开源软件构建与测试

We truncated the diff of some files because they were too big. If you want to see the full diff for every file, click here.

Changes of Revision 2

_service:tar_scm:krb5.spec Changed

@@ -3,7 +3,7 @@
 
 Name:     krb5
 Version:  1.21.2
-Release:  5
+Release:  8
 Summary:  The Kerberos network authentication protocol
 License:  MIT
 URL:      http://web.mit.edu/kerberos/www/
@@ -32,6 +32,12 @@
 Patch9: backport-Remove-klist-s-defname-global-variable.patch
 Patch10: backport-Fix-two-unlikely-memory-leaks.patch
 Patch11: backport-Allow-modifications-of-empty-profiles.patch
+Patch12: fix-leak-in-KDC-NDR-encoding.patch
+Patch13: backport-Fix-more-non-prototype-functions.patch
+Patch14: backport-Fix-Python-regexp-literals.patch
+Patch15: backport-Handle-empty-initial-buffer-in-IAKERB-initiator.patch
+Patch16: backport-CVE-2024-37370-CVE-2024-37371-Fix-vulnerabilities-in-GSS-message-token-handling.patch
+Patch17: backport-Change-krb5_get_credentials-endtime-behavior.patch
 
 BuildRequires:  gettext
 BuildRequires:  gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@@ -330,6 +336,15 @@
 %{_mandir}/man8/*
 
 %changelog
+* Tue Jul 23 2024 zhangxingrong <zhangxingrong@uniontech.cn> - 1.21.2-8
+- Change krb5_get_credentials() endtime behavior
+
+* Thu Jul 4 2024 xuraoqing <xuraoqing@huawei.com> - 1.21.2-7
+- backport patches to fix bugs and CVE-2024-37370 CVE-2024-37371
+
+* Thu Jun 27 2024 yanshuai <yanshuai@kylinos.cn> - 1.21.2-6
+- Fix leak in KDC NDR encoding
+
 * Tue Jun 18 2024 gengqihu <gengqihu2@h-partners.com> - 1.21.2-5
 - backport patches from upstream

_service:tar_scm:backport-CVE-2024-37370-CVE-2024-37371-Fix-vulnerabilities-in-GSS-message-token-handling.patch Added

