diff --git a/backport-Check-lengths-in-xdr_krb5_key_data.patch b/backport-Check-lengths-in-xdr_krb5_key_data.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e6b2f5f6cac4e8beec4643dbfd1eb80d6c0ff020
--- /dev/null
+++ b/backport-Check-lengths-in-xdr_krb5_key_data.patch
@@ -0,0 +1,39 @@
+From e195747d2f8a8e1cd1694d768dba9265439228d0 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Wed, 9 Apr 2025 20:19:02 -0400
+Subject: [PATCH] Check lengths in xdr_krb5_key_data()
+
+Ensure that xdr_krb5_key_data() does not produce an inconsistent
+representation if the serialized key_data_contents fields do not match
+the corresponding byte array lengths. (This function is only used by
+libkadm5srv to serialize historical key data in per-principal kadmin
+data.)
+
+ticket: 9172 (new)
+---
+ src/lib/kadm5/srv/adb_xdr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/lib/kadm5/srv/adb_xdr.c b/src/lib/kadm5/srv/adb_xdr.c
+index b6ffdb8c7..b14cb96ee 100644
+--- a/src/lib/kadm5/srv/adb_xdr.c
++++ b/src/lib/kadm5/srv/adb_xdr.c
+@@ -36,11 +36,15 @@ xdr_krb5_key_data(XDR *xdrs, krb5_key_data *objp)
+ if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[0],
+ &tmp, ~0))
+ return FALSE;
++ if (tmp != objp->key_data_length[0])
++ return FALSE;
+ 
+ tmp = (unsigned int) objp->key_data_length[1];
+ if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[1],
+ &tmp, ~0))
+ return FALSE;
++ if (tmp != objp->key_data_length[1])
++ return FALSE;
+ 
+ /* don't need to copy tmp out, since key_data_length will be set
+ by the above encoding. */
+-- 
+2.43.0
+
diff --git a/backport-Fix-conditional-in-kadm5_chpass_principal_3.patch b/backport-Fix-conditional-in-kadm5_chpass_principal_3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..16d7b196e5150b1a51c5657fefcdef23ccce0b96
--- /dev/null
+++ b/backport-Fix-conditional-in-kadm5_chpass_principal_3.patch
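Review bot: The two added comparisons reject a mismatched length only after xdr_bytes() has decoded and, with `~0` as maxsize, allocated a buffer of whatever size the serialized record claims, so a corrupt kadmin record can still force a large allocation before being rejected. Since tmp is seeded from the already-decoded `objp->key_data_length[...]` (visibly so for index 1 at `tmp = (unsigned int) objp->key_data_length[1];`), passing that value as the maxsize argument instead of `~0` would bound the allocation under the usual xdr_bytes() contract of rejecting sizes above maxsize before allocating, while the new post-check still catches a shorter wire length. A mismatch return also leaves the buffer xdr_bytes() just attached to key_data_contents[0] (or [1]) inside objp, so decode-path callers presumably have to xdr_free the partially decoded entry; a comment on the first new check would make that explicit, e.g. `/* Wire length must match key_data_length; on failure the caller must xdr_free the partially decoded entry. */`. xdr_krb5_key_data() starts and ends outside the hunk.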
@@ -0,0 +1,31 @@
+From 42e2a33ada511bd1b52df71d763bf1156355d332 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Wed, 9 Apr 2025 20:22:15 -0400
+Subject: [PATCH] Fix conditional in kadm5_chpass_principal_3()
+
+Ensure that kadm5_chpass_principal_3() does not reference pol or hist
+when the principal has a policy reference but the policy does not
+exist. (Both structures are zeroed in this case, so the resulting
+checks are pointless but have defined and harmless behavior.)
+---
+ src/lib/kadm5/srv/svr_principal.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
+index 1557937f2..8f381882d 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
++++ b/src/lib/kadm5/srv/svr_principal.c
+@@ -1304,9 +1304,7 @@ kadm5_chpass_principal_3(void *server_handle,
+ goto done;
+ 
+ kdb->pw_expiration = 0;
+- if ((adb.aux_attributes & KADM5_POLICY)) {
+- /* the policy was loaded before */
+-
++ if (have_pol) {
+ ret = check_pw_reuse(handle->context, hist_keyblocks,
+ kdb->n_key_data, kdb->key_data,
+ 1, &hist);
+-- 
+2.43.0
+
diff --git a/backport-Fix-correctness-in-LDAP-delegation-ACL-checking.patch b/backport-Fix-correctness-in-LDAP-delegation-ACL-checking.patch
new file mode 100644
index 0000000000000000000000000000000000000000..894c76180c7c8703b9592ef672162a2e9607fbeb
--- /dev/null
+++ b/backport-Fix-correctness-in-LDAP-delegation-ACL-checking.patch
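Review bot: `if (have_pol) {` drops the only comment explaining why pol and hist may be used in this branch, and have_pol is assigned outside the hunk, so the reader now has to locate that assignment to understand the guard; a one-line comment would keep the invariant local, e.g. `/* have_pol: the principal's policy was loaded above; pol and hist are only valid then. */`. The commit message says pol and hist are zeroed when the policy is missing, so the old condition was harmless, but the new one is only as good as have_pol staying in sync with every path that loads or clears pol, which is worth confirming at the assignment site (not visible here). kadm5_chpass_principal_3() starts and ends outside the hunk.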
@@ -0,0 +1,48 @@
+From 8456b1f0f55fbb42f983df1418c65bef9c71ad66 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Fri, 11 Apr 2025 02:14:57 -0400
+Subject: [PATCH] Fix correctness in LDAP delegation ACL checking
+
+The LDAP KDB module synthesizes KRB5_TL_CONSTRAINED_DELEGATION_ACL
+tl-data when fetching a principal entry, and checks against those
+values in krb5_ldap_check_allowed_to_delegate(). To avoid a locally
+incorrect use of a counted data type, adjust the synthesized
+attributes to include the trailing zero byte in tl_data_length, and
+verify the zero terminator before calling krb5_parse_name() on the
+value.
+---
+ src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c | 4 +++-
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
+index 342e6df15..d2f872be4 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
+@@ -296,7 +296,9 @@ krb5_ldap_check_allowed_to_delegate(krb5_context context,
+ for (tlp = server->tl_data; tlp != NULL; tlp = tlp->tl_data_next) {
+ krb5_principal acl;
+ 
+- if (tlp->tl_data_type != KRB5_TL_CONSTRAINED_DELEGATION_ACL)
++ if (tlp->tl_data_type != KRB5_TL_CONSTRAINED_DELEGATION_ACL ||
++ tlp->tl_data_length < 1 ||
++ tlp->tl_data_contents[tlp->tl_data_length - 1] != '\0')
+ continue;
+ 
+ if (krb5_parse_name(context, (char *)tlp->tl_data_contents, &acl) != 0)
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+index f73f71adc..90b90183b 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+@@ -1606,7 +1606,7 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
+ if (tl == NULL)
+ goto cleanup;
+ tl->tl_data_type = KRB5_TL_CONSTRAINED_DELEGATION_ACL;
+- tl->tl_data_length = strlen(a2d2[i]);
++ tl->tl_data_length = strlen(a2d2[i]) + 1;
+ tl->tl_data_contents = (unsigned char *)strdup(a2d2[i]);
+ if (tl->tl_data_contents == NULL) {
+ ret = ENOMEM;
+-- 
+2.43.0
+
diff --git a/backport-Fix-kdb5_util-ark-with-no-e-option.patch b/backport-Fix-kdb5_util-ark-with-no-e-option.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ba6870689f55b9038f7c78142a045000da7dab56
--- /dev/null
+++ b/backport-Fix-kdb5_util-ark-with-no-e-option.patch
@@ -0,0 +1,30 @@
+From edbd493a3ea5fcba195f65e142509a3cd1d73e83 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Fri, 18 Apr 2025 02:59:33 -0400
+Subject: [PATCH] Fix kdb5_util ark with no -e option
+
+Avoid passing NULL to krb5_string_to_keysalt() in add_random_key().
+When add_random_key() was first written, krb5_string_to_keysalts() did
+nothing on a null string input. After commit
+3576bd662be9b7cc2cca97065fe467e745542b69 it calls strdup(NULL) and
+crashes.
+---
+ src/kadmin/dbutil/kdb5_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
+index 88218dba7..96b4a2571 100644
+--- a/src/kadmin/dbutil/kdb5_util.c
++++ b/src/kadmin/dbutil/kdb5_util.c
+@@ -522,7 +522,7 @@ add_random_key(int argc, char **argv)
+ 
+ int free_keysalts;
+ char *me = progname;
+- char *ks_str = NULL;
++ char *ks_str = "";
+ char *pr_str;
+ krb5_keyblock *tmp_mkey;
+ 
+-- 
+2.43.0
+
diff --git a/backport-Fix-typo-in-AS-REQ-client-code.patch b/backport-Fix-typo-in-AS-REQ-client-code.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4eaff8ad9c44a6f63061b5f57b24a4897aac2219
--- /dev/null
+++ b/backport-Fix-typo-in-AS-REQ-client-code.patch
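Review bot: In the ldap_misc.c hunk, `tl->tl_data_length = strlen(a2d2[i]) + 1;` stores a size_t into tl_data_length, which in krb5's krb5_tl_data is a 16-bit unsigned field if I recall correctly, so an ACL value of 65535 bytes or more is silently truncated on assignment. The new terminator test in the kdb_ldap.c hunk would then fail for that entry (the byte at the truncated index is not NUL) and the entry is skipped with no diagnostic, which fails closed but hides a misconfigured delegation attribute. An explicit range check before the assignment makes the limit visible and reportable, e.g. `if (strlen(a2d2[i]) + 1 > UINT16_MAX) { ret = /* error code this function uses for bad data */; goto cleanup; }`, reusing the `goto cleanup` path already present in the hunk. Both populate_krb5_db_entry() and krb5_ldap_check_allowed_to_delegate() start and end outside their hunks.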
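Review bot: `char *ks_str = "";` avoids the strdup(NULL) crash, but the reason the empty string is safe — presumably that krb5_string_to_keysalts() yields zero keysalts for it so add_random_key() falls back to the realm defaults — is not recorded, and the fallback code is outside this hunk; a comment on the line would keep that reasoning with the fix, e.g. `char *ks_str = "";   /* no -e: empty list, caller falls back to the default keysalts */`. If any later code in add_random_key() still distinguishes a missing -e by testing `ks_str == NULL`, the empty string now bypasses that branch, so the use sites (not visible here) are worth checking. add_random_key() starts and ends outside the hunk.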
@@ -0,0 +1,31 @@
+From 6f8292ca20bddf1de23b9f525e54a3a674c46b8b Mon Sep 17 00:00:00 2001
+From: "Richard E. Silverman"
+Date: Thu, 3 Apr 2025 22:09:11 -0400
+Subject: [PATCH] Fix typo in AS-REQ client code
+
+Add a missing "else" to init_creds_step_request(). The mistake was
+harmless because optimistic preauth can only be present for the first
+step, and the other conditions can only be true after the state
+machine has processed an error reply.
+
+[ghudson@mit.edu: rewrote commit message]
+---
+ src/lib/krb5/krb/get_in_tkt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index 4833255d9..4b2be41e7 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
++++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -1307,7 +1307,7 @@ init_creds_step_request(krb5_context context,
+ krb5_clear_error_message(context);
+ code = 0;
+ }
+- } if (ctx->more_padata != NULL) {
++ } else if (ctx->more_padata != NULL) {
+ /* Continuing after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. */
+ TRACE_INIT_CREDS_PREAUTH_MORE(context, ctx->selected_preauth_type);
+ code = k5_preauth(context, ctx, ctx->more_padata, TRUE,
+-- 
+2.43.0
+
diff --git a/krb5.spec b/krb5.spec
index e1f6756426fcab8d3c9784c32c544c2d4a92601d..6cdb86559dbb58a610a203d46f990238345be193 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -3,7 +3,7 @@
 Name: krb5
 Version: 1.21.2
-Release: 15
+Release: 16
 Summary: The Kerberos network authentication protocol
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -54,6 +54,11 @@ Patch30: backport-Fix-minor-logic-errors.patch
 Patch31: backport-Fix-type-violation-in-libkrad.patch
 Patch32: backport-Fix-various-small-logic-errors.patch
 Patch33: backport-Prevent-undefined-shift-in-decode_krb5_flags.patch
+Patch34: backport-Check-lengths-in-xdr_krb5_key_data.patch
+Patch35: backport-Fix-conditional-in-kadm5_chpass_principal_3.patch
+Patch36: backport-Fix-correctness-in-LDAP-delegation-ACL-checking.patch
+Patch37: backport-Fix-kdb5_util-ark-with-no-e-option.patch
+Patch38: backport-Fix-typo-in-AS-REQ-client-code.patch
 
 BuildRequires: gettext
 BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@@ -338,6 +343,9 @@ make -C src check || :
 %{_mandir}/man8/*
 
 %changelog
+* Mon Aug 11 2025 Linux_zhang - 1.21.2-16
+- backport upstream patches
+
 * Tue Mar 25 2025 Linux_zhang - 1.21.2-15
 - backport patches to fix bugs
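Review bot: The five new `Patch34`–`Patch38` tags are registered, but nothing in this hunk applies them; if %prep uses `%autosetup -p1` they are picked up automatically, whereas if it applies patches with explicit `%patch` lines (the %prep section is not visible here) each new tag needs a matching apply line or the build silently ships without these fixes. The changelog line `- backport upstream patches` gives no hint of what changed; naming the fixes keeps the package history searchable, e.g. `- backport upstream patches: xdr_krb5_key_data length checks, LDAP delegation ACL terminator check, kdb5_util ark crash without -e, kadm5_chpass_principal_3 conditional, AS-REQ else typo`.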