!210 [sync] PR-208: backport patches from upstream

From: @openeuler-sync-bot Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee
2024-12-11 09:14:59 +00:00 · 2024-12-11 09:14:59 +00:00 · aba9e18260
commit aba9e18260
parent 751fbcb294 720019e9a0
4 changed files with 172 additions and 1 deletions
--- a/backport-Avoid-mutex-locking-in-krb5int_trace.patch
+++ b/backport-Avoid-mutex-locking-in-krb5int_trace.patch
@ -0,0 +1,71 @@
+From b03d55c2b841731c8194cb12566cad1d6d2ad3cb Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 4 Oct 2024 18:00:21 +0200
+Subject: [PATCH] Avoid mutex locking in krb5int_trace()
+
+Trace logging doesn't need unique timestamps, so the locking within
+krb5_crypto_us_timeofday() makes trace logging slower for no reason.
+Add a new helper k5_us_timeofday(), which is merely a wrapper around
+the existing get_time_now(), and use it in krb5int_trace().
+
+[ghudson@mit.edu: edited commit message]
+---
+ src/include/k5-int.h       |  1 +
+ src/lib/krb5/os/c_ustime.c | 15 +++++++++++++++
+ src/lib/krb5/os/trace.c    |  2 +-
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index fd79d7c..f492acb 100644
+--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
+@@ -697,6 +697,7 @@ krb5_error_code krb5int_c_copy_keyblock_contents(krb5_context context,
+                                                  const krb5_keyblock *from,
+                                                  krb5_keyblock *to);
+ 
+krb5_error_code k5_us_timeofday(krb5_timestamp *, krb5_int32 *);
+ krb5_error_code krb5_crypto_us_timeofday(krb5_timestamp *, krb5_int32 *);
+ 
+ /*
+diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
+index f69f2ea..265c3b3 100644
+--- a/src/lib/krb5/os/c_ustime.c
+++ b/src/lib/krb5/os/c_ustime.c
+@@ -73,6 +73,21 @@ get_time_now(struct time_now *n)
+ 
+ #endif
+ 
+krb5_error_code
+k5_us_timeofday(krb5_timestamp *seconds, krb5_int32 *microseconds)
+{
+    struct time_now now;
+    krb5_error_code err;
+
+    err = get_time_now(&now);
+    if (err)
+        return err;
+
+    *seconds = now.sec;
+    *microseconds = now.usec;
+    return 0;
+}
+
+ static struct time_now last_time;
+ 
+ krb5_error_code
+diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
+index c4058dd..2af459d 100644
+--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
+@@ -411,7 +411,7 @@ krb5int_trace(krb5_context context, const char *fmt, ...)
+     str = trace_format(context, fmt, ap);
+     if (str == NULL)
+         goto cleanup;
+-    if (krb5_crypto_us_timeofday(&sec, &usec) != 0)
+    if (k5_us_timeofday(&sec, &usec) != 0)
+         goto cleanup;
+     if (asprintf(&msg, "[%d] %u.%06d: %s\n", (int)getpid(),
+                  (unsigned int)sec, (int)usec, str) < 0)
+-- 
+2.43.0
+
--- a/backport-Fix-krb5_ldap_list_policy-filtering-loop.patch
+++ b/backport-Fix-krb5_ldap_list_policy-filtering-loop.patch
@ -0,0 +1,32 @@
+From 0a23b0cd9466e8a7c6fb82fce185be6e0834ce26 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Sun, 27 Oct 2024 19:01:51 -0400
+Subject: [PATCH] Fix krb5_ldap_list_policy() filtering loop
+
+The loop at the end of this function is intended to ignore ticket
+policy DNs that can't be converted to names.  But it instead leaves a
+hole in the output list if that happens, effectively truncating the
+list and leaking any subsequent entries.  Use the correct index for
+the output list.
+
+ticket: 9148 (new)
+---
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
+index 4f48fd6..27a2235 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
+@@ -382,7 +382,7 @@ krb5_ldap_list_policy(krb5_context context, char *containerdn, char ***policy)
+ 