@@ -0,0 +1,536 @@
+From b0a2f8a5365f2eec3e27d78907de9f9d2c80505a Mon Sep 17 00:00:00 2001                 
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 14 Jun 2024 10:56:12 -0400
+Subject: PATCH Fix vulnerabilities in GSS message token handling
+
+In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(),
+verify the Extra Count field of CFX wrap tokens against the encrypted
+header.  Reported by Jacob Champion.
+
+In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext
+length too short to contain the encrypted header and extra count
+bytes.  Reported by Jacob Champion.
+
+In kg_unseal_iov_token(), separately track the header IOV length and
+complete token length when parsing the token's ASN.1 wrapper.  This
+fix contains modified versions of functions from k5-der.h and
+util_token.c; this duplication will be cleaned up in a future commit.
+
+CVE-2024-37370:
+
+In MIT krb5 release 1.3 and later, an attacker can modify the
+plaintext Extra Count field of a confidential GSS krb5 wrap token,
+causing the unwrapped token to appear truncated to the application.
+
+CVE-2024-37371:
+
+In MIT krb5 release 1.3 and later, an attacker can cause invalid
+memory reads by sending message tokens with invalid length fields.
+
+ticket: 9128 (new)
+tags: pullup
+target_version: 1.21-next
+
+Reference: https://github.com/krb5/krb5/commit/b0a2f8a5365f2eec3e27d78907de9f9d2c80505a
+Conflict: src/tests/gssapi/t_invalid.c
+
+---
+ src/lib/gssapi/krb5/k5sealv3.c    |   5 +
+ src/lib/gssapi/krb5/k5sealv3iov.c |   3 +-
+ src/lib/gssapi/krb5/k5unsealiov.c |  80 +++++++++-
+ src/tests/gssapi/t_invalid.c      | 233 +++++++++++++++++++++++++-----
+ 4 files changed, 275 insertions(+), 46 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
+index e881eee..d3210c1 100644
+--- a/src/lib/gssapi/krb5/k5sealv3.c
++++ b/src/lib/gssapi/krb5/k5sealv3.c
+@@ -400,10 +400,15 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr,
+             /* Don't use bodysize here!  Use the fact that
+                cipher.ciphertext.length has been adjusted to the
+                correct length.  */
++            if (plain.length < 16 + ec) {
++                free(plain.data);
++                goto defective;
++            }
+             althdr = (unsigned char *)plain.data + plain.length - 16;
+             if (load_16_be(althdr) != KG2_TOK_WRAP_MSG
+                 || althdr2 != ptr2
+                 || althdr3 != ptr3
++                || load_16_be(althdr+4) != ec
+                 || memcmp(althdr+8, ptr+8, 8)) {
+                 free(plain.data);
+                 goto defective;
+diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c
+index 333ee12..f8e90c3 100644
+--- a/src/lib/gssapi/krb5/k5sealv3iov.c
++++ b/src/lib/gssapi/krb5/k5sealv3iov.c
+@@ -402,9 +402,10 @@ gss_krb5int_unseal_v3_iov(krb5_context context,
+             if (load_16_be(althdr) != KG2_TOK_WRAP_MSG
+                 || althdr2 != ptr2
+                 || althdr3 != ptr3
++                || load_16_be(althdr + 4) != ec
+                 || memcmp(althdr + 8, ptr + 8, 8) != 0) {
+                 *minor_status = 0;
+-                return GSS_S_BAD_SIG;
++                return GSS_S_DEFECTIVE_TOKEN;
+             }
+         } else {
+             /* Verify checksum: note EC is checksum size here, not padding */
+diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
+index 3ce2a90..6a6585d 100644
+--- a/src/lib/gssapi/krb5/k5unsealiov.c
++++ b/src/lib/gssapi/krb5/k5unsealiov.c
+@@ -25,6 +25,7 @@
+  */
+ 
+ #include "k5-int.h"
++#include "k5-der.h"
+ #include "gssapiP_krb5.h"
+ 
+ static OM_uint32
+@@ -247,6 +248,73 @@ cleanup:
+     return retval;
+ }
+ 
++/* Similar to k5_der_get_value(), but output an unchecked content length
++ * instead of a k5input containing the contents. */
++static inline bool
++get_der_tag(struct k5input *in, uint8_t idbyte, size_t *len_out)
++{
++    uint8_t lenbyte, i;
++    size_t len;
++
++    /* Do nothing if in is empty or the next byte doesn't match idbyte. */
++    if (in->status || in->len == 0 || *in->ptr != idbyte)
++        return false;
++
++    /* Advance past the identifier byte and decode the length. */
++    (void)k5_input_get_byte(in);
++    lenbyte = k5_input_get_byte(in);
++    if (lenbyte < 128) {
++        len = lenbyte;
++    } else {
++        len = 0;
++        for (i = 0; i < (lenbyte & 0x7F); i++) {
++            if (len > (SIZE_MAX >> 8)) {
++                k5_input_set_status(in, EOVERFLOW);
++                return false;
++            }
++            len = (len << 8) | k5_input_get_byte(in);
++        }
++    }
++
++    if (in->status)
++        return false;
++
++    *len_out = len;
++    return true;
++}
++
++/*
++ * Similar to g_verify_token_header() without toktype or flags, but do not read
++ * more than *header_len bytes of ASN.1 wrapper, and on output set *header_len
++ * to the remaining number of header bytes.  Verify the outer DER tag's length
++ * against token_len, which may be larger (but not smaller) than *header_len.
++ */
++static gss_int32
++verify_detached_wrapper(const gss_OID_desc *mech, size_t *header_len,
++                        uint8_t **header_in, size_t token_len)
++{
++    struct k5input in, mech_der;
++    gss_OID_desc toid;
++    size_t len;
++
++    k5_input_init(&in, *header_in, *header_len);
++
++    if (get_der_tag(&in, 0x60, &len)) {
++        if (len != token_len - (in.ptr - *header_in))
++            return G_BAD_TOK_HEADER;
++        if (!k5_der_get_value(&in, 0x06, &mech_der))
++            return G_BAD_TOK_HEADER;
++        toid.elements = (uint8_t *)mech_der.ptr;
++        toid.length = mech_der.len;
++        if (!g_OID_equal(&toid, mech))
++            return G_WRONG_MECH;
++    }
++
++    *header_in = (uint8_t *)in.ptr;
++    *header_len = in.len;
++    return 0;
++}
++
+ /*
+  * Caller must provide TOKEN | DATA | PADDING | TRAILER, except
+  * for DCE in which case it can just provide TOKEN | DATA (must
+@@ -267,8 +335,7 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
+     gss_iov_buffer_t header;
+     gss_iov_buffer_t padding;
+     gss_iov_buffer_t trailer;
+-    size_t input_length;
+-    unsigned int bodysize;
++    size_t input_length, hlen;
+     int toktype2;
+ 
+     header = kg_locate_header_iov(iov, iov_count, toktype);
+@@ -298,15 +365,14 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
+             input_length += trailer->buffer.length;
+     }
+ 
+-    code = g_verify_token_header(ctx->mech_used,
+-                                 &bodysize, &ptr, -1,
+-                                 input_length, 0);
++    hlen = header->buffer.length;
++    code = verify_detached_wrapper(ctx->mech_used, &hlen, &ptr, input_length);
+     if (code != 0) {
+         *minor_status = code;
+         return GSS_S_DEFECTIVE_TOKEN;
+     }
+ 
+-    if (bodysize < 2) {
++    if (hlen < 2) {
+         *minor_status = (OM_uint32)G_BAD_TOK_HEADER;
+         return GSS_S_DEFECTIVE_TOKEN;
+     }
+@@ -314,7 +380,7 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
+     toktype2 = load_16_be(ptr);
+ 
+     ptr += 2;
+-    bodysize -= 2;

