Fixes for 3 security bugs. See bug #171889 for full details. Also, fixed bug #164703 by GNUtoo -- we now create a /var/lib/krb5kdc directory so that a kdc database is created more easily

(Portage version: 2.1.2.3)
author: Seemant Kulleen <seemant@gentoo.org> 2007-04-03 20:19:13 +0000
committer: Seemant Kulleen <seemant@gentoo.org> 2007-04-03 20:19:13 +0000
commit: 3db5b0249fa2f7bed345f384f2b520f319e60b75 (patch)
tree: e9f87b848997232878b3f73870082229a0cf5228 /app-crypt
parent: Fixed bug #172687, hopefully. (diff)
download: gentoo-2-3db5b0249fa2f7bed345f384f2b520f319e60b75.tar.gz
gentoo-2-3db5b0249fa2f7bed345f384f2b520f319e60b75.tar.bz2
gentoo-2-3db5b0249fa2f7bed345f384f2b520f319e60b75.zip
6 files changed, 1043 insertions, 1 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog
index 38218deab590..afefa04781f9 100644
--- a/app-crypt/mit-krb5/ChangeLog
+++ b/app-crypt/mit-krb5/ChangeLog
@@ -1,6 +1,16 @@
 # ChangeLog for app-crypt/mit-krb5
 # Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.146 2007/01/15 18:55:34 kloeri Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.147 2007/04/03 20:19:13 seemant Exp $
+
+*mit-krb5-1.5.2-r1 (03 Apr 2007)
+
+  03 Apr 2007; Seemant Kulleen <seemant@gentoo.org>
+  +files/mit-krb5-SA-2007-001-telnetd.patch,
+  +files/mit-krb5-SA-2007-002-syslog.patch,
+  +files/mit-krb5-SA-2007-003.patch, +mit-krb5-1.5.2-r1.ebuild:
+  Fixes for 3 security bugs. See bug #171889 for full details. Also, fixed bug
+  #164703 by GNUtoo -- we now create a /var/lib/krb5kdc directory so that a
+  kdc database is created more easily
 
   15 Jan 2007; Bryan Østergaard <kloeri@gentoo.org> mit-krb5-1.5.2.ebuild:
   Stable on Alpha, bug 158810.
diff --git a/app-crypt/mit-krb5/files/digest-mit-krb5-1.5.2-r1 b/app-crypt/mit-krb5/files/digest-mit-krb5-1.5.2-r1
new file mode 100644
index 000000000000..acc96e7682b6
--- /dev/null
+++ b/app-crypt/mit-krb5/files/digest-mit-krb5-1.5.2-r1
@@ -0,0 +1,3 @@
+MD5 4d1452f775281f5da62e8fde0b517692 krb5-1.5.2-signed.tar 10086400
+RMD160 b8eca92373155eac0661721f0c65777673d4654e krb5-1.5.2-signed.tar 10086400
+SHA256 1db46e506fbc0b1a274cb00c3fda5b5e4de832ce40c209e4f6603adcdf2e770e krb5-1.5.2-signed.tar 10086400
diff --git a/app-crypt/mit-krb5/files/mit-krb5-SA-2007-001-telnetd.patch b/app-crypt/mit-krb5/files/mit-krb5-SA-2007-001-telnetd.patch
new file mode 100644
index 000000000000..a4d361445470
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-SA-2007-001-telnetd.patch
@@ -0,0 +1,56 @@
+diff -urN krb5-1.5.2.orig/src/appl/telnet/telnetd/state.c krb5-1.5.2/src/appl/telnet/telnetd/state.c
+--- krb5-1.5.2.orig/src/appl/telnet/telnetd/state.c	2006-06-15 18:42:53.000000000 -0400
++++ krb5-1.5.2/src/appl/telnet/telnetd/state.c	2007-03-28 18:05:19.000000000 -0400
+@@ -1665,7 +1665,8 @@
+ 	    strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
+ 	    strcmp(varp, "NLSPATH") && /* locale stuff */
+ 	    strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
+-	    strcmp(varp, "IFS")) {
++	    strcmp(varp, "IFS") &&
++		!strchr(varp, '-')) {
+ 		return 1;
+ 	} else {
+ 		syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
+diff -urN krb5-1.5.2.orig/src/appl/telnet/telnetd/sys_term.c krb5-1.5.2/src/appl/telnet/telnetd/sys_term.c
+--- krb5-1.5.2.orig/src/appl/telnet/telnetd/sys_term.c	2002-11-15 15:21:51.000000000 -0500
++++ krb5-1.5.2/src/appl/telnet/telnetd/sys_term.c	2007-03-28 18:10:59.000000000 -0400
+@@ -1287,6 +1287,16 @@
+ #endif
+ #if	defined (AUTHENTICATION)
+ 	if (auth_level >= 0 && autologin == AUTH_VALID) {
++		if (name[0] == '-') {
++			/* Authenticated and authorized to log in to an account
++			 * starting with '-'?  Even if that unlikely case comes
++			 * to pass, the current program will not patse the
++			 * resulting command line properly.
