From 25af6c2f1b68ba8a0e8ca0684bf793900c865e31 Mon Sep 17 00:00:00 2001
From: Linux_zhang
Date: Mon, 11 Aug 2025 18:44:42 +0800
Subject: [PATCH] backport upstream patches
---
 ...t-Check-lengths-in-xdr_krb5_key_data.patch | 39 +++++++++++++++
 ...ditional-in-kadm5_chpass_principal_3.patch | 31 ++++++++++++
 ...ness-in-LDAP-delegation-ACL-checking.patch | 48 +++++++++++++++++++
 ...t-Fix-kdb5_util-ark-with-no-e-option.patch | 30 ++++++++++++
 backport-Fix-typo-in-AS-REQ-client-code.patch | 31 ++++++++++++
 krb5.spec | 10 +++-
 6 files changed, 188 insertions(+), 1 deletion(-)
 create mode 100644 backport-Check-lengths-in-xdr_krb5_key_data.patch
 create mode 100644 backport-Fix-conditional-in-kadm5_chpass_principal_3.patch
 create mode 100644 backport-Fix-correctness-in-LDAP-delegation-ACL-checking.patch
 create mode 100644 backport-Fix-kdb5_util-ark-with-no-e-option.patch
 create mode 100644 backport-Fix-typo-in-AS-REQ-client-code.patch
diff --git a/backport-Check-lengths-in-xdr_krb5_key_data.patch b/backport-Check-lengths-in-xdr_krb5_key_data.patch
new file mode 100644
index 0000000..e6b2f5f
--- /dev/null
+++ b/backport-Check-lengths-in-xdr_krb5_key_data.patch
@@ -0,0 +1,39 @@
+From e195747d2f8a8e1cd1694d768dba9265439228d0 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Wed, 9 Apr 2025 20:19:02 -0400
+Subject: [PATCH] Check lengths in xdr_krb5_key_data()
+
+Ensure that xdr_krb5_key_data() does not produce an inconsistent
+representation if the serialized key_data_contents fields do not match
+the corresponding byte array lengths. (This function is only used by
+libkadm5srv to serialize historical key data in per-principal kadmin
+data.)
+
+ticket: 9172 (new)
+---
+ src/lib/kadm5/srv/adb_xdr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/lib/kadm5/srv/adb_xdr.c b/src/lib/kadm5/srv/adb_xdr.c
+index b6ffdb8c7..b14cb96ee 100644
+--- a/src/lib/kadm5/srv/adb_xdr.c
++++ b/src/lib/kadm5/srv/adb_xdr.c
+@@ -36,11 +36,15 @@ xdr_krb5_key_data(XDR *xdrs, krb5_key_data *objp)
+ if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[0],
+ &tmp, ~0))
+ return FALSE;
++ if (tmp != objp->key_data_length[0])
++ return FALSE;
+
+ tmp = (unsigned int) objp->key_data_length[1];
+ if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[1],
+ &tmp, ~0))
+ return FALSE;
++ if (tmp != objp->key_data_length[1])
++ return FALSE;
+
+ /* don't need to copy tmp out, since key_data_length will be set
+ by the above encoding. */
+--
+2.43.0
+
diff --git a/backport-Fix-conditional-in-kadm5_chpass_principal_3.patch b/backport-Fix-conditional-in-kadm5_chpass_principal_3.patch
new file mode 100644
index 0000000..16d7b19
--- /dev/null
+++ b/backport-Fix-conditional-in-kadm5_chpass_principal_3.patch
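Review bot: The added `if (tmp != objp->key_data_length[0]) return FALSE;` check (and its twin for index 1) runs only after `xdr_bytes()` has already accepted the stream's length and, on decode, allocated a buffer for it, because the maxsize argument is still `~0`; an oversized length is therefore rejected after the allocation rather than before it. Passing the expected length as the bound, `&tmp, objp->key_data_length[0]))`, would make xdr_bytes() refuse an oversized value before allocating, with the new `!=` check still catching the shorter case; if staying byte-identical to upstream matters more for a backport, at least document the intent on the new lines, e.g. `/* Reject a stream whose byte-array length disagrees with key_data_length. */`. The buffer xdr_bytes() allocates on decode before the new early return is presumably released by the caller via xdr_free(); worth confirming against the 1.18.2 callers. xdr_krb5_key_data() begins and ends outside the hunk.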
@@ -0,0 +1,31 @@
+From 42e2a33ada511bd1b52df71d763bf1156355d332 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Wed, 9 Apr 2025 20:22:15 -0400
+Subject: [PATCH] Fix conditional in kadm5_chpass_principal_3()
+
+Ensure that kadm5_chpass_principal_3() does not reference pol or hist
+when the principal has a policy reference but the policy does not
+exist. (Both structures are zeroed in this case, so the resulting
+checks are pointless but have defined and harmless behavior.)
+---
+ src/lib/kadm5/srv/svr_principal.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
+index 1557937f2..8f381882d 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
++++ b/src/lib/kadm5/srv/svr_principal.c
+@@ -1304,9 +1304,7 @@ kadm5_chpass_principal_3(void *server_handle,
+ goto done;
+
+ kdb->pw_expiration = 0;
+- if ((adb.aux_attributes & KADM5_POLICY)) {
+- /* the policy was loaded before */
+-
++ if (have_pol) {
+ ret = check_pw_reuse(handle->context, hist_keyblocks,
+ kdb->n_key_data, kdb->key_data,
+ 1, &hist);
+--
+2.43.0
+
diff --git a/backport-Fix-correctness-in-LDAP-delegation-ACL-checking.patch b/backport-Fix-correctness-in-LDAP-delegation-ACL-checking.patch
new file mode 100644
index 0000000..894c761
--- /dev/null
+++ b/backport-Fix-correctness-in-LDAP-delegation-ACL-checking.patch
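Review bot: The replacement condition `if (have_pol) {` relies on a `have_pol` variable whose declaration and assignment are outside the hunk, and the upstream change was written against a newer tree than 1.18.2; if the 1.18.2 kadm5_chpass_principal_3() does not already define `have_pol`, the patch applies cleanly but the build fails, so compiling the package is the real check for this backport. The removed `/* the policy was loaded before */` comment was the only hint of the invariant the branch depends on; consider keeping one on the new line, e.g. `/* have_pol: the principal's policy was found above, so pol and hist are populated. */`. The enclosing function begins and ends outside the hunk.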
@@ -0,0 +1,48 @@
+From 8456b1f0f55fbb42f983df1418c65bef9c71ad66 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Fri, 11 Apr 2025 02:14:57 -0400
+Subject: [PATCH] Fix correctness in LDAP delegation ACL checking
+
+The LDAP KDB module synthesizes KRB5_TL_CONSTRAINED_DELEGATION_ACL
+tl-data when fetching a principal entry, and checks against those
+values in krb5_ldap_check_allowed_to_delegate(). To avoid a locally
+incorrect use of a counted data type, adjust the synthesized
+attributes to include the trailing zero byte in tl_data_length, and
+verify the zero terminator before calling krb5_parse_name() on the
+value.
+---
+ src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c | 4 +++-
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
+index 342e6df15..d2f872be4 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
+@@ -296,7 +296,9 @@ krb5_ldap_check_allowed_to_delegate(krb5_context context,
+ for (tlp = server->tl_data; tlp != NULL; tlp = tlp->tl_data_next) {
+ krb5_principal acl;
+
+- if (tlp->tl_data_type != KRB5_TL_CONSTRAINED_DELEGATION_ACL)
++ if (tlp->tl_data_type != KRB5_TL_CONSTRAINED_DELEGATION_ACL ||
++ tlp->tl_data_length < 1 ||
++ tlp->tl_data_contents[tlp->tl_data_length - 1] != '\0')
+ continue;
+
+ if (krb5_parse_name(context, (char *)tlp->tl_data_contents, &acl) != 0)
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+index f73f71adc..90b90183b 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+@@ -1606,7 +1606,7 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
+ if (tl == NULL)
+ goto cleanup;
+ tl->tl_data_type = KRB5_TL_CONSTRAINED_DELEGATION_ACL;
+- tl->tl_data_length = strlen(a2d2[i]);
++ tl->tl_data_length = strlen(a2d2[i]) + 1;
+ tl->tl_data_contents = (unsigned char *)strdup(a2d2[i]);
+ if (tl->tl_data_contents == NULL) {
+ ret = ENOMEM;
+--
+2.43.0
+
diff --git a/backport-Fix-kdb5_util-ark-with-no-e-option.patch b/backport-Fix-kdb5_util-ark-with-no-e-option.patch
new file mode 100644
index 0000000..ba68706
--- /dev/null
+++ b/backport-Fix-kdb5_util-ark-with-no-e-option.patch
@@ -0,0 +1,30 @@
+From edbd493a3ea5fcba195f65e142509a3cd1d73e83 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Fri, 18 Apr 2025 02:59:33 -0400
+Subject: [PATCH] Fix kdb5_util ark with no -e option
+
+Avoid passing NULL to krb5_string_to_keysalt() in add_random_key().
+When add_random_key() was first written, krb5_string_to_keysalts() did
+nothing on a null string input. After commit
+3576bd662be9b7cc2cca97065fe467e745542b69 it calls strdup(NULL) and
+crashes.
+---
+ src/kadmin/dbutil/kdb5_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
+index 88218dba7..96b4a2571 100644
+--- a/src/kadmin/dbutil/kdb5_util.c
++++ b/src/kadmin/dbutil/kdb5_util.c
+@@ -522,7 +522,7 @@ add_random_key(int argc, char **argv)
+
+ int free_keysalts;
+ char *me = progname;
+- char *ks_str = NULL;
++ char *ks_str = "";
+ char *pr_str;
+ krb5_keyblock *tmp_mkey;
+
+--
+2.43.0
+
diff --git a/backport-Fix-typo-in-AS-REQ-client-code.patch b/backport-Fix-typo-in-AS-REQ-client-code.patch
new file mode 100644
index 0000000..4eaff8a
--- /dev/null
+++ b/backport-Fix-typo-in-AS-REQ-client-code.patch
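Review bot: The new terminator condition in krb5_ldap_check_allowed_to_delegate() silently `continue`s past any KRB5_TL_CONSTRAINED_DELEGATION_ACL value that is empty or not NUL-terminated, which presumably fails closed (such an entry can never match) but leaves no trace of why an ACL value was ignored; a comment on the condition would save the next reader a trip to ldap_misc.c, e.g. `/* tl_data_length counts the trailing NUL added by populate_krb5_db_entry(); skip values without it rather than hand them to krb5_parse_name(). */`. The two inner hunks are coupled: the consumer now requires a terminator that only the changed producer emits, so any other writer of this tl-data type in the 1.18.2 tree that still stores `strlen()` alone would have its entries skipped — not visible here, worth checking. Both enclosing functions begin and end outside their hunks.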
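Review bot: `char *ks_str = "";` makes a non-const `char *` point at a string literal, which is only safe while nothing writes through or frees ks_str; the option parsing that may reassign it from argv is outside the hunk, and the visible `int free_keysalts;` suggests ownership is tracked for the parsed keysalts rather than for the string, so this is presumably fine but deserves a look at the rest of add_random_key() in 1.18.2. A one-line comment would record why the empty string replaced NULL: `/* Empty keysalt list, not NULL: krb5_string_to_keysalts() no longer accepts a null string. */`. The enclosing function begins and ends outside the hunk.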
@@ -0,0 +1,31 @@
+From 6f8292ca20bddf1de23b9f525e54a3a674c46b8b Mon Sep 17 00:00:00 2001
+From: "Richard E. Silverman"
+Date: Thu, 3 Apr 2025 22:09:11 -0400
+Subject: [PATCH] Fix typo in AS-REQ client code
+
+Add a missing "else" to init_creds_step_request(). The mistake was
+harmless because optimistic preauth can only be present for the first
+step, and the other conditions can only be true after the state
+machine has processed an error reply.
+
+[ghudson@mit.edu: rewrote commit message]
+---
+ src/lib/krb5/krb/get_in_tkt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index 4833255d9..4b2be41e7 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
++++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -1307,7 +1307,7 @@ init_creds_step_request(krb5_context context,
+ krb5_clear_error_message(context);
+ code = 0;
+ }
+- } if (ctx->more_padata != NULL) {
++ } else if (ctx->more_padata != NULL) {
+ /* Continuing after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. */
+ TRACE_INIT_CREDS_PREAUTH_MORE(context, ctx->selected_preauth_type);
+ code = k5_preauth(context, ctx, ctx->more_padata, TRUE,
+--
+2.43.0
+
diff --git a/krb5.spec b/krb5.spec
index 0a74273..242a94c 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -3,7 +3,7 @@
 Name: krb5
 Version: 1.18.2
-Release: 17
+Release: 18
 Summary: The Kerberos network authentication protocol
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -55,6 +55,11 @@ Patch32: backport-Avoid-mutex-locking-in-krb5int_trace.patch
 Patch33: backport-Fix-unlikely-password-change-leak.patch
 Patch34: backport-Fix-krb5_ldap_list_policy-filtering-loop.patch
 Patch35: backport-CVE-2025-24528.patch
+Patch36: backport-Check-lengths-in-xdr_krb5_key_data.patch
+Patch37: backport-Fix-conditional-in-kadm5_chpass_principal_3.patch
+Patch38: backport-Fix-correctness-in-LDAP-delegation-ACL-checking.patch
+Patch39: backport-Fix-kdb5_util-ark-with-no-e-option.patch
+Patch40: backport-Fix-typo-in-AS-REQ-client-code.patch
 BuildRequires: gettext
 BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@@ -346,6 +351,9 @@ make -C src check || :
 %{_mandir}/man8/*
 %changelog
+* Mon Aug 11 2025 Linux_zhang - 1.18.2-18
+- backport upstream patches
+
 * Thu Jan 30 2025 Funda Wang - 1.18.2-17
 - fix CVE-2025-24528
--
Gitee
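Review bot: Patch36–Patch40 are declared, but how patches are applied is outside the hunk; if this spec uses explicit `%patchN -p1` lines rather than `%autosetup`, each new entry needs a matching `%patch36 -p1` … `%patch40 -p1` or the backports are declared yet never applied, and the rebuilt 1.18.2-18 would carry none of the fixes. The `- backport upstream patches` changelog entry names none of them; listing the five subjects, or their upstream commit ids as given in the patch files, would let anyone auditing the package see what changed in this release without opening the patches.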