Backport patches from upstream community

2023-11-30 17:31:21 +08:00 · 2023-11-30 17:31:21 +08:00 · 9ac9fe9a1a
commit 9ac9fe9a1a
parent 8cf6b121e6
5 changed files with 283 additions and 1 deletions
--- a/backport-Fix-krb5_cccol_have_content-bad-pointer-free.patch
+++ b/backport-Fix-krb5_cccol_have_content-bad-pointer-free.patch
@ -0,0 +1,35 @@
+From 635c8cca65b745476d07c1f5ff701445db25c10d Mon Sep 17 00:00:00 2001
+From: Ilya Gladyshev <ilya.v.gladyshev@gmail.com>
+Date: Wed, 30 Aug 2023 21:19:59 +0100
+Subject: [PATCH] Fix krb5_cccol_have_content() bad pointer free
+
+krb5_cccol_have_content() calls krb5_cc_get_principal() within a loop,
+and frees the resulting principal on success or failure.  Set princ to
+null before each call to ensure we don't free a dangling pointer.
+
+[ghudson@mit.edu: rewrote commit message; moved assignment for greater
+clarity]
+
+ticket: 9103
+tags: pullup
+target_version: 1.21-next
+target_version: 1.20-next
+---
+ src/lib/krb5/ccache/cccursor.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/lib/krb5/ccache/cccursor.c b/src/lib/krb5/ccache/cccursor.c
+index 4bcb66b71..926873f2a 100644
+--- a/src/lib/krb5/ccache/cccursor.c
+++ b/src/lib/krb5/ccache/cccursor.c
+@@ -249,6 +249,7 @@ krb5_cccol_have_content(krb5_context context)
+         save_first_error(context, ret, &errsave);
+         if (ret || cache == NULL)
+             break;
+        princ = NULL;
+         ret = krb5_cc_get_principal(context, cache, &princ);
+         save_first_error(context, ret, &errsave);
+         if (!ret)
+-- 
+2.33.0
+
--- a/backport-Fix-possible-double-free-during-KDB-creation.patch
+++ b/backport-Fix-possible-double-free-during-KDB-creation.patch
@ -0,0 +1,45 @@
+From fddd419fc4112a118d8091e296cc2bfa8d8f777b Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Wed, 1 Feb 2023 15:57:26 +0100
+Subject: [PATCH] Fix possible double-free during KDB creation
+
+In krb5_dbe_def_encrypt_key_data(), when we free
+key_data->key_data_contents[0], reset it to null so the caller doesn't
+free it as well.
+
+Since commit a06945b4ec267e8b80e5e8c95edd89930ff12103 this bug
+manifests as a double-free during KDB creation if master key
+encryption fails.
+
+[ghudson@mit.edu: edited commit message]
+
+ticket: 9086 (new)
+tags: pullup
+target_version: 1.20-next
+---
+ src/lib/kdb/encrypt_key.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c
+index dc612c810..91debea53 100644
+--- a/src/lib/kdb/encrypt_key.c
+++ b/src/lib/kdb/encrypt_key.c
+@@ -109,6 +109,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context             context,
+     if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0,
+                                  &plain, &cipher))) {
+         free(key_data->key_data_contents[0]);
+        key_data->key_data_contents[0] = NULL;
+         return retval;
+     }
+ 
+@@ -121,6 +122,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context             context,
+                 key_data->key_data_contents[1] = malloc(keysalt->data.length);
+                 if (key_data->key_data_contents[1] == NULL) {
+                     free(key_data->key_data_contents[0]);
+                    key_data->key_data_contents[0] = NULL;
+                     return ENOMEM;
+                 }
+                 memcpy(key_data->key_data_contents[1], keysalt->data.data,
+-- 
+2.33.0
+
--- a/backport-Fix-read-overruns-in-SPNEGO-parsing.patch
+++ b/backport-Fix-read-overruns-in-SPNEGO-parsing.patch
@ -0,0 +1,81 @@
+From 47c2a12830dbd7fb8e13c239ddc0ac74129a91f6 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 8 Feb 2023 12:23:28 -0500
+Subject: [PATCH] Fix read overruns in SPNEGO parsing
+
+Fix three read overruns discovered by the GitHub Security Lab team
+(GHSL-2023-016, GHSL-2023-017, and GHSL-2023-018) using OSS-Fuzz.
+
+In get_mech_set(), error out if gss_add_oid_set_member() fails rather
+than continue the loop and increment i past the current bound of
+returned_mechSet.  In g_verify_neg_token_init(), check for zero-byte
+sequences before reading tag bytes, and reduce cur_size by one to
+account for the tag byte when calling gssint_get_der_length().