++			 */
++			syslog(LOG_ERR, "user name can not start with '-'");
++			fatal(net, "user name can not start with '-'");
++			exit(1);
++		}
+ # if	!defined(NO_LOGIN_F)
+ #if	defined(LOGIN_CAP_F)
+ 		argv = addarg(argv, "-F");
+@@ -1377,12 +1387,20 @@
+ 	} else
+ #endif
+ 	if (getenv("USER")) {
+-		argv = addarg(argv, getenv("USER"));
++		char *user = getenv("USER");
++		if (user[0] == '-') {
++			/* "telnet -l-x ..." */
++			syslog(LOG_ERR, "user name cannot start with '-'");
++			fatal(net, "user name cannot start with '-'");
++			exit(1);
++		}
++		argv = addarg(argv, user);
+ #if	defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
+ 		{
+ 			register char **cpp;
+ 			for (cpp = environ; *cpp; cpp++)
+-				argv = addarg(argv, *cpp);
++				if ((*cpp[0] != '-')
++					argv = addarg(argv, *cpp);
+ 		}
+ #endif
+ 		/*
diff --git a/app-crypt/mit-krb5/files/mit-krb5-SA-2007-002-syslog.patch b/app-crypt/mit-krb5/files/mit-krb5-SA-2007-002-syslog.patch
new file mode 100644
index 000000000000..3fb2211f657d
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-SA-2007-002-syslog.patch
@@ -0,0 +1,857 @@
+diff -urN krb5-1.5.2.orig/src/kadmin/server/kadm_rpc_svc.c krb5-1.5.2/src/kadmin/server/kadm_rpc_svc.c
+--- krb5-1.5.2.orig/src/kadmin/server/kadm_rpc_svc.c	2006-03-31 22:08:17.000000000 -0500
++++ krb5-1.5.2/src/kadmin/server/kadm_rpc_svc.c	2007-03-28 18:17:57.000000000 -0400
+@@ -250,6 +250,8 @@
+      krb5_data *c1, *c2, *realm;
+      gss_buffer_desc gss_str;
+      kadm5_server_handle_t handle;
++	 size_t slen;
++	 char *sdots;
+ 
+      success = 0;
+      handle = (kadm5_server_handle_t)global_server_handle;
+@@ -274,6 +276,9 @@
+      if (ret == 0)
+ 	  goto fail_name;
+ 
++	 slen = gss_str.length;
++	 trunc_name(&slen, &sdots);
++
+      /*
+       * Since we accept with GSS_C_NO_NAME, the client can authenticate
+       * against the entire kdb.  Therefore, ensure that the service
+@@ -296,8 +301,8 @@
+ 
+ fail_princ:
+      if (!success) {
+-	 krb5_klog_syslog(LOG_ERR, "bad service principal %.*s",
+-			  gss_str.length, gss_str.value);
++	 krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s",
++			  slen, gss_str.value, sdots);
+      }
+      gss_release_buffer(&min_stat, &gss_str);
+      krb5_free_principal(kctx, princ);
+diff -urN krb5-1.5.2.orig/src/kadmin/server/misc.c krb5-1.5.2/src/kadmin/server/misc.c
+--- krb5-1.5.2.orig/src/kadmin/server/misc.c	2006-03-11 17:23:28.000000000 -0500
++++ krb5-1.5.2/src/kadmin/server/misc.c	2007-03-28 18:19:44.000000000 -0400
+@@ -171,3 +171,12 @@
+ 
+     return kadm5_free_principal_ent(handle->lhandle, &princ);
+ }
++
++#define MAXPRINCLEN 125
++
++void
++trunc_name(size_t *len, char **dots)
++{
++	*dots = *len > MAXPRINCLEN ? "..." : "";
++	*len = *len > MAXPRINCLEN ? MAXPRINCLEN : *len;
++}
+diff -urN krb5-1.5.2.orig/src/kadmin/server/misc.h krb5-1.5.2/src/kadmin/server/misc.h
+--- krb5-1.5.2.orig/src/kadmin/server/misc.h	2005-10-12 00:09:19.000000000 -0400
++++ krb5-1.5.2/src/kadmin/server/misc.h	2007-03-28 18:20:15.000000000 -0400
+@@ -45,3 +45,5 @@
+ #ifdef SVC_GETARGS
+ void  kadm_1(struct svc_req *, SVCXPRT *);
+ #endif
++
++void trunc_name(size_t *len, char **dots);
+diff -urN krb5-1.5.2.orig/src/kadmin/server/ovsec_kadmd.c krb5-1.5.2/src/kadmin/server/ovsec_kadmd.c
+--- krb5-1.5.2.orig/src/kadmin/server/ovsec_kadmd.c	2007-01-09 20:08:20.000000000 -0500
++++ krb5-1.5.2/src/kadmin/server/ovsec_kadmd.c	2007-03-28 18:29:19.000000000 -0400
+@@ -989,6 +989,8 @@
+      rpcproc_t proc;
+      int i;
+      const char *procname;
++	 size_t clen, slen;
++	 char *cdots, *sdots;
+ 
+      client.length = 0;
+      client.value = NULL;
+@@ -997,10 +999,20 @@
+ 
+      (void) gss_display_name(&minor, client_name, &client, &gss_type);
+      (void) gss_display_name(&minor, server_name, &server, &gss_type);
+-     if (client.value == NULL)
+-	 client.value = "(null)";
+-     if (server.value == NULL)
+-	 server.value = "(null)";
++     if (client.value == NULL) {
++	 	 client.value = "(null)";
++		 clen = sizeof("(null)") - 1;
++	 } else {
++	 	 clen = client.length;
++	 }
++	 trunc_name(&clen, &cdots);
++     if (server.value == NULL) {
++	 	 server.value = "(null)";
++		 slen = sizeof("(null)") - 1;
++	 } else {
++	 	 slen = server.length;
++	 }
++	 trunc_name(&slen, &sdots);
+      a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
+ 
+      proc = msg->rm_call.cb_proc;
+@@ -1013,14 +1025,14 @@
+      }
+      if (procname != NULL)
+ 	  krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
+-			   "claimed client = %s, server = %s, addr = %s",
+-			   procname, client.value,
+-			   server.value, a);
++			   "claimed client = %.*s%s, server = %.*s%s, addr = %s",
