rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import Oracle_OSS ipa-4.12.2-22.0.1.el9_7.3

Browse Source
This commit is contained in:
AlmaLinux RelEng Bot 2026-03-12 12:37:57 -04:00
parent 04912c0a48
commit 2cb0008a67
22 changed files with 1225 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
SOURCES/0112-ipa-graceperiod-fix-memory-leaks.patch Normal file
View File

@ -0,0 +1,41 @@
From 15170f11de1a8cf9eccf9eef761f46e5f2c8fb7d Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Sat, 8 Nov 2025 00:40:42 +0100
Subject: [PATCH] ipa-graceperiod: fix memory leaks
Direct return of invalid grace limit bypassed cleanup code.
`tmpstr` variable was not freed in all code paths.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
index 7a2d4f2aaea677d1fb3553fe49e6aa17c3e7a38c..bb8559e3e4c665b3aedc0d5ce66f4b9a6bb64bfe 100644
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
@@ -448,7 +448,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
goto done;
} else if (grace_limit < -1) {
LOG_FATAL("Invalid passwordGraceLimit value %ld\n", grace_limit);
- return LDAP_OPERATIONS_ERROR;
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
}
grace_user_time = slapi_entry_attr_get_int(target_entry, "passwordGraceUserTime");
@@ -500,6 +501,7 @@ done:
slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags);
}
if (sdn) slapi_sdn_free(&sdn);
+ slapi_ch_free_string(&tmpstr);
LOG("preop returning %d: %s\n", ret, errstr ? errstr : "success\n");
--
2.52.0

38
SOURCES/0113-ipa-lockout-fix-memory-leaks.patch Normal file
View File

@ -0,0 +1,38 @@
From a7587b78b4c2c46e2ec9612903b10b75e3adf973 Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Sat, 8 Nov 2025 00:44:35 +0100
Subject: [PATCH] ipa-lockout: fix memory leaks
Move cleanup of `unlock_time` to `done` label to ensure cleanup in all code paths.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
index ecb6d6df52b7e3c2239884e173c8498e651dff34..5142c79bcfcfa985a35d45f689a7c1d1ad3f4feb 100644
--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
@@ -813,7 +813,6 @@ static int ipalockout_preop(Slapi_PBlock *pb)
goto done;
}
}
- slapi_ch_free_string(&unlock_time);
}
max_fail = slapi_entry_attr_get_uint(policy_entry, "krbPwdMaxFailure");
@@ -840,6 +839,7 @@ static int ipalockout_preop(Slapi_PBlock *pb)
done:
if (lastfail) slapi_ch_free_string(&lastfail);
+ if (unlock_time) slapi_ch_free_string(&unlock_time);
slapi_entry_free(target_entry);
slapi_entry_free(policy_entry);
if (values != NULL) {
--
2.52.0

75
SOURCES/0114-ipa-pwd-extop-fix-memory-leaks.patch Normal file
View File

@ -0,0 +1,75 @@
From 2f32a199b443ede395e9f5f252a4e88394729766 Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Sat, 8 Nov 2025 00:46:35 +0100
Subject: [PATCH] ipa-pwd-extop: fix memory leaks
`cur_pw` was allocated but not freed after password validation.
`principal_expire` was allocated but not freed in all code paths.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 1 +
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 5 +++++
2 files changed, 6 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index ca48a12a68ffeca8dcb3f0ed46d789973aab2192..b2aa1c05fef6ccc6b1dfa583c00eba8a02f9cf2b 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -485,6 +485,7 @@ parse_req_done:
slapi_value_free(&cpw[0]);
slapi_value_free(&pw);
+ slapi_ch_free_string(&cur_pw);
if (ret != 0) {
LOG_TRACE("Invalid password for '%s'!\n", dn);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 0fdb7840bbe3d800270f60c58c1438a2d8267ba2..9e376efaf75643326c327d5594fbe1339ab63369 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1516,6 +1516,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
if (current_time > expire_time && expire_time > 0) {
LOG_FATAL("kerberos principal in %s is expired\n", dn);
+ slapi_ch_free_string(&principal_expire);
slapi_entry_free(entry);
slapi_sdn_free(&sdn);
slapi_send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
@@ -1535,6 +1536,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
if (ret != 0) {
LOG_FATAL("ipapwd_gen_checks failed for '%s': %s\n",
slapi_sdn_get_dn(sdn), errMesg);
+ slapi_ch_free_string(&principal_expire);
slapi_entry_free(entry);
slapi_sdn_free(&sdn);
return 0;
@@ -1591,6 +1593,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
/* Authenticate the user. */
ret = ipapwd_authenticate(dn, entry, credentials);
if (ret) {
+ slapi_ch_free_string(&principal_expire);
slapi_entry_free(entry);
slapi_sdn_free(&sdn);
return 0;
@@ -1614,12 +1617,14 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
}
#endif
+ slapi_ch_free_string(&principal_expire);
slapi_entry_free(entry);
slapi_sdn_free(&sdn);
return 0;
invalid_creds:
free_ipapwd_krbcfg(&krbcfg);
+ slapi_ch_free_string(&principal_expire);
slapi_entry_free(entry);
slapi_sdn_free(&sdn);
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
--
2.52.0

