aboutsummaryrefslogtreecommitdiffstats
path: root/security/krb5/files
diff options
context:
space:
mode:
authorcy <cy@FreeBSD.org>2007-04-05 05:12:17 +0800
committercy <cy@FreeBSD.org>2007-04-05 05:12:17 +0800
commitb94faf1cbd3018a54728cac091540dd9b94b39f9 (patch)
tree5516d01e07c1d9509f8adb5d03395a3b88df7766 /security/krb5/files
parent95bf82ea5be5047f7ed8e50215e27afb90fca916 (diff)
downloadfreebsd-ports-gnome-b94faf1cbd3018a54728cac091540dd9b94b39f9.tar.gz
freebsd-ports-gnome-b94faf1cbd3018a54728cac091540dd9b94b39f9.tar.zst
freebsd-ports-gnome-b94faf1cbd3018a54728cac091540dd9b94b39f9.zip
MIT KRB5 Security patches:
1. MIT krb5 Security Advisory 2007-001: Telnetd allows login as arbitrary user CVE: CVE-2007-0956 CERT: VU#220816 2. MIT krb5 Security Advisory 2007-002: KDC, kadmind stack overflow in krb5_klog_syslog CVE: CVE-2007-0957 CERT: VU#704024
Diffstat (limited to 'security/krb5/files')
-rw-r--r--security/krb5/files/patch-appl-telnet-telnetd-state.c12
-rw-r--r--security/krb5/files/patch-appl-telnet-telnetd-sys_term.c40
-rw-r--r--security/krb5/files/patch-kadmin-server-kadm_rpc_svc.c31
-rw-r--r--security/krb5/files/patch-kadmin-server-misc.c15
-rw-r--r--security/krb5/files/patch-kadmin-server-misc.h8
-rw-r--r--security/krb5/files/patch-kadmin-server-ovsec_kadmd.c55
-rw-r--r--security/krb5/files/patch-kadmin-server-schpw0
-rw-r--r--security/krb5/files/patch-kadmin-server-schpw.c26
-rw-r--r--security/krb5/files/patch-kadmin-server-schpw.c.c0
-rw-r--r--security/krb5/files/patch-kadmin-server-server_stubs.c608
-rw-r--r--security/krb5/files/patch-kdc-do_tgs_req.c65
-rw-r--r--security/krb5/files/patch-kdc-kdc_util.c10
-rw-r--r--security/krb5/files/patch-lib-kadm5-logger.c33
13 files changed, 903 insertions, 0 deletions
diff --git a/security/krb5/files/patch-appl-telnet-telnetd-state.c b/security/krb5/files/patch-appl-telnet-telnetd-state.c
new file mode 100644
index 000000000000..9a9b8f2b5d91
--- /dev/null
+++ b/security/krb5/files/patch-appl-telnet-telnetd-state.c
@@ -0,0 +1,12 @@
+--- appl/telnet/telnetd/state.c.orig Thu Jun 15 15:42:53 2006
++++ appl/telnet/telnetd/state.c Wed Apr 4 14:02:18 2007
+@@ -1665,7 +1665,8 @@
+ strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
+ strcmp(varp, "NLSPATH") && /* locale stuff */
+ strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
+- strcmp(varp, "IFS")) {
++ strcmp(varp, "IFS") &&
++ !strchr(varp, '-')) {
+ return 1;
+ } else {
+ syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
diff --git a/security/krb5/files/patch-appl-telnet-telnetd-sys_term.c b/security/krb5/files/patch-appl-telnet-telnetd-sys_term.c
new file mode 100644
index 000000000000..ec0cf6e41a0e
--- /dev/null
+++ b/security/krb5/files/patch-appl-telnet-telnetd-sys_term.c
@@ -0,0 +1,40 @@
+--- appl/telnet/telnetd/sys_term.c.orig Fri Nov 15 12:21:51 2002
++++ appl/telnet/telnetd/sys_term.c Wed Apr 4 14:02:18 2007
+@@ -1287,6 +1287,16 @@
+ #endif
+ #if defined (AUTHENTICATION)
+ if (auth_level >= 0 && autologin == AUTH_VALID) {
++ if (name[0] == '-') {
++ /* Authenticated and authorized to log in to an
++ account starting with '-'? Even if that
++ unlikely case comes to pass, the current login
++ program will not parse the resulting command
++ line properly. */
++ syslog(LOG_ERR, "user name cannot start with '-'");
++ fatal(net, "user name cannot start with '-'");
++ exit(1);
++ }
+ # if !defined(NO_LOGIN_F)
+ #if defined(LOGIN_CAP_F)
+ argv = addarg(argv, "-F");
+@@ -1377,11 +1387,19 @@
+ } else
+ #endif
+ if (getenv("USER")) {
+- argv = addarg(argv, getenv("USER"));
++ char *user = getenv("USER");
++ if (user[0] == '-') {
++ /* "telnet -l-x ..." */
++ syslog(LOG_ERR, "user name cannot start with '-'");
++ fatal(net, "user name cannot start with '-'");
++ exit(1);
++ }
++ argv = addarg(argv, user);
