!205 [sync] PR-198: backport patch from upstream community

From: @openeuler-sync-bot Reviewed-by: @open-bot, @dillon_chen Signed-off-by: @open-bot, @dillon_chen
2024-12-06 03:45:19 +00:00 · 2024-12-06 03:45:19 +00:00 · e2ba1077b8
commit e2ba1077b8
parent e67e6c9257 c64bcea70a
4 changed files with 321 additions and 1 deletions
--- a/backport-Fix-krb5_crypto_us_timeofday-microseconds-check.patch
+++ b/backport-Fix-krb5_crypto_us_timeofday-microseconds-check.patch
@ -0,0 +1,48 @@
 From 6f6d795be8d0dd0a46952cf8afa59b65d71df744 Mon Sep 17 00:00:00 2001
 From: Alexey Tikhonov <atikhono@redhat.com>
 Date: Thu, 3 Oct 2024 18:40:04 +0200
 Subject: [PATCH] Fix krb5_crypto_us_timeofday() microseconds check
 Commit a60db180211a383bd382afe729e9309acb8dcf53 mistakenly reversed
 the sense of the krb5_crypto_us_timeofday() conditional that enforces
 fowards movement of the microseconds value within a second.  Moreover,
 the macros ts_after() and ts_incr() should not have been applied to
 non-timestamp values.  Revert the incorrect changes.
 [ghudson@mit.edu: rewrote commit message]
 ticket: 9141 (new)
 tags: pullup
 target_version: 1.21-next
 Reference:https://github.com/krb5/krb5/commit/6f6d795be8d0dd0a46952cf8afa59b65d71df744
 Conflict:NA
 ---
 src/lib/krb5/os/c_ustime.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
 index f69f2ea4c..7019ea197 100644
 --- a/src/lib/krb5/os/c_ustime.c
 +++ b/src/lib/krb5/os/c_ustime.c
@@ -106,14 +106,14 @@ krb5_crypto_us_timeofday(krb5_timestamp *seconds, krb5_int32 *microseconds)
        need to properly handle the case where the administrator intentionally
        adjusted time backwards. */
     if (now.sec == ts_incr(last_time.sec, -1) ||
 -        (now.sec == last_time.sec && !ts_after(last_time.usec, now.usec))) {
 +        (now.sec == last_time.sec && now.usec <= last_time.usec)) {
         /* Correct 'now' to be exactly one microsecond later than 'last_time'.
            Note that _because_ we perform this hack, 'now' may be _earlier_
            than 'last_time', even though the system time is monotonically
            increasing. */
         now.sec = last_time.sec;
 -        now.usec = ts_incr(last_time.usec, 1);
 +        now.usec = last_time.usec + 1;
         if (now.usec >= 1000000) {
             now.sec = ts_incr(now.sec, 1);
             now.usec = 0;
 -- 
 2.33.0
--- a/backport-Fix-various-issues-detected-by-static-analysis.patch
+++ b/backport-Fix-various-issues-detected-by-static-analysis.patch
@ -0,0 +1,175 @@
 From a96541981ee34c8642ddeb6101b98e883e41c6e5 Mon Sep 17 00:00:00 2001
 From: Julien Rische <jrische@redhat.com>
 Date: Fri, 6 Sep 2024 17:18:11 +0200
 Subject: [PATCH] Fix various issues detected by static analysis
 In klists's show_credential(), ensure that the column counter doesn't
 decrease if printf() fails.
 In process_k5beta7_princ(), bounds-check the e_length field.
 In ndr_enc_delegation_info(), initialize b so it is always valid for
 the cleanup handler.
 In krb5_dbe_def_decrypt_key_data(), change the flow control so ret is
 always set by the end of the function.  Return KRB5_KDB_INVALIDKEYSIZE
 if there isn't enough data in the first key_data_contents field or if
 the serialized key length is invalid.
 In svcauth_gss_validate(), expand rpchdr to accomodate the header plus
 MAX_AUTH_BYTES.
 In svcudp_reply(), change slen to unsigned to match the return type of
 XDR_GETPOS() and eliminate an unnecessary check for slen >= 0.
