Description: <short summary of the patch>
TODO: Put a short summary on the line above and replace this paragraph
with a longer explanation of this change. Complete the meta-information
with other relevant fields (see below for details). To make it easier, the
information below has been extracted from the changelog. Adjust it or drop
it.
.
krb5-appl (1:1.0.1-4) unstable; urgency=low
.
* Remove the include of sys/tty.h in telnet/telnetd/sys_term.c, which
breaks the build on kFreeBSD because it introduces a second competing
definition of struct termios.
* Define MAXHOSTNAMELEN in the resolve test to fix builds on Hurd.
* Fix spelling error in ftp binary (thanks, Lintian).
Author: Russ Allbery <rra@debian.org>
---
The information above should follow the Patch Tagging Guidelines; please
check out http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:
Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: http://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: <YYYY-MM-DD>
--- /dev/null
+++ krb5-appl-1.0.1/.gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+pristine-tar=True
--- krb5-appl-1.0.1.orig/k5-util.h
+++ krb5-appl-1.0.1/k5-util.h
@@ -69,8 +69,7 @@
#elif defined(HAVE_SETREUID)
# define krb5_seteuid(EUID) setreuid(geteuid(), (uid_t)(EUID))
#else
- /* You need to add a case to deal with this operating system.*/
-# define krb5_seteuid(EUID) (errno = EPERM, -1)
+# error "You need to add a case to deal with this operating system."
#endif
#ifdef HAVE_SETEGID
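Review bot: The two new `#error` lines (here and in the `krb5_setegid` hunk that follows) carry the same generic text, so a failed build does not say which primitive is missing. Turning the old runtime `EPERM` stub into a compile-time failure is the safer choice for privilege-dropping code, but the message should name the macro, e.g. `# error "krb5_seteuid: no seteuid, setresuid or setreuid on this system"`, with matching text for `krb5_setegid`. The `#if` chain starts outside the hunk.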
@@ -80,8 +79,7 @@
#elif defined(HAVE_SETREGID)
# define krb5_setegid(EGID) (setregid(getegid(), (gid_t)(EGID)))
#else
- /* You need to add a case to deal with this operating system.*/
-# define krb5_setegid(EGID) (errno = EPERM, -1)
+# error "You need to add a case to deal with this operating system."
#endif
#endif
--- krb5-appl-1.0.1.orig/configure.ac
+++ krb5-appl-1.0.1/configure.ac
@@ -107,6 +107,7 @@ AC_CHECK_FUNCS(_getpty cgetent getcwd ge
AC_CHECK_FUNCS(getutmpx grantpt inet_aton initgroups isatty killpg killpg)
AC_CHECK_FUNCS(line_push ptsname revoke rmufile rresvport_af)
AC_CHECK_FUNCS(seteuid setlogin setpgid setpriority setresuid setreuid)
+AC_CHECK_FUNCS(setegid setregid setresgid)
AC_CHECK_FUNCS(setutent setutsent setutxent strsave tcgetpgrp tcsetpgrp)
AC_CHECK_FUNCS(ttyname unsetenv updwtmp updwtmpx utimes utmpname utmpxname)
AC_CHECK_FUNCS(vhangup vsnprintf waitpid)
--- krb5-appl-1.0.1.orig/tests/resolve/resolve.c
+++ krb5-appl-1.0.1/tests/resolve/resolve.c
@@ -72,6 +72,10 @@ char *strchr();
#include <netinet/in.h>
#include <netdb.h>
+#ifndef MAXHOSTNAMELEN
+# define MAXHOSTNAMELEN 256
+#endif
+
int
main(argc, argv)
int argc;
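Review bot: This `MAXHOSTNAMELEN` fallback is repeated verbatim in bsd/login.c, gssftp/ftpd/ftpd.c, gssftp/ftp/ftp.c and libpty/sane_hostname.c, and the `MAXPATHLEN` fallback in four more files, so the values can drift apart. On a system that leaves these macros undefined because it has no fixed limit, a buffer sized by the fallback can be shorter than what the system returns. The uses are outside the hunks, so each one should be checked for truncation handling and explicit NUL-termination. A comment such as `/* Fallback for systems without a fixed limit (Hurd); callers must cope with longer names */` would record that, ideally in one shared header.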
--- krb5-appl-1.0.1.orig/bsd/login.c
+++ krb5-appl-1.0.1/bsd/login.c
@@ -122,6 +122,14 @@ int login_accept_passwd = 0;
#define siglongjmp longjmp
#endif
+#ifndef MAXPATHLEN
+# define MAXPATHLEN 4096
+#endif
+
+#ifndef MAXHOSTNAMELEN
+# define MAXHOSTNAMELEN 256
+#endif
+
#ifdef POSIX_SIGNALS
typedef struct sigaction handler;
#define handler_init(H,F) (sigemptyset(&(H).sa_mask), \
--- krb5-appl-1.0.1.orig/bsd/klogind.M
+++ krb5-appl-1.0.1/bsd/klogind.M
@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when
the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
configuration line for \fIklogind\fP might be:
-klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c
+klogin stream tcp nowait root /usr/sbin/klogind klogind \-e5c
When a service request is received, the following protocol is initiated:
@@ -56,7 +56,7 @@ by command line arguments passed by inet
.IP \fB\-P\fP
Prompt the user for a password.
-If the -P option is passed, then the password is verified in addition
+If the \-P option is passed, then the password is verified in addition
to all other checks.
.IP \fB\-e\fP
@@ -77,7 +77,7 @@ checksums are validated if presented. S
a checksum from an authenticator without making the authenticator
invalid, this default mode is almost as significant of a security
improvement as \fB-c\fP if new clients are used. It has the additional
-advantage of backwards compatability with some clients.
+advantage of backwards compatibility with some clients.
Unfortunately, clients before Kerberos V5, Beta5, generate invalid
checksums; if these clients are used, the \fB-i\fP option must be
used.
@@ -87,8 +87,8 @@ Ignore authenticator checksums if provid
ignore authenticator checksusm presented by current Kerberos clients
to protect initial connection information; it is the opposite of
\fB-c\fP. This option is provided because some older
-clients--particularly clients predating the release of Kerberos V5
-Beta5 (May 1995)--present bogus checksums that prevent Kerberos
+clients -- particularly clients predating the release of Kerberos V5
+Beta5 (May 1995) -- present bogus checksums that prevent Kerberos
authentication from succeeding in the default mode.
.PP
--- krb5-appl-1.0.1.orig/bsd/kshd.M
+++ krb5-appl-1.0.1/bsd/kshd.M
@@ -8,7 +8,7 @@
.SH NAME
kshd \- kerberized remote shell server
.SH SYNOPSIS
-.B /usr/local/sbin/kshd
+.B kshd
[
.B \-kr45ec
]
@@ -30,7 +30,7 @@ server is invoked by \fIinetd(8c)\fP whe
on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
configuration line for \fIkrshd\fP might be:
-kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c
+kshell stream tcp nowait root /usr/sbin/kshd kshd \-5c
When a service request is received, the following protocol is initiated:
@@ -97,7 +97,7 @@ checksums are validated if presented. S
a checksum from an authenticator without making the authenticator
invalid, this default mode is almost as significant of a security
improvement as \fB-c\fP if new clients are used. It has the additional
-advantage of backwards compatability with some clients.
+advantage of backwards compatibility with some clients.
Unfortunately, clients before Kerberos V5, Beta5, generate invalid
checksums; if these clients are used, the \fB-i\fP option must be
used.
@@ -107,8 +107,8 @@ Ignore authenticator checksums if provid
ignore authenticator checksusm presented by current Kerberos clients
to protect initial connection information; it is the opposite of
\fB-c\fP. This option is provided because some older
-clients--particularly clients predating the release of Kerberos V5
-Beta5 (May 1995)--present bogus checksums that prevent Kerberos
+clients -- particularly clients predating the release of Kerberos V5
+Beta5 (May 1995) -- present bogus checksums that prevent Kerberos
authentication from succeeding in the default mode.
--- krb5-appl-1.0.1.orig/bsd/Makefile.in
+++ krb5-appl-1.0.1/bsd/Makefile.in
@@ -9,9 +9,9 @@ SRCS= $(srcdir)/krcp.c $(srcdir)/krlogin
$(srcdir)/krlogind.c
OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o login.o krshd.o krlogind.o
-UCB_RLOGIN = @UCB_RLOGIN@
-UCB_RSH = @UCB_RSH@
-UCB_RCP = @UCB_RCP@
+UCB_RLOGIN = /usr/bin/netkit-rlogin
+UCB_RSH = /usr/bin/netkit-rsh
+UCB_RCP = /usr/bin/netkit-rcp
RSH= -DKRB5_PATH_RLOGIN=\"$(CLIENT_BINDIR)/rlogin\"
BSD= -DUCB_RLOGIN=\"$(UCB_RLOGIN)\" \
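Review bot: Replacing the `@UCB_RLOGIN@`, `@UCB_RSH@` and `@UCB_RCP@` substitutions with fixed `/usr/bin/netkit-*` paths means that whatever configure detects or the builder passes is ignored, and nothing in the file says why. These values are compiled into the binaries through `-DUCB_RLOGIN=...`, presumably as the non-Kerberos programs the clients hand off to, so the path decides which program gets executed in that case. Add a comment above the assignments, e.g. `# Debian: fixed netkit paths; non-Kerberos fallbacks compiled into the clients`, or pass the paths in from the packaging rules so Makefile.in stays generic.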
--- krb5-appl-1.0.1.orig/bsd/krshd.c
+++ krb5-appl-1.0.1/bsd/krshd.c
@@ -488,6 +488,11 @@ int maxlogs;
#define NCARGS 1024
#endif
+#if NCARGS == INT_MAX
+#undef NCARGS
+#define NCARGS 4096
+#endif
+
#define NMAX 16
int pid;
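Review bot: `#if NCARGS == INT_MAX` only works if `<limits.h>` has been included before this point. An undefined `INT_MAX` is evaluated as 0 by the preprocessor, so the test would silently become `NCARGS == 0` and the cap would never apply. The includes are outside the hunk, so this should be confirmed or made explicit with `#include <limits.h>` ahead of the block. A comment such as `/* NCARGS may be defined as INT_MAX; cap it so anything sized by it stays bounded */` would also explain where 4096 comes from.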
--- krb5-appl-1.0.1.orig/bsd/krlogind.c
+++ krb5-appl-1.0.1/bsd/krlogind.c
@@ -286,6 +286,10 @@ char *login_program = LOGIN_PROGRAM;
#define MAXDNAME 256 /*per the rfc*/
#endif
+#ifndef MAXPATHLEN
+# define MAXPATHLEN 4096
+#endif
+
char lusername[UT_NAMESIZE+1];
char rusername[UT_NAMESIZE+1];
char *krusername = 0;
--- krb5-appl-1.0.1.orig/bsd/krlogin.c
+++ krb5-appl-1.0.1/bsd/krlogin.c
@@ -139,6 +139,7 @@ char copyright[] =
#include <sys/ptyvar.h>
#endif
#endif
+#undef TIOCGLTC
#ifndef TIOCPKT_NOSTOP
/* These values are over-the-wire protocol, *not* local values */
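Review bot: The unconditional `#undef TIOCGLTC` has no comment, and it changes which terminal-handling code is compiled on every platform, not only the one that needed the fix. Please state the reason next to it, for example `/* force the non-ltchars code path: TIOCGLTC is defined here but not usable */` if that is the motivation, and consider guarding it with the affected platform's macro. The code that tests `TIOCGLTC` is outside the hunk.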
--- krb5-appl-1.0.1.orig/telnet/libtelnet/encrypt.c
+++ krb5-appl-1.0.1/telnet/libtelnet/encrypt.c
@@ -757,6 +757,9 @@ static void encrypt_keyid(kp, keyid, len
int dir = kp->dir;
register int ret = 0;
+ if (len > MAXKEYLEN)
+ len = MAXKEYLEN;
+
if (!(ep = (*kp->getcrypt)(*kp->modep))) {
if (len == 0)
return;
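Review bot: The clamp bounds only the upper side of `len`, and it silently truncates an over-long key id instead of treating it as a protocol error. If `len` is a signed `int` (its declaration is outside the hunk), a negative value still passes `len > MAXKEYLEN` and reaches whatever copy follows. The stricter `if (len < 0 || len > MAXKEYLEN) return;` would close that. A comment such as `/* keyid length is peer-controlled; never use more than MAXKEYLEN bytes */` would tell the next reader why the check must stay. The function body continues past the hunk.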
--- krb5-appl-1.0.1.orig/telnet/telnet/main.c
+++ krb5-appl-1.0.1/telnet/telnet/main.c
@@ -322,10 +322,14 @@ main(argc, argv)
if (setjmp(toplevel) != 0)
Exit(0);
- if (tn(argp - args, args) == 1)
- return (0);
- else
- return (1);
+ {
+ int ret = tn(argp - args, args);
+ switch (ret) {
+ case 1: return 0;
+ case 2: usage();
+ default: return 1;
+ }
+ }
}
(void)setjmp(toplevel);
for (;;) {
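Review bot: `case 2: usage();` has no `return` or `break`, so it either relies on `usage()` never returning or falls through to `default: return 1;`. The definition of `usage()` is not visible here. Make the intent explicit with `case 2: usage(); /* FALLTHROUGH */` or `case 2: usage(); return 1;`. The literal `2` is also a private contract with `tn()` in telnet/telnet/commands.c and deserves a named constant or a comment on both sides.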
--- krb5-appl-1.0.1.orig/telnet/telnet/sys_bsd.c
+++ krb5-appl-1.0.1/telnet/telnet/sys_bsd.c
@@ -44,6 +44,8 @@
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
+#include <sys/ioctl.h>
+
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
--- krb5-appl-1.0.1.orig/telnet/telnet/commands.c
+++ krb5-appl-1.0.1/telnet/telnet/commands.c
@@ -2467,8 +2467,7 @@ tn(argc, argv)
continue;
}
usage:
- printf("usage: %s [-l user] [-a] host-name [port]\r\n", cmd);
- return 0;
+ return 2;
}
if (hostp == 0)
goto usage;
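Review bot: Returning `2` from the `usage:` label removes the only usage message `tn()` printed. Any caller other than the `main()` path patched in telnet/telnet/main.c now gets a non-zero result and no explanation. Callers are outside the hunk; if `tn()` is also reachable from the interactive command table, the old `printf` plus `return 0` behaviour changes there too and should be checked. At minimum document the new value, e.g. `return 2; /* usage error: caller prints usage */`.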
--- krb5-appl-1.0.1.orig/telnet/telnet/utilities.c
+++ krb5-appl-1.0.1/telnet/telnet/utilities.c
@@ -797,13 +797,13 @@ printsub(direction, pointer, length)
if (pointer[0] == TELOPT_OLD_ENVIRON) {
# ifdef ENV_HACK
if (old_env_var == OLD_ENV_VALUE)
- fprintf(NetTrace, "\" (VALUE) " + noquote);
+ fprintf(NetTrace, "%s", "\" (VALUE) " + noquote);
else
# endif
- fprintf(NetTrace, "\" VAR " + noquote);
+ fprintf(NetTrace, "%s", "\" VAR " + noquote);
} else
#endif /* OLD_ENVIRON */
- fprintf(NetTrace, "\" VALUE " + noquote);
+ fprintf(NetTrace, "%s", "\" VALUE " + noquote);
noquote = 2;
break;
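Review bot: Adding `"%s"` removes the non-literal format argument, but the `"..." + noquote` pointer offset is still undocumented and stays in bounds only while `noquote` is no larger than the literal's length (the visible assignments set it to 2). `fputs("\" VALUE " + noquote, NetTrace);` expresses the same output without any format string. A comment such as `/* noquote offsets into the literal to skip its leading quote and space */` would pin the invariant. The same applies to the calls in the following hunk of this file.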
@@ -813,23 +813,23 @@ printsub(direction, pointer, length)
if (pointer[0] == TELOPT_OLD_ENVIRON) {
# ifdef ENV_HACK
if (old_env_value == OLD_ENV_VAR)
- fprintf(NetTrace, "\" (VAR) " + noquote);
+ fprintf(NetTrace, "%s", "\" (VAR) " + noquote);
else
# endif
- fprintf(NetTrace, "\" VALUE " + noquote);
+ fprintf(NetTrace, "%s", "\" VALUE " + noquote);
} else
#endif /* OLD_ENVIRON */
- fprintf(NetTrace, "\" VAR " + noquote);
+ fprintf(NetTrace, "%s", "\" VAR " + noquote);
noquote = 2;
break;
case ENV_ESC:
- fprintf(NetTrace, "\" ESC " + noquote);
+ fprintf(NetTrace, "%s", "\" ESC " + noquote);
noquote = 2;
break;
case ENV_USERVAR:
- fprintf(NetTrace, "\" USERVAR " + noquote);
+ fprintf(NetTrace, "%s", "\" USERVAR " + noquote);
noquote = 2;
break;
--- krb5-appl-1.0.1.orig/telnet/telnetd/telnetd.8
+++ krb5-appl-1.0.1/telnet/telnetd/telnetd.8
@@ -37,7 +37,7 @@ telnetd \-
.SM DARPA TELNET
protocol server
.SH SYNOPSIS
-.B /usr/libexec/telnetd
+.B telnetd
[\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
[\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
[\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
--- krb5-appl-1.0.1.orig/telnet/telnetd/defs.h
+++ krb5-appl-1.0.1/telnet/telnetd/defs.h
@@ -38,6 +38,7 @@
*/
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/ioctl.h>
#ifndef BSD
# define BSD 43
--- krb5-appl-1.0.1.orig/telnet/telnetd/sys_term.c
+++ krb5-appl-1.0.1/telnet/telnetd/sys_term.c
@@ -115,9 +115,12 @@ extern struct sysv sysv;
#include <sys/proc.h>
#endif
/* For what platforms do we really need sys/tty.h? */
+/* Not Linux, at least, and including this on kFreeBSD breaks the build. */
+#if 0
#ifdef HAVE_SYS_TTY_H
#include <sys/tty.h>
#endif
+#endif
#ifdef t_erase
#undef t_erase
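Review bot: Wrapping the include in `#if 0` disables it on every platform and leaves the `HAVE_SYS_TTY_H` check as dead code, although the added comment only names Linux and kFreeBSD. If some other system does need `<sys/tty.h>`, the build there now breaks or changes silently. A platform guard such as `#if defined(HAVE_SYS_TTY_H) && !defined(__linux__) && !defined(__FreeBSD_kernel__)` keeps the fix scoped to the systems the comment mentions.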
--- krb5-appl-1.0.1.orig/gssftp/ftpd/ftpd.c
+++ krb5-appl-1.0.1/gssftp/ftpd/ftpd.c
@@ -152,6 +152,14 @@ int have_creds; /* User has credentials
#include "ftpd_var.h"
#include "secure.h"
+#ifndef MAXPATHLEN
+# define MAXPATHLEN 4096
+#endif
+
+#ifndef MAXHOSTNAMELEN
+# define MAXHOSTNAMELEN 256
+#endif
+
extern char *crypt();
extern char version[];
extern char *home; /* pointer to home directory for glob */
@@ -986,9 +994,14 @@ login(passwd, logincode)
#endif
}
- (void) krb5_setegid((gid_t)pw->pw_gid);
- (void) initgroups(pw->pw_name, pw->pw_gid);
-
+ if (krb5_setegid((gid_t)pw->pw_gid) < 0) {
+ reply(550, "Can't set egid.");
+ goto bad;
+ }
+ if (geteuid() == 0 && initgroups(pw->pw_name, pw->pw_gid) < 0) {
+ reply(550, "Can't initgroups");
+ goto bad;
+ }
/* open wtmp before chroot */
(void) snprintf(ttyline, sizeof(ttyline), "ftp%ld", (long) getpid());
pty_logwtmp(ttyline, pw->pw_name, rhost_sane);
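Review bot: The `geteuid() == 0 &&` guard means a non-root ftpd skips `initgroups()` without any reply or log entry, so the session keeps whatever supplementary groups the daemon inherited. If that is intended for unprivileged runs, say so and log it, e.g. `/* not root: supplementary groups cannot be changed, inherited ones stay in effect */` with a `syslog(LOG_WARNING, ...)` in an else branch. The two new failure paths would also benefit from a `syslog` call before `goto bad`, so failed privilege drops are visible to operators and not only to the client. `login()` and the `bad:` label are outside the hunk.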
@@ -2360,7 +2373,7 @@ send_file_list(whichfiles)
globerr = NULL;
dirlist = ftpglob(whichfiles);
if (globerr != NULL) {
- reply(550, globerr);
+ reply(550, "%s", globerr);
return;
} else if (dirlist == NULL) {
errno = ENOENT;
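Review bot: `reply()` is evidently printf-style, yet each non-literal format is being fixed by hand: this hunk, the `syslog` call in `log_gss_error` in the next hunk, and `command("%s", buf)` in gssftp/ftp/cmds.c. Nothing stops the next non-literal format from slipping in. If the declarations (outside this diff) are prototyped, annotate them, e.g. `__attribute__((format(printf, 2, 3)))` on `reply` and `__attribute__((format(printf, 1, 2)))` on `command`. Building with `-Wformat -Wformat-security` then lets the compiler flag regressions.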
@@ -2536,7 +2549,7 @@ static void
log_gss_error(int severity, OM_uint32 maj_stat, OM_uint32 min_stat,
const char *s)
{
- syslog(severity, s);
+ syslog(severity, "%s", s);
with_gss_error_text(log_gss_error_1, maj_stat, min_stat, severity);
}
--- krb5-appl-1.0.1.orig/gssftp/ftpd/ftpd.M
+++ krb5-appl-1.0.1/gssftp/ftpd/ftpd.M
@@ -36,7 +36,7 @@
ftpd \- DARPA Internet File Transfer Protocol server
.SH SYNOPSIS
.B ftpd
-[\fB\-A \fP|\fB -a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB-E\fP]
+[\fB\-A \fP|\fB\-a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB\-E\fP]
[\fB\-l\fP] [\fB\-v\fP] [\fB\-T\fP \fImaxtimeout\fP] [\fB\-t\fP \fItimeout\fP]
[\fB\-p\fP \fIport\fP] [\fB\-U\fP \fIftpusers-file\fP] [\fB\-u\fP \fIumask\fP]
[\fB\-r\fP \fIrealm-file\fP] [\fB\-s\fP \fIsrvtab\fP]
@@ -75,7 +75,7 @@ Allow the CCC (Clear Command Channel) co
less secure connections, and should probably only be used when debugging.
.TP
.B \-d
-Debugging information is written to the syslog. (Identical to -v)
+Debugging information is written to the syslog. (Identical to \-v)
.TP
.B \-E
Don't allow passwords to be typed across unencrypted connections.
@@ -90,7 +90,7 @@ other statistics such as the number of b
syslog as well.
.TP
.B \-v
-Debugging information is written to the syslog. (Identical to -d)
+Debugging information is written to the syslog. (Identical to \-d)
.TP
\fB\-T\fP \fImaxtimeout\fP
A client may request a maximum timeout period allowed set to
@@ -191,7 +191,7 @@ give help information
.sp -1
.TP
LIST
-give list files in a directory (``ls -lgA'')
+give list files in a directory (``ls \-lgA'')
.sp -1
.TP
MIC
--- krb5-appl-1.0.1.orig/gssftp/ftp/ftp.M
+++ krb5-appl-1.0.1/gssftp/ftp/ftp.M
@@ -947,7 +947,7 @@ then forks a shell, using
.IR popen (3)
with the argument supplied, and reads from (writes to) stdout (stdin).
If the shell command includes spaces, the argument must be quoted; e.g.
-``" ls -lt"''. A particularly useful example of this mechanism is:
+``" ls \-lt"''. A particularly useful example of this mechanism is:
``dir more''.
.TP
3.
--- krb5-appl-1.0.1.orig/gssftp/ftp/ftp.c
+++ krb5-appl-1.0.1/gssftp/ftp/ftp.c
@@ -150,6 +150,10 @@ unsigned char *ucbuf;
#include "ftp_var.h"
#include "secure.h"
+#ifndef MAXHOSTNAMELEN
+# define MAXHOSTNAMELEN 256
+#endif
+
#ifdef GSSAPI
void user_gss_error (OM_uint32, OM_uint32, char *);
#endif
--- krb5-appl-1.0.1.orig/gssftp/ftp/ftp_var.h
+++ krb5-appl-1.0.1/gssftp/ftp/ftp_var.h
@@ -53,15 +53,6 @@ FILE* fdopen_socket(SOCKET s, char* mode
#define PERROR_SOCKET(str) perror(str)
#endif
-#ifdef _WIN32
-typedef void (*sig_t)(int);
-typedef void sigtype;
-#else
-#define sig_t my_sig_t
-#define sigtype krb5_sigtype
-typedef sigtype (*sig_t)();
-#endif
-
/*
* FTP global variables.
*/
@@ -70,6 +61,10 @@ typedef sigtype (*sig_t)();
#define extern
#endif
+#ifndef MAXPATHLEN
+# define MAXPATHLEN 4096
+#endif
+
/*
* Options and other state info.
*/
@@ -164,6 +159,15 @@ extern int macnum; /* number of defined
extern struct macel macros[16];
extern char macbuf[4096];
+#ifdef _WIN32
+typedef void (*sig_t)(int);
+typedef void sigtype;
+#else
+#define sig_t my_sig_t
+#define sigtype krb5_sigtype
+typedef sigtype (*sig_t)();
+#endif
+
#ifdef DEFINITIONS
#undef extern
#endif
--- krb5-appl-1.0.1.orig/gssftp/ftp/cmds.c
+++ krb5-appl-1.0.1/gssftp/ftp/cmds.c
@@ -262,7 +262,7 @@ void setpeer(argc, argv)
if (overbose &&
!strncmp(reply_string, "215 TOPS20", 10))
printf(
-"Remember to set tenex mode when transfering binary files from this machine.\n");
+"Remember to set tenex mode when transferring binary files from this machine.\n");
}
verbose = overbose;
#else
@@ -1824,7 +1824,7 @@ static void quote1(initial, argc, argv)
len += strlen(strncpy(&buf[len], argv[i], sizeof(buf) - 1 - len));
}
}
- if (command(buf) == PRELIM) {
+ if (command("%s", buf) == PRELIM) {
while (getreply(0) == PRELIM);
}
}
--- krb5-appl-1.0.1.orig/libpty/sane_hostname.c
+++ krb5-appl-1.0.1/libpty/sane_hostname.c
@@ -27,6 +27,10 @@
#include "socket-utils.h"
#include "fake-addrinfo.h"
+#ifndef MAXHOSTNAMELEN
+# define MAXHOSTNAMELEN 256
+#endif
+
static void
downcase (char *s)
{