+ #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
+ {
+ register char **cpp;
+ for (cpp = environ; *cpp; cpp++)
++ if ((*cpp)[0] != '-')
+ argv = addarg(argv, *cpp);
+ }
+ #endif
diff --git a/security/krb5/files/patch-kadmin-server-kadm_rpc_svc.c b/security/krb5/files/patch-kadmin-server-kadm_rpc_svc.c
new file mode 100644
index 000000000000..40cc158e5fe3
--- /dev/null
+++ b/security/krb5/files/patch-kadmin-server-kadm_rpc_svc.c
@@ -0,0 +1,31 @@
+--- kadmin/server/kadm_rpc_svc.c.orig Fri Mar 31 19:08:17 2006
++++ kadmin/server/kadm_rpc_svc.c Wed Apr 4 13:53:04 2007
+@@ -250,6 +250,8 @@
+ krb5_data *c1, *c2, *realm;
+ gss_buffer_desc gss_str;
+ kadm5_server_handle_t handle;
++ size_t slen;
++ char *sdots;
+
+ success = 0;
+ handle = (kadm5_server_handle_t)global_server_handle;
+@@ -274,6 +276,8 @@
+ if (ret == 0)
+ goto fail_name;
+
++ slen = gss_str.length;
++ trunc_name(&slen, &sdots);
+ /*
+ * Since we accept with GSS_C_NO_NAME, the client can authenticate
+ * against the entire kdb. Therefore, ensure that the service
+@@ -296,8 +300,8 @@
+
+ fail_princ:
+ if (!success) {
+- krb5_klog_syslog(LOG_ERR, "bad service principal %.*s",
+- gss_str.length, gss_str.value);
++ krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s",
++ slen, gss_str.value, sdots);
+ }
+ gss_release_buffer(&min_stat, &gss_str);
+ krb5_free_principal(kctx, princ);
diff --git a/security/krb5/files/patch-kadmin-server-misc.c b/security/krb5/files/patch-kadmin-server-misc.c
new file mode 100644
index 000000000000..ed09a06ac7c6
--- /dev/null
+++ b/security/krb5/files/patch-kadmin-server-misc.c
@@ -0,0 +1,15 @@
+--- kadmin/server/misc.c.orig Sat Mar 11 14:23:28 2006
++++ kadmin/server/misc.c Wed Apr 4 13:53:04 2007
+@@ -171,3 +171,12 @@
+
+ return kadm5_free_principal_ent(handle->lhandle, &princ);
+ }
++
++#define MAXPRINCLEN 125
++
++void
++trunc_name(size_t *len, char **dots)
++{
++ *dots = *len > MAXPRINCLEN ? "..." : "";
++ *len = *len > MAXPRINCLEN ? MAXPRINCLEN : *len;
++}
diff --git a/security/krb5/files/patch-kadmin-server-misc.h b/security/krb5/files/patch-kadmin-server-misc.h
new file mode 100644
index 000000000000..bdae6f75806f
--- /dev/null
+++ b/security/krb5/files/patch-kadmin-server-misc.h
@@ -0,0 +1,8 @@
+--- kadmin/server/misc.h.orig Tue Oct 11 21:09:19 2005
++++ kadmin/server/misc.h Wed Apr 4 13:53:04 2007
+@@ -45,3 +45,5 @@
+ #ifdef SVC_GETARGS
+ void kadm_1(struct svc_req *, SVCXPRT *);
+ #endif
++
++void trunc_name(size_t *len, char **dots);
diff --git a/security/krb5/files/patch-kadmin-server-ovsec_kadmd.c b/security/krb5/files/patch-kadmin-server-ovsec_kadmd.c
new file mode 100644
index 000000000000..461aa2b0b700
--- /dev/null
+++ b/security/krb5/files/patch-kadmin-server-ovsec_kadmd.c
@@ -0,0 +1,55 @@
+--- kadmin/server/ovsec_kadmd.c.orig Tue Jan 9 12:21:43 2007
++++ kadmin/server/ovsec_kadmd.c Wed Apr 4 13:53:04 2007
+@@ -992,6 +992,8 @@
+ rpcproc_t proc;
+ int i;
+ const char *procname;
++ size_t clen, slen;
++ char *cdots, *sdots;
+
+ client.length = 0;
+ client.value = NULL;
+@@ -1000,10 +1002,20 @@
+
+ (void) gss_display_name(&minor, client_name, &client, &gss_type);
+ (void) gss_display_name(&minor, server_name, &server, &gss_type);
+- if (client.value == NULL)
++ if (client.value == NULL) {
+ client.value = "(null)";
+- if (server.value == NULL)
++ clen = sizeof("(null)") -1;
++ } else {
++ clen = client.length;
++ }
++ trunc_name(&clen, &cdots);
++ if (server.value == NULL) {
+ server.value = "(null)";
++ slen = sizeof("(null)") - 1;
++ } else {
++ slen = server.length;
++ }
++ trunc_name(&slen, &sdots);
+ a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
+
+ proc = msg->rm_call.cb_proc;
+@@ -1016,14 +1028,14 @@
+ }
+ if (procname != NULL)
+ krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