++			   procname, clen, client.value, cdots,
++			   slen, server.value, sdots, a);
+      else
+ 	  krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
+-			   "claimed client = %s, server = %s, addr = %s",
+-			   proc, client.value,
+-			   server.value, a);
++			   "claimed client = %.*s%s, server = %.*s%s, addr = %s",
++			   proc, clen, client.value, cdots,
++			   slen, server.value, sdots, a);
+ 
+      (void) gss_release_buffer(&minor, &client);
+      (void) gss_release_buffer(&minor, &server);
+diff -urN krb5-1.5.2.orig/src/kadmin/server/schpw.c krb5-1.5.2/src/kadmin/server/schpw.c
+--- krb5-1.5.2.orig/src/kadmin/server/schpw.c	2006-04-13 14:58:56.000000000 -0400
++++ krb5-1.5.2/src/kadmin/server/schpw.c	2007-03-28 18:29:11.000000000 -0400
+@@ -40,6 +40,8 @@
+     int numresult;
+     char strresult[1024];
+     char *clientstr;
++	size_t clen;
++	char *cdots;
+ 
+     ret = 0;
+     rep->length = 0;
+@@ -258,9 +260,12 @@
+     free(ptr);
+     clear.length = 0;
+ 
+-    krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s",
++	clen = strlen(clientstr);
++	trunc_name(&clen, &cdots);
++    krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",
+ 		     inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),
+-		     clientstr, ret ? krb5_get_error_message (context, ret) : "success");
++		     clen, clientstr, cdots,
++			 ret ? krb5_get_error_message (context, ret) : "success");
+     krb5_free_unparsed_name(context, clientstr);
+ 
+     if (ret) {
+diff -urN krb5-1.5.2.orig/src/kadmin/server/server_stubs.c krb5-1.5.2/src/kadmin/server/server_stubs.c
+--- krb5-1.5.2.orig/src/kadmin/server/server_stubs.c	2006-04-13 14:58:56.000000000 -0400
++++ krb5-1.5.2/src/kadmin/server/server_stubs.c	2007-03-28 21:03:41.000000000 -0400
+@@ -14,6 +14,7 @@
+ #include <arpa/inet.h>  /* inet_ntoa */
+ #include <adm_proto.h>  /* krb5_klog_syslog */
+ #include "misc.h"
++#include <string.h>
+ 
+ #define LOG_UNAUTH  "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"
+ #define	LOG_DONE    "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
+@@ -237,6 +238,50 @@
+      return 0;
+ }
+ 
++static int
++log_unauth(char *op, char *target, gss_buffer_t client, gss_buffer_t server, struct svc_req *rqstp)
++{
++	size_t tlen, clen, slen;
++	char *tdots, *cdots, *sdots;
++
++	tlen = strlen(target);
++	trunc_name(&tlen, &tdots);
++	clen = client->length;
++	trunc_name(&clen, &cdots);
++	slen = server->length;
++	trunc_name(&slen, &sdots);
++
++	return krb5_klog_syslog(LOG_NOTICE,
++			"Unauthorized request: %s, %.*s%s, "
++			"client=%.*s%s, service=%.*s%s, addr=%s",
++			op, tlen, target, tdots,
++			clen, client->value, cdots,
++			slen, server->value, sdots,
++			inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++}
++
++static int
++log_done(char *op, char *target, char *errmsg, gss_buffer_t client, gss_buffer_t server, struct svc_req *rqstp)
++{
++	size_t tlen, clen, slen;
++	char *tdots, *cdots, *sdots;
++
++	tlen = strlen(target);
++	trunc_name(&tlen, &tdots);
++	clen = client->length;
++	trunc_name(&clen, &cdots);
++	slen = server->length;
++	trunc_name(&slen, &sdots);
++
++	return krb5_klog_syslog(LOG_NOTICE,
++			"Request: %s, %.*s%s, %s, "
++			"client=%.*s%s, service=%.*s%s, addr=%s",
++			op, tlen, target, tdots, errmsg,
++			clen, client->value, cdots,
++			slen, server->value, sdots,
++			inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++}
++
+ generic_ret *
+ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
+ {
+@@ -275,9 +320,8 @@
+ 	|| kadm5int_acl_impose_restrictions(handle->context,
+ 				   &arg->rec, &arg->mask, rp)) {
+ 	 ret.code = KADM5_AUTH_ADD;
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth("kadm5_create_principal", prime_arg,
++		&client_name, &service_name, rqstp);
+     } else {
+ 	 ret.code = kadm5_create_principal((void *)handle,
+ 						&arg->rec, arg->mask,
+@@ -287,10 +331,8 @@
+ 	 else
+ 	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
+-		prime_arg, errmsg,
+-		client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_done("kadm5_create_principal", prime_arg, errmsg,
++			&client_name, &service_name, rqstp);
+ 
+ 	 /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
+     }
+@@ -341,9 +383,8 @@
+ 	|| kadm5int_acl_impose_restrictions(handle->context,
+ 				   &arg->rec, &arg->mask, rp)) {
+ 	 ret.code = KADM5_AUTH_ADD;
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth("kadm5_create_principal", prime_arg,
++	 		 &client_name, &service_name, rqstp);
+     } else {
+ 	 ret.code = kadm5_create_principal_3((void *)handle,
+ 					     &arg->rec, arg->mask,
+@@ -355,10 +396,8 @@
+ 	 else
+ 	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
+-		prime_arg, errmsg,
