From 7466da837bd55f2432079ed25371866d7097b6f1 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 13 Mar 2025 10:47:50 +0000
Subject: [PATCH] import UBI krb5-1.18.2-31.el8_10
---
 ...low-when-calculating-ulog-block-size.patch | 64 +++++++++++++++++++
 ...-mask-flags-for-kdb5_util-operations.patch | 61 ++++++++++++++++++
 SPECS/krb5.spec | 10 ++-
 3 files changed, 134 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/Prevent-overflow-when-calculating-ulog-block-size.patch
 create mode 100644 SOURCES/Set-missing-mask-flags-for-kdb5_util-operations.patch
diff --git a/SOURCES/Prevent-overflow-when-calculating-ulog-block-size.patch b/SOURCES/Prevent-overflow-when-calculating-ulog-block-size.patch
new file mode 100644
index 0000000..4e3b39e
--- /dev/null
+++ b/SOURCES/Prevent-overflow-when-calculating-ulog-block-size.patch
@@ -0,0 +1,64 @@
+From 105ba83436476f5a08759b8e97bfb0c5a69596b9 Mon Sep 17 00:00:00 2001
+From: Zoltan Borbely
+Date: Tue, 28 Jan 2025 16:39:25 -0500
+Subject: [PATCH] Prevent overflow when calculating ulog block size
+
+In kdb_log.c:resize(), log an error and fail if the update size is
+larger than the largest possible block size (2^16-1).
+
+CVE-2025-24528:
+
+In MIT krb5 release 1.7 and later with incremental propagation
+enabled, an authenticated attacker can cause kadmind to write beyond
+the end of the mapped region for the iprop log file, likely causing a
+process crash.
+
+[ghudson@mit.edu: edited commit message and added CVE description]
+
+ticket: 9159 (new)
+tags: pullup
+target_version: 1.21-next
+
+(cherry picked from commit 78ceba024b64d49612375be4a12d1c066b0bfbd0)
+---
+ src/lib/kdb/kdb_log.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
+index e9b95fce59..c805ebd988 100644
+--- a/src/lib/kdb/kdb_log.c
++++ b/src/lib/kdb/kdb_log.c
+@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
+ */
+ static krb5_error_code
+ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+- unsigned int recsize)
++ unsigned int recsize, const kdb_incr_update_t *upd)
+ {
+ unsigned int new_block, new_size;
+
+@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+ new_block *= ULOG_BLOCK;
+ new_size += ulogentries * new_block;
+
++ if (new_block > UINT16_MAX) {
++ syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
++ upd->kdb_princ_name.utf8str_t_len,
++ upd->kdb_princ_name.utf8str_t_val);
++ return KRB5_LOG_ERROR;
++ }
+ if (new_size > MAXLOGLEN)
+ return KRB5_LOG_ERROR;
+
+@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd)
+ recsize = sizeof(kdb_ent_header_t) + upd_size;
+
+ if (recsize > ulog->kdb_block) {
+- retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
++ retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
+ if (retval)
+ return retval;
+ }
+--
+2.48.1
+
diff --git a/SOURCES/Set-missing-mask-flags-for-kdb5_util-operations.patch b/SOURCES/Set-missing-mask-flags-for-kdb5_util-operations.patch
new file mode 100644
index 0000000..b36490e
--- /dev/null
+++ b/SOURCES/Set-missing-mask-flags-for-kdb5_util-operations.patch
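Review bot: In `resize()` the product `ulogentries * new_block` is still formed in `unsigned int` and ahead of the new guard, so the retained `new_size > MAXLOGLEN` test can be handed a wrapped value when `ulogentries` is large; the guard bounds `new_block` but not the product, and whether callers bound `ulogentries` is not visible in these hunks. Doing the comparison in a wider type after the new guard would close that, e.g. `if ((uint64_t)ulogentries * new_block > MAXLOGLEN - sizeof(kdb_hlog_t)) return KRB5_LOG_ERROR;`. Separately, the precision argument of `%.*s` must be an `int`; if `utf8str_t_len` is declared unsigned (its declaration is outside the patch), pass `(int)upd->kdb_princ_name.utf8str_t_len`. The body of `resize()` begins and ends outside the hunks shown.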
@@ -0,0 +1,61 @@
+From 8c2dbb9260e8beab6ae7d169e9791d8756eb40a2 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Thu, 1 Aug 2024 10:56:07 +0200
+Subject: [PATCH] Set missing mask flags for kdb5_util operations
+
+Set KADM5_TL_DATA for the use_mkey and update_princ_encryption
+commands. (Commit c877f13c8985d820583b0d7ac1bb4c5dc36e677e did this
+for the add_new_mkey and purge_mkeys commands.) Set appropriate flags
+for the add_random_key command.
+
+[ghudson@mit.edu: combined two commits; pruned out proposed mask flag
+additions for values represented within key data or tl-data (like
+KADM5_MKVNO), as those flags are currently only used in the kadm5
+protocol, not to communicate with the KDB module]
+
+ticket: 9158 (new)
+(cherry picked from commit 4ed7da378940198cf4415f86d4eb013de6ac6455)
+---
+ src/kadmin/dbutil/kdb5_mkey.c | 4 +++-
+ src/kadmin/dbutil/kdb5_util.c | 3 +++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c
+index aceb0a9b80..ac5c51d05e 100644
+--- a/src/kadmin/dbutil/kdb5_mkey.c
++++ b/src/kadmin/dbutil/kdb5_mkey.c
+@@ -525,6 +525,8 @@ kdb5_use_mkey(int argc, char *argv[])
+ goto cleanup_return;
+ }
+
++ master_entry->mask |= KADM5_TL_DATA;
++
+ if ((retval = krb5_db_put_principal(util_context, master_entry))) {
+ com_err(progname, retval,
+ _("while adding master key entry to the database"));
+@@ -814,7 +816,7 @@ update_princ_encryption_1(void *cb, krb5_db_entry *ent)
+ goto fail;
+ }
+
+- ent->mask |= KADM5_KEY_DATA;
++ ent->mask |= KADM5_KEY_DATA | KADM5_TL_DATA;
+
+ if ((retval = krb5_db_put_principal(util_context, ent))) {
+ com_err(progname, retval, _("while updating principal '%s' key data "
+diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
+index a720eecf0b..0bb4244681 100644
+--- a/src/kadmin/dbutil/kdb5_util.c
++++ b/src/kadmin/dbutil/kdb5_util.c
+@@ -600,6 +600,9 @@ add_random_key(argc, argv)
+ exit_status++;
+ return;
+ }
++
++ dbent->mask |= KADM5_ATTRIBUTES | KADM5_KEY_DATA | KADM5_TL_DATA;
++
+ ret = krb5_db_put_principal(util_context, dbent);
+ krb5_db_free_principal(util_context, dbent);
+ if (ret) {
+--
+2.48.1
+
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index 188d7a3..73bf4cf 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18.2
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 30%{?dist}
+Release: 31%{?dist}
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -109,6 +109,8 @@ Patch163: Add-a-simple-DER-support-header.patch
 Patch164: Fix-vulnerabilities-in-GSS-message-token-handling.patch
 Patch165: Remove-PKINIT-RSA-support.patch
 Patch166: Generate-and-verify-message-MACs-in-libkrad.patch
+Patch167: Set-missing-mask-flags-for-kdb5_util-operations.patch
+Patch168: Prevent-overflow-when-calculating-ulog-block-size.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -719,6 +721,12 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Tue Feb 11 2025 Julien Rische - 1.18.2-31
+- Prevent overflow when calculating ulog block size (CVE-2025-24528)
+ Resolves: RHEL-78248
+- kdb5_util: fix DB entry flags on modification
+ Resolves: RHEL-56060
+
 * Thu Oct 17 2024 Julien Rische - 1.18.2-30
 - libkrad: implement support for Message-Authenticator (CVE-2024-3596)
 Resolves: RHEL-50253
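Review bot: None of the three added `mask |=` statements carries a comment, and the reason for them exists only in the commit message, which says the flags are how kdb5_util communicates with the KDB module. A one-line comment at each site, for example `/* Flag every field modified above; the KDB module relies on mask to know what changed. */`, would make it harder for a later `krb5_db_put_principal()` caller in these files to omit the mask. In `add_random_key()` the hunk sets `KADM5_ATTRIBUTES`, but the attribute change itself lies outside the visible context, so the comment there should name the fields that were modified. All three functions begin and end outside their hunks.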