summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authortonnerre <tonnerre@pkgsrc.org>2008-06-07 18:36:06 +0000
committertonnerre <tonnerre@pkgsrc.org>2008-06-07 18:36:06 +0000
commitc94122195f81d6172d0c9a18faf1b957600a6c56 (patch)
treea7cfb5e9b7e4e7d8e805881bc963e843d5103e20 /security
parent0940c02f91e0a508df790672bf200e1a792caddf (diff)
downloadpkgsrc-c94122195f81d6172d0c9a18faf1b957600a6c56.tar.gz
Add security patches for 3 Kerberos vulnerabilities:
- telnetd username and environment sanitizing vulnerabilities ("-f root") as described in MIT Kerberos advisory 2007-001. - krb5_klog_syslog() problems with overly long log strings as described in MIT Kerberos advisory 2007-002. - GSS API kg_unseal_v1() double free vulnerability as described in the MIT Kerberos advisory 2007-003.
Diffstat (limited to 'security')
-rw-r--r--security/mit-krb5/Makefile4
-rw-r--r--security/mit-krb5/distinfo14
-rw-r--r--security/mit-krb5/patches/patch-ai44
-rw-r--r--security/mit-krb5/patches/patch-au14
-rw-r--r--security/mit-krb5/patches/patch-av12
-rw-r--r--security/mit-krb5/patches/patch-aw70
-rw-r--r--security/mit-krb5/patches/patch-ax52
-rw-r--r--security/mit-krb5/patches/patch-ay10
-rw-r--r--security/mit-krb5/patches/patch-az28
-rw-r--r--security/mit-krb5/patches/patch-ba584
-rw-r--r--security/mit-krb5/patches/patch-bb34
-rw-r--r--security/mit-krb5/patches/patch-bc17
-rw-r--r--security/mit-krb5/patches/patch-bd35
-rw-r--r--security/mit-krb5/patches/patch-be17
14 files changed, 932 insertions, 3 deletions
diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile
index bc6adff0cd9..79c57e7f993 100644
--- a/security/mit-krb5/Makefile
+++ b/security/mit-krb5/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.41 2007/06/22 14:20:01 gdt Exp $
+# $NetBSD: Makefile,v 1.42 2008/06/07 18:36:06 tonnerre Exp $
DISTNAME= krb5-1.4.2
PKGNAME= mit-${DISTNAME:S/-signed$//}
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/1.4/
DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX}
diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo
index d747fcd8cac..223d0d9e201 100644
--- a/security/mit-krb5/distinfo
+++ b/security/mit-krb5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16 2007/01/17 23:43:47 salo Exp $
+$NetBSD: distinfo,v 1.17 2008/06/07 18:36:06 tonnerre Exp $
SHA1 (krb5-1.4.2-signed.tar) = bbc03bd319d539fb9523c2545d80ba0784522e88
RMD160 (krb5-1.4.2-signed.tar) = 44500f5fab8e5959cf43f17f5f52f68e2dc73a1f
@@ -11,6 +11,7 @@ SHA1 (patch-ae) = fc6d5e11cd827cdfbe1bfc3a3c7ca9f5a71c17d7
SHA1 (patch-af) = c9631743e3c93aee2aab5c8a370e9bebfc4084e5
SHA1 (patch-ag) = 5da57455f36a2bd40e0f97db94e93249e90e0b8e
SHA1 (patch-ah) = 59a6bfc341a22234b38db406abe83b0d6d358a9f
+SHA1 (patch-ai) = 02cd8a292392b107609b48b6188cd15f4597f72b
SHA1 (patch-aj) = 5c633571ea932ce349065cbb4c3bf482cc971675
SHA1 (patch-ak) = 9d95372fd8edddbf0366e83a51d7a0b8a507f218
SHA1 (patch-al) = fb611fe47bd7c773d7baf11424e90cd3af70c422
@@ -22,3 +23,14 @@ SHA1 (patch-aq) = 52429b712ca7a478caeb76fd165585c7aab7fa02
SHA1 (patch-ar) = 37807c14f03533aef8796ac90e5fac36ff98308a
SHA1 (patch-as) = b155219fd512b59f698497af1bf6acf1ca4f4a34
SHA1 (patch-at) = df0605b0f5fbaef6b7540f87079ae64b2acc464c
+SHA1 (patch-au) = d0201dcbc543d8a31520afc72d4ce624ce552a35
+SHA1 (patch-av) = 4166e5be21a72bf64cd634039fd71aa56594ebfd
+SHA1 (patch-aw) = f9a91c4b4d6963ab09f5df1c1377303066955f4c
+SHA1 (patch-ax) = f35194913d12d202389072ba399d70ef868c5432
+SHA1 (patch-ay) = 183c15b1c654c63902d5dbcf161a0879f70804a8
+SHA1 (patch-az) = 548d3275605934e6574efb878b7f4ddc97078d3d
+SHA1 (patch-ba) = 7faacf94c157854fc099aaf40abae870a2e61ba6
+SHA1 (patch-bb) = 06595821593100b718e3e76c8dc2e5f0b99c8d67
+SHA1 (patch-bc) = c7d2b014b1092c0d53de6b3adcc91af39653396b