+-		client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_done("kadm5_create_principal", prime_arg, errmsg,
++		&client_name, &service_name, rqstp);
+ 
+ 	 /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
+     }
+@@ -406,9 +445,8 @@
+ 	|| !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
+ 		      arg->princ, NULL)) {
+ 	 ret.code = KADM5_AUTH_DELETE;
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal",
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth("kadm5_delete_principal", prime_arg,
++	 		 &client_name, &service_name, rqstp);
+     } else {
+ 	 ret.code = kadm5_delete_principal((void *)handle, arg->princ);
+ 	 if( ret.code == 0 )
+@@ -416,10 +454,8 @@
+ 	 else
+ 	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal",
+-			  prime_arg, errmsg,
+-			  client_name.value, service_name.value,
+-			  inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_done("kadm5_delete_principal", prime_arg, errmsg,
++			  &client_name, &service_name, rqstp);
+ 
+ 	 /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
+     }
+@@ -469,9 +505,8 @@
+ 	|| kadm5int_acl_impose_restrictions(handle->context,
+ 				   &arg->rec, &arg->mask, rp)) {
+ 	 ret.code = KADM5_AUTH_MODIFY;
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal",
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth("kadm5_modify_principal", prime_arg,
++	 		 &client_name, &service_name, rqstp);
+     } else {
+ 	 ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
+ 						arg->mask);
+@@ -480,10 +515,8 @@
+ 	 else
+ 	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal",
+-			  prime_arg, errmsg,
+-			  client_name.value, service_name.value,
+-			  inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_done("kadm5_modify_principal", prime_arg, errmsg,
++			  &client_name, &service_name, rqstp);
+ 
+ 	 /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
+     }
+@@ -546,9 +579,8 @@
+     } else
+ 	 ret.code = KADM5_AUTH_INSUFFICIENT;
+     if (ret.code != KADM5_OK) {
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal",
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth("kadm5_rename_principal", prime_arg,
++	 		 &client_name, &service_name, rqstp);
+     } else {
+ 	 ret.code = kadm5_rename_principal((void *)handle, arg->src,
+ 						arg->dest);
+@@ -557,10 +589,8 @@
+ 	 else
+ 	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal",
+-		prime_arg, errmsg,
+-		client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_done("kadm5_rename_principal", prime_arg, errmsg,
++		&client_name, &service_name, rqstp);
+     }
+     free_server_handle(handle);
+     free(prime_arg1);
+@@ -614,9 +644,8 @@
+ 					       arg->princ,
+ 					       NULL))) {
+ 	 ret.code = KADM5_AUTH_GET;
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth(funcname, prime_arg,
++	 		 &client_name, &service_name, rqstp);
+     } else {
+ 	 if (handle->api_version == KADM5_API_VERSION_1) {
+ 	      ret.code  = kadm5_get_principal_v1((void *)handle,
+@@ -636,11 +665,8 @@
+ 	 else
+ 	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+-		prime_arg,  
+-		errmsg,
+-		client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_done(funcname, prime_arg,  errmsg,
++		&client_name, &service_name, rqstp);
+ 
+     }
+     free_server_handle(handle);
+@@ -688,9 +714,8 @@
+ 					      NULL,
+ 					      NULL)) {
+ 	 ret.code = KADM5_AUTH_LIST;
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals",
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth("kadm5_get_principals", prime_arg,
++	 		 &client_name, &service_name, rqstp);
+     } else {
+ 	 ret.code  = kadm5_get_principals((void *)handle,
+ 					       arg->exp, &ret.princs,
+@@ -700,11 +725,8 @@
+ 	 else
+ 	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals",
+-		prime_arg,  
+-		errmsg,
+-		client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_done("kadm5_get_principals", prime_arg, errmsg,
++		&client_name, &service_name, rqstp);
+ 
+     }
+     free_server_handle(handle);
+@@ -755,9 +777,8 @@
+ 	 ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
+ 						arg->pass);
+     } else {
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth("kadm5_chpass_principal", prime_arg,
++	 		 &client_name, &service_name, rqstp);
+ 	 ret.code = KADM5_AUTH_CHANGEPW;
+     }
+ 
+@@ -767,10 +788,8 @@
+ 	 else
+ 	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal", 
+-	       prime_arg, errmsg,
+-	       client_name.value, service_name.value,
+-	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	log_done("kadm5_chpass_principal", prime_arg, errmsg,
++	       &client_name, &service_name, rqstp);
+     }
+ 
+     free_server_handle(handle);
+@@ -828,9 +847,8 @@
+ 					     arg->ks_tuple,
+ 					     arg->pass);