91
SOURCES/0115-ipa-sidgen-fix-memory-leaks.patch Normal file
View File

@ -0,0 +1,91 @@
From e13bd8ca5414b7396a1550ebe9e77f605be6ee48 Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Sat, 8 Nov 2025 00:48:33 +0100
Subject: [PATCH] ipa-sidgen: fix memory leaks
In various code paths the `ctx` structure was freed, but not
`ctx->base_dn` which may have been allocated.
`sid` was duplicated, but the original memory was never freed.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c | 9 ++++++++-
daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 2 +-
daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c | 3 ++-
3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
index 35ecef228d7fac1e7009dbf97983089755aa6768..9c6354e014b55e92c6580720bca18b9b1843f7c5 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
@@ -66,6 +66,8 @@ static int ipa_sidgen_close(Slapi_PBlock *pb)
if (ret == 0) {
free_ranges(&ctx->ranges);
slapi_ch_free_string(&ctx->dom_sid);
+ slapi_ch_free_string(&ctx->base_dn);
+ free(ctx);
} else {
LOG_FATAL("Missing private plugin context.\n");
}
@@ -202,7 +204,10 @@ static int ipa_sidgen_init_ctx(Slapi_PBlock *pb, struct ipa_sidgen_ctx **_ctx)
done:
if (ret != 0) {
- free(ctx);
+ if (ctx) {
+ slapi_ch_free_string(&ctx->base_dn);
+ free(ctx);
+ }
} else {
*_ctx = ctx;
}
@@ -235,6 +240,8 @@ int ipa_sidgen_init(Slapi_PBlock *pb)
(void *) ipa_sidgen_add_post_op) != 0 ||
slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, ctx) != 0) {
LOG_FATAL("failed to register plugin\n");
+ slapi_ch_free_string(&ctx->base_dn);
+ free(ctx);
ret = EFAIL;
}
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
index aec862796a8364de84e26fbca96a270a8fb508fc..fbae87e4d8ae71d9956b7ab97711cdc78f7dc506 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
@@ -74,7 +74,7 @@ struct range_info {
struct ipa_sidgen_ctx {
Slapi_ComponentId *plugin_id;
- const char *base_dn;
+ char *base_dn;
char *dom_sid;
struct range_info **ranges;
};
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
index 13f4de5416606df1911f14f60ab1af1a8ba0184b..b26c2df52b200be682bd8d39763c5303e9f2afc4 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
@@ -51,7 +51,7 @@ int get_dom_sid(Slapi_ComponentId *plugin_id, const char *base_dn, char **_sid)
int search_result;
Slapi_Entry **search_entries = NULL;
int ret;
- const char *sid;
+ char *sid = NULL;
search_pb = slapi_pblock_new();
if (search_pb == NULL) {
@@ -114,6 +114,7 @@ int get_dom_sid(Slapi_ComponentId *plugin_id, const char *base_dn, char **_sid)
ret = 0;
done:
+ slapi_ch_free_string(&sid);
slapi_free_search_results_internal(search_pb);
slapi_pblock_destroy(search_pb);
--
2.52.0

70
SOURCES/0116-ipa-range-check-fix-memory-leak.patch Normal file
View File

@ -0,0 +1,70 @@
From 0fc7c49f4805fa4633b4b816d6edb35633bd975d Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Sat, 8 Nov 2025 00:57:49 +0100
Subject: [PATCH] ipa-range-check: fix memory leak
`ipa_range_check_close` function didn't do any cleanup.
The `ctx` structure was freed, but not `ctx->base_dn` which may have
been allocated.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
.../ipa-range-check/ipa_range_check.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
index 5b53a2fe58e1ad0ad6067ea75287f023402bb1c4..37840cd4716741d4d3584a1cac4f447a4a733f9f 100644
--- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
+++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
@@ -76,7 +76,7 @@ Slapi_PluginDesc ipa_range_check_plugin_desc = {
struct ipa_range_check_ctx {
Slapi_ComponentId *plugin_id;
- const char *base_dn;
+ char *base_dn;
};
typedef enum {
@@ -469,6 +469,15 @@ static int ipa_range_check_start(Slapi_PBlock *pb)
static int ipa_range_check_close(Slapi_PBlock *pb)
{
+ int ret;
+ struct ipa_range_check_ctx *ctx;
+
+ ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx);
+ if (ret == 0 && ctx != NULL) {
+ slapi_ch_free_string(&ctx->base_dn);
+ free(ctx);
+ }
+
return 0;
}
@@ -752,7 +761,10 @@ static int ipa_range_check_init_ctx(Slapi_PBlock *pb,
done:
if (ret != 0) {
- free(ctx);
+ if (ctx) {
+ slapi_ch_free_string(&ctx->base_dn);
+ free(ctx);
+ }
} else {
*_ctx = ctx;
}
@@ -787,6 +799,8 @@ int ipa_range_check_init(Slapi_PBlock *pb)
(void *) ipa_range_check_add_pre_op) != 0 ||
slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, rc_ctx) != 0) {
LOG_FATAL("failed to register plugin\n");
+ slapi_ch_free_string(&rc_ctx->base_dn);
+ free(rc_ctx);
ret = EFAIL;
}
--
2.52.0

