From ce9192ac2ce7c3d6a5461039309fc644574a000e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=AF=E5=B7=9D=E4=B8=8010346279?= Date: Wed, 15 May 2024 15:49:43 +0800 Subject: [PATCH 1/7] Bugfix for CVE-2024-26462 --- fix-CVE-2024-26462.patch | 18 ++++++++++++++++++ krb5.spec | 4 ++++ 2 files changed, 22 insertions(+) create mode 100644 fix-CVE-2024-26462.patch diff --git a/fix-CVE-2024-26462.patch b/fix-CVE-2024-26462.patch new file mode 100644 index 0000000..04d2df8 --- /dev/null +++ b/fix-CVE-2024-26462.patch @@ -0,0 +1,18 @@ +--- ndr.c 2023-08-15 00:16:43.000000000 +0800 ++++ ndr_2.c 2024-05-15 15:36:35.505970354 +0800 +@@ -96,14 +96,13 @@ + size_t utf16len, num_wchars; + uint8_t *utf16; + +- k5_buf_init_dynamic(&b); +- + ret = k5_utf8_to_utf16le(utf8, &utf16, &utf16len); + if (ret) + return ret; + + num_wchars = utf16len / 2; + ++ k5_buf_init_dynamic(&b); + k5_buf_add_uint32_le(&b, num_wchars + 1); + k5_buf_add_uint32_le(&b, 0); + k5_buf_add_uint32_le(&b, num_wchars); diff --git a/krb5.spec b/krb5.spec index de33fdf..2237dba 100644 --- a/krb5.spec +++ b/krb5.spec @@ -44,6 +44,7 @@ Patch13: 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch Patch14: 0014-downstream-Include-missing-OpenSSL-FIPS-header.patch Patch15: 0015-downstream-Do-not-set-root-as-ksu-file-owner.patch Patch16: 0016-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch +Patch17: fix-CVE-2024-26462.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -679,6 +680,9 @@ exit 0 %{_datarootdir}/%{name}-tests/ %changelog +* Wed May 15 2024 Chuanyi Feng - 1.21.2-2 +- Fix CVE-2024-26462 + * Wed Mar 13 2024 dash - 1.21.2-1 - New version 1.21.2 -- Gitee From 2c2a837036fb3ae60089ed3eb87a2053a2b297a2 Mon Sep 17 00:00:00 2001 From: liuyyoo Date: Wed, 15 May 2024 08:32:26 +0000 Subject: [PATCH 2/7] update fix-CVE-2024-26462.patch. Signed-off-by: liuyyoo --- fix-CVE-2024-26462.patch | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/fix-CVE-2024-26462.patch b/fix-CVE-2024-26462.patch index 04d2df8..a1e1256 100644 --- a/fix-CVE-2024-26462.patch +++ b/fix-CVE-2024-26462.patch @@ -1,18 +1,20 @@ ---- ndr.c 2023-08-15 00:16:43.000000000 +0800 -+++ ndr_2.c 2024-05-15 15:36:35.505970354 +0800 -@@ -96,14 +96,13 @@ +diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c +index 48395ab..d438408 100644 +--- a/src/kdc/ndr.c ++++ b/src/kdc/ndr.c +@@ -96,14 +96,13 @@ enc_wchar_pointer(const char *utf8, struct encoded_wchars *encoded_out) size_t utf16len, num_wchars; uint8_t *utf16; - + - k5_buf_init_dynamic(&b); - ret = k5_utf8_to_utf16le(utf8, &utf16, &utf16len); if (ret) return ret; - + num_wchars = utf16len / 2; - + + k5_buf_init_dynamic(&b); k5_buf_add_uint32_le(&b, num_wchars + 1); k5_buf_add_uint32_le(&b, 0); - k5_buf_add_uint32_le(&b, num_wchars); + k5_buf_add_uint32_le(&b, num_wchars); \ No newline at end of file -- Gitee From 932143474dc91d15ded81d08ef364f6a33a91fa1 Mon Sep 17 00:00:00 2001 From: liuyyoo Date: Wed, 15 May 2024 08:47:06 +0000 Subject: [PATCH 3/7] update krb5.spec. Signed-off-by: liuyyoo --- krb5.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krb5.spec b/krb5.spec index 2237dba..a9a0c8b 100644 --- a/krb5.spec +++ b/krb5.spec @@ -599,7 +599,7 @@ exit 0 %{abidir}/kdb5_ldap_util-option.list %files libs -f %{gettext_domain}.lang -%license LICENSE +%license MIT %dir %{abidir} # These are hard-coded, not-dependent-on-the-configure-script paths. %dir /etc/gss -- Gitee From be6274730ccf0069a9de75a6b8272aa85e34cf33 Mon Sep 17 00:00:00 2001 From: liuyyoo Date: Wed, 15 May 2024 09:05:27 +0000 Subject: [PATCH 4/7] update krb5.spec. Signed-off-by: liuyyoo --- krb5.