February 2013 - openSUSE Commits - openSUSE Mailing Lists

commit gnome-control-center for openSUSE:12.1:Update
by root＠hilbert.suse.de 25 Feb '13

25 Feb '13

Hello community, here is the log from the commit of package gnome-control-center for openSUSE:12.1:Update checked in at 2013-02-25 09:55:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update/gnome-control-center (Old) and /work/SRC/openSUSE:12.1:Update/.gnome-control-center.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gnome-control-center", Maintainer is "gnome-maintainers(a)suse.de" Changes: -------- New Changes file: NO CHANGES FILE!!! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _link ++++++ --- /var/tmp/diff_new_pack.Zpf6Ly/_old 2013-02-25 09:55:58.000000000 +0100 +++ /var/tmp/diff_new_pack.Zpf6Ly/_new 2013-02-25 09:55:58.000000000 +0100 @@ -1 +1 @@ -<link package='gnome-control-center.171' cicount='copy' /> +<link package='gnome-control-center.1352' cicount='copy' /> -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit gnome-control-center.1352 for openSUSE:12.1:Update
by root＠hilbert.suse.de 25 Feb '13

25 Feb '13

Hello community, here is the log from the commit of package gnome-control-center.1352 for openSUSE:12.1:Update checked in at 2013-02-25 09:55:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update/gnome-control-center.1352 (Old) and /work/SRC/openSUSE:12.1:Update/.gnome-control-center.1352.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gnome-control-center.1352", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2013-02-09 11:18:20.872010756 +0100 +++ /work/SRC/openSUSE:12.1:Update/.gnome-control-center.1352.new/gnome-control-center.changes 2013-02-25 09:55:53.000000000 +0100 @@ -0,0 +1,3146 @@ +------------------------------------------------------------------- +Sat Feb 16 17:28:09 UTC 2013 - mike.catanzaro(a)gmail.com + +- Add gnome-control-center-minimal-password-dialog.patch + + Remove the random password generator, which cannot work in 12.1 + since it calls apg, which we do not package (bnc#779414) + + Remove password "hint to nowhere" that gdm no longer displays + (bnc#796932) +- Add gnome-control-center-remove-password-options.patch + + For 12.1, remove 'choose password at next login' and 'log in + without password' options as these conflict with our PAM and + make it impossible to log in (bnc#796932). +- Add gnome-control-center-remove-password-options.patch + + Disallow setting password to be the same as it used to be, to + avoid a hang (bnc#779413). + +------------------------------------------------------------------- +Fri Dec 23 04:29:04 UTC 2011 - glin(a)suse.com + +- add gnome-control-center-private-connections-by-default.patch to + create the private connections by default (bnc#731812) + +------------------------------------------------------------------- +Tue Nov 15 09:57:30 UTC 2011 - glin(a)suse.com + +- Add gnome-control-center-probe-radius-server-cert.patch to probe + the RADIUS server certificate (bnc#574266) + +------------------------------------------------------------------- +Thu Oct 20 08:25:40 UTC 2011 - vuntz(a)opensuse.org + +- Add gnome-control-center-hide-region-system-tab.patch: hide + system tab in region panel until we really use the same files as + systemd for setting the system-wide locale configuration. See + bnc#703833 for more details. +- Really drop + gnome-control-center-network-allocate-nm-connection.patch. + +------------------------------------------------------------------- +Mon Oct 17 18:10:24 CEST 2011 - dimstar(a)opensuse.org + +- Update to version 3.2.1: + + Common: + - Always collect locales from the directory (bgo#660725) + + Color: + - After removing a profile select the device so the UI is + correct (bgo#661658) + + Date & time: + - Fix showing actual clock format on panel open + + Info: + - Use new GtkAppChooserButton API (bgo#658693) + - Use x-content/unix-software as mime for the Software combobox + + Network: + - Allocate nm-connection for nma-wireless-dialog (bgo#648174) + - Show wireless dialog even if there is no active AP + (bgo#661526) + + Printers: + - Check state of CUPS after start (bgo#659721) + - Fix build on systems without LC_PAPER (bgo#660692) + - Don't hide address entry + - Disable remove button if no printer is selected (bgo#659724) + - Hide spinner after search (bgo#659753) + - Make +/- buttons insensitive when can not connect to CUPS + + Region: + - Hide system tab if no localed + - Simplify getting the current Locale + - Implement copying layouts (bgo#659300) + - Fix build on systems without LC_MEASUREMENT (bgo#660787) + - Only show locales for languages that have translations + + Screen: + - Never set gnome-session's idle-delay to 1 + + Shell: + - Use gtk_widget_show instead of _show_all in + gnome_control_center_show + - Show the label for the category sections + - Make sure we gtk_widget_show the search view + - Make Ctrl+Q work outside the overview + - Give focus to the search entry when showing the overview page + - Don't crash when loading the icon fails (bgo#660513) + + Updated translations. +- Drop gnome-control-center-setup-wpa-eap-no-active-ap.patch: fixed + upstream. +- Drop gnome-control-center-network-allocate-nm-connection.patch: + fixed upstream. + +------------------------------------------------------------------- +Wed Oct 12 08:49:59 UTC 2011 - glin(a)suse.com + +- Add gnome-control-center-setup-wpa-eap-no-active-ap.patch: show + the wireless setup dialog regardless of whether there is an + active AP or not (bgo#661526). + +------------------------------------------------------------------- +Tue Oct 11 18:09:05 UTC 2011 - vuntz(a)opensuse.org + +- Add gnome-control-center-allow-yast-in-shell.patch: allow the + launch of the YaST shell from the gnome-control-center shell. We + need a special case as the gnome-control-center shell only + supports internal panels, but we want an exception for the YaST + shell. +- Add gnome-control-center-shell-no-crash.patch: fix crash on + search when a .desktop file has no comment. +- Split /etc/xdg/menus/gnomecc.menu in a branding-upstream + subpackage, so that we can have a branding-openSUSE package that + will add YaST to the control center shell. +- Add a Requires on gnome-control-center-branding to the main + subpackage, to make sure we always have a menu definition for the + shell. + +------------------------------------------------------------------- +Thu Oct 6 04:27:50 UTC 2011 - glin(a)suse.com + +- Add gnome-control-center-network-allocate-nm-connection.patch: + allocate nm-connection for nma-wireless-dialog so that the user + can configure the wireless conection settings (bgo#648174). + +------------------------------------------------------------------- +Mon Oct 3 07:36:56 UTC 2011 - vuntz(a)opensuse.org + +- Remove usage of %mime_database_{post,postun} macros as there is + no MIME definition installed. +- Do not pass --disable-update-mimedb to configure since it's not + useful anymore. + +------------------------------------------------------------------- +Mon Sep 26 19:41:43 UTC 2011 - vuntz(a)opensuse.org + +- Update to version 3.2.0: + + System info: + - Don't crash when systemd isn't used (bgo#659367) + - Don't warn if PackageKit isn't around + - Continue on filesystem query info (bgo#654563) + + Wacom: + - Show "stand-by" page when Wacom not available (bgo#657424) + + Updated translations. + +------------------------------------------------------------------- +Tue Sep 20 08:32:23 UTC 2011 - vuntz(a)opensuse.org + +- Update to version 3.1.92: + + Color: + - Fix help links for gnome-help 3.1* + - Don't assert if the user double clicks the delete profile + button + - Fix spawning of gcm-viewer + - Do not allow the user to choose profiles owned by other users + - Do not allow the user to set default a profile they cannot + access + - Disable 'View details' button if gcm-viewer is not installed + - Escape profile titles that have markup in the titles + (bgo#659127) + - Pack the left and right button groups into two GtkBox + containers (bgo#659273) + + Common: + - Add a way for panels to receive additional arguments + (bgo#657093) + - Bump GTK+ deps + - Tell the actual required version for NM + + Display: + - Remove duplicate/unused translations + + Info: + - Don't warn when the hostname is empty + - Do fallback correctly when reading hostnames + - Split the hostname setting + + Keyboard: + - Link directly to the layouts page + + Network: + - Show wireless dialogs when asked (bgo#657093) + - Fix memleak when argv changes + - A segfault was introduced when assigning to args (bgo#658670) + - Bind HTTP host entry to the 'host' setting in GSettings + + Printers: + - Match lower-case properly + + Region: + - Add ability to switch pages + - Fix display of layouts on the system tab + - Only offer to copy settings if they are different + + Screen: + - Don't fill up the space + - Fix resulting top-padding (bgo#657606) + - Remove indent on "Turn off..." label + + Shell: + - Replace window sizing code (bgo#658068) + + Sound: + - Put the level bar at 0 when muting (bgo#644537) + - Allow switching tabs from the command-line + + Universal access: + - Fix sensitivity of keyboard a11y (bgo#649452) + - Add context for text sizes (bgo#645729) + - Set contrast combo on startup (bgo#658990) + + User accounts: + - Hide old message when enrolling + + Wacom: + - Add a left-handed switch (bgo#657810) + - Improve alignment of lines and widgets (bgo#657425) + - Make string as translatable + + Updated translations. ++++ 2949 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.1:Update/.gnome-control-center.1352.new/gnome-control-center.changes New: ---- gnome-control-center-3.2.1.tar.bz2 gnome-control-center-allow-yast-in-shell.patch gnome-control-center-hide-region-system-tab.patch gnome-control-center-minimal-password-dialog.patch gnome-control-center-password-must-change.patch gnome-control-center-private-connections-by-default.patch gnome-control-center-probe-radius-server-cert.patch gnome-control-center-remove-password-options.patch gnome-control-center-shell-no-crash.patch gnome-control-center-system-proxy-configuration.patch gnome-control-center.changes gnome-control-center.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnome-control-center.spec ++++++ # # spec file for package gnome-control-center # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: gnome-control-center BuildRequires: cups-devel BuildRequires: desktop-file-utils BuildRequires: fdupes BuildRequires: gnome-common BuildRequires: gnome-doc-utils-devel BuildRequires: intltool BuildRequires: translation-update-upstream BuildRequires: update-desktop-files BuildRequires: pkgconfig(cheese-gtk) BuildRequires: pkgconfig(colord) BuildRequires: pkgconfig(dbus-1) BuildRequires: pkgconfig(dbus-glib-1) BuildRequires: pkgconfig(gconf-2.0) BuildRequires: pkgconfig(gdk-pixbuf-2.0) BuildRequires: pkgconfig(glib-2.0) BuildRequires: pkgconfig(gnome-desktop-3.0) BuildRequires: pkgconfig(gnome-settings-daemon) >= 2.91.94 BuildRequires: pkgconfig(goa-1.0) BuildRequires: pkgconfig(goa-backend-1.0) BuildRequires: pkgconfig(gsettings-desktop-schemas) BuildRequires: pkgconfig(gstreamer-0.10) BuildRequires: pkgconfig(gtk+-3.0) >= 3.1.19 BuildRequires: pkgconfig(iso-codes) BuildRequires: pkgconfig(libcanberra-gtk3) BuildRequires: pkgconfig(libgnome-menu-3.0) BuildRequires: pkgconfig(libgnomekbd) BuildRequires: pkgconfig(libgnomekbdui) BuildRequires: pkgconfig(libgtop-2.0) BuildRequires: pkgconfig(libnm-glib) >= 0.8.992 BuildRequires: pkgconfig(libnm-gtk) >= 0.8.992 BuildRequires: pkgconfig(libnotify) >= 0.7.3 BuildRequires: pkgconfig(libpulse) BuildRequires: pkgconfig(libpulse-mainloop-glib) BuildRequires: pkgconfig(libsocialweb-client) BuildRequires: pkgconfig(libxklavier) BuildRequires: pkgconfig(libxml-2.0) BuildRequires: pkgconfig(polkit-gobject-1) >= 0.97 BuildRequires: pkgconfig(upower-glib) BuildRequires: pkgconfig(xcursor) BuildRequires: pkgconfig(xft) BuildRequires: pkgconfig(xi) Obsoletes: acme Obsoletes: fontilus Obsoletes: themus Provides: acme Provides: fontilus Provides: themus Version: 3.2.1 Release: 0 # FIXME: in 12.2 and later, check if we still need patch2 (gnome-control-center-hide-region-system-tab.patch) (see bnc#703833) Summary: The GNOME Control Center License: GPL-2.0+ Group: System/GUI/GNOME Source: http://download.gnome.org/sources/gnome-control-center/3.2/%{name}-%{versio… # PATCH-FEATURE-OPENSUSE gnome-control-center-allow-yast-in-shell.patch vuntz(a)opensuse.org -- Allow the launch of the yast shell from the g-c-c shell; it's quite ugly, but on the other hand, we don't want to change the behavior of the shell except for yast... Patch0: gnome-control-center-allow-yast-in-shell.patch # PATCH-FIX-UPSTREAM gnome-control-center-shell-no-crash.patch vuntz(a)opensuse.org -- Do not crash on search when a .desktop has no Comment Patch1: gnome-control-center-shell-no-crash.patch # PATCH-HACK-OPENSUSE gnome-control-center-hide-region-system-tab.patch vuntz(a)opensuse.org -- Hide system tab in region panel until we really use the right files for system settings (see bnc#703833) Patch2: gnome-control-center-hide-region-system-tab.patch # PATCH-NEEDS-REBASE gnome-control-center-system-proxy-configuration.patch -- this needs to be reimplemented to be more distro-generic before submitting upstream - docs at http://en.opensuse.org/GNOME/Proxy_configuration (was PATCH-FEATURE-OPENSUSE) Patch14: gnome-control-center-system-proxy-configuration.patch # PATCH-FIX-UPSTREAM gnome-control-center-probe-radius-server-cert.patch bnc#574266 glin(a)suse.com -- Probe the RADIUS server certificate Patch15: gnome-control-center-probe-radius-server-cert.patch # PATCH-FIX-OPENSUSE gnome-control-center-private-connections-by-default.patch bnc#731812 glin(a)suse.com -- Create the private connections by default Patch16: gnome-control-center-private-connections-by-default.patch # PATCH-FIX-OPENSUSE bnc#779413 bgo#691265 mike.catanzaro(a)gmail.com -- Don't allow nonsensical password change that will cause a hang, trying to get this upstream Patch17: gnome-control-center-password-must-change.patch # PATCH-FIX-OPENSUSE bnc#779414 bnc#796932 mike.catanzaro(a)gmail.com -- Hide random password and password hint options Patch18: gnome-control-center-minimal-password-dialog.patch # PATCH-HACK-OPENSUSE bnc#779408 mike.catanzaro(a)gmail.com -- These conflict with our current PAM policy Patch19: gnome-control-center-remove-password-options.patch Url: http://www.gnome.org Requires: %{name}-branding = %{version} # needed for printers panel Requires: cups-pk-helper # needed for /usr/bin/glxinfo, used by System info panel Requires: freeglut Requires: gnome-menus Requires: gnome-settings-daemon # needed for universal access panel Requires: gnome-themes-accessibility Requires: gnome-version Requires: iso-codes Requires: nautilus Recommends: %{name}-lang Recommends: %{name}-user-faces Recommends: apg # the printers panel can use the dbus service Recommends: system-config-printer-dbus-service Provides: control-center2 = 2.22.1 Obsoletes: control-center2 < 2.22.1 BuildRoot: %{_tmppath}/%{name}-%{version}-build %glib2_gsettings_schema_requires %description The control center is GNOME's main interface for configuration of various aspects of your desktop. %package branding-upstream Summary: The GNOME Control Center -- Upstream Definition of Shell Content Group: System/GUI/GNOME Requires: %{name} = %{version} Provides: %{name}-branding = %{version} Conflicts: otherproviders(%{name}-branding) Supplements: packageand(%{name}:branding-upstream) BuildArch: noarch #BRAND: This package contains the definitions of the content appearing #BRAND: in the shell (/etc/xdg/menus/gnomecc.menu). %description branding-upstream The control center is GNOME's main interface for configuration of various aspects of your desktop. This package provides the upstream definition of what appears in the control center. %package user-faces Summary: Login Managers user avatars Group: System/GUI/GNOME %description user-faces This package provides user avatars to be used by display managers %package -n libgnome-control-center1 Summary: Shared library used by GNOME control center Group: System/GUI/GNOME %description -n libgnome-control-center1 Shared library used by GNOME control center %package devel Summary: Header files for the GNOME Control Center Group: Development/Libraries/GNOME Requires: %{name} = %{version} Requires: libgnome-control-center1 = %{version} Provides: control-center2-devel = 2.22.1 Obsoletes: control-center2-devel < 2.22.1 %description devel The control center is GNOME's main interface for configuration of various aspects of your desktop. %lang_package %prep %setup -q translation-update-upstream %patch0 -p1 %patch1 -p1 %patch2 -p1 #NEEDS-REBASE #%patch14 -p1 %patch15 -p1 %patch16 -p1 %patch17 -p1 %patch18 -p1 %patch19 -p1 %if 0%{?BUILD_FROM_VCS} [ -x ./autogen.sh ] && NOCONFIGURE=1 ./autogen.sh %endif %build %configure --with-pic\ --with-libsocialweb\ --disable-static\ --disable-scrollkeeper\ --disable-maintainer-mode make %{?jobs:-j%jobs} V=1 %install %makeinstall %if 0%{?suse_version} <= 1120 %{__rm} %{buildroot}%{_datadir}/locale/en@shaw/LC_MESSAGES/* %endif find %{buildroot} -type f -name "*.la" -delete -print %find_lang %{name}-2.0 %{?no_lang_C} %find_lang %{name}-2.0-timezones %{name}-2.0.lang # help files %find_lang control-center %{?no_lang_C} %{name}-2.0.lang %suse_update_desktop_file gnome-control-center %suse_update_desktop_file gnome-sound-applet # capplets %suse_update_desktop_file gnome-background-panel X-SuSE-ControlCenter-LookAndFeel %suse_update_desktop_file gnome-color-panel X-SuSE-ControlCenter-Hardware %suse_update_desktop_file gnome-datetime-panel X-SuSE-ControlCenter-Hardware %suse_update_desktop_file gnome-display-panel X-SuSE-ControlCenter-Hardware %suse_update_desktop_file gnome-info-panel X-SuSE-ControlCenter-Personal %suse_update_desktop_file gnome-keyboard-panel X-SuSE-ControlCenter-Hardware %suse_update_desktop_file gnome-media-panel X-SuSE-ControlCenter-Hardware %suse_update_desktop_file gnome-mouse-panel X-SuSE-ControlCenter-Hardware %suse_update_desktop_file gnome-network-panel X-SuSE-ControlCenter-Hardware %suse_update_desktop_file gnome-online-accounts-panel X-SuSE-ControlCenter-Personal %suse_update_desktop_file gnome-power-panel X-SuSE-ControlCenter-Hardware %suse_update_desktop_file gnome-printers-panel X-SuSE-ControlCenter-Hardware %suse_update_desktop_file gnome-region-panel X-SuSE-ControlCenter-Personal %suse_update_desktop_file gnome-screen-panel X-SuSE-ControlCenter-LookAndFeel %suse_update_desktop_file gnome-sound-panel X-SuSE-ControlCenter-Hardware %suse_update_desktop_file gnome-universal-access-panel X-SuSE-ControlCenter-Personal %suse_update_desktop_file gnome-user-accounts-panel X-SuSE-ControlCenter-Personal %suse_update_desktop_file gnome-wacom-panel X-SuSE-ControlCenter-Hardware %fdupes $RPM_BUILD_ROOT %clean rm -rf $RPM_BUILD_ROOT %post %glib2_gsettings_schema_post %desktop_database_post %icon_theme_cache_post %postun %glib2_gsettings_schema_postun %desktop_database_postun %icon_theme_cache_postun %post -n libgnome-control-center1 -p /sbin/ldconfig %postun -n libgnome-control-center1 -p /sbin/ldconfig %files %defattr(-,root,root) %doc AUTHORS COPYING ChangeLog NEWS README TODO %dir %{_datadir}/gnome/ %dir %{_datadir}/gnome/help/ %dir %{_datadir}/gnome/help/control-center/ %doc %{_datadir}/gnome/help/control-center/C/ %dir %{_datadir}/omf/ %dir %{_datadir}/omf/control-center/ %doc %{_datadir}/omf/control-center/control-center-C.omf %{_bindir}/* %{_sysconfdir}/xdg/autostart/*.desktop %{_libdir}/control-center-1/ %{_datadir}/applications/*.desktop %{_datadir}/desktop-directories/*.directory %{_datadir}/gnome-control-center/ %{_datadir}/icons/hicolor/*/*/*.png %{_datadir}/icons/hicolor/*/*/*.svg %dir %{_datadir}/sounds/gnome %dir %{_datadir}/sounds/gnome/default %dir %{_datadir}/sounds/gnome/default/alerts %{_datadir}/sounds/gnome/default/alerts/*.ogg %files branding-upstream %defattr (-, root, root) %{_sysconfdir}/xdg/menus/gnomecc.menu %files lang -f %{name}-2.0.lang %files user-faces %defattr (-, root, root) %{_datadir}/pixmaps/faces/ %files -n libgnome-control-center1 %defattr (-, root, root) %{_libdir}/libgnome-control-center.so.1* %files devel %defattr (-, root, root) %{_datadir}/pkgconfig/gnome-keybindings.pc %{_libdir}/*.so %changelog ++++++ gnome-control-center-allow-yast-in-shell.patch ++++++ Index: gnome-control-center-3.2.0/shell/gnome-control-center.c =================================================================== --- gnome-control-center-3.2.0.orig/shell/gnome-control-center.c +++ gnome-control-center-3.2.0/shell/gnome-control-center.c @@ -110,6 +110,39 @@ get_icon_name_from_g_icon (GIcon *gicon) } static void +suse_activate_desktop (GnomeControlCenter *shell, + const gchar *id, + const gchar *desktop_file) +{ + GDesktopAppInfo *appinfo; + GdkAppLaunchContext *context; + GdkScreen *screen; + GdkDisplay *display; + GError *error; + + appinfo = g_desktop_app_info_new_from_filename (desktop_file); + + screen = gtk_widget_get_screen (shell->priv->window); + display = gdk_screen_get_display (screen); + context = gdk_display_get_app_launch_context (display); + gdk_app_launch_context_set_screen (context, screen); + gdk_app_launch_context_set_timestamp (context, gtk_get_current_event_time ()); + + error = NULL; + g_app_info_launch_uris (G_APP_INFO (appinfo), NULL, + (GAppLaunchContext *) context, + &error); + + if (error) { + g_printerr ("Could not launch '%s': %s\n", id, error->message); + g_clear_error (&error); + } + + g_object_unref (context); + g_object_unref (appinfo); +} + +static void activate_panel (GnomeControlCenter *shell, const gchar *id, const gchar **argv, @@ -127,6 +160,12 @@ activate_panel (GnomeControlCenter *shel if (!desktop_file) return; + if (g_strcmp0 (id, "YaST.desktop") == 0) + { + suse_activate_desktop (shell, id, desktop_file); + return; + } + if (id) { ++++++ gnome-control-center-hide-region-system-tab.patch ++++++ Index: gnome-control-center-3.2.1/panels/region/gnome-region-panel-system.c =================================================================== --- gnome-control-center-3.2.1.orig/panels/region/gnome-region-panel-system.c +++ gnome-control-center-3.2.1/panels/region/gnome-region-panel-system.c @@ -415,7 +415,8 @@ setup_system (GtkBuilder *dialog) GDBusConnection *bus; GtkWidget *button; - localed_permission = polkit_permission_new_sync ("org.freedesktop.locale1.set-locale", NULL, NULL, NULL); + //localed_permission = polkit_permission_new_sync ("org.freedesktop.locale1.set-locale", NULL, NULL, NULL); + localed_permission = NULL; if (localed_permission == NULL) { GtkWidget *tab_widget, *notebook; int num; ++++++ gnome-control-center-minimal-password-dialog.patch ++++++ ++++ 860 lines (skipped) ++++++ gnome-control-center-password-must-change.patch ++++++ >From 14f04443bb8f0ddb3bc080d275114743f15be06f Mon Sep 17 00:00:00 2001 From: Michael Catanzaro <mike.catanzaro(a)gmail.com> Date: Sun, 6 Jan 2013 21:47:48 -0600 Subject: [PATCH] Don't allow setting password to old password It hangs if you do this. bnc#779413 --- panels/user-accounts/um-password-dialog.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/panels/user-accounts/um-password-dialog.c b/panels/user-accounts/um-password-dialog.c index c825749..ef0a8ce 100644 --- a/panels/user-accounts/um-password-dialog.c +++ b/panels/user-accounts/um-password-dialog.c @@ -265,6 +265,11 @@ update_sensitivity (UmPasswordDialog *um) tooltip = _("The current password is not correct"); } } + else if (strcmp (password, old_password) == 0) { + /* not localized */ + can_change = FALSE; + tooltip = NULL; + } else { can_change = TRUE; tooltip = NULL; -- 1.7.10.4 ++++++ gnome-control-center-private-connections-by-default.patch ++++++ diff --git a/panels/network/cc-network-panel.c b/panels/network/cc-network-panel.c index ca31b0d..424ae38 100644 --- a/panels/network/cc-network-panel.c +++ b/panels/network/cc-network-panel.c @@ -2687,8 +2687,10 @@ wireless_ap_changed_cb (GtkComboBox *combo_box, CcNetworkPanel *panel) NetObject *object; NMConnection *connection; NMConnection *connection_activate = NULL; + NMConnection *partial; NMDevice *device; NMSettingWireless *setting_wireless; + NMSettingConnection *setting_con; if (panel->priv->updating_device) goto out; @@ -2757,8 +2759,12 @@ wireless_ap_changed_cb (GtkComboBox *combo_box, CcNetworkPanel *panel) /* create one, as it's missing */ g_debug ("no existing connection found for %s, creating", ssid_target); + partial = nm_connection_new (); + setting_con = nm_setting_connection_new (); + nm_connection_add_setting (partial, NM_SETTING (setting_con)); + nm_setting_connection_add_permission (setting_con, "user", g_get_user_name(), NULL); nm_client_add_and_activate_connection (panel->priv->client, - NULL, + partial, device, object_path, connection_add_activate_cb, panel); out: @@ -3010,6 +3016,7 @@ start_shared_connection (CcNetworkPanel *panel) "id", "Hotspot", "autoconnect", FALSE, NULL); + nm_setting_connection_add_permission (sc, "user", g_get_user_name(), NULL); nm_connection_add_setting (c, (NMSetting *)sc); sw = (NMSettingWireless *)nm_setting_wireless_new (); diff --git a/panels/network/network-dialogs.c b/panels/network/network-dialogs.c index efe1704..f8419e5 100644 --- a/panels/network/network-dialogs.c +++ b/panels/network/network-dialogs.c @@ -293,6 +293,7 @@ cc_network_panel_connect_to_8021x_network (CcNetworkPanel *panel, uuid = nm_utils_uuid_generate (); g_object_set (s_con, NM_SETTING_CONNECTION_UUID, uuid, NULL); g_free (uuid); + nm_setting_connection_add_permission (s_con, "user", g_get_user_name(), NULL); nm_connection_add_setting (connection, NM_SETTING (s_con)); s_wifi = (NMSettingWireless *) nm_setting_wireless_new (); @@ -393,6 +394,10 @@ cdma_mobile_wizard_done (NMAMobileWizard *wizard, NULL); g_free (uuid); g_free (id); + nm_setting_connection_add_permission ((NMSettingConnection *)setting, + "user", + g_get_user_name(), + NULL); nm_connection_add_setting (connection, setting); } @@ -456,6 +461,10 @@ gsm_mobile_wizard_done (NMAMobileWizard *wizard, NULL); g_free (uuid); g_free (id); + nm_setting_connection_add_permission ((NMSettingConnection *)setting, + "user", + g_get_user_name(), + NULL); nm_connection_add_setting (connection, setting); } ++++++ gnome-control-center-probe-radius-server-cert.patch ++++++ diff --git a/panels/network/network-dialogs.c b/panels/network/network-dialogs.c index 0e5aae1..43fc119 100644 --- a/panels/network/network-dialogs.c +++ b/panels/network/network-dialogs.c @@ -153,6 +153,11 @@ wireless_dialog_response_cb (GtkDialog *foo, g_assert (connection); g_assert (device); + if (nma_wireless_dialog_need_cert_probe (dialog)) { + nma_wireless_dialog_probe_cert (dialog); + return; + } + /* Find a similar connection and use that instead */ all = nm_remote_settings_list_connections (closure->settings); for (iter = all; iter; iter = g_slist_next (iter)) { ++++++ gnome-control-center-remove-password-options.patch ++++++ >From ac24c1f64364a8f955319c83767092a96d57a8ec Mon Sep 17 00:00:00 2001 From: Michael Catanzaro <mike.catanzaro(a)gmail.com> Date: Sat, 16 Feb 2013 11:23:34 -0600 Subject: [PATCH] Remove password options These options conflict with our PAM policy and selecting them will cause a user to accidentally make the account unusable. We need to remove them for now. --- panels/user-accounts/data/password-dialog.ui | 8 -------- 1 file changed, 8 deletions(-) diff --git a/panels/user-accounts/data/password-dialog.ui b/panels/user-accounts/data/password-dialog.ui index 660c499..db3a6a6 100644 --- a/panels/user-accounts/data/password-dialog.ui +++ b/panels/user-accounts/data/password-dialog.ui @@ -14,14 +14,6 @@ <col id="1">0</col> </row> <row> - <col id="0" translatable="yes">Choose password at next login</col> - <col id="1">1</col> - </row> - <row> - <col id="0" translatable="yes">Log in without a password</col> - <col id="1">2</col> - </row> - <row> <col id="0" translatable="yes">Disable this account</col> <col id="1">3</col> </row> -- 1.7.10.4 ++++++ gnome-control-center-shell-no-crash.patch ++++++ commit 59fe530504a4359f66d9a112050970a52fe46281 Author: Vincent Untz <vuntz(a)gnome.org> Date: Tue Oct 11 22:51:42 2011 +0200 shell: Avoid crash when searching if a .desktop has no comment The code doing the search assumes the description column is set, which might not be the case. https://bugzilla.gnome.org/show_bug.cgi?id=661494 diff --git a/shell/shell-search-renderer.c b/shell/shell-search-renderer.c index 0667bc0..6032af8 100644 --- a/shell/shell-search-renderer.c +++ b/shell/shell-search-renderer.c @@ -154,12 +154,15 @@ shell_search_renderer_set_layout (ShellSearchRenderer *cell, GtkWidget *widget) needle = g_utf8_casefold (priv->search_string, -1); else needle = NULL; - haystack = g_utf8_casefold (full_string, -1); + if (full_string != NULL) + haystack = g_utf8_casefold (full_string, -1); + else + haystack = NULL; /* clear any previous attributes */ pango_layout_set_attributes (priv->layout, NULL); - if (priv->search_string && priv->title + if (priv->search_string && priv->search_target && priv->title && (strstr (haystack, needle))) { gchar *start; ++++++ gnome-control-center-system-proxy-configuration.patch ++++++ >From 067cc33aba6eeaffd4efe1d8a8e838aa1a89476a Mon Sep 17 00:00:00 2001 From: Federico Mena Quintero <federico(a)novell.com> Date: Mon, 25 May 2009 14:38:52 -0500 Subject: [PATCH] Integrate openSUSE's network proxy configuration with GNOME's. This is documented in http://en.opensuse.org/GNOME/Proxy_configuration We basically add a "use system settings" proxy mode. When it is active, gnome-settings-daemon will read /etc/sysconfig/proxy and mirror its values into GNOME's GConf space. Signed-off-by: Federico Mena Quintero <federico(a)novell.com> --- capplets/network/gnome-network-properties.c | 164 +++++++++++++++++------ capplets/network/gnome-network-properties.glade | 24 +++- 2 files changed, 143 insertions(+), 45 deletions(-) diff --git a/capplets/network/gnome-network-properties.c b/capplets/network/gnome-network-properties.c index f6ea0e6..0ea9945 100644 --- a/capplets/network/gnome-network-properties.c +++ b/capplets/network/gnome-network-properties.c @@ -32,19 +32,11 @@ #include "capplet-util.h" #include "gconf-property-editor.h" -enum ProxyMode -{ - PROXYMODE_NONE, - PROXYMODE_MANUAL, - PROXYMODE_AUTO -}; - -static GEnumValue proxytype_values[] = { - { PROXYMODE_NONE, "PROXYMODE_NONE", "none"}, - { PROXYMODE_MANUAL, "PROXYMODE_MANUAL", "manual"}, - { PROXYMODE_AUTO, "PROXYMODE_AUTO", "auto"}, - { 0, NULL, NULL } -}; +/* Novell extension */ +#define KEY_USE_SYSTEM_SETTINGS "/system/proxy/use_system_settings" /* string */ +#define VAL_USE_SYSTEM_SETTINGS_ONLY_IF_NOT_SET "only_if_mode_not_set" +#define VAL_USE_SYSTEM_SETTINGS_SYSTEM_VALUES "system_values" +#define VAL_USE_SYSTEM_SETTINGS_USER_VALUES "user_values" enum { COL_NAME, @@ -1019,36 +1011,58 @@ extract_proxy_host (GConfPropertyEditor *peditor, const GConfValue *orig) } static void +set_sensitivity_based_on_active_radiobutton (GladeXML *dialog, GtkWidget *active_radio) +{ + gboolean manual_box_sensitive, auto_box_sensitive; + + g_assert (gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON (active_radio))); + + manual_box_sensitive = auto_box_sensitive = FALSE; + + if (active_radio == WID ("manual_radiobutton")) + manual_box_sensitive = TRUE; + else if (active_radio == WID ("auto_radiobutton")) + auto_box_sensitive = TRUE; + + gtk_widget_set_sensitive (WID ("manual_box"), manual_box_sensitive); + gtk_widget_set_sensitive (WID ("same_proxy_checkbutton"), manual_box_sensitive); + gtk_widget_set_sensitive (WID ("auto_box"), auto_box_sensitive); +} + +static void proxy_mode_radiobutton_clicked_cb (GtkWidget *widget, GladeXML *dialog) { - GSList *mode_group; - int mode; - GConfClient *client; + GConfClient *client; - if (!gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON(widget))) - return; - - mode_group = g_slist_copy (gtk_radio_button_get_group - (GTK_RADIO_BUTTON (WID ("none_radiobutton")))); - mode_group = g_slist_reverse (mode_group); - mode = g_slist_index (mode_group, widget); - g_slist_free (mode_group); - - gtk_widget_set_sensitive (WID ("manual_box"), - mode == PROXYMODE_MANUAL); - gtk_widget_set_sensitive (WID ("same_proxy_checkbutton"), - mode == PROXYMODE_MANUAL); - gtk_widget_set_sensitive (WID ("auto_box"), - mode == PROXYMODE_AUTO); + if (!gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON(widget))) + return; + client = gconf_client_get_default (); - gconf_client_set_bool (client, USE_PROXY_KEY, - mode == PROXYMODE_AUTO || mode == PROXYMODE_MANUAL, NULL); - g_object_unref (client); + + if (widget == WID ("system_radiobutton")) { + gconf_client_set_string (client, KEY_USE_SYSTEM_SETTINGS, VAL_USE_SYSTEM_SETTINGS_SYSTEM_VALUES, NULL); + } else if (widget == WID ("none_radiobutton")) { + gconf_client_set_string (client, KEY_USE_SYSTEM_SETTINGS, VAL_USE_SYSTEM_SETTINGS_USER_VALUES, NULL); + gconf_client_set_string (client, PROXY_MODE_KEY, "none", NULL); + gconf_client_set_bool (client, USE_PROXY_KEY, FALSE, NULL); + } else if (widget == WID ("manual_radiobutton")) { + gconf_client_set_string (client, KEY_USE_SYSTEM_SETTINGS, VAL_USE_SYSTEM_SETTINGS_USER_VALUES, NULL); + gconf_client_set_string (client, PROXY_MODE_KEY, "manual", NULL); + gconf_client_set_bool (client, USE_PROXY_KEY, TRUE, NULL); + } else if (widget == WID ("auto_radiobutton")) { + gconf_client_set_string (client, KEY_USE_SYSTEM_SETTINGS, VAL_USE_SYSTEM_SETTINGS_USER_VALUES, NULL); + gconf_client_set_string (client, PROXY_MODE_KEY, "auto", NULL); + gconf_client_set_bool (client, USE_PROXY_KEY, TRUE, NULL); + } + + set_sensitivity_based_on_active_radiobutton (dialog, widget); + + g_object_unref (client); } static void -connect_sensitivity_signals (GladeXML *dialog, GSList *mode_group) +connect_mode_radiobuttons (GladeXML *dialog, GSList *mode_group) { for (; mode_group != NULL; mode_group = mode_group->next) { @@ -1058,20 +1072,85 @@ connect_sensitivity_signals (GladeXML *dialog, GSList *mode_group) } } +static GtkWidget * +get_radio_for_mode (GladeXML *dialog, const char *mode_str) +{ + if (!mode_str) + return WID ("none_radiobutton"); + else if (strcmp (mode_str, "none") == 0) + return WID ("none_radiobutton"); + else if (strcmp (mode_str, "manual") == 0) + return WID ("manual_radiobutton"); + else if (strcmp (mode_str, "auto") == 0) + return WID ("auto_radiobutton"); + else + return WID ("none_radiobutton"); +} + +static void +mode_set_initial_value (GladeXML *dialog, GConfClient *client) +{ + char *use_system_settings; + GConfValue *mode_value; + gboolean use_system_if_mode_not_set; + gboolean use_mode; + GtkWidget *radiobutton; + + radiobutton = NULL; + + use_system_settings = gconf_client_get_string (client, KEY_USE_SYSTEM_SETTINGS, NULL); + mode_value = gconf_client_get_without_default (client, PROXY_MODE_KEY, NULL); + + use_system_if_mode_not_set = FALSE; + use_mode = FALSE; + + if (!use_system_settings) + use_system_if_mode_not_set = TRUE; + else { + if (strcmp (use_system_settings, VAL_USE_SYSTEM_SETTINGS_ONLY_IF_NOT_SET) == 0) + use_system_if_mode_not_set = TRUE; + else if (strcmp (use_system_settings, VAL_USE_SYSTEM_SETTINGS_SYSTEM_VALUES) == 0) + radiobutton = WID ("system_radiobutton"); + else if (strcmp (use_system_settings, VAL_USE_SYSTEM_SETTINGS_USER_VALUES) == 0) + use_mode = TRUE; + + g_free (use_system_settings); + } + + if (use_system_if_mode_not_set) { + if (mode_value) + use_mode = TRUE; + else + radiobutton = WID ("system_radiobutton"); + } + + if (use_mode) { + if (!mode_value || mode_value->type != GCONF_VALUE_STRING) + radiobutton = WID ("none_radiobutton"); + else + radiobutton = get_radio_for_mode (dialog, gconf_value_get_string (mode_value)); + } + + if (radiobutton) { + gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON (radiobutton), TRUE); + set_sensitivity_based_on_active_radiobutton (dialog, radiobutton); + } + + if (mode_value) + gconf_value_free (mode_value); +} + static void setup_dialog (GladeXML *dialog) { GConfPropertyEditor *peditor; GSList *mode_group; - GType mode_type = 0; GConfClient *client; gint port_value; GtkWidget *location_box; GtkCellRenderer *location_renderer; GtkListStore *store; - mode_type = g_enum_register_static ("NetworkPreferencesProxyType", - proxytype_values); /* There's a bug in peditors that cause them to not initialize the entry * correctly. */ @@ -1100,17 +1179,16 @@ setup_dialog (GladeXML *dialog) "style", COL_STYLE, NULL); /* Hackety hack */ + gtk_label_set_use_markup (GTK_LABEL (GTK_BIN (WID ("system_radiobutton"))->child), TRUE); gtk_label_set_use_markup (GTK_LABEL (GTK_BIN (WID ("none_radiobutton"))->child), TRUE); gtk_label_set_use_markup (GTK_LABEL (GTK_BIN (WID ("manual_radiobutton"))->child), TRUE); gtk_label_set_use_markup (GTK_LABEL (GTK_BIN (WID ("auto_radiobutton"))->child), TRUE); /* Mode */ - mode_group = gtk_radio_button_get_group (GTK_RADIO_BUTTON (WID ("none_radiobutton"))); - connect_sensitivity_signals (dialog, mode_group); + mode_set_initial_value (dialog, client); + mode_group = gtk_radio_button_get_group (GTK_RADIO_BUTTON (WID ("system_radiobutton"))); + connect_mode_radiobuttons (dialog, mode_group); - peditor = GCONF_PROPERTY_EDITOR (gconf_peditor_new_select_radio_with_enum (NULL, - PROXY_MODE_KEY, mode_group, mode_type, - TRUE, NULL)); /* Use same proxy for all protocols */ peditor = GCONF_PROPERTY_EDITOR (gconf_peditor_new_boolean (NULL, diff --git a/capplets/network/gnome-network-properties.glade b/capplets/network/gnome-network-properties.glade index 656acb5..1147f17 100644 --- a/capplets/network/gnome-network-properties.glade +++ b/capplets/network/gnome-network-properties.glade @@ -130,6 +130,25 @@ <property name="spacing">18</property> <child> + <widget class="GtkRadioButton" id="system_radiobutton"> + <property name="visible">True</property> + <property name="can_focus">True</property> + <property name="label" translatable="yes"><b>Use the s_ystem's proxy settings</b></property> + <property name="use_underline">True</property> + <property name="relief">GTK_RELIEF_NORMAL</property> + <property name="focus_on_click">True</property> + <property name="active">False</property> + <property name="inconsistent">False</property> + <property name="draw_indicator">True</property> + </widget> + <packing> + <property name="padding">0</property> + <property name="expand">False</property> + <property name="fill">False</property> + </packing> + </child> + + <child> <widget class="GtkRadioButton" id="none_radiobutton"> <property name="visible">True</property> <property name="can_focus">True</property> @@ -140,6 +159,7 @@ <property name="active">False</property> <property name="inconsistent">False</property> <property name="draw_indicator">True</property> + <property name="group">system_radiobutton</property> </widget> <packing> <property name="padding">0</property> @@ -171,7 +191,7 @@ <property name="active">False</property> <property name="inconsistent">False</property> <property name="draw_indicator">True</property> - <property name="group">none_radiobutton</property> + <property name="group">system_radiobutton</property> </widget> <packing> <property name="padding">0</property> @@ -714,7 +734,7 @@ <property name="active">False</property> <property name="inconsistent">False</property> <property name="draw_indicator">True</property> - <property name="group">none_radiobutton</property> + <property name="group">system_radiobutton</property> </widget> <packing> <property name="padding">0</property> -- 1.6.0.2 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit krb5 for openSUSE:12.2:Update
by root＠hilbert.suse.de 25 Feb '13

