backport patch from upstream community

(cherry picked from commit 6c307c246cb8b6578f4b1873022e7de73c7ed713)
2024-12-04 10:24:31 +08:00 · 2024-12-04 10:24:31 +08:00 · c64bcea70a
commit c64bcea70a
parent e67e6c9257
4 changed files with 321 additions and 1 deletions
--- a/backport-Fix-krb5_crypto_us_timeofday-microseconds-check.patch
+++ b/backport-Fix-krb5_crypto_us_timeofday-microseconds-check.patch
@ -0,0 +1,48 @@
+From 6f6d795be8d0dd0a46952cf8afa59b65d71df744 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Thu, 3 Oct 2024 18:40:04 +0200
+Subject: [PATCH] Fix krb5_crypto_us_timeofday() microseconds check
+
+Commit a60db180211a383bd382afe729e9309acb8dcf53 mistakenly reversed
+the sense of the krb5_crypto_us_timeofday() conditional that enforces
+fowards movement of the microseconds value within a second.  Moreover,
+the macros ts_after() and ts_incr() should not have been applied to
+non-timestamp values.  Revert the incorrect changes.
+
+[ghudson@mit.edu: rewrote commit message]
+
+ticket: 9141 (new)
+tags: pullup
+target_version: 1.21-next
+
+Reference:https://github.com/krb5/krb5/commit/6f6d795be8d0dd0a46952cf8afa59b65d71df744
+Conflict:NA
+
+---
+ src/lib/krb5/os/c_ustime.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
+index f69f2ea4c..7019ea197 100644
+--- a/src/lib/krb5/os/c_ustime.c
+++ b/src/lib/krb5/os/c_ustime.c
+@@ -106,14 +106,14 @@ krb5_crypto_us_timeofday(krb5_timestamp *seconds, krb5_int32 *microseconds)
+        need to properly handle the case where the administrator intentionally
+        adjusted time backwards. */
+     if (now.sec == ts_incr(last_time.sec, -1) ||
+-        (now.sec == last_time.sec && !ts_after(last_time.usec, now.usec))) {
+        (now.sec == last_time.sec && now.usec <= last_time.usec)) {
+         /* Correct 'now' to be exactly one microsecond later than 'last_time'.
+            Note that _because_ we perform this hack, 'now' may be _earlier_
+            than 'last_time', even though the system time is monotonically
+            increasing. */
+ 
+         now.sec = last_time.sec;
+-        now.usec = ts_incr(last_time.usec, 1);
+        now.usec = last_time.usec + 1;
+         if (now.usec >= 1000000) {
+             now.sec = ts_incr(now.sec, 1);
+             now.usec = 0;
+-- 
+2.33.0
+
--- a/backport-Fix-various-issues-detected-by-static-analysis.patch
+++ b/backport-Fix-various-issues-detected-by-static-analysis.patch
@ -0,0 +1,175 @@
+From a96541981ee34c8642ddeb6101b98e883e41c6e5 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Fri, 6 Sep 2024 17:18:11 +0200
+Subject: [PATCH] Fix various issues detected by static analysis
+ 
+In klists's show_credential(), ensure that the column counter doesn't
+decrease if printf() fails.
+ 
+In process_k5beta7_princ(), bounds-check the e_length field.
+ 
+In ndr_enc_delegation_info(), initialize b so it is always valid for
+the cleanup handler.
+ 
+In krb5_dbe_def_decrypt_key_data(), change the flow control so ret is
+always set by the end of the function.  Return KRB5_KDB_INVALIDKEYSIZE
+if there isn't enough data in the first key_data_contents field or if
+the serialized key length is invalid.
+ 
+In svcauth_gss_validate(), expand rpchdr to accomodate the header plus
+MAX_AUTH_BYTES.
+ 
+In svcudp_reply(), change slen to unsigned to match the return type of
+XDR_GETPOS() and eliminate an unnecessary check for slen >= 0.
+ 
+In krb5int_pthread_loaded()(), remove pthread_equal() from the weak
+symbol checks.  It is implemented as an inline function in some glibc
+versions, which makes the comparison "&pthread_equal == 0" always
+false.
