Description: <short summary of the patch>
 TODO: Put a short summary on the line above and replace this paragraph
 with a longer explanation of this change. Complete the meta-information
 with other relevant fields (see below for details). To make it easier, the
 information below has been extracted from the changelog. Adjust it or drop
 it.
 .
 krb5-appl (1:1.0.1-3) unstable; urgency=low
 .
   * Move some internal messing about with sig_t done by
     gssftp/ftp/ftp_var.h after the last system include to keep from
     stomping on system headers.  Hopefully will fix FTBFS issues on Hurd
     and kFreeBSD.
Author: Russ Allbery <rra@debian.org>

---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: http://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: <YYYY-MM-DD>

--- /dev/null
+++ krb5-appl-1.0.1/.gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+pristine-tar=True
--- krb5-appl-1.0.1.orig/k5-util.h
+++ krb5-appl-1.0.1/k5-util.h
@@ -69,8 +69,7 @@
 #elif defined(HAVE_SETREUID)
 #  define krb5_seteuid(EUID)	setreuid(geteuid(), (uid_t)(EUID))
 #else
-   /* You need to add a case to deal with this operating system.*/
-#  define krb5_seteuid(EUID)	(errno = EPERM, -1)
+#  error "You need to add a case to deal with this operating system."
 #endif
 
 #ifdef HAVE_SETEGID
@@ -80,8 +79,7 @@
 #elif defined(HAVE_SETREGID)
 #  define krb5_setegid(EGID)	(setregid(getegid(), (gid_t)(EGID)))
 #else
-   /* You need to add a case to deal with this operating system.*/
-#  define krb5_setegid(EGID)	(errno = EPERM, -1)
+#  error "You need to add a case to deal with this operating system."
 #endif
 
 #endif
--- krb5-appl-1.0.1.orig/configure.ac
+++ krb5-appl-1.0.1/configure.ac
@@ -107,6 +107,7 @@ AC_CHECK_FUNCS(_getpty cgetent getcwd ge
 AC_CHECK_FUNCS(getutmpx grantpt inet_aton initgroups isatty killpg killpg)
 AC_CHECK_FUNCS(line_push ptsname revoke rmufile rresvport_af)
 AC_CHECK_FUNCS(seteuid setlogin setpgid setpriority setresuid setreuid)
+AC_CHECK_FUNCS(setegid setregid setresgid)
 AC_CHECK_FUNCS(setutent setutsent setutxent strsave tcgetpgrp tcsetpgrp)
 AC_CHECK_FUNCS(ttyname unsetenv updwtmp updwtmpx utimes utmpname utmpxname)
 AC_CHECK_FUNCS(vhangup vsnprintf waitpid)
--- krb5-appl-1.0.1.orig/bsd/login.c
+++ krb5-appl-1.0.1/bsd/login.c
@@ -122,6 +122,14 @@ int login_accept_passwd = 0;
 #define siglongjmp	longjmp
 #endif
 
+#ifndef MAXPATHLEN
+# define MAXPATHLEN 4096
+#endif
+
+#ifndef MAXHOSTNAMELEN
+# define MAXHOSTNAMELEN 256
+#endif
+
 #ifdef POSIX_SIGNALS
 typedef struct sigaction handler;
 #define handler_init(H,F)		(sigemptyset(&(H).sa_mask), \
--- krb5-appl-1.0.1.orig/bsd/klogind.M
+++ krb5-appl-1.0.1/bsd/klogind.M
@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when
 the port indicated in /etc/inetd.conf.  A typical /etc/inetd.conf
 configuration line for \fIklogind\fP might be:
 
-klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c
+klogin stream tcp nowait root /usr/sbin/klogind klogind \-e5c
 
 When a service request is received, the following protocol is initiated:
 
@@ -56,7 +56,7 @@ by command line arguments passed by inet
 
 .IP \fB\-P\fP
 Prompt the user for a password.
-If the -P option is passed, then the password is verified in addition
+If the \-P option is passed, then the password is verified in addition
 to all other checks.
 