25 Feb '13

Hello community, here is the log from the commit of package krb5 for openSUSE:12.2:Update checked in at 2013-02-25 09:52:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2:Update/krb5 (Old) and /work/SRC/openSUSE:12.2:Update/.krb5.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "krb5", Maintainer is "mc(a)suse.com" Changes: -------- New Changes file: NO CHANGES FILE!!! New: ---- _link ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _link ++++++ <link package='krb5.1348' cicount='copy' /> -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit krb5 for openSUSE:12.1:Update
by root＠hilbert.suse.de 25 Feb '13

25 Feb '13

Hello community, here is the log from the commit of package krb5 for openSUSE:12.1:Update checked in at 2013-02-25 09:52:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update/krb5 (Old) and /work/SRC/openSUSE:12.1:Update/.krb5.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "krb5", Maintainer is "mc(a)suse.com" Changes: -------- New Changes file: NO CHANGES FILE!!! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _link ++++++ --- /var/tmp/diff_new_pack.8JKj0M/_old 2013-02-25 09:52:37.000000000 +0100 +++ /var/tmp/diff_new_pack.8JKj0M/_new 2013-02-25 09:52:37.000000000 +0100 @@ -1 +1 @@ -<link package='krb5.730' cicount='copy' /> +<link package='krb5.1349' cicount='copy' /> -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit krb5.1349 for openSUSE:12.1:Update
by root＠hilbert.suse.de 25 Feb '13

