packages/audit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport some patch for audit

Browse Source
This commit is contained in:
huangzq6 2022-12-28 10:53:05 +08:00
parent 9d2a8d8892
commit 215a896d41
10 changed files with 658 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
audit.spec
View File

@ -2,7 +2,7 @@ Summary: User space tools for kernel auditing
Name: audit
Epoch: 1
Version: 3.0.1
Release: 6
Release: 7
License: GPLv2+ and LGPLv2+
URL: https://people.redhat.com/sgrubb/audit/
Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@ -33,6 +33,15 @@ Patch21: backport-auditd.service-Restart-on-failure-ignoring-some-exit.p
Patch22: backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch
Patch23: backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch
Patch24: audit-Add-sw64-architecture.patch
Patch25: backport-In-auditd-release-the-async-flush-lock-on-stop.patch
Patch26: backport-auditd-cleanup-krb5-memory-leaks-on-error-paths.patch
Patch27: backport-audisp-remote-cleanup-krb5-memory-leaks-on-error-paths.patch
Patch28: backport-Final-kerberos-leak-fixups.patch
Patch29: backport-time_t-is-not-an-int-anymore.patch
Patch30: backport-krb5_cc_store_cred-takes-custody-of-my_creds-so-we-do-not-need-to-keep-it-around.patch
Patch31: backport-asprintf-can-return-a-negative-number.patch
Patch32: backport-Cleanup-gssapi-code.patch
Patch33: backport-Fix-another-krb5-memory-leak.patch
BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29
BuildRequires: openldap-devel krb5-devel libcap-ng-devel
@ -370,7 +379,10 @@ fi
%attr(644,root,root) %{_mandir}/man8/*.8.gz
%changelog
* Sat Dec 17 2022 fangxiuning <fangxiuning@huawei.com> - 3.0.1-6
* Wed Dec 28 2022 huangzq6 <huangzhenqiang2@huawei.com> - 1:3.0.1-7
- backport some patches for audit
* Sat Dec 17 2022 fangxiuning <fangxiuning@huawei.com> - 1:3.0.1-6
- Move autoreconf to build
* Mon Nov 14 2022 wuzx<wuzx1226@qq.com> - 3.0.1-5

67
backport-Cleanup-gssapi-code.patch Normal file
View File

@ -0,0 +1,67 @@
From ff0b0a11497fe9360e3aaa448c8744955f8c0fc9 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Fri, 15 Jul 2022 16:09:10 -0400
Subject: Cleanup gssapi code
---
src/auditd-listen.c | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/src/auditd-listen.c b/src/auditd-listen.c
index 34a142a..61a3480 100644
--- a/src/auditd-listen.c
+++ b/src/auditd-listen.c
@@ -414,10 +414,9 @@ static int negotiate_credentials(ev_tcp *io)
GSS_C_NO_CHANNEL_BINDINGS, &client,
NULL, &send_tok, &sess_flags,
NULL, NULL);
- if (recv_tok.value) {
- free(recv_tok.value);
- recv_tok.value = NULL;
- }
+ if (recv_tok.value)
+ gss_release_buffer(&min_stat, &recv_tok);
+
if (maj_stat != GSS_S_COMPLETE
&& maj_stat != GSS_S_CONTINUE_NEEDED) {
gss_release_buffer(&min_stat, &send_tok);
@@ -441,6 +440,7 @@ static int negotiate_credentials(ev_tcp *io)
if (*context != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&min_stat,
context, GSS_C_NO_BUFFER);
+ gss_release_name(&min_stat, &client);
return -1;
}
gss_release_buffer(&min_stat, &send_tok);
@@ -455,14 +455,22 @@ static int negotiate_credentials(ev_tcp *io)
return -1;
}
- audit_msg(LOG_INFO, "GSS-API Accepted connection from: %s",
- (char *)recv_tok.value);
- io->remote_name = strdup(recv_tok.value);
- io->remote_name_len = strlen(recv_tok.value);
+ if (asprintf(&io->remote_name, "%.*s", (int)recv_tok.length,
+ (char *)recv_tok.value) < 0) {
+ io->remote_name = strdup("?");
+ io->remote_name_len = 1;
+ } else
+ io->remote_name_len = recv_tok.length;
+
+ audit_msg(LOG_INFO, "GSS-API Accepted connection from: %s",
+ io->remote_name);
gss_release_buffer(&min_stat, &recv_tok);
- slashptr = strchr(io->remote_name, '/');
- atptr = strchr(io->remote_name, '@');
+ if (io->remote_name) {
+ slashptr = strchr(io->remote_name, '/');
+ atptr = strchr(io->remote_name, '@');
+ } else
+ slashptr = NULL;
if (!slashptr || !atptr) {
audit_msg(LOG_ERR, "Invalid GSS name from remote client: %s",
--
2.27.0