_service:tar_scm:backport-Change-krb5_get_credentials-endtime-behavior.patch Added

@@ -0,0 +1,77 @@
+From e68890329f8ab766f9b746351b5c7d2d18d8dd48 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Thu, 27 Jun 2024 07:25:21 -0400
+Subject: PATCH Change krb5_get_credentials() endtime behavior
+
+Historically, krb5_get_credentials() uses in_creds->times.endtime both
+as the TGS request endtime and as a cache lookup criterion.  These
+uses are in conflict; setting a TGS request endtime can only serve to
+limit the maximum lifetime of the issued ticket, while a cache lookup
+endtime restricts the minimum lifetime of an acceptable cached ticket.
+The likely outcome is to never use a cached ticket, leading to poor
+performance as we add an entry to the cache for each request.
+
+Change to the Heimdal behavior of using in_creds->times.endtime only
+as the TGS request endtime.
+
+ticket: 9132 (new)
+---
+ src/include/krb5/krb5.hin    |  8 ++++----
+ src/lib/krb5/krb/get_creds.c | 13 +++++--------
+ 2 files changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
+index 7c4fc10dd4..99b637872f 100644
+--- a/src/include/krb5/krb5.hin
++++ b/src/include/krb5/krb5.hin
+@@ -3043,10 +3043,10 @@ krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts);
+  * session key type is specified in @a in_creds->keyblock.enctype, if it is
+  * nonzero.
+  *
+- * The expiration date is specified in @a in_creds->times.endtime.
+- * The KDC may return tickets with an earlier expiration date.
+- * If @a in_creds->times.endtime is set to 0, the latest possible
+- * expiration date will be requested.
++ * If @a in_creds->times.endtime is specified, it is used as the requested
++ * expiration date if a TGS request is made.  If @a in_creds->times.endtime is
++ * set to 0, the latest possible expiration date will be requested.  The KDC or
++ * cache may return a ticket with an earlier expiration date.
+  *
+  * Any returned ticket and intermediate ticket-granting tickets are stored
+  * in @a ccache.
+diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
+index e986844a71..00becae965 100644
+--- a/src/lib/krb5/krb/get_creds.c
++++ b/src/lib/krb5/krb/get_creds.c
+@@ -53,18 +53,16 @@ construct_matching_creds(krb5_context context, krb5_flags options,
+                          krb5_creds *in_creds, krb5_creds *mcreds,
+                          krb5_flags *fields)
+ {
++    krb5_error_code ret;
++
+     if (!in_creds || !in_creds->server || !in_creds->client)
+         return EINVAL;
+ 
+     memset(mcreds, 0, sizeof(krb5_creds));
+     mcreds->magic = KV5M_CREDS;
+-    if (in_creds->times.endtime != 0) {
+-        mcreds->times.endtime = in_creds->times.endtime;
+-    } else {
+-        krb5_error_code retval;
+-        retval = krb5_timeofday(context, &mcreds->times.endtime);
+-        if (retval != 0) return retval;
+-    }
++    ret = krb5_timeofday(context, &mcreds->times.endtime);
++    if (ret)
++        return ret;
+     mcreds->keyblock = in_creds->keyblock;
+     mcreds->authdata = in_creds->authdata;
+     mcreds->server = in_creds->server;
+@@ -75,7 +73,6 @@ construct_matching_creds(krb5_context context, krb5_flags options,
+         | KRB5_TC_SUPPORTED_KTYPES;
+     if (mcreds->keyblock.enctype) {
+         krb5_enctype *ktypes;
+-        krb5_error_code ret;
+         int i;
+ 
+         *fields |= KRB5_TC_MATCH_KTYPE;