+- "claimed client = %s, server = %s, addr = %s",
+- procname, client.value,
+- server.value, a);
++ "claimed client = %.*s%s, server = %.*s%s, addr = %s",
++ procname, clen, client.value, cdots,
++ slen, server.value, sdots, a);
+ else
+ krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
+- "claimed client = %s, server = %s, addr = %s",
+- proc, client.value,
+- server.value, a);
++ "claimed client = %.*s%s, server = %.*s%s, addr = %s",
++ proc, clen, client.value, cdots,
++ slen, server.value, sdots, a);
+
+ (void) gss_release_buffer(&minor, &client);
+ (void) gss_release_buffer(&minor, &server);
diff --git a/security/krb5/files/patch-kadmin-server-schpw b/security/krb5/files/patch-kadmin-server-schpw
new file mode 100644
index 000000000000..e69de29bb2d1
--- /dev/null
+++ b/security/krb5/files/patch-kadmin-server-schpw
diff --git a/security/krb5/files/patch-kadmin-server-schpw.c b/security/krb5/files/patch-kadmin-server-schpw.c
new file mode 100644
index 000000000000..673d69b4e937
--- /dev/null
+++ b/security/krb5/files/patch-kadmin-server-schpw.c
@@ -0,0 +1,26 @@
+--- kadmin/server/schpw.c.orig Thu Apr 13 11:58:56 2006
++++ kadmin/server/schpw.c Wed Apr 4 13:53:04 2007
+@@ -40,6 +40,8 @@
+ int numresult;
+ char strresult[1024];
+ char *clientstr;
++ size_t clen;
++ char *cdots;
+
+ ret = 0;
+ rep->length = 0;
+@@ -258,9 +260,12 @@
+ free(ptr);
+ clear.length = 0;
+
+- krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s",
++ clen = strlen(clientstr);
++ trunc_name(&clen, &cdots);
++ krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",
+ inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),
+- clientstr, ret ? krb5_get_error_message (context, ret) : "success");
++ clen, clientstr, cdots,
++ ret ? krb5_get_error_message (context, ret) : "success");
+ krb5_free_unparsed_name(context, clientstr);
+
+ if (ret) {
diff --git a/security/krb5/files/patch-kadmin-server-schpw.c.c b/security/krb5/files/patch-kadmin-server-schpw.c.c
new file mode 100644
index 000000000000..e69de29bb2d1
--- /dev/null
+++ b/security/krb5/files/patch-kadmin-server-schpw.c.c
diff --git a/security/krb5/files/patch-kadmin-server-server_stubs.c b/security/krb5/files/patch-kadmin-server-server_stubs.c
new file mode 100644
index 000000000000..927cd1900593
--- /dev/null
+++ b/security/krb5/files/patch-kadmin-server-server_stubs.c
@@ -0,0 +1,608 @@
+--- kadmin/server/server_stubs.c.orig Thu Apr 13 11:58:56 2006
++++ kadmin/server/server_stubs.c Wed Apr 4 13:53:04 2007
+@@ -14,6 +14,7 @@
+ #include <arpa/inet.h> /* inet_ntoa */
+ #include <adm_proto.h> /* krb5_klog_syslog */
+ #include "misc.h"
++#include <string.h>
+
+ #define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"
+ #define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
+@@ -237,6 +238,61 @@
+ return 0;
+ }
+
++static int
++log_unauth(
++ char *op,
++ char *target,
++ gss_buffer_t client,
++ gss_buffer_t server,
++ struct svc_req *rqstp)
++{
++ size_t tlen, clen, slen;
++ char *tdots, *cdots, *sdots;
++
++ tlen = strlen(target);
++ trunc_name(&tlen, &tdots);
++ clen = client->length;
++ trunc_name(&clen, &cdots);
++ slen = server->length;
++ trunc_name(&slen, &sdots);
++
++ return krb5_klog_syslog(LOG_NOTICE,
++ "Unauthorized request: %s, %.*s%s, "
++ "client=%.*s%s, service=%.*s%s, addr=%s",
++ op, tlen, target, tdots,
++ clen, client->value, cdots,
++ slen, server->value, sdots,
++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++}
++
++static int
++log_done(
++ char *op,
++ char *target,
++ char *errmsg,
++ gss_buffer_t client,
++ gss_buffer_t server,
++ struct svc_req *rqstp)
++{
++ size_t tlen, clen, slen;
++ char *tdots, *cdots, *sdots;
++
++ tlen = strlen(target);
++ trunc_name(&tlen, &tdots);
++ clen = client->length;