25 Feb '13

Hello community, here is the log from the commit of package krb5.1349 for openSUSE:12.1:Update checked in at 2013-02-25 09:52:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update/krb5.1349 (Old) and /work/SRC/openSUSE:12.1:Update/.krb5.1349.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "krb5.1349", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2013-02-09 11:18:20.872010756 +0100 +++ /work/SRC/openSUSE:12.1:Update/.krb5.1349.new/krb5-doc.changes 2013-02-25 09:52:34.000000000 +0100 @@ -0,0 +1,186 @@ +------------------------------------------------------------------- +Mon Aug 22 10:21:56 CEST 2011 - mc(a)suse.de + +- update to version 1.9.1 + +------------------------------------------------------------------- +Fri Apr 9 12:45:30 CEST 2010 - mc(a)suse.de + +- update to version 1.8.1 + +------------------------------------------------------------------- +Tue Mar 23 12:38:29 CET 2010 - mc(a)suse.de + +- add post 1.8 fixes + * Document the ticket_lifetime libdefaults setting + +------------------------------------------------------------------- +Thu Mar 4 11:45:22 CET 2010 - mc(a)suse.de + +- update to version 1.8 + +------------------------------------------------------------------- +Wed Jun 3 10:47:07 CEST 2009 - mc(a)suse.de + +- update to final version 1.7 + +------------------------------------------------------------------- +Wed May 13 11:34:07 CEST 2009 - mc(a)suse.de + +- update to version 1.7 Beta2 + +------------------------------------------------------------------- +Mon Feb 16 13:08:05 CET 2009 - mc(a)suse.de + +- update to pre 1.7 version + * remove outdated documentation for kadm5 API + +------------------------------------------------------------------- +Fri Jul 25 12:17:10 CEST 2008 - mc(a)suse.de + +- add patches from SVN post 1.6.3 + * some fixes in the man pages + +------------------------------------------------------------------- +Wed Jun 18 15:34:16 CEST 2008 - mc(a)suse.de + +- reduce rpmlint warnings + +------------------------------------------------------------------- +Tue Oct 23 10:29:23 CEST 2007 - mc(a)suse.de + +- update to krb5 version 1.6.3 + * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow + * fix CVE-2007-4000 modify_policy vulnerability + * Add PKINIT support +- remove patches which are upstream now +- enhance init scripts and xinetd profiles + +------------------------------------------------------------------- +Thu Jul 12 17:02:30 CEST 2007 - mc(a)suse.de + +- update to version 1.6.2 +- remove krb5-1.6.1-post.dif all fixes are included in this release + +------------------------------------------------------------------- +Wed Jun 13 15:29:42 CEST 2007 - sschober(a)suse.de + +- removed executable permission from doc file + +------------------------------------------------------------------- +Mon Apr 23 11:15:59 CEST 2007 - mc(a)suse.de + +- update to final 1.6.1 version +- replace te_ams with texlive in BuildRequires + +------------------------------------------------------------------- +Wed Apr 18 14:47:49 CEST 2007 - mc(a)suse.de + +- build implementor.ps + +------------------------------------------------------------------- +Mon Apr 16 14:39:40 CEST 2007 - mc(a)suse.de + +- update to version 1.6.1 Beta1 +- remove obsolete patches + (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif) + +------------------------------------------------------------------- +Mon Feb 19 14:00:49 CET 2007 - mc(a)suse.de + +- add krb5-1.6-post.dif + +------------------------------------------------------------------- +Mon Jan 22 12:21:20 CET 2007 - mc(a)suse.de + +- update to version 1.6 + * Major changes in 1.6 include + * Partial client implementation to handle server name referrals. + * Pre-authentication plug-in framework, donated by Red Hat. + * LDAP KDB plug-in, donated by Novell. + +------------------------------------------------------------------- +Thu Aug 24 12:53:25 CEST 2006 - mc(a)suse.de + +- update to version 1.5.1 +- remove obsolete patches which are now included upstream + * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif + * trunk-fix-uninitialized-vars.dif + +------------------------------------------------------------------- +Mon Jul 3 15:01:57 CEST 2006 - mc(a)suse.de + +- update to version 1.5 + * KDB abstraction layer, donated by Novell. + * plug-in architecture, allowing for extension modules to be + loaded at run-time. + * multi-mechanism GSS-API implementation ("mechglue"), + donated by Sun Microsystems + * Simple and Protected GSS-API negotiation mechanism ("SPNEGO") + implementation, donated by Sun Microsystems +- remove obsolete patches and add some new + +------------------------------------------------------------------- +Mon Mar 13 18:01:06 CET 2006 - mc(a)suse.de + +- set BuildArchitectures to noarch +- set norootforbuild + +------------------------------------------------------------------- +Wed Jan 25 21:30:24 CET 2006 - mls(a)suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Fri Nov 18 12:15:07 CET 2005 - mc(a)suse.de + +- update to version 1.4.3 +- fix tex for kadm5 documentation (krb5-1.4.3-kadm5-tex.dif) + +------------------------------------------------------------------- +Wed Oct 12 16:19:08 CEST 2005 - mc(a)suse.de + +- build kadm5 documentation +- build documentation also as html +- include the text only documentation + +------------------------------------------------------------------- +Tue Oct 11 17:40:26 CEST 2005 - mc(a)suse.de + +- update to version 1.4.2 +- remove some obsolet patches + +------------------------------------------------------------------- +Mon Jun 27 13:36:04 CEST 2005 - mc(a)suse.de + +- update to version 1.4.1 +- remove obsolet patches + - krb5-1.4-VUL-0-telnet.dif + +------------------------------------------------------------------- +Thu Feb 10 02:38:39 CET 2005 - ro(a)suse.de + +- added libpng to neededforbuild (for tetex) + +------------------------------------------------------------------- +Fri Feb 4 16:50:34 CET 2005 - mc(a)suse.de + +- remove spx.c from tarball because of legal risk +- add README.Source which tell the user about this + action. + +------------------------------------------------------------------- +Fri Jan 28 13:28:18 CET 2005 - mc(a)suse.de + +- update to version 1.4 + +------------------------------------------------------------------- +Mon Jan 10 12:20:11 CET 2005 - mc(a)suse.de + +- update to version 1.3.6 + +------------------------------------------------------------------- +Tue Dec 14 15:21:02 CET 2004 - mc(a)suse.de + +- initial release + New Changes file: --- /dev/null 2013-02-09 11:18:20.872010756 +0100 +++ /work/SRC/openSUSE:12.1:Update/.krb5.1349.new/krb5-mini.changes 2013-02-25 09:52:34.000000000 +0100 @@ -0,0 +1,923 @@ +------------------------------------------------------------------- +Fri Feb 15 11:47:36 CET 2013 - mc(a)suse.de + +- Fix cross-realm traversal TGT requests (bnc#777474) +- Fix krb5-send-pr (bnc#794784) + +------------------------------------------------------------------- +Wed Aug 1 09:54:37 CEST 2012 - mc(a)suse.de + +- fix potentially execute code flaws + CVE-2012-1015 (bnc#770172) + +------------------------------------------------------------------- +Mon Jun 18 12:03:59 CEST 2012 - mc(a)suse.de + +- fix kadmind denial of service via null pointer dereference + CVE-2012-1013 (bnc#765485) + +------------------------------------------------------------------- +Mon Nov 21 11:23:02 CET 2011 - mc(a)suse.de + +- fix KDC null pointer dereference in TGS handling + (MITKRB5-SA-2011-007, bnc#730393) + CVE-2011-1530 + +------------------------------------------------------------------- +Mon Nov 21 11:06:33 CET 2011 - mc(a)suse.de + +- fix KDC HA feature introduced with implementing KDC poll + (RT#6951, bnc#731648) + +------------------------------------------------------------------- +Fri Nov 18 08:35:52 UTC 2011 - rhafer(a)suse.de + +- fix minor error messages for the IAKERB GSSAPI mechanism + (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020) + +------------------------------------------------------------------- +Mon Oct 17 16:11:03 CEST 2011 - mc(a)suse.de + +- fix kdc remote denial of service + (MITKRB5-SA-2011-006, bnc#719393) + CVE-2011-1527, CVE-2011-1528, CVE-2011-1529 + +------------------------------------------------------------------- +Tue Aug 23 13:52:03 CEST 2011 - mc(a)suse.de + +- use --without-pam to build krb5-mini + +------------------------------------------------------------------- +Sun Aug 21 09:37:01 UTC 2011 - mc(a)novell.com + +- add patches from Fedora and upstream +- fix init scripts (bnc#689006) + +------------------------------------------------------------------- +Fri Aug 19 15:48:35 UTC 2011 - mc(a)novell.com + +- update to version 1.9.1 + * obsolete patches: + MITKRB5-SA-2010-007-1.8.dif + krb5-1.8-MITKRB5-SA-2010-006.dif + krb5-1.8-MITKRB5-SA-2011-001.dif + krb5-1.8-MITKRB5-SA-2011-002.dif + krb5-1.8-MITKRB5-SA-2011-003.dif + krb5-1.8-MITKRB5-SA-2011-004.dif + krb5-1.4.3-enospc.dif + * replace krb5-1.6.1-compile_pie.dif +------------------------------------------------------------------- +Thu Apr 14 11:33:18 CEST 2011 - mc(a)suse.de + +- fix kadmind invalid pointer free() + (MITKRB5-SA-2011-004, bnc#687469) + CVE-2011-0285 + +------------------------------------------------------------------- +Tue Mar 1 12:43:22 CET 2011 - mc(a)suse.de + +- Fix vulnerability to a double-free condition in KDC daemon + (MITKRB5-SA-2011-003, bnc#671717) + CVE-2011-0284 + +------------------------------------------------------------------- +Wed Jan 19 14:42:27 CET 2011 - mc(a)suse.de + +- Fix kpropd denial of service + (MITKRB5-SA-2011-001, bnc#662665) + CVE-2010-4022 +- Fix KDC denial of service attacks with LDAP back end + (MITKRB5-SA-2011-002, bnc#663619) + CVE-2011-0281, CVE-2011-0282 + +------------------------------------------------------------------- +Wed Dec 1 11:44:15 CET 2010 - mc(a)suse.de + +- Fix multiple checksum handling vulnerabilities + (MITKRB5-SA-2010-007, bnc#650650) + CVE-2010-1324 + * krb5 GSS-API applications may accept unkeyed checksums + * krb5 application services may accept unkeyed PAC checksums + * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums + CVE-2010-1323 + * krb5 clients may accept unkeyed SAM-2 challenge checksums + * krb5 may accept KRB-SAFE checksums with low-entropy derived keys + CVE-2010-4020 + * krb5 may accept authdata checksums with low-entropy derived keys + CVE-2010-4021 + * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery + +------------------------------------------------------------------- +Thu Oct 28 12:53:13 CEST 2010 - mc(a)suse.de + +- fix csh profile (bnc#649856) + +------------------------------------------------------------------- +Fri Oct 22 11:15:43 CEST 2010 - mc(a)suse.de + +- update to krb5-1.8.3 + * remove patches which are now upstrem + - krb5-1.7-MITKRB5-SA-2010-004.dif + - krb5-1.8.1-gssapi-error-table.dif + - krb5-MITKRB5-SA-2010-005.dif + +------------------------------------------------------------------- +Fri Oct 22 10:49:11 CEST 2010 - mc(a)suse.de + +- change environment variable PATH directly for csh + (bnc#642080) + +------------------------------------------------------------------- +Mon Sep 27 11:42:43 CEST 2010 - mc(a)suse.de + +- fix a dereference of an uninitialized pointer while processing + authorization data. + CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990) + +------------------------------------------------------------------- +Mon Jun 21 21:31:53 UTC 2010 - lchiquitto(a)novell.com + +- add correct error table when initializing gss-krb5 (bnc#606584, + bnc#608295) + +------------------------------------------------------------------- +Wed May 19 14:27:19 CEST 2010 - mc(a)suse.de + +- fix GSS-API library null pointer dereference + CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826) + +------------------------------------------------------------------- +Wed Apr 14 11:36:32 CEST 2010 - mc(a)suse.de + +- fix a double free vulnerability in the KDC + CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002) + +------------------------------------------------------------------- +Fri Apr 9 12:43:44 CEST 2010 - mc(a)suse.de + +- update to version 1.8.1 + * include krb5-1.8-POST.dif + * include MITKRB5-SA-2010-002 + +------------------------------------------------------------------- +Tue Apr 6 14:14:56 CEST 2010 - mc(a)suse.de + +- update krb5-1.8-POST.dif + +------------------------------------------------------------------- +Tue Mar 23 14:32:41 CET 2010 - mc(a)suse.de + +- fix a bug where an unauthenticated remote attacker could cause + a GSS-API application including the Kerberos administration + daemon (kadmind) to crash. + CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) + +------------------------------------------------------------------- +Tue Mar 23 12:33:26 CET 2010 - mc(a)suse.de + +- add post 1.8 fixes + * Add IPv6 support to changepw.c + * fix two problems in kadm5_get_principal mask handling + * Ignore improperly encoded signedpath AD elements + * handle NT_SRV_INST in service principal referrals + * dereference options while checking + KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT + * Fix the kpasswd fallback from the ccache principal name + * Document the ticket_lifetime libdefaults setting + * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 + +------------------------------------------------------------------- +Thu Mar 4 10:42:29 CET 2010 - mc(a)suse.de + +- update to version 1.8 + * Increase code quality + * Move toward improved KDB interface + * Investigate and remedy repeatedly-reported performance + bottlenecks. + * Reduce DNS dependence by implementing an interface that allows ++++ 726 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.1:Update/.krb5.1349.new/krb5-mini.changes New Changes file: krb5.changes: same change New: ---- MITKRB5-SA-2012-001.dif baselibs.conf bug-765485-CVE-2012-1013-kadmind_dos_via_null_pointer_dereference.dif bug-777474-fix-cross-realm-traversal-TGT-requests.dif krb5-1.3.5-perlfix.dif krb5-1.6.3-gssapi_improve_errormessages.dif krb5-1.6.3-kpasswd_tcp.patch krb5-1.6.3-ktutil-manpage.dif krb5-1.6.3-texi2dvi-fix.dif krb5-1.7-doublelog.patch krb5-1.7-nodeplibs.patch krb5-1.8-api.patch krb5-1.8-manpaths.txt krb5-1.8-pam.patch krb5-1.9-MITKRB5-SA-2011-006.dif krb5-1.9-MITKRB5-SA-2011-007.dif krb5-1.9-buildconf.patch krb5-1.9-canonicalize-fallback.patch krb5-1.9-gss_display_status-iakerb.patch krb5-1.9-kprop-mktemp.patch krb5-1.9-ksu-path.patch krb5-1.9-manpaths.dif krb5-1.9-paren.patch krb5-1.9-selinux-label.patch krb5-1.9.1-ai_addrconfig.patch krb5-1.9.1-ai_addrconfig2.patch krb5-1.9.1-sendto_poll.patch krb5-1.9.1-sendto_poll2.patch krb5-1.9.1-sendto_poll3.patch krb5-1.9.1.tar.bz2 krb5-doc-rpmlintrc krb5-doc.changes krb5-doc.spec krb5-klist_s.patch krb5-mini.changes krb5-mini.spec krb5-pkinit-cms2.patch krb5-rpmlintrc krb5-trunk-chpw-err.patch krb5-trunk-gss_delete_sec.patch krb5-trunk-kadmin-oldproto.patch krb5.changes krb5.spec pre_checkin.sh vendor-files.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ krb5-doc.spec ++++++ # # spec file for package krb5-doc # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: krb5-doc BuildRequires: ghostscript-library BuildRequires: latex2html BuildRequires: texlive Version: 1.9.1 Release: 0 %define srcRoot krb5-1.9.1 Summary: MIT Kerberos5 Implementation--Documentation License: MIT Group: Documentation/Other Url: http://web.mit.edu/kerberos/www/ Source: krb5-%{version}.tar.bz2 Source3: %{name}-rpmlintrc Patch0: krb5-1.3.5-perlfix.dif Patch1: krb5-1.6.3-texi2dvi-fix.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch %description Kerberos V5 is a trusted-third-party network authentication system,which can improve your network's security by eliminating the insecurepractice of clear text passwords. This package includes extended documentation for MIT Kerberos. Authors: -------- The MIT Kerberos Team Sam Hartman <hartmans(a)mit.edu> Ken Raeburn <raeburn(a)mit.edu> Tom Yu <tlyu(a)mit.edu> %prep %setup -n %{srcRoot} %patch0 %patch1 %build %install cd doc mkdir -p html make make implementor.ps make -C api make -C implement #make -C kadm5 #cd api #latex2html -dir ../html/library -mkdir library.tex #latex2html -dir ../html/libdes -mkdir libdes.tex #cd ../implement #latex2html -dir ../html/implement -mkdir implement.tex #cd .. mv *.html html/ cd .. find . -type f -name '*.ps' -exec gzip -9 {} \; chmod 644 doc/man2ps chmod 644 doc/krb5-protocol/draft-jaganathan-rc4-hmac-03.txt # cleanup rm -f %{buildroot}/usr/share/man/man1/tmac.doc* rm -f /usr/share/man/man1/tmac.doc* rm -rf /usr/lib/mit/share rm -rf %{buildroot}/usr/lib/mit/share #rm -f doc/html/*/WARNINGS #rm -f doc/html/*/images.aux #rm -f doc/html/*/labels.pl #### check for duplicate files and replace them with a link #cd doc/html/library #if cmp --quiet library.html index.html ; then # rm -f index.html # ln -s library.html index.html #fi #cd ../libdes #if cmp --quiet libdes.html index.html ; then # rm -f index.html # ln -s libdes.html index.html #fi #cd ../implement #if cmp --quiet implement.html index.html ; then # rm -f index.html # ln -s implement.html index.html #fi #cd ../.. %clean rm -rf %{buildroot} %files %defattr(-,root,root) %doc doc/*.ps.gz doc/api/*.ps.gz doc/implement/*.ps.gz %doc doc/krb5-protocol doc/kadmin %doc doc/html %changelog ++++++ krb5-mini.spec ++++++ ++++ 620 lines (skipped) krb5.spec: same change ++++++ MITKRB5-SA-2012-001.dif ++++++ Index: krb5-1.9.1/src/kdc/kdc_preauth.c =================================================================== --- krb5-1.9.1.orig/src/kdc/kdc_preauth.c +++ krb5-1.9.1/src/kdc/kdc_preauth.c @@ -1562,7 +1562,8 @@ etype_info_helper(krb5_context context, continue; } - if (request_contains_enctype(context, request, db_etype)) { + if (krb5_is_permitted_enctype(context, db_etype) && + request_contains_enctype(context, request, db_etype)) { retval = _make_etype_info_entry(context, client->princ, client_key, db_etype, &entry[i], etype_info2); Index: krb5-1.9.1/src/kdc/kdc_util.c =================================================================== --- krb5-1.9.1.orig/src/kdc/kdc_util.c +++ krb5-1.9.1/src/kdc/kdc_util.c @@ -2465,6 +2465,7 @@ kdc_handle_protected_negotiation(krb5_da return 0; pa.magic = KV5M_PA_DATA; pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP; + memset(&checksum, 0, sizeof(checksum)); retval = krb5_c_make_checksum(kdc_context,0, reply_key, KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum); if (retval != 0) Index: krb5-1.9.1/src/lib/kdb/kdb_default.c =================================================================== --- krb5-1.9.1.orig/src/lib/kdb/kdb_default.c +++ krb5-1.9.1/src/lib/kdb/kdb_default.c @@ -64,6 +64,9 @@ krb5_dbe_def_search_enctype(kcontext, db krb5_boolean saw_non_permitted = FALSE; ret = 0; + if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype)) + return KRB5_KDB_NO_PERMITTED_KEY; + if (kvno == -1 && stype == -1 && ktype == -1) kvno = 0; ++++++ baselibs.conf ++++++ krb5 obsoletes "heimdal-lib-<targettype>" provides "heimdal-lib-<targettype>" krb5-devel ++++++ bug-765485-CVE-2012-1013-kadmind_dos_via_null_pointer_dereference.dif ++++++ commit c5be6209311d4a8f10fda37d0d3f876c1b33b77b Author: Richard Basch <basch(a)alum.mit.edu> Date: Tue May 29 14:07:03 2012 -0400 Null pointer deref in kadmind [CVE-2012-1013] The fix for #6626 could cause kadmind to dereference a null pointer if a create-principal request contains no password but does contain the KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix name"). Only clients authorized to create principals can trigger the bug. Fix the bug by testing for a null password in check_1_6_dummy. CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C [ghudson(a)mit.edu: Minor style change and commit message] ticket: 7152 target_version: 1.10.2 tags: pullup Index: krb5-1.9.1/src/lib/kadm5/srv/svr_principal.c =================================================================== --- krb5-1.9.1.orig/src/lib/kadm5/srv/svr_principal.c +++ krb5-1.9.1/src/lib/kadm5/srv/svr_principal.c @@ -194,7 +194,7 @@ check_1_6_dummy(kadm5_principal_ent_t en char *password = *passptr; /* Old-style randkey operations disallowed tickets to start. */ - if (!(mask & KADM5_ATTRIBUTES) || + if (password == NULL || !(mask & KADM5_ATTRIBUTES) || !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX)) return; ++++++ bug-777474-fix-cross-realm-traversal-TGT-requests.dif ++++++ commit 5c94d680e4e9cbffa763ad69b112385492fd4ebf Author: Greg Hudson <ghudson(a)mit.edu> Date: Thu Sep 1 16:21:25 2011 +0000 Fix cross-realm traversal TGT requests When requesting a cross-realm TGT, use the KDC instance of the current TGT (the second data component), not the realm which the TGT came from. ticket: 6952 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25121 dc483132-0cff-0310-8789-dd5450dbe970 Index: krb5-1.9.1/src/lib/krb5/krb/get_creds.c =================================================================== --- krb5-1.9.1.orig/src/lib/krb5/krb/get_creds.c +++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c @@ -296,7 +296,7 @@ make_request_for_tgt(krb5_context contex /* Construct the principal krbtgt/<realm>@<cur-tgt-realm>. */ krb5_free_principal(context, ctx->tgt_princ); ctx->tgt_princ = NULL; - code = krb5int_tgtname(context, realm, &ctx->cur_tgt->server->realm, + code = krb5int_tgtname(context, realm, &ctx->cur_tgt->server->data[1], &ctx->tgt_princ); if (code != 0) return code; ++++++ krb5-1.3.5-perlfix.dif ++++++ --- doc/man2html +++ doc/man2html 2004/10/18 16:20:53 @@ -1,5 +1,4 @@ -#!/usr/athena/bin/perl -#!/usr/local/bin/perl +#!