+SHA1 (patch-bd) = 6a8906aaaf0f620c80f830551eb19b61d42741d6
+SHA1 (patch-be) = 09f737ae6a3a1ed0bbce4f9a26611972260523ca
diff --git a/security/mit-krb5/patches/patch-ai b/security/mit-krb5/patches/patch-ai
new file mode 100644
index 00000000000..4c17776cdd3
--- /dev/null
+++ b/security/mit-krb5/patches/patch-ai
@@ -0,0 +1,44 @@
+$NetBSD: patch-ai,v 1.3 2008/06/07 18:36:06 tonnerre Exp $
+
+--- src/appl/telnet/telnetd/sys_term.c.orig 2008-06-07 15:55:51.000000000 +0200
++++ src/appl/telnet/telnetd/sys_term.c
+@@ -1287,6 +1287,16 @@ start_login(host, autologin, name)
+ #endif
+ #if defined (AUTHENTICATION)
+ if (auth_level >= 0 && autologin == AUTH_VALID) {
++ if (name[0] == '-') {
++ /* Authenticated and authorized to log in to an
++ account starting with '-'? Even if that
++ unlikely case comes to pass, the current login
++ program will not parse the resulting command
++ line properly. */
++ syslog(LOG_ERR, "user name cannot start with '-'");
++ fatal(net, "user name cannot start with '-'");
++ exit(1);
++ }
+ # if !defined(NO_LOGIN_F)
+ #if defined(LOGIN_CAP_F)
+ argv = addarg(argv, "-F");
+@@ -1377,12 +1387,20 @@ start_login(host, autologin, name)
+ } else
+ #endif
+ if (getenv("USER")) {
+- argv = addarg(argv, getenv("USER"));
++ char *user = getenv("USER");
++ if (user[0] == '-') {
++ /* "telnet -l-x ..." */
++ syslog(LOG_ERR, "user name cannot start with '-'");
++ fatal(net, "user name cannot start with '-'");
++ exit(EXIT_FAILURE);
++ }
++ argv = addarg(argv, user);
+ #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
+ {
+ register char **cpp;
+ for (cpp = environ; *cpp; cpp++)
+- argv = addarg(argv, *cpp);
++ if ((*cpp)[0] != '-')
++ argv = addarg(argv, *cpp);
+ }
+ #endif
+ /*
diff --git a/security/mit-krb5/patches/patch-au b/security/mit-krb5/patches/patch-au
new file mode 100644
index 00000000000..7ad69984325
--- /dev/null
+++ b/security/mit-krb5/patches/patch-au
@@ -0,0 +1,14 @@
+$NetBSD$
+
+--- src/appl/telnet/telnetd/state.c.orig 2002-11-15 21:21:51.000000000 +0100
++++ src/appl/telnet/telnetd/state.c
+@@ -1665,7 +1665,8 @@ static int envvarok(varp)
+ strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
+ strcmp(varp, "NLSPATH") && /* locale stuff */
+ strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
+- strcmp(varp, "IFS")) {
++ strcmp(varp, "IFS") &&
++ !strchr(varp, '-')) {
+ return 1;
+ } else {
+ syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
diff --git a/security/mit-krb5/patches/patch-av b/security/mit-krb5/patches/patch-av
new file mode 100644
index 00000000000..89fd5226733
--- /dev/null
+++ b/security/mit-krb5/patches/patch-av
@@ -0,0 +1,12 @@
+$NetBSD$
+
+--- src/kdc/kdc_util.c.orig 2004-02-13 05:20:56.000000000 +0100
++++ src/kdc/kdc_util.c
+@@ -404,6 +404,7 @@ kdc_get_server_key(krb5_ticket *ticket,
+
+ krb5_db_free_principal(kdc_context, &server, nprincs);
+ if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
++ limit_string(sname);
+ krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
+ sname);
+ free(sname);
diff --git a/security/mit-krb5/patches/patch-aw b/security/mit-krb5/patches/patch-aw
new file mode 100644
index 00000000000..cd79b0625b2
--- /dev/null
+++ b/security/mit-krb5/patches/patch-aw
@@ -0,0 +1,70 @@
+$NetBSD$
+
+--- src/kdc/do_tgs_req.c.orig 2005-07-12 22:59:51.000000000 +0200
++++ src/kdc/do_tgs_req.c
+@@ -490,27 +490,40 @@ tgt_again:
+ newtransited = 1;
+ }
+ if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
++ unsigned int tlen;
++ char *tdots;
++
+ errcode = krb5_check_transited_list (kdc_context,
+ &enc_tkt_reply.transited.tr_contents,
+ krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
+ krb5_princ_realm (kdc_context, request->server));
++ tlen = enc_tkt_reply.transited.tr_contents.length;