++ trunc_name(&clen, &cdots);
++ slen = server->length;
++ trunc_name(&slen, &sdots);
++
++ return krb5_klog_syslog(LOG_NOTICE,
++ "Request: %s, %.*s%s, %s, "
++ "client=%.*s%s, service=%.*s%s, addr=%s",
++ op, tlen, target, tdots, errmsg,
++ clen, client->value, cdots,
++ slen, server->value, sdots,
++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++}
++
+ generic_ret *
+ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
+ {
+@@ -275,9 +331,8 @@
+ || kadm5int_acl_impose_restrictions(handle->context,
+ &arg->rec, &arg->mask, rp)) {
+ ret.code = KADM5_AUTH_ADD;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_create_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_create_principal((void *)handle,
+ &arg->rec, arg->mask,
+@@ -287,10 +342,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
+- prime_arg, errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_create_principal", prime_arg, errmsg,
++ &client_name, &service_name, rqstp);
+
+ /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
+ }
+@@ -341,9 +394,8 @@
+ || kadm5int_acl_impose_restrictions(handle->context,
+ &arg->rec, &arg->mask, rp)) {
+ ret.code = KADM5_AUTH_ADD;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_create_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_create_principal_3((void *)handle,
+ &arg->rec, arg->mask,
+@@ -355,10 +407,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
+- prime_arg, errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_create_principal", prime_arg, errmsg,
++ &client_name, &service_name, rqstp);
+
+ /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
+ }
+@@ -406,9 +456,8 @@
+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
+ arg->princ, NULL)) {
+ ret.code = KADM5_AUTH_DELETE;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_delete_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_delete_principal((void *)handle, arg->princ);
+ if( ret.code == 0 )
+@@ -416,10 +465,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal",
+- prime_arg, errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_delete_principal", prime_arg, errmsg,
++ &client_name, &service_name, rqstp);
+
+ /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
+ }
+@@ -469,9 +516,8 @@
+ || kadm5int_acl_impose_restrictions(handle->context,
+ &arg->rec, &arg->mask, rp)) {
+ ret.code = KADM5_AUTH_MODIFY;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_modify_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
+ arg->mask);
+@@ -480,10 +526,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal",
+- prime_arg, errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_modify_principal", prime_arg, errmsg,
++ &client_name, &service_name, rqstp);
+
+ /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
+ }
+@@ -546,9 +590,8 @@
+ } else
+ ret.code = KADM5_AUTH_INSUFFICIENT;
+ if (ret.code != KADM5_OK) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_rename_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_rename_principal((void *)handle, arg->src,
+ arg->dest);
+@@ -557,10 +600,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal",
+- prime_arg, errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_rename_principal", prime_arg, errmsg,
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg1);
+@@ -614,9 +655,8 @@
+ arg->princ,
+ NULL))) {
+ ret.code = KADM5_AUTH_GET;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth(funcname, prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ if (handle->api_version == KADM5_API_VERSION_1) {
+ ret.code = kadm5_get_principal_v1((void *)handle,
+@@ -636,11 +676,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+- prime_arg,
+- errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done(funcname, prime_arg, errmsg,
++ &client_name, &service_name, rqstp);
