diff --git a/Prevent-overflow-when-calculating-ulog-block-size.patch b/Prevent-overflow-when-calculating-ulog-block-size.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4e3b39ef202dc000dbd40a89fe4ba5c58ef686a2
--- /dev/null
+++ b/Prevent-overflow-when-calculating-ulog-block-size.patch
@@ -0,0 +1,64 @@
+From 105ba83436476f5a08759b8e97bfb0c5a69596b9 Mon Sep 17 00:00:00 2001
+From: Zoltan Borbely
+Date: Tue, 28 Jan 2025 16:39:25 -0500
+Subject: [PATCH] Prevent overflow when calculating ulog block size
+
+In kdb_log.c:resize(), log an error and fail if the update size is
+larger than the largest possible block size (2^16-1).
+
+CVE-2025-24528:
+
+In MIT krb5 release 1.7 and later with incremental propagation
+enabled, an authenticated attacker can cause kadmind to write beyond
+the end of the mapped region for the iprop log file, likely causing a
+process crash.
+
+[ghudson@mit.edu: edited commit message and added CVE description]
+
+ticket: 9159 (new)
+tags: pullup
+target_version: 1.21-next
+
+(cherry picked from commit 78ceba024b64d49612375be4a12d1c066b0bfbd0)
+---
+ src/lib/kdb/kdb_log.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
+index e9b95fce59..c805ebd988 100644
+--- a/src/lib/kdb/kdb_log.c
++++ b/src/lib/kdb/kdb_log.c
+@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
+ */
+ static krb5_error_code
+ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+- unsigned int recsize)
++ unsigned int recsize, const kdb_incr_update_t *upd)
+ {
+ unsigned int new_block, new_size;
+
+@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+ new_block *= ULOG_BLOCK;
+ new_size += ulogentries * new_block;
+
++ if (new_block > UINT16_MAX) {
++ syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
++ upd->kdb_princ_name.utf8str_t_len,
++ upd->kdb_princ_name.utf8str_t_val);
++ return KRB5_LOG_ERROR;
++ }
+ if (new_size > MAXLOGLEN)
+ return KRB5_LOG_ERROR;
+
+@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd)
+ recsize = sizeof(kdb_ent_header_t) + upd_size;
+
+ if (recsize > ulog->kdb_block) {
+- retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
++ retval = resize(ulog,
ulogentries, log_ctx->ulogfd, recsize, upd);
+ if (retval)
+ return retval;
+ }
+--
+2.48.1
+
diff --git a/Set-missing-mask-flags-for-kdb5_util-operations.patch b/Set-missing-mask-flags-for-kdb5_util-operations.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b36490e6b9c22ad1f41814eda9db834d510c1876
--- /dev/null
+++ b/Set-missing-mask-flags-for-kdb5_util-operations.patch
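Review bot: The new `if (new_block > UINT16_MAX)` guard in the second kdb_log.c hunk sits after `new_size += ulogentries * new_block;`, so an oversized block is still multiplied into new_size before it is rejected; hoisting the check to immediately after `new_block *= ULOG_BLOCK;` would validate the value before it enters any further arithmetic and make the intent of the fix easier to follow. The UINT16_MAX bound is presumably tied to a 16-bit block-size field in the ulog header, but that field is not in the hunk, so a comment such as `/* The ulog block size field is 16 bits; refuse updates whose block would not fit. */` above the check would record why this is the limit. The principal name reaches syslog unescaped through `%.*s`, and since the CVE text describes the update as attacker-influenced, log consumers should be prepared for arbitrary bytes in that message. resize() and the computation of new_block begin before the first hunk, so whether ulogentries is clamped elsewhere (which decides if `ulogentries * new_block` can still wrap before the MAXLOGLEN comparison) cannot be confirmed from these lines.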
@@ -0,0 +1,61 @@
+From 8c2dbb9260e8beab6ae7d169e9791d8756eb40a2 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Thu, 1 Aug 2024 10:56:07 +0200
+Subject: [PATCH] Set missing mask flags for kdb5_util operations
+
+Set KADM5_TL_DATA for the use_mkey and update_princ_encryption
+commands. (Commit c877f13c8985d820583b0d7ac1bb4c5dc36e677e did this
+for the add_new_mkey and purge_mkeys commands.) Set appropriate flags
+for the add_random_key command.
+
+[ghudson@mit.edu: combined two commits; pruned out proposed mask flag
+additions for values represented within key data or tl-data (like
+KADM5_MKVNO), as those flags are currently only used in the kadm5
+protocol, not to communicate with the KDB module]
+
+ticket: 9158 (new)
+(cherry picked from commit 4ed7da378940198cf4415f86d4eb013de6ac6455)
+---
+ src/kadmin/dbutil/kdb5_mkey.c | 4 +++-
+ src/kadmin/dbutil/kdb5_util.c | 3 +++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c
+index aceb0a9b80..ac5c51d05e 100644
+--- a/src/kadmin/dbutil/kdb5_mkey.c
++++ b/src/kadmin/dbutil/kdb5_mkey.c
+@@ -525,6 +525,8 @@ kdb5_use_mkey(int argc, char *argv[])
+ goto cleanup_return;
+ }
+
++ master_entry->mask |= KADM5_TL_DATA;
++
+ if ((retval = krb5_db_put_principal(util_context, master_entry))) {
+ com_err(progname, retval,
+ _("while adding master key entry to the database"));
+@@ -814,7 +816,7 @@ update_princ_encryption_1(void *cb, krb5_db_entry *ent)
+ goto fail;
+ }
+
+- ent->mask |= KADM5_KEY_DATA;
++ ent->mask |= KADM5_KEY_DATA | KADM5_TL_DATA;
+
+ if ((retval = krb5_db_put_principal(util_context, ent))) {
+ com_err(progname, retval, _("while updating principal '%s' key data "
+diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
+index a720eecf0b..0bb4244681 100644
+--- a/src/kadmin/dbutil/kdb5_util.c
++++ b/src/kadmin/dbutil/kdb5_util.c
+@@ -600,6 +600,9 @@ add_random_key(argc, argv)
+ exit_status++;
+ return;
+ }
++
++
dbent->mask |= KADM5_ATTRIBUTES | KADM5_KEY_DATA | KADM5_TL_DATA;
++
+ ret = krb5_db_put_principal(util_context, dbent);
+ krb5_db_free_principal(util_context, dbent);
+ if (ret) {
+--
+2.48.1
+
diff --git a/krb5.spec b/krb5.spec
index 86e1c27fbba88c94787738b66e7084a52d46ee14..faaa6b6a1c5a2d9ff19ae2a5313305e907ba7c49 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -19,7 +19,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18.2
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 30%{anolis_release}%{?dist}
+Release: 31%{anolis_release}%{?dist}
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -110,6 +110,8 @@ Patch163: Add-a-simple-DER-support-header.patch
 Patch164: Fix-vulnerabilities-in-GSS-message-token-handling.patch
 Patch165: Remove-PKINIT-RSA-support.patch
 Patch166: Generate-and-verify-message-MACs-in-libkrad.patch
+Patch167: Set-missing-mask-flags-for-kdb5_util-operations.patch
+Patch168: Prevent-overflow-when-calculating-ulog-block-size.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -729,9 +731,15 @@ exit 0
 %doc README NOTICE
 %changelog
-* Tue Nov 05 2024 Bo Ren - 1.18.2-30.0.1
+* Fri Mar 14 2025 Bo Ren - 1.18.2-31.0.1
 - Add doc sub package
+* Tue Feb 11 2025 Julien Rische - 1.18.2-31
+- Prevent overflow when calculating ulog block size (CVE-2025-24528)
+ Resolves: RHEL-78248
+- kdb5_util: fix DB entry flags on modification
+ Resolves: RHEL-56060
+
 * Thu Oct 17 2024 Julien Rische - 1.18.2-30
 - libkrad: implement support for Message-Authenticator (CVE-2024-3596)
 Resolves: RHEL-50253