122
backport-Final-kerberos-leak-fixups.patch Normal file
View File

@ -0,0 +1,122 @@
From 7bda187f92424bf4891eb22f1877808ca5eb059a Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Mon, 11 Jul 2022 17:03:09 -0400
Subject: Final kerberos leak fixups
---
audisp/plugins/remote/audisp-remote.c | 34 ++++++++++++++++++++-------
src/auditd-listen.c | 6 +++--
2 files changed, 29 insertions(+), 11 deletions(-)
diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
index 3b9d8f0..eda8c4e 100644
--- a/audisp/plugins/remote/audisp-remote.c
+++ b/audisp/plugins/remote/audisp-remote.c
@@ -757,8 +757,17 @@ static void gss_failure (const char *msg, int major_status, int minor_status)
gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE);
}
-#define KLOG(x,f) syslog (LOG_ERR, "krb5 error: %s in %s\n", \
- krb5_get_error_message (kcontext, x), f);
+#define KLOG(x,f) { \
+ const char *kstr = krb5_get_error_message(kcontext, x); \
+ syslog (LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \
+ krb5_free_error_message(kcontext, kstr); }
+static krb5_context kcontext = NULL;
+static char *realm_name = NULL;
+static krb5_principal audit_princ;
+static krb5_ccache ccache = NULL;
+static krb5_creds my_creds;
+static krb5_get_init_creds_opt options;
+static krb5_keytab keytab = NULL;
/* Each time we connect to the server, we negotiate a set of credentials and
a security context. To do this, we need our own credentials first. For
@@ -781,13 +790,6 @@ static int negotiate_credentials (void)
we use Kerberos calls here. */
int krberr;
- krb5_context kcontext = NULL;
- char *realm_name;
- krb5_principal audit_princ;
- krb5_ccache ccache = NULL;
- krb5_creds my_creds;
- krb5_get_init_creds_opt options;
- krb5_keytab keytab = NULL;
const char *krb5_client_name;
char *slashptr;
char host_name[255];
@@ -1013,14 +1015,18 @@ error6:
krb5_free_creds(kcontext, &my_creds);
error5:
krb5_cc_close(kcontext, ccache);
+ ccache = NULL;
error4:
krb5_kt_close(kcontext, keytab);
+ keytab = NULL;
error3:
krb5_free_principal(kcontext, audit_princ);
error2:
krb5_free_default_realm(kcontext, realm_name);
+ realm_name = NULL;
error1:
krb5_free_context(kcontext);
+ kcontext = NULL;
return -1;
}
#endif // USE_GSSAPI
@@ -1034,6 +1040,16 @@ static int stop_sock(void)
gss_delete_sec_context(&minor_status, &my_context,
GSS_C_NO_BUFFER);
my_context = GSS_C_NO_CONTEXT;
+ krb5_free_creds(kcontext, &my_creds);
+ krb5_cc_close(kcontext, ccache);
+ ccache = NULL;
+ krb5_kt_close(kcontext, keytab);
+ keytab = NULL;
+ krb5_free_principal(kcontext, audit_princ);
+ krb5_free_default_realm(kcontext, realm_name);
+ realm_name = NULL;
+ krb5_free_context(kcontext);
+ kcontext = NULL;
}
#endif
shutdown(sock, SHUT_RDWR);
diff --git a/src/auditd-listen.c b/src/auditd-listen.c
index c8cae38..34a142a 100644
--- a/src/auditd-listen.c
+++ b/src/auditd-listen.c
@@ -325,11 +325,12 @@ static void gss_failure(const char *msg, int major_status, int minor_status)
const char *kstr = krb5_get_error_message(kcontext, x); \
audit_msg(LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \
krb5_free_error_message(kcontext, kstr); \
- krb5_free_context(k); \
+ krb5_free_context(k); k = NULL; \
return -1; }
/* These are our private credentials, which come from a key file on
our server. They are aquired once, at program start. */
+static krb5_context kcontext = NULL;
static int server_acquire_creds(const char *service_name,
gss_cred_id_t *lserver_creds)
{
@@ -337,7 +338,6 @@ static int server_acquire_creds(const char *service_name,
gss_name_t server_name;
OM_uint32 major_status, minor_status;
- krb5_context kcontext = NULL;
int krberr;
my_service_name = strdup(service_name);
@@ -1139,6 +1139,8 @@ void auditd_tcp_listen_uninit(struct ev_loop *loop, struct daemon_conf *config)
#ifdef USE_GSSAPI
if (USE_GSS) {
gss_release_cred(&status, &server_creds);
+ krb5_free_context(kcontext);
+ kcontext = NULL;
free(my_service_name);
my_service_name = NULL;
}
--
2.27.0

