diff --git a/0017-Fix-possible-double-free-during-KDB-creation.patch b/0017-Fix-possible-double-free-during-KDB-creation.patch new file mode 100644 index 0000000..59b6c48 --- /dev/null +++ b/0017-Fix-possible-double-free-during-KDB-creation.patch @@ -0,0 +1,45 @@ +From ff9c99b689855a646c371379d30a668dfd7a87a7 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Wed, 1 Feb 2023 15:57:26 +0100 +Subject: [PATCH] Fix possible double-free during KDB creation + +In krb5_dbe_def_encrypt_key_data(), when we free +key_data->key_data_contents[0], reset it to null so the caller doesn't +free it as well. + +Since commit a06945b4ec267e8b80e5e8c95edd89930ff12103 this bug +manifests as a double-free during KDB creation if master key +encryption fails. + +[ghudson@mit.edu: edited commit message] + +ticket: 9086 (new) +tags: pullup +target_version: 1.20-next +--- + src/lib/kdb/encrypt_key.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c +index dc612c810e..91debea533 100644 +--- a/src/lib/kdb/encrypt_key.c ++++ b/src/lib/kdb/encrypt_key.c +@@ -109,6 +109,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context, + if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0, + &plain, &cipher))) { + free(key_data->key_data_contents[0]); ++ key_data->key_data_contents[0] = NULL; + return retval; + } + +@@ -121,6 +122,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context, + key_data->key_data_contents[1] = malloc(keysalt->data.length); + if (key_data->key_data_contents[1] == NULL) { + free(key_data->key_data_contents[0]); ++ key_data->key_data_contents[0] = NULL; + return ENOMEM; + } + memcpy(key_data->key_data_contents[1], keysalt->data.data, +-- +2.39.1 + diff --git a/krb5.spec b/krb5.spec index 74b08a3..5098d15 100644 --- a/krb5.spec +++ b/krb5.spec @@ -34,7 +34,7 @@ # # baserelease is what we have standardized across Fedora and what # rpmdev-bumpspec knows how to handle. -%global baserelease 6 +%global baserelease 7 # This should be e.g. beta1 or %%nil %global pre_release %nil @@ -99,6 +99,7 @@ Patch13: 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch Patch14: 0014-downstream-Do-not-set-root-as-ksu-file-owner.patch Patch15: 0015-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch Patch16: 0016-Add-PAC-full-checksums.patch +Patch17: 0017-Fix-possible-double-free-during-KDB-creation.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -663,6 +664,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Tue Feb 14 2023 Julien Rische - 1.20.1-7 +- Fix double free on kdb5_util key creation failure +- Resolves: rhbz#2166603 + * Tue Jan 31 2023 Julien Rische - 1.20.1-6 - Add support for MS-PAC extended KDC signature (CVE-2022-37967) - Resolves: rhbz#2165827