backport patches from upstream

wjiang 2024-12-04 09:49:42 +08:00
parent 875f8a11e8
commit 023d8f06f2
5 changed files with 239 additions and 1 deletions


@ -0,0 +1,66 @@
From 6217454323b39cedb1b03ac161ecb0ade3ad84e6 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 20 Oct 2024 02:09:26 -0400
Subject: [PATCH] Allow null keyblocks in IOV checksum functions
Null keyblocks are allowed by the libk5crypto checksum functions when
the checksum type is not keyed. However, krb5_c_make_checksum_iov()
and krb5_c_verify_checksum_iov() crash on null keyblock inputs because
they do not check before converting to krb5_key as their non-IOV
variants do. Add the missing null checks.
ticket: 9146 (new)
---
src/lib/crypto/krb/make_checksum_iov.c | 10 ++++++----
src/lib/crypto/krb/verify_checksum_iov.c | 10 ++++++----
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/lib/crypto/krb/make_checksum_iov.c b/src/lib/crypto/krb/make_checksum_iov.c
index 549180d..84e98b1 100644
--- a/src/lib/crypto/krb/make_checksum_iov.c
+++ b/src/lib/crypto/krb/make_checksum_iov.c
@@ -81,12 +81,14 @@ krb5_c_make_checksum_iov(krb5_context context,
krb5_crypto_iov *data,
size_t num_data)
{
- krb5_key key;
+ krb5_key key = NULL;
krb5_error_code ret;
- ret = krb5_k_create_key(context, keyblock, &key);
- if (ret != 0)
- return ret;
+ if (keyblock != NULL) {
+ ret = krb5_k_create_key(context, keyblock, &key);
+ if (ret != 0)
+ return ret;
+ }
ret = krb5_k_make_checksum_iov(context, cksumtype, key, usage,
data, num_data);
krb5_k_free_key(context, key);
diff --git a/src/lib/crypto/krb/verify_checksum_iov.c b/src/lib/crypto/krb/verify_checksum_iov.c
index fc76c0e..47a25a9 100644
--- a/src/lib/crypto/krb/verify_checksum_iov.c
+++ b/src/lib/crypto/krb/verify_checksum_iov.c
@@ -88,12 +88,14 @@ krb5_c_verify_checksum_iov(krb5_context context,
size_t num_data,
krb5_boolean *valid)
{
- krb5_key key;
+ krb5_key key = NULL;
krb5_error_code ret;
- ret = krb5_k_create_key(context, keyblock, &key);
- if (ret != 0)
- return ret;
+ if (keyblock != NULL) {
+ ret = krb5_k_create_key(context, keyblock, &key);
+ if (ret != 0)
+ return ret;
+ }
ret = krb5_k_verify_checksum_iov(context, checksum_type, key, usage, data,
num_data, valid);
krb5_k_free_key(context, key);
--
2.43.0
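Review bot: When keyblock is NULL the new branch leaves key NULL, and that null key then flows into krb5_k_make_checksum_iov() and krb5_k_free_key(); the hunk itself shows neither callee tolerating it, so the fix is only as safe as the commit message's claim that the krb5_k_* layer already accepts null keys for unkeyed checksum types (and, presumably, rejects them for keyed types). A short comment on the new branch would make that dependency explicit for the next reader, e.g. `/* A null keyblock is permitted for unkeyed checksum types; the krb5_k_* layer is responsible for rejecting it when cksumtype is keyed. */`. The same applies to the identical change in verify_checksum_iov.c. Both functions continue past the end of their hunks.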


@ -0,0 +1,71 @@
From b03d55c2b841731c8194cb12566cad1d6d2ad3cb Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 4 Oct 2024 18:00:21 +0200
Subject: [PATCH] Avoid mutex locking in krb5int_trace()
Trace logging doesn't need unique timestamps, so the locking within
krb5_crypto_us_timeofday() makes trace logging slower for no reason.
Add a new helper k5_us_timeofday(), which is merely a wrapper around
the existing get_time_now(), and use it in krb5int_trace().
[ghudson@mit.edu: edited commit message]
---
src/include/k5-int.h | 1 +
src/lib/krb5/os/c_ustime.c | 15 +++++++++++++++
src/lib/krb5/os/trace.c | 2 +-
3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index fd79d7c..f492acb 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -697,6 +697,7 @@ krb5_error_code krb5int_c_copy_keyblock_contents(krb5_context context,
const krb5_keyblock *from,
krb5_keyblock *to);
+krb5_error_code k5_us_timeofday(krb5_timestamp *, krb5_int32 *);
krb5_error_code krb5_crypto_us_timeofday(krb5_timestamp *, krb5_int32 *);
/*
diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
index f69f2ea..265c3b3 100644
--- a/src/lib/krb5/os/c_ustime.c
+++ b/src/lib/krb5/os/c_ustime.c
@@ -73,6 +73,21 @@ get_time_now(struct time_now *n)
#endif
+krb5_error_code
+k5_us_timeofday(krb5_timestamp *seconds, krb5_int32 *microseconds)
+{
+ struct time_now now;
+ krb5_error_code err;
+
+ err = get_time_now(&now);
+ if (err)
+ return err;
+
+ *seconds = now.sec;
+ *microseconds = now.usec;
+ return 0;
+}
+
static struct time_now last_time;
krb5_error_code
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index c4058dd..2af459d 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -411,7 +411,7 @@ krb5int_trace(krb5_context context, const char *fmt, ...)
str = trace_format(context, fmt, ap);
if (str == NULL)
goto cleanup;
- if (krb5_crypto_us_timeofday(&sec, &usec) != 0)
+ if (k5_us_timeofday(&sec, &usec) != 0)
goto cleanup;
if (asprintf(&msg, "[%d] %u.%06d: %s\n", (int)getpid(),
(unsigned int)sec, (int)usec, str) < 0)
--
2.43.0
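Review bot: The new k5_us_timeofday() in c_ustime.c has no header comment, and its contract differs from the neighbouring krb5_crypto_us_timeofday() in exactly the way that matters: per the commit message it drops the locking that gives unique timestamps, so it is fit for trace output but not for any caller that needs strictly increasing times. I'd document that above the definition, e.g. `/* Return the current time of day without the uniqueness guarantee of krb5_crypto_us_timeofday(); intended only for logging. */`, and repeat a one-line version next to the new prototype in k5-int.h so nobody swaps the two by name alone. The k5-int.h prototype also omits parameter names, which matches the adjacent declaration but is worth fixing in both if the header is touched again.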


@ -0,0 +1,32 @@
From 0a23b0cd9466e8a7c6fb82fce185be6e0834ce26 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 27 Oct 2024 19:01:51 -0400
Subject: [PATCH] Fix krb5_ldap_list_policy() filtering loop
The loop at the end of this function is intended to ignore ticket
policy DNs that can't be converted to names. But it instead leaves a
hole in the output list if that happens, effectively truncating the
list and leaking any subsequent entries. Use the correct index for
the output list.
ticket: 9148 (new)
---
src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
index 4f48fd6..27a2235 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
@@ -382,7 +382,7 @@ krb5_ldap_list_policy(krb5_context context, char *containerdn, char ***policy)
for (i = 0, j = 0; list[i] != NULL; i++, j++) {
int ret;
- ret = krb5_ldap_policydn_to_name (context, list[i], &(*policy)[i]);
+ ret = krb5_ldap_policydn_to_name (context, list[i], &(*policy)[j]);
if (ret != 0)
j--;
}
--
2.43.0
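Review bot: Writing into (*policy)[j] fixes the hole, but nothing in the hunk terminates the output list at j once the loop ends; with j < i after a failed conversion the terminator is only correct if the array was zero-filled when it was allocated (outside this hunk). Adding `(*policy)[j] = NULL;` after the loop would make the terminator independent of the allocation, or at least a comment stating the reliance on a calloc'd array. It is also worth confirming that krb5_ldap_policydn_to_name() leaves its output untouched on failure, since `j--` reuses that slot on the next iteration. krb5_ldap_list_policy() starts before and ends after the hunk.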


@ -0,0 +1,62 @@
From 038793c3083f44c4fb62626c12f80c80147029cf Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Fri, 11 Oct 2024 12:45:13 +0200
Subject: [PATCH] Fix unlikely password change leak
In kpasswd_sendto_msg_callback(), if getsockname() does not reveal the
local address, a copy of the first local address's contents is made
and never freed. Instead of making an allocated copy of the address
contents, make a shallow copy of the whole address. Delay freeing the
address array until the end of the function so that alias pointer made
by the shallow copy remains valid.
[ghudson@mit.edu: further simplified code; rewrote commit message]
---
src/lib/krb5/os/changepw.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
index c592325..9cae409 100644
--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
@@ -115,6 +115,7 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
struct sendto_callback_context *ctx = data;
GETSOCKNAME_ARG3_TYPE addrlen;
krb5_data output;
+ krb5_address **addrs = NULL;
memset (message, 0, sizeof(krb5_data));
@@ -143,20 +144,10 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr);
local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr;
} else {
- krb5_address **addrs;
-
code = krb5_os_localaddr(ctx->context, &addrs);
if (code)
goto cleanup;
-
- local_kaddr.magic = addrs[0]->magic;
- local_kaddr.addrtype = addrs[0]->addrtype;
- local_kaddr.length = addrs[0]->length;
- local_kaddr.contents = k5memdup(addrs[0]->contents, addrs[0]->length,
- &code);
- krb5_free_addresses(ctx->context, addrs);
- if (local_kaddr.contents == NULL)
- goto cleanup;
+ local_kaddr = *addrs[0];
}
@@ -193,6 +184,7 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
message->data = output.data;
cleanup:
+ krb5_free_addresses(ctx->context, addrs);
return code;
}
--
2.43.0
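Review bot: `local_kaddr = *addrs[0];` dereferences the first entry with no check that krb5_os_localaddr() returned a non-empty array; if that function can succeed with an empty list (not visible here), this is a null dereference where the old code had the same latent issue. The shallow copy also makes local_kaddr an alias of addrs[0] that is only valid because the free moved to the cleanup label, so a comment at the assignment would stop someone reinstating an early `krb5_free_addresses()` call, e.g. `/* Shallow copy: local_kaddr aliases addrs[0], which stays alive until cleanup. */`. The cleanup path now calls krb5_free_addresses() with addrs possibly still NULL, which is fine only if that function accepts a null pointer; worth a one-line confirmation. kpasswd_sendto_msg_callback() extends outside all three hunks.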


@ -3,7 +3,7 @@
Name: krb5
Version: 1.21.2
Release: 11
Release: 12
Summary: The Kerberos network authentication protocol
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -41,6 +41,10 @@ Patch17: backport-Change-krb5_get_credentials-endtime-behavior.patch
Patch18: backport-Fix-memory-leak-in-PAC-checksum-verification.patch
Patch19: fix-libkadm5-parameter-leak.patch
Patch20: backport-CVE-2024-3596.patch
Patch21: backport-Avoid-mutex-locking-in-krb5int_trace.patch
Patch22: backport-Fix-unlikely-password-change-leak.patch
Patch23: backport-Allow-null-keyblocks-in-IOV-checksum-functions.patch
Patch24: backport-Fix-krb5_ldap_list_policy-filtering-loop.patch
BuildRequires: gettext
BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@ -325,6 +329,9 @@ make -C src check || :
%{_mandir}/man8/*
%changelog
* Fri Nov 22 2024 liuh <liuhuan01@kylinos.cn> - 1.21.2-12
- backport patches from upstream
* Thu Nov 07 2024 Funda Wang <fundawang@yeah.net> - 1.21.2-11
- fix CVE-2024-3596