24
backport-Fix-another-krb5-memory-leak.patch Normal file
View File

@ -0,0 +1,24 @@
From e95722695a1d3dc6ac266af8871069da74471999 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Thu, 6 Oct 2022 13:34:15 -0400
Subject: Fix another krb5 memory leak
---
src/auditd-listen.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/auditd-listen.c b/src/auditd-listen.c
index 61a3480..171974c 100644
--- a/src/auditd-listen.c
+++ b/src/auditd-listen.c
@@ -358,6 +358,7 @@ static int server_acquire_creds(const char *service_name,
if (major_status != GSS_S_COMPLETE) {
gss_failure("acquiring credentials",
major_status, minor_status);
+ (void) gss_release_name(&minor_status, &server_name);
return -1;
}
--
2.27.0

29
backport-In-auditd-release-the-async-flush-lock-on-stop.patch Normal file
View File

@ -0,0 +1,29 @@
From f7df667ba76391ffd65a4ed45b2150bf9902b99d Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Wed, 30 Mar 2022 10:12:16 -0400
Subject: In auditd, release the async flush lock on stop
Conflict:delete changelog
---
src/auditd-event.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/auditd-event.c b/src/auditd-event.c
index e88ef6e..ed6e929 100644
--- a/src/auditd-event.c
+++ b/src/auditd-event.c
@@ -208,8 +208,10 @@ static void *flush_thread_main(void *arg)
// into a loop of fsyncs.
while (flush == 0) {
pthread_cond_wait(&do_flush, &flush_lock);
- if (stop)
+ if (stop) {
+ pthread_mutex_unlock(&flush_lock);
return NULL;
+ }
}
flush = 0;
pthread_mutex_unlock(&flush_lock);
--
2.27.0

25
backport-asprintf-can-return-a-negative-number.patch Normal file
View File

@ -0,0 +1,25 @@
From a75e42921997cab4cb9b2a01107441695239f764 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Mon, 11 Jul 2022 17:53:26 -0400
Subject: asprintf can return a negative number
---
audisp/audispd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/audisp/audispd.c b/audisp/audispd.c
index f20b38d..77cb7b2 100644
--- a/audisp/audispd.c
+++ b/audisp/audispd.c
@@ -484,7 +484,7 @@ static int event_loop(void)
while (stop == 0) {
event_t *e;
char *v, *ptr, unknown[32];
- unsigned int len;
+ int len;
lnode *conf;
/* This is where we block until we have an event */
--
2.27.0

200
backport-audisp-remote-cleanup-krb5-memory-leaks-on-error-paths.patch Normal file
View File