++ tdots = tlen > 125 ? "..." : "";
++ tlen = tlen > 125 ? 125 : tlen;
++
+ if (errcode == 0) {
+ setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
+ } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
+ krb5_klog_syslog (LOG_INFO,
+- "bad realm transit path from '%s' to '%s' via '%.*s'",
++ "bad realm transit path from '%s' to '%s' "
++ "via '%.*s%s'",
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+- enc_tkt_reply.transited.tr_contents.length,
+- enc_tkt_reply.transited.tr_contents.data);
+- else
++ tlen,
++ enc_tkt_reply.transited.tr_contents.data,
++ tdots);
++ else {
++ char *emsg = krb5_get_error_message(kdc_context, errcode);
+ krb5_klog_syslog (LOG_ERR,
+- "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
++ "unexpected error checking transit from "
++ "'%s' to '%s' via '%.*s%s': %s",
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+- enc_tkt_reply.transited.tr_contents.length,
++ tlen,
+ enc_tkt_reply.transited.tr_contents.data,
+- error_message (errcode));
++ tdots, emsg);
++ krb5_free_error_message(kdc_context, emsg);
++ }
+ } else
+ krb5_klog_syslog (LOG_INFO, "not checking transit path");
+ if (reject_bad_transit
+@@ -538,6 +551,9 @@ tgt_again:
+ if (!krb5_principal_compare(kdc_context, request->server, client2)) {
+ if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
+ tmp = 0;
++ if (tmp != NULL)
++ limit_string(tmp);
++
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ %s: 2ND_TKT_MISMATCH: "
+ "authtime %d, %s for %s, 2nd tkt client %s",
+@@ -800,6 +816,7 @@ find_alternate_tgs(krb5_kdc_req *request
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ: issuing alternate <un-unparseable> TGT");
+ } else {
++ limit_string(sname);
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ: issuing TGT %s", sname);
+ free(sname);
diff --git a/security/mit-krb5/patches/patch-ax b/security/mit-krb5/patches/patch-ax
new file mode 100644
index 00000000000..85d9d4706b8
--- /dev/null
+++ b/security/mit-krb5/patches/patch-ax
@@ -0,0 +1,52 @@
+$NetBSD$
+
+--- src/kadmin/server/ovsec_kadmd.c.orig 2004-09-21 20:20:16.000000000 +0200
++++ src/kadmin/server/ovsec_kadmd.c
+@@ -952,13 +952,25 @@ void log_badverf(gss_name_t client_name,
+ rpcproc_t proc;
+ int i;
+ const char *procname;
++ size_t clen, slen;
++ char *cdots, *sdots;
+
+ (void) gss_display_name(&minor, client_name, &client, &gss_type);
+ (void) gss_display_name(&minor, server_name, &server, &gss_type);
+ if (client.value == NULL)
+ client.value = "(null)";
+- if (server.value == NULL)
++ clen = sizeof("(null)") -1;
++ } else {
++ clen = client.length;
++ }
++ trunc_name(&clen, &cdots);
++ if (server.value == NULL) {
+ server.value = "(null)";
++ slen = sizeof("(null)") - 1;
++ } else {
++ slen = server.length;
++ }
++ trunc_name(&slen, &sdots);
+ a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
+
+ proc = msg->rm_call.cb_proc;
+@@ -971,14 +983,14 @@ void log_badverf(gss_name_t client_name,
+ }
+ if (procname != NULL)
+ krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
+- "claimed client = %s, server = %s, addr = %s",
+- procname, client.value,
+- server.value, a);
++ "claimed client = %.*s%s, server = %.*s%s, addr = %s",
++ procname, clen, client.value, cdots,
++ slen, server.value, sdots, a);
+ else
+ krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
+- "claimed client = %s, server = %s, addr = %s",
+- proc, client.value,
+- server.value, a);
++ "claimed client = %.*s%s, server = %.*s%s, addr = %s",
++ proc, clen, client.value, cdots,
++ slen, server.value, sdots, a);
+
+ (void) gss_release_buffer(&minor, &client);
+ (void) gss_release_buffer(&minor, &server);
diff --git a/security/mit-krb5/patches/patch-ay b/security/mit-krb5/patches/patch-ay
new file mode 100644