+
+ticket: 9085 (new)
+tags: pullup
+target_version: 1.20-next
+target_version: 1.19-next
+---
+ src/lib/gssapi/spnego/spnego_mech.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index ba7765cb4..654964c62 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -3455,7 +3455,7 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in,
+ 	     unsigned int buff_length)
+ {
+ 	gss_OID_set returned_mechSet;
+-	OM_uint32 major_status;
+	OM_uint32 major_status, tmpmin;
+ 	int length;
+ 	unsigned int bytes;
+ 	OM_uint32 set_length;
+@@ -3485,9 +3485,12 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in,
+ 
+ 		major_status = gss_add_oid_set_member(minor_status,
+ 						      temp, &returned_mechSet);
+-		if (major_status == GSS_S_COMPLETE)
+-			set_length += returned_mechSet->elements[i].length +2;
+ 		generic_gss_release_oid(minor_status, &temp);
+		if (major_status != GSS_S_COMPLETE) {
+			gss_release_oid_set(&tmpmin, &returned_mechSet);
+			return (NULL);
+		}
+		set_length += returned_mechSet->elements[i].length + 2;
+ 	}
+ 
+ 	return (returned_mechSet);
+@@ -4305,7 +4308,8 @@ g_verify_neg_token_init(unsigned char **buf_in, unsigned int cur_size)
+ 	 * - check for a0(context specific identifier)
+ 	 * - get length and verify that enoughd ata exists
+ 	 */
+-	if (g_get_tag_and_length(&buf, CONTEXT, cur_size, &bytes) < 0)
+	if (g_get_tag_and_length(&buf, CONTEXT, cur_size, &bytes) < 0 ||
+	    bytes == 0)
+ 		return (G_BAD_TOK_HEADER);
+ 
+ 	cur_size = bytes; /* should indicate bytes remaining */
+@@ -4315,7 +4319,7 @@ g_verify_neg_token_init(unsigned char **buf_in, unsigned int cur_size)
+ 	 * a strucure of type NegTokenInit.
+ 	 */
+ 	if (*buf++ == SEQUENCE) {
+-		if ((seqsize = gssint_get_der_length(&buf, cur_size, &bytes)) < 0)
+		if ((seqsize = gssint_get_der_length(&buf, cur_size - 1, &bytes)) <= 0)
+ 			return (G_BAD_TOK_HEADER);
+ 		/*
+ 		 * Make sure we have the entire buffer as described
+@@ -4332,7 +4336,7 @@ g_verify_neg_token_init(unsigned char **buf_in, unsigned int cur_size)
+ 	 * Verify that the first blob is a sequence of mechTypes
+ 	 */
+ 	if (*buf++ == CONTEXT) {
+-		if ((seqsize = gssint_get_der_length(&buf, cur_size, &bytes)) < 0)
+		if ((seqsize = gssint_get_der_length(&buf, cur_size - 1, &bytes)) < 0)
+ 			return (G_BAD_TOK_HEADER);
+ 		/*
+ 		 * Make sure we have the entire buffer as described
+-- 
+2.33.0
+
--- a/backport-Simplify-krb5_cccol_have_content.patch
+++ b/backport-Simplify-krb5_cccol_have_content.patch
@ -0,0 +1,114 @@
+From 52c34009598357d6b276eee09a9778ada09b002b Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 31 Mar 2021 15:00:21 -0400
+Subject: [PATCH] Simplify krb5_cccol_have_content()
+
+For the purposes of determining whether Kerberos credentials are
+present, just check for an initialized ccache (as detected by
+krb5_cc_get_principal()), not one with credentials in it.  For KCM and
+KEYRING caches, this changes avoids the O(n) expense of starting an
+iteration.
+
+Also fix a potential memory leak if a cache is found after an error is
+saved.
+
+ticket: 8998 (new)
+---
+ src/include/krb5/krb5.hin      |  6 +++---
+ src/lib/krb5/ccache/cccursor.c | 35 +++++++---------------------------
+ 2 files changed, 10 insertions(+), 31 deletions(-)
+
+diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
+index 978204fa8..7017837a0 100644
+--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
+@@ -2667,14 +2667,14 @@ krb5_error_code KRB5_CALLCONV
+ krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor);
+ 
+ /**
+- * Check if the credential cache collection contains any credentials.
+ * Check if the credential cache collection contains any initialized caches.
