diff --git a/SOURCES/libtirpc-1.1.4-blacklist.patch b/SOURCES/libtirpc-1.1.4-blacklist.patch new file mode 100644 index 0000000..cc41a9e --- /dev/null +++ b/SOURCES/libtirpc-1.1.4-blacklist.patch @@ -0,0 +1,15 @@ +diff -up libtirpc-1.1.4/doc/bindresvport.blacklist.save libtirpc-1.1.4/doc/bindresvport.blacklist +--- libtirpc-1.1.4/doc/bindresvport.blacklist.save 2021-04-17 13:04:20.092274589 -0400 ++++ libtirpc-1.1.4/doc/bindresvport.blacklist 2021-04-17 13:04:45.609945925 -0400 +@@ -8,6 +8,11 @@ + 631 # cups + 636 # ldaps + 664 # Secure ASF, used by IPMI on some cards ++749 # Kerberos V kadmin ++774 # rpasswd ++873 # rsyncd + 921 # lwresd ++992 # SSL-enabled telnet + 993 # imaps ++994 # irc + 995 # pops diff --git a/SOURCES/libtirpc-1.1.4-disallow-auth_refresh.patch b/SOURCES/libtirpc-1.1.4-disallow-auth_refresh.patch new file mode 100644 index 0000000..edf7466 --- /dev/null +++ b/SOURCES/libtirpc-1.1.4-disallow-auth_refresh.patch @@ -0,0 +1,76 @@ +diff -up libtirpc-1.1.4/src/auth_gss.c.orig libtirpc-1.1.4/src/auth_gss.c +--- libtirpc-1.1.4/src/auth_gss.c.orig 2021-04-17 13:11:03.229880600 -0400 ++++ libtirpc-1.1.4/src/auth_gss.c 2021-04-17 13:15:10.722391798 -0400 +@@ -982,3 +982,9 @@ rpc_gss_max_data_length(AUTH *auth, int + rpc_gss_clear_error(); + return result; + } ++ ++bool_t ++is_authgss_client(CLIENT *clnt) ++{ ++ return (clnt->cl_auth->ah_ops == &authgss_ops); ++} +diff -up libtirpc-1.1.4/src/clnt_dg.c.orig libtirpc-1.1.4/src/clnt_dg.c +--- libtirpc-1.1.4/src/clnt_dg.c.orig 2018-08-27 10:06:49.000000000 -0400 ++++ libtirpc-1.1.4/src/clnt_dg.c 2021-04-17 13:15:10.722391798 -0400 +@@ -60,6 +60,9 @@ + #include + #endif + ++#ifdef HAVE_RPCSEC_GSS ++#include ++#endif + + #define MAX_DEFAULT_FDS 20000 + +@@ -356,6 +359,11 @@ clnt_dg_call(cl, proc, xargs, argsp, xre + salen = cu->cu_rlen; + } + ++#ifdef HAVE_RPCSEC_GSS ++ if (is_authgss_client(cl)) ++ nrefreshes = 0; ++#endif ++ + /* Clean up in case the last call ended in a longjmp(3) call. */ + call_again: + xdrs = &(cu->cu_outxdrs); +diff -up libtirpc-1.1.4/src/clnt_vc.c.orig libtirpc-1.1.4/src/clnt_vc.c +--- libtirpc-1.1.4/src/clnt_vc.c.orig 2018-08-27 10:06:49.000000000 -0400 ++++ libtirpc-1.1.4/src/clnt_vc.c 2021-04-17 13:15:10.723391824 -0400 +@@ -68,6 +68,10 @@ + #include + #include "rpc_com.h" + ++#ifdef HAVE_RPCSEC_GSS ++#include ++#endif ++ + #define MCALL_MSG_SIZE 24 + + #define CMGROUP_MAX 16 +@@ -380,6 +384,11 @@ clnt_vc_call(cl, proc, xdr_args, args_pt + (xdr_results == NULL && timeout.tv_sec == 0 + && timeout.tv_usec == 0) ? FALSE : TRUE; + ++#ifdef HAVE_RPCSEC_GSS ++ if (is_authgss_client(cl)) ++ refreshes = 0; ++#endif ++ + call_again: + xdrs->x_op = XDR_ENCODE; + ct->ct_error.re_status = RPC_SUCCESS; +diff -up libtirpc-1.1.4/tirpc/rpc/auth_gss.h.orig libtirpc-1.1.4/tirpc/rpc/auth_gss.h +--- libtirpc-1.1.4/tirpc/rpc/auth_gss.h.orig 2018-08-27 10:06:49.000000000 -0400 ++++ libtirpc-1.1.4/tirpc/rpc/auth_gss.h 2021-04-17 13:15:10.723391824 -0400 +@@ -120,6 +120,8 @@ void gss_log_debug (const char *fmt, .. + void gss_log_status (char *m, OM_uint32 major, OM_uint32 minor); + void gss_log_hexdump (const u_char *buf, int len, int offset); + ++bool_t is_authgss_client (CLIENT *); ++ + #ifdef __cplusplus + } + #endif diff --git a/SPECS/libtirpc.spec b/SPECS/libtirpc.spec index 305ac5b..259fee5 100644 --- a/SPECS/libtirpc.spec +++ b/SPECS/libtirpc.spec @@ -2,7 +2,7 @@ Name: libtirpc Version: 1.1.4 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Transport Independent RPC Library Group: System Environment/Libraries License: SISSL and BSD @@ -23,6 +23,14 @@ Patch002: libtirpc-1.1.4-dup_ncp-bad-free.patch # bz 1641875 Patch003: libtirpc-1.1.4-fix-EOF-non-block.patch +# +# RHEL 8.5 +# +# bz 1854147 +Patch004: libtirpc-1.1.4-blacklist.patch +# bz 1934866 +Patch005: libtirpc-1.1.4-disallow-auth_refresh.patch + BuildRequires: automake, autoconf, libtool, pkgconfig BuildRequires: krb5-devel @@ -142,6 +150,10 @@ mv %{buildroot}%{_mandir}/man3 %{buildroot}%{_mandir}/man3t %{_mandir}/*/* %changelog +* Sat Apr 17 2021 Steve Dickson 1.1.4-5 +- blacklist: Add a few more well known ports (bz 1854147) +- Disallow calling auth_refresh from clnt_call with RPCSEC_GSS (bz 1934866) + * Wed Jul 24 2019 Steve Dickson 1.1.4-4 - Enable gating using reverse dependency testing of nfs-utils (bz 1681965) - Updated the URL (bz 1638671)