From 160115576c838154450e5cd4aa5cfd9324de4208 Mon Sep 17 00:00:00 2001
From: wjiang
Date: Wed, 4 Dec 2024 10:24:31 +0800
Subject: [PATCH] backport patch from upstream community
(cherry picked from commit 6c307c246cb8b6578f4b1873022e7de73c7ed713)
---
 ...ypto_us_timeofday-microseconds-check.patch | 48 +++++
 ...s-issues-detected-by-static-analysis.patch | 175 ++++++++++++++++++
 ...late-initialization-of-GSS-error-map.patch | 91 +++++++++
 krb5.spec | 8 +-
 4 files changed, 321 insertions(+), 1 deletion(-)
 create mode 100644 backport-Fix-krb5_crypto_us_timeofday-microseconds-check.patch
 create mode 100644 backport-Fix-various-issues-detected-by-static-analysis.patch
 create mode 100644 backport-Prevent-late-initialization-of-GSS-error-map.patch
diff --git a/backport-Fix-krb5_crypto_us_timeofday-microseconds-check.patch b/backport-Fix-krb5_crypto_us_timeofday-microseconds-check.patch
new file mode 100644
index 0000000..b0ed742
--- /dev/null
+++ b/backport-Fix-krb5_crypto_us_timeofday-microseconds-check.patch
@@ -0,0 +1,48 @@
+From 6f6d795be8d0dd0a46952cf8afa59b65d71df744 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Thu, 3 Oct 2024 18:40:04 +0200
+Subject: [PATCH] Fix krb5_crypto_us_timeofday() microseconds check
+
+Commit a60db180211a383bd382afe729e9309acb8dcf53 mistakenly reversed
+the sense of the krb5_crypto_us_timeofday() conditional that enforces
+fowards movement of the microseconds value within a second. Moreover,
+the macros ts_after() and ts_incr() should not have been applied to
+non-timestamp values. Revert the incorrect changes.
+
+[ghudson@mit.edu: rewrote commit message]
+
+ticket: 9141 (new)
+tags: pullup
+target_version: 1.21-next
+
+Reference:https://github.com/krb5/krb5/commit/6f6d795be8d0dd0a46952cf8afa59b65d71df744
+Conflict:NA
+
+---
+ src/lib/krb5/os/c_ustime.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
+index f69f2ea4c..7019ea197 100644
+--- a/src/lib/krb5/os/c_ustime.c
++++ b/src/lib/krb5/os/c_ustime.c
+@@ -106,14 +106,14 @@ krb5_crypto_us_timeofday(krb5_timestamp *seconds, krb5_int32 *microseconds)
+ need to properly handle the case where the administrator intentionally
+ adjusted time backwards. */
+ if (now.sec == ts_incr(last_time.sec, -1) ||
+- (now.sec == last_time.sec && !ts_after(last_time.usec, now.usec))) {
++ (now.sec == last_time.sec && now.usec <= last_time.usec)) {
+ /* Correct 'now' to be exactly one microsecond later than 'last_time'.
+ Note that _because_ we perform this hack, 'now' may be _earlier_
+ than 'last_time', even though the system time is monotonically
+ increasing. */
+
+ now.sec = last_time.sec;
+- now.usec = ts_incr(last_time.usec, 1);
++ now.usec = last_time.usec + 1;
+ if (now.usec >= 1000000) {
+ now.sec = ts_incr(now.sec, 1);
+ now.usec = 0;
+--
+2.33.0
+
diff --git a/backport-Fix-various-issues-detected-by-static-analysis.patch b/backport-Fix-various-issues-detected-by-static-analysis.patch
new file mode 100644
index 0000000..cc3a16c
--- /dev/null
+++ b/backport-Fix-various-issues-detected-by-static-analysis.patch
@@ -0,0 +1,175 @@
+From a96541981ee34c8642ddeb6101b98e883e41c6e5 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Fri, 6 Sep 2024 17:18:11 +0200
+Subject: [PATCH] Fix various issues detected by static analysis
+
+In klists's show_credential(), ensure that the column counter doesn't
+decrease if printf() fails.
+
+In process_k5beta7_princ(), bounds-check the e_length field.
+
+In ndr_enc_delegation_info(), initialize b so it is always valid for
+the cleanup handler.
+
+In krb5_dbe_def_decrypt_key_data(), change the flow control so ret is
+always set by the end of the function. Return KRB5_KDB_INVALIDKEYSIZE
+if there isn't enough data in the first key_data_contents field or if
+the serialized key length is invalid.
+
+In svcauth_gss_validate(), expand rpchdr to accomodate the header plus
+MAX_AUTH_BYTES.
+
+In svcudp_reply(), change slen to unsigned to match the return type of
+XDR_GETPOS() and eliminate an unnecessary check for slen >= 0.
+
+In krb5int_pthread_loaded()(), remove pthread_equal() from the weak
+symbol checks. It is implemented as an inline function in some glibc
+versions, which makes the comparison "&pthread_equal == 0" always
+false.
+
+[ghudson@mit.edu: further modified krb5_dbe_def_decrypt_key_data() for
+clarity; added detail to commit message]
+
+Reference:https://github.com/krb5/krb5/commit/a96541981ee34c8642ddeb6101b98e883e41c6e5
+Conflict:src/kdc/ndr.c,src/lib/kdb/decrypt_key.c
+
+---
+ src/clients/klist/klist.c | 12 ++++++------
+ src/kadmin/dbutil/dump.c | 5 +++++
+ src/lib/rpc/svc_auth_gss.c | 5 ++++-
+ src/lib/rpc/svc_udp.c | 13 +++++++------
+ src/util/support/threads.c | 2 --
+ 5 files changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
+index 394c75b..1511c59 100644
+--- a/src/clients/klist/klist.c
++++ b/src/clients/klist/klist.c
+@@ -681,7 +681,7 @@ show_credential(krb5_creds *cred, const char *defname)
+ krb5_error_code ret;
+ krb5_ticket *tkt = NULL;
+ char *name = NULL, *sname = NULL, *tktsname, *flags;
+- int extra_field = 0, ccol = 0, i;
++ int extra_field = 0, ccol = 0, i, r;
+ krb5_boolean is_config = krb5_is_config_principal(context, cred->server);
+
+ ret = krb5_unparse_name(context, cred->client, &name);
+@@ -711,11 +711,11 @@ show_credential(krb5_creds *cred, const char *defname)
+ fputs("config: ", stdout);
+ ccol = 8;
+ for (i = 1; i < cred->server->length; i++) {
+- ccol += printf("%s%.*s%s",
+- i > 1 ? "(" : "",
+- (int)cred->server->data[i].length,
+- cred->server->data[i].data,
+- i > 1 ? ")" : "");
++ r = printf("%s%.*s%s", i > 1 ? "(" : "",
++ (int)cred->server->data[i].length,
++ cred->server->data[i].data, i > 1 ? ")" : "");
++ if (r >= 0)
++ ccol += r;
+ }
+ fputs(" = ", stdout);
+ ccol += 3;
+diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
+index 4d6cc0b..feb053d 100644
+--- a/src/kadmin/dbutil/dump.c
++++ b/src/kadmin/dbutil/dump.c
+@@ -704,6 +704,11 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
+
+ dbentry->len = u1;
+ dbentry->n_key_data = u4;
++
++ if (u5 > UINT16_MAX) {
++ load_err(fname, *linenop, _("invalid principal extra data size"));
++ goto fail;
++ }
+ dbentry->e_length = u5;
+
+ if (kp != NULL) {
+diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
+index aba7694..e290018 100644
+--- a/src/lib/rpc/svc_auth_gss.c
++++ b/src/lib/rpc/svc_auth_gss.c
+@@ -296,7 +296,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
+ struct opaque_auth *oa;
+ gss_buffer_desc rpcbuf, checksum;
+ OM_uint32 maj_stat, min_stat, qop_state;
+- u_char rpchdr[128];
++ u_char rpchdr[32 + MAX_AUTH_BYTES];
+ int32_t *buf;
+
+ log_debug("in svcauth_gss_validate()");
+@@ -314,6 +314,8 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
+ return (FALSE);
+
+ buf = (int32_t *)(void *)rpchdr;
++
++ /* Write the 32 first bytes of the header. */
+ IXDR_PUT_LONG(buf, msg->rm_xid);
+ IXDR_PUT_ENUM(buf, msg->rm_direction);
+ IXDR_PUT_LONG(buf, msg->rm_call.cb_rpcvers);
+@@ -322,6 +324,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
+ IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
+ IXDR_PUT_ENUM(buf, oa->oa_flavor);
+ IXDR_PUT_LONG(buf, oa->oa_length);
++
+ if (oa->oa_length) {
+ memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
+ buf += RNDUP(oa->oa_length) / sizeof(int32_t);
+diff --git a/src/lib/rpc/svc_udp.c b/src/lib/rpc/svc_udp.c
+index 8ecbdf2..3aff277 100644
+--- a/src/lib/rpc/svc_udp.c
++++ b/src/lib/rpc/svc_udp.c
+@@ -248,8 +248,9 @@ static bool_t svcudp_reply(
+ {
+ struct svcudp_data *su = su_data(xprt);
+ XDR *xdrs = &su->su_xdrs;
+- int slen;
++ u_int slen;
+ bool_t stat = FALSE;
++ ssize_t r;
+
+ xdrproc_t xdr_results = NULL;
+ caddr_t xdr_location = 0;
+@@ -272,12 +273,12 @@ static bool_t svcudp_reply(
+ if (xdr_replymsg(xdrs, msg) &&
+ (!has_args ||
+ (SVCAUTH_WRAP(xprt->xp_auth, xdrs, xdr_results, xdr_location)))) {
+- slen = (int)XDR_GETPOS(xdrs);
+- if (sendto(xprt->xp_sock, rpc_buffer(xprt), slen, 0,
+- (struct sockaddr *)&(xprt->xp_raddr), xprt->xp_addrlen)
+- == slen) {
++ slen = XDR_GETPOS(xdrs);
++ r = sendto(xprt->xp_sock, rpc_buffer(xprt), slen, 0,
++ (struct sockaddr *)&(xprt->xp_raddr), xprt->xp_addrlen);
++ if (r >= 0 && (u_int)r == slen) {
+ stat = TRUE;
+- if (su->su_cache && slen >= 0) {
++ if (su->su_cache) {
+ cache_set(xprt, (uint32_t) slen);
+ }
+ }
+diff --git a/src/util/support/threads.c b/src/util/support/threads.c
+index be7e4c2..4ded805 100644
+--- a/src/util/support/threads.c
++++ b/src/util/support/threads.c
+@@ -118,7 +118,6 @@ struct tsd_block {
+ # pragma weak pthread_mutex_destroy
+ # pragma weak pthread_mutex_init
+ # pragma weak pthread_self
+-# pragma weak pthread_equal
+ # pragma weak pthread_getspecific
+ # pragma weak pthread_setspecific
+ # pragma weak pthread_key_create
+@@ -151,7 +150,6 @@ int krb5int_pthread_loaded (void)
+ || &pthread_mutex_destroy == 0
+ || &pthread_mutex_init == 0
+ || &pthread_self == 0
+- || &pthread_equal == 0
+ /* Any program that's really multithreaded will have to be
+ able to create threads. */
+ || &pthread_create == 0
+--
+2.33.0
+
diff --git a/backport-Prevent-late-initialization-of-GSS-error-map.patch b/backport-Prevent-late-initialization-of-GSS-error-map.patch
new file mode 100644
index 0000000..00e9fe4
--- /dev/null
+++ b/backport-Prevent-late-initialization-of-GSS-error-map.patch
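Review bot: The new size `u_char rpchdr[32 + MAX_AUTH_BYTES]` in svcauth_gss_validate() is only sufficient if the later `memcpy((caddr_t)buf, oa->oa_base, oa->oa_length)` in the same function copies at most MAX_AUTH_BYTES, and nothing in these hunks checks that; presumably the bound is enforced when the opaque_auth was XDR-decoded, but that is outside this patch. A local guard on the blank line added after `IXDR_PUT_LONG(buf, oa->oa_length);`, e.g. `if (oa->oa_length > MAX_AUTH_BYTES) return (FALSE);`, would keep the buffer invariant next to the buffer it protects and match the function's existing `return (FALSE)` error style. The added comment `/* Write the 32 first bytes of the header. */` reads better as `/* Write the first 32 bytes of the header. */`. svcauth_gss_validate() begins and ends outside these hunks.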
@@ -0,0 +1,91 @@
+From bba0c36394cb88265da6e3d6566dd88b9c7978ca Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Mon, 21 Oct 2024 19:04:08 -0400
+Subject: [PATCH] Prevent late initialization of GSS error map
+
+Some of the peripheral libgssapi_krb5 utility functions, such as
+gss_str_to_oid(), do not access the mechanism list and therefore do
+not reach any of the calls to gssint_mechglue_initialize_library().
+If one of these functions is called early and produces an error, its
+call to map_error() will operate on the uninitialized error map. When
+the library is later initialized, any entries added to the error map
+this way will be leaked.
+
+To ensure that the error map is initialized before it is operated on,
+add library initialization calls to gssint_mecherrmap_map() and
+gssint_mecherrmap_get().
+
+ticket: 9145 (new)
+
+Reference:https://github.com/krb5/krb5/commit/bba0c36394cb88265da6e3d6566dd88b9c7978ca
+Conflict:src/lib/gssapi/generic/deps
+
+---
+ src/lib/gssapi/generic/Makefile.in | 2 +-
+ src/lib/gssapi/generic/deps | 6 ++++--
+ src/lib/gssapi/generic/util_errmap.c | 6 +++++-
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/gssapi/generic/Makefile.in b/src/lib/gssapi/generic/Makefile.in
+index 1a95a7d..ac69a85 100644
+--- a/src/lib/gssapi/generic/Makefile.in
++++ b/src/lib/gssapi/generic/Makefile.in
+@@ -1,6 +1,6 @@
+ mydir=lib$(S)gssapi$(S)generic
+ BUILDTOP=$(REL)..$(S)..$(S)..
+-LOCALINCLUDES = -I. -I$(srcdir) -I$(srcdir)/..
++LOCALINCLUDES = -I. -I$(srcdir) -I$(srcdir)/../mechglue
+
+ ##DOS##BUILDTOP = ..\..\..
+ ##DOS##PREFIXDIR=generic
+diff --git a/src/lib/gssapi/generic/deps b/src/lib/gssapi/generic/deps
+index 5b80e7f..222b088 100644
+--- a/src/lib/gssapi/generic/deps
++++ b/src/lib/gssapi/generic/deps
+@@ -59,8 +59,10 @@ util_buffer_set.so util_buffer_set.po $(OUTPRE)util_buffer_set.$(OBJEXT): \
+ util_buffer_set.c
+ util_errmap.so util_errmap.po $(OUTPRE)util_errmap.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
+- $(BUILDTOP)/include/gssapi/gssapi_alloc.h $(BUILDTOP)/include/krb5/krb5.h \
+- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-platform.h \
++ $(BUILDTOP)/include/gssapi/gssapi_alloc.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \
++ $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(srcdir)/../mechglue/mechglue.h \
++ $(srcdir)/../mechglue/mglueP.h $(top_srcdir)/include/k5-buf.h \
++ $(top_srcdir)/include/k5-input.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ errmap.h gssapiP_generic.h gssapi_err_generic.h gssapi_ext.h \
+ gssapi_generic.h util_errmap.c
+diff --git a/src/lib/gssapi/generic/util_errmap.c b/src/lib/gssapi/generic/util_errmap.c
+index 628a455..138310c 100644
+--- a/src/lib/gssapi/generic/util_errmap.c
++++ b/src/lib/gssapi/generic/util_errmap.c
+@@ -25,6 +25,7 @@
+ */
+
+ #include "gssapiP_generic.h"
++#include
+ #include
+ #ifndef _WIN32
+ #include
+@@ -181,6 +182,9 @@ OM_uint32 gssint_mecherrmap_map(OM_uint32 minor, const gss_OID_desc * oid)
+ f = stderr;
+ #endif
+
++ if (gssint_mechglue_initialize_library() != 0)
++ return 0;
++
+ me.code = minor;
+ me.mech = *oid;
+ k5_mutex_lock(&mutex);
+@@ -249,7 +253,7 @@ int gssint_mecherrmap_get(OM_uint32 minor, gss_OID mech_oid,
+ {
+ const struct mecherror *p;
+
+- if (minor == 0) {
++ if (minor == 0 || gssint_mechglue_initialize_library() != 0) {
+ return EINVAL;
+ }
+ k5_mutex_lock(&mutex);
+--
+2.33.0
+
diff --git a/krb5.spec b/krb5.spec
index 122e2cf..d0040b7 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -3,7 +3,7 @@
 Name: krb5
 Version: 1.21.2
-Release: 12
+Release: 13
 Summary: The Kerberos network authentication protocol
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -45,6 +45,9 @@
 Patch21: backport-Avoid-mutex-locking-in-krb5int_trace.patch
 Patch22: backport-Fix-unlikely-password-change-leak.patch
 Patch23: backport-Allow-null-keyblocks-in-IOV-checksum-functions.patch
 Patch24: backport-Fix-krb5_ldap_list_policy-filtering-loop.patch
+Patch25: backport-Fix-various-issues-detected-by-static-analysis.patch
+Patch26: backport-Fix-krb5_crypto_us_timeofday-microseconds-check.patch
+Patch27: backport-Prevent-late-initialization-of-GSS-error-map.patch
 BuildRequires: gettext
 BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@@ -329,6 +332,9 @@ make -C src check || :
 %{_mandir}/man8/*
 %changelog
+* Wed Dec 04 2024 wangjiang - 1.21.2-13
+- backport upstream patches
+
 * Fri Nov 22 2024 liuh - 1.21.2-12
 - backport patches from upstream
-- Gitee