 .IP \fB\-e\fP
@@ -77,7 +77,7 @@ checksums are validated if presented.  S
 a checksum from an authenticator without making the authenticator
 invalid, this default mode is almost as significant of a security
 improvement as \fB-c\fP if new clients are used.  It has the additional
-advantage of backwards compatability with some clients.
+advantage of backwards compatibility with some clients.
 Unfortunately, clients before Kerberos V5, Beta5, generate invalid
 checksums; if these clients are used, the \fB-i\fP option must be
 used.
@@ -87,8 +87,8 @@ Ignore authenticator checksums if provid
 ignore authenticator checksusm presented by current Kerberos clients
 to protect initial connection information; it is the opposite of
 \fB-c\fP.  This option is provided because some older
-clients--particularly clients predating the release of Kerberos V5
-Beta5 (May 1995)--present bogus checksums that prevent Kerberos
+clients -- particularly clients predating the release of Kerberos V5
+Beta5 (May 1995) -- present bogus checksums that prevent Kerberos
 authentication from succeeding in the default mode.
 
 .PP
--- krb5-appl-1.0.1.orig/bsd/kshd.M
+++ krb5-appl-1.0.1/bsd/kshd.M
@@ -8,7 +8,7 @@
 .SH NAME
 kshd \- kerberized remote shell server
 .SH SYNOPSIS
-.B /usr/local/sbin/kshd 
+.B kshd 
 [
 .B \-kr45ec
 ]
@@ -30,7 +30,7 @@ server is invoked by \fIinetd(8c)\fP whe
 on the port indicated in /etc/inetd.conf.  A typical /etc/inetd.conf
 configuration line for \fIkrshd\fP might be:
 
-kshell	stream	tcp	nowait	root	/usr/local/sbin/kshd	kshd -5c
+kshell	stream	tcp	nowait	root	/usr/sbin/kshd	kshd \-5c
 
 When a service request is received, the following protocol is initiated:
 
@@ -97,7 +97,7 @@ checksums are validated if presented.  S
 a checksum from an authenticator without making the authenticator
 invalid, this default mode is almost as significant of a security
 improvement as \fB-c\fP if new clients are used.  It has the additional
-advantage of backwards compatability with some clients.
+advantage of backwards compatibility with some clients.
 Unfortunately, clients before Kerberos V5, Beta5, generate invalid
 checksums; if these clients are used, the \fB-i\fP option must be
 used.
@@ -107,8 +107,8 @@ Ignore authenticator checksums if provid
 ignore authenticator checksusm presented by current Kerberos clients
 to protect initial connection information; it is the opposite of
 \fB-c\fP.  This option is provided because some older
-clients--particularly clients predating the release of Kerberos V5
-Beta5 (May 1995)--present bogus checksums that prevent Kerberos
+clients -- particularly clients predating the release of Kerberos V5
+Beta5 (May 1995) -- present bogus checksums that prevent Kerberos
 authentication from succeeding in the default mode.
 
 
--- krb5-appl-1.0.1.orig/bsd/Makefile.in
+++ krb5-appl-1.0.1/bsd/Makefile.in
@@ -9,9 +9,9 @@ SRCS= $(srcdir)/krcp.c $(srcdir)/krlogin
 	$(srcdir)/krlogind.c
 OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o login.o krshd.o krlogind.o
 
-UCB_RLOGIN = @UCB_RLOGIN@
-UCB_RSH = @UCB_RSH@
-UCB_RCP = @UCB_RCP@
+UCB_RLOGIN = /usr/bin/netkit-rlogin
+UCB_RSH = /usr/bin/netkit-rsh
+UCB_RCP = /usr/bin/netkit-rcp
 
 RSH=	-DKRB5_PATH_RLOGIN=\"$(CLIENT_BINDIR)/rlogin\"
 BSD=	-DUCB_RLOGIN=\"$(UCB_RLOGIN)\" \
--- krb5-appl-1.0.1.orig/bsd/krshd.c
+++ krb5-appl-1.0.1/bsd/krshd.c
@@ -488,6 +488,11 @@ int maxlogs;
 #define NCARGS 1024
 #endif
 
+#if NCARGS == INT_MAX
+#undef NCARGS
+#define NCARGS 4096
+#endif
+
 #define NMAX   16 
 
 int pid;
--- krb5-appl-1.0.1.orig/bsd/krlogind.c
+++ krb5-appl-1.0.1/bsd/krlogind.c
@@ -286,6 +286,10 @@ char *login_program = LOGIN_PROGRAM;
 #define MAXDNAME 256 /*per the rfc*/
 #endif
 