94
SOURCES/0117-ipa-extdom-extop-fix-memory-leaks.patch Normal file
View File

@ -0,0 +1,94 @@
From c1e1ff6121640d6a07d8c17edd5f15713649182e Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Sat, 8 Nov 2025 00:59:58 +0100
Subject: [PATCH] ipa-extdom-extop: fix memory leaks
In various code paths the `ctx` structure was freed, but not `ctx`
resources (`base_dn`, `nss_ctx`, `extdom_instance_counter`) which may
have been allocated.
Plugin didn't have SLAPI_PLUGIN_CLOSE_FN registered, so context was
never freed on server shutdown.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
.../ipa-extdom-extop/ipa_extdom_extop.c | 39 ++++++++++++++++++-
1 file changed, 38 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
index 5d22f9f2d5a107cc265c9d257bdf20918cb74333..a180e3307ce1e9d6b9fb4569c909526f41c01c3d 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
@@ -171,6 +171,26 @@ static int ipa_extdom_start(Slapi_PBlock *pb)
return LDAP_SUCCESS;
}
+static int ipa_extdom_close(Slapi_PBlock *pb)
+{
+ int ret;
+ struct ipa_extdom_ctx *ctx;
+
+ ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx);
+ if (ret == 0 && ctx != NULL) {
+ if (ctx->extdom_instance_counter) {
+ slapi_counter_destroy(&ctx->extdom_instance_counter);
+ }
+ if (ctx->nss_ctx) {
+ back_extdom_free_context(&ctx->nss_ctx);
+ }
+ slapi_ch_free_string(&ctx->base_dn);
+ free(ctx);
+ }
+
+ return 0;
+}
+
static int ipa_extdom_extop(Slapi_PBlock *pb)
{
char *oid = NULL;
@@ -360,7 +380,16 @@ static int ipa_extdom_init_ctx(Slapi_PBlock *pb, struct ipa_extdom_ctx **_ctx)
done:
if (ret) {
- free(ctx);
+ if (ctx) {
+ if (ctx->extdom_instance_counter) {
+ slapi_counter_destroy(&ctx->extdom_instance_counter);
+ }
+ if (ctx->nss_ctx) {
+ back_extdom_free_context(&ctx->nss_ctx);
+ }
+ slapi_ch_free_string(&ctx->base_dn);
+ free(ctx);
+ }
} else {
*_ctx = ctx;
}
@@ -388,6 +417,10 @@ int ipa_extdom_init(Slapi_PBlock *pb)
ret = slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN,
(void *)ipa_extdom_start);
}
+ if (!ret) {
+ ret = slapi_pblock_set(pb, SLAPI_PLUGIN_CLOSE_FN,
+ (void *)ipa_extdom_close);
+ }
if (!ret) {
ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_OIDLIST,
ipa_extdom_oid_list);
@@ -405,6 +438,10 @@ int ipa_extdom_init(Slapi_PBlock *pb)
}
if (ret) {
LOG("Failed to set plug-in version, function, and OID.\n" );
+ slapi_counter_destroy(&extdom_ctx->extdom_instance_counter);
+ back_extdom_free_context(&extdom_ctx->nss_ctx);
+ slapi_ch_free_string(&extdom_ctx->base_dn);
+ free(extdom_ctx);
return -1;
}
--
2.52.0

45
SOURCES/0118-ipa-enrollment-fix-memory-leaks.patch Normal file
View File

@ -0,0 +1,45 @@
From c3c4eeaa81c75cdd04d74d7407c0b7103ac7558e Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Sat, 8 Nov 2025 01:03:52 +0100
Subject: [PATCH] ipa-enrollment: fix memory leaks
`smods`, `fqdn`, `sdn` were not freed.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
index b72ad5ef1c81997d89b2f94528da516b5df3d285..3a70dd0a5594fc623e7e808ab8a734349a748a49 100644
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
@@ -137,7 +137,7 @@ ipa_join(Slapi_PBlock *pb)
int is_root=0;
char *krbLastPwdChange = NULL;
char *fqdn = NULL;
- Slapi_Mods *smods;
+ Slapi_Mods *smods = NULL;
char *attrlist[] = {"fqdn", "krbPrincipalKey", "krbLastPwdChange", "krbPrincipalName", NULL };
char * filter;
@@ -329,8 +329,13 @@ free_and_return:
if (pbtm) {
slapi_pblock_destroy(pbtm);
}
+ if (smods) {
+ slapi_mods_free(&smods);
+ }
if (krbLastPwdChange) slapi_ch_free_string(&krbLastPwdChange);
+ if (fqdn) slapi_ch_free_string(&fqdn);
+ if (sdn) slapi_sdn_free(&sdn);
LOG("%s", errMesg ? errMesg : "success\n");
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
--
2.52.0

51
SOURCES/0119-topology-fix-memory-leaks.patch Normal file
View File

@ -0,0 +1,51 @@
From 98ad3653ca853932e2c754315540ba18a09c495c Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Sat, 8 Nov 2025 01:05:15 +0100
Subject: [PATCH] topology: fix memory leaks
`agmt_attr_val`, `targetHost` and internal search results pblock were
not freed.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
daemons/ipa-slapi-plugins/topology/topology_util.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/topology/topology_util.c b/daemons/ipa-slapi-plugins/topology/topology_util.c
index 3f9bf137fdcd398e12dfa7bfbcd9ccde3d773c99..cd3e70910d54bb4f1853ef68ea98d69f2f97ba7e 100644
--- a/daemons/ipa-slapi-plugins/topology/topology_util.c
+++ b/daemons/ipa-slapi-plugins/topology/topology_util.c
@@ -678,6 +678,7 @@ ipa_topo_util_update_agmt_list(TopoReplica *conf, TopoReplicaSegmentList *repl_s
mattrs[i],
segm_attr_val);
}
+ slapi_ch_free_string(&agmt_attr_val);
}
}
@@ -711,10 +712,10 @@ ipa_topo_util_update_agmt_list(TopoReplica *conf, TopoReplicaSegmentList *repl_s
ipa_topo_cfg_segment_set_visited(conf, topo_segm);
}
}
+ slapi_ch_free_string(&targetHost);
repl_agmt = entries[++nentries];
}
- slapi_free_search_results_internal(pb);
update_only:
/* check if segments not covered by agreement exist
@@ -724,6 +725,7 @@ update_only:
ipa_topo_get_plugin_hostname());
error_return:
+ slapi_free_search_results_internal(pb);
slapi_ch_free_string(&filter);
slapi_pblock_destroy(pb);
return rc;
--
2.52.0

46
SOURCES/0120-ipa-pwd-extop-free-krbcfg-in-all-exit-paths.patch Normal file
View File

@ -0,0 +1,46 @@
From 99625ed5df97f0921e6c6e03dbfec21aa0488ea9 Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Wed, 19 Nov 2025 22:23:54 +0100
Subject: [PATCH] ipa-pwd-extop: free krbcfg in all exit paths
Add `free_ipapwd_krbcfg()` calls.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 9e376efaf75643326c327d5594fbe1339ab63369..70f0d7fcc8b8e8966022d5acd7a5089f010100eb 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1536,6 +1536,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
if (ret != 0) {
LOG_FATAL("ipapwd_gen_checks failed for '%s': %s\n",
slapi_sdn_get_dn(sdn), errMesg);
+ free_ipapwd_krbcfg(&krbcfg);
slapi_ch_free_string(&principal_expire);
slapi_entry_free(entry);
slapi_sdn_free(&sdn);
@@ -1593,6 +1594,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
/* Authenticate the user. */
ret = ipapwd_authenticate(dn, entry, credentials);
if (ret) {
+ free_ipapwd_krbcfg(&krbcfg);
slapi_ch_free_string(&principal_expire);
slapi_entry_free(entry);
slapi_sdn_free(&sdn);
@@ -1617,6 +1619,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
}
#endif
+ free_ipapwd_krbcfg(&krbcfg);
slapi_ch_free_string(&principal_expire);
slapi_entry_free(entry);
slapi_sdn_free(&sdn);
--
2.52.0