_service:tar_scm:backport-Fix-Python-regexp-literals.patch Added

@@ -0,0 +1,44 @@
+From 4b21b2e2821d3cb91042be09e0ebe09707a57d72 Mon Sep 17 00:00:00 2001                 
+From: Arjun <pkillarjun@protonmail.com>
+Date: Thu, 9 May 2024 20:47:08 +0530
+Subject: PATCH Fix Python regexp literals
+
+Add missing "r" prefixes before literals using regexp escape
+sequences.
+
+ghudson@mit.edu: split into separate commit; rewrote commit message
+
+Reference: https://github.com/krb5/krb5/commit/4b21b2e2821d3cb91042be09e0ebe09707a57d72
+Conflict: NA
+
+---
+ src/util/cstyle-file.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/util/cstyle-file.py b/src/util/cstyle-file.py
+index 837fa05..56b1e32 100644
+--- a/src/util/cstyle-file.py
++++ b/src/util/cstyle-file.py
+@@ -208,7 +208,7 @@ def check_assignment_in_conditional(line, ln):
+ 
+ 
+ def indent(line):
+-    return len(re.match('\s*', line).group(0).expandtabs())
++    return len(re.match(r'\s*', line).group(0).expandtabs())
+ 
+ 
+ def check_unbraced_flow_body(line, ln, lines):
+@@ -220,8 +220,8 @@ def check_unbraced_flow_body(line, ln, lines):
+     if m and (m.group(1) is None) != (m.group(3) is None):
+         warn(ln, 'One arm of if/else statement braced but not the other')
+ 
+-    if (re.match('\s*(if|else if|for|while)\s*$.*$$', line) or
+-        re.match('\s*else$', line)):
++    if (re.match(r'\s*(if|else if|for|while)\s*$.*$$', line) or
++        re.match(r'\s*else$', line)):
+         base = indent(line)
+         # Look at the next two lines (ln is 1-based so linesln is next).
+         if indent(linesln) > base and indent(linesln + 1) > base:
+-- 
+2.33.0
+