+#ifndef MAXPATHLEN
+# define MAXPATHLEN 4096
+#endif
+
 char		lusername[UT_NAMESIZE+1];
 char		rusername[UT_NAMESIZE+1];
 char            *krusername = 0;
--- krb5-appl-1.0.1.orig/bsd/krlogin.c
+++ krb5-appl-1.0.1/bsd/krlogin.c
@@ -139,6 +139,7 @@ char copyright[] =
 #include <sys/ptyvar.h>
 #endif
 #endif
+#undef TIOCGLTC
 
 #ifndef TIOCPKT_NOSTOP
 /* These values are over-the-wire protocol, *not* local values */
--- krb5-appl-1.0.1.orig/telnet/libtelnet/encrypt.c
+++ krb5-appl-1.0.1/telnet/libtelnet/encrypt.c
@@ -757,6 +757,9 @@ static void encrypt_keyid(kp, keyid, len
 	int dir = kp->dir;
 	register int ret = 0;
 
+	if (len > MAXKEYLEN)
+		len = MAXKEYLEN;
+
 	if (!(ep = (*kp->getcrypt)(*kp->modep))) {
 		if (len == 0)
 			return;
--- krb5-appl-1.0.1.orig/telnet/telnet/main.c
+++ krb5-appl-1.0.1/telnet/telnet/main.c
@@ -322,10 +322,14 @@ main(argc, argv)
 
 		if (setjmp(toplevel) != 0)
 			Exit(0);
-		if (tn(argp - args, args) == 1)
-			return (0);
-		else
-			return (1);
+		{
+			int ret = tn(argp - args, args);
+			switch (ret) {
+				case 1: return 0;
+				case 2: usage();
+				default: return 1;
+			}
+		}
 	}
 	(void)setjmp(toplevel);
 	for (;;) {
--- krb5-appl-1.0.1.orig/telnet/telnet/sys_bsd.c
+++ krb5-appl-1.0.1/telnet/telnet/sys_bsd.c
@@ -44,6 +44,8 @@
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/socket.h>
+#include <sys/ioctl.h>
+
 #ifdef HAVE_SYS_SELECT_H
 #include <sys/select.h>
 #endif
--- krb5-appl-1.0.1.orig/telnet/telnet/commands.c
+++ krb5-appl-1.0.1/telnet/telnet/commands.c
@@ -2467,8 +2467,7 @@ tn(argc, argv)
 	    continue;
 	}
     usage:
-	printf("usage: %s [-l user] [-a] host-name [port]\r\n", cmd);
-	return 0;
+	return 2;
     }
     if (hostp == 0)
 	goto usage;
--- krb5-appl-1.0.1.orig/telnet/telnet/utilities.c
+++ krb5-appl-1.0.1/telnet/telnet/utilities.c
@@ -797,13 +797,13 @@ printsub(direction, pointer, length)
 			    if (pointer[0] == TELOPT_OLD_ENVIRON) {
 # ifdef	ENV_HACK
 				if (old_env_var == OLD_ENV_VALUE)
-				    fprintf(NetTrace, "\" (VALUE) " + noquote);
+				    fprintf(NetTrace, "%s", "\" (VALUE) " + noquote);
 				else
 # endif
-				    fprintf(NetTrace, "\" VAR " + noquote);
+				    fprintf(NetTrace, "%s", "\" VAR " + noquote);
 			    } else
 #endif /* OLD_ENVIRON */
-				fprintf(NetTrace, "\" VALUE " + noquote);
+				fprintf(NetTrace, "%s", "\" VALUE " + noquote);
 			    noquote = 2;
 			    break;
 
@@ -813,23 +813,23 @@ printsub(direction, pointer, length)
 			    if (pointer[0] == TELOPT_OLD_ENVIRON) {
 # ifdef	ENV_HACK
 				if (old_env_value == OLD_ENV_VAR)
-				    fprintf(NetTrace, "\" (VAR) " + noquote);
+				    fprintf(NetTrace, "%s", "\" (VAR) " + noquote);
 				else
 # endif
-				    fprintf(NetTrace, "\" VALUE " + noquote);
+				    fprintf(NetTrace, "%s", "\" VALUE " + noquote);
 			    } else
 #endif /* OLD_ENVIRON */
-				fprintf(NetTrace, "\" VAR " + noquote);
+				fprintf(NetTrace, "%s", "\" VAR " + noquote);
 			    noquote = 2;
 			    break;
 
 			case ENV_ESC:
-			    fprintf(NetTrace, "\" ESC " + noquote);
+			    fprintf(NetTrace, "%s", "\" ESC " + noquote);
 			    noquote = 2;
 			    break;
 
 			case ENV_USERVAR:
-			    fprintf(NetTrace, "\" USERVAR " + noquote);
+			    fprintf(NetTrace, "%s", "\" USERVAR " + noquote);
 			    noquote = 2;
 			    break;
 