+
+ }
+ free_server_handle(handle);
+@@ -688,9 +725,8 @@
+ NULL,
+ NULL)) {
+ ret.code = KADM5_AUTH_LIST;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_get_principals", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_get_principals((void *)handle,
+ arg->exp, &ret.princs,
+@@ -700,11 +736,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals",
+- prime_arg,
+- errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_get_principals", prime_arg, errmsg,
++ &client_name, &service_name, rqstp);
+
+ }
+ free_server_handle(handle);
+@@ -755,9 +788,8 @@
+ ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
+ arg->pass);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_chpass_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
+ }
+
+@@ -767,10 +799,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
+- prime_arg, errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_chpass_principal", prime_arg, errmsg,
++ &client_name, &service_name, rqstp);
+ }
+
+ free_server_handle(handle);
+@@ -828,9 +858,8 @@
+ arg->ks_tuple,
+ arg->pass);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_chpass_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
+ }
+
+@@ -840,10 +869,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
+- prime_arg, errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_chpass_principal", prime_arg, errmsg,
++ &client_name, &service_name, rqstp);
+ }
+
+ free_server_handle(handle);
+@@ -892,9 +919,8 @@
+ ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
+ arg->keyblock);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_setv4key_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_SETKEY;
+ }
+
+@@ -904,10 +930,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal",
+- prime_arg, errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_setv4key_principal", prime_arg, errmsg,
++ &client_name, &service_name, rqstp);
+ }
+
+ free_server_handle(handle);
+@@ -956,9 +980,8 @@
+ ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
+ arg->keyblocks, arg->n_keys);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_setkey_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_SETKEY;
+ }
+
+@@ -968,10 +991,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
+- prime_arg, errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_setkey_principal", prime_arg, errmsg,
++ &client_name, &service_name, rqstp);
+ }
+
+ free_server_handle(handle);
+@@ -1023,9 +1044,8 @@
+ arg->ks_tuple,
+ arg->keyblocks, arg->n_keys);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_setkey_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_SETKEY;
+ }
+
+@@ -1035,10 +1055,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
+- prime_arg, errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_setkey_principal", prime_arg, errmsg,
++ &client_name, &service_name, rqstp);
+ }
+
+ free_server_handle(handle);
+@@ -1097,9 +1115,8 @@
+ ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
+ &k, &nkeys);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth(funcname, prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
+ }
+
+@@ -1119,10 +1136,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+- prime_arg, errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done(funcname, prime_arg, errmsg,
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg);
+@@ -1185,9 +1200,8 @@
+ arg->ks_tuple,
+ &k, &nkeys);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth(funcname, prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
+ }
+
+@@ -1207,10 +1221,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+- prime_arg, errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done(funcname, prime_arg, errmsg,
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg);