43
SOURCES/0121-ipa-pwd-extop-fix-memory-leaks.patch Normal file
View File

@ -0,0 +1,43 @@
From 859990a0b0a3694ee99db398a0ec513e4a02d5de Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Fri, 28 Nov 2025 12:19:05 +0100
Subject: [PATCH] ipa-pwd-extop: fix memory leaks
In `ipapwd_set_extradata` free `xdata` after it's not longer needed. It
was leaked because `slapi_value_new_berval()` makes a copy of the data.
In `ipapwd_free_slapi_value_array` free `svals` (caller's pointer)
instead of `sv` (local pointer).
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 114d20417d053ad7e822bd474eedf794b2c316d6..de60d4e7bf1b8f0e313e5883041d3e28c09022b9 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -1107,6 +1107,7 @@ int ipapwd_set_extradata(const char *dn,
slapi_value_free(&va[0]);
slapi_mods_free(&smods);
+ free(xdata);
return ret;
}
@@ -1121,7 +1122,7 @@ void ipapwd_free_slapi_value_array(Slapi_Value ***svals)
}
}
- slapi_ch_free((void **)sv);
+ slapi_ch_free((void **)svals);
}
void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg)
--
2.52.0

51
SOURCES/0122-ipa-pwd-extop-fix-memory-leaks-of-bind-DN.patch Normal file
View File

@ -0,0 +1,51 @@
From efd6cc2bd9002c927823880eb77fab66cfb0e6a2 Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Thu, 11 Dec 2025 10:08:35 +0100
Subject: [PATCH] ipa-pwd-extop: fix memory leaks of bind DN
In `ipapwd_chpwop()`, `ipapwd_setkeytab()`, and `ipapwd_getkeytab()`
functions, `bindDN`/`bind_dn` is obtained via `slapi_pblock_get()` with
SLAPI_CONN_DN which returns an allocated string. This string was never
freed in the cleanup sections of these functions.
Add `slapi_ch_free_string()` calls for the bind DN variables in the
`free_and_return` sections of all three functions.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index b2aa1c05fef6ccc6b1dfa583c00eba8a02f9cf2b..b50e4d5ca1e8fe89d5f67e22618415469eb5e4b5 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -650,6 +650,7 @@ free_and_return:
}
slapi_pblock_destroy(chpwop_pb);
}
+ slapi_ch_free_string(&bindDN);
slapi_ch_free_string(&oldPasswd);
slapi_ch_free_string(&newPasswd);
/* Either this is the same pointer that we allocated and set above,
@@ -1372,6 +1373,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
/* Free anything that we allocated above */
free_and_return:
+ slapi_ch_free_string(&bindDN);
free(serviceName);
if (kset) ipapwd_keyset_free(&kset);
@@ -1790,6 +1792,7 @@ free_and_return:
slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL);
/* Free anything that we allocated above */
+ slapi_ch_free_string(&bind_dn);
if (krbctx) krb5_free_context(krbctx);
free(kenctypes);
free(service_name);
--
2.52.0

61
SOURCES/0123-ipa-pwd-extop-fix-memory-leaks-in-ipapwd_pre_add.patch Normal file
View File

@ -0,0 +1,61 @@
From 52cf968dc91b557215c303e354bd770f52222390 Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Thu, 11 Dec 2025 11:09:34 +0100
Subject: [PATCH] ipa-pwd-extop: fix memory leaks in `ipapwd_pre_add()`
In `ipapwd_pre_add()`, when processing password from entry extension,
`userpw` was reassigned without freeing the previous value.
Additionally, `enabled` obtained from `ipapwd_getIpaConfigAttr()` was
never freed, and early returns bypassed the cleanup section causing
memory leaks.
Free `userpw` before reassigning it.
Free `enabled` after use.
Replace early `return 0` statements with `goto done` to ensure proper
cleanup of all allocated resources.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 70f0d7fcc8b8e8966022d5acd7a5089f010100eb..b0162c49cd4db9684085c62ada4c30daf657b2e2 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -291,6 +291,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
slapi_sdn_get_dn(sdn), errMesg);
goto done;
}
+ slapi_ch_free_string(&userpw);
userpw = slapi_ch_strdup(userpw_clear);
}
@@ -302,8 +303,11 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
if (NULL == enabled) {
LOG("no ipaMigrationEnabled in config, assuming FALSE\n");
} else if (0 == strcmp(enabled, "TRUE")) {
- return 0;
+ slapi_ch_free_string(&enabled);
+ rc = LDAP_SUCCESS;
+ goto done;
}
+ slapi_ch_free_string(&enabled);
/* With User Life Cycle, it could be a stage user that is activated.
* The userPassword and krb keys were set while the user was a stage user.
@@ -315,7 +319,8 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
LOG("User Life Cycle: %s is a activated stage user "
"(with prehashed password and krb keys)\n",
sdn ? slapi_sdn_get_dn(sdn) : "unknown");
- return 0;
+ rc = LDAP_SUCCESS;
+ goto done;
}
LOG("pre-hashed passwords are not valid\n");
--
2.52.0