 In krb5int_pthread_loaded()(), remove pthread_equal() from the weak
 symbol checks.  It is implemented as an inline function in some glibc
 versions, which makes the comparison "&pthread_equal == 0" always
 false.
 [ghudson@mit.edu: further modified krb5_dbe_def_decrypt_key_data() for
 clarity; added detail to commit message]
 Reference:https://github.com/krb5/krb5/commit/a96541981ee34c8642ddeb6101b98e883e41c6e5
 Conflict:src/kdc/ndr.c,src/lib/kdb/decrypt_key.c
 ---
 src/clients/klist/klist.c  | 12 ++++++------
 src/kadmin/dbutil/dump.c   |  5 +++++
 src/lib/rpc/svc_auth_gss.c |  5 ++++-
 src/lib/rpc/svc_udp.c      | 13 +++++++------
 src/util/support/threads.c |  2 --
 5 files changed, 22 insertions(+), 15 deletions(-)
 diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
 index 394c75b..1511c59 100644
 --- a/src/clients/klist/klist.c
 +++ b/src/clients/klist/klist.c
@@ -681,7 +681,7 @@ show_credential(krb5_creds *cred, const char *defname)
     krb5_error_code ret;
     krb5_ticket *tkt = NULL;
     char *name = NULL, *sname = NULL, *tktsname, *flags;
 -    int extra_field = 0, ccol = 0, i;
 +    int extra_field = 0, ccol = 0, i, r;
     krb5_boolean is_config = krb5_is_config_principal(context, cred->server);
     ret = krb5_unparse_name(context, cred->client, &name);
@@ -711,11 +711,11 @@ show_credential(krb5_creds *cred, const char *defname)
         fputs("config: ", stdout);
         ccol = 8;
         for (i = 1; i < cred->server->length; i++) {
 -            ccol += printf("%s%.*s%s",
 -                           i > 1 ? "(" : "",
 -                           (int)cred->server->data[i].length,
 -                           cred->server->data[i].data,
 -                           i > 1 ? ")" : "");
 +            r = printf("%s%.*s%s", i > 1 ? "(" : "",
 +                       (int)cred->server->data[i].length,
 +                       cred->server->data[i].data, i > 1 ? ")" : "");
 +            if (r >= 0)
 +                ccol += r;
         }
         fputs(" = ", stdout);
         ccol += 3;
 diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
 index 4d6cc0b..feb053d 100644
 --- a/src/kadmin/dbutil/dump.c
 +++ b/src/kadmin/dbutil/dump.c
@@ -704,6 +704,11 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
     dbentry->len = u1;
     dbentry->n_key_data = u4;
 +
 +    if (u5 > UINT16_MAX) {
 +        load_err(fname, *linenop, _("invalid principal extra data size"));
 +        goto fail;
 +    }
     dbentry->e_length = u5;
     if (kp != NULL) {
 diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
 index aba7694..e290018 100644
 --- a/src/lib/rpc/svc_auth_gss.c
 +++ b/src/lib/rpc/svc_auth_gss.c
@@ -296,7 +296,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
 	struct opaque_auth	*oa;
 	gss_buffer_desc		 rpcbuf, checksum;
 	OM_uint32		 maj_stat, min_stat, qop_state;
 -	u_char			 rpchdr[128];
 +	u_char			 rpchdr[32 + MAX_AUTH_BYTES];
 	int32_t			*buf;
 	log_debug("in svcauth_gss_validate()");
@@ -314,6 +314,8 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
 		return (FALSE);
 	buf = (int32_t *)(void *)rpchdr;
 +
 +	/* Write the 32 first bytes of the header. */
 	IXDR_PUT_LONG(buf, msg->rm_xid);
 	IXDR_PUT_ENUM(buf, msg->rm_direction);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_rpcvers);
@@ -322,6 +324,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
 	IXDR_PUT_LONG(buf, oa->oa_length);
 +
 	if (oa->oa_length) {
 		memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
 		buf += RNDUP(oa->oa_length) / sizeof(int32_t);
