Hello community,

here is the log from the commit of package krb5 for openSUSE:Factory checked in 
at 2025-02-06 22:02:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
 and      /work/SRC/openSUSE:Factory/.krb5.new.2316 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "krb5"

Thu Feb  6 22:02:16 2025 rev:175 rq:1243471 version:1.21.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes   2024-07-08 
19:06:56.995864817 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new.2316/krb5-mini.changes 2025-02-06 
22:02:29.462877533 +0100
@@ -1,0 +2,9 @@
+Thu Jan 30 10:01:12 UTC 2025 - Samuel Cabrero <scabr...@suse.de>
+
+- Prevent overflow when calculating ulog block size. An authenticated
+  attacker can cause kadmind to write beyond the end of the mapped
+  region for the iprop log file, likely causing a process crash;
+  (CVE-2025-24528); (bsc#1236619).
+- Add patch 0010-CVE-2025-24528.patch
+
+-------------------------------------------------------------------
krb5.changes: same change

New:
----
  0010-CVE-2025-24528.patch


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ krb5-mini.spec ++++++
--- /var/tmp/diff_new_pack.bjiZg0/_old  2025-02-06 22:02:32.234991327 +0100
+++ /var/tmp/diff_new_pack.bjiZg0/_new  2025-02-06 22:02:32.234991327 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package krb5-mini
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -45,6 +45,7 @@
 Patch7:         0007-SELinux-integration.patch
 Patch8:         0008-krb5-1.9-debuginfo.patch
 Patch9:         0009-Fix-three-memory-leaks.patch
+Patch10:        0010-CVE-2025-24528.patch
 BuildRequires:  autoconf
 BuildRequires:  bison
 BuildRequires:  pkgconfig

++++++ krb5.spec ++++++
--- /var/tmp/diff_new_pack.bjiZg0/_old  2025-02-06 22:02:32.270992805 +0100
+++ /var/tmp/diff_new_pack.bjiZg0/_new  2025-02-06 22:02:32.274992969 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package krb5
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -43,6 +43,7 @@
 Patch7:         0007-SELinux-integration.patch
 Patch8:         0008-krb5-1.9-debuginfo.patch
 Patch9:         0009-Fix-three-memory-leaks.patch
+Patch10:        0010-CVE-2025-24528.patch
 BuildRequires:  autoconf
 BuildRequires:  bison
 BuildRequires:  cyrus-sasl-devel

++++++ 0010-CVE-2025-24528.patch ++++++
>From 78ceba024b64d49612375be4a12d1c066b0bfbd0 Mon Sep 17 00:00:00 2001
From: Zoltan Borbely <zoltan.borb...@morganstanley.com>
Date: Tue, 28 Jan 2025 16:39:25 -0500
Subject: [PATCH] Prevent overflow when calculating ulog block size

In kdb_log.c:resize(), log an error and fail if the update size is
larger than the largest possible block size (2^16-1).

CVE-2025-24528:

In MIT krb5 release 1.7 and later with incremental propagation
enabled, an authenticated attacker can cause kadmind to write beyond
the end of the mapped region for the iprop log file, likely causing a
process crash.

[ghud...@mit.edu: edited commit message and added CVE description]

ticket: 9159 (new)
tags: pullup
target_version: 1.21-next
---
 src/lib/kdb/kdb_log.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
index 2659a25018..68fae919a5 100644
--- a/src/lib/kdb/kdb_log.c
+++ b/src/lib/kdb/kdb_log.c
@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
  */
 static krb5_error_code
 resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
-       unsigned int recsize)
+       unsigned int recsize, const kdb_incr_update_t *upd)
 {
     unsigned int new_block, new_size;
 
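Review bot: The comment block that closes on line L127 directly above resize() is not updated for the new `upd` parameter added on line L131, so a reader of the signature cannot tell why an update record is now passed to a sizing helper. Suggest extending that comment with `upd is used only to name the principal in the overflow error message; it is not modified.` The rest of resize's body lies outside this hunk.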
@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
     new_block *= ULOG_BLOCK;
     new_size += ulogentries * new_block;
 
+    if (new_block > UINT16_MAX) {
+        syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
+               upd->kdb_princ_name.utf8str_t_len,
+               upd->kdb_princ_name.utf8str_t_val);
+        return KRB5_LOG_ERROR;
+    }
     if (new_size > MAXLOGLEN)
         return KRB5_LOG_ERROR;
 
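Review bot: The `%.*s` conversion on line L140 requires an `int` precision argument, but `upd->kdb_princ_name.utf8str_t_len` is passed as-is; if that field is an unsigned XDR length, as its name suggests, the argument type does not match and the call should read `(int)upd->kdb_princ_name.utf8str_t_len`, which also keeps -Wformat quiet. The new guard is placed after `new_size += ulogentries * new_block` on line L137, so the product is formed with the not-yet-validated new_block; moving the `UINT16_MAX` test to immediately after `new_block *= ULOG_BLOCK` rejects an oversized block before it enters the size arithmetic that the later MAXLOGLEN check relies on. resize's body continues past this hunk, so the store of new_block into the 16-bit block field that this check protects is not visible here.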
@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t 
*upd)
     recsize = sizeof(kdb_ent_header_t) + upd_size;
 
     if (recsize > ulog->kdb_block) {
-        retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
+        retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
         if (retval)
             return retval;
     }
-- 
2.48.1