/usr/bin/perl ##---------------------------------------------------------------------------## ## File: ## @(#) man2html 1.2 97/08/12 12:57:30 @(#) ++++++ krb5-1.6.3-gssapi_improve_errormessages.dif ++++++ Index: trunk/src/lib/gssapi/generic/disp_com_err_status.c =================================================================== --- trunk.orig/src/lib/gssapi/generic/disp_com_err_status.c +++ trunk/src/lib/gssapi/generic/disp_com_err_status.c @@ -54,7 +54,7 @@ g_display_com_err_status(minor_status, s status_string->value = NULL; if (! g_make_string_buffer(((status_value == 0)?no_error: - error_message(status_value)), + error_message((long)status_value)), status_string)) { *minor_status = ENOMEM; return(GSS_S_FAILURE); ++++++ krb5-1.6.3-kpasswd_tcp.patch ++++++ Fall back to TCP on kdc-unresolvable/unreachable errors. We still have to wait for UDP to fail, so this might not be ideal. RT #5868. Index: src/lib/krb5/os/changepw.c =================================================================== --- src/lib/krb5/os/changepw.c.orig +++ src/lib/krb5/os/changepw.c @@ -282,10 +282,22 @@ change_set_password(krb5_context context NULL ))) { - /* - * Here we may want to switch to TCP on some errors. - * right? - */ + /* if we're not using a stream socket, and it's an error which + * might reasonably be specific to a datagram "connection", try + * again with a stream socket */ + if (!useTcp) { + switch (code) { + case KRB5_KDC_UNREACH: + case KRB5_REALM_CANT_RESOLVE: + case KRB5KRB_ERR_RESPONSE_TOO_BIG: + /* should we do this for more result codes than these? */ + krb5int_free_addrlist (&al); + useTcp = 1; + continue; + default: + break; + } + } break; } ++++++ krb5-1.6.3-ktutil-manpage.dif ++++++ Index: krb5-1.6.3/src/kadmin/ktutil/ktutil.M =================================================================== --- krb5-1.6.3.orig/src/kadmin/ktutil/ktutil.M +++ krb5-1.6.3/src/kadmin/ktutil/ktutil.M @@ -63,5 +63,17 @@ Quits Aliases: .BR exit , .BR q . +.SH REMARKS +Changes to the keytab are appended to the keytab file (i.e., the keytab file +is never overwritten). To directly modify a keytab, save the changes to a +temporary file and then overwrite the keytab file of interest. +.TP +.nf +Example: +ktutil> rkt /etc/krb5.keytab +(modifications to keytab) +ktutil> wkt /tmp/krb5.newtab +ktutil> q +# mv /tmp/krb5.newtab /etc/krb5.keytab .SH SEE ALSO kadmin(8), kdb5_util(8) ++++++ krb5-1.6.3-texi2dvi-fix.dif ++++++ Index: trunk/doc/Makefile =================================================================== --- doc/Makefile +++ doc/Makefile @@ -1,5 +1,5 @@ SRCDIR=../src -DVI=texi2dvi4a2ps # texi2dvi +DVI=texi2dvi # texi2dvi DVIPS=dvips -o "$@" PSPDF=ps2pdf INFO=makeinfo ++++++ krb5-1.7-doublelog.patch ++++++ Don't double-log (actually, don't process /etc/krb5.conf twice) just because we built with --sysconfdir=/etc. RT#3277 Index: krb5-1.9.1/src/include/Makefile.in =================================================================== --- krb5-1.9.1.orig/src/include/Makefile.in +++ krb5-1.9.1/src/include/Makefile.in @@ -66,7 +66,9 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$( -e "s+@MODULEDIR+$(MODULE_DIR)+" \ -e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \ -e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \ - -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' + -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \ + -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \ + -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' OSCONFSRC = $(srcdir)/osconf.hin ++++++ krb5-1.7-nodeplibs.patch ++++++ Omit extra libraries because their interfaces aren't exposed to applications by libkrb5, unless do_deps is set to 1, which indicates that the caller wants the whole list. Index: krb5-1.9.1/src/krb5-config.in =================================================================== --- krb5-1.9.1.orig/src/krb5-config.in +++ krb5-1.9.1/src/krb5-config.in @@ -221,7 +221,11 @@ if test -n "$do_libs"; then fi if test $library = 'krb5'; then - lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + if test 0$do_deps -eq 1 ; then + lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + else + lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err" + fi fi echo $lib_flags ++++++ krb5-1.8-api.patch ++++++ Reference docs don't define what happens if you call krb5_realm_compare() with malformed krb5_principal structures. Define a behavior which keeps it from crashing if applications don't check ahead of time. diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/princ_comp.c --- krb5-1.8/src/lib/krb5/krb/princ_comp.c.api 2009-10-30 20:48:38.000000000 -0400 +++ krb5-1.8/src/lib/krb5/krb/princ_comp.c 2010-03-05 11:00:55.000000000 -0500 @@ -41,6 +41,12 @@ realm_compare_flags(krb5_context context const krb5_data *realm1 = krb5_princ_realm(context, princ1); const krb5_data *realm2 = krb5_princ_realm(context, princ2); + if ((princ1 == NULL) || (princ2 == NULL)) + return FALSE; + + if ((realm1 == NULL) || (realm2 == NULL)) + return FALSE; + if (realm1->length != realm2->length) return FALSE; @@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex krb5_principal upn2 = NULL; krb5_boolean ret = FALSE; + if ((princ1 == NULL) || (princ2 == NULL)) + return FALSE; + if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) { /* Treat UPNs as if they were real principals */ if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) { ++++++ krb5-1.8-manpaths.txt ++++++ appl/sample/sserver/sserver.M config-files/kdc.conf.M config-files/krb5.conf.M kadmin/cli/kadmin.M slave/kpropd.M slave/kprop.M ++++++ krb5-1.8-pam.patch ++++++ ++++ 757 lines (skipped) ++++++ krb5-1.9-MITKRB5-SA-2011-006.dif ++++++ diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c index b473611..50c60b7 100644 --- a/src/plugins/kdb/db2/lockout.c +++ b/src/plugins/kdb/db2/lockout.c @@ -169,6 +169,9 @@ krb5_db2_lockout_audit(krb5_context context, return 0; } + if (entry == NULL) + return 0; + if (!db_ctx->disable_lockout) { code = lookup_lockout_policy(context, entry, &max_fail, &failcnt_interval, &lockout_duration); @@ -176,6 +179,15 @@ krb5_db2_lockout_audit(krb5_context context, return code; } + /* + * Don't continue to modify the DB for an already locked account. + * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and + * this check is unneeded, but in rare cases, we can fail with an + * integrity error or preauth failure before a policy check.) + */ + if (locked_check_p(context, stamp, max_fail, lockout_duration, entry)) + return 0; + /* Only mark the authentication as successful if the entry * required preauthentication, otherwise we have no idea. */ if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) { diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index 552e39a..c2f44ab 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c @@ -105,6 +105,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, CHECK_LDAP_HANDLE(ldap_context); if (is_principal_in_realm(ldap_context, searchfor) != 0) { + st = KRB5_KDB_NOENTRY; krb5_set_error_message (context, st, "Principal does not belong to realm"); goto cleanup; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c index a218dc7..fd164dd 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c @@ -165,6 +165,9 @@ krb5_ldap_lockout_audit(krb5_context context, return 0; } + if (entry == NULL) + return 0; + if (!ldap_context->disable_lockout) { code = lookup_lockout_policy(context, entry, &max_fail, &failcnt_interval, @@ -173,9 +176,16 @@ krb5_ldap_lockout_audit(krb5_context context, return code; } - entry->mask = 0; + /* + * Don't continue to modify the DB for an already locked account. + * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and + * this check is unneeded, but in rare cases, we can fail with an + * integrity error or preauth failure before a policy check.) + */ + if (locked_check_p(context, stamp, max_fail, lockout_duration, entry)) + return 0; - assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry)); + entry->mask = 0; /* Only mark the authentication as successful if the entry * required preauthentication, otherwise we have no idea. */ ++++++ krb5-1.9-MITKRB5-SA-2011-007.dif ++++++ diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in index f46cad3..102fbaa 100644 --- a/src/kdc/Makefile.in +++ b/src/kdc/Makefile.in @@ -67,6 +67,7 @@ check-unix:: rtest check-pytests:: $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS) install:: $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index c169c54..840a2ef 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -243,7 +243,8 @@ tgt_again: if (!tgs_1 || !data_eq(*server_1, *tgs_1)) { errcode = find_alternate_tgs(request, &server); firstpass = 0; - goto tgt_again; + if (errcode == 0) + goto tgt_again; } } status = "UNKNOWN_SERVER"; diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py new file mode 100644 index 0000000..1760bcd --- /dev/null +++ b/src/kdc/t_emptytgt.py @@ -0,0 +1,8 @@ +#!/usr/bin/python +from k5test import * + +realm = K5Realm(start_kadmind=False, create_host=False) +output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1) +if 'not found in Kerberos database' not in output: + fail('TGT lookup for empty realm failed in unexpected way') +success('Empty tgt lookup.') ++++++ krb5-1.9-buildconf.patch ++++++ Build binaries in this package as RELRO PIEs and install shared libraries with the execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf --- krb5-1.9/src/config/shlib.conf 2008-12-08 17:33:07.000000000 -0500 +++ krb5-1.9/src/config/shlib.conf 2009-06-04 14:01:28.000000000 -0400 @@ -430,7 +430,8 @@ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' PROFFLAGS=-pg PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' - CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' + CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)' + INSTALL_SHLIB='${INSTALL} -m755' CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in --- krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 +++ krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 @@ -187,8 +187,14 @@ if test -n "$do_libs"; then -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \ -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \ -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ - -e 's#\$(CFLAGS)#'"$CFLAGS"'#'` + -e 's#\$(CFLAGS)##'` + if test `dirname $libdir` = /usr ; then + lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"` + fi + lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"` + lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"` + if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 ++++++ krb5-1.9-canonicalize-fallback.patch ++++++ >From RT#6917. Index: krb5-1.9.1/src/lib/krb5/krb/get_creds.c =================================================================== --- krb5-1.9.1.orig/src/lib/krb5/krb/get_creds.c +++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c @@ -470,13 +470,10 @@ begin_non_referral(krb5_context context, /***** STATE_REFERRALS *****/ -/* - * Possibly retry a request in the fallback realm after a referral request - * failure in the local realm. Expects ctx->reply_code to be set to the error - * from a referral request. - */ +/* Possibly try a non-referral request after a referral request failure. + * Expects ctx->reply_code to be set to the error from a referral request. */ static krb5_error_code -try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx) +try_fallback(krb5_context context, krb5_tkt_creds_context ctx) { krb5_error_code code; char **hrealms; @@ -485,9 +482,10 @@ try_fallback_realm(krb5_context context, if (ctx->referral_count > 1) return ctx->reply_code; - /* Only fall back if the original request used the referral realm. */ + /* If the request used a specified realm, make a non-referral request to + * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */ if (!krb5_is_referral_realm(&ctx->req_server->realm)) - return ctx->reply_code; + return begin_non_referral(context, ctx); if (ctx->server->length < 2) { /* We need a type/host format principal to find a fallback realm. */ @@ -500,10 +498,10 @@ try_fallback_realm(krb5_context context, if (code != 0) return code; - /* Give up if the fallback realm isn't any different. */ + /* If the fallback realm isn't any different, use the existing TGT. */ if (data_eq_string(ctx->server->realm, hrealms[0])) { krb5_free_host_realm(context, hrealms); - return ctx->reply_code; + return begin_non_referral(context, ctx); } /* Rewrite server->realm to be the fallback realm. */ @@ -540,9 +538,9 @@ step_referrals(krb5_context context, krb krb5_error_code code; const krb5_data *referral_realm; - /* Possibly retry with the fallback realm on error. */ + /* Possibly try a non-referral fallback request on error. */ if (ctx->reply_code != 0) - return try_fallback_realm(context, ctx); + return try_fallback(context, ctx); if (krb5_principal_compare(context, ctx->reply_creds->server, ctx->server)) { ++++++ krb5-1.9-gss_display_status-iakerb.patch ++++++ Index: krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c =================================================================== --- krb5-1.9.1.orig/src/lib/gssapi/krb5/disp_status.c +++ krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c @@ -167,7 +167,8 @@ krb5_gss_display_status(minor_status, st if ((mech_type != GSS_C_NULL_OID) && !g_OID_equal(gss_mech_krb5, mech_type) && - !g_OID_equal(gss_mech_krb5_old, mech_type)) { + !g_OID_equal(gss_mech_krb5_old, mech_type) && + !g_OID_equal(gss_mech_iakerb, mech_type)) { *minor_status = 0; return(GSS_S_BAD_MECH); } ++++++ krb5-1.9-kprop-mktemp.patch ++++++ Use an in-memory ccache to silence a compiler warning, for RT#6414. Index: krb5-1.9.1/src/slave/kprop.c =================================================================== --- krb5-1.9.1.orig/src/slave/kprop.c +++ krb5-1.9.1/src/slave/kprop.c @@ -188,9 +188,8 @@ void PRS(argc, argv) void get_tickets(context) krb5_context context; { - char buf[BUFSIZ], *def_realm; + char buf[] = "MEMORY:_kproptkt", *def_realm; krb5_error_code retval; - static char tkstring[] = "/tmp/kproptktXXXXXX"; krb5_keytab keytab = NULL; /* @@ -229,11 +228,8 @@ void get_tickets(context) #endif /* - * Initialize cache file which we're going to be using + * Initialize an in-memory cache for temporary use */ - (void) mktemp(tkstring); - snprintf(buf, sizeof(buf), "FILE:%s", tkstring); - retval = krb5_cc_resolve(context, buf, &ccache); if (retval) { com_err(progname, retval, "while opening credential cache %s", ++++++ krb5-1.9-ksu-path.patch ++++++ Set the default PATH to the one set by login. diff -up krb5-1.9/src/clients/ksu/Makefile.in.ksu-path krb5-1.9/src/clients/ksu/Makefile.in --- krb5-1.9/src/clients/ksu/Makefile.in.ksu-path 2010-03-05 10:58:25.000000000 -0500 +++ krb5-1.9/src/clients/ksu/Makefile.in 2010-03-05 10:58:25.000000000 -0500 @@ -1,6 +1,6 @@ mydir=clients$(S)ksu BUILDTOP=$(REL)..$(S).. -DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' +DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin"' DEFS= PROG_LIBPATH=-L$(TOPLIBD) ++++++ krb5-1.9-manpaths.dif ++++++ Change the absolute paths included in the man pages so that the correct values can be dropped in by config.status. After applying this patch, these files should be renamed to their ".in" counterparts, and then the configure scripts should be rebuilt. Originally RT#6525 Index: krb5-1.9.1/src/aclocal.m4 =================================================================== --- krb5-1.9.1.orig/src/aclocal.m4 +++ krb5-1.9.1/src/aclocal.m4 @@ -1782,3 +1782,24 @@ AC_SUBST(PAM_LIBS) AC_SUBST(PAM_MAN) AC_SUBST(NON_PAM_MAN) ])dnl +AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[ +mansysconfdir=$sysconfdir +mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"` +mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"` +mansbindir=$sbindir +mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"` +mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"` +mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"` +manlocalstatedir=$localstatedir +manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"` +manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"` +manlibexecdir=$libexecdir +manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"` +manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"` +manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"` +AC_SUBST(mansysconfdir) +AC_SUBST(mansbindir) +AC_SUBST(manlocalstatedir) +AC_SUBST(manlibexecdir) +AC_CONFIG_FILES($1) +]) Index: krb5-1.9.1/src/appl/sample/sserver/sserver.M =================================================================== --- krb5-1.9.1.orig/src/appl/sample/sserver/sserver.M +++ krb5-1.9.1/src/appl/sample/sserver/sserver.M @@ -59,7 +59,7 @@ option allows for a different keytab tha using a line in /etc/inetd.conf that looks like this: .PP -sample stream tcp nowait root /usr/local/sbin/sserver sserver +sample stream tcp nowait root @mansbindir@/sserver sserver .PP Since \fBsample\fP is normally not a port defined in /etc/services, you will usually have to add a line to /etc/services which looks like this: Index: krb5-1.9.1/src/config-files/kdc.conf.M =================================================================== --- krb5-1.9.1.orig/src/config-files/kdc.conf.M +++ krb5-1.9.1/src/config-files/kdc.conf.M @@ -92,14 +92,14 @@ This .B string specifies the location of the access control list (acl) file that kadmin uses to determine which principals are allowed which permissions -on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl. +on the database. The default value is @manlocalstatedir@/krb5kdc/kadm5.acl. .IP admin_keytab This .B string Specifies the location of the keytab file that kadmin uses to authenticate to the database. The default value is -/usr/local/var/krb5kdc/kadm5.keytab. +@manlocalstatedir@/krb5kdc/kadm5.keytab. .IP database_name This @@ -274,7 +274,7 @@ tickets should be checked against the tr realm names and the [capaths] section of its krb5.conf file .SH FILES -/usr/local/var/krb5kdc/kdc.conf +@manlocalstatedir@/krb5kdc/kdc.conf .SH SEE ALSO krb5.conf(5), krb5kdc(8) Index: krb5-1.9.1/src/config-files/krb5.conf.M =================================================================== --- krb5-1.9.1.orig/src/config-files/krb5.conf.M +++ krb5-1.9.1/src/config-files/krb5.conf.M @@ -768,6 +768,6 @@ with another database such as Active Dir in for this interface. .SH FILES -/etc/krb5.conf +@mansysconfdir@/krb5.conf .SH SEE ALSO syslog(3) Index: krb5-1.9.1/src/configure.in =================================================================== --- krb5-1.9.1.orig/src/configure.in +++ krb5-1.9.1/src/configure.in @@ -1128,6 +1128,16 @@ fi KRB5_WITH_PAM AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) + +V5_AC_OUTPUT_MANPAGE([ + appl/sample/sserver/sserver.M + config-files/kdc.conf.M + config-files/krb5.conf.M + kadmin/cli/kadmin.M + slave/kpropd.M + slave/kprop.M +]) + V5_AC_OUTPUT_MAKEFILE(. util util/support util/profile util/send-pr Index: krb5-1.9.1/src/kadmin/cli/kadmin.M =================================================================== --- krb5-1.9.1.orig/src/kadmin/cli/kadmin.M +++ krb5-1.9.1/src/kadmin/cli/kadmin.M @@ -880,9 +880,9 @@ option is specified, less verbose status .RS .TP EXAMPLE: -kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin +kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin Entry for principal kadmin/admin with kvno 3 removed - from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab. + from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab. kadmin: .RE .fi @@ -924,7 +924,7 @@ passwords. .SH HISTORY The .B kadmin -prorgam was originally written by Tom Yu at MIT, as an interface to the +program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program. .SH SEE ALSO .IR kerberos (1), Index: krb5-1.9.1/src/slave/kpropd.M =================================================================== --- krb5-1.9.1.orig/src/slave/kpropd.M +++ krb5-1.9.1/src/slave/kpropd.M @@ -74,7 +74,7 @@ Normally, kpropd is invoked out of This is done by adding a line to the inetd.conf file which looks like this: -kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd +kprop stream tcp nowait root @mansbindir@/kpropd kpropd However, kpropd can also run as a standalone daemon, if the .B \-S @@ -111,13 +111,13 @@ is used. \fB\-f\fP \fIfile\fP specifies the filename where the dumped principal database file is to be stored; by default the dumped database file is KPROPD_DEFAULT_FILE -(normally /usr/local/var/krb5kdc/from_master). +(normally @manlocalstatedir@/krb5kdc/from_master). .TP .B \-p allows the user to specify the pathname to the .IR kdb5_util (8) program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL -(normally /usr/local/sbin/kdb5_util). +(normally @mansbindir@/kdb5_util). .TP .B \-S turn on standalone mode. Normally, kpropd is invoked out of @@ -148,14 +148,14 @@ mode. allows the user to specify the path to the kpropd.acl file; by default the path used is KPROPD_ACL_FILE -(normally /usr/local/var/krb5kdc/kpropd.acl). +(normally @manlocalstatedir@/krb5kdc/kpropd.acl). .SH FILES .TP "\w'kpropd.acl\ \ 'u" kpropd.acl Access file for .BR kpropd ; the default location is KPROPD_ACL_FILE (normally -/usr/local/var/krb5kdc/kpropd.acl). +@manlocalstatedir@/krb5kdc/kpropd.acl). Each entry is a line containing the principal of a host from which the local machine will allow Kerberos database propagation via kprop. .SH SEE ALSO Index: krb5-1.9.1/src/slave/kprop.M =================================================================== --- krb5-1.9.1.orig/src/slave/kprop.M +++ krb5-1.9.1/src/slave/kprop.M @@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv This is done by transmitting the dumped database file to the slave server over an encrypted, secure channel. The dump file must be created by kdb5_util, and is normally KPROP_DEFAULT_FILE -(/usr/local/var/krb5kdc/slave_datatrans). +(@manlocalstatedir@/krb5kdc/slave_datatrans). .SH OPTIONS .TP \fB\-r\fP \fIrealm\fP @@ -51,7 +51,7 @@ is used. \fB\-f\fP \fIfile\fP specifies the filename where the dumped principal database file is to be found; by default the dumped database file is KPROP_DEFAULT_FILE -(normally /usr/local/var/krb5kdc/slave_datatrans). +(normally @manlocalstatedir@/krb5kdc/slave_datatrans). .TP \fB\-P\fP \fIport\fP specifies the port to use to contact the ++++++ krb5-1.9-paren.patch ++++++ Upstream commit #24477. diff -up krb5-1.9/src/slave/kpropd.c krb5-1.9/src/slave/kpropd.c --- krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:24.020999947 -0400 +++ krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:34.159999947 -0400 @@ -993,7 +993,7 @@ unsigned int backoff_from_master(int *cn btime = (unsigned int)(2<<(*cnt)); if (btime > MAX_BACKOFF) { btime = MAX_BACKOFF; - *cnt--; + (*cnt)--; } return (btime); ++++++ krb5-1.9-selinux-label.patch ++++++ ++++ 919 lines (skipped) ++++++ krb5-1.9.1-ai_addrconfig.patch ++++++ >From RT#6922. When we're converting a host/service pair into a principal name, specify AF_UNSPEC instead of AF_INET4 and then maybe AF_INET6 to try to avoid libc having doing a PTR lookup because we also specify AI_CANONNAME. Add AI_ADDRCONFIG because it's usually the right idea. Index: src/lib/krb5/os/sn2princ.c =================================================================== --- src/lib/krb5/os/sn2princ.c.orig +++ src/lib/krb5/os/sn2princ.c @@ -107,19 +107,12 @@ krb5_sname_to_principal(krb5_context con hostnames associated. */ memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_INET; - hints.ai_flags = AI_CANONNAME; - try_getaddrinfo_again: + hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; err = getaddrinfo(hostname, 0, &hints, &ai); if (err) { #ifdef DEBUG_REFERRALS printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname); #endif - if (hints.ai_family == AF_INET) { - /* Just in case it's an IPv6-only name. */ - hints.ai_family = 0; - goto try_getaddrinfo_again; - } return KRB5_ERR_BAD_HOSTNAME; } remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname); ++++++ krb5-1.9.1-ai_addrconfig2.patch ++++++ Most of RT#6923, except for the part that depends on the sendto_kdc rewrite (it's still in locate_kdc in this version): pass AI_ADDRCONFIG whenever we specify hints to getaddrinfo() to get the address of a server. Index: src/plugins/locate/python/py-locate.c =================================================================== --- src/plugins/locate/python/py-locate.c.orig +++ src/plugins/locate/python/py-locate.c @@ -303,6 +303,7 @@ lookup(void *blob, enum locate_service_t return -1; } aihints.ai_socktype = thissocktype; + aihints.ai_flags = AI_ADDRCONFIG; x = getaddrinfo (hoststr, portstr, &aihints, &airesult); if (x != 0) continue; Index: src/appl/sample/sclient/sclient.c =================================================================== --- src/appl/sample/sclient/sclient.c.orig +++ src/appl/sample/sclient/sclient.c @@ -124,6 +124,7 @@ main(int argc, char *argv[]) memset(&aihints, 0, sizeof(aihints)); aihints.ai_socktype = SOCK_STREAM; + aihints.ai_flags = AI_ADDRCONFIG; aierr = getaddrinfo(argv[1], portstr, &aihints, &ap); if (aierr) { fprintf(stderr, "%s: error looking up host '%s' port '%s'/tcp: %s\n", Index: src/kadmin/dbutil/kadm5_create.c =================================================================== --- src/kadmin/dbutil/kadm5_create.c.orig +++ src/kadmin/dbutil/kadm5_create.c @@ -182,7 +182,7 @@ static int add_admin_princs(void *handle goto clean_and_exit; } memset(&ai_hints, 0, sizeof(ai_hints)); - ai_hints.ai_flags = AI_CANONNAME; + ai_hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; gai_error = getaddrinfo(localname, (char *)NULL, &ai_hints, &ai); if (gai_error) { ret = EINVAL; Index: src/lib/kadm5/alt_prof.c =================================================================== --- src/lib/kadm5/alt_prof.c.orig +++ src/lib/kadm5/alt_prof.c @@ -901,7 +901,7 @@ kadm5_get_admin_service_name(krb5_contex } memset(&hint, 0, sizeof(hint)); - hint.ai_flags = AI_CANONNAME; + hint.