From 4b799ce6131aec747339863609ffcc8f689b3dbd Mon Sep 17 00:00:00 2001
From: Julien Rische
Date: Wed, 1 Feb 2023 16:01:22 +0100
Subject: [PATCH] Fix double free on kdb5_util key creation failure
Resolves: rhbz#2166603
Signed-off-by: Julien Rische
---
 ...ible-double-free-during-KDB-creation.patch | 45 +++++++++++++++++++
 krb5.spec | 7 ++-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 0017-Fix-possible-double-free-during-KDB-creation.patch
diff --git a/0017-Fix-possible-double-free-during-KDB-creation.patch b/0017-Fix-possible-double-free-during-KDB-creation.patch
new file mode 100644
index 0000000..59b6c48
--- /dev/null
+++ b/0017-Fix-possible-double-free-during-KDB-creation.patch
@@ -0,0 +1,45 @@
+From ff9c99b689855a646c371379d30a668dfd7a87a7 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Wed, 1 Feb 2023 15:57:26 +0100
+Subject: [PATCH] Fix possible double-free during KDB creation
+
+In krb5_dbe_def_encrypt_key_data(), when we free
+key_data->key_data_contents[0], reset it to null so the caller doesn't
+free it as well.
+
+Since commit a06945b4ec267e8b80e5e8c95edd89930ff12103 this bug
+manifests as a double-free during KDB creation if master key
+encryption fails.
+
+[ghudson@mit.edu: edited commit message]
+
+ticket: 9086 (new)
+tags: pullup
+target_version: 1.20-next
+---
+ src/lib/kdb/encrypt_key.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c
+index dc612c810e..91debea533 100644
+--- a/src/lib/kdb/encrypt_key.c
++++ b/src/lib/kdb/encrypt_key.c
+@@ -109,6 +109,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context,
+ if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0,
+ &plain, &cipher))) {
+ free(key_data->key_data_contents[0]);
++ key_data->key_data_contents[0] = NULL;
+ return retval;
+ }
+
+@@ -121,6 +122,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context,
+ key_data->key_data_contents[1] = malloc(keysalt->data.length);
+ if (key_data->key_data_contents[1] == NULL) {
+ free(key_data->key_data_contents[0]);
++ key_data->key_data_contents[0] = NULL;
+ return ENOMEM;
+ }
+ memcpy(key_data->key_data_contents[1], keysalt->data.data,
+--
+2.39.1
+
diff --git a/krb5.spec b/krb5.spec
index 74b08a3..5098d15 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -34,7 +34,7 @@
 #
 # baserelease is what we have standardized across Fedora and what
 # rpmdev-bumpspec knows how to handle.
-%global baserelease 6
+%global baserelease 7
 # This should be e.g. beta1 or %%nil
 %global pre_release %nil
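Review bot: The two error paths of krb5_dbe_def_encrypt_key_data() in encrypt_key.c now each carry the same free-then-NULL pair for key_data_contents[0], and the reason for the reset lives only in the commit message, so a later edit to this function could drop it again and reintroduce the double free the caller's cleanup would trigger. A one-line comment above the first reset, `/* Caller frees key_data on failure; leave no dangling pointer behind. */`, would document the ownership handoff at the place it is enforced. Routing both paths through a single cleanup label would also keep the free and the reset in one place instead of duplicated. The body of krb5_dbe_def_encrypt_key_data() begins and ends outside the hunk, so whether key_data_ver or key_data_length[0] also needs adjusting for the caller's cleanup cannot be judged from what is visible.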
@@ -99,6 +99,7 @@ Patch13: 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch
 Patch14: 0014-downstream-Do-not-set-root-as-ksu-file-owner.patch
 Patch15: 0015-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch
 Patch16: 0016-Add-PAC-full-checksums.patch
+Patch17: 0017-Fix-possible-double-free-during-KDB-creation.patch
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -663,6 +664,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Tue Feb 14 2023 Julien Rische - 1.20.1-7
+- Fix double free on kdb5_util key creation failure
+- Resolves: rhbz#2166603
+
 * Tue Jan 31 2023 Julien Rische - 1.20.1-6
 - Add support for MS-PAC extended KDC signature (CVE-2022-37967)
 - Resolves: rhbz#2165827
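Review bot: Patch17 is declared in this hunk, but the %prep section is outside the diff, so the spec does not show whether the new patch is actually applied. If the spec applies patches with %autosetup or %autopatch every declared PatchN is picked up automatically; if it uses explicit `%patchN` lines, a matching `%patch17 -p1` is required, otherwise the build carries the changelog entry from the last hunk without the fix. Worth confirming against the %prep section before merging.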