diff --git a/0034-Prevent-overflow-when-calculating-ulog-block-size.patch b/0034-Prevent-overflow-when-calculating-ulog-block-size.patch
new file mode 100644
index 0000000..8e7c60d
--- /dev/null
+++ b/0034-Prevent-overflow-when-calculating-ulog-block-size.patch
@@ -0,0 +1,64 @@
+From acca49896d1783c8427c5181412abf29ef62208c Mon Sep 17 00:00:00 2001
+From: Zoltan Borbely
+Date: Tue, 28 Jan 2025 16:39:25 -0500
+Subject: [PATCH] Prevent overflow when calculating ulog block size
+
+In kdb_log.c:resize(), log an error and fail if the update size is
+larger than the largest possible block size (2^16-1).
+
+CVE-2025-24528:
+
+In MIT krb5 release 1.7 and later with incremental propagation
+enabled, an authenticated attacker can cause kadmind to write beyond
+the end of the mapped region for the iprop log file, likely causing a
+process crash.
+
+[ghudson@mit.edu: edited commit message and added CVE description]
+
+ticket: 9159 (new)
+tags: pullup
+target_version: 1.21-next
+
+(cherry picked from commit 78ceba024b64d49612375be4a12d1c066b0bfbd0)
+---
+ src/lib/kdb/kdb_log.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
+index e9b95fce59..c805ebd988 100644
+--- a/src/lib/kdb/kdb_log.c
++++ b/src/lib/kdb/kdb_log.c
+@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
+ */
+ static krb5_error_code
+ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+- unsigned int recsize)
++ unsigned int recsize, const kdb_incr_update_t *upd)
+ {
+ unsigned int new_block, new_size;
+ 
+@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+ new_block *= ULOG_BLOCK;
+ new_size += ulogentries * new_block;
+ 
++ if (new_block > UINT16_MAX) {
++ syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
++ upd->kdb_princ_name.utf8str_t_len,
++ upd->kdb_princ_name.utf8str_t_val);
++ return KRB5_LOG_ERROR;
++ }
+ if (new_size > MAXLOGLEN)
+ return KRB5_LOG_ERROR;
+ 
+@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd)
+ recsize = sizeof(kdb_ent_header_t) + upd_size;
+ 
+ if (recsize > ulog->kdb_block) {
+- retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
++ retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
+ if (retval)
+ return retval;
+ }
+-- 
+2.48.1
+
diff --git a/krb5.spec b/krb5.spec
index bfe1c02..08579be 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -10,7 +10,7 @@
 #
 # baserelease is what we have standardized across Fedora and what
 # rpmdev-bumpspec knows how to handle.
-%global baserelease 6
+%global baserelease 7
 # This should be e.g. beta1 or %%nil
 %global pre_release %nil
@@ -92,6 +92,7 @@ Patch0030: 0030-Simplify-PKINIT-cert-representation.patch
 Patch0031: 0031-Support-PKCS11-EC-client-certs-in-PKINIT.patch
 Patch0032: 0032-Improve-PKCS11-error-reporting-in-PKINIT.patch
 Patch0033: 0033-Set-missing-mask-flags-for-kdb5_util-operations.patch
+Patch0034: 0034-Prevent-overflow-when-calculating-ulog-block-size.patch
 License: Brian-Gladman-2-Clause AND BSD-2-Clause AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-first-lines AND BSD-3-Clause AND BSD-4-Clause AND CMU-Mach-nodoc AND FSFULLRWD AND HPND AND HPND-export2-US AND HPND-export-US AND HPND-export-US-acknowledgement AND HPND-export-US-modify AND ISC AND MIT AND MIT-CMU AND OLDAP-2.8 AND OpenVision
 URL: https://web.mit.edu/kerberos/www/
@@ -733,6 +734,10 @@ exit 0
 %{_datarootdir}/%{name}-tests/%{_arch}
 %changelog
+* Wed Jan 29 2025 Julien Rische - 1.21.3-7
+- Prevent overflow when calculating ulog block size (CVE-2025-24528)
+ Resolves: RHEL-76758
+
 * Fri Jan 17 2025 Julien Rische - 1.21.3-6
 - Support PKCS11 EC client certs in PKINIT
 Resolves: RHEL-74373
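Review bot: The new `UINT16_MAX` guard in resize() sits after `new_size += ulogentries * new_block;`, so the product is still computed from a block size the function is about to reject; placing the check directly after `new_block *= ULOG_BLOCK;` and before the `new_size` update would refuse the update before any derived size is touched and makes the bound the first thing a reader sees. The `%.*s` conversion in the syslog call takes an `int` precision, and `kdb_princ_name.utf8str_t_len` appears to be the rpcgen-generated `u_int`, so `(int)upd->kdb_princ_name.utf8str_t_len` would keep the call -Wformat clean. resize() continues past the hunk, and the lines that derive `new_block` from `recsize` are outside it, so whether that earlier unsigned arithmetic can wrap to a small value before reaching this check cannot be confirmed from what is shown.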