SOURCES/Fix-buffer-overflow-when-unpacking-message-address-l.patch

@@ -1,52 +0,0 @@
-From bf40cc27c4ce8451d4b062c9de0b67ec40894812 Mon Sep 17 00:00:00 2001
-From: Chris Dunlap <cdunlap@llnl.gov>
-Date: Mon, 26 Jan 2026 20:42:40 -0800
-Subject: [PATCH] Fix buffer overflow when unpacking message address length
-
-Add validation that addr_len does not exceed the size of the addr
-field before copying IP address data in _msg_unpack().
-
-The m_msg structure contains a 4-byte struct in_addr for the IP
-address.  When unpacking a MUNGE_MSG_DEC_RSP message, the addr_len
-field (uint8_t) was read from untrusted message data and used directly
-in _copy() without validation.  An attacker setting addr_len to 255
-causes _copy() to write 251 bytes past the end of the addr field,
-corrupting subsequent structure members.
-
-This buffer overflow corrupts munged's internal state and can
-be exploited by a local attacker to leak conf->mac_key and other
-cryptographic secrets from process memory.  With the leaked key,
-an attacker can forge arbitrary MUNGE credentials to impersonate any
-user to services that rely on MUNGE for authentication.
-
-Any local user can trigger this by connecting to munged's Unix socket
-and sending a crafted MUNGE_MSG_DEC_RSP message.  While message type
-validation in job_exec() will reject response-type messages, this
-validation occurs after m_msg_recv() has already called _msg_unpack()
-to process the message body.  The buffer overflow occurs during the
-unpacking phase, before the message type is validated and rejected.
-
-A working proof-of-concept exploit exists that demonstrates key
-leakage and credential forgery.
-
-Reported-by: Titouan Lazard <t.lazard@lexfo.fr>
-Security: CVE-2026-25506
----
- src/libcommon/m_msg.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/libcommon/m_msg.c b/src/libcommon/m_msg.c
-index 38e01ae3dd81..eaeaf0b8bc3e 100644
---- a/src/libcommon/m_msg.c
-+++ b/src/libcommon/m_msg.c
-@@ -686,6 +686,7 @@ _msg_unpack (m_msg_t m, m_msg_type_t type, const void *src, int srclen)
-             else if ( _copy (m->realm_str, p, m->realm_len, p, q, &p) < 0) ;
-             else if (!_unpack (&(m->ttl), &p, sizeof (m->ttl), q)) ;
-             else if (!_unpack (&(m->addr_len), &p, sizeof (m->addr_len), q)) ;
-+            else if (m->addr_len > sizeof (m->addr)) goto err;
-             else if ( _copy (&(m->addr), p, m->addr_len, p, q, &p) < 0) ;
-             else if (!_unpack (&(m->time0), &p, sizeof (m->time0), q)) ;
-             else if (!_unpack (&(m->time1), &p, sizeof (m->time1), q)) ;
--- 
-2.52.0
-

SOURCES/munge.sysusers

@@ -0,0 +1 @@
+u munge - "Runs Uid 'N' Gid Emporium" /run/munge /sbin/nologin

SPECS/munge.spec

@@ -1,6 +1,6 @@
 Name:           munge
 Version:        0.5.13
-Release:        3%{?dist}
+Release:        13%{?dist}
 Summary:        Enables uid & gid authentication across a host cluster
 
 # The libs and devel package is GPLv3+ and LGPLv3+ where as the main package is GPLv3 only.
@@ -9,7 +9,7 @@ URL:            https://dun.github.io/munge/
 Source0:        https://github.com/dun/munge/releases/download/munge-%{version}/munge-%{version}.tar.xz
 Source1:        create-munge-key
 Source2:        munge.logrotate
-Patch01:	Fix-buffer-overflow-when-unpacking-message-address-l.patch
+Source3:        munge.sysusers
 
 BuildRequires:  gcc
 BuildRequires:  systemd-rpm-macros
@@ -19,9 +19,8 @@ Requires:       logrotate
 
 Requires(pre):    shadow-utils
 
-Requires(post):   systemd
+%{?systemd_requires}
-Requires(preun):  systemd
+%{?sysusers_requires_compat}
-Requires(postun): systemd
 
 %description
 MUNGE (MUNGE Uid 'N' Gid Emporium) is an authentication service for creating
@@ -50,7 +49,6 @@ Runtime libraries for using MUNGE.
 