+ 
+[ghudson@mit.edu: further modified krb5_dbe_def_decrypt_key_data() for
+clarity; added detail to commit message]
+ 
+Reference:https://github.com/krb5/krb5/commit/a96541981ee34c8642ddeb6101b98e883e41c6e5
+Conflict:src/kdc/ndr.c,src/lib/kdb/decrypt_key.c
+
+---
+ src/clients/klist/klist.c  | 12 ++++++------
+ src/kadmin/dbutil/dump.c   |  5 +++++
+ src/lib/rpc/svc_auth_gss.c |  5 ++++-
+ src/lib/rpc/svc_udp.c      | 13 +++++++------
+ src/util/support/threads.c |  2 --
+ 5 files changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
+index 394c75b..1511c59 100644
+--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
+@@ -681,7 +681,7 @@ show_credential(krb5_creds *cred, const char *defname)
+     krb5_error_code ret;
+     krb5_ticket *tkt = NULL;
+     char *name = NULL, *sname = NULL, *tktsname, *flags;
+-    int extra_field = 0, ccol = 0, i;
+    int extra_field = 0, ccol = 0, i, r;
+     krb5_boolean is_config = krb5_is_config_principal(context, cred->server);
+ 
+     ret = krb5_unparse_name(context, cred->client, &name);
+@@ -711,11 +711,11 @@ show_credential(krb5_creds *cred, const char *defname)
+         fputs("config: ", stdout);
+         ccol = 8;
+         for (i = 1; i < cred->server->length; i++) {
+-            ccol += printf("%s%.*s%s",
+-                           i > 1 ? "(" : "",
+-                           (int)cred->server->data[i].length,
+-                           cred->server->data[i].data,
+-                           i > 1 ? ")" : "");
+            r = printf("%s%.*s%s", i > 1 ? "(" : "",
+                       (int)cred->server->data[i].length,
+                       cred->server->data[i].data, i > 1 ? ")" : "");
+            if (r >= 0)
+                ccol += r;
+         }
+         fputs(" = ", stdout);
+         ccol += 3;
+diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
+index 4d6cc0b..feb053d 100644
+--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
+@@ -704,6 +704,11 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
+ 
+     dbentry->len = u1;
+     dbentry->n_key_data = u4;
+
+    if (u5 > UINT16_MAX) {
+        load_err(fname, *linenop, _("invalid principal extra data size"));
+        goto fail;
+    }
+     dbentry->e_length = u5;
+ 
+     if (kp != NULL) {
+diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
+index aba7694..e290018 100644
+--- a/src/lib/rpc/svc_auth_gss.c
+++ b/src/lib/rpc/svc_auth_gss.c
+@@ -296,7 +296,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
+ 	struct opaque_auth	*oa;
+ 	gss_buffer_desc		 rpcbuf, checksum;
+ 	OM_uint32		 maj_stat, min_stat, qop_state;
+-	u_char			 rpchdr[128];
+	u_char			 rpchdr[32 + MAX_AUTH_BYTES];
+ 	int32_t			*buf;
+ 
+ 	log_debug("in svcauth_gss_validate()");
+@@ -314,6 +314,8 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
+ 		return (FALSE);
+ 
+ 	buf = (int32_t *)(void *)rpchdr;
+
+	/* Write the 32 first bytes of the header. */
+ 	IXDR_PUT_LONG(buf, msg->rm_xid);
+ 	IXDR_PUT_ENUM(buf, msg->rm_direction);
+ 	IXDR_PUT_LONG(buf, msg->rm_call.cb_rpcvers);
+@@ -322,6 +324,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
+ 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
+ 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
+ 	IXDR_PUT_LONG(buf, oa->oa_length);
+
+ 	if (oa->oa_length) {
+ 		memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
+ 		buf += RNDUP(oa->oa_length) / sizeof(int32_t);
+diff --git a/src/lib/rpc/svc_udp.c b/src/lib/rpc/svc_udp.c
