diff --git a/audit.spec b/audit.spec index b19990117f0458076dbbca7c00a322603e8c34b3..b0b9990117805f945513f0670d1d4d46298451d5 100644 --- a/audit.spec +++ b/audit.spec @@ -2,7 +2,7 @@ Summary: User space tools for kernel auditing Name: audit Epoch: 1 Version: 3.0.1 -Release: 5 +Release: 6 License: GPLv2+ and LGPLv2+ URL: https://people.redhat.com/sgrubb/audit/ Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz @@ -33,6 +33,15 @@ Patch21: backport-auditd.service-Restart-on-failure-ignoring-some-exit.p Patch22: backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch Patch23: backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch Patch24: audit-Add-sw64-architecture.patch +Patch25: backport-In-auditd-release-the-async-flush-lock-on-stop.patch +Patch26: backport-auditd-cleanup-krb5-memory-leaks-on-error-paths.patch +Patch27: backport-audisp-remote-cleanup-krb5-memory-leaks-on-error-paths.patch +Patch28: backport-Final-kerberos-leak-fixups.patch +Patch29: backport-time_t-is-not-an-int-anymore.patch +Patch30: backport-krb5_cc_store_cred-takes-custody-of-my_creds-so-we-do-not-need-to-keep-it-around.patch +Patch31: backport-asprintf-can-return-a-negative-number.patch +Patch32: backport-Cleanup-gssapi-code.patch +Patch33: backport-Fix-another-krb5-memory-leak.patch BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29 BuildRequires: openldap-devel krb5-devel libcap-ng-devel @@ -370,6 +379,9 @@ fi %attr(644,root,root) %{_mandir}/man8/*.8.gz %changelog +* Tue Dec 27 2022 zhangguangzhi - 3.0.1-6 +- backport some patches + * Mon Nov 14 2022 wuzx - 3.0.1-5 - Add sw64 architecture diff --git a/backport-Cleanup-gssapi-code.patch b/backport-Cleanup-gssapi-code.patch new file mode 100644 index 0000000000000000000000000000000000000000..1c73f1553f6fdbc1b14fadcedfb9436734b53800 --- /dev/null +++ b/backport-Cleanup-gssapi-code.patch @@ -0,0 +1,67 @@ +From ff0b0a11497fe9360e3aaa448c8744955f8c0fc9 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Fri, 15 Jul 2022 16:09:10 -0400 +Subject: Cleanup gssapi code + +--- + src/auditd-listen.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +diff --git a/src/auditd-listen.c b/src/auditd-listen.c +index 34a142a..61a3480 100644 +--- a/src/auditd-listen.c ++++ b/src/auditd-listen.c +@@ -414,10 +414,9 @@ static int negotiate_credentials(ev_tcp *io) + GSS_C_NO_CHANNEL_BINDINGS, &client, + NULL, &send_tok, &sess_flags, + NULL, NULL); +- if (recv_tok.value) { +- free(recv_tok.value); +- recv_tok.value = NULL; +- } ++ if (recv_tok.value) ++ gss_release_buffer(&min_stat, &recv_tok); ++ + if (maj_stat != GSS_S_COMPLETE + && maj_stat != GSS_S_CONTINUE_NEEDED) { + gss_release_buffer(&min_stat, &send_tok); +@@ -441,6 +440,7 @@ static int negotiate_credentials(ev_tcp *io) + if (*context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&min_stat, + context, GSS_C_NO_BUFFER); ++ gss_release_name(&min_stat, &client); + return -1; + } + gss_release_buffer(&min_stat, &send_tok); +@@ -455,14 +455,22 @@ static int negotiate_credentials(ev_tcp *io) + return -1; + } + +- audit_msg(LOG_INFO, "GSS-API Accepted connection from: %s", +- (char *)recv_tok.value); +- io->remote_name = strdup(recv_tok.value); +- io->remote_name_len = strlen(recv_tok.value); ++ if (asprintf(&io->remote_name, "%.