krb5 1.21.3-7
- Prevent overflow when calculating ulog block size (CVE-2025-24528) Resolves: RHEL-76758 Signed-off-by: Julien Rische <jrische@redhat.com>
							parent
							
								
									0aef9858bc
								
							
						
					
					
						commit
						afcfeeca0e
					
				
							
								
								
									
										64
									
								
								0034-Prevent-overflow-when-calculating-ulog-block-size.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
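--- /dev/null
+++ b/0034-Prevent-overflow-when-calculating-ulog-block-size.patch
@@ -0,0 +1,64 @@
+From acca49896d1783c8427c5181412abf29ef62208c Mon Sep 17 00:00:00 2001
+From: Zoltan Borbely <Zoltan.Borbely@morganstanley.com>
+Date: Tue, 28 Jan 2025 16:39:25 -0500
+Subject: [PATCH] Prevent overflow when calculating ulog block size
+
+In kdb_log.c:resize(), log an error and fail if the update size is
+larger than the largest possible block size (2^16-1).
+
+CVE-2025-24528:
+
+In MIT krb5 release 1.7 and later with incremental propagation
+enabled, an authenticated attacker can cause kadmind to write beyond
+the end of the mapped region for the iprop log file, likely causing a
+process crash.
+
+[ghudson@mit.edu: edited commit message and added CVE description]
+
+ticket: 9159 (new)
+tags: pullup
+target_version: 1.21-next
+
+(cherry picked from commit 78ceba024b64d49612375be4a12d1c066b0bfbd0)
+---
+ src/lib/kdb/kdb_log.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
+index e9b95fce59..c805ebd988 100644
+--- a/src/lib/kdb/kdb_log.c
++++ b/src/lib/kdb/kdb_log.c
+@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
+  */
+ static krb5_error_code
+ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+-       unsigned int recsize)
++       unsigned int recsize, const kdb_incr_update_t *upd)
+ {
+     unsigned int new_block, new_size;
+ 
+@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+     new_block *= ULOG_BLOCK;
+     new_size += ulogentries * new_block;
+ 
++    if (new_block > UINT16_MAX) {
++        syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
++               upd->kdb_princ_name.utf8str_t_len,
++               upd->kdb_princ_name.utf8str_t_val);
++        return KRB5_LOG_ERROR;
++    }
+     if (new_size > MAXLOGLEN)
+         return KRB5_LOG_ERROR;
+ 
+@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd)
+     recsize = sizeof(kdb_ent_header_t) + upd_size;
+ 
+     if (recsize > ulog->kdb_block) {
+-        retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
++        retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
+         if (retval)
+             return retval;
+     }
+-- 
+2.48.1
+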
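Review bot: In the new `if (new_block > UINT16_MAX)` block, the precision argument of `%.*s` is `upd->kdb_princ_name.utf8str_t_len`, but `%.*s` requires an `int`; if that field is an unsigned XDR length, as its name suggests, the call is type-mismatched and `-Wformat` will warn, so it should be passed as `(int)upd->kdb_princ_name.utf8str_t_len`. The bound check is also placed after `new_size += ulogentries * new_block` rather than directly after `new_block *= ULOG_BLOCK`; moving it up so `new_block` is validated before it feeds the `new_size` arithmetic reads more clearly, although the early return makes the current order functionally the same. The `resize()` body begins and ends outside this hunk, and the lines that compute `new_block` and the initial `new_size` are not visible here, so whether the unchecked `ulogentries * new_block` product can itself wrap before the `MAXLOGLEN` check is worth confirming against the full function.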
| @ -10,7 +10,7 @@ | |||||||
| # | # | ||||||
| # baserelease is what we have standardized across Fedora and what | # baserelease is what we have standardized across Fedora and what | ||||||
| # rpmdev-bumpspec knows how to handle. | # rpmdev-bumpspec knows how to handle. | ||||||
| %global baserelease 6 | %global baserelease 7 | ||||||
| 
 | 
 | ||||||
| # This should be e.g. beta1 or %%nil | # This should be e.g. beta1 or %%nil | ||||||
| %global pre_release %nil | %global pre_release %nil | ||||||
| @ -92,6 +92,7 @@ Patch0030: 0030-Simplify-PKINIT-cert-representation.patch | |||||||
| Patch0031: 0031-Support-PKCS11-EC-client-certs-in-PKINIT.patch | Patch0031: 0031-Support-PKCS11-EC-client-certs-in-PKINIT.patch | ||||||
| Patch0032: 0032-Improve-PKCS11-error-reporting-in-PKINIT.patch | Patch0032: 0032-Improve-PKCS11-error-reporting-in-PKINIT.patch | ||||||
| Patch0033: 0033-Set-missing-mask-flags-for-kdb5_util-operations.patch | Patch0033: 0033-Set-missing-mask-flags-for-kdb5_util-operations.patch | ||||||
|  | Patch0034: 0034-Prevent-overflow-when-calculating-ulog-block-size.patch | ||||||
| 
 | 
 | ||||||
| License: Brian-Gladman-2-Clause AND BSD-2-Clause AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-first-lines AND BSD-3-Clause AND BSD-4-Clause AND CMU-Mach-nodoc AND FSFULLRWD AND HPND AND HPND-export2-US AND HPND-export-US AND HPND-export-US-acknowledgement AND HPND-export-US-modify AND ISC AND MIT AND MIT-CMU AND OLDAP-2.8 AND OpenVision | License: Brian-Gladman-2-Clause AND BSD-2-Clause AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-first-lines AND BSD-3-Clause AND BSD-4-Clause AND CMU-Mach-nodoc AND FSFULLRWD AND HPND AND HPND-export2-US AND HPND-export-US AND HPND-export-US-acknowledgement AND HPND-export-US-modify AND ISC AND MIT AND MIT-CMU AND OLDAP-2.8 AND OpenVision | ||||||
| URL: https://web.mit.edu/kerberos/www/ | URL: https://web.mit.edu/kerberos/www/ | ||||||
| @ -733,6 +734,10 @@ exit 0 | |||||||
| %{_datarootdir}/%{name}-tests/%{_arch} | %{_datarootdir}/%{name}-tests/%{_arch} | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Wed Jan 29 2025 Julien Rische <jrische@redhat.com> - 1.21.3-7 | ||||||
|  | - Prevent overflow when calculating ulog block size (CVE-2025-24528) | ||||||
|  |   Resolves: RHEL-76758 | ||||||
|  | 
 | ||||||
| * Fri Jan 17 2025 Julien Rische <jrische@redhat.com> - 1.21.3-6 | * Fri Jan 17 2025 Julien Rische <jrische@redhat.com> - 1.21.3-6 | ||||||
| - Support PKCS11 EC client certs in PKINIT | - Support PKCS11 EC client certs in PKINIT | ||||||
|   Resolves: RHEL-74373 |   Resolves: RHEL-74373 | ||||||
|  | |||||||