+@@ -1253,10 +1265,9 @@
+ rqst2name(rqstp),
+ ACL_ADD, NULL, NULL)) {
+ ret.code = KADM5_AUTH_ADD;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+-
++ log_unauth("kadm5_create_policy", prime_arg,
++ &client_name, &service_name, rqstp);
++
+ } else {
+ ret.code = kadm5_create_policy((void *)handle, &arg->rec,
+ arg->mask);
+@@ -1265,11 +1276,9 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy",
+- ((prime_arg == NULL) ? "(null)" : prime_arg),
+- errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_create_policy",
++ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1310,9 +1319,8 @@
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ rqst2name(rqstp),
+ ACL_DELETE, NULL, NULL)) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_delete_policy", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_DELETE;
+ } else {
+ ret.code = kadm5_delete_policy((void *)handle, arg->name);
+@@ -1321,11 +1329,9 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy",
+- ((prime_arg == NULL) ? "(null)" : prime_arg),
+- errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_delete_policy",
++ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1366,9 +1372,8 @@
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ rqst2name(rqstp),
+ ACL_MODIFY, NULL, NULL)) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_modify_policy", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_MODIFY;
+ } else {
+ ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
+@@ -1378,11 +1383,9 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy",
+- ((prime_arg == NULL) ? "(null)" : prime_arg),
+- errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_modify_policy",
++ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1464,15 +1467,12 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+- ((prime_arg == NULL) ? "(null)" : prime_arg),
+- errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done(funcname,
++ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
++ &client_name, &service_name, rqstp);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth(funcname, prime_arg,
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1517,9 +1517,8 @@
+ rqst2name(rqstp),
+ ACL_LIST, NULL, NULL)) {
+ ret.code = KADM5_AUTH_LIST;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_get_policies", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_get_policies((void *)handle,
+ arg->exp, &ret.pols,
+@@ -1529,11 +1528,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies",
+- prime_arg,
+- errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_get_policies", prime_arg, errmsg,
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1573,11 +1569,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs",
+- client_name.value,
+- errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_get_privs", client_name.value, errmsg,
++ &client_name, &service_name, rqstp);
+
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1594,6 +1587,8 @@
+ kadm5_server_handle_t handle;
+ OM_uint32 minor_stat;
+ char *errmsg = 0;
++ size_t clen, slen;
++ char *cdots, *sdots;
+
+ xdr_free(xdr_generic_ret, &ret);
+
+@@ -1612,14 +1607,22 @@
+
+ if (ret.code != 0)
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d",
+- (ret.api_version == KADM5_API_VERSION_1 ?
+- "kadm5_init (V1)" : "kadm5_init"),
+- client_name.value,
+- (ret.code == 0) ? "success" : errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
+- rqstp->rq_cred.oa_flavor);
++ else
++ errmsg = "success";
++
++ clen = client_name.length;
++ trunc_name(&clen, &cdots);
++ slen = service_name.length;
++ trunc_name(&slen, &sdots);
++ krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, "
++ "client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",
++ (ret.api_version == KADM5_API_VERSION_1 ?