index 00000000000..2bccd981152
--- /dev/null
+++ b/security/mit-krb5/patches/patch-ay
@@ -0,0 +1,10 @@
+$NetBSD$
+
+--- src/kadmin/server/misc.h.orig 2004-10-28 00:12:48.000000000 +0200
++++ src/kadmin/server/misc.h
+@@ -44,3 +44,5 @@ krb5_error_code process_chpw_request(krb
+ #ifdef SVC_GETARGS
+ void kadm_1(struct svc_req *, SVCXPRT *);
+ #endif
++
++void trunc_name(size_t *len, char **dots);
diff --git a/security/mit-krb5/patches/patch-az b/security/mit-krb5/patches/patch-az
new file mode 100644
index 00000000000..c483f7ff0f4
--- /dev/null
+++ b/security/mit-krb5/patches/patch-az
@@ -0,0 +1,28 @@
+$NetBSD$
+
+--- src/kadmin/server/schpw.c.orig 2004-10-28 00:12:48.000000000 +0200
++++ src/kadmin/server/schpw.c
+@@ -41,6 +41,8 @@ process_chpw_request(context, server_han
+ int numresult;
+ char strresult[1024];
+ char *clientstr;
++ size_t clen;
++ char *cdots;
+
+ ret = 0;
+ rep->length = 0;
+@@ -259,9 +261,12 @@ process_chpw_request(context, server_han
+ free(ptr);
+ clear.length = 0;
+
+- krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s",
++ clen = strlen(clientstr);
++ trunc_name(&clen, &cdots);
++ krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",
+ inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),
+- clientstr, ret ? error_message(ret) : "success");
++ clen, clientstr, cdots,
++ ret ? krb5_get_error_message (context, ret) : "success");
+ krb5_free_unparsed_name(context, clientstr);
+
+ if (ret) {
diff --git a/security/mit-krb5/patches/patch-ba b/security/mit-krb5/patches/patch-ba
new file mode 100644
index 00000000000..ec938526b95
--- /dev/null
+++ b/security/mit-krb5/patches/patch-ba
@@ -0,0 +1,584 @@
+$NetBSD$
+
+--- src/kadmin/server/server_stubs.c.orig 2004-08-20 20:45:30.000000000 +0200
++++ src/kadmin/server/server_stubs.c
+@@ -14,6 +14,7 @@
+ #include <arpa/inet.h> /* inet_ntoa */
+ #include <krb5/adm_proto.h> /* krb5_klog_syslog */
+ #include "misc.h"
++#include <string.h>
+
+ #define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"
+ #define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
+@@ -237,6 +238,61 @@ gss_name_to_string(gss_name_t gss_name,
+ return 0;
+ }
+
++static int
++log_unauth(
++ char *op,
++ char *target,
++ gss_buffer_t client,
++ gss_buffer_t server,
++ struct svc_req *rqstp)
++{
++ size_t tlen, clen, slen;
++ char *tdots, *cdots, *sdots;
++
++ tlen = strlen(target);
++ trunc_name(&tlen, &tdots);
++ clen = client->length;
++ trunc_name(&clen, &cdots);
++ slen = server->length;
++ trunc_name(&slen, &sdots);
++
++ return krb5_klog_syslog(LOG_NOTICE,
++ "Unauthorized request: %s, %.*s%s, "
++ "client=%.*s%s, service=%.*s%s, addr=%s",
++ op, tlen, target, tdots,
++ clen, client->value, cdots,
++ slen, server->value, sdots,
++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++}
++
++static int
++log_done(
++ char *op,
++ char *target,
++ char *errmsg,
++ gss_buffer_t client,
++ gss_buffer_t server,
++ struct svc_req *rqstp)
++{
++ size_t tlen, clen, slen;
++ char *tdots, *cdots, *sdots;
++
++ tlen = strlen(target);
++ trunc_name(&tlen, &tdots);
++ clen = client->length;
++ trunc_name(&clen, &cdots);
++ slen = server->length;
++ trunc_name(&slen, &sdots);
++
++ return krb5_klog_syslog(LOG_NOTICE,
++ "Request: %s, %.*s%s, %s, "
++ "client=%.*s%s, service=%.*s%s, addr=%s",
++ op, tlen, target, tdots, errmsg,
++ clen, client->value, cdots,
++ slen, server->value, sdots,
++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++}
++
+ generic_ret *
+ create_principal_1_svc(cprinc_arg *arg, struct svc_req *rqstp)
+ {
+@@ -274,18 +330,15 @@ create_principal_1_svc(cprinc_arg *arg,
+ || kadm5int_acl_impose_restrictions(handle->context,
+ &arg->rec, &arg->mask, rp)) {
