diff --git a/backport-Allow-null-keyblocks-in-IOV-checksum-functions.patch b/backport-Allow-null-keyblocks-in-IOV-checksum-functions.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dfc8e39b996a49297cdd0cf9c3c85dd02ca21992
--- /dev/null
+++ b/backport-Allow-null-keyblocks-in-IOV-checksum-functions.patch
@@ -0,0 +1,66 @@
+From 6217454323b39cedb1b03ac161ecb0ade3ad84e6 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Sun, 20 Oct 2024 02:09:26 -0400
+Subject: [PATCH] Allow null keyblocks in IOV checksum functions
+
+Null keyblocks are allowed by the libk5crypto checksum functions when
+the checksum type is not keyed. However, krb5_c_make_checksum_iov()
+and krb5_c_verify_checksum_iov() crash on null keyblock inputs because
+they do not check before converting to krb5_key as their non-IOV
+variants do. Add the missing null checks.
+
+ticket: 9146 (new)
+---
+ src/lib/crypto/krb/make_checksum_iov.c | 10 ++++++----
+ src/lib/crypto/krb/verify_checksum_iov.c | 10 ++++++----
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/lib/crypto/krb/make_checksum_iov.c b/src/lib/crypto/krb/make_checksum_iov.c
+index 549180d..84e98b1 100644
+--- a/src/lib/crypto/krb/make_checksum_iov.c
++++ b/src/lib/crypto/krb/make_checksum_iov.c
+@@ -81,12 +81,14 @@ krb5_c_make_checksum_iov(krb5_context context,
+ krb5_crypto_iov *data,
+ size_t num_data)
+ {
+- krb5_key key;
++ krb5_key key = NULL;
+ krb5_error_code ret;
+
+- ret = krb5_k_create_key(context, keyblock, &key);
+- if (ret != 0)
+- return ret;
++ if (keyblock != NULL) {
++ ret = krb5_k_create_key(context, keyblock, &key);
++ if (ret != 0)
++ return ret;
++ }
+ ret = krb5_k_make_checksum_iov(context, cksumtype, key, usage,
+ data, num_data);
+ krb5_k_free_key(context, key);
+diff --git a/src/lib/crypto/krb/verify_checksum_iov.c b/src/lib/crypto/krb/verify_checksum_iov.c
+index fc76c0e..47a25a9 100644
+--- a/src/lib/crypto/krb/verify_checksum_iov.c
++++ b/src/lib/crypto/krb/verify_checksum_iov.c
+@@ -88,12 +88,14 @@ krb5_c_verify_checksum_iov(krb5_context context,
+ size_t num_data,
+ krb5_boolean *valid)
+ {
+- krb5_key key;
++ krb5_key key = NULL;
+ krb5_error_code ret;
+
+- ret = krb5_k_create_key(context, keyblock, &key);
+- if (ret != 0)
+- return ret;
++ if (keyblock != NULL) {
++ ret = krb5_k_create_key(context, keyblock, &key);
++ if (ret != 0)
++ return ret;
++ }
+ ret = krb5_k_verify_checksum_iov(context, checksum_type, key, usage, data,
+ num_data, valid);
+ krb5_k_free_key(context, key);
+--
+2.43.0
+
diff --git a/backport-Avoid-mutex-locking-in-krb5int_trace.patch b/backport-Avoid-mutex-locking-in-krb5int_trace.patch
new file mode 100644
index 0000000000000000000000000000000000000000..52b9c264729bfdae6bf7806c7e12ccba40f38cd9
--- /dev/null
+++ b/backport-Avoid-mutex-locking-in-krb5int_trace.patch
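Review bot: The added guard only decides whether the keyblock is converted; whether a NULL key is acceptable for the requested cksumtype is decided inside krb5_k_make_checksum_iov() and krb5_k_verify_checksum_iov(), outside the hunk, and both call sites now also hand NULL to krb5_k_free_key(). The commit message says the non-IOV variants already follow this pattern, so the krb5_k_* layer presumably rejects a null key for keyed types and tolerates NULL in free, but that should be confirmed on the 1.21.2 tree the backport targets rather than assumed. A comment on the new branch would state the contract: `/* A null keyblock is allowed for unkeyed checksum types; key stays NULL. */`. The change carries no test; a crypto-test case calling both IOV functions with a NULL keyblock and an unkeyed type would pin the fix. Both functions start before their hunks.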
@@ -0,0 +1,71 @@
+From b03d55c2b841731c8194cb12566cad1d6d2ad3cb Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Fri, 4 Oct 2024 18:00:21 +0200
+Subject: [PATCH] Avoid mutex locking in krb5int_trace()
+
+Trace logging doesn't need unique timestamps, so the locking within
+krb5_crypto_us_timeofday() makes trace logging slower for no reason.
+Add a new helper k5_us_timeofday(), which is merely a wrapper around
+the existing get_time_now(), and use it in krb5int_trace().
+
+[ghudson@mit.edu: edited commit message]
+---
+ src/include/k5-int.h | 1 +
+ src/lib/krb5/os/c_ustime.c | 15 +++++++++++++++
+ src/lib/krb5/os/trace.c | 2 +-
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index fd79d7c..f492acb 100644
+--- a/src/include/k5-int.h
++++ b/src/include/k5-int.h
+@@ -697,6 +697,7 @@ krb5_error_code krb5int_c_copy_keyblock_contents(krb5_context context,
+ const krb5_keyblock *from,
+ krb5_keyblock *to);
+
++krb5_error_code k5_us_timeofday(krb5_timestamp *, krb5_int32 *);
+ krb5_error_code krb5_crypto_us_timeofday(krb5_timestamp *, krb5_int32 *);
+
+ /*
+diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
+index f69f2ea..265c3b3 100644
+--- a/src/lib/krb5/os/c_ustime.c
++++ b/src/lib/krb5/os/c_ustime.c
+@@ -73,6 +73,21 @@ get_time_now(struct time_now *n)
+
+ #endif
+
++krb5_error_code
++k5_us_timeofday(krb5_timestamp *seconds, krb5_int32 *microseconds)
++{
++ struct time_now now;
++ krb5_error_code err;
++
++ err = get_time_now(&now);
++ if (err)
++ return err;
++
++ *seconds = now.sec;
++ *microseconds = now.usec;
++ return 0;
++}
++
+ static struct time_now last_time;
+
+ krb5_error_code
+diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
+index c4058dd..2af459d 100644
+--- a/src/lib/krb5/os/trace.c
++++ b/src/lib/krb5/os/trace.c
+@@ -411,7 +411,7 @@ krb5int_trace(krb5_context context, const char *fmt, ...)
+ str = trace_format(context, fmt, ap);
+ if (str == NULL)
+ goto cleanup;
+- if (krb5_crypto_us_timeofday(&sec, &usec) != 0)
++ if (k5_us_timeofday(&sec, &usec) != 0)
+ goto cleanup;
+ if (asprintf(&msg, "[%d] %u.%06d: %s\n", (int)getpid(),
+ (unsigned int)sec, (int)usec, str) < 0)
+--
+2.43.0
+
diff --git a/backport-Fix-krb5_ldap_list_policy-filtering-loop.patch b/backport-Fix-krb5_ldap_list_policy-filtering-loop.patch
new file mode 100644
index 0000000000000000000000000000000000000000..677ce5869a9d9e4cfa5679409872b412329fd7f5
--- /dev/null
+++ b/backport-Fix-krb5_ldap_list_policy-filtering-loop.patch
@@ -0,0 +1,32 @@
+From 0a23b0cd9466e8a7c6fb82fce185be6e0834ce26 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Sun, 27 Oct 2024 19:01:51 -0400
+Subject: [PATCH] Fix krb5_ldap_list_policy() filtering loop
+
+The loop at the end of this function is intended to ignore ticket
+policy DNs that can't be converted to names. But it instead leaves a
+hole in the output list if that happens, effectively truncating the
+list and leaking any subsequent entries. Use the correct index for
+the output list.
+
+ticket: 9148 (new)
+---
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
+index 4f48fd6..27a2235 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
+@@ -382,7 +382,7 @@ krb5_ldap_list_policy(krb5_context context, char *containerdn, char ***policy)
+
+ for (i = 0, j = 0; list[i] != NULL; i++, j++) {
+ int ret;
+- ret = krb5_ldap_policydn_to_name (context, list[i], &(*policy)[i]);
++ ret = krb5_ldap_policydn_to_name (context, list[i], &(*policy)[j]);
+ if (ret != 0)
+ j--;
+ }
+--
+2.43.0
+
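Review bot: The new k5_us_timeofday() in c_ustime.c carries no comment distinguishing it from krb5_crypto_us_timeofday() directly below it, which is the whole point of the helper: it returns the raw get_time_now() reading with neither the lock nor the uniqueness adjustment the commit message attributes to the locked variant. Suggest `/* Raw wall-clock reading without locking or uniqueness adjustment; for tracing and other callers that tolerate repeated timestamps. */` above the definition, with a matching one-liner on the k5-int.h prototype so the unlocked variant is not later chosen by a caller that needs unique timestamps. The unnamed parameters in the declaration match the neighbouring prototype, so no change there. krb5int_trace() starts before and ends after the trace.c hunk.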
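Review bot: With the index fix the output array can end up with fewer entries than list[] has, so correctness depends on (*policy) having been allocated zero-filled with room for a terminating NULL; that allocation is earlier in krb5_ldap_list_policy(), outside the hunk, and is worth confirming, since otherwise the slot after the last converted name is uninitialised and a consumer walking to NULL reads past it. It is also worth checking that krb5_ldap_policydn_to_name() does not allocate into its output before failing, because the failed slot is reused on the next iteration and any partial result would leak. A short comment on the loop would record the intent the commit message describes: `/* Skip DNs that cannot be converted; j lags i by the number skipped. */`.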
diff --git a/backport-Fix-unlikely-password-change-leak.patch b/backport-Fix-unlikely-password-change-leak.patch
new file mode 100644
index 0000000000000000000000000000000000000000..02e4fd8208a640e25a5fc00526e489af2709d26e
--- /dev/null
+++ b/backport-Fix-unlikely-password-change-leak.patch
@@ -0,0 +1,62 @@
+From 038793c3083f44c4fb62626c12f80c80147029cf Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Fri, 11 Oct 2024 12:45:13 +0200
+Subject: [PATCH] Fix unlikely password change leak
+
+In kpasswd_sendto_msg_callback(), if getsockname() does not reveal the
+local address, a copy of the first local address's contents is made
+and never freed. Instead of making an allocated copy of the address
+contents, make a shallow copy of the whole address. Delay freeing the
+address array until the end of the function so that alias pointer made
+by the shallow copy remains valid.
+
+[ghudson@mit.edu: further simplified code; rewrote commit message]
+---
+ src/lib/krb5/os/changepw.c | 14 +++----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
+index c592325..9cae409 100644
+--- a/src/lib/krb5/os/changepw.c
++++ b/src/lib/krb5/os/changepw.c
+@@ -115,6 +115,7 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
+ struct sendto_callback_context *ctx = data;
+ GETSOCKNAME_ARG3_TYPE addrlen;
+ krb5_data output;
++ krb5_address **addrs = NULL;
+
+ memset (message, 0, sizeof(krb5_data));
+
+@@ -143,20 +144,10 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
+ local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr);
+ local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr;
+ } else {
+- krb5_address **addrs;
+-
+ code = krb5_os_localaddr(ctx->context, &addrs);
+ if (code)
+ goto cleanup;
+-
+- local_kaddr.magic = addrs[0]->magic;
+- local_kaddr.addrtype = addrs[0]->addrtype;
+- local_kaddr.length = addrs[0]->length;
+- local_kaddr.contents = k5memdup(addrs[0]->contents, addrs[0]->length,
+- &code);
+- krb5_free_addresses(ctx->context, addrs);
+- if (local_kaddr.contents == NULL)
+- goto cleanup;
++ local_kaddr = *addrs[0];
+ }
+
+
+@@ -193,6 +184,7 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
+ message->data = output.data;
+
+ cleanup:
++ krb5_free_addresses(ctx->context, addrs);
+ return code;
+ }
+
+--
+2.43.0
+
diff --git a/krb5.spec b/krb5.spec
index 157eef1b76e1f04493aee49e6ca03fdc78bca0f6..122e2cf4de0d1c44efc8f4050c46ad312a9df039 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -3,7 +3,7 @@ Name: krb5 Version: 1.21.2 -Release: 11 +Release: 12 Summary: The Kerberos network authentication protocol License: MIT URL: http://web.mit.edu/kerberos/www/
@@ -41,6 +41,10 @@ Patch17: backport-Change-krb5_get_credentials-endtime-behavior.patch Patch18: backport-Fix-memory-leak-in-PAC-checksum-verification.patch Patch19: fix-libkadm5-parameter-leak.patch Patch20: backport-CVE-2024-3596.patch +Patch21: backport-Avoid-mutex-locking-in-krb5int_trace.patch +Patch22: backport-Fix-unlikely-password-change-leak.patch +Patch23: backport-Allow-null-keyblocks-in-IOV-checksum-functions.patch +Patch24: backport-Fix-krb5_ldap_list_policy-filtering-loop.patch BuildRequires: gettext BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@@ -325,6 +329,9 @@ make -C src check || : %{_mandir}/man8/* %changelog +* Fri Nov 22 2024 liuh - 1.21.2-12 +- backport patches from upstream + * Thu Nov 07 2024 Funda Wang - 1.21.2-11 - fix CVE-2024-3596
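Review bot: `local_kaddr = *addrs[0];` still reads the first element without checking that krb5_os_localaddr() returned a non-empty list; the removed code made the same assumption, so the backport does not worsen it, but if that function can return 0 with an empty array (not visible here) this is a null dereference, and a guard on addrs[0] before the copy would make the assumption explicit. The shallow copy also makes local_kaddr.contents an alias into memory owned by addrs, which the new cleanup frees, so local_kaddr must not outlive the function on this path any more than on the getsockname() path where contents points into the stack object local_addr; a comment at the assignment, `/* Shallow copy: contents aliases addrs[0], released at cleanup. */`, records that. The cleanup call relies on krb5_free_addresses() accepting NULL, since addrs stays NULL when getsockname() supplies the address; that function is outside the hunk. kpasswd_sendto_msg_callback() starts before the first hunk.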