+  *
+  * @param [in]  context         Library context
+  *
+  * @version New in 1.11
+  *
+- * @retval 0 Credentials are available in the collection
+- * @retval KRB5_CC_NOTFOUND The collection contains no credentials
+ * @retval 0 At least one initialized cache is present in the collection
+ * @retval KRB5_CC_NOTFOUND The collection contains no caches
+  */
+ krb5_error_code KRB5_CALLCONV
+ krb5_cccol_have_content(krb5_context context);
+diff --git a/src/lib/krb5/ccache/cccursor.c b/src/lib/krb5/ccache/cccursor.c
+index 760216d05..4bcb66b71 100644
+--- a/src/lib/krb5/ccache/cccursor.c
+++ b/src/lib/krb5/ccache/cccursor.c
+@@ -224,41 +224,17 @@ static void
+ save_first_error(krb5_context context, krb5_error_code code,
+                  struct errinfo *errsave)
+ {
+-    if (code && code != KRB5_CC_END && !errsave->code)
+    if (code && code != KRB5_FCC_NOFILE && !errsave->code)
+         k5_save_ctx_error(context, code, errsave);
+ }
+ 
+-/* Return 0 if cache contains any non-config credentials.  Return KRB5_CC_END
+- * if it does not, or another error if we failed to read through it. */
+-static krb5_error_code
+-has_content(krb5_context context, krb5_ccache cache)
+-{
+-    krb5_error_code ret;
+-    krb5_boolean found = FALSE;
+-    krb5_cc_cursor cache_cursor;
+-    krb5_creds creds;
+-
+-    ret = krb5_cc_start_seq_get(context, cache, &cache_cursor);
+-    if (ret)
+-        return ret;
+-    while (!found) {
+-        ret = krb5_cc_next_cred(context, cache, &cache_cursor, &creds);
+-        if (ret)
+-            break;
+-        if (!krb5_is_config_principal(context, creds.server))
+-            found = TRUE;
+-        krb5_free_cred_contents(context, &creds);
+-    }
+-    krb5_cc_end_seq_get(context, cache, &cache_cursor);
+-    return ret;
+-}
+-
+ krb5_error_code KRB5_CALLCONV
+ krb5_cccol_have_content(krb5_context context)
+ {
+     krb5_error_code ret;
+     krb5_cccol_cursor col_cursor;
+     krb5_ccache cache;
+    krb5_principal princ;
+     krb5_boolean found = FALSE;
+     struct errinfo errsave = EMPTY_ERRINFO;
+     const char *defname;
+@@ -273,15 +249,18 @@ krb5_cccol_have_content(krb5_context context)
+         save_first_error(context, ret, &errsave);
+         if (ret || cache == NULL)
+             break;
+-        ret = has_content(context, cache);
+        ret = krb5_cc_get_principal(context, cache, &princ);
+         save_first_error(context, ret, &errsave);
+         if (!ret)
+             found = TRUE;
+        krb5_free_principal(context, princ);
+         krb5_cc_close(context, cache);
+     }
+     krb5_cccol_cursor_free(context, &col_cursor);
+-    if (found)
+    if (found) {
+        k5_clear_error(&errsave);
+         return 0;
+    }
+ 
+ no_entries:
+     if (errsave.code) {
+-- 
+2.33.0
+
--- a/krb5.spec
+++ b/krb5.spec
@ -3,7 +3,7 @@

 Name:     krb5
 Version:  1.19.2
-Release:  9
+Release:  11
 Summary:  The Kerberos network authentication protocol
 License:  MIT
 URL:      http://web.mit.edu/kerberos/www/
@ -37,6 +37,10 @@ Patch13: backport-Free-verto-context-later-in-KDC-cleanup.patch
 Patch14: backport-Squash-unused-variable-warnings-in-kdb5_ldap_util.patch
 Patch15: CVE-2023-36054.patch
 Patch16: backport-Fix-kpropd-crash-with-unrecognized-option.patch
+Patch17: backport-Simplify-krb5_cccol_have_content.patch
+Patch18: backport-Fix-krb5_cccol_have_content-bad-pointer-free.patch
+Patch19: backport-Fix-read-overruns-in-SPNEGO-parsing.patch
+Patch20: backport-Fix-possible-double-free-during-KDB-creation.patch

 BuildRequires:  gettext
 BuildRequires:  gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@ -329,6 +333,9 @@ make -C src check || :


 %changelog
+* Thu Nov 30 2023 zhangruifang <zhangruifang1@h-partners.com> - 1.19.2-11
+- Backport patches from upstream community
+
 * Tue Sep 19 2023 xuraoqing <xuraoqing@huawei.com> - 1.19.2-10
 - backport patches