+index 8ecbdf2..3aff277 100644
+--- a/src/lib/rpc/svc_udp.c
+++ b/src/lib/rpc/svc_udp.c
+@@ -248,8 +248,9 @@ static bool_t svcudp_reply(
+ {
+      struct svcudp_data *su = su_data(xprt);
+      XDR *xdrs = &su->su_xdrs;
+-     int slen;
+     u_int slen;
+      bool_t stat = FALSE;
+     ssize_t r;
+ 
+      xdrproc_t xdr_results = NULL;
+      caddr_t xdr_location = 0;
+@@ -272,12 +273,12 @@ static bool_t svcudp_reply(
+      if (xdr_replymsg(xdrs, msg) &&
+ 	 (!has_args ||
+ 	  (SVCAUTH_WRAP(xprt->xp_auth, xdrs, xdr_results, xdr_location)))) {
+-	  slen = (int)XDR_GETPOS(xdrs);
+-	  if (sendto(xprt->xp_sock, rpc_buffer(xprt), slen, 0,
+-		     (struct sockaddr *)&(xprt->xp_raddr), xprt->xp_addrlen)
+-	      == slen) {
+	  slen = XDR_GETPOS(xdrs);
+	  r = sendto(xprt->xp_sock, rpc_buffer(xprt), slen, 0,
+		     (struct sockaddr *)&(xprt->xp_raddr), xprt->xp_addrlen);
+	  if (r >= 0 && (u_int)r == slen) {
+ 	       stat = TRUE;
+-	       if (su->su_cache && slen >= 0) {
+	       if (su->su_cache) {
+ 		    cache_set(xprt, (uint32_t) slen);
+ 	       }
+ 	  }
+diff --git a/src/util/support/threads.c b/src/util/support/threads.c
+index be7e4c2..4ded805 100644
+--- a/src/util/support/threads.c
+++ b/src/util/support/threads.c
+@@ -118,7 +118,6 @@ struct tsd_block {
+ # pragma weak pthread_mutex_destroy
+ # pragma weak pthread_mutex_init
+ # pragma weak pthread_self
+-# pragma weak pthread_equal
+ # pragma weak pthread_getspecific
+ # pragma weak pthread_setspecific
+ # pragma weak pthread_key_create
+@@ -151,7 +150,6 @@ int krb5int_pthread_loaded (void)
+         || &pthread_mutex_destroy == 0
+         || &pthread_mutex_init == 0
+         || &pthread_self == 0
+-        || &pthread_equal == 0
+         /* Any program that's really multithreaded will have to be
+            able to create threads.  */
+         || &pthread_create == 0
+-- 
+2.33.0
+
--- a/backport-Prevent-late-initialization-of-GSS-error-map.patch
+++ b/backport-Prevent-late-initialization-of-GSS-error-map.patch
@ -0,0 +1,91 @@
+From bba0c36394cb88265da6e3d6566dd88b9c7978ca Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 21 Oct 2024 19:04:08 -0400
+Subject: [PATCH] Prevent late initialization of GSS error map
+
+Some of the peripheral libgssapi_krb5 utility functions, such as
+gss_str_to_oid(), do not access the mechanism list and therefore do
+not reach any of the calls to gssint_mechglue_initialize_library().
+If one of these functions is called early and produces an error, its
+call to map_error() will operate on the uninitialized error map.  When
+the library is later initialized, any entries added to the error map
+this way will be leaked.
+
+To ensure that the error map is initialized before it is operated on,
+add library initialization calls to gssint_mecherrmap_map() and
+gssint_mecherrmap_get().
+
+ticket: 9145 (new)
+
+Reference:https://github.com/krb5/krb5/commit/bba0c36394cb88265da6e3d6566dd88b9c7978ca
+Conflict:src/lib/gssapi/generic/deps
+
+---
+ src/lib/gssapi/generic/Makefile.in   | 2 +-
+ src/lib/gssapi/generic/deps          | 6 ++++--
+ src/lib/gssapi/generic/util_errmap.c | 6 +++++-
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/gssapi/generic/Makefile.in b/src/lib/gssapi/generic/Makefile.in
+index 1a95a7d..ac69a85 100644
+--- a/src/lib/gssapi/generic/Makefile.in
+++ b/src/lib/gssapi/generic/Makefile.in
+@@ -1,6 +1,6 @@
+ mydir=lib$(S)gssapi$(S)generic
+ BUILDTOP=$(REL)..$(S)..$(S)..