_service:tar_scm:backport-Fix-more-non-prototype-functions.patch Added

@@ -0,0 +1,857 @@
+From 623d649ba852839ba4822934bad9f97c184bf3ab Mon Sep 17 00:00:00 2001
+From: Arjun <pkillarjun@protonmail.com>
+Date: Thu, 9 May 2024 20:47:08 +0530
+Subject: PATCH Fix more non-prototype functions
+
+Add "void" designations to more function declarations and definitions
+not changed by commits 3ae9244cd021a75eba909d872a92c25db490714d and
+4b9d7f7c107f01a61600fddcd8cde3812d0366a2.
+
+ghudson@mit.edu: change additional functions; split into two commits;
+rewrote commit message
+
+Reference:https://github.com/krb5/krb5/commit/623d649ba852839ba4822934bad9f97c184bf3ab
+Conflict: src/lib/crypto/crypto_tests/vectors.c
+
+---
+ src/ccapi/common/win/OldCC/ccutils.c          |  2 +-
+ src/ccapi/common/win/OldCC/ccutils.h          |  2 +-
+ src/ccapi/common/win/OldCC/util.h             |  2 +-
+ src/ccapi/common/win/win-utils.c              |  2 +-
+ src/ccapi/common/win/win-utils.h              |  4 +-
+ src/ccapi/lib/ccapi_context.h                 |  2 +-
+ src/ccapi/lib/win/dllmain.h                   |  2 +-
+ src/ccapi/server/ccs_server.c                 |  2 +-
+ src/ccapi/server/ccs_server.h                 |  2 +-
+ src/ccapi/server/win/WorkQueue.h              |  8 +--
+ src/ccapi/test/pingtest.c                     |  2 +-
+ src/include/gssrpc/netdb.h                    |  4 +-
+ src/include/port-sockets.h                    |  2 +-
+ src/kadmin/cli/getdate.y                      |  2 +-
+ src/kadmin/dbutil/kdb5_util.c                 |  2 +-
+ src/kprop/kprop.c                             |  2 +-
+ src/lib/crypto/crypto_tests/t_pkcs5.c         |  4 +-
+ src/lib/crypto/crypto_tests/vectors.c         |  8 +--
+ src/lib/gssapi/generic/maptest.c              |  2 +-
+ src/lib/krb5/ccache/ccapi/stdcc.c             |  6 +-
+ src/lib/krb5/ccache/ccapi/winccld.c           |  9 ++-
+ src/lib/krb5/ccache/ccbase.c                  |  2 +-
+ src/lib/krb5/krb/bld_princ.c                  |  4 +-
+ src/lib/krb5/krb/conv_creds.c                 |  2 +-
+ src/lib/krb5/krb/init_ctx.c                   |  2 +-
+ src/lib/krb5/os/dnsglue.c                     |  4 +-
+ src/lib/krb5/os/localaddr.c                   |  6 +-
+ src/lib/rpc/getrpcent.c                       |  6 +-
+ src/lib/win_glue.c                            |  8 +--
+ src/plugins/kdb/db2/kdb_db2.c                 |  4 +-
+ src/plugins/kdb/db2/libdb2/hash/dbm.c         |  2 +-
+ .../kdb/ldap/libkdb_ldap/kdb_ldap_conn.c      |  4 +-
+ src/tests/threads/gss-perf.c                  |  4 +-
+ src/tests/threads/init_ctx.c                  |  2 +-
+ src/tests/threads/profread.c                  |  2 +-
+ src/tests/threads/t_rcache.c                  |  2 +-
+ src/util/et/com_err.c                         |  4 +-
+ src/util/et/error_message.c                   |  2 +-
+ src/util/profile/prof_file.c                  |  4 +-
+ src/util/support/secure_getenv.c              |  2 +-
+ src/windows/include/leashwin.h                | 60 +++++++++----------
+ 41 files changed, 99 insertions(+), 98 deletions(-)
+
+diff --git a/src/ccapi/common/win/OldCC/ccutils.c b/src/ccapi/common/win/OldCC/ccutils.c
+index 403c67e..7abaefa 100644
+--- a/src/ccapi/common/win/OldCC/ccutils.c
++++ b/src/ccapi/common/win/OldCC/ccutils.c
+@@ -30,7 +30,7 @@
+ #include "cci_debugging.h"
+ #include "util.h"
+ 
+-BOOL isNT() {
++BOOL isNT(void) {
+     OSVERSIONINFO osvi;
+     DWORD   status              = 0;
+     BOOL    bSupportedVersion   = FALSE;
+diff --git a/src/ccapi/common/win/OldCC/ccutils.h b/src/ccapi/common/win/OldCC/ccutils.h
+index 9da3d87..0fb7e14 100644
+--- a/src/ccapi/common/win/OldCC/ccutils.h
++++ b/src/ccapi/common/win/OldCC/ccutils.h
+@@ -33,7 +33,7 @@ extern "C" {
+ #define REPLY_SUFFIX    (char*)"reply"
+ #define LISTEN_SUFFIX   (char*)"listen"
+ 
+-BOOL    isNT();
++BOOL    isNT(void);
+ char*   allocEventName   (char* uuid, char* suffix);
