From 6c59462f173700c2b038203917f62c50c7c848ea Mon Sep 17 00:00:00 2001 From: zhangyaqi Date: Thu, 23 Oct 2025 07:41:16 +0800 Subject: [PATCH] backport upstream patches --- ...dling-in-pkinit_server_verify_padata.patch | 30 ++++++++++ backport-Udppktinfo-fix-bug-in-a-macro.patch | 60 +++++++++++++++++++ krb5.spec | 7 ++- 3 files changed, 96 insertions(+), 1 deletion(-) create mode 100644 backport-Fix-error-handling-in-pkinit_server_verify_padata.patch create mode 100644 backport-Udppktinfo-fix-bug-in-a-macro.patch diff --git a/backport-Fix-error-handling-in-pkinit_server_verify_padata.patch b/backport-Fix-error-handling-in-pkinit_server_verify_padata.patch new file mode 100644 index 0000000..c295802 --- /dev/null +++ b/backport-Fix-error-handling-in-pkinit_server_verify_padata.patch @@ -0,0 +1,30 @@ +From 1113e746abd0c30b4522c75a99426185e6ab8772 Mon Sep 17 00:00:00 2001 +From: Anastasia Belova +Date: Mon, 2 Jun 2025 12:28:49 +0300 +Subject: [PATCH] Fix pkinit_server_verify_padata() error handling + +Avoid a null deference if pkinit_init_kdc_req_context() fails to +allocate reqctx. + +[ghudson@mit.edu: fixed cleanup handler to work with reqctx == NULL +instead of avoiding the cleanup handler on allocation failure] +--- + src/plugins/preauth/pkinit/pkinit_srv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c +index feca118..37a10d4 100644 +--- a/src/plugins/preauth/pkinit/pkinit_srv.c ++++ b/src/plugins/preauth/pkinit/pkinit_srv.c +@@ -617,7 +617,7 @@ pkinit_server_verify_padata(krb5_context context, + reqctx = NULL; + + cleanup: +- if (retval && data->pa_type == KRB5_PADATA_PK_AS_REQ) { ++ if (retval && reqctx != NULL && data->pa_type == KRB5_PADATA_PK_AS_REQ) { + pkiDebug("pkinit_verify_padata failed: creating e-data\n"); + if (pkinit_create_edata(context, plgctx->cryptoctx, reqctx->cryptoctx, + plgctx->idctx, plgctx->opts, retval, &e_data)) +-- +2.43.0 + diff --git a/backport-Udppktinfo-fix-bug-in-a-macro.patch b/backport-Udppktinfo-fix-bug-in-a-macro.patch new file mode 100644 index 0000000..6a9f684 --- /dev/null +++ b/backport-Udppktinfo-fix-bug-in-a-macro.patch @@ -0,0 +1,60 @@ +From 67abc25fa9deadd3638bb1b78373d2f08de0d54d Mon Sep 17 00:00:00 2001 +From: Sergey Fedorov +Date: Fri, 10 Oct 2025 13:54:40 +0800 +Subject: [PATCH] Fix fallback macros in udppktinfo.c + +Commit 87b7d86676bff0b64a9eea39849abc97fdbe2972 changed the signatures +of several udppktinfo.c functions, but did not update the fallback +macro signatures to match. Update the fallback macros. Fixes a build +error observed on macOS 10.6.8. + +[ghudson@mit.edu: fixed additional fallback macros; edited commit +message] + +--- + src/lib/apputils/udppktinfo.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/lib/apputils/udppktinfo.c b/src/lib/apputils/udppktinfo.c +index 9a06ae8..fa964d5 100644 +--- a/src/lib/apputils/udppktinfo.c ++++ b/src/lib/apputils/udppktinfo.c +@@ -215,7 +215,7 @@ check_cmsg_ip_recvdstaddr(struct cmsghdr *cmsgptr, struct sockaddr *to, + } + + #else /* HAVE_IP_PKTINFO || IP_RECVDSTADDR */ +-#define check_cmsg_v4_pktinfo(c, t, l, a) 0 ++#define check_cmsg_v4_pktinfo(c, t, a) 0 + #endif /* HAVE_IP_PKTINFO || IP_RECVDSTADDR */ + + #ifdef HAVE_IPV6_PKTINFO +@@ -248,7 +248,7 @@ check_cmsg_ipv6_pktinfo(struct cmsghdr *cmsgptr, struct sockaddr *to, + return 0; + } + #else /* HAVE_IPV6_PKTINFO */ +-#define check_cmsg_v6_pktinfo(c, t, l, a) 0 ++#define check_cmsg_v6_pktinfo(c, t, a) 0 + #endif /* HAVE_IPV6_PKTINFO */ + + static int +@@ -379,7 +379,7 @@ set_msg_from_ip_sendsrcaddr(struct msghdr *msg, struct cmsghdr *cmsgptr, + } + + #else /* HAVE_IP_PKTINFO || IP_SENDSRCADDR */ +-#define set_msg_from_ipv4(m, c, f, l, a) EINVAL ++#define set_msg_from_ipv4(m, c, f, a) EINVAL + #endif /* HAVE_IP_PKTINFO || IP_SENDSRCADDR */ + + #ifdef HAVE_IPV6_PKTINFO +@@ -417,7 +417,7 @@ set_msg_from_ipv6_pktinfo(struct msghdr *msg, struct cmsghdr *cmsgptr, + } + + #else /* HAVE_IPV6_PKTINFO */ +-#define set_msg_from_ipv6(m, c, f, l, a) EINVAL ++#define set_msg_from_ipv6(m, c, f, a) EINVAL + #endif /* HAVE_IPV6_PKTINFO */ + + static krb5_error_code +-- +2.43.0 + diff --git a/krb5.spec b/krb5.spec index b3116a1..9b7c9de 100644 --- a/krb5.spec +++ b/krb5.spec @@ -3,7 +3,7 @@ Name: krb5 Version: 1.18.2 -Release: 19 +Release: 20 Summary: The Kerberos network authentication protocol License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -62,6 +62,8 @@ Patch39: backport-Fix-kdb5_util-ark-with-no-e-option.patch Patch40: backport-Fix-typo-in-AS-REQ-client-code.patch Patch41: backport-0001-fix-CVE-2025-3576.patch Patch42: backport-0002-fix-CVE-2025-3576.patch +Patch43: backport-Fix-error-handling-in-pkinit_server_verify_padata.patch +Patch44: backport-Udppktinfo-fix-bug-in-a-macro.patch BuildRequires: gettext BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc @@ -353,6 +355,9 @@ make -C src check || : %{_mandir}/man8/* %changelog +* Fri Oct 31 2025 zhangyaqi - 1.18.2-20 +- backport upstream patches + * Tue Aug 12 2025 Xu Raoqing - 1.18.2-19 - backport upstream patches -- Gitee