42
SOURCES/0124-ipa-pwd-extop-fix-bind-DN-memory-leaks-in-pre-op-han.patch Normal file
View File

@ -0,0 +1,42 @@
From c98a006be077c944612a69545463f1d8a66e8b92 Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Thu, 11 Dec 2025 12:02:33 +0100
Subject: [PATCH] ipa-pwd-extop: fix bind DN memory leaks in pre-op handlers
In `ipapwd_pre_add()` and `ipapwd_pre_mod()`, `binddn` is obtained via
`slapi_pblock_get()` with SLAPI_CONN_DN which returns an allocated
string. This string was never freed after use.
Add `slapi_ch_free_string(&binddn)` calls after the bind DN is no longer
needed in both functions.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index b0162c49cd4db9684085c62ada4c30daf657b2e2..8f8d0a0929105869d9df15339d8c447d890f92bf 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -379,6 +379,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
break;
}
}
+ slapi_ch_free_string(&binddn);
}
pwdop->pwdata.dn = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
@@ -880,6 +881,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
slapi_sdn_free(&bdn);
slapi_sdn_free(&tdn);
+ slapi_ch_free_string(&binddn);
}
pwdop->pwdata.dn = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
--
2.52.0

82
SOURCES/0125-ipa-pwd-extop-fix-NT-hash-string-memory-leak.patch Normal file
View File

@ -0,0 +1,82 @@
From 301cada8a1b5e7e5ad2c91111f51ef0649932eee Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Thu, 11 Dec 2025 13:13:45 +0100
Subject: [PATCH] ipa-pwd-extop: fix NT hash string memory leak
In `ipapwd_pre_add()` and `ipapwd_pre_mod()`, the `nt` string returned
by `ipapwd_gen_hashes()` was only freed when `is_smb` was true. When NT
hashes are generated for `is_ipant` entries but `is_smb` is false, the
`nt` string was leaked.
Free `nt`, `ntvals` and `svals` unconditionally.
Fix the error path in `ipapwd_pre_add()` where `nt` and `ntvals` were
leaked when `slapi_entry_attr_replace_sv()` failed for `svals`.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 8f8d0a0929105869d9df15339d8c447d890f92bf..58f6926fe4f9894bc17f5ef34b02b5652cbb477f 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -422,22 +422,23 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
LOG_FATAL("failed to set encoded values in entry\n");
rc = LDAP_OPERATIONS_ERROR;
ipapwd_free_slapi_value_array(&svals);
+ slapi_ch_free_string(&nt);
+ ipapwd_free_slapi_value_array(&ntvals);
goto done;
}
-
- ipapwd_free_slapi_value_array(&svals);
}
+ ipapwd_free_slapi_value_array(&svals);
if (nt && is_smb) {
/* set value */
slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt);
- slapi_ch_free_string(&nt);
}
+ slapi_ch_free_string(&nt);
if (ntvals && is_ipant) {
slapi_entry_attr_replace_sv(e, "ipaNTHash", ntvals);
- ipapwd_free_slapi_value_array(&ntvals);
}
+ ipapwd_free_slapi_value_array(&ntvals);
if (is_smb) {
/* with samba integration we need to also set sambaPwdLastSet or
@@ -921,21 +922,21 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
/* replace values */
slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE,
"krbPrincipalKey", svals);
- ipapwd_free_slapi_value_array(&svals);
}
+ ipapwd_free_slapi_value_array(&svals);
if (nt && is_smb) {
/* replace value */
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"sambaNTPassword", nt);
- slapi_ch_free_string(&nt);
}
+ slapi_ch_free_string(&nt);
if (ntvals && is_ipant) {
slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE,
"ipaNTHash", ntvals);
- ipapwd_free_slapi_value_array(&ntvals);
}
+ ipapwd_free_slapi_value_array(&ntvals);
if (is_smb) {
/* with samba integration we need to also set sambaPwdLastSet or
--
2.52.0

44
SOURCES/0126-ipa-pwd-extop-fix-password-history-values-memory-lea.patch Normal file
View File

@ -0,0 +1,44 @@
From aa4a3fbd89ddbe2eecb3063a042fd815e6dd49d8 Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Thu, 11 Dec 2025 14:34:47 +0100
Subject: [PATCH] ipa-pwd-extop: fix password history values memory leak
In `ipapwd_post_modadd()`, the `pwvals` array returned by
`ipapwd_setPasswordHistory()` was passed to `slapi_mods_add_mod_values()`
but never freed. The `slapi_mods_add_mod_values()` function makes a copy
of the values, so the original array still needs to be freed.
Add `ipapwd_free_slapi_value_array()` call in the cleanup section to
free the array.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 58f6926fe4f9894bc17f5ef34b02b5652cbb477f..68281868f18c257ab4058fc743f5d67c8f0604f3 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1080,7 +1080,7 @@ static int ipapwd_post_modadd(Slapi_PBlock *pb)
void *op;
struct ipapwd_operation *pwdop = NULL;
Slapi_Mods *smods;
- Slapi_Value **pwvals;
+ Slapi_Value **pwvals = NULL;
int ret;
char *errMsg = "Internal operations error\n";
struct ipapwd_krbcfg *krbcfg = NULL;
@@ -1210,6 +1210,7 @@ done:
slapi_mods_free(&smods);
slapi_ch_free_string(&principal);
free_ipapwd_krbcfg(&krbcfg);
+ ipapwd_free_slapi_value_array(&pwvals);
return 0;
}
--
2.52.0

41
SOURCES/0127-ipa-pwd-extop-fix-memory-leaks-in-ipapwd_gen_hashes-.patch Normal file
View File

@ -0,0 +1,41 @@
From 343c9a8ab8f5dd6af4217bf5cd66a2f5f9dcbbbd Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Thu, 11 Dec 2025 15:45:27 +0100
Subject: [PATCH] ipa-pwd-extop: fix memory leaks in `ipapwd_gen_hashes()`
error path
In `ipapwd_gen_hashes()`, when an error occurred after allocating output
parameters, `*ntvals` was freed but `*nthash` was not.
Add `slapi_ch_free_string(nthash)` to the error cleanup section.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
index 43ae6f0a645c8f3ff0fa2d147891f93efff0eb20..dd73c1f335733c314be8ff08b9d5982130cc75ff 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
@@ -220,6 +220,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
*svals = NULL;
*nthash = NULL;
+ *ntvals = NULL;
*errMesg = NULL;
if (is_krb) {
@@ -282,6 +283,7 @@ done:
if (rc) {
ipapwd_free_slapi_value_array(svals);
ipapwd_free_slapi_value_array(ntvals);
+ slapi_ch_free_string(nthash);
}
return rc;
--
2.52.0

