diff --git a/backport-Fix-crash-on-empty-TXT-records.patch b/backport-Fix-crash-on-empty-TXT-records.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f561d784b55c56c00331e16419d8d48af1dcc4e3
--- /dev/null
+++ b/backport-Fix-crash-on-empty-TXT-records.patch
@@ -0,0 +1,44 @@
+From 6a7877183ef668d3b52df1f2926acc8be6f1c475 Mon Sep 17 00:00:00 2001
+From: David Zhou
+Date: Fri, 24 May 2024 02:40:06 +0000
+Subject: [PATCH] Fix crash on empty TXT records
+
+In k5_try_realm_txt_rr(), error out if the first text string in a TXT
+record is empty or if its length exceeds the record length.
+
+This function is only used when dns_lookup_realm is set to true in
+krb5.conf. An alternative implementation is used on Windows.
+
+[ghudson@mit.edu: moved zero-length check and added upper bound check;
+rewrote commit message]
+
+ticket: 9174 (new)
+
+Reference:https://github.com/krb5/krb5/commit/6a7877183ef668d3b52df1f2926acc8be6f1c475
+Conflicta:NA
+
+---
+ src/lib/krb5/os/dnsglue.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/lib/krb5/os/dnsglue.c b/src/lib/krb5/os/dnsglue.c
+index 5da550c1e..fd403aa75 100644
+--- a/src/lib/krb5/os/dnsglue.c
++++ b/src/lib/krb5/os/dnsglue.c
+@@ -470,12 +470,10 @@ k5_try_realm_txt_rr(krb5_context context, const char *prefix, const char *name,
+ }
+
+ ret = krb5int_dns_nextans(ds, &base, &rdlen);
+- if (ret < 0 || base == NULL)
++ if (ret < 0 || rdlen < 2 || *base == 0 || *base > rdlen - 1)
+ goto errout;
+
+ p = base;
+- if (!INCR_OK(base, rdlen, p, 1))
+- goto errout;
+ len = *p++;
+ *realm = malloc((size_t)len + 1);
+ if (*realm == NULL) {
+--
+2.43.0
+
diff --git a/backport-Fix-potential-PAC-processing-crash.patch b/backport-Fix-potential-PAC-processing-crash.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2ea237af726110af3dbcb95e12f244ff6c725d7f
--- /dev/null
+++ b/backport-Fix-potential-PAC-processing-crash.patch
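Review bot: The new guard in the dnsglue.c hunk drops the `base == NULL` test and dereferences `*base` as soon as `rdlen >= 2`, so it is safe only if krb5int_dns_nextans() always leaves rdlen at 0 when it yields no answer, which this patch does not show. Either keep the test as cheap belt-and-braces, `if (ret < 0 || base == NULL || rdlen < 2 || *base == 0 || *base > rdlen - 1)`, or put `/* nextans() leaves rdlen == 0 when base is NULL, so rdlen < 2 guards the deref */` above the line so nobody re-introduces the crash. The `*base > rdlen - 1` bound is what keeps the length read at `len = *p++` inside the record; whatever copies those bytes into `*realm`, and the rest of k5_try_realm_txt_rr(), lies outside the hunk. Because this data comes from an unauthenticated DNS reply (consulted only when dns_lookup_realm is on, per the message), that condition is the only thing between a spoofed TXT record and the crash being fixed. Minor: the backport header says `Conflicta:NA` where the sibling patches say `Conflict:NA`.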
@@ -0,0 +1,39 @@
+From 79b244de8be6902a4af2c78e6619a815a1df8722 Mon Sep 17 00:00:00 2001
+From: Arjun
+Date: Fri, 11 Oct 2024 08:52:52 +0530
+Subject: [PATCH] Fix potential PAC processing crash
+
+An input to krb5_pac_parse() with a zero-length buffer at the end of
+the PAC can cause an assertion failure in k5_pac_locate_buffer() due
+to an off-by-one error. Correct the assertion.
+
+[ghudson@mit.edu: edited commit message]
+
+(cherry picked from commit 331e393c6def46c00b6b54e1b2a0d1080c2af9e0)
+
+ticket: 9144
+version_fixed: 1.21.4
+
+Reference:https://github.com/krb5/krb5/commit/79b244de8be6902a4af2c78e6619a815a1df8722
+Conflict:NA
+
+---
+ src/lib/krb5/krb/pac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
+index 77adcd272..909196b8d 100644
+--- a/src/lib/krb5/krb/pac.c
++++ b/src/lib/krb5/krb/pac.c
+@@ -146,7 +146,7 @@ k5_pac_locate_buffer(krb5_context context, const krb5_pac pac, uint32_t type,
+ if (buffer == NULL)
+ return ENOENT;
+
+- assert(buffer->offset < pac->data.length);
++ assert(buffer->offset <= pac->data.length);
+ assert(buffer->size <= pac->data.length - buffer->offset);
+
+ if (data_out != NULL)
+--
+2.43.0
+
diff --git a/backport-In-PKINIT-check-for-null-PKCS7-enveloped-fields.patch b/backport-In-PKINIT-check-for-null-PKCS7-enveloped-fields.patch
new file mode 100644
index 0000000000000000000000000000000000000000..77a0e5aaada0323a9562ad5cfdc40d5ee4092b63
--- /dev/null
+++ b/backport-In-PKINIT-check-for-null-PKCS7-enveloped-fields.patch
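Review bot: The corrected `assert(buffer->offset <= pac->data.length)` in pac.c still enforces a bound on input-derived data with an assertion, which is compiled out under NDEBUG and aborts the process otherwise; unless krb5_pac_parse() already rejects an offset past the end of the data (not visible here), this belongs in an error return, e.g. `if (buffer->offset > pac->data.length || buffer->size > pac->data.length - buffer->offset) return ERANGE;` using whatever code pac.c reports for malformed buffers. The order of the two asserts matters: the first bounds `buffer->offset` so the subtraction `pac->data.length - buffer->offset` in the second cannot wrap if those fields are unsigned, which deserves `/* offset is bounded first so the subtraction below cannot wrap */`. With the relaxed bound, `offset == length` is accepted only together with `size == 0`, which matches the zero-length trailing buffer the message describes. k5_pac_locate_buffer() continues past the end of the hunk.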
@@ -0,0 +1,40 @@
+From 48ccd81656381522d1f9ccb8705c13f0266a46ab Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Sat, 25 Nov 2023 11:04:56 -0500
+Subject: [PATCH] In PKINIT, check for null PKCS7 enveloped fields
+
+The PKCS7 ContentInfo content field and EncryptedContentInfo
+encryptedContent field are optional. Check for null values in
+cms_envelopeddata_verify() before calling pkcs7_decrypt(). Reported
+by Bahaa Naamneh.
+
+ticket: 9107 (new)
+tags: pullup
+target_version: 1.21-next
+target_version: 1.20-next
+
+Reference:https://github.com/krb5/krb5/commit/48ccd81656381522d1f9ccb8705c13f0266a46ab
+Conflict: NA
+
+---
+ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 453b1119a..15c6cd8c4 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -2464,7 +2464,9 @@ cms_envelopeddata_verify(krb5_context context,
+ }
+
+ /* verify that the received message is PKCS7 EnvelopedData message */
+- if (OBJ_obj2nid(p7->type) != NID_pkcs7_enveloped) {
++ if (OBJ_obj2nid(p7->type) != NID_pkcs7_enveloped ||
++ p7->d.enveloped == NULL ||
++ p7->d.enveloped->enc_data->enc_data == NULL) {
+ pkiDebug("Expected id-enveloped PKCS7 msg (received type = %d)\n",
+ OBJ_obj2nid(p7->type));
+ krb5_set_error_message(context, retval, "wrong oid\n");
+--
+2.43.0
+
diff --git a/backport-Simplify-preauth-fallback-disabling.patch b/backport-Simplify-preauth-fallback-disabling.patch
new file mode 100644
index 0000000000000000000000000000000000000000..05453b9d4c3f73e0c7d37f242d297f8f968d9553
--- /dev/null
+++ b/backport-Simplify-preauth-fallback-disabling.patch
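Review bot: The new condition in cms_envelopeddata_verify() dereferences `p7->d.enveloped->enc_data` without a null check while checking the fields on either side of it; that is correct only if OpenSSL's PKCS7_ENVELOPE ASN.1 template makes enc_data mandatory, so it deserves `/* enc_data is mandatory in the ASN.1 template; content and encryptedContent are OPTIONAL */` so nobody "fixes" it or drops the neighbouring checks. The diagnostic is now misleading: a message of the right type with a missing content field still logs `Expected id-enveloped PKCS7 msg (received type = %d)` and sets the error text `wrong oid`, so a separate branch with its own text, e.g. `krb5_set_error_message(context, retval, "missing EnvelopedData content");`, would make this failure diagnosable from logs. These fields come from the peer's PKCS7 message, so before this check a crafted message presumably reached a null dereference in pkcs7_decrypt(); the error path after krb5_set_error_message() and the point where `retval` is set are both outside the hunk.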
@@ -0,0 +1,93 @@
+From df70aed645da58698466f5a8811a75873b85b5b2 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Mon, 12 May 2025 16:21:05 -0400
+Subject: [PATCH] Simplify preauth fallback disabling
+
+Remove the fallback_disabled field from krb5_init_creds_context, and
+instead record the current preauth type as the only allowed preauth
+type when a preauth module invokes the disable_fallback() method.
+
+The previous method failed to prevent fallback when a KDC unexpectedly
+responds with PREAUTH_REQUIRED partway through the preauth exchange.
+Reported by Richard Silverman.
+
+Reference:https://github.com/krb5/krb5/commit/df70aed645da58698466f5a8811a75873b85b5b2
+Conflict:NA
+
+---
+ src/lib/krb5/krb/get_in_tkt.c | 3 ---
+ src/lib/krb5/krb/init_creds_ctx.h | 2 +-
+ src/lib/krb5/krb/preauth2.c | 7 ++++++-
+ 3 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index 4b2be41e7..00a5cceea 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
++++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -1331,9 +1331,6 @@ init_creds_step_request(krb5_context context,
+ /* Don't continue after a keyboard interrupt. */
+ if (code == KRB5_LIBOS_PWDINTR)
+ goto cleanup;
+- /* Don't continue if fallback is disabled. */
+- if (code && ctx->fallback_disabled)
+- goto cleanup;
+ if (code) {
+ /* See if we can try a different preauth mech before giving up. */
+ k5_save_ctx_error(context, code, &save);
+diff --git a/src/lib/krb5/krb/init_creds_ctx.h b/src/lib/krb5/krb/init_creds_ctx.h
+index 17d55dd7c..710b77810 100644
+--- a/src/lib/krb5/krb/init_creds_ctx.h
++++ b/src/lib/krb5/krb/init_creds_ctx.h
+@@ -63,9 +63,9 @@ struct _krb5_init_creds_context {
+ krb5_enctype etype;
+ krb5_boolean info_pa_permitted;
+ krb5_boolean restarted;
+- krb5_boolean fallback_disabled;
+ krb5_boolean encts_disabled;
+ struct krb5_responder_context_st rctx;
++ krb5_preauthtype current_preauth_type;
+ krb5_preauthtype selected_preauth_type;
+ krb5_preauthtype allowed_preauth_type;
+ k5_json_object cc_config_in;
+diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
+index 32f35b761..b5ef6c616 100644
+--- a/src/lib/krb5/krb/preauth2.c
++++ b/src/lib/krb5/krb/preauth2.c
+@@ -552,7 +552,9 @@ set_cc_config(krb5_context context, krb5_clpreauth_rock rock,
+ static void
+ disable_fallback(krb5_context context, krb5_clpreauth_rock rock)
+ {
+- ((krb5_init_creds_context)rock)->fallback_disabled = TRUE;
++ krb5_init_creds_context ctx = (krb5_init_creds_context)rock;
++
++ ctx->allowed_preauth_type = ctx->current_preauth_type;
+ }
+
+ static struct krb5_clpreauth_callbacks_st callbacks = {
+@@ -676,6 +678,7 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx,
+ if (real && previously_failed(ctx, pa->pa_type))
+ continue;
+ mod_pa = NULL;
++ ctx->current_preauth_type = pa->pa_type;
+ ret = clpreauth_process(context, h, modreq, ctx->opt, &callbacks,
+ (krb5_clpreauth_rock)ctx, ctx->request,
+ ctx->inner_request_body,
+@@ -908,6 +911,7 @@ k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx,
+ if (h == NULL)
+ return KRB5KRB_ERR_GENERIC;
+ mod_pa = NULL;
++ ctx->current_preauth_type = pa_type;
+ ret = clpreauth_tryagain(context, h, modreq, ctx->opt, &callbacks,
+ (krb5_clpreauth_rock)ctx, ctx->request,
+ ctx->inner_request_body,
+@@ -954,6 +958,7 @@ fill_response_items(krb5_context context, krb5_init_creds_context ctx,
+ h = find_module(context, ctx, pa->pa_type, &modreq);
+ if (h == NULL)
+ continue;
++ ctx->current_preauth_type = pa->pa_type;
+ ret = clpreauth_prep_questions(context, h, modreq, ctx->opt,
+ &callbacks, (krb5_clpreauth_rock)ctx,
+ ctx->request, ctx->inner_request_body,
+--
+2.43.0
+
diff --git a/krb5.spec b/krb5.spec
index e72c97fcca0de8fbdb7c654182445fd151ee5d3f..98476314598b671dcf31023fc9baa04ab9b3539d 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -3,7 +3,7 @@ Name: krb5
 Version: 1.21.2
-Release: 18
+Release: 19
 Summary: The Kerberos network authentication protocol
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -60,6 +60,10 @@ Patch36: backport-Fix-correctness-in-LDAP-delegation-ACL-checking.patch
 Patch37: backport-Fix-kdb5_util-ark-with-no-e-option.patch
 Patch38: backport-Fix-typo-in-AS-REQ-client-code.patch
 Patch39: backport-Fix-error-handling-in-pkinit_server_verify_padata.patch
+Patch40: backport-In-PKINIT-check-for-null-PKCS7-enveloped-fields.patch
+Patch41: backport-Fix-potential-PAC-processing-crash.patch
+Patch42: backport-Fix-crash-on-empty-TXT-records.patch
+Patch43: backport-Simplify-preauth-fallback-disabling.patch
 BuildRequires: gettext
 BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@@ -344,6 +348,9 @@ make -C src check || :
 %{_mandir}/man8/*
 %changelog
+* Sat Nov 29 2025 xuraoqing - 1.21.2-19
+- backport patches to fix bugs
+
 * Tue Nov 18 2025 zhangyaqi - 1.21.2-18
 - Delete the last submitted patch
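Review bot: `current_preauth_type` is set at the three call sites in preauth2.c but never cleared afterwards, so a module that invokes disable_fallback() from any other callback path would pin `allowed_preauth_type` to a stale type (or to the member's initial value, whose initialisation is outside this patch); the member in init_creds_ctx.h should carry that contract: `/* pa type of the clpreauth module being invoked; valid only during the process/tryagain/prep_questions call */`. disable_fallback() now also overwrites any previously pinned `allowed_preauth_type`, presumably intended since only one type can be allowed, but a one-line comment saying so would help. After the deletion in get_in_tkt.c nothing in this patch enforces the restriction, so the fix depends on where allowed_preauth_type is consulted, which is outside the hunk. Since this is what stops a client from moving to a different mechanism when whatever answers as the KDC sends PREAUTH_REQUIRED mid-exchange, as the message describes, a regression test for that case would be worth carrying with the backport.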