 %prep
 %setup -q
-%patch -P 1 -p1
 cp -p %{SOURCE1} create-munge-key
 cp -p %{SOURCE2} munge.logrotate
 
@@ -60,7 +58,7 @@ echo "d /run/munge 0755 munge munge -" > src/etc/munge.tmpfiles.conf.in
 # Get rid of some rpaths for /usr/sbin
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
-make %{?_smp_mflags} 
+%make_build
 
 
 %install
@@ -70,11 +68,11 @@ make %{?_smp_mflags}
 install -p -m 755 create-munge-key %{buildroot}/%{_sbindir}/create-munge-key
 install -p -D -m 644 munge.logrotate %{buildroot}/%{_sysconfdir}/logrotate.d/munge
 
+install -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/munge.conf
+
 # rm unneeded files.
 rm %{buildroot}/%{_sysconfdir}/sysconfig/munge
-# 
+rm %{buildroot}/%{_sysconfdir}/init.d/munge
-rm %{buildroot}/%{_initddir}/munge
-
 # Exclude .la files
 rm %{buildroot}/%{_libdir}/libmunge.la
 
@@ -89,17 +87,12 @@ chmod 700 %{buildroot}%{_sysconfdir}/munge
 touch %{buildroot}%{_var}/run/munge/munged.pid
 mv %{buildroot}%{_var}/run %{buildroot}
 
+%pre
+%sysusers_create_compat %{SOURCE3}
+
 %preun
 %systemd_preun munge.service
 
-%pre
-getent group munge >/dev/null || groupadd -r munge
-getent passwd munge >/dev/null || \
-useradd -r -g munge -d %{_var}/run/munge -s /sbin/nologin \
-  -c "Runs Uid 'N' Gid Emporium" munge
-exit 0
-
-
 %post
 %systemd_post munge.service
 
@@ -127,7 +120,8 @@ exit 0
 %attr(0755,munge,munge) %dir   /run/munge/
 %attr(0644,munge,munge) %ghost /run/munge/munged.pid
 
-%config(noreplace) %{_tmpfilesdir}/munge.conf
+%{_tmpfilesdir}/munge.conf
+%{_sysusersdir}/munge.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/munge
 
 %license COPYING COPYING.LESSER
@@ -161,16 +155,49 @@ exit 0
 
 
 %changelog
-* Sun Feb 15 2026 Kamal Heib <kheib@redhat.com> - 0.5.13-3
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.5.13-13
-- Fix CVE-2026-25506
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-- Resolves: RHEL-148521
+  Related: rhbz#1991688
 
-* Fri Apr 24 2020 Honggang Li <honli@redhat.com> - 0.5.13-2
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.5.13-12
-- Don't create temporary files in legacy directory
+- Rebuilt for RHEL 9 BETA for openssl 3.0
-- Resolves: bz1805956
+  Related: rhbz#1971065
 
-* Thu Jul 19 2018 Jarod Wilson <jarod@redhat.com> - 0.5.13-1
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.5.13-11
-- Update to upstream 0.5.13 release
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Sep 29 2020 Ankur Sinha <ankursinha AT fedoraproject DOT org> - 0.5.13-10
+- Fix spec + build
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.13-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Feb 10 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.5.13-8
+- Provide a sysusers.d file to get user() and group() provides
+  (see https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format).
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.13-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Nov 28 2019 Gerd Pokorra <gp@zimt.uni-siegen.de> - 0.5.13-6
+- updating line in /usr/lib/tmpfiles.d/munge.conf: /var/run/munge → /run/munge
+- add license tag
+- add requires logrotate
+
+* Wed Nov 27 2019 Gerd Pokorra <gp@zimt.uni-siegen.de> - 0.5.13-5
+- built with OpenSSL (not libgcrypt)
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.13-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.13-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.13-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu May 17 2018 Steve Traylen <steve.traylen@cern.ch> - 0.5.13-1
+- Escape macros in %%changelog
 
 * Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.5.12-9
 - Escape macros in %%changelog