I am having similar problems with version 1.5.2:

[mbrookov@oneoften krb5-1.5.2]$ patch -b -p0 < ../2007-002-patch.txt
patching file src/kadmin/server/kadm_rpc_svc.c
patching file src/kadmin/server/misc.c
patching file src/kadmin/server/misc.h
patching file src/kadmin/server/ovsec_kadmd.c
Hunk #1 succeeded at 989 (offset -3 lines).
Hunk #3 succeeded at 1025 (offset -3 lines).
patching file src/kadmin/server/schpw.c
patching file src/kadmin/server/server_stubs.c
patching file src/kdc/do_tgs_req.c
Hunk #1 FAILED at 491.
1 out of 3 hunks FAILED -- saving rejects to file
src/kdc/do_tgs_req.c.rej
patching file src/kdc/kdc_util.c
patching file src/lib/kadm5/logger.c
[mbrookov@oneoften krb5-1.5.2]$

The patches will load, compile and run on version 1.6. Is any body
running 1.6 in production?

We are also considering moving the Kerberos servers to Red Hat, they
have a fix out.

Matt

mbrookov@mines.edu


On Fri, 2007-04-06 at 13:34 -0500, simonst@wellsfargo.com wrote:
> Patch MITKRB5-SA-2007-002 is failing to apply on krb5-1.5:
> [rpmdev]$ patch -p0 <2007-002-patch.txt
> patching file src/kadmin/server/kadm_rpc_svc.c
> patching file src/kadmin/server/misc.c
> patching file src/kadmin/server/misc.h
> patching file src/kadmin/server/ovsec_kadmd.c
> Hunk #1 succeeded at 989 with fuzz 2 (offset -3 lines).
> Hunk #2 succeeded at 997 (offset -5 lines).
> Hunk #3 succeeded at 1025 (offset -3 lines).
> patching file src/kadmin/server/schpw.c
> patching file src/kadmin/server/server_stubs.c
> patching file src/kdc/do_tgs_req.c
> Hunk #1 FAILED at 491.
> Hunk #2 succeeded at 550 (offset -2 lines).
> 1 out of 3 hunks FAILED -- saving rejects to file
> src/kdc/do_tgs_req.c.rej
> patching file src/kdc/kdc_util.c
> patching file src/lib/kadm5/logger.c
>
> Here's the complete cmdline output:
>
> [rpmdev]$ uname -a
> Linux rpmdev 2.4.21-37.ELsmp #1 SMP Wed Sep 7 13:28:55 EDT 2005 i686 i686
> i386 GNU/Linux
> [rpmdev]$ gpgv -v krb5-1.5.tar.gz.asc
> gpgv: armor header: Version: GnuPG v1.4.3 (SunOS)
> gpgv: assuming signed data in `krb5-1.5.tar.gz'
> gpgv: Signature made Fri 30 Jun 2006 10:16:09 PM PDT using RSA key ID
> F376813D
> gpgv: Good signature from "Tom Yu "
> gpgv: aka "Tom Yu "
> [rpmdev]$ md5sum krb5-1.5.tar.gz
> fe62bcd315fe4139e4fa05732ce8abde krb5-1.5.tar.gz
>
> [rpmdev]$ tar xzf krb5-1.5.tar.gz
>
> [rpmdev]$ cd krb5-1.5
>
> [rpmdev]$ wget http://web.mit.edu/kerberos/advisori...-002-patch.txt
> --11:05:42-- http://web.mit.edu/kerberos/advisori...-002-patch.txt
> => `2007-002-patch.txt'
> Length: 41,658 (41K) [text/plain]
> 100%[================================================== ==>] 41,658
> 106.89K/s
> 11:05:43 (106.55 KB/s) - `2007-002-patch.txt' saved [41658/41658]
>
> [rpmdev]$ md5sum 2007-002-patch.txt
> 25b7ae9462b7439f7d11064138aac11e 2007-002-patch.txt
> [rpmdev]$ head 2007-002-patch.txt
> *** src/kadmin/server/kadm_rpc_svc.c (revision 19480)
> --- src/kadmin/server/kadm_rpc_svc.c (local)
> ***************
> *** 250,255 ****
> --- 250,257 ----
> krb5_data *c1, *c2, *realm;
> gss_buffer_desc gss_str;
> kadm5_server_handle_t handle;
> + size_t slen;
> + char *sdots;
>
> [rpmdev]$ patch -p0 <2007-002-patch.txt