35
SOURCES/0128-ipa-pwd-extop-fix-valueset-memory-leak-in-ipapwd_get.patch Normal file
View File

@ -0,0 +1,35 @@
From 40217032aa201313f8bdfcb22abe0088749574f1 Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Thu, 11 Dec 2025 16:16:02 +0100
Subject: [PATCH] ipa-pwd-extop: fix valueset memory leak in
`ipapwd_get_cur_kvno()`
In `ipapwd_get_cur_kvno()`, the `Slapi_ValueSet` obtained via
`slapi_attr_get_valueset()` was never freed. This function returns a
copy of the valueset that must be freed by the caller using
`slapi_valueset_free()`.
Add `slapi_valueset_free(svs)` before returning from the function.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index de60d4e7bf1b8f0e313e5883041d3e28c09022b9..7179b1dc3847df5c2cd88065a5bfa66d886daa14 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -786,6 +786,7 @@ next:
hint = slapi_valueset_next_value(svs, hint, &sv);
}
+ slapi_valueset_free(svs);
return kvno;
}
--
2.52.0

41
SOURCES/0129-ipa-pwd-extop-Don-t-manipulate-the-config-if-not-ret.patch Normal file
View File

@ -0,0 +1,41 @@
From 53e568b8c5b0cd82568863cf582054244bf734d3 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 6 Jan 2026 14:44:50 -0500
Subject: [PATCH] ipa-pwd-extop: Don't manipulate the config if not retrieved
There is a non-zero chance that the Kerberos configuration can't
be retrieved. If this fails it should report an error which will
likely fail the operation but otherwise allow the server to
remain running.
A flag was added to not allow the Master key to be returned
but since this manipulates *config and that is NULL...SEGV.
Add a goto to skip that block in the case of failure.
Credit to Viktor Ashirov for identifying the fix. All I did
was write up the patch.
Fixes: https://pagure.io/freeipa/issue/9914
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 7179b1dc3847df5c2cd88065a5bfa66d886daa14..0e69f3410737ea1787e611846f1a8801239f4d2f 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -585,6 +585,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
LOG_FATAL("Error Retrieving Master Key\n");
*errMesg = "Fatal Internal Error";
rc = LDAP_OPERATIONS_ERROR;
+ goto done;
}
/* do not return the master key if asked */
--
2.52.0

34
SOURCES/0130-ipatests-fix-kdcproxy-tests-against-AD.patch Normal file
View File

@ -0,0 +1,34 @@
From 368da4f4f5e4d05aecf149a5773d8d0b4f28ff92 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 18 Nov 2025 11:17:27 +0100
Subject: [PATCH] ipatests: fix kdcproxy tests against AD
In recent kdcproxy commit 1773f28eeea72ec6efcd433d3b66595c44d1253f, the
use of DNS discovery has been restricted to declared realms in order to
mitigate CVE-2025-59088. The present commit update the
TestHttpKdcProxy::test_ad_user_login_on_client_with_kdcproxy test to
take this change into account.
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_http_kdc_proxy.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_http_kdc_proxy.py b/ipatests/test_integration/test_http_kdc_proxy.py
index b5906bc4bf8de7000d2b8ec582cbacf6e2e05be0..d48a5dd953d58a002fe7247d98e27c82a72b6626 100644
--- a/ipatests/test_integration/test_http_kdc_proxy.py
+++ b/ipatests/test_integration/test_http_kdc_proxy.py
@@ -131,8 +131,8 @@ class TestHttpKdcProxy(IntegrationTest):
with tasks.remote_ini_file(self.master, paths.KDCPROXY_CONFIG) as conf:
conf.set('global', 'use_dns', 'true')
conf.set('global', 'configs', 'mit')
+ conf.add_section(self.ad.domain.realm)
if use_tcp:
- conf.add_section(self.ad.domain.realm)
conf.set(self.ad.domain.realm, 'kerberos',
'kerberos+tcp://{}:88'.format(self.ad.hostname))
conf.set(self.ad.domain.realm, 'kpasswd',
--
2.52.0