@ -0,0 +1,200 @@
From 09c62a6f4e4a6963a731d3018209b91dc6447f70 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Mon, 11 Jul 2022 14:21:04 -0400
Subject: audisp-remote - cleanup krb5 memory leaks on error
paths
Conflict:context adaptation
---
audisp/plugins/remote/audisp-remote.c | 75 ++++++++++++++++++++-------
1 file changed, 56 insertions(+), 19 deletions(-)
diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
index 3be91b3..3b9d8f0 100644
--- a/audisp/plugins/remote/audisp-remote.c
+++ b/audisp/plugins/remote/audisp-remote.c
@@ -757,9 +757,8 @@ static void gss_failure (const char *msg, int major_status, int minor_status)
gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE);
}
-#define KCHECK(x,f) if (x) { \
- syslog (LOG_ERR, "krb5 error: %s in %s\n", krb5_get_error_message (kcontext, x), f); \
- return -1; }
+#define KLOG(x,f) syslog (LOG_ERR, "krb5 error: %s in %s\n", \
+ krb5_get_error_message (kcontext, x), f);
/* Each time we connect to the server, we negotiate a set of credentials and
a security context. To do this, we need our own credentials first. For
@@ -800,7 +799,10 @@ static int negotiate_credentials (void)
recv_tok.value = NULL;
krberr = krb5_init_context (&kcontext);
- KCHECK (krberr, "krb5_init_context");
+ if (krberr) {
+ KLOG (krberr, "krb5_init_context");
+ return -1;
+ }
if (config.krb5_key_file)
key_file = config.krb5_key_file;
@@ -815,21 +817,24 @@ static int negotiate_credentials (void)
syslog (LOG_ERR,
"%s is not mode 0400 (it's %#o) - compromised key?",
key_file, st.st_mode & 07777);
- return -1;
+ goto error1;
}
if (st.st_uid != 0) {
if (!quiet)
syslog (LOG_ERR,
"%s is not owned by root (it's %d) - compromised key?",
key_file, st.st_uid);
- return -1;
+ goto error1;
}
}
/* This looks up the default real (*our* realm) from
/etc/krb5.conf (or wherever) */
krberr = krb5_get_default_realm (kcontext, &realm_name);
- KCHECK (krberr, "krb5_get_default_realm");
+ if (krberr) {
+ KLOG (krberr, "krb5_get_default_realm");
+ goto error1;
+ }
krb5_client_name = config.krb5_client_name ?
config.krb5_client_name : "auditd";
@@ -838,7 +843,7 @@ static int negotiate_credentials (void)
syslog (LOG_ERR,
"gethostname: host name longer than %ld characters?",
sizeof (host_name));
- return -1;
+ goto error2;
}
syslog (LOG_ERR, "kerberos principal: %s/%s@%s\n",
@@ -847,17 +852,26 @@ static int negotiate_credentials (void)
krberr = krb5_build_principal (kcontext, &audit_princ,
strlen(realm_name), realm_name,
krb5_client_name, host_name, NULL);
- KCHECK (krberr, "krb5_build_principal");
+ if (krberr) {
+ KLOG (krberr, "krb5_build_principal");
+ goto error2;
+ }
/* Locate our machine's key table, where our private key is
* held. */
krberr = krb5_kt_resolve (kcontext, key_file, &keytab);
- KCHECK (krberr, "krb5_kt_resolve");
+ if (krberr) {
+ KLOG (krberr, "krb5_kt_resolve");
+ goto error3;
+ }
/* Identify a cache to hold the key in. The GSS wrappers look
up our credentials here. */
krberr = krb5_cc_resolve (kcontext, CCACHE_NAME, &ccache);
- KCHECK (krberr, "krb5_cc_resolve");
+ if (krberr) {
+ KLOG (krberr, "krb5_cc_resolve");
+ goto error4;
+ }
setenv("KRB5CCNAME", CCACHE_NAME, 1);
@@ -872,15 +886,24 @@ static int negotiate_credentials (void)
krberr = krb5_get_init_creds_keytab(kcontext, &my_creds, audit_princ,
keytab, 0, NULL,
&options);
- KCHECK (krberr, "krb5_get_init_creds_keytab");
+ if (krberr) {
+ KLOG (krberr, "krb5_get_init_creds_keytab");
+ goto error5;
+ }
/* Create the cache... */
krberr = krb5_cc_initialize(kcontext, ccache, audit_princ);
- KCHECK (krberr, "krb5_cc_initialize");
+ if (krberr) {
+ KLOG (krberr, "krb5_cc_initialize");
+ goto error6;
+ }
/* ...and store our credentials in it. */
krberr = krb5_cc_store_cred(kcontext, ccache, &my_creds);
- KCHECK (krberr, "krb5_cc_store_cred");
+ if (krberr) {
+ KLOG (krberr, "krb5_cc_store_cred");
+ goto error6;
+ }
/* The GSS code now has a set of credentials for this program.
I.e. we know who "we" are. Now we talk to the server to
@@ -903,13 +926,13 @@ static int negotiate_credentials (void)
(gss_OID) gss_nt_service_name, &service_name_e);
if (major_status != GSS_S_COMPLETE) {
gss_failure("importing name", major_status, minor_status);
- return -1;
+ goto error6;
}
/* Someone has to go first. In this case, it's us. */
if (send_token(sock, empty_token) < 0) {
(void) gss_release_name(&minor_status, &service_name_e);
- return -1;
+ goto error6;
}
/* The server starts this loop with the token we just sent
@@ -936,7 +959,7 @@ static int negotiate_credentials (void)
&send_tok);
(void) gss_release_name(&minor_status,
&service_name_e);
- return -1;
+ goto error6;
}
}
(void) gss_release_buffer(&minor_status, &send_tok);
@@ -949,7 +972,7 @@ static int negotiate_credentials (void)
if (*gss_context != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&minor_status,
gss_context, GSS_C_NO_BUFFER);
- return -1;
+ goto error6;
}
/* Now get any tokens the sever sends back. We use
@@ -958,7 +981,7 @@ static int negotiate_credentials (void)
if (recv_token(sock, &recv_tok) < 0) {
(void) gss_release_name(&minor_status,
&service_name_e);
- return -1;
+ goto error6;
}
token_ptr = &recv_tok;
}
@@ -985,6 +1008,20 @@ static int negotiate_credentials (void)
(char *)recv_tok.value);
#endif
return 0;
+
+error6:
+ krb5_free_creds(kcontext, &my_creds);
+error5:
+ krb5_cc_close(kcontext, ccache);
+error4:
+ krb5_kt_close(kcontext, keytab);
+error3:
+ krb5_free_principal(kcontext, audit_princ);
+error2:
+ krb5_free_default_realm(kcontext, realm_name);
+error1:
+ krb5_free_context(kcontext);
+ return -1;
}
#endif // USE_GSSAPI
--
2.27.0

42
backport-auditd-cleanup-krb5-memory-leaks-on-error-paths.patch Normal file
View File

@ -0,0 +1,42 @@
From f0ce136497ea4f3e7f6e7b05283c1299e76251e7 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Mon, 11 Jul 2022 12:07:50 -0400
Subject: auditd - cleanup krb5 memory leaks on error paths
Conflict:delete changelog
---
src/auditd-listen.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/auditd-listen.c b/src/auditd-listen.c
index 5c433e7..c8cae38 100644
--- a/src/auditd-listen.c
+++ b/src/auditd-listen.c
@@ -321,10 +321,11 @@ static void gss_failure(const char *msg, int major_status, int minor_status)
gss_failure_2(msg, minor_status, GSS_C_MECH_CODE);
}
-#define KCHECK(x,f) if (x) { \
+#define KCHECK(x,f, k) if (x) { \
const char *kstr = krb5_get_error_message(kcontext, x); \
audit_msg(LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \
krb5_free_error_message(kcontext, kstr); \
+ krb5_free_context(k); \
return -1; }
/* These are our private credentials, which come from a key file on
@@ -363,9 +364,9 @@ static int server_acquire_creds(const char *service_name,
(void) gss_release_name(&minor_status, &server_name);
krberr = krb5_init_context(&kcontext);
- KCHECK (krberr, "krb5_init_context");
+ KCHECK (krberr, "krb5_init_context", kcontext);
krberr = krb5_get_default_realm(kcontext, &my_gss_realm);
- KCHECK (krberr, "krb5_get_default_realm");
+ KCHECK (krberr, "krb5_get_default_realm", kcontext);
audit_msg(LOG_DEBUG, "GSS creds for %s acquired", service_name);
--
2.27.0

110
backport-krb5_cc_store_cred-takes-custody-of-my_creds-so-we-do-not-need-to-keep-it-around.patch Normal file
View File