*s", (int)recv_tok.length, ++ (char *)recv_tok.value) < 0) { ++ io->remote_name = strdup("?"); ++ io->remote_name_len = 1; ++ } else ++ io->remote_name_len = recv_tok.length; ++ ++ audit_msg(LOG_INFO, "GSS-API Accepted connection from: %s", ++ io->remote_name); + gss_release_buffer(&min_stat, &recv_tok); + +- slashptr = strchr(io->remote_name, '/'); +- atptr = strchr(io->remote_name, '@'); ++ if (io->remote_name) { ++ slashptr = strchr(io->remote_name, '/'); ++ atptr = strchr(io->remote_name, '@'); ++ } else ++ slashptr = NULL; + + if (!slashptr || !atptr) { + audit_msg(LOG_ERR, "Invalid GSS name from remote client: %s", +-- +2.27.0 + diff --git a/backport-Final-kerberos-leak-fixups.patch b/backport-Final-kerberos-leak-fixups.patch new file mode 100644 index 0000000000000000000000000000000000000000..ca3e0790c4fb30406ce4c54431152eabe3b60c80 --- /dev/null +++ b/backport-Final-kerberos-leak-fixups.patch @@ -0,0 +1,122 @@ +From 7bda187f92424bf4891eb22f1877808ca5eb059a Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Mon, 11 Jul 2022 17:03:09 -0400 +Subject: Final kerberos leak fixups + +--- + audisp/plugins/remote/audisp-remote.c | 34 ++++++++++++++++++++------- + src/auditd-listen.c | 6 +++-- + 2 files changed, 29 insertions(+), 11 deletions(-) + +diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c +index 3b9d8f0..eda8c4e 100644 +--- a/audisp/plugins/remote/audisp-remote.c ++++ b/audisp/plugins/remote/audisp-remote.c +@@ -757,8 +757,17 @@ static void gss_failure (const char *msg, int major_status, int minor_status) + gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE); + } + +-#define KLOG(x,f) syslog (LOG_ERR, "krb5 error: %s in %s\n", \ +- krb5_get_error_message (kcontext, x), f); ++#define KLOG(x,f) { \ ++ const char *kstr = krb5_get_error_message(kcontext, x); \ ++ syslog (LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \ ++ krb5_free_error_message(kcontext, kstr); } ++static krb5_context kcontext = NULL; ++static char *realm_name = NULL; ++static krb5_principal audit_princ; ++static krb5_ccache ccache = NULL; ++static krb5_creds my_creds; ++static krb5_get_init_creds_opt options; ++static krb5_keytab keytab = NULL; + + /* Each time we connect to the server, we negotiate a set of credentials and + a security context. To do this, we need our own credentials first. For +@@ -781,13 +790,6 @@ static int negotiate_credentials (void) + we use Kerberos calls here. */ + + int krberr; +- krb5_context kcontext = NULL; +- char *realm_name; +- krb5_principal audit_princ; +- krb5_ccache ccache = NULL; +- krb5_creds my_creds; +- krb5_get_init_creds_opt options; +- krb5_keytab keytab = NULL; + const char *krb5_client_name; + char *slashptr; + char host_name[255]; +@@ -1013,14 +1015,18 @@ error6: + krb5_free_creds(kcontext, &my_creds); + error5: + krb5_cc_close(kcontext, ccache); ++ ccache = NULL; + error4: + krb5_kt_close(kcontext, keytab); ++ keytab = NULL; + error3: + krb5_free_principal(kcontext, audit_princ); + error2: + krb5_free_default_realm(kcontext, realm_name); ++ realm_name = NULL; + error1: + krb5_free_context(kcontext); ++ kcontext = NULL; + return -1; + } + #endif // USE_GSSAPI +@@ -1034,6 +1040,16 @@ static int stop_sock(void) + gss_delete_sec_context(&minor_status, &my_context, + GSS_C_NO_BUFFER); + my_context = GSS_C_NO_CONTEXT; ++ krb5_free_creds(kcontext, &my_creds); ++ krb5_cc_close(kcontext, ccache); ++ ccache = NULL; ++ krb5_kt_close(kcontext, keytab); ++ keytab = NULL; ++ krb5_free_principal(kcontext, audit_princ); ++ krb5_free_default_realm(kcontext, realm_name); ++ realm_name = NULL; ++ krb5_free_context(kcontext); ++ kcontext = NULL; + } + #endif + shutdown(sock, SHUT_RDWR); +diff --git a/src/auditd-listen.c b/src/auditd-listen.c +index c8cae38..34a142a 100644 +--- a/src/auditd-listen.c ++++ b/src/auditd-listen.c +@@ -325,11 +325,12 @@ static void gss_failure(const char *msg, int major_status, int minor_status) + const char *kstr = krb5_get_error_message(kcontext, x); \ + audit_msg(LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \ + krb5_free_error_message(kcontext, kstr); \ +- krb5_free_context(k); \ ++ krb5_free_context(k); k = NULL; \ + return -1; } + + /* These are our private credentials, which come from a key file on + our server. They are aquired once, at program start. */ ++static krb5_context kcontext = NULL; + static int server_acquire_creds(const char *service_name, + gss_cred_id_t *lserver_creds) + { +@@ -337,7 +338,6 @@ static int server_acquire_creds(const char *service_name, + gss_name_t server_name; + OM_uint32 major_status, minor_status; + +- krb5_context kcontext = NULL; + int krberr; + + my_service_name = strdup(service_name); +@@ -1139,6 +1139,8 @@ void auditd_tcp_listen_uninit(struct ev_loop *loop, struct daemon_conf *config) + #ifdef USE_GSSAPI + if (USE_GSS) { + gss_release_cred(&status, &server_creds); ++ krb5_free_context(kcontext); ++ kcontext = NULL; + free(my_service_name); + my_service_name = NULL; + } +-- +2.27.0 + diff --git a/backport-Fix-another-krb5-memory-leak.patch b/backport-Fix-another-krb5-memory-leak.patch new file mode 100644 index 0000000000000000000000000000000000000000..30fbc13ecf9dc9e9bdf3e45520d9e3be04922b4b --- /dev/null +++ b/backport-Fix-another-krb5-memory-leak.patch @@ -0,0 +1,24 @@ +From e95722695a1d3dc6ac266af8871069da74471999 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Thu, 6 Oct 2022 13:34:15 -0400 +Subject: Fix another krb5 memory leak + +--- + src/auditd-listen.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/auditd-listen.c b/src/auditd-listen.c +index 61a3480..171974c 100644 +--- a/src/auditd-listen.c ++++ b/src/auditd-listen.c +@@ -358,6 +358,7 @@ static int server_acquire_creds(const char *service_name, + if (major_status != GSS_S_COMPLETE) { + gss_failure("acquiring credentials", + major_status, minor_status); ++ (void) gss_release_name(&minor_status, &server_name); + return -1; + } + +-- +2.27.0 + diff --git a/backport-In-auditd-release-the-async-flush-lock-on-stop.patch b/backport-In-auditd-release-the-async-flush-lock-on-stop.patch new file mode 100644 index 0000000000000000000000000000000000000000..2d6eef73da2071a800b71dea44f67c7559d28ad3 --- /dev/null +++ b/backport-In-auditd-release-the-async-flush-lock-on-stop.patch @@ -0,0 +1,29 @@ +From f7df667ba76391ffd65a4ed45b2150bf9902b99d Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Wed, 30 Mar 2022 10:12:16 -0400 +Subject: In auditd, release the async flush lock on stop + +Conflict:delete changelog +--- + src/auditd-event.