+ HANDLE  createThreadEvent(char* uuid, char* suffix);
+ HANDLE  openThreadEvent  (char* uuid, char* suffix);
+diff --git a/src/ccapi/common/win/OldCC/util.h b/src/ccapi/common/win/OldCC/util.h
+index 45e069a..7ee5319 100644
+--- a/src/ccapi/common/win/OldCC/util.h
++++ b/src/ccapi/common/win/OldCC/util.h
+@@ -30,7 +30,7 @@
+ extern "C" {
+ #endif
+ 
+-BOOL isNT();
++BOOL isNT(void);
+ 
+ void*
+ user_allocate(
+diff --git a/src/ccapi/common/win/win-utils.c b/src/ccapi/common/win/win-utils.c
+index b49cca8..d9018a6 100644
+--- a/src/ccapi/common/win/win-utils.c
++++ b/src/ccapi/common/win/win-utils.c
+@@ -60,7 +60,7 @@ char* serverEndpoint(const char* user) {
+     return _serverEndpoint;
+     }
+ 
+-char* timestamp() {
++char* timestamp(void) {
+     SYSTEMTIME  _stime;
+     GetSystemTime(&_stime);
+     GetTimeFormat(LOCALE_SYSTEM_DEFAULT, 0, &_stime, "HH:mm:ss", _ts, sizeof(_ts)-1);
+diff --git a/src/ccapi/common/win/win-utils.h b/src/ccapi/common/win/win-utils.h
+index 41cab24..94d0a9f 100644
+--- a/src/ccapi/common/win/win-utils.h
++++ b/src/ccapi/common/win/win-utils.h
+@@ -50,6 +50,6 @@ char*                   clientEndpoint(const char* UUID);
+ char*                   serverEndpoint(const char* UUID);
+ extern unsigned char*   pszProtocolSequence;
+ 
+-char* timestamp();
++char* timestamp(void);
+ 
+-#endif // _win_utils_h
+\ No newline at end of file
++#endif // _win_utils_h
+diff --git a/src/ccapi/lib/ccapi_context.h b/src/ccapi/lib/ccapi_context.h
+index 51b8982..88f0ee8 100644
+--- a/src/ccapi/lib/ccapi_context.h
++++ b/src/ccapi/lib/ccapi_context.h
+@@ -79,7 +79,7 @@ cc_int32 ccapi_context_compare (cc_context_t  in_context,
+                                 cc_uint32    *out_equal);
+ 
+ #ifdef WIN32
+-void cci_thread_init__auxinit();
++void cci_thread_init__auxinit(void);
+ #endif
+ 
+ 
+diff --git a/src/ccapi/lib/win/dllmain.h b/src/ccapi/lib/win/dllmain.h
+index 8238566..28ca34e 100644
+--- a/src/ccapi/lib/win/dllmain.h
++++ b/src/ccapi/lib/win/dllmain.h
+@@ -32,7 +32,7 @@
+ extern "C" {          // we need to export the C interface
+ #endif
+ 
+-DWORD GetTlsIndex();
++DWORD GetTlsIndex(void);
+ 
+ #ifdef __cplusplus
+ }
+diff --git a/src/ccapi/server/ccs_server.c b/src/ccapi/server/ccs_server.c
+index 1fc8d2c..de74b71 100644
+--- a/src/ccapi/server/ccs_server.c
++++ b/src/ccapi/server/ccs_server.c
+@@ -402,7 +402,7 @@ cc_int32 ccs_server_send_reply (ccs_pipe_t     in_reply_pipe,
+ 
+ /* ------------------------------------------------------------------------ */
+ 
+-cc_uint64 ccs_server_client_count ()
++cc_uint64 ccs_server_client_count (void)
+ {
+     return ccs_client_array_count (g_client_array);
+ }
+diff --git a/src/ccapi/server/ccs_server.h b/src/ccapi/server/ccs_server.h
+index e920ad9..f71ab06 100644
+--- a/src/ccapi/server/ccs_server.h
++++ b/src/ccapi/server/ccs_server.h
+@@ -48,6 +48,6 @@ cc_int32 ccs_server_send_reply (ccs_pipe_t     in_reply_pipe,
+                                 cc_int32       in_reply_err,
+                                 k5_ipc_stream   in_reply_data);
+ 
+-cc_uint64 ccs_server_client_count ();
++cc_uint64 ccs_server_client_count (void);
+ 
+ #endif /* CCS_SERVER_H */
+diff --git a/src/ccapi/server/win/WorkQueue.h b/src/ccapi/server/win/WorkQueue.h
+index 68aa8b1..66a2960 100644
+--- a/src/ccapi/server/win/WorkQueue.h
++++ b/src/ccapi/server/win/WorkQueue.h
+@@ -29,14 +29,14 @@
+ #include "windows.h"
+ #include "ccs_pipe.h"
+ 
+-EXTERN_C    int worklist_initialize();
++EXTERN_C    int worklist_initialize(void);
+ 
+-EXTERN_C    int worklist_cleanup();
++EXTERN_C    int worklist_cleanup(void);
+ 
+ /* Wait for work to be added to the list (via worklist_add) from another thread */
+-EXTERN_C    void worklist_wait();
++EXTERN_C    void worklist_wait(void);
+ 
+-EXTERN_C    BOOL worklist_isEmpty();
++EXTERN_C    BOOL worklist_isEmpty(void);
+ 
+ EXTERN_C    int worklist_add(  const long          rpcmsg,
+                                 const ccs_pipe_t    pipe,