@ -0,0 +1,110 @@
From a1c3ba0fbbafc8f9a4dcb64fdee55fe2f8eef3be Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Mon, 11 Jul 2022 17:37:13 -0400
Subject: krb5_cc_store_cred takes custody of my_creds so we do
not need to keep it around
---
audisp/plugins/remote/audisp-remote.c | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
index eda8c4e..78c3eca 100644
--- a/audisp/plugins/remote/audisp-remote.c
+++ b/audisp/plugins/remote/audisp-remote.c
@@ -765,7 +765,6 @@ static krb5_context kcontext = NULL;
static char *realm_name = NULL;
static krb5_principal audit_princ;
static krb5_ccache ccache = NULL;
-static krb5_creds my_creds;
static krb5_get_init_creds_opt options;
static krb5_keytab keytab = NULL;
@@ -790,6 +789,7 @@ static int negotiate_credentials (void)
we use Kerberos calls here. */
int krberr;
+ krb5_creds my_creds;
const char *krb5_client_name;
char *slashptr;
char host_name[255];
@@ -897,14 +897,14 @@ static int negotiate_credentials (void)
krberr = krb5_cc_initialize(kcontext, ccache, audit_princ);
if (krberr) {
KLOG (krberr, "krb5_cc_initialize");
- goto error6;
+ goto error5;
}
/* ...and store our credentials in it. */
krberr = krb5_cc_store_cred(kcontext, ccache, &my_creds);
if (krberr) {
KLOG (krberr, "krb5_cc_store_cred");
- goto error6;
+ goto error5;
}
/* The GSS code now has a set of credentials for this program.
@@ -928,13 +928,13 @@ static int negotiate_credentials (void)
(gss_OID) gss_nt_service_name, &service_name_e);
if (major_status != GSS_S_COMPLETE) {
gss_failure("importing name", major_status, minor_status);
- goto error6;
+ goto error5;
}
/* Someone has to go first. In this case, it's us. */
if (send_token(sock, empty_token) < 0) {
(void) gss_release_name(&minor_status, &service_name_e);
- goto error6;
+ goto error5;
}
/* The server starts this loop with the token we just sent
@@ -961,7 +961,7 @@ static int negotiate_credentials (void)
&send_tok);
(void) gss_release_name(&minor_status,
&service_name_e);
- goto error6;
+ goto error5;
}
}
(void) gss_release_buffer(&minor_status, &send_tok);
@@ -974,7 +974,7 @@ static int negotiate_credentials (void)
if (*gss_context != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&minor_status,
gss_context, GSS_C_NO_BUFFER);
- goto error6;
+ goto error5;
}
/* Now get any tokens the sever sends back. We use
@@ -983,7 +983,7 @@ static int negotiate_credentials (void)
if (recv_token(sock, &recv_tok) < 0) {
(void) gss_release_name(&minor_status,
&service_name_e);
- goto error6;
+ goto error5;
}
token_ptr = &recv_tok;
}
@@ -1011,8 +1011,6 @@ static int negotiate_credentials (void)
#endif
return 0;
-error6:
- krb5_free_creds(kcontext, &my_creds);
error5:
krb5_cc_close(kcontext, ccache);
ccache = NULL;
@@ -1040,7 +1038,6 @@ static int stop_sock(void)
gss_delete_sec_context(&minor_status, &my_context,
GSS_C_NO_BUFFER);
my_context = GSS_C_NO_CONTEXT;
- krb5_free_creds(kcontext, &my_creds);
krb5_cc_close(kcontext, ccache);
ccache = NULL;
krb5_kt_close(kcontext, keytab);
--
2.27.0

25
backport-time_t-is-not-an-int-anymore.patch Normal file
View File

@ -0,0 +1,25 @@
From 5023b59ac710a25fe30e689aaf0af38a4b7ea3f1 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Mon, 11 Jul 2022 17:03:45 -0400
Subject: time_t is not an int anymore
---
tools/aulast/aulast.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/aulast/aulast.c b/tools/aulast/aulast.c
index 8a25f3b..cf9be60 100644
--- a/tools/aulast/aulast.c
+++ b/tools/aulast/aulast.c
@@ -408,7 +408,7 @@ static void update_session_logout(auparse_state_t *au)
static void process_bootup(auparse_state_t *au)
{
lnode *cur;
- int start;
+ time_t start;
// See if we have unclosed boot up and make into CRASH record
list_first(&l);
--
2.27.0