+     } else {
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth("kadm5_chpass_principal", prime_arg,
++	 		 &client_name, &service_name, rqstp);
+ 	 ret.code = KADM5_AUTH_CHANGEPW;
+     }
+ 
+@@ -840,10 +858,8 @@
+ 	else
+ 	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal", 
+-	       prime_arg, errmsg, 
+-	       client_name.value, service_name.value,
+-	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	log_done("kadm5_chpass_principal", prime_arg, errmsg, 
++	       &client_name, &service_name, rqstp);
+     }
+ 
+     free_server_handle(handle);
+@@ -892,9 +908,8 @@
+ 	 ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
+ 					     arg->keyblock);
+     } else {
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal",
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth("kadm5_setv4key_principal", prime_arg,
++	 		 &client_name, &service_name, rqstp);
+ 	 ret.code = KADM5_AUTH_SETKEY;
+     }
+ 
+@@ -904,10 +919,8 @@
+ 	else
+ 	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal", 
+-	       prime_arg, errmsg, 
+-	       client_name.value, service_name.value,
+-	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	log_done("kadm5_setv4key_principal", prime_arg, errmsg, 
++	       &client_name, &service_name, rqstp);
+     }
+ 
+     free_server_handle(handle);
+@@ -956,9 +969,8 @@
+ 	 ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
+ 					   arg->keyblocks, arg->n_keys);
+     } else {
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth("kadm5_setkey_principal", prime_arg,
++	 		 &client_name, &service_name, rqstp);
+ 	 ret.code = KADM5_AUTH_SETKEY;
+     }
+ 
+@@ -968,10 +980,8 @@
+ 	else
+ 	    errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal", 
+-	       prime_arg, errmsg, 
+-	       client_name.value, service_name.value,
+-	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	log_done("kadm5_setkey_principal", prime_arg, errmsg, 
++	       &client_name, &service_name, rqstp);
+     }
+ 
+     free_server_handle(handle);
+@@ -1023,9 +1033,8 @@
+ 					     arg->ks_tuple,
+ 					     arg->keyblocks, arg->n_keys);
+     } else {
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth("kadm5_setkey_principal", prime_arg,
++	 		 &client_name, &service_name, rqstp);
+ 	 ret.code = KADM5_AUTH_SETKEY;
+     }
+ 
+@@ -1035,10 +1044,8 @@
+ 	else
+ 	    errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal", 
+-	       prime_arg, errmsg, 
+-	       client_name.value, service_name.value,
+-	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	log_done("kadm5_setkey_principal", prime_arg, errmsg, 
++	 		 &client_name, &service_name, rqstp);
+     }
+ 
+     free_server_handle(handle);
+@@ -1097,9 +1104,8 @@
+ 	 ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
+ 					    &k, &nkeys);
+     } else {
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth(funcname, prime_arg,
++	 		 &client_name, &service_name, rqstp);
+ 	 ret.code = KADM5_AUTH_CHANGEPW;
+     }
+ 
+@@ -1119,10 +1125,8 @@
+ 	else
+ 	    errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+-	       prime_arg, errmsg, 
+-	       client_name.value, service_name.value,
+-	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	log_done(funcname, prime_arg, errmsg, 
++	 		 &client_name, &service_name, rqstp);
+     }
+     free_server_handle(handle);
+     free(prime_arg);
+@@ -1185,9 +1189,8 @@
+ 					      arg->ks_tuple,
+ 					      &k, &nkeys);
+     } else {
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth(funcname, prime_arg,
++	 		 &client_name, &service_name, rqstp);
+ 	 ret.code = KADM5_AUTH_CHANGEPW;
+     }
+ 
+@@ -1207,10 +1210,8 @@
+ 	else
+ 	    errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+-	       prime_arg, errmsg, 
+-	       client_name.value, service_name.value,
+-	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	log_done(funcname, prime_arg, errmsg, 
++	 		 &client_name, &service_name, rqstp);
+     }
+     free_server_handle(handle);
+     free(prime_arg);
+@@ -1253,9 +1254,8 @@
+ 					      rqst2name(rqstp),
+ 					      ACL_ADD, NULL, NULL)) {
+ 	 ret.code = KADM5_AUTH_ADD;
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy",
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth("kadm5_create_policy", prime_arg,
++	 		 &client_name, &service_name, rqstp);
+ 	 
+     } else {
+ 	 ret.code = kadm5_create_policy((void *)handle, &arg->rec,
+@@ -1265,11 +1265,9 @@
+ 	 else
+ 	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy",
+-		((prime_arg == NULL) ? "(null)" : prime_arg),
+-		errmsg, 
+-		client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));	 
++	 log_done("kadm5_create_policy",
++		((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, 
