backport patches from upstream

Signed-off-by: xuraoqing <xuraoqing@huawei.com>

backport-Remove-klist-s-defname-global-variable.patch

@@ -0,0 +1,73 @@
+From 5b00197227231943bd2305328c8260dd0b0dbcf0 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Mon, 8 Jan 2024 16:52:27 +0100
+Subject: [PATCH] Remove klist's defname global variable
+
+Addition of a "cleanup" section in kinit's show_ccache() function as
+part of commit 6c5471176f5266564fbc8a7e02f03b4b042202f8 introduced a
+double-free bug, because defname is a global variable.  After the
+first call, successive calls may take place with a dangling pointer in
+defname, which will be freed if krb5_cc_get_principal() fails.
+
+Convert "defname" to a local variable initialized at the beginning of
+show_ccache().
+
+[ghudson@mit.edu: edited commit message]
+
+Reference:https://github.com/krb5/krb5/commit/5b00197227231943bd2305328c8260dd0b0dbcf0
+Conflict:NA
+
+---
+ src/clients/klist/klist.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
+index b5ae96a84..b5808e5c9 100644
+--- a/src/clients/klist/klist.c
++++ b/src/clients/klist/klist.c
+@@ -53,7 +53,6 @@ int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0;
+ int show_etype = 0, show_addresses = 0, no_resolve = 0, print_version = 0;
+ int show_adtype = 0, show_all = 0, list_all = 0, use_client_keytab = 0;
+ int show_config = 0;
+-char *defname;
+ char *progname;
+ krb5_timestamp now;
+ unsigned int timestamp_width;
+@@ -62,7 +61,7 @@ krb5_context context;
+ 
+ static krb5_boolean is_local_tgt(krb5_principal princ, krb5_data *realm);
+ static char *etype_string(krb5_enctype );
+-static void show_credential(krb5_creds *);
++static void show_credential(krb5_creds *, const char *);
+ 
+ static void list_all_ccaches(void);
+ static int list_ccache(krb5_ccache);
+@@ -473,6 +472,7 @@ show_ccache(krb5_ccache cache)
+     krb5_creds creds;
+     krb5_principal princ = NULL;
+     krb5_error_code ret;
++    char *defname = NULL;
+     int status = 1;
+ 
+     ret = krb5_cc_get_principal(context, cache, &princ);
+@@ -503,7 +503,7 @@ show_ccache(krb5_ccache cache)
+     }
+     while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
+         if (show_config || !krb5_is_config_principal(context, creds.server))
+-            show_credential(&creds);
++            show_credential(&creds, defname);
+         krb5_free_cred_contents(context, &creds);
+     }
+     if (ret == KRB5_CC_END) {
+@@ -676,7 +676,7 @@ print_config_data(int col, krb5_data *data)
+ }
+ 
+ static void
+-show_credential(krb5_creds *cred)
++show_credential(krb5_creds *cred, const char *defname)
+ {
+     krb5_error_code ret;
+     krb5_ticket *tkt = NULL;
+-- 
+2.33.0
+

krb5.spec

@@ -3,7 +3,7 @@
 
 Name:     krb5
 Version:  1.19.2
-Release:  14
+Release:  15
 Summary:  The Kerberos network authentication protocol
 License:  MIT
 URL:      http://web.mit.edu/kerberos/www/
@@ -46,6 +46,7 @@ Patch22: backport-Add-and-use-ts_interval-helper.patch
 Patch23: backport-Avoid-small-read-overrun-in-UTF8-normalization.patch
 Patch24: backport-Use-memmove-in-Unicode-functions.patch
 Patch25: backport-In-PKINIT-check-for-null-PKCS7-enveloped-fields.patch
+Patch26: backport-Remove-klist-s-defname-global-variable.patch
 
 BuildRequires:  gettext
 BuildRequires:  gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@@ -338,6 +339,9 @@ make -C src check || :
 
 
 %changelog
+* Tue Mar 19 2024 xuraoqing <xuraoqing@huawei.com> - 1.19.2-15
+- backport patches from upstream
+
 * Thu Jan 25 2024 zhangruifang <zhangruifang1@h-partners.com> - 1.19.2-14
 - Backport patches from upstream community