fix CVE-2025-24528

(cherry picked from commit 4fda28d01cf1b4604c785f6602efd503956e6e5e)
2025-01-30 14:32:45 +08:00 · 2025-01-30 14:32:45 +08:00 · 7c37c8d166
commit 7c37c8d166
parent e2ba1077b8
2 changed files with 64 additions and 1 deletions
--- a/backport-CVE-2025-24528.patch
+++ b/backport-CVE-2025-24528.patch
@ -0,0 +1,59 @@
+From 78ceba024b64d49612375be4a12d1c066b0bfbd0 Mon Sep 17 00:00:00 2001
+From: Zoltan Borbely <Zoltan.Borbely@morganstanley.com>
+Date: Tue, 28 Jan 2025 16:39:25 -0500
+Subject: [PATCH] Prevent overflow when calculating ulog block size
+
+In kdb_log.c:resize(), log an error and fail if the update size is
+larger than the largest possible block size (2^16-1).
+
+CVE-2025-24528:
+
+In MIT krb5 release 1.7 and later with incremental propagation
+enabled, an authenticated attacker can cause kadmind to write beyond
+the end of the mapped region for the iprop log file, likely causing a
+process crash.
+
+[ghudson@mit.edu: edited commit message and added CVE description]
+
+ticket: 9159 (new)
+tags: pullup
+target_version: 1.21-next
+---
+ src/lib/kdb/kdb_log.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
+index 2659a250187..68fae919a52 100644
+--- a/src/lib/kdb/kdb_log.c
+++ b/src/lib/kdb/kdb_log.c
+@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
+  */
+ static krb5_error_code
+ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+-       unsigned int recsize)
+       unsigned int recsize, const kdb_incr_update_t *upd)
+ {
+     unsigned int new_block, new_size;
+ 
+@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+     new_block *= ULOG_BLOCK;
+     new_size += ulogentries * new_block;
+ 
+    if (new_block > UINT16_MAX) {
+        syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
+               upd->kdb_princ_name.utf8str_t_len,
+               upd->kdb_princ_name.utf8str_t_val);
+        return KRB5_LOG_ERROR;
+    }
+     if (new_size > MAXLOGLEN)
+         return KRB5_LOG_ERROR;
+ 
+@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd)
+     recsize = sizeof(kdb_ent_header_t) + upd_size;
+ 
+     if (recsize > ulog->kdb_block) {
+-        retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
+        retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
+         if (retval)
+             return retval;
+     }
--- a/krb5.spec
+++ b/krb5.spec
@ -3,7 +3,7 @@

 Name:     krb5
 Version:  1.21.2
-Release:  13
+Release:  14
 Summary:  The Kerberos network authentication protocol
 License:  MIT
 URL:      http://web.mit.edu/kerberos/www/
@ -48,6 +48,7 @@ Patch24: backport-Fix-krb5_ldap_list_policy-filtering-loop.patch
 Patch25: backport-Fix-various-issues-detected-by-static-analysis.patch
 Patch26: backport-Fix-krb5_crypto_us_timeofday-microseconds-check.patch
 Patch27: backport-Prevent-late-initialization-of-GSS-error-map.patch
+Patch28: backport-CVE-2025-24528.patch

 BuildRequires:  gettext
 BuildRequires:  gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@ -332,6 +333,9 @@ make -C src check || :
 %{_mandir}/man8/*

 %changelog
+* Thu Jan 30 2025 Funda Wang <fundawang@yeah.net> - 1.21.2-14
+- fix CVE-2025-24528
+
 * Wed Dec 04 2024 wangjiang <app@cameyan.com> - 1.21.2-13
 - backport upstream patches