From 5627511d5ffb3dd23701251b682a99d8b7b034af Mon Sep 17 00:00:00 2001 From: zhuhongbo Date: Mon, 14 Jul 2025 10:57:58 +0800 Subject: [PATCH] fix cve CVE-2025-4404 --- 1006-fix-cve-CVE-2025-4404.patch | 111 +++++++++++++++++++++++++++++++ ipa.spec | 6 +- 2 files changed, 116 insertions(+), 1 deletion(-) create mode 100644 1006-fix-cve-CVE-2025-4404.patch diff --git a/1006-fix-cve-CVE-2025-4404.patch b/1006-fix-cve-CVE-2025-4404.patch new file mode 100644 index 0000000..514344b --- /dev/null +++ b/1006-fix-cve-CVE-2025-4404.patch 
@@ -0,0 +1,111 @@ +From a1bfe86d798ced0229f0c242092b5a019d259057 Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 14 Jul 2025 14:01:52 +0800 +Subject: [PATCH] fix cve CVE-2025-4404 + +--- + .../updates/90-post_upgrade_plugins.update | 1 + + .../plugins/add_admin_krbcanonicalname.py | 79 +++++++++++++++++++ + 2 files changed, 80 insertions(+) + create mode 100644 ipaserver/install/plugins/add_admin_krbcanonicalname.py + +diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update +index 94bbf39..dfe11bd 100644 +--- a/install/updates/90-post_upgrade_plugins.update ++++ b/install/updates/90-post_upgrade_plugins.update +@@ -24,6 +24,7 @@ plugin: update_upload_cacrt + plugin: update_ra_cert_store + plugin: update_mapping_Guests_to_nobody + plugin: fix_kra_people_entry ++plugin: add_admin_krbcanonicalname + + # last + # DNS version 1 +diff --git a/ipaserver/install/plugins/add_admin_krbcanonicalname.py b/ipaserver/install/plugins/add_admin_krbcanonicalname.py +new file mode 100644 +index 0000000..f32dcf9 +--- /dev/null ++++ b/ipaserver/install/plugins/add_admin_krbcanonicalname.py +@@ -0,0 +1,79 @@ ++# ++# Copyright (C) 2025 FreeIPA Contributors see COPYING for license ++# ++ ++from __future__ import absolute_import ++ ++import logging ++ ++from ipalib import errors ++from ipalib import Registry ++from ipalib import Updater ++from ipapython.dn import DN ++ ++logger = logging.getLogger(__name__) ++ ++register = Registry() ++ ++ ++@register() ++class add_admin_krbcanonicalname(Updater): ++ """ ++ Ensures that only the admin user has the krbCanonicalName of ++ admin@$REALM. 
++ """ ++ ++ def execute(self, **options): ++ ldap = self.api.Backend.ldap2 ++ ++ search_filter = ( ++ "(krbcanonicalname=admin@{})".format(self.api.env.realm)) ++ try: ++ (entries, _truncated) = ldap.find_entries( ++ filter=search_filter, base_dn=self.api.env.basedn, ++ time_limit=0, size_limit=0) ++ except errors.EmptyResult: ++ logger.debug("add_admin_krbcanonicalname: No user set with " ++ "admin krbcanonicalname") ++ entries = [] ++ # fall through ++ except errors.ExecutionError as e: ++ logger.error("add_admin_krbcanonicalname: Can not get list " ++ "of krbcanonicalname: %s", e) ++ return False, [] ++ ++ admin_set = False ++ # admin should be only user with admin@ as krbcanonicalname ++ # It has a uniquness setting so there can be only one, we ++ # just didn't automatically set it for admin. ++ for entry in entries: ++ if entry.single_value.get('uid') != 'admin': ++ logger.critical( ++ "add_admin_krbcanonicalname: " ++ "entry %s has a krbcanonicalname of admin. Removing.", ++ entry.dn) ++ del entry['krbcanonicalname'] ++ ldap.update_entry(entry) ++ else: ++ admin_set = True ++ ++ if not admin_set: ++ dn = DN( ++ ('uid', 'admin'), ++ self.api.env.container_user, ++ self.api.env.basedn) ++ entry = ldap.get_entry(dn) ++ entry['krbcanonicalname'] = 'admin@%s' % self.api.env.realm ++ try: ++ ldap.update_entry(entry) ++ except errors.DuplicateEntry: ++ logger.critical( ++ "add_admin_krbcanonicalname: " ++ "Failed to set krbcanonicalname on admin. It is set " ++ "on another entry.") ++ except errors.ExecutionError as e: ++ logger.critical( ++ "add_admin_krbcanonicalname: " ++ "Failed to set krbcanonicalname on admin: %s", e) ++ ++ return False, [] +-- +2.39.3 + diff --git a/ipa.spec b/ipa.spec index 4b0cd73..4dcff37 100644 --- a/ipa.spec +++ b/ipa.spec @@ -105,7 +105,7 @@ Name: ipa Version: %{IPA_VERSION} -Release: 5%{anolis_release}%{?dist}.17 +Release: 5%{anolis_release}%{?dist}.18 Summary: The Identity, Policy and Audit system Group: System Environment/Base 
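Review bot: The loop in execute() decides which entry is the real admin by checking only the uid attribute (`entry.single_value.get('uid') != 'admin'`), while the search runs over the whole suffix (`base_dn=self.api.env.basedn`); an entry with uid=admin in any other container that carries krbcanonicalname=admin@REALM would be left in place and set admin_set, so the genuine uid=admin,cn=users entry never gets its canonical name. Since the DN of the admin entry is already constructed further down for get_entry(), build it once before the loop and compare `entry.dn` against it instead of the uid value (entry.dn is already used in the log call, so it is available on every entry). The `ldap.update_entry(entry)` that strips the attribute from a rogue entry is also unguarded, unlike the later update, so an ExecutionError there aborts the updater before admin is repaired; wrapping it and logging keeps the two update paths consistent. Whether uid=admin can legitimately exist outside the users container (staged or deleted users) is not visible here, so confirm against the tree layout before relying on the DN check alone.
```python
        admin_dn = DN(
            ('uid', 'admin'),
            self.api.env.container_user,
            self.api.env.basedn)
        admin_set = False
        for entry in entries:
            # Compare the full DN, not only the uid attribute: the search
            # base is the whole suffix, so a uid=admin entry in another
            # container must not be accepted as the real admin account.
            if entry.dn != admin_dn:
                logger.critical(
                    "add_admin_krbcanonicalname: "
                    "entry %s has a krbcanonicalname of admin. Removing.",
                    entry.dn)
                del entry['krbcanonicalname']
                try:
                    ldap.update_entry(entry)
                except errors.ExecutionError as e:
                    logger.critical(
                        "add_admin_krbcanonicalname: "
                        "Failed to remove krbcanonicalname from %s: %s",
                        entry.dn, e)
            else:
                admin_set = True

        if not admin_set:
            entry = ldap.get_entry(admin_dn)
            # … unchanged: set krbcanonicalname on admin and update_entry …
```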
@@ -169,6 +169,7 @@ Patch1002: 1002-Package-copy-schema-to-ca.py.patch Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch Patch1004: 1004-Remove-csrgen.patch Patch1005: 1005-Removing-filesystem-encoding-check.patch +Patch1006: 1006-fix-cve-CVE-2025-4404.patch # RHEL spec file only: END BuildRequires: libtool, automake, autoconf @@ -1775,6 +1776,9 @@ fi %changelog +* Mon Jul 14 2025 zhuhongbo - 4.6.8-5.el7_9.18.0.1 +- fix: fix cve CVE-2025-4404 + * Wed Jun 12 2024 yangxianzhao - 4.6.8-5.el7_9.17.0.1 - rebrand to anolis -- Gitee