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; err = getaddrinfo(params_out.admin_server, NULL, &hint, &ai); if (err != 0) { ret = KADM5_CANT_RESOLVE; Index: src/lib/kadm5/clnt/client_init.c =================================================================== --- src/lib/kadm5/clnt/client_init.c.orig +++ src/lib/kadm5/clnt/client_init.c @@ -563,8 +563,9 @@ connect_to_server(const char *hostname, (void) snprintf(portbuf, sizeof(portbuf), "%d", port); memset(&hint, 0, sizeof(hint)); hint.ai_socktype = SOCK_STREAM; + hint.ai_flags = AI_ADDRCONFIG; #ifdef AI_NUMERICSERV - hint.ai_flags = AI_NUMERICSERV; + hint.ai_flags |= AI_NUMERICSERV; #endif err = getaddrinfo(hostname, portbuf, &hint, &addrs); if (err != 0) Index: src/lib/krb5/os/hostaddr.c =================================================================== --- src/lib/krb5/os/hostaddr.c.orig +++ src/lib/krb5/os/hostaddr.c @@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c return KRB5_ERR_BAD_HOSTNAME; memset (&hints, 0, sizeof (hints)); - hints.ai_flags = AI_NUMERICHOST; + hints.ai_flags = AI_NUMERICHOST | AI_ADDRCONFIG; /* We don't care what kind at this point, really, but without this, we can get back multiple sockaddrs per address, for SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if Index: src/lib/krb5/os/hst_realm.c =================================================================== --- src/lib/krb5/os/hst_realm.c.orig +++ src/lib/krb5/os/hst_realm.c @@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz int err; memset (&hints, 0, sizeof (hints)); - hints.ai_flags = AI_CANONNAME; + hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; err = getaddrinfo (name, 0, &hints, &ai); if (err) return krb5int_translate_gai_error (err); Index: src/slave/kprop.c =================================================================== --- src/slave/kprop.c.orig +++ src/slave/kprop.c @@ -325,6 +325,7 @@ open_connection(krb5_context context, ch memset(&hints, 0, sizeof(hints)); hints.ai_family = PF_UNSPEC; hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_ADDRCONFIG; error = getaddrinfo(host, port, &hints, &answers); if (error != 0) { com_err(progname, 0, "%s: %s", host, gai_strerror(error)); Index: src/lib/krb5/os/locate_kdc.c =================================================================== --- src/lib/krb5/os/locate_kdc.c.orig +++ src/lib/krb5/os/locate_kdc.c @@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis memset(&hint, 0, sizeof(hint)); hint.ai_family = family; hint.ai_socktype = socktype; + hint.ai_flags = AI_ADDRCONFIG; #ifdef AI_NUMERICSERV - hint.ai_flags = AI_NUMERICSERV; + hint.ai_flags |= AI_NUMERICSERV; #endif result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)); if (SNPRINTF_OVERFLOW(result, sizeof(portbuf))) ++++++ krb5-1.9.1-sendto_poll.patch ++++++ ++++ 624 lines (skipped) ++++++ krb5-1.9.1-sendto_poll2.patch ++++++ RT#6951 Index: krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c =================================================================== --- krb5-1.9.1.orig/src/lib/krb5/os/sendto_kdc.c +++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c @@ -895,12 +895,12 @@ maybe_send(krb5_context context, struct static void kill_conn(struct conn_state *conn, struct select_state *selstate, int err) { + dprint("abandoning connection %d: %m\n", conn->fd, err); + cm_remove_fd(selstate, conn->fd); + closesocket(conn->fd); + conn->fd = INVALID_SOCKET; conn->state = FAILED; conn->err = err; - shutdown(conn->fd, SHUTDOWN_BOTH); - cm_remove_fd(selstate, conn->fd); - dprint("abandoning connection %d: %m\n", conn->fd, err); - /* Fix up max fd for next select call. */ } /* Check socket for error. */ ++++++ krb5-1.9.1-sendto_poll3.patch ++++++ If we exit the transmit loop cleanly, don't overestimate the size of the connections array. This bug appears to have been removed upstream when this function was rewritten in trunk, and the select()-based implementation is still what's in 1.9, so this patch has nowhere to go. --- krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:20.560811664 -0400 +++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:11.396812292 -0400 @@ -1317,7 +1319,10 @@ krb5int_sendto (krb5_context context, co call with the last one from the above loop, if the loop actually calls select. */ sel_state->end_time.tv_sec += delay_this_pass; - e = service_fds(context, sel_state, conns, host+1, &winning_conn, + i = host+1; + if (i > n_conns) + i = n_conns; + e = service_fds(context, sel_state, conns, i, &winning_conn, sel_state+1, msg_handler, msg_handler_data); if (e) break; ++++++ krb5-doc-rpmlintrc ++++++ addFilter("files-duplicate .*css") addFilter("files-duplicate .*img.*png") ++++++ krb5-klist_s.patch ++++++ Don't trip over referral entries. RT#6915 Index: krb5-1.9.1/src/clients/klist/klist.c =================================================================== --- krb5-1.9.1.orig/src/clients/klist/klist.c +++ krb5-1.9.1/src/clients/klist/klist.c @@ -28,7 +28,7 @@ * List out the contents of your credential cache or keytab. */ -#include "autoconf.h" +#include "k5-int.h" #include <krb5.h> #include <com_err.h> #include <stdlib.h> @@ -390,10 +390,9 @@ void do_ccache(name) continue; if (status_only) { if (exit_status && creds.server->length == 2 && - strcmp(creds.server->realm.data, princ->realm.data) == 0 && - strcmp((char *)creds.server->data[0].data, "krbtgt") == 0 && - strcmp((char *)creds.server->data[1].data, - princ->realm.data) == 0 && + data_eq(creds.server->realm, princ->realm) && + data_eq_string(creds.server->data[0], "krbtgt") && + data_eq(creds.server->data[1], princ->realm) && creds.times.endtime > now) exit_status = 0; } else { ++++++ krb5-pkinit-cms2.patch ++++++ When verifying signed-data, use the OpenSSL CMS APIs if we're building with a version of OpenSSL which supplies them (1.0.0 or later). Revised proposal for RT#6851. diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index bb8f036..6aedec4 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -41,6 +41,34 @@ #include "pkinit_crypto_openssl.h" +#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#include <openssl/cms.h> +#define pkinit_CMS_free1_crls(_sk_x509crl) sk_X509_CRL_free((_sk_x509crl)) +#define pkinit_CMS_free1_certs(_sk_x509) sk_X509_free((_sk_x509)) +#define pkinit_CMS_SignerInfo_get_cert(_cms,_si,_x509_pp) CMS_SignerInfo_get0_algs(_si,NULL,_x509_pp,NULL,NULL) +#else +#define pkinit_CMS_free1_crls(_stack_of_x509crls) /* don't free these CRLs */ +#define pkinit_CMS_free1_certs(_stack_of_x509certs) /* don't free these certs */ +#define CMS_NO_SIGNER_CERT_VERIFY PKCS7_NOVERIFY +#define CMS_NOATTR PKCS7_NOATTR +#define CMS_ContentInfo PKCS7 +#define CMS_SignerInfo PKCS7_SIGNER_INFO +#define d2i_CMS_ContentInfo d2i_PKCS7 +#define CMS_get0_type(_p7) ((_p7)->type) +#define CMS_get0_content(_p7) (&((_p7)->d.other->value.octet_string)) +#define CMS_set1_signers_certs(_p7,_stack_of_x509,_uint) +#define CMS_get0_SignerInfos PKCS7_get_signer_info +#define stack_st_CMS_SignerInfo stack_st_PKCS7_SIGNER_INFO +#undef sk_CMS_SignerInfo_value +#define sk_CMS_SignerInfo_value sk_PKCS7_SIGNER_INFO_value +#define CMS_get0_eContentType(_p7) (_p7->d.sign->contents->type) +#define CMS_verify PKCS7_verify +#define CMS_get1_crls(_p7) (_p7->d.sign->crl) +#define CMS_get1_certs(_p7) (_p7->d.sign->cert) +#define CMS_ContentInfo_free(_p7) PKCS7_free(_p7) +#define pkinit_CMS_SignerInfo_get_cert(_p7,_si,_x509_pp) (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si) +#endif + static struct pkcs11_errstrings { short code; char *text; @@ -1127,21 +1155,25 @@ cms_signeddata_verify(krb5_context context, int *is_signed) { krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED; - PKCS7 *p7 = NULL; + CMS_ContentInfo *cms = NULL; BIO *out = NULL; - int flags = PKCS7_NOVERIFY; + int flags = CMS_NO_SIGNER_CERT_VERIFY; unsigned int i = 0; unsigned int vflags = 0, size = 0; const unsigned char *p = signed_data; - STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL; - PKCS7_SIGNER_INFO *si = NULL; + STACK_OF(CMS_SignerInfo) *si_sk = NULL; + CMS_SignerInfo *si = NULL; X509 *x = NULL; X509_STORE *store = NULL; X509_STORE_CTX cert_ctx; + STACK_OF(X509) *signerCerts = NULL; STACK_OF(X509) *intermediateCAs = NULL; + STACK_OF(X509_CRL) *signerRevoked = NULL; STACK_OF(X509_CRL) *revoked = NULL; STACK_OF(X509) *verified_chain = NULL; ASN1_OBJECT *oid = NULL; + const ASN1_OBJECT *type = NULL, *etype = NULL; + ASN1_OCTET_STRING **octets; krb5_external_principal_identifier **krb5_verified_chain = NULL; krb5_data *authz = NULL; char buf[DN_BUF_LEN]; @@ -1157,8 +1189,8 @@ cms_signeddata_verify(krb5_context context, if (oid == NULL) goto cleanup; - /* decode received PKCS7 message */ - if ((p7 = d2i_PKCS7(NULL, &p, (int)signed_data_len)) == NULL) { + /* decode received CMS message */ + if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) { unsigned long err = ERR_peek_error(); krb5_set_error_message(context, retval, "%s\n", ERR_error_string(err, NULL)); @@ -1168,37 +1200,39 @@ cms_signeddata_verify(krb5_context context, } /* Handle the case in pkinit anonymous where we get unsigned data. */ - if (is_signed && !OBJ_cmp(p7->type, oid)) { + type = CMS_get0_type(cms); + if (is_signed && !OBJ_cmp(type, oid)) { unsigned char *d; *is_signed = 0; - if (p7->d.other->type != V_ASN1_OCTET_STRING) { + octets = CMS_get0_content(cms); + if (!octets || ((*octets)->type != V_ASN1_OCTET_STRING)) { retval = KRB5KDC_ERR_PREAUTH_FAILED; krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "Invalid pkinit packet: octet string " "expected"); goto cleanup; } - *data_len = ASN1_STRING_length(p7->d.other->value.octet_string); + *data_len = ASN1_STRING_length(*octets); d = malloc(*data_len); if (d == NULL) { retval = ENOMEM; goto cleanup; } - memcpy(d, ASN1_STRING_data(p7->d.other->value.octet_string), + memcpy(d, ASN1_STRING_data(*octets), *data_len); *data = d; goto out; } else { - /* Verify that the received message is PKCS7 SignedData message. */ - if (OBJ_obj2nid(p7->type) != NID_pkcs7_signed) { - pkiDebug("Expected id-signedData PKCS7 msg (received type = %d)\n", - OBJ_obj2nid(p7->type)); + /* Verify that the received message is CMS SignedData message. */ + if (OBJ_obj2nid(type) != NID_pkcs7_signed) { + pkiDebug("Expected id-signedData CMS msg (received type = %d)\n", + OBJ_obj2nid(type)); krb5_set_error_message(context, retval, "wrong oid\n"); goto cleanup; } } - /* setup to verify X509 certificate used to sign PKCS7 message */ + /* setup to verify X509 certificate used to sign CMS message */ if (!(store = X509_STORE_new())) goto cleanup; @@ -1210,37 +1244,41 @@ cms_signeddata_verify(krb5_context context, X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls); X509_STORE_set_flags(store, vflags); - /* get the signer's information from the PKCS7 message */ - if ((si_sk = PKCS7_get_signer_info(p7)) == NULL) + /* get the signer's information from the CMS message */ + CMS_set1_signers_certs(cms, NULL, 0); + if ((si_sk = CMS_get0_SignerInfos(cms)) == NULL) goto cleanup; - if ((si = sk_PKCS7_SIGNER_INFO_value(si_sk, 0)) == NULL) + if ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL) goto cleanup; - if ((x = PKCS7_cert_from_signer_info(p7, si)) == NULL) + pkinit_CMS_SignerInfo_get_cert(cms, si, &x); + if (x == NULL) goto cleanup; /* create available CRL information (get local CRLs and include CRLs - * received in the PKCS7 message + * received in the CMS message */ + signerRevoked = CMS_get1_crls(cms); if (idctx->revoked == NULL) - revoked = p7->d.sign->crl; - else if (p7->d.sign->crl == NULL) + revoked = signerRevoked; + else if (signerRevoked == NULL) revoked = idctx->revoked; else { size = sk_X509_CRL_num(idctx->revoked); revoked = sk_X509_CRL_new_null(); for (i = 0; i < size; i++) sk_X509_CRL_push(revoked, sk_X509_CRL_value(idctx->revoked, i)); - size = sk_X509_CRL_num(p7->d.sign->crl); + size = sk_X509_CRL_num(signerRevoked); for (i = 0; i < size; i++) - sk_X509_CRL_push(revoked, sk_X509_CRL_value(p7->d.sign->crl, i)); + sk_X509_CRL_push(revoked, sk_X509_CRL_value(signerRevoked, i)); } /* create available intermediate CAs chains (get local intermediateCAs and - * include the CA chain received in the PKCS7 message + * include the CA chain received in the CMS message */ + signerCerts = CMS_get1_certs(cms); if (idctx->intermediateCAs == NULL) - intermediateCAs = p7->d.sign->cert; - else if (p7->d.sign->cert == NULL) + intermediateCAs = signerCerts; + else if (signerCerts == NULL) intermediateCAs = idctx->intermediateCAs; else { size = sk_X509_num(idctx->intermediateCAs); @@ -1249,9 +1287,9 @@ cms_signeddata_verify(krb5_context context, sk_X509_push(intermediateCAs, sk_X509_value(idctx->intermediateCAs, i)); } - size = sk_X509_num(p7->d.sign->cert); + size = sk_X509_num(signerCerts); for (i = 0; i < size; i++) { - sk_X509_push(intermediateCAs, sk_X509_value(p7->d.sign->cert, i)); + sk_X509_push(intermediateCAs, sk_X509_value(signerCerts, i)); } } @@ -1329,10 +1367,10 @@ cms_signeddata_verify(krb5_context context, krb5_set_error_message(context, retval, "%s\n", X509_verify_cert_error_string(j)); #ifdef DEBUG_CERTCHAIN - size = sk_X509_num(p7->d.sign->cert); + size = sk_X509_num(signerCerts); pkiDebug("received cert chain of size %d\n", size); for (j = 0; j < size; j++) { - X509 *tmp_cert = sk_X509_value(p7->d.sign->cert, j); + X509 *tmp_cert = sk_X509_value(signerCerts, j); X509_NAME_oneline(X509_get_subject_name(tmp_cert), buf, sizeof(buf)); pkiDebug("cert #%d: %s\n", j, buf); } @@ -1348,11 +1386,12 @@ cms_signeddata_verify(krb5_context context, out = BIO_new(BIO_s_mem()); if (cms_msg_type == CMS_SIGN_DRAFT9) - flags |= PKCS7_NOATTR; - if (PKCS7_verify(p7, NULL, store, NULL, out, flags)) { + flags |= CMS_NOATTR; + etype = CMS_get0_eContentType(cms); + if (CMS_verify(cms, NULL, store, NULL, out, flags)) { int valid_oid = 0; - if (!OBJ_cmp(p7->d.sign->contents->type, oid)) + if (!OBJ_cmp(etype, oid)) valid_oid = 1; else if (cms_msg_type == CMS_SIGN_DRAFT9) { /* @@ -1364,18 +1403,18 @@ cms_signeddata_verify(krb5_context context, client_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_CLIENT); server_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_SERVER); rsa_oid = pkinit_pkcs7type2oid(plgctx, CMS_ENVEL_SERVER); - if (!OBJ_cmp(p7->d.sign->contents->type, client_oid) || - !OBJ_cmp(p7->d.sign->contents->type, server_oid) || - !OBJ_cmp(p7->d.sign->contents->type, rsa_oid)) + if (!OBJ_cmp(etype, client_oid) || + !OBJ_cmp(etype, server_oid) || + !OBJ_cmp(etype, rsa_oid)) valid_oid = 1; } if (valid_oid) - pkiDebug("PKCS7 Verification successful\n"); + pkiDebug("CMS Verification successful\n"); else { pkiDebug("wrong oid in eContentType\n"); - print_buffer(p7->d.sign->contents->type->data, - (unsigned int)p7->d.sign->contents->type->length); + print_buffer(etype->data, + (unsigned int)etype->length); retval = KRB5KDC_ERR_PREAUTH_FAILED; krb5_set_error_message(context, retval, "wrong oid\n"); goto cleanup; @@ -1391,13 +1430,13 @@ cms_signeddata_verify(krb5_context context, default: retval = KRB5KDC_ERR_INVALID_SIG; } - pkiDebug("PKCS7 Verification failure\n"); + pkiDebug("CMS Verification failure\n"); krb5_set_error_message(context, retval, "%s\n", ERR_error_string(err, NULL)); goto cleanup; } - /* transfer the data from PKCS7 message into return buffer */ + /* transfer the data from CMS message into return buffer */ for (size = 0;;) { int remain; retval = ENOMEM; @@ -1452,12 +1491,16 @@ cleanup: BIO_free(out); if (store != NULL) X509_STORE_free(store); - if (p7 != NULL) { - if (idctx->intermediateCAs != NULL && p7->d.sign->cert) + if (cms != NULL) { + if (signerCerts != NULL) + pkinit_CMS_free1_certs(signerCerts); + if (idctx->intermediateCAs != NULL && signerCerts) sk_X509_free(intermediateCAs); - if (idctx->revoked != NULL && p7->d.sign->crl) + if (signerRevoked != NULL) + pkinit_CMS_free1_crls(signerRevoked); + if (idctx->revoked != NULL && signerRevoked) sk_X509_CRL_free(revoked); - PKCS7_free(p7); + CMS_ContentInfo_free(cms); } if (verified_chain != NULL) sk_X509_pop_free(verified_chain, X509_free); ++++++ krb5-rpmlintrc ++++++ addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so") addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz") addFilter("files-duplicate .*css") addFilter("files-duplicate .*img.*png") addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so") addFilter("shlib-policy-missing-suffix") ++++++ krb5-trunk-chpw-err.patch ++++++ Don't suppress the error code from an error message when the error message contains e-data. RT#6893 Index: src/lib/krb5/krb/chpw.c =================================================================== --- src/lib/krb5/krb/chpw.c (revision 24838) +++ src/lib/krb5/krb/chpw.c (working copy) @@ -111,15 +111,11 @@ if ((ret = krb5_rd_error(context, packet, &krberror))) return(ret); - if (krberror->e_data.data == NULL) - ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error; - else - ret = KRB5KRB_AP_ERR_MODIFIED; + ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error; krb5_free_error(context, krberror); return(ret); - } else { - return(KRB5KRB_AP_ERR_MODIFIED); } + return(KRB5KRB_AP_ERR_MODIFIED); } ++++++ krb5-trunk-gss_delete_sec.patch ++++++ Author: ghudson Date: Mon May 9 17:28:07 2011 +0000 ticket: 6908 subject: Delete sec context properly in gss_krb5_export_lucid_sec_context target_version: 1.9.2 tags: pullup Since r21690, gss_krb5_export_lucid_sec_context() has been passing a union context to krb5_gss_delete_sec_context(), causing a crash as the krb5 routine attempts to interpret a union context structure as a krb5 GSS context. Call the mechglue gss_delete_sec_context instead. svn://anonsvn.mit.edu:/krb5/trunk@24917 --- a/src/lib/gssapi/krb5/krb5_gss_glue.c +++ b/src/lib/gssapi/krb5/krb5_gss_glue.c @@ -196,7 +196,7 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status, /* Clean up the context state (it is an error for * someone to attempt to use this context again) */ - (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); + (void)gss_delete_sec_context(minor_status, context_handle, NULL); *context_handle = GSS_C_NO_CONTEXT; generic_gss_release_buffer_set(&minor, &data_set); ++++++ krb5-trunk-kadmin-oldproto.patch ++++++ ------------------------------------------------------------------------ r24967 | ghudson | 2011-06-13 14:54:33 -0400 (Mon, 13 Jun 2011) | 11 lines ticket: 6920 subject: Fix old-style GSSRPC authentication target_version: 1.9.2 tags: pullup r24147 (ticket #6746) made libgssrpc ignorant of the remote address of the kadmin socket, even when it's IPv4. This made old-style GSSAPI authentication fail because it uses the wrong channel bindings. Fix this problem by making clnttcp_create() get the remote address from the socket using getpeername() if the caller doesn't provide it and it's an IPv4 address. ------------------------------------------------------------------------ Index: src/lib/rpc/clnt_tcp.c =================================================================== --- src/lib/rpc/clnt_tcp.c (revision 24966) +++ src/lib/rpc/clnt_tcp.c (revision 24967) @@ -187,9 +187,16 @@ ct->ct_sock = *sockp; ct->ct_wait.tv_usec = 0; ct->ct_waitset = FALSE; - if (raddr == NULL) - memset(&ct->ct_addr, 0, sizeof(ct->ct_addr)); - else + if (raddr == NULL) { + /* Get the remote address from the socket, if it's IPv4. */ + struct sockaddr_in sin; + socklen_t len = sizeof(sin); + int ret = getpeername(ct->ct_sock, (struct sockaddr *)&sin, &len); + if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET) + ct->ct_addr = sin; + else + memset(&ct->ct_addr, 0, sizeof(ct->ct_addr)); + } else ct->ct_addr = *raddr; /* ++++++ pre_checkin.sh ++++++ #!/bin/sh sed -e 's/Name:.*/Name: krb5-mini/g;' \ -e 's/%define.*build_mini.*/%define build_mini 1/g' krb5.spec > krb5-mini.spec cp krb5.changes krb5-mini.changes -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit patchinfo.1366 for openSUSE:12.2:Update
by root＠hilbert.suse.de 25 Feb '13