+     for (i = 0, j = 0; list[i] != NULL; i++, j++) {
+         int ret;
+-        ret = krb5_ldap_policydn_to_name (context, list[i], &(*policy)[i]);
+        ret = krb5_ldap_policydn_to_name (context, list[i], &(*policy)[j]);
+         if (ret != 0)
+             j--;
+     }
+-- 
+2.43.0
+
--- a/backport-Fix-unlikely-password-change-leak.patch
+++ b/backport-Fix-unlikely-password-change-leak.patch
@ -0,0 +1,62 @@
+From 038793c3083f44c4fb62626c12f80c80147029cf Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Fri, 11 Oct 2024 12:45:13 +0200
+Subject: [PATCH] Fix unlikely password change leak
+
+In kpasswd_sendto_msg_callback(), if getsockname() does not reveal the
+local address, a copy of the first local address's contents is made
+and never freed.  Instead of making an allocated copy of the address
+contents, make a shallow copy of the whole address.  Delay freeing the
+address array until the end of the function so that alias pointer made
+by the shallow copy remains valid.
+
+[ghudson@mit.edu: further simplified code; rewrote commit message]
+---
+ src/lib/krb5/os/changepw.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
+index c592325..9cae409 100644
+--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
+@@ -115,6 +115,7 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
+     struct sendto_callback_context      *ctx = data;
+     GETSOCKNAME_ARG3_TYPE               addrlen;
+     krb5_data                           output;
+    krb5_address                        **addrs = NULL;
+ 
+     memset (message, 0, sizeof(krb5_data));
+ 
+@@ -143,20 +144,10 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
+         local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr);
+         local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr;
+     } else {
+-        krb5_address **addrs;
+-
+         code = krb5_os_localaddr(ctx->context, &addrs);
+         if (code)
+             goto cleanup;
+-
+-        local_kaddr.magic = addrs[0]->magic;
+-        local_kaddr.addrtype = addrs[0]->addrtype;
+-        local_kaddr.length = addrs[0]->length;
+-        local_kaddr.contents = k5memdup(addrs[0]->contents, addrs[0]->length,
+-                                        &code);
+-        krb5_free_addresses(ctx->context, addrs);
+-        if (local_kaddr.contents == NULL)
+-            goto cleanup;
+        local_kaddr = *addrs[0];
+     }
+ 
+ 
+@@ -193,6 +184,7 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
+     message->data = output.data;
+ 
+ cleanup:
+    krb5_free_addresses(ctx->context, addrs);
+     return code;
+ }
+ 
+-- 
+2.43.0
+
--- a/krb5.spec
+++ b/krb5.spec
@ -3,7 +3,7 @@

 Name:     krb5
 Version:  1.19.2
-Release:  21
+Release:  22
 Summary:  The Kerberos network authentication protocol
 License:  MIT
 URL:      http://web.mit.edu/kerberos/www/
@ -63,6 +63,9 @@ Patch39: backport-Fix-krb5_crypto_us_timeofday-microseconds-check.patch
 Patch40: backport-Fix-libkadm5-parameter-leak.patch
 Patch41: backport-Prevent-late-initialization-of-GSS-error-map.patch
 Patch42: backport-Allow-null-keyblocks-in-IOV-checksum-functions.patch
+Patch43: backport-Avoid-mutex-locking-in-krb5int_trace.patch
+Patch44: backport-Fix-unlikely-password-change-leak.patch
+Patch45: backport-Fix-krb5_ldap_list_policy-filtering-loop.patch

 BuildRequires:  gettext
 BuildRequires:  gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@ -355,6 +358,9 @@ make -C src check || :


 %changelog
+* Wed Dec 11 2024 liuh <liuhuan01@kylinos.cn> - 1.19.2-22
+- backport patches from upstream
+
 * Wed Dec 04 2024 wangjiang <app@cameyan.com> - 1.19.2-21
 - backport upstream patches