++	 	&client_name, &service_name, rqstp);
+     }
+     free_server_handle(handle);
+     gss_release_buffer(&minor_stat, &client_name);
+@@ -1310,9 +1308,8 @@
+     if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ 					      rqst2name(rqstp),
+ 					      ACL_DELETE, NULL, NULL)) {
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy",
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth("kadm5_delete_policy", prime_arg,
++	 		 &client_name, &service_name, rqstp);
+ 	 ret.code = KADM5_AUTH_DELETE;
+     } else {
+ 	 ret.code = kadm5_delete_policy((void *)handle, arg->name);
+@@ -1321,11 +1318,9 @@
+ 	 else
+ 	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy",
+-		((prime_arg == NULL) ? "(null)" : prime_arg),
+-		errmsg, 
+-		client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));	 
++	 log_done("kadm5_delete_policy",
++		((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, 
++		&client_name, &service_name, rqstp);
+     }
+     free_server_handle(handle);
+     gss_release_buffer(&minor_stat, &client_name);
+@@ -1366,9 +1361,8 @@
+     if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ 					      rqst2name(rqstp),
+ 					      ACL_MODIFY, NULL, NULL)) {
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy",
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth("kadm5_modify_policy", prime_arg,
++		&client_name, &service_name, rqstp);
+ 	 ret.code = KADM5_AUTH_MODIFY;
+     } else {
+ 	 ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
+@@ -1378,11 +1372,9 @@
+ 	 else
+ 	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy",
+-		((prime_arg == NULL) ? "(null)" : prime_arg),	    
+-		errmsg, 
+-		client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));	
++	 log_done("kadm5_modify_policy",
++		((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, 
++		&client_name, &service_name, rqstp);
+     }
+     free_server_handle(handle);
+     gss_release_buffer(&minor_stat, &client_name);
+@@ -1464,15 +1456,12 @@
+ 	 else
+ 	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+-		((prime_arg == NULL) ? "(null)" : prime_arg),
+-		errmsg, 
+-		client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));	 
++	 log_done(funcname,
++		((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, 
++		&client_name, &service_name, rqstp);
+     } else {
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth(funcname, prime_arg,
++		&client_name, &service_name, rqstp);
+     }
+     free_server_handle(handle);
+     gss_release_buffer(&minor_stat, &client_name);
+@@ -1517,9 +1506,8 @@
+ 					      rqst2name(rqstp),
+ 					      ACL_LIST, NULL, NULL)) {
+ 	 ret.code = KADM5_AUTH_LIST;
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies",
+-		prime_arg, client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_unauth("kadm5_get_policies", prime_arg,
++		&client_name, &service_name, rqstp);
+     } else {
+ 	 ret.code  = kadm5_get_policies((void *)handle,
+ 					       arg->exp, &ret.pols,
+@@ -1529,11 +1517,8 @@
+ 	 else
+ 	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies",
+-		prime_arg,  
+-		errmsg, 
+-		client_name.value, service_name.value,
+-		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++	 log_done("kadm5_get_policies", prime_arg, errmsg, 
++		&client_name, &service_name, rqstp);
+     }
+     free_server_handle(handle);
+     gss_release_buffer(&minor_stat, &client_name);
+@@ -1573,11 +1558,8 @@
+      else
+ 	 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+-     krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs",
+-	    client_name.value, 
+-	    errmsg, 
+-	    client_name.value, service_name.value,
+-	    inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++     log_done("kadm5_get_privs", client_name.value, errmsg, 
++	    &client_name, &service_name, rqstp);
+ 
+      free_server_handle(handle);
+      gss_release_buffer(&minor_stat, &client_name);
+@@ -1594,6 +1576,8 @@
+      kadm5_server_handle_t	handle;
+      OM_uint32			minor_stat;
+      char                       *errmsg = 0;
++	 size_t clen, slen;
++	 char *cdots, *sdots;
+ 
+      xdr_free(xdr_generic_ret, &ret);
+ 
+@@ -1611,13 +1595,21 @@
+      }
+ 
+      if (ret.code != 0)
+-	 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+-     krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d",
++ 	 	 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
++	 else
++	 	 errmsg = "success";
++
++	 clen = client_name.length;
++	 trunc_name(&clen, &cdots);
++	 slen = service_name.length;
++	 trunc_name(&slen, &sdots);
++     krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, "
++	 	"client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",
+ 	    (ret.api_version == KADM5_API_VERSION_1 ?
