -t use_vendordir -b man $(docsrc) rst_man; \ + else \ + $(SPHINX_BUILD) -q -t mansubs -b man $(docsrc) rst_man; \ + fi for f in rst_man/*.[0-9]; do \ name=`echo $$f | sed -e 's|^.*/\(.*\)\.[0-9]$$|\1|'`; \ sed -e '/^\.\\" $$/d' \ @@ -46,6 +52,7 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h -e 's|@LOCALSTATEDIR@|$(localstatedir)|g' \ -e 's|@RUNSTATEDIR@|$(runstatedir)|g' \ -e 's|@SYSCONFDIR@|$(sysconfdir)|g' \ + -e 's|@VENDOR_DIR@|$(vendordir)|g' \ -e 's|@CCNAME@|$(DEFCCNAME)|g' \ -e 's|@KTNAME@|$(DEFKTNAME)|g' \ -e 's|@CKTNAME@|$(DEFCKTNAME)|g' \ -- 2.52.0 ++++++ krb5-1.21.3.tar.gz -> krb5-1.22.1.tar.gz ++++++ /work/SRC/openSUSE:Factory/krb5/krb5-1.21.3.tar.gz /work/SRC/openSUSE:Factory/.krb5.new.1939/krb5-1.22.1.tar.gz differ: char 13, line 1
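Review bot: The sed expression added in the last hunk of src/man/Makefile.in replaces `@VENDOR_DIR@`, but the `mansubs` branch of doc/conf.py in this same patch emits the placeholder as `@VENDORDIR@`. With that mismatch the substitution never matches and the installed man pages would keep the unexpanded placeholder where `|vendorkrb5conf|` is used. The line should read `-e 's|@VENDORDIR@|$(vendordir)|g' \`. The enclosing recipe starts outside the hunk.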