+ ret.code = KADM5_AUTH_ADD;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_create_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_create_principal((void *)handle,
+ &arg->rec, arg->mask,
+ arg->passwd);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
+- prime_arg,((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_create_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg);
+@@ -331,20 +384,18 @@ create_principal3_1_svc(cprinc3_arg *arg
+ || kadm5int_acl_impose_restrictions(handle->context,
+ &arg->rec, &arg->mask, rp)) {
+ ret.code = KADM5_AUTH_ADD;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_create_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_create_principal_3((void *)handle,
+ &arg->rec, arg->mask,
+ arg->n_ks_tuple,
+ arg->ks_tuple,
+ arg->passwd);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
+- prime_arg,((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++
++ log_done("kadm5_create_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg);
+@@ -388,15 +439,13 @@ delete_principal_1_svc(dprinc_arg *arg,
+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
+ arg->princ, NULL)) {
+ ret.code = KADM5_AUTH_DELETE;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_delete_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_delete_principal((void *)handle, arg->princ);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal", prime_arg,
+- ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_delete_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free(prime_arg);
+ free_server_handle(handle);
+@@ -441,17 +490,14 @@ modify_principal_1_svc(mprinc_arg *arg,
+ || kadm5int_acl_impose_restrictions(handle->context,
+ &arg->rec, &arg->mask, rp)) {
+ ret.code = KADM5_AUTH_MODIFY;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_modify_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
+ arg->mask);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal",
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_modify_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg);
+@@ -510,17 +556,14 @@ rename_principal_1_svc(rprinc_arg *arg,
+ } else
+ ret.code = KADM5_AUTH_INSUFFICIENT;
+ if (ret.code != KADM5_OK) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_rename_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_rename_principal((void *)handle, arg->src,
+ arg->dest);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal",
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_rename_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg1);
+@@ -572,9 +615,8 @@ get_principal_1_svc(gprinc_arg *arg, str
+ arg->princ,
+ NULL))) {
+ ret.code = KADM5_AUTH_GET;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth(funcname, prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ if (handle->api_version == KADM5_API_VERSION_1) {
+ ret.code = kadm5_get_principal_v1((void *)handle,
+@@ -588,12 +630,10 @@ get_principal_1_svc(gprinc_arg *arg, str
+ arg->princ, &ret.rec,
+ arg->mask);
+ }
+-
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+- prime_arg,
+- ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++
++ log_done(funcname, prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg);
+@@ -638,18 +678,15 @@ get_princs_1_svc(gprincs_arg *arg, struc
+ NULL,
+ NULL)) {
+ ret.code = KADM5_AUTH_LIST;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_get_principals", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_get_principals((void *)handle,
+ arg->exp, &ret.princs,
+ &ret.count);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals",
+- prime_arg,
++ log_done("kadm5_get_principals", prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -697,18 +734,15 @@ chpass_principal_1_svc(chpass_arg *arg,
+ ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