> patching file src/kadmin/server/kadm_rpc_svc.c
> patching file src/kadmin/server/misc.c
> patching file src/kadmin/server/misc.h
> patching file src/kadmin/server/ovsec_kadmd.c
> Hunk #1 succeeded at 989 with fuzz 2 (offset -3 lines).
> Hunk #2 succeeded at 997 (offset -5 lines).
> Hunk #3 succeeded at 1025 (offset -3 lines).
> patching file src/kadmin/server/schpw.c
> patching file src/kadmin/server/server_stubs.c
> patching file src/kdc/do_tgs_req.c
> Hunk #1 FAILED at 491.
> Hunk #2 succeeded at 550 (offset -2 lines).
> 1 out of 3 hunks FAILED -- saving rejects to file src/kdc/do_tgs_req.c.rej
> patching file src/kdc/kdc_util.c
> patching file src/lib/kadm5/logger.c
>
> [rpmdev]$ cat src/kdc/do_tgs_req.c.rej
> ***************
> *** 491,518 ****
> newtransited = 1;
> }
> if (!isflagset (request->kdc_options,
> KDC_OPT_DISABLE_TRANSITED_CHECK)) {
> errcode = krb5_check_transited_list (kdc_context,
>
> &enc_tkt_reply.transited.tr_contents,
> krb5_princ_realm (kdc_context,
> header_ticket->enc_part2->client),
> krb5_princ_realm (kdc_context,
> request->server));
> if (errcode == 0) {
> setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
> } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
> krb5_klog_syslog (LOG_INFO,
> ! "bad realm transit path from '%s' to '%s' via
> '%.*s'",
> cname ? cname : "",
> sname ? sname : "",
> ! enc_tkt_reply.transited.tr_contents.length,
> ! enc_tkt_reply.transited.tr_contents.data);
> else {
> const char *emsg = krb5_get_error_message(kdc_context, errcode);
> krb5_klog_syslog (LOG_ERR,
> ! "unexpected error checking transit from '%s'
> to '%s' via '%.*s': %s",
> cname ? cname : "",
> sname ? sname : "",
> ! enc_tkt_reply.transited.tr_contents.length,
> enc_tkt_reply.transited.tr_contents.data,
> ! emsg);
> krb5_free_error_message(kdc_context, emsg);
> }
> } else
> --- 491,528 ----
> newtransited = 1;
> }
> if (!isflagset (request->kdc_options,
> KDC_OPT_DISABLE_TRANSITED_CHECK)) {
> + unsigned int tlen;
> + char *tdots;
> +
> errcode = krb5_check_transited_list (kdc_context,
>
> &enc_tkt_reply.transited.tr_contents,
> krb5_princ_realm (kdc_context,
> header_ticket->enc_part2->client),
> krb5_princ_realm (kdc_context,
> request->server));
> + tlen = enc_tkt_reply.transited.tr_contents.length;
> + tdots = tlen > 125 ? "..." : "";
> + tlen = tlen > 125 ? 125 : tlen;
> +
> if (errcode == 0) {
> setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
> } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
> krb5_klog_syslog (LOG_INFO,
> ! "bad realm transit path from '%s' to '%s' "
> ! "via '%.*s%s'",
> cname ? cname : "",
> sname ? sname : "",
> ! tlen,
> ! enc_tkt_reply.transited.tr_contents.data,
> ! tdots);
> else {
> const char *emsg = krb5_get_error_message(kdc_context, errcode);
> krb5_klog_syslog (LOG_ERR,
> ! "unexpected error checking transit from "
> ! "'%s' to '%s' via '%.*s%s': %s",
> cname ? cname : "",
> sname ? sname : "",
> ! tlen,
> enc_tkt_reply.transited.tr_contents.data,
> ! tdots, emsg);
> krb5_free_error_message(kdc_context, emsg);
> }
> } else
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Please try the 1.5.x patch at:

http://web.mit.edu/kerberos/advisori...02-patch15.txt

PGP-signed version:

http://web.mit.edu/kerberos/advisori...atch15.txt.asc

Advisory will be updated shortly.

---Tom
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

In article <1175893104.6642.18.camel@merlin.Mines.EDU>,
Matthew B. Brookover wrote:

>The patches will load, compile and run on version 1.6. Is any body
>running 1.6 in production?

Yes, CSAIL.MIT.EDU is, as of about a month ago. No issues.

-GAWollman

--
Garrett A. Wollman | The real tragedy of human existence is not that we are
wollman@csail.mit.edu| nasty by nature, but that a cruel structural asymmetry
Opinions not those | grants to rare events of meanness such power to shape
of MIT or CSAIL. | our history. - S.J. Gould, Ten Thousand Acts of Kindness

Thank you Tom, the new patch looks good. I have not tried to set up a
kdc yet, but configure, make, make install, and make check look good.

Simon, if you patch the 1.5.2 package, it will not have any offsets or
fuzz:
[mbrookov@k-one krb5-1.5.2]$ patch -p0 -b < ../2007-002-patch15.txt
patching file src/kdc/kdc_util.c
patching file src/kdc/do_tgs_req.c
patching file src/kadmin/server/ovsec_kadmd.c
patching file src/kadmin/server/misc.h
patching file src/kadmin/server/schpw.c
patching file src/kadmin/server/server_stubs.c
patching file src/kadmin/server/kadm_rpc_svc.c
patching file src/kadmin/server/misc.c
patching file src/lib/kadm5/logger.c
[mbrookov@k-one krb5-1.5.2]$

Matt


On Fri, 2007-04-06 at 17:54 -0500, simonst@wellsfargo.com wrote:
> The 2007-002-patch15.txt patch applied successfully on my krb5-1.5 - thanks!
>
> $ patch -p0 <2007-002-patch15.txt
> patching file src/kdc/kdc_util.c
> patching file src/kdc/do_tgs_req.c
> Hunk #1 succeeded at 489 (offset -2 lines).
> Hunk #3 succeeded at 827 (offset -2 lines).
> patching file src/kadmin/server/ovsec_kadmd.c
> Hunk #1 succeeded at 989 with fuzz 2.
> Hunk #2 succeeded at 994 (offset -5 lines).
> patching file src/kadmin/server/misc.h
> patching file src/kadmin/server/schpw.c
> patching file src/kadmin/server/server_stubs.c
> patching file src/kadmin/server/kadm_rpc_svc.c
> patching file src/kadmin/server/misc.c
> patching file src/lib/kadm5/logger.c
>
> -----Original Message-----
> From: Tom Yu [mailto:tlyu@MIT.EDU]
> Sent: Friday, April 06, 2007 2:13 PM
> To: mbrookov@mines.edu
> Cc: Simons, Tom; kerberos@MIT.EDU
> Subject: Re: Error applying MITKRB5-SA-2007-002 on krb5-1.5
>
> Please try the 1.5.x patch at:
>
> http://web.mit.edu/kerberos/advisori...02-patch15.txt
>
> PGP-signed version:
>
> http://web.mit.edu/kerberos/advisori...atch15.txt.asc
>
> Advisory will be updated shortly.
>
> ---Tom
>

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos