diff --git a/SOURCES/Change-impersonator-check-code.patch b/SOURCES/Change-impersonator-check-code.patch
index 27cf421..4cc5de9 100644
--- a/SOURCES/Change-impersonator-check-code.patch
+++ b/SOURCES/Change-impersonator-check-code.patch
@@ -13,8 +13,8 @@ Merges: #172
(cherry picked from commit 73b50c0b2799f0aed53337a6516b8e1a27279ebf)
---
proxy/configure.ac | 3 +
- proxy/src/gp_creds.c | 147 ++++++++++++++++++++++++++++++++-----------
- 2 files changed, 112 insertions(+), 38 deletions(-)
+ proxy/src/gp_creds.c | 145 ++++++++++++++++++++++++++++++++-----------
+ 2 files changed, 111 insertions(+), 37 deletions(-)
diff --git a/proxy/configure.ac b/proxy/configure.ac
index 63c0edf..c52dbb6 100644
@@ -74,8 +74,12 @@ index 171a724..95a1c48 100644
goto done;
}
-+ err = krb5_cc_get_config(context, ccache, NULL, "proxy_impersonator",
-+ &config);
+- /* if we find an impersonator entry we bail as that is not authorized,
+- * if it were then gpcall->service->allow_const_deleg would have caused
+- * the ealier check to return GSS_S_COMPLETE already */
+ err = krb5_cc_get_config(context, ccache, NULL, "proxy_impersonator",
+ &config);
+- if (!err) {
+ if (err == 0) {
+ *impersonator = strndup(config.data, config.length);
+ if (!*impersonator) {
@@ -85,10 +89,14 @@ index 171a724..95a1c48 100644
+ ret_min = 0;
+ ret_maj = GSS_S_COMPLETE;
+ }
-+ krb5_free_data_contents(context, &config);
+ krb5_free_data_contents(context, &config);
+- ret_min = 0;
+- ret_maj = GSS_S_UNAUTHORIZED;
+- } else if (err != KRB5_CC_NOTFOUND) {
+ } else {
-+ ret_min = err;
-+ ret_maj = GSS_S_FAILURE;
+ ret_min = err;
+ ret_maj = GSS_S_FAILURE;
+- } else {
+ }
+
+done:
@@ -178,22 +186,13 @@ index 171a724..95a1c48 100644
+ ret_maj = get_impersonator_name(&ret_min, cred, &impersonator);
+ if (ret_maj) goto done;
+
- /* if we find an impersonator entry we bail as that is not authorized,
- * if it were then gpcall->service->allow_const_deleg would have caused
- * the ealier check to return GSS_S_COMPLETE already */
-- err = krb5_cc_get_config(context, ccache, NULL, "proxy_impersonator",
-- &config);
-- if (!err) {
-- krb5_free_data_contents(context, &config);
++ /* if we find an impersonator entry we bail as that is not authorized,
++ * if it were then gpcall->service->allow_const_deleg would have caused
++ * the ealier check to return GSS_S_COMPLETE already */
+ if (impersonator != NULL) {
ret_min = 0;
- ret_maj = GSS_S_UNAUTHORIZED;
-- } else if (err != KRB5_CC_NOTFOUND) {
-- ret_min = err;
-- ret_maj = GSS_S_FAILURE;
-- } else {
-- ret_min = 0;
- ret_maj = GSS_S_COMPLETE;
++ ret_maj = GSS_S_UNAUTHORIZED;
}
done:
diff --git a/SOURCES/Fix-double-free-of-popt-context-when-querying-versio.patch b/SOURCES/Fix-double-free-of-popt-context-when-querying-versio.patch
new file mode 100644
index 0000000..5837abd
--- /dev/null
+++ b/SOURCES/Fix-double-free-of-popt-context-when-querying-versio.patch
@@ -0,0 +1,28 @@
+From 3203f956cd77c43b6432b01d2d82950e9dac3580 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Thu, 24 Aug 2017 15:13:52 -0400
+Subject: [PATCH] Fix double free of popt context when querying version
+
+This is a non-exploitable, cosmetic issue which causes a segfault (in
+some cases) rather than a clean exit of the program.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+Reviewed-by: Simo Sorce <simo@redhat.com>
+Merges: #209
+(cherry picked from commit 6ef4eb72bef742ed1ebb2824df5a600819e19666)
+---
+ proxy/src/gssproxy.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/proxy/src/gssproxy.c b/proxy/src/gssproxy.c
+index 3b6a16e..3221615 100644
+--- a/proxy/src/gssproxy.c
++++ b/proxy/src/gssproxy.c
+@@ -202,7 +202,6 @@ int main(int argc, const char *argv[])
+
+ if (opt_version) {
+ puts(VERSION""DISTRO_VERSION""PRERELEASE_VERSION);
+- poptFreeContext(pc);
+ ret = 0;
+ goto cleanup;
+ }
diff --git a/SOURCES/Properly-locate-credentials-in-collection-caches-in-.patch b/SOURCES/Properly-locate-credentials-in-collection-caches-in-.patch
index f1099e8..ff32fb0 100644
--- a/SOURCES/Properly-locate-credentials-in-collection-caches-in-.patch
+++ b/SOURCES/Properly-locate-credentials-in-collection-caches-in-.patch
@@ -11,9 +11,9 @@ Reviewed-by: Simo Sorce <simo@redhat.com>
Merges: #221
(cherry picked from commit 670240a6cd4d5e2ecf13e481621098693cdbaa89)
---
- proxy/src/mechglue/gpp_creds.c | 81 +++++++++++++++++++++++----------
+ proxy/src/mechglue/gpp_creds.c | 77 ++++++++++++++++++++++++---------
proxy/src/mechglue/gss_plugin.h | 2 +-
- 2 files changed, 59 insertions(+), 24 deletions(-)
+ 2 files changed, 57 insertions(+), 22 deletions(-)
diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
index 3ebd726..187ada7 100644
@@ -86,21 +86,19 @@ index 3ebd726..187ada7 100644
* principal name, they are blackholed. We either have to change the
* name (at which point the file grows forever) or flash the cache on
* every update. */
-- ret = krb5_cc_initialize(ctx, ccache, cred.client);
-- if (ret != 0) {
+ ret = krb5_cc_default(ctx, &ccache);
+ if (ret)
- goto done;
-- }
++ goto done;
+
-+ ret = krb5_cc_initialize(ctx, ccache, cred.client);
+ ret = krb5_cc_initialize(ctx, ccache, cred.client);
+- if (ret != 0) {
+ if (ret != 0)
+ goto done;
+
+ ret = krb5_cc_store_cred(ctx, ccache, &cred);
+ goto done;
- }
-
++ }
++
+ ret = krb5_cc_cache_match(ctx, cred.client, &ccache);
+ if (ret == KRB5_CC_NOTFOUND) {
+ /* A new ccache within the collection whose name is based off the
@@ -113,15 +111,15 @@ index 3ebd726..187ada7 100644
+ cc_type = strndup(cc_name, p - cc_name);
+ if (!cc_type) {
+ ret = ENOMEM;
-+ goto done;
-+ }
+ goto done;
+ }
+
+ ret = krb5_cc_new_unique(ctx, cc_type, NULL, &ccache);
+ free(cc_type);
-+ }
+ }
+ if (ret)
+ goto done;
-+
+
ret = krb5_cc_store_cred(ctx, ccache, &cred);
+ if (ret)
+ goto done;
diff --git a/SOURCES/Update-docs-to-reflect-actual-behavior-of-krb5_princ.patch b/SOURCES/Update-docs-to-reflect-actual-behavior-of-krb5_princ.patch
new file mode 100644
index 0000000..a94074d
--- /dev/null
+++ b/SOURCES/Update-docs-to-reflect-actual-behavior-of-krb5_princ.patch
@@ -0,0 +1,31 @@
+From c97c8e8b4a1db36a2658d1f054a33e830dbcfa7c Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 2 Oct 2018 14:52:18 -0400
+Subject: [PATCH] Update docs to reflect actual behavior of krb5_principal
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+Reviewed-by: Simo Sorce <simo@redhat.com>
+Merges: #235
+(cherry picked from commit ffb05b5eeb9aa818690e5eece5ab6d84cf8fc24b)
+---
+ proxy/man/gssproxy.conf.5.xml | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/proxy/man/gssproxy.conf.5.xml b/proxy/man/gssproxy.conf.5.xml
+index abb6745..7874c6e 100644
+--- a/proxy/man/gssproxy.conf.5.xml
++++ b/proxy/man/gssproxy.conf.5.xml
+@@ -307,7 +307,12 @@
+ <varlistentry>
+ <term>krb5_principal (string)</term>
+ <listitem>
+- <para>The krb5 principal to be used by this service.</para>
++ <para>
++ The krb5 principal to be used preferred for this
++ service, if one isn't requested by the
++ application. Note that this does not enforce use
++ of this specific name; it only sets a default.
++ </para>
+ <para>Default: krb5_principal = </para>
+ </listitem>
+ </varlistentry>
diff --git a/SPECS/gssproxy.spec b/SPECS/gssproxy.spec
index a667d8b..154df99 100644
--- a/SPECS/gssproxy.spec
+++ b/SPECS/gssproxy.spec
@@ -1,6 +1,6 @@
Name: gssproxy
Version: 0.7.0
-Release: 26%{?dist}
+Release: 28%{?dist}
Summary: GSSAPI Proxy
Group: System Environment/Libraries
@@ -61,6 +61,8 @@ Patch43: Handle-gss_import_cred-failure-when-importing-gssx-c.patch
Patch44: Include-length-when-using-krb5_c_decrypt.patch
Patch45: Change-the-way-we-handle-encrypted-buffers.patch
Patch46: Avoid-uninitialized-free-when-allocating-buffers.patch
+Patch47: Update-docs-to-reflect-actual-behavior-of-krb5_princ.patch
+Patch48: Fix-double-free-of-popt-context-when-querying-versio.patch
### Dependencies ###
@@ -153,6 +155,8 @@ A proxy for GSSAPI credential handling
%patch44 -p2 -b .Include-length-when-using-krb5_c_decrypt
%patch45 -p2 -b .Change-the-way-we-handle-encrypted-buffers
%patch46 -p2 -b .Avoid-uninitialized-free-when-allocating-buffers
+%patch47 -p2 -b .Update-docs-to-reflect-actual-behavior-of-krb5_princ
+%patch48 -p2 -b .Fix-double-free-of-popt-context-when-querying-versio
%build
autoreconf -f -i
@@ -215,6 +219,14 @@ rm -rf -- "%{buildroot}"
%changelog
+* Thu Sep 19 2019 Robbie Harwood <rharwood@redhat.com> 0.7.0-28
+- Fix double free of popt context when querying version
+- Resolves: #1752810
+
+* Mon Jul 22 2019 Robbie Harwood <rharwood@redhat.com> 0.7.0-27
+- Update docs to reflect actual behavior of krb5_principal
+- Resolves: #1553094
+
* Wed May 01 2019 Robbie Harwood <rharwood@redhat.com> 0.7.0-26
- Avoid uninitialized free when allocating buffers
- Resolves: #1699331