25 Feb '13

Hello community, here is the log from the commit of package patchinfo.1366 for openSUSE:12.2:Update checked in at 2013-02-25 09:11:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2:Update/patchinfo.1366 (Old) and /work/SRC/openSUSE:12.2:Update/.patchinfo.1366.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "patchinfo.1366", Maintainer is "" Changes: -------- New Changes file: NO CHANGES FILE!!! New: ---- _patchinfo ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _patchinfo ++++++ <patchinfo> <packager>computersalat</packager> <category>recommended</category> <rating>moderate</rating> <summary>WindowMaker: fixed SUSE menu in WindowMaker</summary> <description>This update fixes the following issue for WindowMaker: - bnc#780348: - WMRootMenu: (SuSE, OPEN_MENU, "| xdg_menu --format WindowMaker --charset UTF-8") - More (un)maximize tweaks ("jumping window")</description> <issue tracker="bnc" id="780348">SUSE menu in WindowMaker does not open</issue> </patchinfo> -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit WindowMaker for openSUSE:12.2:Update
by root＠hilbert.suse.de 25 Feb '13

25 Feb '13

Hello community, here is the log from the commit of package WindowMaker for openSUSE:12.2:Update checked in at 2013-02-25 09:11:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2:Update/WindowMaker (Old) and /work/SRC/openSUSE:12.2:Update/.WindowMaker.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "WindowMaker", Maintainer is "MHrusecky(a)suse.com" Changes: -------- New Changes file: NO CHANGES FILE!!! New: ---- _link ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _link ++++++ <link package='WindowMaker.1366' cicount='copy' /> -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit patchinfo.1371 for openSUSE:12.3:Update
by root＠hilbert.suse.de 24 Feb '13

24 Feb '13

Hello community, here is the log from the commit of package patchinfo.1371 for openSUSE:12.3:Update checked in at 2013-02-24 20:51:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3:Update/patchinfo.1371 (Old) and /work/SRC/openSUSE:12.3:Update/.patchinfo.1371.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "patchinfo.1371", Maintainer is "" Changes: -------- New Changes file: NO CHANGES FILE!!! New: ---- _patchinfo ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _patchinfo ++++++ <patchinfo> <issue id="804730" tracker="bnc">VUL-1: CVE-2013-0308: git: missing SSL host verification in git-imap-send</issue> <issue id="CVE-2013-0308" tracker="cve" /> <category>security</category> <rating>moderate</rating> <packager>tiwai</packager> <description> git was updated to version 1.8.1.4: * "git imap-send" talking over imaps:// did make sure it received a valid certificate from the other end, but did not check if the certificate matched the host it thought it was talking to. This fixes CVE-2013-0308, bnc#804730 - updated to version 1.8.1.3: * minor fixes and documentation updates. more details, please see here: https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.3.txt - updated to version 1.8.1.2: * An element on GIT_CEILING_DIRECTORIES list that does not name the real path to a directory (i.e. a symbolic link) could have caused the GIT_DIR discovery logic to escape the ceiling. * Command line completion for "tcsh" emitted an unwanted space after completing a single directory name. * Command line completion leaked an unnecessary error message while looking for possible matches with paths in <tree-ish>. * "git archive" did not record uncompressed size in the header when streaming a zip archive, which confused some implementations of unzip. * When users spelled "cc:" in lowercase in the fake "header" in the trailer part, "git send-email" failed to pick up the addresses from there. As e-mail headers field names are case insensitive, this script should follow suit and treat "cc:" and "Cc:" the same way. Also contains various documentation fixes. </description> <summary>git: update to 1.8.1.4</summary> </patchinfo> -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit git.1371 for openSUSE:12.3:Update
by root＠hilbert.suse.de 24 Feb '13