115
SOURCES/0131-ipatests-update-the-Let-s-Encrypt-cert-chain.patch Normal file
View File

@ -0,0 +1,115 @@
From 94493640e10547cd4aff82b017391916149822e5 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 17 Sep 2025 10:13:44 +0200
Subject: [PATCH] ipatests: update the Let's Encrypt cert chain
The test TestIPACommand::test_cacert_manage is using
Let's Encrypt chain to check the ipa-cacert-manage install
command.
The chain isrgrootx1 > r3 must be replaced with
isrgrootx1 > r12 because r3 expired Sep 15.
Fixes: https://pagure.io/freeipa/issue/9857
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_commands.py | 63 +++++++++++-----------
1 file changed, 31 insertions(+), 32 deletions(-)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index ad97affe62e15c68442239d669032f0c84e7f5c9..fcf347ee068729d1b28d215b242569f02e9a549c 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -88,41 +88,40 @@ isrgrootx1 = (
)
isrgrootx1_nick = 'CN=ISRG Root X1,O=Internet Security Research Group,C=US'
-# This sub-CA expires on Sep 15, 2025 and will need to be replaced
+# This sub-CA expires on March 12, 2027 and will need to be replaced
# after this date. Otherwise TestIPACommand::test_cacert_manage fails.
-letsencryptauthorityr3 = (
+letsencryptauthorityr12 = (
b'-----BEGIN CERTIFICATE-----\n'
- b'MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\n'
+ b'MIIFBjCCAu6gAwIBAgIRAMISMktwqbSRcdxA9+KFJjwwDQYJKoZIhvcNAQELBQAw\n'
b'TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n'
- b'cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\n'
- b'WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\n'
- b'RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n'
- b'AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\n'
- b'R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\n'
- b'sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\n'
- b'NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\n'
- b'Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n'
- b'/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\n'
- b'AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\n'
- b'Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\n'
- b'FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\n'
- b'AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\n'
- b'Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\n'
- b'gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\n'
- b'PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\n'
- b'ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\n'
- b'CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\n'
- b'lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\n'
- b'avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\n'
- b'yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\n'
- b'yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\n'
- b'hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\n'
- b'HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\n'
- b'MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\n'
- b'nLRbwHOoq7hHwg==\n'
+ b'cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw\n'
+ b'WhcNMjcwMzEyMjM1OTU5WjAzMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\n'
+ b'RW5jcnlwdDEMMAoGA1UEAxMDUjEyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n'
+ b'CgKCAQEA2pgodK2+lP474B7i5Ut1qywSf+2nAzJ+Npfs6DGPpRONC5kuHs0BUT1M\n'
+ b'5ShuCVUxqqUiXXL0LQfCTUA83wEjuXg39RplMjTmhnGdBO+ECFu9AhqZ66YBAJpz\n'
+ b'kG2Pogeg0JfT2kVhgTU9FPnEwF9q3AuWGrCf4yrqvSrWmMebcas7dA8827JgvlpL\n'
+ b'Thjp2ypzXIlhZZ7+7Tymy05v5J75AEaz/xlNKmOzjmbGGIVwx1Blbzt05UiDDwhY\n'
+ b'XS0jnV6j/ujbAKHS9OMZTfLuevYnnuXNnC2i8n+cF63vEzc50bTILEHWhsDp7CH4\n'
+ b'WRt/uTp8n1wBnWIEwii9Cq08yhDsGwIDAQABo4H4MIH1MA4GA1UdDwEB/wQEAwIB\n'
+ b'hjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwEgYDVR0TAQH/BAgwBgEB\n'
+ b'/wIBADAdBgNVHQ4EFgQUALUp8i2ObzHom0yteD763OkM0dIwHwYDVR0jBBgwFoAU\n'
+ b'ebRZ5nu25eQBc4AIiMgaWPbpm24wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAC\n'
+ b'hhZodHRwOi8veDEuaS5sZW5jci5vcmcvMBMGA1UdIAQMMAowCAYGZ4EMAQIBMCcG\n'
+ b'A1UdHwQgMB4wHKAaoBiGFmh0dHA6Ly94MS5jLmxlbmNyLm9yZy8wDQYJKoZIhvcN\n'
+ b'AQELBQADggIBAI910AnPanZIZTKS3rVEyIV29BWEjAK/duuz8eL5boSoVpHhkkv3\n'
+ b'4eoAeEiPdZLj5EZ7G2ArIK+gzhTlRQ1q4FKGpPPaFBSpqV/xbUb5UlAXQOnkHn3m\n'
+ b'FVj+qYv87/WeY+Bm4sN3Ox8BhyaU7UAQ3LeZ7N1X01xxQe4wIAAE3JVLUCiHmZL+\n'
+ b'qoCUtgYIFPgcg350QMUIWgxPXNGEncT921ne7nluI02V8pLUmClqXOsCwULw+PVO\n'
+ b'ZCB7qOMxxMBoCUeL2Ll4oMpOSr5pJCpLN3tRA2s6P1KLs9TSrVhOk+7LX28NMUlI\n'
+ b'usQ/nxLJID0RhAeFtPjyOCOscQBA53+NRjSCak7P4A5jX7ppmkcJECL+S0i3kXVU\n'
+ b'y5Me5BbrU8973jZNv/ax6+ZK6TM8jWmimL6of6OrX7ZU6E2WqazzsFrLG3o2kySb\n'
+ b'zlhSgJ81Cl4tv3SbYiYXnJExKQvzf83DYotox3f0fwv7xln1A2ZLplCb0O+l/AK0\n'
+ b'YE0DS2FPxSAHi0iwMfW2nNHJrXcY3LLHD77gRgje4Eveubi2xxa+Nmk/hmhLdIET\n'
+ b'iVDFanoCrMVIpQ59XWHkzdFmoHXHBV7oibVjGSO7ULSQ7MJ1Nz51phuDJSgAIU7A\n'
+ b'0zrLnOrAj/dfrlEWRhCvAgbuwLZX1A2sjNjXoPOHbsPiy+lO1KF8/XY7\n'
b'-----END CERTIFICATE-----\n'
)
-le_r3_nick = "CN=R3,O=Let's Encrypt,C=US"
+le_r12_nick = "CN=R12,O=Let's Encrypt,C=US"
# Certificates for reproducing duplicate ipaCertSubject values.
# The trick to creating the second intermediate is for the validity
@@ -1230,7 +1229,7 @@ class TestIPACommand(IntegrationTest):
result.stderr_text
# Install 3rd party CA's, Let's Encrypt in this case
- for cert in (isrgrootx1, letsencryptauthorityr3):
+ for cert in (isrgrootx1, letsencryptauthorityr12):
certfile = os.path.join(self.master.config.test_dir, 'cert.pem')
self.master.put_file_contents(certfile, cert)
result = self.master.run_command(
@@ -1257,7 +1256,7 @@ class TestIPACommand(IntegrationTest):
# deletion of a subca
result = self.master.run_command(
- ['ipa-cacert-manage', 'delete', le_r3_nick],
+ ['ipa-cacert-manage', 'delete', le_r12_nick],
raiseonerr=False
)
assert result.returncode == 0
--
2.52.0