+ arg->pass);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_chpass_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
+ }
+
+ if(ret.code != KADM5_AUTH_CHANGEPW) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_chpass_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+
+ free_server_handle(handle);
+@@ -764,18 +798,15 @@ chpass_principal3_1_svc(chpass3_arg *arg
+ arg->ks_tuple,
+ arg->pass);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_chpass_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
+ }
+
+ if(ret.code != KADM5_AUTH_CHANGEPW) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_chpass_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+
+ free_server_handle(handle);
+@@ -822,18 +853,15 @@ setv4key_principal_1_svc(setv4key_arg *a
+ ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
+ arg->keyblock);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_setv4key_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_SETKEY;
+ }
+
+ if(ret.code != KADM5_AUTH_SETKEY) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal",
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_setv4key_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+
+ free_server_handle(handle);
+@@ -880,18 +908,15 @@ setkey_principal_1_svc(setkey_arg *arg,
+ ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
+ arg->keyblocks, arg->n_keys);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_setkey_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_SETKEY;
+ }
+
+ if(ret.code != KADM5_AUTH_SETKEY) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_setkey_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+
+ free_server_handle(handle);
+@@ -941,18 +966,15 @@ setkey_principal3_1_svc(setkey3_arg *arg
+ arg->ks_tuple,
+ arg->keyblocks, arg->n_keys);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_setkey_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_SETKEY;
+ }
+
+ if(ret.code != KADM5_AUTH_SETKEY) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_setkey_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+
+ free_server_handle(handle);
+@@ -1008,9 +1030,8 @@ chrand_principal_1_svc(chrand_arg *arg,
+ ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
+ &k, &nkeys);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth(funcname, prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
+ }
+
+@@ -1025,11 +1046,9 @@ chrand_principal_1_svc(chrand_arg *arg,
+ }
+
+ if(ret.code != KADM5_AUTH_CHANGEPW) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done(funcname, prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg);
+@@ -1090,9 +1109,8 @@ chrand_principal3_1_svc(chrand3_arg *arg
+ arg->ks_tuple,
+ &k, &nkeys);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth(funcname, prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
+ }
+
+@@ -1107,11 +1125,9 @@ chrand_principal3_1_svc(chrand3_arg *arg
+ }
+
+ if(ret.code != KADM5_AUTH_CHANGEPW) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done(funcname, prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg);
+@@ -1152,18 +1168,15 @@ create_policy_1_svc(cpol_arg *arg, struc
+ rqst2name(rqstp),
+ ACL_ADD, NULL, NULL)) {
+ ret.code = KADM5_AUTH_ADD;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+-
++ log_unauth("kadm5_create_policy", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_create_policy((void *)handle, &arg->rec,
+ arg->mask);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy",
+- ((prime_arg == NULL) ? "(null)" : prime_arg),
+- ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_create_policy",
++ ((prime_arg == NULL) ? "(null)" : prime_arg),
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1202,17 +1215,15 @@ delete_policy_1_svc(dpol_arg *arg, struc
