From 9c373bf497ac05e7634ea43d58bc583f2b6b73e5 Mon Sep 17 00:00:00 2001
From: liyunqing
Date: Tue, 10 Dec 2024 16:53:27 +0800
Subject: [PATCH] backport patch to fix segfaults when krb5.conf is invalid
---
 ...sure-invalid-krb5-context-is-not-use.patch | 54 +++++++++++++++++++
 sssd.spec | 9 +++-
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 backport-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch
diff --git a/backport-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch b/backport-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch
new file mode 100644
index 0000000..d33cda0
--- /dev/null
+++ b/backport-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch
@@ -0,0 +1,54 @@
+From fce94aec3f335cbe33c509b14e389b9df0748744 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 21 Nov 2024 09:16:09 +0100
+Subject: [PATCH] ldap_child: make sure invalid krb5 context is not used
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves: https://github.com/SSSD/sssd/issues/7715
+
+Reviewed-by: Alejandro López
+Reviewed-by: Alexey Tikhonov
+---
+ src/util/sss_krb5.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
+index aa3b5b96e..6b6dd2069 100644
+--- a/src/util/sss_krb5.c
++++ b/src/util/sss_krb5.c
+@@ -45,6 +45,10 @@ const char *sss_printable_keytab_name(krb5_context ctx, const char *keytab_name)
+ return keytab_name;
+ }
+
++ if (ctx == NULL) {
++ return "-unknown-";
++ }
++
+ if (krb5_kt_default_name(ctx, buff, sizeof(buff)) != 0) {
+ return "-default keytab-";
+ }
+@@ -1122,8 +1126,9 @@ krb5_error_code sss_krb5_init_context(krb5_context *context)
+ {
+ krb5_error_code kerr;
+ const char *msg;
++ krb5_context ctx;
+
+- kerr = krb5_init_context(context);
++ kerr = krb5_init_context(&ctx);
+ if (kerr != 0) {
+ /* It is safe to call (sss_)krb5_get_error_message() with NULL as first
+ * argument. */
+@@ -1132,6 +1137,8 @@ krb5_error_code sss_krb5_init_context(krb5_context *context)
+ "Failed to init Kerberos context [%s]\n", msg);
+ sss_log(SSS_LOG_CRIT, "Failed to init Kerberos context [%s]\n", msg);
+ sss_krb5_free_error_message(NULL, msg);
++ } else {
++ *context = ctx;
+ }
+
+ return kerr;
+--
+2.43.0
+
diff --git a/sssd.spec b/sssd.spec
index bd54f27..5fd131e 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -8,7 +8,7 @@
 
 Name: sssd
 Version: 2.9.5
-Release: 3
+Release: 4
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
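Review bot: On the failure path of `sss_krb5_init_context` (inner hunk `@@ -1122,8 +1126,9 @@` of the new patch file) `*context` is now never written, whereas before `krb5_init_context` stored into the caller's variable directly; a caller that passes an uninitialized `krb5_context` and afterwards tests it against NULL or hands it to `krb5_free_context` still sees whatever was on its stack. Adding `*context = NULL;` as the first statement after `if (kerr != 0) {` makes the new contract explicit and cheap, and the declaration in the header should state that `*context` is assigned only on success. Whether every caller NULL-initializes first cannot be checked from this hunk, and the same remark applies to the hunk `@@ -1132,6 +1137,8 @@` that introduces the `else` branch. The function's closing brace lies past the end of the inner hunk.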
@@ -20,6 +20,7 @@ Patch0003: backport-honor-ad_use_ldaps-setting-with-ad_machine_pw_renewal.patch
 Patch0004: backport-mistype-fix.patch
 Patch0005: backport-add-option-for-dp_opt_dyndns_refresh_offset.patch
 Patch0006: backport-test-default_dyndns_opts.patch
+Patch0007: backport-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch
 
 Requires: sssd-ad = %{version}-%{release}
 Requires: sssd-common = %{version}-%{release}
@@ -919,6 +920,12 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Tue Dec 10 2024 liyunqing - 2.9.5-4
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:Sync upstream patches to fix segfaults when krb5.conf is invalid
+
 * Mon Dec 02 2024 Majianhan - 2.9.5-3
 - Adds the missing dns_update_per_family option to support separate or combined DNS updates for A and AAAA records.
 - Ensures the ad_use_ldaps setting is passed correctly to the adcli update command for secure AD machine account password renewals.
-- Gitee