_service:tar_scm:backport-Handle-empty-initial-buffer-in-IAKERB-initiator.patch Added

@@ -0,0 +1,38 @@
+From 5f0023d5f05e95021a7caa1193f76f86871222ce Mon Sep 17 00:00:00 2001                 
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 8 May 2024 10:10:56 +0200
+Subject: PATCH Handle empty initial buffer in IAKERB initiator
+
+Section 5.19 of RFC 2744 (about gss_init_sec_context) states,
+"Initially, the input_token parameter should be specified either as
+GSS_C_NO_BUFFER, or as a pointer to a gss_buffer_desc object whose
+length field contains the value zero."  In iakerb_initiator_step(),
+handle both cases when deciding whether to parse an acceptor message.
+
+ghudson@mit.edu: edited commit message
+
+ticket: 9126 (new)
+
+Reference: https://github.com/krb5/krb5/commit/5f0023d5f05e95021a7caa1193f76f86871222ce
+Conflict: NA
+
+---
+ src/lib/gssapi/krb5/iakerb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+index b0d0ede..7a3ad1c 100644
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -539,7 +539,7 @@ iakerb_initiator_step(iakerb_ctx_id_t ctx,
+     output_token->length = 0;
+     output_token->value = NULL;
+ 
+-    if (input_token != GSS_C_NO_BUFFER) {
++    if (input_token != GSS_C_NO_BUFFER && input_token->length > 0) {
+         code = iakerb_parse_token(ctx, 0, input_token, NULL, &cookie, &in);
+         if (code != 0)
+             goto cleanup;
+-- 
+2.33.0
+

_service:tar_scm:fix-leak-in-KDC-NDR-encoding.patch Added

@@ -0,0 +1,42 @@
+From 0c2de238b5bf1ea4578e3933a604c7850905b8be Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 5 Mar 2024 17:38:49 -0500
+Subject: PATCH Fix leak in KDC NDR encoding
+
+If the KDC tries to encode a principal containing encode invalid UTF-8
+sequences for inclusion in a PAC delegation info buffer, it will leak
+a small amount of memory in enc_wchar_pointer() before failing.  Fix
+the leak.
+
+(cherry picked from commit 7d0d85bf99caf60c0afd4dcf91b0c4c683b983fe)
+
+ticket: 9115
+version_fixed: 1.21.3
+
+---
+ src/kdc/ndr.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c
+index 48395ab..d438408 100644
+--- a/src/kdc/ndr.c
++++ b/src/kdc/ndr.c
+@@ -96,14 +96,13 @@ enc_wchar_pointer(const char *utf8, struct encoded_wchars *encoded_out)
+     size_t utf16len, num_wchars;
+     uint8_t *utf16;
+ 
+-    k5_buf_init_dynamic(&b);
+-
+     ret = k5_utf8_to_utf16le(utf8, &utf16, &utf16len);
+     if (ret)
+         return ret;
+ 
+     num_wchars = utf16len / 2;
+ 
++    k5_buf_init_dynamic(&b);
+     k5_buf_add_uint32_le(&b, num_wchars + 1);
+     k5_buf_add_uint32_le(&b, 0);
+     k5_buf_add_uint32_le(&b, num_wchars);
+-- 
+2.27.0
+

_service Changed