SOURCES/Fix-buffer-overflow-when-unpacking-message-address-l.patch

@@ -1,52 +0,0 @@
-From bf40cc27c4ce8451d4b062c9de0b67ec40894812 Mon Sep 17 00:00:00 2001
-From: Chris Dunlap <cdunlap@llnl.gov>
-Date: Mon, 26 Jan 2026 20:42:40 -0800
-Subject: [PATCH] Fix buffer overflow when unpacking message address length
-
-Add validation that addr_len does not exceed the size of the addr
-field before copying IP address data in _msg_unpack().
-
-The m_msg structure contains a 4-byte struct in_addr for the IP
-address.  When unpacking a MUNGE_MSG_DEC_RSP message, the addr_len
-field (uint8_t) was read from untrusted message data and used directly
-in _copy() without validation.  An attacker setting addr_len to 255
-causes _copy() to write 251 bytes past the end of the addr field,
-corrupting subsequent structure members.
-
-This buffer overflow corrupts munged's internal state and can
-be exploited by a local attacker to leak conf->mac_key and other
-cryptographic secrets from process memory.  With the leaked key,
-an attacker can forge arbitrary MUNGE credentials to impersonate any
-user to services that rely on MUNGE for authentication.
-
-Any local user can trigger this by connecting to munged's Unix socket
-and sending a crafted MUNGE_MSG_DEC_RSP message.  While message type
-validation in job_exec() will reject response-type messages, this
-validation occurs after m_msg_recv() has already called _msg_unpack()
-to process the message body.  The buffer overflow occurs during the
-unpacking phase, before the message type is validated and rejected.
-
-A working proof-of-concept exploit exists that demonstrates key
-leakage and credential forgery.
-
-Reported-by: Titouan Lazard <t.lazard@lexfo.fr>
-Security: CVE-2026-25506
----
- src/libcommon/m_msg.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/libcommon/m_msg.c b/src/libcommon/m_msg.c
-index 38e01ae3dd81..eaeaf0b8bc3e 100644
---- a/src/libcommon/m_msg.c
-+++ b/src/libcommon/m_msg.c
-@@ -686,6 +686,7 @@ _msg_unpack (m_msg_t m, m_msg_type_t type, const void *src, int srclen)
-             else if ( _copy (m->realm_str, p, m->realm_len, p, q, &p) < 0) ;
-             else if (!_unpack (&(m->ttl), &p, sizeof (m->ttl), q)) ;
-             else if (!_unpack (&(m->addr_len), &p, sizeof (m->addr_len), q)) ;
-+            else if (m->addr_len > sizeof (m->addr)) goto err;
-             else if ( _copy (&(m->addr), p, m->addr_len, p, q, &p) < 0) ;
-             else if (!_unpack (&(m->time0), &p, sizeof (m->time0), q)) ;
-             else if (!_unpack (&(m->time1), &p, sizeof (m->time1), q)) ;
--- 
-2.52.0
-

SPECS/munge.spec

@@ -1,6 +1,6 @@
 Name:           munge
 Version:        0.5.13
-Release:        3%{?dist}
+Release:        2%{?dist}
 Summary:        Enables uid & gid authentication across a host cluster
 
 # The libs and devel package is GPLv3+ and LGPLv3+ where as the main package is GPLv3 only.
@@ -9,7 +9,6 @@ URL:            https://dun.github.io/munge/
 Source0:        https://github.com/dun/munge/releases/download/munge-%{version}/munge-%{version}.tar.xz
 Source1:        create-munge-key
 Source2:        munge.logrotate
-Patch01:	Fix-buffer-overflow-when-unpacking-message-address-l.patch
 
 BuildRequires:  gcc
 BuildRequires:  systemd-rpm-macros
@@ -50,7 +49,6 @@ Runtime libraries for using MUNGE.
 
 %prep
 %setup -q
-%patch -P 1 -p1
 cp -p %{SOURCE1} create-munge-key
 cp -p %{SOURCE2} munge.logrotate
 
@@ -161,10 +159,6 @@ exit 0
 
 
 %changelog
-* Sun Feb 15 2026 Kamal Heib <kheib@redhat.com> - 0.5.13-3
-- Fix CVE-2026-25506
-- Resolves: RHEL-148521
-
 * Fri Apr 24 2020 Honggang Li <honli@redhat.com> - 0.5.13-2
 - Don't create temporary files in legacy directory
 - Resolves: bz1805956