--- krb5-appl-1.0.1.orig/telnet/telnetd/telnetd.8
+++ krb5-appl-1.0.1/telnet/telnetd/telnetd.8
@@ -37,7 +37,7 @@ telnetd \-
 .SM DARPA TELNET
 protocol server
 .SH SYNOPSIS
-.B /usr/libexec/telnetd
+.B telnetd
 [\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
 [\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
 [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
--- krb5-appl-1.0.1.orig/telnet/telnetd/defs.h
+++ krb5-appl-1.0.1/telnet/telnetd/defs.h
@@ -38,6 +38,7 @@
  */
 #include <sys/types.h>
 #include <sys/param.h>
+#include <sys/ioctl.h>
 
 #ifndef	BSD
 # define	BSD 43
--- krb5-appl-1.0.1.orig/gssftp/ftpd/ftpd.c
+++ krb5-appl-1.0.1/gssftp/ftpd/ftpd.c
@@ -152,6 +152,14 @@ int have_creds;		/* User has credentials
 #include "ftpd_var.h"
 #include "secure.h"
 
+#ifndef MAXPATHLEN
+# define MAXPATHLEN 4096
+#endif
+
+#ifndef MAXHOSTNAMELEN
+# define MAXHOSTNAMELEN 256
+#endif
+
 extern	char *crypt();
 extern	char version[];
 extern	char *home;		/* pointer to home directory for glob */
@@ -986,9 +994,14 @@ login(passwd, logincode)
 #endif
 	}
 
-	(void) krb5_setegid((gid_t)pw->pw_gid);
-	(void) initgroups(pw->pw_name, pw->pw_gid);
-
+	if (krb5_setegid((gid_t)pw->pw_gid) < 0) {
+		reply(550, "Can't set egid.");
+		goto bad;
+	}
+	if (geteuid() == 0 && initgroups(pw->pw_name, pw->pw_gid) < 0) {
+		reply(550, "Can't initgroups");
+		goto bad;
+	}
 	/* open wtmp before chroot */
 	(void) snprintf(ttyline, sizeof(ttyline), "ftp%ld", (long) getpid());
 	pty_logwtmp(ttyline, pw->pw_name, rhost_sane);
@@ -2360,7 +2373,7 @@ send_file_list(whichfiles)
 		globerr = NULL;
 		dirlist = ftpglob(whichfiles);
 		if (globerr != NULL) {
-			reply(550, globerr);
+			reply(550, "%s", globerr);
 			return;
 		} else if (dirlist == NULL) {
 			errno = ENOENT;
@@ -2536,7 +2549,7 @@ static void
 log_gss_error(int severity, OM_uint32 maj_stat, OM_uint32 min_stat,
 	      const char *s)
 {
-    syslog(severity, s);
+    syslog(severity, "%s", s);
     with_gss_error_text(log_gss_error_1, maj_stat, min_stat, severity);
 }
 
