import libtirpc-1.1.4-5.el8

SOURCES/libtirpc-1.1.4-blacklist.patch

@@ -0,0 +1,15 @@
+diff -up libtirpc-1.1.4/doc/bindresvport.blacklist.save libtirpc-1.1.4/doc/bindresvport.blacklist
+--- libtirpc-1.1.4/doc/bindresvport.blacklist.save	2021-04-17 13:04:20.092274589 -0400
++++ libtirpc-1.1.4/doc/bindresvport.blacklist	2021-04-17 13:04:45.609945925 -0400
+@@ -8,6 +8,11 @@
+ 631     # cups
+ 636     # ldaps
+ 664     # Secure ASF, used by IPMI on some cards
++749     # Kerberos V kadmin
++774     # rpasswd
++873     # rsyncd
+ 921     # lwresd
++992     # SSL-enabled telnet
+ 993     # imaps
++994     # irc
+ 995     # pops

SOURCES/libtirpc-1.1.4-disallow-auth_refresh.patch

@@ -0,0 +1,76 @@
+diff -up libtirpc-1.1.4/src/auth_gss.c.orig libtirpc-1.1.4/src/auth_gss.c
+--- libtirpc-1.1.4/src/auth_gss.c.orig	2021-04-17 13:11:03.229880600 -0400
++++ libtirpc-1.1.4/src/auth_gss.c	2021-04-17 13:15:10.722391798 -0400
+@@ -982,3 +982,9 @@ rpc_gss_max_data_length(AUTH *auth, int
+ 	rpc_gss_clear_error();
+ 	return result;
+ }
++
++bool_t
++is_authgss_client(CLIENT *clnt)
++{
++	return (clnt->cl_auth->ah_ops == &authgss_ops);
++}
+diff -up libtirpc-1.1.4/src/clnt_dg.c.orig libtirpc-1.1.4/src/clnt_dg.c
+--- libtirpc-1.1.4/src/clnt_dg.c.orig	2018-08-27 10:06:49.000000000 -0400
++++ libtirpc-1.1.4/src/clnt_dg.c	2021-04-17 13:15:10.722391798 -0400
+@@ -60,6 +60,9 @@
+ #include <sys/uio.h>
+ #endif
+ 
++#ifdef HAVE_RPCSEC_GSS
++#include <rpc/auth_gss.h>
++#endif
+ 
+ #define MAX_DEFAULT_FDS                 20000
+ 
+@@ -356,6 +359,11 @@ clnt_dg_call(cl, proc, xargs, argsp, xre
+ 		salen = cu->cu_rlen;
+ 	}
+ 
++#ifdef HAVE_RPCSEC_GSS
++	if (is_authgss_client(cl))
++		nrefreshes = 0;
++#endif
++
+ 	/* Clean up in case the last call ended in a longjmp(3) call. */
+ call_again:
+ 	xdrs = &(cu->cu_outxdrs);
+diff -up libtirpc-1.1.4/src/clnt_vc.c.orig libtirpc-1.1.4/src/clnt_vc.c
+--- libtirpc-1.1.4/src/clnt_vc.c.orig	2018-08-27 10:06:49.000000000 -0400
++++ libtirpc-1.1.4/src/clnt_vc.c	2021-04-17 13:15:10.723391824 -0400
+@@ -68,6 +68,10 @@
+ #include <rpc/rpc.h>
+ #include "rpc_com.h"
+ 
++#ifdef HAVE_RPCSEC_GSS
++#include <rpc/auth_gss.h>
++#endif
++
+ #define MCALL_MSG_SIZE 24
+ 
+ #define CMGROUP_MAX    16
+@@ -380,6 +384,11 @@ clnt_vc_call(cl, proc, xdr_args, args_pt
+ 	    (xdr_results == NULL && timeout.tv_sec == 0
+ 	    && timeout.tv_usec == 0) ? FALSE : TRUE;
+ 
++#ifdef HAVE_RPCSEC_GSS
++	if (is_authgss_client(cl))
++		refreshes = 0;
++#endif
++
+ call_again:
+ 	xdrs->x_op = XDR_ENCODE;
+ 	ct->ct_error.re_status = RPC_SUCCESS;
+diff -up libtirpc-1.1.4/tirpc/rpc/auth_gss.h.orig libtirpc-1.1.4/tirpc/rpc/auth_gss.h
+--- libtirpc-1.1.4/tirpc/rpc/auth_gss.h.orig	2018-08-27 10:06:49.000000000 -0400
++++ libtirpc-1.1.4/tirpc/rpc/auth_gss.h	2021-04-17 13:15:10.723391824 -0400
+@@ -120,6 +120,8 @@ void	gss_log_debug		(const char *fmt, ..
+ void	gss_log_status		(char *m, OM_uint32 major, OM_uint32 minor);
+ void	gss_log_hexdump		(const u_char *buf, int len, int offset);
+ 
++bool_t	is_authgss_client	(CLIENT *);
++
+ #ifdef __cplusplus
+ }
+ #endif

SPECS/libtirpc.spec

@@ -2,7 +2,7 @@
 
 Name:			libtirpc
 Version:		1.1.4
-Release:		4%{?dist}
+Release:		5%{?dist}
 Summary:		Transport Independent RPC Library
 Group:		  	System Environment/Libraries
 License:		SISSL and BSD
@@ -23,6 +23,14 @@ Patch002: libtirpc-1.1.4-dup_ncp-bad-free.patch
 # bz 1641875
 Patch003: libtirpc-1.1.4-fix-EOF-non-block.patch
 
+#
+# RHEL 8.5
+#
+# bz 1854147
+Patch004: libtirpc-1.1.4-blacklist.patch
+# bz 1934866
+Patch005: libtirpc-1.1.4-disallow-auth_refresh.patch
+
 BuildRequires:		automake, autoconf, libtool, pkgconfig
 BuildRequires:		krb5-devel
 
@@ -142,6 +150,10 @@ mv %{buildroot}%{_mandir}/man3 %{buildroot}%{_mandir}/man3t
 %{_mandir}/*/*
 
 %changelog
+* Sat Apr 17 2021 Steve Dickson <steved@redhat.com> 1.1.4-5
+- blacklist: Add a few more well known ports (bz 1854147)
+- Disallow calling auth_refresh from clnt_call with RPCSEC_GSS (bz 1934866)
+
 * Wed Jul 24 2019 Steve Dickson <steved@redhat.com> 1.1.4-4
 - Enable gating using reverse dependency testing of nfs-utils (bz 1681965)
 - Updated the URL (bz 1638671)