diff --git a/backport-KCM-another-memory-leak-fixed.patch b/backport-KCM-another-memory-leak-fixed.patch new file mode 100644 index 0000000000000000000000000000000000000000..c80ba80c836f5d47658c0f89511b5581599e8358 --- /dev/null +++ b/backport-KCM-another-memory-leak-fixed.patch @@ -0,0 +1,58 @@ +From 9e72bc242b600158d7920b2b98644efa42fd1ffa Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 12 Feb 2025 11:30:22 +0100 +Subject: [PATCH] KCM: another memory leak fixed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +``` +... + talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabc0a0 + talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaa84f90 + talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabf520 +... +``` + +Reviewed-by: Alejandro López +--- + src/responder/kcm/kcmsrv_ccache.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c +index f614156cc..bf8daffd0 100644 +--- a/src/responder/kcm/kcmsrv_ccache.c ++++ b/src/responder/kcm/kcmsrv_ccache.c +@@ -407,7 +407,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx, + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { +- goto done; ++ goto fail; + } + + for (cred = kcm_cc_get_cred(cc); cred != NULL; cred = kcm_cc_next_cred(cred)) { +@@ -420,7 +420,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx, + cred_list[i] = kcm_cred_to_krb5(krb_context, cred); + if (cred_list[i] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to convert kcm cred to krb5\n"); +- goto done; ++ goto fail; + } + } + +@@ -429,8 +429,10 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx, + + talloc_steal(mem_ctx, cred_list); + ++ talloc_free(tmp_ctx); + return cred_list; +-done: ++ ++fail: + talloc_free(tmp_ctx); + return NULL; + #endif +-- +2.43.0 + diff --git a/backport-KCM-fix-memory-leak.patch b/backport-KCM-fix-memory-leak.patch new file mode 100644 index 0000000000000000000000000000000000000000..1a02b755ba29691714a3c612a91dba781bffe177 --- /dev/null +++ b/backport-KCM-fix-memory-leak.patch @@ -0,0 +1,93 @@ +From 7f1b7c9689827df92e8b2166423d4e80688dbacb Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Tue, 4 Feb 2025 18:59:36 +0100 +Subject: [PATCH] KCM: fix memory leak +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The copy of 'secret' argument - `secret_val.data` - was left hanging +on `sss_sec_ctx`, effectively resulting in a memory leak. +But this copy isn't actually required as this data isn't modified in +below operations. +Skipping alloc+memcpy+erase is also beneficial performance wise. + +:fixes:'sssd_kcm' memory leak was fixed. + +Reviewed-by: Alejandro López +Reviewed-by: Justin Stephenson + +--- + src/responder/kcm/secrets/secrets.c | 28 ++++++++++++---------------- + 1 file changed, 12 insertions(+), 16 deletions(-) + +diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c +index a37edcc..a0e0154 100644 +--- a/src/responder/kcm/secrets/secrets.c ++++ b/src/responder/kcm/secrets/secrets.c +@@ -953,7 +953,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + size_t secret_len) + { + struct ldb_message *msg; +- struct ldb_val secret_val; ++ const struct ldb_val secret_val = { .length = secret_len, .data = secret }; + int ret; + + if (req == NULL || secret == NULL) { +@@ -1002,13 +1002,11 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- secret_val.length = secret_len; +- secret_val.data = talloc_memdup(req->sctx, secret, secret_len); +- if (!secret_val.data) { +- ret = ENOMEM; +- goto done; +- } +- ++ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data ++ * but rather copies a pointer under the hood. ++ * This is fine since no operations modifying this data are performed ++ * below and 