++ "kadm5_init (V1)" : "kadm5_init"),
++ clen, client_name.value, cdots, errmsg,
++ clen, client_name.value, cdots,
++ slen, service_name.value, sdots,
++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
++ rqstp->rq_cred.oa_flavor);
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+
diff --git a/security/krb5/files/patch-kdc-do_tgs_req.c b/security/krb5/files/patch-kdc-do_tgs_req.c
new file mode 100644
index 000000000000..d6cfa2133209
--- /dev/null
+++ b/security/krb5/files/patch-kdc-do_tgs_req.c
@@ -0,0 +1,65 @@
+--- kdc/do_tgs_req.c.orig Fri Oct 13 14:08:07 2006
++++ kdc/do_tgs_req.c Wed Apr 4 13:53:04 2007
+@@ -491,28 +491,38 @@
+ newtransited = 1;
+ }
+ if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
++ unsigned int tlen;
++ char *tdots;
++
+ errcode = krb5_check_transited_list (kdc_context,
+ &enc_tkt_reply.transited.tr_contents,
+ krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
+ krb5_princ_realm (kdc_context, request->server));
++ tlen = enc_tkt_reply.transited.tr_contents.length;
++ tdots = tlen > 125 ? "..." : "";
++ tlen = tlen > 125 ? 125 : tlen;
++
+ if (errcode == 0) {
+ setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
+ } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
+ krb5_klog_syslog (LOG_INFO,
+- "bad realm transit path from '%s' to '%s' via '%.*s'",
++ "bad realm transit path from '%s' to '%s' "
++ "via '%.*s%s'",
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+- enc_tkt_reply.transited.tr_contents.length,
+- enc_tkt_reply.transited.tr_contents.data);
++ tlen,
++ enc_tkt_reply.transited.tr_contents.data,
++ tdots);
+ else {
+ const char *emsg = krb5_get_error_message(kdc_context, errcode);
+ krb5_klog_syslog (LOG_ERR,
+- "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
++ "unexpected error checking transit from "
++ "'%s' to '%s' via '%.*s%s': %s",
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+- enc_tkt_reply.transited.tr_contents.length,
++ tlen,
+ enc_tkt_reply.transited.tr_contents.data,
+- emsg);
++ tdots, emsg);
+ krb5_free_error_message(kdc_context, emsg);
+ }
+ } else
+@@ -542,6 +552,9 @@
+ if (!krb5_principal_compare(kdc_context, request->server, client2)) {
+ if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
+ tmp = 0;
++ if (tmp != NULL)
++ limit_string(tmp);
++
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ %s: 2ND_TKT_MISMATCH: "
+ "authtime %d, %s for %s, 2nd tkt client %s",
+@@ -816,6 +829,7 @@
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ: issuing alternate <un-unparseable> TGT");
+ } else {
++ limit_string(sname);
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ: issuing TGT %s", sname);
+ free(sname);
diff --git a/security/krb5/files/patch-kdc-kdc_util.c b/security/krb5/files/patch-kdc-kdc_util.c
new file mode 100644
index 000000000000..7ace820c79c0
--- /dev/null
+++ b/security/krb5/files/patch-kdc-kdc_util.c
@@ -0,0 +1,10 @@
+--- kdc/kdc_util.c.orig Wed Oct 11 17:33:12 2006
++++ kdc/kdc_util.c Wed Apr 4 13:53:04 2007
+@@ -404,6 +404,7 @@
+
+ krb5_db_free_principal(kdc_context, &server, nprincs);
+ if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
++ limit_string(sname);
+ krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
+ sname);
+ free(sname);
diff --git a/security/krb5/files/patch-lib-kadm5-logger.c b/security/krb5/files/patch-lib-kadm5-logger.c
new file mode 100644
index 000000000000..f553a359e4a2
--- /dev/null
+++ b/security/krb5/files/patch-lib-kadm5-logger.c
@@ -0,0 +1,33 @@
+--- lib/kadm5/logger.c.orig Mon Jun 19 16:33:36 2006
++++ lib/kadm5/logger.c Wed Apr 4 13:53:04 2007
+@@ -45,7 +45,7 @@
+ #include <varargs.h>
+ #endif /* HAVE_STDARG_H */
+
+-#define KRB5_KLOG_MAX_ERRMSG_SIZE 1024
++#define KRB5_KLOG_MAX_ERRMSG_SIZE 2048
+ #ifndef MAXHOSTNAMELEN
+ #define MAXHOSTNAMELEN 256
+ #endif /* MAXHOSTNAMELEN */
+@@ -261,7 +261,9 @@
+ #endif /* HAVE_SYSLOG */
+
+ /* Now format the actual message */
+-#if HAVE_VSPRINTF
++#if HAVE_VSNPRINTF
++ vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap);
++#elif HAVE_VSPRINTF
+ vsprintf(cp, actual_format, ap);
+ #else /* HAVE_VSPRINTF */
+ sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],
+@@ -850,7 +852,9 @@
+ syslogp = &outbuf[strlen(outbuf)];
+
+ /* Now format the actual message */
+-#ifdef HAVE_VSPRINTF
++#ifdef HAVE_VSNPRINTF
++ vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist);
++#elif HAVE_VSPRINTF
+ vsprintf(syslogp, format, arglist);
+ #else /* HAVE_VSPRINTF */
+ sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],