From 2843572c2fca315f5c7a1097d8550d8770a0e3c4 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 10 Jun 2019 12:41:26 -0400
Subject: [PATCH] Remove strerror() calls from k5_get_error()

---
 Remove-strerror-calls-from-k5_get_error.patch | 34 +++++++++++++++++++
 krb5.spec                                     |  6 +++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 Remove-strerror-calls-from-k5_get_error.patch

diff --git a/Remove-strerror-calls-from-k5_get_error.patch b/Remove-strerror-calls-from-k5_get_error.patch
new file mode 100644
index 0000000..7ce77b3
--- /dev/null
+++ b/Remove-strerror-calls-from-k5_get_error.patch
@@ -0,0 +1,34 @@
+From f9c5dd7a9bb19dc99de8ee046b0ac1506c494f4e Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Thu, 6 Jun 2019 11:46:58 -0400
+Subject: [PATCH] Remove strerror() calls from k5_get_error()
+
+Coverity models strerror() as a function which cannot accept negative
+values, even though it has defined behavior on all integers.
+k5_get_error() contains code to call strerror_r() and strerror() if
+its fptr global is unset, which isn't an expected case in practice.
+To silence a large number of Coverity false positives, just return a
+fixed string if fptr is null.
+
+(cherry picked from commit 2d400bea7a81a5a834a1be6ded439f18e0afa5ba)
+---
+ src/util/support/errors.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/util/support/errors.c b/src/util/support/errors.c
+index 70e1d59d0..f8bea07a3 100644
+--- a/src/util/support/errors.c
++++ b/src/util/support/errors.c
+@@ -78,10 +78,9 @@ k5_get_error(struct errinfo *ep, long code)
+ 
+     lock();
+     if (fptr == NULL) {
++        /* Should be rare; fptr should be set whenever libkrb5 is loaded. */
+         unlock();
+-        if (strerror_r(code, buf, sizeof(buf)) == 0)
+-            return oom_check(strdup(buf));
+-        return oom_check(strdup(strerror(code)));
++        return oom_check(strdup(_("Error code translation unavailable")));
+     }
+     r = fptr(code);
+ #ifndef HAVE_COM_ERR_INTL
diff --git a/krb5.spec b/krb5.spec
index 1db95af..7cd5bc8 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.17
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 30%{?dist}
+Release: 31%{?dist}
 
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@@ -107,6 +107,7 @@ Patch143: Remove-support-for-no-flags-SAM-2-preauth.patch
 Patch144: Remove-krb5int_c_combine_keys.patch
 Patch145: Remove-3des-support.patch
 Patch146: krb5-1.17post4-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
+Patch147: Remove-strerror-calls-from-k5_get_error.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -716,6 +717,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Mon Jun 10 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-31
+- Remove strerror() calls from k5_get_error()
+
 * Fri Jun 07 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-30
 - Remove 3des from kdc.conf example