'msg' is freed before function returns. ++ */ + ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +@@ -1050,7 +1048,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + size_t secret_len) + { + struct ldb_message *msg; +- struct ldb_val secret_val; ++ const struct ldb_val secret_val = { .length = secret_len, .data = secret }; + int ret; + + if (req == NULL || secret == NULL) { +@@ -1099,13 +1097,6 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- secret_val.length = secret_len; +- secret_val.data = talloc_memdup(req->sctx, secret, secret_len); +- if (!secret_val.data) { +- ret = ENOMEM; +- goto done; +- } +- + /* FIXME - should we have a lastUpdate timestamp? */ + ret = ldb_msg_add_empty(msg, SEC_ATTR_SECRET, LDB_FLAG_MOD_REPLACE, NULL); + if (ret != LDB_SUCCESS) { +@@ -1115,6 +1106,11 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + ++ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data ++ * but rather copies a pointer under the hood. ++ * This is fine since no operations modifying this data are performed ++ * below and 'msg' is freed before function returns. ++ */ + ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, +-- +2.43.0 + diff --git a/backport-PAM-fix-issue-found-by-Coverity.patch b/backport-PAM-fix-issue-found-by-Coverity.patch new file mode 100644 index 0000000000000000000000000000000000000000..7cb11fed4447e544e1110c0e758ab15c13da96cd --- /dev/null +++ b/backport-PAM-fix-issue-found-by-Coverity.patch @@ -0,0 +1,36 @@ +From c36c320d12e48178b041d9859e3035f0c65c4909 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Tue, 14 Jan 2025 12:35:43 +0100 +Subject: [PATCH] PAM: fix issue found by Coverity + +``` +1614 D(("Illegal task [%#x]", task)); + 9. out_of_scope: Variable buf goes out of scope. + +CID 530049: (#1 of 1): Resource leak (RESOURCE_LEAK) +10. leaked_storage: Variable rd going out of scope leaks the storage rd.data points to. +1615 return PAM_SYSTEM_ERR; +1616 } +``` + +Reviewed-by: Justin Stephenson +--- + src/sss_client/pam_sss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c +index 600c3616a..9aec74ce3 100644 +--- a/src/sss_client/pam_sss.c ++++ b/src/sss_client/pam_sss.c +@@ -1612,7 +1612,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, + break; + default: + D(("Illegal task [%#x]", task)); +- return PAM_SYSTEM_ERR; ++ pam_status = PAM_SYSTEM_ERR; + } + + done: +-- +2.43.0 + diff --git a/backport-failover-Make-failover-work-over-IP-families.patch b/backport-failover-Make-failover-work-over-IP-families.patch new file mode 100644 index 0000000000000000000000000000000000000000..068c870ec428dc84e2876c15af16bef1ac1c9266 --- /dev/null +++ b/backport-failover-Make-failover-work-over-IP-families.patch @@ -0,0 +1,305 @@ +From 537e586ba71672ec5e8167283230bc5783d81770 Mon Sep 17 00:00:00 2001 +From: Tomas Halman +Date: Fri, 18 Oct 2024 15:53:28 +0200 +Subject: [PATCH] failover: Make failover work over IP families +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Originally the option ipv4_first and ipv6_first was taken into account +when resolving IP address. + +When both families are resolvable but the primary is blocked on +firewall, the SSSD should try the secondary family before giving up. + +:relnote:SSSD now attempts to connect to the server using a secondary +protocol if the server is not reachable using the primary one. +See the lookup_family_order option. + +Reviewed-by: Alejandro López +Reviewed-by: Dan Lavu +--- + src/providers/backend.h | 1 + + src/providers/data_provider_fo.c | 13 +++- + src/providers/fail_over.c | 108 ++++++++++++++++++++++++++++++- + src/providers/fail_over.h | 16 +++++ + src/providers/fail_over_srv.c | 1 + + 5 files changed, 133 insertions(+), 6 deletions(-) + +diff --git a/src/providers/backend.h b/src/providers/backend.h +index 96dc611de..7972741f6 100644 +--- a/src/providers/backend.h ++++ b/src/providers/backend.h +@@ -56,6 +56,7 @@ struct be_svc_data { + + char *last_good_srv; + int last_good_port; ++ int last_good_family; + time_t last_status_change; + bool run_callbacks; + +diff --git a/src/providers/data_provider_fo.c b/src/providers/data_provider_fo.c +index c23f92e35..9d742725c 100644 +--- a/src/providers/data_provider_fo.c ++++ b/src/providers/data_provider_fo.c +@@ -22,6 +22,7 @@ + #include + #include + #include "providers/backend.h" ++#include "providers/fail_over.h" + #include "resolv/async_resolv.h" + + struct be_svc_callback { +@@ -670,9 +671,13 @@ errno_t be_resolve_server_process(struct tevent_req *subreq, + DEBUG(SSSDBG_TRACE_LIBS, "Saving the first resolved server\n"); + state->svc->first_resolved = state->srv; + } else if (state->svc->first_resolved == state->srv) { +- DEBUG(SSSDBG_OP_FAILURE, +- "The fail over cycled through all available servers\n"); +- return ENOENT; ++ /* check that this is not the first attempt to second IP family */ ++ if (fo_get_server_family(state->srv) != ++ fo_get_server_secondary_family(state->srv)) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "The fail over cycled through all available servers\n"); ++ return ENOENT; ++ } + } + + if (fo_get_server_name(state->srv)) { +@@ -713,6 +718,7 @@ errno_t be_resolve_server_process(struct tevent_req *subreq, + if (state->svc->last_good_srv == NULL || + strcmp(fo_get_server_name(state->srv), state->svc->last_good_srv) != 0 || + fo_get_server_port(state->srv) != state->svc->last_good_port || ++ fo_get_server_family(state->srv) != state->svc->last_good_family || + state->svc->run_callbacks || + srv_status_change > state->svc->last_status_change) { + state->svc->last_status_change = srv_status_change; +@@ -727,6 +733,7 @@ errno_t be_resolve_server_process(struct tevent_req *subreq, + talloc_free(state->svc->last_good_srv); + state->svc->last_good_srv = srvname; + state->svc->last_good_port = fo_get_server_port(state->srv); ++ state->svc->last_good_family = fo_get_server_family(state->srv); + + DLIST_FOR_EACH(callback, state->svc->callbacks) { + callback->fn(callback->private_data, state->srv); +diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c +index 7f94407c5..ae3e1c664 100644 +--- a/src/providers/fail_over.c ++++ b/src/providers/fail_over.c +@@ -23,6 +23,7 @@ + along with this program. If not, see . + */ + ++#include + #include + + #include +@@ -30,6 +31,7 @@ + #include + #include + #include ++#include + + #include "util/dlinklist.h" + #include "util/refcount.h" +@@ -268,6 +270,8 @@ str_server_status(enum server_status status) + return "working"; + case SERVER_NOT_WORKING: + return "not working"; ++ case SERVER_SECOND_FAMILY: ++ return "second family"; + } + + return "unknown server status"; +@@ -481,6 +485,74 @@ service_destructor(struct fo_service *service) + return 0; + } + ++static bool fo_is_ip_address(char *name) ++{ ++ struct sockaddr_in sa; ++ int result; ++ ++ result = inet_pton(AF_INET, name, &(sa.sin_addr)); ++ if (result == 1) { ++ return true; ++ } ++ result = inet_pton(AF_INET6, name, &(sa.sin_addr)); ++ return (result == 1); ++} ++ ++static bool ++try_another_family(struct fo_server *server) { ++ enum restrict_family family_order; ++ ++ if ( ++ server == NULL || ++ server->common == NULL || ++ server->common->rhostent == NULL || ++ server->service == NULL || ++ server->service->ctx == NULL || ++ server->service->ctx->opts == NULL) { ++ return false; ++ } ++ ++ if (fo_is_ip_address(server->common->name)) { ++ return false; ++ } ++ ++ family_order = server->service->ctx->opts->family_order; ++ ++ if (server->common->rhostent->family == AF_INET && ++ family_order == IPV4_FIRST) { ++ ++ return true; ++ } ++ ++ if (server->common->rhostent->family == AF_INET6 && ++ family_order == IPV6_FIRST) { ++ ++ return true; ++ } ++ ++ return false; ++} ++ ++int ++fo_get_server_secondary_family(struct fo_server *server) { ++ if ( ++ server == NULL || ++ server->service == NULL || ++ server->service->ctx == NULL || ++ server->service->ctx->opts == NULL) { ++ return 0; ++ } ++ ++ switch (server->service->ctx->opts->family_order) { ++ case IPV4_FIRST: ++ return AF_INET6; ++ case IPV6_FIRST: ++ return AF_INET; ++ default: ++ return 0; ++ } ++} ++ + int + fo_new_service(struct fo_ctx *ctx, const char *name, + datacmp_fn user_data_cmp, +@@ -1193,13 +1265,28 @@ fo_resolve_service_server(struct tevent_req *req) + struct resolve_service_state); + struct tevent_req *subreq; + int ret; ++ enum restrict_family family_restriction; + ++ family_restriction = state->fo_ctx->opts->family_order; + switch (get_server_status(state->server)) { ++ case SERVER_SECOND_FAMILY: ++ switch (family_restriction) { ++ case IPV4_FIRST: ++ family_restriction = IPV6_ONLY; ++ break; ++ case IPV6_FIRST: ++ family_restriction = IPV4_ONLY; ++ break; ++ default: ++ break; ++ } ++ /* FALLTHROUGH */ ++ SSS_ATTRIBUTE_FALLTHROUGH; + case SERVER_NAME_NOT_RESOLVED: /* Request name resolution. */ + subreq = resolv_gethostbyname_send(state->server->common, + state->ev, state->resolv, + state->server->common->name, +- state->fo_ctx->opts->family_order, ++ family_restriction, + default_host_dbs); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); +@@ -1603,12 +1690,16 @@ fo_set_port_status(struct fo_server *server, enum port_status status) + } + + if (!server->common || !server->common->name) return; +- ++ if (status == PORT_NOT_WORKING && try_another_family(server)) { ++ set_server_common_status(server->common, SERVER_SECOND_FAMILY); ++ server->port_status = PORT_NEUTRAL; ++ status = PORT_NEUTRAL; ++ } + /* It is possible to introduce duplicates when expanding SRV results + * into fo_server structures. Find the duplicates and set the same + * status */ + DLIST_FOR_EACH(siter, server->service->server_list) { +- if (fo_server_cmp(siter, server)) { ++ if (fo_server_cmp(siter, server) && siter != server) { + DEBUG(SSSDBG_TRACE_FUNC, + "Marking port %d of duplicate server '%s' as '%s'\n", + siter->port, SERVER_NAME(siter), +@@ -1657,6 +1748,17 @@ fo_get_server_port(struct fo_server *server) + return server->port; + } + ++int ++fo_get_server_family(struct fo_server *server) ++{ ++ if (server != NULL && ++ server->common != NULL && ++ server->common->rhostent != NULL) { ++ return server->common->rhostent->family; ++ } ++ return 0; ++} ++ + const char * + fo_get_server_name(struct fo_server *server) + { +diff --git a/src/providers/fail_over.h b/src/providers/fail_over.h +index 924a09970..9ff3d06b8 100644 +--- a/src/providers/fail_over.h ++++ b/src/providers/fail_over.h +@@ -49,6 +49,7 @@ enum server_status { + SERVER_NAME_NOT_RESOLVED, /* We didn't yet resolved the host name. */ + SERVER_RESOLVING_NAME, /* Name resolving is in progress. */ + SERVER_NAME_RESOLVED, /* We resolved the host name but didn't try to connect. */ ++ SERVER_SECOND_FAMILY, /* We should try second protocol */ + SERVER_WORKING, /* We successfully connected to the server. */ + SERVER_NOT_WORKING /* We tried and failed to connect to the server. */ + }; +@@ -198,6 +199,21 @@ void *fo_get_server_user_data(struct fo_server *server); + + int