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ rqst2name(rqstp),
+ ACL_DELETE, NULL, NULL)) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_delete_policy", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_DELETE;
+ } else {
+ ret.code = kadm5_delete_policy((void *)handle, arg->name);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy",
+- ((prime_arg == NULL) ? "(null)" : prime_arg),
+- ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_delete_policy",
++ ((prime_arg == NULL) ? "(null)" : prime_arg),
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1251,18 +1262,16 @@ modify_policy_1_svc(mpol_arg *arg, struc
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ rqst2name(rqstp),
+ ACL_MODIFY, NULL, NULL)) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_modify_policy", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_MODIFY;
+ } else {
+ ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
+ arg->mask);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy",
+- ((prime_arg == NULL) ? "(null)" : prime_arg),
+- ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_modify_policy",
++ ((prime_arg == NULL) ? "(null)" : prime_arg),
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1337,15 +1346,13 @@ get_policy_1_svc(gpol_arg *arg, struct s
+ &ret.rec);
+ }
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+- ((prime_arg == NULL) ? "(null)" : prime_arg),
+- ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done(funcname,
++ ((prime_arg == NULL) ? "(null)" : prime_arg),
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth(funcname, prime_arg,
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1388,18 +1395,15 @@ get_pols_1_svc(gpols_arg *arg, struct sv
+ rqst2name(rqstp),
+ ACL_LIST, NULL, NULL)) {
+ ret.code = KADM5_AUTH_LIST;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_get_policies", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_get_policies((void *)handle,
+ arg->exp, &ret.pols,
+ &ret.count);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies",
+- prime_arg,
+- ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_get_policies", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1432,11 +1436,9 @@ getprivs_ret * get_privs_1_svc(krb5_ui_4
+ }
+
+ ret.code = kadm5_get_privs((void *)handle, &ret.privs);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs",
+- client_name.value,
+- ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_get_privs", client_name.value,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+@@ -1450,6 +1452,8 @@ generic_ret *init_1_svc(krb5_ui_4 *arg,
+ service_name;
+ kadm5_server_handle_t handle;
+ OM_uint32 minor_stat;
++ size_t clen, slen;
++ char *cdots, *sdots;
+
+ xdr_free(xdr_generic_ret, &ret);
+
+@@ -1466,12 +1470,18 @@ generic_ret *init_1_svc(krb5_ui_4 *arg,
+ return &ret;
+ }
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d",
++ clen = client_name.length;
++ trunc_name(&clen, &cdots);
++ slen = service_name.length;
++ trunc_name(&slen, &sdots);
++ krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, "
++ client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",
+ (ret.api_version == KADM5_API_VERSION_1 ?
+ "kadm5_init (V1)" : "kadm5_init"),
+- client_name.value,
++ clen, client_name.value, cdots,
+ (ret.code == 0) ? "success" : error_message(ret.code),
+- client_name.value, service_name.value,
++ clen, client_name.value, cdots,
++ slen, service_name.value, sdots,
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
+ rqstp->rq_cred.oa_flavor);
+ gss_release_buffer(&minor_stat, &client_name);
diff --git a/security/mit-krb5/patches/patch-bb b/security/mit-krb5/patches/patch-bb
new file mode 100644
index 00000000000..7727b6187c6
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bb
