diff --git a/Fix-potential-close-1-in-cc_file.c.patch b/Fix-potential-close-1-in-cc_file.c.patch
new file mode 100644
index 0000000..931f085
--- /dev/null
+++ b/Fix-potential-close-1-in-cc_file.c.patch
@@ -0,0 +1,30 @@
+From b2002f8286c0f77e57c7387123328a31125cda2e Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Thu, 18 Apr 2019 13:39:37 -0400
+Subject: [PATCH] Fix potential close(-1) in cc_file.c
+
+As part of error handling in d3b39a8bac6206b5ea78b0bf6a2958c1df0b0dd5,
+an error path in delete_cred() may result in close(-1). While this
+shouldn't be a prolblem in practice (just returning EBADF), it does
+upset Coverity.
+
+ticket: 8792
+(cherry picked from commit 5ccfbaf2f0c8871d2f0ea87ad4b21cc33392ca2c)
+---
+ src/lib/krb5/ccache/cc_file.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
+index a3f67766e..bf58c1d45 100644
+--- a/src/lib/krb5/ccache/cc_file.c
++++ b/src/lib/krb5/ccache/cc_file.c
+@@ -1122,7 +1122,8 @@ delete_cred(krb5_context context, krb5_ccache cache, krb5_cc_cursor *cursor,
+ }
+
+ cleanup:
+- close(fd);
++ if (fd >= 0)
++ close(fd);
+ zapfree(on_disk, expected.len);
+ k5_buf_free(&expected);
+ k5_buf_free(&overwrite);
diff --git a/krb5.spec b/krb5.spec
index 9863c9f..73d6a53 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.17
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 11%{?dist}
+Release: 12%{?dist}
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
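Review bot: The added `if (fd >= 0)` guard at the `cleanup:` label of delete_cred() (in the embedded cc_file.c patch) is only sound if `fd` holds a negative sentinel on every path that jumps to the label before a successful open. The declaration and the open call are outside this hunk, so presumably `fd` starts at -1; that invariant is worth confirming and stating at the label, e.g. `/* fd is still -1 if the cache file was never opened. */`. Separately, the result of close() is still discarded. If the function writes the overwrite buffer through `fd` earlier (not visible here), an I/O error reported only at close would be lost, and the credential could remain in the cache file while the caller sees success. Consider checking close() and reporting `errno` when no earlier error is pending.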
@@ -83,6 +83,7 @@ Patch110: Remove-Kerberos-v4-support-vestiges-from-ccapi.patch
 Patch111: Fix-config-realm-change-logic-in-FILE-remove_cred.patch
 Patch112: Remove-confvalidator-utility.patch
 Patch113: Remove-ovsec_adm_export-dump-format-support.patch
+Patch114: Fix-potential-close-1-in-cc_file.c.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -719,6 +720,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Mon Apr 22 2019 Robbie Harwood - 1.17-12
+- Fix potential close(-1) in cc_file.c
+
 * Wed Apr 17 2019 Robbie Harwood - 1.17-11
 - Remove ovsec_adm_export and confvalidator