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/auditd-event.c b/src/auditd-event.c +index e88ef6e..ed6e929 100644 +--- a/src/auditd-event.c ++++ b/src/auditd-event.c +@@ -208,8 +208,10 @@ static void *flush_thread_main(void *arg) + // into a loop of fsyncs. + while (flush == 0) { + pthread_cond_wait(&do_flush, &flush_lock); +- if (stop) ++ if (stop) { ++ pthread_mutex_unlock(&flush_lock); + return NULL; ++ } + } + flush = 0; + pthread_mutex_unlock(&flush_lock); +-- +2.27.0 + diff --git a/backport-asprintf-can-return-a-negative-number.patch b/backport-asprintf-can-return-a-negative-number.patch new file mode 100644 index 0000000000000000000000000000000000000000..85cb0be1ebdca57233277c615a7514bbc08d49e8 --- /dev/null +++ b/backport-asprintf-can-return-a-negative-number.patch @@ -0,0 +1,25 @@ +From a75e42921997cab4cb9b2a01107441695239f764 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Mon, 11 Jul 2022 17:53:26 -0400 +Subject: asprintf can return a negative number + +--- + audisp/audispd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/audisp/audispd.c b/audisp/audispd.c +index f20b38d..77cb7b2 100644 +--- a/audisp/audispd.c ++++ b/audisp/audispd.c +@@ -484,7 +484,7 @@ static int event_loop(void) + while (stop == 0) { + event_t *e; + char *v, *ptr, unknown[32]; +- unsigned int len; ++ int len; + lnode *conf; + + /* This is where we block until we have an event */ +-- +2.27.0 + diff --git a/backport-audisp-remote-cleanup-krb5-memory-leaks-on-error-paths.patch b/backport-audisp-remote-cleanup-krb5-memory-leaks-on-error-paths.patch new file mode 100644 index 0000000000000000000000000000000000000000..76ab3f163d98a2a05956bba3fbf5b2d4143f4e3c --- /dev/null +++ b/backport-audisp-remote-cleanup-krb5-memory-leaks-on-error-paths.patch @@ -0,0 +1,200 @@ +From 09c62a6f4e4a6963a731d3018209b91dc6447f70 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Mon, 11 Jul 2022 14:21:04 -0400 +Subject: audisp-remote - cleanup krb5 memory leaks on error + paths +Conflict:context adaptation +--- + audisp/plugins/remote/audisp-remote.c | 75 ++++++++++++++++++++------- + 1 file changed, 56 insertions(+), 19 deletions(-) + +diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c +index 3be91b3..3b9d8f0 100644 +--- a/audisp/plugins/remote/audisp-remote.c ++++ b/audisp/plugins/remote/audisp-remote.c +@@ -757,9 +757,8 @@ static void gss_failure (const char *msg, int major_status, int minor_status) + gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE); + } + +-#define KCHECK(x,f) if (x) { \ +- syslog (LOG_ERR, "krb5 error: %s in %s\n", krb5_get_error_message (kcontext, x), f); \ +- return -1; } ++#define KLOG(x,f) syslog (LOG_ERR, "krb5 error: %s in %s\n", \ ++ krb5_get_error_message (kcontext, x), f); + + /* Each time we connect to the server, we negotiate a set of credentials and + a security context. To do this, we need our own credentials first. For +@@ -800,7 +799,10 @@ static int negotiate_credentials (void) + recv_tok.value = NULL; + + krberr = krb5_init_context (&kcontext); +- KCHECK (krberr, "krb5_init_context"); ++ if (krberr) { ++ KLOG (krberr, "krb5_init_context"); ++ return -1; ++ } + + if (config.krb5_key_file) + key_file = config.krb5_key_file; +@@ -815,21 +817,24 @@ static int negotiate_credentials (void) + syslog (LOG_ERR, + "%s is not mode 0400 (it's %#o) - compromised key?", + key_file, st.st_mode & 07777); +- return -1; ++ goto error1; + } + if (st.st_uid != 0) { + if (!quiet) + syslog (LOG_ERR, + "%s is not owned by root (it's %d) - compromised key?", + key_file, st.st_uid); +- return -1; ++ goto error1; + } + } + + /* This looks up the default real (*our* realm) from + /etc/krb5.conf (or wherever) */ + krberr = krb5_get_default_realm (kcontext, &realm_name); +- KCHECK (krberr, "krb5_get_default_realm"); ++ if (krberr) { ++ KLOG (krberr, "krb5_get_default_realm"); ++ goto error1; ++ } + + krb5_client_name = config.krb5_client_name ? + config.krb5_client_name : "auditd"; +@@ -838,7 +843,7 @@ static int negotiate_credentials (void) + syslog (LOG_ERR, + "gethostname: host name longer than %ld characters?", + sizeof (host_name)); +- return -1; ++ goto error2; + } + + syslog (LOG_ERR, "kerberos principal: %s/%s@%s\n", +@@ -847,17 +852,26 @@ static int negotiate_credentials (void) + krberr = krb5_build_principal (kcontext, &audit_princ, + strlen(realm_name), realm_name, + krb5_client_name, host_name, NULL); +- KCHECK (krberr, "krb5_build_principal"); ++ if (krberr) { ++ KLOG (krberr, "krb5_build_principal"); ++ goto error2; ++ } + + /* Locate our machine's key table, where our private key is + * held. */ + krberr = krb5_kt_resolve (kcontext, key_file, &keytab); +- KCHECK (krberr, "krb5_kt_resolve"); ++ if (krberr) { ++ KLOG (krberr, "krb5_kt_resolve"); ++ goto error3; ++ } + + /* Identify a cache to hold the key in. The GSS wrappers look + up our credentials here. */ + krberr = krb5_cc_resolve (kcontext, CCACHE_NAME, &ccache); +- KCHECK (krberr, "krb5_cc_resolve"); ++ if (krberr) { ++ KLOG (krberr, "krb5_cc_resolve"); ++ goto error4; ++ } + + setenv("KRB5CCNAME", CCACHE_NAME, 1); + +@@ -872,15 +886,24 @@ static int negotiate_credentials (void) + krberr = krb5_get_init_creds_keytab(kcontext, &my_creds, audit_princ, + keytab, 0, NULL, + &options); +- KCHECK (krberr, "krb5_get_init_creds_keytab"); ++ if (krberr) { ++ KLOG (krberr, "krb5_get_init_creds_keytab"); ++ goto error5; ++ } + + /* Create the cache... */ + krberr = krb5_cc_initialize(kcontext, ccache, audit_princ); +- KCHECK (krberr, "krb5_cc_initialize"); ++ if (krberr) { ++ KLOG (krberr, "krb5_cc_initialize"); ++ goto error6; ++ } + + /* ...and store our credentials in it. */ + krberr = krb5_cc_store_cred(kcontext, ccache, &my_creds); +- KCHECK (krberr, "krb5_cc_store_cred"); ++ if (krberr) { ++ KLOG (krberr, "krb5_cc_store_cred"); ++ goto error6; ++ } + + /* The GSS code now has a set of credentials for this program. + I.e. we know who "we" are. Now we talk to the server to +@@ -903,13 +926,13 @@ static int negotiate_credentials (void) + (gss_OID) gss_nt_service_name, &service_name_e); + if (major_status != GSS_S_COMPLETE) { + gss_failure("importing name", major_status, minor_status); +- return -1; ++ goto error6; + } + + /* Someone has to go first. In this case, it's us. */ + if (send_token(sock, empty_token) < 0) { + (void) gss_release_name(&minor_status, &service_name_e); +- return -1; ++ goto error6; + } + + /* The server starts this loop with the token we just sent +@@ -936,7 +959,7 @@ static int negotiate_credentials (void) + &send_tok); + (void) gss_release_name(&minor_status, + &service_name_e); +- return -1; ++ goto error6; + } + } + (void) gss_release_buffer(&minor_status, &send_tok); +@@ -949,7 +972,7 @@ static int negotiate_credentials (void) + if (*gss_context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&minor_status, + gss_context, GSS_C_NO_BUFFER); +- return -1; ++ goto error6; + } + + /* Now get any tokens the sever sends back. We use +@@ -958,7 +981,7 @@ static int negotiate_credentials (void) + if (recv_token(sock, &recv_tok) < 0) { + (void) gss_release_name(&minor_status, + &service_name_e); +- return -1; ++ goto error6; + } + token_ptr = &recv_tok; + } +@@ -985,6 +1008,20 @@ static int negotiate_credentials (void) + (char *)recv_tok.value); + #endif + return 0; ++ ++error6: ++ krb5_free_creds(kcontext, &my_creds); ++error5: ++ krb5_cc_close(kcontext, ccache); ++error4: ++ krb5_kt_close(kcontext, keytab); ++error3: ++ krb5_free_principal(kcontext, audit_princ); ++error2: ++ krb5_free_default_realm(kcontext, realm_name); ++error1: ++ krb5_free_context(kcontext); ++ return -1; + } + #endif // USE_GSSAPI + +-- +2.27.0 + diff --git a/backport-auditd-cleanup-krb5-memory-leaks-on-error-paths.patch b/backport-auditd-cleanup-krb5-memory-leaks-on-error-paths.patch new file mode 100644 index 0000000000000000000000000000000000000000..b7d7c5cbeb48aaa7716255bb1f9eccf934c4f3db --- /dev/null +++ b/backport-auditd-cleanup-krb5-memory-leaks-on-error-paths.patch @@ -0,0 +1,42 @@ +From f0ce136497ea4f3e7f6e7b05283c1299e76251e7 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Mon, 11 Jul 2022 12:07:50 -0400 +Subject: auditd - cleanup krb5 memory leaks on error paths + +Conflict:delete changelog +--- + src/auditd-listen.c | 7 ++++--- + 1 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/auditd-listen.c b/src/auditd-listen.c +index 5c433e7..c8cae38 100644 +--- a/src/auditd-listen.c ++++ b/src/auditd-listen.c +@@ -321,10 +321,11 @@ static void gss_failure(const char *msg, int major_status, int minor_status) + gss_failure_2(msg, minor_status, GSS_C_MECH_CODE); + } + +-#define KCHECK(x,f) if (x) { \ ++#define KCHECK(x,f, k) if (x) { \ + const char *kstr = krb5_get_error_message(kcontext, x); \ + audit_msg(LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \ + krb5_free_error_message(kcontext, kstr); \ ++ krb5_free_context(k); \ + return -1; } + + /* These are our private credentials, which come from a key file on +@@ -363,9 +364,9 @@ static int server_acquire_creds(const char *service_name, + (void) gss_release_name(&minor_status, &server_name); + + krberr = krb5_init_context(&kcontext); +- KCHECK (krberr, "krb5_init_context"); ++ KCHECK (krberr, "krb5_init_context", kcontext); + krberr = krb5_get_default_realm(kcontext, &my_gss_realm); +- KCHECK (krberr, "krb5_get_default_realm"); ++ KCHECK (krberr, "krb5_get_default_realm", kcontext); + + audit_msg(LOG_DEBUG, "GSS creds for %s acquired", service_name); + +-- +2.27.0 + diff --git a/backport-krb5_cc_store_cred-takes-custody-of-my_creds-so-we-do-not-need-to-keep-it-around.patch b/backport-krb5_cc_store_cred-takes-custody-of-my_creds-so-we-do-not-need-to-keep-it-around.patch new file mode 100644 index 0000000000000000000000000000000000000000..db1dd46bd0595f7a56981a8869e2d0eecb1d460b --- /dev/null +++ b/backport-krb5_cc_store_cred-takes-custody-of-my_creds-so-we-do-not-need-to-keep-it-around.patch @@ -0,0 +1,110 @@ +From a1c3ba0fbbafc8f9a4dcb64fdee55fe2f8eef3be Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Mon, 11 Jul 2022 17:37:13 -0400 +Subject: krb5_cc_store_cred takes custody of my_creds so we do + not need to keep it around + +--- + audisp/plugins/remote/audisp-remote.c | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c +index eda8c4e..78c3eca 100644 +--- a/audisp/plugins/remote/audisp-remote.c ++++ b/audisp/plugins/remote/audisp-remote.c +@@ -765,7 +765,6 @@ static krb5_context kcontext = NULL; + static char *realm_name = NULL; + static krb5_principal audit_princ; + static krb5_ccache ccache = NULL; +-static krb5_creds my_creds; + static krb5_get_init_creds_opt options; + static