+-LOCALINCLUDES = -I. -I$(srcdir) -I$(srcdir)/..
+LOCALINCLUDES = -I. -I$(srcdir) -I$(srcdir)/../mechglue
+ 
+ ##DOS##BUILDTOP = ..\..\..
+ ##DOS##PREFIXDIR=generic
+diff --git a/src/lib/gssapi/generic/deps b/src/lib/gssapi/generic/deps
+index 5b80e7f..222b088 100644
+--- a/src/lib/gssapi/generic/deps
+++ b/src/lib/gssapi/generic/deps
+@@ -59,8 +59,10 @@ util_buffer_set.so util_buffer_set.po $(OUTPRE)util_buffer_set.$(OBJEXT): \
+   util_buffer_set.c
+ util_errmap.so util_errmap.po $(OUTPRE)util_errmap.$(OBJEXT): \
+   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
+-  $(BUILDTOP)/include/gssapi/gssapi_alloc.h $(BUILDTOP)/include/krb5/krb5.h \
+-  $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-platform.h \
+  $(BUILDTOP)/include/gssapi/gssapi_alloc.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(srcdir)/../mechglue/mechglue.h \
+  $(srcdir)/../mechglue/mglueP.h $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-input.h $(top_srcdir)/include/k5-platform.h \
+   $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+   errmap.h gssapiP_generic.h gssapi_err_generic.h gssapi_ext.h \
+   gssapi_generic.h util_errmap.c
+diff --git a/src/lib/gssapi/generic/util_errmap.c b/src/lib/gssapi/generic/util_errmap.c
+index 628a455..138310c 100644
+--- a/src/lib/gssapi/generic/util_errmap.c
+++ b/src/lib/gssapi/generic/util_errmap.c
+@@ -25,6 +25,7 @@
+  */
+ 
+ #include "gssapiP_generic.h"
+#include <mglueP.h>
+ #include <string.h>
+ #ifndef _WIN32
+ #include <unistd.h>
+@@ -181,6 +182,9 @@ OM_uint32 gssint_mecherrmap_map(OM_uint32 minor, const gss_OID_desc * oid)
+         f = stderr;
+ #endif
+ 
+    if (gssint_mechglue_initialize_library() != 0)
+        return 0;
+
+     me.code = minor;
+     me.mech = *oid;
+     k5_mutex_lock(&mutex);
+@@ -249,7 +253,7 @@ int gssint_mecherrmap_get(OM_uint32 minor, gss_OID mech_oid,
+ {
+     const struct mecherror *p;
+ 
+-    if (minor == 0) {
+    if (minor == 0 || gssint_mechglue_initialize_library() != 0) {
+         return EINVAL;
+     }
+     k5_mutex_lock(&mutex);
+-- 
+2.33.0
+
--- a/krb5.spec
+++ b/krb5.spec
@ -3,7 +3,7 @@

 Name:     krb5
 Version:  1.21.2
-Release:  12
+Release:  13
 Summary:  The Kerberos network authentication protocol
 License:  MIT
 URL:      http://web.mit.edu/kerberos/www/
@ -45,6 +45,9 @@ Patch21: backport-Avoid-mutex-locking-in-krb5int_trace.patch
 Patch22: backport-Fix-unlikely-password-change-leak.patch
 Patch23: backport-Allow-null-keyblocks-in-IOV-checksum-functions.patch
 Patch24: backport-Fix-krb5_ldap_list_policy-filtering-loop.patch
+Patch25: backport-Fix-various-issues-detected-by-static-analysis.patch
+Patch26: backport-Fix-krb5_crypto_us_timeofday-microseconds-check.patch
+Patch27: backport-Prevent-late-initialization-of-GSS-error-map.patch

 BuildRequires:  gettext
 BuildRequires:  gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@ -329,6 +332,9 @@ make -C src check || :
 %{_mandir}/man8/*

 %changelog
+* Wed Dec 04 2024 wangjiang <app@cameyan.com> - 1.21.2-13
+- backport upstream patches
+
 * Fri Nov 22 2024 liuh <liuhuan01@kylinos.cn> - 1.21.2-12
 - backport patches from upstream