47
SOURCES/0132-ipa-join-initialize-pointer.patch Normal file
View File

@ -0,0 +1,47 @@
From 0f691463c379861ca5be88f99d02a313941a39d3 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 4 Feb 2026 09:21:14 +0100
Subject: [PATCH] ipa-join: initialize pointer
OpenScanHub detected an uninitialized pointer in ipa_join:
Slapi_DN *sdn;
...
if (sdn) slapi_sdn_free(&sdn);
Initialize to NULL
Also initialize Slapi_Backend *be=NULL and char * filter=NULL
to avoid potential issues.
Fixes: https://pagure.io/freeipa/issue/9936
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
index 3a70dd0a5594fc623e7e808ab8a734349a748a49..2f8923e10310a8a6e19ac701070d6451915c3be3 100644
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
@@ -129,8 +129,8 @@ ipa_join(Slapi_PBlock *pb)
Slapi_PBlock *pbte = NULL;
Slapi_PBlock *pbtm = NULL;
Slapi_Entry *targetEntry=NULL;
- Slapi_DN *sdn;
- Slapi_Backend *be;
+ Slapi_DN *sdn=NULL;
+ Slapi_Backend *be=NULL;
Slapi_Entry **es = NULL;
int rc=0, ret=0, res;
size_t i;
@@ -139,7 +139,7 @@ ipa_join(Slapi_PBlock *pb)
char *fqdn = NULL;
Slapi_Mods *smods = NULL;
char *attrlist[] = {"fqdn", "krbPrincipalKey", "krbLastPwdChange", "krbPrincipalName", NULL };
- char * filter;
+ char * filter=NULL;
int scope = LDAP_SCOPE_SUBTREE;
char *principal = NULL;
--
2.52.0

40
SPECS/freeipa.spec
View File

@ -232,7 +232,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 22%{?rc_version:.%rc_version}%{?dist}.1
Release: 22%{?rc_version:.%rc_version}.0.1%{?dist}.3
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -367,6 +367,27 @@ Patch0108: 0108-ipatests-add-extensions-to-server-certificates-for-C.patch
Patch0109: 0109-Enforce-uniqueness-across-krbprincipalname-and-krbca.patch
Patch0110: 0110-ipa-kdb-enforce-PAC-presence-on-TGT-for-TGS-REQ.patch
Patch0111: 0111-ipatests-extend-test-for-unique-krbcanonicalname.patch
Patch0112: 0112-ipa-graceperiod-fix-memory-leaks.patch
Patch0113: 0113-ipa-lockout-fix-memory-leaks.patch
Patch0114: 0114-ipa-pwd-extop-fix-memory-leaks.patch
Patch0115: 0115-ipa-sidgen-fix-memory-leaks.patch
Patch0116: 0116-ipa-range-check-fix-memory-leak.patch
Patch0117: 0117-ipa-extdom-extop-fix-memory-leaks.patch
Patch0118: 0118-ipa-enrollment-fix-memory-leaks.patch
Patch0119: 0119-topology-fix-memory-leaks.patch
Patch0120: 0120-ipa-pwd-extop-free-krbcfg-in-all-exit-paths.patch
Patch0121: 0121-ipa-pwd-extop-fix-memory-leaks.patch
Patch0122: 0122-ipa-pwd-extop-fix-memory-leaks-of-bind-DN.patch
Patch0123: 0123-ipa-pwd-extop-fix-memory-leaks-in-ipapwd_pre_add.patch
Patch0124: 0124-ipa-pwd-extop-fix-bind-DN-memory-leaks-in-pre-op-han.patch
Patch0125: 0125-ipa-pwd-extop-fix-NT-hash-string-memory-leak.patch
Patch0126: 0126-ipa-pwd-extop-fix-password-history-values-memory-lea.patch
Patch0127: 0127-ipa-pwd-extop-fix-memory-leaks-in-ipapwd_gen_hashes-.patch
Patch0128: 0128-ipa-pwd-extop-fix-valueset-memory-leak-in-ipapwd_get.patch
Patch0129: 0129-ipa-pwd-extop-Don-t-manipulate-the-config-if-not-ret.patch
Patch0130: 0130-ipatests-fix-kdcproxy-tests-against-AD.patch
Patch0131: 0131-ipatests-update-the-Let-s-Encrypt-cert-chain.patch
Patch0132: 0132-ipa-join-initialize-pointer.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -695,6 +716,7 @@ BuildArch: noarch
Requires: %{name}-client-common = %{version}-%{release}
Requires: httpd >= %{httpd_version}
Requires: systemd-units >= %{systemd_version}
Requires: bind >= %{bind_version}
%if 0%{?rhel} >= 8 && ! 0%{?eln}
Requires: system-logos-ipa >= 80.4
%endif
@ -1170,7 +1192,8 @@ autoreconf -ivf
%{enable_server_option} \
%{with_ipatests_option} \
%{with_ipa_join_xml_option} \
%{linter_options}
%{linter_options} \
--with-ipaplatform=rhel
# run build in default dir
# -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
@ -2020,6 +2043,19 @@ fi
%endif
%changelog
* Tue Mar 10 2026 EL Errata <el-errata_ww@oracle.com> - 4.12.2-22.0.1.el9_7.3
- Set IPAPLATFORM=rhel when build on Oracle Linux [Orabug: 29516674]
- Add bind to ipa-server-common Requires [Orabug: 36518596]
* Thu Feb 5 2026 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-22.3
- Resolves: RHEL-141322 Memory leaks in IPA plugins
* Wed Jan 14 2026 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-22.2
- Resolves: RHEL-141322 Memory leaks in IPA plugins
- Resolves: RHEL-141314 AddressSanitizer: SEGV ipa-pwd-extop/common.c:584 in ipapwd_gen_checks
- Resolves: RHEL-129963 Fix ipatests for kdcproxy after CVE-2025-59088 fix
- Resolves: RHEL-124424 test_cacert_manage fails due to expired Let's Encrypt R3 certificate
* Tue Sep 30 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-22.1
- Resolves: RHEL-118449 ipa: Privilege escalation from host to domain admin in FreeIPA