krb5_keytab keytab = NULL; + +@@ -790,6 +789,7 @@ static int negotiate_credentials (void) + we use Kerberos calls here. */ + + int krberr; ++ krb5_creds my_creds; + const char *krb5_client_name; + char *slashptr; + char host_name[255]; +@@ -897,14 +897,14 @@ static int negotiate_credentials (void) + krberr = krb5_cc_initialize(kcontext, ccache, audit_princ); + if (krberr) { + KLOG (krberr, "krb5_cc_initialize"); +- goto error6; ++ goto error5; + } + + /* ...and store our credentials in it. */ + krberr = krb5_cc_store_cred(kcontext, ccache, &my_creds); + if (krberr) { + KLOG (krberr, "krb5_cc_store_cred"); +- goto error6; ++ goto error5; + } + + /* The GSS code now has a set of credentials for this program. +@@ -928,13 +928,13 @@ static int negotiate_credentials (void) + (gss_OID) gss_nt_service_name, &service_name_e); + if (major_status != GSS_S_COMPLETE) { + gss_failure("importing name", major_status, minor_status); +- goto error6; ++ goto error5; + } + + /* Someone has to go first. In this case, it's us. */ + if (send_token(sock, empty_token) < 0) { + (void) gss_release_name(&minor_status, &service_name_e); +- goto error6; ++ goto error5; + } + + /* The server starts this loop with the token we just sent +@@ -961,7 +961,7 @@ static int negotiate_credentials (void) + &send_tok); + (void) gss_release_name(&minor_status, + &service_name_e); +- goto error6; ++ goto error5; + } + } + (void) gss_release_buffer(&minor_status, &send_tok); +@@ -974,7 +974,7 @@ static int negotiate_credentials (void) + if (*gss_context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&minor_status, + gss_context, GSS_C_NO_BUFFER); +- goto error6; ++ goto error5; + } + + /* Now get any tokens the sever sends back. We use +@@ -983,7 +983,7 @@ static int negotiate_credentials (void) + if (recv_token(sock, &recv_tok) < 0) { + (void) gss_release_name(&minor_status, + &service_name_e); +- goto error6; ++ goto error5; + } + token_ptr = &recv_tok; + } +@@ -1011,8 +1011,6 @@ static int negotiate_credentials (void) + #endif + return 0; + +-error6: +- krb5_free_creds(kcontext, &my_creds); + error5: + krb5_cc_close(kcontext, ccache); + ccache = NULL; +@@ -1040,7 +1038,6 @@ static int stop_sock(void) + gss_delete_sec_context(&minor_status, &my_context, + GSS_C_NO_BUFFER); + my_context = GSS_C_NO_CONTEXT; +- krb5_free_creds(kcontext, &my_creds); + krb5_cc_close(kcontext, ccache); + ccache = NULL; + krb5_kt_close(kcontext, keytab); +-- +2.27.0 + diff --git a/backport-time_t-is-not-an-int-anymore.patch b/backport-time_t-is-not-an-int-anymore.patch new file mode 100644 index 0000000000000000000000000000000000000000..00ee8bc1dfd3406bc9840b27e9bb0ff39091b163 --- /dev/null +++ b/backport-time_t-is-not-an-int-anymore.patch @@ -0,0 +1,25 @@ +From 5023b59ac710a25fe30e689aaf0af38a4b7ea3f1 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Mon, 11 Jul 2022 17:03:45 -0400 +Subject: time_t is not an int anymore + +--- + tools/aulast/aulast.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/aulast/aulast.c b/tools/aulast/aulast.c +index 8a25f3b..cf9be60 100644 +--- a/tools/aulast/aulast.c ++++ b/tools/aulast/aulast.c +@@ -408,7 +408,7 @@ static void update_session_logout(auparse_state_t *au) + static void process_bootup(auparse_state_t *au) + { + lnode *cur; +- int start; ++ time_t start; + + // See if we have unclosed boot up and make into CRASH record + list_first(&l); +-- +2.27.0 +