fo_get_server_port(struct fo_server *server); + ++/* ++ * Get curently used/resolved inet family. ++ * Function returns AF_INET, AF_INET6 or 0 in case that ++ * name is not resolved yet. ++ */ ++int fo_get_server_family(struct fo_server *server); ++ ++/* ++ * Get secondary inet family if exists. ++ * Function returns AF_INET, AF_INET6 or 0 in case that there is no ++ * secondary family (for example if IPV4_ONLY is set). Note that ++ * this function returns what is configured, not what is actually used. ++ */ ++int fo_get_server_secondary_family(struct fo_server *server); ++ + const char *fo_get_server_name(struct fo_server *server); + + const char *fo_get_server_str_name(struct fo_server *server); +diff --git a/src/providers/fail_over_srv.c b/src/providers/fail_over_srv.c +index 5f474eaee..be68761a1 100644 +--- a/src/providers/fail_over_srv.c ++++ b/src/providers/fail_over_srv.c +@@ -440,6 +440,7 @@ struct fo_resolve_srv_dns_ctx { + char *hostname; + char *sssd_domain; + char *detected_domain; ++ bool last_family_tried; + }; + + struct fo_resolve_srv_dns_state { +-- +2.43.0 + diff --git a/backport-ipa-Check-sudo-command-threshold-correctly.patch b/backport-ipa-Check-sudo-command-threshold-correctly.patch new file mode 100644 index 0000000000000000000000000000000000000000..e380d361ee65967203a141ae5c2ca7cac6192bda --- /dev/null +++ b/backport-ipa-Check-sudo-command-threshold-correctly.patch @@ -0,0 +1,27 @@ +From 7a8da2762897005d854cb91eaf5024986c31f8e7 Mon Sep 17 00:00:00 2001 +From: Justin Stephenson +Date: Thu, 7 Nov 2024 14:20:03 -0500 +Subject: [PATCH] ipa: Check sudo command threshold correctly + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Sumit Bose +--- + src/providers/ipa/ipa_sudo_conversion.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c +index 220d937b6..a502b3228 100644 +--- a/src/providers/ipa/ipa_sudo_conversion.c ++++ b/src/providers/ipa/ipa_sudo_conversion.c +@@ -753,7 +753,7 @@ ipa_sudo_conv_cmd_filter(TALLOC_CTX *mem_ctx, + struct ipa_sudo_conv *conv, + int cmd_threshold) + { +- if (ipa_sudo_cmdgroups_exceed_threshold(conv, cmd_threshold)) { ++ if (ipa_sudo_cmds_exceed_threshold(conv, cmd_threshold)) { + DEBUG(SSSDBG_TRACE_FUNC, + "Command threshold [%d] exceeded, retrieving all sudo commands\n", + cmd_threshold); +-- +2.43.0 + diff --git a/backport-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch b/backport-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch new file mode 100644 index 0000000000000000000000000000000000000000..d33cda0c445d9bf0e9c5d584013fe841a9b31fae --- /dev/null +++ b/backport-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch @@ -0,0 +1,54 @@ +From fce94aec3f335cbe33c509b14e389b9df0748744 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 21 Nov 2024 09:16:09 +0100 +Subject: [PATCH] ldap_child: make sure invalid krb5 context is not used +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Resolves: https://github.com/SSSD/sssd/issues/7715 + +Reviewed-by: Alejandro López +Reviewed-by: Alexey Tikhonov +--- + src/util/sss_krb5.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c +index aa3b5b96e..6b6dd2069 100644 +--- a/src/util/sss_krb5.c ++++ b/src/util/sss_krb5.c +@@ -45,6 +45,10 @@ const char *sss_printable_keytab_name(krb5_context ctx, const char *keytab_name) + return keytab_name; + } + ++ if (ctx == NULL) { ++ return "-unknown-"; ++ } ++ + if (krb5_kt_default_name(ctx, buff, sizeof(buff)) != 0) { + return "-default keytab-"; + } +@@ -1122,8 +1126,9 @@ krb5_error_code sss_krb5_init_context(krb5_context *context) + { + krb5_error_code kerr; + const char *msg; ++ krb5_context ctx; + +- kerr = krb5_init_context(context); ++ kerr = krb5_init_context(&ctx); + if (kerr != 0) { + /* It is safe to call (sss_)krb5_get_error_message() with NULL as first + * argument. */ +@@ -1132,6 +1137,8 @@ krb5_error_code sss_krb5_init_context(krb5_context *context) + "Failed to init Kerberos context [%s]\n", msg); + sss_log(SSS_LOG_CRIT, "Failed to init Kerberos context [%s]\n", msg); + sss_krb5_free_error_message(NULL, msg); ++ } else { ++ *context = ctx; + } + + return kerr; +-- +2.43.0 + diff --git a/backport-pam_sss-add-some-missing-cleanup-calls.patch b/backport-pam_sss-add-some-missing-cleanup-calls.patch new file mode 100644 index 0000000000000000000000000000000000000000..728611b7abbc404245beeb7960c1810ccdf4bb36 --- /dev/null +++ b/backport-pam_sss-add-some-missing-cleanup-calls.patch @@ -0,0 +1,50 @@ +From 2d408edd97342b30761775e84108d605e423f2d3 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 1 Nov 2024 14:27:14 +0100 +Subject: [PATCH] pam_sss: add some missing cleanup calls. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch should avoid Coverity warnings like: + +./src/sss_client/pam_sss.c:3075:17: alloc_arg: "get_authtok_for_password_change" allocates memory that is stored into "pi.first_factor". +./src/sss_client/pam_sss.c:3090:25: leaked_storage: Variable "pi" going out of scope leaks the storage "pi.first_factor" points to. + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Tomáš Halman +--- + src/sss_client/pam_sss.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c +index 4350b7f7f..600c3616a 100644 +--- a/src/sss_client/pam_sss.c ++++ b/src/sss_client/pam_sss.c +@@ -3037,6 +3037,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, + if (ret != PAM_SUCCESS) { + D(("failed to get authentication token: %s", + pam_strerror(pamh, ret))); ++ overwrite_and_free_pam_items(&pi); + return ret; + } + break; +@@ -3091,6 +3092,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, + * would be invalid for the actual password change. So + * we are done. */ + ++ overwrite_and_free_pam_items(&pi); + return PAM_SUCCESS; + } + task = SSS_PAM_CHAUTHTOK_PRELIM; +@@ -3103,6 +3105,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, + break; + default: + D(("Illegal task [%#x]", task)); ++ overwrite_and_free_pam_items(&pi); + return PAM_SYSTEM_ERR; + } + +-- +2.43.0 + diff --git a/sssd.spec b/sssd.spec index 6a8a06e818a088608764f64722c9efb1a04c8417..7849edec7215e1efaedd84e77f8a62e991251c7f 100644 --- a/sssd.spec +++ b/sssd.spec @@ -8,7 +8,7 @@ Name: sssd Version: 2.9.4 -Release: 12 +Release: 13 Summary: System Security Services Daemon License: GPL-3.0-or-later URL: https://github.com/SSSD/sssd/ @@ -26,6 +26,13 @@ Patch0009: backport-Missing-dns_update_per_family-option.patch Patch0010: backport-TOOLS-mistype-fix.patch Patch0011: backport-ad-honor-ad_use_ldaps-setting-with-ad_machine_pw_ren.patch Patch0012: backport-Make-sure-invalid-krb5-context-is-not-used.patch +Patch0013: backport-failover-Make-failover-work-over-IP-families.patch +Patch0014: backport-ipa-Check-sudo-command-threshold-correctly.patch +Patch0015: backport-KCM-another-memory-leak-fixed.patch +Patch0016: backport-KCM-fix-memory-leak.patch +Patch0017: backport-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch +Patch0018: backport-PAM-fix-issue-found-by-Coverity.patch +Patch0019: backport-pam_sss-add-some-missing-cleanup-calls.patch Requires: sssd-ad = %{version}-%{release} Requires: sssd-common = %{version}-%{release} @@ -925,6 +932,9 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Mon Aug 11 2025 Linux_zhang - 2.9.4-13 +- backport upstream patches + * Tue Jul 01 2025 xuraoqing - 2.9.4-12 - remove rpath in sssd_kcm