+ 	     "kadm5_init (V1)" : "kadm5_init"),
+-	    client_name.value,
+-	    (ret.code == 0) ? "success" : errmsg,
+-	    client_name.value, service_name.value,
++	    clen, client_name.value, cdots, errmsg,
++	    clen, client_name.value, cdots,
++		slen, service_name.value, sdots,
+ 	    inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
+ 	    rqstp->rq_cred.oa_flavor);
+      gss_release_buffer(&minor_stat, &client_name);
+diff -urN krb5-1.5.2.orig/src/kdc/do_tgs_req.c krb5-1.5.2/src/kdc/do_tgs_req.c
+--- krb5-1.5.2.orig/src/kdc/do_tgs_req.c	2006-08-07 15:38:41.000000000 -0400
++++ krb5-1.5.2/src/kdc/do_tgs_req.c	2007-03-28 21:08:52.000000000 -0400
+@@ -491,30 +491,40 @@
+ 	newtransited = 1;
+     }
+     if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
+-	errcode = krb5_check_transited_list (kdc_context,
++		unsigned int tlen;
++		char *tdots;
++
++		errcode = krb5_check_transited_list (kdc_context,
+ 					     &enc_tkt_reply.transited.tr_contents,
+ 					     krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
+ 					     krb5_princ_realm (kdc_context, request->server));
+-	if (errcode == 0) {
+-	    setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
+-	} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
+-	    krb5_klog_syslog (LOG_INFO,
+-			      "bad realm transit path from '%s' to '%s' via '%.*s'",
++		tlen = enc_tkt_reply.transited.tr_contents.length;
++		tdots = tlen > 125 ? "..." : "";
++		tlen = tlen > 125 ? 125 : tlen;
++
++		if (errcode == 0) {
++	    	setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
++		} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
++	    	krb5_klog_syslog (LOG_INFO,
++			      "bad realm transit path from '%s' to '%s' "
++				  "via '%.*s%s'",
+ 			      cname ? cname : "<unknown client>",
+ 			      sname ? sname : "<unknown server>",
+-			      enc_tkt_reply.transited.tr_contents.length,
+-			      enc_tkt_reply.transited.tr_contents.data);
+-	else {
+-	    char *emsg = krb5_get_error_message(kdc_context, errcode);
+-	    krb5_klog_syslog (LOG_ERR,
+-			      "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
++				  tlen,
++			      enc_tkt_reply.transited.tr_contents.data,
++				  tdots);
++		else {
++	    	const char *emsg = krb5_get_error_message(kdc_context, errcode);
++	    	krb5_klog_syslog (LOG_ERR,
++			      "unexpected error checking transit from "
++				  "'%s' to '%s' via '%.*s%s': %s",
+ 			      cname ? cname : "<unknown client>",
+ 			      sname ? sname : "<unknown server>",
+-			      enc_tkt_reply.transited.tr_contents.length,
++				  tlen,
+ 			      enc_tkt_reply.transited.tr_contents.data,
+-			      emsg);
++			      tdots, emsg);
+ 	    krb5_free_error_message(kdc_context, emsg);
+-	}
++		}
+     } else
+ 	krb5_klog_syslog (LOG_INFO, "not checking transit path");
+     if (reject_bad_transit
+@@ -542,6 +552,9 @@
+ 	if (!krb5_principal_compare(kdc_context, request->server, client2)) {
+ 		if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
+ 			tmp = 0;
++		if (tmp != NULL)
++			limit_string(tmp);
++
+ 		krb5_klog_syslog(LOG_INFO,
+ 				 "TGS_REQ %s: 2ND_TKT_MISMATCH: "
+ 				 "authtime %d, %s for %s, 2nd tkt client %s",
+@@ -816,6 +829,7 @@
+ 		krb5_klog_syslog(LOG_INFO,
+ 		       "TGS_REQ: issuing alternate <un-unparseable> TGT");
+ 	    } else {
++			limit_string(sname);
+ 		krb5_klog_syslog(LOG_INFO,
+ 		       "TGS_REQ: issuing TGT %s", sname);
+ 		free(sname);
+diff -urN krb5-1.5.2.orig/src/kdc/kdc_util.c krb5-1.5.2/src/kdc/kdc_util.c
+--- krb5-1.5.2.orig/src/kdc/kdc_util.c	2004-02-12 23:20:56.000000000 -0500
++++ krb5-1.5.2/src/kdc/kdc_util.c	2007-03-28 19:16:51.000000000 -0400
+@@ -404,6 +404,7 @@
+ 
+ 	krb5_db_free_principal(kdc_context, &server, nprincs);
+ 	if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
++		limit_string(sname);
+ 	    krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
+ 			     sname);
+ 	    free(sname);
+diff -urN krb5-1.5.2.orig/src/lib/kadm5/logger.c krb5-1.5.2/src/lib/kadm5/logger.c
+--- krb5-1.5.2.orig/src/lib/kadm5/logger.c	2006-05-31 23:18:19.000000000 -0400
++++ krb5-1.5.2/src/lib/kadm5/logger.c	2007-03-28 19:20:15.000000000 -0400
+@@ -45,7 +45,7 @@
+ #include <varargs.h>
+ #endif	/* HAVE_STDARG_H */
+ 
+-#define	KRB5_KLOG_MAX_ERRMSG_SIZE	1024
++#define	KRB5_KLOG_MAX_ERRMSG_SIZE	2048
+ #ifndef	MAXHOSTNAMELEN
+ #define	MAXHOSTNAMELEN	256
+ #endif	/* MAXHOSTNAMELEN */
+@@ -261,7 +261,9 @@
+ #endif	/* HAVE_SYSLOG */
+ 
