From de68477bf5290826247832f0fb7725112d565090 Mon Sep 17 00:00:00 2001 From: Zhao Hnag Date: Fri, 14 Mar 2025 15:02:25 +0800 Subject: [PATCH 1/2] [CVE]update to krb5-1.18.2-31 to #IBTEID update to krb5-1.18.2-31 for CVE-2025-24528 Project: TC2024080204 Signed-off-by: Zhao Hnag --- ...low-when-calculating-ulog-block-size.patch | 64 +++++++++++++++++++ ...-mask-flags-for-kdb5_util-operations.patch | 61 ++++++++++++++++++ krb5.spec | 23 +++---- 3 files changed, 134 insertions(+), 14 deletions(-) create mode 100644 Prevent-overflow-when-calculating-ulog-block-size.patch create mode 100644 Set-missing-mask-flags-for-kdb5_util-operations.patch diff --git a/Prevent-overflow-when-calculating-ulog-block-size.patch b/Prevent-overflow-when-calculating-ulog-block-size.patch new file mode 100644 index 0000000..4e3b39e --- /dev/null +++ b/Prevent-overflow-when-calculating-ulog-block-size.patch 
@@ -0,0 +1,64 @@ +From 105ba83436476f5a08759b8e97bfb0c5a69596b9 Mon Sep 17 00:00:00 2001 +From: Zoltan Borbely +Date: Tue, 28 Jan 2025 16:39:25 -0500 +Subject: [PATCH] Prevent overflow when calculating ulog block size + +In kdb_log.c:resize(), log an error and fail if the update size is +larger than the largest possible block size (2^16-1). + +CVE-2025-24528: + +In MIT krb5 release 1.7 and later with incremental propagation +enabled, an authenticated attacker can cause kadmind to write beyond +the end of the mapped region for the iprop log file, likely causing a +process crash. + +[ghudson@mit.edu: edited commit message and added CVE description] + +ticket: 9159 (new) +tags: pullup +target_version: 1.21-next + +(cherry picked from commit 78ceba024b64d49612375be4a12d1c066b0bfbd0) +--- + src/lib/kdb/kdb_log.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c +index e9b95fce59..c805ebd988 100644 +--- a/src/lib/kdb/kdb_log.c ++++ b/src/lib/kdb/kdb_log.c +@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size) + */ + static krb5_error_code + resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd, +- unsigned int recsize) ++ unsigned int recsize, const kdb_incr_update_t *upd) + { + unsigned int new_block, new_size; + +@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd, + new_block *= ULOG_BLOCK; + new_size += ulogentries * new_block; + ++ if (new_block > UINT16_MAX) { ++ syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"), ++ upd->kdb_princ_name.utf8str_t_len, ++ upd->kdb_princ_name.utf8str_t_val); ++ return KRB5_LOG_ERROR; ++ } + if (new_size > MAXLOGLEN) + return KRB5_LOG_ERROR; + +@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd) + recsize = sizeof(kdb_ent_header_t) + upd_size; + + if (recsize > ulog->kdb_block) { +- retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize); ++ retval = resize(ulog, 
ulogentries, log_ctx->ulogfd, recsize, upd); + if (retval) + return retval; + } +-- +2.48.1 + diff --git a/Set-missing-mask-flags-for-kdb5_util-operations.patch b/Set-missing-mask-flags-for-kdb5_util-operations.patch new file mode 100644 index 0000000..b36490e --- /dev/null +++ b/Set-missing-mask-flags-for-kdb5_util-operations.patch 
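Review bot: The added `if (new_block > UINT16_MAX)` guard in resize() has no comment saying why 2^16-1 is the limit, so the next reader has to recover the reason from the commit message; I'd put `/* kdb_block is a 16-bit field; a larger block would be truncated on store and later entry writes would run past the mapped ulog (CVE-2025-24528). */` above the check, and since the 16-bit width is only stated in the commit message rather than visible in this hunk, confirm it against kdb_hlog_t before keeping that wording. The guard also sits after `new_size += ulogentries * new_block;` has already been computed, so hoisting it above that line would avoid doing the multiplication with a value about to be rejected; this is tidiness only, since the arithmetic is unsigned and the existing MAXLOGLEN check follows. The `%.*s` precision argument is `upd->kdb_princ_name.utf8str_t_len`; if that field is the rpcgen `u_int`, a `(int)` cast would keep -Wformat quiet, but as this is a verbatim cherry-pick of upstream 78ceba02 I'd keep the backport byte-identical and raise both points upstream. Both resize() and store_update() begin and end outside the hunk.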
@@ -0,0 +1,61 @@ +From 8c2dbb9260e8beab6ae7d169e9791d8756eb40a2 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Thu, 1 Aug 2024 10:56:07 +0200 +Subject: [PATCH] Set missing mask flags for kdb5_util operations + +Set KADM5_TL_DATA for the use_mkey and update_princ_encryption +commands. (Commit c877f13c8985d820583b0d7ac1bb4c5dc36e677e did this +for the add_new_mkey and purge_mkeys commands.) Set appropriate flags +for the add_random_key command. + +[ghudson@mit.edu: combined two commits; pruned out proposed mask flag +additions for values represented within key data or tl-data (like +KADM5_MKVNO), as those flags are currently only used in the kadm5 +protocol, not to communicate with the KDB module] + +ticket: 9158 (new) +(cherry picked from commit 4ed7da378940198cf4415f86d4eb013de6ac6455) +--- + src/kadmin/dbutil/kdb5_mkey.c | 4 +++- + src/kadmin/dbutil/kdb5_util.c | 3 +++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c +index aceb0a9b80..ac5c51d05e 100644 +--- a/src/kadmin/dbutil/kdb5_mkey.c ++++ b/src/kadmin/dbutil/kdb5_mkey.c +@@ -525,6 +525,8 @@ kdb5_use_mkey(int argc, char *argv[]) + goto cleanup_return; + } + ++ master_entry->mask |= KADM5_TL_DATA; ++ + if ((retval = krb5_db_put_principal(util_context, master_entry))) { + com_err(progname, retval, + _("while adding master key entry to the database")); +@@ -814,7 +816,7 @@ update_princ_encryption_1(void *cb, krb5_db_entry *ent) + goto fail; + } + +- ent->mask |= KADM5_KEY_DATA; ++ ent->mask |= KADM5_KEY_DATA | KADM5_TL_DATA; + + if ((retval = krb5_db_put_principal(util_context, ent))) { + com_err(progname, retval, _("while updating principal '%s' key data " +diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c +index a720eecf0b..0bb4244681 100644 +--- a/src/kadmin/dbutil/kdb5_util.c ++++ b/src/kadmin/dbutil/kdb5_util.c +@@ -600,6 +600,9 @@ add_random_key(argc, argv) + exit_status++; + return; + } ++ ++ 
dbent->mask |= KADM5_ATTRIBUTES | KADM5_KEY_DATA | KADM5_TL_DATA; ++ + ret = krb5_db_put_principal(util_context, dbent); + krb5_db_free_principal(util_context, dbent); + if (ret) { +-- +2.48.1 + diff --git a/krb5.spec b/krb5.spec index 86e1c27..73bf4cf 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 %global WITH_DIRSRV 1 # Set this so that find-lang.sh will recognize the .po files. @@ -19,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.2 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 30%{anolis_release}%{?dist} +Release: 31%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -110,6 +109,8 @@ Patch163: Add-a-simple-DER-support-header.patch Patch164: Fix-vulnerabilities-in-GSS-message-token-handling.patch Patch165: Remove-PKINIT-RSA-support.patch Patch166: Generate-and-verify-message-MACs-in-libkrad.patch +Patch167: Set-missing-mask-flags-for-kdb5_util-operations.patch +Patch168: Prevent-overflow-when-calculating-ulog-block-size.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -291,13 +292,6 @@ Kerberos is a network authentication system. The libkadm5 package contains only the libkadm5clnt and libkadm5serv shared objects. This interface is not considered stable. -%package doc -Summary: Documents for %{name} -BuildArch: noarch - -%description doc -Doc pages for %{name}. - %prep %autosetup -S git -n %{name}-%{version}%{prerelease} -a 3 ln NOTICE LICENSE @@ -653,6 +647,7 @@ exit 0 %{_sbindir}/kdb5_ldap_util %files libs -f %{gettext_domain}.lang +%doc README NOTICE %{!?_licensedir:%global license %%doc} %license LICENSE %docdir %{_mandir} 
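Review bot: The three new `mask |=` lines say nothing about why the flags matter, and a reader of kdb5_util.c has no hint that omitting one can silently leave part of a principal entry unwritten; I'd add a one-line comment at each site such as `/* Tell the KDB module which fields changed; a module may persist only the masked fields. */`, phrased as a "may" because the per-backend behaviour is not visible in this hunk. For add_random_key the hunk sets KADM5_ATTRIBUTES alongside KADM5_KEY_DATA and KADM5_TL_DATA while the commit message only says "appropriate flags", so it is worth confirming that the command actually modifies attributes rather than handing the module an unneeded bit. The change is a cherry-pick of upstream 4ed7da37 into 1.18.2, so any wording fix belongs upstream rather than in this backport. kdb5_use_mkey, update_princ_encryption_1 and add_random_key all begin and end outside the hunk.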
@@ -725,12 +720,12 @@ exit 0 %{_libdir}/libkadm5clnt_mit.so.* %{_libdir}/libkadm5srv_mit.so.* -%files doc -%doc README NOTICE - %changelog -* Tue Nov 05 2024 Bo Ren - 1.18.2-30.0.1 -- Add doc sub package +* Tue Feb 11 2025 Julien Rische - 1.18.2-31 +- Prevent overflow when calculating ulog block size (CVE-2025-24528) + Resolves: RHEL-78248 +- kdb5_util: fix DB entry flags on modification + Resolves: RHEL-56060 * Thu Oct 17 2024 Julien Rische - 1.18.2-30 - libkrad: implement support for Message-Authenticator (CVE-2024-3596) -- Gitee From 1b55fa71ea8712eb3b0255edb59e2d79286ae643 Mon Sep 17 00:00:00 2001 From: Bo Ren Date: Tue, 19 Jul 2022 14:05:24 +0800 Subject: [PATCH 2/2] spec: add doc sub package Signed-off-by: Bo Ren --- krb5.spec | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/krb5.spec b/krb5.spec index 73bf4cf..faaa6b6 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 %global WITH_DIRSRV 1 # Set this so that find-lang.sh will recognize the .po files. @@ -18,7 +19,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.2 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 31%{?dist} +Release: 31%{anolis_release}%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -292,6 +293,13 @@ Kerberos is a network authentication system. The libkadm5 package contains only the libkadm5clnt and libkadm5serv shared objects. This interface is not considered stable. +%package doc +Summary: Documents for %{name} +BuildArch: noarch + +%description doc +Doc pages for %{name}. + %prep %autosetup -S git -n %{name}-%{version}%{prerelease} -a 3 ln NOTICE LICENSE 
@@ -647,7 +655,6 @@ exit 0 %{_sbindir}/kdb5_ldap_util %files libs -f %{gettext_domain}.lang -%doc README NOTICE %{!?_licensedir:%global license %%doc} %license LICENSE %docdir %{_mandir} @@ -720,7 +727,13 @@ exit 0 %{_libdir}/libkadm5clnt_mit.so.* %{_libdir}/libkadm5srv_mit.so.* +%files doc +%doc README NOTICE + %changelog +* Fri Mar 14 2025 Bo Ren - 1.18.2-31.0.1 +- Add doc sub package + * Tue Feb 11 2025 Julien Rische - 1.18.2-31 - Prevent overflow when calculating ulog block size (CVE-2025-24528) Resolves: RHEL-78248 -- Gitee