10 Commits

openeuler-ci-bot
fd540423ee
!221 backport patches to fix bugs
From: @Linux_zhang2024 
Reviewed-by: @xuraoqing, @zhujianwei001 
Signed-off-by: @zhujianwei001
2025-03-25 03:13:01 +00:00
Linux_zhang
b9f4c01102 backport patches to fix bugs 2025-03-24 18:37:02 +08:00
openeuler-ci-bot
584746b1fd
!214 fix CVE-2025-24528
From: @fundawang 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
2025-02-08 08:09:33 +00:00
Funda Wang
fbc3997b11 fix CVE-2025-24528 2025-01-30 14:36:11 +08:00
openeuler-ci-bot
4b6f850714
!211 [sync] PR-208: backport patches from upstream
From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2024-12-11 09:15:09 +00:00
hugel
cd4109ef4a backport patches from upstream
(cherry picked from commit 416dcf308b3cd09f0adb446a9f1b8268906f45da)
2024-12-11 16:22:01 +08:00
openeuler-ci-bot
85f038468f
!200 [sync] PR-196: backport patch from upstream community
From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
2024-12-04 09:15:38 +00:00
wjiang
985a25382d backport patch from upstream community
(cherry picked from commit ee4b3d012921b96d5e49b8625acad581c29184ac)
2024-12-04 15:50:56 +08:00
openeuler-ci-bot
661d5896a2
!181 [sync] PR-178: Fix uncommon PKINIT memory leak
From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
2024-10-28 06:54:12 +00:00
yanshuai01
a5d212177e fix uncommon PKINIT memory leak
(cherry picked from commit 02466bccfeda756f5b0a20dcc02c02a37fff09c6)
2024-10-28 14:23:15 +08:00
16 changed files with 1470 additions and 1 deletions


@ -0,0 +1,70 @@
From 6217454323b39cedb1b03ac161ecb0ade3ad84e6 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 20 Oct 2024 02:09:26 -0400
Subject: [PATCH] Allow null keyblocks in IOV checksum functions
Null keyblocks are allowed by the libk5crypto checksum functions when
the checksum type is not keyed. However, krb5_c_make_checksum_iov()
and krb5_c_verify_checksum_iov() crash on null keyblock inputs because
they do not check before converting to krb5_key as their non-IOV
variants do. Add the missing null checks.
ticket: 9146 (new)
Reference:https://github.com/krb5/krb5/commit/6217454323b39cedb1b03ac161ecb0ade3ad84e6
Conflict:NA
---
src/lib/crypto/krb/make_checksum_iov.c | 10 ++++++----
src/lib/crypto/krb/verify_checksum_iov.c | 10 ++++++----
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/lib/crypto/krb/make_checksum_iov.c b/src/lib/crypto/krb/make_checksum_iov.c
index 549180df5..84e98b141 100644
--- a/src/lib/crypto/krb/make_checksum_iov.c
+++ b/src/lib/crypto/krb/make_checksum_iov.c
@@ -81,12 +81,14 @@ krb5_c_make_checksum_iov(krb5_context context,
krb5_crypto_iov *data,
size_t num_data)
{
- krb5_key key;
+ krb5_key key = NULL;
krb5_error_code ret;
- ret = krb5_k_create_key(context, keyblock, &key);
- if (ret != 0)
- return ret;
+ if (keyblock != NULL) {
+ ret = krb5_k_create_key(context, keyblock, &key);
+ if (ret != 0)
+ return ret;
+ }
ret = krb5_k_make_checksum_iov(context, cksumtype, key, usage,
data, num_data);
krb5_k_free_key(context, key);
diff --git a/src/lib/crypto/krb/verify_checksum_iov.c b/src/lib/crypto/krb/verify_checksum_iov.c
index fc76c0e26..47a25a93b 100644
--- a/src/lib/crypto/krb/verify_checksum_iov.c
+++ b/src/lib/crypto/krb/verify_checksum_iov.c
@@ -88,12 +88,14 @@ krb5_c_verify_checksum_iov(krb5_context context,
size_t num_data,
krb5_boolean *valid)
{
- krb5_key key;
+ krb5_key key = NULL;
krb5_error_code ret;
- ret = krb5_k_create_key(context, keyblock, &key);
- if (ret != 0)
- return ret;
+ if (keyblock != NULL) {
+ ret = krb5_k_create_key(context, keyblock, &key);
+ if (ret != 0)
+ return ret;
+ }
ret = krb5_k_verify_checksum_iov(context, checksum_type, key, usage, data,
num_data, valid);
krb5_k_free_key(context, key);
--
2.33.0
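Review bot: With this change krb5_c_make_checksum_iov() and krb5_c_verify_checksum_iov() can now hand a NULL key down to krb5_k_make_checksum_iov()/krb5_k_verify_checksum_iov(), and those functions still dereference `key->keyblock.enctype` when the checksum type is 0 (the mandatory-cksumtype lookup), so a caller passing a null keyblock together with checksum type 0 moves the crash one frame down rather than removing it. The companion upstream change that adds `&& key != NULL` to those `cksumtype == 0` conditions is included later in this same backport series ("Fix minor logic errors"), so the two patches must ship together; this one alone is not a complete fix. It also relies on krb5_k_free_key() tolerating a NULL key, which is not visible here and is worth confirming in the packaged crypto tree. Both patched functions continue past the end of their hunks.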


@ -0,0 +1,71 @@
From b03d55c2b841731c8194cb12566cad1d6d2ad3cb Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 4 Oct 2024 18:00:21 +0200
Subject: [PATCH] Avoid mutex locking in krb5int_trace()
Trace logging doesn't need unique timestamps, so the locking within
krb5_crypto_us_timeofday() makes trace logging slower for no reason.
Add a new helper k5_us_timeofday(), which is merely a wrapper around
the existing get_time_now(), and use it in krb5int_trace().
[ghudson@mit.edu: edited commit message]
---
src/include/k5-int.h | 1 +
src/lib/krb5/os/c_ustime.c | 15 +++++++++++++++
src/lib/krb5/os/trace.c | 2 +-
3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index fd79d7c..f492acb 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -697,6 +697,7 @@ krb5_error_code krb5int_c_copy_keyblock_contents(krb5_context context,
const krb5_keyblock *from,
krb5_keyblock *to);
+krb5_error_code k5_us_timeofday(krb5_timestamp *, krb5_int32 *);
krb5_error_code krb5_crypto_us_timeofday(krb5_timestamp *, krb5_int32 *);
/*
diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
index f69f2ea..265c3b3 100644
--- a/src/lib/krb5/os/c_ustime.c
+++ b/src/lib/krb5/os/c_ustime.c
@@ -73,6 +73,21 @@ get_time_now(struct time_now *n)
#endif
+krb5_error_code
+k5_us_timeofday(krb5_timestamp *seconds, krb5_int32 *microseconds)
+{
+ struct time_now now;
+ krb5_error_code err;
+
+ err = get_time_now(&now);
+ if (err)
+ return err;
+
+ *seconds = now.sec;
+ *microseconds = now.usec;
+ return 0;
+}
+
static struct time_now last_time;
krb5_error_code
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index c4058dd..2af459d 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -411,7 +411,7 @@ krb5int_trace(krb5_context context, const char *fmt, ...)
str = trace_format(context, fmt, ap);
if (str == NULL)
goto cleanup;
- if (krb5_crypto_us_timeofday(&sec, &usec) != 0)
+ if (k5_us_timeofday(&sec, &usec) != 0)
goto cleanup;
if (asprintf(&msg, "[%d] %u.%06d: %s\n", (int)getpid(),
(unsigned int)sec, (int)usec, str) < 0)
--
2.43.0
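Review bot: The new k5_us_timeofday() in the c_ustime.c hunk is added without a comment, and because it deliberately drops both the lock and the uniqueness fix-up that krb5_crypto_us_timeofday() applies, a future caller could pick it up by name and silently lose the unique-timestamp behaviour the locked function provides. I would document the contract above the definition: `/* Return the current time without locking and without the uniqueness guarantee of krb5_crypto_us_timeofday(); only for uses such as trace logging where repeated or non-increasing values are acceptable. */`, with a one-line version of the same warning on the prototype in k5-int.h. The krb5int_trace() hunk is mid-function; its start and end are outside this patch.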


@ -0,0 +1,59 @@
From 78ceba024b64d49612375be4a12d1c066b0bfbd0 Mon Sep 17 00:00:00 2001
From: Zoltan Borbely <Zoltan.Borbely@morganstanley.com>
Date: Tue, 28 Jan 2025 16:39:25 -0500
Subject: [PATCH] Prevent overflow when calculating ulog block size
In kdb_log.c:resize(), log an error and fail if the update size is
larger than the largest possible block size (2^16-1).
CVE-2025-24528:
In MIT krb5 release 1.7 and later with incremental propagation
enabled, an authenticated attacker can cause kadmind to write beyond
the end of the mapped region for the iprop log file, likely causing a
process crash.
[ghudson@mit.edu: edited commit message and added CVE description]
ticket: 9159 (new)
tags: pullup
target_version: 1.21-next
---
src/lib/kdb/kdb_log.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
index 2659a250187..68fae919a52 100644
--- a/src/lib/kdb/kdb_log.c
+++ b/src/lib/kdb/kdb_log.c
@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
*/
static krb5_error_code
resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
- unsigned int recsize)
+ unsigned int recsize, const kdb_incr_update_t *upd)
{
unsigned int new_block, new_size;
@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
new_block *= ULOG_BLOCK;
new_size += ulogentries * new_block;
+ if (new_block > UINT16_MAX) {
+ syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
+ upd->kdb_princ_name.utf8str_t_len,
+ upd->kdb_princ_name.utf8str_t_val);
+ return KRB5_LOG_ERROR;
+ }
if (new_size > MAXLOGLEN)
return KRB5_LOG_ERROR;
@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd)
recsize = sizeof(kdb_ent_header_t) + upd_size;
if (recsize > ulog->kdb_block) {
- retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
+ retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
if (retval)
return retval;
}
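Review bot: The new `new_block > UINT16_MAX` guard in resize() sits after `new_size += ulogentries * new_block;`, so the oversized block is still multiplied into the `unsigned int` `new_size` (which can wrap) before the update is rejected; moving the check to directly after `new_block *= ULOG_BLOCK;` rejects the record before any size arithmetic depends on it and keeps the later `new_size > MAXLOGLEN` test meaningful for the values that get that far. The syslog call passes `upd->kdb_princ_name.utf8str_t_len` as the `%.*s` precision, which must be an `int`; if that XDR field is unsigned in the packaged headers, an explicit `(int)` cast avoids a format warning and a negative precision for lengths above INT_MAX. Since the principal name comes from an authenticated but untrusted update, the bounded `%.*s` is the right way to log it and should not be replaced by a copy into a NUL-terminated buffer. resize() continues beyond the second hunk and store_update() starts before the third.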


@ -0,0 +1,30 @@
From 85c93922232300b0316546a2fc6dd93c7e2906cd Mon Sep 17 00:00:00 2001
From: Feng Guo <gardonkoo@163.com>
Date: Thu, 28 Nov 2024 21:32:37 +0800
Subject: [PATCH] Fix LDAP module leak on authentication error
In initialize_server(), unbind the server handle if authenticate()
fails.
[ghudson@mit.edu: rewrote commit message]
ticket: 9153 (new)
---
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
index 5e77d5e49..d19e2b761 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
@@ -189,6 +189,7 @@ initialize_server(krb5_ldap_context *ldap_context, krb5_ldap_server_info *info)
if (ret) {
info->server_status = OFF;
time(&info->downtime);
+ ldap_unbind_ext_s(server->ldap_handle, NULL, NULL);
free(server);
return ret;
}
--
2.33.0
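Review bot: The added `ldap_unbind_ext_s(server->ldap_handle, NULL, NULL);` assumes `server->ldap_handle` is valid on this error path; that holds if this `if (ret)` block is reached only from the authenticate() failure named in the commit message, but initialize_server() starts before the hunk, so it is worth confirming that no earlier failure (before the handle is initialised) lands in the same block, since libldap does not accept a NULL handle. A short comment would make the ownership explicit: `/* authenticate() failed: release the LDAP handle before dropping the server record. */`. initialize_server() starts and ends outside the hunk.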


@ -0,0 +1,48 @@
From 6f6d795be8d0dd0a46952cf8afa59b65d71df744 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 3 Oct 2024 18:40:04 +0200
Subject: [PATCH] Fix krb5_crypto_us_timeofday() microseconds check
Commit a60db180211a383bd382afe729e9309acb8dcf53 mistakenly reversed
the sense of the krb5_crypto_us_timeofday() conditional that enforces
fowards movement of the microseconds value within a second. Moreover,
the macros ts_after() and ts_incr() should not have been applied to
non-timestamp values. Revert the incorrect changes.
[ghudson@mit.edu: rewrote commit message]
ticket: 9141 (new)
tags: pullup
target_version: 1.21-next
Reference:https://github.com/krb5/krb5/commit/6f6d795be8d0dd0a46952cf8afa59b65d71df744
Conflict:NA
---
src/lib/krb5/os/c_ustime.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
index f69f2ea4c..7019ea197 100644
--- a/src/lib/krb5/os/c_ustime.c
+++ b/src/lib/krb5/os/c_ustime.c
@@ -106,14 +106,14 @@ krb5_crypto_us_timeofday(krb5_timestamp *seconds, krb5_int32 *microseconds)
need to properly handle the case where the administrator intentionally
adjusted time backwards. */
if (now.sec == ts_incr(last_time.sec, -1) ||
- (now.sec == last_time.sec && !ts_after(last_time.usec, now.usec))) {
+ (now.sec == last_time.sec && now.usec <= last_time.usec)) {
/* Correct 'now' to be exactly one microsecond later than 'last_time'.
Note that _because_ we perform this hack, 'now' may be _earlier_
than 'last_time', even though the system time is monotonically
increasing. */
now.sec = last_time.sec;
- now.usec = ts_incr(last_time.usec, 1);
+ now.usec = last_time.usec + 1;
if (now.usec >= 1000000) {
now.sec = ts_incr(now.sec, 1);
now.usec = 0;
--
2.33.0
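Review bot: The restored `now.usec <= last_time.usec` and `last_time.usec + 1` are correct only because usec is a bounded counter in [0, 1000000) that the following `if (now.usec >= 1000000)` normalises, whereas the seconds field is a wrapping timestamp that needs ts_after()/ts_incr(); nothing in the code says so, which is how the reverted change went wrong in the first place. I would add, above the comparison: `/* usec is a plain count in [0, 1000000), not a wrapping timestamp: compare and increment it directly; ts_after()/ts_incr() apply only to the seconds field. */`. This file is also touched by the k5_us_timeofday() patch in this series, against the same base blob (f69f2ea), so whichever applies second does so with an offset; the hunks are in different regions, so that is expected, but the patch order in the spec should be kept stable. krb5_crypto_us_timeofday() starts and ends outside the hunk.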


@ -0,0 +1,32 @@
From 0a23b0cd9466e8a7c6fb82fce185be6e0834ce26 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 27 Oct 2024 19:01:51 -0400
Subject: [PATCH] Fix krb5_ldap_list_policy() filtering loop
The loop at the end of this function is intended to ignore ticket
policy DNs that can't be converted to names. But it instead leaves a
hole in the output list if that happens, effectively truncating the
list and leaking any subsequent entries. Use the correct index for
the output list.
ticket: 9148 (new)
---
src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
index 4f48fd6..27a2235 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
@@ -382,7 +382,7 @@ krb5_ldap_list_policy(krb5_context context, char *containerdn, char ***policy)
for (i = 0, j = 0; list[i] != NULL; i++, j++) {
int ret;
- ret = krb5_ldap_policydn_to_name (context, list[i], &(*policy)[i]);
+ ret = krb5_ldap_policydn_to_name (context, list[i], &(*policy)[j]);
if (ret != 0)
j--;
}
--
2.43.0
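Review bot: After the index fix, a failed krb5_ldap_policydn_to_name() leaves whatever it may have written to `(*policy)[j]` in place and the `j--` then reuses that slot; if the helper can store a partially built string on failure (not visible here), the slot is overwritten without being freed, and if it is the last entry the stale value becomes the list terminator. A defensive `if (ret != 0) { free((*policy)[j]); (*policy)[j] = NULL; j--; }` keeps the output list NULL-terminated whatever the helper does on error, assuming `*policy` is zero-initialised when allocated (outside the hunk); if the helper is known never to write on failure, a one-line comment saying so would do instead. krb5_ldap_list_policy() starts and ends outside the hunk.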


@ -0,0 +1,36 @@
From f14651a9fe94aca2bc2569848d931e4ba7a318a7 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Fri, 11 Oct 2024 11:38:03 +0200
Subject: [PATCH] Fix libkadm5 parameter leak
Commit aa91cb5dbbd4356c7a9069f4f52a10f70d91bc00 added kadmind_listen,
kpasswd_listen, and iprop_listen fields to kadm5_config_params, but
did not add them to the fields freed in kadm5_free_config_params().
Add them now.
[ghudson@mit.edu: rewrote commit message]
Reference:https://github.com/krb5/krb5/commit/f14651a9fe94aca2bc2569848d931e4ba7a318a7
Conflict:NA
---
src/lib/kadm5/alt_prof.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
index e8c1f51ca..4eb840e64 100644
--- a/src/lib/kadm5/alt_prof.c
+++ b/src/lib/kadm5/alt_prof.c
@@ -839,6 +839,9 @@ kadm5_free_config_params(krb5_context context, kadm5_config_params *params)
free(params->acl_file);
free(params->realm);
free(params->iprop_logfile);
+ free(params->iprop_listen);
+ free(params->kadmind_listen);
+ free(params->kpasswd_listen);
return 0;
}
--
2.33.0
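Review bot: The three new free() calls only compile if the packaged kadm5_config_params already carries the `iprop_listen`, `kadmind_listen` and `kpasswd_listen` members introduced by upstream commit aa91cb5d (cited in the message); `Conflict:NA` attests that the hunk applies textually, not that those fields exist in this tree, so the build should be checked against the packaged kadm5.h. Like the existing frees, this also assumes callers zero the struct before use so that unset members are NULL — a comment on the function would make that contract explicit: `/* Frees every pointer member; the struct must have been zero-initialised so unset members are NULL. */`. kadm5_free_config_params() starts before the hunk.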


@ -0,0 +1,517 @@
From e50f46b210ddafe85cc917e2571516ade46bc65f Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 17 Nov 2024 13:54:12 -0500
Subject: [PATCH] Fix minor logic errors
In k5_externalize_auth_context(), serialize the correct field when
remote_port is set. This is not a reachable bug because the function
is only accessible via gss_export_sec_context(), and the GSS library
does not set a remote port.
In generic_gss_oid_to_str(), remove an inconsistently-applied test for
a null minor_status. Also remove minor_status null checks from
generic_gss_release_oid() and generic_gss_str_to_oid(), but add output
initializations and pointer checks to the API functions in g_oid_ops.c
in a similar manner to other GSSAPI functions. Remove
gssint_copy_oid_set() and replace its one call with a call to
generic_gss_copy_oid_set().
In the checksum functions, avoid crashing if the caller passes a null
key and checksum type 0. An error will be returned instead when
find_cksumtype() can't find the checksum type.
(krb5_k_verify_checksum() already had this check.)
In pkinit_open_session(), remove an unnecessary null check for
ctx->p11_module_name, and add a check for p11name being null due to an
asprintf() failure.
In profile_add_node(), add a check for null ret_node in the duplicate
subsection check. This is not a reachable bug because the function is
currently never called with null ret_node and null value.
In ksu's main(), check for krb5_cc_default_name() returning NULL
(which only happens on allocation failure). Also clean up some
vestiges left behind by commit
9ebae7cb434b9b177c0af85c67a6d6267f46bc68.
In ksu's get_authorized_princ_names(), close login_fp if we fail to
open k5users_path.
In the KDC and kpropd write_pid_file(), avoid briefly leaking the file
handle on write failure.
Reported by Valery Fedorenko.
Conflict:src/lib/gssapi/mechglue/g_oid_ops.c,src/kdc/main.c
---
src/clients/ksu/heuristic.c | 5 +-
src/clients/ksu/main.c | 30 +++-------
src/kadmin/server/ovsec_kadmd.c | 26 +++------
src/kdc/main.c | 9 +--
src/kprop/kpropd.c | 7 ++-
src/lib/crypto/krb/make_checksum.c | 2 +-
src/lib/crypto/krb/make_checksum_iov.c | 2 +-
src/lib/crypto/krb/verify_checksum_iov.c | 2 +-
src/lib/gssapi/generic/oid_ops.c | 9 +--
src/lib/gssapi/mechglue/g_oid_ops.c | 58 +++++++++++++++----
src/lib/gssapi/mechglue/mglueP.h | 6 --
src/lib/gssapi/spnego/spnego_mech.c | 2 +-
src/lib/krb5/krb/ser_actx.c | 2 +-
.../preauth/pkinit/pkinit_crypto_openssl.c | 30 +++++-----
src/util/profile/prof_tree.c | 3 +-
15 files changed, 104 insertions(+), 89 deletions(-)
diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c
index 47baa78..962b794 100644
--- a/src/clients/ksu/heuristic.c
+++ b/src/clients/ksu/heuristic.c
@@ -237,8 +237,11 @@ get_authorized_princ_names(luser, cmd, princ_list)
}
}
if (!k5users_flag){
- if ((users_fp = fopen(k5users_path, "r")) == NULL)
+ users_fp = fopen(k5users_path, "r");
+ if (users_fp == NULL) {
+ close_time(1, NULL, k5login_flag, login_fp);
return 0;
+ }
if ( fowner(users_fp, pwd->pw_uid) == FALSE){
close_time(k5users_flag,users_fp, k5login_flag,login_fp);
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index a7cb7ed..35ecf1b 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -107,7 +107,6 @@ main (argc, argv)
krb5_ccache cc_source = NULL;
const char * cc_source_tag = NULL;
- const char * cc_source_tag_tmp = NULL;
char * cmd = NULL, * exec_cmd = NULL;
int errflg = 0;
krb5_boolean auth_val;
@@ -281,23 +280,13 @@ main (argc, argv)
case 'c':
if (cc_source_tag == NULL) {
cc_source_tag = xstrdup(optarg);
- if ( strchr(cc_source_tag, ':')){
- cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
-
- if (!ks_ccache_name_is_initialized(ksu_context,
- cc_source_tag)) {
- com_err(prog_name, errno,
- _("while looking for credentials cache %s"),
- cc_source_tag_tmp);
- exit (1);
- }
- }
- else {
- fprintf(stderr, _("malformed credential cache name %s\n"),
+ if (!ks_ccache_name_is_initialized(ksu_context,
+ cc_source_tag)) {
+ com_err(prog_name, errno,
+ _("while looking for credentials cache %s"),
cc_source_tag);
- errflg++;
+ exit(1);
}
-
} else {
fprintf(stderr, _("Only one -c option allowed\n"));
errflg++;
@@ -381,11 +370,10 @@ main (argc, argv)
if (cc_source_tag == NULL){
cc_source_tag = krb5_cc_default_name(ksu_context);
- cc_source_tag_tmp = strchr(cc_source_tag, ':');
- if (cc_source_tag_tmp == 0)
- cc_source_tag_tmp = cc_source_tag;
- else
- cc_source_tag_tmp++;
+ if (cc_source_tag == NULL) {
+ fprintf(stderr, _("ksu: failed to get default ccache name\n"));
+ exit(1);
+ }
}
/* get a handle for the cache */
diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
index 73d9bac..fe78ad6 100644
--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -239,7 +239,7 @@ log_badverf(gss_name_t client_name, gss_name_t server_name,
OM_uint32 minor;
gss_buffer_desc client, server;
gss_OID gss_type;
- const char *a;
+ const char *a, *cname, *sname;
rpcproc_t proc;
unsigned int i;
const char *procname;
@@ -253,19 +253,11 @@ log_badverf(gss_name_t client_name, gss_name_t server_name,
(void)gss_display_name(&minor, client_name, &client, &gss_type);
(void)gss_display_name(&minor, server_name, &server, &gss_type);
- if (client.value == NULL) {
- client.value = "(null)";
- clen = sizeof("(null)") - 1;
- } else {
- clen = client.length;
- }
+ cname = (client.value == NULL) ? "(null)" : client.value;
+ clen = (client.value == NULL) ? sizeof("(null)") - 1 : client.length;
trunc_name(&clen, &cdots);
- if (server.value == NULL) {
- server.value = "(null)";
- slen = sizeof("(null)") - 1;
- } else {
- slen = server.length;
- }
+ sname = (server.value == NULL) ? "(null)" : server.value;
+ slen = (server.value == NULL) ? sizeof("(null)") - 1 : server.length;
trunc_name(&slen, &sdots);
a = client_addr(rqst->rq_xprt);
@@ -281,14 +273,14 @@ log_badverf(gss_name_t client_name, gss_name_t server_name,
krb5_klog_syslog(LOG_NOTICE,
_("WARNING! Forged/garbled request: %s, claimed "
"client = %.*s%s, server = %.*s%s, addr = %s"),
- procname, (int)clen, (char *)client.value, cdots,
- (int)slen, (char *)server.value, sdots, a);
+ procname, (int)clen, cname, cdots, (int)slen, sname,
+ sdots, a);
} else {
krb5_klog_syslog(LOG_NOTICE,
_("WARNING! Forged/garbled request: %d, claimed "
"client = %.*s%s, server = %.*s%s, addr = %s"),
- proc, (int)clen, (char *)client.value, cdots,
- (int)slen, (char *)server.value, sdots, a);
+ proc, (int)clen, cname, cdots, (int)slen, sname,
+ sdots, a);
}
(void)gss_release_buffer(&minor, &client);
diff --git a/src/kdc/main.c b/src/kdc/main.c
index d30e6cd..f11f141 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -871,14 +871,15 @@ write_pid_file(const char *path)
{
FILE *file;
unsigned long pid;
+ int st1, st2;
file = WRITABLEFOPEN(path, "w");
if (file == NULL)
return errno;
- pid = (unsigned long) getpid();
- if (fprintf(file, "%ld\n", pid) < 0 || fclose(file) == EOF)
- return errno;
- return 0;
+ pid = (unsigned long)getpid();
+ st1 = (fprintf(file, "%ld\n", pid) < 0) ? errno : 0;
+ st2 = (fclose(file) == EOF) ? errno : 0;
+ return st1 ? st1 : st2;
}
static void
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
index e0500d4..724ed95 100644
--- a/src/kprop/kpropd.c
+++ b/src/kprop/kpropd.c
@@ -180,14 +180,15 @@ write_pid_file(const char *path)
{
FILE *fp;
unsigned long pid;
+ int st1, st2;
fp = fopen(path, "w");
if (fp == NULL)
return errno;
pid = (unsigned long)getpid();
- if (fprintf(fp, "%ld\n", pid) < 0 || fclose(fp) == EOF)
- return errno;
- return 0;
+ st1 = (fprintf(fp, "%ld\n", pid) < 0) ? errno : 0;
+ st2 = (fclose(fp) == EOF) ? errno : 0;
+ return st1 ? st1 : st2;
}
typedef void (*sig_handler_fn)(int sig);
diff --git a/src/lib/crypto/krb/make_checksum.c b/src/lib/crypto/krb/make_checksum.c
index 398c84a..3c57e41 100644
--- a/src/lib/crypto/krb/make_checksum.c
+++ b/src/lib/crypto/krb/make_checksum.c
@@ -40,7 +40,7 @@ krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
krb5_octet *trunc;
krb5_error_code ret;
- if (cksumtype == 0) {
+ if (cksumtype == 0 && key != NULL) {
ret = krb5int_c_mandatory_cksumtype(context, key->keyblock.enctype,
&cksumtype);
if (ret != 0)
diff --git a/src/lib/crypto/krb/make_checksum_iov.c b/src/lib/crypto/krb/make_checksum_iov.c
index 84e98b1..c9e9da8 100644
--- a/src/lib/crypto/krb/make_checksum_iov.c
+++ b/src/lib/crypto/krb/make_checksum_iov.c
@@ -39,7 +39,7 @@ krb5_k_make_checksum_iov(krb5_context context,
krb5_crypto_iov *checksum;
const struct krb5_cksumtypes *ctp;
- if (cksumtype == 0) {
+ if (cksumtype == 0 && key != NULL) {
ret = krb5int_c_mandatory_cksumtype(context, key->keyblock.enctype,
&cksumtype);
if (ret != 0)
diff --git a/src/lib/crypto/krb/verify_checksum_iov.c b/src/lib/crypto/krb/verify_checksum_iov.c
index 47a25a9..532e45c 100644
--- a/src/lib/crypto/krb/verify_checksum_iov.c
+++ b/src/lib/crypto/krb/verify_checksum_iov.c
@@ -40,7 +40,7 @@ krb5_k_verify_checksum_iov(krb5_context context,
krb5_data computed;
krb5_crypto_iov *checksum;
- if (checksum_type == 0) {
+ if (checksum_type == 0 && key != NULL) {
ret = krb5int_c_mandatory_cksumtype(context, key->keyblock.enctype,
&checksum_type);
if (ret != 0)
diff --git a/src/lib/gssapi/generic/oid_ops.c b/src/lib/gssapi/generic/oid_ops.c
index 253d646..0d65a95 100644
--- a/src/lib/gssapi/generic/oid_ops.c
+++ b/src/lib/gssapi/generic/oid_ops.c
@@ -68,8 +68,7 @@
OM_uint32
generic_gss_release_oid(OM_uint32 *minor_status, gss_OID *oid)
{
- if (minor_status)
- *minor_status = 0;
+ *minor_status = 0;
if (oid == NULL || *oid == GSS_C_NO_OID)
return(GSS_S_COMPLETE);
@@ -245,8 +244,7 @@ generic_gss_oid_to_str(OM_uint32 *minor_status,
unsigned char *cp;
struct k5buf buf;
- if (minor_status != NULL)
- *minor_status = 0;
+ *minor_status = 0;
if (oid_str != GSS_C_NO_BUFFER) {
oid_str->length = 0;
@@ -353,8 +351,7 @@ generic_gss_str_to_oid(OM_uint32 *minor_status,
int brace = 0;
gss_OID oid;
- if (minor_status != NULL)
- *minor_status = 0;
+ *minor_status = 0;
if (oid_out != NULL)
*oid_out = GSS_C_NO_OID;
diff --git a/src/lib/gssapi/mechglue/g_oid_ops.c b/src/lib/gssapi/mechglue/g_oid_ops.c
index 1d7970c..035da76 100644
--- a/src/lib/gssapi/mechglue/g_oid_ops.c
+++ b/src/lib/gssapi/mechglue/g_oid_ops.c
@@ -38,6 +38,13 @@ gss_create_empty_oid_set(minor_status, oid_set)
gss_OID_set *oid_set;
{
OM_uint32 status;
+
+ if (minor_status != NULL)
+ *minor_status = 0;
+ if (oid_set != NULL)
+ *oid_set = GSS_C_NO_OID_SET;
+ if (minor_status == NULL || oid_set == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
status = generic_gss_create_empty_oid_set(minor_status, oid_set);
if (status != GSS_S_COMPLETE)
map_errcode(minor_status);
@@ -51,6 +58,14 @@ gss_add_oid_set_member(minor_status, member_oid, oid_set)
gss_OID_set *oid_set;
{
OM_uint32 status;
+
+ if (minor_status != NULL)
+ *minor_status = 0;
+ if (minor_status == NULL || oid_set == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
+ if (member_oid == GSS_C_NO_OID || member_oid->length == 0 ||
+ member_oid->elements == NULL)
+ return GSS_S_CALL_INACCESSIBLE_READ;
status = generic_gss_add_oid_set_member(minor_status, member_oid, oid_set);
if (status != GSS_S_COMPLETE)
map_errcode(minor_status);
@@ -64,6 +79,14 @@ gss_test_oid_set_member(minor_status, member, set, present)
gss_OID_set set;
int *present;
{
+ if (minor_status != NULL)
+ *minor_status = 0;
+ if (present != NULL)
+ *present = 0;
+ if (minor_status == NULL || present == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
+ if (member == GSS_C_NO_OID || set == GSS_C_NO_OID_SET)
+ return GSS_S_CALL_INACCESSIBLE_READ;
return generic_gss_test_oid_set_member(minor_status, member, set, present);
}
@@ -73,7 +96,19 @@ gss_oid_to_str(minor_status, oid, oid_str)
gss_OID oid;
gss_buffer_t oid_str;
{
- OM_uint32 status = generic_gss_oid_to_str(minor_status, oid, oid_str);
+ OM_uint32 status;
+
+ if (minor_status != NULL)
+ *minor_status = 0;
+ if (oid_str != GSS_C_NO_BUFFER) {
+ oid_str->length = 0;
+ oid_str->value = NULL;
+ }
+ if (minor_status == NULL || oid_str == GSS_C_NO_BUFFER)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
+ if (oid == GSS_C_NO_OID || oid->length == 0 || oid->elements == NULL)
+ return GSS_S_CALL_INACCESSIBLE_READ;
+ status = generic_gss_oid_to_str(minor_status, oid, oid_str);
if (status != GSS_S_COMPLETE)
map_errcode(minor_status);
return status;
@@ -85,21 +120,22 @@ gss_str_to_oid(minor_status, oid_str, oid)
gss_buffer_t oid_str;
gss_OID *oid;
{
- OM_uint32 status = generic_gss_str_to_oid(minor_status, oid_str, oid);
+ OM_uint32 status;
+
+ if (minor_status != NULL)
+ *minor_status = 0;
+ if (oid != NULL)
+ *oid = GSS_C_NO_OID;
+ if (minor_status == NULL || oid == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
+ if (GSS_EMPTY_BUFFER(oid_str))
+ return GSS_S_CALL_INACCESSIBLE_READ;
+ status = generic_gss_str_to_oid(minor_status, oid_str, oid);
if (status != GSS_S_COMPLETE)
map_errcode(minor_status);
return status;
}
-OM_uint32
-gssint_copy_oid_set(
- OM_uint32 *minor_status,
- const gss_OID_set_desc * const oidset,
- gss_OID_set *new_oidset)
-{
- return generic_gss_copy_oid_set(minor_status, oidset, new_oidset);
-}
-
int KRB5_CALLCONV
gss_oid_equal(
gss_const_OID first_oid,
diff --git a/src/lib/gssapi/mechglue/mglueP.h b/src/lib/gssapi/mechglue/mglueP.h
index 2b65939..f66a54a 100644
--- a/src/lib/gssapi/mechglue/mglueP.h
+++ b/src/lib/gssapi/mechglue/mglueP.h
@@ -806,12 +806,6 @@ OM_uint32 gssint_create_union_context(
gss_union_ctx_id_t * /* ctx_out */
);
-OM_uint32 gssint_copy_oid_set(
- OM_uint32 *, /* minor_status */
- const gss_OID_set_desc * const, /* oid set */
- gss_OID_set * /* new oid set */
-);
-
gss_OID gss_find_mechanism_from_name_type (gss_OID); /* name_type */
OM_uint32 gss_add_mech_name_type
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 654964c..f8b50d8 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -401,7 +401,7 @@ spnego_gss_acquire_cred_from(OM_uint32 *minor_status,
&amechs, time_rec);
if (actual_mechs && amechs != GSS_C_NULL_OID_SET) {
- (void) gssint_copy_oid_set(&tmpmin, amechs, actual_mechs);
+ (void) generic_gss_copy_oid_set(&tmpmin, amechs, actual_mechs);
}
(void) gss_release_oid_set(&tmpmin, &amechs);
diff --git a/src/lib/krb5/krb/ser_actx.c b/src/lib/krb5/krb/ser_actx.c
index 6de35a1..ed8e255 100644
--- a/src/lib/krb5/krb/ser_actx.c
+++ b/src/lib/krb5/krb/ser_actx.c
@@ -171,7 +171,7 @@ k5_externalize_auth_context(krb5_auth_context auth_context,
/* Now handle remote_port, if appropriate */
if (!kret && auth_context->remote_port) {
(void) krb5_ser_pack_int32(TOKEN_RPORT, &bp, &remain);
- kret = k5_externalize_address(auth_context->remote_addr,
+ kret = k5_externalize_address(auth_context->remote_port,
&bp, &remain);
}
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index f2e4dcb..3a98980 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -3735,20 +3735,22 @@ pkinit_open_session(krb5_context context,
/* Login if needed */
if (tinfo.flags & CKF_LOGIN_REQUIRED) {
- if (cctx->p11_module_name != NULL) {
- if (cctx->slotid != PK_NOSLOT) {
- if (asprintf(&p11name,
- "PKCS11:module_name=%s:slotid=%ld:token=%.*s",
- cctx->p11_module_name, (long)cctx->slotid,
- (int)label_len, tinfo.label) < 0)
- p11name = NULL;
- } else {
- if (asprintf(&p11name,
- "PKCS11:module_name=%s,token=%.*s",
- cctx->p11_module_name,
- (int)label_len, tinfo.label) < 0)
- p11name = NULL;
- }
+ if (cctx->slotid != PK_NOSLOT) {
+ if (asprintf(&p11name,
+ "PKCS11:module_name=%s:slotid=%ld:token=%.*s",
+ cctx->p11_module_name, (long)cctx->slotid,
+ (int)label_len, tinfo.label) < 0)
+ p11name = NULL;
+ } else {
+ if (asprintf(&p11name,
+ "PKCS11:module_name=%s,token=%.*s",
+ cctx->p11_module_name,
+ (int)label_len, tinfo.label) < 0)
+ p11name = NULL;
+ }
+ if (p11name == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
}
if (cctx->defer_id_prompt) {
/* Supply the identity name to be passed to the responder. */
diff --git a/src/util/profile/prof_tree.c b/src/util/profile/prof_tree.c
index b3c15ca..cecd33e 100644
--- a/src/util/profile/prof_tree.c
+++ b/src/util/profile/prof_tree.c
@@ -172,7 +172,8 @@ errcode_t profile_add_node(struct profile_node *section, const char *name,
} else if (value == NULL && cmp == 0 &&
p->value == NULL && p->deleted != 1) {
/* Found duplicate subsection, so don't make a new one. */
- *ret_node = p;
+ if (ret_node)
+ *ret_node = p;
return 0;
}
}
--
2.33.0
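Review bot: The oid_ops.c hunks make generic_gss_release_oid(), generic_gss_oid_to_str() and generic_gss_str_to_oid() dereference `minor_status` unconditionally, so every direct caller of those internal functions — not only the g_oid_ops.c wrappers that gain `GSS_S_CALL_INACCESSIBLE_WRITE` checks here — must now pass a non-NULL pointer, or a call that used to return cleanly becomes a NULL dereference. Those callers in the mech plugins and the mechglue release path are outside this patch, and g_oid_ops.c needed conflict resolution (`Conflict:src/lib/gssapi/mechglue/g_oid_ops.c`), so the packaged tree should be grepped for call sites passing NULL before this ships. Separately, the ksu main() hunk now routes `-c` names without a `:` type prefix through ks_ccache_name_is_initialized() instead of rejecting them as malformed, which is a user-visible behaviour change in a setuid program and deserves a line in the package changelog. Most hunks are mid-function; their enclosing definitions start and end outside this patch.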


@ -0,0 +1,62 @@
From aac785e5e050415f8b8cb29059d2f658f755e7e7 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 28 Oct 2024 11:51:54 -0400
Subject: [PATCH] Fix type violation in libkrad
remote.c uses casts to cover up a signature difference between
iterator() and krad_packet_iter_cb. The difference is unimportant in
typical platform ABIs, but calling the function this way is undefined
behavior (C99 6.3.2.8). Fix iterator() to conform to
krad_packet_iter_cb and remove the casts.
---
src/lib/krad/remote.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index fff04fe..63abda2 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -76,15 +76,15 @@ on_timeout(verto_ctx *ctx, verto_ev *ev);
/* Iterate over the set of outstanding packets. */
static const krad_packet *
-iterator(request **out)
+iterator(void *data, krb5_boolean cancel)
{
- request *tmp = *out;
+ request **rptr = data, *req = *rptr;
- if (tmp == NULL)
+ if (cancel || req == NULL)
return NULL;
- *out = K5_TAILQ_NEXT(tmp, list);
- return tmp->request;
+ *rptr = K5_TAILQ_NEXT(req, list);
+ return req->request;
}
/* Create a new request. */
@@ -349,8 +349,7 @@ on_io_read(krad_remote *rr)
/* Decode the packet. */
tmp = K5_TAILQ_FIRST(&rr->list);
retval = krad_packet_decode_response(rr->kctx, rr->secret, &rr->buffer,
- (krad_packet_iter_cb)iterator, &tmp,
- &req, &rsp);
+ iterator, &tmp, &req, &rsp);
rr->buffer.length = 0;
if (retval != 0)
return;
@@ -452,7 +451,7 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
r = K5_TAILQ_FIRST(&rr->list);
retval = krad_packet_new_request(rr->kctx, rr->secret, code, attrs,
- (krad_packet_iter_cb)iterator, &r, &tmp);
+ iterator, &r, &tmp);
if (retval != 0)
goto error;
else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL &&
--
2.33.0
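Review bot: The rewritten iterator() now has the krad_packet_iter_cb shape, but nothing says what `data` points to or what `cancel` means, and since `cancel` returns NULL without advancing `*rptr` a reader cannot tell from the hunk whether leaving the cursor untouched is intentional. I would replace the existing one-line comment with: `/* krad_packet_iter_cb over the outstanding requests: data is a request ** cursor advanced on each call; a true cancel ends iteration and leaves the cursor untouched. */`. on_io_read() and kr_remote_send() both start outside their hunks.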


@ -0,0 +1,58 @@
From 441736872285e6538e6b6c78eab60862d3b6dcaa Mon Sep 17 00:00:00 2001
From: sashan <anedvedicky@gmail.com>
Date: Sun, 29 May 2022 10:32:57 +0200
Subject: [PATCH] Fix uncommon PKINIT memory leak
PKINIT per-request module data objects are normally created by
pkinit_server_verify_padata() and freed by
pkinit_server_return_padata(). In some unusual circumstances, the KDC
may not call the return_padata method after verification succeeds.
Add a free_modreq method and free the object there instead.
[ghudson@mit.edu: rewrote commit message]
(cherry picked from commit 883415036a4b4e0372b84a5a6e46c10b3a67aba0)
ticket: 9065
version_fixed: 1.19.4
---
src/plugins/preauth/pkinit/pkinit_srv.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 3ae56c0..26fcccc 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1026,7 +1026,6 @@ pkinit_server_return_padata(krb5_context context,
(*send_pa)->contents = (krb5_octet *) out_data->data;
cleanup:
- pkinit_fini_kdc_req_context(context, reqctx);
free(scratch.data);
free(out_data);
if (encoded_dhkey_info != NULL)
@@ -1615,6 +1614,13 @@ pkinit_fini_kdc_req_context(krb5_context context, void *ctx)
free(reqctx);
}
+static void
+pkinit_free_modreq(krb5_context context, krb5_kdcpreauth_moddata moddata,
+ krb5_kdcpreauth_modreq modreq)
+{
+ pkinit_fini_kdc_req_context(context, modreq);
+}
+
krb5_error_code
kdcpreauth_pkinit_initvt(krb5_context context, int maj_ver, int min_ver,
krb5_plugin_vtable vtable);
@@ -1636,5 +1642,6 @@ kdcpreauth_pkinit_initvt(krb5_context context, int maj_ver, int min_ver,
vt->edata = pkinit_server_get_edata;
vt->verify = pkinit_server_verify_padata;
vt->return_padata = pkinit_server_return_padata;
+ vt->free_modreq = pkinit_free_modreq;
return 0;
}
--
2.27.0
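Review bot: pkinit_free_modreq() in the pkinit_srv.c hunk is added without a comment, and because the commit moves the only free of the per-request context out of the cleanup label in pkinit_server_return_padata(), the ownership rule should be written down where it is now enforced: `/* free_modreq vtable hook: releases the per-request context created by verify, whether or not return_padata ran. */`. The unused `moddata` parameter is presumably required by the vtable signature; if the project marks such parameters, this one should be marked too. pkinit_server_return_padata() and kdcpreauth_pkinit_initvt() continue outside the hunks.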

@ -0,0 +1,62 @@
From 038793c3083f44c4fb62626c12f80c80147029cf Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Fri, 11 Oct 2024 12:45:13 +0200
Subject: [PATCH] Fix unlikely password change leak
In kpasswd_sendto_msg_callback(), if getsockname() does not reveal the
local address, a copy of the first local address's contents is made
and never freed. Instead of making an allocated copy of the address
contents, make a shallow copy of the whole address. Delay freeing the
address array until the end of the function so that alias pointer made
by the shallow copy remains valid.
[ghudson@mit.edu: further simplified code; rewrote commit message]
---
src/lib/krb5/os/changepw.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
index c592325..9cae409 100644
--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
@@ -115,6 +115,7 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
struct sendto_callback_context *ctx = data;
GETSOCKNAME_ARG3_TYPE addrlen;
krb5_data output;
+ krb5_address **addrs = NULL;
memset (message, 0, sizeof(krb5_data));
@@ -143,20 +144,10 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr);
local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr;
} else {
- krb5_address **addrs;
-
code = krb5_os_localaddr(ctx->context, &addrs);
if (code)
goto cleanup;
-
- local_kaddr.magic = addrs[0]->magic;
- local_kaddr.addrtype = addrs[0]->addrtype;
- local_kaddr.length = addrs[0]->length;
- local_kaddr.contents = k5memdup(addrs[0]->contents, addrs[0]->length,
- &code);
- krb5_free_addresses(ctx->context, addrs);
- if (local_kaddr.contents == NULL)
- goto cleanup;
+ local_kaddr = *addrs[0];
}
@@ -193,6 +184,7 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
message->data = output.data;
cleanup:
+ krb5_free_addresses(ctx->context, addrs);
return code;
}
--
2.43.0
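Review bot: `local_kaddr = *addrs[0];` in the second changepw.c hunk dereferences the first element without checking that krb5_os_localaddr() returned a non-empty array; the removed lines made the same assumption, so this may be guaranteed by that function, but it is worth confirming and, if it is not, failing with an explicit `addrs[0] == NULL` check before the copy. The shallow copy also deserves a comment, because local_kaddr.contents now aliases memory that stays valid only until the `krb5_free_addresses()` at cleanup: `/* Shallow copy; addrs is kept alive until cleanup so contents stays valid. */`. kpasswd_sendto_msg_callback() continues between and outside the hunks, so uses of local_kaddr there rely on that lifetime.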

@ -0,0 +1,175 @@
From a96541981ee34c8642ddeb6101b98e883e41c6e5 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Fri, 6 Sep 2024 17:18:11 +0200
Subject: [PATCH] Fix various issues detected by static analysis
In klists's show_credential(), ensure that the column counter doesn't
decrease if printf() fails.
In process_k5beta7_princ(), bounds-check the e_length field.
In ndr_enc_delegation_info(), initialize b so it is always valid for
the cleanup handler.
In krb5_dbe_def_decrypt_key_data(), change the flow control so ret is
always set by the end of the function. Return KRB5_KDB_INVALIDKEYSIZE
if there isn't enough data in the first key_data_contents field or if
the serialized key length is invalid.
In svcauth_gss_validate(), expand rpchdr to accomodate the header plus
MAX_AUTH_BYTES.
In svcudp_reply(), change slen to unsigned to match the return type of
XDR_GETPOS() and eliminate an unnecessary check for slen >= 0.
In krb5int_pthread_loaded()(), remove pthread_equal() from the weak
symbol checks. It is implemented as an inline function in some glibc
versions, which makes the comparison "&pthread_equal == 0" always
false.
[ghudson@mit.edu: further modified krb5_dbe_def_decrypt_key_data() for
clarity; added detail to commit message]
Reference:https://github.com/krb5/krb5/commit/a96541981ee34c8642ddeb6101b98e883e41c6e5
Conflict:src/kdc/ndr.c,src/lib/kdb/decrypt_key.c
---
src/clients/klist/klist.c | 12 ++++++------
src/kadmin/dbutil/dump.c | 5 +++++
src/lib/rpc/svc_auth_gss.c | 5 ++++-
src/lib/rpc/svc_udp.c | 13 +++++++------
src/util/support/threads.c | 2 --
5 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index 394c75b..1511c59 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -681,7 +681,7 @@ show_credential(krb5_creds *cred, const char *defname)
krb5_error_code ret;
krb5_ticket *tkt = NULL;
char *name = NULL, *sname = NULL, *tktsname, *flags;
- int extra_field = 0, ccol = 0, i;
+ int extra_field = 0, ccol = 0, i, r;
krb5_boolean is_config = krb5_is_config_principal(context, cred->server);
ret = krb5_unparse_name(context, cred->client, &name);
@@ -711,11 +711,11 @@ show_credential(krb5_creds *cred, const char *defname)
fputs("config: ", stdout);
ccol = 8;
for (i = 1; i < cred->server->length; i++) {
- ccol += printf("%s%.*s%s",
- i > 1 ? "(" : "",
- (int)cred->server->data[i].length,
- cred->server->data[i].data,
- i > 1 ? ")" : "");
+ r = printf("%s%.*s%s", i > 1 ? "(" : "",
+ (int)cred->server->data[i].length,
+ cred->server->data[i].data, i > 1 ? ")" : "");
+ if (r >= 0)
+ ccol += r;
}
fputs(" = ", stdout);
ccol += 3;
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 4d6cc0b..feb053d 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -696,6 +696,11 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
dbentry->len = u1;
dbentry->n_key_data = u4;
+
+ if (u5 > UINT16_MAX) {
+ load_err(fname, *linenop, _("invalid principal extra data size"));
+ goto fail;
+ }
dbentry->e_length = u5;
if (kp != NULL) {
diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
index aba7694..e290018 100644
--- a/src/lib/rpc/svc_auth_gss.c
+++ b/src/lib/rpc/svc_auth_gss.c
@@ -296,7 +296,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
struct opaque_auth *oa;
gss_buffer_desc rpcbuf, checksum;
OM_uint32 maj_stat, min_stat, qop_state;
- u_char rpchdr[128];
+ u_char rpchdr[32 + MAX_AUTH_BYTES];
int32_t *buf;
log_debug("in svcauth_gss_validate()");
@@ -314,6 +314,8 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
return (FALSE);
buf = (int32_t *)(void *)rpchdr;
+
+ /* Write the 32 first bytes of the header. */
IXDR_PUT_LONG(buf, msg->rm_xid);
IXDR_PUT_ENUM(buf, msg->rm_direction);
IXDR_PUT_LONG(buf, msg->rm_call.cb_rpcvers);
@@ -322,6 +324,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
IXDR_PUT_ENUM(buf, oa->oa_flavor);
IXDR_PUT_LONG(buf, oa->oa_length);
+
if (oa->oa_length) {
memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
buf += RNDUP(oa->oa_length) / sizeof(int32_t);
diff --git a/src/lib/rpc/svc_udp.c b/src/lib/rpc/svc_udp.c
index 8ecbdf2..3aff277 100644
--- a/src/lib/rpc/svc_udp.c
+++ b/src/lib/rpc/svc_udp.c
@@ -248,8 +248,9 @@ static bool_t svcudp_reply(
{
struct svcudp_data *su = su_data(xprt);
XDR *xdrs = &su->su_xdrs;
- int slen;
+ u_int slen;
bool_t stat = FALSE;
+ ssize_t r;
xdrproc_t xdr_results = NULL;
caddr_t xdr_location = 0;
@@ -272,12 +273,12 @@ static bool_t svcudp_reply(
if (xdr_replymsg(xdrs, msg) &&
(!has_args ||
(SVCAUTH_WRAP(xprt->xp_auth, xdrs, xdr_results, xdr_location)))) {
- slen = (int)XDR_GETPOS(xdrs);
- if (sendto(xprt->xp_sock, rpc_buffer(xprt), slen, 0,
- (struct sockaddr *)&(xprt->xp_raddr), xprt->xp_addrlen)
- == slen) {
+ slen = XDR_GETPOS(xdrs);
+ r = sendto(xprt->xp_sock, rpc_buffer(xprt), slen, 0,
+ (struct sockaddr *)&(xprt->xp_raddr), xprt->xp_addrlen);
+ if (r >= 0 && (u_int)r == slen) {
stat = TRUE;
- if (su->su_cache && slen >= 0) {
+ if (su->su_cache) {
cache_set(xprt, (uint32_t) slen);
}
}
diff --git a/src/util/support/threads.c b/src/util/support/threads.c
index be7e4c2..4ded805 100644
--- a/src/util/support/threads.c
+++ b/src/util/support/threads.c
@@ -118,7 +118,6 @@ struct tsd_block {
# pragma weak pthread_mutex_destroy
# pragma weak pthread_mutex_init
# pragma weak pthread_self
-# pragma weak pthread_equal
# pragma weak pthread_getspecific
# pragma weak pthread_setspecific
# pragma weak pthread_key_create
@@ -151,7 +150,6 @@ int krb5int_pthread_loaded (void)
|| &pthread_mutex_destroy == 0
|| &pthread_mutex_init == 0
|| &pthread_self == 0
- || &pthread_equal == 0
/* Any program that's really multithreaded will have to be
able to create threads. */
|| &pthread_create == 0
--
2.33.0
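Review bot: In the svc_auth_gss.c hunk, `u_char rpchdr[32 + MAX_AUTH_BYTES]` is sized on the assumption that `oa->oa_length` never exceeds MAX_AUTH_BYTES when the memcpy into `buf` runs; that bound is presumably enforced when the opaque_auth was decoded, but it is not checked here, so a guard such as `if (oa->oa_length > MAX_AUTH_BYTES) return (FALSE);` before the memcpy would make the buffer size self-evidently sufficient. The 32 in the array size also duplicates the eight 4-byte IXDR_PUT calls that follow; a named constant, or a comment on the declaration tying the two together, would keep them from drifting apart. svcauth_gss_validate() continues outside the hunks.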

@ -0,0 +1,90 @@
From 3b57de1b68f31fa297d91e8b00bd91587d71fd02 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 1 Nov 2024 13:42:44 -0400
Subject: [PATCH] Fix various small logic errors
Correct five logic errors (all unlikely to manifest as user-visible
bugs) found by static analysis. Reported by Valery Fedorenko.
---
src/kdc/policy.c | 2 +-
src/lib/apputils/net-server.c | 2 +-
src/lib/rpc/unit-test/client.c | 1 +
src/plugins/audit/kdc_j_encode.c | 10 ++++------
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 2 ++
5 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/kdc/policy.c b/src/kdc/policy.c
index a3ff556c5..1ae1c7a05 100644
--- a/src/kdc/policy.c
+++ b/src/kdc/policy.c
@@ -180,7 +180,7 @@ unload_kdcpolicy_plugins(krb5_context context)
{
kdcpolicy_handle *hp, h;
- for (hp = handles; *hp != NULL; hp++) {
+ for (hp = handles; hp != NULL && *hp != NULL; hp++) {
h = *hp;
if (h->vt.fini != NULL)
h->vt.fini(context, h->moddata);
diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c
index 75372d894..b3da72d3f 100644
--- a/src/lib/apputils/net-server.c
+++ b/src/lib/apputils/net-server.c
@@ -1127,7 +1127,7 @@ kill_lru_tcp_or_rpc_connection(void *handle, verto_ev *newev)
}
if (oldest_c != NULL) {
krb5_klog_syslog(LOG_INFO, _("dropping %s fd %d from %s"),
- c->type == CONN_RPC ? "rpc" : "tcp",
+ oldest_c->type == CONN_RPC ? "rpc" : "tcp",
verto_get_fd(oldest_ev), oldest_c->addrbuf);
if (oldest_c->type == CONN_RPC)
oldest_c->rpc_force_close = 1;
diff --git a/src/lib/rpc/unit-test/client.c b/src/lib/rpc/unit-test/client.c
index 9b907bcdc..7965a4306 100644
--- a/src/lib/rpc/unit-test/client.c
+++ b/src/lib/rpc/unit-test/client.c
@@ -165,6 +165,7 @@ main(int argc, char **argv)
if (echo_resp == NULL) {
fprintf(stderr, "RPC_TEST_ECHO call %d%s", i,
clnt_sperror(clnt, ""));
+ break;
}
if (strncmp(*echo_resp, "Echo: ", 6) &&
strcmp(echo_arg, (*echo_resp) + 6) != 0)
diff --git a/src/plugins/audit/kdc_j_encode.c b/src/plugins/audit/kdc_j_encode.c
index fb4a4ed73..0df258d76 100755
--- a/src/plugins/audit/kdc_j_encode.c
+++ b/src/plugins/audit/kdc_j_encode.c
@@ -419,12 +419,10 @@ kau_j_tgs_u2u(const krb5_boolean ev_success, krb5_audit_state *state,
goto error;
}
/* Client in the second ticket. */
- if (req != NULL) {
- ret = princ_to_value(req->second_ticket[0]->enc_part2->client,
- obj, AU_REQ_U2U_USER);
- if (ret)
- goto error;
- }
+ ret = princ_to_value(req->second_ticket[0]->enc_part2->client,
+ obj, AU_REQ_U2U_USER);
+ if (ret)
+ goto error;
/* Enctype of a session key of the second ticket. */
ret = int32_to_value(req->second_ticket[0]->enc_part2->session->enctype,
obj, AU_SRV_ETYPE);
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 6d1966194..4ae2c00ad 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -4110,6 +4110,8 @@ pkinit_get_certs_pkcs12(krb5_context context,
TRACE_PKINIT_PKCS_PARSE_FAIL_FIRST(context);
+ if (p12name == NULL)
+ goto cleanup;
if (id_cryptoctx->defer_id_prompt) {
/* Supply the identity name to be passed to the responder. */
pkinit_set_deferred_id(&id_cryptoctx->deferred_ids, p12name, 0,
--
2.33.0
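Review bot: The added `if (p12name == NULL) goto cleanup;` in the pkinit_crypto_openssl.c hunk jumps to cleanup with whatever `retval` currently holds, and nothing in the hunk shows it being set to an error first; if retval can still be 0 at that point the caller would see success with no identity loaded, so confirm the value or set an explicit error code before the jump. In the kdc_j_encode.c hunk, dropping the `req != NULL` guard is consistent with the unconditional dereference of `req` on the lines that follow, but a short comment such as `/* req is assumed non-NULL here; it is dereferenced unconditionally below. */` would record that precondition. Both functions continue outside the hunks.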

@ -0,0 +1,91 @@
From bba0c36394cb88265da6e3d6566dd88b9c7978ca Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 21 Oct 2024 19:04:08 -0400
Subject: [PATCH] Prevent late initialization of GSS error map
Some of the peripheral libgssapi_krb5 utility functions, such as
gss_str_to_oid(), do not access the mechanism list and therefore do
not reach any of the calls to gssint_mechglue_initialize_library().
If one of these functions is called early and produces an error, its
call to map_error() will operate on the uninitialized error map. When
the library is later initialized, any entries added to the error map
this way will be leaked.
To ensure that the error map is initialized before it is operated on,
add library initialization calls to gssint_mecherrmap_map() and
gssint_mecherrmap_get().
ticket: 9145 (new)
Reference:https://github.com/krb5/krb5/commit/bba0c36394cb88265da6e3d6566dd88b9c7978ca
Conflict:src/lib/gssapi/generic/deps
---
src/lib/gssapi/generic/Makefile.in | 2 +-
src/lib/gssapi/generic/deps | 6 ++++--
src/lib/gssapi/generic/util_errmap.c | 6 +++++-
3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/lib/gssapi/generic/Makefile.in b/src/lib/gssapi/generic/Makefile.in
index 1a95a7d..ac69a85 100644
--- a/src/lib/gssapi/generic/Makefile.in
+++ b/src/lib/gssapi/generic/Makefile.in
@@ -1,6 +1,6 @@
mydir=lib$(S)gssapi$(S)generic
BUILDTOP=$(REL)..$(S)..$(S)..
-LOCALINCLUDES = -I. -I$(srcdir) -I$(srcdir)/..
+LOCALINCLUDES = -I. -I$(srcdir) -I$(srcdir)/../mechglue
##DOS##BUILDTOP = ..\..\..
##DOS##PREFIXDIR=generic
diff --git a/src/lib/gssapi/generic/deps b/src/lib/gssapi/generic/deps
index 5b80e7f..222b088 100644
--- a/src/lib/gssapi/generic/deps
+++ b/src/lib/gssapi/generic/deps
@@ -59,8 +59,10 @@ util_buffer_set.so util_buffer_set.po $(OUTPRE)util_buffer_set.$(OBJEXT): \
util_buffer_set.c
util_errmap.so util_errmap.po $(OUTPRE)util_errmap.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssapi/gssapi_alloc.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-platform.h \
+ $(BUILDTOP)/include/gssapi/gssapi_alloc.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(srcdir)/../mechglue/mechglue.h \
+ $(srcdir)/../mechglue/mglueP.h $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-input.h $(top_srcdir)/include/k5-platform.h \
$(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
errmap.h gssapiP_generic.h gssapi_err_generic.h gssapi_ext.h \
gssapi_generic.h util_errmap.c
diff --git a/src/lib/gssapi/generic/util_errmap.c b/src/lib/gssapi/generic/util_errmap.c
index 628a455..138310c 100644
--- a/src/lib/gssapi/generic/util_errmap.c
+++ b/src/lib/gssapi/generic/util_errmap.c
@@ -25,6 +25,7 @@
*/
#include "gssapiP_generic.h"
+#include <mglueP.h>
#include <string.h>
#ifndef _WIN32
#include <unistd.h>
@@ -181,6 +182,9 @@ OM_uint32 gssint_mecherrmap_map(OM_uint32 minor, const gss_OID_desc * oid)
f = stderr;
#endif
+ if (gssint_mechglue_initialize_library() != 0)
+ return 0;
+
me.code = minor;
me.mech = *oid;
k5_mutex_lock(&mutex);
@@ -249,7 +253,7 @@ int gssint_mecherrmap_get(OM_uint32 minor, gss_OID mech_oid,
{
const struct mecherror *p;
- if (minor == 0) {
+ if (minor == 0 || gssint_mechglue_initialize_library() != 0) {
return EINVAL;
}
k5_mutex_lock(&mutex);
--
2.33.0
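Review bot: The new early `return 0;` in gssint_mecherrmap_map() (util_errmap.c hunk) reports a minor code of 0 when library initialization fails, with no comment on why that value is the right fallback; presumably it matches what the function already returns on other failures, but that should be confirmed and stated: `/* Without an initialized library there is no map to add to; fall back to 0 as on other failures. */`. The call is correctly placed before `k5_mutex_lock(&mutex)`, but since initialization presumably runs under a once-control, confirm that nothing invoked from the initializer itself calls back into gssint_mecherrmap_map() or gssint_mecherrmap_get(), as a re-entrant initialization call could block. Both functions continue outside the hunks.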

@ -0,0 +1,38 @@
From d09433aed821d40142b10dc5b4a0aa8110c5a09e Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 6 Nov 2024 17:31:37 -0500
Subject: [PATCH] Prevent undefined shift in decode_krb5_flags()
In the statement "f |= bits[i] << (8 * (3 - i))", bits[i] is
implicitly promoted from uint8_t to int according to the integer
promotion rules (C99 6.3.1.1). If i is 0 and bits[i] >= 128, the
result cannot be represented as an int and the behavior of the shift
is undefined (C99 6.5.7). To ensure that the shift operation is
defined, cast bits[i] to uint32_t.
(f and the function output are int32_t, but the conversion of uint32_t
to int32_t is implementation-defined when the value cannot be
represented, not undefined. We check in configure.ac that the
platform is two's complement.)
(Discovered by OSS-Fuzz.)
---
src/lib/krb5/asn.1/asn1_k_encode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index ad5a18a24..1a250c98c 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -250,7 +250,7 @@ decode_krb5_flags(const taginfo *t, const uint8_t *asn1, size_t len, void *val)
return ret;
/* Copy up to 32 bits into f, starting at the most significant byte. */
for (i = 0; i < blen && i < 4; i++)
- f |= bits[i] << (8 * (3 - i));
+ f |= (uint32_t)bits[i] << (8 * (3 - i));
*(krb5_flags *)val = f;
free(bits);
return 0;
--
2.33.0
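Review bot: After the cast in the asn1_k_encode.c hunk the shift itself is defined, but the `|=` into `f` still converts uint32_t to int32_t on every iteration, which the commit message acknowledges is implementation-defined; declaring `f` as `uint32_t` and converting once at the end, `*(krb5_flags *)val = (krb5_flags)f;`, would confine the implementation-defined step to a single, commented line. The declaration of f is outside the hunk, as is the rest of decode_krb5_flags().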

@ -3,7 +3,7 @@
Name: krb5
Version: 1.19.2
Release: 19
Release: 24
Summary: The Kerberos network authentication protocol
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -57,6 +57,21 @@ Patch33: backport-Add-a-simple-DER-support-header.patch
Patch34: backport-CVE-2024-37370-CVE-2024-37371-Fix-vulnerabilities-in-GSS-message-token-handling.patch
Patch35: Fix-memory-leak-in-OTP-kdcpreauth-module.patch
Patch36: backport-Change-krb5_get_credentials-endtime-behavior.patch
Patch37: backport-Fix-uncommon-PKINIT-memory-leak.patch
Patch38: backport-Fix-various-issues-detected-by-static-analysis.patch
Patch39: backport-Fix-krb5_crypto_us_timeofday-microseconds-check.patch
Patch40: backport-Fix-libkadm5-parameter-leak.patch
Patch41: backport-Prevent-late-initialization-of-GSS-error-map.patch
Patch42: backport-Allow-null-keyblocks-in-IOV-checksum-functions.patch
Patch43: backport-Avoid-mutex-locking-in-krb5int_trace.patch
Patch44: backport-Fix-unlikely-password-change-leak.patch
Patch45: backport-Fix-krb5_ldap_list_policy-filtering-loop.patch
Patch46: backport-CVE-2025-24528.patch
Patch47: backport-Fix-LDAP-module-leak-on-authentication-error.patch
Patch48: backport-Fix-minor-logic-errors.patch
Patch49: backport-Fix-type-violation-in-libkrad.patch
Patch50: backport-Fix-various-small-logic-errors.patch
Patch51: backport-Prevent-undefined-shift-in-decode_krb5_flags.patch
BuildRequires: gettext
BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@ -349,6 +364,21 @@ make -C src check || :
%changelog
* Mon Mar 24 2025 Linux_zhang <zhangruifang@h-partners.com> - 1.19.2-24
- backport patches to fix bugs
* Thu Jan 30 2025 Funda Wang <fundawang@yeah.net> - 1.19.2-23
- fix CVE-2025-24528
* Wed Dec 11 2024 liuh <liuhuan01@kylinos.cn> - 1.19.2-22
- backport patches from upstream
* Wed Dec 04 2024 wangjiang <app@cameyan.com> - 1.19.2-21
- backport upstream patches
* Wed Aug 28 2024 yanshuai <yanshuai01@kylinos.cn> - 1.19.2-20
- Fix uncommon PKINIT memory leak
* Thu Aug 15 2024 yixiangzhike <yixiangzhike007@163.com> - 1.19.2-19
- Change krb5_get_credentials() endtime behavior