+     /* Now format the actual message */
+-#if	HAVE_VSPRINTF
++#if	HAVE_VSNPRINTF
++    vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap);
++#elif	HAVE_VSPRINTF
+     vsprintf(cp, actual_format, ap);
+ #else	/* HAVE_VSPRINTF */
+     sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],
+@@ -850,7 +852,9 @@
+     syslogp = &outbuf[strlen(outbuf)];
+ 
+     /* Now format the actual message */
+-#ifdef	HAVE_VSPRINTF
++#ifdef	HAVE_VSNPRINTF
++    vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist);
++#elif	HAVE_VSPRINTF
+     vsprintf(syslogp, format, arglist);
+ #else	/* HAVE_VSPRINTF */
+     sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],
diff --git a/app-crypt/mit-krb5/files/mit-krb5-SA-2007-003.patch b/app-crypt/mit-krb5/files/mit-krb5-SA-2007-003.patch
new file mode 100644
index 000000000000..756a35073a91
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-SA-2007-003.patch
@@ -0,0 +1,16 @@
+diff -urN krb5-1.5.2.old/src/lib/gssapi/krb5/k5unseal.c krb5-1.5.2/src/lib/gssapi/krb5/k5unseal.c
+--- krb5-1.5.2.old/src/lib/gssapi/krb5/k5unseal.c	2006-05-09 07:31:02.000000000 -0400
++++ krb5-1.5.2/src/lib/gssapi/krb5/k5unseal.c	2007-03-28 21:13:44.000000000 -0400
+@@ -457,8 +457,11 @@
+ 
+     if ((ctx->initiate && direction != 0xff) ||
+ 	(!ctx->initiate && direction != 0)) {
+-	if (toktype == KG_TOK_SEAL_MSG)
++	if (toktype == KG_TOK_SEAL_MSG) {
+ 	    xfree(token.value);
++		message_buffer->value = NULL;
++		message_buffer->length = 0;
++	}
+ 	*minor_status = G_BAD_DIRECTION;
+ 	return(GSS_S_BAD_SIG);
+     }
diff --git a/app-crypt/mit-krb5/mit-krb5-1.5.2-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.5.2-r1.ebuild
new file mode 100644
index 000000000000..5c6f905dc733
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.5.2-r1.ebuild
@@ -0,0 +1,100 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.5.2-r1.ebuild,v 1.1 2007/04/03 20:19:13 seemant Exp $
+
+inherit eutils flag-o-matic versionator autotools
+
+MY_P=${P/mit-}
+P_DIR=$(get_version_component_range 1-2)
+S=${WORKDIR}/${MY_P}/src
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
+IUSE="krb4 tcl ipv6 doc"
+
+RDEPEND="!virtual/krb5
+	sys-libs/com_err
+	sys-libs/ss
+	tcl? ( dev-lang/tcl )"
+DEPEND="${RDEPEND}
+	doc? ( virtual/tetex )"
+PROVIDE="virtual/krb5"
+
+src_unpack() {
+	unpack ${MY_P}-signed.tar
+	unpack ./${MY_P}.tar.gz
+	cd "${S}"
+	epatch "${FILESDIR}"/${PN}-lazyldflags.patch
+	epatch "${FILESDIR}"/${PN}-SA-2007-001-telnetd.patch
+	epatch "${FILESDIR}"/${PN}-SA-2007-002-syslog.patch
+	epatch "${FILESDIR}"/${PN}-SA-2007-003.patch
+	ebegin "Reconfiguring configure scripts (be patient)"
+	cd "${S}"/appl/telnet
+	eautoconf --force -I "${S}"
+	eend $?
+}
+
+src_compile() {
+	econf \
+		$(use_with krb4) \
+		$(use_with tcl) \
+		$(use_enable ipv6) \
+		--enable-shared \
+		--with-system-et --with-system-ss \
+		--enable-dns-for-realm || die
+
+	emake -j1 || die
+
+	if use doc ; then
+		cd ../doc
+		for dir in api implement ; do
+			make -C ${dir} || die
+		done
+	fi
+}
+
+src_test() {
+	einfo "Testing is being debugged, disabled for now"
+}
+
+src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR=/usr/share/doc/${PF}/examples \
+		install || die
+
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+	dodoc doc/*.ps
+	doinfo doc/*.info*
+	dohtml -r doc/*
+
+	use doc && dodoc doc/{api,implement}/*.ps
+
+	for i in {telnetd,ftpd} ; do
+		mv "${D}"/usr/share/man/man8/${i}.8 "${D}"/usr/share/man/man8/k${i}.8
+		mv "${D}"/usr/sbin/${i} "${D}"/usr/sbin/k${i}
+	done
+
+	for i in {rcp,rlogin,rsh,telnet,ftp} ; do
+		mv "${D}"/usr/share/man/man1/${i}.1 "${D}"/usr/share/man/man1/k${i}.1
+		mv "${D}"/usr/bin/${i} "${D}"/usr/bin/k${i}
+	done
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc
+
+	insinto /etc
+	newins ${D}/usr/share/doc/${PF}/examples/krb5.conf krb5.conf.example
+	newins ${D}/usr/share/doc/${PF}/examples/kdc.conf kdc.conf.example
+}
+
+pkg_postinst() {
+	elog "See /usr/share/doc/${PF}/html/krb5-admin/index.html for documentation."
+}
author	Seemant Kulleen <seemant@gentoo.org>	2007-04-03 20:19:13 +0000
committer	Seemant Kulleen <seemant@gentoo.org>	2007-04-03 20:19:13 +0000
commit	3db5b0249fa2f7bed345f384f2b520f319e60b75 (patch)
tree	e9f87b848997232878b3f73870082229a0cf5228 /app-crypt
parent	Fixed bug #172687, hopefully. (diff)
download	gentoo-2-3db5b0249fa2f7bed345f384f2b520f319e60b75.tar.gz gentoo-2-3db5b0249fa2f7bed345f384f2b520f319e60b75.tar.bz2 gentoo-2-3db5b0249fa2f7bed345f384f2b520f319e60b75.zip