backport some patches

2023-02-21 09:17:17 +08:00 · 2023-02-21 09:17:17 +08:00 · e6a8e8a1bf
commit e6a8e8a1bf
parent b3dbd3097a
3 changed files with 101 additions and 1 deletions
--- a/audit.spec
+++ b/audit.spec
@ -4,7 +4,7 @@ Summary:            User space tools for kernel auditing
 Name:               audit
 Epoch:              1
 Version:            3.0
-Release:            6
+Release:            7
 License:            GPLv2+ and LGPLv2+
 URL:                https://people.redhat.com/sgrubb/audit/
 Source0:            https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@ -41,6 +41,8 @@ Patch27:            backport-audisp-remote-cleanup-krb5-memory-leaks-on-error-pa
 Patch28:            backport-Final-kerberos-leak-fixups.patch
 Patch29:            backport-time_t-is-not-an-int-anymore.patch
 Patch30:            backport-krb5_cc_store_cred-takes-custody-of-my_creds-so-we-do-not-need-to-keep-it-around.patch
+Patch31:            backport-asprintf-can-return-a-negative-number.patch
+Patch32:            backport-Cleanup-gssapi-code.patch

 BuildRequires:      gcc swig libtool systemd kernel-headers >= 2.6.29
 BuildRequires:      openldap-devel krb5-devel libcap-ng-devel
@ -395,6 +397,11 @@ fi
 %attr(644,root,root) %{_mandir}/man8/*.8.gz

 %changelog
+* Tue Feb 14 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 1:3.0-7
+- backport some patches
+  asprintf can return a negative number patch
+  Cleanup gssapi code
+
 * Tue Feb 14 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 1:3.0-6
 - backport some patches
  In auditd release the async flush lock on stop
--- a/backport-Cleanup-gssapi-code.patch
+++ b/backport-Cleanup-gssapi-code.patch
@ -0,0 +1,67 @@
+From ff0b0a11497fe9360e3aaa448c8744955f8c0fc9 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Fri, 15 Jul 2022 16:09:10 -0400
+Subject: Cleanup gssapi code
+
+---
+ src/auditd-listen.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/src/auditd-listen.c b/src/auditd-listen.c
+index 34a142a..61a3480 100644
+--- a/src/auditd-listen.c
+++ b/src/auditd-listen.c
+@@ -414,10 +414,9 @@ static int negotiate_credentials(ev_tcp *io)
+ 					GSS_C_NO_CHANNEL_BINDINGS, &client,
+ 					NULL, &send_tok, &sess_flags,
+ 					NULL, NULL);
+-		if (recv_tok.value) {
+-			free(recv_tok.value);
+-			recv_tok.value = NULL;
+-		}
+		if (recv_tok.value)
+			gss_release_buffer(&min_stat, &recv_tok);
+
+ 		if (maj_stat != GSS_S_COMPLETE
+ 		    && maj_stat != GSS_S_CONTINUE_NEEDED) {
+ 			gss_release_buffer(&min_stat, &send_tok);
+@@ -441,6 +440,7 @@ static int negotiate_credentials(ev_tcp *io)
+ 				if (*context != GSS_C_NO_CONTEXT)
+ 					gss_delete_sec_context(&min_stat,
+ 						context, GSS_C_NO_BUFFER);
+				gss_release_name(&min_stat, &client);
+ 				return -1;
+ 			}
+ 			gss_release_buffer(&min_stat, &send_tok);
+@@ -455,14 +455,22 @@ static int negotiate_credentials(ev_tcp *io)
+ 		return -1;
+ 	}
+ 
+-	audit_msg(LOG_INFO, "GSS-API Accepted connection from: %s",
+-		  (char *)recv_tok.value);
+-	io->remote_name = strdup(recv_tok.value);
+-	io->remote_name_len = strlen(recv_tok.value);
+	if (asprintf(&io->remote_name, "%.*s", (int)recv_tok.length,
+		    (char *)recv_tok.value) < 0) {
+		io->remote_name = strdup("?");
+		io->remote_name_len = 1;
+	} else
+		io->remote_name_len = recv_tok.length;
+
+	audit_msg(LOG_INFO, "GSS-API Accepted connection from: %s", 
+		  io->remote_name);
+ 	gss_release_buffer(&min_stat, &recv_tok);
+ 
+-	slashptr = strchr(io->remote_name, '/');
+-	atptr = strchr(io->remote_name, '@');
+	if (io->remote_name) {
+		slashptr = strchr(io->remote_name, '/');
+		atptr = strchr(io->remote_name, '@');
+	} else
+		slashptr = NULL;
+ 
+ 	if (!slashptr || !atptr) {
+ 		audit_msg(LOG_ERR, "Invalid GSS name from remote client: %s",
+-- 
+2.27.0
+
--- a/backport-asprintf-can-return-a-negative-number.patch
+++ b/backport-asprintf-can-return-a-negative-number.patch
@ -0,0 +1,26 @@
+From a75e42921997cab4cb9b2a01107441695239f764 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Mon, 11 Jul 2022 17:53:26 -0400
+Subject: asprintf can return a negative number
+
+Conflict:context adaptation
+---
+ audisp/audispd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/audisp/audispd.c b/audisp/audispd.c
+index f20b38d..77cb7b2 100644
+--- a/audisp/audispd.c
+++ b/audisp/audispd.c
+@@ -476,7 +476,7 @@ static int event_loop(void)
+ 		event_t *e;
+ 		const char *type;
+ 		char *v, *ptr, unknown[32];
+-		unsigned int len;
+		int len;
+ 		lnode *conf;
+ 
+ 		/* This is where we block until we have an event */
+-- 
+2.27.0
+