From ac1f0cbd674722e5489d87d2de2b7705046ea356 Mon Sep 17 00:00:00 2001
From: fangxiuning
Date: Fri, 25 Oct 2024 19:27:44 +0800
Subject: [PATCH] change
---
 ...rt-CLIENT-idmap-fix-coverity-warning.patch | 51 +++++++++++++++++++
 ...-SSH-sanity-check-to-please-coverity.patch | 48 +++++++++++++++++
 sssd.spec | 11 ++--
 3 files changed, 107 insertions(+), 3 deletions(-)
 create mode 100644 backport-CLIENT-idmap-fix-coverity-warning.patch
 create mode 100644 backport-SSH-sanity-check-to-please-coverity.patch
diff --git a/backport-CLIENT-idmap-fix-coverity-warning.patch b/backport-CLIENT-idmap-fix-coverity-warning.patch
new file mode 100644
index 0000000..d8ee642
--- /dev/null
+++ b/backport-CLIENT-idmap-fix-coverity-warning.patch
@@ -0,0 +1,51 @@
+From 7c913edc84e0201020b5ab770dd0823911387781 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Wed, 22 May 2024 20:19:05 +0200
+Subject: [PATCH] CLIENT:idmap: fix coverity warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes following issue:
+```
+"Error: INTEGER_OVERFLOW (CWE-190):
+sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:306:5: tainted_data_argument: The value returned in ""replen"" is considered tainted.
+sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:331:5: overflow: The expression ""replen - 12UL"" might be negative, but is used in a context that treats it as unsigned.
+sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:331:5: assign: Assigning: ""data_len"" = ""replen - 12UL"".
+sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:347:9: overflow: The expression ""1UL * data_len"" is deemed underflowed because at least one of its arguments has underflowed.
+sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:347:9: overflow_sink: ""1UL * data_len"", which might have underflowed, is passed to ""malloc(1UL * data_len)"".
+ # 345| }
+ # 346|
+ # 347|-> str = malloc(sizeof(char) * data_len);
+ # 348| if (str == NULL) {
+ # 349| ret = ENOMEM;"
+```
+
+Reviewed-by: Alejandro López
+
+Reference: https://github.com/SSSD/sssd/commit/7c913edc84e0201020b5ab770dd0823911387781
+Conflict: NA
+
+---
+ src/sss_client/idmap/sss_nss_idmap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/sss_client/idmap/sss_nss_idmap.c b/src/sss_client/idmap/sss_nss_idmap.c
+index 575d03057..604933c6d 100644
+--- a/src/sss_client/idmap/sss_nss_idmap.c
++++ b/src/sss_client/idmap/sss_nss_idmap.c
+@@ -324,6 +324,11 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd,
+ goto done;
+ }
+
++ if (replen < DATA_START) { /* make sure 'type' is present */
++ ret = EBADMSG;
++ goto done;
++ }
++
+ /* Skip first two 32 bit values (number of results and
+ * reserved padding) */
+ SAFEALIGN_COPY_UINT32(&out->type, repbuf + 2 * sizeof(uint32_t), NULL);
+--
+2.33.0
+
diff --git a/backport-SSH-sanity-check-to-please-coverity.patch b/backport-SSH-sanity-check-to-please-coverity.patch
new file mode 100644
index 0000000..aac9381
--- /dev/null
+++ b/backport-SSH-sanity-check-to-please-coverity.patch
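Review bot: The added guard `if (replen < DATA_START)` still admits `replen == DATA_START`, so the `data_len = replen - 12UL` assignment quoted in the commit message can come out as zero, and nothing in the hunk shows what the later `malloc(sizeof(char) * data_len)` path does with an empty payload. sss_nss_getyyybyxxx continues outside the hunk, so that case may already be rejected further down; if it is not, the string-returning branch needs its own `data_len == 0` rejection with `EBADMSG`. The inline comment names only 'type', while the Coverity finding is about the subtraction, so I would widen it to `/* reply must cover the header: the 'type' read and the data_len computation below rely on it */`.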
@@ -0,0 +1,48 @@
+From 19df6a5d2ed220e6236aa1c921b7abdeba233dd1 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Wed, 22 May 2024 21:13:31 +0200
+Subject: [PATCH] SSH: sanity check to please coverity
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes:
+```
+Error: INTEGER_OVERFLOW (CWE-190):
+sssd-2.10.0/src/util/sss_ssh.c:195:13: underflow: The decrement operator on the unsigned variable ""len"" might result in an underflow.
+sssd-2.10.0/src/util/sss_ssh.c:204:9: overflow_sink: ""len"", which might have underflowed, is passed to ""memcpy(out, pubkey->data, len)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
+ # 202| }
+ # 203|
+ # 204|-> memcpy(out, pubkey->data, len);
+ # 205| out[len] = '\0';
+ # 206| }
+```
+
+Reviewed-by: Alejandro López
+Reviewed-by: Justin Stephenson
+
+Reference: https://github.com/SSSD/sssd/commit/19df6a5d2ed220e6236aa1c921b7abdeba233dd1
+Conflict: NA
+
+---
+ src/util/sss_ssh.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/util/sss_ssh.c b/src/util/sss_ssh.c
+index 9df397873..f9c0918fd 100644
+--- a/src/util/sss_ssh.c
++++ b/src/util/sss_ssh.c
+@@ -191,6 +191,10 @@ sss_ssh_format_pubkey(TALLOC_CTX *mem_ctx,
+ }
+
+ len = pubkey->data_len;
++ if (len == 0) {
++ ret = EINVAL;
++ goto done;
++ }
+ if (pubkey->data[len - 1] == '\n') {
+ len--;
+ }
+--
+2.33.0
+
diff --git a/sssd.spec b/sssd.spec
index b40ff00..35edb08 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -1,6 +1,6 @@
 Name: sssd
 Version: 2.6.1
-Release: 16
+Release: 17
 Summary: System Security Services Daemon
 License: GPLv3+ and LGPLv3+
 URL: https://pagure.io/SSSD/sssd/
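Review bot: The new `len == 0` check in sss_ssh_format_pubkey runs only before the trailing-newline strip, so a key whose data is a single '\n' passes it and reaches the `memcpy(out, pubkey->data, len)` shown in the Coverity excerpt with `len` back at zero, producing an empty formatted key. If an empty key should be rejected rather than emitted, repeat the test after the `len--` block: `if (len == 0) { ret = EINVAL; goto done; }`. The guard also deserves a comment saying what it prevents, since the subject line frames it as a Coverity appeasement: `/* empty key: data[len - 1] below would index with a wrapped unsigned value */`. The function starts and ends outside the hunk, so the handling after `done:` is not visible here.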
@@ -52,8 +52,10 @@ Patch6042: backport-CVE-2023-3758.patch Patch6043: backport-UTILS-inotify-avoid-potential-NULL-deref.patch Patch6044: backport-ad-refresh-root-domain-when-read-directly.patch Patch6045: backport-RESPONDER-use-proper-context-for-getDomains.patch -Patch6046: backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch -Patch6047: backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch +Patch6046: backport-SSH-sanity-check-to-please-coverity.patch +Patch6047: backport-CLIENT-idmap-fix-coverity-warning.patch +Patch6048: backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch +Patch6049: backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch Requires: python3-sssd = %{version}-%{release} Requires: libldb @@ -561,6 +563,9 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Fri Oct 25 2024 fangxiuning - 2.6.1-17 +- backport patches to fix bugs + * Sun Sep 29 2024 fangxiuning - 2.6.1-16 - backport upstream patches -- Gitee
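Review bot: The two new backports take over `Patch6046` and `Patch6047`, and the existing sysdb and sssd.in patches are renumbered to `Patch6048` and `Patch6049`, so patch numbers from the previous release now point at different files. Unless the application order matters here, appending keeps the existing numbers stable and the diff to two added lines: `Patch6048: backport-SSH-sanity-check-to-please-coverity.patch` and `Patch6049: backport-CLIENT-idmap-fix-coverity-warning.patch`. The `%changelog` entry in the following hunk says only "backport patches to fix bugs"; naming the two CWE-190 fixes (sss_nss_idmap reply length, sss_ssh empty key) would let package consumers see which hardening landed in 2.6.1-17.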