24 Feb '13

Hello community, here is the log from the commit of package git.1371 for openSUSE:12.3:Update checked in at 2013-02-24 20:51:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3:Update/git.1371 (Old) and /work/SRC/openSUSE:12.3:Update/.git.1371.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "git.1371", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2013-02-09 11:18:20.872010756 +0100 +++ /work/SRC/openSUSE:12.3:Update/.git.1371.new/git.changes 2013-02-24 20:51:25.000000000 +0100 @@ -0,0 +1,1877 @@ +------------------------------------------------------------------- +Wed Feb 20 17:26:15 CET 2013 - tiwai(a)suse.de + +- updated to version 1.8.1.4: + * "git imap-send" talking over imaps:// did make sure it received a + valid certificate from the other end, but did not check if the + certificate matched the host it thought it was talking to. + + This fixes CVE-2013-0308, bnc#804730 + +------------------------------------------------------------------- +Sat Feb 16 02:19:25 UTC 2013 - douglarek(a)outlook.com + +- updated to version 1.8.1.3: + + * minor fixes and documentation updates. + + more details, please see here: + https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.3.txt + +------------------------------------------------------------------- +Wed Jan 30 01:57:15 UTC 2013 - douglarek(a)outlook.com + +- updated to version 1.8.1.2: + + * An element on GIT_CEILING_DIRECTORIES list that does not name the + real path to a directory (i.e. a symbolic link) could have caused + the GIT_DIR discovery logic to escape the ceiling. + + * Command line completion for "tcsh" emitted an unwanted space + after completing a single directory name. + + * Command line completion leaked an unnecessary error message while + looking for possible matches with paths in <tree-ish>. + + * "git archive" did not record uncompressed size in the header when + streaming a zip archive, which confused some implementations of unzip. + + * When users spelled "cc:" in lowercase in the fake "header" in the + trailer part, "git send-email" failed to pick up the addresses from + there. As e-mail headers field names are case insensitive, this + script should follow suit and treat "cc:" and "Cc:" the same way. + + Also contains various documentation fixes. + +------------------------------------------------------------------- +Thu Jan 17 02:08:43 UTC 2013 - douglarek(a)outlook.com + +- updated to version 1.8.1.1: + + * minor fixes and documentation updates. + + more details, please see here: + https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.1.txt + +------------------------------------------------------------------- +Tue Jan 1 15:18:58 UTC 2013 - douglarek(a)outlook.com + +- updated to version 1.8.1: + + * a bit of features. + * other minor fixes and documentation updates since v1.8.0. + + more details, please see here: + https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.txt. + +------------------------------------------------------------------- +Fri Dec 14 00:46:08 UTC 2012 - douglarek(a)outlook.com + +- updated to version 1.8.0.2: + + * Various codepaths have workaround for a common misconfiguration to + spell "UTF-8" as "utf8", but it was not used uniformly. Most + notably, mailinfo (which is used by "git am") lacked this support. + + * We failed to mention a file without any content change but whose + permission bit was modified, or (worse yet) a new file without any + content in the "git diff --stat" output. + + * When "--stat-count" hides a diffstat for binary contents, the total + number of added and removed lines at the bottom was computed + incorrectly. + + * When "--stat-count" hides a diffstat for unmerged paths, the total + number of affected files at the bottom of the "diff --stat" output + was computed incorrectly. + + * "diff --shortstat" miscounted the total number of affected files + when there were unmerged paths. + + * "git p4" used to try expanding malformed "$keyword$" that spans + across multiple lines. + + * "git update-ref -d --deref SYM" to delete a ref through a symbolic + ref that points to it did not remove it correctly. + + * Syntax highlighting in "gitweb" was not quite working. + + Also contains other minor fixes and documentation updates. + +------------------------------------------------------------------- +Tue Nov 27 02:54:50 UTC 2012 - douglarek(a)outlook.com + +- updated to version 1.8.0.1: + + * a bit of features. + + * other minor fixes and documentation updates since v1.8.0. + + more details, please see here: + https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.0.1.txt. + +------------------------------------------------------------------- +Mon Oct 22 12:21:08 UTC 2012 - douglarek(a)outlook.com + +- updated to version 1.8.0: + + * a lot of features. + + * minor documentation updates and code clean-ups. + + * all the fixes since v1.7.12. + + more details, please see here: + https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.0.txt. + +------------------------------------------------------------------- +Thu Oct 18 14:50:30 UTC 2012 - douglarek(a)outlook.com + +- updated to version 1.7.12.4: + + * "git fetch" over the dumb-http revision walker could segfault when + curl's multi interface was used. + + * It was possible to give specific paths for "asciidoc" and other + tools in the documentation toolchain, but not for "xmlto". + + * "gitweb" did not give the correct committer timezone in its feed + output due to a typo. + + * The "-Xours" (and similarly -Xtheirs) backend option to "git + merge -s recursive" was ignored for binary files. Now it is + honored. + + * The "binary" synthetic attribute made "diff" to treat the path as + binary, but not "merge". + + Also contains many documentation updates. + +------------------------------------------------------------------- +Thu Oct 11 00:19:07 CST 2012 - douglarek(a)outlook.com + +- updated to version 1.7.12.3: + + * "git am" mishandled a patch attached as application/octet-stream + (e.g. not text/*); Content-Transfer-Encoding (e.g. base64) was not + honored correctly. + + * It was unclear in the documentation for "git blame" that it is + unnecessary for users to use the "--follow" option. + + * A repository created with "git clone --single" had its fetch + refspecs set up just like a clone without "--single", leading the + subsequent "git fetch" to slurp all the other branches, defeating + the whole point of specifying "only this branch". + + * "git fetch" over http had an old workaround for an unlikely server + misconfiguration; it turns out that this hurts debuggability of the + configuration in general, and has been reverted. + + * "git fetch" over http advertised that it supports "deflate", which + is much less common, and did not advertise the more common "gzip" on + its Accept-Encoding header. + + * "git receive-pack" (the counterpart to "git push") did not give + progress output while processing objects it received to the puser + when run over the smart-http protocol. + + * "git status" honored the ignore=dirty settings in .gitmodules but + "git commit" didn't. + + Also contains a handful of documentation updates. + +------------------------------------------------------------------- +Mon Oct 8 20:50:47 UTC 2012 - schwab(a)linux-m68k.org + +- Use ./.make also in %check to test exactly what was built +- Avoid duplicate file warnings + +------------------------------------------------------------------- +Thu Oct 4 22:29:10 CST 2012 - douglarek(a)outlook.com + +- updated to version 1.7.12.2: + + * When "git am" is fed an input that has multiple "Content-type: ..." + header, it did not grok charset= attribute correctly. + ++++ 1680 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.3:Update/.git.1371.new/git.changes New: ---- apache2-gitweb.conf completion-wordbreaks.diff git-1.8.1.4.tar.gz git-bash-completion-egrep-color-fix.diff git-daemon.init git-prevent_xss-default.diff git-python-install-fix.diff git.changes git.spec git.xinetd susefirewall-git-daemon sysconfig.git-daemon usr.share.git-web.gitweb.cgi ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ git.spec ++++++ # # spec file for package git # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %define gitexecdir %_libexecdir/git %define _fwdefdir /etc/sysconfig/SuSEfirewall2.d/services Name: git BuildRequires: asciidoc BuildRequires: curl BuildRequires: fdupes BuildRequires: libcurl-devel BuildRequires: libexpat-devel BuildRequires: libopenssl-devel BuildRequires: perl-Error BuildRequires: python BuildRequires: sgml-skel BuildRequires: xmlto Version: 1.8.1.4 Release: 0 Summary: Fast, scalable, distributed revision control system License: GPL-2.0 Group: Development/Tools/Version Control Url: http://git-scm.com Source0: http://git-core.googlecode.com/files/%name-%{version}.tar.gz Source1: apache2-gitweb.conf Source2: sysconfig.git-daemon Source3: git-daemon.init Source4: git.xinetd Source5: usr.share.git-web.gitweb.cgi Source6: susefirewall-git-daemon Patch2: git-python-install-fix.diff Patch3: completion-wordbreaks.diff # CVE-2011-2186, bnc#698456 Patch4: git-prevent_xss-default.diff # fix broken bash copmletion with colored egrep (bnc#779536) Patch5: git-bash-completion-egrep-color-fix.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires: git-core = %{version} Recommends: git-svn git-cvs git-email gitk git-gui git-web Suggests: git-daemon %description Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. This package itself only provides the README of git but with the packages it requires, it brings you a complete Git environment including GTK and email interfaces and tools for importing source code repositories from other revision control systems such as subversion, CVS, and GNU arch. %package core Summary: Core git tools Group: Development/Tools/Version Control Requires: less Requires: openssh Requires: perl-Error Requires: perl-base = %{perl_version} Requires: rsync %description core Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. These are the core tools with minimal dependencies. %package svn Summary: Git tools for importing Subversion repositories Group: Development/Tools/Version Control Requires: git-core = %{version} Requires: subversion Requires: subversion-perl %description svn Tools for importing Subversion repositories to the Git version control system. %package cvs Summary: Git tools for importing CVS repositories Group: Development/Tools/Version Control Requires: cvs Requires: cvsps Requires: git-core = %{version} Requires: perl-DBD-SQLite %description cvs Tools for importing CVS repositories to the Git version control system. %package arch Summary: Git tools for importing Arch repositories Group: Development/Tools/Version Control Requires: git-core = %{version} # Requires: tla %description arch Tools for importing GNU Arch repositories to the GIT version control system. %package email Summary: Git tools for sending email Group: Development/Tools/Version Control Requires: git-core = %{version} # For sending mails over secure SMTP: Recommends: perl-Net-SMTP-SSL, perl-Authen-SASL %description email Email interface for the GIT version control system. %package daemon Summary: Simple Server for Git Repositories Group: Development/Tools/Version Control Requires: git-core = %{version} PreReq: /usr/sbin/useradd %fillup_prereq %insserv_prereq %description daemon A really simple TCP git daemon. In the default configuration it allows read only access to repositories in /srv/git/ that contain the 'git-daemon-export-ok' file. %package -n gitk Summary: Git revision tree visualiser Group: Development/Tools/Version Control Requires: git-core = %{version} Requires: tk >= 8.4 Supplements: packageand(git-core:tk) %description -n gitk Grapical tool for visualization of revision trees of projects maintained in the Git version control system. It name gitk indicates that it's written using the Tk Widget set. A simple Tk based graphical interface for common Git operations is found in the package git-gui. %package gui Summary: Grapical tool for common git operations Group: Development/Tools/Version Control Requires: git-core = %{version} Requires: tk >= 8.4 Supplements: packageand(git-core:tk) %description gui A Tcl/Tk based graphical user interface to Git. git-gui focuses on allowing users to make changes to their repository by making new commits, amending existing ones, creating branches, performing local merges, and fetching/pushing to remote repositories. Unlike gitk, git-gui focuses on commit generation and single file annotation, and does not show project history. It does however supply menu actions to start a gitk session from within git-gui. %package web Summary: Git Web Interface Group: Development/Tools/Version Control Requires: git-core = %{version} Supplements: packageand(git-core:apache2) %description web CGI script that allows browsing git repositories via web interface. The apache2 configuration contained in this package installs a virtual directory /git/ that calls the cgi script. %package remote-helpers Summary: Python package for remote helper scripts Group: Development/Tools/Version Control Requires: git-core = %{version} Requires: python %description remote-helpers This package contains the building blocks for remote helpers written in Python. %prep %setup -q %patch2 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %build cat > .make <<'EOF' #!/bin/bash make %{_smp_mflags} CFLAGS="$RPM_OPT_FLAGS" \ GITWEB_CONFIG="/etc/gitweb.conf" \ GITWEB_PROJECTROOT="/srv/git" \ WITH_OWN_SUBPROCESS_PY=YesPlease \ DESTDIR=$RPM_BUILD_ROOT \ NO_CROSS_DIRECTORY_HARDLINKS=1 \ NO_INSTALL_HARDLINKS=1 \ V=1 \ prefix=%{_prefix} mandir=%{_mandir} \ gitexecdir=%{gitexecdir} \ htmldir=%{_docdir}/git-core \ "$@" EOF # chmod 755 .make ./.make all %{?_smp_mflags} %{!?_without_docs: ./.make doc} %install ./.make install %{!?_without_docs: install-doc} ### git-web cp gitweb/INSTALL INSTALL.gitweb cp gitweb/README README.gitweb install -d %{buildroot}/usr/share/git-web install -d %{buildroot}/etc/apache2/conf.d install -m 644 %{SOURCE1} $RPM_BUILD_ROOT/etc/apache2/conf.d/gitweb.conf ### git-daemon install -d -m 755 $RPM_BUILD_ROOT/etc/init.d install -m 755 %{SOURCE3} $RPM_BUILD_ROOT/etc/init.d/git-daemon install -d -m 755 $RPM_BUILD_ROOT%{_sbindir} ln -s ../../etc/init.d/git-daemon $RPM_BUILD_ROOT%{_sbindir}/rcgit-daemon install -d -m 755 $RPM_BUILD_ROOT/var/adm/fillup-templates install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.git-daemon install -d -m 755 $RPM_BUILD_ROOT/srv/git install -d -m 755 $RPM_BUILD_ROOT/etc/xinetd.d install -m 644 %{S:4} $RPM_BUILD_ROOT/etc/xinetd.d/git mkdir -p $RPM_BUILD_ROOT/%{_fwdefdir} install -m 644 %{S:6} $RPM_BUILD_ROOT/%{_fwdefdir}/git-daemon ### (find $RPM_BUILD_ROOT%{_bindir} -type f -o -type l | grep -vE "archimport|svn|cvs|email|gitk|daemon|gui" | sed -e s@^$RPM_BUILD_ROOT@@) > bin-man-doc-files (find $RPM_BUILD_ROOT%{gitexecdir} ! -type d | grep -vE "archimport|svn|cvs|email|gitk|daemon|gui" | sed -e s@^$RPM_BUILD_ROOT@@) >> bin-man-doc-files (find $RPM_BUILD_ROOT%{_mandir} $RPM_BUILD_ROOT/Documentation -type f | grep -vE "archimport|svn|git-cvs|email|gitk|daemon|gui" | sed -e s@^$RPM_BUILD_ROOT@@ -e 's/$/*/' ) >> bin-man-doc-files ( pushd perl perl Makefile.PL make -f perl.mak DESTDIR=%{buildroot} install_vendor ) rm -rf %{buildroot}/usr/lib/perl5/site_perl %perl_process_packlist find $RPM_BUILD_ROOT/%_mandir -type f -print0 | xargs -0 chmod 644 install -m 644 -D contrib/completion/git-completion.bash $RPM_BUILD_ROOT/etc/bash_completion.d/git.sh install -m 644 -D contrib/completion/git-prompt.sh $RPM_BUILD_ROOT/etc/bash_completion.d/git-prompt.sh # # apparmor profile for git-web # install -d -m 755 $RPM_BUILD_ROOT/etc/apparmor.d install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc/apparmor.d # # create predictable symlinks to make apparmor profile work for i in git git-upload-archive git-receive-pack; do rm $RPM_BUILD_ROOT%{_bindir}/$i ln -s %{gitexecdir}/git-add $RPM_BUILD_ROOT%{_bindir}/$i done if ! test -f $RPM_BUILD_ROOT%{gitexecdir}/git-add; then echo "git-add is not a regular file, apparmor profile won't work!" >&2 exit 1 fi %find_lang %{name} cat %{name}.lang >>bin-man-doc-files # use symlinks instead of hardlinks in sub-commands %fdupes -s $RPM_BUILD_ROOT %check ./.make %{?_smp_mflags} test %pre daemon if ! /usr/bin/getent passwd git-daemon >/dev/null; then /usr/sbin/useradd -r -d /var/lib/empty -s /bin/false -c "git daemon" -g nogroup git-daemon || : fi %post daemon %{fillup_and_insserv -n git-daemon} %postun daemon %{insserv_cleanup} %preun daemon %stop_on_removal %files %defattr(-,root,root) %doc README %files svn %defattr(-,root,root) %{gitexecdir}/*svn* %doc Documentation/*svn*.txt %{!?_without_docs: %{_mandir}/man1/*svn*.1*} %{!?_without_docs: %doc Documentation/*svn*.html } %files cvs %defattr(-,root,root) %doc Documentation/*git-cvs*.txt %{_bindir}/git-cvs* %{gitexecdir}/*cvs* %{!?_without_docs: %{_mandir}/man1/*cvs*.1*} %{!?_without_docs: %doc Documentation/*git-cvs*.html } %files arch %defattr(-,root,root) %doc Documentation/git-archimport.txt %{gitexecdir}/git-archimport %{!?_without_docs: %{_mandir}/man1/git-archimport.1*} %{!?_without_docs: %doc Documentation/git-archimport.html } %files email %defattr(-,root,root) %doc Documentation/*email*.txt %{gitexecdir}/*email* %{!?_without_docs: %{_mandir}/man1/*email*.1*} %{!?_without_docs: %doc Documentation/*email*.html } %files daemon %defattr(-,root,root) %doc Documentation/*daemon*.txt %{gitexecdir}/*daemon* /etc/init.d/git-daemon %{_sbindir}/rcgit-daemon %dir /srv/git /var/adm/fillup-templates/sysconfig.git-daemon %{!?_without_docs: %{_mandir}/man1/*daemon*.1*} %{!?_without_docs: %doc Documentation/*daemon*.html } %config(noreplace) /etc/xinetd.d/git %config %{_fwdefdir}/* %files -n gitk %defattr(-,root,root) %doc Documentation/*gitk*.txt %{_bindir}/gitk /usr/share/gitk %{!?_without_docs: %{_mandir}/man1/*gitk*.1*} %{!?_without_docs: %doc Documentation/*gitk*.html } %files gui %defattr(-,root,root) %doc Documentation/*gui*.txt %{gitexecdir}/git-gui* /usr/share/git-gui %{!?_without_docs: %{_mandir}/man1/*gui*.1*} %{!?_without_docs: %doc Documentation/*gui*.html } %files web %defattr(-,root,root) %doc README.gitweb INSTALL.gitweb %dir /etc/apache2 %dir /etc/apache2/conf.d %config(noreplace) /etc/apache2/conf.d/gitweb.conf /usr/share/gitweb /etc/apparmor.d %files remote-helpers %defattr(-,root,root) %if %suse_version >= 1120 %python_sitelib/* %else %py_sitedir/* %endif %files core -f bin-man-doc-files %defattr(-,root,root) %{_datadir}/git-core/ %dir %{gitexecdir} %dir %{gitexecdir}/mergetools %doc README COPYING Documentation/*.txt %{!?_without_docs: %doc Documentation/*.html } %if 0%{?suse_version} < 1140 /var/adm/perl-modules/%{name} %endif %{perl_vendorlib}/Git.pm %{perl_vendorlib}/Git/ %{perl_vendorarch}/auto/Git/ /etc/bash_completion.d/*.sh %changelog ++++++ apache2-gitweb.conf ++++++ Alias /git "/usr/share/gitweb/" <Directory "/usr/share/gitweb"> Options ExecCGI AllowOverride None AddHandler cgi-script .cgi DirectoryIndex gitweb.cgi Order allow,deny Allow from all </Directory> ++++++ completion-wordbreaks.diff ++++++ --- contrib/completion/git-completion.bash | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) --- a/contrib/completion/git-completion.bash +++ b/contrib/completion/git-completion.bash @@ -23,10 +23,12 @@ # 3) Consider changing your PS1 to also show the current branch, # see git-prompt.sh for details. -case "$COMP_WORDBREAKS" in -*:*) : great ;; -*) COMP_WORDBREAKS="$COMP_WORDBREAKS:" -esac +# SUSE-specific: We trust the system is consistent and do not let individual +# scripts play ping-pong with the global $COMP_WORDBREAKS value. +#case "$COMP_WORDBREAKS" in +#*:*) : great ;; +#*) COMP_WORDBREAKS="$COMP_WORDBREAKS:" +#esac # __gitdir accepts 0 or 1 arguments (i.e., location) # returns location of .git repo ++++++ git-bash-completion-egrep-color-fix.diff ++++++ --- contrib/completion/git-completion.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/contrib/completion/git-completion.bash +++ b/contrib/completion/git-completion.bash @@ -538,7 +538,7 @@ __git_commands () { then printf "%s" "${GIT_TESTING_COMMAND_COMPLETION}" else - git help -a|egrep '^ [a-zA-Z0-9]' + git help -a|egrep --color=never '^ [a-zA-Z0-9]' fi } ++++++ git-daemon.init ++++++ #!/bin/sh # # SUSE system startup script for git-daemon # Copyright (C) 1995-2008 SUSE / Novell Inc. # # This library is free software; you can redistribute it and/or modify it # under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation; either version 2.1 of the License, or (at # your option) any later version. # # This library is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public # License along with this library; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, # USA. # # /etc/init.d/git-daemon # and its symbolic link # /usr/sbin/rcgit-daemon # ### BEGIN INIT INFO # Provides: git-daemon # Required-Start: $syslog $remote_fs $network # Required-Stop: $syslog $remote_fs # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: server for git repositories # Description: server for git repositories ### END INIT INFO if test -x /usr/lib64/git/git-daemon; then git_daemon=/usr/lib64/git/git-daemon elif test -x /usr/lib/git/git-daemon; then git_daemon=/usr/lib/git/git-daemon else echo "git-daemon not installed" if [ "$1" = "stop" ]; then exit 0 else exit 5 fi fi pidfile=/var/run/git-daemon.pid # Check for existence of needed config file and read it git_daemon_config=/etc/sysconfig/git-daemon test -r $git_daemon_config || { echo "$git_daemon_config not existing"; if [ "$1" = "stop" ]; then exit 0; else exit 6; fi; } # Read config . $git_daemon_config : ${GIT_DAEMON_BASE_PATH:=/srv/git} : ${GIT_DAEMON_USER:=git-daemon} : ${GIT_DAEMON_GROUP:=nogroup} . /etc/rc.status # Reset status of this service rc_reset case "$1" in start) echo -n "Starting git-daemon " /sbin/startproc -p $pidfile $git_daemon \ --syslog \ --detach \ --reuseaddr \ --user=${GIT_DAEMON_USER} \ --group=${GIT_DAEMON_GROUP} \ --pid-file=$pidfile \ --base-path="$GIT_DAEMON_BASE_PATH" \ $GIT_DAEMON_ARGS rc_status -v ;; stop) echo -n "Shutting down git-daemon " /sbin/killproc -p $pidfile $git_daemon -TERM rc_status -v ;; try-restart|condrestart) if test "$1" = "condrestart"; then echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}" fi $0 status if test $? = 0; then $0 restart else rc_reset # Not running is not a failure. fi rc_status ;; restart) ## Stop the service and regardless of whether it was ## running or not, start it again. $0 stop $0 start # Remember status and be quiet rc_status ;; force-reload) $0 try-restart rc_status ;; reload) echo -n "Reload service git-daemon " ## does not support reload rc_failed 3 rc_status -v ;; status) echo -n "Checking for service git-daemon " /sbin/checkproc -p $pidfile $git_daemon rc_status -v ;; probe) test $git_daemon_config -nt $pidfile && echo reload ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" exit 1 ;; esac rc_exit ++++++ git-prevent_xss-default.diff ++++++ From: Jakub Narebski <jnareb@...il.com> Subject: [PATCH] gitweb: Enable $prevent_xss by default This fixes issue CVE-2011-2186 originally reported in https://launchpad.net/bugs/777804 Reported-by: dave b <db.pub.mail@...il.com> Signed-off-by: Jakub Narebski <jnareb@...il.com> --- git-instaweb.sh | 4 ++++ gitweb/README | 5 +++-- gitweb/gitweb.perl | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) --- a/git-instaweb.sh +++ b/git-instaweb.sh @@ -583,6 +583,10 @@ our \$git_temp = "$fqgitdir/gitweb/tmp"; our \$projects_list = \$projectroot; +# we can trust our own repository, so disable XSS prevention +# to enable some extra features +our \$prevent_xss = 0; + \$feature{'remote_heads'}{'default'} = [1]; EOF } --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -170,7 +170,7 @@ # Disables features that would allow repository owners to inject script into # the gitweb domain. -our $prevent_xss = 0; +our $prevent_xss = 1; # Path to the highlight executable to use (must be the one from # http://www.andre-simon.de due to assumptions about parameters and output). ++++++ git-python-install-fix.diff ++++++ --- Makefile | 2 +- git_remote_helpers/Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) --- a/git_remote_helpers/Makefile +++ b/git_remote_helpers/Makefile @@ -29,7 +29,7 @@ $(QUIET)$(PYTHON_PATH) $(pysetupfile) $(QUIETSETUP) build install: $(pysetupfile) - $(PYTHON_PATH) $(pysetupfile) install --prefix $(DESTDIR_SQ)$(prefix) + $(PYTHON_PATH) $(pysetupfile) install --prefix $(prefix) --root $(DESTDIR_SQ) instlibdir: $(pysetupfile) @echo "$(DESTDIR_SQ)$(prefix)/$(PYLIBDIR)" --- a/Makefile +++ b/Makefile @@ -1800,7 +1800,7 @@ $(patsubst %.py,%,$(SCRIPT_PYTHON)): % : %.py $(QUIET_GEN)$(RM) $@ $@+ && \ INSTLIBDIR=`MAKEFLAGS= $(MAKE) -C git_remote_helpers -s \ - --no-print-directory prefix='$(prefix_SQ)' DESTDIR='$(DESTDIR_SQ)' \ + --no-print-directory prefix='$(prefix_SQ)' DESTDIR=\ instlibdir` && \ sed -e '1s|#!.*python|#!$(PYTHON_PATH_SQ)|' \ -e 's|$os\.getenv("GITPYTHONLIB"$[^)]*)|\1,"@@INSTLIBDIR@@")|' \ ++++++ git.xinetd ++++++ # default: off # description: The git server offers access to git repositories service git { disable = yes socket_type = stream protocol = tcp wait = no user = git-daemon group = nogroup server = /usr/bin/git server_args = daemon --syslog --inetd --base-path=/srv/git type = UNLISTED port = 9418 log_on_failure += USERID } ++++++ susefirewall-git-daemon ++++++ ## Name: git-daemon ## Description: Open ports for git-daemon TCP="git" ++++++ sysconfig.git-daemon ++++++ ## Path: Network/git-daemon ## Description: git daemon configuration ## ServiceRestart: git-daemon ## Type: string ## Default: # # base path for exported directories # # defaults to "/srv/git" if not set # GIT_DAEMON_BASE_PATH="" ## Type: string ## Default: # # additional arguments for git-daemon. See manual page GIT_DAEMON_ARGS="" ## Type: string ## Default: # # defaults to "git-daemon" if not set # # User to run git-daemon as. GIT_DAEMON_USER="" ## Type: string ## Default: # # defaults to "nogroup" if not set # # Group to run git-daemon as. GIT_DAEMON_GROUP="" ++++++ usr.share.git-web.gitweb.cgi ++++++ # Last Modified: Fri Dec 19 11:03:49 2008 #include <tunables/global> /usr/share/gitweb/gitweb.cgi { #include <abstractions/base> #include <abstractions/bash> #include <abstractions/nameservice> #include <abstractions/perl> /bin/bash rix, /dev/tty rw, /etc/gitweb.conf r, /etc/mime.types r, /proc/meminfo r, /proc/sys/kernel/ngroups_max r, /srv/git/ r, /srv/git/** r, /usr/bin/perl ix, /usr/lib/git/git rix, /usr/bin/git-receive-pack rix, /usr/share/gitweb/* r, /usr/share/gitweb/static/* r, } -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit patchinfo.1369 for openSUSE:12.3:Update
by root＠hilbert.suse.de 24 Feb '13

24 Feb '13

Hello community, here is the log from the commit of package patchinfo.1369 for openSUSE:12.3:Update checked in at 2013-02-24 20:51:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3:Update/patchinfo.1369 (Old) and /work/SRC/openSUSE:12.3:Update/.patchinfo.1369.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "patchinfo.1369", Maintainer is "" Changes: -------- New Changes file: NO CHANGES FILE!!! New: ---- _patchinfo ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _patchinfo ++++++ <patchinfo incident="1369"> <packager>jeff_mahoney</packager> <issue tracker="bnc" id="802347">sunrpc panics in xprt_alloc_slot</issue> <issue tracker="bnc" id="804367">openSUSE 12.2 stable kernel 3.7.8 big USB 2.0 slowdown</issue> <issue tracker="bnc" id="804482">disable pstore by default</issue> <category>recommended</category> <rating>moderate</rating> <summary>kernel: update to 3.7.9</summary> <description> The Linux kernel was updated to 3.7.9. - Update Xen patches to 3.7.9 and c/s 1224. - Disable efi pstore by default (bnc#804482). - Revert "USB: EHCI: remove ASS/PSS polling timeout" (bnc#804367). - drm/nouveau/vm: fix memory corruption when pgt allocation fails (bnc#802347). - Linux 3.7.9. - Linux 3.7.8. - Update Xen patches to 3.7.9 and c/s 1224. - Disable efi pstore by default (bnc#804482). - Revert "USB: EHCI: remove ASS/PSS polling timeout" (bnc#804367). - drm/nouveau/vm: fix memory corruption when pgt allocation fails (bnc#802347). </description> <reboot_needed/> </patchinfo> -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0