From 297f069b6981c46c77d359bbb8a48fcd2e986499 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Tue, 21 Apr 2026 12:04:37 -0400
Subject: [PATCH] import UBI krb5-1.21.3-9.el10_1
---
 ...lized-pointer-dereference-in-libkrad.patch | 44 +++++++++++++++++++
 krb5.spec | 7 ++-
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 0039-Fix-uninitialized-pointer-dereference-in-libkrad.patch
diff --git a/0039-Fix-uninitialized-pointer-dereference-in-libkrad.patch b/0039-Fix-uninitialized-pointer-dereference-in-libkrad.patch
new file mode 100644
index 0000000..4f51028
--- /dev/null
+++ b/0039-Fix-uninitialized-pointer-dereference-in-libkrad.patch
@@ -0,0 +1,44 @@
+From 38074663f9c4d2f5f561f253bd8f7d29120513cc Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Wed, 21 Jan 2026 11:31:39 +0100
+Subject: [PATCH] Fix uninitialized pointer dereference in libkrad
+
+Commit 871125fea8ce0370a972bf65f7d1de63f619b06c changed
+krad_packet_decode_request() to use a local variable "req" to hold the
+decoded packet until it is verified, instead of immediately storing
+into the caller's *reqpkt. The code to check for duplicate packets
+erroneously continues to use *reqpkt, causing a read dereference of
+whatever was in *reqpkt on entry to the function (typically null or an
+uninitialized value). Fix the code to use req instead of *reqpkt.
+
+This bug does not affect the KDC (which only uses libkrad as a
+client), but can crash external software using libkrad as a server if
+it ever processes more than one packet at a time.
+
+[ghudson@mit.edu: edited commit message]
+
+ticket: 9193 (new)
+tags: pullup
+target_version: 1.22-next
+
+(cherry picked from commit f74a1b3fcde44cfa0d487973fd47a943cda49dc8)
+---
+ src/lib/krad/packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c
+index b95c99df65..79b8e87f8c 100644
+--- a/src/lib/krad/packet.c
++++ b/src/lib/krad/packet.c
+@@ -575,7 +575,7 @@ krad_packet_decode_request(krb5_context ctx, const char *secret,
+
+ if (cb != NULL) {
+ for (tmp = (*cb)(data, FALSE); tmp != NULL; tmp = (*cb)(data, FALSE)) {
+- if (pkt_id_get(*reqpkt) == pkt_id_get(tmp))
++ if (pkt_id_get(req) == pkt_id_get(tmp))
+ break;
+ }
+
+--
+2.51.1
+
diff --git a/krb5.spec b/krb5.spec
index abc71db..64178e2 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -10,7 +10,7 @@
 #
 # baserelease is what we have standardized across Fedora and what
 # rpmdev-bumpspec knows how to handle.
-%global baserelease 8
+%global baserelease 9
 
 # This should be e.g. beta1 or %%nil
 %global pre_release %nil
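Review bot: The corrected comparison `pkt_id_get(req) == pkt_id_get(tmp)` in krad_packet_decode_request() lands with neither a comment nor a regression test, although the defect was a read through the caller's uninitialized `*reqpkt` that is only reached when `cb` returns a pending packet. A comment above the duplicate-check loop would keep the invariant visible, for example `/* *reqpkt is not assigned until req has been verified; only req is valid here. */`. A test that decodes a request with a non-NULL `cb` yielding one outstanding packet, and with `*reqpkt` left unset on entry, would presumably have caught the regression when run under a memory-error checker. The function body starts and ends outside the nested hunk, so the point where `*reqpkt` is finally assigned cannot be confirmed from this page.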
@@ -97,6 +97,7 @@ Patch0035: 0035-Don-t-issue-session-keys-with-deprecated-enctypes.patch
 Patch0036: 0036-downstream-Remove-3des-support-cumulative-1.patch
 Patch0037: 0037-Add-PKINIT-paChecksum2-from-MS-PKCA-v20230920.patch
 Patch0038: 0038-downstream-Do-not-block-HMAC-MD4-5-in-FIPS-mode.patch
+Patch0039: 0039-Fix-uninitialized-pointer-dereference-in-libkrad.patch
 
 License: Brian-Gladman-2-Clause AND BSD-2-Clause AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-first-lines AND BSD-3-Clause AND BSD-4-Clause AND CMU-Mach-nodoc AND FSFULLRWD AND HPND AND HPND-export2-US AND HPND-export-US AND HPND-export-US-acknowledgement AND HPND-export-US-modify AND ISC AND MIT AND MIT-CMU AND OLDAP-2.8 AND OpenVision
 URL: https://web.mit.edu/kerberos/www/
@@ -738,6 +739,10 @@ exit 0
 %{_datarootdir}/%{name}-tests/%{_arch}
 
 %changelog
+* Thu Feb 19 2026 Julien Rische - 1.21.3-9
+- krad: packet ID fetched from uninitialized variable
+ Resolves: RHEL-150954
+
 * Mon Apr 28 2025 Julien Rische - 1.21.3-8
 - Do not block HMAC-MD4/5 in FIPS mode
 Resolves: RHEL-88705