 diff --git a/src/lib/rpc/svc_udp.c b/src/lib/rpc/svc_udp.c
 index 8ecbdf2..3aff277 100644
 --- a/src/lib/rpc/svc_udp.c
 +++ b/src/lib/rpc/svc_udp.c
@@ -248,8 +248,9 @@ static bool_t svcudp_reply(
 {
      struct svcudp_data *su = su_data(xprt);
      XDR *xdrs = &su->su_xdrs;
 -     int slen;
 +     u_int slen;
      bool_t stat = FALSE;
 +     ssize_t r;
      xdrproc_t xdr_results = NULL;
      caddr_t xdr_location = 0;
@@ -272,12 +273,12 @@ static bool_t svcudp_reply(
      if (xdr_replymsg(xdrs, msg) &&
 	 (!has_args ||
 	  (SVCAUTH_WRAP(xprt->xp_auth, xdrs, xdr_results, xdr_location)))) {
 -	  slen = (int)XDR_GETPOS(xdrs);
 -	  if (sendto(xprt->xp_sock, rpc_buffer(xprt), slen, 0,
 -		     (struct sockaddr *)&(xprt->xp_raddr), xprt->xp_addrlen)
 -	      == slen) {
 +	  slen = XDR_GETPOS(xdrs);
 +	  r = sendto(xprt->xp_sock, rpc_buffer(xprt), slen, 0,
 +		     (struct sockaddr *)&(xprt->xp_raddr), xprt->xp_addrlen);
 +	  if (r >= 0 && (u_int)r == slen) {
 	       stat = TRUE;
 -	       if (su->su_cache && slen >= 0) {
 +	       if (su->su_cache) {
 		    cache_set(xprt, (uint32_t) slen);
 	       }
 	  }
 diff --git a/src/util/support/threads.c b/src/util/support/threads.c
 index be7e4c2..4ded805 100644
 --- a/src/util/support/threads.c
 +++ b/src/util/support/threads.c
@@ -118,7 +118,6 @@ struct tsd_block {
 # pragma weak pthread_mutex_destroy
 # pragma weak pthread_mutex_init
 # pragma weak pthread_self
 -# pragma weak pthread_equal
 # pragma weak pthread_getspecific
 # pragma weak pthread_setspecific
 # pragma weak pthread_key_create
@@ -151,7 +150,6 @@ int krb5int_pthread_loaded (void)
         || &pthread_mutex_destroy == 0
         || &pthread_mutex_init == 0
         || &pthread_self == 0
 -        || &pthread_equal == 0
         /* Any program that's really multithreaded will have to be
            able to create threads.  */
         || &pthread_create == 0
 -- 
 2.33.0
--- a/backport-Prevent-late-initialization-of-GSS-error-map.patch
+++ b/backport-Prevent-late-initialization-of-GSS-error-map.patch
@ -0,0 +1,91 @@
 From bba0c36394cb88265da6e3d6566dd88b9c7978ca Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Mon, 21 Oct 2024 19:04:08 -0400
 Subject: [PATCH] Prevent late initialization of GSS error map
 Some of the peripheral libgssapi_krb5 utility functions, such as
 gss_str_to_oid(), do not access the mechanism list and therefore do
 not reach any of the calls to gssint_mechglue_initialize_library().
 If one of these functions is called early and produces an error, its
 call to map_error() will operate on the uninitialized error map.  When
 the library is later initialized, any entries added to the error map
 this way will be leaked.
 To ensure that the error map is initialized before it is operated on,
 add library initialization calls to gssint_mecherrmap_map() and
 gssint_mecherrmap_get().
 ticket: 9145 (new)
 Reference:https://github.com/krb5/krb5/commit/bba0c36394cb88265da6e3d6566dd88b9c7978ca
 Conflict:src/lib/gssapi/generic/deps
 ---
 src/lib/gssapi/generic/Makefile.in   | 2 +-
 src/lib/gssapi/generic/deps          | 6 ++++--
 src/lib/gssapi/generic/util_errmap.c | 6 +++++-
 3 files changed, 10 insertions(+), 4 deletions(-)
 diff --git a/src/lib/gssapi/generic/Makefile.in b/src/lib/gssapi/generic/Makefile.in
 index 1a95a7d..ac69a85 100644
 --- a/src/lib/gssapi/generic/Makefile.in
 +++ b/src/lib/gssapi/generic/Makefile.in
@@ -1,6 +1,6 @@
 mydir=lib$(S)gssapi$(S)generic
 BUILDTOP=$(REL)..$(S)..$(S)..