--- krb5-appl-1.0.1.orig/gssftp/ftpd/ftpd.M
+++ krb5-appl-1.0.1/gssftp/ftpd/ftpd.M
@@ -36,7 +36,7 @@
 ftpd \- DARPA Internet File Transfer Protocol server
 .SH SYNOPSIS
 .B ftpd
-[\fB\-A \fP|\fB -a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB-E\fP]
+[\fB\-A \fP|\fB\-a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB\-E\fP]
 [\fB\-l\fP] [\fB\-v\fP] [\fB\-T\fP \fImaxtimeout\fP] [\fB\-t\fP \fItimeout\fP]
 [\fB\-p\fP \fIport\fP] [\fB\-U\fP \fIftpusers-file\fP] [\fB\-u\fP \fIumask\fP]
 [\fB\-r\fP \fIrealm-file\fP] [\fB\-s\fP \fIsrvtab\fP]
@@ -75,7 +75,7 @@ Allow the CCC (Clear Command Channel) co
 less secure connections, and should probably only be used when debugging.
 .TP
 .B \-d
-Debugging information is written to the syslog.  (Identical to -v)
+Debugging information is written to the syslog.  (Identical to \-v)
 .TP
 .B \-E
 Don't allow passwords to be typed across unencrypted connections.
@@ -90,7 +90,7 @@ other statistics such as the number of b
 syslog as well.
 .TP
 .B \-v
-Debugging information is written to the syslog.  (Identical to -d)
+Debugging information is written to the syslog.  (Identical to \-d)
 .TP
 \fB\-T\fP \fImaxtimeout\fP
 A client may request a maximum timeout period allowed set to
@@ -191,7 +191,7 @@ give help information
 .sp -1
 .TP
 LIST
-give list files in a directory (``ls -lgA'')
+give list files in a directory (``ls \-lgA'')
 .sp -1
 .TP
 MIC
--- krb5-appl-1.0.1.orig/gssftp/ftp/ftp.M
+++ krb5-appl-1.0.1/gssftp/ftp/ftp.M
@@ -947,7 +947,7 @@ then forks a shell, using
 .IR popen (3)
 with the argument supplied, and reads from (writes to) stdout (stdin).
 If the shell command includes spaces, the argument must be quoted; e.g.
-``" ls -lt"''.  A particularly useful example of this mechanism is:
+``" ls \-lt"''.  A particularly useful example of this mechanism is:
 ``dir more''.
 .TP
 3.
--- krb5-appl-1.0.1.orig/gssftp/ftp/ftp.c
+++ krb5-appl-1.0.1/gssftp/ftp/ftp.c
@@ -150,6 +150,10 @@ unsigned char *ucbuf;
 #include "ftp_var.h"
 #include "secure.h"
 
+#ifndef MAXHOSTNAMELEN
+# define MAXHOSTNAMELEN 256
+#endif
+
 #ifdef GSSAPI
 void user_gss_error (OM_uint32, OM_uint32, char *);
 #endif
--- krb5-appl-1.0.1.orig/gssftp/ftp/ftp_var.h
+++ krb5-appl-1.0.1/gssftp/ftp/ftp_var.h
@@ -53,15 +53,6 @@ FILE* fdopen_socket(SOCKET s, char* mode
 #define PERROR_SOCKET(str) perror(str)
 #endif
 
-#ifdef _WIN32
-typedef void (*sig_t)(int);
-typedef void sigtype;
-#else
-#define sig_t my_sig_t
-#define sigtype krb5_sigtype
-typedef sigtype (*sig_t)();
-#endif
-
 /*
  * FTP global variables.
  */
@@ -70,6 +61,10 @@ typedef sigtype (*sig_t)();
 #define extern
 #endif
 
+#ifndef MAXPATHLEN
+# define MAXPATHLEN 4096
+#endif
+
 /*
  * Options and other state info.
  */
@@ -164,6 +159,15 @@ extern int macnum;		/* number of defined
 extern struct macel macros[16];
 extern char macbuf[4096];
 
+#ifdef _WIN32
+typedef void (*sig_t)(int);
+typedef void sigtype;
+#else
+#define sig_t my_sig_t
+#define sigtype krb5_sigtype
+typedef sigtype (*sig_t)();
+#endif
+
 #ifdef DEFINITIONS
 #undef extern
 #endif
--- krb5-appl-1.0.1.orig/gssftp/ftp/cmds.c
+++ krb5-appl-1.0.1/gssftp/ftp/cmds.c
@@ -1824,7 +1824,7 @@ static void quote1(initial, argc, argv)
 			len += strlen(strncpy(&buf[len], argv[i], sizeof(buf) - 1 - len));
 		}
 	}
-	if (command(buf) == PRELIM) {
+	if (command("%s", buf) == PRELIM) {
 		while (getreply(0) == PRELIM);
 	}
 }
--- krb5-appl-1.0.1.orig/libpty/sane_hostname.c
+++ krb5-appl-1.0.1/libpty/sane_hostname.c
@@ -27,6 +27,10 @@
 #include "socket-utils.h"
 #include "fake-addrinfo.h"
 
+#ifndef MAXHOSTNAMELEN
+# define MAXHOSTNAMELEN 256
+#endif
+
 static void
 downcase (char *s)
 {