@@ -0,0 +1,34 @@
+$NetBSD$
+
+--- src/kadmin/server/kadm_rpc_svc.c.orig 2004-06-16 05:11:51.000000000 +0200
++++ src/kadmin/server/kadm_rpc_svc.c
+@@ -249,6 +249,8 @@ check_rpcsec_auth(struct svc_req *rqstp)
+ krb5_data *c1, *c2, *realm;
+ gss_buffer_desc gss_str;
+ kadm5_server_handle_t handle;
++ size_t slen;
++ char *sdots;
+
+ success = 0;
+ handle = (kadm5_server_handle_t)global_server_handle;
+@@ -273,6 +275,9 @@ check_rpcsec_auth(struct svc_req *rqstp)
+ if (ret == 0)
+ goto fail_name;
+
++ slen = gss_str.length;
++ trunc_name(&slen, &sdots);
++
+ /*
+ * Since we accept with GSS_C_NO_NAME, the client can authenticate
+ * against the entire kdb. Therefore, ensure that the service
+@@ -295,8 +300,8 @@ check_rpcsec_auth(struct svc_req *rqstp)
+
+ fail_princ:
+ if (!success) {
+- krb5_klog_syslog(LOG_ERR, "bad service principal %.*s",
+- gss_str.length, gss_str.value);
++ krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s",
++ slen, gss_str.value, sdots);
+ }
+ gss_release_buffer(&min_stat, &gss_str);
+ krb5_free_principal(kctx, princ);
diff --git a/security/mit-krb5/patches/patch-bc b/security/mit-krb5/patches/patch-bc
new file mode 100644
index 00000000000..b9800601b78
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bc
@@ -0,0 +1,17 @@
+$NetBSD$
+
+--- src/kadmin/server/misc.c.orig 2004-10-29 01:41:10.000000000 +0200
++++ src/kadmin/server/misc.c
+@@ -149,3 +149,12 @@ check_min_life(void *server_handle, krb5
+
+ return kadm5_free_principal_ent(handle->lhandle, &princ);
+ }
++
++#define MAXPRINCLEN 125
++
++void
++trunc_name(size_t *len, char **dots)
++{
++ *dots = *len > MAXPRINCLEN ? "..." : "";
++ *len = *len > MAXPRINCLEN ? MAXPRINCLEN : *len;
++}
diff --git a/security/mit-krb5/patches/patch-bd b/security/mit-krb5/patches/patch-bd
new file mode 100644
index 00000000000..664933d5838
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bd
@@ -0,0 +1,35 @@
+$NetBSD$
+
+--- src/lib/kadm5/logger.c.orig 2002-09-18 22:44:13.000000000 +0200
++++ src/lib/kadm5/logger.c
+@@ -45,7 +45,7 @@
+ #include <varargs.h>
+ #endif /* HAVE_STDARG_H */
+
+-#define KRB5_KLOG_MAX_ERRMSG_SIZE 1024
++#define KRB5_KLOG_MAX_ERRMSG_SIZE 2048
+ #ifndef MAXHOSTNAMELEN
+ #define MAXHOSTNAMELEN 256
+ #endif /* MAXHOSTNAMELEN */
+@@ -256,7 +256,9 @@ klog_com_err_proc(const char *whoami, lo
+ #endif /* HAVE_SYSLOG */
+
+ /* Now format the actual message */
+-#if HAVE_VSPRINTF
++#if HAVE_VSNPRINTF
++ vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap);
++#elif HAVE_VSPRINTF
+ vsprintf(cp, actual_format, ap);
+ #else /* HAVE_VSPRINTF */
+ sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],
+@@ -843,7 +845,9 @@ klog_vsyslog(int priority, const char *f
+ syslogp = &outbuf[strlen(outbuf)];
+
+ /* Now format the actual message */
+-#ifdef HAVE_VSPRINTF
++#ifdef HAVE_VSNPRINTF
++ vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist);
++#elif HAVE_VSPRINTF
+ vsprintf(syslogp, format, arglist);
+ #else /* HAVE_VSPRINTF */
+ sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],
diff --git a/security/mit-krb5/patches/patch-be b/security/mit-krb5/patches/patch-be
new file mode 100644
index 00000000000..6fe060e4aa9
--- /dev/null
+++ b/security/mit-krb5/patches/patch-be
@@ -0,0 +1,17 @@
+$NetBSD$
+
+--- src/lib/gssapi/krb5/k5unseal.c.orig 2004-04-13 22:00:19.000000000 +0200
++++ src/lib/gssapi/krb5/k5unseal.c
+@@ -457,8 +457,11 @@ kg_unseal_v1(context, minor_status, ctx,
+
+ if ((ctx->initiate && direction != 0xff) ||
+ (!ctx->initiate && direction != 0)) {
+- if (toktype == KG_TOK_SEAL_MSG)
++ if (toktype == KG_TOK_SEAL_MSG) {
+ xfree(token.value);
++ message_buffer->value = NULL;
++ message_buffer->length = 0;
++ }
+ *minor_status = G_BAD_DIRECTION;
+ return(GSS_S_BAD_SIG);
+ }