diff --git a/SOURCES/0001-Various-fixes-for-issues-found-by-static-code-scanne.patch b/SOURCES/0001-Various-fixes-for-issues-found-by-static-code-scanne.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1f71f8034d7afebb725d27a0d08d695f8d75c03d
--- /dev/null
+++ b/SOURCES/0001-Various-fixes-for-issues-found-by-static-code-scanne.patch
@@ -0,0 +1,198 @@
+From fab13daeaf23cc4a26b10cfe0c3d7ac469a9da76 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 5 Nov 2024 14:22:47 +0100
+Subject: [PATCH 1/2] Various fixes for issues found by static code scanners
+
+---
+ library/adconn.c   | 17 ++++++++++++-----
+ library/adenroll.c |  4 ++--
+ library/adutil.c   |  2 +-
+ library/seq.c      | 13 +++++++++----
+ library/seq.h      |  3 ++-
+ tools/tools.c      | 24 +++++++++++++++++-------
+ 6 files changed, 43 insertions(+), 20 deletions(-)
+
+diff --git a/library/adconn.c b/library/adconn.c
+index 087225d..e668b8d 100644
+--- a/library/adconn.c
++++ b/library/adconn.c
+@@ -402,9 +402,9 @@ clear_krb5_conf_snippet (adcli_conn *conn)
+ static adcli_result
+ setup_krb5_conf_snippet (adcli_conn *conn)
+ {
+-	char *filename;
+-	char *snippet;
+-	char *controller;
++	char *filename = NULL;
++	char *snippet = NULL;
++	char *controller = NULL;
+ 	int errn;
+ 	int ret;
+ 	int fd;
+@@ -429,7 +429,10 @@ setup_krb5_conf_snippet (adcli_conn *conn)
+ 		controller = strdup (conn->domain_controller);
+ 	}
+ 
+-	return_unexpected_if_fail (controller != NULL);
++	if (controller == NULL) {
++		free (filename);
++		return_unexpected_if_reached ();
++	}
+ 
+ 	if (asprintf (&snippet, "[realms]\n"
+ 	                        "  %s = {\n"
+@@ -442,8 +445,11 @@ setup_krb5_conf_snippet (adcli_conn *conn)
+ 	                        "  %s = %s\n",
+ 	              conn->domain_realm, controller, controller, controller,
+ 	              conn->canonical_host, conn->domain_realm,
+-	              conn->domain_controller, conn->domain_realm) < 0)
++	              conn->domain_controller, conn->domain_realm) < 0) {
++		free (controller);
++		free (filename);
+ 		return_unexpected_if_reached ();
++	}
+ 
+ 	old_mask = umask (0177);
+ 	fd = mkstemp (filename);
+@@ -451,6 +457,7 @@ setup_krb5_conf_snippet (adcli_conn *conn)
+ 	if (fd < 0) {
+ 		_adcli_warn ("Couldn't create krb5.conf snippet file in: %s: %s",
+ 		             conn->krb5_conf_dir, strerror (errno));
++		free (filename);
+ 
+ 	} else {
+ 		conn->krb5_conf_snippet = filename;
+diff --git a/library/adenroll.c b/library/adenroll.c
+index b6558ed..e978f46 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -2340,9 +2340,9 @@ update_keytab_for_principals (adcli_enroll *enroll,
+ 
+ 	for (i = 0; enroll->keytab_principals[i] != 0; i++) {
+ 		if (krb5_unparse_name (k5, enroll->keytab_principals[i], &name) != 0)
+-			name = "";
++			name = NULL;
+ 		res = add_principal_to_keytab (enroll, k5, enroll->keytab_principals[i],
+-		                               name, &which_salt, flags);
++		                               name != NULL ? name : "", &which_salt, flags);
+ 		krb5_free_unparsed_name (k5, name);
+ 
+ 		if (res != ADCLI_SUCCESS)
+diff --git a/library/adutil.c b/library/adutil.c
+index 36822e2..a112ad8 100644
+--- a/library/adutil.c
++++ b/library/adutil.c
+@@ -169,7 +169,7 @@ _adcli_strv_dup (char **strv)
+ 		return NULL;
+ 
+ 	count = seq_count (strv);
+-	return seq_dup (strv, &count, (seq_copy)strdup);
++	return seq_dup (strv, &count, (seq_copy)strdup, (seq_destroy)free);
+ }
+ 
+ char *
+diff --git a/library/seq.c b/library/seq.c
+index 8e7475d..5410918 100644
+--- a/library/seq.c
++++ b/library/seq.c
+@@ -299,7 +299,8 @@ seq_lookup (seq_voidp sequence,
+ void *
+ seq_dup (seq_voidp sequence,
+          int *length,
+-         seq_copy copy)
++         seq_copy copy,
++         seq_destroy destroy)
+ {
+ 	void **seq = sequence;
+ 	void **copied;
+@@ -308,6 +309,7 @@ seq_dup (seq_voidp sequence,
+ 	int at;
+ 
+ 	assert (length != NULL);
++	assert ( (copy != NULL && destroy != NULL) || (copy == NULL && destroy == NULL) );
+ 
+ 	len = *length;
+ 	alloc = alloc_size (len + 1);
+@@ -321,7 +323,10 @@ seq_dup (seq_voidp sequence,
+ 			copied[at] = seq[at];
+ 		} else {
+ 			copied[at] = copy (seq[at]);
+-			bail_on_null (copied[at]);
++			if (copied[at] == NULL) {
++				destroy (copied);
++				return NULL;
++			}
+ 		}
+ 	}
+ 
+@@ -707,7 +712,7 @@ test_dup (void)
+ 	seq = seq_insert (seq, &len, "3", (seq_compar)strcmp, NULL);
+ 	seq = seq_insert (seq, &len, "1", (seq_compar)strcmp, NULL);
+ 
+-	dup = seq_dup (seq, &len, NULL);
++	dup = seq_dup (seq, &len, NULL, NULL);
+ 	assert (dup != NULL);
+ 
+ 	assert_str_eq (dup[0], "1");
+@@ -734,7 +739,7 @@ test_dup_deep (void)
+ 	seq = seq_insert (seq, &len, "3", (seq_compar)strcmp, NULL);
+ 	seq = seq_insert (seq, &len, "1", (seq_compar)strcmp, NULL);
+ 
+-	dup = seq_dup (seq, &len, (seq_copy)strdup);
++	dup = seq_dup (seq, &len, (seq_copy)strdup, (seq_destroy)free);
+ 	assert (dup != NULL);
+ 
+ 	assert_str_eq (dup[0], "1");
+diff --git a/library/seq.h b/library/seq.h
+index 5d48848..3fec747 100644
+--- a/library/seq.h
++++ b/library/seq.h
+@@ -89,7 +89,8 @@ int                seq_count                  (seq_voidp seq);
+ 
+ seq_voidp          seq_dup                    (seq_voidp seq,
+                                                int *length,
+-                                               seq_copy copy);
++                                               seq_copy copy,
++                                               seq_destroy destroy);
+ 
+ void               seq_free                   (seq_voidp seq,
+                                                seq_destroy destroy);
+diff --git a/tools/tools.c b/tools/tools.c
+index 7e382ae..444485c 100644
+--- a/tools/tools.c
++++ b/tools/tools.c
+@@ -399,14 +399,24 @@ setup_krb5_conf_directory (adcli_conn *conn)
+ 			warnx ("couldn't create temporary directory in: %s: %s",
+ 			       parent, strerror (errn));
+ 		} else {
+-			if (asprintf (&filename, "%s/krb5.conf", directory) < 0 ||
+-			    asprintf (&snippets, "%s/krb5.d", directory) < 0 ||
+-			    asprintf (&contents, "includedir %s\n%s%s\n", snippets,
+-			              krb5_conf ? "include " : "",
+-			              krb5_conf ? krb5_conf : "") < 0) {
++			if (asprintf (&filename, "%s/krb5.conf", directory) < 0) {
++				warnx ("unexpected: out of memory");
++				failed = 1;
++			}
++			if (!failed && asprintf (&snippets, "%s/krb5.d", directory) < 0) {
++				free (filename);
++				filename = NULL;
++				warnx ("unexpected: out of memory");
++				failed = 1;
++			}
++			if (!failed && asprintf (&contents, "includedir %s\n%s%s\n", snippets,
++			                         krb5_conf ? "include " : "",
++			                         krb5_conf ? krb5_conf : "") < 0) {
++				free (snippets);
++				snippets = NULL;
++				free (filename);
++				filename = NULL;
+ 				warnx ("unexpected: out of memory");
+-				filename = NULL; /* content is undefined */
+-				snippets = NULL; /* content is undefined */
+ 				contents = NULL; /* content is undefined */
+ 				failed = 1;
+ 			}
+-- 
+2.48.1
+
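Review bot: In the embedded tools/tools.c hunk (setup_krb5_conf_directory), the first two failure branches no longer reset the pointer whose asprintf() just failed; the removed lines set `filename = NULL` and `snippets = NULL` with the comment "content is undefined", and the new code keeps that reset only for `contents`. If the cleanup after this hunk frees these variables (not visible here), an out-of-memory failure could pass an indeterminate pointer to free(); add `filename = NULL;` to the first branch and `snippets = NULL;` to the second. Separately, in the library/seq.c hunk the new error path in seq_dup() calls `destroy (copied)` on the array itself, which with `(seq_destroy)free` releases the array but leaks the elements already duplicated. Something like `while (at > 0) destroy (copied[--at]); free (copied);` would release both, assuming the array comes from the same allocator as the rest of seq.c. Both functions continue outside the hunks shown.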
diff --git a/SOURCES/0002-krb5-add-adcli_krb5_get_error_message.patch b/SOURCES/0002-krb5-add-adcli_krb5_get_error_message.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1369d129f511c825783d3af69dc4168bb460a38b
--- /dev/null
+++ b/SOURCES/0002-krb5-add-adcli_krb5_get_error_message.patch
@@ -0,0 +1,226 @@
+From d3db46e8b03f0f2db0df01466b597fde588a06bf Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 5 Nov 2024 19:00:54 +0100
+Subject: [PATCH 2/2] krb5: add adcli_krb5_get_error_message()
+
+The krb5_get_error_message() call returns an error message in an
+allocated string which must be freed. This makes it hard to simply use
+krb5_get_error_message() in a printf() argument list.
+adcli_krb5_get_error_message() used a static memory area to make the
+usage more easy.
+---
+ library/adconn.c    | 10 +++++-----
+ library/adenroll.c  | 18 +++++++++---------
+ library/adentry.c   |  2 +-
+ library/adkrb5.c    | 22 +++++++++++++++++++---
+ library/adprivate.h |  2 ++
+ 5 files changed, 36 insertions(+), 18 deletions(-)
+
+diff --git a/library/adconn.c b/library/adconn.c
+index e668b8d..2c94af9 100644
+--- a/library/adconn.c
++++ b/library/adconn.c
+@@ -367,20 +367,20 @@ handle_kinit_krb5_code (adcli_conn *conn,
+ 	           code == KRB5_PREAUTH_FAILED) {
+ 		if (type == ADCLI_LOGIN_COMPUTER_ACCOUNT) {
+ 			_adcli_err ("Couldn't authenticate as machine account: %s: %s",
+-			            name, krb5_get_error_message (conn->k5, code));
++			            name, adcli_krb5_get_error_message (conn->k5, code));
+ 		} else {
+ 			_adcli_err ("Couldn't authenticate as: %s: %s",
+-			            name, krb5_get_error_message (conn->k5, code));
++			            name, adcli_krb5_get_error_message (conn->k5, code));
+ 		}
+ 		return ADCLI_ERR_CREDENTIALS;
+ 
+ 	} else {
+ 		if (type == ADCLI_LOGIN_COMPUTER_ACCOUNT) {
+ 			_adcli_err ("Couldn't get kerberos ticket for machine account: %s: %s",
+-			            name, krb5_get_error_message (conn->k5, code));
++			            name, adcli_krb5_get_error_message (conn->k5, code));
+ 		} else {
+ 			_adcli_err ("Couldn't get kerberos ticket for: %s: %s",
+-			            name, krb5_get_error_message (conn->k5, code));
++			            name, adcli_krb5_get_error_message (conn->k5, code));
+ 		}
+ 		return ADCLI_ERR_DIRECTORY;
+ 	}
+@@ -726,7 +726,7 @@ prep_kerberos_and_kinit (adcli_conn *conn)
+ 
+ 			if (code != 0) {
+ 				_adcli_err ("Couldn't open kerberos credential cache: %s: %s",
+-				            conn->login_ccache_name, krb5_get_error_message (NULL, code));
++				            conn->login_ccache_name, adcli_krb5_get_error_message (NULL, code));
+ 				return ADCLI_ERR_CONFIG;
+ 			}
+ 		}
+diff --git a/library/adenroll.c b/library/adenroll.c
+index e978f46..c854c9e 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -549,7 +549,7 @@ ensure_keytab_principals (adcli_result res,
+ 			if (code != 0) {
+ 				_adcli_err ("Couldn't parse kerberos user principal: %s: %s",
+ 				            enroll->user_principal,
+-				            krb5_get_error_message (k5, code));
++				            adcli_krb5_get_error_message (k5, code));
+ 				return ADCLI_ERR_CONFIG;
+ 			}
+ 		}
+@@ -1523,7 +1523,7 @@ set_password_with_user_creds (adcli_enroll *enroll)
+ 	if (code != 0) {
+ 		_adcli_err ("Couldn't set password for %s account: %s: %s",
+ 		            s_or_c (enroll),
+-		            enroll->computer_sam, krb5_get_error_message (k5, code));
++		            enroll->computer_sam, adcli_krb5_get_error_message (k5, code));
+ 		/* TODO: Parse out these values */
+ 		res = ADCLI_ERR_DIRECTORY;
+ 
+@@ -1584,7 +1584,7 @@ set_password_with_computer_creds (adcli_enroll *enroll)
+ 	if (code != 0) {
+ 		_adcli_err ("Couldn't get change password ticket for %s account: %s: %s",
+ 		            s_or_c (enroll),
+-		            enroll->computer_sam, krb5_get_error_message (k5, code));
++		            enroll->computer_sam, adcli_krb5_get_error_message (k5, code));
+ 		return ADCLI_ERR_DIRECTORY;
+ 	}
+ 
+@@ -1596,7 +1596,7 @@ set_password_with_computer_creds (adcli_enroll *enroll)
+ 	if (code != 0) {
+ 		_adcli_err ("Couldn't change password for %s account: %s: %s",
+ 		            s_or_c (enroll),
+-		            enroll->computer_sam, krb5_get_error_message (k5, code));
++		            enroll->computer_sam, adcli_krb5_get_error_message (k5, code));
+ 		/* TODO: Parse out these values */
+ 		res = ADCLI_ERR_DIRECTORY;
+ 
+@@ -2113,7 +2113,7 @@ load_host_keytab (adcli_enroll *enroll)
+ 		code = _adcli_krb5_keytab_enumerate (k5, keytab, load_keytab_entry, enroll);
+ 		if (code != 0) {
+ 			_adcli_err ("Couldn't enumerate keytab: %s: %s",
+-		                    enroll->keytab_name, krb5_get_error_message (k5, code));
++		                    enroll->keytab_name, adcli_krb5_get_error_message (k5, code));
+ 			res = ADCLI_ERR_FAIL;
+ 		}
+ 		krb5_kt_close (k5, keytab);
+@@ -2225,7 +2225,7 @@ remove_principal_from_keytab (adcli_enroll *enroll,
+ 
+ 	if (code != 0) {
+ 		_adcli_err ("Couldn't update keytab: %s: %s",
+-		            enroll->keytab_name, krb5_get_error_message (k5, code));
++		            enroll->keytab_name, adcli_krb5_get_error_message (k5, code));
+ 		return ADCLI_ERR_FAIL;
+ 	}
+ 
+@@ -2257,7 +2257,7 @@ add_principal_to_keytab (adcli_enroll *enroll,
+ 
+ 	if (code != 0) {
+ 		_adcli_err ("Couldn't update keytab: %s: %s",
+-		            enroll->keytab_name, krb5_get_error_message (k5, code));
++		            enroll->keytab_name, adcli_krb5_get_error_message (k5, code));
+ 		return ADCLI_ERR_FAIL;
+ 	}
+ 
+@@ -2296,7 +2296,7 @@ add_principal_to_keytab (adcli_enroll *enroll,
+ 			                                         enctypes, salts, which_salt);
+ 			if (code != 0) {
+ 				_adcli_warn ("Couldn't authenticate with keytab while discovering which salt to use: %s: %s",
+-				             principal_name, krb5_get_error_message (k5, code));
++				             principal_name, adcli_krb5_get_error_message (k5, code));
+ 				*which_salt = DEFAULT_SALT;
+ 			} else {
+ 				assert (*which_salt >= 0);
+@@ -2313,7 +2313,7 @@ add_principal_to_keytab (adcli_enroll *enroll,
+ 
+ 	if (code != 0) {
+ 		_adcli_err ("Couldn't add keytab entries: %s: %s",
+-		            enroll->keytab_name, krb5_get_error_message (k5, code));
++		            enroll->keytab_name, adcli_krb5_get_error_message (k5, code));
+ 		return ADCLI_ERR_FAIL;
+ 	}
+ 
+diff --git a/library/adentry.c b/library/adentry.c
+index 0d9b9af..38ec7ca 100644
+--- a/library/adentry.c
++++ b/library/adentry.c
+@@ -515,7 +515,7 @@ adcli_entry_set_passwd (adcli_entry *entry, const char *user_pwd)
+ 	if (code != 0) {
+ 		_adcli_err ("Couldn't set password for %s account: %s: %s",
+ 		            entry->object_class,
+-		            entry->sam_name, krb5_get_error_message (k5, code));
++		            entry->sam_name, adcli_krb5_get_error_message (k5, code));
+ 		/* TODO: Parse out these values */
+ 		res = ADCLI_ERR_DIRECTORY;
+ 
+diff --git a/library/adkrb5.c b/library/adkrb5.c
+index be3ede5..7a9ee8f 100644
+--- a/library/adkrb5.c
++++ b/library/adkrb5.c
+@@ -33,6 +33,7 @@
+ #include <ctype.h>
+ #include <errno.h>
+ #include <stdio.h>
++#include <sys/param.h>
+ 
+ krb5_error_code
+ _adcli_krb5_build_principal (krb5_context k5,
+@@ -174,7 +175,7 @@ _adcli_krb5_init_context (krb5_context *k5)
+ 
+ 	} else if (code != 0) {
+ 		_adcli_err ("Failed to create kerberos context: %s",
+-		            krb5_get_error_message (NULL, code));
++		            adcli_krb5_get_error_message (NULL, code));
+ 		return ADCLI_ERR_UNEXPECTED;
+ 	}
+ 
+@@ -192,7 +193,7 @@ _adcli_krb5_open_keytab (krb5_context k5,
+ 		code = krb5_kt_resolve (k5, keytab_name, keytab);
+ 		if (code != 0) {
+ 			_adcli_err ("Failed to open keytab: %s: %s",
+-			            keytab_name, krb5_get_error_message (k5, code));
++			            keytab_name, adcli_krb5_get_error_message (k5, code));
+ 			return ADCLI_ERR_FAIL;
+ 		}
+ 
+@@ -200,7 +201,7 @@ _adcli_krb5_open_keytab (krb5_context k5,
+ 		code = krb5_kt_default (k5, keytab);
+ 		if (code != 0) {
+ 			_adcli_err ("Failed to open default keytab: %s",
+-			            krb5_get_error_message (k5, code));
++			            adcli_krb5_get_error_message (k5, code));
+ 			return ADCLI_ERR_FAIL;
+ 		}
+ 	}
+@@ -570,3 +571,18 @@ _adcli_krb5_format_enctypes (krb5_enctype *enctypes)
+ 
+ 	return value;
+ }
++
++const char *adcli_krb5_get_error_message (krb5_context ctx, krb5_error_code code)
++{
++	static char out[4096];
++	const char *tmp;
++	size_t len;
++
++	tmp = krb5_get_error_message (ctx, code);
++	len = strlen (tmp);
++	memcpy (out, tmp, MIN (sizeof (out), len));
++	out[sizeof(out) - 1] = '\0';
++	krb5_free_error_message (ctx, tmp);
++
++	return out;
++}
+diff --git a/library/adprivate.h b/library/adprivate.h
+index bf0381c..cca58f9 100644
+--- a/library/adprivate.h
++++ b/library/adprivate.h
+@@ -323,4 +323,6 @@ adcli_result     _adcli_call_external_program     (const char *binary,
+                                                    uint8_t **stdout_data,
+                                                    size_t *stdout_data_len);
+ 
++const char *adcli_krb5_get_error_message          (krb5_context ctx,
++                                                   krb5_error_code code);
+ #endif /* ADPRIVATE_H_ */
+-- 
+2.48.1
+
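Review bot: In the embedded library/adkrb5.c hunk, adcli_krb5_get_error_message() does not terminate the copied string at its own length: `memcpy (out, tmp, MIN (sizeof (out), len))` copies `len` bytes without the NUL, and only `out[sizeof(out) - 1]` is cleared. Once a longer message has been stored, a shorter one is therefore returned with the tail of the previous message still attached, which makes authentication and keytab diagnostics misleading. Clamp and terminate at the copied length instead, e.g. `len = MIN (sizeof (out) - 1, strlen (tmp)); memcpy (out, tmp, len); out[len] = '\0';`. The shared static buffer also means the returned pointer is overwritten by the next call, so it must not be used twice in one argument list or from several threads; a short comment above the function stating that would help callers.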
diff --git a/SPECS/adcli.spec b/SPECS/adcli.spec
index f43983ebfd8917b6e08c31ee764dfa81160d6b4a..9ffa3eefd83fa8a4bec342cc42cc7eb6982b0a77 100644
--- a/SPECS/adcli.spec
+++ b/SPECS/adcli.spec
@@ -1,11 +1,14 @@
 Name:    adcli
 Version: 0.9.2
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: Active Directory enrollment
 License: LGPL-2.1-or-later
 URL:     https://gitlab.freedesktop.org/realmd/adcli
 Source0: https://gitlab.freedesktop.org/realmd/adcli/uploads/ea560656ac921b3fe0d455976aaae9be/adcli-%{version}.tar.gz
 
+# fixes for issues found by static analyser
+Patch1: 0001-Various-fixes-for-issues-found-by-static-code-scanne.patch
+Patch2: 0002-krb5-add-adcli_krb5_get_error_message.patch
 
 BuildRequires: gcc
 BuildRequires: intltool pkgconfig
@@ -70,6 +73,10 @@ documentation.
 %doc %{_datadir}/doc/adcli/*
 
 %changelog
+* Thu Feb 13 2025 Sumit Bose <sbose@redhat.com> - 0.9.2-9
+- Fixes for RHEL SAST Automation
+  Resolves: RHEL-45146
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.9.2-8
 - Bump release for October 2024 mass rebuild:
   Resolves: RHEL-64018