backport patches to fix bugs

Signed-off-by: xuraoqing <xuraoqing@huawei.com>
2024-10-25 14:51:11 +08:00 · 2024-10-25 14:51:11 +08:00 · 988a61df65
commit 988a61df65
parent 029ea8b56b
3 changed files with 107 additions and 3 deletions
--- a/backport-CLIENT-idmap-fix-coverity-warning.patch
+++ b/backport-CLIENT-idmap-fix-coverity-warning.patch
@ -0,0 +1,51 @@
+From 7c913edc84e0201020b5ab770dd0823911387781 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 22 May 2024 20:19:05 +0200
+Subject: [PATCH] CLIENT:idmap: fix coverity warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes following issue:
+```
+"Error: INTEGER_OVERFLOW (CWE-190):
+sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:306:5: tainted_data_argument: The value returned in ""replen"" is considered tainted.
+sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:331:5: overflow: The expression ""replen - 12UL"" might be negative, but is used in a context that treats it as unsigned.
+sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:331:5: assign: Assigning: ""data_len"" = ""replen - 12UL"".
+sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:347:9: overflow: The expression ""1UL * data_len"" is deemed underflowed because at least one of its arguments has underflowed.
+sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:347:9: overflow_sink: ""1UL * data_len"", which might have underflowed, is passed to ""malloc(1UL * data_len)"".
+ #  345|           }
+ #  346|
+ #  347|->         str = malloc(sizeof(char) * data_len);
+ #  348|           if (str == NULL) {
+ #  349|               ret = ENOMEM;"
+```
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+
+Reference: https://github.com/SSSD/sssd/commit/7c913edc84e0201020b5ab770dd0823911387781
+Conflict: NA
+
+---
+ src/sss_client/idmap/sss_nss_idmap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/sss_client/idmap/sss_nss_idmap.c b/src/sss_client/idmap/sss_nss_idmap.c
+index 575d03057..604933c6d 100644
+--- a/src/sss_client/idmap/sss_nss_idmap.c
+++ b/src/sss_client/idmap/sss_nss_idmap.c
+@@ -324,6 +324,11 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd,
+         goto done;
+     }
+ 
+    if (replen < DATA_START) { /* make sure 'type' is present */
+        ret = EBADMSG;
+        goto done;
+    }
+
+     /* Skip first two 32 bit values (number of results and
+      * reserved padding) */
+     SAFEALIGN_COPY_UINT32(&out->type, repbuf + 2 * sizeof(uint32_t), NULL);
+-- 
+2.33.0
+
--- a/backport-SSH-sanity-check-to-please-coverity.patch
+++ b/backport-SSH-sanity-check-to-please-coverity.patch
@ -0,0 +1,48 @@
+From 19df6a5d2ed220e6236aa1c921b7abdeba233dd1 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 22 May 2024 21:13:31 +0200
+Subject: [PATCH] SSH: sanity check to please coverity
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes:
+```
+Error: INTEGER_OVERFLOW (CWE-190):
+sssd-2.10.0/src/util/sss_ssh.c:195:13: underflow: The decrement operator on the unsigned variable ""len"" might result in an underflow.
+sssd-2.10.0/src/util/sss_ssh.c:204:9: overflow_sink: ""len"", which might have underflowed, is passed to ""memcpy(out, pubkey->data, len)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
+ #  202|           }
+ #  203|
+ #  204|->         memcpy(out, pubkey->data, len);
+ #  205|           out[len] = '\0';
+ #  206|       }
+```
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Justin Stephenson <jstephen@redhat.com>
+
+Reference: https://github.com/SSSD/sssd/commit/19df6a5d2ed220e6236aa1c921b7abdeba233dd1
+Conflict: NA
+
+---
+ src/util/sss_ssh.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/util/sss_ssh.c b/src/util/sss_ssh.c
+index 9df397873..f9c0918fd 100644
+--- a/src/util/sss_ssh.c
+++ b/src/util/sss_ssh.c
+@@ -191,6 +191,10 @@ sss_ssh_format_pubkey(TALLOC_CTX *mem_ctx,
+         }
+ 
+         len = pubkey->data_len;
+        if (len == 0) {
+            ret = EINVAL;
+            goto done;
+        }
+         if (pubkey->data[len - 1] == '\n') {
+             len--;
+         }
+-- 
+2.33.0
+
--- a/sssd.spec
+++ b/sssd.spec
@ -8,7 +8,7 @@

 Name: sssd
 Version: 2.9.4
-Release: 7
+Release: 8
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
@ -18,8 +18,10 @@ Patch0001: backport-CVE-2023-3758.patch
 Patch0002: backport-UTILS-inotify-avoid-potential-NULL-deref.patch
 Patch0003: backport-ad-refresh-root-domain-when-read-directly.patch
 Patch0004: backport-RESPONDER-use-proper-context-for-getDomains.patch
-Patch0005: backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
-Patch0006: backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch
+Patch0005: backport-SSH-sanity-check-to-please-coverity.patch
+Patch0006: backport-CLIENT-idmap-fix-coverity-warning.patch
+Patch0007: backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
+Patch0008: backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch

 Requires: sssd-ad = %{version}-%{release}
 Requires: sssd-common = %{version}-%{release}
@ -919,6 +921,9 @@ fi
 %systemd_postun_with_restart sssd.service

 %changelog
+* Fri Oct 25 2024 xuraoqing <xuraoqing@huawei.com> - 2.9.4-8
+- backport patches to fix bugs
+
 * Wed Sep 25 2024 xuraoqing <xuraoqing@huawei.com> - 2.9.4-7
 - backport patches to fix bugs