From 9ed602fde3f0d0254658f4d4d7e74ccac125bb86 Mon Sep 17 00:00:00 2001 From: zhangyaqi Date: Thu, 23 Oct 2025 07:00:31 +0800 Subject: [PATCH] backport upstream patches (cherry picked from commit 38f96eb9cb3d41064630ab76805046bf5a7ade1e) --- ...dling-in-pkinit_server_verify_padata.patch | 30 ++++++++++ backport-Udppktinfo-fix-bug-in-a-macro.patch | 60 +++++++++++++++++++ krb5.spec | 7 ++- 3 files changed, 96 insertions(+), 1 deletion(-) create mode 100644 backport-Fix-error-handling-in-pkinit_server_verify_padata.patch create mode 100644 backport-Udppktinfo-fix-bug-in-a-macro.patch diff --git a/backport-Fix-error-handling-in-pkinit_server_verify_padata.patch b/backport-Fix-error-handling-in-pkinit_server_verify_padata.patch new file mode 100644 index 0000000..887efb6 --- /dev/null +++ b/backport-Fix-error-handling-in-pkinit_server_verify_padata.patch @@ -0,0 +1,30 @@ +From 1113e746abd0c30b4522c75a99426185e6ab8772 Mon Sep 17 00:00:00 2001 +From: Anastasia Belova +Date: Mon, 2 Jun 2025 12:28:49 +0300 +Subject: [PATCH] Fix pkinit_server_verify_padata() error handling + +Avoid a null deference if pkinit_init_kdc_req_context() fails to +allocate reqctx. + +[ghudson@mit.edu: fixed cleanup handler to work with reqctx == NULL +instead of avoiding the cleanup handler on allocation failure] +--- + src/plugins/preauth/pkinit/pkinit_srv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c +index 1b3bf6d..875b7ef 100644 +--- a/src/plugins/preauth/pkinit/pkinit_srv.c ++++ b/src/plugins/preauth/pkinit/pkinit_srv.c +@@ -625,7 +625,7 @@ pkinit_server_verify_padata(krb5_context context, + reqctx = NULL; + + cleanup: +- if (retval && data->pa_type == KRB5_PADATA_PK_AS_REQ) { ++ if (retval && reqctx != NULL && data->pa_type == KRB5_PADATA_PK_AS_REQ) { + pkiDebug("pkinit_verify_padata failed: creating e-data\n"); + if (pkinit_create_edata(context, plgctx->cryptoctx, reqctx->cryptoctx, + plgctx->idctx, plgctx->opts, retval, &e_data)) +-- +2.43.0 + diff --git a/backport-Udppktinfo-fix-bug-in-a-macro.patch b/backport-Udppktinfo-fix-bug-in-a-macro.patch new file mode 100644 index 0000000..faa9ac9 --- /dev/null +++ b/backport-Udppktinfo-fix-bug-in-a-macro.patch @@ -0,0 +1,60 @@ +From 67abc25fa9deadd3638bb1b78373d2f08de0d54d Mon Sep 17 00:00:00 2001 +From: Sergey Fedorov +Date: Fri, 10 Oct 2025 13:54:40 +0800 +Subject: [PATCH] Fix fallback macros in udppktinfo.c + +Commit 87b7d86676bff0b64a9eea39849abc97fdbe2972 changed the signatures +of several udppktinfo.c functions, but did not update the fallback +macro signatures to match. Update the fallback macros. Fixes a build +error observed on macOS 10.6.8. + +[ghudson@mit.edu: fixed additional fallback macros; edited commit +message] + +--- + src/lib/apputils/udppktinfo.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/lib/apputils/udppktinfo.c b/src/lib/apputils/udppktinfo.c +index c6e86f6..f858daf 100644 +--- a/src/lib/apputils/udppktinfo.c ++++ b/src/lib/apputils/udppktinfo.c +@@ -215,7 +215,7 @@ check_cmsg_ip_recvdstaddr(struct cmsghdr *cmsgptr, struct sockaddr *to, + } + + #else /* HAVE_IP_PKTINFO || IP_RECVDSTADDR */ +-#define check_cmsg_v4_pktinfo(c, t, l, a) 0 ++#define check_cmsg_v4_pktinfo(c, t, a) 0 + #endif /* HAVE_IP_PKTINFO || IP_RECVDSTADDR */ + + #ifdef HAVE_IPV6_PKTINFO +@@ -248,7 +248,7 @@ check_cmsg_ipv6_pktinfo(struct cmsghdr *cmsgptr, struct sockaddr *to, + return 0; + } + #else /* HAVE_IPV6_PKTINFO */ +-#define check_cmsg_v6_pktinfo(c, t, l, a) 0 ++#define check_cmsg_v6_pktinfo(c, t, a) 0 + #endif /* HAVE_IPV6_PKTINFO */ + + static int +@@ -379,7 +379,7 @@ set_msg_from_ip_sendsrcaddr(struct msghdr *msg, struct cmsghdr *cmsgptr, + } + + #else /* HAVE_IP_PKTINFO || IP_SENDSRCADDR */ +-#define set_msg_from_ipv4(m, c, f, l, a) EINVAL ++#define set_msg_from_ipv4(m, c, f, a) EINVAL + #endif /* HAVE_IP_PKTINFO || IP_SENDSRCADDR */ + + #ifdef HAVE_IPV6_PKTINFO +@@ -417,7 +417,7 @@ set_msg_from_ipv6_pktinfo(struct msghdr *msg, struct cmsghdr *cmsgptr, + } + + #else /* HAVE_IPV6_PKTINFO */ +-#define set_msg_from_ipv6(m, c, f, l, a) EINVAL ++#define set_msg_from_ipv6(m, c, f, a) EINVAL + #endif /* HAVE_IPV6_PKTINFO */ + + static krb5_error_code +-- +2.43.0 + diff --git a/krb5.spec b/krb5.spec index 6cdb865..c413994 100644 --- a/krb5.spec +++ b/krb5.spec @@ -3,7 +3,7 @@ Name: krb5 Version: 1.21.2 -Release: 16 +Release: 17 Summary: The Kerberos network authentication protocol License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -59,6 +59,8 @@ Patch35: backport-Fix-conditional-in-kadm5_chpass_principal_3.patch Patch36: backport-Fix-correctness-in-LDAP-delegation-ACL-checking.patch Patch37: backport-Fix-kdb5_util-ark-with-no-e-option.patch Patch38: backport-Fix-typo-in-AS-REQ-client-code.patch +Patch39: backport-Fix-error-handling-in-pkinit_server_verify_padata.patch +Patch40: backport-Udppktinfo-fix-bug-in-a-macro.patch BuildRequires: gettext BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc @@ -343,6 +345,9 @@ make -C src check || : %{_mandir}/man8/* %changelog +* Fri Oct 31 2025 zhangyaqi - 1.21.2-17 +- backport upstream patches + * Mon Aug 11 2025 Linux_zhang - 1.21.2-16 - backport upstream patches -- Gitee