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/krb5.spec b/krb5.spec index a9a0c8b..5fe4f89 100644 --- a/krb5.spec +++ b/krb5.spec @@ -13,7 +13,7 @@ Summary: The Kerberos network authentication system Name: krb5 -Version: 1.21.2 +Version: 1.21.3 Release: %{anolis_release}%{?dist} # rharwood has trust path to signing key and verifies on check-in @@ -680,7 +680,7 @@ exit 0 %{_datarootdir}/%{name}-tests/ %changelog -* Wed May 15 2024 Chuanyi Feng - 1.21.2-2 +* Wed May 15 2024 Chuanyi Feng - 1.21.3-1 - Fix CVE-2024-26462 * Wed Mar 13 2024 dash - 1.21.2-1 -- Gitee From fd8e8bf7b166f08e950a64ddeddcbd599f6991cf Mon Sep 17 00:00:00 2001 From: liuyyoo Date: Wed, 15 May 2024 09:46:28 +0000 Subject: [PATCH 5/7] update krb5.spec. Signed-off-by: liuyyoo --- krb5.spec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/krb5.spec b/krb5.spec index 5fe4f89..e52a3fa 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 # Set this so that find-lang.sh will recognize the .po files. %global gettext_domain mit-krb5 @@ -13,7 +13,7 @@ Summary: The Kerberos network authentication system Name: krb5 -Version: 1.21.3 +Version: 1.21.2 Release: %{anolis_release}%{?dist} # rharwood has trust path to signing key and verifies on check-in @@ -599,7 +599,7 @@ exit 0 %{abidir}/kdb5_ldap_util-option.list %files libs -f %{gettext_domain}.lang -%license MIT +%license LICENSE %dir %{abidir} # These are hard-coded, not-dependent-on-the-configure-script paths. %dir /etc/gss @@ -680,7 +680,7 @@ exit 0 %{_datarootdir}/%{name}-tests/ %changelog -* Wed May 15 2024 Chuanyi Feng - 1.21.3-1 +* Wed May 15 2024 Chuanyi Feng - 1.21.2-2 - Fix CVE-2024-26462 * Wed Mar 13 2024 dash - 1.21.2-1 -- Gitee From 0de1c5c9990dd2056ed59bd02f68f48b6a0755bf Mon Sep 17 00:00:00 2001 From: liuyyoo Date: Thu, 16 May 2024 01:48:00 +0000 Subject: [PATCH 6/7] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20fix-?= =?UTF-8?q?CVE-2024-26462.patch?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- fix-CVE-2024-26462.patch | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 fix-CVE-2024-26462.patch diff --git a/fix-CVE-2024-26462.patch b/fix-CVE-2024-26462.patch deleted file mode 100644 index a1e1256..0000000 --- a/fix-CVE-2024-26462.patch +++ /dev/null @@ -1,20 +0,0 @@ -diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c -index 48395ab..d438408 100644 ---- a/src/kdc/ndr.c -+++ b/src/kdc/ndr.c -@@ -96,14 +96,13 @@ enc_wchar_pointer(const char *utf8, struct encoded_wchars *encoded_out) - size_t utf16len, num_wchars; - uint8_t *utf16; - -- k5_buf_init_dynamic(&b); -- - ret = k5_utf8_to_utf16le(utf8, &utf16, &utf16len); - if (ret) - return ret; - - num_wchars = utf16len / 2; - -+ k5_buf_init_dynamic(&b); - k5_buf_add_uint32_le(&b, num_wchars + 1); - k5_buf_add_uint32_le(&b, 0); - k5_buf_add_uint32_le(&b, num_wchars); \ No newline at end of file -- Gitee From 68661c7c296a7b073d143d181ef9d33668035bde Mon Sep 17 00:00:00 2001 From: liuyyoo Date: Thu, 16 May 2024 01:55:37 +0000 Subject: [PATCH 7/7] update krb5.spec. Signed-off-by: liuyyoo --- krb5.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/krb5.spec b/krb5.spec index e52a3fa..03940b3 100644 --- a/krb5.spec +++ b/krb5.spec @@ -44,7 +44,6 @@ Patch13: 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch Patch14: 0014-downstream-Include-missing-OpenSSL-FIPS-header.patch Patch15: 0015-downstream-Do-not-set-root-as-ksu-file-owner.patch Patch16: 0016-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch -Patch17: fix-CVE-2024-26462.patch License: MIT URL: https://web.mit.edu/kerberos/www/ -- Gitee