 -LOCALINCLUDES = -I. -I$(srcdir) -I$(srcdir)/..
 +LOCALINCLUDES = -I. -I$(srcdir) -I$(srcdir)/../mechglue
 ##DOS##BUILDTOP = ..\..\..
 ##DOS##PREFIXDIR=generic
 diff --git a/src/lib/gssapi/generic/deps b/src/lib/gssapi/generic/deps
 index 5b80e7f..222b088 100644
 --- a/src/lib/gssapi/generic/deps
 +++ b/src/lib/gssapi/generic/deps
@@ -59,8 +59,10 @@ util_buffer_set.so util_buffer_set.po $(OUTPRE)util_buffer_set.$(OBJEXT): \
   util_buffer_set.c
 util_errmap.so util_errmap.po $(OUTPRE)util_errmap.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
 -  $(BUILDTOP)/include/gssapi/gssapi_alloc.h $(BUILDTOP)/include/krb5/krb5.h \
 -  $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-platform.h \
 +  $(BUILDTOP)/include/gssapi/gssapi_alloc.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \
 +  $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(srcdir)/../mechglue/mechglue.h \
 +  $(srcdir)/../mechglue/mglueP.h $(top_srcdir)/include/k5-buf.h \
 +  $(top_srcdir)/include/k5-input.h $(top_srcdir)/include/k5-platform.h \
   $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
   errmap.h gssapiP_generic.h gssapi_err_generic.h gssapi_ext.h \
   gssapi_generic.h util_errmap.c
 diff --git a/src/lib/gssapi/generic/util_errmap.c b/src/lib/gssapi/generic/util_errmap.c
 index 628a455..138310c 100644
 --- a/src/lib/gssapi/generic/util_errmap.c
 +++ b/src/lib/gssapi/generic/util_errmap.c
@@ -25,6 +25,7 @@
  */
 #include "gssapiP_generic.h"
 +#include <mglueP.h>
 #include <string.h>
 #ifndef _WIN32
 #include <unistd.h>
@@ -181,6 +182,9 @@ OM_uint32 gssint_mecherrmap_map(OM_uint32 minor, const gss_OID_desc * oid)
         f = stderr;
 #endif
 +    if (gssint_mechglue_initialize_library() != 0)
 +        return 0;
 +
     me.code = minor;
     me.mech = *oid;
     k5_mutex_lock(&mutex);
@@ -249,7 +253,7 @@ int gssint_mecherrmap_get(OM_uint32 minor, gss_OID mech_oid,
 {
     const struct mecherror *p;
 -    if (minor == 0) {
 +    if (minor == 0 || gssint_mechglue_initialize_library() != 0) {
         return EINVAL;
     }
     k5_mutex_lock(&mutex);
 -- 
 2.33.0
--- a/krb5.spec
+++ b/krb5.spec
@ -3,7 +3,7 @@
 Name:     krb5
 Version:  1.21.2
-Release:  12
+Release:  13
 Summary:  The Kerberos network authentication protocol
 License:  MIT
 URL:      http://web.mit.edu/kerberos/www/
@ -45,6 +45,9 @@ Patch21: backport-Avoid-mutex-locking-in-krb5int_trace.patch
 Patch22: backport-Fix-unlikely-password-change-leak.patch
 Patch23: backport-Allow-null-keyblocks-in-IOV-checksum-functions.patch
 Patch24: backport-Fix-krb5_ldap_list_policy-filtering-loop.patch
 Patch25: backport-Fix-various-issues-detected-by-static-analysis.patch
 Patch26: backport-Fix-krb5_crypto_us_timeofday-microseconds-check.patch
 Patch27: backport-Prevent-late-initialization-of-GSS-error-map.patch
 BuildRequires:  gettext
 BuildRequires:  gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@ -329,6 +332,9 @@ make -C src check || :
 %{_mandir}/man8/*
 %changelog
 * Wed Dec 04 2024 wangjiang <app@cameyan.com> - 1.21.2-13
 - backport upstream patches
 * Fri Nov 22 2024 liuh <liuhuan01@kylinos.cn> - 1.21.2-12
 - backport patches from upstream